The regulations in this part implement the provisions of the Privacy Act.

The following terms used in this part are defined in the Privacy Act: Individual, maintain, record, system of records, statistical record, and routine use. The following definitions also apply in this part:

Board means the Privacy and Civil Liberties Oversight Board, established by the Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. 110-53.

Chairman means the Chairman of the Board, as appointed by the President and confirmed by the Senate under section 801(a) of the Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. 110-53, or any person to whom the Board has delegated authority in the matter concerned.

General Counsel means the Board's principal legal advisor, or his or her designee.

Privacy Act means the Privacy Act of 1974, 5 U.S.C. 552a, as amended.

Privacy Act Officer means the person designated by the Board to be responsible for the day-to-day administration of the Privacy Act.

(a) Requests to determine if you are the subject of a record. You may request that the Board inform you if we maintain a system of records that contains records about you. Your request must follow the procedures described in paragraph (b) of this section.

(b) Requests for access. You may request access to a Board record about you in writing or by appearing in person. You should direct your request to the Privacy Act Officer. Written requests may be sent to: Privacy Act Officer, Privacy and Civil Liberties Oversight Board, 2100 K Street NW., Suite 500, Washington, DC 20427. Your request should include the following information:

(1) Your name, address, and telephone number;

(2) The system(s) of records in which the requested information is contained; and

(3) At your option, authorization for copying expenses.

(4) Written requests. In addition to the information described in paragraphs (b)(1) through (3) of this section, written requests must include a statement affirming your identity, signed by you and witnessed by two persons (including witnesses' addresses) or notarized.

(i) Witnessed. If your statement is witnessed, it must include a sentence above the witnesses' signatures attesting that they personally know you or that you have provided satisfactory proof of your identity.

(ii) Notarized. If your statement is notarized, you must provide the notary with adequate proof of your identity in the form of a drivers' license, passport, or other identification acceptable to the notary.

(iii) The Board, in its discretion, may require additional proof of identification depending on the nature and sensitivity of the records in the system of records.

(iv) For the quickest possible handling, your letter and envelope should be marked “Privacy Act Request”.

(5) In person requests. In addition to the information described in paragraphs (b)(1) through (3) of this section, if you make your request in person, you must provide adequate proof of identification at the time of your request. Adequate proof of identification includes a valid drivers' license, valid passport, or other current identification that includes your address and photograph.

(c) Requests for amendment or correction of records. You may request an amendment to or correction of a record about you in person or by writing to the Privacy Act Officer following the procedures described in paragraph (b) of this section. Your request for amendment or correction should identify each particular record at issue, state the amendment or correction sought, and describe why the record is not accurate, relevant, timely, or complete.

(d) Requests for an accounting of disclosures. Except for those disclosures for which the Privacy Act does not require an accounting, you may request an accounting of any disclosure by the Board of a record about you. Your request for an accounting of disclosures must be made in writing following the procedures described in subsection (b) of this section.

(e) Requests for access on behalf of someone else. (1) If you are making a request on behalf of someone else, your request must include a statement from that individual verifying his or her identity, as provided in paragraph (b)(4) of this section. Your request also must include a statement certifying that individual's agreement that records about him or her may be released to you.

(2) If you are the parent or guardian of the individual to whom the requested record pertains, or the individual to whom the record pertains has been deemed incompetent by a court, your request for access to records about that individual must include:

(i) The identity of the individual who is the subject of the record, including his or her name, current address, and date and place of birth;

(ii) Verification of your identity in accordance with paragraph (b)(4) of this section;

(iii) Verification that you are the subject's parent or guardian, which may be established by a copy of the subject's birth certificate identifying you as his or her parent, or a court order establishing you as guardian; and

(iv) A statement certifying that you are making the request on the subject's behalf.

(a) Acknowledgement. The Privacy Act Officer shall provide you with a written acknowledgment of your written request under section 3 within ten business days of our receipt of your request.

(b) Grants of requests. If you make your request in person, the Privacy Act Officer shall respond to your request directly, either by granting you access to the requested records, upon payment of any applicable fee and with a written record of the grant of your request and receipt of the records, or by informing you when a response may be expected. If you are accompanied by another person, you must authorize in writing any discussion of the records in the presence of the third person. If your request is in writing, the Privacy Act Officer shall provide you with written notice of the Board's decision to grant your request and the amount of any applicable fee. The Privacy Act Officer shall disclose the records to you promptly, upon payment of any applicable fee.

(c) Denials of requests in whole or in part. The Privacy Act Officer shall notify you in writing of his or her determination to deny, in whole or in part, your request. This writing shall include the following information:

(1) The name and title or position of the person responsible for the denial;

(2) A brief statement of the reason for the denial(s), including any applicable Privacy Act exemption;

(3) A statement that you may appeal the denial and a brief description of the requirements for appeal under § 1002.5.

(d) Request for records not covered by the Privacy Act or subject to Privacy Act exemption. If the Privacy Act Officer determines that a requested record is not subject to the Privacy Act or the records are subject to Privacy Act exemption, your request will be processed in accordance with the Board's Freedom of Information Act procedures at 6 CFR part 1001.

Appeal procedures.

(1) You may appeal any decision by the Board to deny, in whole or in part, your request under § 1002.3 no later than 60 days after the decision is rendered.

(2) Your appeal must be in writing, sent to the General Counsel at the address specified in § 1002.3(b) and contain the following information:

(i) Your name;

(ii) Description of the record(s) at issue;

(iii) The system of records in which the record(s) is contained;

(iv) A statement of why your request should be granted.

(3) The General Counsel shall determine whether to uphold or reverse the initial determination within 30 working days of our receipt of your appeal. The General Counsel shall notify you of his or her decision, including a brief statement of the reasons for the decision, in writing. The General Counsel's decision will be the final action of the Board.

(b) Statement of disagreement. If your appeal of our determination related to your request for amendment or correction is denied in whole or in part, you may file a Statement of Disagreement that states the basis for your disagreement with the denial. Statements of Disagreement must be concise and must clearly identify each part of any record that is disputed. The Privacy Act Officer will place your Statement of Disagreement in the system of records in which the disputed record is maintained and shall mark the disputed record to indicate that a Statement of Disagreement has been filed and where it may be found.

(c) Notification of amendment, correction, or disagreement. Within 30 working days of the amendment or correction of a record, the Privacy Act Officer shall notify all persons, organizations, or agencies to which the Board previously disclosed the record, if an accounting of that disclosure was made, that the record has been corrected or amended. If you filed a Statement of Disagreement, the Privacy Act Officer shall append a copy of it to the disputed record whenever it is disclosed and also may append a concise statement of its reason(s) for denying the request to amend or correct the record.

We will not charge a fee for search or review of records requested under this part, or for the correction of records. If you request copies of records, we may charge a fee of $.10 per page.

Any person who makes a false statement in connection with any request for a record or an amendment or correction thereto under this part is subject to the penalties prescribed in 18 U.S.C. 494 and 495 and 5 U.S.C. 552a(i)(3).