(a) Training. The Chief Privacy Officer shall institute a training program to instruct CFPB employees and contractor personnel covered by 5 U.S.C. 552a(m), who are involved in the design, development, operation, or maintenance of any CFPB system of records, on a continuing basis with respect to the duties and responsibilities imposed on them and the rights conferred on individuals by the Privacy Act, the regulations in this subpart, and any other related regulations. Such training shall provide suitable emphasis on the civil and criminal penalties imposed on the CFPB and the individual employees or contractor personnel by the Privacy Act for non-compliance with specified requirements of the Act as implemented by the regulations in this subpart.

(b) Rules of conduct. The following rules of conduct are applicable to employees of the CFPB (including, to the extent required by the contract or 5 U.S.C. 552a(m), Government contractors and employees of such contractors), who are involved in the design, development, operation or maintenance of any system of records, or in maintaining any records, for or on behalf of the CFPB.

(1) The head of each office of the CFPB shall be responsible for assuring that employees subject to such official's supervision are advised of the provisions of the Privacy Act, including the criminal penalties and civil liabilities provided therein, and the regulations in this subpart, and that such employees are made aware of their individual and collective responsibilities to protect the security of personal information, to assure its accuracy, relevance, timeliness and completeness, to avoid unauthorized disclosure either orally or in writing, and to ensure that no system of records is maintained without public notice.

(2) Employees of the CFPB involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record shall:

(i) Collect no information of a personal nature from individuals unless authorized to collect it to achieve a function or carry out a responsibility of the CFPB;

(ii) Collect information, to the extent practicable, directly from the individual to whom it relates;

(iii) Inform each individual asked to supply information, on the form used to collect the information or on a separate form that can be retained by the individual of—

(A) The authority (whether granted by statute, or by executive order of the President) which authorizes the solicitation of the information and whether disclosure of such information is mandatory or voluntary;

(B) The principal purpose or purposes for which the information is intended to be used;

(C) The routine uses which may be made of the information, as published pursuant to 5 U.S.C. 552a(e)(4)(D); and

(D) The effects on the individual, if any, of not providing all or any part of the requested information;

(iv) Not collect, maintain, use or disseminate information concerning an individual's religious or political beliefs or activities or membership in associations or organizations, unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity;

(v) Advise their supervisors of the existence or contemplated development of any record system which is capable of retrieving information about individuals by individual identifier;

(vi) Assure that no records maintained in a CFPB system of records are disseminated without the permission of the individual about whom the record pertains, except when authorized by 5 U.S.C. 552a(b);

(vii) Maintain and process information concerning individuals with care in order to ensure that no inadvertent disclosure of the information is made either within or without the CFPB;

(viii) Prior to disseminating any record about an individual to any person other than an agency, unless the dissemination is made pursuant to 5 U.S.C. 552a(b)(2), make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for agency purposes; and

(ix) Assure that an accounting is kept in the prescribed form, of all dissemination of personal information outside the CFPB, whether made orally or in writing, unless disclosed under 5 U.S.C. 552 or subpart B of this part.

(3) The head of each office of the CFPB shall, at least annually, review the record systems subject to their supervision to ensure compliance with the provisions of the Privacy Act of 1974 and the regulations in this subpart.