§ 792.69Training and employee standards of conduct with regard to privacy.
(a) The Director of the Office of Human Resources, with advice from the Senior Privacy Act Officer, is responsible for training NCUA employees in the obligations imposed by the Privacy Act and this subpart.
(b) The head of each NCUA Office shall be responsible for assuring that employees subject to that person's supervision are advised of the provisions of the Privacy Act, including the criminal penalties and civil liabilities provided therein, and that such employees are made aware of their responsibilities to protect the security of personal information, to assure its accuracy, relevance, timeliness, and completeness, to avoid unauthorized disclosure either orally or in writing, and to insure that no information system concerning individuals, no matter how small or specialized, is maintained without public notice.
(c) With respect to each system of records maintained by NCUA, Agency employees shall:
(1) Collect no information of a personal nature from individuals unless authorized to collect it to achieve a function or carry out an NCUA responsibility;
(2) Collect from individuals only that information which is necessary to NCUA functions or responsibilities;
(3) Collect information, wherever possible, directly from the individual to whom it relates;
(4) Inform individuals from whom information is collected of the authority for collection, the purposes thereof, the routine uses that will be made of the information, and the effects, both legal and practical of not furnishing the information;
(5) Not collect, maintain, use, or disseminate information concerning an individual's religious or political beliefs or activities or his membership in associations or organizations, unless:
(i) The individual has volunteered such information for his own benefit;
(ii) The information is expressly authorized by statute to be collected, maintained, used, or disseminated; or
(iii) Activities involved are pertinent to and within the scope of an authorized investigation or adjudication.
(6) Advise their supervisors of the existence or contemplated development of any record system which retrieves information about individuals by individual identifier.
(7) Maintain an accounting, in the prescribed form, of all dissemination of personal information outside NCUA, whether made orally or in writing;
(8) Disseminate no information concerning individuals outside NCUA except when authorized by 5 U.S.C. 552a or pursuant to a routine use as set forth in the “routine use” section of the “Notice of Systems of Records” published in the Federal Register.
(9) Maintain and process information concerning individuals with care in order to ensure that no inadvertent disclosure of the information is made either within or outside NCUA; and
(10) Call to the attention of the proper NCUA authorities any information in a system maintained by NCUA which is not authorized to be maintained under the provisions of the Privacy Act, including information on First Amendment activities, information that is inaccurate, irrelevant or so incomplete as to risk unfairness to the individuals concerned.
(c) Heads of offices within NCUA shall, at least annually, review the record systems subject to their supervision to ensure compliance with the provisions of the Privacy Act.