13 CFR 102.22 - Requirements relating to systems of records.
(a) In general. Each SBA office shall, in accordance with the Privacy Act:
(1) Maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the Agency required to be accomplished by a statute or by Executive Order of the President;
(2) Collect information to the greatest extent practicable directly from the subject individual when the information may affect an individual's rights, benefits, and privileges under Federal programs;
(b) Requests for information from individuals. If a form is being used to collect information from individuals, either the form used to collect the information, or a separate form that can be retained by the individual, must state the following:
(1) The authority (whether granted by statute, or by Executive Order of the President) which authorizes the solicitation of the information and whether disclosure of such information is mandatory or voluntary;
(2) The principal purpose or purposes for which the information is intended to be used;
(3) The routine uses which may be made of the information; and
(4) The effects on such individual, if any, of not providing all or any part of the requested information.
(c) Report on new systems. Each SBA office shall provide adequate advance notice to Congress and OMB through the FOI/PA Office of any proposal to establish or alter any system of records in order to permit an evaluation of the probable or potential effect of such proposal on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals.
(d) Accurate and secure maintenance of records. Each SBA office shall:
(1) Maintain all records which are used in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination;
(2) Prior to disseminating any record from a system of records about an individual to any requestor, including an agency, make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for SBA purposes; and
(3) Establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.
(i) PASMs, with the approval of the head of their offices, shall establish administrative and physical controls, consistent with SBA regulations, to insure the protection of records systems from unauthorized access or disclosure and from physical damage or destruction. The controls instituted shall be proportional to the degree of sensitivity of the records but at a minimum must ensure that records other than those available to the general public under the FOIA, are protected from public view, that the area in which the records are stored is supervised during all business hours and physically secured during non-business hours to prevent unauthorized personnel from obtaining access to the records.
(ii) PASMs, with the approval of the head of their offices, shall adopt access restrictions to insure that only those individuals within the agency who have a need to have access to the records for the performance of their duties have access to them. Procedures shall also be adopted to prevent accidental access to, or dissemination of, records.
(e) Prohibition against maintenance of records concerning First Amendment rights. No SBA office shall maintain a record describing how any individual exercises rights guaranteed by the First Amendment (e.g. speech), unless the maintenance of such record is:
(1) Expressly authorized by statute, or
(2) Expressly authorized by the individual about whom the record is maintained, or
(3) Pertinent to and within the scope of an authorized law enforcement activity.