15 CFR § 4.25 - Disclosure of requested records to individuals.
(a)
(1) The responsible Privacy Act Officer shall act promptly upon each request. Every effort will be made to respond within ten working days (i.e., excluding Saturdays, Sundays and legal public holidays) of the date of receipt. If a response cannot be made within ten working days due to unusual circumstances, the Privacy Act Officer shall send an acknowledgment during that period providing information on the status of the request and asking for any further information that may be necessary to process the request. “Unusual circumstances” shall include circumstances in which:
(i) A search for and collection of requested records from inactive storage, field facilities or other establishments is required;
(ii) A voluminous amount of data is involved;
(iii) Information on other individuals must be separated or expunged from the particular record; or
(iv) Consultations with other agencies having a substantial interest in the determination of the request are necessary.
(2) If the Privacy Act Officer fails to send an acknowledgment within ten working days, as provided in paragraph (a)(1) of this section, the requester may ask the Assistant General Counsel for Litigation, Employment, and Oversight to take corrective action. No failure of a Privacy Act Officer to send an acknowledgment shall confer administrative finality for purposes of judicial review.
(3) Inclusion of SSNs on responsive documents.
(i) The Department shall redact SSNs from responsive documents provided to requesters where feasible. Where full redaction is not feasible, partial redaction to create a truncated SSN shall be preferred to no redaction. The following conditions must be met for the inclusion of an unredacted (full) SSN or partially redacted (truncated) SSN on a responsive document:
(ii) The inclusion of the full SSN or truncated SSN of an individual must be required or authorized by law,
(iii) The inclusion of the full SSN or truncated SSN of an individual must be determined by the Senior Agency Official for Privacy and Departmental Privacy Act Officer to be necessary to fulfill a compelling Department business need; and
(iv) The full SSN of an individual may be included only on documents listed on the USMDL.
(4) The following requirements apply when the Department mails or delivers responsive documents containing SSNs or truncated SSNs:
(i) The full SSN of an individual may be included only on documents listed on the USMDL.
(ii) For documents that are listed on the USMDL and that include the full SSN of an individual, the signature of the recipient is required upon delivery.
(iii) For documents that include the truncated form of the SSN of an individual, the signature of the recipient is required upon delivery.
(iv) The full SSN, the truncated SSN, any part of the SSN of an individual must not be visible from the outside of the envelope or package.
(b) Grant of access: (1) Notification. An individual shall be granted access to a record pertaining to him or her, unless the provisions of paragraph (g)(1) of this section apply. The Privacy Act Officer shall notify the individual of a determination to grant access, and provide the following information:
(i) The methods of access, as set forth in paragraph (b)(2) of this section;
(ii) The place at which the record may be inspected;
(iii) The earliest date on which the record may be inspected and the period of time that the records will remain available for inspection. In no event shall the earliest date be later than thirty calendar days from the date of notification;
(iv) The estimated date by which a copy of the record will be mailed and the fee estimate pursuant to § 4.31. In no event shall the estimated date be later than thirty calendar days from the date of notification;
(v) The fact that the individual, if he or she wishes, may be accompanied by another individual during personal access, subject to the procedures set forth in paragraph (f) of this section; and,
(vi) Any additional prerequisites for granting access to a specific record.
(2) Methods of access. The following methods of access to records by an individual may be available depending on the circumstances of a given situation:
(i) Inspection in person may be had in the office specified by the Privacy Act Officer granting access, during the hours indicated in Appendix A to this part;
(ii) Transfer of records to a Federal facility more convenient to the individual may be arranged, but only if the Privacy Act Officer determines that a suitable facility is available, that the individual's access can be properly supervised at that facility, and that transmittal of the records to that facility will not unduly interfere with operations of the Department or involve unreasonable costs, in terms of both money and manpower; and,
(iii) Copies of documents may be mailed at the request of the individual and may be subject to payment of the fees prescribed in §§ 4.25(a)(3) and 4.31. In the event that the Department, at its own initiative, elects to provide a copy by mail, no fee will be charged to the individual.
(iv) Copies of documents listed on the USMDL that include full SSNs and that are requested by an individual are subject to payment of the fees prescribed in § 4.31.
(v) Documents containing SSNs or truncated SSNs that are required to be returned by the individual to the Department will be mailed or delivered along with a prepaid mail or delivery service envelope at the expense of the Department.
(c) Access to medical records is governed by the provisions of § 4.26.
(d) The Department shall supply such other information and assistance at the time of access as to make the record intelligible to the individual.
(e) The Department reserves the right to limit access to copies and abstracts of original records, rather than the original records. This election would be appropriate, for example, when the record is in an automated data medium such as tape or disc, when the record contains information on other individuals, and when deletion of information is permissible under exemptions (for example, 5 U.S.C. 552a(k)(2)). In no event shall original records of the Department be made available to the individual except under the immediate supervision of the Privacy Act Officer or his or her designee.
(f) Any individual who requests access to a record pertaining to that individual may be accompanied by another individual of his or her choice. “Accompanied” includes discussing the record in the presence of the other individual. The individual to whom the record pertains shall authorize the presence of the other individual in writing. The authorization shall include the name of the other individual, a specific description of the record to which access is sought, the Department control number assigned to the request, the date, and the signature of the individual to whom the record pertains. The other individual shall sign the authorization in the presence of the Privacy Act Officer. An individual shall not be required to state a reason or otherwise justify his or her decision to be accompanied by another individual during personal access to a record.
(g) Initial denial of access: (1) Grounds. Access by an individual to a record that pertains to that individual will be denied only upon a determination by the Privacy Act Officer that:
(i) The record is exempt under § 4.33 or 4.34, or exempt by determination of another agency publishing notice of the system of records, as described in § 4.23(f);
(ii) The record is information compiled in reasonable anticipation of a civil action or proceeding;
(iii) The provisions of § 4.26 pertaining to medical records have been invoked; or
(iv) The individual unreasonably has failed to comply with the procedural requirements of this part.
(2) Notification. The Privacy Act Officer shall give notice of denial of access to records to the individual in writing, and the notice shall include the following information:
(i) The Privacy Act Officer's name and title or position;
(ii) The date of the denial;
(iii) The reasons for the denial, including citation to the appropriate section of the Act and this part;
(iv) The individual's opportunities, if any, for further administrative consideration, including the identity and address of the responsible official. If no further administrative consideration within the Department is available, the notice shall state that the denial is administratively final; and,
(v) If stated to be administratively final within the Department, the individual's right to judicial review provided under 5 U.S.C. 552a(g)(1), as limited by 5 U.S.C. 552a(g)(5).
(3) Administrative review. If a Privacy Act Officer issues an initial denial of a request, the individual's opportunities for further consideration shall be as follows:
(i) As to denial under paragraph (g)(1)(i) of this section, two opportunities for further consideration are available in the alternative:
(A) If the individual contests the application of an exemption to the records, the review procedures in § 4.25(g)(3)(ii) shall apply; or,
(B) If the individual challenges the validity of the exemption itself, the individual must file a petition for the issuance, amendment, or repeal of a rule under 5 U.S.C. 553(e). If the exemption was determined by the Department, such petition shall be filed with the Assistant Secretary for Administration. If the exemption was determined by another agency (as described in § 4.23(f)), the Department will provide the individual with the name and address of the other agency and any relief sought by the individual shall be that provided by the regulations of the other agency. Within the Department, no such denial is administratively final until such a petition has been filed by the individual and disposed of on the merits by the Assistant Secretary for Administration.
(ii) As to denial under paragraphs (g)(1)(ii) of this section, (g)(1)(iv) of this section or (to the limited extent provided in paragraph (g)(3)(i)(A) of this section) paragraph (g)(1)(i) of this section, the individual may file for review with the Assistant General Counsel for Litigation, Employment, and Oversight, as indicated in the Privacy Act Officer's initial denial notification. The individual and the Department shall follow the procedures in § 4.28 to the maximum extent practicable.
(iii) As to denial under paragraph (g)(1)(iii) of this section, no further administrative consideration within the Department is available because the denial is not administratively final until expiration of the time period indicated in § 4.26(a).
(h) If a request is partially granted and partially denied, the Privacy Act Officer shall follow the appropriate procedures of this section as to the records within the grant and the records within the denial.