25 CFR 273.54 - Privacy Act requirements.
(a) When a contractor operates a system of records to accomplish a Bureau function, the contractor shall comply with subpart D of 43 CFR part 2 which implements the Privacy Act (5 U.S.C. 552a). Examples of the contractor's responsibilities are:
(1) To continue maintaining those systems of records declared by the Bureau to be subject to the Privacy Act as published in the Federal Register.
(2) To make such records available to individuals involved.
(3) To disclose an individual's record to third parties only after receiving permission from the individual to whom the record pertains. 43 CFR 2.56 lists exceptions to this procedure.
(4) To establish a procedure to account for access, disclosures, denials, and amendments to records.
(5) To provide safeguards for the protection of the records.
(b) The contractor may not:
(1) Discontinue or alter any established systems of records without prior approval of the appropriate Bureau systems manager.
(2) Deny requests for notification or access of records without prior approval of the appropriate Bureau systems manager.
(3) Approve or deny requests for amendments of records without prior approval of the appropriate Bureau systems manager.
(4) Establish a new system of records without prior approval of the Department of Interior and the Office of Management and Budget.
(5) Collect information about an individual unless it is relevant or necessary to accomplish a purpose of the Bureau as required by statute or Executive Order.
(c) The contractor is subject to the penalties provided in section (i) of 5 U.S.C. 552a.