31 CFR § 1.28 - Training, rules of conduct, penalties for non-compliance.

§ 1.28 Training, rules of conduct, penalties for non-compliance.

(a) Training. The Deputy Assistant Secretary for Privacy, Transparency, & Records must institute a Departmental training program to instruct Treasury employees and employees of Government contractors covered by 5 U.S.C. 552a(m), who are involved in the design, development, operation, or maintenance of any system of records, on a continuing basis with respect to the duties and responsibilities imposed on them and the rights conferred on individuals by the Privacy Act, the regulations in this subpart, including the appendices thereto, and any other related regulations. Such training must provide suitable emphasis on the civil and criminal penalties imposed on the Department and the individual employees by the Privacy Act for non-compliance with specified requirements of the Act as implemented by the regulations in this subpart. Components may supplement or supplant the departmental annual privacy awareness training to address Privacy Act issues unique to their missions. (See 5 U.S.C. 552a(e)(9).)

(b) Rules of conduct. In addition to the Standards of Conduct published in part 0 of this title, particularly 31 CFR 0.735–44, the following applies to Treasury employees (including, to the extent required by the contract or 5 U.S.C. 552a(m), Government contractors and employees of such contractors), who are involved in the design, development, operation, or maintenance of any system of records, or in maintaining any records, for or on behalf of the Department, including any component thereof.

(1) The head of each office of a component of the Department is responsible for assuring that employees subject to such official's supervision are advised of the provisions of the Privacy Act, including the criminal penalties and civil liabilities provided therein, and the regulations in this subpart, and that such employees are made aware of their individual and collective responsibilities to protect the security of personal information, to assure its accuracy, relevance, timeliness and completeness, to avoid unauthorized disclosure either orally or in writing, and to insure that no system of records is maintained without public notice.

(2) Treasury must:

(i) Collect no information about individuals for maintenance in a system of records unless authorized to collect it to achieve a function or carry out a responsibility of the Department;

(ii) Collect from individuals only that information which is relevant and necessary to perform Department functions or responsibilities, unless related to a system exempted under 5 U.S.C. 552a(j) or (k);

(iii) Collect information, to the greatest extent practicable, directly from the individual to whom it relates, unless related to a system exempted under 5 U.S.C. 552a(j);

(iv) Inform individuals (and third parties, if feasible) from whom information is collected of the authority and purposes for collection, the use that will be made of the information, and the effects, both legal and practical, of not furnishing the information;

(v) Neither collect, maintain, use nor disseminate information concerning an individual's mere exercise of their First Amendment rights, including: an individual's religious or political beliefs or activities; membership in associations or organizations; freedom of speech and of the press, and freedom of assembly and petition, unless:

(A) The individual expressly authorizes it (for example, volunteering relevant and necessary information to obtain a benefit or enforce a right);

(B) A statute expressly/explicitly authorizes the collection, maintenance, use or dissemination of the information (whether or not the statute specifically refers to the First Amendment); or

(C) The activities involved are pertinent to and within the scope of an authorized investigation, adjudication or correctional activity;

(vi) Advise their supervisors of the existence or contemplated development of any record system which is capable of retrieving information about individuals by individual identifier (to determine if actual retrieval is or will necessarily occur with some degree of regularity when the system of records becomes operational);

(vii) Disseminate outside the Department no information from a system of records without the written consent of the individual who is the subject of the records unless disclosure is authorized by one of the 12 exemptions in 5 U.S.C. 552a(b), which includes disclosure pursuant to a routine use published in a system of records notice in the Federal Register;

(viii) Assure that an accounting is kept in the prescribed form of information about individuals that is maintained in a system of records and disseminated outside the Department, whether made orally or in writing, unless disclosed under 5 U.S.C. 552 and subpart A of this part;

(ix) Collect, maintain, use, and disseminate information about individuals in a manner that ensures that no inadvertent disclosure of the information is made either within or outside the Department; and

(x) Assure that the proper Department authorities (e.g., component privacy officer, legal counsel) are aware of any information in a system maintained by the Department which is not/might not be authorized under the provisions of the Privacy Act, including information on how an individual exercises their First Amendment rights, information that is/may be inaccurate, irrelevant, or so incomplete as to risk unfairness to the individual concerned if used to make adverse determinations.

(c) Criminal penalties.

(1) The Privacy Act imposes criminal penalties on the conduct of Government officers or employees as follows: Any officer or employee of an agency (which term includes Treasury):

(i) Who by virtue of their employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section (see 5 U.S.C. 552a) or regulations in this subpart established under the Privacy Act, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it; or

(ii) Who willfully maintains a system of records without meeting the notice requirements of paragraph (e)(4) of this section (see 5 U.S.C. 552a)—shall be guilty of a misdemeanor and fined not more than $5,000.

(2) The Privacy Act also imposes a collateral criminal penalty (misdemeanor and a fine of not more than $5,000) on the conduct of any person who knowingly and willfully requests or obtains records covered by the Privacy Act from an agency under false pretenses.

(3) For the purposes of 5 U.S.C. 552a(i), the provisions of paragraph (c)(1) of this section are applicable to Government contractors and employees of such contractors who by contract, operate by or on behalf of the Treasury a system of records to accomplish a Departmental function. Such contractor and employees are considered employees of the Treasury for the purposes of 5 U.S.C. 552a(i). (See 5 U.S.C. 552a(i) and (m).)