32 CFR § 806b.16 - Denying or limiting access.
System managers process access denials within 5 workdays after you receive a request for access. When you may not release a record, send a copy of the request, the record, and why you recommend denying access (include the applicable exemption) to the denial authority through the legal office and the Privacy Act office. Judge Advocate offices will include a written legal opinion. The Privacy Act officer reviews the file, and makes a recommendation to the denial authority. The denial authority sends the requester a letter with the decision. If the denial authority grants access, release the record. If the denial authority refuses access, tell the requester why and explain pertinent appeal rights (see subpart F of this part). Before you deny a request for access to a record, make sure that:
(a) The system has an exemption rule published in the Federal Register as a final rule.
(b) The exemption covers each document. (All parts of a system are not automatically exempt.)
(c) Nonexempt parts are segregated.