45 CFR § 2508.11 - How shall offices maintaining a system of records be accountable for those records to prevent unauthorized disclosure of information?
(a) Each office maintaining a system of records shall account for all records within such system by maintaining a written log in the form prescribed by the Director, Administration and Management Services, containing the following information:
(1) The date, nature, and purpose of each disclosure of a record to any person or to another agency. Disclosures made to employees of the Corporation in the normal course of their duties, or pursuant to the provisions of the Freedom of Information Act, need not be accounted for.
(2) Such accounting shall contain the name and address of the person or agency to whom the disclosure was made.
(3) The accounting shall be maintained in accordance with a system of records approved by the Director, Administration and Management Services, as sufficient for the purpose but in any event sufficient to permit the construction of a listing of all disclosures at appropriate periodic intervals.
(4) The accounting shall reference any justification or basis upon which any release was made including any written documentation required when records are released for statistical or law enforcement purposes under the provisions of subsection (b) of the Privacy Act of 1974 (5 U.S.C. 552a).
(6) Any subject individual may request access to an accounting of disclosures of a record. The subject individual shall make a request for access to an accounting in accordance with § 2508.13. An individual will be granted access to an accounting of the disclosures of a record in accordance with the procedures of this subpart which govern access to the related record. Access to an accounting of a disclosure of a record made under § 2508.13 may be granted at the discretion of the Director, Administration and Management Services.