45 CFR 503.2 - General policies - Privacy Act.
The Commission will protect the privacy of an individual identified in any information or record systems which it maintains. Accordingly, its officials and employees, except as otherwise provided by law or regulation, will:
(b) Permit an individual to prevent a record pertaining to that individual obtained by the Commission for a particular purpose from being used or made available for another purpose without the individual's consent.
(d) Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that the Commission's action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of the information.
(e) Permit exemptions from record requirements provided under the Privacy Act only where an important public policy use for the exemption has been determined in accordance with specific statutory authority.