Subpart D-Maintenance and Establishment of Systems of Records 1008.20 Content of systems of records. 1008.21 Collection of information by DOE about an individual for a system of records. 1008.22 Use and collection of social security numbers. 1008.23 Public notice of systems of records. 1008.24 Criminal penalties-failure to publish a system notice. AUTHORITY: Dept. of Energy Organization Act, Pub. L. 95-91, Executive Order 12091, 42 FR 46267. Privacy Act of 1974, Pub. L. 93-579 (5 U.S.C. 552a). SOURCE: 45 FR 61577, Sept. 16, 1980, unless otherwise noted. Subpart A-General Provisions § 1008.1 Purpose and scope. (a) This part establishes the procedures to implement the Privacy Act of 1974 (Pub. L. 93-579, 5 U.S.C. 552a) within the Department of Energy. (b) This part applies to all systems of records, as defined in §1008.2(m), maintained by DOE. (c) This part applies to all divisions within the DOE, and to the personnel records of the Federal Energy Regulatory Commission (FERC), which are maintained by DOE on behalf of FERC. These regulations do not apply to other systems of records maintained by FERC. These regulations also apply to DOE contractors and their employees to the extent required by 5 U.S.C. 552a(m). § 1008.2 Definitions. (a) Department or Department of Energy (DOE) means all organizational entities which are a part of the executive department created by title II of the Department of Energy Organization Act, Public Law 95-91, except the Federal Energy Regulatory Commission (FERC). (b) Director, Office of Hearings and Appeals means the Director or his delegate. (c) DOE locations means each of the following DOE components: (1) Alaska Power Administration, P.O. Box 50, Juneau, AK 88801. (2) Albuquerque Operations Office, P.O. Box 5400, Albuquerque, NM 87115. NOTE: This office has cognizance over the following area offices: Amarillo, Daytor. Kansas City, Los Alamos, Pinellas, Rocky Flats and Sanria. (3) Bartlesville Energy Technology Center. P.O. Box 1398, Bartlesville, OK 74003. (4) Bonneville Power Administration, P.0. Box 3621, Portland, OR 97268. (5) Chicago Operations Office, 9800 South Cass Avenue, Argonne, IL 60439. NOTE: This office has cognizance over the Batvia and Brookhaven area offices and the New Brunswick laboratory. (6) Grand Forks Energy Technology Certer, P.O. Box 8213, University Station, Grand Forks, ND 58201. (7) Grand Junction Office, P.O. Box 256. Grand Junction, CO 81502. (8) Headquarters, Department of Energy 1000 Independence Avenue, SW., Washington. DC 20585. (9) Idaho Operations Office, 550 Second Street, Idaho Falls, ID 83401. (10) Laramie Energy Technology Center. P.O. Box 3395, University Station, Laramie. WY 82070. (11) Morgantown Energy Technology Center, P.O. Box 880, Morgantown, WV 26505. (12) Nevada Operations Office, P.O. Box 14100, Las Vegas, NV 89114. (13) Oak Ridge Operations Office, P.O. Box E, Oak Ridge, TN 37830. (14) Oak Ridge Technical Information Center, P.O. Box 62, Oak Ridge, TN 37830. (15) Pittsburgh Energy Technology Center. 4800 Forbes Avenue, Pittsburgh, PA 15213. (16) Region I, Analex Building, Room 700. 150 Causeway Street, Boston, MA 02114. (17) Region II, 26 Federal Plaza, Room 3206. New York, NY 10007. (18) Region III, 1421 Cherry Street, 10th Floor, Philadelphia, PA 19102. (19) Region IV, 1655 Peachtree Street, NE.. 8th Floor, Atlanta, GA 30309. (20) Region V, 175 West Jackson Boulevard. Room A-333, Chicago, IL 60604. (21) Region VI, P.O. Box 35228, 2626 West Mockingbird Lane, Dallas, TX 75235. (22) Region VII, Twelve Grand Building. 1150 Grand Avenue, Kansas City, MO 64106. (23) Region VIII, P.O. Box 26247-Belmar Branch, 1075 South Yukon Street, Lakewood, CO 80226. (24) Region IX, 111 Pine Street, Third Floor, San Francisco, CA 94111. (25) Region X, 1992 Federal Building, 915 Second Avenue, Seattle, WA 98174. (26) Richland Operations Office, P.O. Box 550, Richland, WA 99352. (27) San Francisco Operations Office, 1333 Broadway, Wells Fargo Building, Oakland. CA 94612. (28) Savannah River Operations Office, P.0. Box "A," Aiken, SC 29801. (29) Southeastern Power Administration. Elberton, GA 30635. E (30) Southwestern Power Administration, P.O. Drawer 619, Tulsa, OK 74101. (31) Western Area Power Administration, P.O. Box 3402, Golden, CO 80401. (d) General Counsel means the General Counsel provided for in section 202(b) of the Department of Energy Organization Act, or any DOE attorney designated by the General Counsel. (e) Headquarters means all DOE facilities functioning within the Washington, DC metropolitan area. (f) Individual means a citizen of the United States or an alien lawfully admitted for permanent residence, but does not include proprietorships, businesses, or corporations. Where appropriate, the term individual also includes a duly authorized representative of an individual. (g) Maintain means maintain, collect, use, or disseminate. (h) Privacy Act Officer means the person designated by the Director, Office of Administration, as responsible for administering the DOE's program for implementing the requirements of the Privacy Act of 1974 at the DOE locations listed at § 1008.2(c). (i) Record means any item, collection, or grouping of information about an individual that is maintained by or for the DOE including, but not limited, to education, financial transactions, medical history, and criminal or employment history, and that contains that individual's name, or other identifying number, symbol, or other identifying particulars assigned to the individual, such as a finger or voice print or photograph. See subsection (a)(4) of the Act. (j) Routine use means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected. See subsection (a)(7) of the Act. (k) Statistical record means a record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual, except as provided by 13 U.S.C. 8. See subsection (a)(6) of the Act. (1) System Manager means the DOE official who is responsible for a system of records as designated in the system no tice of that system of records published by DOE. (m) System of records means a group of any records under DOE control from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particulars assigned to the individual. See subsection (a)(5) of the Act. (n) Act means the Privacy Act of 1974, Public Law 93-579; references to subsections of the Act mean subsections of section 3 of the Act. $ 1008.3 Employee standards of conduct with regard to privacy. (a) The Headquarters DOE Privacy Act Officer shall assure that DOE personnel are advised of the provisions of the Privacy Act, including the criminal penalties and civil liabilities provided therein, (subsections (g) and (i) of the Act), and that DOE personnel are made aware of their responsibilities: to protect the security of personal information to assure its accuracy, relevance, timeliness and completeness; to avoid unauthorized disclosure; and to insure that no system of records concerning individuals, no matter how insignificant or specialized, is maintained without public notice. (b) DOE personnel shall: (1) Collect or maintain no information of a personal nature about individuals unless relevant and necessary to achieve a purpose or carry out a responsibility of the DOE as required by statute or by Executive Order. See subsection (e)(1) of the Act and § 1008.18(a). (2) Collect information, wherever possible, directly from the individual to whom it pertains. See subsection (e)(2) of the Act and § 1009.19(a). (3) Inform individuals from whom information is collected of the authority for collection, the principal purposes for which the information will be used, the routine uses that will be made of the information, and the effects of not furnishing the information. See subsection (e)(3) of the Act and § 1008.19(b). (4) Collect, maintain, use or disseminate no information concerning an individual's rights guaranteed by the First Amendment, unless: (i) The individual has volunteered such; or (ii) The information is expressly authorized by statute to be collected, maintained, used or disseminated; or (iii) The activities involved are pertinent to and within the scope of an authorized law enforcement activity. See subsection (e)(7) of the Act and § 1008.18(b). (5) Advise their supervisors of the existence or proposal of any system of records which retrieves information about individuals by the individual's name or other identifying number, symbol, or identifying particulars assigned to the individual. (6) Maintain an accounting, in the prescribed form, of all disclosures of information other than those to officers or employees who have a need for the record in the performance of their duties and those required under the Freedom of Information Act. See subsection (c) of the Act. (7) Disclose no records other than to DOE personnel without the advance written consent of the individual, except as authorized by 5 U.S.C. 552a(b) including routine uses published in the FEDERAL REGISTER. (8) Maintain and process information concerning individuals with care to insure that no inadvertent disclosure of the information is made. See subsection (e)(10) of the Act. (9) Inform the proper DOE authorities of any information maintained in a DOE system of records which is not authorized by the Privacy Act of 1974. (c) Heads of Headquarters Divisions and Offices and heads of the other DOE locations shall review annually the systems of records subject to their responsibility to insure compliance with the requirements of the Privacy Act of 1974. § 1008.4 Procedures for identifying the individual making a request for access to or amendment of records. (a) When a request for information about or for access to or correction of a record pertaining to an individual and contained in a system of records has been made pursuant to §1008.6, valid identification of the individual making the request shall be required before information will be given, access granted or a correction considered, to insure that information is given, cor rected, or records disclosed or corrected only at the request of the proper person. (b) Subject to paragraphs (c) and (d) of this section, an individual making a request may establish his identity by: (1) Including with his request, if submitted by mail, a photocopy of two identifying documents bearing his name and signature, one of which shall bear his current home or business address and date of birth; or (2) Appearing at the appropriate DOE location during the regular business hours and presenting either of the following: (i) One identifying document bearing the individual's photograph and signature, such as a driver's license or passport; or (ii) Two identifying documents bearing the individual's name and signature, one of which shall bear the individual's current home or business address and date of birth; or (3) Providing such other proof of identity as the Privacy Act Officer deems satisfactory in the circumstances of a particular request. (c) If the Privacy Act Officer or the appropriate System Manager determines that the information in a record is so sensitive that unauthorized access could cause harm or embarrassment to the individual whose record in involved, or if the individual making the request is unable to produce satisfactory evidence of identity under paragraph (b) or (d) of this section, the individual making the request may be required to submit a notarized statement attesting to his identity and his understanding of the criminal penalties provided under section 1001 of title 18 of the United States Code for making false statements to a Government agency and under subsection (i)(3) of the Act for obtaining records under false pretenses. Copies of these statutory provisions and forms of such notarized statements may be obtained upon request from the Privacy Act Officer. Headquarters, Department of Energy, Washington, DC. (d) When an individual acting as the parent of a minor or the legal guardian of the person to whom a record pertains makes a request pursuant to § 1008.6 of this part: (1) Such an individual shall establish his personal identity in the same manner required in either paragraph (b) or (c) of this section. (2) In addition, such an individual shall establish his identity in the representative capacity of parent or legal guardian. In the case of the parent of a minor, the proof of identity shall be a certified or authenticated copy of the minor's birth certificate. In the case of the legal guardian of a person who has been declared incompetent due to physical or mental incapacity or age by a court of competent jurisdiction, the proof of identity shall be a certified or authenticated copy of the order from a court of competent jurisdiction. (3) A parent or legal guardian may act only for a living individual, not for a decedent. Requests for the records of decedents will be handled under the Freedom of Information Act (5 U.S.C. 552). §1008.5 Effect of the Freedom of Information Act (FOIA). (a) DOE shall not rely on any exemption contained in the Freedom of Information Act (5 U.S.C. 552) to withhold from the individual to whom it pertains, any record which is otherwise accessible to such individual under this part. (b) DOE shall rely on subsection (b) of the Privacy Act to withhold information from a person other than the person to whom the record pertains only when the information is also exempt from disclosure under the FOIA. (c) Where a request for access to records is submitted pursuant to both the FOIA and the Privacy Act, the DOE shall, to the maximum extent possible, process the request under the provisions of this part, including the time limits of this part. Subpart B-Requests for Access or Amendment § 1008.6 Procedures for Privacy Act requests. (a) Any individual may (1) Ask the DOE whether a system of records maintained by the DOE contains records about him or her; (2) Request access to information pertaining to him or her that is maintained in a DOE system of records; (3) Request that information about him or her in a DOE system of records be amended or corrected. Requests for correction or amendment may include inquiries concerning: (i) Whether such information is relevant or necessary to accomplish a purpose that DOE is required to accomplish by statute or Executive Order; or (ii) If the information is to be used by the DOE in making a determination about the individual, whether the information is as accurate, relevant, timely, or complete as is reasonably necessary to assure fairness in the determination. (b) Requests submitted pursuant to this section shall: (1) Be in writing and signed by the individual making the request; (2) State that the request is a "Privacy Act Access" or "Privacy Act Amendment" request; (3) Include the identification information required by § 1008.4; (4) Specify, if possible, the title and identifying number of the system of records as listed in DOE's published notices of system of records; (5) Provide if possible any additional information to aid DOE in responding to the request, for example, a description of the records sought; (6) Indicate, as appropriate, the time, place, and form of access sought. (c) Any request not addressed and marked as specified in paragraph (a) of this section shall be forwarded immediately to the appropriate Privacy Act Officer. An improperly addressed request will not be deemed to have been received for purposes of measuring time periods pursuant to §§ 1008.7 and 1008.10 until actual receipt by the appropriate Privacy Act Officer. The individual making the request shall be notified that the request was improperly addressed and the date when the request was received by the Privacy Act Officer. (d) Assistance in preparing an access request pursuant to this section may be obtained from any DOE Privacy Act Officer at the locations listed at § 1008.2(e). (e) An individual shall not be required to state a reason or otherwise justify his request for information or access to a record pertaining to him/ her that is contained in a system of records. § 1008.7 Processing of requests. (a) Receipt of a request made in accordance with § 1008.6 shall be promptly acknowledged by the Privacy Act Offi cer. (b) Each request shall be acted upon promptly. Every effort will be made to respond within ten working days of the date of receipt by the System Manager or designee. If a response cannot be made within ten working days, the appropriate Privacy Act Officer shall send an interim response providing information on the status of the request, including an estimate of the time within which action is expected to be taken on the request and asking for any further information as may be necessary to respond to the request. Action will be completed as soon as possible, but not later than 20 working days after receipt of the original specific inquiry. In unusual circumstances and for good cause, the appropriate Privacy Act Officer may decide that action cannot be completed within the initial 20 working days. In such case, the appropriate Privacy Act Officer will advise the individual of the reason for the delay and the date (not to exceed an additional 20 working days) by which action can be expected to be completed. (c) The term unusual circumstances as used in this section includes situations where a search for requested records from inactive storage is necessary; cases where a voluminous amount of data is involved; instances where information on other individuals must be separated or expunged from the particular record; and cases where consultation with other agencies which have substantial interest in the response to the request is necessary. (d) Upon receiving a request, the Privacy Act Officer shall ascertain which System Manager or Managers of the DOE have primary responsibility for, custody of, or concern with the system or systems of records subject to the request and shall forward the request to such System Manager or Managers. The System Manager or Managers shall promptly identify and, in consultation with the General Counsel, review the records encompassed by the request. (e) Where the request is for access to or information about records, after reviewing the material the System Manager or Managers concerned shall transmit to the Privacy Act Officer the requested material. The transmission to the Privacy Act Officer shall include any recommendation that the request be granted or wholly or partially denied and shall set forth any exemption categories supporting denials. Any denial recommendation must be concurred in by the appropriate General Counsel. (f) Where the request is for correction or amendment of records, after reviewing the material the System Manager or Managers shall transmit a recommended decision to the Privacy Act Officer. Any recommendation that the request be granted or wholly or partially denied shall cite the exemption relied on and set forth the policy considerations supporting a denial. Any recommendation of denial must be concurred in by General Counsel. § 1008.8 Action in response to a request for access: disclosure of requested information to subject individuals. (a) Consistent with the recommendation of the System Manager and the concurrence of the appropriate General Counsel, the Privacy Act Officer shall provide to the requesting individual the information about or access to a record or information pertaining to the individual contained in a system of records, unless the request is being denied in accordance with §1008.9 of this part. The Privacy Act Officer shall notify the individual of such determination and provide the following information: (1) Whether there is information or a record pertaining to him that is contained in a system of records; (2) The methods of access as set forth in paragraph (b) of this section; (3) The place at which the record or information may be inspected: (4) The earliest date on which the record or information may be inspected and the period of time that the record |