(3) Assuring that NASA employees and officials are informed of their responsibilities and that they receive appropriate training for the implementation of these requirements; and

(4) Preparing and submitting the annual and special reports required under this part, including establishing appropriate reporting procedures.

(b) The Associate Administrator for Management may establish a position of "NASA Privacy Officer" or designate someone to function as such an officer, reporting directly to the Associate Administrator for Management, and delegate to that officer any of the functions described in paragraph (a) of this section.

[44 FR 54994, Sept. 24, 1979, as amended at 47 FR 50467, Nov. 8, 1982]

§ 1212.304 System manager.

(a) Each system manager is responsible for the following with regard to the system of records over which the system manager has congnizance:

(1) Overall compliance with the Privacy Act and these regulations,

(2) Ensuring that each person involved in the design, development, operation or maintenance of the system of records is instructed with respect to the requirements of this part and the possible penalties for noncompliance;

(3) Submitting a request to the Associate Deputy Administrator for an exemption of the system under Subpart 1212.7, setting forth in proposed rulemaking form the reasons for the exemption and citing the specific provision of the Privacy Act which is believed to authorize the exemption;

the

(4) After consultation with Office of the General Counsel or the Chief Counsel, making reasonable efforts to serve notice on an individual when any record on such individual is made available to any person under compulsory legal process when such process becomes a matter of public record;

(5) In accordance with the requirements of § 1212.601, making an initial determination on an individual's request to correct or amend a record;

(6) Prior to disclosure of any record about an individual, assuring that the record is first reviewed for accuracy, completeness, timeliness and relevance;

(7) Authorizing disclosures of a record without the individual's consent under § 1212.400(b)(1) through (11);

(8) Responding within the requirements of § 1212.500 to an individual's request for information as to whether the system contains a record pertaining to the individual;

(9) In accordance with the requirements of Subpart 1212.5, responding to an individual's request for access and copying of a record;

(10) Correcting a record under § 1212.606, or filing in an individual's record a statement of dispute and the NASA addendum submitted in accordance with § 1212.607;

(11) Preparing an addendum to an individual's statement of dispute (§ 1212.607);

(12) Maintaining disclosure accountings in accordance with the requirements of § 1212.401;

(13) Notifying persons to whom a record has been disclosed and for which an accounting was made as to disputes and corrections involving the record; and

(14) Developing appropriate safeguards for the system of records.

(b) Where a system of records has subsystems described in the system notice, the subsystem manager will have the responsibilities outlined in paragraph (a) of this section. Although the system manager has no line authority over subsystem managers, the system manager does have overall functional responsibility for the total system, and may issue guidance to subsystem managers on implementation of this part. When furnishing information for required reports, the system manager will be responsible for reporting on the entire system of records, including any subsystems.

(c) Exercise of the responsibilities and authorities in paragraph (a) of this section by any system or subsystem managers at a NASA installation shall be subject to any conditions or limitations imposed in accordance

with § 1212.303 (a)(4) and (b).

[44 FR 54994, Sept. 24, 1979, as amended at 47 FR 50467, Nov. 8, 1982]

quiring the maintenance of a system of records in order to accomplish an agency function are made subject to the requirements of this part.

§ 1212.306 Delegation of authority.

Authority necessary to carry out the responsibilities specified in this Subpart 1212.3 is delegated to the officials named, subject to any conditions or limitations imposed in accordance with § 1212.303 (a)(4) and (b).

Subpart 1212.4-Disclosure of Records

§ 1212.400

Restrictions on disclosure.

(a) No record in a NASA system of records shall be disclosed to any person, or to another agency, except by written request of, or with the prior written consent of the individual to whom the record pertains, unless the disclosure is authorized by paragraph (b) of this section.

(b) Under 5 U.S.C. 552a(b), disclosure of a record in a NASA system of records is authorized without the consent of the subject individual, if the disclosure of the record would be:

(1) To an officer or employee of NASA who has a need for the record in the performance of official duties;

(2) Required under the Freedom of Information Act (5 U.S.C. 552) and Part 1206;

(3) For a routine use described in the system notice for the system of records;

(4) To the Bureau of Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of Title 13, United States Code;

(5) To a recipient who has provided NASA with adequate advance written assurance that the record will be used solely as a statistical record, and the record is transferred in a form that is not individually identifiable;

(6) To the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Administrator of General Services Administration or a

designee to determine whether the record has such value;

(7) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, if the activity is authorized by law and if the head of the agency or instrumentality has made a written request to NASA specifying the particular portion desired and the law enforcement activity for which the record is sought;

(8) To a person on a showing of compelling circumstances affecting the health or safety of an individual if notification of the disclosure is sent to the last known address of the subject individual;

(9) To either House of Congress or, to the extent the matter is within its jurisdiction, any committee or subcommittee of Congress, any joint committee of Congress or subcommittee of any such joint committee;

(10) To the Comptroller General, or any authorized representatives, in the course of the performance of the duties of the General Accounting Office; or

(11) By order of a court of competent jurisdiction.

§ 1212.401 Accounting of certain disclo

sures.

(a) The system manager shall keep a disclosure accounting for each disclosure to a third party of a record from a system of records. Disclosure accountings are not required but are recommended for disclosures made:

(1) With the subject individual's consent, or

(2) Under the authority of § 1212.400(b) (1) or (2).

(b) The disclosure accounting required by paragraph (a) of this section include:

(1) The date, nature, and purpose of the disclosure; and

(2) The name and address of the recipient person or agency.

(c) The disclosure accounting shall be retained for at least 5 years after the disclosure or for the life of the record, whichever is longer.

(d) The disclosure accounting maintained under the requirements of this

section is not itself a system of records.

[44 FR 54994, Sept. 24, 1979, as amended at 47 FR 50467, Nov. 8, 1982]

§ 1212.402 Access to disclosure accounting.

Except for disclosures made under the authority of § 1212.400(b)(7) or where the system is exempt (see Subpart 1212.7), the disclosure accounting required under § 1212.401 shall be made available to the subject individual upon request in accordance with Subpart 1212.5

§ 1212.403 Review of records for accuracy.

Before disclosing any record about an individual to any person other than a NASA employee, unless the disclosure is required under the Freedom of Information Act (see § 1212.400(b)(2)), NASA shall make reasonable efforts to assure that the record is accurate, complete, timely and relevant for NASA purposes.

§ 1212.404 Notification of disclosure under compulsory legal process.

If a record is disclosed to any person under a compulsory legal process, the NASA system manager, after consultation with the Office of the General Counsel or the Chief Counsel, shall make reasonable efforts to serve notice on the subject individual when the compulsory process becomes a matter of public record. The mailing of notice to the individual's last known address constitutes a reasonable effort to notify the individual.

§ 1212.405 Notification to prior recipients of corrected or disputed records. If any correction or statement of dispute is made or filed in a record under Subpart 1212.6, the NASA system manager shall notify each person or agency to whom that portion of the record had been disclosed, if an accounting of the disclosure exists under § 1212.401, as to the correction or statement of dispute.

Subpart 1212.5-Access to Records

§ 1212.500 Requests for access or general

information.

(a) The procedures outlined in this Subpart 1212.5 apply to the following types of requests under the Privacy Act made by individuals concerning records about themselves:

(1) To determine if information on the requester is included in a system of records;

(2) For access to a record; and

(3) For an accounting of disclosures. (b)(1) Requests must be directed to the appropriate system manager, or, if unknown, to the NASA information center. The request should be identified clearly on the envelope and on the letter as a "Request Under the Privacy Act."

to

(2) If known, requests should contain the following information insure timely processing:

(i) Name and address of subject. (ii) Identity of the system of records. (iii) Nature of the request. If a request for amendment, a complete and comprehensive description of the amendment.

(iv) Identifying information such as location of the record, if known, full name, birth date, etc., as specified in the applicable system notice to assist in identifying the request.

or

(c)(1) If a request for access amendment is received by the information center, it will record the date of receipt and immediately forward the request to the responsible system manager for handling.

(2) The NASA information center or the system manager, as appropriate, will acknowledge receipt of the request by NASA within 10 work days. If the request is so incomplete or incomprehensible that the requested record cannot be identified, additional information or clarification will be requested in the acknowledgment, and assistance to the individual will be offered as appropriate. If the request is sufficient for processing, the acknowledgment shall identify the responsible system manager.

(d) NASA need not comply with a general request for access to information concerning an individual, e.g., a request to provide copies of "all infor

(a) Upon request in person, and following the identification procedures of § 1212.502, a subject individual and any accompanying representative shall be granted access to his or her record, including the right to request copies, unless the system of records has been determined to be exempt from this requirement under 5 U.S.C. 552a (j) or (k).

(b)(1) Upon a written request of the subject individual, the individual's representative shall be granted access to unless the subject's record, that system of records has been determined to be exempt under 5 U.S.C. 552a (j) or (k). The representative also may request copies of all or a portion of the record.

(2) A written request to allow access by a representative shall be signed by the subject individual and contain his or her address as well as the name and address of the representative being authorized access. The identities of both the subject individual and the representative must be verified following the procedures of § 1212.502.

(c) When an individual submits a request for records citing both the Privacy Act and the Freedom of Information Act, it shall be processed under Part 1206 if the individual is seeking records pertaining to a third party. If the individual is seeking his or her own records, the request shall be processed under this part. If the records requested are required to be released under the Freedom of Information Act (5 U.S.C. 552(b)), then a Privacy Act exemption may not be invoked to deny access. NASA shall not rely on any ex

emption contained in the Freedom of Information Act to withhold from an individual any record which is otherwise accessible to the individual under this part.

§ 1212.502 Identification procedures.

(a) Before a copy of a record is sent by mail in response to a written request for access, there must be sufficient evidence to assure that the requester and the subject of the record are the same. NASA reserves the right, at the discretion of the system manager, to require that a certificate of a notary public or equivalent official empowered to administer oaths accompany the request.

(b)(1) Before granting access to records in person, the requester or representative shall present appropriate and satisfactory identification, including:

or

(i) A valid unexpired driver's permit;

(ii) An official employment identification card or badge; or

(iii) Any other form of identification which includes the individual's name, signature, or photograph or physical description.

(2) If the individual has no suitable identification, a written statement shall be required asserting the individual's identity and stipulating that the individual understands that knowingly or willfully seeking or obtaining access to records about another individual under false pretenses is a misdemeanor and punishable by a fine of up to $5,000. A form will be provided by the system manager for this purpose.

(c) No verification of identity will be requested of individuals seeking access to records available to any member of the public under the Freedom of Information Act (5 U.S.C. 552) and Part 1206.

(d) Identity procedures more stringent than those required in this section may be prescribed by the system manager in the system notice when the records are medical or other highly sensitive records.

§ 1212.503 Fee schedule.

The system manager will follow the provisions of Subpart 1206.7 in charg

ing search and duplication fees for records.

§ 1212.504 Procedures for responding to requests for access.

(a)(1) The system manager, in response to a request for access, shall:

(i) Notify the requester that there is no record on the individual in the system of records; or

(ii) Make the individual's record available for personal inspection in the presence of a NASA representative, or upon request, promptly provide copies of the record, subject to the fee requirements.

(2) Unless the system manager agrees to another location, personal inspection of the record shall be at the location of the record as identified in the system notice.

(b) Normally, the system manager shall respond to a request for access within 10 work days of receipt of the request and the access shall be provided within 30 work days.

(c) The provisions of paragraph (a) do not apply where the record is subject to additional restrictions as specified in the system notice, or if it is exempt under 5 U.S.C. 552a (j) or (k) and is not otherwise required to be released under the Freedom of Information Act. Under these circumstances, the system manager shall notify the requester within 10 work days.

(d) In the event a request for access to a record is not granted within 30 work days of receipt of the request, the individual shall have the right to appeal. Such an appeal shall be filed and processed under the provisions of Subpart 1212.6. In any determination by a system manager denying an individual's request for access made under this section, the individual shall be informed in writing of:

(1) The reasons for the refusal; and (2) The procedures to be followed to request a review of the refusal by the Associate Deputy Administrator, including the mailing address. (See § 1212.602)

8 1212.505 Medical records.

Normally, an individual's medical record shall be disclosed to the individual, unless, in the judgment of the