(3) Personnel Records-Preemployment Investigation Records, USPS 120.110; Personnel Records-Postmaster Selection Program Records, USPS 120.130. These systems of records are exempt from 5 U.S.C. 552a(d)(1)–(4) and (e)(1) to the extent that information in the system is subject to exemption under 5 U.S.C. 552a(k)(5) as relating to the identity of a source who furnished information to the government in confidence as a part of an investigation conducted solely for the purpose of determining suitability, eligibility, or qualifications of an individual for employment. The reasons for exemption follow:

(i) During its investigation and evaluation of an applicant for a position, the Postal Service contacts individuals who, without an assurance of anonymity, would refuse to provide information concerning the subject of the investigation. If a record subject were given access pursuant to subsection (d)(1)–(4), the promised confidentiality would be breached and the confidential source would be identified. The result would be restriction of the free flow of information vital to a determination of an individual's qualifications and suitability for appointment to or continued occupancy of his position.

(ii) In collecting information for investigative and evaluative purposes, it is impossible to determine in advance what information might be of assistance in determining the qualifications and suitability of an individual for appointment. Information that seems irrelevant, when linked with other information, can sometimes provide a composite picture of an individual that assists in determining whether that individual should be appointed to or retained in a position. For this reason, exemption from subsection (e)(1) is claimed.

(4) Personnel Records-Personnel Research and Test Validation Records, USPS 120.120; Personnel Records-Career Development and Training Records, USPS 120.152. These systems of records are exempt from 5 U.S.C. 552a(d)(1)–(4), (e)(4)(G) and (H), and (f) to the extent that information in the system is subject to exemption pursuant to 5 U.S.C. 552a(k)(6) as relating to the

com

of the testing or examination process. The reasons for exemption follow:

(i) These systems contain questions and answers to standard testing materials, the disclosure of which would compromise the fairness of the future use of these materials. It is not feasible to develop entirely new examinations after each administration as would be necessary if questions or answers were available for inspection and copying. Consequently, exemption from subsection (d) is claimed.

(ii) The requirements of subsections (e)(4)(G) and (H), and (f) do not apply to these systems for which exemption from subsection (d) of the Act has been claimed. Nevertheless, the Postal Service has published notice of its notification, access, and contest procedures because access to system records that do not compromise the objectivity or fairness of the testing examination process is appropriate in some cases.

(5) Personnel Records-Recruiting, Examining, and Appointment Records, USPS 120.151. This system is exempt from 5 U.S.C. 552a(d)(1)–(4), (e)(1), (e)(4)(G) and (H), and (f) to the extent that information in the system is subject to exemption pursuant to 5 U.S.C. 552a(k)(5) as relating to the identity of a source who has furnished information to the government in confidence as part of an investigation conducted solely for the purpose of determining suitability, eligibility, or qualifications of an individual for employment; and to exemption pursuant to subsection 5 U.S.C. 552a(k)(6) as relating to the compromise of the objectivity or fairness of the testing or examination process. The reasons for exemption follow:

(i) To the extent that information in this system is subject to exemption pursuant to 5 U.S.C. 552a(k)(5), application of the provisions at subsection (d)(1)-(4) would reveal to the applicant whose suitability is being investigated the identity of individuals who supplied information under a promise of anonymity. As a result, the Postal Service's promise of confidentiality would be breached, its ability to obtain information in the future would be diminished, and the information source could be subjected to harassment by

the applicant. To the extent that information in this system is subject to exemption pursuant to 5 U.S.C. 552a(k)(6), the requirements of the exemption at subsection (d)(1)–(4) and the reasons for exempting information relating to the compromise of the objectivity or fairness of the testing or examination process are the same as those given in paragraph (b)(5)(i) of this section.

(ii) The reasons for exempting this system of records from subsection (e)(1) are the same as those given in paragraph (b)(4)(ii) of this section.

(iii) The requirements of subsections (e) (4) (G) and (H), and (f) do not apply to this system for which exemption from subsection (d) of the Act has been claimed. Nevertheless, the Postal Service has published notice of its notification, access, and contest procedures because access to system records that do not compromise the objectivity or fairness of the testing or examination process or reveal the identity of a confidential is appropriate in some cases.

(6) Equal Employment Opportunity— EEO Discrimination Complaint Investigations, USPS 030.010. This system is exempt from 5 U.S.C. 552a(d) (1)–(4), (e) (4) (G) and (H), and (f) to the extent that information in the system is subject to exemption pursuant to 5 U.S.C. 552a(k)(2) as material compiled for law enforcement purposes and subsection (k)(5) as relating to the identity of a source who has furnished information to the government in confidence as a part of an investigation conducted solely for the purpose of determining suitability, eligibility, or qualifications of an individual for employment. The reasons for exemption follow.

(i) To the extent that information in this system is subject to exemption pursuant to 5 U.S.C. 552a(k)(2), application of the requirements of the exemption at subsection (d)(1)-(4) would cause disruption of enforcement of the laws relating to equal employment opportunity (EEO). To the extent that information in this system is subject to exemption pursuant to 5 U.S.C. 552a(k)(5), application of the provisions at subsection (d)(1)–(4) would reveal to the EEO complainant the identity of individuals who supplied information under a promise of anonymity. It is essential to the integrity of the EEO

complaint system that information collected in the investigative process not be prematurely disclosed and that witnesses be free from restraint, interference, coercion, or reprisal.

(ii) The requirements of subsections (e) (4) (G) and (H), and (f) do not apply to this system for which exemption from subsection (d) of the Act has been claimed. Nevertheless, the Postal Service has published notice of its notification, access, and contest procedures because access to system records that do not compromise the investigative process or reveal the identity of confidential sources is appropriate in some

cases.

[59 FR 35625, July 13, 1994]

$266.10 Computer matching.

(a) General. Any agency or Postal Service component that wishes to use records from a Postal Service automated system of records in a computerized comparison with other postal or non-postal records must submit its proposal to the USPS Freedom of Information/Privacy Acts Officer. Computer matching programs as defined in paragraph (c) of § 262.5 must be conducted in accordance with the Privacy Act, implementing guidance issued by the Office of Management and Budget and these regulations. Records may not be exchanged for a matching program until all procedural requirements of the Act and these regulations have been met. Other matching activities must be conducted in accordance with the Privacy Act and with the approval of the Freedom of Information/Privacy Acts Officer. See paragraph (b)(6) of $266.4.

(b) Procedure for submission of matching proposals. A proposal must include information required for the matching agreement discussed in paragraph (d)(1) of this section. The Inspection Service must submit its proposals for matching programs and other matching activities to the USPS Freedom of Information/Privacy Acts Officer through: Independent Counsel, Inspection Service, U.S. Postal Service, 475 L'Enfant Plaza SW, Rm 3417, Washington, DC 20260-2181. All other matching proposals, whether from postal organizations or other government agencies, must be mailed directly to: Freedom of

Information/Privacy Acts Officer, U.S. Postal Service, 475 L'Enfant Plaza SW., Washington, DC 20260-5202.

(c) Lead time. Proposals must be subImitted to the USPS Freedom of Information/Privacy Acts Officer at least 3 months in advance of the anticipated starting date to allow time to meet Privacy Act publication and review requirements.

(d) Matching agreements. The participants in a computer matching program must enter into a written agreement specifying the terms under which the matching program is to be conducted. The Freedom of Information/Privacy Acts Officer may require similar written agreements for other matching activities.

(1) Content. Agreements must specify: (i) The purpose and legal authority for conducting the matching program;

(ii) The justification for the program and the anticipated results, including, when appropriate, a specific estimate of any savings in terms of expected costs and benefits, in sufficient detail for the Data Integrity Board to make an informed decision;

(iii) A description of the records that are to be matched, including the data elements to be used, the number of records, and the approximate dates of the matching program;

(iv) Procedures for providing notice to individuals who supply information that the information may be subject to verification through computer matching programs;

(v) Procedures for verifying information produced in a matching program and for providing individuals an opportunity to contest the findings in accordance with the requirement that an agency may not take adverse action against an individual as a result of information produced by a matching program until the agency has independently verified the information and provided the individual with due process;

(vi) Procedures for ensuring the administrative, technical, and physical security of the records matched; for the retention and timely destruction of records created by the matching program; and for the use and return or destruction of records used in the program;

(vii) Prohibitions concerning duplication and redisclosure of records exchanged, except where required by law or essential to the conduct of the matching program;

(viii) Assessments of the accuracy of the records to be used in the matching program; and

(ix) A statement that the Comptroller General may have access to all records of the participant agencies in order to monitor compliance with the agreement.

(2) Approval. Before the Postal Service may participate in a computer matching program or other computer matching activity that involves both USPS and non-USPS records, the Data Integrity Board must have evaluated the proposed match and approved the terms of the matching agreement. To be effective, the matching agreement must receive approval by each member of the Board. Votes are collected by the USPS Freedom of Information/Privacy Acts Officer. Agreements are signed on behalf of the Board by the Chairman. If a matching agreement is disapproved by the Board, any party may appeal the disapproval in writing to the Director, Office of Management and Budget, Washington, DC 20503-0001, within 30 days following the Board's written disapproval.

(3) Effective dates. No matching agreement is effective until 40 days after the date on which a copy is sent to Congress. The agreement remains in effect only as long as necessary to accomplish the specific matching purpose, but no longer than 18 months, at which time the agreement expires unless extended. The Data Integrity Board may extend an agreement for one additional year, without further review, if within 3 months prior to expiration of the 18month period it finds that the matching program is to be conducted without change, and each party to the agreement certifies that the program has been conducted in compliance with the matching agreement. Renewal of a continuing matching program that has run for the full 30-month period requires a new agreement that has received Data Integrity Board approval.

[59 FR 37161, July 21, 1994, as amended at 60 FR 57345, Nov. 15, 1995; 64 FR 41291, July 30, 1999]

Sec.

PART 267-PROTECTION OF INFORMATION

267.1 Purpose and scope.

267.2 Policy.

267.3 Responsibility.

267.4 Information security standards. 267.5 National Security Information.

AUTHORITY: 39 U.S.C. 401; Pub. L. 93-579, 88 Stat. 1896.

$267.1 Purpose and scope.

This part addresses the protection of information and records in the custody of the Postal Service throughout all phases of information flow and within all organization components, and includes micromated, manual and data processing information.

[40 FR 45726, Oct. 2, 1975]

$267.2 Policy.

Consistent with the responsibility of the Postal Service to make its official records available to the public to the maximum extent required by the public interest, and to ensure the security, confidentiality, and integrity of official records containing sensitive or national security information, it is the policy of the Postal Service to maintain definitive and uniform information security safeguards. These safeguards will have as their purpose: (a) Ensuring the effective operation of the Postal Service through appropriate controls over critical information, and (b) Protecting personal privacy, the public interest, and the national security by limiting unauthorized access to both restricted and national security information.

[44 FR 51224, Aug. 31, 1979]

$267.3 Responsibility.

(a) Chief Postal Inspector and Freedom of Information/Privacy Acts Officer. The Chief Postal Inspector and the Freedom of Information/Privacy Acts Officer will ensure within their respective areas of jurisdiction:

(1) Postal Service-wide compliance with this policy and related standards and procedures; and

(2) Implementation of remedial action when violations or attempted vio

lations of these standards and procedures occur.

(b) Custodians. All custodians are responsible for insuring that information security standards and procedures are followed and that all relevant employees participate in the information security awareness programs.

[40 FR 45726, Oct. 2, 1975, as amended at 60 FR 57345, Nov. 15, 1995]

§ 267.4 Information security standards. (a) The Postal Service will operate under a uniform set of information security standards which address the following functional aspects of information flow and management:

(1) Information system development, (2) Information collection,

(3) Information handling and processing,

(4) Information dissemination and disclosure,

(5) Information storage and destruction,

(b) Supplementing this list are information security standards pertaining to the following administrative areas: (1) Personnel selection and training, (2) Physical environment protection, (3) Contingency planning,

(4) Information processing or storage system procurement,

(5) Contractual relationships.

[40 FR 45726, Oct. 2, 1975; 40 FR 48512, Oct. 16, 1975]

§ 267.5 National Security Information.

(a) Purpose and scope. The purpose of this section is to provide regulations implementing Executive Order 12356 National Security Information (hereinafter referred to as the Executive Order) which deals with the protection, handling and classification of national security information.

(b) Definitions. (1) In this section, National Security Information means information on the national defense and foreign relations of the United States that has been determined under the Executive Order or prior Orders to require protection against unauthorized disclosure and has been so designated.

(2) Derivative Classification means the carrying forward of a classification from one document to a newly created

document that contains national security information which is in substance the same as information that is currently classified.

(3) In the Custody of the Postal Service means any national security information transmitted to and held by the U.S. Postal Service for the information and use of postal officials. (This does not include any national security information in the U.S. Mails.)

(c) Responsibility and authority. (1) The Manager, Payroll Accounting and Records, serves as the USPS National Security Information Oversight Officer. This officer shall:

(i) Conduct an active oversight program to ensure that the appropriate provisions of these regulations are complied with;

(ii) Chair a committee composed of the Manager, Payroll Accounting and Records; the Chief Postal Inspector (USPS Security Officer); the General Counsel; the Executive Assistant to the Postmaster General; and the Director, Operating Policies Office; or their designees, with authority to act on all suggestions and complaints concerning compliance by the Postal Service with the regulations in this part;

(iii) Ensure that appropriate and prompt corrective action is taken whenever a postal employee knowingly, willfully and without authorization:

(A) Discloses national security information properly classified under the Executive order, or prior orders,

(B) Compromises properly classified information through negligence, or

(C) Violates any provisions of these regulations or procedures;

(iv) Establish, staff, and direct activities for controlling documents containing national security information at USPS Headquarters and to provide functional direction to the field.

(v) In conjunction with the USPS Security Officer, prepare and issue instructions for the control, protection, and derivative classification of national security information in the custody of, and use by, the Postal Service. These instructions shall include requirements that:

(A) A demonstrable need for access to national security information is estab

(vi) Establish, staff and direct activities for controlling documents containing national security information at USPS Headquarters and provide functional direction to each Regional Records Control Officer;

(vii) As part of the overall program implementation, develop a training program to familiarize appropriate postal employees of the requirements for control, protection and classification; and

(viii) Report to the USPS Security Officer any incidents of possible loss or compromise of national security information.

(2) The USPS Security Officer (the Chief Postal Inspector) shall:

(i) Provide technical guidance to the Manager, Payroll Accounting and Records in implementing the national security information program;

(ii) Conduct investigations into reported program violations or loss or possible compromise of national security information and report any actual loss or compromise to the originating agency;

(iii) Periodically conduct an audit of the USPS national security information program;

(iv) Process requests for sensitive clearances; conduct the appropriate investigations and grant or deny a sensitive clearance to postal employees having an official "need to know" national security information; and

(v) Report to the Attorney General any evidence of possible violations of federal criminal law by a USPS employee and of possible violations by any other person of those federal criminal laws.

(3) All postal employees who have access to national security information shall:

(i) Sign a nondisclosure agreement; (ii) Be familiar with and follow all Program regulations and instructions;