Privacy Policy and Procedures Guide
Note: The information on this page is intended to inform members of the public of GSA’s privacy policies and practices as they apply to GSA employees, contractors, and clients.
Purpose of This Guide
This guide contains the policies and procedures put in place by GSA to protect the personal information of employees and of other individuals on whom GSA maintains systems of records under the Privacy Act. All GSA systems of records from which information is retrieved by name or a personal identifier, such as the Social Security Number (SSN), are covered.
The guide is designed as a source of information and guidance for:
- Individuals who are the subjects of records.
- Managers and supervisors who use the records.
- System managers who manage Privacy Act systems and the information in the systems.
- Vendors and contractors who provide support services for systems containing personal information.
- Management officials who have responsibilities for carrying out functions under the Privacy Act.
The guide provides information on how individuals can obtain, correct, and control the dissemination of their personal information. It explains the responsibilities of GSA managers and supervisors that relate to their staff’s personal information and the responsibilities of the system managers, GSA employees, and vendors or contractors who manage and operate the various systems of records in GSA.
Definition of Terms
The terms in this part are defined to ensure consistency and common understanding when used in a Privacy Act context:
- Agency means Federal Government executive or military departments, Government corporations, other establishments in the Executive Branch, and regulatory agencies (5 U.S.C. 551(1) and 5 U.S.C. 552a(a)(1)). The Privacy Act applies only to Federal Government agencies. It does not cover State and local government agencies.
- Individual means a citizen of the United States or an alien lawfully admitted for permanent residence on whom GSA maintains Privacy Act records. GSA employees are considered “individuals” under the Act and have all the rights specified by the Act.
- Record means any item, collection, or grouping of information about an individual which contains the individual’s name or other personal identifier such as number or symbol, fingerprint, voiceprint, or photograph. The information may relate to education, financial transactions, medical conditions, employment, or criminal history collected in connection with an individual’s interaction with GSA.
- System of records means a group of records under GSA’s control from which information is retrieved by the name of an individual, or by any number, symbol, or other identifier assigned to that individual.
- System of records notice means a notice published in the Federal Register by GSA for each new or revised system of records. The purpose of the notice is to allow public comment on the system before its implementation.
- Routine use means disclosure of a record outside GSA for a purpose that is compatible with the purpose for which the record was collected, as published in the system of records notice for that system.
- Request for access means a request by an individual to obtain or review his or her record or the information in the record.
- Disclosure of information means providing a record or the information in a record to someone other than the individual of record.
- Exempt records means records that may not be obtained by an individual because they are exempted under the Privacy Act.
- Solicitation means a request by an officer or employee of GSA for an employee’s personal information to be included in a system of records for a specified purpose.
- Program manager means the GSA official who is responsible for a system of records and the information in it. This person is always cited in the Federal Register system of records notice.
- Computer matching is the computerized comparison of information between GSA and an outside source to verify an individual’s eligibility for Federal benefits or to recoup delinquent debts.
- Information technology (IT) system (also known as electronic information system) means the equipment and software used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
- Information in identifiable form means data within an IT system or online collection that permits the identity of an individual to whom the information applies to be reasonably inferred; information that identifies the individual by name or other unique identifier or by which an individual is identified in conjunction with other data elements such as gender, race, birth date, geographic indicator, and similar personal information. Information permitting the physical or online contacting of a specific individual is considered information in identifiable form.
- Privacy Impact Assessment (PIA) means the process for evaluating privacy issues in an electronic information system, including examining the risks and effects of collecting, maintaining, and disseminating information in identifiable form, and identifying and evaluating protections and alternative processes to mitigate the impact to privacy of collecting such information. The process consists of gathering data on privacy issues from a project, identifying and resolving privacy risks, and obtaining approval from agency privacy and security officials. Completion of the PIA process results in the PIA Report.
Privacy Act Program Responsibilities
Senior Agency Official for Privacy (SAOP): Has overall responsibility for establishing and overseeing the Privacy Act Program in GSA and for ensuring GSA’s compliance with privacy laws, regulations, and GSA policy. Specific responsibilities include:
- Signs GSA Privacy Act notices for publication for public comment in the Federal Register.
- Reports to OMB and Congress on the establishment or revision of Privacy Act systems.
- Periodically reports to OMB on GSA Privacy Act activities, as required by law and OMB information requests.
- Heading the Full Agency Response Team when responding to large-scale information breaches.
GSA Privacy Act Officer: Responsible for coordinating the implementation of Privacy Act Program requirements within GSA. Specific responsibilities include:
- Developing and issuing GSA’s Privacy Act policy, standards, and procedures.
- Assisting in developing new or revised systems of records notices.
- Coordinating the concurrence and approval of Privacy Act notices for submission to OMB and Congress.
- Submitting for publication in the Federal Register GSA Privacy Act systems of records notices for public comment.
- Clearing new and revised systems with OMB and Congress.
- Developing and clearing requests for computer matching systems.
- Developing and reviewing forms and other data collection instruments for Privacy Act statements.
- Serving as liaison with the Office of General Counsel on privacy matters.
- Maintaining Privacy Act records and documentation.
- Preparing and submitting Privacy Act, Computer Matching, and other reports to OMB as required.
- Evaluating Privacy Impact Assessments to ensure they meet Privacy Act requirements.
Chief Information Officer (CIO): Responsible for implementing IT security management in GSA, with overall responsibility for the GSA IT Security Program and the IT Capital Planning Program, and for security policy on electronic privacy data. Responsibilities include:
- Overseeing security policy for privacy data.
- Ensuring review of Privacy Impact Assessments for information security considerations.
- Ensuring that Privacy Impact Assessments are part of GSA’s System Development Life Cycle Guidance for Information Technology.
Heads of Services and Staff Offices (HSSOs) and Regional Administrators (RAs): Responsible for ensuring that the systems of records under their jurisdiction meet the requirements of the Privacy Act and GSA privacy and security policies and procedures. Specific responsibilities include:
- Approving the establishment of new systems of records and the revision of existing systems within their Service, Staff Office, or Region.
- Concurring in Privacy Act notices to be submitted to the Federal Register for new and revised systems of records.
- Approving their Service, Staff Office, or regional reports on Privacy Act activities upon request by the Privacy Act Officer.
- Ensuring that contractors performing services associated with systems of records (such as system development, maintenance, or operation) are subject to the provisions of the Privacy Act and security requirements.
- Consulting with legal counsel, their program managers, and Privacy Act program officials on the disposition of special cases involving release of information, or on resolving appeals.
- Making decisions to deny access to systems of records and notifying the individual of the denial.
Program Officials: Responsible for ensuring that the systems of records in their program areas meet the requirements of the Privacy Act and security policy and regulations. Responsibilities include:
- Ensuring that the program systems of records are necessary, relevant to the program, and authorized by statute, regulation, or Executive Order.
- Identifying the need for and proposing the establishment of new or revised systems of records to accomplish program mission or functions.
- Proposing the cancellation of outdated or obsolete systems of records.
- Consulting with their HSSO or RA, the General Counsel’s office and Privacy Act program officials on the use and release of system information under special conditions or appeals.
- Identifying and proposing for exemption the systems that meet nondisclosure criteria under the Privacy Act.
- Ensuring that all contractors providing program systems of records services follow Privacy Act and security requirements.
- Appointing a program manager for each of their systems of records.
- Identifying systems requiring Privacy Impact Assessments (PIAs), coordinating on developing the PIAs, and resolving any privacy issues.
Program Managers: Responsible for implementing the requirements described in this guide for their systems of records. Responsibilities include:
- Periodically reviewing their system of records for need, relevance, and purpose for existence, and proposing changes as needed to meet changing circumstances.
- Periodically reviewing the information in the system to make sure it’s still necessary, relevant, complete, and up-to-date.
- For a new or a revised system of records, coordinating with the GSA Privacy Act Officer on preparing a Privacy Act notice for publication in the Federal Register.
- Ensuring that the form or other data collection instrument used to collect Privacy Act information contains a Privacy Act statement giving the authority for collecting the information, whether providing it is voluntary or mandatory, the purpose for which it will be used, its routine uses, and the effect on the individual of not providing the requested information.
- Collecting information directly from the individual whenever possible.
- Ensuring that the system information is used only for the stated purpose.
- Establishing appropriate administrative, technical, and physical safeguards to ensure security and confidentiality of records.
- Providing access to individuals who request it according to established procedures.
- Maintaining an accounting of disclosures of information.
- Informing individuals of information disclosure.
- Amending records where appropriate, informing any recipients of former records of any changes, and maintaining a record of these activities.
- Working with the program officials and the system developer on the system’s privacy issues, preparing a PIA report if needed, obtaining the program official’s approval of the PIA report, and submitting the PIA report to CHCO and OCIO officials for review and approval.
- Serving as the point of contact for the system.
System Developers/Designers: Responsible for ensuring that the system design and specifications conform to privacy standards and requirements and that technical controls are in place for safeguarding personal information from unauthorized access. Responsibilities include establishing system protection controls (e.g., access, retrieval, storage, user restrictions).
Authorizing Official (AO): Each Service, Staff Office, and Region has an AO (previously called the Designated Approving Authority, or DAA) whose primary responsibility is to ensure the security of IT systems. Additionally, AOs are responsible for reviewing and approving Privacy Impact Assessments in their organizations, and for ensuring that IT systems that handle privacy data meet the privacy and security requirements of the Privacy Act and IT information security laws and regulations.
Office of General Counsel, General Law Division (LG): Responsible for providing legal advice and assistance on Privacy Act matters and GSA systems of records. Responsibilities include:
- Assisting program and system managers to determine the applicable statute or regulation for a new or revised system of records.
- Reviewing the Privacy Act notice for applicable legal citations, routine uses, and other legal aspects of establishing or revising the system.
- Approving each notice for publication.
- Advising management on appropriate actions involving GSA systems of records, including release of information, appropriate use of information, and appeals.
- Providing legal opinions on all Privacy Act issues as needed.
Office of Acquisition Policy: Responsible for developing, coordinating, and obtaining the required public comments and clearance, under Executive Order 12866, on Privacy Act contracting coverage drafted beyond the current FAR clauses.
GSA Forms Management Officer: Responsible for providing advice and assistance on designing forms for collecting system of records information.
Data Integrity Board: Responsible for reviewing and approving all computer matching programs and activities. Specific responsibilities include:
- Reviewing and approving all proposed written agreements with other Federal or non-Federal agencies to establish a computer matching program.
- Ensuring that all matching programs in which GSA participates, either as a recipient or a source of information, meet applicable laws and regulations.
- Annually assessing the costs and benefits of computer matching programs.
- Annually assessing the continued justification for any computer matching program.
- Approving an annual report to OMB describing GSA’s computer matching activities.
Supervisors and GSA Employees: Responsible for ensuring that the personal information they use in carrying out their official duties is protected according to Privacy Act and security requirements.
Vendors/Contractors: GSA vendors and contractors are subject to the same laws and regulations as Federal employees and are therefore responsible for ensuring the privacy and security of systems they design, develop, maintain, operate, or use and for system data. They are accountable for any violation that may occur due to oversight or negligence and may be subject to civil or criminal penalties under the Privacy Act.
Deputy Administrator (AD): Makes final determinations on administrative appeals for access to a record and for amendments to records based on information provided by the GSA Privacy Act Officer.
GSA Privacy Act Program Policy Guide
Disclosure of Information: No information contained in a Privacy Act system of records may be disclosed to anyone other than the individual of record without the written consent of that individual, except when specifically allowed under the Privacy Act.
Disclosures that are allowed under the Privacy Act include:
- To GSA officials and employees in the performance of their official duties.
- Under the Freedom of Information Act, where applicable.
- For routine uses cited in the system of records Federal Register notice.
- To the Bureau of the Census for statistical purposes, and only if the record is unidentifiable by individual.
- To the National Archives and Records Administration (NARA) when the record warrants permanent retention because of historical or other national value as determined by NARA.
- To a law enforcement agency, on written request from the head of that agency, for a civil or criminal law enforcement activity.
- In emergencies affecting an individual’s health or safety.
- To Congress or its staff when the record material falls within Congressional jurisdiction or oversight.
- To the Government Accountability Office (GAO) in the performance of its duties.
- Under an order of a court of competent jurisdiction.
- To a consumer reporting agency if specifically authorized by law.
Accounting of Disclosures: The system manager must keep a record of any disclosure of personal information from a Privacy Act covered system for five years or for the life of the record, whichever is longer, except when no accounting of disclosure is needed as noted below.
Note: No accounting of disclosures is needed when the disclosure is:
- To GSA officials or employees in the performance of their official duties.
- Required under the Freedom of Information Act (FOIA).
- Required for law enforcement purposes.
- From a system of records that is exempted from disclosure in the Federal Register notice.
Under 5 U.S.C. 552a(c), an accounting that is kept must be made available to the individual of record on request, except for the accounting of law enforcement disclosures, which is withheld from the individual.
Collection and Use of Information: Personal information used to determine employee rights, benefits, and privileges must be collected directly from the individual of record whenever possible, and used only for the purpose for which it is intended. If the information needs to come from a third party, the individual’s written permission is required.
Solicitation of Information: When soliciting personal information from an individual or a third party, the system manager must include the following information on the data collection form or other data collection instrument:
- The legal or regulatory authority for collecting the information.
- Whether furnishing the information is voluntary or mandatory.
- The purpose for which the information will be used.
- The routine uses of the information.
- The effect on the individual of not providing the information.
Collection of Social Security Numbers: Statutory authority must exist for collecting Social Security Numbers (SSNs) for record systems that use the SSN for identification purposes. SSNs will not be collected for systems without this specific authority.
The only other basis for collecting an SSN is a system that was collecting it under a statute or regulation adopted before January 1, 1975, to verify an individual’s identity (Section 7 of the Privacy Act). Systems that cannot cite either authority must be revised to avoid the collection and use of SSNs. In every case, an individual asked for an SSN must be told whether disclosure is mandatory or voluntary, the authority for requesting it, and how it will be used.
Information Accuracy: Personal information provided by individuals must be accurate and complete.
System managers must ensure that the information in the system is relevant, necessary, and timely.
Standards of Conduct on Personal Information: GSA employees have a duty to protect the security of personal information by:
- Ensuring the accuracy, relevance, timeliness, and completeness of records.
- Avoiding any unauthorized disclosure, verbal or written, of records.
- Ensuring that no system of records is maintained without a Federal Register notice.
- Not collecting personal information unless authorized.
- Collecting only the information needed to perform an authorized agency function.
- Collecting information directly from the individual whenever possible.
- Maintaining and using records with care to prevent any inadvertent disclosure of information.
Safeguarding Information: System managers must establish physical, administrative, and technical safeguards for their systems of records. The safeguards must ensure the security and confidentiality of records, protect against possible threats or hazards, and permit access only to authorized persons.
Paper records will be kept in secured locations. Electronic systems will use passwords, identity verification, detection of intrusion attempts, firewalls, encryption, and/or other security measures determined to be appropriate by the responsible system and program managers.
Other Agencies’ Records: Where GSA has either permanent or temporary custody of other agencies’ records, system managers will coordinate with those agencies on any release or disclosure of information.
Office of Personnel Management (OPM) records that are in GSA’s custody will be handled according to OPM’s rules and procedures.
Conflicting Directives: GSA officials and managers must ensure that no directives under their jurisdiction conflict with Privacy Act provisions. The policies and procedures presented in this guide take precedence over any other directives that may conflict with these policies and procedures.
Computer Matching: In the event GSA needs to establish computer matching programs or agreements to share system of records information with other Federal or non-Federal agencies, a Data Integrity Board will be created to review and approve such programs and agreements.
GSA Privacy Act Program Procedures Guide
Accessing Your Records
Who has your records? Generally, the program manager is the person you need to contact to get access to a record. The name and address of the program (system) manager is provided in the Privacy Act notice that is published in the Federal Register for each new system of records that GSA establishes. In cases where records are dispersed by region or office, this information also is provided in the Privacy Act notice.
How do you get access to your records? You can request access in person or in writing.
If you appear in person, you should identify yourself using a photographic identification such as an agency ID badge, a passport, or a driver’s license. Records will be available during business hours at the offices where records are located. You will be able to examine the record and get a copy of it on request. If you want someone else to accompany you when you are reviewing a record, you will be asked to sign a statement authorizing disclosure of your record to that person, and the statement will be kept with your record.
If you request your record in writing, mark both the envelope and the request letter “Privacy Act Request” and send it to the system manager or the official named in the Federal Register notice. Include in the letter:
- Your full name and address.
- A description of the records you want.
- The title and number of the system of records as published in the Federal Register.
- A brief description of the nature, time, and place of your association with GSA.
- Any other information that you believe will help in locating the record.
Can parents or guardians get access to records? Yes, if you are the parent or guardian of a minor or of an individual who is determined to be incompetent by a court. In addition to properly identifying yourself and providing the information described above, you will need to provide:
- A copy of the birth certificate, or a court order establishing guardianship, of the person whose record you want.
- Sufficient information about that person to adequately identify him or her (name, age, Social Security Number, etc.).
How long will it take to get your record?
- If you show up in person and the record is available, you will get it immediately.
- If the record cannot be located when you show up in person, or if your request is in writing, the record will be provided to you by the system manager within 10 working days after receipt of your request.
What if there’s a delay?
- If a delay of more than 10 days is expected in locating your record, the system manager must notify you in writing of the reason for the delay and the date when the record will be available.
- If the system manager needs additional information to locate your record, he or she may ask you for it. The system manager will then have an additional 10 workdays after receipt of the new information to provide your record to you.
Fees
Are there any fees for record copies? GSA employees will not be charged for copying a record of 50 pages or less. In other cases:
- No fee will be charged to anyone when the reproduction cost is under $25.
- Paper copies are charged at 10 cents per page when the reproduction cost exceeds $25.
- For materials other than paper copies, the fee is the actual cost of reproduction if it is over $25.
Do these fees apply in every case? The system manager may waive fees above these amounts when he or she determines that providing the records is in the public interest, or when it’s customary to do so.
How do you make your payment? The system manager will notify you of the charges. You may be asked to pay a portion of your fee in advance if your fees are estimated to be over $250. Any additional amount will be due when you receive your records. Any overpayment will be returned to you. Your payment should be made by check or money order payable to the General Services Administration. Send your payment to the system manager.
Medical records
Do any special conditions apply to release of medical records? Yes, medical records that may adversely affect an individual will be released only to a physician designated by the individual. The designated physician will determine how to handle disclosure of the information to the individual of record.
What about medical records in official personnel folders? These records belong to the Office of Personnel Management and requests will be referred there for a response.
Law Enforcement and Security Records
Are there personal records that you can’t access? Yes, you generally won’t be given access to law enforcement and security records. The Privacy Act specifically exempts these records from access by individuals. These records consist of information that is maintained for the enforcement of criminal laws, such as for controlling crime and apprehending criminals, and in the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities.
Which GSA systems of records are exempt? GSA has specifically exempted systems of records from access by individuals that are created and maintained as part of the law enforcement duties and responsibilities of the Federal Protective Service, the Office of Inspector General, and others. These systems are:
- Investigation Case Files
- Internal Evaluation Case Files
- Security Files
Denial of Access To Records
Under what conditions will you be denied access to records? You will be denied access to the systems of records that GSA has specifically exempted under the Privacy Act. These systems consist of law enforcement and security records.
Who has the authority to deny access? The Head of Service or Staff Office or the Regional Administrator whose system contains the records may deny access after consultation with legal counsel, the system manager, and other officials.
How will you be denied access? You will receive a written notification explaining the reason for the denial along with an explanation of your appeal rights.
Appeals
Can you appeal a denial of access to a record? Yes, you may file an administrative appeal within 30 days after you receive a denial.
How do you file an administrative appeal? Write to the GSA Privacy Act Officer stating that you are filing an administrative appeal. Include the reasons for your appeal and any other pertinent information that would be needed for a review of the denial.
Send your appeal to: GSA Privacy Act Officer (ISP)
General Services Administration
1800 F St., NW
Washington, DC 20405
Mark both the envelope and the appeal letter:
“Privacy Act Appeal”
How is an appeal handled? On receiving a denial of access appeal, the GSA Privacy Act Officer consults with the system manager, legal counsel, the program manager, and other officials as necessary to arrive at a decision on whether your request may be granted under the applicable laws and regulations. Depending on the decision, the appeal goes through one of the following processes:
Decision to uphold appeal. The GSA Privacy Act Officer notifies you of the decision in writing and arranges for access to the record.
Decision to reject appeal. The GSA Privacy Act Officer refers your appeal to the Deputy Administrator for a final administrative determination.
Administrative decision to uphold appeal. If the Deputy Administrator decides to grant your request, the GSA Privacy Act Officer notifies you of the decision in writing and arranges for access to the record within 30 days of your appeal.
Administrative decision to reject appeal. If the Deputy Administrator rejects your appeal, you are notified in writing of the reasons for the decision and of your right to a court review within 30 days of your appeal.
Court review. You may file a civil action to have the administrative decision overturned within 2 years after the decision is made. You may file in a Federal District Court where you live or have a principal place of business, where the records are maintained, or in the District of Columbia.
Amending Records
Can you amend your records? Yes, you may amend a record that you believe is incomplete or incorrect, but there are exceptions.
What are the exceptions? Under the law, you can’t amend the following records:
- Transcripts of testimony given under oath, or written statements made under oath.
- Transcripts of grand jury, judicial, or quasi-judicial proceedings that constitute the official record.
- Pre-sentence reports that are within a system of records but are the property of the courts.
- Records exempted from amendment by agency notice in the Federal Register.
How do you amend a record? Send a written request to the appropriate system manager stating that you want to amend your record.
- Include in your request the correct information along with any evidence or justification for amendment, as needed.
- Mark the letter and the envelope “Privacy Act request to amend record”.
Who decides whether it’s appropriate to amend your record? The system manager, in consultation with other officials (legal counsel, program officials, the GSA Privacy Act Officer) as needed, will determine whether to amend your record based on a comparison of the existing record with the amendment you propose for accuracy, relevance, timeliness, and completeness, and for compliance with the law.
How will you know whether your record has been amended? Within 10 workdays after receiving your request, the system manager will let you know in writing whether your proposed amendment has been approved.
If there’s an expected delay in making a decision, the system manager will acknowledge the receipt of your request in writing and provide you with an estimated date for the decision.
Depending on the decision, the system manager will do the following:
Request approved: The system manager will amend your record and send an amended copy to you and to anyone who has previously received the record. The system manager will keep a record of the amendment with your system record.
Request denied: The system manager will let you know in writing the reason for denial, provide an alternative amendment for your consideration when possible, and inform you of your appeal rights.
What are your choices if your request is denied?
Choice 1. You may agree to the alternative amendment if one is proposed by the system manager, in which case:
- Write to the system manager stating that you agree to use the alternative amendment.
- The system manager will amend your record and send a copy to you and to anyone else who previously had received your old record.
Choice 2. You may file an appeal. If you choose to file an appeal, within 30 workdays of the denial, write to the GSA Privacy Act Officer giving your reasons for the appeal.
Send your appeal to:
GSA Privacy Act Officer (ISP)
General Services Administration
1800 F Street, NW
Washington, DC 20405
Mark the appeal letter and the envelope:
“Privacy Act Amendment Appeal”
How will your appeal be handled? On receiving your appeal, the GSA Privacy Act Officer will consult with the system manager, legal counsel, the program manager, and other officials as needed, and a decision will be made on whether or not your request will be granted under the applicable laws and regulations. Depending on the decision, the appeal goes through the following process:
Decision to uphold appeal. The GSA Privacy Act Officer will notify you of the decision in writing and arrange for amending your record.
Decision to reject appeal. The GSA Privacy Act Officer will refer your appeal to the Deputy Administrator for a final administrative determination within 30 days of the receipt of your appeal. The Deputy Administrator may extend the time limit for the decision beyond 30 days, if needed, by notifying you in writing of the reason for any delay.
Administrative decision to uphold appeal. If the Deputy Administrator decides to grant your amendment request, the GSA Privacy Officer will notify you of the decision to amend your record in writing within 30 days of your appeal, and the system manager will amend your record and send a copy to you and anyone else who previously had received a copy.
Administrative decision to reject appeal. If the Deputy Administrator rejects your appeal, within 30 days of your appeal you will be notified in writing of the reasons for the decision, your right to a court review, and your right to file a statement of disagreement.
Statement of disagreement. You may file a statement of disagreement with the system manager within 30 days of the denial to amend your record. In the statement of disagreement include an explanation of why you believe the record to be inaccurate, irrelevant, out of date, or incomplete. The manager will file the statement with your record, provide a copy to anyone who previously had received the record, and include it in any future disclosures.
Court review. You may file a civil action within 2 years of the denial to have the administrative decision overturned. You may file in a Federal District Court where you live or have a principal place of business, where the records are maintained, or in the District of Columbia.
Routine Uses and Disclosures
What is a routine use? It’s the sharing of information for the purpose for which it’s collected as spelled out in the Privacy Act notice for each system of records.
What are GSA’s standard routine uses? GSA has identified certain standard routine uses for its systems of records. GSA may disclose system information as a routine use:
- To GSA employees in the performance of their official duties.
- In any legal proceeding, where pertinent, to which GSA is a party before a court or administrative body.
- To authorized officials engaged in investigating or settling a grievance, complaint, or appeal filed by an individual who is the subject of the record.
- To a Federal agency in connection with the hiring or retention of an employee; the issuance of a security clearance; the reporting of an investigation; the letting of a contract; or the issuance of a grant, license, or other benefit to the extent that the information is relevant and necessary to a decision.
- To the Office of Personnel Management (OPM), the Office of Management and Budget (OMB), or the Government Accountability Office (GAO) when the information is required for program evaluation purposes.
- To a member of Congress or staff on behalf of and at the request of the individual who is the subject of the record.
- To an expert, consultant, or contractor of GSA in the performance of a Federal duty to which the information is relevant.
- To the National Archives and Records Administration (NARA) for records management purposes.
What other routine uses does the Privacy Act permit? The Privacy Act also permits disclosure of information as a routine use in the following cases:
- To the Bureau of the Census for planning and carrying out a census or survey related to the system information.
- For statistical research, but only when the information is in a form that can’t be identified with an individual.
- When the individual’s health or safety is involved.
- To the National Archives when it determines a record is of historical value warranting permanent retention.
- To a consumer reporting agency as governed by the Federal Claims Collection Act of 1966.
Accounting for Disclosed Records
What is an “accounting of disclosure” record? If a system manager discloses a record as allowed by the Privacy Act, in some cases certain information must be kept on that record. This information is the “accounting of disclosure” record.
Who keeps the accounting of disclosure record? The system manager maintains an accounting of each disclosure of information from the system he or she manages, when required to do so.
What information is kept on a disclosure? The system manager keeps the following information on the disclosed record:
- Name of person or agency to whom the record has been provided.
- Date information was provided.
- Type of information provided.
- Reason for the disclosure.
- Any needed justification for the disclosure.
- Any written consent by the individual of record.
Can you get an accounting of disclosure of your records? Yes, except in the following special circumstances:
Certain disclosures don’t require an accounting, so no accounting of disclosure record is kept. This applies when:
- Disclosures are to GSA employees in the performance of their duties.
- Disclosures are required under the Freedom of Information Act (FOIA).
Providing you the accounting is specifically prohibited in the following cases:
- When records are disclosed for law enforcement and security purposes.
- When GSA specifically exempts a system of records in the Federal Register Privacy Act system notice.
Establishing or Revising Privacy Act Systems of Records in GSA
How is a new GSA system of records established? The establishment of a new Privacy Act system of records generally follows these steps: (Contact the GSA Privacy Act Officer for guidance as needed.)
1. A program manager determines that a new system needs to be established to carry out a program responsibility or improve a process.
2. The program manager prepares a proposal, in the form of a draft Privacy Act system of records notice, to establish the new system of records. The draft notice (see format and sample of notice) describes and justifies the establishment of the system.
3. The proposal is reviewed and concurred in by the Head of Service or Staff Office and submitted to the GSA Privacy Act Officer.
4. The GSA Privacy Act Officer prepares documentation (including a final system proposal, a report to OMB and the Congress, and a camera-ready copy for publication in the Federal Register) for review and concurrence by appropriate GSA officials (program officials, legal counsel, and the Chief Human Capital Officer).
5. After the Chief Human Capital Officer signs off on the proposal, it is submitted to OMB, the President of the Senate, and the Speaker of the House of Representatives for evaluation at least 40 calendar days before the planned system implementation.
6. At least 30 calendar days before the planned system implementation, the proposal is submitted for publication in the Federal Register for public comment.
7. The new system goes into effect 30 calendar days after the notice is published in the Federal Register if no public comments are received or if no changes are needed as a result of any comments. The program manager with responsibility for the system resolves any questions resulting from the comments or makes appropriate changes to the proposal. If changes are made, the proposal is reprocessed as a new proposal.
What’s the procedure for revising an existing system of records? The procedure for revising a system of records is the same as for establishing a new system of records if the revision is substantive in nature, such as when there’s a change in:
- The types of individuals covered.
- The categories of information in the system, or an expansion of categories.
- The manner in which the system records are retrieved.
- The purpose(s) for which the information is used, or there’s a new or revised “routine use” of the information in the system.
- The access capability, as when updated software makes it easier to access system information.
Establishing Matching Agreements
What is a matching agreement? It’s a written document establishing the sharing of personal information among computerized systems of two or more Federal or non-Federal agencies. Generally, the shared information is used to determine the eligibility of individuals for Federal benefit programs or to identify delinquencies on obligations.
Does GSA have any matching agreements? Yes. In May, a matching agreement between two GSA Privacy Act systems was established.