Privacy Act of 1974

SUBPART B—PRIVACY ACT

5.20

General Provisions.

5.21

Requests for Access to Records.

5.22

Responsibility for Responding to Requests for Access to Records.

5.23

Responses to Requests for Access to Records.

5.24

Classified Information.

5.25

Administrative Appeals for Access Requests.

5.26

Requests for Amendment or Correction of Records.

5.27

Requests for an Accounting of Record Disclosures.

5.28

Preservation of Records.

5.29

Fees.

5.30

Notice of Court-Ordered and Emergency Disclosures.

5.31

Security of Systems of Records.

5.32

Contracts for the Operation of Systems of Records.

5.33

Use and Collection of Social Security Numbers.

5.34

Standards of Conduct for Administration of the Privacy Act.

5.35

Sanctions and Penalties.

5.36

Other Rights and Services.

(a) Purpose and scope. (1) This subpart contains the rules that the Department of Homeland Security (Department or DHS) follows in processing records under the Privacy Act of 1974 (Privacy Act) (5 U.S.C. 552a) and under the Judicial Redress Act of 2015 (JRA) (5 U.S.C. 552a note).

(2) The rules in this subpart should be read in conjunction with the text of the Privacy Act and the JRA, 5 U.S.C. 552a and 5 U.S.C. 552a note, respectively (which provide additional information about records maintained on individuals and covered persons), and JRA designations issued in the Federal Register . The rules in this subpart apply to all records in systems of records maintained by the Department. These rules also apply to all records containing Social Security Numbers regardless of whether such records are covered by an applicable system of records maintained by the Department. They describe the procedures by which individuals may request access to records about themselves, request amendment or correction of those records, and request an accounting of disclosures by Department personnel and contractors. In addition, the Department processes all Privacy Act and JRA requests for access to records under the Freedom of Information Act (FOIA) (5 U.S.C. 552), following the rules contained in subpart A of this part, which gives requesters the benefit of both statutes.

(3) The provisions established by this subpart apply to all Department Components, as defined in paragraph (b)(1) of this section.

(4) DHS has a decentralized system for processing requests, with each component handling requests for its records.

(b) Definitions. As used in this subpart:

(1) Component means the office that processes Privacy Act and JRA requests for each separate organizational entity within DHS that reports directly to the Office of the Secretary.

(2) Request for access to a record means a request made under Privacy Act subsection (d)(1).

(3) Request for amendment or correction of a record means a request made under Privacy Act subsection (d)(2).

(4) Request for an accounting means a request made under Privacy Act subsection (c)(3).

(5) Requester means an individual who makes a request for access, a request for amendment or correction, or a request for an accounting under the Privacy Act.

(6) Individual means, as defined by the Privacy Act, 5 U.S.C. 552a(a)(2), a citizen of the United States or an alien lawfully admitted for permanent residence. Also, an individual, for purposes of this subpart, but limited to the exclusive rights and civil remedies provided in the JRA, includes covered persons, as defined by the JRA, as a natural person (other than an individual) who is a citizen of a covered country, as designated by the Attorney General, with the concurrence of the Secretary of State, the Secretary of the Treasury, and the Secretary of Homeland Security.

(7) Record has the same meaning as contained in the Privacy Act, 5 U.S.C. 552a(a)(4), except that in cases covered by the JRA, the term “record” has the same meaning as contained in the JRA, 5 U.S.C. 552a note.

(c) Authority to request records for a law enforcement purpose. The head of a component or designee thereof is authorized to make written requests under subsection (b)(7) of the Privacy Act for records maintained by other agencies that are necessary to carry out an authorized law enforcement activity.

(d) Notice on Departmental use of (b)(1) exception. As a general matter, when applying the (b)(1) exception for authorized disclosures within an agency on a need to know basis, the Department will consider itself a single entity, meaning that information may be disclosed between components of the Department under the (b)(1) exception.

(e) Interim Retention of Authorities. As an interim solution, all agencies and components under the Department will retain the necessary authority from their original purpose in order to conduct these necessary activities. This includes the authority to maintain Privacy Act systems of records, disseminate information pursuant to existing or new routine uses, and retention of exemption authorities under sections (j) and (k) of the Privacy Act, where applicable. This retention of an agency or component's authorities and information practices will remain in effect until this regulation is promulgated as a final rule, or the Department revises all systems of records notices. This retention of authority is necessary to allow components to fulfill their mission and purpose during the transition period of the establishment of the Department. During this transition period, the Department shall evaluate with the components the existing authorities and information practices and determine what revisions (if any) are appropriate and should be made to these existing authorities and practices. The Department anticipates that such revisions will be made either through the issuance of a revised system of records notices or through subsequent final regulations.

(a) How made and addressed. (1) DHS has a decentralized system for responding to Privacy Act and JRA requests, with each component designating an office to process records from that component.

(2) An individual may make a request for access to a Department of Homeland Security record about that individual covered by a DHS or Component system of records notice (SORN) by writing directly to the Department component that maintains the record at the address listed in appendix A to this part or via the internet at http://www.dhs.gov/dhs-foia-request-submission-form. A description of all DHS-wide and component SORNs may be found here: https://www.dhs.gov/system-records-notices-sorns.

(3) In most cases, a component's central FOIA office, as indicated in appendix A to this part, is the place to send a Privacy Act request. For records held by a field office of U.S. Customs and Border Protection, the U.S. Coast Guard, or other Department components with field offices other than the U.S. Secret Service, the requester must write directly to that U.S. Customs and Border Protection, Coast Guard, or other field office address, which can be found by calling the component's central FOIA office. Requests for U.S. Secret Service records should be sent only to the U.S. Secret Service central FOIA office. (4) Requests for records held by the Cybersecurity and Infrastructure Security Agency (CISA) should be sent to the DHS Privacy Office.

(5) DHS's FOIA website refers the reader to descriptions of the functions of each component and provides other information that is helpful in determining where to make a request. Each component's FOIA office and any additional requirements for submitting a request to a given component are listed in Appendix A to part 5. These references can all be used by requesters to determine where to send their requests within DHS.

(6) An individual may also send a request to the Privacy Office, Mail Stop 0655, U.S. Department of Homeland Security, 2707 Martin Luther King Jr. Ave. SE, Washington, DC 20528-0655, or via the internet at http://www.dhs.gov/dhs-foia-request-submission-form,, or via fax to (202) 343-4011. The Privacy Office will forward the request to the component(s) that it determines to be most likely to maintain the records that are sought. For the quickest possible handling, the requester should mark both the request letter and the envelope “Privacy Act Request” or “Judicial Redress Act Request.”

(b) Government-wide SORNs. A government-wide system of records is a system of records where one agency has regulatory authority over records in the custody of multiple agencies, and the agency with regulatory authority publishes a SORN that applies to all of the records regardless of their custodial location. If records are sought that are covered by a Government-wide SORN and requested of DHS, DHS will consult or refer such request, only as applicable and necessary, to the corresponding agency having authority over such records for further processing. DHS will acknowledge to the requester that it is referring the request to another agency or consulting with that agency when processing the request.

(c) Description of records sought. A requester must describe the records sought in sufficient detail to enable Department personnel to locate the system of records covering them with a reasonable amount of effort. Whenever possible, the request should describe the records sought, the time periods in which the requester believes they were compiled, the office or location in which the requester believes the records are kept, and the name or identifying number of each system of records in which the requesters believes they are kept. The Department publishes notices in the Federal Register that describe its components' systems of records. These notices can be found on the Department's website here: https://www.dhs.gov/system-records-notices-sorns. If a request does not adequately describe the records sought, DHS may at its discretion either administratively close the request or seek additional information from the requester. Requests for clarification or more information will be made in writing (either via U.S. mail or electronic mail whenever possible). Requesters may respond by U.S. Mail or by electronic mail regardless of the method used by DHS to transmit the request for additional information. To be considered timely, responses to requests for additional information must be postmarked or received by electronic mail within 30 working days of the postmark date or date of the electronic mail request for additional information. If the requester does not respond timely, the request may be administratively closed at DHS's discretion. This administrative closure does not prejudice the requester's ability to submit a new request for further consideration with additional information.

(d) Agreement to pay fees. DHS and components shall charge for processing requests under the Privacy Act or JRA. DHS and components will ordinarily use the most efficient and least expensive method for processing requested records. DHS may contact a requester for additional information in order to resolve any fee issues that arise under this section. DHS ordinarily will collect all applicable fees before sending copies of records to a requester. If one makes a Privacy Act or JRA request for access to records, it will be considered a firm commitment to pay all applicable fees charged under section 5.29, up to $25.00. The component responsible for responding to a request ordinarily will confirm this agreement in an acknowledgement letter. When making a request, an individual may specify a willingness to pay a greater or lesser amount. Requesters must pay fees by check or money order made payable to the Treasury of the United States.

(e) Verification of identity. When an individual makes a request for access to records about that individual, he or she must verify his or her identity. The individual must state his or her full name, current address, date and place of birth, and country of citizenship or residency. The individual must sign his or her request and provide a signature that must either be notarized or submitted by the requester under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury, as a substitute for notarization. An individual may obtain more information about this process at http://www.dhs.gov/foia or 1-866-431-0486. In order to help the identification and location of requested records, an individual may also voluntarily include other identifying information that are relevant to the request ( e.g., passport number, Alien Registration Number (A-Number)).

(f) Verification of guardianship. When making a request as the parent or guardian of a minor or as the guardian of someone determined by a court of competent jurisdiction to be incompetent due to physical or mental incapacity or age, for access to records about that individual, the individual submitting a request must establish:

(1) The identity of the individual who is the subject of the record, by stating the name, current address, date and place of birth, and country of citizenship or residency of the individual;

(2) The submitting individual's own identity, in the same manner as required in paragraph (e) of this section;

(3) That the submitting individual is the parent or guardian of the subject of the record, which may be proven by providing a copy of the subject of the record's birth certificate showing parentage or by providing a court order establishing guardianship; and

(4) That the submitting individual is acting on behalf of that individual that is the subject of the record.

(g) Verification in the case of third-party information requests. Outside of requests made pursuant to paragraph (f) of this section, if a third party requests records about a subject individual, the third party requester must provide verification of the subject individual's identity in the manner provided in paragraph (e) along with the subject individual's written consent authorizing disclosure of the records to the third party requester, or by submitting proof by the requester that the subject individual is deceased ( e.g., a copy of a death certificate or an obituary). As an exercise of its administrative discretion, each component can require a third-party requester to supply additional information to verify that the subject individual has consented to disclosure or is deceased.

(a) In general. Except as stated in paragraphs (c), (d), and (e) of this section, the component that first receives a request for access to a record, and has possession of that record, is the component responsible for responding to the request. In determining which records are responsive to a request, a component ordinarily will include only those records in its possession as of the date the component begins its search for them. If any other date is used, the component will inform the requester of that date.

(b) Authority to grant or deny requests. The head of a component, or the component head's designee, is authorized to grant or deny any request for access or amendment to a record of that component.

(c) Consultations, coordination, and referrals. All consultations, coordination, and referrals for requests of records subject to the Privacy Act or JRA will follow the same process and procedures as described in 6 CFR 5.4(d), including how to handle those requests that pertain to law enforcement information, as specified in 6 CFR 5.4(d)(2), and classified information, as specified in 6 CFR 5.4(d)(2) and (e). Further, whenever a request is made for access to a record containing information that has been classified by or may be appropriate for classification by another component or agency under any relevant executive order concerning the classification of records, the receiving component will refer to § 5.24 of this Part for processing.

(d) Release of medical records. (1) Generally, an individual has the right to access his or her medical records maintained by the Department. Special procedures for requests from an individual who requests his or her medical records that include psychological records for which direct release may cause harm to the individual who is requesting access are set forth in paragraph (d)(2) of this section.

(2) If a request is made for access to medical records that include psychological records, and the component determines that direct release is likely to adversely affect the individual who is requesting access, such that direct release would be reasonably likely to cause harm or endanger physical life or safety of the subject individual or others, the decision to release records directly to the individual, or to grant indirect release, will be made by a component medical practitioner or other qualified designee. Components will make their best effort to consult the component medical practitioner in the first instance and utilize the qualified designee if the component medical practitioner is unavailable. If the component medical practitioner or qualified designee believes that direct release is likely to adversely affect the individual requesting access, the component will request the individual to provide the name and contact information of a representative who is capable of ameliorating the potential adverse effect. The representative may be a physician, other health professional, or other responsible individual who will be willing to review the record and inform the requester of its contents. Once provided, the component medical practitioner or designee will send the medical records to the individual's designated representative, and the component will inform the subject individual in writing (either via U.S. mail or electronic mail whenever possible) that the record has been sent to that individual's chosen representative. The representative does not have the discretion to withhold any part of your record. If a representative is not provided, the component medical practitioner or designee will discuss such records with the individual first, and will release the records to the individual thereafter.

(e) Notice of referral. Whenever a component refers all or any part of the responsibility for responding to a request to another component or agency, it ordinarily will notify the requester of the referral and inform the requester of the name of each component or agency to which the request has been referred and of the part of the request that has been referred.

(f) Timing of responses to consultations and referrals. All consultations and referrals received by DHS will be handled according to the date the Privacy Act or JRA access request was initially received by the first component or agency, not any later date.

(g) Agreements regarding consultations and referrals. Components may establish agreements with other components or agencies to eliminate the need for consultations or referrals with respect to types of records.

(a) In general. Components should, to the extent practicable, communicate with requesters having access to the internet using electronic means, such as email or web portal.

(b) Acknowledgements of requests. Consistent with the procedures in Subpart A to this Part, a component will acknowledge the request and assign it an individualized tracking number if it will take longer than ten (10) working days to process. Components will include in the acknowledgement a brief description of the records sought to allow requesters to more easily keep track of their requests. Further, in the acknowledgment letter, the component will confirm the requester's agreement to pay fees under 6 CFR 5.21(d) and 5.29.

(c) Grants of requests for access. Consistent with the procedures in Subpart A to this Part, a component will have twenty (20) working days from when a request is received to determine whether to grant or deny the request unless there are unusual or exceptional circumstances as defined by the FOIA and set out in 6 CFR 5.5(c). Once a component decides to grant a request for access to record(s) in whole or in part, it will notify the requester in writing. The component will inform the requester in the notice of any fee charged under 6 CFR 5.21(d) and 5.29 and will disclose records to the requester promptly upon payment of any applicable fee. The component will inform the requester of the availability of its FOIA Public Liaison to offer assistance.

(d) Adverse determinations of requests for access. A component making an adverse determination denying a request for access in any respect will notify the requester of that determination in writing. Adverse determinations, or denials of requests, include decisions that: The requested record is exempt, in whole or in part; the requested record does not exist or cannot be located; or the record requested is not subject to the Privacy Act or JRA. Further, adverse determinations also include disputes regarding fees, or denials of a request for expedited processing. The denial letter will be signed by the head of the component, or the component head's designee, and will include:

(1) The name and title or position of the person responsible for the denial;

(2) A brief statement of the reason(s) for the denial, including any Privacy Act exemption(s) applied by the component in denying the request; and

(3) A statement that the denial may be appealed under 6 CFR 5.25(a) and a description of the requirements of 6 CFR 5.25(a).

(e) JRA access requests. For purposes of responding to a JRA access request, a covered person is subject to the same limitations, including exemptions and exceptions, as an individual is subject to under section 552a of title 5, United States Code, when pursuing access to records. The implementing regulations and reasons provided for exemptions can be found in Appendix C to 6 CFR part 5, titled DHS Systems of Records Exempt from the Privacy Act.

On receipt of any request involving classified information, the component will determine whether information is currently and properly classified and take appropriate action to ensure compliance with 6 CFR part 7. Whenever a request is made for access to a record that is covered by a system of records containing information that has been classified by or may be appropriate for classification by another component or agency under any applicable executive order, the receiving component will consult the component or agency that classified the information. Whenever a record contains information that has been derivatively classified by a component or agency because it contains information classified by another component or agency, the component will consult the component or agency that classified the underlying information. Information determined to no longer require classification will not be withheld from a requester based on exemption (k)(1) of the Privacy Act. On receipt of any appeal involving classified information, the DHS Office of the General Counsel or its designee, shall take appropriate action to ensure compliance with part 7 of this title.

(a) Requirements for filing an appeal. An individual may appeal an adverse determination denying his or her request for access in any respect to the appropriate component Appeals Officer. For the address of the appropriate component Appeals Officer, an individual may contact the applicable component FOIA Requester Service Center or FOIA Public Liaison using the information in appendix A to Part 5, visit www.dhs.gov/foia,, or call 1-866-431-0486. Alternatively, an individual may also appeal to the DHS Office of the General Counsel or its designee in writing, by mail or email indicated here https://www.dhs.gov/office-general-counsel. An appeal must be in writing, and to be considered timely it must be postmarked or, in the case of electronic submissions, transmitted to the Appeals Officer within 90 working days, consistent with the procedures in Subpart A to this Part, after the date of the component's response. An electronically filed appeal will be considered timely if transmitted to the Appeals Officer by 11:59:59 p.m. EST. The appeal should clearly identify the component determination (including the assigned request number if the requester knows it) that is being appealed and should contain the reasons the requester believes the determination was erroneous. For the quickest possible handling, an individual should mark both his or her appeal letter and the envelope “Privacy Act Appeal” or “Judicial Redress Act Appeal.”

(b) Adjudication of appeals. The DHS Office of the General Counsel or its designee ( e.g., Component Appeals Officers) is the authorized appeals authority for DHS. On receipt of any appeal involving classified information, the Appeals Officer will consult with the Chief Security Officer and take appropriate action to ensure compliance with 6 CFR part 7. If the appeal becomes the subject of a lawsuit, the Appeals Officer is not required to act further on the appeal.

(c) Appeal decisions. Consistent with the procedures in Subpart A to this Part, the decision on an appeal will be made in writing generally twenty (20) working days after receipt. However, consistent with the procedures in Subpart A to this Part, the time limit for responding to an appeal may be extended provided the circumstances set forth in 5 U.S.C. 552(a)(6)(B)(i) are met. A decision affirming an adverse determination in whole or in part will include a brief statement of the reason(s) for the affirmance, including any Privacy Act exemption applied, and will inform the requester of the Privacy Act provisions for court review of the decision. If the adverse determination is reversed or modified on appeal in whole or in part, the requester will be notified in a written decision and his or her request will be reprocessed in accordance with that appeal decision. An adverse determination by the DHS Office of the General Counsel or its designee or Component Appeals Officer will be the final action of the Department.

(d) Appeal necessary before seeking court review. If an individual wishes to seek review by a court of any adverse determination or denial of a request by DHS within the allotted 20 working days to respond unless there are unusual or exceptional circumstances, that individual must first appeal it under this subpart. An appeal will not be acted on if the request becomes a matter of litigation.

(a) How made and addressed. Unless the record is not subject to amendment or correction as stated in paragraph (f) of this section, an individual may make a request for amendment or correction of a record of the Department about that individual by writing directly to the component that maintains the record, following the procedures in section 5.21. The request should identify each record in question, state the amendment or correction requested, and state the reason why the requester believes that the record is not accurate, relevant, timely, or complete. The requester may submit any documentation that he or she thinks would support his or her request. If the individual believes that the same record is in more than one system of records, he or she should state that and address his or her request to each component that maintains a system of records containing the record.

(b) Component responses. Within ten working days of receiving a request for amendment or correction of records, a component will send the requester a written acknowledgment of its receipt of the request, and it will promptly notify the requester whether the request is granted or denied. If the component grants the request in whole or in part, it will describe the amendment or correction made and will advise the requester of his or her right to obtain a copy of the corrected or amended record, in disclosable form. If the component denies the request in whole or in part, it will send the requester a letter signed by the head of the component, or the component head's designee, that will state:

(1) The reason(s) for the denial; and

(2) The procedure for appeal of the denial under paragraph (c) of this section, including the name and business address of the official who will act on his or her appeal.

(c) Appeals. Within 90 working days after the date of the component's response, the requester may appeal a denial of a request for amendment or correction to the Component Appeals Officer or the DHS Office of the General Counsel or its designee. The Component Appeals Officer or the DHS Office of the General Counsel or its designee must complete its review and make a final determination on the requester's appeal no later than 30 days (excluding Saturdays, Sundays, and legal public holidays) from the date on which the individual requests such review unless good cause is shown, and communicated to the individual, for which the 30-day period may be extended for an additional 30 days. If the appeal is denied, the requester will be advised of his or her right to file a Statement of Disagreement as described in paragraph (d) of this section and of his or her right under the Privacy Act, 5 U.S.C. 552a(d)(3), for court review of the decision. If an individual wishes to seek review by a court of any adverse determination or denial of a request, that individual must first appeal it under this subpart. For purposes of responding to a JRA amendment request, a covered person is subject to the same limitations, including exemptions and exceptions, as an individual is subject to under section 552a of title 5, United States Code, when pursuing amendment to records. The implementing regulations and reasons provided for exemptions can be found in Appendix C to 6 CFR part 5, titled DHS Systems of Records Exempt from the Privacy Act.

(d) Statements of Disagreement. If an individual's appeal under this section is denied in whole or in part, that individual has the right to file a Statement of Disagreement, unless exempt, that states his or her reason(s) for disagreeing with the Department's denial of his or her request for amendment or correction. Statements of Disagreement must be concise, must clearly identify each part of any record that is disputed, and should be no longer than one typed page for each fact disputed. The individual's Statement of Disagreement must be sent to the component involved, which will place it in the system of records in which the disputed record is maintained and will mark the disputed record to indicate that a Statement of Disagreement has been filed and where in the system of records it may be found.

(e) Notification of amendment/correction or disagreement. Within 30 working days of the amendment or correction of a record, the component that maintains the record will, unless exempt, notify all persons, organizations, or agencies to which it previously disclosed the record, if an accounting of that disclosure was made or should have been made, that the record has been amended or corrected. If an individual has filed a Statement of Disagreement, the component will append a copy of it to the disputed record whenever the record is disclosed and may also append a concise statement of its reason(s) for denying the request to amend or correct the record.

(f) Records not subject to amendment or correction. The following records are not subject to amendment or correction:

(1) Transcripts of testimony given under oath or written statements made under oath;

(2) Transcripts of grand jury proceedings, judicial proceedings, or quasi-judicial proceedings, which are the official record of those proceedings;

(3) Presentence records that originated with the courts; and

(4) Records in systems of records that have been exempted from amendment and correction under the Privacy Act (5 U.S.C. 552a(j) or (k)) pursuant to a Final Rule published in the Federal Register .

(a) How made and addressed. Except where accountings of disclosures are not required to be kept (as stated in paragraph (b)(1) of this section), an individual may make a request for an accounting of any disclosure that has been made by the Department to another person, organization, or agency of any record about the requester, except to the extent the records are covered by the JRA. This accounting contains the date, nature, and purpose of each disclosure, as well as the name and address of the person, organization, or agency to which the disclosure was made. A request for an accounting should identify each record in question and should be made by writing directly to the Department component that maintains the record, following the procedures in section 5.21.

(b) Where accountings are not required. Components are not required to provide accountings to the requester where they relate to:

(1) Disclosures for which accountings are, by statute (5 U.S.C. 552a(c)(1)), not required to be kept, such as disclosures that are made to officers and employees within the agency and disclosures that are required to be made under the FOIA;

(2) Disclosures made to law enforcement agencies for authorized law enforcement activities in response to written requests from those law enforcement agencies specifying the law enforcement activities for which the disclosures are sought; or

(3) Disclosures made from systems of records that have been exempted from accounting requirements by a rulemaking pursuant to 5 U.S.C. 552a(j) or (k).

(c) Appeals. A requester may appeal a denial of a request for an accounting to the Component Appeals Officer or the DHS Office of the General Counsel or its designee in the same manner as a denial of a request for access to records (see § 5.25 of this part) and the same procedures will be followed.

Each component will preserve all correspondence pertaining to the requests that it receives under this subpart, as well as copies of all requested records, until disposition or destruction is authorized by title 44 of the United States Code or the National Archives and Records Administration's General Records Schedule 4.2. Records will not be disposed of while they are the subject of a pending request, appeal, lawsuit, or litigation or audit hold under the Act.

(a) Fees for access requests granted in full under the Privacy Act are limited to duplication fees, which are chargeable to the same extent that fees are chargeable under the 6 CFR part 5, subpart A. An access request not granted in full under the Privacy Act will be processed under the FOIA and will subject to all fees chargeable under the applicable FOIA regulations. Fees are not charged for processing amendment and accounting requests.

(b) DHS will not process a request under the Privacy Act or JRA from persons with an unpaid fee from any previous Privacy Act or JRA request to any Federal agency until that outstanding fee has been paid in full to the agency.

(a) Court-ordered disclosures. When the component discloses an individual's information covered by a system of records pursuant to an order from a court of competent jurisdiction, and the order is a matter of public record, the Privacy Act requires the component to send a notice of the disclosure to the last known address of the person whose record was disclosed. Notice will be given within a reasonable time after the component's receipt of the order, except that in a case in which the order is not a matter of public record, the notice will be given only after the order becomes public. This notice will be mailed to the individual's last known address and will contain a copy of the order and a description of the information disclosed. Notice will not be given if disclosure is made from a criminal law enforcement system of records that has been exempted from the notice requirement.

(b) Court. For purposes of this section, a court is an institution of the judicial branch of the U.S. Federal Government consisting of one or more judges who seek to adjudicate disputes and administer justice. Entities not in the judicial branch of the Federal Government are not courts for purposes of this section.

(c) Court order. For purposes of this section, a court order is any legal process which satisfies all the following conditions:

(1) It is issued under the authority of a Federal court;

(2) A judge or a magistrate judge of that court signs it;

(3) It commands or permits DHS to disclose the Privacy Act protected information at issue; and

(4) The court is a court of competent jurisdiction.

(d) Court of competent jurisdiction. It is the view of DHS that under the Privacy Act the Federal Government has not waived sovereign immunity, which precludes state court jurisdiction over a Federal agency or official. Therefore, DHS will not honor state court orders as a basis for disclosure, unless DHS does so under its own discretion.

(e) Conditions for disclosure under a court order of competent jurisdiction. The component may disclose information in compliance with an order of a court of competent jurisdiction if—

(1) Another section of this part specifically allows such disclosure, or

(2) DHS, the Secretary, or any officer or employee of DHS in his or her official capacity is properly a party in the proceeding, or

(3) Disclosure of the information is necessary to ensure that an individual who is accused of criminal activity receives due process of law in a criminal proceeding under the jurisdiction of the judicial branch of the Federal Government.

(f) In other circumstances. DHS may disclose information to a court of competent jurisdiction in circumstances other than those stated in paragraph (e) of this section. DHS will make its decision regarding disclosure by balancing the needs of a court while preserving the confidentiality of information. For example, DHS may disclose information under a court order that restricts the use and redisclosure of the information by the participants in the proceeding; DHS may offer the information for inspection by the court in camera and under seal; or DHS may arrange for the court to exclude information identifying individuals from that portion of the record of the proceedings that is available to the public.

(g) Emergency disclosures. Upon disclosing a record pertaining to an individual made under compelling circumstances affecting the health or safety of an individual, the component will notify the individual to whom the record pertains of the disclosure. This notice will be mailed to the individual's last known address and will state the nature of the information disclosed; the person, organization, or agency to which it was disclosed; the date of disclosure; and the compelling circumstances justifying the disclosure.

(h) Other regulations on disclosure of information in litigation. See 6 CFR part 5, subpart C, for additional rules covering disclosure of information and records governed by this part and requested in connection with legal proceedings.

(a) In general. Each component will establish administrative and physical controls to prevent unauthorized access to its systems of records, to prevent unauthorized disclosure of records, and to prevent physical damage to or destruction of records. The stringency of these controls will correspond to the sensitivity of the records that the controls protect. At a minimum, each component's administrative and physical controls will ensure that:

(1) Records are protected from public view;

(2) The area in which records are kept is supervised during business hours to prevent unauthorized persons from having access to them;

(3) Records are inaccessible to unauthorized persons outside of business hours; and

(4) Records are not disclosed to unauthorized persons or under unauthorized circumstances in either oral or written form.

(b) Procedures required. Each component will have procedures that restrict access to records to only those individuals within the Department who must have access to those records to perform their duties and that prevent inadvertent disclosure of records.

As required by 5 U.S.C. 552a(m), any approved contract for the operation of a system of records to accomplish an agency function will contain the standard contract requirements issued by the General Services Administration to ensure compliance with the requirements of the Privacy Act for that system. The contracting component will be responsible for ensuring that the contractor complies with these contract requirements.

Each component will ensure that employees authorized to collect information are aware:

(a) That individuals may not be denied any right, benefit, or privilege because of refusing to provide their Social Security numbers, unless the collection is authorized either by a statute or by a regulation issued prior to 1975; and

(b) That individuals requested to provide their Social Security numbers must be informed of:

(1) Whether providing Social Security numbers is mandatory or voluntary;

(2) Any statutory or regulatory authority that authorizes the collection of Social Security numbers; and

(3) The uses that will be made of the numbers.

(c) Including Social Security numbers of an individual on any document sent by mail is not permitted unless the Secretary determines that the inclusion of the number on the document is necessary.

Each component will inform its employees of the provisions of the Privacy Act, including the Act's civil liability and criminal penalty provisions referenced in § 5.35. Unless otherwise permitted by law, the Department will:

(a) Maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the Component or the Department that is required to be accomplished by statute or by executive order of the President;

(b) Collect information about an individual directly from that individual whenever practicable and when the information may result in adverse determinations about an individual's rights, benefits, and privileges under federal programs;

(c) Inform each individual from whom information is collected of:

(1) The legal authority to collect the information and whether providing it is mandatory or voluntary;

(2) The principal purpose for which the Department intends to use the information;

(3) The routine uses the Department may make of the information; and

(4) The effects on the individual, if any, of not providing the information;

(d) Ensure that the component maintains no system of records without public notice and that it notifies appropriate Department officials of the existence or development of any system of records that is not the subject of a current or planned public notice;

(e) Maintain all records that are used by the Department in making any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in the determination;

(f) Except as to disclosures made to an agency or made under the FOIA, make reasonable efforts, prior to disseminating any record about an individual, to ensure that the record is accurate, relevant, timely, and complete;

(g) Maintain no record describing how an individual exercises his or her First Amendment rights, unless it is expressly authorized by statute or by the individual about whom the record is maintained, or is pertinent to and within the scope of an authorized law enforcement activity;

(h) When required by the Act, maintain an accounting in the specified form of all disclosures of records by the Department to persons, organizations, or agencies;

(i) Maintain and use records with care to prevent the unauthorized or inadvertent disclosure of a record to anyone; and

(j) Disclose Privacy Act or JRA records only as permitted by 5 U.S.C. 552a(b).

Each component will inform its employees and contractors of the Privacy Act's civil liability provisions (5 U.S.C. 552a(g)) and criminal penalty provisions (5 U.S.C. 552a(i)) as they apply to Privacy Act and JRA complaints.

Nothing in this subpart will be construed to entitle any person, as of right, to any service or to the disclosure of any record to which such person is not entitled under the Privacy Act or JRA.

Lynn Parker Dupree,

Chief Privacy Officer, Department of Homeland Security.

[FR Doc. 2021-21374 Filed 10-5-21; 8:45 am]

BILLING CODE 9110-9B-P