Breadcrumb

  1. Home
  2. Privacy
  3. Privacy Act of 1974 (EEOC Order)

Privacy Act of 1974 (EEOC Order)

  DIRECTIVES TRANSMITTAL Number
EEOC 150.003
Date
    11/21/91
SUBJECT: PRIVACY ACT OF 1974, as amended.
PURPOSE: This transmittal issues a revised EEOC Order
150.003 (formerly EEOC Order 156) implementing the
Commission's procedures for compliance with the Privacy Act
of 1974, as amended, 5 U.S.C. 552a. The Order has been
revised to reflect amendments to the Commission's Privacy
Act regulations and Notice of Systems of Records.
EFFECTIVE DATE: November 21, 1991
DISTRIBUTION: W
OBSOLETE DATA: Remove and destroy EEOC Order 156, dated
October 21, 1983. Replace with the attached Order 150.003
dated November 21, 1991.

 

 

__________/s/__________
Thomasina v. Rogers
Legal Counsel

 

GENERAL MANAGEMENT
Privacy Act of 1974, as amended

  1. SUBJECT. Privacy Act of 1974, as amended, 5 U.S.C. § 552a
  2. PURPOSE. This order sets forth the requirements of the
    Privacy Act of 1974, as amended, 5 U.S.C. § 552a, and
    establishes the responsibilities of Commission officials for
    carrying out that law. The order also contains the
    Commission's regulatory procedures for responding to Privacy
    Act requests for disclosure or amendment of a record
    (Appendix A) and the Commission's Notice of its Privacy Act
    Systems of Records that identifies the Commission records
    covered by the Act (Appendix B).
  3. EFFECTIVE DATE. November 21, 1991.
  4. ORIGINATOR. Legal Services, Office of Legal Counsel.
  5. COVERAGE AND REMEDIES PROVIDED BY THE PRIVACY ACT. The
    Privacy Act of 1974, as amended, 5 U.S.C. § 552a, is
    intended to ensure that personal information about
    individuals collected by Federal agencies is limited to that
    which is legally authorized and necessary and is maintained
    in a manner that precludes unwarranted invasion of
    individual privacy. The Act, therefore, prohibits the
    disclosure of any record contained in a system of records by
    any means of communication to any person, or to another
    agency, except pursuant to a written request by, or with the
    prior written consent of the individual to whom the record
    pertains, or under certain limited conditions as indicated
    in paragraph 8 of this Order. 5 U.S.C. § 552a(b). Coverage
    is limited, however, to systems of records (groupings of
    personal data about identifiable individuals) from which
    information is retrieved by reference to the individual's
    name, or some other personal identifier (i.e., fingerprint,
    employee code, social security number). Agencies that
    maintain such systems of records on individuals are required
    to identify their systems, and to comply with the
    requirements of the Act as to those systems of records only.
    5 U.S.C. § 552a(e).
    1. Procedures. The Commission has promulgated
      regulations, 29 C.F.R. Part 1611 (contained in Appendix
      A to this Order), in accordance with the Act [5 U.S.C.
      § 552a(c), (d) and (f)] that permit individuals to:
      • (1) ascertain whether a system of records contains
        information on them;
      • request access to this information;
      • be informed who, if anyone, has been provided with
        information on them from a system of records;
      • challenge the accuracy of the maintained
        information;
      • request that inaccurate information be amended;
      • appeal denials of requests for access to or
        amendment of maintained information;
      • submit, for inclusion in the record, a statement
        as to their version of the alleged inaccurate
        information if the appeal for amendment of a
        record is denied; and
      • require that any statement of their version of the
        alleged accurate information be transmitted to any
        person who has received the information in its
        inaccurate, or allegedly inaccurate, form.
    2. Systems of Records. The Commission's notice of its
      Systems of Records to which the Privacy Act applies has
      been published in the Federal Register and forms
      Appendix B to this Order.
    3. Civil Action. An individual may bring a civil action
      against an agency, and the district courts of the
      United States have jurisdiction, whenever an agency:
      • (1) makes a determination not to amend an individual's
        record in accordance with his request, or fails to
        make such review in conformity with this
        subsection;
      • refuses to comply with an individual request for
        access;
      • fails to maintain any record concerning any
        individual with such accuracy, relevance,
        timeliness, and completeness as is necessary to
        assure fairness in any determination relating to
        qualifications, character, rights, or
        opportunities of, or benefits to the individual
        that may be made on the basis of such record, and
        consequently a determination is made that is
        adverse to the tndividual; or
      • fails to comply with any other provision of the
        Privacy Act or any rule promulgated thereunder, in
        such a way as to have an adverse effect on an
        individual. 5 U.S.C. § 552a(g)(l)
    4. Criminal Liability. Section i of the Act provides:
      • Any officer or employee of an agency, who by
        virtue of his employment or official position, has
        possession of or access to agency records that
        contain individually identifiable information the
        disclosure of which is prohibited by the Privacy
        Act or by rules or regulations established
        thereunder, and who, knowing that disclosure of
        the specific material is so prohibited, willfully
        discloses the material in any manner to any person
        or agency not entitled to receive it, shall be
        guilty of a misdemeanor and fined not more than
        $5,000.
      • Any officer or employee of any agency who
        willfully maintains a system of records without
        publishing a notice of the existence and character
        of that system of records as required by the Act
        shall be guilty of a misdemeanor and fined not
        more than $5,000.
      • Any person who knowingly and willfully requests or
        obtains any record concerning an individual from
        an agency under false pretenses shall be guilty of
        a misdemeanor and fined not more than $5,000. 5
        U.S.C. § 552a(i).
  6. DEFINITIONS.
    1. Accounting. A record of disclosures made from Privacy
      Act systems of records. The record is to contain the
      date, nature, and purpose of each disclosure, and the
      name and address of the person or entity to whom
      disclosure was made.
    2. Determination. Any decision affecting the individual
      that is in whole or in part based on information
      contained in a Privacy Act record and is made by any
      person or any agency.
    3. Individual. A citizen of the United States or an alien
      lawfully admitted for permanent residence.
    4. Maintain. To keep in existence or to retain, to
      collect, use or disseminate.
    5. Privacy Act Statement. A statement that must be given
      to an individual from whom information is solicited for
      inclusion in a Privacy Act system of records. The
      statement need only be given when the solicited
      information is to be maintained in a system of records.

      The statement must include (1) the authority for
      solicitation of the information and whether providing
      the information is mandatory or voluntary; (2) the
      principal purpose(s) for which the information is
      intended to be used; (3) the routine uses that may be
      made of the information; and (4) the effects on the
      individual, if any, of not providing all or any part of
      the requested information.
    6. Privacy Act System Notice. A statement, published in
      the Federal Register, notifying the public of, among
      other things, the existence of a Privacy Act system of
      records. The notice must contain the information
      indicated in paragraph 13 of this Order.
    7. Record. Any item, collection or grouping of
      information about an individual that is maintained by
      an agency including, but not limited to, his or her
      education, financial transactions, medical, criminal
      and employment histories and that contains his or her
      name or some other personal identifier (e.g., social
      security number, employee code, finger or voice print
      or a photograph).
    8. Routine Use. A purpose for maintaining a record that
      permits certain disclosures of the record, as indicated
      in the Privacy Act System Notice (Appendix B), without
      the consent of the subject of the record.
    9. Statistical Record. A record in a system of records
      maintained for statistical research or reporting
      purposes only and not used in whole or in part in
      making any determination about an individual.
    10. System Manager. An agency official who, by virtue of
      his or her duties, has custody and control of one or
      more Privacy Act system(s) of records. Commission
      officials become Privacy Act systems managers only by
      their designation as such in the Privacy Act System
      Notice published in the Federal Register. The System
      Manager is directly responsible for compliance with the
      provisions of the Privacy Act, the Commission's Privacy
      Act Regulations (29 C.F.R. Part 1611) and this Order
      with respect to the system(s) for which he or she is
      the manager. For example, District Directors are the
      managers for the Commission's discrimination case files
      systems, but they are only managers of the case file
      systems located in their office. See Appendix B.
    11. System of Records. A group of records (as defined
      above) under the control of an agency from which
      information is retrieved by the name of the individual
      or some other personal identifier (e.g., social
      security number, employee code). See Appendix B for
      the Commission's Systems of Records.
  7. RESPONSIBILITIES
    1. The Commission shall ensure proper administration of
      the Act within the EEOC.
    2. The Legal Counsel shall:
      • recommend to the Commission agency procedures and
        policies for proper administration of the Act;
        assist System Managers in determining whether any
        grouping of information on individuals constitutes
        a "system of records";
      • review and determine within 30 working days
        appeals brought under the Act;
      • prepare for publication in the Federal Register
        all required Privacy Act regulations, notices and
        other information;
      • specify the data required for and prepare all the
        Commission's Privacy Act reports required to be
        submitted to the Office of Management and Budget,
        the President, the Congress or any other entity
        with oversight responsibility for implementation
        of the Act; and
      • provide assistance and advice to Commission
        off ices and officials regarding compliance with
        the requirements of the Act.
    3. System Managers are directly responsible for the day-to-
      day administration of the Privacy Act with respect
      to the systems of which they are designated as the
      manager. They shall:
      • ensure that only such information about an
        individual as is relevant and necessary to
        accomplish an authorized objective of the
        Commission is maintained in nonexempt systems of
        records;
      • ensure that, to the greatest extent practicable,
        information that may result in adverse
        determinations about an individual's rights,
        benefits and privileges under federal programs is
        collected from the subject individual;
      • ensure that Privacy Act statements are provided,
        as required, to each individual who is asked to
        provide information on himself or herself, when
        that information is to be maintained in a system
        of records;
      • ensure that all records used by the Commission in
        making any determination about any individual are
        maintained with such accuracy, relevance,
        timeliness, and completeness as is reasonably
        necessary to assure fairness to the individual in
        the determination;
      • determine whether the records sought are exempted
        from the provisions of the Act when an individual
        requests access to records in a system;
      • ensure that, prior to disseminating any record
        about an individual to any person other than
        another Federal Agency (unless the dissemination
        is made pursuant to the Freedom of Information
        Act), reasonable efforts are made to ensure that
        such records are accμrate, complete, timely and
        relevant for Commission purposes;
      • ensure that no records are maintained that
        describe how any individual exercises rights
        guaranteed by the First Amendment, unless
        expressly authorized by the individual, or statute
        or unless pertinent to and within the scope of an
        authorized law enforcement activity;
      • make reasonable efforts to serve notice on an
        individual when any record on such individual is
        made available to any person under compulsory
        legal process when such legal process becomes a
        matter of public record;
      • establish appropriate administrative, technical,
        and physical safeguards to ensure the security and
        confidentiality of records and to protect against
        any anticipated threats or hazards to their
        security or integrity that could result in
        substantial harm, embarrassment, inconvenience, or
        unfairness to any individual on whom information
        is maintained;
      • process requests for notification as to whether
        the Commission maintains a record about the
        requester and requests for access to such record;
        ensure that an accounting of disclosures from
        nonexempt systems of records is maintained for
        five years or the life of the record, whichever is
        longer, except that an accounting need not be made
        of intra-agency disclosures and disclosures made
        pursuant to the Freedom of Information Act;
      • (12) make available an accounting of disclosures made
        of a record about the requester from a nonexempt
        system of records upon request;
      • (13) process requests for amendment or correction of a
        record in a nonexempt system of records;
      • (14) notify the Legal Counsel regarding a proposal to
        change a system of records;
      • (15) consult with the Office of Legal Counsel (Legal
        Services) regarding the implementation of the Act;
      • (16) ensure that disclosures from systems of records
        are made only in a manner consistent with this
        Order;
      • (17) ensure compliance with the Commission's Privacy
        Act regulations, 29 C.F.R. Part 1611, for the
        system(s) of records of which he or she is the
        manager; and
      • (18) ensure that disclosures of information from
        Privacy Act systems of records are made only under
        the conditions specified for disclosure, including
        ascertaining proper identification of the
        requester, prior to release, in accordance with 29
        C.F.R. § 1611.4 (see paragraph 8 below).
    4. Office Heads (Hdqs.) and District Directors shall:
      • (l) notify in writing and consult with the Office of
        Legal Counsel (Legal Services) regarding any
        Privacy Act requirements at least 90 days prior to
        the date on which they propose to establish a
        Privacy Act System of Records. Said notification
        shall include the information that is required to
        be published in a Privacy Act System Notice (see
        Appendix B); and
      • (2) ensure that their employees are informed of the
        provisions of this order.
  8. CONDITIONS PERMITTING DISCLOSURE. Disclosure from Privacy
    Act Systems of Records wiil be made only when it is:
    1. pursuant to a written request by, or with the prior
      written consent of, the individual to whom the record
      pertains;
    2. to those officers and employees of the Commission who
      have a need for the record in the performance of their duties;
    3. required by the Freedom of Information Act;
    4. for a routine use for the system of records involved as
      published in the Federal Register (see Appendix B);
    5. to the Bureau of the Census for purposes of planning or
      survey or related activity pursuant to the provisions
      of Title 13 of the United States Code;
    6. to a recipient who has provided the agency with advance
      adequate written assurance that the record will be used
      solely as a statistical research or reporting record,
      and the record is to be transferred in a form that is
      not individually identifiable;
    7. to the National Archives and Records Administration as
      a record that has sufficient historical or other value
      to warrant its continued preservation by the United
      States Government, ot for evaluation by the Archivist
      of the United States or designee to determine whether
      the record has such value;
    8. to another agency or to an instrumentality of any
      governmental jurisdiction within or under the control :.
      of the United States for a civil or criminal law
      enforcement activity if the activity is authorized by
      law, and if the head of the agency or instrumentality
      has made a written request to the Commission specifying
      the particular portion desired and the law enforcement
      activity for which the record is sought;
    9. to a person pursuant to a showing of compelling
      circumstances affecting the health or safety of an
      individual, if upon such disclosure notification is
      transmitted to the last known address of such
      individual;
    10. to either House of Congress, or to the extent the
      matter is within its jurisdiction, any committee or
      subcommittee thereof, any joint committee of Congress
      or subcommittee of any such joint committee;
    11. o the Comptroller General, or any of his authorized
      representatives, in the course of the performance of
      the duties of the General Accounting Office;
    12. pursuant to the order of a court of competent
      jurisdiction; or
    13. to a consumer reporting agency in accordance with
      section 3(d) of the Federal Claims Collection Act of
      1966, 31 U.S.C. § 37ll(f).
  9. PROCEDURES FOR PRIVACY ACT REQUESTS AND APPEALS. Requests
    from individuals regarding whether the Commission maintains
    a record about such individuals, access to such records, and
    correction or amendment of such records and appeals of such
    requests, when denied, shall be processed in accordance with
    the Commission's Privacy Act Regulations, 29 C.F.R. Part
    1611 (Appendix A) and Notice of Privacy Act Systems of
    Records (Appendix B). The regulations and notice explicitly
    describe the manner in which System Managers shall process
    Privacy Act requests; they describe the role of the Legal
    Counsel in responding to appeals of denied requests.
    Therefore, the regulations contained in Appendix A and
    notice in Appendix B to this Order should be consulted for
    the procedures on Privacy Act requests and appeals.
    1. Combined Privacy Act and Freedom of Information Act
      Requests. If an individual seeks access to records
      under both the Privacy Act and Freedom of Information
      Act, the System Manager should consult with the
      Regional Attorney or Office of Legal Counsel, Legal
      Services, before granting or denying such a request.
    2. Charging Fees. No fee shall be charged for searches
      necessary to locate records. Fees shall be charged for
      copies made by photocopy device or otherwise as
      prescribed in the Commission's Privacy Act regulations,
      29 C.F.R. Part 1611 (see Appendix A).
  10. ESTABLISHING A NEW SYSTEM OF RECORDS.
    1. The Chairman, Commissioners, Office Heads (at Hdqs.),
      or District Directors may propose the establishment of
      a new system of records.
    2. The proposing official shall assess the need for and
      relevance of the information to be contained in the
      proposed new system and shall consult with the Office
      of Legal Counsel in order to determine the legality of
      the proposed system. At least 90 days prior to the
      date on which the proposing official plans to collect
      information for inclusion in the new system, the
      proposing official shall provide the Office of Legal
      Counsel with the proposing official's assessments noted
      above and a draft new system notice containing the
      information set forth at paragraph 13. The Office of
      Legal Counsel will prepare the final system notice. No
      new system may be utilized or information collected
      thereunder before the preconditions set forth below in
      lOc, d, e, and f are met.
    3. Upon approval of the system by the Commission, advance
      notice of a new system of records shall be issued by
      the Chairman to the Committee on Government Operations
      of the House of Representatives, the Committee on
      Governmental Affairs of the Senate, and the Office of
      Management and Budget at least 60 days before: (1) the
      issuance of data collection forms and/or instructions;
      (2) any public issuance of a Request for Proposal or an
      Invitation to Bid for computer or communications
      systems or services intended to support the system of
      records; or (3) entering any personal information into
      the new or altered system. The report shall contain:
      • a transmittal letter including the name and
        address of the EEOC official to whom inquiries and
        comments may be addressed;
      • an advanced copy of the new or revised system
        notice that the agency proposes to publish for the
        new or altered system(s);
      • an advance copy of any new rules or changes to
        published rules that the agency proposes for the
        new or altered system; and
      • an advance copy of any proposed rules setting
        forth the reasons why the system is to be exempted
        from any specific provision if the agency head
        plans to invoke any exemptions for the new or
        altered systems.
    4. The Office of Legal Counsel shall prepare the system
      notice for Commission approval and publication in the
      Federal Register for notice and comment in accordance
      with 5 U.S.C. § 552a(e)(ll).
    5. After the period of notice and comment, the Office of
      Legal Counsel shall cause the final system notice to be
      published in the Federal Register 30 days before the
      system becomes operational in accordance with 5 U.S.C.
      § 553.
    6. A Privacy Act Statement must be prepared by the System
      Manager and approved by the Office of Legal Counsel.
  11. CHANGING A SYSTEM OF RECORDS. The Legal Counsel should be
    contacted ninety (90) days in advance of a proposed change
    in an existing system of records for guidance in preparing a
    new system notice. See paragraph 10 above. The following
    changes to an existing system of records require advance
    notice of the revision as set forth in paragraph lOc.
    1. To increase or change the number or types of
      individuals on whom information is maintained;
    2. To expand the types or categories of information
      maintained;
    3. To alter the manner in which the records are organized
      or the manner in which records are indexed or retrieved
      so as to change the nature or scope of those records;
    4. To alter the purposes for which the information is
      used;
    5. To change the equipment configuration (i.e., hardware
      and/or software) on which the system is operated so as
      to create the potential for either greater or easier
      access; or
    6. To add routine uses.
  12. CANCELLING A SYSTEM OF RECORDS
    1. A System Manager shall consult with the Office of Legal
      Counsel to determine whether cancellation is
      appropriate.
    2. The Office of Legal Counsel shall prepare a notice of
      cancellation of a system of records for publication in
      the Federal Register.
    3. Such Notice shall contain:
      • an explanation of the background of the system;
        and
      • the reasons for cancellation
    4. Upon approval by the Commission, the cancellation
      notice shall be published in the Federal Register.
  13. PREPARING PRIVACY ACT NOTICES.
    1. The Legal Counsel shall prepare a notice of the
      existence and character of systems of records and
      publish it in the Federal Register upon establishment
      or revision of a system. The notice shall contain:
      • the name of the system;
      • the location of the system;
      • the categories of individuals on whom records are
        maintained in the system;
      • the categories of records maintained in the
        system;
      • the routine uses of the records contained in the
        system, including the categories of users and the
        purpose of each use;
      • the agency's policies and practices regarding
        storage, retrievability, access controls,
        retention and disposal of the records;
      • the title and business address of the system
        manager;
      • the procedure for determining if the system of
        records contains a record pertaining to an
        individual;
      • the procedure for gaining access to a record in
        the system and contesting a record's contents;
      • (10) the categories of record sources.
  14. PREPARING THE BIENNIAL REPORT
    1. System managers shall periodically review their systems
      of records so as to:
      • determine the relevancy of, and necessity for, the
        general categories of information maintained;
      • ensure that records are accurate, relevant, timely
        and complete;
      • consider the manner in which information has been
        used and what specific authorities permit such
        uses;
      • determine whether some of the information
        collected can be eliminated; and
      • consider whether all the information must be
        individually identifiable.
    2. Biennial Report Data. During February of each even
      numbered year, System Managers shall submit to the
      Off ice of Legal Counsel information on the following
      covering the previous two calendar years:
      • the total number of requests from individuals
        seeking access to and seeking to amend their
        records pursuant to the Act; the number granted in
        full or in part, and the number denied with the
        bases for denial; and the title of the system to
        which access or amendment was sought;
      • the number of requests for access and amendment
        that had to be returned because they contained
        insufficient information to identify the system;
        and
      • information as to problems and proposed revisions
        in their systems of records as well as EEOC's
        Privacy Act procedures indicated from that
        Manager's periodic review of his or system of
        records.
    3. The Privacy Act Biennial Report. The Legal Counsel
      shall prepare the report to be submitted to the Office
      of Management and Budget. The report will consist of:
      • a summary of compliance actions, problems
        experienced, and recommendations for changes in
        legislation, policies, or procedures;
      • a summary of accomplishments or improvements
        including revised rules, systems of records, etc.;
      • a summary of plans for the upcoming two years as
        to such matters as reviews of routine uses,
        application of exemption provisions, revised
        systems of records, etc.;
      • a list of exempt and nonexempt systems; and
      • a summary of changes in agency procedures and
        current statistics including statistics on the
        number of individuals requesting access, the
        number who were refused, the number of appeals,
        and the number who sought judicial review.
  15. LIST OF APPENDICES

    Appendix Title

    A. EEOC's Privacy Act Regulations 29 C.F.R. 1611

    B. EEOC's Notice of Privacy Act Systems of Records
  16. OBSOLETE DATA. This Order supersedes EEOC Order No. 156,
    Privacy Act of 1964, dated October 21, 1983.