[Federal Register: September 29, 2006 (Volume 71, Number 189)]
[Rules and Regulations]
[Page 57416-57425]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr29se06-14]
=======================================================================
-----------------------------------------------------------------------
OCCUPATIONAL SAFETY AND HEALTH REVIEW COMMISSION
29 CFR Part 2400
Regulations Implementing the Privacy Act of 1974
AGENCY: Occupational Safety and Health Review Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Occupational Safety and Health Review Commission (OSHRC)
is amending its regulations implementing the Privacy Act of 1974, 5
U.S.C. 552a. The Privacy Act has been amended multiple times since
OSHRC first promulgated its regulations in 1979. The amendments to
OSHRC's regulations at 29 CFR Part 2400 will assist the agency in
complying with the requirements of the Privacy Act.
DATES: Effective September 29, 2006.
FOR FURTHER INFORMATION CONTACT: Ron Bailey, Attorney-Advisor, Office
of the General Counsel, via telephone at (202) 606-5410, or via e-mail
at rbailey@oshrc.gov.
SUPPLEMENTARY INFORMATION: OSHRC published a notice of proposed
rulemaking on July 28, 2006, 71 FR 42785, which would revise 29 CFR
Part 2400. Interested persons were afforded an opportunity to
participate in the rulemaking process through submission of written
comments on the proposed rule. OSHRC received no public comments. We
have reviewed the proposed rule and now adopt it as the agency's final
rule.
OSHRC's regulations at Part 2400 implementing the Privacy Act of
1974 were first promulgated on January 19, 1979, 44 FR 3968. These
regulations had not been revised, except for changes made to the office
address referenced in Sec. Sec. 2400.6 and 2400.7, 58 FR 26065, April
30, 1993. Since 1979, however, the Privacy Act has been amended on
numerous occasions. These statutory changes, along with intervening
case law, compel OSHRC to amend its
[[Page 57417]]
regulations at Part 2400. Because OSHRC is making extensive revisions
to these regulations, OSHRC has reproduced them in their entirety for
the convenience of the reader at the end of this document. OSHRC's
specific amendments to Part 2400 are discussed below in regulatory
sequence.
OSHRC is first amending its authority citation to exclude all
references to popular names and statutes at large. The Office of the
Federal Register has expressed a preference for citing only to the
United States Code when referencing a Federal statute.
In Sec. 2400.1 (Purpose and scope), OSHRC is making several
changes to clarify what Part 2400 covers. In accordance with the
amendments to the Privacy Act contained in section 2(b), Pub. L. 97-365
(5 U.S.C. 552a(m)(2)), OSHRC is amending Sec. 2400.1 to reflect that
Part 2400 no longer covers systems of records ``that are disclosed to
consumer reporting agencies under [section] 3711(e) of title 31, United
States Code.'' Additionally, OSHRC is amending Sec. 2400.1 to reflect
that Part 2400 applies only to ``records that are maintained by
[OSHRC].'' The prior version of Sec. 2400.1 states that OSHRC's
Privacy Act regulations ``are applicable only to such items of
information as relate to the agency or are within its custody.''
However, the term ``record'' is defined in the Privacy Act at 5 U.S.C.
552a(a)(4) while the term ``items of information'' is not. Therefore,
amending Sec. 2400.1 to substitute ``record'' for ``items of
information'' more appropriately limits the purpose and scope of the
regulations in accordance with the statute. OSHRC is also deleting the
last sentence of Sec. 2400.1, which states ``[t]his part is intended
to protect individual privacy, and affects all personal information
collection and usage activity of the agency,'' because it is overly
broad. Based on these amendments, revised Sec. 2400.1 reads as
follows:
The purpose of the provisions of this part is to provide procedures
to implement the Privacy Act of 1974 (5 U.S.C. 552a). This part is
applicable only to records that are maintained by the Occupational
Safety and Health Review Commission (OSHRC or the Commission), which
includes all systems of records operated on behalf of OSHRC,
pursuant to a contract, to accomplish an agency function, except for
records that are disclosed to consumer reporting agencies under
section 3711(e) of title 31, United States Code. This part is not
applicable to the rights of parties appearing in adversary
proceedings before the Commission to obtain discovery from an
adverse party. Such matters are governed by the Commission's Rules
of Procedure, which are published at 29 CFR 2200.1 et seq.
Revising Sec. 2400.1 in this manner incorporates a statutory
change to the Privacy Act, as well as clarifies the proper scope of the
agency's regulations under Part 2400.
In Sec. 2400.2 (Description of agency), OSHRC is adding a sentence
to the end of the section that provides additional details about the
designation of one of the Commissioners as the Chairman and his
responsibilities for the administrative operations of the Commission,
consistent with section 12(e) of the Occupational Safety and Health Act
of 1970, 29 U.S.C. 661(e). OSHRC is also making a simple change in
nomenclature by deleting ``Occupational Safety and Health Review
Commission'' and replacing it with ``The Commission.'' The agency's
full name is first noted in revised Sec. 2400.1 based on the
amendments to that section discussed above.
OSHRC is amending several items in Sec. 2400.3 (Delegation of
authority). In paragraph (a) of Sec. 2400.3, OSHRC is revising the
paragraph's language to provide that ``[t]he Chairman shall designate
an OSHRC employee as the Privacy Officer, and shall delegate to the
Privacy Officer the authority to ensure agency-wide compliance with
this part.'' In the prior version of paragraph (a), this authority was
delegated to the Executive Director. In recent years, the Office of
Management and Budget (OMB) has issued various guidance memoranda
regarding the responsibilities of executive departments and agencies on
privacy matters, including Safeguarding Personally Identifiable
Information, OMB-06-15 (May 22, 2006); Designation of Senior Agency
Officials for Privacy, OMB Memorandum M-05-08 (Feb. 11, 2005); and OMB
Guidance for Implementing the Privacy Provision of the E-Government Act
of 2002, OMB Memorandum M-03-22 (Sept. 30, 2003). By creating the
position of Privacy Officer and providing this individual with the
authority to handle Privacy Act matters, OSHRC will be better able to
respond to future changes in requirements and subsequent guidance in
the privacy arena.
In paragraph (b) of Sec. 2400.3, OSHRC is replacing the term
``[c]ustodians'' with the more specific term ``[c]ustodians of the
systems of records'' in order to better define those persons covered by
paragraph (b). In accordance with the amendments to Sec. 2400.3(a),
OSHRC is also replacing the term ``Executive Director'' with ``Privacy
Officer.'' Additionally, OSHRC is dividing existing paragraph (b) into
paragraphs (b)(1) and (b)(2) and adding a new paragraph (b)(3) in order
to highlight the various duties of the custodians of the systems of
records. Specifically, OSHRC is reformatting paragraph (b) by turning
its first and second sentences into new paragraphs (b)(1) and (b)(2),
respectively. OSHRC is making several grammatical changes in new
paragraph (b)(1) by transforming the words ``adherence,''
``collection,'' ``use,'' and ``disclosure'' into present participles.
OSHRC is replacing (1) the word ``information'' and the phrase
``personal information'' with the word ``records,'' and (2) the phrase
``personal records systems'' with the phrase ``systems of records.''
Because the terms ``record'' and ``system of records'' are defined in
the Privacy Act at 5 U.S.C. 552a(a)(4) and (5), use of these terms
better delineates the scope of revised paragraph (b). OSHRC is adding a
new paragraph (b)(3), which makes the custodians of the systems of
records responsible for maintaining an accurate accounting of each
disclosure in conformance with old Sec. 2400.4(d) (new Sec.
2400.4(c)) and its statutory counterpart in the Privacy Act at 5 U.S.C.
552a(c). Custodians of the systems of records are best suited to
maintain an accounting of each disclosure because they have the most
interaction with the systems of records and are usually involved in
processing the requests for records.
With regard to Sec. 2400.4 (Collection and disclosure of personal
information), OSHRC is making several structural and substantive
changes, as well as some minor changes in wording. In paragraph
(a)(1)(i) of Sec. 2400.4, OSHRC is adding the phrase ``in its
records'' after ``[s]olicit, collect and maintain'' to clarify that
OSHRC's responsibilities under this provision only extend to
information that is maintained in a record. OSHRC is also adding a new
paragraph (a)(1)(ii) that lists the responsibilities set forth in 5
U.S.C. 552a(e)(5), which requires each agency to--
Maintain all records which are used by the agency in making any
determination about any individual with such accuracy, relevance,
timeliness, and completeness as is reasonably necessary to assure
fairness to the individual in the determination.
With the addition of new paragraph (a)(1)(ii), Sec. 2400.4(a)(1)
better reflects OSHRC's responsibilities under the Privacy Act. OSHRC
is renumbering old paragraphs (a)(1)(ii) and (iii) as new paragraphs
(a)(1)(iii) and (iv). In order to better track the statutory language
of 5 U.S.C. 552a(e)(2), OSHRC is adding the phrase ``under Federal
programs'' after ``benefits or privileges'' in the newly renumbered
paragraph (a)(1)(iii). Finally, OSHRC is making a minor
[[Page 57418]]
change by deleting ``the'' before ``OSHRC'' in new paragraph
(a)(1)(iv).
OSHRC is not making any changes to paragraph (a)(2). In paragraph
(a)(3) of Sec. 2400.4, however, OSHRC is replacing the word
``information'' with ``record'' because the term ``record'' is defined
in the Privacy Act at 5 U.S.C. 552a(a)(4) while the term
``information'' is not, and thus amending paragraph (a)(3) in this
manner better defines this paragraph's scope. OSHRC is also adding the
phrase ``or maintenance of the record'' after ``collection'' to clarify
that all of the requirements and exceptions in the paragraph apply to
both the collection and maintenance of records. Finally, OSHRC is
amending paragraph (a)(3) to include language that excludes records
``pertinent to and within the scope of an authorized law enforcement
activity,'' in accordance with 5 U.S.C. 552a(e)(7). OSHRC is making no
changes to Sec. 2400.4(a)(4).
OSHRC is making structural and substantive changes to paragraphs
(b)(1) and (b)(2) of Sec. 2400.4. Specifically, OSHRC is amending
paragraph (b)(1) to incorporate the opening statutory language
contained in 5 U.S.C. 552a(b). Paragraph (b)(1) now reads:
OSHRC shall not disclose any record which is contained in a system
of records by any means of communication to any person, or to
another agency, except pursuant to a written request by, or with the
prior written consent of, the individual to whom the record
pertains.
The prior version of the regulation at Sec. 2400.4(b)(1)--which,
in part, prevented OSHRC from disseminating records ``unless reasonable
efforts have been made to assure that the information is accurate,
complete, timely and relevant''--could have been construed as applying
to Freedom of Information Act (FOIA) requests. Under 5 U.S.C.
552a(e)(6), however, agency responses to FOIA requests are specifically
exempted from the Privacy Act requirement that agencies must make
reasonable efforts to ensure, when disclosing records about an
individual to any person, that such records are accurate, complete,
timely, and relevant. This exemption makes sense because the purpose of
a FOIA request may be, for example, to gather information that reflects
an agency's propensity for maintaining inaccurate records.
Consequently, it is not appropriate to require that such records
requested under the FOIA be examined in this manner under the Privacy
Act. Thus, in order to eliminate such an interpretation, OSHRC is
amending paragraph (b)(1) in the aforementioned manner, amending
paragraph (b)(2) to list exceptions to revised paragraph (b)(1), and
adding new paragraph (b)(5) which defines when records should be
``accurate, complete, timely and relevant.''
As to paragraph (b)(2) of Sec. 2400.4, OSHRC is making the
following changes. First, in order to reflect that revised paragraph
(b)(2) lists exceptions to the rule set forth in revised paragraph
(b)(1), OSHRC is revising the opening clause to read, ``Exceptions: A
record may be disseminated without satisfying the requirements of
paragraph (b)(1) of this section if disclosure is made: * * *.''
Second, OSHRC is replacing the word ``information'' with ``record'' in
paragraphs (b)(2)(ii) and (b)(2)(iv), because the term ``record'' is
defined in the Privacy Act at 5 U.S.C. 552a(a)(4), while the term
``information'' is not. Third, in paragraph (b)(2)(iv), OSHRC is adding
the words ``OSHRC with'' between ``provided'' and ``adequate advance
written assurance'' in order to clarify that notice must be provided to
OSHRC. In that paragraph, OSHRC is also replacing the phrase
``individually identifiable'' with ``personally identifiable'' because
this is a term of art used by Privacy Act practitioners. Fourth, OSHRC
is making a change in nomenclature by spelling out ``United States'' in
paragraph (b)(2)(v) and deleting ``the'' before ``OSHRC'' in paragraph
(b)(2)(viii). Fifth, in accordance with the amendments to the Privacy
Act contained in section 107(g)(1), Pub. L. 98-497 (5 U.S.C.
552a(b)(6)), OSHRC is modifying, in paragraph (b)(2)(vi), ``National
Archives of the United States'' to read ``National Archives and Records
Administration,'' and ``Administrator of General Services'' to read
``Archivist of the United States or the designee of the Archivist.''
Sixth, OSHRC is modifying, in paragraph (b)(2)(viii), ``Federal
agency'' to read ``another agency.'' This revision better tracks the
statutory language at 5 U.S.C. 552a(b)(7) and makes clear that the
records can be disclosed to federal, state, or local agencies. In this
regard, OMB states in its guidelines, 40 FR 28948, 28955, July 9, 1975,
that in addition to providing for disclosures to federal law
enforcement agencies, section 552a(b)(7) allows an agency, ``upon
receipt of a written request, [to] disclose a record to another agency
or unit of State or local government for a civil or criminal law
enforcement activity.'' Seventh, in order to better track the language
of 5 U.S.C. 552a(b)(9), OSHRC is modifying paragraph (b)(2)(ix) of
Sec. 2400.4 to read, ``To either House of Congress, or, to the extent
of matter within its jurisdiction, any committee or subcommittee
thereof, or any joint committee of Congress or subcommittee of any such
joint committee.'' Eighth, in accordance with the GAO Human Capital
Reform Act of 2004, Pub. L. 108-271, 118 Stat. 811, OSHRC is modifying,
in paragraph (b)(2)(x), ``General Accounting Office'' to read
``Government Accountability Office.'' Finally, OSHRC is adding a new
paragraph (b)(2)(xii) which, in accordance with the amendments to the
Privacy Act contained in section 2(a), Pub. L. 97-365 (5 U.S.C.
552a(b)(12)), permits disclosure ``[t]o a consumer reporting agency in
accordance with section 3711(e) of title 31, United States Code.''
OSHRC is making some minor changes, such as capitalizing
``Service'' in paragraph (b)(3) and revising ``Sec. 2400.4(b)(3)
above'' to read ``paragraph (b)(3) of this section'' in paragraph
(b)(4). In paragraph (b)(3), OSHRC is also changing ``The Personnel
Office'' to ``OSHRC's Office of Administration'' based on the agency's
recent reorganization.
OSHRC is adding new paragraphs (b)(5) and (b)(6) to Sec. 2400.4,
which essentially incorporate the statutory language of 5 U.S.C.
552a(e)(6) and (d)(5), respectively. Paragraph (b)(5) is changed
slightly from that stated in the NPRM, which initially stated: ``OSHRC
shall not disseminate any record about an individual to any person
other than an agency unless the record is disseminated pursuant to
paragraph (b)(2)(i) of this section, or reasonable efforts have been
made to ensure that the record is accurate, complete, timely and
relevant.'' Upon further review of 5 U.S.C. 552a(e)(6), OSHRC makes a
minor edit to paragraph (b)(5) so it more clearly tracks the statute as
follows:
Disclosures to third parties. Prior to disseminating any record
about an individual to any person other than an agency, unless the
record is disseminated pursuant to paragraph (b)(2)(i) of this
section, OSHRC shall make reasonable efforts to ensure that the
record is accurate, complete, timely and relevant.
Paragraph (b)(6) reads:
Anticipated legal action. Nothing in this section shall allow an
individual access to any information compiled in reasonable
anticipation of a civil action or proceeding.
OSHRC is adding these provisions to Sec. 2400.4 in order to track
the statute and make the regulations comprehensive.
OSHRC is re-designating old Sec. 2400.4(c) as new Sec. 2400.5(c).
The old Sec. 2400.4(c), which pertains to notifying certain persons
and agencies about corrections made to a record, is a better fit for
new Sec. 2400.5(c), which pertains to ``[n]otification of amendment.''
[[Page 57419]]
Modifications to the language in the re-designated Sec. 2400.5(c) are
discussed below in that section.
In response to the change above, OSHRC is re-designating old
paragraph (d) of Sec. 2400.4, which sets forth the procedures for
maintaining an accounting of disclosures, as new paragraph (c) of Sec.
2400.4. OSHRC is streamlining the language of new paragraph (c)(1).
Rather than spelling out that the accounting requirements do not
pertain to instances ``in which disclosure is made to OSHRC employees
in the performance of their duties or is required by the Freedom of
Information Act (5 U.S.C. 552), in conformance with section 552a(c) of
the Privacy Act,'' OSHRC is amending the paragraph to read that ``any
disclosure made pursuant to paragraphs (b)(2)(i) and (b)(2)(ii) of this
section'' is excepted. Also, OSHRC is inserting the phrase ``OSHRC
shall maintain'' at the beginning of paragraph (c)(1) to emphasize that
it is, in fact, OSHRC's responsibility to maintain an accurate
accounting of certain disclosures. OSHRC is adding a new paragraph
(c)(2) that lists the information required, in accordance with 5 U.S.C.
552a(c)(1), for a proper accounting of each disclosure. New paragraph
(c)(2) reads as follows:
When an accounting is required under paragraph (c)(1) of this
section, the following information shall be recorded: the date,
nature, and purpose of each disclosure of a record to any person or
to another agency, and the name and address of the person or agency
to whom the disclosure is made.
OSHRC is renumbering old paragraph (d)(2) as new paragraph (c)(3),
and modifying the language ``for at least five (5) years or the life of
the record'' to read ``for at least five (5) years after disclosure or
for the life of the record'' in order to clearly define the length of
time that an accounting must be maintained. Finally, OSHRC is
renumbering old paragraph (d)(3) as new paragraph (c)(4), adding a
cross-reference to ``Sec. 2400.6 for suggested form of request,'' and
deleting the word ``provision'' because it adds nothing to the
sentence.
With regard to Sec. 2400.5 (Notification), OSHRC is making various
changes in substance and nomenclature. In the opening sentence of
paragraph (a) of Sec. 2400.5, OSHRC is modifying the phrase ``personal
records systems'' to read ``systems of records'' because only the
latter phrase is defined in the Privacy Act at 5 U.S.C. 552a(a)(5).
In paragraph (a)(2) of Sec. 2400.5, OSHRC is deleting the word
``personal'' because the definitions of ``record'' and ``system of
records'' in the Privacy Act at 5 U.S.C. 552a(a)(4) and (5),
respectively, already reflect that personally identifiable information
is at issue. In accordance with the amendments to the Privacy Act
contained in section 201(a), Pub. L. 97-375 (5 U.S.C. 552a(e)(4)),
OSHRC is also deleting the word ``annually'' from paragraph (a)(2) and
adding the phrase ``[u]pon establishing or revising a system of
records.'' Additionally, OSHRC is modifying paragraph (a)(2) to reflect
the data elements for Privacy Act notices that are required by the
Office of the Federal Register. These fields include: (i) System name
and location; (ii) security classification; (iii) categories of
individuals covered by the system; (iv) categories of records in the
system; (v) authority for maintenance of the system; (vi) purpose(s) of
the system; (vii) routine uses of records maintained in the system,
including categories of users and the purpose(s) of such uses; (viii)
disclosures to consumer reporting agencies; (ix) policies and practices
for storing, retrieving, accessing, retaining, and disposing of records
in the system; (x) system manager(s) and address; (xi) procedures by
which an individual can be informed whether a system contains a record
pertaining to himself, gain access to such record, and contest the
content, accuracy, completeness, timeliness, relevance, and necessity
for retention of the record; (xii) record source categories; and (xiii)
exemptions claimed for the system. Finally, in the opening sentence of
paragraph (a)(2) of Sec. 2400.5, OSHRC is making minor grammatical
changes, such as inserting ``the'' before the words ``existence'' and
``systems.''
In accordance with the amendments to the Privacy Act contained in
section 3(b), Pub. L. 100-503 (5 U.S.C. 552a(r)), OSHRC is adding a new
paragraph (a)(3) to Sec. 2400.5 that sets forth the reporting
requirements for system-of-records notices. New paragraph (a)(3) reads
as follows:
OSHRC shall submit a report, in accordance with guidelines provided
by the Office of Management and Budget (OMB), in order to give
advance notice to the Committee on Government Reform of the House of
Representatives, the Committee on Homeland Security and Governmental
Affairs of the Senate, and OMB of any proposal to establish a new
system of records or to significantly change an existing system of
records.
It is necessary to add new paragraph (a)(3) to Sec. 2400.5 in
order to provide a comprehensive explanation of the notification
requirements.
In paragraph (b) of Sec. 2400.5, OSHRC is replacing the phrase
``personal information'' with ``record pertaining to the individual''
because the term ``record'' is defined in the Privacy Act at 5 U.S.C.
552a(a)(4), while the term ``information'' is not.
OSHRC is also making substantial changes to paragraph (c) of Sec.
2400.5. The prior version of paragraph (c) stated as follows:
``Notification of amendment. (See Sec. 2400.7 relating to amendment of
records upon request.)'' OSHRC is deleting this language, inserting the
text of old Sec. 2400.4(c) (as discussed earlier), and designating it
as new paragraph (c)(1) in Sec. 2400.5. OSHRC is modifying the text to
read as follows:
OSHRC shall inform any person or other agency about any correction
or notation of dispute made by OSHRC to any record that has been
disclosed to the person or agency, if the correction or notation was
made pursuant to Sec. 2400.8, and an accounting of the disclosure
was made pursuant to Sec. 2400.4(c).
The prior version of this paragraph states that its requirements
apply where a ``personal record has been or is to be disclosed.''
However, the phrase ``is to be disclosed'' is not included in 5 U.S.C.
552a(c)(4), the regulation's statutory counterpart. Moreover, from a
practical standpoint, it would be difficult to notify a person or an
agency of a correction if the record has not yet been disclosed to that
person or agency. The remaining changes to new paragraph (c)(1), shown
above, are based on the statutory text at section 552a(c)(4).
OSHRC is adding a new paragraph (c)(2) to Sec. 2400.5 setting
forth the requirements of 5 U.S.C. 552a(d)(4), which explains how
agencies are to treat disputed portions of the record. New paragraph
(c)(2) reads as follows:
In any disclosure to a person or other agency containing information
about which the individual has filed a statement of disagreement and
occurring after the statement was filed, OSHRC shall clearly note
any portion of the record which is disputed and provide copies of
the statement and, if OSHRC deems appropriate, copies of a concise
statement of OSHRC's reasons for not making the requested
amendments.
Adding this statutory requirement to Sec. 2400.5 will help ensure
that the rights of those covered by the Privacy Act are preserved.
In accordance with 5 U.S.C. 552a(e)(11), OSHRC is amending
paragraph (d) of Sec. 2400.5 to allow interested persons to ``submit
written data, views, or arguments to OSHRC'' after a system-of-records
notice has been published in the Federal Register. OSHRC is also adding
the word ``routine'' before ``use,'' and replacing ``personal
information'' with ``a system of records'' because, under section
552a(e)(11), notification is required only for new and revised routine
uses of
[[Page 57420]]
systems of records. OSHRC is making no changes to paragraph (e) of
Sec. 2400.5.
With regard to Sec. 2400.6 (Procedures for requesting records),
OSHRC is making various substantive and structural changes, as well
some changes in nomenclature. Throughout Sec. 2400.6, OSHRC is
replacing ``personal information'' with ``record'' because the term
``record'' is defined in the Privacy Act at 5 U.S.C. 552a(a)(4) and the
term ``information'' is not. OSHRC is also making a change in
nomenclature by replacing ``Executive Director,'' ``responsible
official,'' and ``disclosure officer'' with ``Privacy Officer'' in
accordance with the amendments to Sec. 2400.3(a).
In the opening sentence of Sec. 2400.6, OSHRC is replacing the
word ``have'' with ``gain.'' OSHRC is also deleting the phrase ``within
a comprehensive format'' as unnecessary.
In paragraph (a)(1) of Sec. 2400.6, OSHRC is deleting the last
sentence which read as follows:
Access to OSHRC records maintained in National Archives and Records
Service Centers may be obtained in accordance with the regulations
issued by the General Services Administration.
According to section 107(g)(2), Pub. L. 98-497 (5 U.S.C.
552a(l)(1)), the records that OSHRC sends to the Federal processing
center are still considered to be under OSHRC's control. Thus,
disclosure of such records must be in accordance with OSHRC's
regulations implementing the Privacy Act. OSHRC is also amending the
agency's mailing address to include the last four digits of the ZIP
code and to spell out ``Ninth Floor.''
OSHRC is deleting the last sentence in paragraph (a)(2) of Sec.
2400.6, which read, ``Upon request, OSHRC also shall disclose to the
individual an accounting of any disclosures made from the individual's
records.'' This sentence was redundant because new Sec. 2400.4(c)(4)
(old Sec. 2400.4(d)(3)) already covers an individual's request for an
accounting.
In paragraph (a)(3) of Sec. 2400.6, OSHRC is revising the Privacy
Officer's period for response to read ``10 working days'' rather than
``10 days,'' because 5 U.S.C. 552a(d)(2)(A) states that Saturdays,
Sundays, and legal holidays are excluded from the 10-day requirement.
Paragraphs (b)(1) and (b)(2) of Sec. 2400.6 remain unchanged.
However, OSHRC is amending paragraph (b)(3) of Sec. 2400.6 to reflect
that a declaration made in accordance with 28 U.S.C. 1746 may serve as
an alternative to a notarized statement, in accordance with section
1(a), Pub. L. 94-550 (28 U.S.C. 1746), and Summers v. United States
Dep't of Justice, 999 F.2d 570, 573 (D.C. Cir. 1993).
While paragraph (c) on verification of guardianship remains
unchanged, OSHRC is modifying paragraph (d) of Sec. 2400.6 to indicate
that the authorization form discussed in that paragraph must be
provided by OSHRC. Because the form is intended, in part, to protect
OSHRC from liability that may arise when records are disseminated to a
third party accompanying the individual whose records are being
accessed, OSHRC must make certain that the form is legally adequate.
OSHRC is deleting old paragraph (e) of Sec. 2400.6, which sets
forth special rules for requesting medical records, and adding a new
Sec. 2400.7 that provides a more legally sound procedure for
requesting such records. OSHRC is also re-designating old paragraph (f)
as new paragraph (e).
OSHRC is re-designating old paragraph (g) of Sec. 2400.6 as new
paragraph (f) and amending its language to require that the Privacy
Officer, upon denying an individual's request for personal records,
notify the individual of his or her right to an administrative appeal.
The paragraph previously required that the requester be advised only of
his right to judicial review in a district court of the United States.
However, the administrative appeal is an equally important aspect of
the review process and, therefore, is also included in the Privacy
Officer's statement. OSHRC is deleting the phrase ``or other
appropriate official,'' thereby requiring that the Privacy Officer sign
any reply denying an individual's written request to review a record.
Placing clear limits on who has authority to deny such a request is
necessary to maintain the integrity of the administrative appeal
process.
As discussed above, OSHRC is creating a new Sec. 2400.7 by carving
out old paragraph (e) of Sec. 2400.6 and revising it to comport with
new case law regarding special procedures for medical records. Under 5
U.S.C. 552a(f)(3), OSHRC must--
establish procedures for the disclosure to an individual upon his
request of his record or information pertaining to him, including
special procedure, if deemed necessary, for the disclosure to an
individual of medical records, including psychological records,
pertaining to him[.]
The previous version of paragraph (e) of Sec. 2400.6 read as
follows:
Medical records shall be disclosed to the requester to whom they
pertain unless the Executive Director, in consultation with a
medical doctor named by the requesting individual, determines that
access to such record could have an adverse effect upon such
individual. In such a case, the Executive Director shall transmit
such information to the named medical doctor.
In light of Benavides v. United States Bureau of Prisons, 995 F.2d
269 (D.C. Cir. 1993), this may not be a valid procedure. In Benavides,
the United States Court of Appeals for the District of Columbia Circuit
found that, while an agency is authorized to devise a ``special''
methodology for disclosing medical records under section 552a(f)(3),
the devised methodology must lead to disclosure of the medical records
to the requesting individual. Id. at 272. Thus, the court held that a
regulation which expressly contemplates that the requesting individual
may never see certain medical records is not a permissible special
procedure. Id. The court, however, rejected the argument that the
Privacy Act requires direct disclosure of medical records to the
requesting individual. Id. at 273. Recognizing the ``potential harm
that could result from unfettered access to medical and psychological
records,'' the court provided that an agency should have the freedom to
craft special procedures to limit such harm, as long as the agency
guarantees ``the ultimate disclosure of the medical records to the
requesting individual.'' Id. New Sec. 2400.7 addresses the concerns
expressed in Benavides by setting forth a procedure that guarantees
``the ultimate disclosure of medical records to the requesting
individual,'' but still requires the intervention of a physician in
order ``to limit the potential harm.'' Id.
OSHRC is re-designating old Sec. 2400.7 (Procedures for requesting
amendment) as new Sec. 2400.8. Throughout new Sec. 2400.8, OSHRC is
replacing ``Executive Director'' with ``Privacy Officer'' in accordance
with the amendments to Sec. 2400.3(a) discussed above. OSHRC is
revising paragraph (b)(4) to reflect that the Privacy Officer will
``[n]otify the requester of a determination not to amend the record, of
the reasons for the refusal, and of the requester's right to appeal in
accordance with [new] Sec. 2400.9.'' Inexplicably, the prior version
of paragraph (b)(4) did not require OSHRC to explain its decision to
deny a person's request for amendment. OSHRC is severing paragraphs (c)
and (d) of old Sec. 2400.7 and renumbering them to create a new Sec.
2400.9 pertaining to appeal procedures. Creating new Sec. 2400.9 by
separating the appeal procedures from old Sec. 2400.7, which pertains
to ``procedures for requesting amendment,'' is necessary because
[[Page 57421]]
individuals should be permitted to appeal the agency's denial of
inspection and copy requests, not just the denial of amendment
requests.
In new Sec. 2400.9 (old Sec. 2400.7(c) and (d)), OSHRC is
changing ``Executive Director'' to ``Privacy Officer.'' OSHRC is also
making the following formatting changes. New paragraphs (a)(1) and
(a)(2) of Sec. 2400.9 coincide with old Sec. 2400.7(c)(1) and (c)(2),
new paragraph (b) coincides with old Sec. 2400.7(c)(3), new paragraph
(c) coincides with old Sec. 2400.7(c)(4), and new paragraph (d)
coincides with old Sec. 2400.7(d). In new paragraph (a)(1) (old Sec.
2400.7(c)(1)), OSHRC is amending the last four digits of the ZIP code
in its mailing address, spelling out ``Ninth Floor,'' and adding
``Attn: Privacy Appeal'' as the second line in the address. In new
paragraph (b) of Sec. 2400.9 (old Sec. 2400.7(c)(3)), OSHRC is: (1)
Adding the word ``working'' after the first mention of ``30'' because 5
U.S.C. 552a(d)(3) states that Saturdays, Sundays, and legal holidays
are excluded from the 30-day requirement; (2) replacing the word
``determination'' with ``decision'' in order to make new paragraph (b)
consistent with paragraph (c) (old Sec. 2400.7(c)(4)); and (3) for the
sake of readability, modifying ``not complete, accurate, relevant, or
timely,'' to read ``incomplete, inaccurate, irrelevant, or untimely.''
In new paragraph (c) (old Sec. 2400.7(c)(4)), OSHRC is titling the
paragraph ``Decision requirements'' and adding the phrase ``of the
United States'' after ``district court.'' Finally, in new paragraph (d)
(old Sec. 2400.7(d)), OSHRC is adding ``then'' after ``the
requester,'' and deleting the word ``personal'' because the definition
of ``record'' in the Privacy Act at 5 U.S.C. 552a(a)(4) already
reflects that personally identifiable information is at issue.
OSHRC is deleting old Sec. 2400.7(e), which states that the
Executive Director ``is available to provide an individual with
assistance in exercising rights pursuant to this part.'' This language
creates no affirmative duty and is therefore unnecessary. Moreover,
other OSHRC regulations already adequately ensure that an individual
requesting records or amendment to records will be provided with the
information necessary to exercise his or her rights.
OSHRC is re-designating old Sec. 2400.8 (Schedule of fees) as new
Sec. 2400.10. OSHRC is amending the schedule of fees to reflect the
change in costs since the original promulgation of the current
regulations in 1979. Rather than specifying a specific copying fee,
OSHRC is incorporating by reference Appendix A to 29 CFR Part 2201--
Schedule of Fees in the agency's final FOIA rules at 71 FR 56347,
September 27, 2006. OSHRC is making this revision for purposes of
administrative ease and to ensure that the fees charged for FOIA and
Privacy Act requests are consistent. Lastly, in accordance with 5
U.S.C. 552a(f)(5), OSHRC is amending paragraph (c) to reflect that no
fee will be charged for reviewing records.
OSHRC is deleting old Sec. 2400.9 (Exemptions), which states that
``[s]ubsections 552a(j) and (k) of title 5 * * * empower the Chairman
to exempt systems of records meeting certain criteria from various
other subsections of section 552a.'' Under 5 U.S.C. 552a(j) and (k),
the head of an agency may promulgate rules, in some circumstances, to
exempt various systems of records from certain Privacy Act
requirements. A system of records cannot be exempted, however, unless a
specific rule regarding it has been published. If ever there is a
system of records that the head of the agency wants to exempt, he or
she can simply publish a regulation at that time to exempt the system.
Thus, deleting Sec. 2400.9 in no way deprives the Chairman of this
authority.
Executive Order 12866
The Commission is an independent regulatory agency, and, as such,
is not subject to the requirements of E.O. 12866.
Paperwork Reduction Act
The Commission has determined that the Paperwork Reduction Act, 44
U.S.C. 3501 et seq., does not apply because these rules do not contain
any information collection requirements that require the approval of
OMB.
Executive Order 13132
The Commission is an independent regulatory agency, and, as such,
is not subject to the requirements of E.O. 13132.
Regulatory Flexibility Act
The Commission has determined under the Regulatory Flexibility Act,
5 U.S.C. 605(b), as amended by the Small Business Regulatory
Enforcement Fairness Act of 1996, 5 U.S.C. 804(2), and has certified to
the Chief Counsel for Advocacy of the Small Business Administration,
that these rules will not have a significant economic impact on a
substantial number of small entities. Therefore, a Regulatory
Flexibility Statement and Analysis has not been prepared.
The Commission maintains relatively few systems of records, as
defined by 5 U.S.C. 552a(a)(5). Moreover, the bulk of the Commission's
record--i.e., its case files--are already open to public review under
section 12(g) of the OSH Act, 29 U.S.C. Sec. 661(g). Despite the
requirements of the Privacy Act, the public may access much of the
information that the Commission maintains. Finally, the Privacy Act
permits agencies to charge requesters for duplication costs, but not
for costs associated with searching for and reviewing requested
records. The Commission's final rule is fully consistent with these
requirements.
Unfunded Mandates Reform Act of 1995
The Commission is an independent regulatory agency, and, as such,
is not subject to the Unfunded Mandates Reform Act, 2 U.S.C. 1501 et
seq.
Congressional Review Act
Consistent with the Congressional Review Act (Section 804 of the
Small Business Regulatory Enforcement Fairness Act), 5 U.S.C. 804 et
seq., the Commission will submit to Congress and to the Comptroller
General of the United States, a report regarding the issues of this
Final Rule prior to the effective date set forth at the outset of this
document. This rule is not a major rule under the Congressional Review
Act. The rule will not result in an annual effect on the economy of
more than $100 million per year; a major increase in costs or prices
for consumers, individual industries, Federal, State, or local
government agencies, or geographic regions; or significant adverse
effects on competition, employment, investment, productivity,
innovation, or on the ability of U.S.-based enterprises to compete with
foreign-based companies in domestic and export markets.
List of Subjects in 29 CFR Part 2400
Administrative practice and procedure, Archives and records,
Government employees, Privacy.
Signed at Washington, DC, on September 27, 2006.
W. Scott Railton,
Chairman.
0
For the reasons set forth in the preamble, OSHRC amends Chapter XX of
Title 29, Code of Federal Regulations, by revising part 2400 to read as
follows:
PART 2400--REGULATIONS IMPLEMENTING THE PRIVACY ACT
Sec.
2400.1 Purpose and scope.
2400.2 Description of agency.
2400.3 Delegation of authority.
2400.4 Collection and disclosure of personal information.
[[Page 57422]]
2400.5 Notification.
2400.6 Procedures for requesting records.
2400.7 Special procedures for requesting medical records.
2400.8 Procedures for requesting amendment.
2400.9 Procedures for appealing.
2400.10 Schedule of fees.
Authority: 5 U.S.C. 552a(f); 5 U.S.C. 553.
Sec. 2400.1 Purpose and scope.
The purpose of the provisions of this part is to provide procedures
to implement the Privacy Act of 1974 (5 U.S.C. 552a). This part is
applicable only to records that are maintained by the Occupational
Safety and Health Review Commission (OSHRC or the Commission), which
includes all systems of records operated on behalf of OSHRC, pursuant
to a contract, to accomplish an agency function, except for records
that are disclosed to consumer reporting agencies under section 3711(e)
of title 31, United States Code. This part is not applicable to the
rights of parties appearing in adversary proceedings before the
Commission to obtain discovery from an adverse party. Such matters are
governed by the Commission's Rules of Procedure, which are published at
29 CFR 2200.1 et seq.
Sec. 2400.2 Description of agency.
The Commission adjudicates contested enforcement actions under the
Occupational Safety and Health Act of 1970 (29 U.S.C. 651-677).
Decisions of the Commission on such actions are issued only after the
parties to the case are afforded an opportunity for a hearing in
accordance with section 554 of title 5, United States Code. All such
hearings are conducted by an OSHRC Administrative Law Judge at a place
convenient to the parties and are open to the public. Each Commission
member has the authority to direct that a decision of a Judge be
reviewed by the full Commission before becoming a final order. The
President designates one of the Commissioners as Chairman, who is
responsible on behalf of the Commission for the administrative
operations of the Commission.
Sec. 2400.3 Delegation of authority.
(a) The Chairman shall designate an OSHRC employee as the Privacy
Officer, and shall delegate to the Privacy Officer the authority to
ensure agency-wide compliance with this part.
(b) Custodians of the systems of records are responsible for the
following:
(1) Adhering to this part within their respective units and, in
particular, collecting, using and disclosing records, and affording
individuals the right to inspect, obtain copies of and correct records
concerning them;
(2) Reporting the existence of systems of records, changes to the
contents of those systems and changes of routine use to the Privacy
Officer, and also establishing the relevancy of records within those
systems; and
(3) Maintaining an accurate accounting of each disclosure in
conformance with Sec. 2400.4(c) of this part.
Sec. 2400.4 Collection and disclosure of personal information.
(a) The following rules govern the collection of personal
information throughout OSHRC operations:
(1) OSHRC shall:
(i) Solicit, collect and maintain in its records only such personal
information as is relevant and necessary to accomplish a purpose
required by statute or executive order;
(ii) Maintain all records which are used by OSHRC in making any
determination about any individual with such accuracy, relevance,
timeliness, and completeness as is reasonably necessary to ensure
fairness to the individual in the determination;
(iii) Collect information, to the greatest extent practicable,
directly from the subject individual when such information may result
in adverse determinations about an individual's rights, benefits or
privileges under Federal programs; and
(iv) Inform any individual requested to disclose personal
information whether that disclosure is mandatory or voluntary, by what
authority it is solicited, the principal purposes for which it is
intended to be used, the routine uses which may be made of it, and any
penalties or consequences known to OSHRC which shall result to the
individual from such non-disclosure.
(2) OSHRC shall not discriminate against any individual who fails
to provide personal information unless that information is required or
necessary for the conduct of the system or program in which the
individual desires to participate. See Sec. 2400.4(a)(1)(i).
(3) No record shall be collected or maintained which describes how
any individual exercises rights guaranteed by the First Amendment
unless the Commission specifically determines that such information is
relevant and necessary to carry out a statutory purpose of OSHRC, and
the collection or maintenance of the record is expressly authorized by
statute or by the individual about whom the record is maintained, or
unless the record is pertinent to and within the scope of an authorized
law enforcement activity.
(4) OSHRC shall not require disclosure of any individual's Social
Security account number or deny a right, privilege or benefit because
of the individual's refusal to disclose the number unless disclosure is
required by Federal law.
(b) Disclosures--(1) Limitations. OSHRC shall not disclose any
record which is contained in a system of records by any means of
communication to any person, or to another agency, except pursuant to a
written request by, or with the prior written consent of, the
individual to whom the record pertains.
(2) Exceptions. A record may be disseminated without satisfying the
requirements of paragraph (b)(1) of this section if disclosure is made:
(i) To a person pursuant to a requirement of the Freedom of
Information Act (5 U.S.C. 552);
(ii) To those officers and employees of OSHRC who have a need for
the record in the performance of their duties;
(iii) For a routine use as contained in the system notices
published in the Federal Register;
(iv) To a recipient who has provided OSHRC with adequate advance
written assurance that the record shall be used solely as a statistical
reporting or research record, and the record is to be transferred in a
form that is not personally identifiable;
(v) To the Bureau of the Census for purposes of planning or
carrying out a census or survey or related activity pursuant to the
provisions of title 13, United States Code;
(vi) To the National Archives and Records Administration as a
record which has sufficient historical or other value to warrant its
continued preservation by the United States Government, or for
evaluation by the Archivist of the United States or the designee of the
Archivist to determine whether the record has such value;
(vii) To a person pursuant to a showing of compelling circumstances
affecting the health or safety of an individual, if upon such
disclosure notification is transmitted to the last known address of
such individual;
(viii) To another agency or an instrumentality of any governmental
jurisdiction within or under the control of the United States for a
civil or criminal law enforcement activity, if such activity is
authorized by law and if the head of the agency or instrumentality has
made a written request to OSHRC specifying the particular portion of
the record desired and the law enforcement activity for which the
record is sought;
[[Page 57423]]
(ix) To either House of Congress, or, to the extent of matter
within its jurisdiction, any committee or subcommittee thereof, or any
joint committee of Congress or subcommittee of any such joint
committee;
(x) To the Comptroller General or any of his authorized
representatives in the course of the performance of the duties of the
Government Accountability Office;
(xi) Pursuant to the order of a court of competent jurisdiction; or
(xii) To a consumer reporting agency in accordance with section
3711(e) of title 31, United States Code.
(3) Employee credit references. OSHRC's Office of Administration
shall verify the following information provided by an employee to a
credit bureau or commercial firm from which an employee is seeking
credit: Length of service, job title, grade, salary, tenure of
employment, and Civil Service status.
(4) Employee job references. Prospective employers of an OSHRC
employee or a former OSHRC employee may be furnished with the
information in paragraph (b)(3) of this section in addition to the date
and reason for separation, if applicable, upon the request of the
employee or former employee.
(5) Disclosures to third parties. Prior to disseminating any record
about an individual to any person other than an agency, unless the
record is disseminated pursuant to paragraph (b)(2)(i) of this section,
OSHRC shall make reasonable efforts to ensure that the record is
accurate, complete, timely and relevant.
(6) Anticipated legal action. Nothing in this section shall allow
an individual access to any information compiled in reasonable
anticipation of a civil action or proceeding.
(c) Accounting of disclosures--(1) OSHRC shall maintain an accurate
accounting of each disclosure, except for any disclosure made pursuant
to paragraphs (b)(2)(i) and (b)(2)(ii) of this section.
(2) When an accounting is required under paragraph (c)(1) of this
section, the following information shall be recorded: The date, nature,
and purpose of each disclosure of a record to any person or to another
agency, and the name and address of the person or agency to whom the
disclosure is made.
(3) The accounting shall be maintained for at least five (5) years
after disclosure or for the life of the record, whichever is longer.
(4) The accounting shall be made available to the individual named
in the record upon inquiry, except for disclosures made pursuant to
paragraph (b)(2)(viii) of this section relating to law enforcement
activities. See Sec. 2400.6 for suggested form of request.
Sec. 2400.5 Notification.
(a) Notification of systems. The following procedures permit
individuals to determine the types of systems of records maintained by
OSHRC.
(1) Upon written request, OSHRC shall notify any individual whether
a specific system named by him contains a record pertaining to him. See
Sec. 2400.6 for suggested form of request.
(2) Upon establishing or revising a system of records, OSHRC shall
publish in the Federal Register a notice of the existence and character
of the system of records. This notice shall contain the following
information:
(i) System name and location;
(ii) Security classification;
(iii) Categories of individuals covered by the system;
(iv) Categories of records in the system;
(v) Authority for maintenance of the system;
(vi) Purpose(s) of the system;
(vii) Routine uses of records maintained in the system, including
categories of users and the purpose(s) of such uses;
(viii) Disclosures to consumer reporting agencies;
(ix) Policies and practices for storing, retrieving, accessing,
retaining, and disposing of records in the system;
(x) System manager(s) and address;
(xi) Procedures by which an individual can be informed whether a
system contains a record pertaining to himself, gain access to such
record, and contest the content, accuracy, completeness, timeliness,
relevance and necessity for retention of the record;
(xii) Record source categories; and
(xiii) Exemptions claimed for the system.
(3) OSHRC shall submit a report, in accordance with guidelines
provided by the Office of Management and Budget (OMB), in order to give
advance notice to the Committee on Government Reform of the House of
Representatives, the Committee on Homeland Security and Governmental
Affairs of the Senate, and OMB of any proposal to establish a new
system of records or to significantly change an existing system of
records.
(b) Notification of disclosure. OSHRC shall make reasonable efforts
to serve notice on an individual before any record pertaining to the
individual is made available to any person under compulsory legal
process when such process becomes a matter of public record.
(c) Notification of amendment--(1) OSHRC shall inform any person or
other agency about any correction or notation of dispute made by OSHRC
to any record that has been disclosed to the person or agency, if the
correction or notation was made pursuant to Sec. 2400.8, and an
accounting of the disclosure was made pursuant to Sec. 2400.4(c).
(2) In any disclosure to a person or other agency containing
information about which the individual has filed a statement of
disagreement and occurring after the statement was filed, OSHRC shall
clearly note any portion of the record which is disputed and provide
copies of the statement and, if OSHRC deems appropriate, copies of a
concise statement of OSHRC's reasons for not making the requested
amendments.
(d) Notification of new routine use. Any new or revised routine use
of a system of records maintained by OSHRC shall be published in the
Federal Register thirty (30) days before such use becomes operational.
Interested persons may then submit written data, views, or arguments to
OSHRC.
(e) Notification of exemptions. OSHRC shall publish in the Federal
Register its intent to exempt any system of records and shall specify
the nature and purpose of that system.
Sec. 2400.6 Procedures for requesting records.
The purpose of this section is to provide procedures by which an
individual may gain access to his records.
(a) Submission of requests for access--(1) Manner. An individual
seeking information regarding the contents of records systems or access
to records about himself in a system of records should present a
written request to that effect either in person or by mail to the
Privacy Officer, OSHRC, One Lafayette Centre, 1120-20th Street, NW.,
Ninth Floor, Washington, DC 20036-3457.
(2) Specification of records sought. Requests for access to records
shall describe the nature of the record sought, the approximate dates
covered by the record, and the system in which the record is thought to
be included as described in the ``Notification'' for that system as
published in the Federal Register. The requester should also indicate
whether he wishes to review the record in person or obtain a copy by
mail. If the information supplied is insufficient to locate or identify
the record, the requester shall be notified promptly and, if necessary,
informed of additional information required.
(3) Period for response. Upon receipt of an inquiry the Privacy
Officer shall respond promptly to the request and no
[[Page 57424]]
later than 10 working days from receipt of such inquiry.
(b) Verification of identity. The following standards are
applicable to any individual who requests records concerning himself:
(1) An individual seeking access to records about himself in person
may establish his identity by the presentation of a single document
bearing a photograph (such as a passport, employee identification card,
or valid driver's license) or by the presentation of two items of
identification which do not bear a photograph but do bear both a name
and address (such as a valid driver's license, or credit card).
(2) An individual seeking access to records about himself by mail
shall establish his identity by a signature, address, date of birth,
place of birth, employee identification number, if any, and one other
identifier such as a photocopy of an identifying document.
(3) An individual seeking access to records about himself by mail
or in person who cannot provide the necessary documentation of
identification may provide a notarized statement, or a declaration in
accordance with 28 U.S.C. 1746, swearing or affirming to his identity
and to the fact that he understands the penalties for false statements
pursuant to 18 U.S.C. 1001. Forms for notarized statements may be
obtained on request from the Privacy Officer.
(c) Verification of guardianship. The parent or guardian of a minor
or a person judicially determined to be incompetent and seeking to act
on behalf of such minor or incompetent shall, in addition to
establishing his own identity, establish the identity of the minor or
other person he represents as required in paragraph (b) of this section
and establish his own parentage or guardianship of the subject of the
record by furnishing either a copy of a birth certificate showing
parentage or a court order establishing the guardianship.
(d) Accompanying persons. An individual seeking to review records
about himself may be accompanied by another individual of his own
choosing. Both the individual seeking access and the individual
accompanying him shall be required to sign a form provided by OSHRC
indicating that OSHRC is authorized to discuss the contents of the
subject record in the presence of both individuals.
(e) When compliance is possible--(1) The Privacy Officer shall
inform the requester of the determination to grant the request and
shall make the record available to the individual in the manner
requested, that is, either by forwarding a copy of the information to
him or by making it available for review, unless:
(i) It is impracticable to provide the requester with a copy of a
record, in which case the requester shall be so notified, and, in
addition, be informed of the procedures set forth in paragraph (b) of
this section, or
(ii) The Privacy Officer has reason to believe that the cost of a
copy of a record is considerably more expensive than anticipated by the
requester, in which case he shall notify the requester of the estimated
cost, and ascertain whether the requester still wishes to be provided
with a copy of the information.
(2) Where a record is to be reviewed by the requester in person,
the Privacy Officer shall inform the requester in writing of:
(i) The date on which the record shall become available for review,
the location at which it may be reviewed, and the hours for inspection;
(ii) The type of identification that shall be required in order for
him to review the record;
(iii) Such person's right to have a person of his own choosing
accompany him to review the record; and
(iv) Such person's right to have a person other than himself review
the record.
(3) If the requester seeks to inspect the record without receiving
a copy, he shall not leave OSHRC premises with the record and shall
sign a statement indicating he has reviewed a specific record or
category of record.
(f) Response when compliance is not possible. A reply denying a
written request to review a record shall be in writing signed by the
Privacy Officer and shall be made only if such a record does not exist
or does not contain personal information relating to the requester, or
is exempt. This reply shall include a statement regarding the
determining factors of denial, and the requester's rights to
administrative appeal and thereafter judicial review in a district
court of the United States.
Sec. 2400.7 Special procedures for requesting medical records.
(a) Upon an individual's request for access to his medical records,
including psychological records, the Privacy Officer shall make a
preliminary determination on whether access to such records could have
an adverse effect upon the requester. If the Privacy Officer determines
that access could have an adverse effect on the requester, OSHRC shall
notify the requester in writing and advise that the records at issue
can be made available only to a physician of the requester's
designation. Upon receipt of such designation, verification of the
identity of the physician, and agreement by the physician to review the
documents with the requesting individual, to explain the meaning of the
documents, and to offer counseling designed to temper any adverse
reaction, OSHRC shall forward such records to the designated physician.
(b) If, within sixty (60) days of OSHRC's written request for a
designation, the requester has failed to respond or designate a
physician, or the physician fails to agree to the release conditions,
then OSHRC shall hold the documents in abeyance and advise the
requester that this action may be construed as a technical denial.
OSHRC shall also advise the requester of his rights to administrative
appeal and thereafter judicial review in a district court of the United
States.
Sec. 2400.8 Procedures for requesting amendment.
(a) Submission of requests for amendment. Upon review of an
individual's personal record, that individual may submit a request to
amend such record. This request shall be submitted in writing to the
Privacy Officer and shall include a statement of the amendment
requested and the reasons for such amendment, e.g., relevance,
accuracy, timeliness or completeness of the record.
(b) Action to be taken by the Privacy Officer. Upon receiving an
amendment request, the Privacy Officer shall promptly:
(1) Acknowledge in writing within ten (10) working days the receipt
of the request;
(2) Make such inquiry as is necessary to determine whether the
amendment is appropriate; and
(3) Correct or eliminate any information that is found to be
incomplete, inaccurate, irrelevant to a statutory purpose of OSHRC, or
untimely and notify the requester when this action is complete; or
(4) Notify the requester of a determination not to amend the
record, of the reasons for the refusal, and of the requester's right to
appeal in accordance with Sec. 2400.9.
Sec. 2400.9 Procedures for appealing.
(a) Submission of appeal--(1) If a request to inspect, copy or
amend a record is denied, in whole or in part, or if no determination
is made within the period prescribed by this part, then the requester
may appeal to the Chairman, Attn: Privacy Appeal, OSHRC, One
[[Page 57425]]
Lafayette Centre, 1120-20th Street, NW., Ninth Floor, Washington, DC
20036-3457.
(2) The requester shall submit his appeal in writing within thirty
(30) days of the date of denial, or within ninety (90) days of such
request if the appeal is from a failure of the Privacy Officer to make
a determination. The letter of appeal should include, as applicable:
(i) Reasonable identification of the record to which access was
sought or the amendment of which was requested.
(ii) A statement of the OSHRC action or failure to act being
appealed and the relief sought.
(iii) A copy of the request, the notification of denial and any
other related correspondence.
(b) Final decisions. The Chairman shall make his final decision not
later than thirty (30) working days from the date of the request,
unless he extends the time for good cause to be shown by him but not to
exceed ninety (90) days from the date of the request. Any record found
on appeal to be incomplete, inaccurate, irrelevant, or untimely, shall
within thirty (30) working days of the date of such findings be
appropriately amended.
(c) Decision requirements. The decision of the Chairman constitutes
the final decision of OSHRC on the right of the requester to inspect,
copy, change or update a record. The decision on the appeal shall be in
writing and, in the event of a denial, shall set forth the reasons for
such denial and state the individual's right to obtain judicial review
in a district court of the United States. An indexed file of the
agency's decisions on appeal shall be maintained by the Privacy
Officer.
(d) Submission of statement of disagreement. If the final decision
does not satisfy the requester, then any statement of reasonable
length, provided by that individual, setting forth a position regarding
the disputed information, shall be accepted and included in the
relevant record.
Sec. 2400.10 Schedule of fees.
(a) Policy. The purpose of this section is to establish fair and
equitable fees to permit reproduction of records for concerned
individuals.
(b) Reproduction--(1) For the fees associated with reproduction of
records, refer to Appendix A to part 2201, Schedule of Fees.
(2) OSHRC shall not normally furnish more than one copy of any
record.
(c) Limitations. No fee shall be charged to any individual for the
process of retrieving, reviewing, or amending records.
[FR Doc. 06-8399 Filed 9-27-06; 1:19 pm]
BILLING CODE 7600-01-P