[Federal Register: January 2, 2008 (Volume 73, Number 1)]
[Proposed Rules]               
[Page 113-125]
                         

=======================================================================
-----------------------------------------------------------------------

OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE

32 CFR Part 1701

 
Privacy Act Regulations

AGENCY: Office of the Director of National Intelligence.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: This proposed regulation provides the public the guidelines 
under which the Office of the Director of National Intelligence (ODNI) 
will implement the Privacy Act of 1974, 5 U.S.C. 552a, as amended. The 
proposed regulation describes agency policies for collecting and 
maintaining personally identifiable records and processes for 
administering requests for records under the Privacy Act. In addition, 
as permitted by the Privacy Act, subsections (j) and (k), and in 
accordance with the rulemaking procedures of the Administrative 
Procedures Act, 5 U.S.C. 553, the ODNI proposes exempting several new 
systems of records of the National Counterterrorism Center (NCTC), the 
Office of the National Counterintelligence Executive (ONCIX), and the 
Office of the Inspector General (OIG) from various provisions of the 
Act. The ODNI further proposes that exemptions invoked by agencies 
whose records the ODNI receives continue in effect where reasons for 
the exemption remain valid. Subpart C of this regulation proposes 
routine uses applicable to more than one ODNI Privacy Act system of 
records.

[[Page 114]]


DATES: Submit comments on or before February 11, 2008.

ADDRESSES: You may submit comments, identified by RIN number, by any of 
the following methods:
    Federal eRulemaking Portal: http://www.regulations.gov.

    Mail: Director, Information Management Office, Office of the 
Director of National Intelligence, Washington, DC 20511.

FOR FURTHER INFORMATION CONTACT: Mr. John F. Hackett, Director, 
Information Management Office (703) 482-3610.

SUPPLEMENTARY INFORMATION: The ODNI was created by the Intelligence 
Reform and Terrorism Prevention Act of 2004, Public Law 108-458, 118 
Stat. 3638 (Dec. 17, 2004). The first Director of National 
Intelligence, Ambassador John D. Negroponte, was sworn in to Office on 
April 21, 2005 and the ODNI began operations on April 22, 2005. Because 
the majority of documents held by the ODNI at its inception were 
previously maintained by the Central Intelligence Agency (CIA) and 
because the ODNI did not have a Privacy staff upon stand-up, records 
were administered under the CIA's Privacy Act authorities and using 
CIA's administrative resources. At this time, the ODNI proposes its own 
Privacy Act regulations. Additionally, in compliance with the Privacy 
Act, 5 U.S.C. 552a(e)(4), the ODNI describes in the notice section of 
today's Federal Register the following twelve new systems of records: 
NCTC Access Authorization Records, NCTC Human Resources Management 
System, NCTC Telephone Directory, NCTC Knowledge Repository (SANCTUM), 
NCTC Online (NOL), NCTC Tacit Knowledge Management Records, NCTC 
Terrorism Analysis Records, NCTC Terrorist Identities Records, NCTC 
Partnership Management Records, ONCIX Counterintelligence Damage 
Assessment Records, OIG Experts Contact Records, OIG Human Resources 
Records and OIG Investigation and Interview Records.

Regulatory Flexibility Act

    This proposed rule affects the manner in which ODNI collects and 
maintains information about individuals. ODNI certifies that this 
rulemaking will not have a significant economic impact on a substantial 
number of small entities. Accordingly, pursuant to the Regulatory 
Flexibility Act, 5 U.S.C. 601-612, no regulatory flexibility analysis 
is required for this rule.

Small Entity Inquiries

    The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 
1996 requires the ODNI to comply with small entity requests for 
information and advice about compliance with statutes and regulations 
within the ODNI jurisdiction. Any small entity that has a question 
regarding this document may address it to the information contact 
listed above. Further information regarding SBREFA is available on the 
Small Business Administration's Web page at http://www.sga.gov/advo/law/law_lib.html
.


Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires 
that the ODNI consider the impact of paperwork and other burdens 
imposed on the public associated with the collection of information. 
There are no information collection requirements associated with this 
proposed rule and therefore no analysis of burden is required.

Executive Order 12866, Regulatory Planning and Review

    This proposed rule is not a ``significant regulatory action'' 
within the meaning of Executive Order 12866. This rule will not have an 
annual effect on the economy of $100 million or more or otherwise 
adversely affect the economy or sector of the economy in a material 
way; will not create inconsistency with or interfere with other agency 
action; will not materially alter the budgetary impact of entitlements, 
grants, fees or loans or the right and obligations of recipients 
thereof; or raise legal or policy issues arising out of legal mandates, 
the President's priorities or the principles set forth in the Executive 
Order. Accordingly, further regulatory evaluation is not required.

Unfunded Mandates

    Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public 
Law 104-4, 109 Stat. 48 (Mar. 22, 1995), requires Federal agencies to 
assess the effects of certain regulatory actions on State, local, and 
tribal governments, and the private sector. This proposed rule imposes 
no Federal mandate on any State, local, or tribal government or on the 
private sector. Accordingly, no UMRA analysis of economic and 
regulatory alternatives is required.

Executive Order 13132, Federalism

    Executive Order 13132 requires ODNI to examine the implications for 
the distribution of power and responsibilities among the various levels 
of government resulting from this proposed rule. ODNI concludes that 
the proposed rule does not affect the rights, roles and 
responsibilities of the States, involves no preemption of State law and 
does not limit State policymaking discretion. This rule has no 
federalism implications as defined by the Executive Order.

Environmental Impact

    The ODNI has reviewed this action for purposes of the National 
Environmental Policy Act of 1969 (NEPA), 42 U.S.C. 4321-4347, and has 
determined that this action will not have a significant effect on the 
human environment.

Energy Impact

    The energy impact of this action has been assessed in accordance 
with the Energy Policy and Conservation Act (EPCA), Public Law 94-163, 
as amended, 42 U.S.C. 6362. This rulemaking is not a major regulatory 
action under the provisions of the EPCA.

List of Subjects in 32 CFR Part 1701

    Records and Privacy Act.
    For the reasons set forth in the preamble, ODNI proposes to add 
part 1701 as follows:

PART 1701--ADMINISTRATION OF RECORDS UNDER THE PRIVACY ACT OF 1974

Subpart A--Protection of Privacy and Access to Individual Records Under 
the Privacy Act of 1974
Sec.
1701.1 Purpose, scope, applicability.
1701.2 Definitions.
1701.3 Contact for general information and requests.
1701.4 Privacy Act responsibilities/policy.
1701.5 Collection and maintenance of records.
1701.6 Disclosure of records/policy.
1701.7 Requests for notification of and access to records.
1701.8 Requests to amend or correct records.
1701.9 Requests for an accounting of record disclosures.
1701.10 ODNI responsibility for responding to access requests.
1701.11 ODNI responsibility for responding to requests for amendment 
or correction.
1701.12 ODNI responsibility for responding to requests for 
accounting.
1701.13 Special procedures for medical/psychiatric/psychological 
testing records.
1701.14 Appeals.
1701.15 Fees.
1701.16 Contractors.
1701.17 Standards of conduct.
Subpart B--Exemption of Records Systems Under the Privacy Act
1701.20 Exemption policies.
1701.21 Exemption of National Counterterrorism Center (NCTC) systems 
of records.
1701.22 Exemption of Office of the National Counterintelligence 
Executive (ONCIX) systems of records.

[[Page 115]]

1701.23 Exemption of Office of Inspector General (OIG) systems of 
records.
Subpart C--Routine Uses Applicable to More Than One ODNI System of 
Records
1701.30 Policy and applicability.
1701.31 General routine uses.

    Authority: 50 U.S.C. 401-442; 5 U.S.C. 552a.

Subpart A--Protection of Privacy and Access to Individual Records 
Under the Privacy Act of 1974


Sec.  1701.1  Purpose, scope, applicability.

    (a) Purpose. This subpart establishes the policies and procedures 
the Office of the Director of National Intelligence (ODNI) will follow 
in implementing the requirements of the Privacy Act of 1974, 5 U.S.C. 
552a, as amended. This subpart sets forth the procedures ODNI must 
follow in collecting and maintaining personal information from or about 
individuals, as well as procedures by which individuals may request to 
access or amend records about themselves and request an accounting of 
disclosures of those records by the ODNI. In addition, this subpart 
details parameters for disclosing personally identifiable information 
to persons other than the subject of a record.
    (b) Scope. The provisions of this subpart apply to all records in 
systems of records maintained by ODNI directorates, centers, mission 
managers and other sub-organizations [hereinafter called 
``components''] that are retrieved by an individual's name or personal 
identifier.
    (c) Applicability. This subpart governs the following individuals 
and entities:
    (1) All ODNI staff and components must comply with this subpart. 
The terms ``staff'' and ``component'' are defined in Sec.  1701.2.
    (2) Unless specifically exempted, this subpart also applies to 
advisory committees and councils within the meaning of the Federal 
Advisory Committee Act (FACA) which provide advice to: any official or 
component of ODNI; or the President, and for which ODNI has been 
delegated responsibility for providing service.
    (d) Relation to Freedom of Information Act. The ODNI shall provide 
a subject individual under this subpart all records which are otherwise 
accessible to such individual under the provisions of the Freedom of 
Information Act, 5 U.S.C. 552.


Sec.  1701.2  Definitions

    For purposes of this subpart, the following terms have the meanings 
indicated:
    (a) Access means making a record available to a subject individual.
    (b) Act means the Privacy Act of 1974.
    (c) Agency means the ODNI or any of its components.
    (d) Component means any directorate, mission manager, or other sub-
organization in the ODNI or reporting to the Director, that has been 
designated or established in the ODNI pursuant to Section 103 of the 
National Security Act of 1947, as amended, including the National 
CounterterrorismCenter (NCTC), the National Counterproliferation Center 
(NCPC) and the Office of the National Counterintelligence Executive 
(ONCIX), or such other offices and officials as may be established by 
law or as the Director may establish or designate in the ODNI, for 
example, the Program Manager, Information Sharing Environment (ISE) and 
the Inspector General (IG).
    (e) Disclosure means making a record about an individual available 
to or releasing it to another party.
    (f) FOIA means the Freedom of Information Act.
    (g) Individual, when used in connection with the Privacy Act, means 
a living person who is a citizen of the United States or an alien 
lawfully admitted for permanent residence. It does not include sole 
proprietorships, partnerships, or corporations.
    (h) Information means information about an individual and includes, 
but is not limited to, vital statistics; race, sex, or other physical 
characteristics; earnings information; professional fees paid to an 
individual and other financial information; benefit data or claims 
information; the social security number, employer identification 
number, or other individual identifier; address; phone number; medical 
information; and information about marital, family or other personal 
relationships.
    (i) Maintain means to establish, collect, use, or disseminate when 
used in connection with the term record; and, to have control over or 
responsibility for a system of records, when used in connection with 
the term system of records.
    (j) Notification means communication to an individual whether he is 
a subject individual
    (k) Office of the Director of National Intelligence means any and 
all of the components of the ODNI.
    (l) Record means any item, collection, or grouping of information 
about an individual that is maintained by the ODNI including, but not 
limited to, information such as an individual's education, financial 
transactions, medical history, and criminal or employment history that 
contains the individual's name, or an identifying number, symbol, or 
any other identifier assigned to an individual. When used in this 
subpart, record means only a record that is in a system of records.
    (m) Routine use means the disclosure of a record outside ODNI, 
without the consent of the subject individual, for a purpose which is 
compatible with the purpose for which the record was collected. It does 
not include disclosure which the Privacy Act otherwise permits pursuant 
to subsection (b) of the Act.
    (n) Staff means any current or former regular or special employee, 
detailee, assignee, employee of a contracting organization, or 
independent contractor of the ODNI or any of its components.
    (o) Subject individual means the person to whom a record pertains 
(or ``record subject.'').
    (p) System of records means a group of records under ODNI's control 
from which information about an individual is retrieved by the name of 
the individual or by an identifying number, symbol, or other particular 
assigned to the individual. Single records or groups of records which 
are not retrieved by a personal identifier are not part of a system of 
records,


Sec.  1701.3  Contact for general information and requests.

    Privacy Act requests and appeals and inquiries regarding this 
subpart or about ODNI's Privacy Act program must be submitted in 
writing to the Director, Information Management Office (D/IMO), Office 
of the Director of National Intelligence, Washington, DC 20511 (by mail 
or by facsimile at 703-482-2144) or to the contact designated in the 
specific Privacy Act System of Records Notice. Privacy Act requests 
with the required identification statement and signature pursuant to 
paragraphs (d) and (e) of Sec.  1701.7 of this subpart must be filed in 
original form.


Sec.  1701.4  Privacy Act responsibilities/policy.

    The ODNI will administer records about individuals consisten t with 
statutory, administrative, and program responsibilities. Subject to 
exemptions authorized by the Act, ODNI will collect, maintain and 
disclose records as required and will honor subjects' rights to view 
and amend records and to obtain an accounting of disclosures.


Sec.  1701.5  Collection and maintenance of records.

    (a) ODNI will not maintain a record unless:
    (1) It is relevant and necessary to accomplish an ODNI function 
required by statute or Executive Order;

[[Page 116]]

    (2) It is acquired to the greatest extent practicable from the 
subject individual when ODNI may use the record to make any 
determination about the individual;
    (3) The individual providing the record is informed of the 
authority for providing the record (including whether providing the 
record is mandatory or voluntary), the principal purpose for 
maintaining the record, the routine uses for the record, and what 
effect refusing to provide the record may have;
    (4) It is maintained with such accuracy, relevance, timeliness and 
completeness as is reasonably necessary to ensure fairness to the 
individual in the determination;
    (b) Except as to disclosures made to an agency or made under the 
FOIA, ODNI will make reasonable efforts prior to disseminating a record 
about an individual, to ensure that the record is accurate, relevant, 
timely, and complete;
    (c) ODNI will not maintain or develop a system of records that is 
not the subject of a current or planned public notice;
    (d) ODNI will not adopt a routine use of information in a system 
without notice and invitation to comment published in the Federal 
Register at least 30 days prior to final adoption of the routine use;
    (e) To the extent ODNI participates with a non-Federal agency in 
matching activities covered by section (8) of the Act, ODNI will 
publish notice of the matching program in the Federal Register;
    (f) ODNI will not maintain a record which describes how an 
individual exercises rights guaranteed by the First Amendment unless 
expressly authorized by statute or by the subject individual, or unless 
pertinent to and within the scope of an authorized law enforcement 
activity;
    (g) When required by the Act, ODNI will maintain an accounting of 
all disclosures of records by the ODNI to persons, organizations or 
agencies;
    (h) Each ODNI component shall implement administrative, physical 
and technical controls to prevent unauthorized access to its systems of 
records, to prevent unauthorized disclosure of records, and to prevent 
physical damage to or destruction of records;
    (i) ODNI will establish rules and instructions for complying with 
the requirements of the Privacy Act, including notice of the penalties 
for non-compliance, applicable to all persons involved in the design, 
development, operation or maintenance of any system of records.


Sec.  1701.6  Disclosure of records/policy.

    Consistent with 5 U.S.C. 552a(b), ODNI will not disclose any record 
which is contained in a system of records by any means (written, oral 
or electronic) without the consent of the subject individual unless 
disclosure without consent is made for reasons permitted under 
applicable law, including:
    (a) Internal agency use on a need-to-know basis;
    (b) Release under the Freedom of Information Act (FOIA) if not 
subject to protection under the FOIA exemptions;
    (c) A specific ``routine use'' as described in the ODNI's published 
compilation of Blanket Routine Uses or in specific published Privacy 
Act Systems of Records Notices (available at http://www.dni.gov);

    (d) Release to the Bureau of the Census, the National Archives and 
Records Administration, or the Government Accountability Office, for 
the performance of those entities' statutory duties;
    (e) Release in non-identifiable form to a recipient who has 
provided written assurance that the record will be used solely for 
statistical research or reporting;
    (f) Compelling circumstances in which the health or safety of an 
individual is at risk;
    (g) Release pursuant to the order of a court of competent 
jurisdiction or to a governmental entity for a specifically documented 
civil or criminal law enforcement activity;
    (h) Release to either House of Congress or to any committee, 
subcommittee or joint committee thereof to the extent of matter within 
its jurisdiction;
    (i) Release to a consumer reporting agency in accordance with 
section 3711(e) of Title 31.


Sec.  1701.7  Requests for notification of and access to records.

    (a) How to request. Unless records are not subject to access (see 
paragraph (b) of this section), individuals seeking access to records 
about themselves may submit a request in writing to the D/IMO, as 
directed in Sec.  1701.3 of this subpart, or to the contact designated 
in the specific Privacy Act System of Records Notice. To ensure proper 
routing and tracking, requesters should mark the envelope ``Privacy Act 
Request.''
    (b) Records not subject to access. The following records are not 
subject to review by subject individuals:
    (1) Records in ODNI systems of records that ODNI has exempted from 
access and correction under the Privacy Act, 5 U.S.C. 552a(j) or (k), 
by notice published in the Federal Register, or where those exemptions 
require that ODNI can neither confirm nor deny the existence or 
nonexistence of responsive records (see Sec.  1701.10(c)(iii)).
    (2) Records in ODNI systems of records that another agency has 
exempted from access and correction under the Privacy Act, 5 U.S.C. 
552a(j) or (k), by notice published in the Federal Register, or where 
those exemptions require that ODNI can neither confirm nor deny the 
existence or nonexistence of responsive records (see Sec.  
1701.10(c)(iii)).
    (c) Description of records. Individuals requesting access to 
records about themselves should, to the extent possible, describe the 
nature of the records, why and under what circumstances the requester 
believes ODNI maintains the records, the time period in which they may 
have been compiled and, ideally, the name or identifying number of each 
Privacy Act System of Records in which they might be included. The ODNI 
publishes notices in the Federal Register that describe its systems of 
records. The Federal Register compiles these notices biennially and 
makes them available in hard copy at large reference libraries and in 
electronic form at the Government Printing Office's World Wide Web 
site, http://www.gpoaccess.gov.

    (d) Verification of identity. A written request for access to 
records about oneself must include full (legal) name, current address, 
date and place of birth, and citizenship status. Aliens lawfully 
admitted for permanent residence must provide their Alien Registration 
Number and the date that status was acquired. The D/IMO may request 
additional or clarifying information to ascertain identity. Access 
requests must be signed and the signature either notarized or submitted 
under 28 U.S.C. 1746, authorizing statements made under penalty of 
perjury as a substitute for notarization.
    (e) Verification of guardianship or representational relationship. 
The parent or guardian of a minor, the guardian of an individual under 
judicial disability, or an attorney retained to represent an individual 
shall provide, in addition to establishing the identity of the minor or 
individual represented as required in paragraph (d) of this section, 
evidence of such representation by submitting a certified copy of the 
minor's birth certificate, court order, or representational agreement 
which establishes the relationship and the requester's identity.

[[Page 117]]

    (f) ODNI will permit access to or provide copies of records to 
individuals other than the record subject (or the subject's legal 
representative) only with the requester's written authorization.


Sec.  1701.8  Requests to amend or correct records.

    (a) How to request. Unless the record is not subject to amendment 
or correction (see paragraph (b) of this section), individuals (or 
guardians or representatives acting on their behalf) may make a written 
amendment or correction request to the D/IMO, as directed in Sec.  
1701.3 of this subpart, or to the contact designated in a specific 
Privacy Act System of Records. Requesters seeking amendment or 
correction should identify the particular record or portion subject to 
the request, explain why an amendment or correction is necessary, and 
provide the desired replacement language. Requesters may submit 
documentation supporting the request to amend or correct. Requests for 
amendment or correction will lapse (but may be re-initiated with a new 
request) if all necessary information is not submitted within forty-
five (45) days of the date of the original request. The identity 
verification procedures of paragraphs (d) and (e) of Sec.  1701.7 of 
this subpart apply to amendment requests.
    (b) Records not subject to amendment or correction. (1) Records 
which are determinations of fact or evidence received (e.g., 
transcripts of testimony given under oath or written statements made 
under oath; transcripts of grand jury proceedings, judicial 
proceedings, or quasi-judicial proceedings, which are the official 
record of those proceedings; pre-sentence records that originated with 
the courts) and
    (2) Records in ODNI systems of records that ODNI or another agency 
has exempted from amendment and correction under Privacy Act, 5 U.S.C. 
552a(j) or (k) by notice published in the Federal Register.


Sec.  1701.9  Requests for an accounting of record disclosures.

    (a) How to request. Except where accountings of disclosures are not 
required to be kept (see paragraph (b) of this section), record 
subjects (or their guardians or representatives) may request an 
accounting of disclosures that have been made to another person, 
organization, or agency as permitted by the Privacy Act at 5 U.S.C. 
552a(b). This accounting contains the date, nature, and purpose of each 
disclosure, as well as the name and address of the person, 
organization, or agency to which the disclosure was made. Requests for 
accounting should identify each record in question and must be made in 
writing to the D/IMO, as indicated in Sec.  1701.3 of this subpart, or 
to the contact designated in a specific Privacy Act System of Records.
    (b) Accounting not required. The ODNI is not required to provide 
accounting of disclosure in the following circumstances:
    (1) Disclosures for which the Privacy Act does not require 
accounting, i.e., disclosures to employees within the agency and 
disclosures made under the FOIA;
    (2) Disclosures made to law enforcement agencies for authorized law 
enforcement activities in response to written requests from the 
respective head of the law enforcement agency specifying the law 
enforcement activities for which the disclosures are sought; or
    (3) Disclosures from systems of records that have been exempted 
from accounting requirements under the Privacy Act, 5 U.S.C. 552a(j) or 
(k), by notice published in the Federal Register.


Sec.  1701.10  ODNI responsibility for responding to access requests.

    (a) Acknowledgement of requests. Upon receipt of a request 
providing all necessary information, the D/IMO shall acknowledge 
receipt to the requester and provide an assigned request number for 
further reference.
    (b) Tasking to component. Upon receipt of a proper access request, 
the D/IMO shall provide a copy of the request to the point of contact 
(POC) in the ODNI component with which the records sought reside. The 
POC within the component shall determine whether responsive records 
exist and, if so, recommend to the D/IMO:
    (1) Whether access should be denied in whole or part (and the legal 
basis for denial under the Privacy Act); or
    (2) Whether coordination with or referral to another component or 
federal agency is appropriate.
    (c) Coordination and referrals--(1) Examination of records. If a 
component POC receiving a request for access determines that an 
originating agency or other agency that has a substantial interest in 
the record is best able to process the request (e.g., the record is 
governed by another agency's regulation, or another agency originally 
generated or classified the record), the POC shall forward to the D/IMO 
all records necessary for coordination with or referral to the other 
component or agency, as well as specific recommendations with respect 
to any denials.
    (2) Notice of referral. Whenever the D/IMO refers all or any part 
of the responsibility for responding to a request to another agency, 
the D/IMO shall notify the requester of the referral.
    (3) Effect of certain exemptions. (i) In processing a request, the 
ODNI shall decline to confirm or deny the existence or nonexistence of 
any responsive records whenever the fact of their existence or 
nonexistence:
    (A) May reveal protected intelligence sources and collection 
methods (50 U.S.C. 403-1(i)); or
    (B) Is classified and subject to an exemption appropriately invoked 
by ODNI or another agency under subsections (j) or (k) of the Privacy 
Act.
    (ii) In such event, the ODNI will inform the requester in writing 
and advise the requestor of the right to file an administrative appeal 
of any adverse determination.
    (d) Time for response. The D/IMO shall respond to a request for 
access promptly upon receipt of recommendations from the POC and 
determinations resulting from any necessary coordination with or 
referral to another agency. The D/IMO may determine to update a 
requester on the status of a request that remains outstanding longer 
than reasonably expected.
    (e) ODNI action on requests for access--(1) Grant of access. Once 
the D/IMO determines to grant a request for access in whole or in part, 
the D/IMO shall notify the requester in writing and come to agreement 
with the requester about how to effect access, whether by on-site 
review or duplication of the records. If a requester is accompanied by 
another person, the requester shall be required to authorize in writing 
any discussion of the records in the presence of the other person.
    (2) Denial of access. The D/IMO shall notify the requester in 
writing when an adverse determination is made denying a request for 
access in any respect. Adverse determinations, or denials, consist of a 
determination to withhold any requested record in whole or in part; a 
determination that a requested record does not exist or cannot be 
located; a determination that what has been requested is not a record 
subject to the Privacy Act; or a determination that the existence of a 
record can neither be confirmed nor denied. The notification letter 
shall state:
    (i) The reason(s) for the denial; and
    (ii) The procedure for appeal of the denial under Sec.  1701.14 of 
this subpart.

[[Page 118]]

Sec.  1701.11  ODNI responsibility for responding to requests for 
amendment or correction.

    (a) Acknowledgement of request. The D/IMO shall acknowledge receipt 
of a request for amendment or correction of records in writing and 
provide an assigned request number for further reference.
    (b) Tasking of component. Upon receipt of a proper request to amend 
or correct a record, the D/IMO shall forward the request to the POC in 
the component maintaining the record. The POC shall promptly evaluate 
the proposed amendment or correction in light of any supporting 
justification and recommend that the D/IMO grant or deny the request 
or, if the request involves a record subject to correction by an 
originating agency, refer the request to the other agency.
    (c) Action on request for amendment or correction. (1) If the POC 
determines that the request for amendment or correction is justified, 
in whole or in part, the D/IMO shall promptly:
    (i) Make the amendment, in whole or in part, as requested and 
provide the requester a written description of the amendment or 
correction made; and
    (ii) Provide written notice of the amendment or correction to all 
persons, organizations or agencies to which the record has been 
disclosed (if an accounting of the disclosure was made);
    (2) Where the D/IMO has referred an amendment request to another 
agency, the D/IMO, upon confirmation from that agency that the 
amendment has been effected, shall provide written notice of the 
amendment or correction to all persons, organizations or agencies to 
which ODNI previously disclosed the record.
    (3) If the POC determines that the requester's records are 
accurate, relevant, timely and complete, and that no basis exists for 
amending or correcting the record, either in whole or in part, the D/
IMO shall inform the requester in writing of:
    (i) The reason(s) for the denial; and
    (ii) The procedure for appeal of the denial under Sec.  1701.15 of 
this subpart.


Sec.  1701.12  ODNI responsibility for responding to requests for 
accounting.

    (a) Acknowledgement of request. Upon receipt of a request for 
accounting, the D/IMO shall acknowledge receipt of the request in 
writing and provide an assigned request number for further reference.
    (b) Tasking of component. Upon receipt of a request for accounting, 
the D/IMO shall forward the request to the POC in the component 
maintaining the record. The POC shall work with the component's 
information management officer and the systems administrator to 
generate the requested disclosure history.
    (c) Action on request for accounting. The D/IMO will notify the 
requester when the accounting is available for on-site review or 
transmission in paper or electronic medium.
    (d) Notice of court-ordered disclosures. The D/IMO shall make 
reasonable efforts to notify an individual whose record is disclosed 
pursuant to court order. Notice shall be made within a reasonable time 
after receipt of the order; however, when the order is not a matter of 
public record, the notice shall be made only after the order becomes 
public. Notice shall be sent to the individual's last known address and 
include a copy of the order and a description of the information 
disclosed. No notice shall be made regarding records disclosed from a 
criminal law enforcement system that has been exempted from the notice 
requirement.
    (e) Notice of emergency disclosures. ODNI shall notify an 
individual whose record it discloses under compelling circumstances 
affecting health or safety. This notice shall be mailed to the 
individual's last known address and shall state the nature of the 
information disclosed; the person, organization, or agency to which it 
was disclosed; the date of disclosure; and the compelling circumstances 
justifying the disclosure. This provision shall not apply in 
circumstances involving classified records that have been exempted from 
disclosure pursuant to subsection (j) or (k) of the Privacy Act.


Sec.  1701.13  Special procedures for medical/psychiatric/psychological 
records.

    Current and former ODNI employees, including current and former 
employees of ODNI contractors, and unsuccessful applicants for 
employment may seek access to their medical, psychiatric records, or 
psychological testing records by writing to: Information and Privacy 
Coordinator, Central Intelligence Agency, Washington, DC 20505, and 
provide identifying information as required by paragraphs (d) and (e) 
of Sec.  1701.7 of this subpart. The Central Intelligence Agency's 
Privacy Act Regulations will govern administration of these types of 
records, including appeals from adverse determinations.


Sec.  1701.14  Appeals.

    (a) Individuals may appeal denials of requests for access, 
amendment, or accounting by submitting a written request for review to 
the Director, Information Management Office (D/IMO) at the Office of 
the Director of National Intelligence, Washington, DC 20511. The words 
``PRIVACY ACT APPEAL'' should be written on the letter and the 
envelope. The appeal must be signed by the record subject or legal 
representative. No personal appearance or hearing on appeal will be 
allowed.
    (b) The D/IMO must receive the appeal letter within 45 calendar 
days of the date the requester received the notice of denial. The 
postmark is conclusive as to timeliness. Copies of correspondence from 
ODNI denying the request to access or amend the record should be 
included with the appeal, if possible. At a minimum, the appeal letter 
should identify:
    (1) The records involved;
    (2) The date of the initial request for access to or amendment of 
the record;
    (3) The date of ODNI's denial of that request; and
    (4) A statement of the reasons supporting the request for reversal 
of the initial decision. The statement should focus on information not 
previously available or legal arguments demonstrating that the ODNI's 
decision is improper.
    (c) Following receipt of the appeal, the Director of Intelligence 
Staff (DIS) shall, in consultation with the Office of General Counsel, 
make a final determination in writing on the appeal.
    (d) Where ODNI reverses an initial denial, the following procedures 
apply:
    (1) If ODNI reverses an initial denial of access, the procedures in 
paragraph (e)(1) of Sec.  1701.10 of this subpart will apply.
    (2) If ODNI reverses its initial denial of a request to amend a 
record, the POC will ensure that the record is corrected as requested, 
and the D/IMO will inform the individual of the correction, as well as 
all persons, organizations and agencies to which ODNI had disclosed the 
record.
    (3) If ODNI reverses its initial denial of a request for 
accounting, the POC will notify the requester when the accounting is 
available for on-site review or transmission in paper or electronic 
medium.
    (e) If ODNI upholds its initial denial or reverses in part (i.e., 
only partially granting the request), ODNI'S notice of final agency 
action will inform the requester of the following rights:
    (1) Judicial review of the denial under 5 U.S.C. 552a(g)(1), as 
limited by 5 U.S.C. 552a(g)(5).
    (2) Opportunity to file a statement of disagreement with the 
denial, citing the reasons for disagreeing with ODNI's final 
determination not to correct or amend a record. The requester's

[[Page 119]]

statement of disagreement should explain why he disputes the accuracy 
of the record.
    (3) Inclusion in one's record of copies of the statement of 
disagreement and the final denial, which ODNI will provide to all 
subsequent recipients of the disputed record, as well as to all 
previous recipients of the record where an accounting was made of prior 
disclosures of the record.


Sec.  1701.15  Fees.

    ODNI shall charge fees for duplication of records under the Privacy 
Act, 5 U.S.C. 552a, in the same way in which it will charge for 
duplication of records under Sec.  1700.7(g), ODNI's regulation 
implementing the fee provision of the Freedom of Information Act, 5 
U.S.C. 552.


Sec.  1701.16  Contractors.

    (a) Any approved contract for the operation of a Privacy Act system 
of records to accomplish a function of the ODNI will contain the 
Privacy Act provisions prescribed by the Federal Acquisition 
Regulations (FAR) at 48 CFR Part 24, requiring the contractor to comply 
with the Privacy Act and this subpart. The contracting component will 
be responsible for ensuring that the contractor complies with these 
contract requirements. This section does not apply to systems of 
records maintained by a contractor as a function of management 
discretion, e.g., the contractor's personnel records.
    (b) Where the contract contains a provision requiring the 
contractor to comply with the Privacy Act and this subpart, the 
contractor and any employee of the contractor will be considered 
employees of the ODNI for purposes of the criminal penalties of the 
Act, 5 U.S.C. 552a(i).


Sec.  1701.17  Standards of conduct.

    (a) General. ODNI will ensure that staff are aware of the 
provisions of the Privacy Act and of their responsibilities for 
protecting personal information that ODNI collects and maintains, 
consistent with Sec. Sec.  1701.5 and 1701.6 of this subpart.
    (b) Criminal penalties--(1) Unauthorized disclosure. Criminal 
penalties may be imposed against any ODNI staff who, by virtue of 
employment, has possession or access to ODNI records which contain 
information identifiable with an individual, the disclosure of which is 
prohibited by the Privacy Act or by these rules, and who, knowing that 
disclosure of the specific material is prohibited, willfully discloses 
the material in any manner to any person or agency not entitled to 
receive it.
    (2) Unauthorized maintenance. Criminal penalties may be imposed 
against any ODNI staff who willfully maintains a system of records 
without meeting the requirements of subsection (e)(4) of the Privacy 
Act, 5 U.S.C. 552a. The D/IMO, the Civil Liberties Protection Officer, 
the General Counsel, and the Inspector General are authorized 
independently to conduct such surveys and inspect such records as 
necessary from time to time to ensure that these requirements are met.
    (3) Unauthorized requests. Criminal penalties may be imposed upon 
any person who knowingly and willfully requests or obtains any record 
concerning an individual from the ODNI under false pretenses.

Subpart B--Exemption of Record Systems Under the Privacy Act


Sec.  1701.20  Exemption policies.

    (a) General. The DNI has determined that invoking exemptions under 
the Privacy Act and continuing exemptions previously asserted by 
agencies whose records ODNI receives is necessary: to ensure against 
the release of classified information essential to the national defense 
or foreign relations; to protect intelligence sources and methods; and 
to maintain the integrity and effectiveness of intelligence, 
investigative and law enforcement processes. Accordingly, as authorized 
by the Privacy Act, 5 U.S.C. 552a, subsections (j) and (k), and in 
accordance with the rule-making procedures of the Administrative 
Procedures Act, 5 U.S.C. 553, the ODNI hereby proposes rules to:
    (1) Exercise its authority pursuant to subsections (j) and (k) of 
the Privacy Act to exempt certain ODNI systems of records or portions 
of systems of records from various provisions of the Privacy Act; and
    (2) Continue in effect and assert all exemptions claimed under 
Privacy Act subsections (j) and (k) by an originating agency from which 
the ODNI obtains records where the purposes underlying the original 
exemption remain valid and necessary to protect the contents of the 
record.
    (b) Related policies. (1) The exemptions asserted apply to records 
only to the extent they meet the criteria of subsections (j) and (k) of 
the Privacy Act, whether claimed by the ODNI or the originator of the 
records.
    (2) Discretion to supersede exemption: Where complying with a 
request for access or amendment would not appear to interfere with or 
adversely affect a counterterrorism or law enforcement interest, and 
unless prohibited by law, the D/IMO may exercise his discretion to 
waive the exemption. Discretionary waiver of an exemption with respect 
to a record will not obligate the ODNI to waive the exemption with 
respect to any other record in an exempted system of records. As a 
condition of such discretionary access, ODNI may impose any 
restrictions (e.g., concerning the location of file reviews) deemed 
necessary or advisable to protect the security of agency operations, 
information, personnel, or facilities.
    (3) Records in ODNI systems also are subject to protection under 50 
U.S.C. 403-1(i), the provision of the National Security Act of 1947 
which requires the DNI to protect intelligence sources and methods from 
unauthorized disclosure.


Sec.  1701.21  Exemption of National Counterterrorism Center (NCTC) 
systems of records.

    (a) The ODNI exempts the following systems of records from the 
requirements of subsections (c)(3); (d)(1),(2),(3) and (4); (e)(1); 
(e)(4)(G),(H),(I); and (f) of the Privacy Act to the extent that 
information in the system is subject to exemption pursuant subsections 
(k)(1) and (k)(5) of the Act:
    (1) NCTC Human Resources Management System (ODNI/NCTC-001).
    (2) [Reserved]
    (b) Exemptions from the particular subsections are justified for 
the following reasons:
    (1) From subsection (c)(3) (accounting of disclosures) because an 
accounting of disclosures from records concerning the record subject 
would specifically reveal an investigative interest on the part of the 
ODNI or recipient agency and could result in release of properly 
classified national security or foreign policy information.
    (2) From subsections (d)(1), (2), (3) and (4) (record subject's 
right to access and amend records) because affording access and 
amendment rights could alert the record subject to the investigative 
interest of intelligence or law enforcement agencies or compromise 
sensitive information classified in the interest of national security. 
In the absence of a national security basis for exemption, records in 
this system may be exempted from access and amendment to the extent 
necessary to honor promises of confidentiality to persons providing 
information concerning a candidate for position. Inability to maintain 
such confidentiality would restrict the free flow of information vital 
to a

[[Page 120]]

determination of a candidate's qualifications and suitability.
    (3) From subsection (e)(1) (maintain only relevant and necessary 
records) because it is not always possible to establish relevance and 
necessity before all information is considered and evaluated in 
relation to an intelligence concern. In the absence of a national 
security basis for exemption under subsection (k)(1), records in this 
system may be exempted from the relevance requirement pursuant to 
subsection (k)(5) because it is not possible to determine in advance 
what exact information may assist in determining the qualifications and 
suitability of a candidate for position. Seemingly irrelevant details, 
when combined with other data, can provide a useful composite for 
determining whether a candidate should be appointed.
    (4) From subsections (e)(4)(G) and (H) (publication of procedures 
for notifying subjects of the existence of records about them and how 
they may access records and contest contents) because the system is 
exempted from subsection (d) provisions regarding access and amendment, 
and from the subsection (f) requirement to promulgate agency rules. 
Nevertheless, the ODNI has published notice concerning notification, 
access, and contest procedures because it may in certain circumstances 
determine it appropriate to provide subjects access to all or a portion 
of the records about them in a system of records.
    (5) From subsection (e)(4)(I) (identifying sources of records in 
the system of records) because identifying sources could result in 
disclosure of properly classified national defense or foreign policy 
information, intelligence sources and methods, and investigatory 
techniques and procedures. Notwithstanding its proposed exemption from 
this requirement, ODNI identifies record sources in broad categories 
sufficient to provide general notice of the origins of the information 
it maintains in its systems of records.
    (6) From subsection (f) (agency rules for notifying subjects to the 
existence of records about them, for accessing and amending records, 
and for assessing fees) because the system is exempt from subsection 
(d) provisions regarding access and amendment of records by record 
subjects. Nevertheless, the ODNI has published agency rules concerning 
notification of a subject in response to his request if any system of 
records named by the subject contains a record pertaining to him and 
procedures by which the subject may access or amend the records. 
Notwithstanding exemption, the ODNI may determine it appropriate to 
satisfy a record subject's access request.
    (c) The ODNI exempts the following systems of records from the 
requirements of subsections (c)(3); (d)(1), (2), (3) and (4); (e)(1); 
(e)(4)(G), (H), (I); and (f) of the Privacy Act to the extent that 
information in the system is subject to exemption pursuant subsection 
(k)(1) of the Act:
    (1) NCTC Access Authorization Records (ODNI/NCTC-002).
    (2) NCTC Telephone Directory (ODNI/NCTC-003).
    (3) NCTC Partnership Management Records (ODNI/NCTC-006).
    (4) NCTC Tacit Knowledge Management Records (ODNI/NCTC-007)
    (d) Exemptions from the particular subsections are justified for 
the following reasons:
    (1) From subsection (c)(3) (accounting of disclosures) because an 
accounting of disclosures from records concerning the record subject 
would specifically reveal an investigative interest on the part of the 
ODNI or recipient agency and could result in release of properly 
classified national security or foreign policy information.
    (2) From subsections (d)(1), (2), (3) and (4) (record subject's 
right to access and amend records) because affording access and 
amendment rights could alert the record subject to the investigative 
interest of intelligence or law enforcement agencies or compromise 
sensitive information classified in the interest of national security.
    (3) From subsection (e)(1) (maintain only relevant and necessary 
records) because it is not always possible to establish relevance and 
necessity before all information is considered and evaluated in 
relation to an intelligence concern.
    (4) From subsections (e)(4)(G) and (H) (publication of procedures 
for notifying subjects of the existence of records about them and how 
they may access records and contest contents) because the system is 
exempted from subsection (d) provisions regarding access and amendment 
and from the subsection (f) requirement to promulgate agency rules. 
Nevertheless, the ODNI has published notice concerning notification, 
access, and contest procedures because it may in certain circumstances 
determine it appropriate to provide subjects access to all or a portion 
of the records about them in a system of records.
    (5) From subsection (e)(4)(I) (identifying sources of records in 
the system of records) because identifying sources could result in 
disclosure of properly classified national defense or foreign policy 
information, intelligence sources and methods, and investigatory 
techniques and procedures. Notwithstanding its proposed exemption from 
this requirement, ODNI identifies record sources in broad categories 
sufficient to provide general notice of the origins of the information 
it maintains in its systems of records.
    (6) From subsection (f) (agency rules for notifying subjects to the 
existence of records about them, for accessing and amending records, 
and for assessing fees) because the system is exempt from subsection 
(d) provisions regarding access and amendment of records by record 
subjects. Nevertheless, the ODNI has published agency rules concerning 
notification of a subject in response to his request if any system of 
records named by the subject contains a record pertaining to him and 
procedures by which the subject may access or amend the records. 
Notwithstanding exemption, the ODNI may determine it appropriate to 
satisfy a record subject's access request.
    (e) The ODNI exempts the following systems of records from the 
requirements of subsections (c)(3); (d)(1), (2), (3), (4); (e)(1); 
(e)(4)(G), (H), (I); and (f) of the Privacy Act, to the extent that 
information in the system is subject to exemption pursuant to 
subsections (k)(1) and (k)(2) of the Act:
    (1) NCTC Knowledge Repository (SANCTUM) (ODNI/NCTC-004).
    (2) NCTC Online (ODNI/NCTC-005).
    (3) NCTC Terrorism Analysis Records (ODNI/NCTC-008).
    (4) NCTC Terrorist Identities Records (ODNI/NCTC-009).
    (f) Exemptions from the particular subsections are justified for 
the following reasons:
    (1) From subsection (c)(3) (accounting of disclosures) because an 
accounting of disclosures from records concerning the record subject 
would specifically reveal an investigative interest on the part of the 
ODNI as well as the recipient agency and could: result in release of 
properly classified national security or foreign policy information; 
compromise ongoing efforts to investigate a known or suspected 
terrorist; reveal sensitive investigative or surveillance techniques; 
or identify a confidential source. With this information, the record 
subject could frustrate counterintelligence measures; impede an 
investigation by destroying evidence or intimidating potential 
witnesses; endanger the physical safety of sources, witnesses, and law 
enforcement and intelligence personnel and their families; or evade 
apprehension or prosecution by law enforcement personnel.

[[Page 121]]

    (2) From subsections (d)(1), (2), (3) and (4) (record subject's 
right to access and amend records) because these provisions concern 
individual access to and amendment of counterterrorism, investigatory 
and intelligence records. Affording access and amendment rights could 
alert the record subject to the fact and nature of an investigation or 
the investigative interest of intelligence or law enforcement agencies; 
permit the subject to frustrate such investigation, surveillance or 
potential prosecution; compromise sensitive information classified in 
the interest of national security; identify a confidential source or 
disclose information which would reveal a sensitive investigative or 
intelligence technique; and endanger the health or safety of law 
enforcement personnel, confidential informants, and witnesses. In 
addition, affording subjects access and amendment rights would impose 
an impossible administrative burden to continuously reexamine 
investigations, analyses, and reports.
    (3) From subsection (e)(1) (maintain only relevant and necessary 
records) because it is not always possible for intelligence or law 
enforcement agencies to know in advance what information about an 
encounter with a known or suspected terrorist will be relevant for the 
purpose of conducting an operational response. Relevance and necessity 
are questions of judgment and timing, and only after information is 
evaluated can relevance and necessity be established. In addition, 
information in the system of records may relate to matters under the 
investigative jurisdiction of another agency, and may not readily be 
segregated. Furthermore, information in these systems of records, over 
time, aid in establishing patterns of criminal activity that can 
provide leads for other law enforcement agencies.
    (4) From subsections (e)(4)(G) and (H) (publication of procedures 
for notifying subjects of the existence of records about them and how 
they may access records and contest contents) because the system is 
exempted from subsection (d) provisions regarding access and amendment 
and from the subsection (f) requirement to promulgate agency rules. 
Nevertheless, the ODNI has published notice concerning notification, 
access, and contest procedures because it may in certain circumstances 
determine it appropriate to provide subjects access to all or a portion 
of the records about them in a system of records.
    (5) From subsection (e)(4)(I) (identifying sources of records in 
the system of records) because identifying sources could result in 
disclosure of properly classified national defense or foreign policy 
information. Additionally, exemption from this provision is necessary 
to protect the privacy and safety of witnesses and sources of 
information, including intelligence sources and methods and 
investigatory techniques and procedures. Notwithstanding its proposed 
exemption from this requirement, ODNI identifies record sources in 
broad categories sufficient to provide general notice of the origins of 
the information it maintains in its systems of records.
    (6) From subsection (f) (agency rules for notifying subjects to the 
existence of records about them, for accessing and amending records and 
for assessing fees) because the system is exempt from subsection (d) 
provisions regarding access and amendment of records by record 
subjects. Nevertheless, the ODNI has published agency rules concerning 
notification of a subject in response to his request if any system of 
records named by the subject contains a record pertaining to him and 
procedures by which the subject may access or amend the records. 
Notwithstanding exemption, the ODNI may determine it appropriate to 
satisfy a record subject's access request.


Sec.  1701.22  Exemption of Office of the National Counterintelligence 
Executive (ONCIX) system of records.

    (a) The ODNI exempts the following system of records from the 
requirements of subsections (c)(3); (d)(1), (2), (3), (4); (e)(1); (e) 
(4)(G), (H), (I); and (f) of the Privacy Act, to the extent that 
information in the system is subject to exemption pursuant to 
subsections (k)(1) and (k)(2) of the Act:
    (1) ONCIX Counterintelligence Damage Assessment Records (ODNI/
ONCIX-001).
    (2) [Reserved]
    (b) Exemptions from the particular subsections are justified for 
the following reasons:
    (1) From subsection (c)(3) (accounting of disclosures) because an 
accounting of disclosures from records concerning the record subject 
would specifically reveal an investigative interest on the part of the 
ODNI as well as the recipient agency and could: result in release of 
properly classified national security or foreign policy information; 
compromise ongoing efforts to investigate a known or suspected 
terrorist; reveal sensitive investigative or surveillance techniques; 
or identify a confidential source. With this information, the record 
subject could frustrate counterintelligence measures; impede an 
investigation by destroying evidence or intimidating potential 
witnesses; endanger the physical safety of sources, witnesses, and law 
enforcement and intelligence personnel and their families; or evade 
apprehension or prosecution by law enforcement personnel.
    (2) From subsections (d)(1), (2), (3) and (4) (record subject's 
right to access and amend records) because these provisions concern 
individual access to and amendment of counterterrorism, investigatory 
and intelligence records. Affording access and amendment rights could 
alert the record subject to the fact and nature of an investigation or 
the investigative interest of intelligence or law enforcement agencies; 
permit the subject to frustrate such investigation, surveillance or 
potential prosecution; compromise sensitive information classified in 
the interest of national security; identify a confidential source or 
disclose information which would reveal a sensitive investigative or 
intelligence technique; and endanger the health or safety of law 
enforcement personnel, confidential informants, and witnesses. In 
addition, affording subjects access and amendment rights would impose 
an impossible administrative burden to continuously reexamine 
investigations, analyses, and reports.
    (3) From subsection (e)(1) (maintain only relevant and necessary 
records) because it is not always possible to know in advance what 
information will be relevant to evaluate and mitigate damage to the 
national security. Relevance and necessity are questions of judgment 
and timing, and only after information is evaluated can relevance and 
necessity be established. In addition, information in the system of 
records may relate to matters under the investigative jurisdiction of 
another agency, and may not readily be segregated. Furthermore, 
information in these systems of records, over time, aid in establishing 
patterns of criminal activity that can provide leads for other law 
enforcement agencies.
    (4) From subsections (e)(4)(G) and (H) (publication of procedures 
for notifying subjects to the existence of records about them and how 
they may access records and contest contents) because the system is 
exempted from subsection (d) provisions regarding access and amendment 
and from the subsection (f) requirement to promulgate agency rules. 
Nevertheless, the ODNI has published notice concerning notification, 
access, and contest procedures because it may in certain circumstances 
determine it appropriate to provide subjects access to all or a portion 
of the records about them in a system of records.
    (5) From subsection (e)(4)(I) (identifying sources of records in 
the

[[Page 122]]

system of records) because identifying sources could result in 
disclosure of properly classified national defense or foreign policy 
information. Additionally, exemption from this provision is necessary 
to protect the privacy and safety of witnesses and sources of 
information, including intelligence sources and methods and 
investigatory techniques and procedures. Notwithstanding its proposed 
exemption from this requirement, ODNI identifies record sources in 
broad categories sufficient to provide general notice of the origins of 
the information it maintains in its systems of records.
    (6) From subsection (f) (agency rules for notifying subjects to the 
existence of records about them, for accessing and amending records and 
for assessing fees) because the system is exempt from subsection (d) 
provisions regarding access and amendment of records by record 
subjects. Nevertheless, the ODNI has published agency rules concerning 
notification of a subject in response to his request if any system of 
records named by the subject contains a record pertaining to him and 
procedures by which the subject may access or amend the records. 
Notwithstanding exemption, the ODNI may determine it appropriate to 
satisfy a record subject's access request.


Sec.  1701.23  Exemption of Office of Inspector General (OIG) systems 
of records.

    (a) The ODNI exempts the following systems of records from the 
requirements of subsections (c)(3); (d)(1),(2),(3) and (4); (e)(1); 
(e)(4)(G),(H),(I); and (f) of the Privacy Act to the extent that 
information in the system is subject to exemption pursuant subsections 
(k)(1) and (k)(5) of the Act:
    (1) OIG Human Resources Records (ODNI/OIG-001).
    (2) OIG Experts Contact Records (ODNI/OIG-002).
    (b) Exemptions from the particular subsections are justified for 
the following reasons:
    (1) From subsection (c)(3) (accounting of disclosures) because an 
accounting of disclosures from records concerning the record subject 
would specifically reveal an investigative interest on the part of the 
ODNI or recipient agency and could result in release of properly 
classified national security or foreign policy information.
    (2) From subsections (d)(1), (2), (3) and (4) (record subject's 
right to access and amend records) because affording access and 
amendment rights could alert the record subject to the investigative 
interest of intelligence or law enforcement agencies or compromise 
sensitive information classified in the interest of national security. 
In the absence of a national security basis for exemption under 
subsection (k)(1), records in this system may be exempted from access 
and amendment pursuant to subsection (k)(5) to the extent necessary to 
honor promises of confidentiality to persons providing information 
concerning a candidate for position. Inability to maintain such 
confidentiality would restrict the free flow of information vital to a 
determination of a candidate's qualifications and suitability.
    (3) From subsection (e)(1) (maintain only relevant and necessary 
records) because it is not always possible to establish relevance and 
necessity before all information is considered and evaluated in 
relation to an intelligence concern. In the absence of a national 
security basis for exemption under subsection (k)(1), records in this 
system may be exempted from the relevance requirement pursuant to 
subsection (k)(5) because it is not always possible to determine in 
advance what exact information may assist in determining the 
qualifications and suitability of a candidate for position. Seemingly 
irrelevant details, when combined with other data, can provide a useful 
composite for determining whether a candidate should be appointed.
    (4) From subsections (e)(4)(G) and (H) (publication of procedures 
for notifying subjects of the existence of records about them and how 
they may access records and contest contents) because the system is 
exempted from subsection (d) provisions regarding access and amendment 
and from the subsection (f) requirement to promulgate agency rules. 
Nevertheless, the ODNI has published such a notice concerning 
notification, access, and contest procedures because it may in certain 
circumstances determine it appropriate to provide subjects access to 
all or a portion of the records about them in a system of records.
    (5) From subsection (e)(4)(I)(identifying sources of records in the 
system of records) because identifying sources could result in 
disclosure of properly classified national defense or foreign policy 
information, intelligence sources and methods and investigatory 
techniques and procedures. Notwithstanding its proposed exemption from 
this requirement, ODNI identifies record sources in broad categories 
sufficient to provide general notice of the origins of the information 
it maintains in its systems of records.
    (6) From subsection (f) (agency rules for notifying subjects to the 
existence of records about them, for accessing and amending records and 
for assessing fees) because the system is exempt from subsection (d) 
provisions regarding access and amendment of records by record 
subjects. Nevertheless, the ODNI has published agency rules concerning 
notification of a subject in response to his request if any system of 
records named by the subject contains a record pertaining to him and 
procedures by which the subject may access or amend the records. 
Notwithstanding exemption, the ODNI may determine it appropriate to 
satisfy a record subject's access request.
    (c) The ODNI exempts the following system of records from the 
requirements of subsections (c)(3) and (4); (d)(1),(2),(3),(4); 
(e)(1),(2),(3),(5),(8) and (12); and (g) of the Privacy Act, to the 
extent that information in the system is subject to exemption pursuant 
to subsection (j)(2) of the Act. In addition, the following system of 
records is exempted from the requirements of subsections (c)(3); 
(d)(1),(2),(3)and (4); (e)(1); (e)(4)(G),(H)and (I); and (f) of the 
Privacy Act, to the extent that information in the system is subject to 
exemption pursuant to subsections (k)(1) and (k)(2) of the Act.
    (1) OIG Investigation and Interview Records (ODNI/OIG-003).
    (2) [Reserved]
    (d) Exemptions from the particular subsections are justified for 
the following reasons:
    (1) From subsection (c)(3) (accounting of disclosures) because an 
accounting of disclosures from records concerning the record subject 
would specifically reveal an investigative interest on the part of the 
ODNI as well as the recipient agency and could: result in release of 
properly classified national security or foreign policy information; 
compromise ongoing efforts to investigate a known or suspected 
terrorist; reveal sensitive investigative or surveillance techniques; 
or identify a confidential source. With this information, the record 
subject could frustrate counterintelligence measures; impede an 
investigation by destroying evidence or intimidating potential 
witnesses; endanger the physical safety of sources, witnesses, and law 
enforcement and intelligence personnel and their families; or evade 
apprehension or prosecution by law enforcement personnel.
    (2) From subsection (c)(4) (notice of amendment to record 
recipients) because the system is exempted from the access and 
amendment provisions of subsection (d).
    (3) From subsections (d)(1), (2), (3) and (4) (record subject's 
right to access and amend records) because these

[[Page 123]]

provisions concern individual access to and amendment of 
counterterrorism, investigatory and intelligence records. Affording 
access and amendment rights could alert the record subject to the fact 
and nature of an investigation or the investigative interest of 
intelligence or law enforcement agencies; permit the subject to 
frustrate such investigation, surveillance or potential prosecution; 
compromise sensitive information classified in the interest of national 
security; identify a confidential source or disclose information which 
would reveal a sensitive investigative or intelligence technique; and 
endanger the health or safety of law enforcement personnel, 
confidential informants, and witnesses. In addition, affording subjects 
access and amendment rights would impose an impossible administrative 
burden to continuously reexamine investigations, analyses, and reports.
    (4) From subsection (e)(1) (maintain only relevant and necessary 
records) because it is not always possible to know in advance what 
information will be relevant for the purpose of conducting an 
investigation. Relevance and necessity are questions of judgment and 
timing, and only after information is evaluated can relevance and 
necessity be established. In addition, information in the system of 
records may relate to matters under the investigative jurisdiction of 
another agency, and may not readily be segregated. Furthermore, 
information in these systems of records, over time, aid in establishing 
patterns of criminal activity that can provide leads for other law 
enforcement agencies.
    (5) From subsection (e)(2) (collection directly from the 
individual) because application of this provision would alert the 
subject of a counterterrorism investigation, study or analysis to that 
fact, permitting the subject to frustrate or impede the activity. 
Counterterrorism investigations necessarily rely on information 
obtained from third parties rather than information furnished by 
subjects themselves.
    (6) From subsection (e)(3) (provide Privacy Act Statement to 
subjects furnishing information) because the system is exempted from 
the (e)(2) requirement to collect information directly from the 
subject.
    (7) From subsections (e)(4)(G) and (H) (publication of procedures 
for notifying subjects of the existence of records about them and how 
they may access records and contest contents) because the system is 
exempted from subsection (d) provisions regarding access and amendment 
and from the subsection (f) requirement to promulgate agency rules. 
Nevertheless, the ODNI has published notice concerning notification, 
access, and contest procedures because it may in certain circumstances 
determine it appropriate to provide subjects access to all or a portion 
of the records about them in a system of records.
    (8) From subsection (e)(4)(I) (identifying sources of records in 
the system of records) because identifying sources could result in 
disclosure of properly classified national defense or foreign policy 
information. Additionally, exemption from this provision is necessary 
to protect the privacy and safety of witnesses and sources of 
information, including intelligence sources and methods and 
investigatory techniques and procedures. Notwithstanding its proposed 
exemption from this requirement, ODNI identifies record sources in 
broad categories sufficient to provide general notice of the origins of 
the information it maintains in its systems of records.
    (9) From subsection (e)(5) (maintain timely, accurate, complete and 
up-to-date records) because many of the records in the system are 
derived from other domestic and foreign agency record systems over 
which ODNI exercises no control. In addition, in collecting information 
for counterterrorism, intelligence, and law enforcement purposes, it is 
not possible to determine in advance what information is accurate, 
relevant, timely, and complete. With the passage of time and the 
development of additional facts and circumstances, seemingly irrelevant 
or dated information may acquire significance. The restrictions imposed 
by (e)(5) would limit the ability of intelligence analysts to exercise 
judgment in conducting investigations and impede development of 
intelligence necessary for effective counterterrorism and law 
enforcement efforts.
    (10) From subsection (e)(8) (notice of compelled disclosures) 
because requiring individual notice of legally compelled disclosure 
poses an impossible administrative burden and could alert subjects of 
counterterrorism, law enforcement, or intelligence investigations to 
the previously unknown fact of those investigations.
    (11) From subsection (e)(12) (public notice of matching activity) 
because, to the extent such activities are not otherwise excluded from 
the matching requirements of the Privacy Act, publishing advance notice 
in the Federal Register would frustrate the ability of intelligence 
analysts to act quickly in furtherance of analytical efforts.
    (12) From subsection (f) (agency rules for notifying subjects to 
the existence of records about them, for accessing and amending records 
and for assessing fees) because the system is exempt from the 
subsection (d) provisions regarding access and amendment of records by 
record subjects. Nevertheless, the ODNI has published agency rules 
concerning notification of a subject in response to his request if any 
system of records named by the subject contains a record pertaining to 
him and procedures by which the subject may access or amend the 
records. Notwithstanding exemption, the ODNI may determine it 
appropriate to satisfy a record subject's access request.
    (13) From subsection (g) (civil remedies) to the extent that the 
civil remedies relate to provisions of 5 U.S.C. 552a from which this 
rule exempts the system.

Subpart C--Routine Uses Applicable to More Than One ODNI System of 
Records


Sec.  1701.30  Policy and applicability.

    (a) ODNI proposes the following general routine uses to foster 
simplicity and economy and to avoid redundancy or error by duplication 
in multiple ODNI systems of records and in systems of records 
established hereafter by ODNI or by one of its components.
    (b) These general routine uses may apply to every Privacy Act 
system of records maintained by ODNI and its components, unless 
specifically stated otherwise in the System of Records Notice for a 
particular system. Additional general routine uses may be identified as 
notices of systems of records are published.
    (c) Routine uses specific to a particular System of Records are 
identified in the System of Records Notice for that system.


Sec.  1701.31  General routine uses.

    (a) Except as noted on Standard Forms 85 and 86 and supplemental 
forms thereto (questionnaires for employment in, respectively, ``non-
sensitive'' and ``national security'' positions within the Federal 
government), a record that on its face or in conjunction with other 
information indicates or relates to a violation or potential violation 
of law, whether civil, criminal, administrative or regulatory in 
nature, and whether arising by general statute, particular program 
statute, regulation, rule or order issued pursuant thereto, may be 
disclosed as a routine use to an appropriate federal, state, 
territorial, tribal, local law enforcement authority, foreign 
government or international law enforcement authority, or to an 
appropriate regulatory body

[[Page 124]]

charged with investigating, enforcing, or prosecuting such violations.
    (b) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use, subject to appropriate protections for 
further disclosure, in the course of presenting information or evidence 
to a magistrate, special master, administrative law judge, or to the 
presiding official of an administrative board, panel or other 
administrative body.
    (c) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to representatives of the Department of 
Justice or any other entity responsible for representing the interests 
of the ODNI in connection with potential or actual civil, criminal, 
administrative, judicial or legislative proceedings or hearings, for 
the purpose of representing or providing advice to: the ODNI; any staff 
of the ODNI in his or her official capacity; any staff of the ODNI in 
his or her individual capacity where the staff has submitted a request 
for representation by the United States or for reimbursement of 
expenses associated with retaining counsel; or the United States or 
another Federal agency, when the United States or the agency is a party 
to such proceeding and the record is relevant and necessary to such 
proceeding.
    (d) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use in a proceeding before a court or 
adjudicative body when any of the following is a party to litigation or 
has an interest in such litigation, and the ODNI, Office of General 
Counsel, determines that use of such records is relevant and necessary 
to the litigation: the ODNI; any staff of the ODNI in his or her 
official capacity; any staff of the ODNI in his or her individual 
capacity where the Department of Justice has agreed to represent the 
staff or has agreed to provide counsel at government expense; or the 
United States or another Federal agency, where the ODNI, Office of 
General Counsel, determines that litigation is likely to affect the 
ODNI.
    (e) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to representatives of the Department of 
Justice and other U.S. Government entities, to the extent necessary to 
obtain advice on any matter within the official responsibilities of 
such representatives and the responsibilities of the ODNI.
    (f) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to a Federal, state or local agency or other 
appropriate entities or individuals from which/whom information may be 
sought relevant to: a decision concerning the hiring or retention of an 
employee or other personnel action; the issuing or retention of a 
security clearance or special access, contract, grant, license, or 
other benefit; or the conduct of an authorized investigation or 
inquiry, to the extent necessary to identify the individual, inform the 
source of the nature and purpose of the inquiry, and identify the type 
of information requested.
    (g) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to any Federal, state, local, tribal or 
other public authority, or to a legitimate agency of a foreign 
government or international authority to the extent the record is 
relevant and necessary to the other entity's decision regarding the 
hiring or retention of an employee or other personnel action; the 
issuing or retention of a security clearance or special access, 
contract, grant, license, or other benefit; or the conduct of an 
authorized inquiry or investigation.
    (h) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to a Member of Congress or Congressional 
staffer in response to an inquiry from that Member of Congress or 
Congressional staffer made at the written request of the individual who 
is the subject of the record.
    (i) A record from a system of records maintained by the ODNI may be 
disclosed to the Office of Management and Budget in connection with the 
review of private relief legislation, as set forth in Office of 
Management and Budget Circular No. A-19, at any stage of the 
legislative coordination and clearance process as set forth in the 
Circular.
    (j) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to any agency, organization, or individual 
for authorized audit operations, and for meeting related reporting 
requirements, including disclosure to the National Archives and Records 
Administration for records management inspections and such other 
purposes conducted under the authority of 44 U.S.C. 2904 and 2906, or 
successor provisions.
    (k) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to individual members or staff of 
Congressional intelligence oversight committees in connection with the 
exercise of the committees' oversight and legislative functions.
    (l) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use pursuant to Executive Order to the 
President's Foreign Intelligence Advisory Board, the President's 
Intelligence Oversight Board, to any successor organizations, and to 
any intelligence oversight entity established by the President, when 
the Office of the General Counsel or the Office of the Inspector 
General determines that disclosure will assist such entities in 
performing their oversight functions and that such disclosure is 
otherwise lawful.
    (m) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to contractors, grantees, experts, 
consultants, or others when access to the record is necessary to 
perform the function or service for which they have been engaged by the 
ODNI.
    (n) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to a former staff of the ODNI for the 
purposes of responding to an official inquiry by a Federal, state, or 
local government entity or professional licensing authority or 
facilitating communications with a former staff of the ODNI that may be 
necessary for personnel-related or other official purposes when the 
ODNI requires information or consultation assistance, or both, from the 
former staff regarding a matter within that person's former area of 
responsibility.
    (o) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to legitimate foreign, international or 
multinational security, investigatory, law enforcement or 
administrative authorities in order to comply with requirements imposed 
by, or to claim rights conferred in, formal agreements and arrangements 
to include those regulating the stationing and status in foreign 
countries of Department of Defense military and civilian personnel.
    (p) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to any Federal agency when documents or 
other information obtained from that agency are used in compiling the 
record and the record is relevant to the official responsibilities of 
that agency, provided that disclosure of the recompiled or enhanced 
record to the source agency is otherwise authorized and lawful.
    (q) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to appropriate agencies, entities, and 
persons when: The security or confidentiality of information in the 
system of records has or may have been compromised; and the

[[Page 125]]

compromise may result in economic or material harm to individuals 
(e.g., identity theft or fraud), or harm to the security or integrity 
of the affected information or information technology systems or 
programs (whether or not belonging to the ODNI) that rely upon the 
compromised information; and disclosure is necessary to enable ODNI to 
address the cause(s) of the compromise and to prevent, minimize, or 
remedy potential harm resulting from the compromise.
    (r) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to a Federal, state, local, tribal, 
territorial, foreign, or multinational agency or entity or to any other 
appropriate entity or individual for any of the following purposes: to 
provide notification of a serious terrorist threat for the purpose of 
guarding against or responding to such threat; to assist in 
coordination of terrorist threat awareness, assessment, analysis, or 
response; or to assist the recipient in performing authorized 
responsibilities relating to terrorism or counterterrorism.
    (s) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use for the purpose of conducting or supporting 
authorized counterintelligence activities as defined by section 401a(3) 
of the National Security Act of 1947, as amended, to elements of the 
Intelligence Community, as defined by section 401a(4) of the National 
Security Act of 1947, as amended; to the head of any Federal agency or 
department; to selected counterintelligence officers within the Federal 
government.
    (t) A record from a system of records maintained by the ODNI may be 
disclosed as a routine use to a Federal, state, local, tribal, 
territorial, foreign, or multinational government agency or entity, or 
to other authorized entities or individuals, but only if such 
disclosure is undertaken in furtherance of responsibilities conferred 
by, and in a manner consistent with, the National Security Act of 1947, 
as amended; the Counterintelligence Enhancement Act of 2002, as 
amended; Executive Order 12333 or any successor order together with its 
implementing procedures approved by the Attorney General; and other 
provisions of law, Executive Order or directive relating to national 
intelligence or otherwise applicable to the ODNI. This routine use is 
not intended to supplant the other routine uses published by the ODNI.

    Dated: December 8, 2007.
Ronald L. Burgess, Jr.,
Lieutenant General, USA, Director of the Intelligence Staff.
 [FR Doc. E7-25331 Filed 12-31-07; 8:45 am]

BILLING CODE 3910-A7-P