Privacy Act of 1974; System of Records

AGENCY:

Federal Trade Commission (FTC).

ACTION:

Notice of modified systems of records; correction.

SUMMARY:

The FTC is making non-substantive technical corrections to Appendix I, which lists the authorized disclosures and routine uses applicable to all FTC Privacy Act systems of records. This action makes the notices for these systems of records clearer, more accurate, and up-to-date.

DATES:

This modified systems of records shall become final and effective on November 6, 2018.

FOR FURTHER INFORMATION CONTACT:

G. Richard Gold and Alex Tang, Attorneys (202-326-2424), Office of the General Counsel, FTC, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

To inform the public, the FTC publishes in the Federal Register and posts on its website a “system of records notice” (SORN) for each system of records that the FTC currently maintains within the meaning of the Privacy Act of 1974, as amended, 5 U.S.C. 552a (“Privacy Act” or “Act”). See https://www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems. The Privacy Act protects records about individuals in systems of records collected and maintained by Federal agencies. (A system is not a “system of records” under the Act unless the agency maintains and retrieves records in the system by the relevant individual's name or other personally assigned identifier.) Each Federal agency, including the FTC, must publish a SORN that describes the records maintained in each of its Privacy Act systems, including the categories of individuals that the records in the system are about, where and how the agency maintains these records, and how individuals can find out whether an agency system contains any records about them or request access to such records, if any. The FTC, for example, maintains 40 systems of records under the Act. Some of these systems contain records about the FTC's own employees, such as personnel and payroll files, while other FTC systems contain records about members of the public, such as public comments, consumer complaints, or phone numbers submitted to the FTC's Do Not Call Registry.

The FTC's SORNs discussed in this notice apply only to the FTC's own Privacy Act record systems. They do not cover Privacy Act records that other Federal agencies may collect and maintain in their own systems. Likewise, the FTC's SORNs and the Privacy Act of 1974 do not cover records that private businesses or other non-FTC entities may collect about individuals, which may be covered by other privacy laws.

On June 12, 2008, the FTC republished and updated all of its SORNs, describing all of the agency's systems of records covered by the Privacy Act in a single document for ease of use and reference. 73 FR 33592. To ensure the SORNs remain accurate, FTC staff reviews each SORN on a periodic basis. As a result of this systematic review, the FTC made revisions to several of its SORNs on April 17, 2009 (74 FR 17863), August 27, 2010 (75 FR 52749), February 23, 2015 (80 FR 9460), and November 2, 2017 (82 FR 50871).

Based on a periodic review of its SORNs, the FTC is publishing two technical non-substantive revisions to Appendix I, which lists the routine uses that apply to all FTC SORNs. First, the FTC is updating the number of routine uses stated in the Appendix from “(23)” to “(24).” This conforming amendment was inadvertently omitted when the FTC, following Office of Management and Budget guidance, added a new routine use to this Appendix, relating to data breach notification, earlier this year. See 83 FR 39095 (Aug. 8, 2018). Second, the FTC is removing the current reference in the Appendix to the “General Accounting Office” and, in its place, adding that agency's current name, the “Government Accountability Office” (GAO). This correction reflects the change in GAO's legal name made by Congress several years ago, Public Law 108-271, 118 Stat. 811 (2004). In the same legislation, Congress made a conforming amendment to the Privacy Act of 1974 to authorize disclosures of Privacy Act records to the “Government Accountability Office.” See 5 U.S.C. 552a(b)(10).

The FTC is not substantively adding or amending any routine uses of its Privacy Act system records. The corrections to Appendix I described above are purely technical, and do not in any way modify the legal intent, operation, or effect of the routine uses set forth in that Appendix. Accordingly, the FTC is not required to provide prior public comment or notice to OMB or Congress for these technical amendments, which are final upon publication. See U.S.C. 552a(e)(11) and 552a(r); OMB Circular A-108, supra.

The FTC is reprinting the entire text of Appendix I for the public's benefit and convenience, to read as follows:

Appendix I

Authorized Disclosures and Routine Uses Applicable to All FTC Privacy Act Systems of Records

The Privacy Act allows the FTC to disclose its Privacy Act records in the following ways:

(1) Within the FTC, to FTC officers and employees who need the record to perform their duties;

(2) In response to a request for public disclosure under the Freedom of Information Act (FOIA);

(3) For any “routine use” compatible with the purpose for which the record was collected, as set forth in each system of records notice and in paragraphs (13)-(24) of this Appendix below;

(4) To the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity under title 13 of the United States Code;

(5) To a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable;

(6) To the National Archives and Records Administration as a record having sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value;

(7) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought;

(8) To a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual;

(9) To either House of Congress, or, to the extent of a matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee;

(10) to the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the Government Accountability Office;

(11) Under an order of a court of competent jurisdiction; and

(12) To a consumer reporting agency, when trying to collect a claim of the Government, in accordance with 31 U.S.C. 3711(e).

In addition, in accordance with paragraph (3) above, the “routine uses” set forth in paragraphs (13) through (24) below shall apply to all records in all FTC Privacy Act systems of records. Specifically, such records:

(13) Where appropriately incorporated into the records maintained in FTC-II-6 (Discrimination Complaint System-FTC), may be disclosed under the routine uses published for that system;

(14) May be disclosed to the National Archives and Records Administration for records management inspections conducted under authority of 44 U.S.C. 2904 and 2906;

(15) May be disclosed to other agencies, offices, establishments, and authorities, whether federal, state, local, foreign, or self-regulatory (including, but not limited to organizations such as professional associations or licensing boards), authorized or with the responsibility to investigate, litigate, prosecute, enforce, or implement a statute, rule, regulation, or order, where the record or information by itself or in connection with other records or information:

(a) Indicates a violation or potential violation of law, whether criminal, civil, administrative, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, or

(b) Indicates a violation or potential violation of a professional, licensing, or similar regulation, rule, or order, or otherwise reflects on the qualifications or fitness of an individual who is licensed or seeking to be licensed;

(16) May be disclosed to any source, private or governmental, to the extent necessary to secure from such source information relevant to and sought in furtherance of a legitimate investigation or audit;

(17) May be disclosed to any authorized agency component of the Federal Trade Commission, Department of Justice, or other law enforcement authorities, and for disclosure by such parties:

(a) To the extent relevant and necessary in connection with litigation in proceedings before a court or other adjudicative body, where (i) the United States is a party to or has an interest in the litigation, including where the agency, or an agency component, or an agency official or employee in his or her official capacity, or an individual agency official or employee whom the Department of Justice has agreed to represent, is or may likely become a party, and (ii) the litigation is likely to affect the agency or any component thereof; or

(b) To obtain advice, including advice concerning the accessibility of a record or information under the Privacy Act or the Freedom of Information Act;

(18) May be disclosed to a congressional office in response to an inquiry from that office made at the written request of the subject individual, but only to the extent that the record would be legally accessible to that individual;

(19) May be disclosed to debt collection contractors for the purpose of collecting debts owed to the government, as authorized under the Debt Collection Act of 1982, 31 U.S.C. 3718, and subject to applicable Privacy Act safeguards;

(20) May be disclosed to a grand jury agent pursuant either to a federal or state grand jury subpoena, or to a prosecution request that such record be released for the purpose of its introduction to a grand jury, where the subpoena or request has been specifically approved by a court;

(21) May be disclosed to the Office of Management and Budget (OMB) for the purpose of obtaining advice regarding agency obligations under the Privacy Act, or in connection with the review of private relief legislation pursuant to OMB Circular A-19;

(22) To appropriate agencies, entities, and persons when (a) the FTC suspects or has confirmed that there has been a breach of the system of records; (b) the FTC has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the FTC (including its information systems, programs, and operations), the Federal Government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FTC's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

(23) To another Federal agency or Federal entity, when the FTC determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

(24) May be disclosed to FTC contractors, volunteers, interns or other authorized individuals who have a need for the record in order to perform their officially assigned or designated duties for or on behalf of the FTC.

The routine uses contained in this Appendix are in addition to any routine uses contained in the system of records notice (SORN) for each FTC Privacy Act records system. Some of the authorized disclosures and routine uses may overlap with one another. The FTC will treat a routine use as valid and still in effect, even if an overlapping routine use or disclosure is partly or fully invalidated or repealed.