Jump to main content.

Chapter 1. Policy and Responsibilities

  1. PURPOSE. This Manual establishes policy and procedures for protecting the privacy of individuals who are identified in the Environmental Protection Agency's information systems and informs Agency employees and officials of their rights and responsibilities under the Privacy Act (5 U.S.C. 552a). It supplements the EPA regulations in Part 16, Title 40, Code of Federal Regulations (CFR).

  2. POLICY. The Agency will safeguard personal privacy in its collection, maintenance, use, and dissemination of information about individuals and make such information available to the individual in accordance with the requirements of the Privacy Act.

  3. SCOPE. This Manual applies to any records under the control of the Agency from which information on a subject individual is retrieved by a personal identifier assigned to the individual. The identifier may be the name of the individual, a number, a symbol, or any other specific retriever assigned to such individual. This Manual applies to such records maintained by the Agency in-house or maintained by a contractor or grantee on behalf of the Agency to accomplish an Agency function.

  4. DEFINITIONS. Definitions applicable to this Manual are located at Figure 1-1, Definitions Applicable to the Privacy Act.

  5. LEGAL AUTHORITY AND ADMINISTRATIVE GUIDELINES. The provisions of this Manual are based on these authorities:

    1. The Privacy Act of 1974, 5 U.S.C. 552a, as amended.

    2. OMB Circular No. A-108 (as amended), Responsibilities for the Maintenance of Records About Individuals by Federal Agencies.

    3. OMB's Privacy Act Implementing Guidelines published at 40 Federal Register 28948 and at 49 Federal Register 12338.

    4. EPA's Privacy Act Regulations published at 40 CFR Part 16.

  6. BASIC REQUIREMENTS OF THE PRIVACY ACT. The basic requirements of the Privacy Act are summarized below:

    1. At least sixty days prior to creation of a new System of Records or significant alteration to an existing System, the Agency must submit documentation to OMB and the Congress, and publish a notice of the System in the Federal Register. (See Chapter 2 for details.)

    2. Each time the Agency creates a new System of Records or requests that an individual provide his/her social security number, the System Manager must provide the individual with a written "privacy act statement." The statement will inform the individual of the legal authority for collecting the information; whether disclosure of such information by the individual is mandatory or voluntary; the purpose for which the information is being collected and the routine uses which may be made of the information; and the effect on the individual if the individual does not provide the information.

    3. To the greatest extent practicable, information about an individual must be collected directly from the individual if the information may be used to make decisions with respect to the individual's rights, benefits, and privileges under Federal programs.

    4. The information that the Agency collects and maintains about individuals must be relevant and necessary to the accomplishment of the Agency's purpose as required by statute or Executive order. The office concerned must establish the relevancy of and need for the information, as well as the authority to collect it.

    5. The information that is maintained in a System of Records must be kept as accurate, relevant, current, and complete as is possible to assure fairness to the individual.

    6. The Agency, upon request from a subject individual, must notify the individual that it is maintaining a record on him/her and must grant the individual access to the record unless the Agency has published a rule exempting the System of Records from this requirement. In addition, the Agency must amend such record upon request, unless the Agency has published a rule exempting the System from this requirement, whenever the subject individual proves that the record is not accurate, relevant, current, or complete. If the Agency does not grant access to or amend an individual's record upon request, it must inform the individual of its refusal to grant access to or amend such record and advise him/her of the appeal rights. (See Chapters 2 and 3 for details.)

    7. The Agency must not disclose information from records maintained in a System of Records to any person or agency, except with written consent of the individual to whom the record pertains. There are, however, twelve exceptions which permit disclosures without consent of the individual. They are listed in Figure 1-2. Any other disclosure of the records (other than to the subject individual) is unauthorized.

    8. Except for disclosures to EPA officials and employees with an official need to know and disclosures required to be made under the Freedom of Information Act, an accounting of the disclosures that are made from a System of Records must be maintained by the System Manager. Each accounting must include the date, nature, and purpose of the disclosure, and the name and address of the person or agency to whom the disclosure was made. The accounting must be retained for the life of the record or for five years after disclosure, whichever is longer.

    9. Each year, at the call of OMB, the Information Management Branch, IMSD, must prepare and submit a report of Agency activities under the Privacy Act.


    1. Assistant Administrators, Inspector General, General Counsel, Associate Administrators, Regional Administrators, Laboratory Directors, and Staff Office Directors. These officials are responsible for implementing the Privacy Act and the requirements specified in this Manual within their respective areas. They are responsible for designating an appropriate EPA employee to serve as System Manager for an existing or proposed System of Records.

    2. Director, Information Management and Services Division, IMSD, Office of Information Resources Management. This individual provides overall management and policy guidance. The Chief, Information Management Branch, IMSD, is the Privacy Policy Officer and is responsible for policy, procedures and oversight of the Act. He/she administers activities related to establishment, alteration or termination of Systems.

    3. General Counsel. The General Counsel is the EPA Privacy Appeals Officer and is responsible for interpreting the Act, reviewing Privacy Act notices, regulations, policy statements and related documents for legal form and substance and deciding all written appeals of negative determinations.

    4. Director, Personnel Management Division. The Director, Personnel Management Division, is responsible for reviewing proposed or altered systems for personnel management implications.

    5. Managers and Supervisors. Managers and supervisors who maintain records subject to the Privacy Act are responsible for implementing the provisions of this Manual within their respective areas.

    6. System Manager. The EPA employee responsible for the application of approved Privacy Act policies and procedures relating to an existing or proposed System of Records and, when appropriate, implementing additional practices and procedures to cover special conditions or situations that may arise within the System of Records. In addition, the System Manager is responsible for:

      1. Preparing documentation required by the Privacy Act, including notices of new, altered or terminated Systems of Records for publication in the Federal Register. (See Chapter 2.)

      2. Making initial decisions whether to grant an individual access to his/her records or amend such records, and whether to extend the date of initial determination concerning requests for access to or amendment of records under the Act.

      3. Safeguarding the System under his/her jurisdiction. (See Chapter 4.)

      4. Informing employees having official access to the System of the penalties under the Privacy Act. (See par. 8.)

  8. PENALTIES. The Privacy Act imposes criminal penalties directly on individuals if they violate certain provisions of the Act. Any Federal employee, for instance, is subject to a misdemeanor charge and a fine of not more than $5,000 whenever such employee:

    1. Knowing that disclosure is prohibited, willfully discloses in any manner records in a System of Records to any person or agency not entitled to access to such records.

    2. Willfully maintains a System of records without publishing the prescribed public notice on the System in the Federal Register.

    3. Knowingly and willfully requests or obtains any record from any System of Records under false pretenses. (The penalty for violation of this provision is not limited to Federal Employees.)

      (The System Manager is responsible for making employees working with a System of Records fully aware of these provisions and the corresponding penalties.)

  9. EXISTING PRIVACY SYSTEMS. Figure 1-3 lists existing EPA Systems of Records which have been documented. (Notice published in the Federal Register.)

  10. OTHER PERTINENT EPA DIRECTIVES. Additional guidance relevant to carrying out the provisions of the Privacy Act is found in other EPA directives as follows:

    1. Forms Management Manual, Chapter 1, for forms developed in connection with the Privacy Act.

    2. Federal Acquisition Regulation Subpart 24.1 and EPA Acquisition Regulation Subpart 15-24.1 for contracts involving collection and maintenance of information on individuals.

    3. Delegations Manual 1-33 for authority to make determinations on appeals from the initial denial and to make determinations on correction or amendment.

    4. Reports Management Manual, Chapter 4, for policy on collecting information from the public.

    5. Records Management Manual, Chapters 1 and 3, for management and disposal of records.

    6. EPA Order 1515.1C dated 8/23/78 for Freedom of Information Act procedures.

    7. Federal Register Document Drafting Handbook for preparation of Federal Register documents.

    8. Facilities and Support Services Manual, Security Volume, Part III, Chapter 13, for security requirements for Privacy Act data.

Figure 1-1: Definitions Applicable to the Privacy Act

The following definitions are applicable to this Manual:

  1. "Access" means availability of a record to a subject individual.

  2. "Agency" means the U.S. Environmental Protection Agency.

  3. "Disclosure" means the availability or release of a record to anyone other than the subject individual.

  4. "Individual" means a citizen of the U.S. or an alien lawfully admitted for permanent residence. It does not include businesses or corporations and, in certain circumstances, may not include sole proprietorships, partnerships, or persons acting in a business capacity identified by the name of one or more persons.

  5. "Maintain" means to collect, use, or disseminate when used in connection with the term "record"; and, to have control over or responsibility for a System of Records when used in connection with the term "System of Records".

  6. "Personal identifier" is any individual number, symbol, or other identifying designation assigned to an individual but not a name, number, symbol, or other identifying designation that identifies a product, establishment, or action.

  7. "Record" means any collection or grouping of information about an individual that is maintained by the Agency, including but not limited to the individual's education, financial transactions, medical history, and criminal or employment history and that contains his/her name, or an identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or photograph.

  8. "Routine use" means, with respect to the disclosure of a record to a person or agency other than EPA, the use of a record for a purpose which is compatible with the purpose for which the record was collected. It includes disclosures required to be made by statute other than the Freedom of Information Act, 5 U.S.C. 552. It does not include other disclosures which are permitted to be made without the consent of the subject individual pursuant to Section 552a(b) of the Privacy Act, such as disclosures to EPA employees who have official need for the record, to the Bureau of the Census, to the General Accounting Office or to the Congress.

  9. "Subject individual" is the individual to whom a record pertains.

  10. "System Manager" is the EPA employee designated as the responsible manager of a System of Records.

  11. "System of Records" means any group of records under the control of the Agency from which information is retrieved by personal identifier such as the name of the individual, or a number, symbol, or other unique identifier assigned to the individual. Single Agency records or groups of records which are not retrieved by a personal identifier are not part of a System of Records. Uncirculated personal records maintained by individual employees of the Agency which are prepared, maintained, or discarded at the discretion of the employee and which are not subject to the Federal Records Act, 44 U.S.C. 3101, do not constitute a System of Records; provided that such personal papers are not used by the employee or the Agency to make any determination concerning the rights, benefits, or privileges of individuals, and are not incorporated into an existing System of Records. A System of Records comes under the provisions of the Privacy Act.

Figure 1-2: Exceptions to the Privacy Act Prohibition against Disclosure

  1. Internal Disclosures. The System Manager may make disclosures to officers and employees of the Agency who have a need for the record in the performance of their duties as determined by the System Manager. In some limited circumstances, disclosures to EPA contractors may be considered internal disclosures. Employees should consult with the Office of General Counsel if they have questions in this area.

  2. Disclosures Under the Freedom of Information Act. Disclosures may be made when required by the Freedom of Information Act if there is a written Freedom of Information Act request. However, when the Freedom of Information Act does not require disclosure, but merely permits disclosure at the Agency's discretion, the Privacy Act disclosure prohibition is applicable.

  3. Routine Use. Disclosures may be made for a routine use as described and published in the Federal Register notice describing the System or Records.

  4. Bureau of the Census. Disclosures may be made to the Bureau of the Census for the purpose of planning or carrying out a census or survey or related activity.

  5. Statistical Research/Reporting. Disclosures may be made to a recipient who has provided the Agency with advanced adequate written assurance that the record will be used solely as a statistical research or reporting record, and that the record is to be transferred in a form that is not individually identifiable.

  6. Preservation of Records. Disclosures may be made to the National Archives of the United States of a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the National Archives and Records Administration to determine whether the record has such value.

  7. Civil or Criminal Law Enforcement. Disclosures may be made to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the Agency specifying the particular portion of a record desired and the law enforcement activity for which the record is sought.

  8. Health or Safety. Disclosures may be pursuant to a showing of compelling circumstances affecting the health or safety of individuals if upon such disclosure notification is transmitted to the last known address of such individual.

  9. Congressional Disclosures. Disclosures may be made to either House of Congress, or to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee or any such joint committee. This exception does not apply to disclosures to individual members of Congress without consent of the individual.

  10. General Accounting Office. Disclosures may be made to the General Accounting Office for the purpose of carrying out the duties of that office.

  11. Court Order. Disclosures may be made pursuant to the order of a court of competent jurisdiction.

  12. Debt Collection. Disclosure may be made to a consumer reporting agency in accordance with Section 3(d) of the Federal Claims Collection Act of 1966 (31 U.S.C. 3701(a)(3)).

Figure 1-3: EPA Systems of Records

Following is a list of EPA documented Systems of Records:

System No. and Name Office
EPA-1 - Payroll System Payroll Accounts Office
EPA-2 - Personnel Records Personnel Management Div.; Local Personnel Officers
EPA-3 - Health Unit & Stress Lab Med Records Personnel Management Div.
EPA-4 - Inspection Reports Office of Inspector General
EPA-5 - Personnel Security File Office of Inspector General
EPA-6 - Security Computer Program System Office of Inspector General
EPA-7 - Travel Voucher, Advance Cards & Payee File System Financial Management Div.
EPA-8 - Confidential Statement of Employment & Financial Interest Office of General Counsel
EPA-9 - Freedom of Information Act File Freedom of Information Offices; Grants, Contracts and General Admin. Div., OGC
EPA-10 - Parking Control File Facilities & Support Services Div.
EPA-11 - Terminated  
EPA-12 - Terminated  
EPA-13 - Time Accounting Information System Program Support Division, Office of Pesticide Programs
EPA-14 - Enforcement Case Support Expert Resources Inventory System Technical Support Branch, Off. of Waste Prog. Enforcement

Introduction | Chapter 1 | Chapter 2 | Chapter 3 | Chapter 4

Local Navigation

Jump to main content.