Chapter 3. Access and Amendment
You will need Adobe Reader to view some of the files on this page. See EPA's PDF page to learn more.
Some links on this page are pointers to other hosts and locations on the Internet. This information is provided as a service, however the U.S. Environmental Protection Agency is not responsible for the content of these sites.
(Revised December 2005)
The purpose of this Chapter is to describe procedures and responsibilities for responding to a request to access or amend information in a System of Records. This Chapter has been revised to reflect changes in the Agency's process for responding to these types of requests.
PROCESSING REQUESTS FOR ACCESS
3.1 Individual Access to Personal Information
The Privacy Act permits individuals to gain access to records about themselves that EPA maintains in its systems of records, unless the records are covered by an exemption. Individuals also may request that the Agency change or amend incorrect or incomplete information. System managers, or their designees, make initial decisions to release, amend or correct individuals' records, and to extend the date for mailing initial determinations under the Privacy Act.
3.2 Individual Requests for Access
Individuals will address requests for access or amendment to personal information in a Privacy Act system of records to the EPA Privacy Act officer through EPA's Freedom of Information Act (FOIA) Office according to instructions in the relevant Privacy Act notice. A requester who cannot determine which system of records applies should write to the EPA Privacy Act officer. The FOIA Office will assign the request a tracking number and send the individual an letter acknowledging receipt of the request by the Agency.
3.2.1 Time Limits
The Agency FOIA Office will acknowledge requests for access within 10 working days after receipt and forward the request to the manager of the system of records to which the request pertains, who will determine whether to grant access to the record. If the system manager cannot make a determination within 30 working days, he or she will inform the requester of the reasons for the delay, and estimate when he or she will make a decision.
3.3 Relationship Between the Privacy Act and the Freedom of Information Act (FOIA)
The Privacy Act provides seven specific exemptions to apply to systems of records. Individuals can use FOIA to seek access to records that are exempt from disclosure under the Privacy Act. The EPA FOIA Office will process Privacy Act requests under both statutes.
The EPA FOIA Office will:
- Process requests by individuals for access to records pertaining to themselves made under FOIA.
- Process requests by individuals for access to records pertaining to themselves made under the Privacy Act of 1974.
- Process requests by individuals for access to records pertaining to themselves that cite both FOIA and the Privacy Act except:
- When FOIA access provisions provide a greater degree of access; or
- When access to the information is controlled by another federal statute.
- If the former applies, the FOIA staff will follow its access provisions.
- If the latter applies, the FOIA staff will follow the access procedures established under the controlling statute.
- Process requests by individuals for access to records pertaining to themselves in system of records that do not cite either FOIA or the Privacy Act under the procedures established by FOIA and its implementing regulations.
The system manager must cite the specific provisions of the Privacy Act or FOIA when responding to such requests. He or she may not deny individuals access to personal information concerning themselves that would otherwise be released to them under either Act solely because they fail to cite either Act or cite the wrong Act, regulation or instruction. Furthermore, the system manager must explain to the requester which Act or procedure he or she used when granting or denying access.
3.4 Verification of Identity
All Privacy Act requests must include sufficient information to verify an individual's identity. According to 40 CFR 16.3(c), an individual who cannot provide sufficient identification as listed in 40 CFR 16.4(b) must submit a signed and notarized statement indicating that he or she is the individual to whom the records pertain, and that he or she understands that it is a misdemeanor punishable by a fine up to $5,000 to knowingly and willfully seek or obtain records about another individual under false pretenses.
See Figure 1 below for a sample Privacy Act request letter that the Privacy Act officer or system manager can provide to individuals who need help preparing a request or have not provided sufficient information.
Figure 1: Sample Privacy Act Request Letter
Privacy Act officer [or Freedom of Information officer]
U.S. Environmental Protection Agency
[City, state, zip code]
Re: Privacy Request for Access
This is a request under the Privacy Act of 1974.
I request a copy of any records [or specifically named records] about me maintained at EPA. These records are contained in a Privacy Act system of records titled [name of system].
[Optional] To assist with your search for these records, I am providing the following additional information: [for example: full name, Social Security number, date and place of birth]. Also, I have the following contacts with your Agency: [for example: job applications, periods of employment, loans or Agency programs applied for, etc.].
[Optional] Please consider this request is also made under the Freedom of Information Act. Please provide any additional information that may be available under the FOIA.
If you determine that any portions of these documents are exempt under either of these statutes, I will expect you to release the non-exempt portions to me as the law requires. I reserve the right to appeal any decision to withhold information.
[Optional] Enclosed is [a notarized signature or other identifying document] that will verify my identity. I look forward to receiving your reply.
Thank you for your consideration.
[City, state, zip code]
Acceptable identity verification for individuals seeking physical access to their records includes employee and military identification cards, drivers' licenses, other licenses, permits or passes used for routine identification purposes.
When an individual requests access by mail, the individual must provide his or her full name, date and place of birth, or other personal information necessary to locate the record he or she seeks. Additional identifying data and notarization may be required for sensitive information.
If an individual requests that he or she be accompanied by another person during a personal inspection of records or to have the records released directly to another person, he or she must submit a written statement authorizing disclosure in the presence of another person. Furthermore, the individual is not required to explain or justify his or her need for access to any record under this guidance.
(The system manager must not use identification procedures to discourage legitimate requests or to burden needlessly or delay the amendment process. He or she may not refuse access to an individual's records solely because he or she refuses to divulge his or her Social Security number, unless that is the only method by which he or she can retrieve the records.)
Only an EPA system manager may deny access. The denial must be in writing and contain the individuals' rights in accordance with 40 CFR 16.6(a)(2).
According to 40 CFR 16.9, EPA charges no fees for providing a copy of the first 100 pages of a record or any portion of a record to an individual to whom the record pertains. The fee schedule for reproducing additional pages is the same as that for FOIA requests. Since Privacy Act requests are also processed as FOIA requests, the fee schedule is governed by FOIA regulations. (See 40 CFR 2.107.)
3.6 Granting Access to Records
The system manager should grant individuals access to the original record or an exact copy of the original record pertaining to themselves without any changes or deletions, unless they have been made according to the Privacy Act's exemption rules. An amended record is considered original for the purpose of granting access. The system manager should clearly explain to the individual any amendments and deletions to records or portions of records.
If the system manager grants access, he or she notifies the Headquarters FOIA office and the individual of the decision. The individual is told:
- Where the records may be inspected;
- The earliest date (i.e., generally no more than 30 working days from the date the Agency receives the request) the records may be inspected; and,
- The times the records will remain open for inspection.
If the individual requests copies by mail, the system manager must notify him or her of the estimated date - no more than 30 working days from the date the Agency receives the request - that the record will be mailed.
3.6.1 Illegible, Incomplete or Partially Exempt Records
The system manager cannot deny an individual access to a record or a copy of a record solely because the physical condition or format of the record does not make it readily available. He or she must recopy or prepare an extract of the record within the stated time limits.
If a portion of a record contains information exempt from access, the system manager must provide an extract or summary containing all of the releasable information in the record, including a clear, written explanation to the individual of all deletions or changes to the records.
3.6.2 Access to Medical Records
Medical records maintained by EPA are not exempt from access provisions, although the Privacy Act authorizes special provisions for them under 552a(f)(3). The system manager may deny an individual direct access to medical or psychological records if he or she, in consultation with a medical doctor, determines that direct disclosure would harm the individual's physical or mental health. In this case, the system manager must offer to send the records to a physician the individual selects.
If the system manager denies direct access, he or she sends the record to the individual's physician, explaining why access without proper professional supervision could be harmful to the individual, unless it is obvious from the record. If the individual refuses or fails to designate a physician, the system manager will not provide the record. Such refusal of access is not considered a denial for Privacy Act reporting purposes.
3.6.3 Access to Information Compiled in Anticipation of Civil Action
The Privacy Act limits access to any information compiled in reasonable anticipation of a civil proceeding under 5 U.S.C. 552a(d)(5). The system manager is not required to disclose to an individual any information compiled in reasonable anticipation of a civil action or proceeding, which includes quasi-judicial and pretrial judicial proceedings. However, he or she is not required to implement this exemption by regulation.
Attorney work products prepared in conjunction with quasi-judicial, pretrial and trial proceedings, including those prepared to advise EPA officials of the possible legal consequences of a given course of action are also protected.
3.6.4 Access to Investigatory Records
The system manager will process requests by individuals for access to investigatory records pertaining to themselves and compiled for law enforcement purposes that have been incorporated into exempt system of records under the Privacy Act or FOIA, depending on which regulation gives the requester the greatest degree of access. The system manager may not deny an individual access to a record solely because it is in the exempt system. The Agency Privacy Act officer and FOIA officer will collaborate, when appropriate, to give the individual optimal access.
The system manager must refer individual requests for access to exempt investigatory records that are temporarily in the possession of a non-investigatory element for settlement or personnel actions to the originating investigating agency. He or she must inform the individual in writing of these referrals.
3.7 Denial of Access
The system manager may deny an individual access to a record pertaining to him or her for the following reasons and for the reasons itemized under Section 3.7.1, "Other Reasons to Deny Access."
If the record:
- Was compiled in reasonable anticipation of civil action;
- Is in a system of records that has been exempted from the access provisions of this guidance under one of the permitted exemptions;
- Contains classified information that has been exempted from the access provision of this regulation under the blanket exemption for such material claimed for all EPA records systems; or
- Is contained in a system of records for which access may be denied under some other federal statute.
The system manager may only deny access to portions of records if the denial serves a legitimate purpose.
3.7.1 Other Reasons to Deny Access
The system manager may also deny access if:
- The individual does not describe the record well enough for employees familiar with the file to locate it with a reasonable amount of effort; or
- The individual fails or refuses to comply with the established procedural requirements, such as refusing to name a physician to receive medical records when required or refusing to pay fees.
The system manager must explain to the individual the specific reason he or she was refused access, and how he or she may obtain it.
3.7.2 Notifying the Individual of Denial of Access
Denials of access must be in writing and include:
- The name, title and signature of the designated denial authority;
- The date of the denial;
- The specific reason for the denial, including the specific citation from the Privacy Act or FOIA;
- Notice to the individual of his or her right to appeal the denial within the 30-calendar-day time limit; and
- The title and address of the Agency Privacy Act officer.
PROCESSING ACCESS APPEALS
3.8 Access Appeal Procedures
The Agency must establish internal appeal procedures that provide for:
- Review by OGC or OIG for systems of records maintained by them, of any appeal by an individual from a denial of access to EPA records.
- Formal written notification to the individual from the system manager that must include:
- The exact reason for denying the appeal, including specific citation to the provisions of the Privacy Act or other statute;
- The date of the appeal determination;
- The name, title and signature of the appeal authority; and
- A statement informing the applicant of his or her right to seek judicial relief.
If OGC or OIG grants the appeal, it must notify the individual and provide access to the requested records. The written appeal notification granting or denying access is the final Agency action regarding access.
The individual must file any appeals from denial of access within 30 calendar days of receipt of notification. The system manager must process all appeals within 30 days of receipt unless he or she determines that he or she cannot make a fair and equitable review within that period. The system manager must notify the appellant in writing if additional time is required for the appellate review. He or she must also include the reasons for the delay and the date when the individual may expect an answer to the appeal.
3.8.1 Denial of Appeals by Failure to Act
A requester may consider his or her appeal formally denied if the appeal authority fails:
- To act on the appeal within 30 days;
- To provide the requester with a notice of extension within 30 days; or
- To act within the time limits established in the notice of extension.
PROCESSING REQUESTS FOR AMENDMENTS
3.9 Requests for Amendment
An individual may request the amendment of any record contained in a system of records pertaining to him or her, unless the system of records has been exempted specifically from the amendment procedures of this guidance. Normally, amendments under this guidance are limited to correcting factual matters and not matters of official judgment, such as performance ratings, promotion potential and job performance appraisals.
The individual's request for amendment must in writing and sent to the EPA Privacy Act Officer. The Privacy Act Officer will assign the request a tracking number. The system manager must not use the written requirement to discourage individuals from requesting valid amendments.
A request for amendment must include:
- A description of the item or items to be amended;
- The specific reason for the amendment;
- The type of amendment action sought, i.e., deletion, correction or addition; and
- Copies of available documentary evidence supporting the request.
3.9.1 Burden of Proof
Under 40 CFR 16.5, an individual must support his or her request for amendment adequately for the system manager to approve an amendment request. The individual must submit the request in writing, including his or her name, the name of the system of records, a detailed description of the information they seek to correct or amend, the specific reasons for the correction or amendment and sufficient documentation of identity.
3.9.2 Limits on Previously Submitted Judicial Evidence
Individuals may not use this amendment process to alter evidence presented in the course of judicial or quasi-judicial proceedings. The system manager amends these records through specific procedures established for the amendment of such records.
This process does not allow a system manager to amend information that has already been the subject of a judicial or quasi-judicial determination. However, an individual may challenge the accuracy of the official recording of that determination.
3.9.3 Sufficiency of a Request to Amend
The system manager must consider the following factors when evaluating the sufficiency of a request to amend:
- The accuracy of the information itself; and
- The relevancy, timeliness, completeness and necessity of the recorded information for accomplishing an assigned mission or purpose.
3.9.4 Time Limits
The EPA Privacy Act officer must acknowledge a request to amend in writing within 10 working days of its receipt. There is no need to acknowledge a request if the action is completed within 10 working days and the individual is so informed.
The letter of acknowledgment will clearly identify the request and advise the individual when he or she may expect a determination of amendment of his or her records. Only under the most exceptional circumstances will more than 30 days be required to reach a decision on a request to amend. The system manager must also document fully in the Privacy Act case file any such decision that takes more than 30 days to resolve.
3.10 Agreement to Amendments
If the system manager decides to grant all or part of an amendment request, he or she will amend the record accordingly and notify the requesting individual.
3.10.1 Notification of Previous Recipients
The system manager must notify all previous recipients of the information, as reflected in the Privacy Act case file, of the specific nature and substance of the amendment. (See Section 3.13: Privacy Act Case Files.) The system manager must inform the individual of these notifications and honor his or her requests to notify specific federal agencies of the amendment action.
3.11 Denying Amendments
If the system manager denies the request for amendment in whole or in part, he or she must promptly notify the individual of the denial in writing, including:
- The specific reason and authority for denying amendment;
- Notification that the individual may request further review of the decision by OGC or OIG, as appropriate, not later than 30 working days from the date on which he or she requests such review (5 U.S.C. 552a(d)(3));
- The procedures for appealing the decision, citing the position and address of the official to whom he or she must address the appeal; and
- Where he or she can receive assistance in filing the appeal.
3.12 Amendment Appeal Procedures
The Agency must establish procedures to ensure prompt, complete and independent review of each amendment denial appealed by an individual. These procedures must ensure that the reviewing official, i.e., OGC or OIG, receives the appeal, along with all supporting materials, including those sent to the individual and those contained in Agency records. If OGC or OIG denies the appeal completely or in part, it notifies the individual in writing that:
- It has denied the amendment appeal and the specific reason and authority for the denial; and
- If filed properly, it will include the statement of disagreement in the record.
The individual will also be informed that:
- He or she may file a statement of disagreement with the EPA office in control of the record, and the procedures for filing this statement; and
- He or she may seek a judicial review of the decision not to amend.
If the record is amended, the system manager must ensure that:
- He or she promptly notifies the individual of the decision;
- He or she notifies all prior known recipients and retainers of the records of the decision and the specific nature of the amendment; and
- He or she notifies the individual which EPA offices and federal agencies have been told of the amendment.
OGC or OIG, as appropriate, must process all appeals within 30 days unless it determines that it cannot make a fair review within this time limit. If OGC or OIG needs additional time, it must notify the individual in writing of the delay, the reason for the delay and when the individual may expect a final decision on the appeal. OGC or OIG must update the Privacy Act case file to document the reason for the delay.
3.12.1 Statements of Disagreement
If OGC or OIG refuses to amend the record, the individual may submit a concise statement of disagreement, setting forth his or her reasons for disagreeing with the decision not to amend. If the individual files a statement of disagreement, the system manager must annotate the record accordingly and furnish copies of the statement to all future recipients of the disputed information, and to all prior recipients known to hold the disputed record in their systems of records.
OGC or OIG should incorporate the statement of disagreement into the record. If this is not possible, it must ensure that it is apparent from the record that the individual filed a statement of disagreement. The system manager must maintain the statement so that it can be obtained readily when the disputed information is used or disclosed. He or she must annotate automated record systems that are not programmed to accept statements of disagreement so that they clearly indicate that a statement of disagreement is on file and identify the statement with the disputed information in the system. The system manager also must provide a copy of the statement of disagreement whenever he or she discloses the disputed information for any purpose.
3.12.2 EPA Summaries of Reasons for Refusing to Amend
OGC or OIG may, at its discretion, include a summary of reasons for refusing to amend any record for which a requester filed a statement of disagreement. OGC or OIG should only include the reasons it gave the individual for not amending the record, and not include comments on the statement of disagreement itself. OGC or OIG must file the summary and statement of disagreement together.
When disclosing information for which an individual filed a summary, the system manager may include a copy of the summary in the file.
ESTABLISHING PRIVACY ACT CASE FILES
3.13 Privacy Act Case Files
All Agency offices involved in the amendment or access process should establish Privacy Act case files to retain the documentation they receive and generate for each unique record request.
The Privacy Act case file will contain:
- The request for amendment or access;
- Copies of the EPA office's reply granting or denying the request;
- Any appeals from the individual;
- Copies of the action regarding the appeal with supporting documentation not in the basic file; and
- Any other correspondence generated in processing the appeal, including coordination documentation.
The system manager should include only the items listed below in the system of records challenged for amendment or for which access is sought. He or she must not retain copies of unamended records in the basic system of records if OGC or OIG grants a request for amendment.
The system manager must include these items relating to an amendment request in the disputed record system:
- Copies of the amended record;
- The individual's statement of disagreement;
- Program office summaries; and
- Documentation the individual submits.
The system manager may include the following items relating to an access request in the basic records system:
- Copies of the request;
- Program office's action granting or denying total access;
- Appeals filed; and
- Replies to the appeal.