• Decrease font size
  • Return font size to normal
  • Increase font size
U.S. Department of Health and Human Services

About FDA

  • Print
  • Share
  • E-mail

SMG 3297.4

FDA STAFF MANUAL GUIDES, VOLUME III - GENERAL ADMINISTRATION

INFORMATION RESOURCES MANAGEMENT

FREEDOM OF INFORMATION ACT

PROCEDURES FOR IMPLEMENTATION OF THE PRIVACY ACT

Transmittal Number 81-82 -- Date: August 14, 1981
Change: 09/25/2014

[PDF Version]

 1.
 2.
 3.
 4.
 5.
 6.
 7.
 8.
 9.
 10.
 11.
 12.
 13.
 14.
 15.
 16.
  Attachment A - Privacy Act Record Systems

1. PURPOSE. 

The purpose of the Guide is to provide guidelines for implementation of the Privacy Act of 1974 within the Food and Drug Administration. This Guide addresses itself only to those systems of records created by Food and Drug and not those of other agencies, e.g. personnel files required by the Office of Personnel Management. (Necessary guidelines relating to other systems of records will be published separately in additional Staff Manual Guide.)

2. BACKGROUND. 

The Congress of the United States found that the privacy of individuals has been endangered by the increasing use of computers and sophisticated information collecting and disseminating technology by Federal agencies in their conduct of the affairs of Government. The Act provides specific safeguards for individuals against unwarranted invasions of privacy by requiring all Federal agencies to adhere to certain standards for collecting, maintaining, using and/or disseminating information of a personal nature about individuals. It also provides an individual with access privileges and the right to contest when he feels the records about himself are incorrect.

3. DEFINITIONS. 

A. Privacy Act. Section 552a of Title 5, United States Code, as amended by Public Law 93-579.

B. Record. Any item, collection, or grouping of information about an individual that is maintained by the agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains name, or identifying number, symbol, or other identifying particular assigned to the individual, such as finger or voice print or a photograph.

C. Privacy Act Record Systems. A system of any records under the control of any agency from which information is retrieved by the individual names or other personal identifiers. See Attachment A for list of Privacy Act Record Systems maintained by FDA.

D. Routine Use. The disclosure outside the agency of a record or information contained in a record for a purpose which is compatible with the purpose for which the information was collected and the use is described in the notice of the Privacy Act Record System. It does not include disclosures that are permitted by statute (e.g. disclosures required under Freedom of Information or disclosures to National Archives, a court, congressional committees, etc., as specified in paragraph 8).

E. Disclosure. The release of individually identifiable information to a person other than the individual to whom the information pertains.

F. Individual. A natural living person who is a citizen of the United States or an alien lawfully admitted for permanent residence. It does not include persons such as sole proprietorships, partnerships, or corporations.

G. Legal Guardian. A person who has been appointed to act on behalf of an individual who has been declared incompetent due to physical or mental incapacity by a court of competent jurisdiction.

H. Personal Identifiers. Any individual numbers, symbols, or other identifying designations assigned to individuals but not names, numbers, symbols, or other identifying designations that identify products, establishments, or actions.

4. PURPOSE OF THE PRIVACY ACT. 

The Privacy Act of 1974 was established to provide certain safeguards for any individual against an invasion of personal privacy by requiring Federal agencies to: Permit an individual to determine what records pertaining to himself/herself are collected, maintained, used, or disseminated by such agencies.

A. Permit an individual to prevent records pertaining to himself obtained by such agencies for a particular purpose from being used or made available for another purpose without his consent.

B. Permit an individual to gain access to information pertaining to himself in Federal agency records which are retrieved by his name or other personal identifier, to have a copy made of all or any portion thereof, and to correct or amend such records.

C. Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information.

D. Permit exemptions from the requirements with respect to records provided in the Act only in those cases where there is an important public policy need for such exemption as has been determined by specific statutory authority.

E. Be subject to civil suit for any damages which occur as a result of willful or intentional action which violates any individual's rights under the Act.

5. POLICY. 

It is the policy of the Food and Drug Administration to protect the privacy of individuals to the fullest extent possible while nonetheless permitting the disclosure of personal information on individuals which is required to fulfill the Agency's administrative and program responsibilities. It is also FDA's responsibility to provide information which the general public is entitled to have under the Freedom of Information Act. Minimum requirements to control and protect documents that contain privileged information are contained in SMG FDA h:2280.6 for Headquarters and SMG FDA f:2280.2 for field.

6. RESPONSIBILITIES. 

A. The Privacy Act Coordinator in the FOI Staff (HFI-30), Office of Public Affairs, is responsible for:

1. Implementing and overseeing the Act agency-wide.

2. Cooperating with the Division of Personnel Management in developing training programs for agency personnel in the provisions of the Act.

3. Preparing reports on the Privacy Act activities in FDA, and coordinating rules and notices for publication in the Federal Register including changes to existing systems or creation of additional systems.

4. Receiving requests for information under the Privacy Act and forwarding them to the appropriate office for processing.

5. Preparing letters responding to requests for information.

6. Preparing denial letters for signature of the Associate Commissioner for Public Affairs.

7. Reviewing appeals concerning the amendment of records and consulting with appropriate officials before making final determinations on whether or not to amend the record and notifying all individuals who have had previous access to the record of the amendment.

8. Assuring that records are maintained specifying the number, status, and disposition of requests, including the number of requests for records exempt from access, and other information pertaining to requests to amend a record within ten working days.

9. Providing reviewing officials with material needed to review requests for amendment.

10. Informing the individual who has appealed a refusal to amend a record, if that refusal has been upheld by the Commissioner, that the statement of disagreement will be made available to all persons listed in an accounting as having previously received the record and any person to whom the record is subsequently disclosed together with, in the discretion of FDA, a brief statement summarizing its reasons for refusing to amend the record.

11. Receiving requests for disclosure of records from law enforcement activities.

B. The systems managers are responsible for:

1. Receiving and responding to requests for information received from the Privacy Act Coordinator.

2. Amending records in cases where amended information is not controversial and does not involve decision making.

3. Determining any fees to be charged.

4. Establishing and maintaining appropriate recordkeeping files.

5. Reviewing records for relevance, timeliness, completeness, and accuracy.

6. Providing material to the Privacy Act liaison officer or the Privacy Act Coordinator for required reports on Privacy Act activities within record systems.

C. Each Associate Commissioner, Bureau Director, Executive Director of Regional Operations, Director of the National Center for Toxicological Research, OC Office Directors and Regional Food and Drug Directors is responsible for:

1. Ensuring that all employees within the component are made aware of Privacy Act policy and procedures.

2. Designating Headquarters or field Privacy Act liaison officers and keeping the Privacy Act Coordinator informed of any changes in such designations.

D. Each Privacy Act liaison officer is responsible for:

1. Providing internal direction and guidance to his component on Privacy Act policies and procedures.

2. Submitting information regarding Privacy Act activities to the Privacy Act Coordinator to be used in preparing necessary reports. (3) Maintaining liaison with the Privacy Act Coordinator on matters relating to the Privacy Act.

E. The Division of Financial Management is responsible for:

1. Receiving all payments submitted in relation to Privacy Act requests.

2. Promptly notifying the Privacy Act Coordinator of receipt of such payment.

7. ACCESS TO RECORDS. 

A. Access may be granted to an individual requesting records about himself by: Informing the individual whether a system of records contains a record pertaining to him.

B. Permitting the requesting individual to obtain a copy thereof either in person or by mail. The individual may request that a record be disclosed to or discussed in the presence of another individual such as an attorney. A written statement may be required of the individual authorizing the disclosure or discussion in such other individual's presence.

C. Permitting an individual to correct or amend a record pertaining to himself in a system of records.

8. CONDITIONS OF DISCLOSURE. 

With respect to the disclosure of a record to a person other than the individual to whom a record pertains, prior written consent of the subject is usually required. However, disclosures under any of the following conditions do not require the individual's written consent: Disclosure to HHS employees who have established a need for the record in the performance of their duties in connection with laws administered by FDA.

A. Disclosure of a record to a member of the public to whom the record is disclosable under the Freedom of Information Act (FOIA). If the provisions of the FOIA permit, but do not require disclosure of the information, the consent of the individual must be obtained prior to disclosure unless the disclosure is permitted under one of the other conditions listed herein.

B. Disclosure to a person where the names and other identifying information are first deleted, and under circumstances in which the recipient is unlikely to know the identity of the subject of the record.

C. Disclosure for a "routine use" provided the "routine use" has been established and described in the annual public notice required by the Privacy Act to be published in the Federal Register.

D. Disclosure to the Bureau of the Census for purposes of planning or carrying out a lawfully constituted census or survey or related activity.

E. Disclosure to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely-as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable.

F. Disclosure to the National Archives as a record which has sufficient historical or other value as to warrant its continued preservation by the Government, or for evaluation by the Administrator of General Services or his designee to determine if the record has such value. (Records which are transferred to the Federal Records Center for safekeeping or storage do not fall within this provision. See paragraph 11d.)

G. Disclosure to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if that activity is authorized by law; and if the head of the agency or instrumentality or his designee has made a written request to the FDA Privacy Act Coordinator specifying the particular portion of a record desired and the law enforcement activity for which the record is sought.

H. Disclosure to a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual. FDA may disclose records when the time required to obtain consent of the individual to whom the records pertain might result in a delay which could impair the health or safety of an individual; as in the release of medical records on a patient undergoing emergency treatment. The individual whose records are disclosed need not necessarily be the individual whose health or safety is in peril, e.g., release of dental records on several individuals in order to identify an individual who was injured in an accident.

I. Disclosure to either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee.

J. Disclosure to the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the General Accounting Office.

K. Disclosure pursuant to the order of a court of competent jurisdiction.

9. PROCEDURES FOR PROCESSING REQUESTS BY INDIVIDUALS OF RECORDS PERTAINING TO THEMSELVES. 

A. Requests Received Directly by Privacy Act Coordinator. Upon receipt of a request for access to information from an individual to whom a record pertains, the Privacy Act Coordinator shall:

1. Make a record of the fact that the request was received and the date.

2. If it is unclear whether an individual is seeking information about himself under the Privacy Act, consult with the individual to determine whether his request should be made under the Privacy Act or the Freedom of Information Act, or both, and assist him in making the appropriate request.

3. Refer requests for records which are not in the control or possession of FDA to the appropriate agency and inform the requester accordingly.

4. Forward the request to the appropriate records system manager to determine if the request is accessible.

5. When a reply is received regarding access to the record, the Privacy Act Coordinator will respond to the requester by letter as follows:

a. If there are no records about the individual that are retrieved by his name or other personal identifier in a named Privacy Act Record System, the letter will advise the individual of such and, when appropriate, indicate that the request can be made under the FOIA for certain records not retrieved by the requester's name or other personal identifier.

b. If records exist which are retrieved by the individual's name or other personal identifier, a copy of the records should be enclosed with the letter or the letter should indicate that the records will be forwarded under separate cover, as long as there has been an adequate verification of identity in accordance with subparagraph d. hereof and the appropriate fee has been paid, if required, in accordance with subparagraph e. hereof. If the records exist but are not available to the individual because a fee need be paid or because of lack of verification, etc., the letter should inform the individual how access to the records can be accomplished.

c. If the records systems are exempt from access, the letter should inform the individual citing the Federal Register notice. If the records are available under the FOIA, the records may be enclosed with the letter.

d. If the records are available but a final determination has not been made with respect to access of all of the records covered by the request, e.g., because it is necessary to consult another person or agency having an interest in the confidentiality of the records, the letter should explain the circumstances and indicate when a final answer will be given.

e. If the request for access to a record is to be denied, in whole or in part, the letter should specify the reason for the denial. Only the Associate Commissioner for Public Affairs can deny a record under the Privacy Act (except for personnel records which can only be denied by the Associate Commissioner for Management and Operations). The letter should state the right of the individual to appeal any denial to the Commissioner of Food and Drugs.

6. If fees are to be assessed, notify the Division of Financial Management (HFA-120) of the fee and the amount using Form FD 2846, "Invoice for Freedom of Information Request." (DFM should also be notified of any cancellation of assessed fees.)

B. Handling Requests by Systems Manager. Upon receipt of a request referred by the Privacy Act Coordinator, a systems manager will:

1. Locate the requested records.

2. Determine whether the records are accessible.

3. Inform the Privacy Act Coordinator or the Privacy Act liaison officer if records are accessible and if necessary, fee to be charged for copying records.

4. Prepare records and forward to Privacy Act Coordinator or the Privacy Act liaison officer.

C. Requests Received by Other Than the Privacy Act Coordinator.

All requests should be referred to the Privacy Act Coordinator except those that deal with personnel records.

D. Verification of Identity.

1. An individual who appears in person for access to records about himself shall be required to provide at least one document such as a driver's license, passport, alien or voter registration card to verify his identity. If the individual does not have any such documents or requests access to records about himself without appearing in person under circumstances in which his identity cannot be verified from the request itself, he shall be required to certify in writing that he is the individual he claims to be and that he understands that the knowing and willful request for, or acquisition to, a record pertaining to an individual under false pretenses is a criminal offense subject to a $5,000 fine.

2. A parent or legal guardian may be required to verify his relationship to a minor child or an incompetent individual, in addition to verifying his own identity, by providing a copy of a minor's birth certificate, a court order, or other evidence of guardianship.

3. When an individual seeks access to particularly sensitive records such as medical records, he may be required to provide additional information beyond that specified in subparagraphs (1) and (2) above, such as the individual's years of attendance at a particular educational institution, rank attained in the uniformed services, date or place of birth, names of parents, occupation, or the specific time the individual received medical treatment.

E. Fees.

1. Schedule. Fees will be charged only when an individual has requested a copy be made of a record to which he is granted access. An individual may be permitted to personally review records without copying them. The schedule for charging for such copies is as follows:

a. $.10 per page for photocopying.

b. Copying of records not susceptible to photocopying, e.g., punch cards or magnetic tapes, actual cost to be determined on a case-by-case basis.

2. Exemption From Fees. No charge shall be made if:

a. Copying for an individual does not exceed $25.

b. A record has to be copied in order to make it accessible as a record, e.g., computer printout where no screen reading is available.

c. Medical records have to be copied in order to make them available to a representative designated by an individual.

d. The service is requested by a Federal department or agency or a cooperating state or local government agency.

e. The service is requested by a Congressional committee, subcommittee, or the General Accounting Office. No fee will be charged for the time spent for searching for a requested record or for the time spent reviewing records to determine if they fall within the provisions of the Privacy Act.

3. Waiver of Fees. Payment of fees may be waived if it is determined that the person making the request is indigent or that the waiver of fees is in the public interest. A request to waive fees should be forwarded to the Privacy Act Coordinator. The decision to waive fees will be made by the Associate Commissioner for Management and Operations or his designee for copies of personnel records, or by the Associate Commissioner for Public Affairs or his designee for copies of all other records.

4. Requesting Payment. If a request will result in a fee of more than $50, an advanced payment will be required as well as payment of any amount not yet received as a result of any previous request by that particular individual requesting records about himself before the records will be made available. If the fee is less than $50, prepayment shall not be required unless payment has not yet been received for records disclosed as a result of a previous request by the individual for a record either under the Privacy Act regulations or the Freedom of Information Act regulations.

5. Receipt for Payment. Payment shall be made by check or money order made payable to the Food and Drug Administration and sent directly to the Accounting Branch, (HFA-120), 5600 Fishers Lane, Rockville, MD 20857. That Branch will notify the Privacy Act Coordinator that the payment has been received and if appropriate the requested material will be released to the individual.

10. PROCEDURES FOR PROCESSING REQUESTS FOR AMENDMENT OF RECORDS. 

A. Requests for Amendment of Records. An individual who has received access to a record under the Privacy Act may request that the record be amended if the individual believes that the record or an item of information in the record is not accurate, relevant to a Food and Drug Administration purpose, timely, or complete. All requests for amendment of records should be directed to the Privacy Act Coordinator. The following should be included in the request:

1. Sufficient information to enable the Food and Drug Administration to locate the record.

2. A brief description of the items of information requested to be amended.

3. The reasons why the record should be amended and any appropriate documentation or arguments in support of the requested amendment. An edited copy of the record showing the described amendment may be included.

B. Processing Requests for Amendment by Privacy Act Coordinator.

1. The Privacy Act Coordinator should take one of the following actions with respect to requests for amending records:

a. Take action to see that amendment is made to any portion of the record which the agency has determined, based upon a preponderance of the evidence, is not accurate.

b. Inform the individual of the refusal to amend any portion of the record in the manner requested, the reason for the refusal, and the opportunity for administrative appeal to the Commissioner of Food and Drugs.

c. If the accuracy, relevancy, timeliness, or completeness of the records may be contested in any other pending or imminent agency proceedings, refer the individual to the other proceeding as the appropriate means for obtaining relief.

d. Where another agency was the source of and has control of the record, refer the request to that agency. The individual should be informed that the request was forwarded to another agency.

e. If the accuracy, relevance, timeliness, or completeness of a record is, or has been, an issue in another agency proceeding, the request will be handled in accordance with the decision in the other proceedings barring unusual circumstances.

2. Written acknowledgement of the receipt of a request to amend a record shall be provided within ten working days to the individual who requested the amendment. Such acknowledgement may request any additional information needed to verify identity or make a determination. No acknowledgement need be made if the request can be reviewed, processed, and the individual notified of the agency's agreement with the request or refusal within the ten day period. The period for taking action may be extended an additional 30 days if notice is provided to the individual explaining the circumstances of the delay.

C. Processing Appeals for Refusal to Amend Records. An individual may appeal a refusal to amend a record directly to the Commissioner. A final determination shall be made within 30 working days unless it is decided to extend the period for good cause. A letter should then be sent to the individual informing him of the reasons for the delay and the approximate date on which a decision of the appeal can be expected. If the appeal is upheld, the Privacy Act Coordinator shall prepare for the Commissioner's signature a letter informing the individual making the request:

1. Of the decision to deny the request and the reasons.

2. Of the individual's right to file with FDA a concise statement of the individual's reasons for disagreeing with agency's decision not to amend the record as requested.

3. That a statement of the disagreement will be made available to any person who has received the disputed record in the past or to whom it is disclosed in the future along with a brief statement summarizing the agency's reasons for refusing to amend the record.

4. That the individual has a right to seek judicial review of the refusal to amend the record.

11. SPECIAL RECORDS. 

A. Personnel Records. The procedures of the Office of Personnel Management govern all FDA personnel record systems maintained by the Division of Personnel Management or by HHS Regional Personnel Offices. Requests by individuals for such records shall be handled in accordance with the Staff Manual Guide on personnel Privacy Act regulations.

B. Medical Records. In most cases an individual is entitled to access to any medical records, including psychological records, in the Privacy Act Systems as long as it is determined that such access would not have an adverse effect on the individual. If it is determined that the disclosure might have an adverse effect on the individual, he shall be requested to designate, in writing, a representative to whom the record shall be disclosed. Such a representative may be a physician, health professional, or other responsible person who would be willing to review the record and discuss it with the individual. The determination for the disclosure shall be made by the Privacy Act Coordinator through consultation with a medical officer if possible. In cases where the record is not disclosed to the individual, the Privacy Act Coordinator will document in writing the reasons for requesting the individual to designate a representative and how the medical record was disclosed to the representative.

C. Records of Contractors. Systems of records that are required to be operated by contractors to accomplish Food and Drug Administration functions, from which information is retrieved by individual names or other personal identifiers, may be subject to the provisions of the Privacy Act. The contractor and his employees are considered to be employees of the Food and Drug Administration and shall operate such systems of records in accordance with the Privacy Act of 1974. The contractor and his employees are subject to the criminal penalties set forth in 5 U.S.C. 552a(i) for violations of the Privacy Act.

D. Stored Records. Food and Drug Administration records that are stored, processed, and serviced by the General Services Administration shall be considered to be maintained by the Food and Drug Administration. The records will be retrieved from General Services Administration by FDA and the requests for these records answered by Food and Drug Administration employees.

12. EXEMPT RECORD SYSTEMS. 

A. FDA Exempt Record Systems. Investigatory records compiled for law enforcement purposes including criminal law enforcement purposes, in the Privacy Act Record Systems, are exempt from certain provisions of the Privacy Act. The systems that are presently exempt are:

1. Regulated Industry Employee Enforcement Records, 09-10-0002.

2. Bioresearch Monitoring Information System, 09-10-0010.

3. Employee Conduct Investigative Records, 09-10-0013.

4. Service Contractor Employees Investigative Records, 09-10-0014.

B. Access to Exempted Records. Where a Privacy Act Record System is exempt and the requested records are unavailable, an individual may nevertheless make a request for notification concerning whether any records about him exist and request access to such records where they are retrievable by his name or other personal identifier. An individual making such a request:

1. May be given access to the records under the FOIA or the Commissioner may, at his discretion, entertain a request under the provisions of this Guide.

2. Shall be given access upon request if the records requested are subject to 5 U.S.C. 552a (k)(2) and not to 5 U.S.C. 552a (j)(2) (i.e., because they consist of investigatory material compiled for law enforcement purposes) and maintenance of the records resulted in denial to the individual of any right, benefit, or privilege to which he would otherwise be entitled by Federal law, or for which he would otherwise be eligible. An individual given access to a record under this subparagraph is not entitled to seek amendment. The FDA may refuse to disclose a record that would reveal the identity of a source who furnished information to the Government under a promise of confidentiality, which must be an express promise if the information were furnished on or after September 27, 1975. Any individual who is refused access to a record that would reveal a confidential source shall be advised in a general way that the record contains information that would reveal a confidential source.

13. CREATION, ALTERATION, AND TERMINATION OF RECORD SYSTEMS. 

When a change is made in a system or a new system of records is created, a report must be prepared for submission to HHS, OMB, and Congress and a notice of the system of records published in the Federal Register. The report shall consist of a brief narrative description, supporting documentation, and an update of the inventory of Federal personal data systems as follows (for additional guidance in documentation and compliance policy relating to new or altered record systems, refer to PHS-TN 45-12, dated 1/15/80, Creation, Alteration, and Termination of Privacy Act Records, of the HHS General Administration Manual):

A. System Name. Provide the name of the record system and the identifying symbols of the organization with primary responsibility maintaining the system of records.

B. Security Classification. Identify the security classification of the system of records. If there is no such classification, enter "none." Indicate if only a portion of the records in the system are subject to a security classification. (Primarily for use by the Defense Department.)

C. System Location. Specify each address at which the record system is maintained. Include Headquarters and field locations. If the system is maintained at five or more locations, the addresses should be listed in an appendix to the notice and reference to the appendix should be made.

D. Categories of Individuals Covered by the System. Describe the categories of individuals on whom records are maintained in the system.

E. Categories of Records in the System. Give a brief description of the type of information in the system.

F. Authority for Maintenance of the System. Cite the specific statute or Executive Order which authorizes the Department to maintain the system of records.

G. Purpose of the System. State the reason(s) for creating the system of records, i.e., what the system is designed to accomplish. Include the categories of users (i.e., organizations).

H. Routine Uses. Describe each routine use which will be made of the records in the system, including the categories of users and the purpose of each use. Indicate if there are none.

I. Records Management Policies and Practices.

1. Storage. Describe the medium in which the records in the system are maintained.

2. Retrievability. Indicate how the records are indexed and retrieved and describe any intra-agency uses and disclosures.

3. Safeguards. Describe in general terms, any measures taken to prevent unauthorized access to the records.

4. Retention and Disposal. Indicate how long the records are retained and how they are disposed of.

J. System Manager(s) and Address. Give the title and business address of the agency official who is responsible for the policies and practices governing the system. Do not include name or telephone number. A contractor may not be named as the system manager.

K. Notification Procedure. Give the name and address of the office or offices which individuals should contact if they want to know whether the system contains information about themselves. Specify any identifying information which individuals will be required to provide in order for the office to make such a determination.

L. Record Access Procedures. Give the name and address of the office or offices which individuals should contact if they want to gain access to any records in the system about themselves. If appropriate, refer to the preceding paragraph.

M. Contesting Record Procedures. Give the name and address of the office or offices which individuals should contact if they want to contest the accuracy, relevancy, timeliness, or completeness of their record in the system. Refer to preceding paragraphs where appropriate.

N. Record Source Categories. Describe the sources from which the information in the system is obtained. Sources include, but are not limited to, the individual, previous and current employees, other agencies, etc.

O. Systems Exempted from Certain Provisions of the Act. Identify the subsection of the Act which permits the Department to exempt the system and the provisions of the Act from which the system is exempt. State the reason for invoking the exemption. Cite the Federal Register issue and page number in which the exemption was promulgated. If the system is not exempted, enter "none."

14. ACCOUNTING. 

Temporary administrative management records accounting for the number, status, and disposition of requests from an individual to whom a record pertains and to third parties with prior written consent from the subject individual shall be maintained by the Privacy Act Coordinator. These administrative records should only include requesting individuals names or personal identifiers and be retained as long-as the request for notification, access, or amendment is pending. The records are not considered to be a Privacy Act Record System and are regarded as confidential and are not disclosable under the public information regulations. The Privacy Act Coordinator is required to perform the following with regard to disclosures as listed in paragraph 8:

A. Record the name and address of the person or agency to whom the disclosure is made and the date, nature, and purpose of the disclosure.

B. Retain the accounting for five years or for the life of the records, whichever is longer, following the disclosure.

C. Notify those recipients listed in the accounting of amendments or disputes concerning the records.

D. Except when the record is exempt from individual access and contest under paragraph 12. or to the extent that the accounting describes a transfer for a law enforcement purpose, make the accounting available to the individual to whom the record pertains in accordance with public information regulations.

E. A single accounting may be used to cover disclosure that consists of a continuing dialogue between two agencies over a prolonged period of time. No accounting is necessary for disclosure made to employees who have need for a record in the performance of their duties and disclosures required under the Freedom of Information Act.

15. PENALTIES. 

A. The Privacy Act subjects FDA employees to a misdemeanor charge and a fine of not more than $5,000 whenever he willfully or knowingly: Discloses records in a system of records to any person or agency not entitled to access to such records.

B. Maintains a system of records without publishing the prescribed public notice on the system in the Federal Register.

C. Requests or obtains any record from any system of records under false pretenses. Such persons may also be subject to prosecution under the False Reports to the Government Act, 18 U.S.C. 1001.

16. Document History -- SMG 3297.4, Procedures for Implementation of the Privacy Act 

STATUS (I, R, C)DATE APPROVEDLOCATION
OF CHANGE HISTORY
CONTACTAPPROVING OFFICIAL
Change09/25/2014Attachment AOC/OES/DFOIFrederick Sadler, Director DFOI

ATTACHMENT A 

PRIVACY ACT RECORD SYSTEMS

The 10 Privacy Act Record Systems maintained by FDA are:

09-10-0002 Regulated Industry Employee Enforcement Records

09-10-0003 Credential Holder File

09-10-0004 Communications (Oral and Written) With the Public

09-10-0005 State Food and Drug Official File

09-10-0009 Individual and Household Statistical Surveys and Special Studies on FDA-Regulated Products

09-10-0010 Bioresearch Monitoring Information System

09-10-0018 Employee Identification Card Information Record

09-10-0019 Mammography Quality Standards Act (MQSA) Training Records, HHS/FDA/CDRH

09-10-0020 FDA Records Related to Research Misconduct Proceedings, HHS/FDA/OC

09-10-0021 FDA User Fee System, HHS/FDA