Federal & State Lawfederalstatelaw.com
Home/Federal/Federal Register/2022-24871
Rule2022-24871

Privacy Act of 1974

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
November 16, 2022
Effective
December 16, 2022

Issuing agencies

Homeland Security Department

Abstract

The Department of Homeland Security (DHS or Department) is amending its regulations under the Privacy Act of 1974. DHS is updating and streamlining the language of several provisions. In addition, DHS is making minor, technical edits to its Freedom of Information Act regulations.

Full Text

<html>
<head>
<title>Federal Register, Volume 87 Issue 220 (Wednesday, November 16, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 220 (Wednesday, November 16, 2022)]
[Rules and Regulations]
[Pages 68599-68608]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-24871]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

6 CFR Part 5

[Docket No. DHS-2021-0020]
RIN 1601-AB04


Privacy Act of 1974

AGENCY: Office of the Secretary, Department of Homeland Security.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Homeland Security (DHS or Department) is 
amending its regulations under the Privacy Act of 1974. DHS is updating 
and streamlining the language of several provisions. In addition, DHS 
is making minor, technical edits to its Freedom of Information Act 
regulations.

DATES: This final rule is effective December 16, 2022.

FOR FURTHER INFORMATION CONTACT: Lynn Parker Dupree, Chief Privacy 
Officer, Privacy Office, Department of Homeland Security, Washington, 
DC 20528, (202) 343-1717, <a href="/cdn-cgi/l/email-protection#d989abb0afb8baa099b1a8f7bdb1aaf7beb6af"><span class="__cf_email__" data-cfemail="eaba98839c8b8993aa829bc48e8299c48d859c">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: 

I. Background

    The Secretary of Homeland Security has authority under 5 U.S.C. 
301, 552, and 552a, and 6 U.S.C. 112(e) to issue Privacy Act 
regulations. That authority has been delegated to the Chief Privacy 
Officer of the Department pursuant to 6 U.S.C. 142 and DHS Del. No. 
13001, Rev. 01 (June 2, 2020).
    On January 27, 2003, DHS published an interim rule in the Federal 
Register (68 FR 4056) that established DHS procedures implementing the 
Privacy Act, 5 U.S.C. 552a. DHS has since issued minor procedural 
amendments to the interim rule, see 85 FR 11829 (Feb. 28, 2020), but 
DHS has not issued a more comprehensive update since 2003.
    On November 22, 2016, DHS issued a final rule amending the 
Department's regulations under the Freedom of Information Act (FOIA), 6 
CFR part 5, subpart A, in order to update and streamline the language 
of several procedural provisions, to incorporate changes brought by the 
amendments to the FOIA under the Open Government Act of 2007 and FOIA 
Improvement Act of 2016, and to reflect developments in the case law. 
See 81 FR 83625.
    On October 6, 2021, DHS published a proposed rule to amend existing 
regulations under the Privacy Act at 6 CFR part 5, subpart B, and make 
minor, technical edits to 6 CFR part 5, subpart A, for the limited 
purpose of replacing references to appendix I to subpart A with 
references to appendix A to part 5. See 86 FR 55528.\1\ DHS accepted 
comments on the proposed rule through December 6, 2021. DHS is now 
finalizing the rule with minor clarifying changes, the more prominent 
of which are discussed below.
---------------------------------------------------------------------------

    \1\ Except as explicitly stated below, DHS incorporates by 
reference the section-by-section analysis contained in the preamble 
to the proposed rule.
---------------------------------------------------------------------------

II. Discussion of Final Rule

A. Response to Comments

    In total, DHS received 6 public submissions to its proposed rule, 
of which only one provided a specific recommendation. The commenter 
stated that DHS should add language to the proposed regulation to 
address the ability of the public to seek corrections to records 
maintained about them or organizations they are associated with. The 
comment stated that when federal agencies maintain records that are 
inaccurate it can expose individuals to risk, and such individuals 
should have redress to correct such errors. DHS interprets the comment 
to refer to content that is already included in proposed 6 CFR 5.26, 
Requests for Amendment or Correction of Records. After review and 
consideration, DHS has decided to not make additional changes to this 
section. This section clearly explains how an individual can

[[Page 68600]]

ask DHS to amend or correct agency records about them.

B. Clarifying and Procedural Changes

    Upon further review of the proposed rule, DHS has made a number of 
clarifying and procedural changes as compared to the proposed rule, as 
follows:
    <bullet> DHS is removing Appendix I to subpart A, consistent with 
the proposed rule.\2\
---------------------------------------------------------------------------

    \2\ 86 FR at 55528.
---------------------------------------------------------------------------

    <bullet> DHS is eliminating gendered language.
    <bullet> DHS is removing existing Sec.  5.20(e), a provision 
relating to interim retention of authorities, because the Department is 
now issuing a Privacy Act final rule and has updated its existing 
systems of records notices since the Department first issued this 
provision. The paragraph stated that the interim provision would remain 
operative ``until this regulation is promulgated as a final rule, or 
the Department revises all systems of records notices.'' Because both 
of these conditions have been satisfied, and the provision is no longer 
operative in any event, DHS is removing this provision.
    <bullet> DHS is modifying Sec.  5.22(d)(1) to remove the last 
sentence of that paragraph, which was redundant to Sec.  5.22(d)(2).
    <bullet> DHS is modifying Sec.  5.22(d)(2) to make clear that the 
component FOIA Office, rather than the component medical practitioner 
or other qualified designee, is responsible for making any disclosure 
to the individual's representative or the individual. In addition, in 
light of the purpose of the procedures contained in this provision, DHS 
has opted to retain authority to withhold medical records if the 
individual does not designate a representative.\3\ Such a decision 
would be appealable pursuant to the general appeal procedures in 6 CFR 
5.25. However, consistent with the proposed rule,\4\ if an individual 
does designate a representative, Sec.  5.22(d)(2) makes clear that the 
representative does not have discretion to withhold the records from 
the individual.
---------------------------------------------------------------------------

    \3\ Compare, e.g., 20 CFR 401.55(b)(1)(ii).
    \4\ See 86 FR at 55534.
---------------------------------------------------------------------------

    <bullet> Consistent with the preamble to the proposed rule,\5\ DHS 
is adding a Sec.  5.22(d)(3) to clarify that Coast Guard medical 
records held by another agency (such as military medical records held 
by the Department of Defense) are not subject to Sec.  5.22(d)(2).
---------------------------------------------------------------------------

    \5\ See 86 FR at 55529.
---------------------------------------------------------------------------

    <bullet> DHS is modifying Sec.  5.25(a) by removing the reference 
to filing appeals directly with the Office of the General Counsel and 
making other procedural and nonsubstantive changes. These changes will 
make this paragraph consistent with the parallel provision in 6 CFR 
5.8(a), which addresses administrative appeals under the FOIA. DHS is 
not modifying Sec.  5.25(b), under which the Office of the General 
Counsel, or its designee (e.g., Component Appeals Officer) is the 
authorized appeals authority for DHS.
    <bullet> DHS is modifying Sec.  5.27(a) by removing the words ``to 
the extent covered by the [Judicial Redress Act (JRA)]'' and adding 
``or for records covered by the JRA'' at the end of Sec.  5.27(b)(1). 
The purpose of this change is to clarify that accounting of disclosures 
is not required by the JRA and not provided for by the Department.
    <bullet> DHS is modifying appendix A to part 5 to specify where 
persons should send their FOIA and Privacy Act requests for each 
Headquarters Office and Component of the Department. Although 
individuals may request records as they deem fit, the Department 
strongly encourages persons to submit their requests electronically 
through a designated DHS FOIA electronic portal, if applicable and 
available.

III. Regulatory Analyses

Executive Orders 12866 and 13563--Regulatory Review

    Executive Orders 13563 and 12866 direct agencies to assess the 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This rule has been designated a ``significant regulatory 
action,'' under section 3(f) of Executive Order 12866. Accordingly, the 
rule has been reviewed by the Office of Management and Budget.
    DHS has considered the costs and benefits of this rule. This rule 
will not introduce new regulatory mandates. In the proposed rule we 
stated this rule would not result in additional costs on the public or 
the government. Further, we stated this rule does not collect any 
additional fee revenues compared to current practices or otherwise 
introduce new regulatory mandates. The rule's benefits include 
additional clarity for the public and DHS personnel with respect to 
DHS's implementation of the Privacy Act and JRA. No public comments 
were submitted on the analysis presented in the proposed rule.

Unfunded Mandates Reform Act of 1995

    This rule will not result in the expenditure by state, local, and 
tribal governments, in the aggregate, or by the private sector, of 
$100,000,000 or more in any one year, and it will not significantly or 
uniquely affect small governments. Therefore, no written statement was 
deemed necessary under the provisions of the Unfunded Mandates Reform 
Act of 1995.

Regulatory Flexibility Act

    Under the Regulatory Flexibility Act (RFA), 5 U.S.C. 601-612, and 
section 213(a) of the Small Business Regulatory Enforcement Fairness 
Act of 1996, 5 U.S.C. 601 note, agencies must consider the impact of 
their rulemakings on ``small entities'' (small businesses, small 
organizations, and local governments). The term ``small entities'' 
comprises small businesses, not-for-profit organizations that are 
independently owned and operated and are not dominant in their fields, 
and governmental jurisdictions with populations of less than 50,000. 
DHS has reviewed this regulation and by approving it certifies that 
this regulation will not have a significant economic impact on a 
substantial number of small entities. As stated in the proposed rule, 
DHS does not believe this rule imposes any additional direct costs on 
small entities. No public comments were submitted on the analysis 
presented in the proposed rule.

Small Business Regulatory Enforcement Fairness Act of 1996

    This rule is not a major rule as defined by section 251 of the 
Small Business Regulatory Enforcement Fairness Act of 1996 (as 
amended), 5 U.S.C. 804(2). The Office of Management and Budget's Office 
of Information and Regulatory Affairs has not found that this rule is 
likely to result in an annual effect on the economy of $100,000,000 or 
more; a major increase in costs or prices; or significant adverse 
effects on competition, employment, investment, productivity, 
innovation, or on the ability of United States-based companies to 
compete with foreign-based companies in domestic and export markets.

National Environmental Policy Act

    DHS reviews proposed actions to determine whether the National 
Environmental Policy Act (NEPA) applies to them and, if so, what degree 
of analysis is required. DHS Directive

[[Page 68601]]

023-01 Rev. 01 (Directive) and Instruction Manual 023-01-001-01 Rev. 01 
(Instruction Manual) establish the procedures that DHS and its 
components use to comply with NEPA and the Council on Environmental 
Quality (CEQ) regulations for implementing NEPA, 40 CFR parts 1500 
through 1508.
    The CEQ regulations allow federal agencies to establish, with CEQ 
review and concurrence, categories of actions (``categorical 
exclusions'') which experience has shown do not individually or 
cumulatively have a significant effect on the human environment and, 
therefore, do not require an Environmental Assessment (EA) or 
Environmental Impact Statement (EIS). 40 CFR 1507.3(b)(2)(ii), 1508.4. 
For an action to be categorically excluded, it must satisfy each of the 
following three conditions: (1) the entire action clearly fits within 
one or more of the categorical exclusions; (2) the action is not a 
piece of a larger action; and (3) no extraordinary circumstances exist 
that create the potential for a significant environmental effect. 
Instruction Manual section V.B(2)(a)-(c).
    This rule fits within categorical exclusion A3(a) ``Promulgation of 
rules . . . of a strictly administrative or procedural nature.'' 
Instruction Manual, Appendix A, Table 1. Furthermore, the rule is not 
part of a larger action and presents no extraordinary circumstances 
creating the potential for significant environmental impacts. 
Therefore, the rule is categorically excluded from further NEPA review.

List of Subjects in 6 CFR Part 5

    Classified information, Courts, Freedom of information, Government 
employees, Privacy.

    For the reasons stated in the preamble, DHS amends 6 CFR part 5 as 
follows:

PART 5--DISCLOSURE OF RECORDS AND INFORMATION

0
1. The authority citation for Part 5 is revised to read as follows:

    Authority: 6 U.S.C. 101 et seq.; Pub. L. 107-296, 116 Stat. 
2135; 5 U.S.C. 301; 6 U.S.C. 142; DHS Del. No. 13001, Rev. 01 (June 
2, 2020).
    Subpart A also issued under 5 U.S.C. 552.
    Subpart B also issued under 5 U.S.C. 552a and 552 note.


Sec.  5.2  [Amended]

0
2. In Sec.  5.2, remove the text ``appendix I to this subpart'' and add 
in its place the text ``appendix A to this part''.


Sec.  5.3  [Amended]

0
3. In Sec.  5.3:
0
a. In paragraph (a)(1), remove the text ``appendix I of this subpart'' 
and add in its place the text ``appendix A to this part''; and
0
b. In paragraph (b), remove the text ``appendix I of this subpart'' and 
add in its place the text ``appendix A to this part''.


Sec.  5.5  [Amended]

0
4. In Sec.  5.5:
0
a. In paragraph (a), in the first sentence, remove the text ``Appendix 
I to this subpart'' and add in its place the text ``appendix A to this 
part'' and in the last sentence, remove the text ``appendix I of this 
subpart'' and add in its place ``appendix A to this part''; and
0
b. In paragraph (e)(2), remove the text ``appendix I'' and ``appendix I 
of this subpart'' and add in their places the text ``appendix A to part 
5''.


Sec.  5.8  [Amended]

0
5. In Sec.  5.8, in paragraph (a)(1), remove the text ``appendix I to 
this subpart,'' and add in its place the text ``appendix A to this 
part,''.

Appendix I to Subpart A of Part 5--[Removed]

0
6. Remove appendix I to subpart A of part 5.

0
7. Revise subpart B to read as follows:

Subpart B--Privacy Act

Sec.
5.20 General provisions.
5.21 Requests for access to records.
5.22 Responsibility for responding to requests for access to 
records.
5.23 Responses to requests for access to records.
5.24 Classified information.
5.25 Administrative appeals for access requests.
5.26 Requests for amendment or correction of records.
5.27 Requests for an accounting of record disclosures.
5.28 Preservation of records.
5.29 Fees.
5.30 Notice of court-ordered and emergency Ddsclosures.
5.31 Security of systems of records.
5.32 Contracts for the operation of systems of records.
5.33 Use and collection of Social Security numbers.
5.34 Standards of conduct for administration of the Privacy Act.
5.35 Sanctions and penalties.
5.36 Other rights and services.

Subpart B--Privacy Act


Sec.  5.20  General provisions.

    (a) Purpose and scope. (1) This subpart contains the rules that the 
Department of Homeland Security (Department or DHS) follows in 
processing records under the Privacy Act of 1974 (Privacy Act) (5 
U.S.C. 552a) and under the Judicial Redress Act of 2015 (JRA) (5 U.S.C. 
552a note).
    (2) The rules in this subpart should be read in conjunction with 
the text of the Privacy Act and the JRA, 5 U.S.C. 552a and 5 U.S.C. 
552a note, respectively (which provide additional information abo ut 
records maintained on individuals and covered persons), and JRA 
designations issued in the Federal Register. The rules in this subpart 
apply to all records in systems of records maintained by the 
Department. These rules also apply to all records containing Social 
Security Numbers regardless of whether such records are covered by an 
applicable system of records maintained by the Department. They 
describe the procedures by which individuals may request access to 
records about themselves, request amendment or correction of those 
records, and request an accounting of disclosures by Department 
personnel and contractors. In addition, the Department processes all 
Privacy Act and JRA requests for access to records under the Freedom of 
Information Act (FOIA) (5 U.S.C. 552), following the rules contained in 
subpart A of this part, which gives requesters the benefit of both 
statutes.
    (3) The provisions established by this subpart apply to all 
Department Components, as defined in paragraph (b)(1) of this section.
    (4) DHS has a decentralized system for processing requests, with 
each component handling requests for its records.
    (b) Definitions. As used in this subpart:
    (1) Component means the office that processes Privacy Act and JRA 
requests for each separate organizational entity within DHS that 
reports directly to the Office of the Secretary.
    (2) Request for access to a record means a request made under 
Privacy Act subsection (d)(1).
    (3) Request for amendment or correction of a record means a request 
made under Privacy Act subsection (d)(2).
    (4) Request for an accounting means a request made under Privacy 
Act subsection (c)(3).
    (5) Requester means an individual who makes a request for access, a 
request for amendment or correction, or a request for an accounting 
under the Privacy Act.
    (6) Individual means, as defined by the Privacy Act, 5 U.S.C. 
552a(a)(2), a citizen of the United States or an alien lawfully 
admitted for permanent residence. Also, an individual, for

[[Page 68602]]

purposes of this subpart, but limited to the exclusive rights and civil 
remedies provided in the JRA, includes covered persons, as defined by 
the JRA, as a natural person (other than an individual) who is a 
citizen of a covered country, as designated by the Attorney General, 
with the concurrence of the Secretary of State, the Secretary of the 
Treasury, and the Secretary of Homeland Security.
    (7) Record has the same meaning as contained in the Privacy Act, 5 
U.S.C. 552a(a)(4), except that in cases covered by the JRA, the term 
``record'' has the same meaning as ``covered record'' in the JRA, 5 
U.S.C. 552a note.
    (c) Authority to request records for a law enforcement purpose. The 
head of a component or designee thereof is authorized to make written 
requests under subsection 552a(b)(7) of the Privacy Act for records 
maintained by other agencies that are necessary to carry out an 
authorized law enforcement activity.
    (d) Notice on Departmental use of (b)(1) exception. As a general 
matter, when applying the Privacy Act (b)(1) exception for authorized 
disclosures within an agency on a need to know basis, the Department 
will consider itself a single entity, meaning that information may be 
disclosed between components of the Department under the (b)(1) 
exception.


Sec.  5.21  Requests for access to records.

    (a) How made and addressed. (1) DHS has a decentralized system for 
responding to Privacy Act and JRA requests, with each component 
designating an office to process records from that component.
    (2) An individual may make a request for access to a Department of 
Homeland Security record about that individual covered by a DHS or 
Component system of records notice (SORN) by writing directly to the 
Department component that maintains the record at the address listed in 
appendix A to this part or via the internet at <a href="http://www.dhs.gov/dhs-foia-request-submission-form">http://www.dhs.gov/dhs-foia-request-submission-form</a>. A description of all DHS-wide and 
component SORNs may be found here: <a href="https://www.dhs.gov/system-records-notices-sorns">https://www.dhs.gov/system-records-notices-sorns</a>.
    (3) In most cases, a component's central FOIA office, as indicated 
in appendix A to this part, is the place to send a Privacy Act request. 
For records held by a field office of U.S. Customs and Border 
Protection, the U.S. Coast Guard, or other Department components with 
field offices other than the U.S. Secret Service and Transportation 
Security Administration, the requester must write directly to that U.S. 
Customs and Border Protection, Coast Guard, or other field office 
address, which can be found by calling the component's central FOIA 
office. Requests for U.S. Secret Service records should be sent only to 
the U.S. Secret Service central FOIA office, and requests for 
Transportation Security Administration records should be sent only to 
the Transportation Security Administration central FOIA office.
    (4) Requests for records held by the Cybersecurity and 
Infrastructure Security Agency (CISA) should be sent to the DHS Privacy 
Office.
    (5) DHS's FOIA website refers the reader to descriptions of the 
functions of each component and provides other information that is 
helpful in determining where to make a request. Each component's FOIA 
office and any additional requirements for submitting a request to a 
given component are listed in appendix A to this part. These references 
can all be used by requesters to determine where to send their requests 
within DHS.
    (6) An individual may also send a request to the Privacy Office, 
Mail Stop 0655, U.S. Department of Homeland Security, 2707 Martin 
Luther King Jr. Ave. SE, Washington DC 20528-0655, or via the internet 
at <a href="http://www.dhs.gov/dhs-foia-request-submission-form">http://www.dhs.gov/dhs-foia-request-submission-form</a>, or via fax to 
(202) 343-4011. The Privacy Office will forward the request to the 
component(s) that it determines to be most likely to maintain the 
records that are sought. For the quickest possible handling, the 
requester should mark both the request letter and the envelope 
``Privacy Act Request'' or ``Judicial Redress Act Request.''
    (b) Government-wide SORNs. A government-wide system of records is a 
system of records where one agency has regulatory authority over 
records in the custody of multiple agencies, and the agency with 
regulatory authority publishes a SORN that applies to all of the 
records regardless of their custodial location. If records are sought 
that are covered by a Government-wide SORN and requested of DHS, DHS 
will consult or refer such request, only as applicable and necessary, 
to the corresponding agency having authority over such records for 
further processing. DHS will acknowledge to the requester that it is 
referring the request to another agency or consulting with that agency 
when processing the request.
    (c) Description of records sought. A requester must describe the 
records sought in sufficient detail to enable Department personnel to 
locate the system of records covering them with a reasonable amount of 
effort. Whenever possible, the request should describe the records 
sought, the time periods in which the requester believes they were 
compiled, the office or location in which the requester believes the 
records are kept, and the name or identifying number of each system of 
records in which the requester believes they are kept. The Department 
publishes notices in the Federal Register that describe its components' 
systems of records. These notices can be found on the Department's 
website here: <a href="https://www.dhs.gov/system-records-notices-sorns">https://www.dhs.gov/system-records-notices-sorns</a>. If a 
request does not adequately describe the records sought, DHS may at its 
discretion either administratively close the request or seek additional 
information from the requester. Requests for clarification or more 
information will be made in writing (either via U.S. mail or electronic 
mail whenever possible). Requesters may respond by U.S. Mail or by 
electronic mail regardless of the method used by DHS to transmit the 
request for additional information. To be considered timely, responses 
to requests for additional information must be postmarked or received 
by electronic mail within 30 working days of the postmark date or date 
of the electronic mail request for additional information. If the 
requester does not respond timely, the request may be administratively 
closed at DHS's discretion. This administrative closure does not 
prejudice the requester's ability to submit a new request for further 
consideration with additional information.
    (d) Agreement to pay fees. DHS and components shall charge for 
processing requests under the Privacy Act or JRA. DHS and components 
will ordinarily use the most efficient and least expensive method for 
processing requested records. DHS may contact a requester for 
additional information in order to resolve any fee issues that arise 
under this section. DHS ordinarily will collect all applicable fees 
before sending copies of records to a requester. If one makes a Privacy 
Act or JRA request for access to records, it will be considered a firm 
commitment to pay all applicable fees charged under Sec.  5.29, up to 
$25.00. The component responsible for responding to a request 
ordinarily will confirm this agreement in an acknowledgement letter. 
When making a request, an individual may specify a willingness to pay a 
greater or lesser amount. Requesters must pay fees by check or money 
order made payable to the Treasury of the United States.
    (e) Verification of identity. When an individual makes a request 
for access to their own records, their identity must be verified. The 
individual must provide

[[Page 68603]]

their full name, current address, date and place of birth, and country 
of citizenship or residency. The individual must sign the request and 
provide a signature that must either be notarized or submitted by the 
requester under 28 U.S.C. 1746, a law that permits statements to be 
made under penalty of perjury, as a substitute for notarization. An 
individual may obtain more information about this process at <a href="http://www.dhs.gov/foia">http://www.dhs.gov/foia</a> or 1-866-431-0486. In order to help the identification 
and location of requested records, an individual may also voluntarily 
include other identifying information that are relevant to the request 
(e.g., passport number, Alien Registration Number (A-Number)).
    (f) Verification of guardianship. When making a request as the 
parent or guardian of a minor or as the guardian of someone determined 
by a court of competent jurisdiction to be incompetent due to physical 
or mental incapacity or age, for access to records about that 
individual, the individual submitting a request must establish:
    (1) The identity of the individual who is the subject of the 
record, by stating the name, current address, date and place of birth, 
and country of citizenship or residency of the individual;
    (2) The submitting individual's own identity, in the same manner as 
required in paragraph (e) of this section;
    (3) That the submitting individual is the parent or guardian of the 
subject of the record, which may be proven by providing a copy of the 
subject of the record's birth certificate showing parentage or by 
providing a court order establishing guardianship; and
    (4) That the submitting individual is acting on behalf of that 
individual that is the subject of the record.
    (g) Verification in the case of third-party information requests. 
Outside of requests made pursuant to paragraph (f) of this section, if 
a third party requests records about a subject individual, the third 
party requester must provide verification of the subject individual's 
identity in the manner provided in paragraph (e) of this section along 
with the subject individual's written consent authorizing disclosure of 
the records to the third party requester, or by submitting proof by the 
requester that the subject individual is deceased (e.g., a copy of a 
death certificate or an obituary). As an exercise of its administrative 
discretion, each component can require a third-party requester to 
supply additional information to verify that the subject individual has 
consented to disclosure or is deceased.


Sec.  5.22  Responsibility for responding to requests for access to 
records.

    (a) In general. Except as stated in paragraphs (c), (d), and (e) of 
this section, the component that first receives a request for access to 
a record, and has possession of that record, is the component 
responsible for responding to the request. In determining which records 
are responsive to a request, a component ordinarily will include only 
those records in its possession as of the date the component begins its 
search for them. If any other date is used, the component will inform 
the requester of that date.
    (b) Authority to grant or deny requests. The head of a component, 
or the component head's designee, is authorized to grant or deny any 
request for access or amendment to a record of that component.
    (c) Consultations, coordination, and referrals. All consultations, 
coordination, and referrals for requests of records subject to the 
Privacy Act or JRA will follow the same process and procedures as 
described in Sec.  5.4(d), including how to handle those requests that 
pertain to law enforcement information, as specified in Sec.  
5.4(d)(2), and classified information, as specified in Sec.  5.4(d)(2) 
and (e). Further, whenever a request is made for access to a record 
containing information that has been classified by or may be 
appropriate for classification by another component or agency under any 
relevant executive order concerning the classification of records, the 
receiving component will refer to Sec.  5.24 for processing.
    (d) Release of medical records. (1) Generally, an individual has 
the right to access their medical records maintained by the Department. 
Special procedures for requests from an individual requesting medical 
records that include psychological records for which direct release may 
cause harm to the individual requesting access are set forth in 
paragraph (d)(2) of this section.
    (2) If a request is made for access to medical records that include 
psychological records, and a component medical practitioner or 
qualified designee determines that direct release is likely to 
adversely affect the individual who is requesting access, the component 
will request the individual to provide the name and contact information 
of a representative who is capable of ameliorating the potential 
adverse effect. The representative may be a physician or other health 
professional who will be willing to review the record and inform the 
requester of its contents. Once provided, the component FOIA office or 
designated component official will send the medical records to the 
individual's designated representative. The component will inform the 
subject individual in writing (either via U.S. mail or electronic mail 
whenever possible) that the record has been sent to that individual's 
chosen representative. The representative does not have the discretion 
to withhold any part of the individual's record. If the subject 
individual does not comply with the procedural requirement to designate 
a representative, the component may decline to release the requested 
information.
    (3) Paragraph (d)(2) of this section does not apply to Coast Guard 
records held by another agency.
    (e) Notice of referral. Whenever a component refers all or any part 
of the responsibility for responding to a request to another component 
or agency, it ordinarily will notify the requester of the referral and 
inform the requester of the name of each component or agency to which 
the request has been referred and of the part of the request that has 
been referred.
    (f) Timing of responses to consultations and referrals. All 
consultations and referrals received by DHS will be handled according 
to the date the Privacy Act or JRA access request was initially 
received by the first component or agency, not any later date.
    (g) Agreements regarding consultations and referrals. Components 
may establish agreements with other components or agencies to eliminate 
the need for consultations or referrals with respect to types of 
records.


Sec.  5.23  Responses to requests for access to records.

    (a) In general. Components should, to the extent practicable, 
communicate with requesters having access to the internet using 
electronic means, such as email or web portal.
    (b) Acknowledgements of requests. Consistent with the procedures in 
subpart A of this part, a component will acknowledge the request and 
assign it an individualized tracking number if it will take longer than 
ten (10) working days to process. Components will include in the 
acknowledgement letter a brief description of the records sought to 
allow requesters to more easily keep track of their requests. Further, 
in the acknowledgment letter, the component will confirm the 
requester's agreement to pay fees under Sec. Sec.  5.21(d) and 5.29.
    (c) Grants of requests for access. Consistent with the procedures 
in subpart A to this part, a component will have twenty (20) working 
days from when a request is received to determine

[[Page 68604]]

whether to grant or deny the request unless there are unusual or 
exceptional circumstances as defined by the FOIA and set out in Sec.  
5.5(c). Once a component decides to grant a request for access to 
record(s) in whole or in part, it will notify the requester in writing. 
The component will inform the requester in the notice of any fee 
charged under Sec. Sec.  5.21(d) and 5.29 and will disclose records to 
the requester promptly upon payment of any applicable fee. The 
component will inform the requester of the availability of its FOIA 
Liaison to offer assistance.
    (d) Adverse determinations of requests for access. A component 
making an adverse determination denying a request for access in any 
respect will notify the requester of that determination in writing. 
Adverse determinations, or denials of requests, include decisions that: 
the requested record is exempt, in whole or in part; the requested 
record does not exist or cannot be located; or the record requested is 
not subject to the Privacy Act or JRA. Further, adverse determinations 
also include disputes regarding fees, or denials of a request for 
expedited processing. The denial letter will be signed by the head of 
the component, or the component head's designee, and will include:
    (1) The name and title or position of the person responsible for 
the denial;
    (2) A brief statement of the reason(s) for the denial, including 
any Privacy Act exemption(s) applied by the component in denying the 
request; and
    (3) A statement that the denial may be appealed under Sec.  5.25(a) 
and a description of the requirements of Sec.  5.25(a).
    (e) JRA access requests. For purposes of responding to a JRA access 
request, a covered person is subject to the same limitations, including 
exemptions and exceptions, as an individual is subject to under section 
552a of title 5, United States Code, when pursuing access to records. 
The implementing regulations and reasons provided for exemptions can be 
found in appendix C to this part.


Sec.  5.24  Classified information.

    On receipt of any request involving classified information, the 
component will determine whether information is currently and properly 
classified and take appropriate action to ensure compliance with 6 CFR 
part 7. Whenever a request is made for access to a record that is 
covered by a system of records containing information that has been 
classified by or may be appropriate for classification by another 
component or agency under any applicable executive order, the receiving 
component will consult the component or agency that classified the 
information. Whenever a record contains information that has been 
derivatively classified by a component or agency because it contains 
information classified by another component or agency, the component 
will consult the component or agency that classified the underlying 
information. Information determined to no longer require classification 
will not be withheld from a requester based on exemption (k)(1) of the 
Privacy Act. On receipt of any appeal involving classified information, 
the DHS Office of the General Counsel, or its designee, shall take 
appropriate action to ensure compliance with 6 CFR part 7.


Sec.  5.25  Administrative appeals for access requests.

    (a) Requirements for filing an appeal. An individual may appeal an 
adverse determination denying the individual's request for access in 
any respect to the appropriate Appeals Officer. For the address of the 
appropriate component Appeals Officer, an individual may contact the 
applicable component FOIA Liaison using the information in appendix A 
to this part, visit <a href="http://www.dhs.gov/foia">www.dhs.gov/foia</a>, or call 1-866-431-0486. An appeal 
must be in writing, and to be considered timely it must be postmarked 
or, in the case of electronic submissions, transmitted to the Appeals 
Officer within 90 working days, consistent with the procedures in 
subpart A to this part, after the date of the component's response. An 
electronically filed appeal will be considered timely if transmitted to 
the Appeals Officer by 11:59:59 p.m. EST or EDT on the 90th working 
day. The appeal should clearly identify the component determination 
(including the assigned request number if the requester knows it) that 
is being appealed and should contain the reasons the requester believes 
the determination was erroneous. For the quickest possible handling, an 
individual should mark both the appeal letter and the envelope 
``Privacy Act Appeal'' or ``Judicial Redress Act Appeal.''
    (b) Adjudication of appeals. The DHS Office of the General Counsel, 
or its designee, (e.g., Component Appeals Officer) is the authorized 
appeals authority for DHS. On receipt of any appeal involving 
classified information, the Appeals Officer will consult with the Chief 
Security Officer and take appropriate action to ensure compliance with 
6 CFR part 7. If the appeal becomes the subject of a lawsuit, the 
Appeals Officer is not required to act further on the appeal.
    (c) Appeal decisions. Consistent with the procedures in subpart A 
to this part, the decision on an appeal will be made in writing 
generally twenty (20) working days after receipt. However, consistent 
with the procedures in subpart A to this part, the time limit for 
responding to an appeal may be extended provided the circumstances set 
forth in 5 U.S.C. 552(a)(6)(B)(i) are met. A decision affirming an 
adverse determination in whole or in part will include a brief 
statement of the reason(s) for the affirmance, including any Privacy 
Act exemption applied, and will inform the requester of the Privacy Act 
provisions for court review of the decision. If the adverse 
determination is reversed or modified on appeal in whole or in part, 
the requester will be notified in a written decision and the request 
will be reprocessed in accordance with that appeal decision. An adverse 
determination by the DHS Office of the General Counsel or its designee 
or Component Appeals Officer will be the final action of the 
Department.
    (d) Appeal necessary before seeking court review. If an individual 
wishes to seek review by a court of any adverse determination or denial 
of a request by DHS within the allotted 20 working days to respond 
unless there are unusual or exceptional circumstances, that individual 
must first appeal it under this subpart. An appeal will not be acted on 
if the request becomes a matter of litigation.


Sec.  5.26  Requests for amendment or correction of records.

    (a) How made and addressed. Unless the record is not subject to 
amendment or correction as stated in paragraph (f) of this section, an 
individual may make a request for amendment or correction of a record 
of the Department about that individual by writing directly to the 
component that maintains the record, following the procedures in Sec.  
5.21. The request should identify each record in question, state the 
amendment or correction requested, and state the reason why the 
requester believes that the record is not accurate, relevant, timely, 
or complete. The requester may submit any documentation that the 
requester thinks would support the request. If the individual believes 
that the same record is in more than one system of records, the 
requester should state that and address the request to each component 
that maintains a system of records containing the record.
    (b) Component responses. Within ten working days of receiving a 
request for amendment or correction of records, a

[[Page 68605]]

component will send the requester a written acknowledgment of its 
receipt of the request, and it will promptly notify the requester 
whether the request is granted or denied. If the component grants the 
request in whole or in part, it will describe the amendment or 
correction made and will advise the requester of the right to obtain a 
copy of the corrected or amended record, in disclosable form. If the 
component denies the request in whole or in part, it will send the 
requester a letter signed by the head of the component, or the 
component head's designee, that will state:
    (1) The reason(s) for the denial; and
    (2) The procedure for appeal of the denial under paragraph (c) of 
this section, including the name and business address of the official 
who will act on the appeal.
    (c) Appeals. Within 90 working days after the date of the 
component's response, the requester may appeal a denial of a request 
for amendment or correction to the Component Appeals Officer or the DHS 
Office of the General Counsel or its designee. The Component Appeals 
Officer or the DHS Office of the General Counsel or its designee must 
complete its review and make a final determination on the requester's 
appeal no later than 30 days (excluding Saturdays, Sundays, and legal 
public holidays) from the date on which the individual requests such 
review unless good cause is shown, and communicated to the individual, 
for which the 30-day period may be extended for an additional 30 days. 
If the appeal is denied, the requester will be advised of the right to 
file a Statement of Disagreement as described in paragraph (d) of this 
section and of the right under the Privacy Act, 5 U.S.C. 552a(d)(3), 
for court review of the decision. If an individual wishes to seek 
review by a court of any adverse determination or denial of a request, 
that individual must first appeal it under this subpart. For purposes 
of responding to a JRA amendment request, a covered person is subject 
to the same limitations, including exemptions and exceptions, as an 
individual is subject to under section 552a of title 5, United States 
Code, when pursuing amendment to records. The implementing regulations 
and reasons provided for exemptions can be found in appendix C to this 
part, titled DHS Systems of Records Exempt from the Privacy Act.
    (d) Statements of Disagreement. If an individual's appeal under 
this section is denied in whole or in part, that individual has the 
right to file a Statement of Disagreement, unless exempt, that states 
the individual's reason(s) for disagreeing with the Department's denial 
of the request for amendment or correction. Statements of Disagreement 
must be concise, must clearly identify each part of any record that is 
disputed, and should be no longer than one typed page for each fact 
disputed. The individual's Statement of Disagreement must be sent to 
the component involved, which will place it in the system of records in 
which the disputed record is maintained and will mark the disputed 
record to indicate that a Statement of Disagreement has been filed and 
where in the system of records it may be found.
    (e) Notification of amendment/correction or disagreement. Within 30 
working days of the amendment or correction of a record, the component 
that maintains the record will, unless exempt, notify all persons, 
organizations, or agencies to which it previously disclosed the record, 
if an accounting of that disclosure was made or should have been made, 
that the record has been amended or corrected. If an individual has 
filed a Statement of Disagreement, the component will append a copy of 
it to the disputed record whenever the record is disclosed and may also 
append a concise statement of its reason(s) for denying the request to 
amend or correct the record.
    (f) Records not subject to amendment or correction. The following 
records are not subject to amendment or correction:
    (1) Transcripts of testimony given under oath or written statements 
made under oath;
    (2) Transcripts of grand jury proceedings, judicial proceedings, or 
quasi-judicial proceedings, which are the official record of those 
proceedings;
    (3) Presentence records that originated with the courts; and
    (4) Records in systems of records that have been exempted from 
amendment and correction under the Privacy Act (5 U.S.C. 552a(j) or 
(k)) pursuant to a final rule published in the Federal Register.


Sec.  5.27  Requests for an accounting of record disclosures.

    (a) How made and addressed. Except where accountings of disclosures 
are not required to be kept (as stated in paragraph (b)(1) of this 
section), an individual may make a request for an accounting of any 
disclosure that has been made by the Department to another person, 
organization, or agency of any record about the requester. This 
accounting contains the date, nature, and purpose of each disclosure, 
as well as the name and address of the person, organization, or agency 
to which the disclosure was made. A request for an accounting should 
identify each record in question and should be made by writing directly 
to the Department component that maintains the record, following the 
procedures in Sec.  5.21.
    (b) Where accountings are not required. Components are not required 
to provide accountings to the requester where they relate to:
    (1) Disclosures for which accountings are, by statute (5 U.S.C. 
552a(c)(1)), not required to be kept, such as disclosures that are made 
to officers and employees within the agency and disclosures that are 
required to be made under the FOIA, or for records covered by the JRA;
    (2) Disclosures made to law enforcement agencies for authorized law 
enforcement activities in response to written requests from those law 
enforcement agencies specifying the law enforcement activities for 
which the disclosures are sought; or
    (3) Disclosures made from systems of records that have been 
exempted from accounting requirements by a rulemaking pursuant to 5 
U.S.C. 552a(j) or (k).
    (c) Appeals. A requester may appeal a denial of a request for an 
accounting to the Component Appeals Officer or the DHS Office of the 
General Counsel or its designee in the same manner as a denial of a 
request for access to records (see Sec.  5.25) and the same procedures 
will be followed.


Sec.  5.28  Preservation of records.

    Each component will preserve all correspondence pertaining to the 
requests that it receives under this subpart, as well as copies of all 
requested records, until disposition or destruction is authorized by 
title 44 of the United States Code or the National Archives and Records 
Administration's General Records Schedule 4.2. Records will not be 
disposed of while they are the subject of a pending request, appeal, 
lawsuit, or litigation or audit hold under the Act.


Sec.  5.29  Fees.

    (a) Fees for access requests granted in full under the Privacy Act 
are limited to duplication fees, which are chargeable to the same 
extent that fees are chargeable under subpart A of this part. An access 
request not granted in full under the Privacy Act will be processed 
under the FOIA and will be subject to all fees chargeable under the 
applicable FOIA regulations. Fees are not charged for processing 
amendment and accounting requests.
    (b) DHS will not process a request under the Privacy Act or JRA 
from persons with an unpaid fee from any previous Privacy Act or JRA 
request to

[[Page 68606]]

any Federal agency until that outstanding fee has been paid in full to 
the agency.


Sec.  5.30  Notice of court-ordered and emergency disclosures.

    (a) Court-ordered disclosures. When the component discloses an 
individual's information covered by a system of records pursuant to an 
order from a court of competent jurisdiction, and the order is a matter 
of public record, the Privacy Act requires the component to send a 
notice of the disclosure to the last known address of the person whose 
record was disclosed. Notice will be given within a reasonable time 
after the component's receipt of the order, except that in a case in 
which the order is not a matter of public record, the notice will be 
given only after the order becomes public. This notice will be mailed 
to the individual's last known address and will contain a copy of the 
order and a description of the information disclosed. Notice will not 
be given if disclosure is made from a criminal law enforcement system 
of records that has been exempted from the notice requirement.
    (b) Court. For purposes of this section, a court is an institution 
of the judicial branch of the U.S. Federal Government consisting of one 
or more judges who seek to adjudicate disputes and administer justice. 
Entities not in the judicial branch of the Federal Government are not 
courts for purposes of this section.
    (c) Court order. For purposes of this section, a court order is any 
legal process which satisfies all the following conditions:
    (1) It is issued under the authority of a Federal court;
    (2) A judge or a magistrate judge of that court signs it;
    (3) It commands or permits DHS to disclose the Privacy Act 
protected information at issue; and
    (4) The court is a court of competent jurisdiction.
    (d) Court of competent jurisdiction. It is the view of DHS that 
under the Privacy Act the Federal Government has not waived sovereign 
immunity, which precludes state court jurisdiction over a Federal 
agency or official. Therefore, DHS will not honor state court orders as 
a basis for disclosure, unless DHS does so under its own discretion.
    (e) Conditions for disclosure under a court order of competent 
jurisdiction. The component may disclose information in compliance with 
an order of a court of competent jurisdiction if--
    (1) Another section of this part specifically allows such 
disclosure, or
    (2) DHS, the Secretary, or any officer or employee of DHS in their 
official capacity is properly a party in the proceeding, or
    (3) Disclosure of the information is necessary to ensure that an 
individual who is accused of criminal activity receives due process of 
law in a criminal proceeding under the jurisdiction of the judicial 
branch of the Federal Government.
    (f) In other circumstances. DHS may disclose information to a court 
of competent jurisdiction in circumstances other than those stated in 
paragraph (e) of this section. DHS will make its decision regarding 
disclosure by balancing the needs of a court while preserving the 
confidentiality of information. For example, DHS may disclose 
information under a court order that restricts the use and redisclosure 
of the information by the participants in the proceeding; DHS may offer 
the information for inspection by the court in camera and under seal; 
or DHS may arrange for the court to exclude information identifying 
individuals from that portion of the record of the proceedings that is 
available to the public.
    (g) Emergency disclosures. Upon disclosing a record pertaining to 
an individual made under compelling circumstances affecting the health 
or safety of an individual, the component will notify the individual to 
whom the record pertains of the disclosure. This notice will be mailed 
to the individual's last known address and will state the nature of the 
information disclosed; the person, organization, or agency to which it 
was disclosed; the date of disclosure; and the compelling circumstances 
justifying the disclosure.
    (h) Other regulations on disclosure of information in litigation. 
See subpart C to this part for additional rules covering disclosure of 
information and records governed by this part and requested in 
connection with legal proceedings.


Sec.  5.31  Security of systems of records.

    (a) In general. Each component will establish administrative and 
physical controls to prevent unauthorized access to its systems of 
records, to prevent unauthorized disclosure of records, and to prevent 
physical damage to or destruction of records. The stringency of these 
controls will correspond to the sensitivity of the records that the 
controls protect. At a minimum, each component's administrative and 
physical controls will ensure that:
    (1) Records are protected from public view;
    (2) The area in which records are kept is supervised during 
business hours to prevent unauthorized persons from having access to 
them;
    (3) Records are inaccessible to unauthorized persons outside of 
business hours; and
    (4) Records are not disclosed to unauthorized persons or under 
unauthorized circumstances in either oral or written form.
    (b) Procedures required. Each component will have procedures that 
restrict access to records to only those individuals within the 
Department who must have access to those records to perform their 
duties and that prevent inadvertent disclosure of records.


Sec.  5.32  Contracts for the operation of systems of records.

    As required by 5 U.S.C. 552a(m), any approved contract for the 
operation of a system of records to accomplish an agency function will 
contain the standard contract requirements issued by the General 
Services Administration to ensure compliance with the requirements of 
the Privacy Act for that system. The contracting component will be 
responsible for ensuring that the contractor complies with these 
contract requirements.


Sec.  5.33  Use and collection of Social Security numbers.

    Each component will ensure that employees authorized to collect 
information are aware:
    (a) That individuals may not be denied any right, benefit, or 
privilege because of refusing to provide their Social Security numbers, 
unless the collection is authorized either by a statute or by a 
regulation issued prior to 1975; and
    (b) That individuals requested to provide their Social Security 
numbers must be informed of:
    (1) Whether providing Social Security numbers is mandatory or 
voluntary;
    (2) Any statutory or regulatory authority that authorizes the 
collection of Social Security numbers; and
    (3) The uses that will be made of the numbers.
    (c) Including Social Security numbers of an individual on any 
document sent by mail is not permitted unless the Secretary determines 
that the inclusion of the number on the document is necessary.


Sec.  5.34  Standards of conduct for administration of the Privacy Act.

    Each component will inform its employees of the provisions of the 
Privacy Act, including the Act's civil liability and criminal penalty 
provisions referenced in Sec.  5.35. Unless otherwise permitted by law, 
the Department will:

[[Page 68607]]

    (a) Maintain only such information about an individual as is 
relevant and necessary to accomplish a purpose of the Component or the 
Department that is required to be accomplished by statute or by 
Executive order of the President;
    (b) Collect information about an individual directly from that 
individual whenever practicable and when the information may result in 
adverse determinations about an individual's rights, benefits, and 
privileges under federal programs;
    (c) Inform each individual from whom information is collected of:
    (1) The legal authority to collect the information and whether 
providing it is mandatory or voluntary;
    (2) The principal purpose for which the Department intends to use 
the information;
    (3) The routine uses the Department may make of the information; 
and
    (4) The effects on the individual, if any, of not providing the 
information;
    (d) Ensure that the component maintains no system of records 
without public notice and that it notifies appropriate Department 
officials of the existence or development of any system of records that 
is not the subject of a current or planned public notice;
    (e) Maintain all records that are used by the Department in making 
any determination about an individual with such accuracy, relevance, 
timeliness, and completeness as is reasonably necessary to ensure 
fairness to the individual in the determination;
    (f) Except as to disclosures made to an agency or made under the 
FOIA, make reasonable efforts, prior to disseminating any record about 
an individual, to ensure that the record is accurate, relevant, timely, 
and complete;
    (g) Maintain no record describing how an individual exercises their 
First Amendment rights, unless it is expressly authorized by statute or 
by the individual about whom the record is maintained, or is pertinent 
to and within the scope of an authorized law enforcement activity;
    (h) When required by the Act, maintain an accounting in the 
specified form of all disclosures of records by the Department to 
persons, organizations, or agencies;
    (i) Maintain and use records with care to prevent the unauthorized 
or inadvertent disclosure of a record to anyone; and
    (j) Disclose Privacy Act or JRA records only as permitted by 5 
U.S.C. 552a(b).


Sec.  5.35  Sanctions and penalties.

    Each component will inform its employees and contractors of the 
Privacy Act's civil liability provisions (5 U.S.C. 552a(g)) and 
criminal penalty provisions (5 U.S.C. 552a(i)) as they apply to Privacy 
Act and JRA complaints.


 Sec.  5.36  Other rights and services.

    Nothing in this subpart will be construed to entitle any person, as 
of right, to any service or to the disclosure of any record to which 
such person is not entitled under the Privacy Act or JRA.

0
8. Revise appendix A to part 5 to read as follows:

Appendix A to Part 5--FOIA/Privacy Act Offices of the Department of 
Homeland Security

    I. For the following Headquarters Offices of the Department of 
Homeland Security, FOIA and Privacy Act requests should either be 
mailed to the Department's Privacy Office, Mail Stop 0655, U.S. 
Department of Homeland Security, 2707 Martin Luther King Jr. Ave. SE, 
Washington, DC 20528-0655, or submitted electronically through <a href="https://foiarequest.dhs.gov/">https://foiarequest.dhs.gov/</a>. To respond to your FOIA or Privacy Act request as 
quickly as possible, we strongly encourage you to submit your request 
electronically. Additional contact information for questions: Phone: 
202-343-1743 or 866-431-0486, Fax: 202-343-4011, or Email: 
<a href="/cdn-cgi/l/email-protection#01676e68604169702f6569722f666e77"><span class="__cf_email__" data-cfemail="1c7a73757d5c746d3278746f327b736a">[email&#160;protected]</span></a>. The Public Liaison may also be contacted using this 
information.
    The Headquarters Offices are:

Office of the Secretary
Office of the Deputy Secretary
Office of the General Counsel (OGC)
Office of the Executive Secretary (ESEC)
Office of Intelligence and Analysis (I&A)
Office of Legislative Affairs (OLA)
Office of Operations Coordination (OPS)
Office of Partnership and Engagement (OPE)
Office of Public Affairs (OPA)
Office of Strategy, Policy, and Plans (PLCY)
Citizenship and Immigration Services Ombudsman (CISOMB)
Civil Rights and Civil Liberties (CRCL) Countering Weapons of Mass 
Destruction Office (CWMD)
Federal Protective Service (FPS)
Management Directorate (MGMT), including the Office of Biometric 
Identity Management (OBIM)
Military Advisor's Office (MIL)
Privacy Office (PRIV)
Science and Technology Directorate (S&T)

    II. For the following components and offices of the Department of 
Homeland Security, FOIA and Privacy Act requests should be sent to the 
component's FOIA Office, unless otherwise noted below. For each 
component, the Public Liaison may also be contacted using the 
information below. The components are:

Cybersecurity and Infrastructure Security Agency (CISA)

    All requests should be either be mailed to the Department's Privacy 
Office, Mail Stop 0655, U.S. Department of Homeland Security, 2707 
Martin Luther King Jr. Ave. SE, Washington, DC 20528-0655, or submitted 
electronically through <a href="https://foiarequest.dhs.gov/">https://foiarequest.dhs.gov/</a>. To respond to your 
FOIA or Privacy Act request as quickly as possible, we strongly 
encourage you to submit your request electronically. Additional contact 
information for questions: Phone: 202-343-1743 or 866-431-0486, Fax: 
202-343-4011, or Email: <a href="/cdn-cgi/l/email-protection#3f7c766c7e7970767e7f574e115b574c11585049"><span class="__cf_email__" data-cfemail="6b2822382a2d24222a2b031a450f0318450c041d">[email&#160;protected]</span></a>.

U.S. Customs and Border Protection (CBP)

    All requests should be mailed to U.S. Customs and Border 
Protection, Office of Privacy and Diversity Office, 90 K Street NE, 
Mail Stop 1181, 9th Floor, or submitted electronically at <a href="https://foiaonline.gov/foiaonline/action/public/home">https://foiaonline.gov/foiaonline/action/public/home</a> or 
<a href="/cdn-cgi/l/email-protection#1c7f7e6c7a73757d6c697e70757f70757d756f73725c7f7e6c3278746f327b736a"><span class="__cf_email__" data-cfemail="15767765737a7c74656077797c76797c747c667a7b557677653b717d663b727a63">[email&#160;protected]</span></a>. Electronic requests should be made to 
<a href="https://foiarequest.dhs.gov/">https://foiarequest.dhs.gov/</a> once CBP is no longer listed as an agency 
on <a href="https://foiaonline.gov/foiaonline/action/public/home">https://foiaonline.gov/foiaonline/action/public/home</a>. To respond to 
your FOIA or Privacy Act request as quickly as possible, we strongly 
encourage you to submit your request electronically. Additional contact 
information for questions: Phone: 202-325-0150.

Federal Emergency Management Agency (FEMA)

    All requests should be mailed to FOIA Officer, 500 C Street SW, 
Room 840, Washington, DC 20472, or submitted electronically through 
<a href="https://foiarequest.dhs.gov/">https://foiarequest.dhs.gov/</a>. To respond to your FOIA or Privacy Act 
request as quickly as possible, we strongly encourage you to submit 
your request electronically. Additional contact information for 
questions: Phone: 202-646-3323, Fax: 202-646-3347, or Email: <a href="/cdn-cgi/l/email-protection#e086858d81cd868f8981a086858d81ce848893ce878f96"><span class="__cf_email__" data-cfemail="4d2b28202c602b22242c0d2b28202c6329253e632a223b">[email&#160;protected]</span></a>.

Federal Law Enforcement Training Center (FLETC)

    All requests should be mailed to Freedom of Information Act 
Officer, Building #681, Suite B187, 1131 Chapel Crossing Road, Glico, 
GA 31524, or submitted electronically to <a href="https://foiarequest.dhs.gov/">https://foiarequest.dhs.gov/</a>. 
To respond to your FOIA or Privacy Act request as quickly as possible, 
we strongly encourage you

[[Page 68608]]

to submit your request electronically. Additional contact information 
for questions: Phone: 912-267-3103, Fax: 912-267-3113, or Email: <a href="/cdn-cgi/l/email-protection#94f2f8f1e0f7b9f2fbfdf5d4f0fce7baf3fbe2"><span class="__cf_email__" data-cfemail="b5d3d9d0c1d698d3dadcd4f5d1ddc69bd2dac3">[email&#160;protected]</span></a>.

Immigration and Customs Enforcement (ICE)

    All requests should be mailed to Freedom of Information Act Office, 
500 12th Street SW, Stop 5009, Washington, DC 20536-5009, or submitted 
electronically through <a href="https://foiarequest.dhs.gov/">https://foiarequest.dhs.gov/</a>. To respond to your 
FOIA or Privacy Act request as quickly as possible, we strongly 
encourage you to submit your request electronically. Additional contact 
information for questions: Phone: 866-633-1182, Fax: 202-732-4265, or 
Email: <a href="/cdn-cgi/l/email-protection#620b01074f040d0b03220b01074c060a114c050d14"><span class="__cf_email__" data-cfemail="046d676129626b6d65446d67612a606c772a636b72">[email&#160;protected]</span></a>.

Office of Inspector General

    All requests should be mailed to the OIG Office of Counsel, 245 
Murray Lane SW, Mail Stop--0305, Washington, DC 20528-0305, or 
submitted electronically through <a href="https://foiarequest.dhs.gov/">https://foiarequest.dhs.gov/</a>. To 
respond to your FOIA or Privacy Act request as quickly as possible, we 
strongly encourage you to submit your request electronically. 
Additional contact information for questions: Phone: 202-981-6100, Fax: 
202-245-5217, or Email: <a href="/cdn-cgi/l/email-protection#02646d6b632c6d6b65426d6b652c666a712c656d74"><span class="__cf_email__" data-cfemail="30565f59511e5f5957705f59571e5458431e575f46">[email&#160;protected]</span></a>.

Transportation Security Administration (TSA)

    All requests should be mailed to Freedom of Information Act Branch, 
6595 Springfield Center Drive, Springfield, VA 20598-6020, or submitted 
electronically through <a href="https://foiarequest.dhs.gov/">https://foiarequest.dhs.gov/</a>. To respond to your 
FOIA or Privacy Act request as quickly as possible, we strongly 
encourage you to submit your request electronically. Additional contact 
information for questions: Phone: 1-866-FOIA-TSA or 571-227-2300, Fax: 
571-227-1406, or Email: <a href="/cdn-cgi/l/email-protection#dcbab3b5bd9ca8afbdf2b8b4aff2bbb3aa"><span class="__cf_email__" data-cfemail="e3858c8a82a3979082cd878b90cd848c95">[email&#160;protected]</span></a>.

U.S. Citizenship and Immigration Services (USCIS)

    All requests should be mailed to National Records Center, FOIA/PA 
Office, P. O. Box 648010, Lee's Summit, MO. 64064-8010 or submitted 
electronically through the USCIS FOIA Portal: <a href="https://first.uscis.gov/">https://first.uscis.gov/</a>. 
To respond to your FOIA or Privacy Act request as quickly as possible, 
we strongly encourage you to submit your request electronically. 
Additional contact information for questions: Phone: 1-800-375-5283, 
USCIS Contact Center, or Email: <a href="/cdn-cgi/l/email-protection#aaece5e3ebfaebfbdfcfd9dec3c5c4d9eadfd9c9c3d984cec2d984cdc5dc"><span class="__cf_email__" data-cfemail="7e3831373f2e3f2f0b1b0d0a1711100d3e0b0d1d170d501a160d50191108">[email&#160;protected]</span></a>.

U.S. Coast Guard (USCG)

    All requests should be mailed to Commandant (CG-6P), 2703 Martin 
Luther King Jr. Ave. SE, Stop 7710, Washington, DC 20593-7710, or 
submitted electronically through <a href="https://foiarequest.dhs.gov/">https://foiarequest.dhs.gov/</a>. To 
respond to your FOIA or Privacy Act request as quickly as possible, we 
strongly encourage you to submit your request electronically. 
Additional contact information for questions: Phone: 202-475-3522, Fax: 
202-372-8413, or Email: <a href="/cdn-cgi/l/email-protection#8de8ebe2e4eccdf8feeeeaa3e0e4e1"><span class="__cf_email__" data-cfemail="066360696f674673756561286b6f6a">[email&#160;protected]</span></a>.

U.S. Secret Service (USSS)

    All requests should be mailed to Freedom of Information Act and 
Privacy Act Branch, 245 Murray Lane SW, Building T-5, Washington, DC 
20223, or submitted electronically to <a href="/cdn-cgi/l/email-protection#60262f292120151313134e0408134e070f16"><span class="__cf_email__" data-cfemail="8bcdc4c2cacbfef8f8f8a5efe3f8a5ece4fd">[email&#160;protected]</span></a>. To respond to 
your FOIA or Privacy Act request as quickly as possible, we strongly 
encourage you to submit your request electronically. Additional contact 
information for questions: Phone: 202-406-6370, Fax: 202-406-5586, or 
Email: <a href="/cdn-cgi/l/email-protection#92d4dddbd3d2e7e1e1e1bcf6fae1bcf5fde4"><span class="__cf_email__" data-cfemail="2761686e66675254545409434f5409404851">[email&#160;protected]</span></a>.

Lynn Parker Dupree,
Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2022-24871 Filed 11-15-22; 8:45 am]
BILLING CODE 4410-9B-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>
View on FederalRegister.gov →Plain-text source
Indexed from Federal Register on November 16, 2022.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.