Proposed Rule2026-06195
Implementing the Freedom of Information Act and Privacy Act
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
March 31, 2026
Issuing agencies
Office of the National Cyber Director
Abstract
The Office of the National Cyber Director (ONCD) is issuing its first Freedom of Information Act (FOIA) and Privacy Act regulations. These regulations reflect ONCD's process for responding to requests for information and affirm its commitment to provide the fullest possible disclosure of records to the public.
Full Text
<html>
<head>
<title>Federal Register, Volume 91 Issue 61 (Tuesday, March 31, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 61 (Tuesday, March 31, 2026)]
[Proposed Rules]
[Pages 15932-15942]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-06195]
=======================================================================
-----------------------------------------------------------------------
OFFICE OF THE NATIONAL CYBER DIRECTOR
32 CFR Chapter XXII
[Docket ID Number: ONCD-2025-0030]
RIN 0301-AA02
Implementing the Freedom of Information Act and Privacy Act
AGENCY: Office of the National Cyber Director, Executive Office of the
President.
ACTION: Notice of proposed rulemaking and request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Office of the National Cyber Director (ONCD) is issuing
its first Freedom of Information Act (FOIA) and Privacy Act
regulations. These regulations reflect ONCD's process for responding to
requests for information and affirm its commitment to provide the
fullest possible disclosure of records to the public.
DATES: Comments must be received by May 15, 2026.
ADDRESSES: Comments must be submitted through the Federal eRulemaking
Portal at <a href="http://www.regulations.gov">http://www.regulations.gov</a> following the instructions it
provides. All comments will be posted without change including any
provided personal information.
FOR FURTHER INFORMATION CONTACT: Carina Bergal, Deputy General Counsel,
ONCD, 202-456-8708, <a href="/cdn-cgi/l/email-protection#8aece5e3ebcae5e4e9eea4efe5faa4ede5fc"><span class="__cf_email__" data-cfemail="2e4841474f6e41404d4a004b415e00494158">[email protected]</span></a> with the subject line: ``FOIA/
PRIVACY ACT PROPOSED RULEMAKING.''
SUPPLEMENTARY INFORMATION:
A. The FOIA. The FOIA, 5 U.S.C. 552, provides a right of access to
certain records that Federal agencies maintain and control. The FOIA
directs each Federal agency to publish regulations that describe how
the agency will process FOIA requests it receives from members of the
public. The FOIA Improvement Act of 2016, Public Law 114-185, requires
each agency to promulgate regulations, pursuant to notice and receipt
of public comment, specifying its FOIA policies, practices, and
procedures.
B. The Privacy Act. The Privacy Act, 5 U.S.C. 552a, governs each
federal agency's collection, maintenance, use, and dissemination of any
information about individuals that it maintains in a system of records.
The Privacy Act directs each Federal agency to publish regulations that
describe the agency's procedures for carrying out the provisions of the
Privacy Act.
Statutory and Executive Order Reviews
Regulatory Impact Analysis
This proposed regulatory action is not a significant regulatory
action subject to review by the Office of Management and Budget under
section 3(f) of Executive Order 12866. Since this regulatory action is
not a significant regulatory action under section 3(f) of Executive
Order 12866, it is not considered an Executive Order 14192 regulatory
action.
Paperwork Reduction Act
ONCD has determined that the Paperwork Reduction Act, 44 U.S.C.
3501 et seq., does not apply because these regulations do not contain
any information collection requirements subject to ONCD's approval.
Executive Order 12988--Civil Justice Reform
These regulations meet the applicable standards set forth in
Executive Order 12988, Civil Justice Reform.
[[Page 15933]]
Executive Order 13132--Federalism
These regulations will not have substantial direct effects on the
States, on the relationship between the national government and the
States, or on the distribution of power and responsibilities among the
various levels of government. Therefore, in accordance with Executive
Order 13132, ONCD has determined that these regulations do not have
sufficient federalism implications to warrant the preparation of a
federalism summary impact statement.
Regulatory Flexibility Act
ONCD, in accordance with the Regulatory Flexibility Act, 5 U.S.C.
605(b), has reviewed these regulations and certifies that it will not
have a significant economic impact on a substantial number of small
entities because they pertain to administrative matters affecting the
agency.
Unfunded Mandates Reform Act of 1995
These regulations will not result in the expenditure by State,
local, and tribal governments, in the aggregate, or by the private
sector, of $100 million or more in any one year, and will not
significantly or uniquely affect small governments. Therefore, no
actions are necessary under the provisions of the Unfunded Mandates
Reform Act of 1995, 2 U.S.C. 1501, et seq.
Small Business Regulatory Enforcement Fairness Act of 1996
These regulations are not major rules as defined by section 251 of
the Small Business Regulatory Enforcement Fairness Act of 1996, 5
U.S.C. 804. They will not result in an annual effect on the economy of
$100 million or more; a major increase in costs or prices; or
significant adverse effects on competition, employment, investment,
productivity, innovation, or the ability of United States-based
enterprises to compete with foreign-based enterprises in domestic and
export markets.
National Environmental Policy Act of 1969
ONCD has reviewed these regulations under the National
Environmental Policy Act of 1969 (NEPA), 42 U.S.C. 4321-4347, and has
determined that this action will not have a significant effect on the
human environment.
List of Subjects
32 CFR Part 2200
Administrative practice and procedure, Courts, Freedom of
information, Records.
32 CFR Part 2201
Administrative practice and procedure, Courts, Privacy, Records.
For the reasons discussed in the preamble, the Office of the
National Cyber Director proposes to add chapter XXII, consisting of
parts 2200 through 2299, to subtitle B of title 32 to read as follows:
Title 32--National Defense
Subtitle B--Other Regulations Relating to National Defense
Chapter XXII--Office of the National Cyber Director
PART 2200--REGULATIONS IMPLEMENTING THE FREEDOM OF INFORMATION ACT
PART 2201--REGULATIONS IMPLEMENTING THE PRIVACY ACT
PARTS 2202-2299 [RESERVED]
PART 2200--REGULATIONS IMPLEMENTING THE FREEDOM OF INFORMATION ACT
Sec.
2200.1 Purpose and scope.
2200.2 Delegation of authority and responsibilities.
2200.3 General policy and definitions.
2200.4 Procedure for requesting records.
2200.5 Responses to requests.
2200.6 Timing of responses to requests.
2200.7 Confidential commercial information.
2200.8 Appeal of denials.
2200.9 Fees.
2200.10 Waiver of fees.
2200.11 Maintenance of statistics.
2200.12 Disclaimer.
Authority: 5 U.S.C. 552; E.O. 13392, 70 FR 75373, 3 CFR, 2005
Comp., p. 216.
Sec. 2200.1 Purpose and scope.
The regulations in this part prescribe procedures by which
individuals may obtain access to the Office of the National Cyber
Director (ONCD) agency records under the Freedom of Information Act
(FOIA), 5 U.S.C. 552, as amended, as well as the procedures ONCD will
follow in response to requests for records under the FOIA. This part
should be read together with the FOIA and the Office of Management and
Budget's (OMB's) ``Uniform Freedom of Information Fee Schedule and
Guidelines,'' which provides information about access to records. All
requests for access to information contained within a system of records
pursuant to the Privacy Act of 1974, 5 U.S.C. 552a, shall be processed
in accordance with this part.
Sec. 2200.2 Delegation of authority and responsibilities.
(a) The Director of ONCD designates the ONCD General Counsel as the
Chief FOIA Officer, and hereby delegates to the Chief FOIA Officer the
authority to act upon all requests for agency records and to re-
delegate such authority at his or her discretion.
(b) The Chief FOIA Officer shall designate a FOIA Public Liaison,
who shall serve as the supervisory official to whom a FOIA requester
can raise concerns about the service the FOIA requestor has received
following an initial response. The FOIA Public Liaison will be listed
on the ONCD website (<a href="https://www.whitehouse.gov/oncd/information-resources/">https://www.whitehouse.gov/oncd/information-resources/</a>) and may re-delegate the FOIA Public Liaison's authority at
his or her discretion.
(c) The Director establishes a FOIA Requester Service Center that
shall be staffed by the FOIA Public Liaison. The contact information
for the FOIA Requester Service Center is: Office of the National Cyber
Director, New Executive Office Building, 725 17th Street NW,
Washington, DC 20504; Telephone: 202-395-1925; Email: <a href="/cdn-cgi/l/email-protection#492f26202809272a2d672c2639672e263f"><span class="__cf_email__" data-cfemail="15737a7c74557b76713b707a653b727a63">[email protected]</span></a>.
Updates to this contact information will be made on the ONCD website.
Sec. 2200.3 General policy and definitions.
(a) Non-exempt records available to public. Except for records
exempt from disclosure by 5 U.S.C. 552(b) or published in the Federal
Register under 5 U.S.C. 552(a)(1), ONCD's agency records subject to the
FOIA are available to any requester who requests them in accordance
with this part.
(b) Record availability on the ONCD website. ONCD shall make
records available on its website in accordance with 5 U.S.C. 552(a)(2),
as amended, and other documents that, because of the nature of their
subject matter, are likely to be the subject of FOIA requests. To save
both time and money, ONCD strongly urges requesters to review documents
available on the ONCD website before submitting a request.
(c) Definitions. For purposes of this part:
(1) All of the terms defined in the Freedom of Information Act
apply, unless otherwise defined in this part.
(2) The term agency record means a record that is:
(i) Either created or obtained by ONCD; and
(ii) Under ONCD control at the time the FOIA request is received.
(3) The term commercial use request means a request from or on
behalf of a person who seeks information for a use or purpose that
furthers his or her
[[Page 15934]]
commercial, trade, or profit interests, which can include furthering
those interests through litigation. ONCD shall determine, whenever
reasonably possible, the use to which a requester will put the
requested records. When it appears that the requester will put the
records to a commercial use, either because of the nature of the
request itself or because ONCD has reasonable cause to doubt a
requester's stated use, ONCD shall provide the requester a reasonable
opportunity to submit further clarification.
(4) The terms disclose and disclosure refer to making records
available, upon request, for examination and copying, or furnishing a
copy of records.
(5) The term direct cost means those expenditures ONCD actually
incurred in searching for and duplicating (and, in the case of
commercial use requests, reviewing) records in response to a FOIA
request. Direct costs include the salary of the personnel performing
the work (i.e., the basic rate of pay for the employee plus 16 percent
of that rate to cover benefits) and the cost of operating computers and
other electronic equipment, such as photocopiers and scanners. Direct
costs do not include overhead expenses, such as the cost of space,
heating, or lighting of the facility in which the records are stored.
(6) The term duplication means the making of a copy of a record, or
of the information contained in it, necessary to respond to a FOIA
request. Copies can take the form of paper, microform, audiovisual
materials, or electronic records (e.g., magnetic tape or disk), among
others.
(7) The term educational institution means a preschool, a public or
private elementary or secondary school, an institution of undergraduate
higher education, an institution of graduate higher education, an
institution of professional education, or an institution of vocational
education that operates a program of scholarly research. To fall within
this category, a requester must show that the request is authorized by
and is made under the auspices of a qualifying institution and that the
records are not sought for a commercial use, but rather are sought to
further scholarly research.
(8) The term fee waiver means the waiver or reduction of processing
fees if a requester can demonstrate that certain statutory standards
are satisfied.
(9) The term FOIA Public Liaison means an agency official who is
responsible for assisting requesters in defining the scope of their
request to reduce processing time, increasing transparency and
understanding of the status of requests, and assisting in the
resolution of disputes.
(10) The term non-commercial scientific institution means an
institution that is not operated on a commercial basis, as that term is
defined in these regulations, and that is operated solely for the
purpose of conducting scientific research, the results of which are not
intended to promote any particular product or industry. To fall within
this category, a requester must show that the request is authorized by
and is made under the auspices of a qualifying institution and that the
records are not sought for a commercial use, but rather are sought to
further scientific research.
(11) The term perfected request means a FOIA request for records
that reasonably describes the records sought and has been received by
ONCD in accordance with the requirements set forth in Sec. 2200.4.
(12) The terms representative of the news media and news media
requester mean any person or entity that gathers information of
potential interest to a segment of the public, uses its editorial
skills to turn the raw materials into a distinct work, and distributes
that work to an audience. In this clause, the term news means
information that is about current events or that would be of current
interest to the public. Examples of news media entities are television
or radio stations broadcasting to the public at large and publishers of
periodicals (but only if such entities qualify as disseminators of
news) who make their products available for purchase by, subscription
by, or through free distribution to the general public. These examples
are not all-inclusive. Moreover, as methods of news delivery evolve,
such as through electronic or digital means, such news sources shall be
considered to be news media entities. A freelance journalist shall be
regarded as working for a news media entity if the journalist can
demonstrate a solid basis for expecting publication through that
entity, whether or not the journalist is actually employed by the
entity. A publication contract would present a solid basis for such an
expectation; the Government may also consider the past publication
record of the requester in making such a determination.
(13) The term requester means any person, including an individual,
partnership, corporation, association, Native American tribe, or other
public or private organization, other than a Federal agency that
requests access to records.
(14) The term review means the process of examining documents
located in response to a request that is for a commercial use to
determine whether any portion of any document located is permitted to
be withheld. It includes the processing of any documents for
disclosure--i.e., doing all that is necessary to excise exempt
information and otherwise prepare them for release. Review does not
include time spent resolving general legal or policy issues regarding
the application of exemptions.
(15) The term search refers to the process of looking for and
retrieving records or information responsive to a request. It includes
page-by-page or line-by-line identification of information within
records and also includes reasonable efforts to locate and retrieve
information from records maintained in electronic form or format.
(16) The term working day means a regular Federal working day
between the hours of 9:00 a.m. and 5:00 p.m. It does not include
Saturdays, Sundays, or legal Federal holidays. Any requests received
after 5:00 p.m. on any given working day will be considered received on
the next working day.
Sec. 2200.4 Procedure for requesting records.
(a) Format of requests--(1) In general. Requests for information
must be made in writing and may be delivered by mail or electronic
mail, as specified in Sec. 2200.2(c). All requests must be made in
English. Requests for information may specify the preferred format
(including electronic formats) of the response. When a requester does
not specify the preferred format of the response, ONCD shall produce
scanned records to be delivered electronically.
(2) Records in electronic formats. (i) ONCD shall provide
responsive records in the format requested if the record or records are
readily reproducible by ONCD in that format. ONCD shall make reasonable
efforts to maintain its records in formats that are reproducible for
the purposes of disclosure. For purposes of this paragraph (a)(2)(i),
the term readily reproducible means, with respect to electronic format,
a record that can be downloaded or transferred intact to an electronic
medium using equipment currently in use by the agency processing the
request. Even though some records may initially be readily
reproducible, the need to segregate exempt records from nonexempt
records may cause the releasable material to be not readily
reproducible.
(ii) In responding to a request for records, ONCD shall make
reasonable efforts to search for the records in electronic format,
except where such efforts would interfere with the operation of the
agency's automated information system(s). For purposes of this
paragraph (a)(2)(ii), the term search
[[Page 15935]]
means to locate, manually or by automated means, agency records for the
purpose of identifying those records that are responsive to a request.
(iii) Searches for records maintained in electronic format may
require the application of codes, queries, or other minor forms of
programming to retrieve the requested records.
(3) Attachment restrictions. To protect ONCD's computer systems,
ONCD will not accept files sent as email attachments or as web links. A
requester may submit a request by postal mail, by fax, or in the body
of the email text.
(b) Contents. A request must describe the records sought in
sufficient detail to enable ONCD personnel to locate the records with a
reasonable amount of effort. To the extent possible, a requester should
include specific information that may assist ONCD personnel in
identifying the requested records, such as the date, title or name,
author, recipient, and subject matter of the record. In general, a
requester should include as much detail as possible about the specific
records or the types of records sought. Before submitting a request, a
requester may contact the ONCD FOIA Public Liaison to discuss the
records sought and to receive assistance in describing the records. If,
after receiving a request, ONCD determines that it does not reasonably
describe the records sought or that the request will be unduly
burdensome to process, ONCD shall inform the requester of the
additional information that is needed or how the request may be
modified. A Requester attempting to reformulate or modify such a
request may discuss their requests with ONCD's FOIA Public Liaison.
(c) Date of receipt. A request that complies with paragraphs (a)
and (b) of this section is deemed a ``perfected request.'' A perfected
request is deemed received on the actual date it is received by ONCD. A
request that does not comply with paragraphs (a) and (b) of this
section is deemed received when information sufficient to perfect the
request is actually received by ONCD.
(d) Contact information. A request must contain contact
information, such as the requester's phone number, email address, or
mailing address, to enable ONCD to communicate with the requester about
the request and provide released records. If ONCD cannot contact the
requester, or the requester does not respond within 30 calendar days to
ONCD's requests for clarification, ONCD will administratively close the
request.
(e) Types of records not available. The FOIA does not require ONCD
to:
(1) Compile or create records solely for the purpose of satisfying
a request for records;
(2) Provide records not yet in existence, even if such records may
be expected to come into existence at some future time; or
(3) Restore records destroyed or otherwise disposed of, except that
ONCD must notify the requester of the destruction or disposal of the
requested records.
Sec. 2200.5 Responses to requests.
(a) In general. In determining which records are responsive to a
request, ONCD will ordinarily include only records in its possession as
of the date it begins its search for records. If any other date is
used, ONCD shall inform the requester of that date.
(b) Authority to grant or deny requests. ONCD shall make initial
determinations to grant or deny, in whole or in part, a request for
records.
(c) Granting of requests. When ONCD determines that any responsive
records shall be made available, ONCD shall notify the requester in
writing and provide copies of the requested records in whole or in
part. Records disclosed in part shall be marked or annotated to show
the exemption(s) applied to the withheld information and the amount of
information withheld unless doing so would harm the interest protected
by an applicable exemption. If a requested record contains exempted
material along with nonexempt material, all reasonably segregable
material shall be disclosed.
(d) Adverse determinations. If ONCD makes an adverse determination
denying a request in any respect, it must notify the requester of that
adverse determination in writing. Adverse determinations include
decisions that: The requested record is exempt from disclosure, in
whole or in part; the request does not reasonably describe the records
sought, but only if, after discussion with the FOIA Public Liaison, the
requester refuses to modify the terms of the request; the information
requested is not a record subject to the FOIA; the requested record
does not exist, cannot be located, or has been destroyed; or the
requested record is not not readily reproducible in the form or format
sought by the requester; denials involving fee or fee waiver matters;
and denials of requests for expedited processing.
(e) Content of adverse determinations. Any adverse determination
issued by ONCD must include:
(1) A brief statement, including any FOIA exemption applied by the
agency in denying access to a record unless such inclusion would harm
the interest protected by an applicable exemption;
(2) An estimate of the volume of any records or information
withheld, although such an estimate is not required if the volume is
otherwise indicated by deletions marked on records that are disclosed
in part or if providing an estimate would harm an interest protected by
an applicable exemption;
(3) A statement that the adverse determination may be appealed
under Sec. 2200.8 and a description of the appeal requirements; and
(4) A statement notifying the requester of the assistance available
from ONCD's FOIA Public Liaison and the dispute resolution services
offered by the Office of Government Information Services.
(f) Transfer of records to the National Archives and Records
Administration (NARA). Permanent records of ONCD which have been
transferred to the control of NARA under the Federal Records Act are
not in the control of ONCD and are therefore not accessible by a FOIA
request to ONCD. Requests for such records should be directed to NARA.
(g) Consultations, referrals, and coordinations. When ONCD receives
a request for a record in its possession, it shall determine whether
another agency of the Federal Government is better able to determine
whether the record is exempt from disclosure under the FOIA and, if so,
whether it should be disclosed as a matter of administrative
discretion. If ONCD determines that it is best able to process the
record in response to the request, then it shall do so. If ONCD
determines that it is not best able to process the record, then it
shall proceed in one of the following ways:
(1) Consultation. When records originating with ONCD contain
information of interest to another Federal agency, ONCD should
typically consult with that Federal agency prior to making a release
determination.
(2) Referral. (i) When ONCD believes that a different Federal
agency is best able to determine whether to disclose the record, ONCD
should typically refer the responsibility for responding to the request
regarding that record to that agency. Ordinarily, the agency creating
the record is presumed to be the agency best able to determine whether
the record should be disclosed. If ONCD and another Federal agency
jointly agree that the agency processing the request is in the best
position to respond regarding the record, then the record may be
handled as a consultation.
(ii) Whenever ONCD refers any part of the responsibility for
responding to a
[[Page 15936]]
request to another agency it will notify the requester of the referral
and the agency which will be processing the record.
(iii) After ONCD refers a record to another Federal agency, the
agency receiving the referral shall make a disclosure determination and
respond directly to the requester. The referral of a record is not an
adverse determination and no appeal rights accrue to the requester
therefrom.
(3) Coordination. The standard referral procedure is not
appropriate where disclosure of the identity of the Federal agency to
which a referral would be made could harm an interest protected by an
applicable exemption, such as an exemption that protects personal
privacy or national security interests. For example, if a non-law
enforcement agency responding to a request for records on a living
third party locates within its files records originating with a law
enforcement agency, and if the existence of that law enforcement
interest in the third party is not publicly known, then to disclose
that law enforcement interest could cause an unwarranted invasion into
the personal privacy of the third party. Similarly, if an agency
locates within its files material originating with an Intelligence
Community agency, and the involvement of that agency in the matter is
classified and not publicly acknowledged, then to disclose or give
attribution to the involvement of that Intelligence Community agency
could harm national security interests.
Sec. 2200.6 Timing of responses to requests.
(a) In general. ONCD shall ordinarily respond to requests in order
of their receipt.
(b) Initial determinations. ONCD will exercise all reasonable
efforts to make an initial determination acknowledging and granting,
partially granting, or denying a request for records within twenty
working days (excepting Saturdays, Sundays, and legal public holidays)
after receiving a perfected request. ONCD may toll this twenty (20) day
period either one time while ONCD is awaiting information that it has
reasonably requested from the requester or any time when necessary to
clarify with the requester issues regarding fee assessment. ONCD's
receipt of the requester's response to ONCD's request for information
ends the tolling period.
(c) Extensions of response time in ``unusual circumstances.'' (1)
The twenty (20) working day period provided in paragraph (b) of this
section may be extended if unusual circumstances arise. If an extension
is necessary, ONCD shall promptly notify the requester of the
extension, briefly state the reasons for the extension, and estimate
when a response will be issued. Unusual circumstances warranting
extension are:
(i) The need to search for and collect the requested records from
field facilities or other establishments that are separate from the
office processing the request;
(ii) The need to search for, collect, and appropriately examine a
voluminous amount of separate and distinct records which are demanded
in a single request; or
(iii) The need for consultation, which shall be conducted with all
practicable speed, with another agency having a substantial interest in
the determination of the request or among two or more components of the
agency having substantial subject-matter interest therein.
(2) After ONCD notifies the requester of the reasons for the delay,
the requester will have an opportunity to modify the request or arrange
for an alternative time frame for completion of the request. To assist
in this process, ONCD shall advise the requester of the availability of
ONCD's FOIA Public Liaison to aid in the resolution of any disputes
between the requester and ONCD, and notify the requester of his or her
right to seek dispute resolution services from the Office of Government
Information Services.
(d) Expedited processing of request. (1) A requester may make a
request for expedited processing at any time.
(2) When a request for expedited processing is received, ONCD must
determine whether to grant the request for expedited processing within
ten (10) calendar days of its receipt. Such requests will be approved
only when a compelling need is established to the satisfaction of ONCD.
A compelling need is deemed to exist when:
(i) The requester can establish that failure to receive the records
quickly could reasonably be expected to pose an imminent threat to the
life or physical safety of an individual; or
(ii) The requester is primarily engaged in disseminating
information (e.g., you are a member of the news media), and can
demonstrate that an urgency to inform the public concerning actual or
alleged Federal Government activity exists.
(3)(i) A requester who seeks expedited processing must submit a
statement, certified to be true and correct, explaining in detail:
(A) The basis for making the request for expedited processing; and
(b) Why your request or appeal satisfies the requirements of
paragraph (d)(2)(i) or (ii) of this section.
(ii) If you believe that you have an urgent need to inform the
public about an actual alleged Federal Government activity, you should
provide examples of other coverage of the same or related subjects. As
a matter of administrative discretion, ONCD may waive the formal
certification requirement.
(4) ONCD will notify you within 10 calendar days whether we will
grant or deny you expedited processing.
(5) If ONCD denies you expedited processing, you may appeal that
determination using the procedures in this part.
(e) Multi-track processing. (1) ONCD may use multi-track processing
in responding to requests. Multi-track processing means placing simple
requests that require limited review in one processing track and
placing more voluminous and complex requests in one or more other
processing tracks. Requests in each track are processed on a first-in,
first-out basis.
(i) Track one--expedited requests. Track one is made up of requests
that sought and received expedited processing as provided for in
paragraph (d)(2) of this section.
(ii) Track two--simple requests. Track two is for requests of
simple to moderate complexity that do not require consultations with
other entities and do not involve voluminous records.
(iii) Track three--complex requests. Track three is for complex
requests that involve voluminous records, require lengthy or numerous
consultations, raise unique or novel legal questions, or require
submitter review under Sec. 2200.7.
(2) ONCD may provide requesters with requests in slower track(s)
the opportunity to limit the scope of their requests to qualify for
faster processing within the specified limits of faster track(s). ONCD
will do so by contacting the requester by letter, telephone, email, or
facsimile, whichever is more efficient in each case. When providing a
requester with the opportunity to limit the scope of a request, ONCD
shall also advise the requester of ONCD's FOIA Public Liaison to aid in
the resolution of any dispute arising between the requester and ONCD as
well as the requester's right to seek dispute resolution services from
the Office of Government Information Services.
(f) Aggregating requests. ONCD may aggregate requests if it
reasonably appears that multiple requests, submitted either by a single
requester or by a group of requesters, act in concert and involve
related matters. For example, ONCD may aggregate multiple
[[Page 15937]]
requests for similar information filed by a single requester within a
short period of time. ONCD may also aggregate requests where a
requester or associated requesters file a series of multiple requests,
which are merely discrete subdivisions of the information actually
sought for the purpose of avoiding or reducing applicable fees. In such
instances, ONCD may aggregate the requests and charge the applicable
fees.
Sec. 2200.7 Confidential commercial information.
(a) In general. Business information obtained by ONCD from a
submitter will be disclosed under the FOIA only under this section.
(b) Definitions. For purposes of this section:
(1) Confidential commercial information means records provided to
the government by a submitter that arguably contain material exempt
from release under 5 U.S.C. 552(b)(4).
(2) Submitter means any person or entity from whom ONCD directly or
indirectly obtains confidential commercial information. The term
includes corporations; State, local, and tribal governments;
universities; non-profit organizations; associations; and foreign
governments.
(c) Designation of business information. Either at the time of
submission or at a reasonable time thereafter, a submitter of business
information will use good-faith efforts to designate, by appropriate
markings, any portions of its submission that it considers to be
protected from disclosure under 5 U.S.C. 552(b)(4). These designations
will expire ten years after the date of submission unless the submitter
requests, and provides justification for, a longer designation period.
(d) Notice to submitters. ONCD shall provide a submitter with
prompt written notice of a FOIA request or administrative appeal that
seeks its business information to give the submitter an opportunity to
object to disclosure of any specified portion of that information. The
notice shall either describe the business information requested or
include copies of the requested records or record portions containing
the information. When notification of a voluminous number of submitters
is required, notification may be made by posting or publishing the
notice in a place reasonably likely to accomplish notification.
(e) Where notice is required. Notice shall be given to a submitter
whenever:
(1) The information has been designated in good faith by the
submitter as information considered protected from disclosure under 5
U.S.C. 552(b)(4); or
(2) ONCD has reason to believe that the information may be
protected from disclosure under 5 U.S.C. 552(b)(4).
(f) Opportunity to object to disclosure. ONCD will allow a
submitter reasonable time to respond to the notice described in
paragraph (d) of this section and will specify that time period within
the notice. If a submitter has any objection to disclosure, the
submitter must provide a detailed written statement of objections. The
statement must specify all grounds for withholding any portion of the
information under any exemption of the FOIA and, in the case of
information withheld under 5 U.S.C. 552(b)(4), the submitter must
demonstrate the reasons the submitter believes the information is a
trade secret or commercial or financial information that is privileged
or confidential. In the event that a submitter fails to adequately
respond to the notice within the time specified, the submitter will be
considered to have no objection to disclosure of the information.
Information provided by the submitter that ONCD does not receive within
the time specified shall not be considered by ONCD. Information
provided by a submitter under this paragraph (f) may itself be subject
to disclosure under the FOIA.
(g) Notice of intent to disclose. ONCD shall consider a submitter's
objections and specific grounds for nondisclosure in deciding whether
to disclose business information. Whenever ONCD determines that
disclosure is appropriate over the objection of a submitter, ONCD
shall, within a reasonable number of days prior to disclosure, provide
the submitter with written notice of the intent to disclose, which
shall include:
(1) A statement of the reason(s) why each of the submitter's
objections to disclosure was not sustained;
(2) A description of the business information to be disclosed; and
(3) A specified disclosure date, which shall be a reasonable time
subsequent to the notice.
(h) Exceptions to notice requirements. The notice requirements of
paragraphs (d) and (g) of this section shall not apply if:
(1) ONCD determines that the information should not be disclosed;
(2) The information has been lawfully published or has been
officially made available to the public;
(3) Disclosure of the information is required by statute (other
than the FOIA) or by a regulation issued in accordance with the
requirements of Executive Order 12600 of June 23, 1987;
(4) The designation made by the submitter under paragraph (c) of
this section appears obviously frivolous. In such a case, ONCD shall,
within a reasonable time prior to a specified disclosure date, give the
submitter written notice of any final decision to disclose the
information, but no opportunity to object will be offered; or
(5) The information requested was not designated by the submitter
as exempt from disclosure in accordance with this part, when the
submitter had an opportunity to do so at the time of submission of the
information or a reasonable time thereafter, unless ONCD has
substantial reason to believe that disclosure of the information would
result in competitive harm.
(i) Notice of FOIA lawsuit. Whenever a requester files a lawsuit
seeking to compel the disclosure of business information, ONCD shall
promptly notify the submitter. The submitter, as specified in paragraph
(b)(2) of this section, shall provide such litigation assistance as
required by ONCD and the Department of Justice.
(j) Notice to requesters. Whenever ONCD provides a submitter with
notice and an opportunity to object to disclosure under paragraph (d)
of this section, ONCD shall also notify the requester(s). Whenever ONCD
notifies a submitter of its intent to disclose requested information
under paragraph (g) of this section, ONCD shall also notify the
requester(s). Whenever a submitter files a lawsuit seeking to prevent
the disclosure of business information, ONCD shall notify the
requester(s).
Sec. 2200.8 Appeal of denials.
(a) Right to administrative appeal. A requester has the right to
appeal to the FOIA Public Liaison any adverse determination.
(b) Notice of appeal--(1) Time for appeal. To be considered timely,
an appeal must be postmarked, or in the case of electronic submissions,
transmitted no later than ninety (90) calendar days after the date of
the initial adverse determination or after the time limit for response
by ONCD has expired. Prior to submitting an appeal, the requester must
pay in full any outstanding fees associated with the request.
(2) Form of appeal. An appeal shall be initiated by filing a
written notice of appeal. The notice shall specify the tracking number
assigned to the FOIA request by ONCD and be accompanied by copies of
the original request and adverse determination. To expedite the
appellate process and give the requester an opportunity to present his
or her
[[Page 15938]]
arguments, the notice should contain a brief statement of the reason(s)
why the requester believes the adverse determination to be in error.
Requesters may submit appeals by mail or electronically. If sent by
regular mail, appeals shall be sent to: FOIA Public Liaison, Office of
the National Cyber Director, New Executive Office Building, 725 17th
Street NW, Washington, DC 20504. Appeals sent via electronic mail shall
be submitted to ONCD at <a href="/cdn-cgi/l/email-protection#ef8980868eaf818c8bc18a809fc1888099"><span class="__cf_email__" data-cfemail="e781888e86a7898483c9828897c9808891">[email protected]</span></a>, with subject line: ``Freedom
of Information Act Appeal.'' If your email includes attachments, you
must also explain your request in the body of the email, in addition to
the attachment. Updates to this contact information will be made on the
ONCD website. To facilitate handling, the requester should mark both
the appeal letter and envelope, if submitted by mail, or subject line
of the transmission, if submitted electronically, with ``Freedom of
Information Act Appeal.'' Your appeal must include your request's
individualized tracking number and must identify the specific ONCD
determinations you are appealing. If you fail to properly appeal a
determination that ONCD made in processing your request, you may lose
your right to challenge that determination in federal court.
(c) Decisions on appeals. ONCD shall make a determination in
writing on the appeal under 5 U.S.C. 552(a)(6)(A)(ii) within twenty
(20) working days after the receipt of the appeal. If the denial is
wholly or partially upheld, ONCD shall:
(1) Notify the requester that judicial review is available pursuant
to 5 U.S.C. 552(a)(4)(B)-(G); and
(2) Notify the requester that the Office of Government Information
Services (OGIS) offers mediation services to resolve disputes between
FOIA requesters and Federal agencies as a non-exclusive alternative to
litigation.
(d) Dispute resolution services. Dispute resolution is a voluntary
process. If ONCD agrees to participate in the dispute resolution
services provided by the Office of Government Information Services, it
will actively engage as a partner to the process in an attempt to
resolve the dispute.
(e) When appeal is required. Before seeking judicial review of
ONCD's adverse determination in Federal district court, a requester
generally must first submit a timely administrative appeal.
Sec. 2200.9 Fees.
(a) Fees generally required. ONCD shall use the most efficient and
least costly methods to comply with requests for documents made under
the FOIA. ONCD shall charge fees in accordance with paragraph (b) of
this section unless fees are waived or reduced in accordance with Sec.
2200.10.
(b) Calculation of fees. In general, fees for searching, reviewing,
and duplication will be based on the direct costs of these services,
including the average hourly salary (basic pay plus 16% for benefits)
of the personnel conducting the search, reviewing the records for
exemption, or duplicating the records. Charges for time less than a
full hour will be in increments of quarter hours.
(1) Search fees. Search fees may be charged even if responsive
documents are not located or are located but withheld on the basis of
an exemption. However, search fees shall not be charged or shall be
limited as follows:
(i) Educational, scientific, or news media requests. No search fee
shall be charged if the request is not sought for a commercial use and
is made by an educational or non-commercial scientific institution,
whose purpose is scholarly or scientific research, or by a
representative of the news media.
(ii) Other non-commercial requests. No search fee shall be charged
for the first two hours of searching if the request is not for a
commercial use and is submitted by an entity that is not an educational
or scientific institution, whose purpose is scholarly or scientific
research, or a representative of the news media.
(2) Review fees. Review fees shall be assessed only with respect to
those requesters who seek records for a commercial use. A review fee
shall be charged for the initial examination of documents located in
response to a request to determine whether the documents may be
withheld from disclosure and for the redaction of document portions
exempt from disclosure. Records or portions of records withheld under
an exemption that is subsequently determined not to apply may be
reviewed again to determine the applicability of other exemptions not
previously considered. The costs for such subsequent review are also
assessable.
(3) Duplication fees. Records will be photocopied at a rate of ten
cents ($0.10) per page. For other methods of reproduction or
duplication, ONCD will charge the actual direct costs of producing the
document(s). Duplication fees shall not be charged for the first 100
pages of copies unless the copies are requested for a commercial use.
(c) Aggregation of requests. When ONCD determines that a requester,
or a group of requesters acting in concert, is attempting to evade the
assessment of fees by submitting multiple requests in place of a
single, more complex request, ONCD may aggregate any such requests and
assess fees accordingly.
(d) Fees likely to exceed $25. If total fee charges are likely to
exceed $25, ONCD shall notify the requester of the estimated amount to
be charged. The notification shall offer the requester an opportunity
to confer with the FOIA Public Liaison to reformulate the request to
meet the requester's needs at a lower cost. ONCD may administratively
close a submitted FOIA request if the requester does not respond in
writing within thirty (30) calendar days after the date on which ONCD
notifies the requester of the fee estimate.
(e) Advance payments. Fees may be paid upon provision of the
requested records, except that payment may be required prior to that
time if the requester has previously failed to pay fees or if ONCD
determines that the total fees will exceed $250. When payment is
required in advance of the processing of a request, the time limits
prescribed in Sec. 2200.6 shall not be deemed to begin until ONCD has
received payment of the assessed fees. If the requester has previously
failed to pay fees or charges are likely to exceed $250, ONCD shall
notify the requester of the estimated cost and:
(1) Obtain satisfactory assurance from the requester, in writing,
of full payment; or
(2) ONCD may require the requester to pay the full amount of any
fees owed or make an advance payment of the full amount of ONCD's
estimated charges.
(3) If ONCD does not receive an adequate response, assurance, or
advance payment within thirty (30) calendar days of a fee determination
or notification issued under the authority of this section, ONCD will
administratively close the corresponding request.
(f) Other charges. ONCD will recover the full costs of providing
services, such as those enumerated below, when it elects to provide
them:
(1) Certifying that records are true copies; or
(2) Sending records by special methods, such as express mail.
(g) Remittances. Remittances shall be made either via personal
check or bank draft drawn on a bank in the United States, or by postal
money order. Remittances shall be made payable to the order of the
Treasury of the United States and mailed to the Chief FOIA Officer,
Office of the Office of the National Cyber Director, New Executive
Office Building, 725 17th Street NW,
[[Page 15939]]
Washington, DC 20504. Updates to this contact information will be made
on the ONCD website.
(h) Receipts and refunds. ONCD will provide a receipt for fees paid
upon request. ONCD will not refund fees paid for services actually
rendered.
Sec. 2200.10 Waiver of fees.
(a) In general. ONCD shall waive part or all of the fees assessed
under Sec. 2200.9 if, based upon information provided by a requester
or otherwise made known to ONCD the disclosure of the requested
information is in the public interest. Disclosure is in the public
interest if it is likely to contribute significantly to public
understanding of government operations or activities and is not
primarily for commercial purposes. Requests for a waiver or reduction
of fees shall be considered on a case-by-case basis. To determine
whether a fee waiver requirement is met, ONCD shall consider the
following factors:
(1) Disclosure of the requested information would shed light on the
operations or activities of the Federal Government. The subject of the
request must concern identifiable operations or activities of the
Federal Government with a connection that is direct and clear, not
remote or attenuated.
(2) Disclosure of the requested information is likely to contribute
significantly to public understanding of those operations or
activities. This factor is satisfied when the following criteria are
met:
(i) Disclosure of the requested records must be meaningfully
informative about government operations or activities. The disclosure
of information already in the public domain, in either the same or a
substantially similar form, would not be meaningfully informative if
nothing new would be added to the public's understanding.
(ii) The disclosure must contribute to the understanding of a
reasonably broad audience of persons interested in the subject, as
opposed to the individual understanding of the requester. A requester's
expertise in the subject area as well as the requester's ability and
intention to effectively convey information to the public must be
considered. ONCD will presume that a representative of the news media
will satisfy this consideration.
(3) The disclosure must not be primarily in the commercial interest
of the requester. To determine whether disclosure of the requested
information is primarily in the commercial interest of the requester,
ONCD will consider the following criteria:
(i) ONCD will identify whether the requester has any commercial
interest that would be furthered by the requested disclosure. A
commercial interest includes any commercial, trade, or profit interest.
Requesters are encouraged to provide explanatory information regarding
this consideration.
(ii) If there is an identified commercial interest, ONCD will
determine whether that is the primary interest furthered by the
request. ONCD will ordinarily presume that when a news media requester
has satisfied the conditions in paragraphs (a)(1) and (2) of this
section, the request is not primarily in the commercial interest of the
requester. Data brokers or others who merely compile and market
government information for direct economic return will not receive the
benefit of this presumption.
(b) Timing of fee waivers. A request for a waiver or reduction of
fees should be made when a request for records is first submitted to
the agency and should address the criteria referenced in paragraph (a)
of this section. A requester may submit a fee waiver request at a later
time so long as the underlying record request is pending or on
administrative appeal. When a requester who has committed to pay fees
subsequently asks for a waiver of those fees and that waiver is denied,
the requester must pay any costs incurred up to the date of the fee
waiver request was received.
(c) Clarification. Where ONCD has reasonable cause to doubt the use
to which a requester will put the records sought, or where that use is
not clear from the request itself, ONCD may seek clarification from the
requester before assigning the request to a specific category for fee
assessment purposes.
(d) Restrictions on charging fees. Except as described in
paragraphs (d)(1) through (3) of this section, if ONCD fails to comply
with the FOIA's time limits for responding to a request, it may not
charge search fees. In addition, subject to the exceptions set forth in
paragraphs (d)(1) through (3) of this section, if ONCD does not comply
with the FOIA's time limits for responding to a request, it may not
charge duplication fees when records are not sought for a commercial
use and the request is made by an educational institution, non-
commercial scientific institution, or representative of the news media.
(1) If ONCD determines that unusual circumstances, as defined by
the FOIA, apply and provides timely written notice to the requester in
accordance with the FOIA, then a failure to comply with the statutory
time limit shall be excused for an additional ten days.
(2) If ONCD determines that unusual circumstances, as defined by
the FOIA, apply and more than 5,000 pages are necessary to respond to
the request, then ONCD may charge search fees and duplication fees,
where applicable, if the following steps are taken. ONCD must:
(i) Provide timely written notice of unusual circumstances to the
requester in accordance with the FOIA; and
(ii) Discuss with the requester via postal mail, email, or
telephone (or made not less than three good-faith attempts to do so)
how the requester could effectively limit the scope of the request in
accordance with 5 U.S.C. 552(a)(6)(B)(ii).
(3) If a court determines that exceptional circumstances exist, as
defined by the FOIA, then a failure to comply with the statutory time
limits shall be excused for the length of time provided by the court
order.
Sec. 2200.11 Maintenance of statistics.
(a) ONCD shall maintain records sufficient to allow accurate
reporting of FOIA processing statistics, as required under 5 U.S.C.
552(e) and all guidelines for the preparation of annual FOIA reports
issued by the Department of Justice.
(b) ONCD shall annually, on or before February 1 of each year,
prepare and submit to the Attorney General an annual report compiling
the statistics maintained in accordance with paragraph (a) of this
section for the previous fiscal year. A copy of the report will be
available for public inspection on the ONCD website.
Sec. 2200.12 Disclaimer.
Nothing in this part shall be construed to entitle any person, as a
right, to any service or to the disclosure of any record to which such
person is not entitled under the FOIA.
PART 2201--REGULATIONS IMPLEMENTING THE PRIVACY ACT
Sec.
2201.1 General provisions.
2201.2 Requirements for making requests for access.
2201.3 Responsibility for responding to requests.
2201.4 Requests for an accounting.
2201.5 Requests for an amendment or correction.
2201.6 Appeals.
2201.7 Fees.
Authority: 5 U.S.C. 552a.
Sec. 2201.1 General provisions.
(a) Purpose and scope. This part implements the rules that the
Office of the National Cyber Director (ONCD) follows under the Privacy
Act of 1974,
[[Page 15940]]
codified as amended at 5 U.S.C. 552a (Privacy Act). This part applies
to all records in systems of records maintained by ONCD that are
retrieved by an individual's name or personal identifier. This part
describes the procedures by which individuals may request access to
records about themselves, request amendment or correction of those
records, and request an accounting of disclosures of those records by
ONCD.
(b) Definitions. As used in this part:
Request for access to a record means a request made under 5 U.S.C.
552a(d)(1).
Request for amendment or correction of a record means a request
made under 5 U.S.C. 552a(d)(2).
Request for an accounting means a request made under 5 U.S.C.
552a(c)(3).
Requester means an individual who makes a request for access, a
request for amendment or correction, or a request for an accounting
under the Privacy Act. An individual is a citizen of the United States
or an alien lawfully admitted for permanent residence.
System manager means the ONCD official identified in a system of
records notice as the manager of a system of records; and for
Government-wide systems of records, the individual designated by the
agency to act on behalf of the system manager.
(c) Providing written consent to disclose records protected under
the Privacy Act. ONCD may disclose any record contained in a system of
records by any means of communication to any person, or to another
agency, pursuant to a written request by, or with the prior written
consent of, the individual about whom the record pertains. An
individual must verify the individual's identity in the same manner as
required by Sec. 2201.2(d) when providing written consent to disclose
a record protected under the Privacy Act and pertaining to the
individual.
Sec. 2201.2 Requirements for making requests for access.
(a) How made and addressed. You may make a Privacy Act request for
access to an ONCD record by mail or delivery service, to Office of
General Counsel, Office of the National Cyber Director, 725 17th Street
NW, Washington, DC 20503 or by electronic means via email to
<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="11575e5850517f72753f747e613f767e67">[email protected]</a>.
(b) Description of the records sought. In making a request for
access, you must describe the records that you want in enough detail to
enable ONCD to locate the system of records containing them with a
reasonable amount of effort. Your access request should name the system
of records or contain a concise description of such system of records.
If you are not sure which system of records you are interested in, you
may request that ONCD inform you which of its systems of records, if
any, contain records about you.
(c) Information about yourself. Your access request should also
contain sufficient information to identify yourself in order to allow
ONCD to determine if there is a record pertaining to you in a
particular system of records.
(d) Verification of identity. To ensure that information about you
is disclosed only to you or your authorized representative, you are
required to verify your identity when making a Privacy Act request for
access, as detailed in paragraphs (d)(1) through (3) of this section.
(1) You must state your name, current address, and date and place
of birth and provide either a notarized statement of identity or a
signed submission under 28 U.S.C. 1746; or
(2) When available, verify your identity through remote identity-
proofing and authentication using digital processes.
(3) ONCD may require you to supply additional information as
necessary in order to verify your identity.
(e) Verification of guardianship. When making a request for access
as the parent or guardian of a minor or as the guardian of someone
determined by a court of competent jurisdiction to be incompetent, for
access to records about that individual, you must establish the
criteria listed in paragraphs (e)(1) through (4) of this section. If
ONCD cannot verify your identity, disclosure will be limited to
information that would be required to be made available if requested
under 5 U.S.C. 552 by any person.
(1) The identity of the individual who is the subject of the
record, by stating the name, current address, and date and place of
birth;
(2) Your own identity, as required in this paragraph (e);
(3) That you are the parent or guardian of that individual, which
you may prove by providing a copy of the individual's birth certificate
showing your parentage or by providing a court order establishing your
guardianship; and
(4) That you are acting on behalf of that individual in making the
request.
(f) Submit identifying information only using approved ONCD
processes. In order to safeguard information you submit in making a
request for access for purposes of verifying your identity or verifying
guardianship, or any information about yourself that may assist in the
rapid identification of the record to which you are requesting access
(e.g., prior names, dates of employment, etc.) as well as any other
identifying information contained in an ONCD system of records, you
must use one of ONCD's approved processes as described on ONCD's
privacy program web page. Failure to submit identifying information
through an ONCD approved process may result in the failure to expunge
your information in accordance with approved ONCD records schedules
after your access request has been processed.
(g) Subsequent requests for access. If your request for access
follows a prior request under this section, and you already provided
appropriate verifications with that prior request, you do not need to
include the same verification or identifying information in the
subsequent request for access if you reference that prior request or
attach a copy of the ONCD response to that request.
Sec. 2201.3 Responsibility for responding to requests.
(a) Acknowledgment of requests. ONCD will acknowledge your request
for access in writing and provide an individualized tracking number.
Upon request, ONCD will make information available to you about the
status of your request using the assigned tracking number.
(b) Timing of responses to a Privacy Act request for access. ONCD
will respond to Privacy Act requests for access to records according to
the order in which ONCD receives the requests. Consistent with ONCD's
Freedom of Information Act (FOIA) procedures at 32 CFR part 2200, ONCD
may designate multiple processing tracks that distinguish between
simple and more complex Privacy Act requests for access, based on the
estimated amount of work or time needed to process the request.
(c) Additional information. If, after receiving a request, ONCD
determines that your request does not reasonably describe the records
sought, ONCD will inform you what additional information is needed and
why the request is otherwise insufficient. If a request does not
reasonably describe the records sought, ONCD's response to the request
may be delayed.
(d) Grant of request for access. Once ONCD makes a determination to
grant a request for access, ONCD will provide you a written response,
which may include the following:
(1) A statement as to whether ONCD will grant access by providing a
copy of the record through electronic means or the mail; and
[[Page 15941]]
(2) The amount of fees charged, if any (see Sec. 2201.7). (Fees
are applicable only to requests for duplicates.)
(e) Adverse determination of request for access. ONCD will notify
you of an adverse determination denying a request for access in
writing. Adverse determinations, or denials of requests, may consist
of: A determination to withhold any requested record in whole or in
part; a determination that a requested record does not exist or cannot
be located; a determination that what has been requested is not a
record subject to the Privacy Act or the Privacy Act exempts the system
containing your records from the requirement ONCD provide those records
upon request; a determination that ONCD prepared the records you are
seeking in reasonable anticipation of a civil action or proceeding
(that is, a lawsuit or a similar proceeding); a determination on any
disputed fee matter; or a denial of a request for expedited treatment.
ONCD's notification letter to you will include the reason for its
decision and explain how you can appeal.
Sec. 2201.4 Requests for an accounting.
You may request an accounting of disclosures by the same rules
governing requests for access, outlined in Sec. 2201.2.
Sec. 2201.5 Requests for an amendment or correction.
(a) Requirement for written requests. If you want to amend a record
that pertains to you in a system of records maintained by ONCD, you
must submit your request in writing following the procedures
established in this section. ONCD is not required to amend records that
are not subject to the Privacy Act of 1974. However, individuals who
believe that such records are inaccurate may bring this to the
attention of ONCD.
(b) Procedures. (1) You should address your request to amend a
record in a system of records to the system manager. You should include
the name of the system and a brief description of the record proposed
for amendment. If the request to amend the record is the result of you
gaining access to the record in accordance with the provisions
concerning access to records as set forth in Sec. 2201.2, you may
attach a copy of previous correspondence between you and ONCD instead
of providing a separate description of the record.
(2) If a requester cannot determine where within ONCD to send the
Privacy Act request to amend a record, the requester may send by mail
or delivery to Office of General Counsel, Office of the National Cyber
Director, 725 17th Street NW, Washington, DC 20506 or by electronic
means as described on ONCD's privacy program web page: <a href="https://www.whitehouse.gov/oncd/information-resources/">https://www.whitehouse.gov/oncd/information-resources/</a>. ONCD will forward the
request to the component(s) it believes most likely to have the
relevant records. For the quickest possible handling, the requester
should specify ``Privacy Act Record Amendment Request'' on the letter.
(3) You must validate your identity as described in Sec.
2201.2(d). If ONCD has previously verified your identity pursuant to
Sec. 2201.2(d), further verification of identity is not required as
long as the communication does not suggest that a need for verification
is present.
(4) You should clearly indicate the exact portion of the record you
seek to have amended. If possible, you should also propose alternative
language, or at a minimum, identify the facts that you believe are not
accurate, relevant, timely, or complete, with such particularity as to
permit ONCD not only to understand the basis for your request, but also
to make an appropriate amendment to the record.
(5) Your request must also state why you believe your record is not
accurate, relevant, timely, or complete, explain exactly what change(s)
you are requesting, and point out specific pieces of information in
your ONCD records that are inaccurate, irrelevant, outdated, or
incomplete. The burden of persuading ONCD to amend a record will be
upon you. You must furnish sufficient facts to persuade the official in
charge of the system of the inaccuracy, irrelevancy, timeliness, or
incompleteness of the record.
(c) ONCD action on the request. (1) ONCD will acknowledge, in
writing, receipt of a request to amend a record within 10 business days
(i.e., excluding Saturdays, Sundays, and legal Federal holidays) of
ONCD's receipt.
(2) ONCD will promptly respond to a Privacy Act request for
amendment or correction. ONCD ordinarily will respond to Privacy Act
requests for amendment or correction according to their order of
receipt. Consistent with ONCD's FOIA procedures at 32 CFR part 2200,
ONCD may designate multiple processing tracks that distinguish between
simple and more complex Privacy Act requests for amendment or
correction, based on the estimated amount of work or time needed to
process the request. The response reflecting the decision upon a
request for amendment will include the following:
(i) The decision of ONCD whether to grant in whole, or deny any
part of, the request to amend the record;
(ii) The reasons for the determination for any portion of the
request which is denied; and
(iii) A description of the procedure by which the ONCD decision to
deny your request may be appealed, including the name and address of
the official with whom you may lodge such an appeal.
Sec. 2201.6 Appeals.
(a) If you wish to appeal a decision by ONCD with regard to your
request to access or amend a record in accordance with the provisions
of Sec. Sec. 2201.2 and 2201.5, you should submit the appeal in
writing and, to the extent possible, include the information specified
in paragraph (b) of this section.
(b) Your appeal should contain a brief description of the record
involved or copies of the correspondence from ONCD in which the request
to access or to amend was denied and also the reasons why you believe
that access should be granted or the information amended, as relevant.
Your appeal should refer to the information you furnished in support of
your claim and the reasons set forth by ONCD in its decision denying
access or amendment, as required by Sec. Sec. 2201.2 and 2201.5. In
order to make the appeal process as meaningful as possible, you should
set forth your disagreement in an understandable manner. In order to
avoid the unnecessary retention of personal information, ONCD reserves
the right to dispose of the material concerning the request to access
or amend a record if ONCD receives no appeal in accordance with this
section within 180 days of the sending by ONCD of its decision upon an
initial request. ONCD may treat an appeal received after the 180-day
period as an initial request to access or amend a record.
(c) You may send your appeal by mail or delivery to the Office of
General Counsel, Office of the National Cyber Director, 725 17th Street
NW, Washington, DC 20506 or by electronic means as described on ONCD's
web page: <a href="https://www.whitehouse.gov/oncd/information-resources/">https://www.whitehouse.gov/oncd/information-resources/</a>. For
the quickest possible handling, the requester should specify ``Privacy
Act Record Appeal'' on the letter.
(d) ONCD will review your appeal, decide whether to grant or deny
it, and inform you of the decision within thirty (30) business days
(excluding Saturdays, Sundays, and legal Federal holidays) from the
date on which the individual requests such review or appeal. In the
event it is necessary to extend the time for making a decision, the
requestor will be informed of the delay and provide an explanation in
writing. If ONCD's
[[Page 15942]]
decision does not grant in full the request, the notice of the decision
will describe the steps you may take to obtain judicial review of such
a decision.
Sec. 2201.7 Fees.
(a) Prohibitions against charging fees for Privacy Act requests.
ONCD will not charge you for:
(1) The search and review of requests for records subject to this
part;
(2) Any copies of the record produced as a necessary part of the
process of making the record available for access; or
(3) Any copies of the requested record when ONCD determines that
the only way you can access the record is by providing a copy to you
through the mail.
(b) Waiver. ONCD may at no charge provide copies of a record if it
is determined the production of the copies is in the interest of the
Government.
(c) Fee schedule and method of payment. ONCD will charge fees as
provided in paragraphs (c)(1) through (5) of this section except as
provided in paragraphs (a) and (b) of this section.
(1) ONCD will duplicate records at a rate of $.10 per page for all
copying of 4 pages or more. There is no charge for duplication 3 or
fewer pages.
(2) Where ONCD anticipates that the fees chargeable under this
section will amount to more than $25.00, ONCD shall promptly notify you
of the amount of the anticipated fee or such portion thereof as can
readily be estimated. If the estimated fees will greatly exceed $25.00,
ONCD may require an advance deposit. ONCD's request for an advance
deposit shall extend an offer to the requester to consult with ONCD
personnel in order to reformulate the request in a manner which will
reduce the fees, yet still meet the needs of the requester.
(3) You should pay fees in full before the requested copies are
issued. If the requester is in arrears for previous requests, ONCD will
not provide copies for any subsequent request until the arrears have
been paid in full.
(4) Remittances shall be in the form either of a personal check or
bank draft drawn on a bank in the United States, or a postal money
order. Remittances shall be made payable to the order of the Treasury
of the United States and mailed or delivered to the Office of General
Counsel, Office of the National Cyber Director, 725 17th Street NW,
Washington, DC 20503.
(5) ONCD will provide a receipt for fees paid upon request.
PARTS 2202-2299 [RESERVED]
Dated: March 27, 2026.
Carina Bergal,
Deputy General Counsel, Office of the National Cyber Director.
[FR Doc. 2026-06195 Filed 3-30-26; 8:45 am]
BILLING CODE 3340-D3-P
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>Indexed from Federal Register on March 31, 2026.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.