1. REASON FOR ISSUE: This handbook establishes Department-wide procedures that implement the policies contained in VA Directive 6300, Records and Information Management, for processing requests for records subject to the Privacy Act.

 2. SUMMARY OF CONTENTS/MAJOR CHANGES: This handbook provides procedures relating to processing requests for records subject to the Privacy Act, including instructions for submitting information for the annual Privacy Act report.

 3. RESPONSIBLE OFFICE: The Information Management Service (045A4), Office of the Deputy Assistant Secretary for Information Resources Management, is responsible for the material contained in this handbook.

 4. RELATED DIRECTIVE AND HANDBOOKS: VA Directive 6300, Records and Information Management, VA Handbooks 6300.1, Records Management Procedures, and 6300.3, Procedures for Implementing the Freedom of Information Act.

 5. RESCISSION: None

Nada D. Harris D. Mark Catlett

Deputy Assistant Secretary for Acting Assistant Secretary for Management

Information Resources Management

Distribution: RPC 0787
FD

1. Purpose 5

2. Responsibilities 5

3. Procedures for Handling Requests for Access to or Amendment of Records 6

4. Processing Requests for Disclosure of Records to Third Parties 11

5. Fees 12

6. Criminal Penalties 12

7. Application of the Privacy Act to VA Contractors 13

8. Reporting Requirements 13

9. Systems of Records on Personal Computers - Privacy Act Requirements 14

10. Definitions 15

1. PURPOSE. This handbook sets forth procedures for processing requests for access to or amendment of records under the Privacy Act. Definitions of the terms used in the Privacy Act, a discussion of criminal penalties for violating the Privacy Act, and information concerning the application of the Privacy Act to VA contractors are provided. The requirements and instructions for preparing the biennial Privacy Act Report are presented.

a. The Deputy Assistant Secretary for Information Resources Management (DAS/IRM) will designate a Department FOIA and Privacy Act (PA) Officer.

b. The responsibilities of the Department PA Officer are:

(1) Providing advice, assistance, and recommendations to the DAS/IRM regarding policies, procedures, and other requirements governing the Privacy Act and its implementation.

(2) Publishing an annual list of employees in Central Office who are designated as FOIA and Privacy Act Officers.

(3) Reviewing and transmitting Privacy Act requests to the appropriate administration or staff office Privacy Act Officers.

(4) Preparing the Department biennial Privacy Act report for submission to the Office of Management and Budget (OMB).

c. Administration Heads, Assistant Secretaries, and Other Key Officials will:

(1) Designate one or more FOIA/PA Officers who will be responsible for initial action on requests for release of information from VA records under the jurisdiction of that office and for complying with the provisions of this handbook.

(2) At the discretion of the administration head, Assistant Secretary or staff office director, the responsibilities and duties of the designated employee(s) may be delegated to individuals within the various elements of their respective offices.

(3) Ensure that the designated officers and organizational elements comply with all laws and VA regulations concerning the release of information.

(4) The name(s), title(s) and location(s) of the employee(s) designated will be reported to the Information Management Service (045A4).

d. The responsibilities of the PA Officers are:

(1) Being familiar with all laws and VA regulations concerning the release of information. The Office of General Counsel and Regional Counsels can provide legal assistance.

(2) Reviewing all initial requests for records submitted under the Privacy Act and making a determination to grant or deny the request.

(3) Preparing any reports required or responding to Privacy Act questions, as necessary.

(4) Ensuring that offices collect, maintain, use and disclose records retrieved by personal identifier in the manner prescribed by the Privacy Act of l974 and VA Handbook 6300.5.

a. General. When requests are related to litigation or anticipated litigation, coordination between VA personnel who prepare replies to requests and VA attorneys is important. The policies and procedures contained in Handbook 6300.3, paragraphs 3f and 3g, apply to handling requests involving records subject to the Privacy Act that may be related to a matter in litigation as described in this handbook.

(1) This paragraph establishes procedures whereby an individual may:

(a) Request notification of whether VA maintains, or has disclosed, a record pertaining to him or her which is maintained in any system of records;

(b) Request a copy of, or other access to, such record, or obtain an accounting of its disclosure;

(c) Request that the record be amended; and

(d) Appeal any initial adverse determination of any such request.

(2) The procedures specified in this paragraph apply only to requests for records retrieved by personal identifier from the following systems of records:

(a) The systems of VA records for which notice has been published in the Federal Register pursuant to section 552a(e)(4) of the Privacy Act.

(b) Those records contained in Governmentwide systems of personnel records of which notice has been published in the Federal Register by another agency such as the Office of Personnel Management (OPM). Notices published by those agencies govern notification, access, and amendment of such records even though they are maintained by VA.

(c) Those records contained in a system of records operated by or on behalf of VA by a Government contractor to accomplish a VA function. For this purpose any such contractor and any employee of such contractor is considered to be an employee of VA and subject to the criminal penalties contained in 5 U.S.C. 552a(i).

b. Processing requests for access to individual records in a specific record system. This section does not apply to systems of records that have been exempted pursuant to subsections (j) and (k) of the Privacy Act (i.e., 11VA51, 66VA53, 17VA26, and 55VA26). Furthermore, other agencies exempt systems of records which VA may maintain, e.g., Equal Employment Opportunity Complaint and Appeal Records.

(1) Individuals may request to be informed whether they are included in any system of VA records of which the existence and character have been published as a notice in the Federal Register. However, an individual has the right of access, under the Privacy Act, only to records which are contained in these systems of VA records and must be given access only to information that is retrieved based on the individual's own identifiers for their own records.

(2) When a veteran and a dependent of a veteran receive VA benefits, VA may maintain records on both in a single benefits file, retrieved by the veteran’s personal identifier. Only the records that pertain to the issuance of the veteran’s benefits constitute that individual’s own records. The records that pertain to the issuance of the dependent’s benefits constitute that individual’s own records.

(3) Each system notice contains a "Notifications" and an "Access" section that indicate the official to whom such requests should be directed. An individual wanting notification or access should mail or deliver a request to the office identified in the "Notice of Systems of Records." If an individual does not know the "office concerned," the request may be addressed to the FOIA/PA Officer of the nearest or any VA field station or to Department of Veterans Affairs Central Office, Washington, DC 20420. Mail requests received in an office other than the office of jurisdiction will be forwarded promptly to the office of jurisdiction and clearly identified as "Privacy Act Request." The requester will be notified of any referrals. VA Form Letter (FL) 70-17a, Acknowledgment of Request Under the Privacy Act, may be used.

(4) Requests for access to VA records in a specific system must be directed to the FOIA/PA Officer; must provide name of the individual to whom the records pertain; and the address to which a reply should be sent. Each request should state the nature of the information or action desired and should identify to the extent feasible the record and system of records that are the subject of the request. VA Form (VAF) 3288, Request for and Consent to Release of Information from Claimant's Records, may be provided to individuals to use for requesting access to records and consenting to their release to third parties.

(5) Some individuals will request to be informed whether VA maintains any records on them. A request may read: "Does VA have any records on me? If so, what are they?" When received in field stations, such requests will be referred to the station’s FOIA/PA Officer. Requests received in the Central Office mail room will be referred to the FOIA/PA Officer of the organizational element having jurisdiction over the records. If the individual has identified himself/herself with a VA file number, social security number, military service number or other identifying data, a Beneficiary Identification and Records Locator Subsystem (BIRLS) inquiry will be processed through the Benefits Delivery Network (BDN).

(a) If the BDN reply shows the existence of a VA file number (C or CSS) and location of the related claims folder, the folder will be reviewed to determine if records are maintained on the individual. If the claims folder is located in another office, the request should be forwarded to that office for reply.

(b) If the BDN reply shows the existence of an active or inactive insurance record, it may be assumed that VA maintains an insurance record on the individual.

(c) When there is evidence that a record other than a claims folder may exist, a copy of the request should be forwarded to the FOIA/PA Officer of the appropriate VA office.

(d) Identified requests will be answered to the effect that:

"The Department of Veterans Affairs (VA) is maintaining records concerning you in the following system(s) of records: (list the specific system(s), using the system title(s) as published in the Federal Register). If you believe VA may have records concerning you in any other system of records, we will be glad to check further for you. If you can identify the system of records, it would be helpful. If you cannot, please describe the nature of contacts you have had with VA and the types of records that may have been created."

(e) When the records are reasonably described but some or all are not in a Privacy Act system of records or are otherwise required to be provided under the Privacy Act, the request must be processed as a FOIA request (see VA Handbook 6300.3).

(6) If no record is identified through the BDN, or if the request contains insufficient identifying information for the BIRLS inquiry transaction, the individual will be advised of the requirements for individual identification. The individual should also be advised to indicate the specific program records, such as loan guaranty, insurance, education, or medical care, for which notification is requested. FL 70-2, Request for Additional Information, may be used to ask for additional personal information that will help in locating any records VA may have.

c. Times, places, and requirements for identification of individuals making requests.

(1) Personal contacts should normally be made during the regular duty hours of the office concerned.

(2) Identification of the individual requesting the information may be required (except in cases where the information requested would be available to the public under FOIA, 5 U.S.C. 552) consisting of name, signature, address, and the claim, insurance or other identifying file number, if any. Additional identifying data or documents may be required where the information involves sensitive medical, psychological, or other material. (See paragraph 4e of this handbook and VA regulation 38 CFR 1.577(d).)

(3) If the individual elects to inspect a record in person and desires to be accompanied by not more than one other person, the individual will present to the VA official concerned a signed statement authorizing disclosure in the presence of the accompanying person. VAF 5571, Authorization to Disclose a Record in the Presence of a Third Party, may be used. One VA official must also be present at all times during a personal review of a record to ensure the integrity of the record.

d. Disclosure of requested information to individuals.

(1) Responses to requests for access to records subject to the Privacy Act normally will be made within 10 days of receipt, excluding Saturdays, Sundays, and legal public holidays. If a response cannot be made within the 10-day period, an acknowledgment of written requests will be sent within 10 days of receipt, excluding Saturdays, Sundays, and legal public holidays. FL 70-17a, Postal Card Acknowledgment of Request Under the Privacy Act, may be used for this purpose.

(2) If a form letter response is in order, rather than a routine acknowledgment, FL 70-18, Reply to Request Under the Privacy Act, may be used to:

(a) Indicate when and where the records will be available for personal inspection;

(b) Transmit a copy of the information requested;

(c) Indicate whether the copy will be held pending receipt of fees to cover the cost of copying documents;

(d) Advise that the system of records named by the individual does or does not contain a record pertaining to him or her; or

(e) Advise of acceptance or denial of a request to amend an individual's records.

(3) When an individual presents a request in person, that individual will be told whether he or she can be granted immediate access and the location at which he or she will be granted access.

e. Special procedures for sensitive information - medical, psychological, and other (VA regulation 38 CFR 1.577(d)).

(1) Sensitive information is information that may have an adverse effect on an individual or a member of the individual's family. It may be information that: could be prejudicial to a person's mental or physical health; may require explanation or interpretation by an intermediary to preclude misinterpretation and adverse reactions or retaliatory consequences toward others or; could be construed as personally embarrassing to an individual or family member.

(2) When a request involves medical and/or psychological information believed to be sensitive, the request and related record will be referred by the FOIA/PA Officer or other appropriate official to the appropriate VA health-care facility for review by a VA physician. If the VA physician believes that disclosure of the information directly to the individual could have an adverse effect on the physical or mental health of the individual, the physician will so advise the FOIA/PA Officer. The FOIA/PA Officer will then advise the individual that VA will send the sensitive records to a VA physician. The FOIA/PA Officer will arrange for the individual to report to a VA facility for a discussion and explanation of the information contained in his or her records with a VA physician. Following such discussion, the records should generally be disclosed to the individual, except in extraordinary cases where it is still the physician's professional opinion that physical access to the information could create a medical emergency. When access is denied, the FOIA/PA Officer will promptly advise the requester:

a. that access is being deferred pending resolution of the medical emergency, and as soon as the emergency has passed, access will be granted. (It is the responsibility of the FOIA/PA Officer to monitor the situation to ensure this is being carried out.)

b. of the denial and the reasons therefor; and

c. of his or her right of administrative appeal to the General Counsel.

(3) When medical or other sensitive information is to be released, the individual may be required to submit additional information as determined necessary to verify identity and to provide assurance that the individual is not improperly requesting or obtaining access to records pertaining to someone else. The verification of identity may consist of a signed statement asserting the individual's identity. The signed statement may include the stipulation that the individual understands that knowingly or willfully seeking or obtaining access to records about someone else under false pretenses is punishable by a fine of up to $5,000. A notarized statement or other reasonable means of verification may be required where determined appropriate.

f. Processing requests for correction or amendment of records.

(1) An individual may request amendment of a record pertaining to him or her contained in a specific VA system of records by mailing or delivering the request to the office concerned. The request must be in writing and must conform to the requirements in paragraph 3b(3) of this handbook. It must state the nature of the information in the record the individual believes to be inaccurate, irrelevant, untimely, or incomplete; why the record should be changed; and the amendment desired. The requester should be advised of the title and address of the VA official who can assist in preparing the request to amend the record if assistance is desired.

(2) Not later than 10 days, excluding Saturdays, Sundays, and legal public holidays, after the date of receipt of a request to amend a record, the VA official concerned will acknowledge in writing such receipt. If a determination has not been made, the acknowledgement will inform the individual when he or she may expect to be advised of action taken on the request. VA will complete a review of the request to amend or correct a record as soon as reasonably possible, normally within 30 days from receipt of the request (excluding Saturdays, Sundays, and legal public holidays).

(3) Where VA agrees with the individual's request to amend his or her record(s), the requirements of 5 U.S.C. 552a(d) will be followed. The record(s) will be corrected promptly and the individual will be advised promptly of the correction. Amendment consists of adding information to the record, altering information in the record, or deleting information in the record. Under the Privacy Act, if information is altered or deleted, the previous version must be obliterated and illegible after amendment. The amendment should be annotated "Amended, Privacy Act, (date), (signature and title of amending official)."

(4) If the record has previously been disclosed to any person or agency, and an accounting of the disclosure was made, prior recipients of the record will be informed of the correction. FL 70-19, Notification to Other Person or Agency of Amendment to a Record, may be used.

(5) If it is determined not to grant all or any portion of the request to amend a record, the official will promptly notify the individual in writing. The individual will be advised of his or her right to file a concise statement of reasons for disagreeing with the refusal to amend. The notice will specify the reason(s) for denying the request, identify the VA regulations or statutes upon which the denial is based, and advise that the denial may be appealed in writing to the General Counsel (024), Department of Veterans Affairs, 810 Vermont Avenue, NW, Washington, DC 20420. FL 70-20, Notification of Initial Refusal to Amend a Record Under the Privacy Act, may be used for this purpose.

(6) The determination on an appeal will be made not later than 30 days, excluding Saturdays, Sundays, and legal public holidays, from the date the individual's letter of appeal is received unless the Secretary or Deputy Secretary, for good cause shown, extends such 30-day period. If the 30-day period is so extended, the individual will be notified promptly of the reasons for the extension and the date on which a final determination may be expected. The final determination in such appeals will be made by the General Counsel or Deputy General Counsel.

(7) If the General Counsel or Deputy General Counsel finds that the adverse determination should be reversed, he or she will notify the VA office or station of the remedial action to be taken. The VA office or station will promptly carry out that action. The General Counsel or Deputy General Counsel will promptly notify the individual in writing of the corrective action. The field station or Central Office organization that provided the initial decision will inform previous recipients of the record that a correction has been made.

(8) If the General Counsel or Deputy General Counsel determines that the adverse determination will not be reversed, the individual will be notified promptly in writing of that determination, the reasons therefor, and of his or her right to seek judicial review of the decision pursuant to section 3 of the Privacy Act (5 U.S.C. 552a(g)).

(9) If the adverse determination is sustained by the General Counsel or Deputy General Counsel, the individual will also be advised promptly of his or her right to file a concise statement of reasons for disagreeing with the refusal to amend. The statement may contain information that the individual believes should be substituted.

(10) When an individual files a statement disagreeing with VA's decision not to amend a record, the record will be clearly annotated so that the fact that the record is disputed is apparent to anyone who may subsequently access, use, or disclose it. When the disputed record is disclosed to persons or other agencies, the fact of the dispute will be clearly noted. Copies of the statement of disagreement will be provided, and, when appropriate, copies of a concise statement of VA's reasons for not making the amendment(s) requested will also be provided.

(11) A decision by either the General Counsel or Deputy General Counsel pursuant to paragraph 3f(7) of this handbook is final. It is subject to judicial review in the district court of the United States in which the complainant resides, or has his or her principal place of business, or in which the VA records are located, or in the District of Columbia.

a. VA will not disclose any record or information from a record contained in a VA system of records by any means of communication to any person or any other agency except by written request of, or prior written consent of, the individual to whom the record pertains, unless such disclosure is permitted by statute or VA regulation. FL 70-21, Request for Individual's Consent to Disclose Records, may be used to request consent.

b. FL 70-7, Address of Veteran May Not Be Released; Information Regarding Conditions Under Which VA Will Forward Letter to Veteran, may be used when advising a requester that VA cannot disclose the address of a veteran but may, under certain conditions, provide a mail forwarding service.

c. An individual may consent to the release of information using any form of written communication so long as there is a clearly legible signature. For example, VAF 3288, Request for and Consent to Release of Information from Claimant's Records, may be used to obtain the written consent authorizing release of VA records except for records involving alcohol, drug abuse, sickle cell anemia, or human immunodeficiency virus/AIDS. Since these records are restricted from release under 38 U.S.C. 7332, a special consent to release must be obtained. VAF 10-5345, Request for and Consent to Release of Medical Records Protected by 38 U.S.C. 7332, may be used to obtain a written consent for release of such information.

d. Except for disclosures involving individually identifiable treatment records relating to alcohol, drug abuse, sickle cell anemia, or human immunodeficiency virus/AIDS, disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of the individual to whom the record pertains. The disclosure must be within the scope of the individual’s request. In those cases, however, where the congressional inquiry indicates that the request is being made on behalf of a person other than the individual whose record is to be disclosed, the congressional office should be advised that the written consent of the subject of the record is required. The Privacy Act limitation on disclosure of personal information contained in any VA system of records shall not apply to any member or staff of the House of Representatives or the United States Senate Veterans’ Affairs or Appropriations Committees (including the Subcommittees on VA, HUD, and Independent Agencies) if an official request for the disclosure has been made for an oversight purpose on a matter within the jurisdiction of the Committee or Subcommittee.

e. An accounting is required for disclosures outside VA, even when such disclosure is at the request of the individual. A separate accounting in each individual record is not required in such actions as transfer of payroll or benefit check data to the Department of the Treasury, provided that the accounting information can be constructed when requested by the individual. The accounting will consist of the date, nature, purpose of each disclosure, the name and address of each person or agency to whom the disclosure is made, and the authority for release of the information. The authority for release of the information will be the individual's written consent, a statutory requirement, a routine use in a system of records, or other authorization contained in VA regulations 38 CFR 1.500 - 1.575. The accounting record may be maintained on VAF 5572, Accounting of Records/Information Disclosure Under Privacy Act; by creation of extra copies of the written transactions; on appropriately adapted data sheets; or in any other manner that will constitute a record. The accounting of disclosure will be retained for at least five years after the disclosure for which the accounting is made or the life of the record, whichever is longer.

f. An accounting is not required when disclosure is to VA employees who have a need for access in the performance of their official duties or when disclosure would be required under FOIA.

a. Fees for making records available under the Privacy Act will be charged in accordance with VA regulation 38 CFR 1.577(f). No fees will be charged for any search or review of the record. Fees will be waived as required by VA regulation 38 CFR 1.577(g).

b. When an individual requests such services as certification, authentication, or other special services not required under the Privacy Act, fees in addition to those required for copying will be assessed in accordance with VA regulation 38 CFR 1.526(i) or (j) or any other applicable law.

a. Criminal penalties for unauthorized disclosure of records. Any VA officer or employee who willfully discloses individually identifiable information, the disclosure of which is prohibited by rules or regulations, in any manner to any person or agency not entitled to receive it shall be guilty of a misdemeanor and fined not more than $5,000 (5 U.S.C. 522a(i)(1)).

b. Criminal penalties for failure to publish a public notice. Any VA officer or employee who willfully maintains a system of records without meeting the notice requirements of 5 U.S.C. 552a(e)(4) shall be guilty of a misdemeanor and fined not more than $5,000 (5 U.S.C. 552a(i)(2)).

c. Criminal penalties for obtaining records under false pretenses. Any person who knowingly and willfully requests or obtains any record concerning an individual from VA under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.

d. When a court finds that an agency has acted willfully or intentionally in violation of the Privacy Act in such a manner as to have an adverse effect upon an individual (there was injury or harm to the individual), the United States will be required to pay actual damages or $1,000, whichever is greater, and court costs and attorney fees.

e. In the event a VA employee is found criminally liable, a report of the incident will be provided to the Department FOIA/PA Officer. In incidents involving employees, the report will be prepared by the administration or office for whom the employee worked. If the Department as a whole is involved, the report will be provided by the Office of the Inspector General. The report will describe the incident, identify causes, and provide suggested changes in procedures to prevent a recurrence. The Department FOIA/PA Officer will review the report and recommend to the DAS/IRM procedural changes that may be needed.

a. General. The Privacy Act provides that "when an agency provides by contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function," the provisions of the Privacy Act must be applied to the system. Under this provision the term "contract" covers any contract, written or oral, subject to the Federal Acquisition Regulation (FAR) which provides for the operation by or on behalf of the Department of a system of records necessary to accomplish a VA function. Not only must the terms of the contract provide for the operation (as opposed to design only) of such a system, but the operation of the system must be to accomplish a Department function.

b. Contract Requirements. To ensure compliance with the provisions of the Privacy Act, any contract between VA and a contractor will conform to the policies and procedures contained in FAR Subpart 24.1, Protection of Individual Privacy. This includes the design, development, operation, or maintenance of any system of records on individuals necessary to accomplish a Department function, or a contract which necessitates the use of a system of records. For each such contract, the Contracting Officer will ensure that the clauses in FAR 52.224-1, Privacy Act Notification, and 52.224-2, Privacy Act, are included in the contract document, and that the name of the applicable system of records is also included. The contract language should also make the contractor subject to VA confidentiality provisions 38 U.S.C. § 5701 (benefits records, including medical records) and § 7332 (drug, alcohol, sickle cell anemia, and HIV treatment records) to the extent applicable under the circumstances of the particular contract.

c. Review Requirements. Every two years a random sample of VA contracts will be reviewed by the responsible offices to ensure that those contracts providing for the operation of a system of records to accomplish a VA function contain the clauses required by FAR.

a. General. The Privacy Act requires the President to submit to the Speaker of the House of Representatives and the President of the Senate a biennial report covering agencies' activities in administering the Act (5 U.S.C. 552a(s)). The President's report is prepared by OMB based on information provided by each Federal agency. The exact format and timing of each agency's report is established by the Director, OMB. Within VA, the Department FOIA/PA Officer issues the necessary instructions for preparing the Department's report.

b. Reporting Procedures.

(1) Each VACO organizational component and field station activity is required to provide information and data that is used to compile a consolidated report on Privacy Act activities to OMB. This report is titled "Biennial Privacy Act Report for Calendar Years XXXX and XXXX" and is assigned RCN 72-0601. The Computer Matching and Privacy Protection Act of 1988 amended the Privacy Act to require reporting to OMB biennially, rather than annually. However, each VACO organizational component and field activity should collect and be prepared to report, on a calendar-year basis, the following information:

(a) Total number of requests by individuals for access to records about themselves in systems of records which specifically cite the Privacy Act or are submitted on a preprinted form for this purpose.

(b) The number of these requests granted in whole or in part, denied in whole, and for which no record was found.

(c) Total number of requests by individuals to amend records about themselves in systems of records when the requests, or the preprinted form utilized, specifically cite the Privacy Act.

(d) Total number of amendment requests granted in whole or in part, denied in whole, and for which no record was found.

(2) In addition to the information identified above, each VACO element should be prepared to report the following:

(a) Total number of active systems of records for which the organizational element is responsible and any changes to that number during the calendar year, that is, the number of new systems published in the Federal Register and reported to OMB; number of systems deleted; number of systems automated in whole or in part; number of existing systems for which new routine uses were established and identification of the date when the routine uses were published in the Federal Register; number of systems for which new exemptions were denied or existing exemptions deleted; and number of public comments received on publication of rules or notices.

(b) Number and description of computer matching programs in which VA participated either as a source or recipient agency.

(c) Information on the results of the Privacy Act reviews described in OMB Circular A-130, Appendix I.

(3) The General Counsel will be prepared to report the following:

(a) Number of appeals of initial denials of access and amendment requests, and the results of such appeals.

(b) Number of instances in which individuals litigated the results of appeals of access or amendment requests, and the results of such litigation.

(4) Specific formats, instructions, timing and other necessary information will be issued by the Department FOIA/PA Officer to all VACO organizational components. Administrations/offices with field facilities will collect and consolidate the data from their respective field facilities and submit a single report to OP&PA, Information Management Service. For planning purposes, offices should be prepared to submit their reports during the second quarter of the calendar year following the year covered by the report.

a. General. Personal computers (PCs) increase the efficiency and effectiveness of office workers and improve overall organizational productivity. When PCs are used to manage, store, or manipulate records on individuals that are maintained in Privacy Act systems of records, the records in the PCs are subject to all the provisions of the Privacy Act in the same manner as any other record subject to the Act. All the requirements of this handbook and VA regulations governing such records must be followed. Certain specific requirements and considerations relating to systems of records that are accessed by or maintained on personal computers are identified below.

b. Specific Requirements.

(1) If records in a Privacy Act system of records are maintained, in part or in whole, or transferred (downloaded) from data bases in mainframe computers or from other central platforms to PCs, then the system of records notice must be written in such a manner to show that the records are accessible by and/or maintained in PCs. If records on individuals are kept on PCs so that they are retrieved by an individual identifier, and the records are not covered by a previously published system notice, then a new system of records notice and report must be prepared as required by VA Handbook 6300.5.

(2) Records subject to the Privacy Act that are maintained on PCs must be protected from unauthorized disclosure in the same manner as all records subject to the Act. To ensure proper protection for records on "floppy disks," procedures will be established by management to ensure these disks are not removed or used outside of Government buildings or installations without proper authorization and documentation. "Floppy disks" containing personal information subject to the Act will be properly secured when not in use to prevent unauthorized use or access.

c. Accuracy and Timeliness. Record accuracy and timeliness are important requirements of the Privacy Act. Consequently, reasonable effort must be made to ensure that information on individuals that is transferred to a PC for subsequent use is accurate and current. For example, if records from a Privacy Act system on a mainframe computer are transferred to a PC and the records in the main data base are updated with new information that is not added to the records on the PC, the PC records are inaccurate and should not be used or released until they are verified. Failure to ensure record accuracy before using or releasing records covered by the Privacy Act may subject VA, or the employee releasing the record, to embarrassment and possible prosecution for violating the Act. One of the most critical activities related to maintaining personal records on a PC is to make sure that the information on the PC accurately reflects information contained elsewhere in the system of records.

a. Access. The process of permitting individuals to see or obtain copies of records about themselves from a Privacy Act system of records.

b. Disclosure. Providing information from a system of records, by any means, to anyone other than the individual by whose name or other identifier the record is retrieved.

c. Individual. A living citizen of the United States or an alien lawfully admitted for permanent residence. The definition of "individual" for Privacy Act purposes differs from the definition of "individual" for FOIA purposes. Deceased persons, non-resident aliens (unless lawfully admitted for permanent residence), businesses, and organizations are not "individuals" under the Privacy Act. A parent or guardian may exercise Privacy Act rights for a minor or incompetent person.

d. Maintain. To collect, keep, use, disseminate, or any combination of these recordkeeping functions. As used in the Privacy Act, VA regulations, and this handbook, this word connotes control over and, therefore, responsibility and accountability for systems of records.

e. Privacy Act Request. A request by an individual about the existence of, access to, or amendment of a record about himself or herself that is in a Privacy Act system of records. The request does not have to specifically cite or otherwise show dependence on the Act to be considered a Privacy Act request.

f. Record. Any item, collection, or grouping of information about an individual that is maintained by the Department, such as, but not limited to, his or her education, financial transactions, personal history, or medical history, and that contains his or her name or identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voice print or a photograph. The definition does not distinguish between data and information. Both are within the scope of the definition.

g. Statistical Record. A record kept only for statistical or reporting purposes. It is not used for making decisions about the rights, benefits, or entitlements of an identifiable individual.

h. System Manager. An official who is responsible for the management, operation, and release of information from a system of records subject to the Privacy Act.

i. System of Records. Any group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. A record in a system of records must contain two elements: a personal identifier and at least one item of personal information. If a retrieval of personal information is possible, but not actually done, or if it depends on memory or a sequential search, the collection of records is not a system of records. However, creating a retrieval method or cross-index arranged by personal identifier for randomly filed records makes that record collection a system subject to the provisions of the Act.

j. Routine Use. This term is unique to the Privacy Act and means the disclosure of a record for a reason that is compatible with the purpose for which it was collected. A routine use is one that is relatable and necessary to a purpose for collecting the record. To be effective, a routine use must be properly published in the Federal Register.