VA Handbook 6300.5
Transmittal Sheet
January 12, 1998

Department of Veterans Affairs
Washington, DC 20420

PROCEDURES FOR ESTABLISHING AND MANAGING
PRIVACY ACT SYSTEMS OF RECORDS

1. REASON FOR ISSUE: This handbook establishes Department-wide procedures that implement the policies contained in VA Directive 6300, Records and Information Management, for establishing and managing systems of records under the Privacy Act.

2. SUMMARY OF CONTENTS/MAJOR CHANGES: This handbook provides procedures relating to establishing and managing Privacy Act systems of records, including instructions for the conduct of Privacy Act reviews.


3. RESPONSIBLE OFFICE:
The Information Management Service (045A4), Office of the Deputy Assistant Secretary for Information Resources Management, is responsible for the material contained in this handbook.

4. RELATED DIRECTIVE AND HANDBOOKS: VA Directive 6300, Records and Information Management, VA Handbooks 6300.1, Records Management Procedures, and 6300.4, Procedures for Processing Requests for Records Subject to the Privacy Act.

5. RESCISSION: None

CERTIFIED BY:
Nada D. Harris
Deputy Assistant Secretary for Information Resources Management

BY DIRECTION OF THE SECRETARY OF VETERANS AFFAIRS:
D. Mark Catlett
Acting Assistant Secretary for Management

Distribution: RPC 0791

FD



CONTENTS

PARAGRAPH

1. Purpose
2. Responsibilities of the System Manager
3. Situations Requiring a Report and Federal Register Notice
4. Report Content, Format, and Distribution
5. Notice of System of Records
6. Description of Privacy Act Reviews

FIGURE

Figure 3-1. Schedule of Privacy Act Reviews

1. PURPOSE

a. This handbook sets forth procedures for establishing and managing systems of records under the Privacy Act. The Privacy Act of 1974 requires agencies to publish in the Federal Register a "notice of the existence and character of the system of records" subject to the Act (5 U.S.C. 552a(e)(4)). The Privacy Act also requires agencies to send reports to Congress and OMB on the agency's intention to establish any new system of records and, under certain specified circumstances, the agency's intention to alter an existing system of records. This handbook describes the responsibilities of system managers and the situations in which a report and notice are required.

 

b. This handbook provides guidance on the report and notice content, format, and distribution. In addition, OMB Circular A-130 requires Federal agencies to conduct regularly scheduled reviews of the implementation and administration of certain provisions of the Privacy Act. This handbook also provides a description of the review requirements. Figure 3-1, Schedule of Privacy Act Reviews, identifies each review item, the VACO element responsible for conducting each review, the frequency, and the required implementing action.

 

2. RESPONSIBILITIES OF THE SYSTEM MANAGER

 

The Privacy Act requires that each agency designate an agency official who is responsible for each system of records. This individual is known as the System Manager and is responsible for:

 

a. Ensuring that the policies, practices, and procedures governing the operation, maintenance, and release of records in the system are being followed. This includes appropriate physical, administrative, and technical safeguards to prevent unauthorized disclosure or alteration of information in the system.

 

b. Ensuring that:

(1) the information in the system is accurate, timely, complete, relevant and necessary to accomplish a VA mission;

(2) an accounting of disclosures is maintained; and

(3) the routine uses are compatible with the purposes for which the information was collected.

 

c. Ensuring that procedures for access, correction, or amendment of records that conform to the requirements of this handbook and VA regulations governing the Privacy Act are being followed.

 

d. Ensuring that systems of records notices are kept current and accurate, with particular emphasis on ensuring that routine use statements are current, correct and accurate.

 

e. Preparing new or altered system reports and related documents and ensuring that systems of records are not operated without first preparing the required notices and reports.

 

f. Reviewing each routine use statement every three years to ensure that the disclosures of records under each routine use are still compatible with the purpose for which the information was collected in the system of records.

 

g. Ensuring that the description of recordkeeping practices in the retention and disposal portion of the system notice reflects the retention and disposal of records approved by the Archivist of the United States. In the event there is no approved retention and disposal period for the records, immediate action will be initiated to obtain the approval of the Archivist of the United States.

 

h. Determining whether the system of records may be exempted from certain provisions of the Privacy Act under subsections (j) and (k) of the Act and taking the necessary steps to invoke the exemptions.

 

i. Conducting detailed risk assessments of new or altered systems of records to ensure that appropriate administrative, technical, and physical safeguards are established to protect records in the system from unauthorized disclosure, alteration or access.

 

3. SITUATIONS REQUIRING A REPORT AND FEDERAL REGISTER NOTICE

 

a. New System. A "Report of Intention to Establish a New System" and a Federal Register Notice must be prepared when a new system of records subject to the Privacy Act is proposed. A "new" system is one for which no public notice is currently published in the Federal Register. If a public notice for any specific system of records is withdrawn, suspended, canceled, or terminated and is subsequently proposed for reinstatement, the system of records will be considered a "new" system and subject to the reporting and notice requirements of this handbook.

 

b. Altered Systems of Records. All changes to notices of systems of records must be published in the Federal Register. A report to OMB and Congress is required when a new routine use for the records is added or when the change meets the criteria for being major, as described below.

 

(1) Minor change. A minor change is one that is administrative in nature and does not affect an individual's access to the record or does not meet the criteria for being a major change. For example, a change in the designation of the system manager due to a reorganization does not require a report as long as an individual's ability to gain access to his/her records is not affected. Other examples include changing applicable safeguards as a result of a risk analysis or deleting a routine use when there is no longer a need for the authorized disclosure. These examples are not intended to be all-inclusive.

 

(2) Major change. A major change is:

 

(a) A significant increase or change in the number, types or categories of individuals on whom records are maintained. For example, if a system that originally covered only residents of public housing in major cities is expanded to cover such residents nationwide, the change is major and a report is required. Increases attributable to normal growth should not be reported.

 

(b) A change that expands the types or categories of information maintained. For example, a personnel file that has been expanded to include medical records would require a report.

 

(c) A change that alters the purpose for which the information is used.

 

(d) A change to equipment configuration (either hardware or software) that creates substantially greater access to the records in the system. For example, locating interactive terminals at regional offices for accessing a system formerly accessible only at Central Office would require a report.

 

(e) The addition of an exemption pursuant to Section (j) or (k) of the Act. Note that in submitting a rulemaking for an exemption as part of a report of a new or altered system, the reporting requirements of Executive Order No. 12291 will be met and a separate submission under that order is not necessary.

 

(f) The addition of a routine use pursuant to 5 U.S.C. 552a(b)(3).

 

(3) When a change is made that affects more than one system of records, a single, consolidated new or altered system report (with changes to existing notices and supporting documentation included with the report) may be prepared. This instruction applies to information technology installation, telecommunication network, or any other general changes in information collection, processing, dissemination or storage.

 

4. REPORT CONTENT, FORMAT, AND DISTRIBUTION

 

a. Content. The report for new or altered systems of records has three elements: a transmittal letter, a narrative statement, and supporting documentation that includes a copy of the proposed Federal Register notice.

 

(1) Transmittal Letters.

 

(a) Transmittal letters will be prepared to send three copies of the narrative statement and supporting documentation to each of the following addressees:

 

1. Chairman, Committee on Governmental Affairs, U.S. Senate;

 

2. Ranking Member, Committee on Governmental Affairs, U.S. Senate;

 

3. Chairman, Committee on Government Reform and Oversight, U.S. House of Representatives;

 

4. Ranking Member, Committee on Government Reform and Oversight, U.S. House of Representatives; and

 

5. Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget, Docket Library, NEOB Room 10012, Washington, DC 20503.

 

(b) The transmittal letters will be prepared by the System Manager for the signature of the Assistant Secretary for Management. The letters should contain the name, title (if appropriate), office title and telephone number of the individual who can best answer questions about the system. The letters will state that written inquiries and comments may be addressed to the Secretary of Veterans Affairs, Department of Veterans Affairs (followed by the mail routing symbol of the System Manager, in parentheses), 810 Vermont Avenue, NW, Washington, DC 20420. The letters should contain the assurance that the proposed system does not duplicate any existing VA systems. They should also state that a copy of the report and Federal Register notice has been distributed to the congressional committees and OMB, as required by the Privacy Act. The letters may also include a request for waiver of the reporting time period, as described in paragraph 4b(1)(b) of this handbook.

 

(2) Narrative Statement. The narrative statement should be brief, normally not exceeding four pages. It will make reference, as appropriate, to information in the supporting documentation rather than restating such information. The narrative statement should contain the following information:

 

(a) Description of the purpose for which VA is establishing the system of records.

 

(b) Identification of the authority under which the system is maintained. Every effort should be made to avoid citing housekeeping or general statutes; instead, cite the underlying programmatic authority for collecting, maintaining, and using the information. When the system is being operated to support a housekeeping program, for example, a carpool locator, a general statute that authorizes the Department to keep such records may be cited.

 

(c) An evaluation of the probable or potential effects of the proposed system on the privacy of individuals.

 

(d) A brief description of the steps taken to minimize the risk of unauthorized access to the system of records, including a discussion of higher- or lower-risk alternatives that were considered for meeting the requirements of the system. A detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established will be made available to give to the Director, Information Management Service, and OMB, if requested.

 

(e) An explanation of how each proposed routine use satisfies the requirement that they be compatible with the purpose for which the information is collected. For altered systems, this requirement pertains only to any new proposed routine uses not already published.

 

(f) Identification of OMB control numbers, expiration dates, and titles of any OMB-approved information collection requirements contained in the system of records. (See VA Directive 6310, Forms, Information Collections and Reports Management, and VA Handbook 6310.2, Information Collections Procedures.) If the request for OMB clearance of an information collection is pending, simply state the title of the collection and the date it was submitted for OMB clearance.

 

(3) Supporting Documentation. The following documents will be attached to the narrative statement for each new or altered system:

 

(a) An advance copy of the new or revised system notice, consistent with the provisions of 5 U.S.C. 552a(e)(4), proposed for publication for the new or altered system. For a proposed alteration of an existing system, the documentation will be in the same form as the public notice of the change. If the change will be in the form of a revision to the public notice, the supporting documentation will be a copy of the proposed notice of revision and a copy of the original system of records notice to ensure that reviewers can understand the changes proposed. If the change will be a resubmission of the entire existing notice, changes from the currently published notice will be highlighted by underlining all new or revised portions. If the sole change to an existing system of records is to add a routine use, either republish the entire system of records or a condensed description of the system of records, or a citation to the last full text Federal Register publication.

 

(b) An advance copy of any new or amended regulations or procedures, consistent with the provisions of 5 U.S.C. 552a(f), proposed for publication for the new or altered system. If no change to existing regulations or procedures is required, the report will so state. Proposed changes to existing regulations or procedures will be provided in the same manner as prescribed for the system notices.

 

(c) An advance copy of any proposed regulation setting forth the reasons why the system is to be exempted from any specific provision of the Act, consistent with the provisions of 5 U.S.C. 552a(j), (k) or both, if any exemptions for the new or altered systems are to be invoked.

 

(d) If no changes to existing rules are required, a statement to that effect will be included in the narrative portion of the report. Proposed changes to existing rules shall be provided in the same form as VA proposes to publish for formal notice and comment.

 

b. Timing, Routing for Concurrence, Distribution of the Report and Publication of the Federal Register Notice

 

(1) Timing.

 

(a) The report on new or altered systems of records will be prepared and distributed no later than 40 days prior to establishment of a new system of records. This 40-day period is established to provide Congress and OMB an opportunity to review the proposed new or altered system and to provide comments, if desired. The 40-day period commences on the day the transmittal letter, with attachments, is signed and dispatched.

 

(b) The 40-day advance notification period may be waived by the Director, OMB, provided that:

 

1. The transmittal letter specifically requests a waiver; and

 

2. The Department can demonstrate compelling reasons for not waiting the 40-day period to establish the system or to implement the altered system. To establish compelling reasons, the System Manager must show or state how the public interest would be adversely affected if a waiver were not granted, such as veterans or beneficiaries will be denied timely action on claims, delivery of benefits will be delayed, or a statutorily imposed date must be met. The transmittal letter will contain a clear, concise statement of the reason for requesting a waiver. When a waiver is granted by OMB, VA is not relieved of any other responsibility or liability under the Privacy Act, including the requirement to file a New System Report in accordance with the procedures in this handbook. OMB cannot waive time periods specifically established by the Act. The Department must still meet the statutory notice and comment periods required for establishing a routine use or claiming an exemption. OMB cannot waive the statutory 30-day notice and comment period for new routine uses.

 

(c) VA may assume that OMB concurs in the Privacy Act aspects of the proposed new or altered systems of records if OMB has not commented within 40 days from the date of the transmittal letter. Likewise, VA will assume Congress has no objections or comments if correspondence is not received within the 40-day time period.

 

(d) If comments are received from either OMB or Congress, the comments will be reviewed and a determination made whether to change the proposed new or altered system. After this determination is made, a reply will be prepared, routed for concurrence, and distributed in the same manner as the original transmittal letter and narrative report. The reply will be prepared and dispatched within a 30-day time period after receipt of the comments. If the issues raised by OMB or Congress cannot be resolved in that time period, an interim reply will be sent. If the comments received are of such a nature as to impact the operation of the new or altered system, the new or altered system will not be implemented until the concerns or issues raised by OMB or Congress have been resolved.

 

(2) Routing for Concurrence. The transmittal letter, narrative report, and supporting documentation will be prepared by the System Manager and submitted through routine concurrence channels using VAF 4265, Concurrence and Summary Sheet. The selection of concurring offices will be determined by the System Manager, except that the concurrences of the General Counsel, the Assistant Secretary for Management, and the Deputy Assistant Secretary for Congressional Affairs are required.

 

(3) Publication in the Federal Register. System and routine use notices, as well as exemption rules, may be published in the Federal Register at the same time that the new or altered system report is sent to OMB and Congress. The 40-day period for OMB and Congressional review and the 30-day notice and comment period for routine uses and exemptions will then run concurrently. To expedite the review, concurrence, and approval process, a single package may be prepared containing both the new or altered system reports and the Federal Register Notice.

 

c. All notices, reports, and correspondence relating to new or altered systems of records will be prepared by Central Office elements and approved by the Secretary of Veterans Affairs or his/her designee. Any systems of records established by field stations/activities and not covered by an existing notice will be reported to the VACO element which supervises the field station/activity. The VACO element will prepare the necessary notices and reports required by this handbook. Under the Privacy Act it is illegal to maintain any system of records for which a notice has not been published in the Federal Register. Consequently, all field stations and Central Office elements must exercise extreme care in creating any record system that may be subject to the Act without first reporting its existence as described herein.

 

5. NOTICE OF SYSTEM OF RECORDS

 

a. The Office of the Federal Register prescribes the format that must be followed for notices published in the Federal Register. (See the Federal Register Document Drafting Handbook.) The Privacy Act requires the publication of specific information concerning systems of records described below:

 

(1) SYSTEM NUMBER. This consists of a sequential number assigned by the Office of Policy and Program Assistance, Information Management Service; the Department identification "VA"; and the office symbol of the System Manager. For example, 55VA26 is sequential system number "55" and is the responsibility of the Director, Loan Guaranty Service.

 

(2) SYSTEM NAME. The name is descriptive of the records maintained in the system or the individuals on whom the records are maintained, for example, "Secretary's Official Correspondence Records-VA," or "Blood Donor File-VA." The designated title is always followed by "-VA."

 

(3) SYSTEM LOCATION. Specifically identify each address or location at which records are maintained. For a system with many locations, the list of addresses and locations may be included in an Appendix.

 

(4) CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM. Identify each category of individuals covered by the system. This identification must be specific and be stated in a manner clearly understood by the general public. For example, use the term "veterans" rather than "individuals covered by Title 38." (NOTE: Review current system notices for examples of how to describe categories of individuals.)

 

(5) CATEGORIES OF RECORDS IN THE SYSTEM. Identify as specifically as possible each type of record or information maintained in the system. This must be an all-inclusive list and the record description must be clear and understandable to the general public. Acronyms, abbreviations, and references to public laws and regulations will be avoided.

 

(6) AUTHORITY FOR MAINTENANCE OF THE SYSTEM. Identify the specific statutory provision(s) that authorizes the solicitation and maintenance of the information in the system of records. (See paragraph 4a(2)(b) of this handbook.) The authority must be statutory, not regulatory; that is, cite the United States Code or a public law, rather than the Code of Federal Regulations.

 

(7) PURPOSE(S). Describe the purpose(s) for which VA intends to use information in the system.

 

(8) ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES. These are brief, concise, clear statements of the disclosures of the information maintained in the systems of records. The term "routine use" means the disclosure of a record or information from the system for a purpose that is compatible with the purpose for which it was collected. The statement of a routine use must identify, as specifically as possible, the information that may be disclosed under the routine use, to whom the record(s) or information may be given, and the purpose(s) or use(s) for which information may be disclosed. Routine use statements will be numbered sequentially. (NOTE: This paragraph is the most critical portion of the notice. If there is no routine use statement or the statement is not written precisely, the Department may not be able to disclose information from the system of records when it wishes to initiate a disclosure or when disclosure is requested by a third party.)

 

(9) DISCLOSURE TO CONSUMER REPORTING AGENCIES. This item is optional only if the agency does not disclose information from the system of records to consumer reporting agencies. If the agency discloses information to consumer reporting agencies, in this part of the system notice, the system manager must describe the records disclosed to consumer reporting agencies and the situations in which VA will disclose the records.

 

(10) POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM.

 

(a) STORAGE. Specifically describe the medium and/or manner in which the records are maintained, such as microfilm, magnetic tape, floppy disk, or paper file folders. If this varies by location, such as Central Office and field facilities, explain the storage at each location.

 

(b) RETRIEVABILITY. Describe how the records are indexed and retrieved. For example, "Paper claims file folders are indexed by name of veteran and VA file number. Automated folders are indexed by name, VA file number, payee name, and type of benefit."

 

(c) SAFEGUARDS. Briefly describe measures taken to prevent unauthorized access and disclosure of records, such as physical security, personnel screening or technical safeguards. Safeguards from natural disasters, such as tornadoes, and backup and offsite storage and operations if the site is damaged or destroyed, as well as the estimated time to return the system to operation should be included. A statement such as "Standard security procedures will be followed" is not sufficient.

 

(d) RETENTION AND DISPOSAL. Describe how long the records are maintained and how VA disposes of them. Only the Archivist of the United States may authorize the retention and disposal of the records of the Federal Government. Approved retention and disposal periods are found in VA's Records Control Schedules (RCS) or in the General Records Schedules (GRS) published by the National Archives and Records Administration. The information in this subparagraph must reflect the same information in the RCS or the GRS. If the information is not in those documents, or if multiple retention periods apply, the following statement will be used: "Records are maintained and disposed of in accordance with records disposition authority approved by the Archivist of the United States." If the Archivist has not approved disposition authority for any records covered by the system notice, the System Manager will take immediate action to have the disposition of records in the system reviewed and paperwork initiated to obtain an approved records disposition authority in accordance with VA Handbook 6300.1, Records Management Procedures. The records may not be destroyed until VA obtains an approved records disposition authority.

 

(11) SYSTEM MANAGER(S) AND ADDRESS. Provide the title, office symbol and address of the VA official responsible for the policies and practices governing the system of records. Do not include the individual's name.

 

(12) NOTIFICATION PROCEDURE. Provide the address(es) of the VA office(s) to which inquiries should be sent and address(es) of the location at which the individual may present a request as to whether a system contains records pertaining to himself/herself. Include any identifying information that an individual is required to provide to permit the Department to determine if a system contains a record about the individual. "Notification" is the "where and how" of determining if a system contains records pertaining to the individual; whereas, a "System Manager" is the official responsible for the record system policies and procedures. Where there are several locations for a single system of records, there should be a single system manager in charge of the entire system and different VA employees handling notification inquiries at each location. If a system manager performs the notification function as well as system manager duties, "same as above" may be used.

 

(13) RECORD ACCESS PROCEDURES. Provide the name(s) and address(es) of the VA office(s) to which the individual may go or write to obtain information from his/her record. This information is for the individual who already knows that a system contains information about him/her.

 

(14) CONTESTING RECORDS PROCEDURES. Provide the address(es) of the VA office(s) to which an individual may go or write to contest a record. If this information is the same as in Record Access Procedures, the statement "Same as Records Access Procedures" may be used.

 

(15) RECORD SOURCE CATEGORIES. Describe as specifically as possible the source of the records or information in the system. For example, did the information come from an individual, employees, informants or some other entity or government unit?

 

(16) EXEMPTIONS CLAIMED FOR THE SYSTEM. State the specific provisions of the Privacy Act from which the system is being exempted and the specific reason(s) for exempting the system from those provisions. (NOTE: This item is optional. The only time an entry may be made in this paragraph is if VA regulations have been amended to identify the system as exempt.)

 

b. Once a system notice is published in the Federal Register, it must be kept current by publishing a notice of any changes that are made to the system. Except for changes to routine use statements, no public comment on the changes is required. When routine use statements are added to a system notice or existing statements are changed, a 30-day period for public comment is required. If comments are received during the comment period, a second notice must be published. The second notice will briefly state the nature of the comment(s) received; give the reason(s) for changing or not changing the routine use statement; and indicate how the statement is changed, if appropriate.

 

c. It is VA's policy to publish system notices that cover the entire complex of records used by VA in administering a particular program and which have a common purpose. For example, all medical centers and outpatient clinics maintain medical records on individuals. One notice covering all patient medical records is published, and there is one System Manager for this broad record system. The practice of using broad system notices does not change the requirement for publishing notices for systems of records maintained by only one office or field activity. The primary consideration in defining systems of records is the purpose(s) of the system.

 

6. DESCRIPTION OF PRIVACY ACT REVIEWS

 

The following is a brief description of Privacy Act activity that must be reviewed (See Figure 3-1, Schedule of Privacy Act Reviews, for a listing of areas to be reviewed, the action office(s), frequency of review, and action required.):

 

a. Section (m) Contracts. Contracts are required to address the security to be provided to the records and to state that any requests for access to, or disclosure of, the records are to be referred to the system manager for response. A sample of contracts that provide for the maintenance of a system of records on behalf of the Department to accomplish a Department function is reviewed to ensure that the wording of each contract makes the provisions of the Privacy Act apply (5 U.S.C. 552a(m)(1)). Note that the Federal Acquisition Regulation provides two paragraphs that are to be added to a contract covered by section (m), and note also that these paragraphs anticipate that VA will add the system or systems of records to be maintained by the contractor.

 

b. Recordkeeping Practices. Department recordkeeping and disposal policies and practices are reviewed to assure compliance with the Privacy Act, paying particular attention to the maintenance of automated record systems.

 

c. Routine Use Disclosures. Routine use disclosures associated with each system of records subject to the Privacy Act are reviewed to ensure that the user's (recipient's) use of the records continues to be compatible with the purpose for which the Department collected the information (5 U.S.C. 552a(a)(7) and (b)(3)).

 

d. Exemption of Systems of Records. Each system of records for which an agency has promulgated exemption rules pursuant to the Privacy Act is reviewed to determine whether such exemption is still needed.

 

e. Computer Matching Programs. Each ongoing computer matching program in which the Department has participated during the year, either as a source or recipient agency, is reviewed to ensure that the requirements of the Privacy Act, the OMB matching guidance, and VA Handbook 6300.7, Procedures for Computer Matching Programs, have been met.

 

f. Privacy Act Training. Training procedures are reviewed to ensure that all VA employees are familiar with the requirements of the Privacy Act, VA's implementing regulations, the provisions of this handbook, and any special requirements that their jobs entail.

g. Violations. The circumstances and actions of VA employees that resulted either in VA being found civilly liable under Section (g) of the Act, or an employee being found criminally liable under the provisions of Section (i) of the Act, are to be reviewed to determine the extent of the problem and to find the most effective way to prevent recurrence of the problem (5 U.S.C. 552a(g) and (i)). VA employees are required to report any suspected criminal law violations, including violations of subsection (i) of the Privacy Act, to the Office of Inspector General.

h. Systems of Records Notices. Each system of records notice is reviewed to ensure that it accurately describes the system and that it contains current administrative information, such as titles of VA officials, addresses, or office symbols (5 U.S.C. 552a(e)).

SCHEDULE OF PRIVACY ACT REVIEWS

1. Review Item: Section (m) Contracts
Action Office(s): Office of DAS/Acquisition and Materiel Management
Frequency of Review: Every two years
Action Required:
   1. Develop plan to accomplish review.
   2. Perform review and provide results as part of the Biennial Privacy Act Report.

2. Review Item: Recordkeeping Practices
Action Office(s): Each VACO organizational element
Frequency of Review: Annually
Action Required:
   1. Develop plan and procedures to accomplish review. (Ensure that procedures cover field locations.)
   2. Perform review and provide results as part of the Biennial Privacy Act Report.

3. Review Item: Routine Use Disclosures
Action Office(s): Each VACO organizational element that manages or operates a system of records subject to the Act
Frequency of Review: Every three years
Action Required:
   1. Develop plan and procedures to accomplish review.
   2. Perform review and provide results as part of the Biennial Privacy Act Report. Report will identify each system for which routine use changes or deletions must be made, the specific routine use statement to be changed or deleted, and the reason for the change or deletion.
   3. Prepare Federal Register Notice and related paperwork.

4. Review Item: Exemption of System of Records
Action Office(s): Each VACO element that manages an exempt system of records
Frequency of Review: Every three years
Action Required:
   1. Review exempt system.
   2. Report results as part of the Biennial Privacy Act Report.

5. Review Item: Computer Matching Programs
Action Office(s): Each VACO organizational element that manages systems of records used for an ongoing computer matching program
Frequency of Review: Annually
Action Required:
   1. Develop plan and procedures to accomplish review.
   2. Perform review and provide results as part of the Biennial Matching Activities Report.

6. Review Item: Privacy Act Training
Action Office(s): Office of AS/Human Resources and Administration
Frequency of Review: Annually
Action Required:
   1. Ensure that training in all matters relating to the administration and implementation of the Privacy Act is incorporated into VA's overall training program.
   2. Provide certification that the above requirement has been accomplished as part of the Biennial Privacy Act Report.
Action Office(s): Each VACO organizational element
Frequency of Review: Annually
Action Required:
   1. Develop plan and procedures to review training program. Objective is to ensure that all personnel are familiar with the Privacy Act, implementing regulations, and the provisions of this handbook.
   2. Perform review and report results as part of the Biennial Privacy Act Report.

7. Review Item: Violations
Action Office(s): Office of AS/Management
Frequency of Review: Annually
Action Required:
   1. Obtain reports of any violations.
   2. Review reports and, as necessary, develop or change procedures to prevent a recurrence.

8. Review Item: System of Records Notice
Action Office(s): Each VACO organizational element that manages a system of records
Frequency of Review: Annually
Action Required:
   1. Review each system notice for which responsible.
   2. Provide results of review as part of the Biennial Privacy Act Report. Identify any system that needs to be changed and describe what the changes are.
   3. Prepare Federal Register Notice and related paperwork.

Figure 3-1