5 U.S.C. 552a; 42 U.S.C. 12501 et seq. ; 42 U.S.C. 4950 et seq.
64 FR 19294, Apr. 20, 1999, unless otherwise noted.
(a) Amend means to make a correction to, or expunge any portion of, a record about an individual which that individual believes is not accurate, relevant, timely, or complete.
(b) Appeal Officer means the individual delegated the responsibility to act on all appeals filed under the Privacy Act.
(c) Chief Executive Officer means the Head of the Corporation.
(d) Corporation means the Corporation for National and Community Service.
(e) Individual means any citizen of the United States or an alien lawfully admitted for permanent residence.
(f) Maintain means to collect, use, store, disseminate or any combination of these recordkeeping functions; exercise of control over and therefore, responsibility and accountability for, systems of records.
(g) Personnel record means any information about an individual that is maintained in a system of records by the Corporation that is needed for personnel management or processes such as staffing, employment development, retirement, grievances, and appeals.
(h) Privacy Act Officer means the individual delegated the authority to allow access to, the release of, or the withholding of records pursuant to an official Privacy Act request. The Privacy Act Officer is further delegated the authority to make the initial determination on all requests to amend records.
(i) Record means any document or other information about an individual maintained by the agency whether collected or grouped, and including, but not limited to, information regarding education, financial transactions, medical history, criminal or employment history, or any other personal information that contains the name or other personal identification number, symbol, etc. assigned to such individual.
(j) Routine use means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.
(k) System of records means a group of any records under the maintenance and control of the Corporation from which information is retrieved by use of the name of an individual or by some personal identifier of the individual.
§ 2508.2 What is the purpose of this part?
The purpose of this part is to set forth the basic policies of the Corporation governing the maintenance of its system of records which contains personal information concerning its employees as defined in the Privacy Act (5 U.S.C. 552a). Records included in this part are those described in aforesaid act and maintained by the Corporation and/or any component thereof.
§ 2508.3 What is the Corporation's Privacy Act policy?
It is the policy of the Corporation to protect, preserve, and defend the right of privacy of any individual about whom the Corporation maintains personal information in any system of records and to provide appropriate and complete access to such records including adequate opportunity to correct any errors in said records. Further, it is the policy of the Corporation to maintain its records in such a manner that the information contained therein is, and remains material and relevant to the purposes for which it is received in order to maintain its records with fairness to the individuals who are the subjects of such records.
§ 2508.4 When can Corporation records be disclosed?
(a) (1) The Corporation will not disclose any record that is contained in its system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of the individual to whom the record pertains, unless disclosure of the record would be:
(i) To employees of the Corporation who maintain the record and who have a need for the record in the performance of their official duties;
(ii) When required under the provisions of the Freedom of Information Act (5 U.S.C. 552);
(iii) For routine uses as appropriately published in the annual notice of the Federal Register;
(iv) To the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of title 13;
(v) To a recipient who has provided the Corporation with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable;
(vi) To the National Archives and Records Administration of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value;
(vii) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the Corporation for such records specifying the particular portion desired and the law enforcement activity for which the record is sought. Such a record may also be disclosed by the Corporation to the law enforcement agency on its own initiative in situations in which criminal conduct is suspected provided that such disclosure has been established as a routine use or in situations in which the misconduct is directly related to the purpose for which the record is maintained;
(viii) To a person pursuant to a showing of compelling circumstances affecting the health or safety of any individual if, upon such disclosure, notification is transmitted to the last known address of such individual;
(ix) To either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee;
(x) To the Comptroller General or any of his or her authorized representatives, in the course of the performance of official duties in the General Accounting Office;
(xi) Pursuant to an order of a court of competent jurisdiction served upon the Corporation pursuant to 45 CFR 1201.3, and provided that if any such record is disclosed under such compulsory legal process and subsequently made public by the court which issued it, the Corporation must make a reasonable effort to notify the individual to whom the record pertains of such disclosure;
(xii) To a contractor, expert, or consultant of the Corporation (or an office within the Corporation) when the purpose of the release to perform a survey, audit, or other review of the Corporation's procedures and operations; and
(xiii) To a consumer reporting agency in accordance with section 3711(f) of title 31.
§ 2508.5 When does the Corporation publish its notice of its system of records?
The Corporation shall publish annually a notice of its system of records maintained by it as defined herein in the format prescribed by the General Services Administration in the Federal Register ; provided, however, that such publication shall not be made for those systems of records maintained by other agencies while in the temporary custody of the Corporation.
§ 2508.6 When will the Corporation publish a notice for new routine uses of information in its system of records?
At least 30 days prior to publication of information under the preceding section, the Corporation shall publish in the Federal Register a notice of its intention to establish any new routine use of any system of records maintained by it with an opportunity for public comments on such use. Such notice shall contain the following:
(a) The name of the system of records for which the routine use is to be established.
(b) The authority for the system.
(c) The purpose for which the record is to be maintained.
(d) The proposed routine use(s).
(e) The purpose of the routine use(s).
(f) The categories of recipients of such use. In the event of any request for an addition to the routine uses of the systems which the Corporation maintains, such request may be sent to the following office: Corporation for National and Community Service, Director, Administration and Management Services, Room 6100, 1201 New York Avenue, NW, Washington, DC 20525.
§ 2508.7 To whom does the Corporation provide reports regarding changes in its system of records?
The Corporation shall provide to the Committee on Government Operations of the House of Representatives, the Committee on Governmental Affairs of the Senate, and the Office of Management and Budget, advance notice of any proposal to establish or alter any system of records as defined herein. This report will be submitted in accordance with guidelines provided by the Office of Management and Budget.
§ 2508.8 Who is responsible for establishing the Corporation's rules of conduct for Privacy Act compliance?
(a) The Chief Executive Officer shall ensure that all persons involved in the design, development, operation or maintenance of any system of records as defined herein are informed of all requirements necessary to protect the privacy of individuals who are the subject of such records. All employees shall be informed of all implications of the Act in this area including the civil remedies provided under 5 U.S.C. 552a(g)(1) and the fact that the Corporation may be subject to civil remedies for failure to comply with the provisions of the Privacy Act and this regulation.
(b) The Chief Executive Officer shall also ensure that all personnel having access to records receive adequate training in the protection of the security of personal records, and that adequate and proper storage is provided for all such records with sufficient security to assure the privacy of such records.
§ 2508.9 What officials are responsible for the security, management and control of Corporation record keeping systems?
(a) The Director of Administration and Management Services shall have overall control and supervision of the security of all systems of records and shall be responsible for monitoring the security standards set forth in this regulation.
(b) A designated official (System Manager) shall be named who shall have management responsibility for each record system maintained by the Corporation and who shall be responsible for providing protection and accountability for such records at all times and for insuring that such records are secured in appropriate containers whenever not in use or in the direct control of authorized personnel.
§ 2508.10 Who has the responsibility for maintaining adequate technical, physical, and security safeguards to prevent unauthorized disclosure or destruction of manual and automatic record systems?
The Chief Executive Officer has the responsibility of maintaining adequate technical, physical, and security safeguards to prevent unauthorized disclosure or destruction of manual and automatic record systems. These security safeguards shall apply to all systems in which identifiable personal data are processed or maintained, including all reports and outputs from such systems that contain identifiable personal information. Such safeguards must be sufficient to prevent negligent, accidental, or unintentional disclosure, modification or destruction of any personal records or data, and must furthermore minimize, to the extent practicable, the risk that skilled technicians or knowledgeable persons could improperly obtain access to modify or destroy such records or data and shall further insure against such casual entry by unskilled persons without official reasons for access to such records or data.
(a) Manual systems. (1) Records contained in a system of records as defined herein may be used, held or stored only where facilities are adequate to prevent unauthorized access by persons within or outside the Corporation.
(2) All records, when not under the personal control of the employees authorized to use the records, must be stored in a locked metal filing cabinet. Some systems of records are not of such confidential nature that their disclosure would constitute a harm to an individual who is the subject of such record. However, records in this category shall also be maintained in locked metal filing cabinets or maintained in a secured room with a locking door.
(3) Access to and use of a system of records shall be permitted only to persons whose duties require such access within the Corporation, for routine uses as defined in §2508.4 as to any given system, or for such other uses as may be provided herein.
(4) Other than for access within the Corporation to persons needing such records in the performance of their official duties or routine uses as defined in §2508.4, or such other uses as provided herein, access to records within a system of records shall be permitted only to the individual to whom the record pertains or upon his or her written request to the Director, Administration and Management Services.
(5) Access to areas where a system of records is stored will be limited to those persons whose duties require work in such areas. There shall be an accounting of the removal of any records from such storage areas utilizing a written log, as directed by the Director, Administration and Management Services. The written log shall be maintained at all times.
(6) The Corporation shall ensure that all persons whose duties require access to and use of records contained in a system of records are adequately trained to protect the security and privacy of such records.
(7) The disposal and destruction of records within a system of records shall be in accordance with rules promulgated by the General Services Administration.
(b) Automated systems. (1) Identifiable personal information may be processed, stored or maintained by automated data systems only where facilities or conditions are adequate to prevent unauthorized access to such systems in any form. Whenever such data, whether contained in punch cards, magnetic tapes or discs, are not under the personal control of an authorized person, such information must be stored in a locked or secured room, or in such other facility having greater safeguards than those provided for herein.
(2) Access to and use of identifiable personal data associated with automated data systems shall be limited to those persons whose duties require such access. Proper control of personal data in any form associated with automated data systems shall be maintained at all times, including maintenance of accountability records showing disposition of input and output documents.
(3) All persons whose duties require access to processing and maintenance of identifiable personal data and automated systems shall be adequately trained in the security and privacy of personal data.
(4) The disposal and disposition of identifiable personal data and automated systems shall be done by shredding, burning or in the case of tapes or discs, degaussing, in accordance with any regulations now or hereafter proposed by the General Services Administration or other appropriate authority.
§ 2508.11 How shall offices maintaining a system of records be accountable for those records to prevent unauthorized disclosure of information?
(a) Each office maintaining a system of records shall account for all records within such system by maintaining a written log in the form prescribed by the Director, Administration and Management Services, containing the following information:
(1) The date, nature, and purpose of each disclosure of a record to any person or to another agency. Disclosures made to employees of the Corporation in the normal course of their duties, or pursuant to the provisions of the Freedom of Information Act, need not be accounted for.
(2) Such accounting shall contain the name and address of the person or agency to whom the disclosure was made.
(3) The accounting shall be maintained in accordance with a system of records approved by the Director, Administration and Management Services, as sufficient for the purpose but in any event sufficient to permit the construction of a listing of all disclosures at appropriate periodic intervals.
(4) The accounting shall reference any justification or basis upon which any release was made including any written documentation required when records are released for statistical or law enforcement purposes under the provisions of subsection (b) of the Privacy Act of 1974 (5 U.S.C. 552a).
(5) For the purpose of this part, the system of accounting for disclosures is not a system of records under the definitions hereof, and need not be maintained within a system of records.
(6) Any subject individual may request access to an accounting of disclosures of a record. The subject individual shall make a request for access to an accounting in accordance with §2508.13. An individual will be granted access to an accounting of the disclosures of a record in accordance with the procedures of this subpart which govern access to the related record. Access to an accounting of a disclosure of a record made under §2508.13 may be granted at the discretion of the Director, Administration and Management Services.
§ 2508.12 What are the contents of the systems of record that are to be maintained by the Corporation?
(a) The Corporation shall maintain all records that are used in making determinations about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination;
(b) In situations in which the information may result in adverse determinations about such individual's rights, benefits and privileges under any Federal program, all information placed in a system of records shall, to the greatest extent practicable, be collected from the individual to whom the record pertains.
(c) Each form or other document that an individual is expected to complete in order to provide information for any system of records shall have appended thereto, or in the body of the document:
(1) An indication of the authority authorizing the solicitation of the information and whether the provision of the information is mandatory or voluntary.
(2) The purpose or purposes for which the information is intended to be used.
(3) Routine uses which may be made of the information and published pursuant to §2508.6.
(4) The effect on the individual, if any, of not providing all or part of the required or requested information.
(d) Records maintained in any system of records used by the Corporation to make any determination about any individual shall be maintained with such accuracy, relevancy, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the making of any determination about such individual, provided, however, that the Corporation shall not be required to update or keep current retired records.
(e) Before disseminating any record about any individual to any person other than an employee in the Corporation, unless the dissemination is made pursuant to the provisions of the Freedom of Information Act (5 U.S.C. 552), the Corporation shall make reasonable efforts to ensure that such records are, or were at the time they were collected, accurate, complete, timely and relevant for Corporation purposes.
(f) Under no circumstances shall the Corporation maintain any record about any individual with respect to or describing how such individual exercises rights guaranteed by the First Amendment of the Constitution of the United States, unless expressly authorized by statute or by the individual about whom the record is maintained, or unless pertinent to and within the scope of an authorized law enforcement activity.
(g) In the event any record is disclosed as a result of the order of a court of appropriate jurisdiction, the Corporation shall make reasonable efforts to notify the individual whose record was so disclosed after the process becomes a matter of public record.
§ 2508.13 What are the procedures for acquiring access to Corporation records by an individual about whom a record is maintained?
(a) Any request for access to records from any individual about whom a record is maintained will be addressed to the Corporation for National and Community Service, Office of the General Counsel, Attn: Privacy Act Officer, Room 8200, 1201 New York Avenue, NW, Washington, DC 20525, or delivered in person during regular business hours, whereupon access to his or her record, or to any information contained therein, if determined to be releasable, shall be provided.
(b) If the request is made in person, such individual may, upon his or her request, be accompanied by a person of his or her choosing to review the record and shall be provided an opportunity to have a copy made of any record about such individual.
(c) A record may be disclosed to a representative chosen by the individual as to whom a record is maintained upon the proper written consent of such individual.
(d) A request made in person will be promptly complied with if the records sought are in the immediate custody of the Corporation. Mailed requests or personal requests for documents in storage or otherwise not immediately available, will be acknowledged within 10 working days, and the information requested will be promptly provided thereafter.
(e) With regard to any request for disclosure of a record, the following procedures shall apply:
(1) Medical or psychological records shall be disclosed to an individual unless, in the judgment of the Corporation, access to such records might have an adverse effect upon such individual. When such determination has been made, the Corporation may require that the information be disclosed only to a physician chosen by the requesting individual. Such physician shall have full authority to disclose all or any portion of such record to the requesting individual in the exercise of his or her professional judgment.
(2) Test material and copies of certificates or other lists of eligibles or any other listing, the disclosure of which would violate the privacy of any other individual, or be otherwise exempted by the provisions of the Privacy Act, shall be removed from the record before disclosure to any individual to whom the record pertains.
§ 2508.14 What are the identification requirements for individuals who request access to records?
The Corporation shall require reasonable identification of all individuals who request access to records to ensure that records are disclosed to the proper person.
(a) In the event an individual requests disclosure in person, such individual shall be required to show an identification card such as a drivers license, etc., containing a photo and a sample signature of such individual. Such individual may also be required to sign a statement under oath as to his or her identity, acknowledging that he or she is aware of the penalties for improper disclosure under the provisions of the Privacy Act.
(b) In the event that disclosure is requested by mail, the Corporation may request such information as may be necessary to reasonably ensure that the individual making such request is properly identified. In certain cases, the Corporation may require that a mail request be notarized with an indication that the notary received an acknowledgment of identity from the individual making such request.
(c) In the event an individual is unable to provide suitable documentation or identification, the Corporation may require a signed notarized statement asserting the identity of the individual and stipulating that the individual understands that knowingly or willfully seeking or obtaining access to records about another person under false pretenses is punishable by a fine of up to $5,000.
(d) In the event a requestor wishes to be accompanied by another person while reviewing his or her records, the Corporation may require a written statement authorizing discussion of his or her records in the presence of the accompanying representative or other persons.
§ 2508.15 What are the procedures for requesting inspection of, amendment or correction to, or appeal of an individual's records maintained by the Corporation other than that individual's official personnel file?
(a) A request for inspection of any record shall be made to the Director, Administration and Management Services. Such request may be made by mail or in person provided, however, that requests made in person may be required to be made upon a form provided by the Director of Administration and Management Services who shall keep a current list of all systems of records maintained by the Corporation and published in accordance with the provisions of this regulation. However, the request need not be in writing if the individual makes his or her request in person. The requesting individual may request that the Corporation compile all records pertaining to such individual at any named Service Center/State Office, AmeriCorps*NCCC Campus, or at Corporation Headquarters in Washington, DC, for the individual's inspection and/or copying. In the event an individual makes such request for a compilation of all records pertaining to him or her in various locations, appropriate time for such compilation shall be provided as may be necessary to promptly comply with such requests.
(b) Any such requests should contain, at a minimum, identifying information needed to locate any given record and a brief description of the item or items of information required in the event the individual wishes to see less than all records maintained about him or her.
(1) In the event an individual, after examination of his or her record, desires to request an amendment or correction of such records, the request must be submitted in writing and addressed to the Corporation for National and Community Service, Office of the General Counsel, Attn: Privacy Act Officer, Room 8200, 1201 New York Avenue, NW, Washington, DC 20525. In his or her written request, the individual shall specify:
(i) The system of records from which the record is retrieved;
(ii) The particular record that he or she is seeking to amend or correct;
(iii) Whether he or she is seeking an addition to or a deletion or substitution of the record; and,
(iv) His or her reasons for requesting amendment or correction of the record.
(2) A request for amendment or correction of a record will be acknowledged within 10 working days of its receipt unless the request can be processed and the individual informed of the Privacy Act Officer's decision on the request within that 10 day period.
(3) If the Privacy Act Officer agrees that the record is not accurate, timely, or complete, based on a preponderance of the evidence, the record will be corrected or amended. The record will be deleted without regard to its accuracy, if the record is not relevant or necessary to accomplish the Corporation's function for which the record was provided or is maintained. In either case, the individual will be informed in writing of the amendment, correction, or deletion and, if accounting was made of prior disclosures of the record, all previous recipients of the record will be informed of the corrective action taken.
(4) If the Privacy Act Officer does not agree that the record should be amended or corrected, the individual will be informed in writing of the refusal to amend or correct the record. He or she will also be informed that he or she may appeal the refusal to amend or correct his or her record in accordance with §2508.17.
(5) Requests to amend or correct a record governed by the regulation of another government agency will be forwarded to such government agency for processing and the individual will be informed in writing of the referral.
(c) In the event an individual disagrees with the Privacy Act Officer's initial determination, he or she may appeal such determination to the Appeal Officer in accordance with §2508.17. Such request for review must be made within 30 days after receipt by the requestor of the initial refusal to amend.
§ 2508.16 What are the procedures for filing an appeal for refusal to amend or correct records?
(a) In the event an individual desires to appeal any refusal to correct or amend records, he or she may do so by addressing, in writing, such appeal to the Corporation for National and Community Service, Office of the Chief Operating Officer, Attn: Appeal Officer, 1201 New York Avenue NW, Washington, DC 20525. Although there is no time limit for such appeals, the Corporation shall be under no obligation to maintain copies of original requests or responses thereto beyond 180 days from the date of the original request.
(b) An appeal will be completed within 30 working days from its receipt by the Appeal Officer; except that, the appeal authority may, for good cause, extend this period for an additional 30 days. Should the appeal period be extended, the individual appealing the original refusal will be informed in writing of the extension and the circumstances of the delay. The individual's request for access to or to amend or correct the record, the Privacy Act Officer's refusal to amend or correct the record, and any other pertinent material relating to the appeal will be reviewed. No hearing will be held.
(c) If the Appeal Officer determines that the record that is the subject of the appeal should be amended or corrected, the record will be amended or corrected and the individual will be informed in writing of the amendment or correction. Where an accounting was made of prior disclosures of the record, all previous recipients of the record will be informed of the corrective action taken.
(d) If the appeal is denied, the subject individual will be informed in writing:
(1) Of the denial and reasons for the denial;
(2) That he or she has a right to seek judicial review of the denial; and
(3) That he or she may submit to the Appeal Officer a concise statement of disagreement to be associated with the disputed record and disclosed whenever the record is disclosed.
(e) Whenever an individual submits a statement of disagreement to the Appeal Officer in accordance with paragraph (d)(3) of this section, the record will be annotated to indicate that it is disputed. In any subsequent disclosure, a copy of the subject individual's statement of disagreement will be disclosed with the record. If the appeal authority deems it appropriate, a concise statement of the Appeal Officer's reasons for denying the individual's appeal may also be disclosed with the record. While the individual will have access to this statement of reasons, such statement will not be subject to correction or amendment. Where an accounting was made of prior disclosures of the record, all previous recipients of the record will be provided a copy of the individual's statement of disagreement, as well as the statement, if any, of the Appeal Officer's reasons for denying the individual's appeal.
§ 2508.17 When shall fees be charged and at what rate?
(a) No fees shall be charged for search time or for any other time expended by the Corporation to review or produce a record except where an individual requests that a copy be made of the record to which he or she is granted access. Where a copy of the record must be made in order to provide access to the record (e.g., computer printout where no screen reading is available), the copy will be made available to the individual without cost.
(b) The applicable fee schedule is as follows:
(1) Each copy of each page, up to 81/2&inch;×14&inch;, made by photocopy or similar process is $0.10 per page.
(2) Each copy of each microform frame printed on paper is $0.25.
(3) Each aperture card is $0.25.
(4) Each 105-mm fiche is $0.25.
(5) Each 100′ foot role of 35-mm microfilm is $7.00.
(6) Each 100′ foot role of 16-mm microfilm is $6.00.
(7) Each page of computer printout without regard to the number of carbon copies concurrently printed is $0.20.
(8) Copying records not susceptible to photocopying (e.g., punch cards or magnetic tapes), at actual cost to be determined on a case-by-case basis.
(9) Other copying forms (e.g., typing or printing) will be charged at direct costs, including personnel and equipment costs.
(c) All copying fees shall be paid by the individual before the copying will be undertaken. Payments shall be made by check or money order payable to the “Corporation for National and Community Service,” and provided to the Privacy Act Officer processing the request.
(d) A copying fee shall not be charged or collected, or alternatively, it may be reduced, when it is determined by the Privacy Act Officer, based on a petition, that the petitioning individual is indigent and that the Corporation's resources permit a waiver of all or part of the fee. An individual is deemed to be indigent when he or she is without income or lacks the resources sufficient to pay the fees.
(e) Special and additional services provided at the request of the individual, such as certification or authentication, postal insurance and special mailing arrangement costs, will be charged to the individual.
(f) A copying fee totaling $5.00 or less shall be waived, but the copying fees for contemporaneous requests by the same individual shall be aggregated to determine the total fee.
§ 2508.18 What are the penalties for obtaining a record under false pretenses?
The Privacy Act provides, in pertinent part that:
(a) Any person who knowingly and willfully requests to obtain any record concerning an individual from the Corporation under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000 (5 U.S.C. 552a(I)(3)).
(b) A person who falsely or fraudulently attempts to obtain records under the Privacy Act also may be subject to prosecution under such other criminal statutes as 18 U.S.C. 494, 495 and 1001.
§ 2508.19 What Privacy Act exemptions or control of systems of records are exempt from disclosure?
(a) Certain systems of records that are maintained by the Corporation are exempted from provisions of the Privacy Act in accordance with exemptions (j) and (k) of 5 U.S.C. 552a.
(1) Exemption of Inspector General system of records. Pursuant to, and limited by 5 U.S.C. 552a(j)(2), the system of records maintained by the Office of the Inspector General that contains the Investigative Files shall be exempted from the provisions of 5 U.S.C. 552a, except subsections (b), (c) (1) and (2), (e)(4) (A) through (F), (e)(6)(7), (9), (10), and (11), and (I), and 45 CFR 2508.11, 2508.12, 2508.13, 2508.14, 2508.15, 2508.16, and 2508.17, insofar as the system contains information pertaining to criminal law enforcement investigations.
(2) Pursuant to, and limited by 5 U.S.C. 552a(k)(2), the system of records maintained by the Office of the Inspector General that contains the Investigative Files shall be exempted from 5 U.S.C. 552a (c)(3), (d), (e)(1), (e)(4) (G), (H), and (I), and (f), and 45 CFR 2508.11, 2508.12, 2508.13, 2508.14, 2508.15, 2508.16, and 2508.17, insofar as the system contains investigatory materials compiled for law enforcement purposes.
(b) Exemptions to the General Counsel system of records. Pursuant to, and limited by 5 U.S.C. 552a(d)(5), the system of records maintained by the Office of the General Counsel that contains the Legal Office Litigation/Correspondence Files shall be exempted from the provisions of 5 U.S.C. 552a(d)(5), and 45 CFR 2508.4, insofar as the system contains information compiled in reasonable anticipation of a civil action or proceeding.
§ 2508.20 What are the restrictions regarding the release of mailing lists?
An individual's name and address may not be sold or rented by the Corporation unless such action is specifically authorized by law. This section does not require the withholding of names and addresses otherwise permitted to be made public.