[Federal Register Volume 85, Number 200 (Thursday, October 15, 2020)]
[Rules and Regulations]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-21011]
OCCUPATIONAL SAFETY AND HEALTH REVIEW COMMISSION
29 CFR Part 2400
Regulations Implementing the Privacy Act
AGENCY: Occupational Safety and Health Review Commission.
ACTION: Final rule.
SUMMARY: The Occupational Safety and Health Review Commission (OSHRC)
is amending its regulations implementing the Privacy Act of 1974. The
amendments to the Privacy Act regulations, which were last revised in
2006, are intended to both modernize the regulations and make them
simpler to understand.
DATES: Effective October 15, 2020.
FOR FURTHER INFORMATION CONTACT: Ron Bailey, Attorney Advisor, Office
of General Counsel, by telephone at (202) 606-5410 or by email at
I. Revisions to Part 2400
OSHRC's regulations implementing the Privacy Act, 29 CFR part 2400,
were promulgated on January 19, 1979, 44 FR 3968, and revised on April
30, 1993, 58 FR 26065, and September 29, 2006, 71 FR 57421. OSHRC is
revising these regulations to both modernize and streamline them. For
the convenience of the reader, OSHRC has reproduced the regulations and
their revisions in their entirety.
Throughout part 2400, OSHRC is revising language primarily to (1)
clarify whether the word ``days'' refers to working days or calendar
days and to eliminate numbers written as words; (2) eliminate exclusive
use of male pronouns and, where possible, minimize the use of gender-
specific pronouns; (3) use the phrase ``personal records'' where
appropriate to refer to records that are about an individual; (4)
streamline or clarify sentences without changing substantive
requirements; and (5) account for deleted or renumbered provisions
referenced in this part. Additional amendments to part 2400 are
discussed below in regulatory sequence.
In 29 CFR 2400.1 (Purpose and scope), OSHRC is making several
amendments to clarify what part 2400 covers. In 2006, OSHRC amended
this provision to state that ``[t]his part is applicable only to
records that are maintained by the Occupational Safety and Health
Review Commission . . . except for records that are disclosed to
consumer reporting agencies under section 3711(e) of title 31, United
States Code.'' The statutory requirement, 5 U.S.C. 552a(m), simply
states that a consumer reporting agency to which records are disclosed
is not considered a government contractor. To clarify that point, OSHRC
is deleting the clause that pertains to consumer reporting agencies and
adding the following sentence: ``For purposes of this part, such
contractors do not include any consumer reporting agency to which a
record is disclosed under 31 U.S.C. 3711(e).''
OSHRC is also revising the last two sentences of 29 CFR 2400.1 to
read as follows: ``This part does not affect discovery in adversary
proceedings before the Commission. Discovery is governed by the
Commission's Rules of Procedures in 29 CFR part 2200, subpart D.'' This
is the same language that is used in 29 CFR 2400.1, the purpose and
scope provision of the agency's FOIA regulations.
In 29 CFR 2400.2 (Description of agency), OSHRC is revising this
section to make it identical to 29 CFR 2201.2, the agency's comparable
In 29 CFR 2400.3 (Delegation of authority), OSHRC is adding the
following requirement: ``As necessary, the Privacy Officer shall
coordinate this delegated responsibility with the Senior Agency
Official for Privacy'' (SAOP). According to OMB, ``[t]he SAOP shall
have a central role in overseeing, coordinating, and facilitating the
agency's privacy compliance efforts. In this role, the SAOP shall
ensure that the agency complies with applicable privacy requirements in
law, regulation, and policy.'' Role and Designation of Senior Agency
Officials for Privacy, OMB Memorandum 16-24 (Sept. 15, 2016). In order
for the SAOP to adequately fulfill these requirements, it is necessary
for the Privacy Officer to coordinate with the SAOP on Privacy Act
OSHRC is deleting paragraph (b) of 29 CFR 2400.3 (Delegation of
authority), as well as 29 CFR 2400.4 (Collection and disclosure of
personal information), because these sections are unnecessary under 5
U.S.C. 552a(f), the statutory provision requiring agencies that
maintain systems of records to promulgate rules that establish
procedures to implement certain aspects of the Privacy Act. Moreover,
the requirements being deleted are either already specified in the
Privacy Act, 5 U.S.C. 552a(b), (c), and (e), or are more appropriately
addressed in the agency's system-of-records notices, 5 U.S.C. 552a(e).
OSHRC is deleting paragraphs (a) and (b) of 29 CFR 2400.5
(Notification) and moving paragraph (c)--which addresses notification
of persons or other agencies who have received Privacy Act records that
have subsequently been amended--to a new section that concerns
procedures for statements of disagreement and notification of amendment
(new 29 CFR 2400.8). Also, OSHRC is incorporating the requirements set
forth in paragraph (a)(1), which pertain to written requests for
notification on whether a system contains records about the requester,
into the section that concerns procedures for requesting records
(current 29 CFR 2400.6, new 29 CFR 2400.4).
OSHRC is revising current 29 CFR 2400.6 to specify that the
procedures included in this section apply to requests for notification
of a system of records' content, as well as requests for access to
records. OSHRC also is including an additional method for requesting
notification of or access to records--submitting requests to the FOIA
Disclosure Officer in accordance with the procedures set forth at 29
CFR 2201.5(a)--to provide an alternative to mail or in-person visits.
As to the paragraph concerning ``verification of identity,'' OSHRC is
revising to simplify the verification requirements and to eliminate
verification by a notarized statement, which is unnecessary given that
verification can be accomplished by declaration in accordance with 28
U.S.C. 1746. Finally, to better reflect the contents of this section,
OSHRC is revising the section heading as follows: ``Procedures for
requesting notification of and access to personal records.''
OSHRC is revising current 29 CFR 2400.7 to divide the requirements
in paragraph (a) into two separate paragraphs. New paragraph (a)
focuses on the Privacy Officer's responsibilities, once a Privacy Act
request concerning medical records is received, and new paragraph (b)
focuses on the requirements that must be satisfied before records are
forwarded to a designated physician.
OSHRC is revising paragraph (a) of current 29 CFR 2400.8 to clarify
that requests to amend records should be requested in the same manner
as requests for notification of and access to records. Although no
substantive changes are being made to paragraph (b), it is being
revised to clarify the Privacy Officer's responsibilities, including
explicitly specifying that the requester must be notified in writing
how an amendment request has been resolved. Finally, OSHRC is revising
the section heading as follows: ``Procedures for amending personal
OSHRC is revising paragraph (a) of current 29 CFR 2400.9 to clarify that
denial of ``a request to provide notification of a record, or to access
or amend a record''--in other words, request denials under new
Sec. Sec. 2400.4, 2400.5 and 2400.6--can be appealed to the Chairman.
OSHRC also is revising paragraph (b) to require that the requester be
notified, within the initial 30 working-day period for making a final
decision, if the Chairman has extended the time period for good cause.
In addition, OSHRC is moving paragraph (d) to a new section that
concerns procedures for statements of disagreement and notification of
amendment (new 29 CFR 2400.8).
OSHRC is adding new 29 CFR 2400.8, which has the heading,
``Procedures for statements of disagreement and notification of
amendment.'' The requirements for this new provision are presently
included in paragraph (c) of 29 CFR 2400.5 and paragraph (d) of 29 CFR
2400.9. OSHRC is revising these paragraphs for clarification purposes,
none of which change the substantive requirements.
The deletion of current 29 CFR 2400.4 and 29 CFR 2400.5, and the
addition of new 29 CFR 2400.8, results in current Sec. Sec. 2400.6,
2400.7, 2400.8, and 2400.9 being re-designated as Sec. Sec. 2400.4,
2400.5, 2400.6, and 2400.7, and current Sec. 2400.10 being re-
designated as Sec. 2400.9.
II. Statutory and Executive Order Reviews
Executive Orders 12866 and 13132, and the Unfunded Mandates Reform
Act of 1995: OSHRC is an independent regulatory agency and, as such, is
not subject to the requirements of E.O. 12866, E.O. 13132, or the
Unfunded Mandates Reform Act, 2 U.S.C. 1501 et seq.
Regulatory Flexibility Act: The Chairman of OSHRC certifies under
the Regulatory Flexibility Act, 5 U.S.C. 605(b), that these rules will
not have a significant economic impact on a substantial number of small
entities. The only provision in part 2400 that could economically
impact a small entity pertains to how OSHRC charges its Privacy Act
fees, and that provision is not being revised. Moreover, when fees are
assessed, the amounts are generally minimal; and it is not anticipated
that the amendments to other provisions within part 2400 will have much
effect (if any) on the number of entities responsible for paying
Privacy Act fees or the amounts of those fees. Finally, the Privacy
Act's protections apply to ``individuals,'' which typically would not
include ``small entities.'' For these reasons, a regulatory flexibility
analysis is not required.
Paperwork Reduction Act of 1995: OSHRC has determined that the
Paperwork Reduction Act, 44 U.S.C. 3501 et seq., does not apply because
these rules do not contain any information collection requirements that
require the approval of OMB.
Congressional Review Act: These revisions do not constitute a
``rule,'' as defined by the Congressional Review Act, 5 U.S.C.
804(3)(C), because they involve changes to agency organization,
procedure, or practice that do not substantially affect the rights or
obligations of non-agency parties.
List of Subjects in 29 CFR Part 2400
James J. Sullivan, Jr.,
For the reasons set forth in the preamble, OSHRC revises 29 CFR
part 2400 to read as follows:
PART 2400--REGULATIONS IMPLEMENTING THE PRIVACY ACT
2400.1 Purpose and scope.
2400.2 Description of agency.
2400.3 Delegation of authority.
2400.4 Procedures for requesting notification of and access to
2400.5 Special procedures for requesting medical records.
2400.6 Procedures for amending personal records.
2400.7 Procedures for appealing.
2400.8 Procedures for statements of disagreement and notification of
2400.9 Schedule of fees.
Authority: 5 U.S.C. 552a(f); 5 U.S.C. 553.
Sec. 2400.1 Purpose and scope.
This part provides procedures to implement the Privacy Act of 1974,
5 U.S.C. 552a. It is applicable only to records that are maintained by
the Occupational Safety and Health Review Commission (OSHRC or the
Commission), which includes all systems of records operated by an
entity on behalf of OSHRC, pursuant to a contract, to accomplish an
agency function. For purposes of this part, such contractors do not
include any consumer reporting agency to which a record is disclosed
under 31 U.S.C. 3711(e). This part does not affect discovery in
adversary proceedings before the Commission. Discovery is governed by
the Commission's Rules of Procedures in 29 CFR part 2200, subpart D.
Sec. 2400.2 Description of agency.
OSHRC adjudicates contested enforcement actions under the
Occupational Safety and Health Act of 1970, 29 U.S.C. 651-678. The
Commission decides cases after the parties are given an opportunity for
a hearing. All hearings are open to the public and are conducted at a
place convenient to the parties by an Administrative Law Judge. Any
Commissioner may direct that a decision of a Judge be reviewed by the
full Commission. The President designates one of the Commissioners as
Chairman, who is responsible on behalf of the Commission for the
administrative operations of the Commission.
Sec. 2400.3 Delegation of authority.
The Chairman shall designate an OSHRC employee as the Privacy
Officer and shall delegate to the Privacy Officer the authority to
ensure agency-wide compliance with this part. As necessary, the Privacy
Officer shall coordinate this delegated responsibility with the Senior
Agency Official for Privacy.
Sec. 2400.4 Procedures for requesting notification of and access to
The purpose of this section is to provide procedures by which an
individual may request notification about whether a system of records
contains a record about that individual (``a personal record''), or may
gain access to such a record included in a system of records.
(a) Submission of requests--(1) Manner. An individual seeking
information regarding the content of a system of records or access to a
personal record in a system of records should submit a written request
either in person or by mail to the Privacy Officer, OSHRC, One
Lafayette Centre, 1120 20th Street NW, Ninth Floor, Washington, DC
20036-3457. A request may also be submitted to the FOIA Disclosure
Officer in accordance with the procedures set forth at 29 CFR
2201.5(a). Such a request, however, must be identified as a ``Privacy
Act Request.'' The FOIA Disclosure Officer will forward any request
identified in this manner to the Privacy Officer for processing.
(2) Notification requests. A request for notification about whether
a system of records contains a personal record must specify which
system of records, as described in the agency's system-of-records
notices published in the Federal Register, is the subject of the request.
(3) Access requests. A request for access to a personal record
describe the nature of the record sought, the approximate dates covered
by the record, and the system of records in which the record is thought
to be included as described in the agency's system-of-records notices
published in the Federal Register. The request should also indicate
whether the requester wishes to review the record in person or obtain a
copy by mail. If the information supplied is insufficient to locate or
identify the record, the requester shall be notified promptly and, if
necessary, informed of the additional information required.
(b) Period for response. After receiving a request, the Privacy
Officer shall respond to it no later than 10 working days from the
(c) Verification of identity. The following standards for verifying
an individual's identity are applicable to any individual who requests
a personal record under this part:
(1) An individual seeking access to a record in person shall, if
possible, present a government-issued identification that includes a
photo, such as a passport or a driver's license.
(2) An individual seeking access to a record by mail shall, if
possible, provide a signature, address, date of birth, place of birth,
and a photocopy of a government-issued identification that includes a
photo, such as a passport or a driver's license.
(3) An individual seeking access to a record either by mail or in
person who cannot provide the necessary documentation of identification
specified in paragraphs (c)(1) and (2) of this section may provide a
declaration in accordance with 28 U.S.C. 1746, swearing or affirming to
his or her identity and to the fact that he or she understands the
penalties for false statements pursuant to 18 U.S.C. 1001.
(d) Verification of guardianship. The parent or guardian of a minor
or an individual judicially determined to be incompetent and seeking to
act on behalf of such minor or incompetent shall, in addition to
establishing his or her own identity, establish the identity of the
minor or other individual he or she represents as required in paragraph
(c) of this section and establish his or her own parentage or
guardianship of the subject of the record by furnishing either a copy
of a birth certificate showing parentage or a court order establishing
(e) Accompanying persons. An individual seeking to review a
personal record in person may be accompanied by another individual of
his or her own choosing. Both the individual seeking access and the
accompanying individual shall be required to sign a form provided by
OSHRC indicating that OSHRC is authorized to discuss the contents of
the subject record in the presence of both individuals.
(f) When compliance is possible. (1) The Privacy Officer shall
inform the requester of the determination to grant the request and
shall make the personal record available to the individual in the
manner requested, that is, either by forwarding a copy of the
information to the requester or by making it available for review,
(i) It is impracticable to provide the requester with a copy, in
which case the requester shall be notified of this and informed of the
procedures set forth in paragraph (c) of this section, or
(ii) The Privacy Officer has reason to believe that the cost of a
copy is considerably more expensive than anticipated by the requester,
in which case the Privacy Officer shall notify the requester of the
estimated cost, and ascertain whether the requester still wishes to be
provided with a copy of the information.
(2) Where a personal record is to be reviewed by the requester in
person, the Privacy Officer shall inform the requester in writing of:
(i) The date on which the record shall become available for review,
the location at which it may be reviewed, and the hours for inspection;
(ii) The requirements for verifying identity as set forth in
paragraphs (c) and (d);
(iii) The requester's right to be accompanied by another individual
to review the record as set forth in paragraph (e) of this section; and
(iv) The requester's right to have another individual review the
(3) If the requester seeks to inspect the personal record without
receiving a copy, the requester shall not leave OSHRC premises with the
record and shall sign a statement identifying the specific record or
category of records that has been reviewed.
(g) When compliance is not possible. The denial of a written
request to review a personal record shall be sent to the requester in
writing and signed by the Privacy Officer. This response shall be
provided when the requested record does not exist, does not contain
personal information relating to the requester, or is exempt. The
response shall include a statement regarding the determining factors of
denial, and the requester's rights to administrative appeal and,
thereafter, judicial review in a district court of the United States.
Sec. 2400.5 Special procedures for requesting medical records.
(a) Upon an individual's request for access to any medical record
about the requester, including any psychological record, the Privacy
Officer shall make a preliminary determination on whether access to
such record(s) could have an adverse effect upon the requester. If the
Privacy Officer determines that access could have an adverse effect on
the requester, OSHRC shall notify the requester in writing and advise
that the record(s) at issue can be made available only to a physician
of the requester's designation.
(b) OSHRC shall forward such record(s) to the physician designated
by the requester once the following requirements are met:
(1) The requester has informed OSHRC of the designated physician's
(2) OSHRC has verified the identity of the physician; and
(3) The physician has agreed to review the record(s) with the
requester to both explain the meaning of the record(s) and offer
counseling designed to temper any adverse reaction.
(c) If, within 60 calendar days of OSHRC's written request for a
designation, the requester has failed to respond or designate a
physician, or the physician fails to agree to the release conditions,
then OSHRC shall hold the record(s) in abeyance and advise the
requester that this action may be construed as a technical denial.
OSHRC shall also advise the requester of his or her rights to
administrative appeal and, thereafter, judicial review in a district
court of the United States.
Sec. 2400.6 Procedures for amending personal records.
(a) Submission of requests for amendment. Upon review of an
individual's personal record, that individual may submit a request to
amend such record. This request shall be submitted in writing to the
Privacy Officer, in accordance with Sec. 2400.4(a)(1)'s procedures,
and shall include a statement of the amendment requested and the
reasons for such amendment, e.g., relevance, accuracy, timeliness or
completeness of the record.
(b) Action to be taken by the Privacy Officer. Upon receiving an
amendment request, the Privacy Officer shall promptly:
(1) Acknowledge in writing within 10 working days the receipt of
(2) Make such inquiry as is necessary to determine whether the
amendment is appropriate; and
(3) Resolve the request by either:
(i) Correcting or eliminating any information that is found to be
incomplete, inaccurate, irrelevant to a statutory purpose of OSHRC, or
untimely and notifying the requester in writing when this action is
(ii) Notifying the requester in writing of a determination not to
amend the personal record, including the reasons for the denial, and
advising the requester of his or her right to appeal in accordance with
Sec. 2400.7 Procedures for appealing.
(a) Submission of appeal. (1) If a request to provide notification
of a personal record, or to access or amend a personal record, is
denied either in whole or in part, or if no determination is made
within the period prescribed by this part, then the requester may
appeal in writing to the Chairman by mailing an appeal letter to the
following address: Privacy Appeal, OSHRC, One Lafayette Centre, 1120
20th Street NW, Ninth Floor, Washington, DC 20036-3457.
(2) To be considered timely, the requester must submit the appeal
letter within 30 calendar days of the date of denial, or within 90
calendar days of his or her request if the appeal is from a failure of
the Privacy Officer to make a determination. The appeal letter should
include, as applicable:
(i) Reasonable identification of the system to which notification
was sought, the personal record to which access was sought, or the
amendment that was requested.
(ii) A statement of the OSHRC action or failure to act being
appealed and the relief sought.
(iii) A copy of the request, the notification of denial, and any
other related correspondence.
(b) Final decisions. The Chairman must make a final decision no
later than 30 working days from the date of the request, but the
Chairman may extend this time period for good cause. The requester,
however, must be notified of the extension within the initial 30
working-day period, and the extension may not exceed 90 calendar days
from the date of the request. Any personal record found on appeal to be
incomplete, inaccurate, irrelevant, or untimely, shall within 30
working days of the date of such findings be appropriately amended.
(c) Decision requirements. The decision of the Chairman constitutes
the final decision of OSHRC on the right of the requester to be
notified of, or to access or amend, a personal record. The decision on
the appeal shall be in writing and, in the event of a denial, shall set
forth the reasons for such denial and state the individual's right to
obtain judicial review in a district court of the United States. An
indexed file of the agency's decisions on appeal shall be maintained by
the Privacy Officer.
Sec. 2400.8 Procedures for statements of disagreement and
notification of amendment.
(a) Submission of statement of disagreement. If a final decision
concerning an amendment request does not satisfy the requester, then
the requester may provide a statement of disagreement that is of
reasonable length and sets forth a position regarding the disputed
information. This statement of disagreement shall be accepted by OSHRC
and included in the relevant personal record. If deemed appropriate,
OSHRC may also include a concise statement in the record of its reasons
for not making a requested amendment.
(b) Notification of amendment and statement of disagreement. (1)
OSHRC shall inform any person or other agency about an amendment to a
personal record, or notation made to the record under paragraph (a) of
this section, if that record has been disclosed to the person or
agency, the amendment or notation was made pursuant to this part, and
an accounting of the disclosure was made pursuant to 5 U.S.C. 552a(c).
(2) When a personal record is disclosed to a person or other agency
after a notation under paragraph (a) of this section is made to the
record, OSHRC shall clearly note any portion of the record that is
disputed and provide a copy of any notation included in the record.
Sec. 2400.9 Schedule of fees.
(a) Policy. The purpose of this section is to establish fair and
equitable fees to permit reproduction of personal records for concerned
(b) Reproduction. (1) For the fees associated with reproduction of
personal records, refer to appendix A to part 2201, Schedule of Fees.
(2) OSHRC shall not normally furnish more than one copy of any
(c) Limitations. No fee shall be charged to any individual for the
process of retrieving, reviewing, or amending personal records.
[FR Doc. 2020-21011 Filed 10-14-20; 8:45 am]