Federal Communications Commission FCC 21-30

Before the
FEDERAL COMMUNICATIONS COMMISSION
WASHINGTON, D.C. 20554

In the Matter of Amendment of the Commission’s Rules Implementing the Privacy Act of 1974, as Amended

GN Docket No. 21-79

NOTICE OF PROPOSED RULEMAKING

Adopted: March 3, 2021
Released: March 4, 2021

Comment Date: [30 days after publication in the Federal Register]
Reply Comment Date: [60 days after publication in the Federal Register]

By the Commission:

I. INTRODUCTION

1. This Notice of Proposed Rulemaking seeks comment on revisions to the Commission’s rules implementing the Privacy Act of 1974 (the Act). Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (1974) (codified at 5 U.S.C. § 552a). The Act governs the procedures by which federal agencies gather, maintain, disseminate, and use personal information. In 1975, as required by the Act, 5 U.S.C. § 552a(f); see also 5 U.S.C. § 552a(j)-(k). the Commission promulgated rules implementing the Act, which provide individuals with a way to access the records that the Commission maintains about them, and to request that the Commission amend those records where appropriate. With the exception of some small conforming and stylistic changes, these rules have not been amended in the over 45 years since the Commission adopted them. Rules to Implement the Privacy Act of 1974, Docket No. 20563, Order, 55 F.C.C.2d 630 (1975) (hereinafter 1975 Privacy Act Rules). On December 9, 1974, the Commission adopted a procedural amendment to the rules that gave individuals the ability to seek administrative review in the case that the Commission denied their request for access to records. This amendment became subsection (e) of the current section 0.555. Amendment of § 0.555, Rules and Regulations, Order, 57 F.C.C.2d 331 (1975).

2. But much has changed in that time. 
Advances in information technology have changed how the Commission communicates with the public, as well as how it gathers, maintains, disseminates, and uses information. The law has also developed: Congress has amended the Act over ten times; federal courts have interpreted and analyzed it; and the Office of Management and Budget (OMB) has issued extensive guidance consistent with the Act’s directive that OMB “develop guidelines and regulations” agencies could use to implement the Act, and “provide continuing assistance to and oversight of” agencies’ implementation of the Act. Privacy Act of 1974, Pub. L. No. 93-579, § 6, 88 Stat. 1896, 1909. This provision was later repealed and replaced with the current subsection (v) of the Act, 5 U.S.C. § 552a(v). See Computer Matching and Privacy Protection Act of 1988, Pub. L. No. 100-503, § 6, 102 Stat. 2507, 2513-14 (1988). 3. To evolve with the developments in the law and the directives from governmental bodies, we now propose to update and improve our privacy rules. First, we propose updating our list of exempted systems to remove systems of records that have become obsolete since the rules were enacted. Second, we propose a number of clarifying updates designed to allow members of the public to better understand their rights under the Act, including the processes that apply for administrative and judicial review in situations where a request for access to or amendment of records is denied by the agency. Third, we propose to conform our rules to guidance promulgated by OMB and current practices. We believe these proposals would not only bring the Commission’s rules up to date but would also make it easier for individuals to exercise their rights under the Privacy Act. II. BACKGROUND 4. The Act establishes a code of practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. 
A “system of records” is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual. Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (1974) (codified at 5 U.S.C. § 552a); 5 U.S.C. § 552a(e)(4); see also id. § 552a(a)(2) (definition of “individual”); id. § 552a(a)(5) (definition of “system of records”). In general, the Act requires that agencies notify the public of their systems of records by publication in the Federal Register. The Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual, unless the disclosure is pursuant to one of the Act’s twelve statutory exceptions. 5 U.S.C. § 552a(b). The Act also gives individuals, with some limitations, the right to access and request the amendment of records that a federal agency maintains about them. 5 U.S.C. § 552a(d); see also id. § 552a(a)(3) (definition of “maintain”). To help effect this right of “access and amendment,” the Act requires each agency to promulgate rules explaining how individuals can identify and review records about themselves, how they can request amendment of those records and appeal an agency’s denial of their request, and how much they will be charged for copying records. 5 U.S.C. § 552a(f). The Act requires agencies to promulgate these rules under the notice-and-comment rulemaking requirements of the Administrative Procedure Act (APA). Id. 5. Three aspects of the Act are most relevant for present purposes. First, the Privacy Act gives agency heads the authority to exempt certain types of records from some of the Privacy Act’s access and disclosure requirements. The purpose of these provisions is to enable an agency to withhold records from individuals in cases where disclosing the records would frustrate the agency’s ability to carry out its statutory mission. See Office of Mgmt. 
& Budget, Privacy Act and Implementation, Guidelines and Responsibilities, 40 Fed. Reg. 28949, 28971 (July 9, 1975) (reviewing legislative history of the exemption provisions). One provision allows the Central Intelligence Agency and criminal law enforcement agencies, or components of agencies, to exempt their systems of records from most (but not all) of the Act’s access and disclosure requirements. 5 U.S.C. § 552a(j). Another provision gives agencies the ability to claim a more limited set of “specific exemptions” for systems of records that contain certain types of sensitive information such as classified information, personnel background information, and law enforcement investigatory materials. 5 U.S.C. § 552a(k). See, e.g., Comm. on Gov’t Operations, Privacy Act of 1974, H.R. Rep. No. 93-1416 (1974) (explaining that disclosing certain law enforcement files to individuals “could alert subjects of investigations that their activities are being scrutinized, and thus allow them time to take measures to prevent detection of illegal action or escape prosecution”). In order to promote accountability in agencies’ use of these exemptions, the Act requires agencies claiming either subsection (j) or subsection (k) exemptions for a particular system of records to do so through notice-and-comment rulemaking. 5 U.S.C. § 552a(j), (k) (requiring that exemption rules must be promulgated “in accordance with the requirements (including general notice) of section 553(b)(1), (2), and (3), (c), and (e) of this title”). Both subsections require agencies to explain, in their APA-required general statements, “the reasons why the system of records is to be exempted from a provision of this section.” Id. Relying on these provisions, the Commission’s rules currently list seven systems of records as exempt from the Privacy Act’s access and disclosure requirement. 
The listed systems of records include: FCC/FOB-1 – Radio Operator Records, FCC/FOB-2 – Violators File, FCC/OGC-2 – Attorney Misconduct Files, FCC/Central-6 – Personnel Investigation Records, FCC/OIG-1 – Criminal Investigative Files, FCC/OIG-2 – General Investigative Files, and an unnumbered system called Licensees or Unlicensed Persons Operating Radio Equipment Improperly. 47 CFR § 0.561. Each of these seven systems no longer exists or has been updated and renamed. For example, in 2011, the Commission deleted the two OIG systems of records listed in section 0.561 (“Criminal Investigative Files-FCC/OIG-1” and “General Investigative Files-FCC/OIG-2”) and created a new, consolidated single system of records, designated as “Investigative Files-FCC/OIG-3,” to replace them. Fed. Reg. 52454 (Aug. 26, 2011). A complete listing of the systems of records the Commission currently maintains can be found on the FCC’s Privacy Act Information webpage, https://www.fcc.gov/general/privacy-act-information. Nevertheless, the systems remain listed as exempted in our current rules. 6. Second, the Act gives requesters the right to file suit in a Federal district court against an agency that refuses to grant them access to their records, 5 U.S.C. § 552a(g)(1)(B). as well as the right to file suit when an agency denies their request to amend a record. 5 U.S.C. § 552a(g)(1)(A). The Act is silent, however, on how a dissatisfied requester should appeal an agency’s denial of access to a record within the agency before filing suit. In the decades since the passage of the Act and the Commission’s adoption of its implementing rules, federal courts have interpreted the Act’s silence on this question to generally support agencies requiring the individual pursue administrative review prior to seeking judicial relief. For example, a 1990 decision by the U.S. Court of Appeals for the D.C. 
Circuit found that courts lack jurisdiction to consider an access appeal until a plaintiff has exhausted her administrative remedies, Haase v. Sessions, 893 F.2d 370, 373 (D.C. Cir. 1990) (finding that in the cases of both access and amendment, “a plaintiff, according to the statutory language, must initially seek an amendment or access from the agency and even seek review within the agency before coming to court”); see also Barouch v. U.S. Dep’t of Justice, 962 F. Supp. 2d 30, 67 (D.D.C. 2013) (following Haase and holding that “failure to exhaust administrative remedies under the Privacy Act is a jurisdictional deficiency because exhaustion is required by statute”). while a later Fifth Circuit decision found that courts do have such jurisdiction but should generally refrain from hearing claims until agency remedies have been exhausted. Taylor v. U.S. Treasury Dep’t, 127 F.3d 470, 475-77 (5th Cir. 1997) (finding that although the court had jurisdiction to hear the appeal, it would use its discretion to require the plaintiff first to exhaust his administrative remedies). For a longer discussion of the inconsistent case law on this provision, see U.S. DOJ, Overview of the Privacy Act of 1974, at 178-98 (2015), https://www.justice.gov/opcl/overview-privacy-act-1974-2015-edition. The Commission’s rules do not reflect either the process for administrative review established in the Communications Act See 47 U.S.C. § 155(c). or what seems to be the prevailing view that unsatisfied requesters should exhaust administrative remedies before filing suit; instead, our current rules explicitly provide only that such requesters may seek administrative review, but are unclear on whether they must do so before challenging an action in Federal district court. 47 CFR § 0.555(e). 
Paragraph (e) of this rule was added in late 1975 “to further implement the Privacy Act of 1974.” The intent was to provide “a means of administrative review in the event that a determination is made denying an individual access to his or her records.” Amendment of § 0.555, Rules and Regulations, Order, 57 F.C.C.2d 331 (1975). 7. Third, the Act ordered OMB to both “develop guidelines and regulations” agencies could use to implement the Act, and “provide continuing assistance to and oversight of” agencies’ implementation of the Act. Privacy Act of 1974, Pub. L. No. 93-579, § 6, 88 Stat. 1896, 1909. This provision was later repealed and replaced with the current subsection (v) of the Act, 5 U.S.C. § 552a(v). See Computer Matching and Privacy Protection Act of 1988, Pub. L. No. 100-503, § 6, 102 Stat. 2507, 2513-14 (1988). Following this mandate, OMB issued extensive Privacy Act implementation guidelines for federal agencies in July of 1975 OMB, Privacy Act and Implementation, Guidelines and Responsibilities, 40 Fed. Reg. 28948 (July 9, 1975). and has periodically issued documents addressing different aspects of Privacy Act compliance. Congress gave OMB the task of developing guidelines for implementation of the Privacy Act; 5 U.S.C. § 552a(v). Since 1975, the Commission has made only minor, editorial changes to its rules to address such matters as organizational reforms See 45 Fed. Reg. 39850 (June 12, 1980) (substituting “Office of Personnel and Management” for “Civil Service Commission”); 49 Fed. Reg. 13366 (Apr. 4, 1984) (making editorial changes to “simplify language” and reflect changes to the organizational structure of the Commission’s Bureaus and Offices); 80 Fed. Reg. 53747 (Sept. 8, 2015) (eliminating a section 0.555 provision allowing individuals to review records at Commission field offices). and the relocation of the Commission’s headquarters. See 65 Fed. Reg. 58465 (Sept. 29, 2000) (changing Commission headquarters address from 1919 M St. 
NW to 445 12th St. SW); 35 FCC Rcd 11534 (October 15, 2020) (changing Commission headquarters address from 445 12th St. SW to 45 L St. NE). These rules therefore do not reflect the guidance issued by OMB following the passage of the Act, nor do they account for changes in Commission practice made in response to this guidance. III. DISCUSSION 8. We propose revisions to the current rules to reflect amendments to the Privacy Act, Federal case law, OMB guidance, and the FCC’s current practices. Most notably, we propose amendments to our rules that will update them to account for the developments described above. Because these changes are scattered throughout our current Privacy Act rules, we proceed to discuss each change in this section in the order that the change appears in our revised rules. The full text of our proposed rule changes is set forth in Appendix A. A. Section 0.551 - Purpose and Scope: Definitions 9. We first propose several updates to the purpose and definition provisions of the Commission’s Privacy Act Rules, which are currently codified in section 0.551. 47 CFR § 0.551. The current text states, in part, that the purpose of the subpart is to implement the Privacy Act, and “to protect the rights of the individual in the accuracy and privacy of information concerning him which is contained in Commission records.” 47 CFR § 0.551(a). To clarify our rules, we propose a more concrete and descriptive statement of purpose. Our proposed amendment would explain that the purpose of the subpart is to establish procedures that individuals may follow to exercise their right to access and request amendment of their records under the Privacy Act. 10. 
We also propose several updates to section 0.551(b), which defines the terms “Individual,” “Record,” “System of Records,” “Routine Use,” and “System Manager.” We propose to amend the definition of “System of Records,” which is currently defined as “a group of records under the control of the Commission from which information is retrievable by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual,” 47 CFR § 0.551(b)(3). to add the word “any” before “records under the control of the Commission.” In addition to more closely matching the statutory language, 5 U.S.C. § 552a(a)(5). we believe that this change may better signal to the public the broad category of records that requesters may seek. 11. Current rules define “System Manager” as “the Commission official responsible for the storage, maintenance, safekeeping, and disposal of a system of records.” 47 CFR § 0.551(b)(5). To conform this definition with the Commission’s current practices and terminology, we propose to replace the term with “Privacy Analyst.” Under current practices, all Privacy Act requests submitted to the FCC are handled in the first instance by a Privacy Analyst in the Office of General Counsel, rather than by the managers or owners of any particular system of records. A Privacy Analyst coordinates with the system owner to search for, collect, and then produce responsive records. The Privacy Analyst serves as the interface between Privacy Act requesters and the Commission, and generally signs correspondence related to Privacy Act requests. Our proposed amendment would formalize that role in our rules, defining the “Privacy Analyst” as a Commission official responsible for processing and responding to requests by individuals to be notified of, to access, or to amend records pertaining to them that are maintained in the FCC’s systems of records. 12. 
Finally, we propose adding a new paragraph defining the position of the Commission’s Senior Agency Official for Privacy. Following a requirement that became law as part of the Consolidated Appropriations Act of 2005, Pub. L. No. 108-446, § 522, 118 Stat. 2809, 3268 (2004). OMB required agencies to identify to OMB “the senior official who has the overall agency-wide responsibility for information privacy issues.” OMB, Memo No. M-05-08, Designation of Senior Agency Officials for Privacy (Feb. 11, 2005). Following Executive Order 13719, Establishment of the Federal Privacy Council, Exec. Order No. 13,719, 81 Fed. Reg. 7685 (Feb. 12, 2016). OMB updated and broadened the responsibilities of the Senior Agency Official for Privacy in 2016 guidance. OMB, Memo No. M-16-24, Role and Designation of Senior Agency Officials for Privacy (Sep. 16, 2016). Consistent with this requirement, the FCC has designated a Senior Agency Official for Privacy since 2005. We seek comment on these definitional changes. B. Sections 0.552 – Notices Identifying Commission Systems of Records and 0.553 – New Uses of Information 13. We next propose to update and streamline the Commission’s rule requiring the publication of a “system of records notice” 47 CFR § 0.552. and the Commission’s rule about the publication of each new routine use of an existing system of records. 47 CFR § 0.553. Our proposals reflect guidance issued by OMB following the passage of the Privacy Act, and streamline the rules in a manner that provides the Commission greater flexibility to adjust its practices consistent with evolving governmentwide practice, while still ensuring that the Commission adheres to the Privacy Act’s requirement that the Commission notify the public of the establishment of and updates to its systems of records. 14. 
The current rule under section 0.552 explains how the Commission complies with the Privacy Act’s requirement that agencies publish “a notice of the existence and character” of their systems of records. 5 U.S.C. § 552a(e)(4). The rule recites the statutorily required elements of such a notice, including the routine uses for the information within the system of records, as well as the Act’s requirement that an agency publish notices in the Federal Register. Compare 47 CFR § 0.552 with 5 U.S.C. § 552a(e)(4). We note that the Act does not require agencies to issue rules parroting the statutory requirement, See 5 U.S.C. § 552a(f). as the Commission’s current rule does, and that OMB has since updated guidance further clarifying the elements required in a system of records notice, including the enumerated routine uses. OMB, Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act (Dec. 23, 2016) (OMB Circular A-108), available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf. For example, OMB guidance requires federal agencies to follow specific templates for new, modified, or rescinded systems of records notices that our outdated rules do not describe. Id. at 6-8, App. II-IV. 15. Section 0.553 of the rules describes the procedure the Commission follows to publish a new routine use of an existing system of records. Under the Act, an agency can define certain “routine use[s]” of information such that disclosure of a record may be made without the consent of the data subject. 5 U.S.C. § 552a(a)(7) (defining “routine use”); see also id. § 552a(b)(3) (establishing routine use as an exception to the Act’s general prohibition on disclosure). To be permissible, a routine use must be compatible with the purpose for which a record was collected, 5 U.S.C. § 552a(a)(3). and must be published in a system of records notice with a 30-day comment period. 5 U.S.C. § 552a(e)(11). 
The current Commission rule contemplates publishing a standalone notice of only the new routine use, rather than republishing the entire notice along with a description of the routine use. 47 CFR § 0.553. In current practice, however, when the Commission makes significant changes to its published system of records notices (such as adding one or more routine uses), it re-publishes for comment the entire notice, not just the revised portion containing the changes, and highlights the changes so that they may easily be recognized by the public. This makes it easier for the public to understand what changes the Commission is taking. This approach is also consistent with current OMB guidance; in Circular A-108, agencies are “strongly encouraged to publish all routine uses applicable to a system of records in a single Federal Register notice for that system.” OMB Circular A-108 at 11. 16. Because OMB’s updated guidance seems to make stale the procedures recited in our rules, and because it is unnecessary for the Commission to codify these statutory requirements, we propose to combine these two sections into a single rule stating simply that upon establishment, rescission, or revision of a system of records, including the establishment of a new routine use of a system of records, the Commission will publish in the Federal Register the notice required by 5 U.S.C. § 552a(e). The proposed rule would therefore alert the public to the existence of system of records notices but would not prescribe the elements of a notice. At best, codifying a description of the requirements of a notice that may become outdated or incomplete seems to be unnecessary under the Privacy Act, and to otherwise serve little purpose, given that the obligation to publish these notices rests on the Commission, and not the public. 
At worst, codifying these requirements is misleading, insofar as governmentwide guidance on the required elements of a system of records notice may evolve more quickly than the Commission’s rules reciting these requirements. We seek comment on this proposal. Is there any utility to retaining the detail regarding system of records notices included in the current text of our rules that outweigh the arguments for streamlining? Alternatively, would a better approach be to delete and reserve sections 0.552 and 0.553 entirely? C. Section 0.554 – Requests for Notification of and Access to Records 17. We propose several changes to the Commission’s Privacy Act rules describing the process individuals should follow to determine whether the Commission is holding information about them in its systems of records. 47 CFR § 0.554. To begin with, we propose to amend the title of this section from the current “Procedures for requests pertaining to individual records in a system of records,” to “Requests for notification of and access to records.” The proposed amended title of the section would more clearly signify that the procedures in this subsection effectuate individuals’ ability to ascertain what information the Commission possesses about themselves, a right they are given in subsection (d)(1) of the Act. 5 U.S.C. § 552a(d)(1). We also propose deleting obsolete references to the annual report agencies were required to publish under the original Privacy Act law and to an alphabetical listing of agency system of records notices. Privacy Act of 1974, Pub. L. No. 93-579, § 3(e)(4), 88 Stat. 1896, 1899 (requiring agencies to publish notices annually in the Federal Register). This requirement was changed in 1982 to the current requirement to publish notices in the Federal Register “upon establishment or revision.” Congressional Reports Elimination Act of 1982, Pub. L. No. 97-375, § 201(a), 96 Stat. 1819, 1821. 
The Commission amended section 0.552 of its rules in 1984 to reflect this statutory change, 49 Fed. Reg. 13368 (Apr. 4, 1984), but did not amend similarly outdated language in section 0.554. 18. Under current Commission practice, all requests are routed to a Privacy Analyst, who directs requesters to the list of system of records notices on the Commission’s website in the event that the request does not identify the relevant system(s) of records. A complete listing of the systems of records the Commission currently maintains can be found on the FCC’s Privacy Act Information webpage, https://www.fcc.gov/general/privacy-act-information. We propose adding a sentence clarifying that a proper request must identify the system(s) of records to be searched. 19. We also propose modifying how an individual may verify their identity when requesting access to records. Currently, paragraph (b)(1) requires an individual requesting access to records to verify their identity by submitting two of the following forms of identification: Social Security card; driver’s license; employee identification card; Medicare card; birth certificate; bank credit card; or similar form of identification. This requirement seems inconsistent with recent OMB guidance explaining that while “agencies may customize the [personally identifiable information (PII)] required by their access and consent forms [to verify identity for access to or consent to disclose records] in accordance with applicable law and policy requirements and assessment of privacy risks,” “agencies shall accept [access or consent forms developed by OMB] from individuals,” and “limit the collection of PII to the minimum that is directly relevant and necessary.” OMB, Memorandum 21-04, Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act at 3, 5, 6 (Nov. 12, 2020). 
Therefore, we seek comment on deleting the requirement for requesters to provide two forms of identification and allowing individuals to verify their identity by submitting an Identity Affirmation form, based on the template provided by OMB. The Privacy Analyst reviewing the request would be responsible for determining whether the form has been properly completed before any disclosure is made. Would relying on an Identity Affirmation form increase the risk of fraudulent requests? We note that the Commission could safeguard against such fraud, while minimizing the Commission’s collection of PII, by requiring that the Identity Affirmation form be notarized. We request comment on requiring that the Identity Affirmation form be notarized in lieu of the Commission collecting identification documentation from requesters. 20. We also propose making the Privacy Act request submission process consistent with the submission process established in the Commission’s most recent revision of the Freedom of Information Act rules. Amendment of Part 0 of the Commission’s Rules Regarding Public Information, the Inspection of Records, and Implementing the Freedom of Information Act, Order, 31 FCC Rcd 13695, para. 25 (2016) (hereinafter FOIA Rules Amendment). In current practice, the Commission receives almost all of its Privacy Act requests through its FOIAOnline web portal. Both Congress and Federal courts have acknowledged that the access provisions of the FOIA and the Privacy Act are somewhat overlapping. Congress amended subsection (t) of the Privacy Act in 1984 to clarify that agencies cannot use FOIA exemptions to deny access to records requesters have access to under the Privacy Act, or vice versa. Central Intelligence Agency Information Act, Pub. L. No. 98-47, § 2(b), 98 Stat. 2209, 2211-12 (1984) (codified at 5 U.S.C. § 552a(t)(2)). 
Likewise, DOJ published a comprehensive analysis of the legislative history and judicial precedent on this question, which concluded that “[a]n individual’s access request for his own record maintained in a system of records should be processed under both the Privacy Act and the FOIA, regardless of the statute(s) cited.” DOJ, Overview of the Privacy Act of 1974, at 119 (2015), https://www.justice.gov/opcl/overview-privacy-act-1974-2015-edition. In fact, DOJ’s own Privacy Act rules explicitly grant requesters “the benefit of both statutes.” 28 CFR § 16.40(a). We find persuasive DOJ’s Privacy Act analysis, and believe that a best practice would be to structure our process to ensure that any requester can efficiently get the benefits of both statutes.  For example, it may be appropriate to process parts of a request under the Privacy Act and parts of it under the FOIA.  We seek comment on this interpretation. 21. Finally, we propose updates to paragraphs (c) and (d) of this section. Paragraph (c) currently requires individuals to deliver their requests for notification and access to a specific system manager or to the Associate Managing Director. Our proposed amendments to section (a) would make this requirement obsolete by permitting individuals to submit requests via the Commission’s website, by e-mail, or by mail to the Commission. We propose removing the option to hand deliver requests for access to the Commission because the Commission’s new headquarters building does not have a public filing window and cannot accept hand deliveries. See Amendment of the Commission’s Rules of Practice and Procedure, Order, DA 20-562, (OMD rel. May 28, 2020), https://docs.fcc.gov/public/attachments/DA-20-562A1.pdf. See also 85 Fed. Reg. 39075 (June 30, 2020). Therefore, we propose combining current paragraph (c) and (d) and removing reference to the method through which individuals submit requests. D. Section 0.555 – Disclosure of Record Information to Individuals 22. 
We propose making changes to section 0.555 to reflect current Commission practices. The current rule describes how individuals can access the records that the Commission maintains about them in its systems of records. It also lists reasons why the Commission might limit this access and describes how individuals may contest a Commission decision to deny their access to records. 23. While most individuals currently seek to access their records remotely through correspondence—whether electronically or via first-class mail—they still have a right to review records in person. The current rules urge individuals to make an appointment with the specific system manager responsible for the system of records they are interested in reviewing. 47 CFR § 0.555(a)(1). The proposed new rules would create a single point of contact for requesters who would like to inspect their records in person by stating that individuals who wish to review their records should contact the Privacy Analyst. Amendment of Part 0 of the Commission’s Rules Regarding Public Information, the Inspection of Records, and Implementing the Freedom of Information Act, Order, 31 FCC Rcd 13695, 13699, app. § 0.460 (2016). The Commission eliminated the ability to inspect records at FCC field offices in its 2015 field office reorganization. Reorganization of the Enforcement Bureau’s Field Operations, Order, 30 FCC Rcd 7649, 7653 (2015). The proposed changes also include modifying paragraph (a)(1) to correct a grammatical error and conform the language to subsection (d)(1) of the Privacy Act, which specifies who may accompany individuals to view records. The original language of this rule read: “However, in such cases, a written statement authorizing discussion of his or her own record in the presence of the accompanying person must be furnished. 
In addition, any disclosure or original Commission records must take place in the presence of a Commission representative having physical custody of the records.” Rules to Implement the Privacy Act of 1974, Docket No. 20563, Order, 55 F.C.C.2d 630, 632 (1975). The 1984 amendment substituted the verbless sentence: “However, in such cases, a written statement authorizing discussion of their record in the presence of a Commission representative having physical custody of the records.” 49 Fed. Reg. 13369 (1984). Specifically, the proposed language, “However, in such cases, the individual must provide written consent authorizing discussion of their record in the accompanying person’s presence,” would replace the seemingly incomplete sentence currently in (a)(1), “However, in such cases, a written statement authorizing discussion of their record in the presence of a Commission representative having physical custody of the records.” 24. Paragraph (b)(1) provides the Commission discretion to limit access to medical records where the Commission staff, in consultation with a medical professional, has determined that access to the records could have an adverse impact on the individual. But with very limited exceptions, FCC systems of records do not contain personal health information. Therefore, we propose deleting the medical records provision (paragraph (b)(1)). In addition, a 1993 D.C. Circuit case invalidated a similar provision on the ground that it effectively created a new substantive exemption to an individual’s Privacy Act right of access. Benavides v. U.S. Bureau of Prisons, 995 F.2d 269 (D.C. Cir. 1993). 25. 
Paragraph (b)(2) discusses exempting classified material, investigative material compiled for law enforcement purposes, investigatory material compiled solely for determining suitability for Federal employment or access to classified information, and certain testing or examination material from disclosure and refers to section 0.561, which lists the Commission’s exempt systems of records. Here, we propose a limited edit that would replace the current general reference to the Privacy Act with a specific cite to subsections (j) and (k) of the Privacy Act, upon which the Commission’s authority to make “specific” or “general” exemptions for certain types of sensitive information is based. 5 U.S.C. § 552a(j), (k); see Comm. on Gov’t Operations, Privacy Act of 1974, H.R. Rep. No. 93-1416 (1974) (explaining that disclosing certain law enforcement files to individuals “could alert subjects of investigations that their activities are being scrutinized, and thus allow them time to take measures to prevent detection of illegal action or escape prosecution”). In order to promote accountability in agencies’ use of these exemptions, the Act requires agencies claiming either subsection (j) or subsection (k) exemptions for a particular system of records to do so through notice-and-comment rulemaking. 5 U.S.C. § 552a(j), (k) (requiring that exemption rules must be promulgated “in accordance with the requirements (including general notice) of section 553(b)(1), (2), and (3), (c), and (e) of this title”). Both subsections require agencies to explain, in their APA-required general statements, “the reasons why the system of records is to be exempted from a provision of this section.” Id.; see Office of Mgmt. & Budget, Privacy Act and Implementation, Guidelines and Responsibilities, 40 Fed. Reg. 28949, 28971 (July 9, 1975) (reviewing legislative history of the exemption provisions). 
We also propose to strike some seemingly extraneous phrases from the final sentence of this paragraph—for example, by removing the unnecessary phrase “totally or partially.” 26. Paragraph (c) states that “requests involving more than 25 pages shall be submitted to the duplicating contractor.” 47 CFR § 0.555(c). While the Commission has never charged a fee for the search and review time for responsive records, the Commission has charged fees for copying responsive records that exceeded 25 pages. Because the Commission no longer employs a copying contractor, we propose eliminating the reference in paragraph (c). At the same time, we propose to make clear, consistent with the Privacy Act’s prohibition on charging fees for searching for and reviewing records in response to a Privacy Act request, 5 U.S.C. § 552a(f)(5). that we will not charge a fee for such activities in connection with records requested pursuant to section 0.554. However, we seek comment on whether the Commission should charge fees for producing copies of records. What is a reasonable fee structure for producing copies of records in response to a Privacy Act request? 27. Finally, we propose amending paragraph (e) to modify the procedures under which requesters may contest an initial staff decision denying them access to records. The Privacy Act does not specify an administrative appeal process in the case of a denial of access. The Commission addressed this silence in 1975 with a rule (paragraph 0.555(e)) that gave unsatisfied requesters the option of (1) seeking an administrative review from the system manager who denied the initial access request, or (2) immediately seeking judicial relief under the Privacy Act. 
47 CFR § 0.555(e); Paragraph (e) of this rule was added in late 1975 “to further implement the Privacy Act of 1974.” The intent was to provide “a means of administrative review in the event that a determination is made denying an individual access to his or her records.” Amendment of § 0.555, Rules and Regulations, Order, 57 F.C.C.2d 331 (1975). This rule appears to be inconsistent with court rulings holding that requesters should exhaust their administrative remedies before filing suit under the Act. See Haase v. Sessions, 893 F.2d 370, 373 (D.C. Cir. 1990) (finding that in the cases of both access and amendment, “a plaintiff, according to the statutory language, must initially seek an amendment or access from the agency and even seek review within the agency before coming to court”); see also Barouch v. U.S. Dep’t of Justice, 962 F. Supp. 2d 30, 67 (D.D.C. 2013) (following Haase and holding that “failure to exhaust administrative remedies under the Privacy Act is a jurisdictional deficiency because exhaustion is required by statute”); see also Taylor v. U.S. Treasury Dep’t, 127 F.3d 470, 475-77. (5th Cir. 1997) (finding that although the court had jurisdiction to hear the appeal, it would use its discretion to require the plaintiff first to exhaust his administrative remedies). For a longer discussion of the inconsistent case law on this provision, see U.S. DOJ, Overview of the Privacy Act of 1974, at 178-98 (2015), https://www.justice.gov/opcl/overview-privacy-act-1974-2015-edition. Further, it appears to conflict with the Communications Act’s requirement that the filing of an application for review to the Commission is “a condition precedent for judicial review” of any decision made by staff. 47 U.S.C. § 155(c)(7). 28. 
To address these problems, we propose an administrative review process that would treat denials of requests to access or amend a record under the Privacy Act in the same way the Commission treats other appeals of decisions made under delegated authority. Specifically, the proposed rules would explain that an aggrieved requester may file a petition for reconsideration to the Senior Agency Official for Privacy or file an application for review before the Commission pursuant to the procedures specified in section 0.557. While a requester would retain the option of seeking further review by Commission staff (in the form of a petition for reconsideration), the alternative would be to file an application for review under the Commission’s existing procedures. 47 CFR § 1.115. 29. Our proposal would strike what is now paragraph (e)(2) from section 0.555, which currently provides that an individual whose request for access has been denied may “[s]eek judicial relief in the district courts of the United States pursuant to paragraph (g)(1)(B) of the Act.” 47 CFR § 0.555(e)(2). Instead of suggesting that an aggrieved requester could immediately seek judicial review, the proposed revisions make clear that a requester has two options: seek further review by Commission staff (in the form of a petition for reconsideration), or file an application for review under the Commission’s existing procedures. 47 CFR § 1.115. Only after the Commission has been given the opportunity to review a staff decision—through the filing of an application for review pursuant to our proposed revision to section 0.557, discussed below—would judicial review become available. We seek comment on whether this approach to managing appeals to denials of access is both practical and consistent with the rights individuals have under the Privacy Act. E. Section 0.556 – Request to Correct or Amend Records 30.
We propose to amend section 0.556 of the Commission’s rules to clarify the requester’s procedural rights when a request to amend a record is denied. This section of the rules implements the Act’s requirement that individuals be able to request amendments or corrections to records an agency maintains about them in a system of records. 5 U.S.C. § 552a(d)(2). The Act requires agencies to promptly respond to such requests and to give individuals the ability to appeal a denial of an amendment request. Individuals may place statements of disagreement with such decisions in their records, and the statements must be included in subsequent agency disclosures of the records. 5 U.S.C. § 552a(d)(3), (4). We address this in our rules at 47 CFR § 0.557(e)(2)(ii). 31. Throughout section 0.556, the system manager is referred to as the decision maker on requests to correct or amend records and requests to amend certain types of records (e.g., official personnel records of current or former employees) are required to be submitted to an Associate Managing Director and the Assistant Director for Work Force Information, Compliance and Investigations at the Office of Personnel Management. 47 CFR § 0.556(a), (c)-(e). The amendments we propose to this subsection would streamline the process for requesters by directing all requests to correct or amend to the Privacy Analyst and centralizing the decision making process. Just as in the case of access requests, this would reflect current practice, in which these requests are received and processed by the Privacy Analyst, who works with relevant Commission staff to locate the disputed records and consider the requests. 32. Paragraph (a) permits individuals to request an amendment of information contained in their record by submitting (1) identity verification, (2) a brief description of the information to be amended, and (3) “the reason for the requested change.” 47 CFR. § 0.556(a)(3). 
We propose to more closely mirror the statutory language, which permits requests to correct or amend information that “the individual believes is not accurate, relevant, timely, or complete.” 5 U.S.C. § 552a(d)(2)(B)(i). We tentatively find that the statutory language more precisely explains the reasons for which individuals may request correction or amendment of records and therefore propose adding this language to paragraphs (a) and (b). Additionally, we propose removing the option to hand deliver requests to correct or amend records to the Commission for the reason stated above – the Commission’s new headquarters building does not have a public filing window and cannot accept hand deliveries. See Amendment of the Commission’s Rules of Practice and Procedure, Order, DA 20-562, (OMD rel. May 28, 2020), https://docs.fcc.gov/public/attachments/DA-20-562A1.pdf. See also 85 Fed. Reg. 39075 (June 30, 2020). 33. Finally, the current paragraph (c)(2) provides, among other things, that the “system manager” advise an individual whose request to correct or amend a record has been denied that “review of the initial decision by the full Commission may be sought pursuant to the procedures set forth in § 0.557.” 47 CFR § 0.556(d)(2). These rules could be read to suggest that an aggrieved requester must appeal directly to the Commission, rather than seeking reconsideration of the denial at the staff level under the Commission’s ordinary procedures. 47 CFR. § 1.106. In order to clarify the procedural rights the requester has under the FCC’s rules, we propose adding language in a new paragraph (d)(2) that requires the Privacy Analyst to inform requesters that they have the right to seek reconsideration by the Senior Agency Official for Privacy or file an application with the Commission for review of a denial of a request to amend a record. 
This addition would match the description of the appeals process proposed for section 0.555(e), harmonizing both processes and making each more clearly consistent with the ordinary process for seeking review of staff-level actions under the Commission’s rules. F. Section 0.557 – Administrative Review of an Initial Decision Not to Provide Access or Amend a Record 34. In the preceding two sections, we have proposed additions to both section 0.555, regarding denials of access, and section 0.556, regarding denials of amendment or correction, providing that an aggrieved requester under the Privacy Act may either seek (1) staff-level review by filing a petition for reconsideration under section 1.106, or (2) review from the full Commission by filing an application for review under section 1.115 and consistent with the procedures in section 0.557. Section 0.557 currently establishes the process for seeking review of the denial of a request to amend or correct Commission records. We now propose updates to this section to harmonize it with our proposals for sections 0.555 and 0.556, and establish a process for seeking Commission-level review of denials both of requests to amend or correct records, as well as requests to access them. 35. Subsection (d)(3) of the Privacy Act 5 U.S.C. § 552a(d)(3). provides requesters who are dissatisfied with an agency response to their amendment requests the right to file an administrative appeal, but it is silent on the availability of administrative appeals of denial of access requests made under subsection (d)(1) of the Act. 5 U.S.C. § 552a(d)(1). When it published its Privacy Act rules in 1975, the Commission created two separate appeals processes—one for denied access requests, 47 CFR § 0.555(e). and another for denied amendment or correction requests. 47 CFR § 0.557. Section 0.555(e) establishes the procedure for challenging a denial of a request to access records. 
That section currently provides that individuals may either submit their request for administrative review to the system manager, who under the current rules makes the determination on whether to grant access to the records, or “seek judicial relief pursuant to paragraph (g)(1)(B) of the [Privacy] Act.” 47 CFR § 0.555(e). Meanwhile, section 0.557 establishes a separate procedure for challenging a denial of a request to amend or correct records. Among other requirements, section 0.557 of the current rules requires individuals to file their appeal to the full Commission within 30 days of the denial and “specify with particularity why the decision reached by the system manager is erroneous or inequitable.” 47 CFR § 0.557(a). Section 0.557 explicitly states that such a review is a prerequisite to seeking judicial review in a district court of the United States. 47 CFR § 0.557(d)(4). 36. These procedures differ in two important respects: the 30-day deadline to file an appeal and the requirement to appeal to the full Commission. Both are explicit requirements for an appeal made under section 0.557, 47 CFR § 0.557(a). but are not mentioned in 0.555. We see no clear reason for the differences in these processes. We further note that both current sections seem to depart from yet another process for challenging staff-level action—namely, the familiar procedures for review established under sections 1.106 47 CFR § 1.106. and 1.115 47 CFR § 1.115. of our rules, which provide for petitions for reconsideration and applications for review, respectively. The current dual tracks for review seem to serve only to confound those aggrieved by denials of Privacy Act requests. We seek comment on these tentative conclusions. 37. Our proposed edits would, along with the edits discussed above, harmonize the process for seeking review under these two sections. 
Specifically, we propose to repurpose section 0.557: instead of establishing only the process for Commission-level review of denials of a decision to amend or correct a record, our proposed edits would establish the process for Commission-level review of all Privacy Act requests—whether requests for access or requests for amendment or correction. The proposed edits to sections 0.555 and 0.556, discussed above, would point requesters aggrieved under either section to 0.557 for Commission-level review. To reflect the proposed change in the purpose of this section, we propose changing the title from the current “Administrative review of an initial decision not to amend a record” to “Commission review of a staff decision.” We believe that this change would more accurately reflect the broader scope of this section and seek comment on this proposal. 38. We also propose edits to certain paragraphs in section 0.557, to reflect that this section would serve as the procedure for seeking Commission level review of all Privacy Act-related appeals. In addition to the proposed amendments to section 0.555(e) regarding denials of requests for access discussed above, we propose simplifying the appeals process by requiring an application for review to the full Commission for denials of requests for both access and amendment or correction as a condition precedent to judicial review. 47 CFR § 1.115. This would harmonize the process for challenging denials of Privacy Act requests with the procedure for challenging other Commission decisions—reducing confusion and inconsistency. Compare 47 CFR § 1.115(k) with 47 CFR § 0.555(e). Specifically, we propose updating section 0.557(a) by removing the text regarding the 30-day deadline and the requirement that the appeal be addressed to the system manager or an official at the Office of Personnel Management, 47 CFR § 0.557(a). 
and instead simply citing to section 1.115 of the Commission’s rules, which sets forth standard procedures for applications for review. 47 CFR § 0.115. We also propose moving paragraphs (a)(1)-(3), which discuss additional requirements for an appeal of a denial of amendment or correction, to a new paragraph (b) and updating them to include denials of access. 47 CFR § 0.557(a)(1)-(3). For example, paragraph (a)(1) would no longer ask whether the information at issue is accurate and instead require an application for review to “clearly identify the adverse decision that is the subject of the review request.” 47 CFR § 0.557(a)(1). 39. Current paragraph (b) of section 0.557 states that the Commission “final administrative review shall be completed not later than 30 days . . . from the date on which the individual requests such review unless the Chairman determines that a fair and equitable review cannot be made within the 30 day period” and requires that the Commission inform the individual in writing of the reasons for the delay and an approximate date on which the review is expected to be completed. 47 CFR § 0.557(b). We propose to modify this language to conform with current practice and the statutory requirements of the Privacy Act, which allows the head of an agency to extend the 30-day period, “for good cause shown,” and does not require notification in writing of a delay or an anticipated date of completion for a decision on appeal. 5 U.S.C. § 552a(d)(3) (Pertaining to appeals of denials to amend records; the Privacy Act is silent on appeals of denials of access). Our proposal would be reflected in an updated paragraph (c) stating that the Commission will make every effort to act on an application for review within 30 business days after it is filed. We believe this would be consistent with section 1.115 of the Commission’s rules and the Commission’s obligations under the Privacy Act. 40. 
Next, we propose updating paragraph (d) and adding a new paragraph (e) to describe the potential outcomes for an application for review. The current paragraph (d) only discusses Commission actions regarding an application for review of a denial of amendment; 47 CFR § 0.557(d). however, as discussed, we propose to expand section 0.557 to be inclusive of both types of appeals under the Privacy Act: appeals of denials of access and denials of amendment or correction. Under both proposed subsections, the Commission would notify individuals of their right to pursue judicial review of the Commission’s decision. Additionally, proposed paragraph (e) would retain the notice requirements listed under current paragraph (d) regarding an individual’s right to provide a signed statement disagreeing with the Commission’s decision, but update the addressee of the statement from the “system manager,” to the Privacy Analyst. 47 CFR § 0.557(d). Finally, proposed paragraph (e)(3) would reflect the requirement under the Privacy Act 5 U.S.C. § 552a(d)(4). that the statement of disagreement be annotated so that the disputed portion of a record becomes apparent to anyone who may subsequently have access to, use, or disclose the record and that a copy of the statement accompany any subsequent disclosure of the record. We seek comment on these proposals, which we believe would simplify the process for seeking review. 41. Furthermore, we propose delegating to the General Counsel authority to dismiss Privacy Act applications for review that do not contain any statement required under § 1.115(a) or (b), or do not comply with the filing requirements of § 1.115(d) or (f) of this chapter. We seek comment on whether this proposal to create a single administrative review process is practical and consistent with individuals’ rights under the Privacy Act. 42.
Because part of this section addresses the disposition of appeals of requests to amend records, we propose to move the contents of section 0.559, which pertains to an individual’s right to file a statement of disagreement with the Commission’s decision not to amend a record, 47 CFR § 0.559. to section 0.557, the rule that describes the administrative review process. As a result, we additionally propose deleting and reserving section 0.559 to avoid repetition in our rules. G. Section 0.558 – Advice and Assistance 43. Section 0.558 directs individuals who have questions about or need assistance with the procedures set forth in this subpart or the notices described in 0.552 to contact the Privacy Liaison Officer, a position that no longer exists. 44. We propose to amend section 0.558 to update the rules’ description of where to find contact information when an individual needs advice or assistance on their rights under the Privacy Act with respect to records held by the Commission. The proposed revision would refer individuals to the Privacy Analyst, the Senior Agency Official for Privacy, and the Privacy Act Information page on the FCC website. See OMB, Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, at 29 (Dec. 23, 2016) (requiring agencies to “maintain a central resource page dedicated to their privacy program”). We believe that providing this updated information will make clear the avenues available to the public to exercise fully their rights under the Privacy Act. See 5 U.S.C. § 552a(f)(4). H. Section 0.560 – Penalty for False Representation of Identity 45. This section restates the Privacy Act’s criminal penalty for an individual who fraudulently requests or obtains information from an agency about an individual. 5 U.S.C. § 552a(i)(3). 
The section provides, “any individual who knowingly and willfully requests or obtains under false pretenses any record concerning an individual from any system of records maintained by the Commission shall be guilty of a misdemeanor and subject to a fine of not more than $5,000.” 47 CFR § 0.560. 46. Following OMB guidance, OMB, Memorandum 21-04, Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act (Nov. 12, 2020). we propose adding language restating the criminal penalty under 18 U.S.C. § 1001 for providing false information to the federal government. Notably, this statute provides more serious consequences than those recited in the current rules—including a fine of not more than $10,000, imprisonment of not more than five years, or both. We believe that this proposed edit should, among other things, serve as a greater deterrent to fraudulent requests by making clear the serious criminal penalties for doing so. I. Section 0.561 - Exemptions 47. Section 0.561 currently asserts exemptions for seven separate systems of records. The listed systems of records include: FCC/FOB-1, Radio Operator Records; FCC/FOB-2, Violators File; FCC/OGC-2, Attorney Misconduct Files; FCC/Central-6, Personnel Investigation Records; FCC/OIG-1, Criminal Investigative Files; FCC/OIG-2, General Investigative Files; and an unnumbered system called Licensees or Unlicensed Persons Operating Radio Equipment Improperly. The listed systems, however, no longer correspond to systems of records that the Commission maintains. For example, the two OIG systems listed in the current rules (“Criminal Investigative Files – FCC/OIG-1” and “General Investigative Files – FCC/OIG-2”) have been superseded by “Investigative Files-FCC/OIG-3.” 48. After reviewing the Commission’s current systems of records, it appears that there are only five systems of records that contain exemptible information. 
These systems of records include: FCC/EB-5, Enforcement Bureau Activity Tracking System; FCC/OMD-16, Personnel Security Files; FCC/WTB-5, Application Review List for Present or Former Licensees, Operators, or Unlicensed Persons Operating Radio Equipment Improperly; FCC/WTB-6, Archival Radio Operator Records; and FCC/OIG-3, Investigative Files. We propose updating this section to strike the seven outdated lists from this section and list and describe the five current systems, which contain exemptible information. In order to comply with the requirement that agencies explicitly explain “the reasons why the system of records is to be exempted from a provision of [the Privacy Act],” 5 U.S.C. § 552a(j)-(k). we also propose rules that more fully justify each exemption we propose to claim. We seek comment on these proposals. 49. Four systems contain information that is exemptible under certain “specific exemptions” listed in subsection (k) of the Privacy Act. The Enforcement Bureau Activity Tracking System (EBATS) (FCC/EB-5) and the other supportive platforms to the EBATS boundary contain investigatory material compiled for law enforcement purposes, which is covered by exemption (k)(2). 
An agency head can exempt a system of records from certain portions of the Privacy Act by promulgating regulations when the system of records maintains “investigatory material compiled for law enforcement purposes, other than material within the scope of subsection (j)(2) of this section: Provided, however, That if any individual is denied any right, privilege, or benefit that he would otherwise be entitled by Federal law, or for which he would otherwise be eligible, as a result of the maintenance of such material, such material shall be provided to such individual, except to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, under an implied promise that the identity of the source would be held in confidence.” 5 U.S.C. § 552a(k)(2). The Security Operations Center’s Personnel Security Files (FCC/OMD-16) contains information covered by exemption (k)(5) including investigatory material related to suitability determinations for Federal employment. An agency head can exempt a system of records from certain portions of the Privacy Act by promulgating regulations when the system of records maintains “investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, under an implied promise that the identity of the source would be held in confidence.” 5 U.S.C. § 552a(k)(5). 
The Commission also maintains WTB-5, Application Review List for Present or Former Licensees, Operators, or Unlicensed Persons Operating Radio Equipment Improperly and WTB-6, Archival Radio Operator Records, both of which contain investigatory material compiled for law enforcement purposes covered by exemption (k)(2). 50. Finally, the Office of Inspector General’s investigative files (OIG-3) contains information that is exemptible under both subsections (j) and (k). Following the guidance of courts that Inspector General offices can be viewed as agency components whose principal function is to perform an activity pertaining to the enforcement of criminal laws, See Seldowitz v. Office of the Inspector General, 238 F.3d 414 (Table) at 4 (4th Cir. 2000) (per curiam). we propose that this system is exempt under both general exemption (j)(2) and the specific exemption (k)(2), which exempts investigatory material compiled for law enforcement purposes. Additionally, FCC/OIG-3 supersedes FCC/OIG-1 and FCC/OIG-2 referenced in the current section 0.561 of the Commission’s rules. We seek comment on these exemptions. IV. PROCEDURAL MATTERS 51. Comment Filing Procedures. Pursuant to sections 1.415 and 1.419 of the Commission’s rules, 47 CFR §§ 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission’s Electronic Comment Filing System (ECFS).
· Electronic Filers: Comments may be filed electronically using the Internet by accessing the ECFS: https://www.fcc.gov/ecfs/.
· Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing.
· Filings can be sent by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail. All filings must be addressed to the Commission’s Secretary, Office of the Secretary, Federal Communications Commission.
· Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701. U.S. Postal Service first-class, Express, and Priority mail must be addressed to 45 L Street NE Washington, DC 20554.
· Effective July 7, 2020, the Commission has permanently closed its filing location at FCC Headquarters. This change is for security measures and in connection with our FCC Headquarters move. See Amendment of the Commission’s Rules of Practice and Procedure, Order, DA 20-562, (OMD rel. May 28, 2020), https://docs.fcc.gov/public/attachments/DA-20-562A1.pdf. See also 85 Fed. Reg. 39075 (June 30, 2020).
· During the time the Commission’s building is closed to the general public and until further notice, if more than one docket or rulemaking number appears in the caption of a proceeding, paper filers need not submit two additional copies for each additional docket or rulemaking number; an original and one copy are sufficient.
52. People with Disabilities. To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an e-mail to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY). 53. Ex Parte Presentations. The proceeding this Notice initiates shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission’s ex parte rules. 47 CFR §§ 1.1200 et seq. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies).
Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter’s written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .docx, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules. 54. Initial Regulatory Flexibility Certification. The Regulatory Flexibility Act of 1980 (RFA), as amended, See 5 U.S.C. § 601 et seq. requires agencies to prepare a regulatory flexibility analysis for rulemaking proceedings, unless the agency certifies that “the rule will not have a significant economic impact on a substantial number of small entities.” 5 U.S.C. § 605(b). The RFA generally defines “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” 5 U.S.C. § 601(6). 
In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act. 5 U.S.C. § 601(3) (incorporating by reference the definition of “small business concern” in Small Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.” 5 U.S.C. § 601(3). A small business concern is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA). Small Business Act, 15 U.S.C. § 632. 55. In this NPRM, we propose to amend the Commission’s Privacy Act rules in order to modernize them and conform them to current Commission practice. The process of seeking to access or amend records under the Privacy Act is generally undertaken by individuals, who are not categorized as “small entities” under the Regulatory Flexibility Act. Furthermore, the rule changes proposed herein consist primarily of minor procedural adjustments to how the Commission handles and responds to Privacy Act matters. Such changes are unlikely to have any significant economic impact. Therefore, we certify that the proposals in this NPRM, if adopted, will not have a significant economic impact on a substantial number of small entities. 56. The Commission will send a copy of this NPRM, including a copy of this Initial Regulatory Flexibility Certification, to the Chief Counsel for Advocacy of the SBA. 5 U.S.C. § 605(b). The initial certification will also be published in the Federal Register. Id. 57. Paperwork Reduction Act. 
This document does not contain new or revised information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. 44 U.S.C. §§ 3501-3520. In addition, therefore, it does not contain any new or modified “information burden for small business concerns with fewer than 25 employees” pursuant to the Small Business Paperwork Relief Act of 2002. See 44 U.S.C. § 3506(c)(4).
V. ORDERING CLAUSES
58. ACCORDINGLY, IT IS ORDERED that, pursuant to the authority contained in sections 1, 4, and 5 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 154, 155, and the Privacy Act of 1974, as amended, 5 U.S.C. § 552a, this Notice of Proposed Rulemaking is ADOPTED.
59. IT IS FURTHER ORDERED that the Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, SHALL SEND a copy of this Notice, including the Initial Regulatory Flexibility Certification, to the Chief Counsel for Advocacy of the Small Business Administration.
FEDERAL COMMUNICATIONS COMMISSION
Marlene H. Dortch
Secretary
APPENDIX
Proposed Rules
Chapter I of Title 47 of the Code of Federal Regulations is proposed to be amended as follows:
PART 0 – COMMISSION ORGANIZATION
1. The authority citation for part 0 continues to read as follows:
Authority: 47 U.S.C. 151, 154(i), 154(j), 155, 225, and 409, unless otherwise noted.
2. Section 0.251 is amended by adding new paragraph (k) to read as follows:
§ 0.251 Authority Delegated
*****
(k) The General Counsel is delegated authority to dismiss Privacy Act applications for review that do not contain any statement required under § 1.115(a) or (b), or do not comply with the filing requirements of § 1.115(d) or (f) of this chapter.
Part 0, Subpart E is amended by revising it to read as follows:
Subpart E – Privacy Act Regulations
Sec.
0.551 Purpose and scope; definitions.
0.552 Notice.
0.553 [Removed and Reserved]
0.554 Requests for notification of and access to records.
0.555 Disclosure of record information to individuals. 0.556 Request to correct or amend records. 0.557 Administrative review of an initial decision not to amend a record. 0.558 Privacy Act assistance. 0.559 [Removed and Reserved] 0.560 Penalty for false representation of identity. 0.561 Exemptions. Authority: 47 U.S.C. 154, 303; 5 U.S.C. 552a(f). § 0.551   Purpose and scope; definitions. (a) The purpose of this subpart is to implement the Privacy Act of 1974, 5 U.S.C. 552a, which regulates the collection, maintenance, use, and dissemination of information about individuals identified in Federal agencies’ information systems. As required by subsection (f) of the Privacy Act, these rules establish procedures individuals may follow to be notified of and gain access to records pertaining to themselves that are maintained in the FCC’s systems of records, and to request amendment of any portion of these records that they believe are not accurate, relevant, timely, or complete. The rules in this subpart should be read together with the Privacy Act, which provides additional information about records maintained on individuals. (b) In this subpart: Individual means a citizen of the United States or an alien lawfully admitted for permanent residence. Privacy Analyst means a Commission official responsible for processing and responding to requests by individuals to be notified of, to access, or to amend records pertaining to them that are maintained in the FCC’s systems of records. Record means any item, collection, or grouping of information about an individual that is maintained by the Commission, including but not limited to, such individual's education, financial transactions, medical history, and criminal or employment history, and that contains such individual's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. 
Routine Use means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected. Senior Agency Official for Privacy means the senior Commission official who has agency-wide responsibility and accountability for the Commission’s privacy program. System of Records means a group of any records under the control of the Commission from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. § 0.552   Notice. Upon establishment, rescission, or revision of a system of records, including the establishment of a new routine use of a system of records, the Commission publishes in the Federal Register the notice required by 5 U.S.C. § 552a(e). § 0.553 [Removed and Reserved] § 0.554   Requests for notification of and access to records. (a) Individuals may ask the Commission if it maintains any records pertaining to them in the Commission’s Systems of Records, and, subject to the provisions of § 0.555(b), the Commission will notify the requesting individuals of any responsive records and permit them to gain access to such records. A proper request must identify the System(s) of Records the individual wants searched. All requests for notification and access made under this subsection shall be: (1) Filed electronically using the web portal identified on the FOIA page of the Federal Communications Commission’s website (www.fcc.gov) or by e-mail to privacy@fcc.gov; or (2) Mailed to the Privacy Analyst, Office of the General Counsel, at the appropriate address listed in § 0.401(a). Note: Regardless of the statute cited in the request, an individual’s request for access to records pertaining to him or her will be processed under both the Privacy Act, following the rules contained in this subpart, and the Freedom of Information Act (5 U.S.C. 
552), following the rules contained in §§ 0.441-0.470 of this part, as appropriate. (b) Reasonable identification is required of all individuals making requests pursuant to paragraph (a) of this section in order to assure that disclosure of any information is made to the proper person. (1) Individuals may verify their identity by submitting the Identity Affirmation form found on the Commission privacy webpage. (2) If positive identification cannot be made on the basis of the information submitted, and if data in the record is so sensitive that unauthorized access could cause harm or embarrassment to the individual to whom the record pertains, the Commission reserves the right to deny access to the record pending the production of additional more satisfactory evidence of identity. Note: The Commission will require verification of identity only where it has determined that knowledge of the existence of record information or its substance is not subject to the public disclosure requirements of the Freedom of Information Act, 5 U.S.C. 552, as amended. (c) A written acknowledgement of receipt of a request for notification and/or access will be provided within 10 days (excluding Saturdays, Sundays, and federal holidays) to the individual making the request. Such an acknowledgement may request that the individual specify the systems of records to be searched and, if necessary, any additional information needed to locate a record. A search of all systems of records identified in the individual's request will be made to determine if any records pertaining to the individual are contained therein, and the individual will be notified of the search results as soon as the search has been completed. Normally, a request will be processed and the individual notified of the search results within 30 days (excluding Saturdays, Sundays, and legal holidays) from the date the inquiry is received. 
However, in some cases, as where records have to be recalled from Federal Record Centers, notification may be delayed. If it is determined that a record pertaining to the individual making the request does exist, the notification will include the responsive record(s) or state approximately when the record(s) will be available for review. No separate acknowledgement is required if the request can be processed and the individual notified of the search results within the ten-day period. § 0.555   Disclosure of record information to individuals. (a) Individuals having been notified that the Commission maintains a record pertaining to them in a system of records may access such record either by in-person inspection at Commission headquarters in Washington, D.C., or by correspondence with the Privacy Analyst by postal or electronic mail. (1) Individuals who wish to review their records at Commission headquarters should contact the Privacy Analyst to arrange a time during regular Commission business hours when they can review and request copies of such records. Verification of identity is required as in § 0.554(b) before access will be granted to an individual appearing in person. Individuals may be accompanied by a person of their own choosing when reviewing a record. However, in such cases, the individual must provide written consent authorizing discussion of their record in the accompanying person’s presence. (2) Individuals may request that copies of records be sent directly to them. In such cases, individuals must verify their identity as described in § 0.554(b) and provide an accurate return postal or electronic mail address. Records shall be sent only to that address. 
(b) Records pertaining to the enforcement of criminal laws, classified material, investigative material compiled for law enforcement purposes, investigatory material compiled solely for determining suitability for Federal employment or access to classified information, and certain testing or examination material may be removed from the records to the extent permitted by subsections (j) and (k) of the Privacy Act of 1974, 5 U.S.C. 552a(j), (k). Section 0.561 of this subpart sets forth the systems of records which the Commission has exempted from disclosure. (c) The Commission will not charge a fee for searching for and reviewing records requested pursuant to § 0.554. Note: Requests processed under the Freedom of Information Act will be subject to the fee provisions detailed in § 0.467 of this part. (d) The provisions of this section in no way give an individual the right to access any information compiled in reasonable anticipation of a civil action or proceeding. (e) In the event that a determination is made denying an individual access to records pertaining to that individual for any reason, such individual may file a petition for reconsideration to the Senior Agency Official for Privacy under § 1.106 of this chapter, or an application for review by the Commission following the procedures set forth in § 0.557 of this subpart and in § 1.115 of this chapter. § 0.556   Request to correct or amend records. (a) An individual may request the amendment of information contained in a record pertaining to that individual if the individual believes the information is not accurate, relevant, timely, or complete. Amendment requests should be submitted in writing to the FCC’s Privacy Analyst either: (1) Via postal mail to the appropriate address listed in § 0.401(a), or (2) Via electronic mail to the email address listed on the Privacy Act Information section of the Commission’s public website (fcc.gov). 
(b) Any request to amend should contain at a minimum: (1) The identity verification information required by § 0.554(b); (2) A brief description of the item or items of information to be amended; and (3) A brief statement explaining why the individual believes the information is not accurate, relevant, timely, or complete. (c) A written acknowledgement of the receipt of a request to amend a record will be provided within 10 days (excluding Saturdays, Sundays, and federal holidays) to the individual requesting the amendment. Such an acknowledgement may, if necessary, request any additional information needed to make a determination. There will be no acknowledgement if the request can be reviewed, processed, and the individual notified of compliance or denial within the 10-day period. (d) A Privacy Analyst will (normally within 30 days) take one of the following actions regarding a request to amend: (1) If the FCC agrees that an amendment to the record is warranted, the Privacy Analyst will: (i) So advise the individual in writing; (ii) Verify with the system manager that the record has been corrected in compliance with the individual's request; and (iii) If an accounting of disclosures has been made, advise all previous recipients of the fact that the record has been corrected and of the substance of the correction. (2) If the FCC does not agree that all or any portion of the record merits amendment, the Privacy Analyst will: (i) Notify the individual in writing of such refusal to amend and the reasons therefor; (ii) Advise the individual of the right to file a petition for reconsideration to the Senior Agency Official for Privacy under § 1.106 of this chapter, or an application for review by the Commission following the procedures set forth in § 0.557 of this subpart and § 1.115 of this chapter. 
(e) In reviewing a record in response to a request to amend, the FCC will assess the accuracy, relevance, timeliness, or completeness of the record in light of each data element placed into controversy and the use of the record in making decisions that could possibly affect the individual. Moreover, the FCC will adjudge the merits of any request to delete information based on whether or not the information in controversy is both relevant and necessary to accomplish a statutory purpose required of the Commission by law or executive order of the President. § 0.557   Commission review of a staff decision. (a) Upon the FCC’s determination not to grant an individual access to a record under § 0.555 of this subpart or a determination not to grant an individual’s request to amend a record under § 0.556 of this subpart, the individual may file an application for review by the Commission following the procedures described in § 1.115 of this chapter. (b) In addition to the requirements contained in § 1.115 of this chapter, any application for review must: (1) Clearly identify the adverse decision that is the subject of the review request; (2) Specify with particularity why the decision reached by the FCC is erroneous or inequitable; and (3) In the case of an amendment request made under § 0.556 of this subpart, clearly state how the record should be amended or corrected. (c) The Commission will make every effort to act on an application for review within 30 business days after it is filed. The Commission may seek such additional information as is necessary to make a determination. 
(d) In the case of a request for access to a record under § 0.554 of this subpart: (1) If upon review of the application, the Commission agrees that the individual is entitled to access to the requested record, the Commission will provide the individual access to the requested record; (2) If instead the Commission finds that the individual is not entitled to access to the requested record, it will notify the individual in writing of its determination and the reasons therefor; the Commission will also advise the individual that judicial review of this determination is available in a district court of the United States. (e) In the case of a request to amend a record under § 0.556 of this subpart: (1) If upon review of the application, the Commission agrees with the individual that the requested amendment is warranted, it will proceed in accordance with § 0.556(d)(1)(i) through (iii). (2) If after reviewing the application, the Commission refuses to amend the record as requested, it shall: (i) Notify the individual in writing of this determination and the reasons therefor; (ii) Advise the individual that a concise statement of the reasons for disagreeing with the determination of the Commission may be filed; (iii) Inform the individual: (A) That such a statement should be signed and addressed to the Privacy Analyst; (B) That the statement will be made available to anyone to whom the record is subsequently disclosed together with, at the Commission’s discretion, a summary of the Commission’s reasons for refusing to amend the record; and (C) That prior recipients of the record will be provided a copy of the statement of dispute to the extent that an accounting of such disclosures is maintained; (iv) Advise the individual that judicial review of the Commission’s determination not to amend the record is available in a district court of the United States. 
(3) If the Commission determines not to amend a record consistent with an individual's request, and if the individual files a statement of disagreement pursuant to § 0.557(e)(2) of this subpart, the record shall be clearly annotated so that the disputed portion becomes apparent to anyone who may subsequently have access to, use, or disclose the record. A copy of the individual's statement of disagreement shall accompany any subsequent disclosure of the record. If the Commission has chosen to include a written summary of its reasons for refusing to amend the record, it shall also accompany any subsequent disclosure. Such statements become part of the individual's record for granting access, but are not subject to the amendment procedures of § 0.556 of this subpart. § 0.558 Privacy Act assistance. In order to assist individuals in exercising their rights under the Privacy Act, the Commission maintains a Privacy Act Information web page on its public website (fcc.gov). In addition, the Commission’s privacy officials will endeavor to provide assistance to any individual who requests information about the Commission’s systems of records or the procedures contained in this subpart for gaining access to a particular system of records or for contesting the content of a record, either administratively or judicially. Individuals can seek such advice: 1) Via postal mail to the appropriate address listed in § 0.401(a) of this chapter, or 2) Via the telephone numbers or electronic mail addresses of the Senior Agency Official for Privacy (SAOP) or the Privacy Analyst, which are listed on the Privacy Act Information page of the FCC’s public website (fcc.gov). § 0.559 [Removed and Reserved] § 0.560   Penalty for false representation of identity. 
Under subsection (i)(3) of the Privacy Act, any individual who knowingly and willfully requests or obtains under false pretenses any record concerning an individual from any system of records maintained by the Commission shall be guilty of a misdemeanor and subject to a fine of not more than $5,000. Under 18 USC § 1001, an individual who knowingly and willfully provides false information to the United States Government shall be fined not more than $10,000 or imprisoned for not more than five years, or both. § 0.561   Exemptions. Because the Commission has determined that applying certain requirements of the Privacy Act to certain Commission records would have an undesirable and unacceptable effect on the conduct of its business, the Commission exempts the following systems of records from the listed requirements of the Act. (a) FCC/EB-5, Enforcement Bureau Activity Tracking System (EBATS). Pursuant to subsection (k)(2) of the Privacy Act, this system of records is exempt from subsections (c)(3), (d), (e)(1), (e)(4) (G), (H), and (I), and (f) of the Privacy Act, and from §§ 0.554 through 0.557 of this subpart insofar as it contains investigatory material compiled for law enforcement purposes. These exemptions are justified for the following reasons: (1) From subsection (c)(3) because providing an accounting of disclosures to an individual could alert that person that he or she is the subject of an investigation by the Enforcement Bureau (EB) or by the recipient entity and allow that person to take actions to impede or compromise the investigation. (2) From subsection (e)(1) because in the early stages of an investigation it is not always possible to determine if specific information is relevant or necessary for the investigation. It is also possible that information collected during an investigation turns out not to be relevant or necessary for that investigation, but helps EB establish patterns of misconduct or suggests that other laws or rules have been violated. 
(3) From subsections (d), (e)(4)(G) and (H), and (f) because giving an individual access to information in this system could notify the individual that he or she is the subject of an EB investigation and provide information about the sources, witnesses, tactics, and procedures EB employs to conduct the investigation, which could allow that person to take actions to impede or compromise the investigation. (4) From subsection (e)(4)(I) because disclosing the categories of sources of records in the system would risk disclosing the methods EB uses to select investigation targets and the techniques and procedures EB uses to conduct investigations. It could also compromise the confidentiality of the EB’s sources and witnesses. (b) FCC/OIG-3, Investigative Files. Pursuant to sections (j)(2) and (k)(2) of the Privacy Act, this system of records is exempt from subsections (c)(3)-(4), (d), (e)(1), (2), (3), (5), and (8), (e)(4)(G), (H), and (I), (f), and (g) of the Privacy Act, 5 U.S.C. 552a, and from §§ 0.554 through 0.557 of this subpart insofar as it contains information related to the enforcement of criminal laws, classified information, and investigatory material compiled for law enforcement purposes. 
These exemptions are justified for the following reasons: (1) From subsection (c)(3) because providing an accounting of disclosures to an individual could alert that person that he or she is the subject of an investigation by the Office of Inspector General (OIG) or that the OIG shared the individual’s information with another law enforcement entity; (2) From subsections (d), (c)(4), (e)(4)(G) and (H), (f), and (g) because giving an individual access to and the right to amend information in this system could notify the individual that he or she is the subject of an OIG investigation and provide information about the sources, witnesses, tactics, and procedures OIG employs to conduct the investigation, which could allow that person to take actions to impede or compromise the investigation. (3) From subsections (e)(1) and (5) because in the early stages of an investigation it is not always possible to determine if specific information is relevant, accurate, timely, or complete. It is also possible that information collected during an investigation turns out not to be relevant or necessary for that investigation, but helps OIG establish patterns of misconduct or suggests that other laws or rules have been violated. (4) From subsections (e)(2) and (3) because collecting information directly from an individual and/or notifying the individual of the purposes of the collection could impair investigations by alerting the individual that he or she is the subject of an investigation. It may also be necessary to collect information from sources other than the individual to verify the accuracy of evidence. Furthermore, in some situations, the subject of an investigation cannot be required to provide information about him or herself. (5) From subsection (e)(8) because notifying an individual that a record has been made available to a person through compulsory process could prematurely reveal an ongoing investigation to the subject of the investigation. 
(6) From subsection (e)(4)(I) because disclosing the categories of sources of records in the system would risk disclosing the methods OIG uses to select investigation targets and the techniques and procedures OIG uses to conduct investigations. (c) FCC/OMD-16, Personnel Security Files. Pursuant to sections (k)(1), (k)(2), and (k)(5) of the Privacy Act, this system of records is exempt from subsections (c)(3), (d), (e)(1), (e)(4) (G), (H), and (I), and (f) of the Privacy Act, and from §§ 0.554 through 0.557 of this subpart insofar as it contains classified material or investigatory material compiled for the purpose of Federal employment eligibility to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence. These exemptions are justified for the following reasons: (1) From subsection (c)(3) because providing an accounting of disclosures to an individual could identify other individuals who received information about the subject individual to elicit information in connection with a personnel background investigation. (2) From subsections (d), (e)(4)(G) and (H), and (f) because giving an individual access to information in this system could reveal the identity of persons who confidentially provided information as part of a personnel background investigation, which could restrict the flow of information necessary to determine the suitability of an employee candidate. (3) From subsection (e)(4)(I) because disclosing the categories of sources of records in the system would risk disclosing the techniques and procedures used to conduct investigations. (4) From subsection (e)(1) because it is impossible to determine in advance what exact information may be necessary to collect in order to determine the suitability of an employee candidate. 
(d) FCC/WTB-5, Application Review List for Present or Former Licensees, Operators, or Unlicensed Persons Operating Radio Equipment Improperly. Pursuant to section (k)(2) of the Privacy Act, this system of records is exempt from subsections (c)(3), (d), (e)(4) (G), (H), and (I), and (f) of the Privacy Act, and from §§ 0.554 through 0.557 of this subpart insofar as it contains classified material or investigatory material compiled for the purpose of determining whether the license application for an individual who operated radio equipment improperly should be granted, denied, or set for a hearing. These exemptions are justified for the following reasons: (1) From subsection (c)(3) because providing an accounting of disclosure to an individual could identify other individuals who received information about the subject individual to elicit information in connection with an investigation into the improper operation of radio equipment. (2) From subsections (d), (e)(4)(G) and (H), and (f) because giving an individual access to information in this system could reveal the identity of persons who confidentially provided information as part of an investigation into the improper operation of radio equipment, which could restrict the flow of information necessary to determine whether a license should be granted. (3) From subsection (e)(4)(I) because disclosure of sources of records in the system would risk disclosing the techniques and procedures used to conduct investigations. (e) FCC/WTB-6, Archival Radio Operator Records. 
Pursuant to sections (k)(1) and (k)(2) of the Privacy Act, this system of records is exempt from subsections (c)(3), (d), (e)(4) (G), (H), and (I), and (f) of the Privacy Act, and from §§ 0.554 through 0.557 of this subpart insofar as it contains classified material or investigatory material compiled for the purpose of determining whether the license application for an individual who operated radio equipment improperly should be granted, denied, or set for a hearing and the referral of possible violations to the FCC’s Enforcement Bureau, Office of General Counsel, or another agency. These exemptions are justified for the following reasons: (1) From subsection (c)(3) because providing an accounting of disclosure to an individual could identify other individuals who received information about the subject individual to elicit information in connection with an investigation into the violation of law. (2) From subsections (d), (e)(4)(G) and (H), and (f) because giving an individual access to information in this system could reveal the identity of persons who confidentially provided information as part of an investigation into a violation of law. (3) From subsection (e)(4)(I) because disclosure of sources of records in the system would risk disclosing the techniques and procedures used to conduct investigations.