TREASURY DIRECTIVE 25-04

DATE: May 6, 2024

SUBJECT: The Privacy Act of 1974, As Amended

  1. PURPOSE. This Directive restates policy and assigns responsibilities for carrying out the requirements of the Privacy Act of 1974, as amended (the “Privacy Act” or the “Act”). This Directive also authorizes the issuance of Treasury Directive Publication (TD P) 25-04, “Privacy Act Handbook.”
  2. SCOPE. This Directive applies to all bureaus, offices, and organizations in the Department of the Treasury (“Treasury” or “the Department”), including the offices of Inspectors General within the Department. The provisions of this Directive shall not be construed to interfere with or impede the authorities or independence of the Department’s Inspectors General.
  3. POLICY. It is the policy of the Department that all employees and contractors shall be made aware of and comply with the Privacy Act, and that information about individuals shall be collected, maintained, used, and disseminated in accordance with the Act and Treasury regulations set forth at 31 Code of Federal Regulations (CFR) Part 1, Subpart C, Office of Management and Budget (OMB) privacy memoranda and circulars, and National Institute of Standards and Technology (NIST) privacy standards mandated by OMB.
  4. BACKGROUND. The Privacy Act provides safeguards against an invasion of privacy through the misuse of records by Federal agencies. Employees are expected to safeguard information about other individuals to which they are exposed during their employment with the Department. Records about an individual may not be disclosed unless the disclosure is permitted by the Act or made pursuant to an applicable published routine use. The Act requires that information maintained in an agency’s systems of records be accurate, complete, timely, and relevant. The Act permits individuals to receive notification if a system of records contains a record pertaining to them. Subject to certain exemptions, the Act also requires the Department to provide the following to an individual upon request: access to any record it maintains about the individual in a system of records; an accounting of any disclosures made; the amendment of a record, if needed; and the ability to appeal any initial determination not to amend a record. The Act also requires that agencies “establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.”
  5. DEFINITIONS. The definitions in the Privacy Act, 5 USC 552a(a), and the Treasury Privacy Act regulations, 31 CFR 1.21, apply to the same terms when used in this Directive. Other applicable terms used (but not defined) in the Privacy Act or the Treasury Privacy Act regulations are:
    1. Responsible Official. The official having custody of the records requested, or a designated official, who makes initial determinations whether to grant or deny requests for notification, access to records, accounting of disclosures, and amendment of records.
    2. System Manager. The official identified in the system of records notice as the manager of the system of records.
    3. Bureau Privacy and Civil Liberties Officer. An individual assigned by each Treasury Bureau Head to serve as the point of contact for matters related to all bureau privacy and civil liberties issues.
  6. RESPONSIBILITIES. System managers, program managers, personnel employees, procurement employees, attorneys, advisors, and disclosure personnel shall be knowledgeable about the provisions and requirements of the Act. All other Department personnel and contractors shall be aware of their responsibilities to protect Privacy Act-covered records.
    1. The Assistant Secretary for Management (ASM) is Treasury's Senior Agency Official for Privacy (SAOP) and is responsible for activities relating to the Privacy Act, including rules of conduct, training, and redress that stem from adverse agency determinations for amendment of records under the Act.
    2. The Deputy Assistant Secretary for Privacy, Transparency, and Records (DASPTR) shall:
      1) provide leadership, planning, policy, and general oversight of the Department's privacy and civil liberties program;
      2) report to the ASM/SAOP;
      3) ensure Departmental Offices’ and Department-wide compliance with responsibilities assigned to Heads of Bureaus in this Directive; and
      4) ensure implementation of the Treasury Enterprise Privacy Risk Management Strategy.
    3. The Director of Privacy and Civil Liberties within the Office of Privacy, Transparency, & Records is responsible for managing and coordinating the Department's privacy and civil liberties program, serving as the Department's liaison to the Office of Management and Budget (OMB) and the National Archives and Records Administration, providing leadership and guidance to bureau privacy officers, and issuing data calls to the bureaus and offices, as needed, to obtain information necessary to implement and address compliance with this Directive and to meet statutory and other privacy reporting requirements. The Director also serves as the Privacy and Civil Liberties Officer for Departmental Offices.
    4. The Departmental Privacy Act Officer is responsible for ensuring that privacy compliance requirements are fully incorporated into the privacy and civil liberties compliance framework.
    5. The Heads of Bureaus, as it relates to their respective bureaus, shall:
      1) establish internal procedures to ensure the effectiveness of Treasury’s Privacy Act program and to safeguard individual privacy in the collection, compilation, maintenance, use, and dissemination of Federal records;
      2) ensure the review of bureau capital investment plans, budgetary requests, and acquisitions involving Information Technology (IT) to confirm that privacy compliance issues, required controls, and associated costs are identified and explicitly addressed in all plans, requests, and acquisitions with respect to any IT resources that will be used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of personally identifiable information (PII);
      3) ensure that appropriate Federal Acquisition Regulation (FAR) clauses are inserted in agreements when the bureau provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, as required by 5 USC 552a, subsection (m)(1);
      4) ensure bureau privacy planning, budgeting, governance, acquisition, and management of personally identifiable information, personnel, equipment, funds, IT resources, and supporting infrastructure and services, including hiring, training, and professional development needs of privacy personnel;
      5) ensure the implementation of the Treasury Enterprise Privacy Risk Management Strategy or a bureau privacy risk management strategy that includes a privacy continuous monitoring component;
      6) submit the following to the Office of Privacy, Transparency, and Records for the review and approval of the DASPTR:
        a) a notice and report for each new or altered system of records;
        b) a proposed and final rule for any determination to exempt a system of records from provisions of the Privacy Act;
        c) a notice and report of the establishment or alteration of a matching program; and
        d) any proposed or final rules applicable to existing Privacy Act systems of records, for review and concurrence prior to the review and concurrence procedures under Treasury Directives 28-03 and 28-04.
      7) establish procedures allowing an individual to appeal an initial adverse agency determination regarding a request for amendment of records;
      8) submit to the DASPTR a copy of the bureau’s initial determination and response to an appeal regarding a request to amend records;
      9) report to the SAOP, at least annually, upon request from the Office of Privacy, Transparency, and Records, regarding the implementation of the requirements in this Directive; and
      10) seek input or advice at any time, as the bureau deems necessary, from the SAOP (through the DASPTR) regarding issues discussed in this Directive.
    6. System Managers shall:
      1) establish, maintain, revise, or delete systems of records in accordance with applicable laws and regulations relating to privacy and Federal records;
      2) establish administrative and physical controls to ensure the protection of records systems from unauthorized access or disclosure, and from physical damage or destruction;
      3) provide an appropriate means for the accounting of disclosures of records;
      4) retain records in accordance with an approved record retention schedule and dispose of such records in a manner that will not compromise personally identifiable information (PII); and
      5) prepare reports or provide data to the Office of Privacy, Transparency, and Records as required by statute, Executive Order, OMB, the Government Accountability Office (GAO), or the SAOP.
    7. Responsible Officials shall ensure that Privacy Act requests for notification, access to, and amendment of records are processed in accordance with Treasury’s disclosure implementing regulations, at 31 CFR Part 1, and that a determination is issued.
    8. The Assistant General Counsel (General Law, Ethics, and Regulation) shall provide assistance as the DASPTR requires in clearing reports, notices of systems of records, proposed rules, and other related matters to be submitted by Treasury to Congress, OMB, and other parties.
    9. The Chief Information Officer (CIO) shall:
      1) provide assistance as needed to the DASPTR regarding any proposed or anticipated change to computer installations, communications networks, or other electronic data collecting mechanisms that may be subject to the Privacy Act;
      2) assist the bureaus in the implementation of uniform and consistent policies and standards governing the acquisition, maintenance, and use of computers or other electronic or telecommunications equipment in the collection, maintenance, use, or dissemination of Privacy Act records;
      3) provide the DASPTR with proposed data collection screens, or other electronic data collecting mechanisms used to collect information about individuals, for Privacy Act compliance review prior to their use on the Intranet or Internet; and
      4) ensure the notification of the Director for Privacy and Civil Liberties of meetings and document reviews (including IT authorization packages) involving CIO reviews of IT (capital investment plans, budgetary requests, acquisitions, selection and assessment of privacy controls, and IT authorization) involving the collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of PII:
        a) to confirm that privacy compliance issues, required controls, and associated costs are identified and explicitly addressed in all plans, requests, and IT acquisitions;
        b) to ensure appropriate FAR clauses are inserted in agreements when any Treasury bureau or office provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, as required by 5 USC 552a, subsection (m)(1); and
        c) to ensure privacy personnel involvement in planning, reviewing, and approving the security categorization and authorization of information systems that maintain PII.
  7. AUTHORITIES.
    1. Privacy Act of 1974, as amended, 5 USC 552a.
    2. Treasury Order 102-25, “Delegation of Authority Concerning Privacy and Civil Liberties.”
    3. Department of the Treasury Regulations, 31 CFR Part 1, Subpart C.
  8. REFERENCES.
    1. E-Government Act of 2002.
    2. Department of the Treasury Employee Rules of Conduct, 31 CFR Part 0 (February 19, 2016).
    3. OMB Circular A-108, “Federal Agency Responsibilities for Review, Reporting, and Publication Under the Privacy Act” (December 23, 2016).
    4. OMB Circular A-130, “Managing Information as a Strategic Resource” (July 28, 2016).
    5. M-03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002” (September 30, 2003).
    6. Office of Personnel Management, Privacy Procedures for Personnel Records, 5 CFR 297.
    7. TD 25-06, “The Treasury Data Integrity Board.”
    8. TD 25-07, “Privacy and Civil Liberties Impact Assessment (PCLIA).”
    9. TD 25-08, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.”
    10. TD P 25-04, “Privacy Act Handbook.”
    11. TD P 85-01, “Department of the Treasury Information Technology (IT) Security Program.”
    12. Treasury Enterprise Privacy Risk Management Strategy.
  9. CANCELLATION. Treasury Directive 25-04, “The Privacy Act of 1974, As Amended,” dated September 28, 2023, is superseded.
  10. OFFICE OF PRIMARY INTEREST. Office of the Deputy Assistant Secretary for Privacy, Transparency & Records and the Office of the Assistant Secretary for Management.

/S/
Anna Canfield Roth
Assistant Secretary for Management