TREASURY DIRECTIVE 25-04

DATE: August 27, 2021

SUBJECT: The Privacy Act of 1974, As Amended

  1. PURPOSE. This Directive establishes policy and assigns responsibilities for carrying out the requirements of the Privacy Act of 1974, as amended (the "Privacy Act" or the "Act"). It also authorizes the release of Treasury Directive Publication (TD P) 25-04, "Privacy Act Handbook."
  2. SCOPE. This Directive applies to all bureaus, offices, and organizations in the Department of the Treasury ("Treasury" or the "Department"), including the Offices of Inspector General. The provisions of this Directive shall not be construed to interfere with or impede the authorities or independence of the Offices of Inspectors General.
  3. POLICY. It is the policy of the Department of the Treasury that all employees and contractors shall be made aware of and comply with the Privacy Act, and that information about individuals shall be collected, maintained, used, and disseminated in accordance with the Act and Treasury regulations set forth in 31 Code of Federal Regulations (CFR) Part 1, Subpart C.
  4. BACKGROUND. The Privacy Act provides safeguards against an invasion of privacy through the misuse of records by Federal agencies. Employees are expected to safeguard information about other individuals to which they are exposed during their employment with the Department. Records about an individual may not be disclosed unless the disclosure is permitted by the Act or made pursuant to an applicable published routine use. The Act requires that information maintained in an agency’s systems of records be accurate, complete, timely, and relevant. The Act permits individuals to receive notification if a system of records contains a record pertaining to them. Subject to certain exemptions, the Act also requires the Department to provide the following: access to any record it maintains about the individual in a system of records; an accounting of any disclosures to the individual upon request; the amendment of a record, if needed; and the ability to appeal any initial determination not to amend a record.
  5. RESPONSIBILITIES. System managers, program managers, personnel employees, procurement employees, attorneys/advisors, and disclosure personnel shall be knowledgeable about the provisions and requirements of the Act. All other Department personnel and contractors shall be aware of their responsibilities to protect Privacy Act records.
    1. The Assistant Secretary for Management (ASM) is the Treasury's Senior Agency Official for Privacy (SAOP) and is responsible for activities relating to the Privacy Act, including rules of conduct, training, and redress that stem from adverse agency determinations for amendment of records under the Act.
    2. The Deputy Assistant Secretary for Privacy, Transparency, & Records (DASPTR) reports to the SAOP and is responsible for leadership, planning, policy, and general oversight of the Department's privacy and civil liberties program.
    3. The Director of Privacy and Civil Liberties within the Office of Privacy, Transparency, & Records is responsible for managing and coordinating the Department's privacy and civil liberties program, serving as the Department's liaison to the Office of Management and Budget (OMB) and the National Archives and Records Administration, and providing leadership and guidance to bureau privacy officers.
    4. The Departmental Privacy Act Officer is responsible for ensuring that privacy compliance requirements are fully incorporated into the privacy and civil liberties compliance framework.
    5. The Heads of Bureaus, as it relates to their respective bureaus, shall:
      1. establish internal procedures to ensure the effectiveness of Treasury’s Privacy Act program and to safeguard individual privacy in the collection, maintenance, use, and dissemination of Federal records;
      2. submit the following to the Office of Privacy, Transparency & Records for the review and approval of the DASPTR:
        1. a notice and report for each new or altered system of records;
        2. a proposed and final rule for any determination to exempt a system of records from certain provisions of the Privacy Act;
        3. a notice and report of the establishment or alteration of a matching program; and
        4. any proposed or final rules applicable to existing Privacy Act system of records for review and concurrence prior to the review and concurrence procedures.
      3. establish procedures allowing an individual to appeal an initial adverse agency determination regarding a request for amendment of records; and
      4. submit to the DASPTR a copy of the bureau’s initial determination and response to an appeal regarding a request to amend records.
    6. System Managers shall:
      1. establish, maintain, revise, or delete systems of records in accordance with applicable laws and regulations relating to privacy and Federal records;
      2. establish administrative and physical controls to ensure the protection of records systems from unauthorized access or disclosure, and from physical damage or destruction;
      3. provide an appropriate means for the accounting of disclosures of records;
      4. retain records in accordance with an approved record retention schedule and dispose of such records in a manner that will not compromise personally identifiable information (PII); and
      5. prepare reports or provide data to the Office of Privacy, Transparency, & Records as required by statute, Executive Order, OMB, Government Accountability Office (GAO), or the SAOP.
    7. Responsible Officials shall ensure that Privacy Act requests for notification, access to and amendment of records are processed in accordance with Treasury’s disclosure implementing regulations, at 31 CFR Part 1, and that a determination is issued.
    8. The Assistant General Counsel (General Law, Ethics, and Regulation) shall provide assistance as the DASPTR requires in clearing reports, notices of systems of records, proposed rules, and other related matters to be submitted by Treasury to Congress, OMB, and other parties.
    9. The Chief Information Officer (CIO) shall:
      1. provide assistance as needed to the DASPTR regarding any proposed or anticipated change to computer installations, communications networks, or other electronic data collecting mechanisms that may be potentially subject to the Privacy Act;
      2. assist the bureaus in the implementation of uniform and consistent policies and standards governing the acquisition, maintenance and use of computers or other electronic or telecommunications equipment in the collection, maintenance, use, or dissemination of Privacy Act records; and
      3. provide the DASPTR with proposed data collection screens, or other electronic data collecting mechanisms used to collect information about individuals, for Privacy Act compliance review prior to their use on the Intranet or Internet.
  6. AUTHORITIES.
    1. Privacy Act of 1974, as amended, 5 USC 552a.
    2. Treasury Order 102-25, “Delegation of Authority Concerning Privacy and Civil Liberties.”
    3. Department of the Treasury Regulations, 31 CFR Part 1, Subpart C.
  7. REFERENCES.
    1. E-Government Act of 2002.
    2. Department of the Treasury Employee Rules of Conduct, 31 CFR Part 0 (February 19, 2016).
    3. OMB Circular A-108, “Federal Agency Responsibilities for Review, Reporting, and Publication Under the Privacy Act” (December 23, 2016).
    4. OMB Circular A-130, “Managing Information as a Strategic Resource” (July 28, 2016).
    5. M-03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002” (September 30, 2003).
    6. Office of Personnel Management, Privacy Procedures for Personnel Records, 5 CFR 297.
    7. TD 25-06, “The Treasury Data Integrity Board.”
    8. TD 25-07, “Privacy and Civil Liberties Impact Assessment (PCLIA).”
    9. TD 25-08, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.”
    10. TD P 25-04, “Privacy Act Handbook.”
    11. TD P 85-01, "Department of the Treasury Information Technology (IT) Security Program."
  8. CANCELLATION. TD 25-04, "The Privacy Act of 1974, As Amended," dated January 27, 2014, is superseded.
  9. OFFICE OF PRIMARY INTEREST. Office of the Deputy Assistant Secretary for Privacy, Transparency & Records and the Office of the Assistant Secretary for Management.

 

/S/
Trevor Norris
Acting Assistant Secretary for Management