25 CFR §273.181

1. (a)When a contractor operates a system of records to accomplish a Bureau function, the contractor must comply with subpart K of 43 CFR part 2 which implements the Privacy Act (5 U.S.C. 552a). Examples of the contractor's responsibilities are:
   1. (1)To continue maintaining systems of records declared by the Bureau to be subject to the Privacy Act;
   2. (2)To make such records available to individuals involved;
   3. (3)To disclose an individual's record to third parties only after receiving permission from the individual to whom the record pertains, and in accordance with the exceptions listed in 43 CFR 2.231;
   4. (4)To establish a procedure to account for access, disclosures, denials, and amendments to records; and
   5. (5)To provide safeguards for the protection of the records.
2. (b)The contractor may not, without prior approval of the Bureau:
   1. (1)Discontinue or alter any established systems of records;
   2. (2)Deny requests for notification or access of records; or
   3. (3)Approve or deny requests for amendments of records.
3. (c)The contractor may not establish a new system of records without prior approval of the Department of Interior and the Office of Management and Budget.
4. (d)The contractor may not collect information about an individual unless it is relevant or necessary to accomplish a purpose of the Bureau as required by statute or Executive Order.
5. (e)The contractor is subject to 5 U.S.C. 552a(i)(1), which imposes criminal penalties for knowingly and willfully disclosing a record about an individual without the written request or consent of that individual unless disclosure is permitted under one of the exceptions.