§ 603.3 Privacy Act program responsibilities.
(a) The NCPC shall designate a Senior Agency Official for Privacy (SAOP) to establish and oversee the NCPC's Privacy Act Program and ensure compliance with privacy laws, regulations and the NCPC's privacy policies. Specific responsibilities of the SAOP shall include:
(1) Reporting to the Office of Management and Budget (OMB) and Congress on the establishment of or revision to Privacy Act Systems;
(2) Reporting periodically to OMB on Privacy Act activities as required by law and OMB;
(3) Signing Privacy Act SORNs for publication in the Federal Register;
(4) Approving and signing PIAs; and
(5) Serving as head of the agency response team when responding to a large-scale information breach.
(b) The NCPC shall designate a Privacy Act Officer (PAO) to coordinate and implement the NCPC's Privacy Act program. Specific responsibilities of the PAO shall include:
(1) Developing, issuing and updating, as necessary, the NCPC's Privacy Act policies, standards, and procedures;
(2) Maintaining Privacy Act program Records and documentation;
(3) Responding to Privacy Act Requests for Records and coordinating appeals of Adverse Determinations for Requests for access to Records, Requests for Amendment or Correction of Records, and Requests for accounting for disclosures;
(4) Informing Individuals of information disclosures;
(5) Working with the NCPC's Division Directors or designated staff to develop an appropriate form for collection of Privacy Act information and including in the form a Privacy Act statement explaining the purpose for collecting the information, how it will be used, the authority for such collection, its routine uses, and the effect upon the Individual of not providing the requested information;
(6) Assisting in the development of new or revised SORNs;
(7) Developing SORN reports for OMB and Congress;
(8) Submitting new or revised SORNs to the Federal Register for publication;
(9) Assisting in the development of computer matching systems;
(10) Preparing Privacy Act, Computer Matching, and other reports to OMB as required; and
(11) Evaluating PIA to ensure compliance with E-Government Act requirements.
(c) Other Privacy related responsibilities shall be shared by the NCPC Division Directors, the NCPC Chief Information Officer (CIO), the NCPC System Developers and Designers, the NCPC Configuration Control Board, the NCPC employees, and the Chairman of the Commission.
(1) The NCPC Division Directors shall be responsible for coordinating with the PAO the implementation of the requirements set forth in this part for Systems of Records applicable to their area of management and the preparation of PIA prior to development or procurement of new systems that collect, maintain or disseminate IIF. Specific responsibilities include:
(i) Reviewing existing SOR for need, relevance, and purpose for existence, and proposing SOR changes to the PAO as necessary in response to altered circumstances;
(ii) Reviewing existing SOR to ensure information is accurate, complete and up to date;
(iii) Coordinating with the PAO the preparation of new or revised SORN;
(iv) Coordinating with the PAO the development of an appropriate form for collection of Privacy Act information and including in the form a Privacy Act statement explaining the purpose for collecting the information, how it will be used, the authority for such collection, its routine uses, and the effect upon the Individual of not providing the requested information;
(v) Collecting information directly from individuals whenever possible;
(vi) Assisting the PAO with providing access to Individuals who request information in accordance with the procedures established in §§ 603.12, 603.13, 603.14 and 603.15;
(vii) Amending Records if and when appropriate, and working with the PAO to inform recipients of former Records of such amendments;
(viii) Ensuring that System information is used only for its stated purpose;
(ix) Establishing and overseeing appropriate administrative, technical, and physical safeguards to ensure security and confidentiality of Records; and
(x) Working with the SAOP, the PAO and Configuration Control Board (CCB) on SORs, preparing a PIA, if needed, and obtaining SAOP approval for a PIA prior to its publication on the NCPC Web site.
(2) The CIO shall be responsible for implementing IT security management to include security for information protected by the Privacy Act and the E-Government Act of 2002. Specific responsibilities include:
(i) Overseeing security policy for privacy data; and
(ii) Reviewing PIAs prepared for information security considerations.
(3) The NCPC System Developers and Designers shall be responsible for ensuring that the IT system design and specifications conform to privacy standards and requirements and that technical controls are in place for safeguarding personal information from unauthorized access.
(4) The NCPC CCB shall, among other responsibilities, verify that a PIA has been prepared prior to approving a request to develop or procure information technology that collects, maintains, or disseminates Information in Identifiable Form.
(5) The NCPC employees shall ensure that any personal information they use in the conduct of their official responsibilities is protected in accordance with the rules set forth in this part.
(6) The Chairman of the Commission shall be responsible for acting on all appeals of Adverse Determinations.
[82 FR 44046, Sept. 20, 2017; 82 FR 44879, Sept. 27, 2017]