41 C.F.R. Subpart 105–64.1—Policies and Responsibilities
Title 41 - Public Contracts and Property Management
GSA Heads of Services and Staff Offices and Regional Administrators are responsible for ensuring that all systems of records under their jurisdiction meet the provisions of the Privacy Act and these rules. System managers are responsible for the system(s) of records assigned to them. The GSA Privacy Act Officer oversees the GSA Privacy Program and establishes privacy-related policy and procedures for the agency under the direction of the GSA Senior Agency Official for Privacy.
No information contained in a Privacy Act system of records will be disclosed to third parties without the written consent of you, the individual of record, except under the conditions cited in §105–64.501.
System managers must collect information that is used to determine your rights, benefits, or privileges under GSA programs directly from you whenever practical, and use the information only for the intended purpose(s).
When soliciting information from you or a third party for a system of records, system managers must: cite the authority for collecting the information; say whether providing the information is mandatory or voluntary; give the purpose for which the information will be used; state the routine uses of the information; and describe the effect on you, if any, of not providing the information. Any information solicitation forms will contain this information.
Statutory or regulatory authority must exist for collecting Social Security Numbers for record systems that use the SSNs as a method of identification. Systems without statutory or regulatory authority implemented after January 1, 1975, will not collect Social Security Numbers.
System managers will ensure that all Privacy Act records are accurate, relevant, necessary, timely, and complete.
Employees who design, develop, operate, or maintain Privacy Act record systems will protect system security, avoid unauthorized disclosure of information, both verbal and written, and ensure that no system of records is maintained without public notice. All such employees will follow the standards of conduct in 5 CFR part 2635, 5 CFR part 6701, 5 CFR part 735, and 5 CFR part 2634 to protect personal information.
System managers will establish administrative, technical, and physical safeguards to ensure the security and confidentiality of records, protect the records against possible threats or hazards, and permit access only to authorized persons. Automated systems will incorporate security controls such as password protection, verification of identity of authorized users, detection of break-in attempts, firewalls, or encryption, as appropriate.
In cases where GSA has either permanent or temporary custody of other agencies' records, system managers will coordinate with those agencies on any release of information. Office of Personnel Management (OPM) records that are in GSA's custody are subject to OPM's Privacy Act rules.
System managers will establish computer matching programs or agreements for sharing information with other agencies only with the consent and under the direction of the GSA Data Integrity Board that will be established when and if computer matching programs are used at GSA.
These rules take precedence over any GSA directive that may conflict with the requirements stated here. GSA officials will ensure that no such conflict exists in new or existing directives.
PART 105–64—GSA PRIVACY ACT RULES
Subpart 105–64.1—Policies and Responsibilities
§ 105-64.101 Who is responsible for enforcing these rules?
§ 105-64.102 What is GSA's policy on disclosure of information in a system of records?
§ 105-64.103 What is GSA's policy on collecting and using information in a system of records?
§ 105-64.104 What must the system manager tell me when soliciting personal information?
§ 105-64.105 When may Social Security Numbers (SSNs) be collected?
§ 105-64.106 What is GSA's policy on information accuracy in a system of records?
§ 105-64.107 What standards of conduct apply to employees with privacy-related responsibilities?
§ 105-64.108 How is personal information safeguarded?
§ 105-64.109 How does GSA handle other agencies' records?
§ 105-64.110 When may GSA establish computer matching programs?
§ 105-64.111 What is GSA's policy on directives that may conflict with these rules?

