A user may be either internal or external to the agency or agency organization responsible for the facility.

"Validation of compilers" means the process of testing a given compiler against certain predetermined conditions and specifying which, if any, conditions are met.

"Want list" means an inventory of ADPE requirements maintained by GSA on the basis of needs expressed by Federal agencies for which demand may be potentially satisfied from excess or exchange/sale ADPE when reported.

"Withdrawal" means a request for cancellation of a report of excess ADPE.

[FIRMR Amdt. 1, 50 FR 4334, Jan. 30, 1985, as amended by FIRMR Amdt. 2, 50 FR 26365, June 26, 1985; FIRMR Amdt. 3, 50 FR 26910, June 28, 1985; FIRMR Amdt. 4, 50 FR 27145, 27147, July 1, 1985; 50 FR 28208, July 11, 1985; FIRMR Amdt. 7, 51 FR 9958, Mar. 24, 1986; Amdt. 12, 53 FR 24722, June 30, 1988]

PARTS 201-3-201-5 [RESERVED]

Sec.

SUBCHAPTER B-PREDOMINANT CONSIDERATIONS

PART 201-6-PROTECTION OF PERSONAL PRIVACY

Subpart 201-6.2—Listening-in or Recording of Telephone Conversations

201-6.201 Applicability.

201-6.202 General.

201-6.202-1 Nonconsensual listening-in or recording.

201-6.202-2 Consensual listening-in or recording.

201-6.203 Agency responsibilities.

201-6.204 GSA responsibilities.

201-6.205 Use of line identification equipment.

AUTHORITY: Sec. 205(c), 63 Stat. 390; 40 U.S.C. 486(c) and sec. 101(f), 100 Stat. 1783-345; 40 U.S.C. 751(f).

SOURCE: FIRMR Amdt. 1, 50 FR 4339, Jan. 30, 1985, unless otherwise noted.

§ 201-6.000 Scope of part.

This part prescribes policies and procedures that apply requirements of the Privacy Act of 1974 (5 U.S.C. 552a) and OMB Circular No. A-130, December 12, 1985, to ADP and telecommunications service arrangements involving, or potentially involving a system of records on individuals. This part also provides policies and procedures regarding listening-in or recording of telephone conversations.

[FIRMR Amdt. 1, 50 FR 4339, Jan. 30, 1985, as amended by Amdt. 12, 53 FR 24723, June 30, 1988]

other establishment in the executive branch of the Government (including the Executive Office of the President), and any independent regulatory agency.

"Government contractor, as used in Subpart 201-6.1" means any individual or other entity who provides by a contract for the operation by or on behalf of an agency of a system of records to accomplish an agency function.

"Individual, as used in Subpart 201-6.1" means a citizen of the United States or an alien lawfully admitted for permanent residence.

"Maintain, as used in Subpart 201-6.1" means maintain, collect, use, and disseminate.

"Record, as used in Subpart 201-6.1" means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, the individual's education, financial transactions, medical history, and criminal or employment history and that contains the name, identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voice print or a photograph.

"Rules of conduct, as used in Subpart 201-6.1" means those administrative procedures, methods of work, and standards of conduct that together define the manner in which persons involved in the design, development, operation, or maintenance of systems of records will design, maintain, collect, use, or disseminate the records.

"Safeguards, as used in Subpart 201-6.1" means those procedures, methods, and devices that have as their specific function the prevention or mitigation of the effects of threats and hazards to a system of records on individuals to accomplish an executive agency function subject to the Privacy Act.

"Systems of records on individuals, as used in Subpart 201-6.1" means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

"Threats and hazards, as used in Subpart 201-6.1" means man-made or natural events, the occurrence of which may result in the loss, alteration, or unauthorized access to data in a system of records on individuals to accomplish an executive agency function subject to the Privacy Act.

"Consensual, as used in Subpart 201-6.2" means that one party to a telephone conversation has given prior consent to the interception or recording of the conversation.

"Determination, as used in Subpart 201-6.2" means a written document (usually a letter) that specifies the operational need for listening-in or recording of telephone conversations, indicates the specific system and location where it is to be performed, lists the number of telephones and/or recorders involved, establishes operating times and an expiration date, and justifies the use. It is signed by the agency head or the agency head's designee.

"Listening-in devices, as used in Subpart 201-6.2" means such devices that can intercept any telephone communication and be used to listen-in or record telephone conversations without the knowledge of one or more of the parties to the conversation.

"Nonconsensual, as used in Subpart 201-6.2" means that none of the parties to a telephone conversation has given consent to the interception or recording of the conversation.

Subpart 201-6.1—Protection of Individual Privacy

§ 201-6.101 Applicability.

This subpart applies only to agencies as defined in § 201-6.001.

§ 201-6.102 Requirements.

(a) The Privacy Act of 1974 sets forth certain safeguards to protect personal privacy by requiring agencies to abide by the provisions of the Act. Keeping only an essential minimum of records is the most effective protection against further incursions into personal privacy and is a major goal of the Act. Agencies shall also comply with 201-32.302 and FAR Subpart 24.1, Protection of Individual Privacy when acquiring ADP equipment, software, maintenance, or services and/or telecommunications equipment, maintenance, or services.

(b) The Privacy Act of 1974 requires each agency that maintains a system of records to do the following:

(1) Maintain in its records only that information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President (5 U.S.C. 552a(e)(1)). Thus, protection of privacy is promoted by limiting the amount of information maintained.

(2) Establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records or in maintaining any record, and instruct each such person with respect to those rules and the requirements of this section, including rules and procedures adopted pursuant to this section and the penalties for noncompliance (5 U.S.C. 552a(e)(9)).

(3) Establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained (5 U.S.C. 552a(e)(10)). It should be noted that the development of appropriate safeguards will necessarily be tailored to the requirements of the system of records being maintained. In addition, the need to provide safeguards may be influenced by other considerations, such as ensuring continuity of agency operations, protecting proprietary data, protecting national security information, and ensuring accuracy and reliability of information.

[FIRMR Amdt. 1, 50 FR 4339, Jan. 30, 1985, as amended by Amdt. 12, 53 FR 24723, June 30, 1988]

§ 201-6.103 Interagency services.

Special considerations and responsibilities apply in those instances in which one agency (the user agency) makes use of services or equipment provided, operated, managed, or administered by another (the provider agency) in the course of maintaining or operating systems of records. These instances include services obtained through sharing and the Federal Data Processing Centers (see Part 201-31.)

§ 201-6.103-1 User agency responsibilities.

A user agency shall

(a) Make all reports and notices required under OMB Circular No. A-130;

(b) Determine its data confidentiality and security requirements before storing, processing, or transmitting systems of records at a provider agency's facility;

(c) Include in its screening of ADP and telecommunications services and equipment resources an examination of the ability of each (provider agency) resource to meet user agency's data confidentiality and security requirements (specifically, the adequacy of available technical, administrative, and physical safeguards to counter anticipated threats and hazards must be evaluated);

(d) Satisfy itself that the rules of conduct governing the activities of personnel of the provider agency are commensurate with user agency's data confidentiality and security requirements;

(e) Obtain services from only those provider agencies that fully meet the user agency's data confidentiality and security requirements;

(f) Recognize that the records the user agency transmits, stores, or processes at the facility of a provider agency will be considered to be maintained by the user agency; and

(g) Establish written rules governing the disclosure by a provider agency of records considered to be maintained by the user agency.

[FIRMR Amdt. 1, 50 FR 4339, Jan. 30, 1985, as amended by Amdt. 12, 53 FR 24723, June 30, 1988]

§ 201-6.103-2 Provider agency responsibilities.

A provider agency shall

(a) As specified in § 201-6.102(b), develop rules of conduct for personnel involved in the design, development, operation, or maintenance of equipment, systems, or services used to store, process, or transmit systems of records;

(b) In accordance with § 201-6.102(b), undertake a continuing program of review of its operations to ensure that threats and hazards to data confidentiality and security are properly identified and that appropriate safeguards are implemented;

(c) Make available rules of conduct and information on safeguards to user agencies;

(d) Refrain from disclosing any records stored, processed, or transmitted for a user agency except to that agency or under written rules established and provided by that user agency; and

(e) Make known to user agencies changes in its perception of threats and hazards to data confidentiality and security or any changes in the safeguards implemented to protect against those threats and hazards. User agencies may use information on such changes to reevaluate their usage of the provider agency's services or equipment.

§ 201-6.104 Implementation in contracts.

Contract clauses are prescribed in Part 201-32 for use when an agency contracts for the design, development, operation, or maintenance of a system of records on individuals to accomplish an agency function. See also FAR Subpart 24.1.

Subpart 201-6.2-Listening-in or Recording of Telephone Conversations

§ 201-6.201 Applicability.

This subpart applies to Federal agencies as defined in § 201-2.001.

§ 201-6.202 General.

(a) Federal agencies may listen-in or record telephone conversations only under limited circumstances. This Subpart 201-6.2 describes the circumstances and prescribes policies that limit the practice within the Federal government.

(b) The provisions of the subpart do not apply to telecommunications monitoring conducted in accordance with Executive Order 12036 dated January 24, 1978 (3 CFR). Nothing in this regulation shall be construed as authorization for the listening-in or recording of any telephone conversations for the purpose of committing any criminal or tortious act in violation of the Constitution or the laws of the United States.

§ 201-6.202-1 Nonconsensual listening-in or recording.

Nonconsensual listening-in or recording of telephone conversations shall be authorized and handled in accordance with the requirements of the Omnibus Crime Control and Safe Streets Act of 1968, as amended (18 U.S.C. 2510 et seq.), and the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).

§ 201-6.202-2 Consensual listening-in or recording.

Consensual listening-in or recording of telephone conversations on the Federal Telecommunications System (FTS) or any other telephone system approved in accordance with the Federal Property and Administrative Services Act of 1949, section 201(a) (1) and (3) (40 U.S.C. 481(a) (1) and (3)), and implementing regulations thereof is prohibited except under the following conditions:

(a) When performed for law enforcement purposes in accordance with procedures established by the agency head, as required by the Attorney General's Guidelines for Administration of the Omnibus Crime Control and Safe Streets Act of 1968, and in accordance with procedures established by the Attorney General.

(b) When performed for counter-intelligence purposes and approved by the Attorney General or the Attorney General's designee.

(c) When performed by any Federal employee for public safety purposes and when documented by a written determination of the agency head or the designee citing the public safety needs. The determination must identify the segment of the public needing protection and cite examples of the hurt, injury, danger, or risks from which the public is to be protected. Examples of these practices are police and fire department operations, air traffic safety control, and air/sea rescue operations.

(d) When performed by a handicapped employee, provided a physician has certified (and the head of the agency or designee concurs) that the employee is physically handicapped and the head of the agency or designee determines that the use of a listening-in or recording device is required to fully perform the duties of the official position description. Equipment shall be for the exclusive use of the handicapped employee. The records of any interceptions by handicapped employees shall be used, safeguarded, and destroyed in accordance with appropriate agency records management and disposition systems.

(e) When performed by any Federal agency for service monitoring but only after analysis of alternatives and a determination by the agency head or the agency head's designee that monitoring is required to effectively perform the agency mission. Strict controls must be established and adhered to for this type of monitoring. (See § 201-6.203 on agency responsibilities for minimal procedures.)

(f) When performed by any Federal employee with the consent of all parties for each specific instance. This includes telephone conferences, secretarial recording, and other acceptable administrative practices. Strict supervisory controls shall be maintained to eliminate any possible abuse of this privilege. The agency head or the agency head's designee shall be informed of this capability for listening-in or recording telephone conversations.

§ 201-6.203 Agency responsibilities.

Each agency shall ensure that:

(a) All listening-in or recording of telephone conversations as described in § 201-6.202-2(c), (d), or (e) shall have a written determination approved by the agency head or the agency head's designee before operations commence.

(b) Service personnel who monitor listening-in or recording devices under § 201-6.202-2(e) shall be designated in writing. They shall be provided with written policies covering telephone
