The SEC proposed amendments under the Privacy Act of 1974 intended to clarify and streamline the language of several provisions. The proposed revisions, which would replace the current regulations in their entirety, would, among other benefits, update the rules to account for modern technology. Comments are due on the later of 30 days after publication in the Federal Register or April 17, 2023 (The Commission's Privacy Act Regulations, Release No. 34-96906, February 14, 2023).
Privacy Act. The Privacy Act governs the handling of personal information in the federal government, and the Commission last updated its regulations under the Act in 2011. According to the release, in the course of reviewing these regulations, the Commission identified areas where it could clarify, update, and streamline language. Due to the scope of the revisions, the proposal would replace the Commission's current regulations (17 CFR 200.301 through 200.313) in their entirety.
Clarifications. First, several provisions would be amended to clarify, update, and streamline them. Among other changes, the proposed revisions:
- clarify the purpose and scope of the regulations (proposed Section 200.301);
- update definitions so that the processes set forth in the regulations are more plainly described (proposed 17 CFR 200.302);
- simplify the processes for submitting and receiving responses to Privacy Act inquiries, requests, and administrative appeals (proposed 17 CFR 200.303, 305, 306, 307, and 308);
- allow for requesters to electronically verify their identities, including by facsimile, email, or an online Commission form (proposed 17 CFR 200.303); and
- provide for a shorter Commission response time to Privacy Act inquiries as to whether a specific system of records maintained by the Commission contains a record pertaining to the requester, which aligns with other relevant timelines (proposed 17 CFR 200.304.
Provisions eliminated. The proposal would also eliminate in their entirety two sections of the current regulations and certain provisions within the existing regulations. The sections to be eliminated are: Section 200.305, which provides special procedures for requests for medical records and Section 200.311, which restates the statutory penalties set forth in the Privacy Act itself. These provisions are unnecessary, the release explains. A number of subsections are similarly proposed to be eliminated as unnecessary, covered elsewhere, or obsolete.
New provisions. Finally, the release would add a provision covering the processing of Privacy Act requests. Proposed 17 CFR 200.307 concerns requests by individuals for an accounting of record disclosures about the requester, to include the date, nature, and purpose of each disclosure, that the Commission has made available to another person, organization, or agency. The proposal would also add a provision implementing a 90- day time period for requesters to file administrative appeals.
“I am pleased to support this proposal because, if adopted, it would broadly update our Privacy Act rules to account for modern technology, as well as provide the public with greater transparency into the Commission's use of this data,” SEC Chair Gary Gensler said. “These amendments would provide more clarity on how the public can access their records maintained by the Commission and request amendments. I look forward to public comment on the proposal.”
The release is No. 34-96906.