FAQs for GRS 4.2, Information Access and Protection Records
Download all Frequently Asked Questions of Individual GRS Schedules in a PDF
QUESTION RELATED TO ITEM 030, 031, and 032
1. Items 030, 031, and 032 are related to each other topically and all have very short retention periods. Why aren’t they merged into one item with a unified retention period?
These items state the minimum amount of time that agencies should have a strictly business use for each type of record. If an agency, for its convenience, wishes to collapse items 030, 031, and 032 into a unified item (sometimes referred to as a bucket) with a single retention period, it can do so because we authorize longer retention periods for all three items if required for business use. The retention period for the bucket would then be the longest of the retention periods the agency needs for any one of the included items.
QUESTION RELATED TO ITEM 050
2. GRS 4.2, item 050 seems to cover some of the same records as GRS 4.2, item 020. What records are unique to item 050?
The Privacy Act at 5 U.S.C. § 552a(c) requires agencies to document all disclosures it makes of Privacy records (records protected under the Privacy Act). The seeming conflict between items 020 and 050 comes from the two ways an agency may maintain this documentation.
The first way is to file disclosure documentation with the disclosed records themselves. The resulting file then contains both the disclosed records (governed by an applicable schedule) and the disclosure documentation (governed by item 020). The agency must ensure the joint file is retained for the longer of the two retention periods. Under this model, records proving that the agency is complying with 5 U.S.C. § 552a(c) are scattered piecemeal throughout these other files. The agency may therefore decide to keep a log that documents the specific details of all disclosures in one location. Item 050 uniquely governs such a log.
The second way an agency may maintain disclosure documentation is to file all such documentation in a separate records series it creates solely for that purpose. The agency schedules such a records series, which may or may not include copies of the disclosed records, under item 020. Under this model, an agency does not need to create a log in order to document all disclosures in one place, so it may not create records covered under item 050.
QUESTION RELATED TO ITEMS 060 AND 061
3. Why are items 060 and 061 separate, and not a single item?
The instructions reflect the different ways agencies may maintain these records, which impact how the agencies subsequently dispose of them. An agency may file records documenting erroneous release of records with the erroneously-released records themselves (item 060). In this case, the agency retains the documentation records as long as it retains the related records. Another agency may maintain a separate series of all erroneous release cases divorced from the records they concern (item 061), in which case the agency may destroy the documentation records 6 years after the erroneous release. In either case, agencies must retain records documenting an erroneous release for at least 6 years.
QUESTION RELATED TO ITEM 120
4. Why is there no disposition authority for this item?
The disposition instruction for this item (classified information nondisclosure agreements maintained in the individual’s official personnel folder) is really a filing instruction telling agencies to file the records in the OPF. It does not include authority to destroy records.
QUESTIONS RELATED TO ITEMS 150, 160, AND 161
5. Why does this schedule not cover Privacy Act Statements (PASs)?
The Privacy Act requires agencies to tell individuals providing personal information destined for a system of records how the agency will use that information and to whom the agency will disclose it. The vehicle for this is a PAS. This schedule does not cover PASs because they are not stand-alone documents or a records series in themselves. Rather, agencies tend to incorporate them into the very forms on which they ask individuals to enter data. They generally appear as part of a form’s “small print,” often at the bottom of the page.
6. If my agency posts SORNs and PIAs post to its web pages, are those the record copy covered by this item?
The GRS is agnostic on where, how, and by whom records are retained. An agency may choose to retain its record copy of active SORNs and PIAs on its external or internal web pages. An agency should determine as part of its policies and procedures where and how it keeps recordkeeping copies.
7. Why must I retain a copy of a System of Records Notice (SORN) when I can always get it from the Federal Register, where it is a permanent record?
Item 150 covers not only a copy of the SORN itself, but also significant background material showing its development. These records have continuing business use as long as a SORN is in effect.
8. Does item 161 cover internal Privacy Impact Assessments (PIAs)—information collection from agency employees—as well as PIAs about information collection from the public?
Yes. The item covers all PIAs, regardless of whether the agency collects the information from the public or from the subset of the public known as agency employees. OMB memo M-03-22, “Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002,” indicates agencies must use the same stringent measures to protect information about agency employees as well as the public.
QUESTION RELATED TO ITEM 170
9. What is the OMB “Final Guidance” to which this item refers?
OMB guidance on Computer Matching Agreements appears in several documents, some of them post-dating the 1989 document bearing the word “final” in its title. See:
- Final Guidance interpreting the Provisions of Public Law 100-503, published in the Federal Register (54 FR 25818, June 19, 1989)
- OMB Circular A-130, Appendix I (which, as of August 2016, is in the process of being revised and moved to Circular A-108)
- The Computer Matching and Privacy Protection Amendments of 1990 and the Privacy act of 1974, published in the Federal Register (56 FR 18599, April 23, 1991)
- Privacy Act of 1974: Revised Supplemental Guidance for Conducting Matching Programs, published in the Federal Register (47 FR 21656, May 19, 1982)