Text

Subject:

NRC Response to OMB Request for Information Regarding Agency Policies on Privacy Breach Notification

1. Does your agency have a statutory requirement to notify record subjects if their personal information has been compromised through negligent disclosure or unauthorized third-party access? If their personal information may have been compromised?

NRC Response: The NRC has been unable to identify a statutory requirement to notify record subjects if their personal information has been compromised, or may have been compromised, whether through negligent or inadvertent disclosure, or unauthorized third-party access.

2. Does your agency have a policy or guideline regarding breach notification to record subjects, even in the absence of a statutory requirement? If so, kindly provide a copy of your policy or guideline.

NRC Response: The NRC has no policy or guideline regarding breach notification to record subjects.

3. Does your agency in fact notify record subjects that personally identifiable information has been compromised, even in the absence of a formal policy or guideline? If their personal information may have been compromised? If so, kindly describe your considerations in determining whether to provide notice and what information such notice contains.

NRC Response: Each situation would be evaluated on a case-by-case basis and, depending on the severity of the situation and the extent of release, individual notification of the record subject may be advisable. The NRC may notify record subjects individually by memorandum and may also make an agency-wide announcement to allay concerns of all employees and provide information about the release, actions taken to correct it and to avoid recurrence.