The Commission believes that the Privacy Act should require the head of each agency to designate one official to oversee the agency's implementation of the Act's requirements. [(j)(1)] The official should be "the head of an office designated or created by the agency head, with as many components, field offices, or other supporting structures and staff as the agency head deems necessary." [(j)(1)(A)] In a small agency, this provision need not require the full-time attention of one employee. To assure accountability and good management, however, it is essential that responsibility for implementation of the Act be vested in a designated official.
The Commission found that those agencies that established formal, structured approaches and mechanisms to implement the Privacy Act were the most successful in their implementation of it. These agencies have provided the best training for their personnel, issued detailed, consistent internal guidelines, and devised procedures for auditing their own compliance with the Act.
The designated official would "issue such instructions, guidelines, and standards, and make such determinations" as may be necessary to implement the Act. [(j)(1)(B)] Where an agency's implementation of the current law's accuracy, timeliness, and completeness requirements, or of its safeguarding requirement, has been weak, the weakness often appears to be the product of the agency's failure to issue implementation guidelines. If responsibility and authority for providing such guidance are placed in a designated office, fewer decisions should be made by default and agency employees will have a place to turn for answers to questions that arise in the course of implementation.
Finally, the Commission would retain, with little change, the requirement that agencies publish rules in the Federal Register defining their individual access, correction, and amendment procedures. [(j)(2)] The one modification is in the special procedures for the disclosure of medical records and medical-record information. [(b)(5)] Consistent with its recommendations with respect to private-sector medical-care providers and keepers of medical-record information, the Commission believes that an individual should be allowed to designate a lay representative to receive a medical record or medical-record information that an agency does not want to disclose to him directly for fear that knowledge of its contents would be harmful to him.