SEC revises its regulations under the Privacy Act

The revisions are connected to the principal law governing the handling of personal information in the federal government.

On Wednesday, the US Securities and Exchange Commission approved a rule that revises the commission’s regulations under the Privacy Act, which is the principal law governing the handling of personal information in the federal government.

The updated rules further describe (and in some cases amend) the procedures by which individuals can inquire about or request access to records about themselves, request an amendment or correction of those records, and request an accounting of disclosures of those records from the SEC.

Privacy Act rule updates

More specifically, among other things, the final rule does the following:

  • Offers greater clarity for how individuals can access information held by the SEC and pertaining to themselves — and request amendments to that information;
  • Allows for requesters to electronically verify their identities, including by facsimile, email, or an online SEC form;
  • Provides for a shorter response time to Privacy Act inquiries rom the SEC as to whether a system of records maintained by the agency contains a record pertaining to the requester;
  • Adds electronic methods to verify one’s identity and submit Privacy Act requests;
  • Updates the list of records that are exempt from certain provisions of the Privacy Act; and
  • Implements a 90-day time period for requesters to file administrative appeals.

The changes also clarify the fee provisions and formally adopt the current practice of charging requesters only for the direct costs of duplicating a record, so there’s no fee in most cases involving electronic records.


These updates were first proposed in February, and the agency last updated its rules related to the Privacy Act in 2011.

The overarching Privacy Act under which the SEC’s privacy rule exists is a 1974 law, issued by the US Department of Justice at a time in US history when Congress was concerned with curbing the illegal surveillance of individuals by federal agencies that had been exposed during the Watergate scandal.

Lawmakers were further concerned with potential abuses presented by the government’s increasing use of computers to store and retrieve personal data by means of a universal identifier — such as an individual’s social security number.

According to the Privacy World information site maintained by the law firm Squire Patton Boggs, the SEC processes roughly 100 to 300 requests per year under the Privacy Act.

 The final rule announced on Wednesday becomes effective 30 days after publication in the Federal Register.