An official website of the United States government.

This is not the current EPA website. This website is historical material reflecting the EPA website as it existed on January 19, 2021. This website is no longer updated and links to external websites and some internal pages may not work.

Privacy Act Rules of Conduct

EPA's Privacy Act Rules of Conduct provide:

  • Privacy rules of conduct
  • Consequence of non-compliance
  • Penalties associated with the failure to comply with the provisions of the Privacy Act and Agency regulations and policies

The EPA workforce shall:

  • Comply with the provisions of the Privacy Act (PA) and Agency regulations and policies pertaining to collecting, accessing, using, disseminating and storing personally identifiable information (PII) and Privacy Act information.
  • Ensure that personal information contained in a system of records, to which they have access in the performance of their duties, is protected so that the security and confidentiality of the information are preserved.
  • Not disclose any personal information contained in any system of records or PII collection, except as authorized.
  • Follow the Agency’s procedures for reporting any unauthorized disclosures or breaches of personally identifiable information.

EPA managers shall:

  • Ensure that all personnel who have access to PII or PA records are made aware of their responsibilities for handling such records, including protecting the records from unauthorized access and disclosure.
  • Not maintain any official files on individuals that are retrieved by name or other personal identifier without first ensuring that a notice of the system of records has been published in the Federal Register.
  • Promptly prepare system of record notices for new or amended PA systems and submit them to the Agency Privacy Act Officer for approval prior to publication in the Federal Register.
  • Educate employees about their responsibilities.

Consequences for Not Complying

Individuals who fail to comply with these Rules of Conduct will be subject to appropriate administrative, civil, or criminal penalties, as afforded by law, if they knowingly, willfully, or negligently disclose Privacy Act information or PII to unauthorized persons.

Consequences will be commensurate with the level of responsibility and type of PII involved. Consequences may include reprimand, suspension, removal, or other actions in accordance with applicable law and Agency policy. Any employee or manager who demonstrates egregious disregard or a pattern of error in safeguarding PII is subject to having his/her access to information or systems that contain PII revoked.