Postal Service records release policies are based on legal requirements, best practices, and business needs. When considering whether to release records publicly, it is the policy of the Postal Service to make its records available to the public to the maximum extent consistent with the public interest. This policy is in accordance with the Freedom of Information Act (FOIA) (5 U.S.C. 552), the Privacy Act (5 U.S.C. 552a) and is implemented in Title 39 Code of Federal Regulations (CFR) 265, and Handbook AS-353, Guide to Privacy, the Freedom of Information Act and Records Management.
Protecting Postal Service information resources and sensitive and Personal Information, such as customer and employee information, including address information, is an essential element of privacy considerations, and can be particularly important when the Postal Service purchases IT or other information processing and information gathering services or when the purchase involves the collection and generation of information pertaining to individuals. In such cases, coordination with the Privacy and Records Office and the Corporate Information Security Office (CISO) is necessary, as discussed in section 8-4, Information Technology and section 3-5, Protection of Postal Service Information and Media, of Handbook AS-805, Information Security, and Clause 4-19: Application Information Security Requirements.
Suppliers that have access to Postal Service information pertaining to individuals, or operate on the Postal Service’s behalf, a file, database, or program from which information about customers, employees, or individuals is retrieved by name or other identifier, are subject to the Postal Service’s privacy policy http://usps.com/privacypolicy) and the requirements of Clause 1-1: Privacy Protection. Clause 1-1 contains provisions that are intended to (1) protect Personal Information from misuse or unauthorized access, (2) respond to actual or suspected unauthorized access of such information, and (3) require suppliers to indemnify the Postal Service in the event of a violation. Clause 1-1 is incorporated by reference in Clause 4-2: Contract Terms and Conditions Required to Implement Policies, Statutes or Executive Orders when checked off by the contracting officer. Clause 1-1 must be included in:
- Contracts in which a supplier or subcontractor operates a Privacy Act system of records on the Postal Service’s behalf;
- Contracts in which a supplier or subcontractor will have access to any Postal Service Personal Information, including address information;
- Contracts in which a supplier or subcontractor assists the Postal Service in establishing or administering a customer Web site or places links or ad banners on a Postal Service Web site or any Web site on the Postal Service’s behalf; or
- Contracts in which a supplier or subcontractor assists the Postal Service to conduct a marketing e-mail campaign.
In most cases, suppliers must turn over all Personal Information in its possession to the Postal Service upon completion of the contract. Under certain circumstances, suppliers will retain the information, and in these cases the contracting officer must work with the Chief Privacy Officer (CPO) and assigned counsel to ensure that all interests are protected. In all cases, purchase/SCM teams should work with the CPO and assigned counsel to ensure that the Postal Service’s privacy commitments are upheld.