[Federal Register Volume 61, Number 100 (Wednesday, May 22, 1996)]
[Rules and Regulations]
[Pages 25561-25566]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 96-12856]



=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE


Defense Finance and Accounting Service

32 CFR Part 324

[DFAS Reg. 5400.11-R]

DFAS Privacy Act Program

AGENCY: Defense Finance and Accounting Service, DOD.
ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule establishes the Defense Finance and Accounting 
Service Privacy Act Program. The Defense Finance and Accounting Service 
(DFAS) was established to provide finance and accounting services for 
the DoD Components and other Federal activities, as designated by the 
Comptroller, DoD.
    The Defense Finance and Accounting Service was activated on January 
15, 1991, to improve the overall effectiveness of DoD financial 
management through the consolidation, standardization and integration 
of finance and accounting systems, procedures and operations. DFAS is 
also responsible for identifying and implementing finance and 
accounting requirements, systems and functions for appropriated and 
non-appropriated funds, as well as working capital, revolving funds and 
trust fund activities--including security assistance.
EFFECTIVE DATE: May 1, 1996.

FOR FURTHER INFORMATION CONTACT: Ms. Genevieve Turney (703) 607-5165 or 
DSN 327-5165.

SUPPLEMENTARY INFORMATION: Executive Order 12866. The Director, 
Administration and Management, Office of the Secretary of Defense has 
determined that this Privacy Act rule for the Department of Defense 
does not constitute `significant regulatory action'. Analysis of the 
rule indicates that it does not have an annual effect on the economy of 
$100 million or more; does not create a serious inconsistency or 
otherwise interfere with an action taken or planned by another agency; 
does not materially alter the budgetary impact of entitlements, grants, 
user fees, or loan programs or the rights and obligations of recipients 
thereof; does not raise novel legal or policy issues arising out of 
legal mandates, the President's priorities, or the principles set forth 
in Executive Order 12866 (1993).

Regulatory Flexibility Act of 1980. The Director, Administration and 
Management, Office of the Secretary of Defense certifies that this 
Privacy Act rule for the Department of Defense does not have 
significant economic impact on a substantial number of small entities 
because it is concerned only with the administration of Privacy Act 
systems of records within the Department of Defense.

Paperwork Reduction Act. The Director, Administration and Management, 
Office of the Secretary of Defense certifies that this Privacy Act rule 
for the Department of Defense imposes no information requirements 
beyond the Department of Defense and that the information collected 
within the Department of Defense is necessary and consistent with 5 
U.S.C. 552a, known as the Privacy Act of 1974.

    This rule establishes the Defense Finance and Accounting Service 
(DFAS) Privacy Act Program. DFAS was established to provide finance and 
accounting services for the DoD Components and other Federal 
activities, as designated by the Comptroller, DoD. The proposed rule 
was previously published on March 1, 1996, at 61 FR 8003. No comments 
were received resulting in any contrary determinations, therefore, DFAS 
is adopting the rule as published.

List of subjects in 32 CFR part 324

    Privacy.

    Accordingly, 32 CFR part 324 is added to read as follows:

PART 324-DFAS PRIVACY ACT PROGRAM


Subpart A-General Information

324.1 Issuance and purpose.
324.2 Applicability and scope.
324.3 Policy.
324.4 Responsibilities.

Subpart B-Systems of Records

324.5 General information.
324.6 Procedural rules.
324.7 Exemption rules.

Subpart C-Individual Access to Records

324.8 Right of access.
324.9 Notification of record's existence.
324.10 Individual requests for access.
324.11 Denials.
324.12 Granting individual access to records
324.13 Access to medical and psychological records.
324.14 Relationship between the Privacy Act and the Freedom of 
Information Act.

Appendix A to part 324 - DFAS Reporting Requirements

[[Page 25562]]

Appendix B to part 324 - System of Records Notice

    Authority:  Pub. L. 93-579, 88 Stat 1896 (5 U.S.C. 552a).

Subpart A - General information


Sec. 324.1  Issuance and purpose.

    The Defense Finance and Accounting Service fully implements the 
policy and procedures of the Privacy Act and the DoD 5400.11-R \1\, 
`Department of Defense Privacy Program' (see 32 CFR part 310). This 
regulation supplements the DoD Privacy Program only to establish policy 
for the Defense Finance and Accounting Service (DFAS) and provide DFAS 
unique procedures.
---------------------------------------------------------------------------

    \1\ Copies may be obtained at cost from the National Technical 
Information Service, 5285 Port Royal Road, Springfield, VA 22161.
---------------------------------------------------------------------------


Sec. 324.2  Applicability and scope.

    This regulation applies to all DFAS, Headquarters, DFAS Centers, 
the Financial System Organization (FSO), and other organizational 
components. It applies to contractor personnel who have entered a 
contractual agreement with DFAS. Prospective contractors will be 
advised of their responsibilities under the Privacy Act Program.


Sec. 324.3  Policy.

    DFAS personnel will comply with the Privacy Act of 1974, the DoD 
Privacy Program and the DFAS Privacy Act Program. Strict adherence is 
required to ensure uniformity in the implementation of the DFAS Privacy 
Act Program and to create conditions that will foster public trust. 
Personal information maintained by DFAS organizational elements will be 
safeguarded. Information will be made available to the individual to 
whom it pertains to the maximum extent practicable. Specific DFAS 
policy is provided for Privacy Act training, responsibilities, 
reporting procedures and implementation requirements. DFAS Components 
will not define policy for the Privacy Act Program.


Sec. 324.4  Responsibilities.

    (a) Director, DFAS.
    (1) Ensures the DFAS Privacy Act Program is implemented at all DFAS 
locations.
    (2) The Director, DFAS, will be the Final Denial Appellate 
Authority. This authority may be delegated to the Director for Resource 
Management.
    (3) Appoints the Director for External Affairs and Administrative 
Support, or a designated replacement, as the DFAS Headquarters Privacy 
Act Officer.
    (b) DFAS Headquarters General Counsel.
    (1) Ensures uniformity is maintained in legal rulings and 
interpretation of the Privacy Act.
    (2) Consults with DoD General Counsel on final denials that are 
inconsistent with other final decisions within DoD. Responsible to 
raise new legal issues of potential significance to other Government 
agencies.
    (3) Provides advice and assistance to the DFAS Director, Center 
Directors, and the FSO as required, in the discharge of their 
responsibilities pertaining to the Privacy Act.
    (4) Acts as the DFAS focal point on Privacy Act litigation with the 
Department of Justice.
    (5) Reviews Headquarters' denials of initial requests and appeals.
    (c) DFAS Center Directors.
    (1) Ensures that all DFAS Center personnel, all personnel at 
subordinate levels, and contractor personnel working with personal data 
comply with the DFAS Privacy Act Program.
    (2) Serves as the DFAS Center Initial Denial Authority for requests 
made as a result of denying release of requested information at 
locations within DFAS Center authority. Initial denial authority may 
not be redelegated. Initial denial appeals will be forwarded to the 
appropriate DFAS Center marked to the attention of the DFAS Center 
Initial Denial Authority.
    (d) Director, FSO.
    (1) Ensures that FSO and subordinate personnel and contractors 
working with personal data comply with the Privacy Act Program.
    (2) Serves as the FSO Initial Denial Authority for requests made as 
a result of denying release of requested information at locations 
within FSO authority. FSO Initial denial authority may not be 
redelegated.
    (3) Appoints a Privacy Act Officer for the FSO and each Financial 
System Activity (FSA).
    (e) DFAS Headquarters Privacy Act Officer.
    (1) Establishes, issues and updates policy for the DFAS Privacy Act 
Program and monitors compliance. Serves as the DFAS single point of 
contact on all matters concerning Privacy Act policy. Resolves any 
conflicts resulting from implementation of the DFAS Privacy Act Program 
policy.
    (2) Serves as the DFAS single point of contact with the Department 
of Defense Privacy Office. This duty may be delegated.
    (3) Ensures that the collection, maintenance, use and/or 
dissemination of records of identifiable personal information is for a 
necessary and lawful purpose, that the information is current and 
accurate for the intended use and that adequate security safeguards are 
provided.
    (4) Monitors system notices for agency systems of records. Ensures 
that new, amended, or altered notices are promptly prepared and 
published. Reviews all notices submitted by the DFAS Privacy Act 
Officers for correctness and submits same to the Department of Defense 
Privacy Office for publication in the Federal Register. Maintains and 
publishes a listing of DFAS Privacy Act system notices.
    (5) Establishes DFAS Privacy Act reporting requirement due dates. 
Compiles all Agency reports and submits the completed annual report to 
the Defense Privacy Office. DFAS reporting requirements are provided in 
Appendix A to this part.
    (6) Conducts annual Privacy Act Program training for DFAS 
Headquarters (HQ) personnel. Ensures that subordinate DFAS Center and 
FSO Privacy Act Officers fulfill annual training requirements.
    (f) FSO and Financial System Activities (FSAs) Legal Support. The 
FSO and subordinate FSA organizational elements will be supported by 
the appropriate DFAS-HQ or DFAS Center General Counsel office.
    (g) DFAS Center(s) Assistant General Counsel.
    (1) Ensures uniformity is maintained in legal rulings and 
interpretation of the Privacy Act and this regulation. Consults with 
the DFAS-HQ General Counsel as required.
    (2) Provides advice and assistance to the DFAS Center Director and 
the FSA in the discharge of his/her responsibilities pertaining to the 
Privacy Act.
    (3) Coordinates on DFAS Center and the FSA denials of initial 
requests.
    (h) DFAS Center Privacy Act Officer.
    (1) Implements and administers the DFAS Privacy Act Program for all 
personnel, to include contractor personnel, within the Center, 
Operating Locations (OpLocs) and Defense Accounting Offices (DAOs).
    (2) Ensures that the collection, maintenance, use, or dissemination 
of records of identifiable personal information is in a manner that 
assures that such action is for a necessary and lawful purpose; the 
information is timely and accurate for its intended use; and that 
adequate safeguards are provided to prevent misuse of such information. 
Advises the Program Manager that systems notices must be published in 
the Federal Register prior to collecting or maintenance of the 
information. Submits system notices to the DFAS-HQ Privacy Act Officer 
for

[[Page 25563]]

review and subsequent submission to the Department of Defense Privacy 
Office.
    (3) Administratively controls and processes Privacy Act requests. 
Ensures that the provisions of this regulation and the DoD Privacy Act 
Program are followed in processing requests for records. Ensures all 
Privacy Act requests are promptly reviewed. Coordinates the reply with 
other organizational elements as required.
    (4) Prepares denials and partial denials for the Center Director's 
signature and obtain required coordination with the assistant General 
Counsel. Responses will include written justification citing a specific 
exemption or exemptions.
    (5) Prepares input for the annual Privacy Act Report as required 
using the guidelines provided in Appendix A to this part.
    (6) Conducts training on the DFAS Privacy Act Program for Center 
personnel.
    (i) FSO Privacy Act Officer.
    (1) Implements and administers the DFAS Privacy Act Program for all 
personnel, to include contractor personnel, within the FSO.
    (2) Ensures that the collection, maintenance, use, or dissemination 
of records of identifiable personal information is in a manner that 
assures that such action is for a necessary and lawful purpose; the 
information is timely and accurate for its intended use; and that 
adequate safeguards are provided to prevent misuse of such information. 
Advises the Program Manager that systems notices must be published in 
the Federal Register prior to collecting or maintenance of the 
information. Submits system notices to the DFAS-HQ Privacy Act Officer 
for review and subsequent submission to the Department of Defense 
Privacy Office.
    (3) Administratively controls and processes Privacy Act requests. 
Ensures that the provisions of this regulation and the DoD Privacy Act 
Program are followed in processing requests for records. Ensure all 
Privacy Act requests are promptly reviewed. Coordinate the reply with 
other organizational elements as required.
    (4) Prepares denials and partial denials for signature by the 
Director, FSO and obtains required coordination with the assistant 
General Counsel. Responses will include written justification citing a 
specific exemption or exemptions.
    (5) Prepares input for the annual Privacy Act Report (RCS: DD 
DA&M(A)1379) as required using the guidelines provided in Appendix A to 
this part.
    (6) Conducts training on the DFAS Privacy Act Program for FSO 
personnel.
    (j) DFAS employees.
    (1) Will not disclose any personal information contained in any 
system of records, except as authorized by this regulation.
    (2) Will not maintain any official files which are retrieved by 
name or other personal identifier without first ensuring that a system 
notice has been published in the Federal Register.
    (3) Reports any disclosures of personal information from a system 
of records or the maintenance of any system of records not authorized 
by this regulation to the appropriate Privacy Act Officer for action.
    (k) DFAS system managers (SM).
    (1) Ensures adequate safeguards have been established and are 
enforced to prevent the misuse, unauthorized disclosure, alteration, or 
destruction of personal information contained in system records.
    (2) Ensures that all personnel who have access to the system of 
records or are engaged in developing or supervising procedures for 
handling records are totally aware of their responsibilities to protect 
personal information established by the DFAS Privacy Act Program.
    (3) Evaluates each new proposed system of records during the 
planning stage. The following factors should be considered:
    (i) Relationship of data to be collected and retained to the 
purpose for which the system is maintained. All information must be 
relevant to the purpose.
    (ii) The impact on the purpose or mission if categories of 
information are not collected. All data fields must be necessary to 
accomplish a lawful purpose or mission.
    (iii) Whether informational needs can be met without using personal 
identifiers.
    (iv) The disposition schedule for information.
    (v) The method of disposal.
    (vi) Cost of maintaining the information.
    (4) Complies with the publication requirements of DoD 5400.11-R, 
`Department of Defense Privacy Program' (see 32 CFR part 310). Submits 
final publication requirements to the appropriate DFAS Privacy Act 
Officer.
    (l) DFAS program manager(s). Reviews system alterations or 
amendments to evaluate for relevancy and necessity. Reviews will be 
conducted annually and reports prepared outlining the results and 
corrective actions taken to resolve problems. Reports will be forwarded 
to the appropriate Privacy Act Officer.
    (m) Federal government contractors. When a DFAS organizational 
element contracts to accomplish an agency function and performance of 
the contract requires the operation of a system of records or a portion 
thereof, DoD 5400.11-R, `Department of Defense Privacy Program' (see 32 
CFR part 310) and this part apply. For purposes of criminal penalties, 
the contractor and its employees shall be considered employees of DFAS 
during the performance of the contract.
    (1) Contracting Involving Operation of Systems of Records. 
Consistent with Federal Acquisition Regulation (FAR) \2\ and the DoD 
Supplement to the Federal Acquisition Regulation (DFAR) \3\, Part 
224.1, contracts involving the operation of a system of records or 
portion thereof shall specifically identify the record system, the work 
to be performed and shall include in the solicitations and resulting 
contract such terms specifically prescribed by the FAR and DFAR.
---------------------------------------------------------------------------

    \2\ Copies may be obtained at cost from the Superintendent of 
Documents, P.O. Box 37195, Pittsburgh, PA 15250-7954.
    \3\ See footnote 2 to Sec. 324.4(m)(1)
---------------------------------------------------------------------------

    (2) Contracting. For contracting subject to this part, the Agency 
shall:
    (i) Informs prospective contractors of their responsibilities under 
the DFAS Privacy Act Program.
    (ii) Establishes an internal system for reviewing contractor 
performance to ensure compliance with the DFAS Privacy Act Program.
    (3) Exceptions. This rule does not apply to contractor records that 
are:
    (i) Established and maintained solely to assist the contractor in 
making internal contractor management decisions, such as records 
maintained by the contractor for use in managing the contract.
    (ii) Maintained as internal contractor employee records, even when 
used in conjunction with providing goods or services to the agency.
    (4) Contracting procedures. The Defense Acquisition Regulatory 
Council is responsible for developing the specific policies and 
procedures for soliciting, awarding, and administering contracts.
    (5) Disclosing records to contractors. Disclosing records to a 
contractor for use in performing a DFAS contract is considered a 
disclosure within DFAS. The contractor is considered the agent of DFAS 
when receiving and maintaining the records for the agency.

[[Page 25564]]

Subpart B - Systems of Records


Sec. 324.5  General information.

    (a) The provisions of DoD 5400.11-R, `Department of Defense Privacy 
Program' (see 32 CFR part 310) apply to all DFAS systems of records. 
DFAS Privacy Act Program Procedural Rules, DFAS Exemption Rules and 
System of Record Notices are the three types of documents relating to 
the Privacy Act Program that must be published in the Federal Register.
    (b) A system of records used to retrieve records by a name or some 
other personal identifier of an individual must be under DFAS control 
for consideration under this regulation. DFAS will maintain only those 
Systems of Records that have been described through notices published 
in the Federal Register.
    (1) First amendment guarantee. No records will be maintained that 
describe how individuals exercise their rights guaranteed by the First 
Amendment unless maintenance of the record is expressly authorized by 
Statute, the individual or for an authorized law enforcement purpose.
    (2) Conflicts. In case of conflict, the provisions of DoD 5400.11-R 
take precedence over this supplement or any DFAS directive or procedure 
concerning the collection, maintenance, use or disclosure of 
information from individual records.
    (3) Record system notices. Record system notices are published in 
the Federal Register as notices and are not subject to the rule making 
procedures. The public must be given 30 days to comment on any proposed 
routine uses prior to implementing the system of record.
    (4) Amendments. Amendments to system notices are submitted in the 
same manner as the original notices.


Sec. 324.6  Procedural rules.

    DFAS procedural rules (regulations having a substantial and direct 
impact on the public) must be published in the Federal Register first 
as a proposed rule to allow for public comment and then as a final 
rule. Procedural rules will be submitted through the appropriate DFAS 
Privacy Act Officer to the Department of Defense Privacy Office. 
Appendix B to this part provides the correct format. Guidance may be 
obtained from the DFAS-HQ and DFAS Center Records Managers on the 
preparation of procedural rules for publication.


Sec. 324.7  Exemption rules.

    (a) Submitting proposed exemption rules. Each proposed exemption 
rule submitted for publication in the Federal Register must contain: 
The agency identification and name of the record system for which an 
exemption will be established; The subsection(s) of the Privacy Act 
which grants the agency authority to claim an exemption for the system; 
The particular subsection(s) of the Privacy Act from which the system 
will be exempt; and the reasons why an exemption from the particular 
subsection identified in the preceding subparagraph is being claimed. 
No exemption to all provisions of the Privacy Act for any System of 
records will be granted. Only the Director, DFAS may make a 
determination that an exemption should be established for a system of 
record.
    (b) Submitting exemption rules for publication. Exemption rules 
must be published in the Federal Register first as proposed rules to 
allow for public comment, then as final rules. No system of records 
shall be exempt from any provision of the Privacy Act until the 
exemption rule has been published in the Federal Register as a final 
rule. The DFAS Privacy Act Officer will submit proposed exemption 
rules, in proper format, to the Defense Privacy Office, for review and 
submission to the Federal Register for publication. Amendments to 
exemption rules are submitted in the same manner as the original 
exemption rules.
    (c) Exemption for classified records. Any record in a system of 
records maintained by the Defense Finance and Accounting Service which 
falls within the provisions of 5 U.S.C. 552a(k)(1) may be exempt from 
the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), 
(e)(4)(G)-(e)(4)(I) and (f) to the extent that a record system contains 
any record properly classified under Executive Order 12589 and that the 
record is required to be kept classified in the interest of national 
defense or foreign policy. This specific exemption rule, claimed by the 
Defense Finance and Accounting Service under authority of 5 U.S.C. 
552a(k)(1), is applicable to all systems of records maintained, 
including those individually designated for an exemption herein as well 
as those not otherwise specifically designated for an exemption, which 
may contain isolated items of properly classified information
    (1) General exemptions. (Reserved)
    (2) Specific exemptions. (Reserved)

Subpart C - Individual Access to Records


Sec. 324.8  Right of access.

    The provisions of DoD 5400.11-R, `Department of Defense Privacy 
Program' (see 32 CFR part 310) apply to all DFAS personnel about whom 
records are maintained in systems of records. All information that can 
be released consistent with applicable laws and regulations should be 
made available to the subject of record.


Sec. 324.9  Notification of record's existence.

    All DFAS Privacy Act Officers shall establish procedures for 
notifying an individual, in response to a request, if the system of 
records contains a record pertaining to him/her.


Sec. 324.10  Individual requests for access.

    Individuals shall address requests for access to records to the 
appropriate Privacy Act Officer by mail or in person. Requests for 
access should be acknowledged within 10 working days after receipt and 
provided access within 30 working days. Every effort will be made to 
provide access rapidly; however, records cannot usually be made 
available for review on the day of request. Requests must provide 
information needed to locate and identify the record, such as 
individual identifiers required by a particular system, to include the 
requester's full name and social security number.


Sec. 324.11  Denials.

    Only a designated denial authority may deny access. The denial must 
be in writing.


Sec. 324.12  Granting individual access to records.

    (a) The individual should be granted access to the original record 
(or exact copy) without any changes or deletions. A record that has 
been amended is considered the original.
    (b) The DFAS component that maintains control of the records will 
provide an area where the records can be reviewed. The hours for review 
will be set by each DFAS location.
    (c) The custodian will require presentation of identification prior 
to providing access to records. Acceptable identification forms include 
military or government civilian identification cards, driver's license, 
or other similar photo identification documents.
    (d) Individuals may be accompanied by a person of their own 
choosing when reviewing the record; however, the custodian will not 
discuss the record in the presence of the third person without written 
authorization.
    (e) On request, copies of the record will be provided at a cost of 
$.15 per page. Fees will not be assessed if the cost is less that 
$30.00. Individuals requesting copies of their official personnel 
records are entitled to one

[[Page 25565]]

free copy and then a charge will be assessed for additional copies.


Sec. 324.13  Access to medical and psychological records.

    Individual access to medical and psychological records should be 
provided, even if the individual is a minor, unless it is determined 
that access could have an adverse effect on the mental or physical 
health of the individual. In this instance, the individual will be 
asked to provide the name of a personal physician, and the record will 
be provided to that physician in accordance with guidance in Department 
of Defense 5400.11-R, `Department of Defense Privacy Program' (see 32 
CFR part 310).


Sec. 324.14  Relationship between the Privacy Act and the Freedom of 
Information Act.

    Access requests that specifically state or reasonably imply that 
they are made under FOIA, are processed pursuant to the DFAS Freedom of 
Information Act Regulation. Access requests that specifically state or 
reasonably imply that they are made under the PA are processed pursuant 
to this regulation. Access requests that cite both the FOIA and the PA 
are processed under the Act that provides the greater degree of access. 
Individual access should not be denied to records otherwise releasable 
under the PA or the FOIA solely because the request does not cite the 
appropriate statute. The requester should be informed which Act was 
used in granting or denying access.


Appendix A to part 324-DFAS Reporting Requirements

    By February 1, of each calendar year, DFAS Centers and Financial 
Systems Organizations will provide the DFAS Headquarters Privacy Act 
Officer with the following information:
    1. Total Number of Requests for Access:
    a. Number granted in whole:
    b. Number granted in part:
    c. Number wholly denied:
    d. Number for which no record was found:
    2. Total Number of Requests to Amend Records in the System:
    a. Number granted in whole:
    b. Number granted in part:
    c. Number wholly denied:
    3. The results of reviews undertaken in response to paragraph 3a of 
Appendix I to OMB Circular A-130 \4\.
---------------------------------------------------------------------------

    \4\ Copies available from the Office of Personnel Management, 
1900 E. Street, Washington, DC 20415.
---------------------------------------------------------------------------


Appendix B to part 324-System of Records Notice

    The following data captions are required for each system of records 
notice published in the Federal Register. An explanation for each 
caption is provided.
    1. System identifier. The system identifier must appear in all 
system notices. It is limited to 21 positions, including agency code, 
file number, symbols, punctuation, and spaces.
    2. Security classification. Self explanatory. (DoD does not publish 
this caption. However, each agency is responsible for maintaining the 
information.)
    3. System name. The system name must indicate the general nature of 
the system of records and, if possible, the general category of 
individuals to whom it pertains. Acronyms should be established 
parenthetically following the first use of the name (e.g., `Field Audit 
Office Management Information System (FMIS)'). Acronyms shall not be 
used unless preceded by such an explanation. The system name may not 
exceed 55 character positions, including punctuation and spaces.
    4. Security classification. This category is not published in the 
Federal Register but is required to be kept by the Headquarters Privacy 
Act Officer.
    5. System location. a. For a system maintained in a single 
location, provide the exact office name, organizational identity, 
routing symbol, and full mailing address. Do not use acronyms in the 
location address.
    b. For a geographically or organizationally decentralized system, 
describe each level of organization or element that maintains a portion 
of the system of records.
    c. For an automated data system with a central computer facility 
and input or output terminals at geographically separate locations, 
list each location by category.
    d. If multiple locations are identified by type of organization, 
the system location may indicate that official mailing addresses are 
published as an appendix to the agency's compilation of systems of 
records notices in the Federal Register. If no address directory is 
used, or if the addresses in the directory are incomplete, the address 
of each location where a portion of the record system is maintained 
must appear under the `system location' caption.
    e. Classified addresses shall not be listed but the fact that they 
are classified shall be indicated.
    f. The U.S. Postal Service two-letter state abbreviation and the 
nine-digit zip code shall be used for all domestic addresses.
    6. Categories of individuals covered by the system. Use clear, non 
technical terms which show the specific categories of individuals to 
whom records in the system pertain. Broad descriptions such as `all 
DFAS personnel' or `all employees' should be avoided unless the term 
actually reflects the category of individuals involved.
    7. Categories of records in the system. Use clear, non technical 
terms to describe the types of records maintained in the system. The 
description of documents should be limited to those actually retained 
in the system of records. Source documents used only to collect data 
and then destroyed should not be described.
    8. Authority for maintenance of the system. The system of records 
must be authorized by a Federal law or Executive Order of the 
President, and the specific provision must be cited. When citing 
federal laws, include the popular names (e.g., `5 U.S.C. 552a, The 
Privacy Act of 1974') and for Executive Orders, the official titles 
(e.g., `Executive Order 9397, Numbering System for Federal Accounts 
Relating to Individual Persons').
    9. Purpose(s). The specific purpose(s) for which the system of 
records was created and maintained; that is, the uses of the records 
within DFAS and the rest of the Department of Defense should be listed.
    10. Routine uses of records maintained in the system, including 
categories of users and purposes of the uses. All disclosures of the 
records outside DoD, including the recipient of the disclosed 
information and the uses the recipient will make of it should be 
listed. If possible, the specific activity or element to which the 
record may be disclosed (e.g., `to the Department of Veterans Affairs, 
Office of Disability Benefits') should be listed. General statements 
such as `to other Federal Agencies as required' or `to any other 
appropriate Federal Agency' should not be used. The blanket routine 
uses, published at the beginning of the agency's compilation, applies 
to all system notices, unless the individual system notice states 
otherwise.
    11. Disclosure to consumer reporting agencies: This entry is 
optional for certain debt collection systems of records.
    12. Policies and practices for storing, retrieving, accessing, 
retaining, and disposing of records in the system. This section is 
divided into four parts.
    13. Storage: The method(s) used to store the information in the 
system (e.g., `automated, maintained in computers

[[Page 25566]]

and computer output products' or `manual, maintained in paper files' or 
`hybrid, maintained in paper files and in computers') should be stated. 
Storage does not refer to the container or facility in which the 
records are kept.
    14. Retrievability: How records are retrieved from the system 
(e.g., `by name,' `by SSN,' or `by name and SSN') should be indicated.
    15. Safeguards: The categories of agency personnel who use the 
records and those responsible for protecting the records from 
unauthorized access should be stated. Generally the methods used to 
protect the records, such as safes, vaults, locked cabinets or rooms, 
guards, visitor registers, personnel screening, or computer `fail-safe' 
systems software should be identified. Safeguards should not be 
described in such detail as to compromise system security.
    16. Retention and disposal: Describe how long records are 
maintained. When appropriate, the length of time records are maintained 
by the agency in an active status, when they are transferred to a 
Federal Records Center, how long they are kept at the Federal Records 
Center, and when they are transferred to the National Archives or 
destroyed should be stated. If records eventually are destroyed, the 
method of destruction (e.g., shredding, burning, pulping, etc.) should 
be stated. If the agency rule is cited, the applicable disposition 
schedule shall also be identified.
    17. System manager(s) and address. The title (not the name) and 
address of the official or officials responsible for managing the 
system of records should be listed. If the title of the specific 
official is unknown, such as with a local system, the local director or 
office head as the system manager should be indicated. For 
geographically separated or organizationally decentralized activities 
with which individuals may correspond directly when exercising their 
rights, the position or title of each category of officials responsible 
for the system or portion thereof should be listed. Addresses that 
already are listed in the agency address directory or simply refer to 
the directory should not be included.
    18. Notification procedures. (1) Notification procedures describe 
how an individual can determine if a record in the system pertains to 
him/her. If the record system has been exempted from the notification 
requirements of subsection (f)(l) or subsection (e)(4)(G) of the 
Privacy Act, it should be so stated. If the system has not been 
exempted, the notice must provide sufficient information to enable an 
individual to request notification of whether a record in the system 
pertains to him/her. Merely referring to a DFAS regulation is not 
sufficient. This section should also include the title (not the name) 
and address of the official (usually the Program Manager) to whom the 
request must be directed; any specific information the individual must 
provide in order for DFAS to respond to the request (e.g., name, SSN, 
date of birth, etc.); and any description of proof of identity for 
verification purposes required for personal visits by the requester.
    19. Record access procedures. This section describes how an 
individual can review the record and obtain a copy of it. If the system 
has been exempted from access and publishing access procedures under 
subsections (d)(1) and (e)(4)(H), respectively, of the Privacy Act, it 
should be so indicated. If the system has not been exempted, describe 
the procedures an individual must follow in order to review the record 
and obtain a copy of it, including any requirements for identity 
verification. If appropriate, the individual may be referred to the 
system manager or another DFAS official who shall provide a detailed 
description of the access procedures. Any addresses already listed in 
the address directory should not be repeated.
    20. Contesting records procedures. This section describes how an 
individual may challenge the denial of access or the contents of a 
record that pertains to him or her. If the system of record has been 
exempted from allowing amendments to records or publishing amendment 
procedures under subsections (d)(1) and (e)(4)(H), respectively, of the 
Privacy Act, it should be so stated. If the system has not been 
exempted, this caption describes the procedures an individual must 
follow in order to challenge the content of a record pertaining to him/
her, or explain how he/she can obtain a copy of the procedures (e.g., 
by contacting the Program Manager or the appropriate DFAS Privacy Act 
Officer).
    21. Record source categories: If the system has been exempted from 
publishing record source categories under subsection (e)(4)(I) of the 
Privacy Act, it should be so stated. If the system has not been 
exempted, this caption must describe where DFAS obtained the 
information maintained in the system. Describing the record sources in 
general terms is sufficient; specific individuals, organizations, or 
institutions need not be identified.
    22. Exemptions claimed for the system. If no exemption has been 
established for the system, indicate `None.' If an exemption has been 
established, state under which provision of the Privacy Act it is 
established (e.g., `Portions of this system of records may be exempt 
under the provisions of 5 U.S.C. 552a(k)(2).')
    Dated: May 15, 1996.




L. M. Bynum,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 96-12856 Filed 5-21-96; 8:45 am]
BILLING CODE 5000-04-F