[Federal Register Volume 72, Number 71 (Friday, April 13, 2007)]
[Rules and Regulations]
[Pages 18758-18790]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-6118]




-----------------------------------------------------------------------

Part II





Department of Defense





-----------------------------------------------------------------------



32 CFR Part 310



Department of Defense Privacy Program; Final Rule



-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[DoD-2006-OS-0129]
RIN 0790-AB03

32 CFR Part 310


Department of Defense Privacy Program

AGENCY: Department of Defense.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Defense is updating policies and 
responsibilities for the Defense Privacy Program which implements the 
Privacy Act of 1974.

EFFECTIVE DATE: April 13, 2007.

FOR FURTHER INFORMATION CONTACT: Mr. Vahan Moushegian, Jr., at (703) 
607-2943.

SUPPLEMENTARY INFORMATION: The proposed rule was published in the 
Federal Register on July 14, 2006 at 71 FR 40282. No public comments 
were received. Some administrative changes were made as a result of 
comments on the corresponding DoD issuance and Office of Management and 
Budget guidance. Changes involve revision of the terms for personal and 
compromised information; the incorporation of additional considerations 
when determining if a social security number will be collected; a 
reorganization of the procedures involving Congressional or General 
Accountability Office access to records; an expanded explanation of 
record disposal procedures and the access exemption; additional 
consideration involving training and technical/special security 
requirements; and new notification procedures when there is a loss or 
theft of information.

Executive Order (E.O.) 12866, ``Regulatory Planning and Review''

    It has been determined that 32 CFR part 310 is not a significant 
regulatory action. The rule does not
    (1) Have an annual effect on the economy of $100 million or more or 
adversely affect in a material way the economy; a sector of the 
economy; productivity; competition; jobs; the environment; public 
health or safety; or State, local, or tribal governments or 
communities;
    (2) Create a serious inconsistency or otherwise interfere with an 
action taken or planned by another Agency;
    (3) Materially alter the budgetary impact of entitlements, grants, 
user fees, or loan programs, or the rights and obligations of 
recipients thereof; or
    (4) Raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
this Executive Order.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. Chapter 6)

    It has been determined that this rule is not subject to the 
Regulatory Flexibility Act because it would not, if promulgated, have a 
significant economic impact on a substantial number of small entities, 
since it is only concerned with the administration of the Privacy 
Program within the Department of Defense.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

    It has been determined that this rule does not impose information 
requirements beyond the Department of Defense and that the information 
collected within the Department of Defense is necessary and consistent 
with 5 U.S.C. 552a, known as the Privacy Act of 1974.

Section 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    It has been determined that the rule does not involve a Federal 
mandate that may result in the expenditure by State, local and tribal 
governments, in the aggregate, or by the private sector, of $100 
million or more in any one year.

Executive Order 13132, ``Federalism''

    It has been determined that this rule does not have federalism 
implications. The rule does not have substantial direct effects on the 
States, the relationship between the National Government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government.

List of Subjects in 32 CFR Part 310

    Privacy.


Accordingly, 32 CFR part 310 is revised as follows.

PART 310--DOD PRIVACY PROGRAM

Subpart A--DoD Policy
Sec.
310.1 Reissuance.
310.2 Purpose.
310.3 Applicability and scope.
310.4 Definitions.
310.5 Policy.
310.6 Responsibilities.
310.7 Information requirements.
310.8 Rules of conduct.
310.9 Privacy boards and office, composition and responsibilities.
Subpart B--Systems of Records
310.10 General.
310.11 Standards of accuracy.
310.12 Government contractors.
310.13 Safeguarding personal information.
310.14 Notification when information is lost, stolen, or 
compromised.
Subpart C--Collecting Personal Information
310.15 General considerations.
310.16 Forms.
Subpart D--Access by Individuals
310.17 Individual access to personal information.
310.18 Denial of individual access.
310.19 Amendment of records.
310.20 Reproduction fees.
Subpart E--Disclosure of Personal Information to Other Agencies and 
Third Parties
310.21 Conditions of disclosure.
310.22 Non-consensual conditions of disclosure.
310.23 Disclosures to commercial enterprises.
310.24 Disclosures to the public from medical records.
310.25 Disclosure accounting.
Subpart F--Exemptions
310.26 Use and establishment of exemptions.
310.27 Access exemption.
310.28 General exemption.
310.29 Specific exemptions.
Subpart G--Publication Requirements
310.30 Federal Register publication.
310.31 Exemption rules.
310.32 System notices.
310.33 New and altered record systems.
310.34 Amendment and deletion of system notices.
Subpart H--Training Requirements
310.35 Statutory training requirements.
310.36 OMB training guidelines.
310.37 DoD training programs.
310.38 Training methodology and procedures.
310.39 Funding for training.
Subpart I--Reports
310.40 Requirement for reports.
310.41 Suspense for submission of reports.
310.42 Reports control symbol.
Subpart J--Inspections
310.43 Privacy Act inspections.
310.44 Inspection reporting.
Subpart K--Privacy Act Violations
310.45 Administrative remedies.
310.46 Civil actions.
310.47 Civil remedies.
310.48 Criminal penalties.
310.49 Litigation status sheet.
310.50 Lost, stolen, or compromised information.
Subpart L--Computer Matching Program Procedures
310.51 General.
310.52 Computer matching publication and review requirements.
310.53 Computer matching agreements (CMAs).
Appendix A to Part 310--Safeguarding Personally Identifiable 
Information
Appendix B to Part 310--Sample Notification Letter


Appendix C to Part 310--DoD Blanket Routine Uses
Appendix D to Part 310--Provisions of the Privacy Act From Which a 
General or Specific Exemption May Be Claimed
Appendix E to Part 310--Sample of New or Altered System of Records 
Notice in Federal Register Format
Appendix F to Part 310--Format for New or Altered System Report
Appendix G to Part 310--Sample Amendments or Deletions to System 
Notices in Federal Register Format
Appendix H to Part 310--Litigation Status Sheet

    Authority: Pub. L. 93-579, 88 Stat. 1896 (5 U.S.C. 552a).

Subpart A--DoD Policy


Sec.  310.1  Reissuance.

    This part consolidates into a single location (32 CFR part 310) 
Department of Defense (DoD) policies and procedures for implementing 
the Privacy Act of 1974, as amended (5 U.S.C. 552a) by authorizing the 
development, publication and maintenance of the DoD Privacy Program set 
forth by DoD Directive 5400.11 \1\ and 5400.11-R,\2\ both entitled: 
``DoD Privacy Program.''
---------------------------------------------------------------------------

    \1\ Copies may be obtained at http://www.dtic.mil/whs/directives.
    \2\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------


Sec.  310.2  Purpose.

    This part:
    (a) Updates policies and responsibilities of the DoD Privacy 
Program under 5 U.S.C. 552a and OMB Circular A-130.
    (b) Authorizes the Defense Privacy Board, the Defense Privacy Board 
Legal Committee, and the Defense Data Integrity Board.
    (c) Continues to authorize the publication of DoD 5400.11-R.
    (d) Continues to delegate authorities and responsibilities for the 
effective administration of the DoD Privacy Program.


Sec.  310.3  Applicability and scope.

    This part:
    (a) Applies to the Office of the Secretary of Defense (OSD), the 
Military Departments, the Chairman of the Joint Chiefs of Staff, the 
Combatant Commands, the Office of the Inspector General of the 
Department of Defense (IG, DoD), the Defense Agencies, the DoD Field 
Activities, and all other organizational entities in the Department of 
Defense (hereinafter referred to collectively as ``the DoD 
Components'').
    (b) Shall be made applicable to DoD contractors who are operating a 
system of records on behalf of a DoD Component, to include any of the 
activities, such as collecting and disseminating records, associated 
with maintaining a system of records.
    (c) Does not apply to:
    (1) Requests for information made under the Freedom of Information 
Act. They are processed in accordance with DoD 5400.7-R.\3\
---------------------------------------------------------------------------

    \3\ See footnote 1 to Sec.  310.3(c)(1).
---------------------------------------------------------------------------

    (2) Requests for information from systems of records controlled by 
the Office of Personnel Management (OPM), although maintained by a DoD 
Component. These are processed in accordance with policies established 
by OPM ``Privacy Procedures for Personnel Records'' (5 CFR 297).
    (3) Requests for personal information from the General Accounting 
Office. These are processed in accordance with DoD Directive 7650.1.\4\
---------------------------------------------------------------------------

    \4\ See footnote 1 to Sec.  310.3(c)(1).
---------------------------------------------------------------------------

    (4) Requests for personal information from Congress. These are 
processed in accordance with DoD Directive 5400.4 except those specific 
provisions in Subpart E--Disclosure of Personal Information to Other 
Agencies and Third Parties.


Sec.  310.4  Definitions.

    (a) Access. The review of a record or a copy of a record or parts 
thereof in a system of records by any individual.
    (b) Agency. For the purposes of disclosing records subject to the 
Privacy Act among the DoD Components, the Department of Defense is 
considered a single agency. For all other purposes, to include requests 
for access and amendment, denial of access or amendment, appeals from 
denials, and record keeping as relating to release of records to non-
DoD Agencies, each DoD Component is considered an agency within the 
meaning of the Privacy Act.
    (c) Computer Matching Program. The computerized comparison of two 
or more automated systems of records, or of a system of records with 
non-Federal records. Manual comparison of systems of records, or of a 
system of records with non-Federal records, is not covered.
    (d) Confidential source. A person or organization who has furnished 
information to the Federal Government under an express promise, if made 
on or after September 27, 1975, that the person's or the organization's 
identity shall be held in confidence or under an implied promise of 
such confidentiality if this implied promise was made on or before 
September 26, 1975.
    (e) Disclosure. The transfer of any personal information from a 
system of records by any means of communication (such as oral, written, 
electronic, mechanical, or actual review) to any person, private 
entity, or Government Agency, other than the subject of the record, the 
subject's designated agent or the subject's legal guardian.
    (f) Federal benefit program. A program administered or funded by 
the Federal Government, or by any agent or State on behalf of the 
Federal Government, providing cash or in-kind assistance in the form of 
payments, grants, loans, or loan guarantees to individuals.
    (g) Federal personnel. Officers and employees of the Government of 
the United States, members of the uniformed services (including members 
of the Reserve Components), individuals entitled to receive immediate 
or deferred retirement benefits under any retirement program of the 
United States (including survivor benefits).
    (h) Individual. A living person who is a citizen of the United 
States or an alien lawfully admitted for permanent residence. The 
parent of a minor or the legal guardian of any individual also may act 
on behalf of an individual. Members of the United States Armed Forces 
are ``individuals.'' Corporations, partnerships, sole proprietorships, 
professional groups, businesses, whether incorporated or 
unincorporated, and other commercial entities are not ``individuals'' 
when acting in an entrepreneurial capacity with the Department of 
Defense but are ``individuals'' otherwise (e.g., security clearances, 
entitlement to DoD privileges or benefits, etc.).
    (i) Individual access. Access to information pertaining to the 
individual by the individual or his or her designated agent or legal 
guardian.
    (j) Lost, stolen, or compromised information. Actual or possible 
loss of control, unauthorized disclosure, or unauthorized access of 
personal information, where persons other than authorized users gain 
access or potential access to such information for a purpose other than 
an authorized one, and one or more individuals will be adversely 
affected. Such incidents also are known as breaches.
    (k) Maintain. To maintain, collect, use, or disseminate records 
contained in a system of records.
    (l) Non-Federal agency. Any state or local government, or agency 
thereof, which receives records contained in a system of records from a 
source agency for use in a computer matching program.
    (m) Official use. Within the context of this part, this term is 
used when officials and employees of a DoD Component have a 
demonstrated need for the record or the information contained therein 
in the performance of their official duties, subject to DoD 
5200.1-R.\5\
---------------------------------------------------------------------------

    \5\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------

    (n) Personal information. Information about an individual that 
identifies, links, relates, or is unique to, or describes him or her, 
e.g., a social security number; age; military rank; civilian grade; 
marital status; race; salary; home/office phone numbers; other 
demographic, biometric, personnel, medical, and financial information, 
etc. Such information also is known as personally identifiable 
information (i.e., information which can be used to distinguish or 
trace an individual's identity, such as their name, social security 
number, date and place of birth, mother's maiden name, biometric 
records, including any other personal information which is linked or 
linkable to a specified individual).
    (o) Privacy Act request. A request from an individual for 
notification as to the existence of, access to, or amendment of records 
pertaining to that individual. These records must be maintained in a 
system of records.
    (p) Member of the public. Any individual or party acting in a 
private capacity to include Federal employees or military personnel.
    (q) Recipient agency. Any agency, or contractor thereof, receiving 
records contained in a system of records from a source agency for use 
in a computer matching program.
    (r) Record. Any item, collection, or grouping of information, 
whatever the storage media (e.g., paper, electronic, etc.), about an 
individual that is maintained by a DoD Component, including, but not 
limited to, his or her education, financial transactions, medical 
history, criminal or employment history, and that contains his or her 
name, or the identifying number, symbol, or other identifying 
particular assigned to the individual, such as a finger or voice print 
or a photograph.
    (s) Risk assessment. An analysis considering information 
sensitivity, vulnerabilities, and cost in safeguarding personal 
information processed or stored in the facility or activity.
    (t) Routine use. The disclosure of a record outside the Department 
of Defense for a use that is compatible with the purpose for which the 
information was collected and maintained by the Department of Defense. 
The routine use must be included in the published system notice for the 
system of records involved.
    (u) Source agency. Any agency which discloses records contained in 
a system of records to be used in a computer matching program, or any 
state or local government, or agency thereof, which discloses records 
to be used in a computer matching program.
    (v) Statistical record. A record maintained only for statistical 
research or reporting purposes and not used in whole or in part in 
making determinations about specific individuals.
    (w) System of records. A group of records under the control of a 
DoD Component from which personal information about an individual is 
retrieved by the name of the individual or by some other identifying 
number, symbol, or other identifying particular assigned, that is 
unique to the individual.


Sec.  310.5  Policy.

    It is DoD policy that:
    (a) The privacy of an individual is a personal and fundamental 
right that shall be respected and protected.
    (1) The Department's need to collect, maintain, use, or disseminate 
personal information about individuals for purposes of discharging its 
statutory responsibilities shall be balanced against the right of the 
individual to be protected against unwarranted invasions of their 
privacy.
    (2) The legal rights of individuals, as guaranteed by Federal law, 
regulation, and policy, shall be protected when collecting, 
maintaining, using, or disseminating personal information about 
individuals.
    (3) DoD personnel, to include contractors, have an affirmative 
responsibility to protect an individual's privacy when collecting, 
maintaining, using, or disseminating personal information about an 
individual.
    (4) Departmental legislative, regulatory, or other policy proposals 
shall be evaluated to ensure that privacy implications, including those 
relating to the collection, maintenance, use, or dissemination of 
personal information, are assessed, to include, when required and 
consistent with the Privacy Provision of the E-Government Act of 2002 
(44 U.S.C. 3501, Note), the preparation of a Privacy Impact Assessment.
    (b) Personal information shall be collected, maintained, used, or 
disclosed to ensure that:
    (1) It shall be relevant and necessary to accomplish a lawful DoD 
purpose required to be accomplished by statute or Executive order.
    (2) It shall be collected to the greatest extent practicable 
directly from the individual.
    (3) The individual shall be informed as to why the information is 
being collected, the authority for collection, what uses will be made 
of it, whether disclosure is mandatory or voluntary, and the 
consequences of not providing that information.
    (4) It shall be relevant, timely, complete, and accurate for its 
intended use; and
    (5) Appropriate administrative, technical, and physical safeguards 
shall be established, based on the media (e.g., paper, electronic, 
etc.) involved, to ensure the security of the records and to prevent 
compromise or misuse during storage, transfer, or use, including 
working at authorized alternative worksites.
    (c) No record shall be maintained on how an individual exercises 
rights guaranteed by the First Amendment to the Constitution, except as 
follows:
    (1) When specifically authorized by statute;
    (2) When expressly authorized by the individual on whom the record 
is maintained; or
    (3) When the record is pertinent to and within the scope of an 
authorized law enforcement activity.
    (d) Notices shall be published in the Federal Register and reports 
shall be submitted to Congress and the Office of Management and Budget, 
in accordance with, and as required by, 5 U.S.C. 552a, OMB Circular A-
130, and DoD 5400.11-R, as to the existence and character of any system 
of records being established or revised by the DoD Components. 
Information shall not be collected, maintained, used, or disseminated 
until the required publication and review requirements, as set forth in 
5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, are satisfied.
    (e) Individuals shall be permitted, to the extent authorized by 5 
U.S.C. 552a and DoD 5400.11-R, to:
    (1) Determine what records pertaining to them are contained in a 
system of records.
    (2) Gain access to such records and obtain a copy of those records 
or a part thereof.
    (3) Correct or amend such records once it has been determined that 
the records are not accurate, relevant, timely, or complete.
    (4) Appeal a denial of access or a request for amendment.
    (f) Disclosure of records pertaining to an individual from a system 
of records shall be prohibited except with the consent of the 
individual or as otherwise authorized by 5 U.S.C. 552a, DoD 5400.11-R, 
and DoD 5400.7-R. When disclosures are made, the individual shall be 
permitted, to the extent authorized by 5 U.S.C. 552a and/or DoD 
5400.11-R, to seek an accounting of such disclosures from the DoD 
Component making the release.
    (g) Disclosure of records pertaining to personnel of the National 
Security Agency, the Defense Intelligence Agency, the National 
Reconnaissance Office, and the National Geospatial-Intelligence Agency 
shall be prohibited to the extent authorized by Public Law 86-36 (1959) 
and 10 U.S.C. 424. Disclosure of records pertaining to personnel of 
overseas, sensitive, or routinely deployable units shall be prohibited 
to the extent authorized by 10 U.S.C. 130b. Disclosure of medical 
records is prohibited except as authorized by DoD 6025.18-R.\6\
---------------------------------------------------------------------------

    \6\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------

    (h) Computer matching programs between the DoD Components and the 
Federal, State, or local governmental agencies shall be conducted in 
accordance with the requirements of 5 U.S.C. 552a, OMB Circular A-130, 
and DoD 5400.11-R.
    (i) DoD personnel and system managers shall conduct themselves 
consistent with the established rules of conduct in Sec.  310.8, so 
that personal information to be stored in a system of records shall be 
collected, maintained, used, and disseminated only as authorized by 
this part, 5 U.S.C. 552a, and DoD 5400.11-R.
    (j) DoD personnel, including but not limited to family members, 
retirees, contractor employees, and volunteers, shall be notified, in a 
timely manner, consistent with the requirements of DoD 5400.11-R, if 
their personal information, whether or not included in a system of 
records, is lost, stolen, or compromised.
    (k) DoD Field Activities shall receive Privacy Program support from 
the Director, Washington Headquarters Services (WHS).


Sec.  310.6  Responsibilities.

    (a) The Director of Administration and Management, Office of the 
Secretary of Defense (DA&M, OSD), shall:
    (1) Serve as the Senior Privacy Official for the Department of 
Defense.
    (2) Provide policy guidance for, and coordinate and oversee 
administration of, the DoD Privacy Program to ensure compliance with 
policies and procedures in 5 U.S.C. 552a and OMB Circular A-130.
    (3) Publish DoD 5400.11-R and other guidance, including Defense 
Privacy Board Advisory Opinions, to ensure timely and uniform 
implementation of the DoD Privacy Program.
    (4) Serve as the Chair to the Defense Privacy Board and the Defense 
Data Integrity Board (see Sec.  310.9).
    (5) Supervise and oversee the activities of the Defense Privacy 
Office (DPO) (see Sec.  310.9).
    (b) The Director, WHS, under the DA&M, shall provide Privacy 
Program support for DoD Field Activities.
    (c) The General Counsel of the Department of Defense (GC, DoD) 
shall:
    (1) Provide advice and assistance on all legal matters arising out 
of, or incident to, the administration of the DoD Privacy Program.
    (2) Review and be the final approval authority on all advisory 
opinions issued by the Defense Privacy Board or the Defense Privacy 
Board Legal Committee.
    (3) Serve as a member of the Defense Privacy Board, the Defense 
Data Integrity Board, and the Defense Privacy Board Legal Committee 
(see Sec.  310.9).
    (d) The Secretaries of the Military Departments and the Heads of 
the Other DoD Components, except as noted in Sec.  310.5(k), shall:
    (1) Provide adequate funding and personnel to establish and support 
an effective DoD Privacy Program, to include the appointment of a 
senior official to serve as the principal point of contact (POC) for 
DoD Privacy Program matters.
    (2) Establish procedures, as well as rules of conduct, necessary to 
implement this part and DoD 5400.11-R to ensure compliance with the 
requirements of 5 U.S.C. 552a and OMB Circular A-130.
    (3) Conduct training, consistent with the requirements of DoD 
5400.11-R, on the provisions of this part, 5 U.S.C. 552a, OMB Circular 
A-130, and DoD 5400.11-R, for assigned, employed and detailed, to 
include contractor, personnel and individuals having primary 
responsibility for implementing the DoD Privacy Program.
    (4) Ensure all Component legislative proposals, policies, or 
programs having privacy implications, such as the DoD Privacy Impact 
Assessment Program, are evaluated to ensure consistency with the 
information privacy principles of this part and DoD 5400.11-R.
    (5) Assess the impact of technology on the privacy of personal 
information and, when feasible, adopt privacy-enhancing technology both 
to preserve and protect personal information contained in Component 
systems of records and to permit auditing of compliance with the 
requirements of this part and DoD 5400.11-R.
    (6) Ensure the DoD Privacy Program periodically shall be reviewed 
by the Inspectors General or other officials, who shall have 
specialized knowledge of the DoD Privacy Program.
    (7) Submit reports, consistent with the requirements of DoD 
5400.11-R, as mandated by 5 U.S.C. 552a and OMB Circular A-130, and DoD 
Directive 5500.1, and as otherwise directed by the DPO.
    (e) The Secretaries of the Military Departments shall provide 
support to the Combatant Commands, as identified in DoD Directive 
5100.3,\7\ in the administration of the DoD Privacy Program.
---------------------------------------------------------------------------

    \7\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------


Sec.  310.7  Information requirements.

    The reporting requirements in Sec.  310.6(d)(7) are assigned Report 
Control Symbol DD-DA&M(A)1379.


Sec.  310.8  Rules of conduct.

    (a) DoD personnel shall:
    (1) Take such actions, as considered appropriate, to ensure that 
personal information contained in a system of records, to which they 
have access or which they are using incident to the conduct of official 
business, shall be protected so that the security and confidentiality 
of the information shall be preserved.
    (2) Not disclose any personal information contained in any system 
of records except as authorized by DoD 5400.11-R or other applicable 
law or regulation. Personnel willfully making such a disclosure when 
knowing that disclosure is prohibited are subject to possible criminal 
penalties and/or administrative sanctions.
    (3) Report any unauthorized disclosures of personal information 
from a system of records or the maintenance of any system of records 
that are not authorized by this part to the applicable Privacy POC for 
his or her DoD Component.
    (b) DoD System Managers for each system of records shall:
    (1) Ensure that all personnel who either shall have access to the 
system of records or who shall develop or supervise procedures for 
handling records in the system of records shall be aware of their 
responsibilities and are properly trained to safeguard personal 
information being collected and maintained under the DoD Privacy 
Program.
    (2) Prepare promptly any required new, amended, or altered system 
notices for the system of records and submit them through their DoD 
Component Privacy POC to the DPO for publication in the Federal 
Register.
    (3) Not maintain any official files on individuals which are 
retrieved by name or other personal identifier without first ensuring 
that a notice for the system of records shall have been published in 
the Federal Register. Any official who willfully maintains a system of 
records without meeting the publication requirements, as prescribed by 
5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, is subject to 
possible criminal penalties and/or administrative sanctions.


Sec.  310.9  Privacy boards and office, composition and 
responsibilities.

    (a) The Defense Privacy Board--(1) Membership. The Board shall 
consist of the DA&M, OSD, who shall serve as the Chair; the Director of 
the DPO, DA&M, who shall serve as the Executive Secretary and as a 
member; the representatives designated by the Secretaries of the 
Military Departments; and the following officials or their designees: 
the Deputy Under Secretary of Defense for Program Integration 
(DUSD(PI)); the Assistant Secretary of Defense for Health Affairs; the 
Assistant Secretary of Defense for Networks and Information Integration 
(ASD(NII))/Chief Information Officer (CIO); the Director, Executive 
Services and Communications Directorate, WHS; the GC, DoD; and the 
Director for Information Technology Management Directorate (ITMD), WHS. 
The designees also may be the principal POC for the DoD Component for 
privacy matters.
    (2) Responsibilities. (i) The Board shall have oversight 
responsibility for implementation of the DoD Privacy Program. It shall 
ensure the policies, practices, and procedures of that Program are 
premised on the requirements of 5 U.S.C. 552a and OMB Circular A-130, 
as well as other pertinent authority, and the Privacy Programs of the 
DoD Component are consistent with, and in furtherance of, the DoD 
Privacy Program.
    (ii) The Board shall serve as the primary DoD policy forum for 
matters involving the DoD Privacy Program, meeting as necessary, to 
address issues of common concern so as to ensure uniform and consistent 
policy shall be adopted and followed by the DoD Components. The Board 
shall issue advisory opinions as necessary on the DoD Privacy Program 
so as to promote uniform and consistent application of 5 U.S.C. 552a, 
OMB Circular A-130, and DoD 5400.11-R.
    (iii) The Board shall perform such other duties as determined by 
the Chair or the Board.
    (b) The Defense Data Integrity Board--(1) Membership. The Board 
shall consist of the DA&M, OSD, who shall serve as the Chair; the 
Director of the DPO, DA&M, who shall serve as the Executive Secretary; 
and the following officials or their designees: the representatives 
designated by the Secretaries of the Military Departments; the 
DUSD(PI); the ASD(NII)/CIO; the GC, DoD; the Inspector General, DoD; 
the ITMD, WHS; and the Director, Defense Manpower Data Center. The 
designees also may be the principal points of contact for the DoD 
Component for privacy matters.
    (2) Responsibilities. (i) The Board shall oversee and coordinate, 
consistent with the requirements of 5 U.S.C. 552a, OMB Circular A-130, 
and DoD 5400.11-R, all computer matching programs involving personal 
records contained in systems of records maintained by the DoD 
Components.
    (ii) The Board shall review and approve all computer matching 
agreements between the Department of Defense and the other Federal, 
State or local governmental agencies, as well as memoranda of 
understanding when the match is internal to the Department of Defense, 
to ensure, under 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, 
appropriate procedural and due process requirements shall have been 
established before engaging in computer matching activities.
    (c) The Defense Privacy Board Legal Committee--(1) Membership. The 
Committee shall consist of the Director, DPO, DA&M, who shall serve as 
the Chair and the Executive Secretary; the GC, DoD, or designee; and 
civilian and/or military counsel from each of the DoD Components. The 
General Counsels (GCs) and The Judge Advocates General of the Military 
Departments shall determine who shall provide representation for their 
respective Department to the Committee. This does not preclude 
representation from each office. The GCs of the other DoD Components 
shall provide legal representation to the Committee. Other DoD civilian 
or military counsel may be appointed by the Executive Secretary, after 
coordination with the DoD Component concerned, to serve on the 
Committee on those occasions when specialized knowledge or expertise 
shall be required.
    (2) Responsibilities. (i) The Committee shall serve as the primary 
legal forum for addressing and resolving all legal issues arising out 
of or incident to the operation of the DoD Privacy Program.
    (ii) The Committee shall consider legal questions regarding the 
applicability of 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R 
and questions arising out of or as a result of other statutory and 
regulatory authority, to include the impact of judicial decisions, on 
the DoD Privacy Program. The Committee shall provide advisory opinions 
to the Defense Privacy Board and, on request, to the DoD Components.
    (d) The DPO--(1) Membership. It shall consist of a Director and a 
staff. The Director also shall serve as the Executive Secretary and a 
member of the Defense Privacy Board; as the Executive Secretary to the 
Defense Data Integrity Board; and as the Chair and the Executive 
Secretary to the Defense Privacy Board Legal Committee.
    (2) Responsibilities. (i) Manage activities in support of the 
Privacy Program oversight responsibilities of the DA&M.
    (ii) Provide operational and administrative support to the Defense 
Privacy Board, the Defense Data Integrity Board, and the Defense 
Privacy Board Legal Committee.
    (iii) Direct the day-to-day activities of the DoD Privacy Program.
    (iv) Provide guidance and assistance to the DoD Components in their 
implementation and execution of the DoD Privacy Program.
    (v) Review DoD legislative, regulatory, and other policy proposals 
which implicate information privacy issues relating to the Department's 
collection, maintenance, use, or dissemination of personal information, 
to include any testimony and comments having such implications under 
DoD Directive 5500.1.
    (vi) Review proposed new, altered, and amended systems of records, 
to include submission of required notices for publication in the 
Federal Register and, when required, providing advance notification to 
the OMB and the Congress, consistent with 5 U.S.C. 552a, OMB Circular 
A-130, and DoD 5400.11-R.
    (vii) Review proposed DoD Component privacy rulemaking, to include 
submission of the rule to the Office of the Federal Register for 
publication and providing to the OMB and the Congress reports, 
consistent with 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R.
    (viii) Develop, coordinate, and maintain all DoD computer matching 
agreements, to include the submission of required match notices for 
publication in the Federal Register and the provision of advance 
notification to the OMB and the Congress, consistent with 5 U.S.C. 
552a, OMB Circular A-130, and DoD 5400.11-R.
    (ix) Provide advice and support to the DoD Components to ensure:
    (A) All information requirements developed to collect or maintain 
personal data conform to DoD Privacy Program standards;
    (B) Appropriate procedures and safeguards shall be developed, 
implemented, and maintained to protect personal information when it is 
stored in either a manual and/or automated system of records or 
transferred by electronic or non-electronic means; and
    (C) Specific procedures and safeguards shall be developed and 
implemented when personal data is collected and maintained for research 
purposes.
    (x) Serve as the principal POC for coordination of privacy and 
related matters with the OMB and other Federal, State, and local 
governmental agencies.
    (xi) Compile and submit the ``Biennial Matching Activity Report'' 
to the OMB as required by OMB Circular A-130 and DoD 5400.11-R, and the 
Quarterly and Annual Federal Information Security Management Agency 
(FISMA) Privacy Reports, as required by 44 U.S.C. 3544(c), such other 
reports as may be required.
    (xii) Update and maintain this part and DoD 5400.11-R.

Subpart B--Systems of Records


Sec.  310.10  General.

    (a) System of Records. To be subject to the provisions of this 
part, a ``system of records'' must:
    (1) Consist of ``records'' (as defined in 310.4(r)) that are 
retrieved by the name of an individual or some other personal 
identifier; and
    (2) Be under the control of a DoD Component.
    (b) Retrieval practices. (1) Records in a group of records that MAY 
be retrieved by a name or personal identifier are not covered by this 
part even if the records contain personal data and are under control of 
a DoD Component. The records MUST be retrieved by name or other 
personal identifier to become a system of records for the purpose of 
this part.
    (i) When records are contained in an automated (Information 
Technology) system that is capable of being manipulated to retrieve 
information about an individual, this does not automatically transform 
the system into a system of records as defined in this part.
    (ii) In determining whether an automated system is a system of 
records that is subject to this part, retrieval policies and practices 
shall be evaluated. If DoD Component policy is to retrieve personal 
information by the name or other unique personal identifier, it is a 
system of records. If DoD Component policy prohibits retrieval by name 
or other identifier, but the actual practice of the Component is to 
retrieve information by name or identifier, even if done infrequently, 
it is a system of records.
    (2) If records are retrieved by name or personal identifier, a 
system notice must be submitted in accordance with Sec.  310.33.
    (3) If records are not retrieved by name or personal identifier but 
then are rearranged in such a manner that they are retrieved by name or 
personal identifier, a new systems notice must be submitted in 
accordance with Sec.  310.33.
    (4) If records in a system of records are rearranged so that 
retrieval is no longer by name or other personal identifier, the 
records are no longer subject to this part and the system notice for 
the records shall be deleted in accordance with Sec.  310.34.
    (c) Relevance and necessity. Information or records about an 
individual shall only be maintained in a system of records that is 
relevant and necessary to accomplish a DoD Component purpose required 
by a Federal statute or an Executive Order.
    (d) Authority to establish systems of records. Identify the 
specific statute or the Executive Order that authorizes maintaining 
personal information in each system of records. The existence of a 
statute or Executive Order mandating the maintenance of a system of 
records does not abrogate the responsibility to ensure that the 
information in the system of records is relevant and necessary. If a 
statute or Executive Order does not expressly direct the creation of a 
system of records, but the establishment of a system of records is 
necessary in order to discharge the requirements of the statute or 
Executive Order, the statute or Executive Order shall be cited as 
authority.
    (e) Exercise of First Amendment rights. (1) Do not maintain any 
records describing how an individual exercises his or her rights 
guaranteed by the First Amendment of the U.S. Constitution except when:
    (i) Expressly authorized by Federal statute;
    (ii) Expressly authorized by the individual; or
    (iii) Maintenance of the information is pertinent to and within the 
scope of an authorized law enforcement activity.
    (2) First Amendment rights include, but are not limited to, freedom 
of religion, freedom of political beliefs, freedom of speech, freedom 
of the press, the right to assemble, and the right to petition.
    (f) System Manager's evaluation. (1) Evaluate the information to be 
included in each new system before establishing the system and evaluate 
periodically the information contained in each existing system of 
records for relevancy and necessity. Such a review shall also occur 
when a system notice alteration or amendment is prepared (see Sec.  
310.33 and Sec.  310.34).
    (2) Consider the following:
    (i) The relationship of each item of information retained and 
collected to the purpose for which the system is maintained;
    (ii) The specific impact on the purpose or mission of not 
collecting each category of information contained in the system;
    (iii) The possibility of meeting the informational requirements 
through use of information not individually identifiable or through 
other techniques, such as sampling;
    (iv) The length of time each item of personal information must be 
retained;
    (v) The cost of maintaining the information; and
    (vi) The necessity and relevancy of the information to the purpose 
for which it was collected.
    (g) Discontinued information requirements. (1) Stop collecting 
immediately any category or item of personal information for which 
retention is no longer justified. Also delete this information from 
existing records, when feasible.
    (2) Do not destroy any records that must be retained in accordance 
with disposal authorizations established under 44 U.S.C. 3303a, 
``Examination by Archivist of Lists and Schedules of Records Lacking 
Preservation Value; Disposal of Records.''


Sec.  310.11  Standards of accuracy.

    (a) Accuracy of information maintained. Maintain all personal 
information that is used or may be used to make any determination about an 
individual with such accuracy, relevance, timeliness, and completeness 
as is reasonably necessary to ensure fairness to the individual in 
making any such determination.
    (b) Accuracy determinations before dissemination. Before 
disseminating any personal information from a system of records to any 
person outside the Department of Defense, other than a Federal Agency, 
make reasonable efforts to ensure the information to be disclosed is 
accurate, relevant, timely, and complete for the purpose it is being 
maintained (see Sec.  310.21(d)).


Sec.  310.12  Government contractors.

    (a) Applicability to government contractors. (1) When a DoD 
Component contract requires the operation or maintenance of a system of 
records or a portion of a system of records or
requires the performance of any activities associated with maintaining 
a system of records, including the collection, use, and dissemination 
of records, the record system or the portion of the record system 
affected is considered to be maintained by the DoD Component and is 
subject to this part. The Component is responsible for applying the 
requirements of this part to the contractor. The contractor and its 
employees are to be considered employees of the DoD Component for 
purposes of the criminal provisions of 5 U.S.C. 552a(i) during the 
performance of the contract. Consistent with the Federal Acquisition 
Regulation (FAR), Part 24.1, contracts requiring the maintenance or 
operation of a system of records or the portion of a system of records 
shall include in the solicitation and resulting contract such terms as 
are prescribed by the FAR.
    (2) If the contractor must use, have access to, or disseminate 
individually identifiable information subject to this part in order to 
perform any part of a contract, and the information would have been 
collected, maintained, used, or disseminated by the DoD Component but 
for the award of the contract, these contractor activities are subject 
to this part.
    (3) The restrictions in paragraphs (a)(1) and (2) of this section do 
not apply to records:
    (i) Established and maintained to assist in making internal 
contractor management decisions, such as records maintained by the 
contractor for use in managing the contract;
    (ii) Maintained as internal contractor employee records even when 
used in conjunction with providing goods and services to the Department 
of Defense; or
    (iii) Maintained as training records by an educational organization 
contracted by a DoD Component to provide training when the records of 
the contract students are similar to and commingled with training 
records of other students (for example, admission forms, transcripts, 
academic counseling and similar records).
    (iv) Maintained by a consumer reporting agency to which records 
have been disclosed under contract in accordance with the Federal 
Claims Collection Act of 1966, 31 U.S.C. 3711(e).
    (v) Maintained by the contractor incident to normal business 
practices and operations.
    (4) The DoD Components shall publish instructions that:
    (i) Furnish DoD Privacy Program guidance to their personnel who 
solicit, award, or administer Government contracts;
    (ii) Inform prospective contractors of their responsibilities, and 
provide training as appropriate, regarding the DoD Privacy Program; and
    (iii) Establish an internal system of contractor performance review 
to ensure compliance with the DoD Privacy Program.
    (b) Contracting procedures. The Defense Acquisition Regulations 
Council shall develop the specific policies and procedures to be 
followed when soliciting bids, awarding contracts or administering 
contracts that are subject to this part.
    (c) Contractor compliance. Through the various contract 
surveillance programs, ensure contractors comply with the procedures 
established in accordance with Sec.  310.12(b).
    (d) Disclosure of records to contractors. Disclosure of records 
contained in a system of records by a DoD Component to a contractor for 
use in the performance of a DoD contract is considered a disclosure 
within the Department of Defense (see Sec.  310.21(b)). The contractor 
is considered the agent of the contracting DoD Component and to be 
maintaining and receiving the records for that Component.


Sec.  310.13  Safeguarding personal information.

    (a) General responsibilities. DoD Components shall establish 
appropriate administrative, technical and physical safeguards to ensure 
that the records in each system of records are protected from 
unauthorized access, alteration, or disclosure and that their 
confidentiality is preserved and protected. Records shall be protected 
against reasonably anticipated threats or hazards that could result in 
substantial harm, embarrassment, inconvenience, or unfairness to any 
individual about whom information is kept.
    (b) Minimum standards. (1) Tailor system safeguards to conform to 
the type of records in the system, the sensitivity of the personal 
information stored, the storage medium used and, to a degree, the 
number of records maintained.
    (2) Treat all unclassified records that contain personal 
information that normally would be withheld from the public under 
Freedom of Information Exemption Numbers 6 and 7 of 286.12, subpart C 
of 32 CFR part 286 (``DoD Freedom of Information Act Program'') as 
``For Official Use Only,'' and safeguard them accordingly, in 
accordance with DoD 5200.1-R even if they are not actually marked ``For 
Official Use Only.''
    (3) Personal information that does not meet the criteria discussed 
in paragraph (b)(2) of this section shall be accorded protection 
commensurate with the nature and type of information involved.
    (4) Special administrative, physical, and technical procedures are 
required to protect data that is stored or processed in an information 
technology system to protect against threats unique to an automated 
environment (see Appendix A).
    (5) Tailor safeguards specifically to the vulnerabilities of the 
system.
    (c) Records disposal. (1) Dispose of records containing personal 
data so as to prevent inadvertent compromise. Disposal methods are 
those approved by the Component or the National Institute of Standards 
and Technology. For paper records, disposal methods, such as tearing, 
burning, melting, chemical decomposition, pulping, pulverizing, 
shredding, or mutilation are acceptable. For electronic records, and 
media, disposal methods, such as overwriting, degaussing, 
disintegration, pulverization, burning, melting, incineration, 
shredding or sanding, are acceptable.
    (2) Disposal methods are considered adequate if the personal data 
is rendered unrecognizable or beyond reconstruction.


Sec.  310.14  Notification when information is lost, stolen, or 
compromised.

    (a) If records containing personal information are lost, stolen, or 
compromised, the potential exists that the records may be used for 
unlawful purposes, such as identity theft, fraud, stalking, etc. The 
personal impact on the affected individual may be severe if the records 
are misused. To assist the individual, the Component shall promptly 
notify the individual of any loss, theft, or compromise (See also, 
Sec.  310.50 for reporting of the breach to Senior Component Official 
for Privacy and the Defense Privacy Office).
    (1) The notification shall be made whenever a breach occurs that 
involves personal information pertaining to a service member, civilian 
employee (appropriated or non-appropriated fund), military retiree, 
family member, DoD contractor, other persons that are affiliated with 
the Component (e.g., volunteer), and/or any other member of the public 
on whom information is maintained by the Component or by a contractor 
on behalf of the Component.
    (2) The notification shall be made as soon as possible, but not 
later than 10 working days after the loss, theft, or compromise is 
discovered and the identities of the individuals ascertained.
    (i) The 10-day period begins to run after the Component is able to 
determine the identities of the individuals whose records were lost.
    (ii) If the Component is only able to identify some but not all of 
the affected individuals, notification shall be given to those that can 
be identified with follow-up notifications made to those subsequently 
identified.
    (iii) If the Component cannot readily identify the affected 
individuals or will not be able to identify the individuals, the 
Component shall provide a generalized notice to the potentially 
impacted population by whatever means the Component believes is most 
likely to reach the affected individuals.
    (3) When personal information is maintained by a DoD contractor on 
behalf of the Component, the contractor shall notify the Component 
immediately upon discovery that a loss, theft or compromise has 
occurred.
    (i) The Component shall determine whether the Component or the 
contractor shall make the required notification.
    (ii) If the contractor is to notify the impacted population, it 
shall submit the notification letters to the Component for review and 
approval. The Component shall coordinate with the contractor to ensure 
the letters meet the requirements of Sec.  310.14.
    (4) Subject to paragraph (a)(2) of this section, the Component 
shall inform the Deputy Secretary of Defense of the reasons why notice 
was not provided to the individuals or the affected population within 
the 10-day period.
    (i) If for good cause (e.g., law enforcement authorities request 
delayed notification as immediate notification will jeopardize 
investigative efforts), notice can be delayed, but the delay shall only 
be for a reasonable period of time. In determining what constitutes a 
reasonable period of delay, the potential harm to the individual must 
be weighed against the necessity for delayed notification.
    (ii) The required notification shall be prepared and forwarded to 
the Senior Component Official for Privacy who shall forward it to the 
Defense Privacy Office. The Defense Privacy Office, in coordination 
with the Office of the Under Secretary of Defense for Personnel and 
Readiness, shall forward the notice to the Deputy Secretary.
    (5) The notice to the individual, at a minimum, shall include the 
following:
    (i) The individuals shall be advised of what specific data was 
involved. It is insufficient to simply state that personal information 
has been lost. Where names, social security numbers, and dates of birth 
are involved, it is critical that the individual be advised that these 
data elements potentially have been compromised.
    (ii) The individual shall be informed of the facts and 
circumstances surrounding the loss, theft, or compromise. The 
description of the loss should be sufficiently detailed so that the 
individual clearly understands how the compromise occurred.
    (iii) The individual shall be informed of what protective actions 
the Component is taking or the individual can take to mitigate against 
potential future harm. The Component should refer the individual to the 
Federal Trade Commission's public Web site on identity theft at 
http://www.consumer.gov/idtheft/con_steps.htm. The site provides valuable 
information as to what steps individuals can take to protect themselves 
if their identities potentially have been or are stolen.
    (iv) A sample notification letter is at Appendix B.
    (b) The notification shall be made whether or not the personal 
information is contained in a system of records (See Sec.  310.10(a)).
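The notification clock in paragraphs (a)(2) through (a)(4) above, as an added Python illustration that is not part of the rule: it counts the 10 working days from the date identities are ascertained rather than from discovery, and reports what the rule calls for when only some individuals are identified, when none can be, or when the deadline has passed with notices outstanding. It assumes working days are Monday through Friday less a caller-supplied holiday set (the rule does not define the term); the sample breach is constructed.

```python
"""Breach-notification clock modelled on Sec. 310.14(a)(2)-(4).

Added illustration, not text of the rule. Assumption: "working days" are
Monday-Friday minus whatever holiday dates the caller supplies; the rule
itself does not define the term. All sample data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

WORKING_DAY_LIMIT = 10  # Sec. 310.14(a)(2): "not later than 10 working days"


def add_working_days(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Return the date n working days after start (start itself is day 0)."""
    current, counted = start, 0
    while counted < n:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            counted += 1
    return current


@dataclass
class Breach:
    discovered: date
    # Sec. 310.14(a)(2)(i): the period runs from when the Component is able to
    # determine the identities, which may be later than the discovery date.
    identities_ascertained: Optional[date]
    identified: FrozenSet[str]              # individuals identified so far
    unidentified_count: int = 0             # affected records not yet attributed
    notified: Dict[str, date] = field(default_factory=dict)  # name -> date notice sent


def deadline(b: Breach, holidays: FrozenSet[date] = frozenset()) -> Optional[date]:
    """Last day on which individual notice is timely; None until identities are known."""
    if b.identities_ascertained is None:
        return None
    return add_working_days(b.identities_ascertained, WORKING_DAY_LIMIT, holidays)


def required_actions(b: Breach, today: date, holidays: FrozenSet[date] = frozenset()) -> dict:
    """What Sec. 310.14(a)(2)-(4) calls for as of `today`, as a plain dict."""
    due = deadline(b, holidays)
    pending: List[str] = sorted(p for p in b.identified if p not in b.notified)
    return {
        "deadline": due,
        # (a)(2)(ii): notify everyone identifiable now; follow up as others are identified.
        "notify_now": pending,
        "follow_up_pending": bool(b.identified) and b.unidentified_count > 0,
        # (a)(2)(iii): nobody can be identified -> generalized notice to the population.
        "generalized_notice": not b.identified and b.unidentified_count > 0,
        # (a)(4): deadline passed with notices still outstanding -> the Component
        # must explain the delay to the Deputy Secretary of Defense.
        "report_to_depsecdef": due is not None and today > due and bool(pending),
    }


# Constructed sample: records lost on Friday 2007-04-13, identities worked out
# the following Tuesday. Ten working days from 2007-04-17 falls on 2007-05-01.
SAMPLE = Breach(
    discovered=date(2007, 4, 13),
    identities_ascertained=date(2007, 4, 17),
    identified=frozenset({"alice", "bob"}),
    unidentified_count=3,
    notified={"alice": date(2007, 4, 19)},
)

if __name__ == "__main__":
    for day in (date(2007, 4, 20), date(2007, 5, 2)):
        print(day, required_actions(SAMPLE, day))
```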

Subpart C--Collecting Personal Information


Sec.  310.15  General considerations.

    (a) Collect directly from the individual. Collect to the greatest 
extent practicable personal information directly from the individual to 
whom it pertains if the information may result in adverse determination 
about an individual's rights, privileges, or benefits under any Federal 
program.
    (b) Collecting social security numbers (SSNs). (1) It is unlawful 
for any Federal, State, or local governmental agency to deny an 
individual any right, benefit, or privilege provided by law because the 
individual refuses to provide his or her SSN. However, if a Federal 
statute requires the SSN be furnished or if the SSN is furnished to a 
DoD Component maintaining a system of records in existence that was 
established and in operation before January 1, 1975, and the SSN was 
required under a statute or regulation adopted prior to this date for 
purposes of verifying the identity of an individual, this restriction 
does not apply.
    (2) When an individual is requested to provide his or her SSN, he 
or she must be told:
    (i) What uses will be made of the SSN;
    (ii) The statute, regulation, or rule authorizing the solicitation 
of the SSN; and
    (iii) Whether providing the SSN is voluntary or mandatory.
    (3) Include in any systems notice for any system of records that 
contains SSNs a statement indicating the authority for maintaining the 
SSN.
    (4) E.O. 9397, ``Numbering System for Federal Accounts Relating to 
Individual Persons,'' November 30, 1943, authorizes solicitation and 
use of SSNs as a numerical identifier for Federal personnel that are 
identified in most Federal record systems. However, it does not 
constitute authority for mandatory disclosure of the SSN.
    (5) Upon entrance into military service or civilian employment with 
the Department of Defense, individuals are asked to provide their SSNs. 
The SSN becomes the service or employment number for the individual and 
is used to establish personnel, financial, medical, and other official 
records. The notification in paragraph (b)(2) of this section shall be 
provided the individual when originally soliciting his or her SSN. The 
notification is not required if an individual is requested to furnish 
his SSN for identification purposes and the SSN is solely used to 
verify the SSN that is contained in the records. However, if the SSN is 
solicited and retained for any purposes other than verifying the 
existing SSN in the records, the requesting official shall provide the 
individual the notification required by paragraph (b)(2) of this 
section.
    (6) Components shall ensure that the SSN is only collected when 
there is a demonstrated need for collection. If collection is not 
essential for the purposes for which the record or records are being 
maintained, it should not be solicited.
    (7) DoD Components shall continually review their use of the SSN to 
determine whether such use can be eliminated, restricted, or concealed 
in Component business processes, systems and paper and electronic 
forms. While use of the SSN may be essential for program integrity and 
national security when information about an individual is disclosed 
outside the DoD, it may not be as critical when the information is 
being used for internal Departmental purposes.
    (c) Collecting personal information from third parties. When 
information being solicited is of an objective nature and is not 
subject to being altered, the information should first be collected 
from the individual. But it may not be practicable to collect personal 
information first from the individual in all cases. Some examples of 
this are:
    (1) Verification of information through third-party sources for 
security
or employment suitability determinations;
    (2) Seeking third-party opinions such as supervisor comments as to 
job knowledge, duty performance, or other opinion-type evaluations;
    (3) When obtaining information first from the individual may impede 
rather than advance an investigative inquiry into the actions of the 
individual; and
    (4) Contacting a third party at the request of the individual to 
furnish certain information such as exact periods of employment, 
termination dates, copies of records, or similar information.
    (d) Privacy Act Statements. (1) When an individual is requested to 
furnish personal information about himself or herself for inclusion in 
a system of records, a Privacy Act Statement is required regardless of 
the medium used to collect the information (forms, personal interviews, 
telephonic interviews, or other methods). The Privacy Act Statement 
consists of the elements set forth in paragraph (d)(2) of this section. 
The statement enables the individual to make an informed decision 
whether to provide the information requested. If the personal 
information solicited is not to be incorporated into a system of 
records, the statement need not be given. However, personal information 
obtained without a Privacy Act Statement shall not be incorporated into 
any system of records. When soliciting SSNs for any purpose, see 
paragraph (b)(2) of this section.
    (2) The Privacy Act Statement shall include:
    (i) The Federal statute or Executive Order that authorizes 
collection of the requested information (See Sec.  310.10(d)).
    (ii) The principal purpose or purposes for which the information is 
to be used;
    (iii) The routine uses that will be made of the information (See 
Sec.  310.22(d));
    (iv) Whether providing the information is voluntary or mandatory 
(See paragraph (e) of this section); and
    (v) The effects on the individual if he or she chooses not to 
provide the requested information.
    (3) The Privacy Act Statement shall be concise, current, and easily 
understood.
    (4) The Privacy Act statement may appear as a public notice (sign 
or poster), conspicuously displayed in the area where the information 
is collected, such as at check-cashing facilities or identification 
photograph facilities (but see Sec.  310.16(a)).
    (5) The individual normally is not required to sign the Privacy Act 
Statement.
    (6) The individual shall be provided a written copy of the Privacy 
Act Statement upon request. This must be done regardless of the method 
chosen to furnish the initial advisement.
    (e) Mandatory as opposed to voluntary disclosures. Include in the 
Privacy Act Statement specifically whether furnishing the requested 
personal data is mandatory or voluntary. A requirement to furnish 
personal data is mandatory only when the DoD Component is authorized to 
impose a penalty on the individual for failure to provide the requested 
information. If a penalty cannot be imposed, disclosing the information 
is always voluntary.


Sec.  310.16  Forms.

    (a) DoD Forms. (1) DoD Instruction 7750.7 \8\ provides guidance for 
preparing Privacy Act Statements for use with forms (see also paragraph 
(b) of this section).
---------------------------------------------------------------------------

    \8\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------

    (2) When forms are used to collect personal information, the 
Privacy Act Statement shall appear as follows (listed in the order of 
preference):
    (i) In the body of the form, preferably just below the title so 
that the reader will be advised of the contents of the statement before 
he or she begins to complete the form;
    (ii) On the reverse side of the form with an appropriate annotation 
under the title giving its location;
    (iii) On a tear-off sheet attached to the form; or
    (iv) As a separate supplement to the form.
    (b) Forms issued by non-DoD activities. (1) Forms subject to the 
Privacy Act issued by other Federal Agencies must have a Privacy Act 
Statement. Always ensure the statement prepared by the originating 
Agency is adequate for the purpose for which the form shall be used by 
the DoD activity. If the Privacy Act Statement provided is inadequate, 
the DoD Component concerned shall prepare a new statement or a 
supplement to the existing statement before using the form.
    (2) Forms issued by agencies not subject to the Privacy Act (State, 
municipal, and other local agencies) do not contain Privacy Act 
Statements. Before using a form prepared by such agencies to collect 
personal data subject to this part, an appropriate Privacy Act 
Statement must be added.

Subpart D--Access by Individuals


Sec.  310.17  Individual access to personal information.

    (a) Individual access. (1) The access provisions of this part are 
intended for use by individuals who seek access to records about 
themselves that are maintained in a system of records. Release of 
personal information to individuals under this part is not considered 
public release of the information.
    (2) Make available to the individual to whom the record pertains 
all of the personal information contained in the system of records 
except where access may be denied pursuant to an exemption claimed for 
the system (see subpart F to this part). However, when the access 
provisions of this subpart are not available to the individual due to a 
claimed exemption, the request shall be processed to provide 
information that is disclosable pursuant to the DoD Freedom of 
Information Act program (see 32 CFR, part 286).
    (b) Individual requests for access. Individuals shall address 
requests for access to personal information in a system of records to 
the system manager or to the office designated in the DoD Component 
procedural rules or the system notice.
    (c) Verification of identity. (1) Before granting access to 
personal data, an individual may be required to provide reasonable 
proof of his or her identity.
    (2) Identity verification procedures shall not:
    (i) Be so complicated as to discourage unnecessarily individuals 
from seeking access to information about themselves; or
    (ii) Be required of an individual seeking access to records that 
normally would be available under the DoD Freedom of Information Act 
Program (see 32 CFR, part 286).
    (iii) When an individual seeks personal access to records 
pertaining to themselves in person, proof of identity is normally 
provided by documents that an individual ordinarily possesses, such as 
employee and military identification cards, driver's license, other 
licenses, permits or passes used for routine identification purposes.
    (iv) When access is requested by mail, identity verification may 
consist of the individual providing certain minimum identifying data, 
such as full name, date and place of birth, or such other personal 
information necessary to locate the record sought and information that 
is ordinarily only known to the individual. If the information sought 
is of a sensitive nature, additional identifying data may be required. 
An unsworn declaration under penalty of perjury (28 U.S.C. 1746, 
``Unsworn Declaration under Penalty of Perjury'') or notarized 
signatures are acceptable as a means of proving the identity of the 
individual.

    (A) If an unsworn declaration is executed within the United States, 
its territories, possessions, or commonwealths, it shall read ``I 
declare (or certify, verify, or state) under penalty of perjury that 
the foregoing is true and correct. Executed on (date). (Signature).''
    (B) If an unsworn declaration is executed outside the United 
States, it shall read ``I declare (or certify, verify, or state) under 
penalty of perjury under the laws of the United States of America that 
the foregoing is true and correct. Executed on (date). (Signature).''
    (v) If an individual wishes to be accompanied by a third party when 
seeking access to his or her records or to have the records released 
directly to a third party, the individual may be required to furnish a 
signed access authorization granting the third-party access.
    (vi) An individual shall not be refused access to his or her record 
solely because he or she refuses to divulge his or her SSN unless the 
SSN is the only method by which retrieval can be made. (See Sec.  
310.15(b).)
    (vii) The individual is not required to explain or justify his or 
her need for access to any record under this part.
    (viii) Only a denial authority may deny access and the denial must 
be in writing and contain the information required by Sec.  310.18.
    (d) Granting individual access to records. (1) Grant the individual 
access to the original record or an exact copy of the original record 
without any changes or deletions, except when deletions have been made 
in accordance with paragraph (e) of this Section. For the purpose of 
granting access, a record that has been amended under Sec.  310.19(b) is 
considered to be the original. See paragraph (e) of this Section for 
the policy regarding the use of summaries and extracts.
    (2) Provide exact copies of the record when furnishing the 
individual copies of records under this part.
    (3) Explain in terms understood by the requester any record or 
portion of a record that is not clear.
    (e) Illegible, incomplete, or partially exempt records. (1) Do not 
deny an individual access to a record or a copy of a record solely 
because the physical condition or format of the record does not make it 
readily available (for example, deteriorated state or on magnetic 
tape). Either prepare an extract or recopy the document exactly.
    (2) If a portion of the record contains information that is exempt 
from access, an extract or summary containing all of the information in 
the record that is releasable shall be prepared.
    (3) When the physical condition of the record or its state makes it 
necessary to prepare an extract for release, ensure the extract can be 
understood by the requester.
    (4) Explain to the requester all deletions or changes to the 
records.
    (f) Access to medical records. (1) Access to medical records is not 
only governed by the access provisions of this part but also by the 
access provisions of DoD 6025.18-R. The Privacy Act, as implemented by 
this part, however, provides greater access to an individual's medical 
record than that authorized by DoD 6025.18-R.
    (2) Medical records in a system of records shall be disclosed to 
the individual to whom they pertain, even if a minor, but when it is 
believed that access to such records could have an adverse effect on 
the mental or physical health of the individual or may result in harm 
to a third party, the following special procedures apply.
    (i) If a determination is made in consultation with a medical 
doctor that release of the medical information may be harmful to the 
mental or physical health of the individual or to a third party, the 
Component shall:
    (A) Send the record to a physician named by the individual; and
    (B) In the transmittal letter to the physician explain why access 
by the individual without proper professional supervision could be 
harmful (unless it is obvious from the record).
    (ii) The Component shall not require the physician to request the 
records for the individual.
    (3) If the individual refuses or fails to designate a physician, 
the record shall not be provided. Such refusal of access is not 
considered a denial under the Privacy Act (see paragraph (a) of Sec.  
310.18).
    (4) If records are provided to the designated physician, but the 
physician declines or refuses to provide the records to the individual, 
the DoD Component is under an affirmative duty to take action to 
deliver the records to the individual by whatever means deemed 
appropriate. Such action should be taken expeditiously, especially if 
there has been a significant delay between the time the records were 
furnished to the physician and the decision by the physician not to 
release the records.
    (5) Access to a minor's medical records may be granted to his or 
her parents or legal guardians. However, access is subject to the 
restrictions as set forth at paragraph C9.7.3 of DoD 6025.18-R.
    (6) All members of the Military Services and all married persons 
are not considered minors regardless of age, and the parents of these 
individuals do not have access to their medical records without the 
written consent of the individual.
    (g) Access to information compiled in anticipation of civil action 
(see Sec.  310.27).
    (h) Non-Agency Records. (1) Certain documents under the physical 
control of DoD personnel and used to assist them in performing official 
functions, are not considered ``Agency records'' within the meaning of 
this part. Uncirculated personal notes and records that are not 
disseminated or circulated to any person or organization (for example, 
personal telephone lists or memory aids) that are retained or discarded 
at the author's discretion and over which the Component exercises no 
direct control are not considered Agency records. However, if personnel 
are officially directed or encouraged, either in writing or orally, to 
maintain such records, they may become ``Agency records,'' and may be 
subject to this part.
    (2) The personal uncirculated handwritten notes of unit leaders, 
office supervisors, or military supervisory personnel concerning 
subordinates are not systems of records within the meaning of this 
part. Such notes are an extension of the individual's memory. These 
notes, however, must be maintained and discarded at the discretion of 
the individual supervisor and not circulated to others. Any established 
requirement to maintain such notes (such as, written or oral 
directives, regulations, or command policy) may transform these notes 
into ``Agency records'' and they then must be made a part of a system 
of records. If the notes are circulated, they must be made a part of a 
system of records. Any action that gives personal notes the appearance 
of official Agency records is prohibited, unless the notes have been 
incorporated into a system of records.
    (i) Relationship between the Privacy Act (5 U.S.C. 552a) and the 
FOIA (5 U.S.C. 552). Not all requesters are knowledgeable of the 
appropriate statutory authority to cite when requesting records. In 
some instances, they may cite neither Act, but will imply one or both 
Acts. The following guidelines are provided to ensure requesters are 
given the maximum amount of information authorized under both statutes.
    (1) Process requests for individual access as follows:
    (i) If the records are required to be released under the Privacy 
Act, the FOIA (32 CFR part 286) does not bar release even if a FOIA 
exemption could be invoked if the request had been processed solely 
under FOIA. 
Conversely, if the records are required to be released under the FOIA, 
the Privacy Act does not bar disclosure.
    (ii) Requesters who seek records about themselves contained in a 
Privacy Act system of records, and who cite or imply only the Privacy 
Act, will have their records processed under the provisions of this 
part and the FOIA (32 CFR part 286). If the system of records is exempt 
from the access provisions of this part, and if the records, or any 
portion thereof, are exempt under the FOIA, the requester shall be 
advised and informed of the appropriate Privacy and FOIA exemption. 
Only if the records can be denied under both statutes may the 
Department withhold the records from the individual. Appeals shall be 
processed under both Acts.
    (iii) Requesters who seek records about themselves that are not 
contained in a Privacy Act system of records, and who cite or imply 
only the Privacy Act, will have their requests processed under the 
provisions of the FOIA (32 CFR part 286), because the access provisions 
of this part do not apply. Appeals shall be processed under the FOIA.
    (iv) Requesters who seek records about themselves that are 
contained in a Privacy Act system of records, and who cite or imply the 
FOIA or both Acts, will have their requests processed under the 
provisions of this part and the FOIA (32 CFR part 286). If the system 
of records is exempt from the access provisions of this part, and if 
the records, or any portion thereof, are exempt under the FOIA, the 
requester shall be advised and informed of the appropriate Privacy and 
FOIA exemption. Appeals shall be processed under both Acts.
    (v) Requesters who seek records about themselves that are not 
contained in a Privacy Act system of records, and who cite or imply the 
Privacy Act and FOIA, will have their requests processed under the FOIA 
(32 CFR part 286), because the access provisions of this part do not 
apply. Appeals shall be processed under the FOIA.
    (2) Do not deny individuals' access to personal information 
concerning themselves that would otherwise be releasable to them under 
either Act solely because they fail to cite or imply either Act or cite 
the wrong Act or part.
    (3) Explain to the requester which Act(s) was(were) used when 
granting or denying access under either Act.
    (j) Time limits. DoD Components normally shall acknowledge requests 
for access within 10 working days after receipt and provide access 
within 30 working days.
    (k) Privacy case file. Establish a Privacy Act case file when 
required. (See paragraph (p) of Sec.  310.19.)


Sec.  310.18  Denial of individual access.

    (a) Denying individual access. (1) An individual may be denied 
access to a record pertaining to him or her only if the record:
    (i) Was compiled in reasonable anticipation of a civil action or 
proceeding (see Sec.  310.27).
    (ii) Is in a system of records that has been exempted from the 
access provisions of this part under one of the permitted exemptions. 
(See Sec.  310.28 and Sec.  310.29.)
    (iii) Contains classified information that has been exempted from 
the access provision of this part under the blanket exemption for such 
material claimed for all DoD records systems. (See Sec.  310.26(c).)
    (iv) Is contained in a system of records for which access may be 
denied under some other Federal statute that excludes the record from 
coverage of the Privacy Act (5 U.S.C. 552a).
    (2) Where a basis for denial exists, do not deny the record, or 
portions of the record, if denial does not serve a legitimate 
governmental purpose.
    (b) Other reasons to refuse access:
    (1) An individual may be refused access if:
    (i) The record is not described well enough to enable it to be 
located with a reasonable amount of effort on the part of an employee 
familiar with the file; or
    (ii) Access is sought by an individual who fails or refuses to 
comply with the established procedural requirements, including refusing 
to name a physician to receive medical records when required (see 
paragraph (f) of Sec.  310.17) or to pay fees (see Sec.  310.20).
    (2) Always explain to the individual the specific reason access has 
been refused and how he or she may obtain access.
    (c) Notifying the individual. Formal denials of access must be in 
writing and include as a minimum:
    (1) The name, title or position, and signature of a designated 
Component denial authority.
    (2) The date of the denial.
    (3) The specific reason for the denial, including specific citation 
to the appropriate sections of the Privacy Act (5 U.S.C. 552a) or other 
statutes, this part, DoD Component instructions, or CFR authorizing the 
denial;
    (4) Notice to the individual of his or her right to appeal the 
denial through the Component appeal procedure within 60 calendar days; 
and
    (5) The title or position and address of the Privacy Act appeals 
official for the Component.
    (d) DoD Component appeal procedures. Establish internal appeal 
procedures that, as a minimum, provide for:
    (1) Review by the Head of the Component or his or her designee of 
any appeal by an individual from a denial of access to Component 
records.
    (2) Formal written notification to the individual by the appeal 
authority that shall:
    (i) If the denial is sustained totally or in part, include as a 
minimum:
    (A) The exact reason for denying the appeal to include specific 
citation to the provisions of the Act or other statute, this part, 
Component instructions or the CFR upon which the determination is 
based;
    (B) The date of the appeal determination;
    (C) The name, title, and signature of the appeal authority; and
    (D) A statement informing the applicant of his or her right to seek 
judicial relief.
    (ii) If the appeal is granted, notify the individual and provide 
access to the material to which access has been granted.
    (3) The written appeal notification granting or denying access is 
the final Component action as regards access.
    (4) The individual shall file any appeal from denial of access 
within no less than 60 calendar days of receipt of the denial 
notification.
    (5) Process all appeals within 30 days of receipt unless the appeal 
authority determines that a fair and equitable review cannot be made 
within that period. Notify the applicant in writing if additional time 
is required for the appellate review. The notification must include the 
reasons for the delay and state when the individual may expect an 
answer to the appeal.
    (e) Denial of appeals by failure to act. A requester may consider 
his or her appeal formally denied if the appeal authority fails:
    (1) To act on the appeal within 30 days;
    (2) To provide the requester with a notice of extension within 30 
days; or
    (3) To act within the time limits established in the Component's 
notice of extension (see paragraph (d)(5) of this section).
    (f) Denying access to OPM records held by the DoD Components. (1) 
The records in all systems of records maintained in accordance with the 
OPM Government-wide system notices are technically only in the 
temporary custody of the Department of Defense.
    (2) All requests for access to these records must be processed in 
accordance with 5 CFR part 297 as well as applicable Component 
procedures.

    (3) When a DoD Component refuses to grant access to a record in an 
OPM system, the Component shall advise the individual that his or her 
appeal must be directed to the Assistant Director for Workforce 
Information, Personnel Systems and Oversight Group, U.S. Office of 
Personnel Management, 1900 E Street, NW., Washington, DC, in accordance 
with the procedures of 5 CFR part 297.


Sec.  310.19  Amendment of records.

    (a) Individual review and correction. Individuals are encouraged to 
review the personal information being maintained about them by the DoD 
Components periodically and to avail themselves of the procedures 
established by this part and other Regulations to update their records.
    (b) Amending records. (1) An individual may request the amendment 
of any record contained in a system of records pertaining to him or her 
unless the system of records has been exempted specifically from the 
amendment procedures of this part under paragraph (b) of Sec.  310.26. 
Normally, amendments under this part are limited to correcting factual 
matters and not matters of official judgment, such as performance 
ratings, promotion potential, and job performance appraisals.
    (2) While a Component may require that the request for amendment be 
in writing, this requirement shall not be used to discourage 
individuals from requesting valid amendments or to burden needlessly 
the amendment process.
    (3) A request for amendment must include:
    (i) A description of the item or items to be amended;
    (ii) The specific reason for the amendment;
    (iii) The type of amendment action sought (deletion, correction, or 
addition); and
    (iv) Copies of available documentary evidence supporting the 
request.
    (c) Burden of proof. The applicant must support adequately his or 
her claim.
    (d) Identification of requesters. (1) Individuals may be required 
to provide identification to ensure that they are indeed seeking to 
amend a record pertaining to themselves and not, inadvertently or 
intentionally, the record of others.
    (2) The identification procedures shall not be used to discourage 
legitimate requests or to burden needlessly or delay the amendment 
process. (See paragraph (c) of Sec.  310.17.)
    (e) Limits on attacking evidence previously submitted. (1) The 
amendment process is not intended to permit the alteration of records 
presented in the course of judicial or quasi-judicial proceedings. Any 
amendments or changes to these records normally are made through the 
specific procedures established for the amendment of such records.
    (2) Nothing in the amendment process is intended or designed to 
permit a collateral attack upon what has already been the subject of a 
judicial or quasi-judicial determination. However, while the individual 
may not attack the accuracy of the judicial or quasi-judicial 
determination under this part, he or she may challenge the accuracy of 
the recording of that action.
    (f) Sufficiency of a request to amend. Consider the following 
factors when evaluating the sufficiency of a request to amend:
    (1) The accuracy of the information; and
    (2) The relevancy, timeliness, completeness, and necessity of the 
recorded information.
    (g) Time limits. (1) Provide written acknowledgement of a request 
to amend within 10 working days of its receipt by the appropriate 
systems manager. There is no need to acknowledge a request if the 
action is completed within 10 working days and the individual is so 
informed.
    (2) The letter of acknowledgement shall clearly identify the 
request and advise the individual when he or she may expect to be 
notified of the completed action.
    (3) Only under the most exceptional circumstances shall more than 
30 days be required to reach a decision on a request to amend. Document 
fully and explain in the Privacy Act case file (see paragraph (p) of 
this section) any such decision that takes more than 30 days to 
resolve.
    (h) Agreement to amend. If the decision is made to grant all or 
part of the request for amendment, amend the record accordingly and 
notify the requester.
    (i) Notification of previous recipients. (1) Notify all previous 
recipients of the record, as reflected in the disclosure accounting 
records, that an amendment has been made and the substance of the 
amendment. Recipients who are known to be no longer retaining the 
information need not be advised of the amendment. All DoD Components 
and Federal agencies known to be retaining the record or information, 
even if not reflected in a disclosure record, shall be notified of the 
amendment. Advise the requester of these notifications.
    (2) Honor all requests by the requester to notify specific Federal 
agencies of the amendment action.
    (j) Denying amendment. If the request for amendment is denied in 
whole or in part, promptly advise the individual in writing of the 
decision to include:
    (1) The specific reason and authority for not amending;
    (2) Notification that he or she may seek further independent review 
of the decision by the Head of the DoD Component or his or her 
designee;
    (3) The procedures for appealing the decision citing the position 
and address of the official to whom the appeal shall be addressed; and
    (4) Where he or she can receive assistance in filing the appeal.
    (k) DoD Component appeal procedures. Establish procedures to ensure 
the prompt, complete, and independent review of each amendment denial 
upon appeal by the individual. These procedures must ensure:
    (1) The appeal with all supporting materials both that furnished 
the individual and that contained in Component records is provided to 
the reviewing official; and
    (2) If the appeal is denied completely or in part, the individual 
is notified in writing by the reviewing official that:
    (i) The appeal has been denied and the specific reason and 
authority for the denial;
    (ii) The individual may file a statement of disagreement with the 
appropriate authority and the procedures for filing this statement;
    (iii) If filed properly, the statement of disagreement shall be 
included in the records, furnished to all future recipients of the 
records, and provided to all prior recipients of the disputed records 
who are known to hold the record; and
    (iv) The individual may seek a judicial review of the decision not 
to amend.
    (3) If the record is amended, ensure:
    (i) The requester is notified promptly of the decision;
    (ii) All prior known recipients of the records who are known to be 
retaining the record are notified of the decision and the specific 
nature of the amendment (see paragraph (l) of this section); and
    (iii) The requester is notified which DoD Components and Federal 
agencies have been told of the amendment.
    (4) Process all appeals within 30 days unless the appeal authority 
determines that a fair review cannot be made within this time limit. If 
additional time is required for the appeal, notify the requester, in 
writing, of the delay, the reason for the delay, and when he or she may 
expect a final decision on the appeal. Document fully all requirements 
for additional time in the 
Privacy Case File. (See paragraph (p) of this section.)
    (l) Denying amendment of OPM records held by the DoD Components. 
(1) The records in all systems of records controlled by the OPM 
Government-wide system notices are technically only temporarily in the 
custody of the Department of Defense.
    (2) All requests for amendment of these records must be processed 
in accordance with 5 CFR part 297. The Component denial authority may 
deny a request. However, when an amendment request is denied, the DoD 
Component shall advise the individual that his or her appeal must be 
directed to the Assistant Director for Workforce Information, Personnel 
Systems and Oversight Group, U.S. Office of Personnel Management, 1900 
E Street, Washington, DC 20415, in accordance with the procedures of 5 
CFR part 297.
    (m) Statements of disagreement submitted by individuals. (1) If the 
appellate authority refuses to amend the record as requested, the 
individual may submit a concise statement of disagreement setting forth 
his or her reasons for disagreeing with the decision not to amend.
    (2) If an individual chooses to file a statement of disagreement, 
annotate the record to indicate that the statement has been filed (see 
paragraph (n) of this section).
    (3) Furnish copies of the statement of disagreement to all DoD 
Components and Federal agencies that have been provided copies of the 
disputed information and who may be maintaining the information.
    (n) Maintaining statements of disagreement. (1) When possible, 
incorporate the statement of disagreement into the record.
    (2) If the statement cannot be made a part of the record, establish 
procedures to ensure that it is apparent from the records a statement 
of disagreement has been filed and maintain the statement so that it 
can be obtained readily when the disputed information is used or 
disclosed.
    (3) Automated record systems that are not programmed to accept 
statements of disagreement shall be annotated or coded so they clearly 
indicate that a statement of disagreement is on file, and clearly 
identify the statement with the disputed information in the system.
    (4) Provide a copy of the statement of disagreement whenever the 
disputed information is disclosed for any purpose.
    (o) The DoD Component statement of reasons for refusing to amend. 
(1) A statement of reasons for refusing to amend may be included with 
any record for which a statement of disagreement is filed.
    (2) Include in this statement only the reasons furnished to the 
individual for not amending the record. Do not comment on or respond to 
comments contained in the statement of disagreement. Normally, both 
statements are filed together.
    (3) When disclosing information for which a statement of reasons 
has been filed, a copy of the statement may be released whenever the 
record and the statement of disagreement are disclosed.
    (p) Privacy case files. (1) Establish a separate Privacy case file 
to retain the documentation received and generated during the amendment 
or access process.
    (2) The Privacy case file shall contain as a minimum:
    (i) The request for amendment and access;
    (ii) Copies of the DoD Component's reply granting or denying the 
request;
    (iii) Any appeals from the individual;
    (iv) Copies of the action regarding the appeal with supporting 
documentation that is not in the basic file; and
    (v) Any other correspondence generated in processing the appeal, to 
include coordination documentation.
    (3) Only the items listed in paragraphs (p)(4) and (p)(5) of this 
section may be included in the system of records challenged for 
amendment or for which access is sought. Do not retain copies of the 
original record in the basic record system if the request for amendment 
is granted and the record has been amended.
    (4) The following items relating to an amendment request may be 
included in the disputed record system:
    (i) Copies of the amended record.
    (ii) Copies of the individual's statement of disagreement (see 
paragraph (m) of this section).
    (iii) Copies of the Component's statement of reasons for refusing 
to amend (see paragraph (o) of this section).
    (iv) Supporting documentation submitted by the individual.
    (5) The following items relating to an access request may be 
included in the basic records system:
    (i) Copies of the request;
    (ii) Copies of the Component's action granting total or partial 
access. (Note: A separate Privacy case file need not be created in such 
cases.)
    (iii) Copies of the Component's action denying access.
    (iv) Copies of any appeals filed.
    (v) Copies of the reply to the appeal.
    (6) Privacy case files shall not be furnished or disclosed to 
anyone for use in making any determination about the individual other 
than determinations made under this part.


Sec.  310.20  Reproduction fees.

    (a) Assessing fees. (1) Charge the individual only the direct cost 
of reproduction.
    (2) Do not charge reproduction fees if copying is:
    (i) The only means to make the record available to the individual 
(for example, a copy of the record must be made to delete classified 
information); or
    (ii) For the convenience of the DoD Component (for example, the 
Component has no reading room where an individual may review the 
record, or reproduction is done to keep the original in the Component's 
file).
    (iii) No fees shall be charged when the record may be obtained 
without charge under any other Regulation, Directive, or statute.
    (iv) Do not use fees to discourage requests.
    (b) No minimum fees authorized. Use fees only to recoup direct 
reproduction costs associated with granting access. Minimum fees for 
duplication are not authorized and there is no automatic charge for 
processing a request.
    (c) Prohibited fees. Do not charge or collect fees for:
    (1) Search and retrieval of records;
    (2) Review of records to determine releasability;
    (3) Copying records for the DoD Component convenience or when the 
individual has not specifically requested a copy;
    (4) Transportation of records and personnel; or
    (5) Normal postage.
    (d) Waiver of fees. (1) Normally, fees are waived automatically if 
the direct costs of a given request are less than $30. This fee waiver 
provision does not apply when a waiver has been granted to the 
individual before, and later requests appear to be an extension or 
duplication of that original request. A DoD Component may, however, set 
aside this automatic fee waiver provision when, on the basis of good 
evidence, it determines the waiver of fees is not in the public 
interest.
    (2) Decisions to waive or reduce fees that exceed the automatic 
waiver threshold shall be made on a case-by-case basis.
    (e) Fees for Members of Congress. Do not charge members of Congress 
for copying records furnished even when the records are requested under 
the Privacy Act on behalf of a constituent (See Sec.  310.22(i)). When 
replying to a constituent inquiry and the fees involved are 
substantial, consider suggesting to the Congressman that the 
constituent can obtain the 
information directly by writing to the appropriate offices and paying 
the costs. When practical, suggest to the Congressman that the record 
can be examined at no cost if the constituent wishes to visit the 
custodian of the record.
    (f) Reproduction fees computation. Compute fees using the 
appropriate portions of the fee schedule in 32 CFR part 286.

Subpart E--Disclosure of Personal Information to Other Agencies and 
Third Parties


Sec.  310.21  Conditions of disclosure.

    (a) Disclosures to third parties. (1) The Privacy Act only compels 
disclosure of records from a system of records to the individuals to 
whom they pertain unless the records are contained in a system for 
which an exemption to the access provisions of this part has been 
claimed.
    (2) Requests by other individuals (third parties) for the records 
of individuals that are contained in a system of records shall be 
processed under 32 CFR part 286 except for requests by the parents of a 
minor or the legal guardian of an individual for access to the records 
pertaining to the minor or individual.
    (b) Disclosures among the DoD Components. For the purposes of 
disclosure and disclosure accounting, the Department of Defense is 
considered a single agency (see Sec.  310.22(a)).
    (c) Disclosures outside the Department of Defense. Do not disclose 
personal information from a system of records outside the Department of 
Defense unless:
    (1) The record has been requested by the individual to whom it 
pertains;
    (2) The written consent of the individual to whom the record 
pertains has been obtained for release of the record to the requesting 
Agency, activity, or individual; or
    (3) The release is authorized pursuant to one of the specific non-
consensual conditions of disclosure as set forth in Sec.  310.22.
    (d) Validation before disclosure. Except for releases made in 
accordance with 32 CFR part 286, the following steps shall be taken 
before disclosing any records to any recipient outside the Department 
of Defense, other than a Federal agency or the individual to whom it 
pertains:
    (1) Ensure the records are accurate, timely, complete, and relevant 
for agency purposes;
    (2) Contact the individual, if reasonably available, to verify the 
accuracy, timeliness, completeness, and relevancy of the information, 
if this cannot be determined from the record; or
    (3) If the information is not current and the individual is not 
reasonably available, advise the recipient that the information is 
believed accurate as of a specific date and any other known factors 
bearing on its accuracy and relevancy.


Sec.  310.22  Non-consensual conditions of disclosure.

    (a) Disclosures within the Department of Defense. (1) Records 
pertaining to an individual may be disclosed to a DoD official or 
employee provided:
    (i) The requester has a need for the record in the performance of 
his or her assigned duties. The requester shall articulate in 
sufficient detail why the records are required so the custodian of the 
records may make an informed decision regarding their release;
    (ii) The intended use of the record generally relates to the 
purpose for which the record is maintained; and
    (iii) Only those records as are minimally required to accomplish 
the intended use are disclosed. The entire record is not released if 
only a part of the record will be responsive to the request.
    (2) Rank, position, or title alone does not authorize access to 
personal information about others.
    (b) Disclosures required by the FOIA. (1) All records must be 
disclosed if their release is required by FOIA (5 U.S.C. 552), as 
implemented by 32 CFR part 286. The FOIA requires records be made 
available to the public unless withholding is authorized pursuant to 
one of nine exemptions or one of three law enforcement exclusions under 
the Act.
    (i) The DoD Component must be in receipt of a FOIA request and a 
determination made that the records are not withholdable pursuant to a 
FOIA exemption or exclusion before the records may be disclosed.
    (ii) Records that have traditionally been released to the public by 
the Components may be disclosed whether or not a FOIA request has been 
received.
    (2) The standard for exempting most personal records, such as 
personnel, medical, and similar records, is FOIA Exemption 6 (32 CFR 
part 286.12(e)). Under that exemption, records can be withheld when 
disclosure, if other than to the individual about whom the information 
pertains, would result in a clearly unwarranted invasion of the 
individual's personal privacy.
    (3) The standard for exempting personal records compiled for law 
enforcement purposes, including personnel security investigation 
records, is FOIA Exemption 7(C) (32 CFR part 286.12(g)). Under that 
exemption, records can be withheld when disclosure, if other than to 
the individual about whom the information pertains, would result in an 
unwarranted invasion of the individual's personal privacy.
    (4) If records or information are exempt from disclosure pursuant 
to the standards set forth in paragraphs (b)(2) and/or (b)(3) of this 
section, and the records are contained in a system of records (see 
Sec.  310.10(a) of subpart B), the Privacy Act (5 U.S.C. 552a) prohibits 
release.
    (5) Personal information that is normally releasable. (i) DoD 
civilian employees. (A) Some examples of personal information regarding 
DoD civilian employees that normally may be released without a clearly 
unwarranted invasion of personal privacy include:
    (1) Name.
    (2) Present and past position titles.
    (3) Present and past grades.
    (4) Present and past annual salary rates.
    (5) Present and past duty stations.
    (6) Office and duty telephone numbers.
    (7) Position descriptions.
    (B) All disclosures of personal information regarding Federal 
civilian employees shall be made in accordance with OPM release 
policies (see 5 CFR part 293.311).
    (ii) Military members. (A) While it is not possible to identify 
categorically information that must be released or withheld from 
military personnel records in every instance, the following items of 
personal information regarding military members normally may be 
disclosed without a clearly unwarranted invasion of their personal 
privacy:
    (1) Full name.
    (2) Rank.
    (3) Date of rank.
    (4) Gross salary.
    (5) Past duty assignments.
    (6) Present duty assignment.
    (7) Future assignments that are officially established.
    (8) Office or duty telephone numbers.
    (9) Source of commission.
    (10) Promotion sequence number.
    (11) Awards and decorations.
    (12) Attendance at professional military schools.
    (13) Duty status at any given time.
    (14) Home of record (identification of the state only).
    (15) Length of military service.
    (16) Basic Pay Entry Date.
    (17) Official Photo.
    (B) All disclosures of personal information regarding military 
members

[[Page 18772]]

shall be made in accordance with 32 CFR part 286.
    (iii) Civilian employees not under the authority of OPM. (A) While 
it is not possible to identify categorically those items of personal 
information that must be released regarding civilian employees not 
subject to 5 CFR parts 293, 294, and 297, such as nonappropriated fund 
employees, normally the following items may be released without a 
clearly unwarranted invasion of personal privacy:
    (1) Full name.
    (2) Grade or position.
    (3) Date of grade.
    (4) Gross salary.
    (5) Present and past assignments.
    (6) Future assignments, if officially established.
    (7) Office or duty telephone numbers.
    (B) All releases of personal information regarding civilian 
personnel in this category shall be made in accordance with 32 CFR part 
286.
    (6) When military or civilian personnel are assigned, detailed, or 
employed by the National Security Agency, the Defense Intelligence 
Agency, the National Reconnaissance Office, or the National Geospatial-
Intelligence Agency, information about such personnel may only be 
disclosed as authorized by Public Law 86-36 (``National Security 
Agency-Officers and Employees'') and 10 U.S.C. 424 (``Disclosure of 
Organizational and Personnel Information: Exemption for Specified 
Intelligence Agencies''). When military and civilian personnel are 
assigned, detailed or employed by an overseas unit, a sensitive unit, 
or to a routinely deployable unit, information about such personnel may 
only be disclosed as authorized by 10 U.S.C. 130b (``Personnel in 
Overseas, Sensitive, or Routinely Deployed Units: Nondisclosure of 
Personally Identifying Information'').
    (7) Information about military or civilian personnel that otherwise 
may be disclosable consistent with Sec.  310.22(b)(5) may not be 
releasable if a requester seeks listings of personnel currently or 
recently assigned/detailed/employed within a particular component, 
unit, organization or office within the Department of Defense if the 
disclosure of such a list would pose a privacy or security threat.
    (c) Disclosures for established routine uses. (1) Records may be 
disclosed outside the Department of Defense pursuant to a routine use 
that has been established for the system of records that contains the 
records.
    (2) A routine use shall:
    (i) Be compatible with the purpose for which the record was 
collected;
    (ii) Identify the persons or organizations to whom the record may 
be released;
    (iii) Identify specifically the intended uses of the information by 
the persons or organization; and
    (iv) Have been published in the Federal Register (see Sec.  
310.32(i)).
    (3) If a Federal statute or an E.O. of the President directs 
records contained in a system of records be disclosed outside the 
Department of Defense, the statute or E.O. serves as authority for the 
establishment of a routine use.
    (4) New or altered routine uses must be published in the Federal 
Register at least 30 days before any records may be disclosed pursuant 
to the terms of the routine use (see subpart G of this part).
    (5) In addition to the specific routine uses established for each 
of the individual system notices, blanket routine uses have been 
established (see Appendix 3) that are applicable to all DoD systems of 
records. However, in order for the blanket routine uses to apply to a 
specific system of records, the system notice shall expressly state 
that the blanket routine uses apply. These blanket routine uses are 
published only at the beginning of the listing of system notices for 
each Component in the Federal Register.
    (d) Disclosures to the Bureau of the Census. Records in DoD systems 
of records may be disclosed without the consent of the individuals to 
whom they pertain to the Bureau of the Census for purposes of planning 
or carrying out a census survey or related activities pursuant to the 
provisions of 13 U.S.C. 6 (``Information from other Federal Departments 
and Agencies'').
    (e) Disclosures for statistical research or reporting. (1) Records 
may be disclosed for statistical research or reporting but only after 
the intended recipient provides, in writing, the purpose for which the 
records are sought and assurances that the records will be used only 
for statistical research or reporting purposes.
    (2) The records shall be transferred to the requester in a form 
that is not individually identifiable. DoD Components disclosing 
records under this provision are required to assure information being 
disclosed cannot reasonably be used in any way to make determinations 
about individuals.
    (3) The records will not be used, in whole or in part, to make any 
determination about the rights, benefits, or entitlements of specific 
individuals.
    (4) The written statement by the requester shall be made part of 
the Component's accounting of disclosures (See paragraph (a) of 
310.25).
    (f) Disclosures to the National Archives and Records Administration 
(NARA), General Services Administration (GSA). (1) Records may be 
disclosed to the NARA if they:
    (i) Have historical or other value to warrant continued 
preservation; or
    (ii) Are to be evaluated by the Archivist of the United States, or 
his or her designee, to determine if a record has such historical or 
other value.
    (2) Records transferred to a Federal Records Center (FRC) for 
safekeeping and storage do not fall within this category. These records 
are owned by the Component and remain under the control of the 
transferring Component. FRC personnel are considered agents of the 
Component that retains control over the records. No disclosure 
accounting is required for the transfer of records to the FRCs.
    (g) Disclosures for law enforcement purposes. (1) Records may be 
disclosed to another Agency or an instrumentality of any Governmental 
jurisdiction within or under the control of the United States for a 
civil or criminal law enforcement activity, provided:
    (i) The civil or criminal law enforcement activity is authorized by 
law;
    (ii) The head of the law enforcement activity or a designee has 
made a written request specifying the particular records desired and 
the law enforcement purpose (such as criminal investigations, 
enforcement of a civil law, or a similar purpose) for which the record 
is sought; and
    (iii) There is no Federal statute that prohibits the disclosure of 
the records.
    (2) Blanket requests for any and all records pertaining to an 
individual shall not be honored absent justification.
    (3) When a record is released to a law enforcement activity under 
this subparagraph, the disclosure accounting (see Sec.  310.25) for the 
release shall not be made available to the individual to whom the 
record pertains if the law enforcement activity requests that the 
disclosure not be disclosed.
    (4) The blanket routine use for law enforcement (Appendix C, 
Section A) applies to all DoD Component systems notices (see paragraph 
(b)(6) of this section). This permits Components, on their own 
initiative, to report indications of violations of law found in a 
system of records to a law enforcement activity.
    (5) Disclosures may be made to Federal, State, or local, but not 
foreign law enforcement agencies. Disclosures to foreign law 
enforcement agencies may be made if a routine use has been established 
for the system of records

[[Page 18773]]

from which the records are to be released.
    (h) Emergency disclosures. (1) Records may be disclosed if 
disclosure is made under compelling circumstances affecting the health 
or safety of any individual. The affected individual need not be the 
subject of the record disclosed.
    (2) When such a disclosure is made, the Component shall notify the 
individual who is the subject of the record. Notification sent to the 
last known address of the individual as known to the Component is 
sufficient.
    (3) The specific data to be disclosed is at the discretion of the 
Component.
    (4) Emergency medical information may be released by telephone.
    (i) Disclosures to Congress. (1) Records may be disclosed to either 
House of the Congress or to any committee, joint committee or 
subcommittee of Congress if the release pertains to a matter within the 
jurisdiction of the committee. Disclosure is only authorized when in 
response to an official request on behalf of either House, committee, 
subcommittee, or joint committee.
    (2) Requests from members of Congress who are seeking records in 
their individual capacity or on behalf of a constituent.
    (i) Requests made in their individual capacity. Requests for records 
shall be processed under the provisions of DoD 5400.7-R.
    (ii) Requests made on behalf of constituents.
    (A) The blanket routine use for ``Congressional Inquiries'' (see 
Appendix C, section D) applies to all systems. When an individual 
requests the assistance of the Congressional member, the blanket 
routine use permits the disclosure of records pertaining to the 
individual without the express written consent of the individual.
    (B) If necessary, accept constituent letters requesting a member of 
Congress to investigate a matter pertaining to the individual as 
written authorization to provide access to the records to the 
congressional member or his or her staff.
    (C) When a Congressional inquiry indicates that the request is 
being made on the basis of a request from the individual to whom the 
record pertains, consent can be inferred even if the constituent 
request is not provided to the Component. The verbal statement by a 
Congressional staff member is acceptable to establish that a request 
has been received by the Member of Congress from the person to whom the 
records pertain.
    (D) If the constituent inquiry is being made on behalf of someone 
other than the individual to whom the record pertains, the Member of 
Congress shall be provided only that information releasable under DoD 
5400.7-R. Advise the Congressional member that the written consent of 
the individual to whom the record pertains is required before any 
additional information may be disclosed. Do not contact individuals to 
obtain their consents for release to Congressional members unless a 
Congressional office specifically requests that this be done.
    (E) Nothing in paragraph (i)(2)(ii)(A) of this section prohibits a 
Component, when appropriate, from providing the record directly to the 
individual and notifying the Congressional office that this has been 
done without providing the record to the Congressional member.
    (3) See paragraph (e) of Sec.  310.20 for the policy on assessing 
fees for Members of Congress.
    (4) Make a disclosure accounting each time a record is disclosed to 
either House of Congress, to any committee, joint committee, or 
subcommittee of Congress, or to any congressional member.
    (j) Disclosures to the General Accountability Office. Records may 
be disclosed to the Comptroller General, or any of his authorized 
representatives, in the course of the performance of the duties of the 
General Accountability Office.
    (k) Disclosures under court orders. (1) Records may be disclosed 
without the consent of the person to whom they pertain under a court 
order signed by a judge of a court of competent jurisdiction.
    (2) When a record is disclosed under this provision, make 
reasonable efforts to notify the individual to whom the record 
pertains, if the legal process is a matter of public record.
    (3) If the process is not a matter of public record at the time it 
is issued, seek information as to when the process is to be made public 
and make reasonable efforts to notify the individual at that time.
    (4) Notification sent to the last known address of the individual 
as reflected in the records is considered a reasonable effort to 
notify.
    (5) Make a disclosure accounting each time a record is disclosed 
under a court order or compulsory legal process.
    (l) Disclosures to Consumer Reporting Agencies. (1) Certain 
personal information may be disclosed to consumer reporting agencies as 
provided in the Federal Claims Collection Act (31 U.S.C. 3711(e)).
    (2) Under the provisions of paragraph (l)(1) of this section, the 
following information may be disclosed to a consumer reporting agency:
    (i) Name, address, taxpayer identification number (SSN), and other 
information necessary to establish the identity of the individual.
    (ii) The amount, status, and history of the claim.
    (iii) The Agency or program under which the claim arose.
    (3) The Federal Claims Collection Act (31 U.S.C. 3711(e)) requires 
that the system notice for the system of records from which the 
information will be disclosed indicate that the information may be 
disclosed to a consumer reporting agency.


Sec.  310.23  Disclosures to commercial enterprises.

    (a) General policy. (1) Make releases of personal information to 
commercial enterprises under the criteria established by 32 CFR part 
286.
    (2) The relationship of commercial enterprises to their clients or 
customers and to the Department of Defense is not changed by this part.
    (3) The DoD policy on personal indebtedness for military personnel 
is contained in 32 CFR part 112, ``Indebtedness of Military Personnel,'' 
and for civilian employees in 5 CFR part 735.
    (b) Release of personal information. (1) Any information that must 
be released under 32 CFR part 286, the ``DoD Freedom of Information Act 
Program,'' may be released to a commercial enterprise without the 
individual's consent (see paragraph (b) of Sec.  310.22).
    (2) Commercial enterprises may present a signed consent statement 
setting forth specific conditions for release of personal information. 
Statements such as the following, if signed by the individual, are 
considered valid:

I hereby authorize the Department of Defense to verify my Social 
Security Number or other identifying information and to disclose my 
home address and telephone number to authorized representatives of 
(name of commercial enterprise) so that they may use this 
information in connection with my commercial dealings with that 
enterprise. All information furnished shall be used in connection 
with my financial relationship with (name of commercial enterprise).

    (3) When a statement of consent as outlined in paragraph (b)(2) of 
this section is presented, provide the requested information if its 
release is not prohibited by some other regulation or statute.
    (4) Blanket statements of consent that do not identify the 
Department of Defense or any of its Components, or

[[Page 18774]]

that do not specify exactly the type of information to be released, may 
be honored if it is clear the individual in signing the consent 
statement intended to obtain a personal benefit (for example, a loan to 
buy a house) and was aware of the type of information that would be 
sought. Care should be exercised in these situations to release only 
the minimum amount of personal information essential to obtain the 
benefit sought.
    (5) Do not honor requests from commercial enterprises for official 
evaluation of personal characteristics, such as evaluation of personal 
financial habits.


Sec.  310.24  Disclosures to the public from medical records.

    (a) Disclosures from medical records are not only governed by the 
requirements of this part but also by the disclosure provisions of DoD 
6025.18-R.
    (b) Any medical records that are subject to both this part and DoD 
6025.18-R may only be disclosed if disclosure is authorized under both. 
If disclosure is permitted under this part (e.g., pursuant to a routine 
use), but the disclosure is not authorized under DoD 6025.18-R, 
disclosure is not authorized. If a disclosure is authorized under DoD 
6025.18-R (e.g., releases outside the Department of Defense), but the 
disclosure is not authorized under this part, disclosure is not 
authorized.


Sec.  310.25  Disclosure accounting.

    (a) Disclosure accountings. (1) Keep an accurate record of all 
disclosures made from any system of records except disclosures:
    (i) To DoD personnel for use in the performance of their official 
duties; or
    (ii) Under 5 U.S.C. 552, the FOIA.
    (2) In all other cases a disclosure accounting is required even if 
the individual has consented to the disclosure of the information.
    (3) Disclosure accountings:
    (i) Permit individuals to determine to whom information has been 
disclosed;
    (ii) Enable the activity to notify past recipients of disputed or 
corrected information (Sec.  310.19(i)); and
    (iii) Provide a method of determining compliance with paragraph (c) 
of Sec.  310.21.
    (b) Contents of disclosure accountings. As a minimum, disclosure 
accounting shall contain:
    (1) The date of the disclosure.
    (2) A description of the information released.
    (3) The purpose of the disclosure.
    (4) The name and address of the person or Agency to whom the 
disclosure was made.
    (c) Methods of disclosure accounting. Use any system of disclosure 
accounting that shall provide readily the necessary disclosure 
information (see paragraph (a)(3) of this section).
    (d) Accounting for mass disclosures. When numerous similar records 
are released, identify the category of records disclosed and include 
the data required by paragraph (b) of this section in a form that can 
be used to construct an accounting disclosure record for individual 
records if required (see paragraph (a)(3) of this section).
    (e) Disposition of disclosure accounting records. Retain disclosure 
accounting records for 5 years after the disclosure or the life of the 
record, whichever is longer.
    (f) Furnishing disclosure accountings to the individual. (1) Make 
available to the individual to whom the record pertains all disclosure 
accountings except when:
    (i) The disclosure has been made to a law enforcement activity 
under paragraph (g) of Sec.  310.22 and the law enforcement activity 
has requested that disclosure not be made; or
    (ii) The system of records has been exempted from the requirement 
to furnish the disclosure accounting under the provisions of Sec.  
310.26(b).
    (2) If disclosure accountings are not maintained with the record 
and the individual requests access to the accounting, prepare a listing 
of all disclosures (see paragraph (b) of this section) and provide this 
to the individual upon request.

Subpart F--Exemptions


Sec.  310.26  Use and establishment of exemptions.

    (a) Types of exemptions. (1) There are three types of exemptions 
permitted by the Privacy Act (5 U.S.C. 552a).
    (i) An access exemption that exempts records compiled in reasonable 
anticipation of a civil action or proceeding from the access provisions 
of the Act.
    (ii) General exemptions that authorize the exemption of a system of 
records from all but certain specifically identified provisions of the 
Act (see Appendix D).
    (iii) Specific exemptions that allow a system of records to be 
exempted only from certain designated provisions of the Act (see 
Appendix D).
    (2) Nothing in the Act permits exemption of any system of records 
from all provisions of the Act.
    (b) Establishing exemptions. (1) The access exemption is self-
executing. It does not require an implementing rule to be effective.
    (2) Neither a general nor a specific exemption is established 
automatically for any system of records. The Heads of the DoD 
Components maintaining the system of records must make a determination 
whether the system is one for which an exemption properly may be 
claimed and then propose and establish an exemption rule for the 
system. No system of records within the Department of Defense shall be 
considered exempted until the Head of the Component has approved the 
exemption and an exemption rule has been published as a final rule in 
the Federal Register (See Sec.  310.30(e).)
    (3) Only the Head of the DoD Component or an authorized designee 
may claim an exemption for a system of records.
    (4) A system of records is considered exempt only from those 
provisions of the Privacy Act (5 U.S.C. 552a) that are identified 
specifically in the Component exemption rule for the system and that 
are authorized by the Privacy Act.
    (5) To establish an exemption rule, see Sec.  310.31.
    (c) Blanket exemption for classified material. (1) Component rules 
shall include a blanket exemption under 5 U.S.C. 552a(k)(1) of the 
Privacy Act from the access provisions (5 U.S.C. 552a(d)) and the 
notification of access procedures (5 U.S.C. 552a(e)(4)(H)) of the Act 
for all classified material in any systems of records maintained.
    (2) Do not claim specifically an exemption under section 552a(k)(1) 
of the Privacy Act for any system of records. The blanket exemption 
affords protection to all classified material in all systems of records 
maintained.
    (d) Provisions from which exemptions may be claimed. The Head of a 
DoD Component may claim an exemption from any provision of the Act from 
which an exemption is allowed (see Appendix D).
    (e) Use of exemptions. (1) Use exemptions only for the specific 
purposes set forth in the exemption rules (see paragraph (b) of Sec.  
310.31).
    (2) Use exemptions only when they are in the best interest of the 
Government and limit them to the specific portions of the records 
requiring protection.
    (3) Do not use an exemption to deny an individual access to any 
record to which he or she would have access under 32 CFR part 286.
    (f) Exempt records in non-exempt systems. (1) Exempt records 
temporarily in the custody of another Component are considered the 
property of the originating Component. Access to these records is 
controlled by the system

[[Page 18775]]

notices and rules of the originating Component.
    (2) Exempt records that have been incorporated into a nonexempt 
system of records are still exempt but only to the extent to which the 
provisions of the Act for which an exemption has been claimed are 
identified and an exemption claimed for the system of records from 
which the record is obtained and only when the purposes underlying the 
exemption for the record are still valid and necessary to protect the 
contents of the record.
    (3) If a record is accidentally misfiled into a system of records, 
the system notice and rules for the system in which it should actually 
be filed shall govern.


Sec.  310.27  Access exemption.

    (a) An individual is not entitled to access information that is 
compiled in reasonable anticipation of a civil action or proceeding.
    (b) The term ``civil action or proceeding'' is intended to include 
court proceedings, preliminary judicial steps, and quasi-judicial 
administrative hearings or proceedings (i.e., adversarial proceedings 
that are subject to rules of evidence).
    (c) Any information prepared in anticipation of such actions or 
proceedings, to include information prepared to advise the DoD 
Component officials of the possible legal or other consequences of a 
given course of action, is protected.
    (d) The exemption is similar to the attorney work-product privilege 
except that it applies even when the information is prepared by 
nonattorneys.
    (e) The exemption does not apply to information compiled in 
anticipation of criminal actions or proceedings.


Sec.  310.28  General exemption.

    (a) Use of specific exemptions. A DoD Component is not authorized 
to claim the exemption for records maintained by the Central 
Intelligence Agency established by 5 U.S.C. 552a(j)(1) of the Privacy 
Act.
    (b) The general exemption established by 5 U.S.C. 552a(j)(2) of the 
Privacy Act may be claimed to protect investigative records created and 
maintained by law-enforcement activities of a DoD Component.
    (c) To qualify for the (j)(2) exemption, the system of records must 
be maintained by a DoD Component, or element thereof, that performs as 
its principal function any activity pertaining to the enforcement of 
criminal laws, such as the U.S. Army Criminal Investigation Command, 
the Naval Investigative Service, the Air Force Office of Special 
Investigations, and military police activities. However, where DoD 
offices perform multiple functions, but have an investigative 
component, such as the DoD Inspector General Defense Criminal 
Investigative Service or Criminal Law Divisions of Staff Judge 
Advocates Offices, the exemption may be claimed. Law enforcement 
includes police efforts to detect, prevent, control, or reduce crime, 
or to apprehend or identify criminals, and the activities of military 
trial counsel, correction, probation, pardon, or parole authorities.
    (d) Information that may be protected under the (j)(2) exemption 
includes:
    (1) Records compiled for the purpose of identifying criminal 
offenders and alleged offenders consisting only of identifying data and 
notations of arrests, the nature and disposition of criminal charges, 
sentencing, confinement, release, parole, and probation status (so-
called criminal history records);
    (2) Reports and other records compiled during criminal 
investigations, including supporting documentation; and
    (3) Other records compiled at any stage of the criminal law 
enforcement process from arrest or indictment through the final release 
from parole supervision, such as pre-sentence and parole reports.
    (e) The (j)(2) exemption does not apply to:
    (1) Investigative records prepared or maintained by activities 
without primary law-enforcement missions. It may not be claimed by any 
activity that does not have law enforcement as its principal function 
except as indicated in paragraph (c) of this section.
    (2) Investigative records compiled by any activity concerning 
employee suitability, eligibility, qualification, or for individual 
access to classified material regardless of the principal mission of 
the compiling DoD Component.


Sec.  310.29  Specific exemptions.

    (a) Use of specific exemptions. The specific exemption established 
by 5 U.S.C. 552a(k) of the Privacy Act may be claimed to protect 
records that meet the following criteria (parenthetical references are 
to the appropriate subsection of the Act):
    (1) (k)(1). Information subject to 5 U.S.C. 552(b)(1), (DoD 5200.1-R) 
(see also paragraph (c) of this section).
    (2) (k)(2). Investigatory information compiled for law-enforcement 
purposes, other than information that is covered by the general 
exemption (see Sec.  310.28). If an individual is denied any right, 
privilege or benefit he or she is otherwise entitled by Federal law or 
for which he or she would otherwise be eligible as a result of the 
maintenance of the information, the individual shall be provided access 
to the information except to the extent that disclosure would reveal 
the identity of a confidential source. This exemption provides limited 
protection of investigative reports maintained in a system of records 
used in personnel or administrative actions.
    (i) The information must be compiled for some investigative law 
enforcement purpose, such as a criminal investigation by a DoD office 
whose principal function is not law enforcement, or a civil 
investigation.
    (ii) The exemption does not apply to investigations conducted 
solely for the purpose of a routine background investigation (see 
paragraph (a)(5) of this section), but will apply if the investigation 
is for the purpose of investigating DoD personnel who are suspected of 
violating statutory or regulatory authority.
    (iii) The exemption can continue to be claimed even after the 
investigation has concluded and there is no future likelihood of 
further enforcement proceedings.
    (3) (k)(3). Records maintained in connection with providing 
protective services to the President and other individuals under 18 
U.S.C. 3056, ``Powers, Authorities, and Duties of United States Secret 
Service.''
    (4) (k)(4). Records maintained solely for statistical research or 
program evaluation purposes and that are not used to make decisions on 
the rights, benefits, or entitlement of an individual except for census 
records that may be disclosed under 13 U.S.C. 6, ``Information for 
other Federal Departments and Agencies.''
    (5) (k)(5). Investigatory material compiled solely for the purpose 
of determining suitability, eligibility, or qualifications for Federal 
civilian employment, military service, Federal contracts, or access to 
classified information, but only to the extent such material would 
reveal the identity of a confidential source.
    (i) This exemption permits protection of confidential sources used 
in background investigations, employment inquiries, and similar 
inquiries that are for personnel screening to determine suitability, 
eligibility, or qualifications.
    (ii) This exemption is applicable not only to investigations 
conducted prior to the hiring of an employee, but it also applies to 
investigations conducted to determine continued employment suitability 
or eligibility.

[[Page 18776]]

    (6) (k)(6). Testing or examination material used solely to 
determine individual qualifications for appointment or promotion in the 
Federal or military service, if the disclosure would compromise the 
objectivity or fairness of the test or examination process.
    (7) (k)(7). Evaluation material used to determine potential for 
promotion in the Military Services, but only to the extent that the 
disclosure of such material would reveal the identity of a confidential 
source.
    (b) Promises of confidentiality. (1) Only the identity of sources 
that have been given an express promise of confidentiality may be 
protected from disclosure under paragraphs (a)(1), (5), and (7) of this 
section. However, the identity of sources who were given implied 
promises of confidentiality in inquiries conducted before September 27, 
1975, also may be protected from disclosure.
    (2) Ensure promises of confidentiality are not automatically given 
but are used sparingly. Establish appropriate procedures and identify 
fully categories of individuals who may make such promises. Promises of 
confidentiality shall be made only when they are essential to obtain 
the information sought (see 5 CFR part 736).
    (c) Access to records for which specific exemptions are claimed. 
Deny the individual access only to those portions of the records for 
which the claimed exemption applies.

Subpart G--Publication Requirements


Sec.  310.30  Federal Register publication.

    (a) What must be published in the Federal Register.
    (1) Four types of documents relating to the Privacy Program must be 
published in the Federal Register:
    (i) DoD Component Privacy Procedural rules;
    (ii) DoD Component exemption rules;
    (iii) System notices; and
    (iv) Match notices (see subpart L to this part).
    (2) See DoD 5025.1-M,\9\ ``Directive Systems Procedures'' and 
Administrative Instruction (AI) No. 102,\10\ ``Office of the Secretary 
of Defense Federal Register System'' for information pertaining to the 
preparation of documents for publication in the Federal Register.
---------------------------------------------------------------------------

    \9\ See footnote 1 to Sec.  310.1.
    \10\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------

    (b) The effect of publication in the Federal Register. Publication 
of a document in the Federal Register constitutes official public 
notice of the existence and content of the document.
    (c) DoD Component rules. (1) Component Privacy Program procedures 
and Component exemption rules are subject to the rulemaking procedures 
prescribed in AI 102.
    (2) System notices are not subject to formal rulemaking and are 
published in the Federal Register as ``Notices,'' not rules.
    (3) Privacy procedural and exemption rules are incorporated 
automatically into the CFR. System notices are not published in the 
CFR.
    (d) Submission of rules for publication. (1) Submit to the DPO, 
ODA&M, all proposed rules implementing this part in proper format (see 
DoD 5025.1-M and AI 102) for publication in the Federal Register.
    (2) This part has been published as a final rule in the Federal 
Register. Therefore, incorporate it into your Component rules rather 
than by republication (see AI 102).
    (3) DoD Component procedural rules that simply implement this 
Regulation need only be published as final rules in the Federal 
Register (see DoD 5025.1-M and AI 102). If the Component procedural 
rule supplements this part in any manner, it must be published as a 
proposed rule before being published as a final rule.
    (4) Amendments to Component rules are submitted like the basic 
rules.
    (5) The DPO submits the rules and amendments thereto to the Federal 
Register for publication.
    (e) Submission of exemption rules for publication. (1) No system of 
records within the Department of Defense shall be considered exempt 
from any provision of this part until the exemption and the exemption 
rule for the system has been published as a final rule in the Federal 
Register.
    (2) Submit exemption rules in proper format to the DPO. All 
exemption rules are coordinated with the DoD Office of General Counsel. 
After coordination, the DPO shall submit the rules to the Federal 
Register for publication.
    (3) Exemption rules require publication both as proposed rules and 
final rules (see AI 102).
    (4) Sec.  310.31(b) discusses the content of an exemption rule.
    (5) Submit amendments to exemption rules in the same manner used 
for establishing these rules.
    (f) Submission of system notices for publication. (1) System 
notices are not subject to formal rulemaking procedures. However, the 
Privacy Act (5 U.S.C. 552a) requires that a system notice describing 
the existence and character of a new or altered system of records be 
published in the Federal Register. Until publication of the notice, DoD 
Components shall not begin to operate the system of records (i.e., 
collect and use the information). The notice procedures require that:
    (i) The system notice describe what kinds of records are in the 
system, on whom they are maintained, what uses are made of the records, 
and how an individual may access, or contest, the records contained in 
the system.
    (ii) The public be given 30 days to comment on any proposed routine 
uses before any disclosures are made pursuant to the routine use; and
    (iii) The notice contain the date on which the system shall become 
effective.
    (2) Submit system notices to the DPO in the Federal Register format 
(see AI 102 and Appendix E to this part). The DPO transmits the notices 
to the Federal Register for publication.
    (3) Sec.  310.32 discusses the specific elements required in a 
system notice.


Sec.  310.31  Exemption rules.

    (a) General procedures. Subpart F of this part provides the general 
guidance for establishing exemptions for systems of records.
    (b) Contents of exemption rules. (1) Each exemption rule submitted 
for publication must contain the following:
    (i) The record system identifier and title of the system for which 
the exemption is claimed. (See Sec.  310.32(b) and (c));
    (ii) The specific sections of the Privacy Act under which the 
exemption for the system is claimed (for example, 5 U.S.C. 552a(j)(2), 
5 U.S.C. 552a(k)(3), or 5 U.S.C. 552a(k)(7));
    (iii) The specific sections of the Privacy Act from which the 
system is to be exempted (for example, 5 U.S.C. 552a(c)(3), or 5 U.S.C. 
552a(d)(1)-(5)) (see Appendix D); and
    (iv) The specific reasons why an exemption is being claimed from 
each section of the Act identified.
    (2) Do not claim an exemption for classified material for 
individual systems of records. The blanket exemption applies. (See 
paragraph (c) of Sec.  310.26.)


Sec.  310.32  System notices.

    (a) Contents of the system notices. (1) The following data captions 
are included in each system notice:
    (i) Systems identifier. (see paragraph (b) of this section).
    (ii) System name. (see paragraph (c) of this section).
    (iii) System location. (see paragraph (d) of this section).

[[Page 18777]]

    (iv) Categories of individuals covered by the system. (see 
paragraph (e) of this section).
    (v) Categories of records in the system. (see paragraph (f) of this 
section).
    (vi) Authority for maintenance of the system. (see paragraph (g) of 
this section).
    (vii) Purpose(s). (see paragraph (h) of this section).
    (viii) Routine uses of records maintained in the system, including 
categories of users and the purposes of such uses. (see paragraph (i) 
of this section).
    (ix) Disclosure to Consumer Reporting Agencies. This element is 
optional but required when disclosing to consumer reporting agencies 
(See paragraph (l) of Sec.  310.22.)
    (x) Policies and practices for storing, retrieving, accessing, 
retaining, and disposing of records in the system. (see paragraph (j) 
of this section).
    (xi) Systems manager(s) and address. (see paragraph (k) of this 
section).
    (xii) Notification procedure. (see paragraph (l) of this section).
    (xiii) Record access procedures. (see paragraph (m) of this 
section).
    (xiv) Contesting records procedures. (see paragraph (n) of this 
section).
    (xv) Record source categories. (see paragraph (o) of this section).
    (xvi) Exemptions claimed for the system. (see paragraph (p) of this 
section).
    (2) The captions listed in paragraph (a)(1) of this section have 
been mandated by the Office of the Federal Register and must be used 
exactly as presented.
    (3) A sample system notice is shown in Appendix E of this part.
    (b) System Identifier. The system identifier must appear on all 
system notices and is limited to 21 positions, including Component 
code, file number and symbols, punctuation, and spacing, unless an 
exception is granted by the DPO.
    (c) System Name. (1) The name of the system reasonably identifies 
the general purpose of the system and, if possible, the general 
categories of individuals involved.
    (2) Use acronyms only parenthetically following the title or any 
portion thereof, such as, ``Joint Uniform Military Pay System 
(JUMPS).'' Do not use acronyms not commonly known unless they are 
preceded by an explanation.
    (3) The system name may not exceed 55 character positions, including 
punctuation and spacing, unless an exception is granted by the DPO.
    (4) The system name should not be the name of the database or the 
IT system if the name does not meet the criteria in paragraph (c)(1) of 
this section.
    (d) System Location. (1) For systems maintained in a single 
location provide the exact office name, organizational identity, and 
address.
    (2) For geographically or organizationally decentralized systems, 
specify each level of organization or element that maintains a segment 
of the system, to include their mailing address, or indicate the 
official mailing addresses are published as an Appendix to the 
Component's compilation of system of records notices, or provide an 
address where a complete listing of locations can be obtained.
    (3) Use the standard U.S. Postal Service two-letter State 
abbreviation symbols and 9-digit Zip Codes for all domestic addresses.
    (e) Categories of individuals covered by the system. (1) Set forth 
the specific categories of individuals to whom records in the system 
pertain in clear, easily understood, non-technical terms.
    (2) Avoid the use of broad over-general descriptions, such as ``all 
Army personnel'' or ``all military personnel'' unless this actually 
reflects the category of individuals involved.
    (f) Categories of records in the system. (1) Describe in clear, 
non-technical terms the types of records maintained in the system.
    (2) Only documents actually maintained in the system of records 
shall be described, not source documents that are used only to collect 
data and then destroyed.
    (g) Authority for maintenance of system. (1) Cite the specific 
provision of the Federal statute or E.O. that authorizes the 
maintenance of the system.
    (2) Include with citations for statutes the popular names, when 
appropriate (for example, Section 2103 of title 51, United States Code, 
``Tea-Tasters Licensing Act''), and for E.O.s, the official title (for 
example, E.O. No. 9397, ``Numbering System for Federal Accounts 
Relating to Individual Persons'').
    (3) If direct statutory authority or an Executive Order does not 
exist, indirect statutory authority may be cited if the authority 
requires the operation or administration of a program, the execution of 
which will require the collection and maintenance of a system of 
records.
    (4) If direct or indirect authority does not exist, the Department 
of Defense, as well as the Army, Navy, and Air Force general 
``housekeeping'' statutes (i.e., 5 U.S.C. 301 (``Departmental 
Regulations''), 10 U.S.C. 3013 (``Secretary of the Army''), 5013 
(``Secretary of the Navy''), and 8013 (``Secretary of the Air Force'')) 
may be cited if the Secretary, or those offices to which responsibility 
has been delegated, are required to collect and maintain systems of 
records in order to discharge assigned responsibilities. If the 
housekeeping statute is cited, the regulatory authority implementing 
the statute within the Department or Component also shall be 
identified.
    (5) If the social security number is being collected and 
maintained, E.O. 9397 (``Numbering System for Federal Accounts 
Relating to Individual Persons'') shall be cited.
    (h) Purpose or Purposes. (1) List the specific purposes for 
maintaining the system of records by the Component.
    (2) All internal uses of the information within the Department or 
Component shall be identified. Such uses are the so-called ``internal 
routine uses.''
    (i) Routine Uses. (1) Except as otherwise authorized by subpart E 
of this part, disclosure of information from a system of records to any 
person or entity outside the Department of Defense (see Sec.  
310.21(b)) may only be made pursuant to a routine use that has been 
established for the specific system of records. Such uses are the so-
called ``external routine uses.''
    (2) Each routine use shall state to whom the information is being 
disclosed and for what use and purpose the information will be used. 
Routine uses shall be written as follows:
    (i) ``To * * * [person or entity outside of DoD that will receive 
the information] to * * * [what will be done with the information] for 
the purpose(s) of * * * [what objective is sought to be achieved].''
    (ii) To the extent practicable, general statements, such as ``to 
other Federal agencies as required'' or ``to any other appropriate 
Federal agency'' shall be avoided.
    (3) Blanket routine uses (Appendix C to this part) have been 
adopted that apply to all Component system notices. The blanket routine 
uses appear at the beginning of each Component's compilation of its 
system notices.
    (i) Each system notice shall contain a statement whether or not the 
blanket routine uses apply to the system.
    (ii) Each notice may state that none of the blanket routine uses 
apply or that one or more do not apply.
    (j) Policies and Practices For Storing, Retrieving, Accessing, 
Retaining, and Disposing of Records. This caption is subdivided into 
four parts:
    (1) Storage. Indicate the medium in which the records are 
maintained. (For

[[Page 18778]]

example, a system may be ``automated, maintained on compact disks, 
diskettes,'' ``manual, maintained in paper files,'' or ``hybrid, 
maintained in a combination of paper and automated form.'') Storage 
does not refer to the container or facility in which the records are 
kept.
    (2) Retrievability. Specify how the records are retrieved (for 
example, name, SSN, or some other unique personal identifier assigned 
the individual).
    (3) Safeguards. Identify the system safeguards (such as storage in 
safes, vaults, locked cabinets or rooms, use of guards, visitor 
registers, personnel screening, or password protected IT systems). Also 
identify personnel who have access to the systems. Do not describe 
safeguards in such detail as to compromise system security.
    (4) Retention and Disposal. Indicate how long the record is 
retained. When appropriate, also state the length of time the records 
are maintained by the Component, when they are transferred to a FRC, 
time of retention at the Records Center and when they are transferred 
to the National Archivist or are destroyed. A reference to a Component 
regulation without further detailed information is insufficient. If 
records are eventually destroyed as opposed to being retired, identify 
the method of destruction (e.g., shredding, burning, pulping, etc.).
    (k) System manager or managers and address. (1) List the title and 
address of the official responsible for the management of the system.
    (2) If the title of the specific official is unknown, such as for a 
local system, specify the local commander or office head as the systems 
manager.
    (3) For geographically separated or organizationally decentralized 
activities for which individuals may deal directly with officials at 
each location in exercising their rights, list the position or duty 
title of each category of officials responsible for the system or a 
segment thereof.
    (4) Do not include business or duty addresses if they are listed in 
the Component address directory.
    (l) Notification Procedures. (1) Describe how an individual may 
determine if there are records pertaining to him or her in the system. 
The procedural rules may be cited, but include a brief procedural 
description of the needed data. Provide sufficient information in the 
notice to allow an individual to exercise his or her rights without 
referral to the formal rules.
    (2) As a minimum, the caption shall include:
    (i) The official title (normally the system manager) and official 
address to which the request is to be directed.
    (ii) The specific information required to determine if there is a 
record of the individual in the system.
    (iii) Identification of the offices through which the individual 
may obtain notification; and
    (iv) A description of any proof of identity required. (see Sec.  
310.17(c)).
    (3) When appropriate, the individual may be referred to a Component 
official who shall provide this information to him or her.
    (m) Record Access Procedures. (1) Describe how an individual can 
gain access to the records pertaining to him or her in the system. The 
procedural rules may be cited, but include a brief procedural 
description of the needed data. Provide sufficient information in the 
notice to allow an individual to exercise his or her rights without 
referral to the formal rules.
    (2) As a minimum, the caption shall include:
    (i) The official title (normally the system manager) and official 
address to which the request is to be directed.
    (ii) A description of any proof of identity required. (see Sec.  
310.17(c)).
    (iii) When appropriate, the individual may be referred to a 
Component official who shall provide the records to him or her.
    (n) Contesting Record Procedures. (1) Describe how an individual 
may contest the content of a record pertaining to him or her in the 
system.
    (2) The detailed procedures for contesting a record need not be 
identified if the Component procedural rules are readily available to 
the public. (For example, ``The Office of the Secretary of Defense'' 
rules for contesting contents are contained in 32 CFR 311.) All 
Component procedural rules are set forth at a Departmental public Web 
site (http://www.defenselink.mil/privacy/cfr-rules.html).
    (3) The individual may also be referred to the system manager to 
determine these procedures.
    (o) Record Source Categories. (1) Describe where (the individual, 
other Component documentation, other Federal agencies, etc.) the 
information contained in the system was obtained.
    (2) Specific individuals or institutions need not be identified by 
name, particularly if these sources have been granted confidentiality. 
(see Sec.  310.29(b)).
    (p) Exemptions claimed for the System. (1) If no exemption has been 
claimed for the system, indicate ``None.''
    (2) If an exemption is claimed, cite the exemption as well as 
identifying the CFR section containing the exemption rule for the 
system.
    (q) Maintaining the Master DoD System Notice Registry. (1) The DPO 
maintains a master registry of all DoD record systems notices.
    (2) The DPO also posts all DoD system notices to a public Web site 
(see http://www.defenselink.mil/privacy/notices).
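Read as a whole, Sec. 310.32 is a schema for a system notice: a fixed set of captions in a mandated order, position limits on the identifier and name, and content rules that tie one caption to another (an SSN in the records requires E.O. 9397 under the authority caption; an exemption claim requires both the Act subsection and the CFR section of the rule). The Python below is an added example, not part of the regulation or of any DoD tool, that lints a draft notice against those rules. The caption wording comes from paragraph (a)(1); the regular expressions, the two draft notices, and every identifier, system name, office and address in them are constructed placeholders, and the phrase-based checks (over-general categories, vague recipients) are heuristics that a privacy officer would still review by hand.

```python
"""Lint a draft DoD system of records notice against Sec. 310.32.
Added example, not part of the regulation; the drafts below are constructed
and every identifier, name, office and address in them is a placeholder."""
import re

# Captions mandated by Sec. 310.32(a)(1), in the required order. Caption
# (ix), "Disclosure to consumer reporting agencies", is optional and omitted.
CAPTIONS = (
    "System identifier", "System name", "System location",
    "Categories of individuals covered by the system",
    "Categories of records in the system",
    "Authority for maintenance of the system", "Purpose(s)",
    "Routine uses of records maintained in the system, including "
    "categories of users and the purposes of such uses",
    "Policies and practices for storing, retrieving, accessing, retaining, "
    "and disposing of records in the system",
    "System manager(s) and address", "Notification procedure",
    "Record access procedures", "Contesting records procedures",
    "Record source categories", "Exemptions claimed for the system",
)
IDENT, NAME, INDIVIDUALS, RECORDS, AUTHORITY, USES, POLICIES, EXEMPTIONS = (
    CAPTIONS[i] for i in (0, 1, 3, 4, 5, 7, 8, 14))
MAX_IDENT = 21   # Sec. 310.32(b): punctuation and spacing count as positions
MAX_NAME = 55    # Sec. 310.32(c)(3): likewise

SSN_RE = re.compile(r"\b(SSN|social security number)\b", re.I)
EO_9397_RE = re.compile(r"E\.?\s?O\.?\s*(No\.?\s*)?9397", re.I)
OVERGENERAL_RE = re.compile(r"\ball\s+(\w+\s+)?personnel\b", re.I)
VAGUE_USE_RE = re.compile(r"to (any )?other (appropriate )?federal agenc", re.I)
EXEMPTION_RE = re.compile(r"5 U\.S\.C\. 552a\([jk]\)\(\d\)")
CFR_RULE_RE = re.compile(r"32 CFR \d+(\.\d+)?")
ACRONYM_RE = re.compile(r"\b[A-Z]{3,}\b")


def lint(notice):
    """Return (caption, finding) tuples for an ordered caption -> text mapping."""
    text = {k.lower(): v for k, v in notice.items()}  # captions compare case-insensitively

    def get(cap):
        return text.get(cap.lower(), "")

    out = []
    # (a)(1)-(2): every mandatory caption present, worded exactly, in order.
    out += [(c, "mandatory caption missing (310.32(a))") for c in CAPTIONS if c.lower() not in text]
    order = [list(text).index(c.lower()) for c in CAPTIONS if c.lower() in text]
    if order != sorted(order):
        out.append(("(order)", "captions not in mandated order (310.32(a)(2))"))
    # (b), (c)(3): position limits; (c)(2): acronyms only in parentheses after the title.
    if len(get(IDENT)) > MAX_IDENT:
        out.append((IDENT, f"{len(get(IDENT))} positions exceeds {MAX_IDENT} (310.32(b))"))
    if len(get(NAME)) > MAX_NAME:
        out.append((NAME, f"{len(get(NAME))} positions exceeds {MAX_NAME} (310.32(c)(3))"))
    if ACRONYM_RE.search(re.sub(r"\([^)]*\)", "", get(NAME))):
        out.append((NAME, "acronym not in parentheses after the title (310.32(c)(2))"))
    # (e)(2): no over-general population descriptions.
    if OVERGENERAL_RE.search(get(INDIVIDUALS)):
        out.append((INDIVIDUALS, "over-general description such as 'all ... personnel' (310.32(e)(2))"))
    # (g)(5): if the SSN is collected, E.O. 9397 must be cited as authority.
    if SSN_RE.search(get(RECORDS) + " " + get(POLICIES)) and not EO_9397_RE.search(get(AUTHORITY)):
        out.append((AUTHORITY, "SSN collected but E.O. 9397 not cited (310.32(g)(5))"))
    # (i)(2)(ii): no vague recipients; (i)(3)(i): statement on blanket routine uses.
    if VAGUE_USE_RE.search(get(USES)):
        out.append((USES, "general recipient statement (310.32(i)(2)(ii))"))
    if "blanket routine uses" not in get(USES).lower():
        out.append((USES, "no statement whether blanket routine uses apply (310.32(i)(3)(i))"))
    # (j)(3): safeguards must be identified (without detail that would weaken them).
    if "safeguards" not in get(POLICIES).lower():
        out.append((POLICIES, "safeguards not identified (310.32(j)(3))"))
    # (p): either "None" or the Act subsection plus the CFR section of the rule.
    ex = get(EXEMPTIONS).strip().rstrip(".")
    if ex.lower() != "none" and not (EXEMPTION_RE.search(ex) and CFR_RULE_RE.search(ex)):
        out.append((EXEMPTIONS, "cite the exemption and its CFR rule, or state 'None' (310.32(p))"))
    return out


# Constructed draft with four defects; every value is a placeholder.
DRAFT = {
    IDENT: "DPO-PRIV-EXAMPLE-000001",                       # 23 positions
    NAME: "Example Training Completion System (ETCS)",
    "System location": "Example Privacy Office, [address placeholder].",
    INDIVIDUALS: "All military personnel assigned to the example command.",
    RECORDS: "Name, SSN, duty station, and training completion dates.",
    AUTHORITY: "10 U.S.C. 3013, Secretary of the Army.",   # SSN needs E.O. 9397
    "Purpose(s)": "To track completion of mandatory training.",
    USES: "To other Federal agencies as required. The blanket routine uses "
          "at the beginning of the compilation apply to this system.",
    POLICIES: "Storage: electronic records. Retrievability: by name or SSN. "
              "Safeguards: password protected IT systems, access limited to "
              "assigned staff. Retention and disposal: shredded three years "
              "after the individual separates.",
    "System manager(s) and address": "Director, Example Privacy Office, [address placeholder].",
    "Notification procedure": "Write to the system manager with full name and proof of identity.",
    "Record access procedures": "Write to the system manager with full name and proof of identity.",
    "Contesting records procedures": "See the Component rules at [CFR placeholder].",
    "Record source categories": "The individual and the training management office.",
    EXEMPTIONS: "None.",
}
# The same draft with the four defects fixed; lint() returns [] for it.
CORRECTED = dict(DRAFT, **{
    IDENT: "DPO-PRIV-EX-000001",
    INDIVIDUALS: "Military members of the example command assigned mandatory training.",
    AUTHORITY: "10 U.S.C. 3013, Secretary of the Army; E.O. 9397 (SSN).",
    USES: "To [training provider placeholder] to record course completion for "
          "the purpose of issuing certificates. The blanket routine uses at the "
          "beginning of the compilation apply to this system.",
})
```

Running `lint(DRAFT)` reports the over-length identifier, the "all military personnel" category, the missing E.O. 9397 citation and the vague routine use, and `lint(CORRECTED)` returns an empty list. The cross-caption checks are the useful part: a notice can be well formed caption by caption and still fail (g)(5) or (p), and those are the defects a reviewer reading one caption at a time tends to miss.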


Sec.  310.33  New and altered record systems.

    (a) Criteria for a new record system. (1) If a Component is 
maintaining a system of records as contemplated by Sec.  310.10(a), and 
a system notice has not been published for it in the Federal Register, 
the Component shall establish a system notice consistent with the 
requirements of this subpart.
    (2) If a notice for a system of records has been canceled or 
deleted but a determination is subsequently made that the system will 
be reinstated or reused, the system may not be operated (i.e., 
information collected or used) until a new notice is published in the 
Federal Register.
    (b) Criteria for an altered record system. A system is considered 
altered whenever one of the following actions occurs or is proposed:
    (1) A significant increase or change in the number or type of 
individuals about whom records are maintained.
    (i) Only changes that alter significantly the character and purpose 
of the record system are considered alterations.
    (ii) Increases in numbers of individuals due to normal growth are 
not considered alterations unless they truly alter the character and 
purpose of the system.
    (iii) Increases that change significantly the scope of population 
covered (for example, expansion of a system of records covering a 
single command's enlisted personnel to include all of the Component's 
enlisted personnel would be considered an alteration).
    (iv) A reduction in the number of individuals covered is not an 
alteration, but only an amendment. (see Sec.  310.34(a).)
    (v) All changes that add new categories of individuals to system 
coverage require a change to the ``Categories of individuals covered by 
the system'' caption of the notice (see Sec.  310.32(e)) and may 
require changes to the ``Purpose(s)'' caption (see Sec.  310.32(h)).
    (2) An expansion in the types or categories of information 
maintained.
    (i) The addition of any new category of records not described under 
the

[[Page 18779]]

``Categories of Records in the System'' caption is considered an 
alteration.
    (ii) Adding a new data element that is clearly within the scope of 
the categories of records described in the existing notice is an 
amendment. (see Sec.  310.34(a)). An amended notice may not be required 
if the data element is clearly covered by the record category 
identified in the existing system notice.
    (iii) All changes under this criterion require a change to the 
``Categories of Records in the System'' caption of the notice. (see 
Sec.  310.32(f)).
    (3) An alteration of how the records are organized or the manner in 
which the records are indexed and retrieved.
    (i) The change must alter the nature of use or scope of the records 
involved (for example, combining records systems in a reorganization).
    (ii) Any change under this criterion requires a change in the 
``Retrievability'' caption of the system notice. (see Sec.  
310.32(j)(2)).
    (iii) If the records are no longer retrieved by name or personal 
identifier cancel the system notice. (see Sec.  310.10(b)).
    (4) A change in the purpose for which the information in the system 
is used.
    (i) The new purpose must not be compatible with the existing 
purposes for which the system is maintained.
    (ii) If the use is compatible and reasonably expected, there is no 
change in purpose and no alteration occurs.
    (iii) Any change under this criterion requires a change in the 
``Purpose(s)'' caption (see Sec.  310.32(h)) and may require a change 
in the ``Authority for maintenance of the system'' caption (see Sec.  
310.32).
    (5) Changes that alter the computer environment (such as changes to 
equipment configuration, software, or procedures) so as to create the 
potential for greater or easier access.
    (i) Increasing the number of offices with direct access is an 
alteration.
    (ii) Software applications, such as operating systems and system 
utilities, that provide for easier access are considered alterations.
    (iii) The addition of an on-line capability to a previously batch-
oriented system is an alteration.
    (iv) The addition of peripheral devices such as tape devices, disk 
devices, card readers, printers, and similar devices to an existing IT 
system constitutes an amendment if system security is preserved. (see 
Sec.  310.34).
    (v) Changes to existing equipment configuration with on-line 
capability need not be considered alterations to the system if:
    (A) The change does not alter the present security posture; or
    (B) The addition of terminals does not extend the capacity of the 
current operating system and existing security is preserved.
    (vi) The connecting of two or more formerly independent automated 
systems or networks together creating a potential for greater access is 
an alteration.
    (vii) Any change under this caption requires a change to the 
``Storage'' caption element of the systems notice. (see Sec.  
310.32(j)(1)).
    (c) Reports of new and altered systems. (1) Components shall submit 
a report for all new or altered systems to the DPO consistent with the 
requirements of this subpart and in the format prescribed at Appendix F 
of this part.
    (i) Components shall include the following when submitting an 
alteration for a system notice for publication in the Federal Register:
    (A) The system identifier and name. (see Sec.  310.32(b) and (c)).
    (B) A description of the nature and specific changes proposed.
    (ii) The full text of the system notice need not be submitted if 
the master registry contains a current system notice for the system. 
(see Sec.  310.32(q)).
    (2) The DPO coordinates all reports of new and altered systems with 
the Office of the Assistant Secretary of Defense (Legislative Affairs), 
Department of Defense.
    (3) The DPO prepares and sends a transmittal letter that forwards 
the report, as well as the new or altered system notice, to OMB and 
Congress.
    (4) The DPO shall publish in the Federal Register a system notice 
for new or altered systems.
    (d) Time restrictions on the operation of a new or altered system. 
(1) The reports, and the new or altered system notice, must be provided 
OMB and Congress at least 40 days prior to the operation of the new or 
altered system. The 40 day review period begins on the date the 
transmittal letters are signed and dated.
    (2) The system notice must be published in the Federal Register 
before a Component begins to operate the system (i.e., collect and use 
the information). If the new system has routine uses or the altered 
system adds a new routine use, no records may be disclosed pursuant to 
the routine use until the public has had 30 days to comment on the 
proposed use.
    (3) The time periods run concurrently.
    (e) Exemptions for new systems. See Sec.  310.30(e) for the 
procedures to follow in submitting exemption rules for a new system of 
records or for submitting an exemption rule for an existing system of 
records.


Sec.  310.34  Amendment and deletion of system notices.

    (a) Criteria for an amended system notice. (1) Certain minor 
changes to published systems notices are considered amendments and not 
alterations. (see Sec.  310.33(b)).
    (2) Amendments do not require a report of an altered system (see 
Sec.  310.33(c)), but must be published in the Federal Register.
    (b) System notices for amended systems. Components shall include 
the following when submitting an amendment for a system notice for 
publication in the Federal Register:
    (1) The system identifier and name. (see Sec.  310.32 (b) and (c)).
    (2) A description of the nature and specific changes proposed.
    (3) The full text of the system notice need not be submitted if the 
master registry contains a current system notice for the system. (see 
Sec.  310.32(q)).
    (c) Deletion of system notices. (1) Whenever a system is 
discontinued, combined into another system, or determined no longer to 
be subject to this part, a deletion notice is required.
    (2) The notice of deletion shall include:
    (i) The system identification and name.
    (ii) The reason for the deletion.
    (3) When the system is eliminated through combination or merger, 
identify the successor system or systems in the deletion notice.
    (d) Submission of amendments and deletions for publication. (1) 
Submit amendments and deletions to the DPO for transmittal to the 
Federal Register for publication.
    (2) Multiple deletions and amendments may be combined into a single 
submission.

Subpart H--Training Requirements


Sec.  310.35  Statutory training requirements.

    The Privacy Act (5 U.S.C. 552a) requires each Agency to establish 
rules of conduct for all persons involved in the design, development, 
operation, and maintenance of any system of record and to train these 
persons with respect to these rules.


Sec.  310.36  OMB training guidelines.

    The OMB guidelines (OMB Privacy Guidelines, 40 FR 28948 (July 9, 
1975) require all agencies additionally to:
    (a) Instruct their personnel in their rules of conduct and other 
rules and procedures adopted in implementing the Act, to ensure that 
they are reminded of their specific

[[Page 18780]]

responsibilities for safeguarding personally identifiable information, 
the rules for acquiring and using such information, and the penalties 
for non-compliance.
    (b) Incorporate training on the special requirements of the Act 
into both formal and informal (on-the-job) training programs.


Sec.  310.37  DoD training programs.

    (a) The training shall include information regarding information 
privacy laws, regulations, policies and procedures governing the 
Department's collection, maintenance, use, or dissemination of personal 
information. The objective is to establish a culture of sensitivity to, 
and knowledge about, privacy issues involving individuals throughout 
the Department.
    (b) To meet these training requirements, Components may establish 
three general levels of training for those persons, to include 
contractor personnel, who are involved in any way with the design, 
development, operation, or maintenance of privacy protected systems of 
records. These are:
    (1) Orientation. Training that provides basic understanding of this 
part as it applies to the individual's job performance. This training 
shall be provided to personnel, as appropriate, and should be a 
prerequisite to all other levels of training.
    (2) Specialized training. Training that provides information as to 
the application of specific provisions of this part to specialized 
areas of job performance. Personnel of particular concern include, but 
are not limited to, medical, personnel, and intelligence specialists, 
finance officers, DoD personnel who may be expected to deal with the 
news media or the public, special investigators, paperwork managers, 
and other specialists (reports, forms, records, and related functions), 
computer systems development personnel, computer systems operations 
personnel, statisticians dealing with personal data and program 
evaluations, contractors that will either operate systems of records on 
behalf of the Component or will have access to such systems incident to 
performing the contract, and anyone responsible for implementing or 
carrying out functions under this part.
    (3) Management. Training designed to identify for responsible 
managers (such as senior system managers, denial authorities, and 
decision-makers) considerations that they shall take into account when 
making management decisions regarding operational programs and 
activities having privacy implications.
    (c) Include Privacy Act training in other courses of training when 
appropriate. Stress individual responsibilities and advise individuals 
of their rights and responsibilities under this part to ensure that it 
is understood that, where personally identifiable information is 
involved, individuals should handle and treat the information as if it 
was their information.


Sec.  310.38  Training methodology and procedures.

    (a) Each DoD Component is responsible for the development of 
training procedures and methodology.
    (b) The DPO shall assist the Components in developing these 
training programs and may develop privacy training programs for use by 
all DoD Components.
    (c) Components shall conduct training as frequently as believed 
necessary so that personnel who are responsible for or are in receipt 
of information protected by 5 U.S.C. 552a are sensitive to the 
requirements of this part, especially the access, use, and 
dissemination restrictions. Components shall give consideration to 
whether annual training and/or annual certification should be mandated 
for all or specified personnel whose duties and responsibilities 
require daily interaction with personally identifiable information.
    (d) Components shall conduct training that reaches the widest 
possible audience. Web-based training and video conferencing have been 
effective means to provide such training.


Sec.  310.39  Funding for training.

    Each DoD Component shall fund its own privacy training program.

Subpart I--Reports


Sec.  310.40  Requirement for reports.

    The DPO shall establish requirements for DoD Privacy Reports and 
the DoD Components may be required to provide data.


Sec.  310.41  Suspense for submission of reports.

    The suspenses for submission of all reports shall be established by 
the DPO.


Sec.  310.42  Reports control symbol.

    Any report established by this subpart in support of the Privacy 
Program shall be assigned Report Control Symbol DD-COMP(A)1379.

Subpart J--Inspections


Sec.  310.43  Privacy Act inspections.

    During internal inspections, Component inspectors shall be alert 
for compliance with this part and for managerial, administrative, and 
operational problems associated with the implementation of the Defense 
Privacy Program. Programs shall be reviewed as frequently as considered 
necessary by Components or the Component Inspector General.


Sec.  310.44  Inspection reporting.

    (a) Document the findings of the inspectors in official reports 
that are furnished to the responsible Component officials. These reports, 
when appropriate, shall reflect overall assets of the Component Privacy 
Program inspected, or portion thereof, identify deficiencies, 
irregularities, and significant problems. Also document remedial 
actions taken to correct problems identified.
    (b) Retain inspection reports and later follow-up reports in 
accordance with established records disposition standards. These 
reports shall be made available to the Privacy Program officials 
concerned upon request.

Subpart K--Privacy Act Violations


Sec.  310.45  Administrative remedies.

    Any individual who believes he or she has a legitimate complaint or 
grievance against the Department of Defense or any DoD employee 
concerning any right granted by this part shall be permitted to seek 
relief through appropriate administrative channels.


Sec.  310.46  Civil actions.

    An individual may file a civil suit against a DoD Component if the 
individual believes his or her rights under the Act have been violated. 
(See 5 U.S.C. 552a(g).)


Sec.  310.47  Civil remedies.

    In addition to specific remedial actions, the Privacy Act provides 
for the payment of damages, court costs, and attorney fees in some 
cases.


Sec.  310.48  Criminal penalties.

    (a) The Act also provides for criminal penalties. (See 5 U.S.C. 
552a(i).) Any official or employee may be found guilty of a misdemeanor 
and fined not more than $5,000 if he or she willfully:
    (1) Discloses information from a system of records, knowing 
dissemination is prohibited to anyone not entitled to receive the 
information (see subpart E of this part); or
    (2) Maintains a system of records without publishing the required 
public notice in the Federal Register. (See subpart G of this part.)
    (b) Any person who knowingly and willfully requests or obtains 
access to

[[Page 18781]]

any record concerning another individual under false pretenses may be 
found guilty of a misdemeanor and fined up to $5,000.


Sec.  310.49  Litigation status sheet.

    Whenever a complaint citing the Privacy Act is filed in a U.S. 
District Court against the Department of Defense, a DoD Component, or 
any DoD employee, the responsible system manager shall notify the DPO. 
The litigation status sheet at Appendix H to this part provides a 
standard format for this notification. The initial litigation status 
sheet forwarded shall, as a minimum, provide the information required 
by items 1 through 6 of the status sheet. A revised litigation status 
sheet shall be provided at each stage of the litigation. When a court 
renders a formal opinion or judgment, copies of the judgment and 
opinion shall be provided to the DPO with the litigation status sheet 
reporting that judgment or opinion.


Sec.  310.50  Lost, stolen, or compromised information.

    (a) When a loss, theft, or compromise of information occurs (see 
Sec.  310.14), the breach shall be reported to:
    (1) The United States Computer Emergency Readiness Team (US CERT) 
within one hour of discovering that a breach of personally identifiable 
information has occurred. Components shall establish procedures to 
ensure that US CERT reporting is accomplished in accordance with the 
guidance set forth at http://www.us-cert.gov.
    (i) The underlying incident that led to the loss or suspected loss 
of PII (e.g., computer incident, theft, loss of material, etc.) shall 
continue to be reported in accordance with established procedures 
(e.g., to designated Computer Network Defense (CND) Service Providers 
(reference (z)), law enforcement authorities, the chain of command, 
etc.).
    (ii) [Reserved]
    (2) The Senior Component Official for Privacy within 24 hours of 
discovering that a breach of personally identifiable information has 
occurred. The Senior Component Official for Privacy, or their designee, 
shall notify the Defense Privacy Office of the breach within 48 hours 
upon being notified that a loss, theft, or compromise has occurred. The 
notification shall include the following information:
    (i) Identify the Component/organization involved.
    (ii) Specify the date of the breach and the number of individuals 
impacted, to include whether they are DoD civilian, military, or 
contractor personnel; DoD civilian or military retirees; family 
members; other Federal personnel or members of the public, etc.
    (iii) Briefly describe the facts and circumstances surrounding the 
loss, theft, or compromise.
    (iv) Briefly describe actions taken in response to the breach, to 
include whether the incident was investigated and by whom; the 
preliminary results of the inquiry if then known; actions taken to 
mitigate any harm that could result from the breach; whether the 
affected individuals are being notified, and if this will not be 
accomplished within 10 working days, that action will be initiated to 
notify the Deputy Secretary (see Sec.  310.14); what remedial actions 
have been, or will be, taken to prevent a similar such incident in the 
future, e.g., refresher training conducted, new or revised guidance 
issued; and any other information considered pertinent as to actions to 
be taken to ensure that information is properly safeguarded.
    (2) The Component shall determine whether administrative or 
disciplinary action is warranted and appropriate for those individuals 
determined to be responsible for the loss, theft, or compromise.
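The reporting clocks in Sec. 310.50(a) run from different events (discovery for US CERT and the Senior Component Official, the Senior Official's own notification for the DPO, and a 10-working-day window for notifying individuals before escalation to the Deputy Secretary). The following deadline tracker is an added illustration, not part of this rule or any DoD tool; it assumes the 10 working days are counted from discovery, counts Monday to Friday only, and does not model Federal holidays.

```python
from datetime import datetime, timedelta

# Deadlines from 32 CFR 310.50(a), measured from discovery of the breach.
US_CERT_DEADLINE = timedelta(hours=1)            # (a)(1)
SENIOR_OFFICIAL_DEADLINE = timedelta(hours=24)   # (a)(2)
DPO_AFTER_SENIOR_NOTIFIED = timedelta(hours=48)  # (a)(2): runs from the Senior Official's notification
INDIVIDUAL_NOTIFICATION_WORKING_DAYS = 10        # (a)(2)(iv): else escalate to the Deputy Secretary


def _as_datetime(value):
    """Accept a datetime or an ISO-8601 string such as '2006-01-06T09:30'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def add_working_days(start, days):
    """Advance start by the given number of Monday-to-Friday working days.
    Assumption of this example: Federal holidays are not modelled."""
    current = _as_datetime(start)
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Monday..Friday
            remaining -= 1
    return current


def reporting_schedule(discovered_at, senior_official_notified_at=None):
    """Return each recipient's deadline as a datetime.

    The 48-hour DPO clock starts when the Senior Component Official for
    Privacy is actually notified; if that time is unknown, the latest
    permitted time (discovery + 24 h) is used. Assumption of this example:
    the 10 working days for notifying individuals are counted from discovery.
    """
    discovered_at = _as_datetime(discovered_at)
    if senior_official_notified_at is None:
        senior_official_notified_at = discovered_at + SENIOR_OFFICIAL_DEADLINE
    senior_official_notified_at = _as_datetime(senior_official_notified_at)
    return {
        "us_cert": discovered_at + US_CERT_DEADLINE,
        "senior_component_official_for_privacy": discovered_at + SENIOR_OFFICIAL_DEADLINE,
        "defense_privacy_office": senior_official_notified_at + DPO_AFTER_SENIOR_NOTIFIED,
        "individuals_or_deputy_secretary": add_working_days(
            discovered_at, INDIVIDUAL_NOTIFICATION_WORKING_DAYS),
    }


def overdue_reports(schedule, completed, now):
    """Return the sorted list of recipients whose deadline has passed at `now`
    and that were not reported to on time. A report made after its deadline
    still counts as overdue, so the lapse stays visible in the record."""
    now = _as_datetime(now)
    late = []
    for recipient, deadline in schedule.items():
        done_at = completed.get(recipient)
        if done_at is not None and _as_datetime(done_at) <= deadline:
            continue  # reported within the deadline
        if now > deadline:
            late.append(recipient)
    return sorted(late)


if __name__ == "__main__":
    # Constructed sample: a laptop loss discovered on a Friday morning.
    schedule = reporting_schedule("2006-01-06T09:30")
    for recipient, deadline in schedule.items():
        print(f"{recipient:40s} {deadline.isoformat()}")
    # US CERT was told at 10:00; by Saturday noon the Senior Official report is overdue.
    print(overdue_reports(schedule, {"us_cert": "2006-01-06T10:00"}, "2006-01-07T12:00"))
```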

Subpart L--Computer Matching Program Procedures


Sec.  310.51  General.

    (a) A computer matching program covers two kinds of matching 
programs (see OMB Matching Guidelines, 54 FR 25818 (June 19, 1989)). If 
covered, the matches are subject to the requirements of this subpart. 
The covered programs are:
    (1) Matches using records from Federal personnel or payroll systems 
of records, or
    (2) Matches involving Federal benefits program if:
    (i) To determine eligibility for a Federal benefit,
    (ii) To determine compliance with benefit program requirements, or
    (iii) To effect recovery of improper payments or delinquent debts 
under a Federal benefit program.
    (b) The requirements of this part do not apply if matches are:
    (1) Performed solely to produce aggregated statistical data without 
any personal identifiers. Personally identifying data can be used for 
purposes of conducting the match. However, the results of the match 
shall be stripped of any data that would identify an individual. Under 
no circumstances shall match results be used to take action against 
specific individuals.
    (2) Performed to support research or statistical projects. 
Personally identifying data can be used for purposes of conducting the 
match and the match results may contain identifying data about 
individuals. However, the match results shall not be used to make a 
decision that affects the rights, benefits, or privileges of specific 
individuals.
    (3) Performed by an agency, or a component thereof, whose principal 
function is the enforcement of criminal laws, subsequent to the 
initiation of a specific criminal or civil law enforcement 
investigation of a named individual or individuals.
    (i) The match must flow from an investigation already underway 
which focuses on a named person or persons. ``Fishing expeditions'' in 
which the subjects are generically identified, such as ``program 
beneficiaries'' are not covered.
    (ii) The match must be for the purpose of gathering evidence 
against the named individual or individuals.
    (4) Performed for tax information-related purposes.
    (5) Performed for routine administrative purposes using records 
relating to Federal personnel.
    (i) The records to be used in the match must predominantly relate 
to Federal personnel (i.e., the percentage of records in the system of 
records that are about Federal personnel must be greater than that of any 
other category).
    (ii) The purpose of the match must not be for purposes of taking 
any adverse financial, personnel, disciplinary, or other unfavorable 
action against an individual.
    (6) Performed using only records from systems of records maintained 
by an agency.
    (i) The purpose of the match must not be for purposes of taking any 
adverse financial, personnel, disciplinary, or other unfavorable action 
against an individual.
    (ii) A match of DoD personnel using records in a system of records 
for purposes of identifying fraud, waste, and abuse is not covered.
    (7) Performed to produce background checks for security clearances 
of Federal or contractor personnel or performed for foreign counter-
intelligence purposes.


Sec.  310.52  Computer matching publication and review requirements.

    (a) DoD Components shall identify the systems of records that will 
be used in the match to ensure the publication requirements of subpart 
G have been satisfied. If the match will require disclosure of records 
outside the Department of Defense, Components shall ensure a routine 
use has been established, and that the publication

[[Page 18782]]

and review requirements have been met, before any disclosures are made 
(see subpart G of this part).
    (b) If a computer matching program is contemplated, the DoD 
Component shall contact the DPO and provide information regarding the 
contemplated match. The DoD DPO shall ensure that any proposed computer 
matching program satisfies the requirements of the Privacy Act (5 
U.S.C. 552a) and OMB Matching Guidelines (54 FR 25818 (June 19, 1989)).
    (c) A computer matching agreement (CMA) shall be prepared by the 
Component, consistent with the requirements of Sec.  310.53 of this 
subpart and submitted to the DPO. If the CMA satisfies the requirements 
of the Privacy Act (5 U.S.C. 552a) and OMB Matching Guidelines (54 FR 
25818 (June 19, 1989)), as well as this subpart, it shall be forwarded 
to the Defense Data Integrity Board (DIB) for approval or disapproval.
    (1) If the CMA is approved by the DIB, the DPO shall prepare and 
forward a report to both Houses of Congress and to OMB as required by, 
and consistent with, OMB Circular A-130, ``Management of Federal 
Information Resources,'' February 8, 1996, as amended. Congress and OMB 
shall have 40 days to review and comment on the proposed match. Any 
comments received must be resolved before matching can take place.
    (2) If the CMA is approved by the DIB, the DPO shall prepare and 
forward a match notice as required by OMB Circular A-130, ``Management 
of Federal Information Resources,'' February 8, 1996, as amended, for 
publication in the Federal Register. The public shall be given 30 days 
to comment on the proposed match. Any comments received must be 
resolved before matching can take place.


Sec.  310.53  Computer matching agreements (CMAs).

    (a) If a match is to be conducted internally within DoD, a 
memorandum of understanding (MOU) shall be prepared. It shall contain 
the same elements as a CMA, except as otherwise indicated in paragraph 
(b)(4)(ii) of this section.
    (b) A CMA shall contain the following elements:
    (1) Purpose. Why the match is being proposed and what will be 
achieved by conducting the match.
    (2) Legal authority. What is the Federal or state statutory or 
regulatory basis for conducting the match. The Privacy Act does not 
constitute independent authority for matching. Other legal authority 
shall be identified.
    (3) Justification and expected results. Explain why computer 
matching as opposed to some other administrative means is being 
proposed and what the expected results will be, including a specific 
estimate of any savings (see paragraph (b)(13) of this section).
    (4) Records description. Identify:
    (i) The system of records or non-Federal records. For DoD systems 
of records, provide the Federal Register citation for the system 
notice;
    (ii) The specific routine use in the system notice if records are 
to be disclosed outside the Department of Defense (see Sec.  
310.22(c)). If records are disclosed within the Department of Defense 
for an internal match, disclosures are permitted pursuant to paragraph 
(a) of Sec.  310.22.
    (iii) The number of records involved;
    (iv) The data elements to be included in the match;
    (v) The projected start and completion dates of the match. CMAs 
remain in effect for 18 months but can be renewed for an additional 12 
months provided:
    (A) The match will be conducted without any change, and
    (B) Each party to the match certifies in writing that the program 
has been conducted in compliance with the CMA or MOU.
    (vi) How frequently the records will be matched.
    (5) Records accuracy assessment. Provide an assessment by the 
source and recipient agencies as to the quality of the information that 
will be used for the match. The poorer the quality, the more likely 
that the program will not be cost-effective.
    (6) Notice Procedures. Identify what direct and indirect means will 
be used to inform individuals that matching will take place.
    (i) Direct notice. Indicate whether the individual is advised that 
matching may be conducted when he or she applies for a Federal benefit 
program. Such an advisory should normally be part of the Privacy Act 
Statement that is contained in the application for benefits. Individual 
notice sometimes is provided by a separate notice that is furnished to 
the individual upon receipt of the benefit.
    (ii) Indirect notice. Indicate whether the individual is advised 
that matching may be conducted by constructive notice. Indirect or 
constructive notice is achieved by publication of a routine use in the 
Federal Register when the matching is between agencies or is achieved 
by publication of the match notice in the Federal Register.
    (7) Verification procedures. Explain how information produced as a 
result of the match will be independently verified to ensure any 
adverse information obtained is that of the individual identified in 
the match.
    (8) Due process procedures. Describe what procedures will be used 
to notify individuals of any adverse information uncovered as a result 
of the match and to give such individuals an opportunity either to 
explain the information or to contest it. No adverse 
action shall be taken against the individual until the due process 
procedures have been satisfied.
    (i) Unless other statutory or regulatory authority provides for a 
longer period of time, the individual shall be given 30 calendar days 
from the date of the notice to respond to the notice.
    (ii) If an individual contacts the agency within the notice period 
and indicates his or her acceptance of the validity of the adverse 
information, the agency may take final action. If the period expires 
without a response, the agency may take final action.
    (iii) If the agency determines that there is a potentially 
significant effect on public health or safety, it may take appropriate 
action notwithstanding the due process provisions.
    (9) Security procedures. Describe the administrative, technical, 
and physical safeguards that will be established to preserve and 
protect the privacy and confidentiality of the records involved in the 
match. The level of security must be commensurate with the level of the 
sensitivity of the records.
    (10) Records usage, duplication, and redisclosure restrictions. 
Describe any restrictions imposed by the source agency or by statute or 
regulation on the collateral uses of the records. Recipient agencies 
may not use the records obtained for matching purposes for any other 
purpose absent a specific statutory requirement or where the disclosure 
is essential to the conduct of the matching program.
    (11) Disposition procedures. Clearly state that the records used in 
the match will be retained only for the time required for conducting 
the match. Once the matching purpose has been achieved, the records 
will be destroyed unless the records must be retained as directed by 
other legal authority. Unless the source agency requests that the 
records be returned, identify the means by which destruction will 
occur, i.e., shredding, burning, electronic erasure, etc.
    (12) Comptroller General access. Include a statement that the 
Comptroller General may have access to all records of the recipient 
agency to monitor or verify compliance with the terms of the CMA.
    (13) Cost-benefit analysis.

[[Page 18783]]

    (i) A cost-benefit analysis shall be conducted for the proposed 
computer matching program unless:
    (A) The Data Integrity Board waives the requirement, or
    (B) The matching program is required by a specific statute.
    (ii) The analysis must demonstrate that the program is likely to be 
cost-effective. This analysis is to ensure agencies are following sound 
management practices. The analysis provides an opportunity to examine 
the programs and to reject those that will only produce marginal 
results.

Appendix A to Part 310--Safeguarding Personally Identifiable 
Information (PII)

(See Sec.  310.13 of Subpart B)

A. General

    1. The IT environment subjects personal information to special 
hazards as to unauthorized compromise, alteration, dissemination, 
and use. Therefore, special considerations must be given to 
safeguarding personal information in IT systems consistent with the 
requirements of DoD Directive 8500.1 and DoD Instruction 8500.2.
    2. Personally identifiable information must also be protected 
while it is being processed or accessed in computer environments 
outside the data processing installation (such as remote job entry 
stations, terminal stations, minicomputers, microprocessors, and 
similar activities).
    3. IT facilities authorized to process classified material have 
adequate procedures and security for the purposes of this 
Regulation. However, all unclassified information subject to this 
Regulation must be processed following the procedures used to 
process and access information designated ``For Official Use Only.'' 
(See DoD 5200.1-R.)

B. Risk Management and Safeguarding Standards

    1. Establish administrative, technical, and physical safeguards 
that are adequate to protect the information against unauthorized 
disclosure, access, or misuse. (See OMB Circular A-130 and DoD 
Instruction 8500.2.)
    2. Tailor safeguards to the type of system, the nature of the 
information involved, and the specific threat to be countered.

C. Minimum Administrative Safeguards

    The minimum safeguarding standards as set forth in Sec.  
310.13(b) apply to all personal data within any IT system. In 
addition:
    1. Consider the following when establishing IT safeguards:
    a. The sensitivity of the data being processed, stored and 
accessed.
    b. The installation environment.
    c. The risk of exposure.
    d. The cost of the safeguard under consideration.
    2. Label or designate media products containing personal 
information that do not contain classified material in such a manner 
as to alert those using or handling the information of the need for 
special protection. Designating products ``For Official Use Only'' 
in accordance with the requirements of DoD 5200.1-R satisfies this 
requirement.
    3. Mark and protect all computer products containing classified 
data in accordance with the requirements of DoD 5200.1-R and DoD 
Directive 8500.1.
    4. Mark and protect all computer products containing ``For 
Official Use Only'' material in accordance with the requirements of 
DoD 5200.1-R.
    5. Ensure that safeguards for protected information stored at 
secondary sites are appropriate.
    6. If there is a computer failure, restore all protected 
information being processed at the time of the failure using proper 
recovery procedures to ensure data integrity.
    7. Train personnel involved in processing information subject to 
this Regulation in proper safeguarding procedures.

D. Physical Safeguards

    1. For all unclassified facilities, areas, and devices that 
process information subject to this Regulation, establish physical 
safeguards that protect the information against reasonably 
identifiable threats that could result in unauthorized access or 
alteration.
    2. Develop access procedures that adequately control access to 
unclassified computer rooms, tape libraries, micrographic facilities, 
decollating shops, product distribution areas, or other direct support 
areas that process or contain personal information subject to this 
Regulation.
    3. Safeguard on-line devices directly coupled to IT systems that 
contain or process information from systems of records to prevent 
unauthorized disclosure, use, or alteration.
    4. Dispose of paper records following appropriate record 
destruction procedures. (See Sec.  310.13(c) and DoD 5200.1-R.)

E. Technical Safeguards

    1. Components are to ensure that all PII not explicitly cleared 
for public release is protected according to Confidentiality Level 
Sensitive, as established in DoD Instruction 8500.2. In addition, 
all DoD information and data owners shall conduct risk assessments 
of compilations of PII and identify those needing more stringent 
protection for remote access or mobile computing.
    2. Encrypt unclassified personal information in accordance with 
current Information Assurance (IA) policies and procedures, as 
issued.
    3. Remove personal data stored on magnetic storage media by 
methods that preclude reconstruction of the data.
    4. Ensure that personal information is not inadvertently 
disclosed as residue when transferring magnetic media between 
activities.
    5. Only DoD authorized devices shall be used for remote access. 
Any remote access, whether for user or privileged functions, must 
conform to IA controls specified in DoD Instruction 8500.2.
    6. Remote access for processing PII should comply with the 
latest IA policies and procedures.
    7. Minimize access to data fields necessary to accomplish an 
employee's task; normally, access shall be granted only to those data 
elements (fields) required for the employee to perform his or her 
job rather than granting access to the entire database.
    8. Do not totally rely on proprietary software products to 
protect personnel data during processing or storage.

F. Special Procedures

    1. Managers shall:
    a. Prepare and submit for publication all system notices and 
amendments and alterations thereto. (See Sec.  310.30(f).)
    b. Identify required controls and individuals authorized access 
to PII and maintain updates to the access authorizations.
    c. When required, ensure Privacy Impact Assessments are prepared 
consistent with the requirements of the DoD Deputy Chief Information 
Officer Memorandum, ``DoD Privacy Impact Assessment Guidance,'' 
October 28, 2005.
    d. Train all personnel whose official duties require access to 
the system of records in the proper safeguarding and use of the 
information and ensure that they receive Privacy Act training.

G. Record Disposal

    1. Dispose of records subject to this Regulation so as to 
prevent compromise. (See Sec.  310.13(c).) Magnetic tapes or other 
magnetic medium may be cleared by degaussing, overwriting, or 
erasing. (See DoD Memorandum, ``Disposition of Unclassified DoD 
Computer Hard Drives,'' June 4, 2001.)
    2. Do not use respliced waste computer products containing 
personal data.

Appendix B to Part 310--Sample Notification Letter

(See Sec.  310.14 of subpart C)

Dear Mr. John Miller:

    On January 1, 2006, a Department of Defense (DoD) laptop 
computer was stolen from the parked car of a DoD employee in 
Washington, DC after normal duty hours while the employee was 
running a personal errand. The laptop contained personally 
identifying information on 100 DoD employees who were participating 
in the xxx Program. The compromised information is the name, social 
security number, residential address, date of birth, office and home 
email address, office and home telephone numbers of the Program 
participants.
    The theft was immediately reported to local and DoD law 
enforcement authorities who are now conducting a joint inquiry into 
the loss.
    We believe that the laptop was the target of the theft as 
opposed to any information that the laptop might contain. Because 
the information in the laptop was password protected and encrypted, 
we also believe that the probability is low that the information 
will be acquired and used for an unlawful purpose. However, we 
cannot say with certainty that this might not occur. We therefore 
believe that you should consider taking such actions as are possible 
to protect against the potential that someone might use the 
information to steal your identity.

[[Page 18784]]

    You should be guided by the actions recommended by the Federal 
Trade Commission at its Web site at 
http://www.consumer.gov/idtheft/con_steps.htm. The FTC urges that you 
immediately place an initial fraud alert on your credit file. The fraud 
alert is for a period of 90 days, during which creditors are required to 
contact you before 
a new credit card is issued or an existing card changed. The site 
also provides other valuable information that can be taken now or in 
the future if problems should develop.
    The DoD takes this loss very seriously and is reviewing its 
current policies and practices with a view of determining what must 
be changed to preclude a similar occurrence in the future. At a 
minimum, we will be providing additional training to personnel to 
ensure that they understand that personally identifiable information 
must at all times be treated in a manner that preserves and protects 
the confidentiality of the data.
    We deeply regret and apologize for any inconvenience and concern 
this theft may cause you.
    Should you have any questions, please call ------------.

Sincerely,

Signature Block
(Directorate level or higher)

Appendix C to Part 310--DoD Blanket Routine Uses

(See paragraph (c) of Sec.  310.22 of subpart E)

A. Routine Use--Law Enforcement

    If a system of records maintained by a DoD Component to carry 
out its functions indicates a violation or potential violation of 
law, whether civil, criminal, or regulatory in nature, and whether 
arising by general statute or by regulation, rule, or order issued 
pursuant thereto, the relevant records in the system of records may 
be referred, as a routine use, to the agency concerned, whether 
Federal, State, local, or foreign, charged with the responsibility 
of investigating or prosecuting such violation or charged with 
enforcing or implementing the statute, rule, regulation, or order 
issued pursuant thereto.

B. Routine Use--Disclosure When Requesting Information

    A record from a system of records maintained by a Component may 
be disclosed as a routine use to a Federal, State, or local agency 
maintaining civil, criminal, or other relevant enforcement 
information or other pertinent information, such as current 
licenses, if necessary to obtain information relevant to a Component 
decision concerning the hiring or retention of an employee, the 
issuance of a security clearance, the letting of a contract, or the 
issuance of a license, grant, or other benefit.

C. Routine Use--Disclosure Of Requested Information

    A record from a system of records maintained by a Component may 
be disclosed to a Federal agency, in response to its request, in 
connection with the hiring or retention of an employee, the issuance 
of a security clearance, the reporting of an investigation of an 
employee, the letting of a contract, or the issuance of a license, 
grant, or other benefit by the requesting agency, to the extent that 
the information is relevant and necessary to the requesting agency's 
decision on the matter.

D. Routine Use--Congressional Inquiries

    Disclosure from a system of records maintained by a Component 
may be made to a congressional office from the record of an 
individual in response to an inquiry from the congressional office 
made at the request of that individual.

E. Routine Use--Private Relief Legislation

    Relevant information contained in all systems of records of the 
Department of Defense published on or before August 22, 1975, may be 
disclosed to the Office of Management and Budget in connection with 
the review of private relief legislation as set forth in OMB 
Circular A-19 at any stage of the legislative coordination and 
clearance process as set forth in that circular.

F. Routine Use--Disclosures Required By International Agreements

    A record from a system of records maintained by a Component may 
be disclosed to foreign law enforcement, security, investigatory, or 
administrative authorities to comply with requirements imposed by, 
or to claim rights conferred in, international agreements and 
arrangements, including those regulating the stationing and status 
in foreign countries of Department of Defense military and civilian 
personnel.

G. Routine Use--Disclosure to State and Local Taxing Authorities

    Any information normally contained in Internal Revenue Service 
(IRS) Form W-2 which is maintained in a record from a system of 
records maintained by a Component may be disclosed to State and 
local taxing authorities with which the Secretary of the Treasury 
has entered into agreements under 5 U.S.C., sections 5516, 5517, 
5520, and only to those State and local taxing authorities for which 
an employee or military member is or was subject to tax regardless 
of whether tax is or was withheld. This routine use is in accordance 
with Treasury Fiscal Requirements Manual Bulletin No. 76-07.

H. Routine Use--Disclosure to the Office of Personnel Management

    A record from a system of records subject to the Privacy Act and 
maintained by a Component may be disclosed to the Office of 
Personnel Management (OPM) concerning information on pay and leave, 
benefits, retirement reductions, and any other information necessary 
for the OPM to carry out its legally authorized government-wide 
personnel management functions and studies.

I. Routine Use--Disclosure to the Department of Justice for Litigation

    A record from a system of records maintained by a Component may 
be disclosed as a routine use to any component of the Department of 
Justice for the purpose of representing the Department of Defense, 
or any officer, employee or member of the Department in pending or 
potential litigation to which the record is pertinent.

J. Routine Use--Disclosure to Military Banking Facilities

    Information as to current military addresses and assignments may 
be provided to military banking facilities that provide banking 
services overseas and that are reimbursed by the Government for 
certain checking and loan losses. For personnel separated, 
discharged, or retired from the Armed Forces, information as to last 
known residential or home of record address may be provided to the 
military banking facility upon certification by a banking facility 
officer that the facility has a returned or dishonored check 
negotiated by the individual or that the individual has defaulted on 
a loan and that, if restitution is not made by the individual, the 
U.S. Government will be liable for the losses the facility may incur.

K. Routine Use--Disclosure of Information to the General Services 
Administration

    A record from a system of records maintained by a Component may 
be disclosed as a routine use to the General Services Administration 
(GSA) for the purpose of records management inspections conducted 
under authority of 44 U.S.C. 2904 and 2906.

L. Routine Use--Disclosure of Information to the National Archives and 
Records Administration

    A record from a system of records maintained by a Component may 
be disclosed as a routine use to the National Archives and Records 
Administration (NARA) for the purpose of records management 
inspections conducted under authority of 44 U.S.C. 2904 and 2906.

M. Routine Use--Disclosure to the Merit Systems Protection Board

    A record from a system of records maintained by a Component may 
be disclosed as a routine use to the Merit Systems Protection Board, 
including the Office of the Special Counsel, for the purpose of 
litigation, including administrative proceedings, appeals, special 
studies of the civil service and other merit systems, review of OPM 
or Component rules and regulations, investigation of alleged or 
possible prohibited personnel practices, including administrative 
proceedings involving any individual subject of a DoD investigation, 
and such other functions, promulgated in 5 U.S.C. 1205 and 1206 or 
as may be authorized by law.

N. Routine Use--Counterintelligence Purposes

    A record from a system of records maintained by a Component may 
be disclosed as a routine use outside the Department of Defense 
(DoD) or the U.S. Government for the purpose of counterintelligence 
activities authorized by U.S. law or Executive Order or for the 
purpose of enforcing laws that protect the national security of the 
United States.

[[Page 18785]]

Appendix D to Part 310--Provisions of the Privacy Act From Which a 
General or Specific Exemption May Be Claimed

(See paragraph (d) of Sec. 310.26)

------------------------------------------------------------------------
                   Exemptions
------------------------------------------------- Section of the Privacy
         (j)(2)                 (k) (1-7)                   Act
------------------------------------------------------------------------
No.....................  No.....................  (b)(1) Disclosures
                                                   within the Department
                                                   of Defense.
No.....................  No.....................  (2) Disclosures to the
                                                   public.
No.....................  No.....................  (3) Disclosures for a
                                                   ``Routine Use.''
No.....................  No.....................  (4) Disclosures to the
                                                   Bureau of Census.
No.....................  No.....................  (5) Disclosures for
                                                   statistical research
                                                   and reporting.
No.....................  No.....................  (6) Disclosures to the
                                                   NARA.
No.....................  No.....................  (7) Disclosures for
                                                   law enforcement
                                                   purposes.
No.....................  No.....................  (8) Disclosures under
                                                   emergency
                                                   circumstances.
No.....................  No.....................  (9) Disclosures to the
                                                   Congress.
No.....................  No.....................  (10) Disclosures to
                                                   the GAO.
No.....................  No.....................  (11) Disclosures
                                                   pursuant to court
                                                   orders.
No.....................  No.....................  (12) Disclosure to
                                                   consumer reporting
                                                   agencies.
No.....................  No.....................  (c)(1) Making
                                                   disclosure
                                                   accountings.
No.....................  No.....................  (2) Retaining
                                                   disclosure
                                                   accountings.
Yes....................  Yes....................  (c)(3) Making
                                                   disclosure accounting
                                                   available to the
                                                   individual.
Yes....................  No.....................  (c)(4) Informing prior
                                                   recipients of
                                                   corrections.
Yes....................  Yes....................  (d)(1) Individual
                                                   access to records.
Yes....................  Yes....................  (2) Amending records.
Yes....................  Yes....................  (3) Review of the
                                                   Component's refusal
                                                   to amend a record.
Yes....................  Yes....................  (4) Disclosure of
                                                   disputed information.
Yes....................  Yes....................  (5) Access to
                                                   information compiled
                                                   in anticipation of
                                                   civil action.
Yes....................  Yes....................  (e)(1) Restrictions on
                                                   collecting
                                                   information.
Yes....................  No.....................  (e)(2) Collecting
                                                   directly from the
                                                   individual.
Yes....................  No.....................  (3) Informing
                                                   individuals from whom
                                                   information is
                                                   requested.
No.....................  No.....................  (e)(4)(A) Describing
                                                   the name and location
                                                   of the system.
No.....................  No.....................  (B) Describing
                                                   categories of
                                                   individuals.
No.....................  No.....................  (C) Describing
                                                   categories of
                                                   records.
No.....................  No.....................  (D) Describing routine
                                                   uses.
No.....................  No.....................  (E) Describing records
                                                   management policies
                                                   and practices.
No.....................  No.....................  (F) Identifying
                                                   responsible
                                                   officials.
Yes....................  Yes....................  (e)(4)(G) Procedures
                                                   for determining if a
                                                   system contains a
                                                   record on an
                                                   individual.
Yes....................  Yes....................  (H) Procedures for
                                                   gaining access.
Yes....................  Yes....................  (I) Describing
                                                   categories of
                                                   information sources.
Yes....................  No.....................  (e)(5) Standards of
                                                   accuracy.
No.....................  No.....................  (e)(6) Validating
                                                   records before
                                                   disclosure.
No.....................  No.....................  (e)(7) Records of
                                                   First Amendment
                                                   activities.
No.....................  No.....................  (e)(8) Notification of
                                                   disclosure under
                                                   compulsory legal
                                                   process.
No.....................  No.....................  (e)(9) Rules of
                                                   conduct.
No.....................  No.....................  (e)(10)
                                                   Administrative,
                                                   technical, and
                                                   physical safeguards.
No.....................  No.....................  (11) Notice for new
                                                   and revised routine
                                                   uses.
Yes....................  Yes....................  (f)(1) Rules for
                                                   determining if an
                                                   individual is subject
                                                   of a record.
Yes....................  Yes....................  (f)(2) Rules for
                                                   handling access
                                                   requests.
Yes....................  Yes....................  (f)(3) Rules for
                                                   granting access.
Yes....................  Yes....................  (f)(4) Rules for
                                                   amending records.
Yes....................  Yes....................  (f)(5) Rules regarding
                                                   fees.
Yes....................  No.....................  (g)(1) Basis for civil
                                                   action.
Yes....................  No.....................  (g)(2) Basis for
                                                   judicial review and
                                                   remedies for refusal
                                                   to amend.
Yes....................  No.....................  (g)(3) Basis for
                                                   judicial review and
                                                   remedies for denial
                                                   of access.
Yes....................  No.....................  (g)(4) Basis for
                                                   judicial review and
                                                   remedies for other
                                                   failure to comply.
Yes....................  No.....................  (g)(5) Jurisdiction
                                                   and time limits.
Yes....................  No.....................  (h) Rights of legal
                                                   guardians.
No.....................  No.....................  (i)(1) Criminal
                                                   penalties for
                                                   unauthorized
                                                   disclosure.
No.....................  No.....................  (2) Criminal penalties
                                                   for failure to
                                                   publish.
No.....................  No.....................  (3) Criminal penalties
                                                   for obtaining records
                                                   under false
                                                   pretenses.
Yes \1\................  No.....................  (j) Rulemaking
                                                   requirement.
N/A....................  No.....................  (j)(1) General
                                                   exemption for the
                                                   Central Intelligence
                                                   Agency.
N/A....................  No.....................  (j)(2) General
                                                   exemption for
                                                   criminal law
                                                   enforcement records.
Yes....................  No.....................  (k)(1) Exemption for
                                                   classified material.
N/A....................  No.....................  (k)(2) Exemption for
                                                   law enforcement
                                                   material.
Yes....................  N/A....................  (k)(3) Exemption for
                                                   records pertaining to
                                                   Presidential
                                                   protection.
Yes....................  N/A....................  (k)(4) Exemption for
                                                   statistical records.
Yes....................  N/A....................  (k)(5) Exemption for
                                                   investigatory
                                                   material compiled for
                                                   determining
                                                   suitability for
                                                   employment or
                                                   service.
Yes....................  N/A....................  (k)(6) Exemption for
                                                   testing or
                                                   examination material.
Yes....................  N/A....................  (k)(7) Exemption for
                                                   promotion evaluation
                                                   materials used by the
                                                   Armed Forces.
Yes....................  No.....................  (l)(1) Records stored
                                                   in GSA records
                                                   centers.
Yes....................  No.....................  (l)(2) Records
                                                   archived before
                                                   September 27, 1975.
Yes....................  No.....................  (l)(3) Records
                                                   archived on or after
                                                   September 27, 1975.

[[Page 18786]]

Yes....................  No.....................  (m) Applicability to
                                                   Government
                                                   contractors.
Yes....................  No.....................  (n) Mailing lists.
Yes \1\................  No.....................  (o) Reports on new
                                                   systems.
Yes \1\................  No.....................  (p) Annual report.
------------------------------------------------------------------------
\1\ See paragraph (d) of Sec. 310.26.

Appendix E to Part 310--Sample of New or Altered System of Records 
Notice in Federal Register Format

(See paragraph (f) of Sec. 310.30)

New system of records notice

DEPARTMENT OF DEFENSE

Office of the Secretary

Privacy Act of 1974; System of Records

AGENCY: Office of the Secretary, DoD.
ACTION: Notice to add a system of records.
SUMMARY: The Office of the Secretary of Defense proposes to add a 
system of records to its inventory of record systems subject to the 
Privacy Act of 1974 (5 U.S.C. 552a), as amended.
DATES: The changes will be effective on (insert date thirty days 
after publication in the Federal Register) unless comments are 
received that would result in a contrary determination.
ADDRESSES: Send comments to OSD Privacy Act Coordinator, Records 
Management Section, Washington Headquarters Services, 1155 Defense 
Pentagon, Washington, DC 20301-1155.
FOR FURTHER INFORMATION CONTACT: Ms. Mary Smith at (703) 000-0000.
SUPPLEMENTARY INFORMATION: The Office of the Secretary of Defense 
notices for systems of records subject to the Privacy Act of 1974 (5 
U.S.C. 552a), as amended, have been published in the Federal 
Register and are available from the address above.
    The proposed systems reports, as required by 5 U.S.C. 552a(r) of 
the Privacy Act of 1974, as amended, were submitted on January 20, 
2006, to the House Committee on Government Reform, the Senate 
Committee on Homeland Security and Governmental Affairs, and the 
Office of Management and Budget (OMB) pursuant to paragraph 4c of 
Appendix I to OMB Circular No. A-130, ``Federal Agency 
Responsibilities for Maintaining Records About Individuals,'' dated 
February 8, 1996 (February 20, 1996, 61 FR 6427).

    Dated: February 1, 2006.

John Miller,

OSD Federal Register Liaison Officer, Department of Defense.

NSLRB 01

    System name: The National Security Labor Relations Board 
(NSLRB).
    System location: National Security Labor Relations Board 
(NSLRB), 1401 Wilson Boulevard, Arlington, VA 22209-2325.
    Categories of individuals covered by the system: Current and 
former civilian Federal Government employees who have filed unfair 
labor practice charges, negotiability disputes, exceptions to 
arbitration awards, and impasses with the National Security Labor 
Relations Board (NSLRB) pursuant to the National Security Personnel 
System (NSPS).
    Categories of records in the system: Documents relating to the 
proceedings before the Board, including the name of the individual 
initiating NSLRB action, statements of witnesses, reports of 
interviews and hearings, examiner's findings and recommendations, a 
copy of the original decision, and related correspondence and 
exhibits.
    Authority for maintenance of the system: The National Defense 
Authorization Act for FY 2004, Public Law 108-136, Section 1101; 5 
U.S.C. 9902(m), Labor Management Relations in the Department of 
Defense; and 5 CFR 9901.907, National Security Labor Relations 
Board.
    Purpose(s): To establish a system of records that will document 
adjudication of unfair labor practice charges, negotiability 
disputes, exceptions to arbitration awards, and impasses filed with 
the National Security Labor Relations Board.
    Routine uses of records maintained in the system, including 
categories of users and the purposes of such uses: In addition to 
those disclosures generally permitted under 5 U.S.C. 552a(b) of the 
Privacy Act, these records or information contained therein may 
specifically be disclosed outside the DoD as a routine use pursuant 
to 5 U.S.C. 552a(b)(3) as follows:
    To the Federal Labor Relations Authority (FLRA) or the Equal 
Employment Opportunity Commission, when requested, for performance 
of functions authorized by law.
    To disclose, in response to a request for discovery or for 
appearance of a witness, information that is relevant to the subject 
matter involved in a pending judicial or administrative proceeding.
    To provide information to officials of labor organizations 
recognized under 5 U.S.C. 71 when relevant and necessary to their 
duties of exclusive representation concerning personnel policies, 
practices, and matters affecting work conditions.
    The DoD ``Blanket Routine Uses'' set forth at the beginning of 
OSD's compilation of systems of records notices apply to this 
system.
    Policies and practices for storing, retrieving, accessing, 
retaining, and disposing of records in the system:
    Storage: Records are maintained on electronic storage media and 
paper.
    Retrievability: Records will be retrieved in the system by the 
following identifiers: assigned case number; individual's name; 
labor organizations filing the unfair labor practice charges; 
negotiability disputes; exceptions to arbitration awards; date, 
month, and year of filing; complaint type; and the organizational 
component from which the complaint arises.
    Safeguards: Records are maintained in a controlled facility. 
Physical entry is restricted by the use of locks and guards, and the 
facility is accessible only to authorized personnel. Access to 
records is limited to person(s) responsible for servicing the record 
in performance of their official duties and who are properly screened 
and cleared for need-to-know. Access to computerized data is 
restricted by passwords, which are changed periodically.
    Retention and disposal: Records are disposed of 5 years after 
final resolution of case.
    System manager(s) and address: Executive Director, National 
Security Personnel System, Program Executive Office, 1401 Wilson 
Boulevard, Arlington, VA 22209-2325.
    Notification procedure: Individuals seeking to determine whether 
this system of records contains information about themselves should 
address written inquiries to the Executive Director, National 
Security Personnel System, Program Executive Office, 1401 Wilson 
Boulevard, Arlington, VA 22209-2325.
    Request should contain name; assigned case number; approximate 
case date (day, month, and year); case type; the names of the 
individuals and/or labor organizations that filed the unfair labor 
practice charges; negotiability disputes; exceptions to arbitration 
awards; and impasses.
    Record access procedures: Individuals seeking access to records 
about themselves contained in this system of records should address 
written inquiries to the Executive Director, National Security 
Personnel System, Program Executive Office, 1401 Wilson Boulevard, 
Arlington, VA 22209-2325.
    Request should contain name; assigned case number; approximate 
case date (day, month, and year); case type; the names of the 
individuals and/or labor organizations that filed the unfair labor 
practice charges; negotiability disputes; exceptions to arbitration 
awards; and impasses.
    Contesting record procedures: The OSD's rules for accessing 
records, for contesting contents and appealing initial agency 
determinations are published in OSD Administrative Instruction No. 
81; 32 CFR part 311; or may be obtained from the system manager.
    Record source categories: Individual; other officials or 
employees; and departmental and other records containing information 
pertinent to the NSLRB action.
    Exemptions claimed for the system: None.

[[Page 18787]]

Altered system of records notice

DEPARTMENT OF DEFENSE

Defense Logistics Agency

Privacy Act of 1974; Systems of Records

AGENCY: Defense Logistics Agency.
ACTION: Notice to alter a system of records.
SUMMARY: The Defense Logistics Agency proposes to alter a system of 
records notice in its inventory of record systems subject to the 
Privacy Act of 1974 (5 U.S.C. 552a), as amended. The alteration adds 
two routine uses, revises the purpose category, and makes other 
administrative changes to the system notice.
DATES: This action will be effective without further notice on 
(insert date thirty days after publication in the Federal Register) 
unless comments are received that would result in a contrary 
determination.
ADDRESSES: Send comments to the Privacy Act Officer, Headquarters, 
Defense Logistics Agency, ATTN: DSS-B, 8725 John J. Kingman Road, 
Suite 2533, Fort Belvoir, VA 22060-6221.
FOR FURTHER INFORMATION CONTACT: Ms. Mary Smith at (703) 000-0000.
SUPPLEMENTARY INFORMATION: The Defense Logistics Agency notices for 
systems of records subject to the Privacy Act of 1974 (5 U.S.C. 
552a), as amended, have been published in the Federal Register and 
are available from the address above.
    The proposed system report, as required by 5 U.S.C. 552a(r) of 
the Privacy Act of 1974, as amended, was submitted on January 29, 
2004, to the House Committee on Government Reform, the Senate 
Committee on Governmental Affairs, and the Office of Management and 
Budget (OMB) pursuant to paragraph 4c of Appendix I to OMB Circular 
No. A-130, `Federal Agency Responsibilities for Maintaining Records 
About Individuals,' dated February 8, 1996 (February 20, 1996, 61 FR 
6427).

    Dated: February 2, 2004.

John Miller,

Alternate OSD Federal Register Liaison Officer, Department of 
Defense.

S253.10 DLA-G

    System name: Invention Disclosure (February 22, 1993, 58 FR 
10854).
    Changes:
* * * * *
    System identifier: Replace `S253.10 DLA-G' with `S100.70'.
* * * * *
    Categories of individuals covered by the system: Delete `to the 
DLA General Counsel' at the end of the sentence and replace with `to 
DLA.'
* * * * *
    Categories of records in the system: Delete entry and replace 
with `Inventor's name, Social Security Number, address, and 
telephone numbers; descriptions of inventions; designs or drawings, 
as appropriate; evaluations of patentability; recommendations for 
employee awards; licensing documents; and similar records. Where 
patent protection is pursued by DLA, the file may also contain 
copies of applications, Letters Patent, and related materials.'
* * * * *
    Authority for maintenance of the system: Delete entry and 
replace with `5 U.S.C. 301, Departmental Regulations; 5 U.S.C. 4502, 
General provisions; 10 U.S.C. 2320, Rights in technical data; 15 
U.S.C. 3710b, Rewards for scientific, engineering, and technical 
personnel of federal agencies; 15 U.S.C. 3711d, Employee activities; 
35 U.S.C. 181-185, Secrecy of Certain Inventions and Filing 
Applications in Foreign Countries; E.O. 9397 (SSN); and E.O. 10096 
(Inventions Made by Government Employees) as amended by E.O. 10930.'
* * * * *
    Purpose(s): Delete entry and replace with `Data is maintained 
for making determinations regarding and recording DLA interest in 
the acquisition of patents; for documenting the patent process; and 
for documenting any rights of the inventor. The records may also be 
used in conjunction with the employee award program, where 
appropriate.'
* * * * *
    Routine uses of records maintained in the system, including 
categories of users and the purpose of such uses: Add two new 
paragraphs: `To the U.S. Patent and Trademark Office for use in 
processing applications and performing related functions and 
responsibilities under Title 35 of the U.S. Code.
    To foreign government patent offices for the purpose of securing 
foreign patent rights.'
* * * * *
    Safeguards: Delete entry and replace with `Access is limited to 
those individuals who require the records for the performance of 
their official duties. Paper records are maintained in buildings 
with controlled or monitored access. During non-duty hours, records 
are secured in locked or guarded buildings, locked offices, or 
guarded cabinets. The electronic records systems employ user 
identification and password or smart card technology protocols.'
* * * * *
    Retention and disposal: Delete entry and replace with `Records 
maintained by Headquarters and field Offices of Counsel are 
destroyed 26 years after file is closed. Records maintained by field 
level Offices of Counsel where patent applications are not prepared 
are destroyed 7 years after closure.'
* * * * *
    Record source categories: Delete entry and replace with 
`Inventors, reviewers, evaluators, officials of U.S. and foreign 
patent offices, and other persons having a direct interest in the 
file.'
* * * * *

S100.70

    System name: Invention Disclosure.
    System location: Office of the General Counsel, HQ DLA-DG, 8725 
John J. Kingman Road, Stop 2533, Fort Belvoir, VA 22060-6221, and 
the offices of counsel of the DLA field activities. Official mailing 
addresses are published as an appendix to DLA's compilation of 
systems of records notices.
    Categories of individuals covered by the system: Employees and 
military personnel assigned to DLA who have submitted invention 
disclosures to DLA.
    Categories of records in the system: Inventor's name, Social 
Security Number, address, and telephone numbers; descriptions of 
inventions; designs or drawings, as appropriate; evaluations of 
patentability; recommendations for employee awards; licensing 
documents; and similar records. Where patent protection is pursued 
by DLA, the file may also contain copies of applications, Letters 
Patent, and related materials.
    Authority for maintenance of the system: 5 U.S.C. 301, 
Departmental Regulations; 5 U.S.C. 4502, General provisions; 10 
U.S.C. 2320, Rights in technical data; 15 U.S.C. 3710b, Rewards for 
scientific, engineering, and technical personnel of federal 
agencies; 15 U.S.C. 3711d, Employee activities; 35 U.S.C. 181-185, 
Secrecy of Certain Inventions and Filing Applications in Foreign 
Countries; E.O. 9397 (SSN); and E.O. 10096 (Inventions Made by 
Government Employees) as amended by E.O. 10930.
    Purpose(s): Data is maintained for making determinations 
regarding and recording DLA interest in the acquisition of patents, 
for documenting the patent process, and for documenting any rights 
of the inventor. The records may also be used in conjunction with 
the employee award program, where appropriate.
    Routine uses of records maintained in the system, including 
categories of users and the purposes of such uses: In addition to 
those disclosures generally permitted under 5 U.S.C. 552a(b) of the 
Privacy Act, these records or information contained therein may 
specifically be disclosed outside the DoD as a routine use pursuant 
to 5 U.S.C. 552a(b)(3) as follows:
    To the U.S. Patent and Trademark Office for use in processing 
applications and performing related functions and responsibilities 
under Title 35 of the U.S. Code.
    To foreign government patent offices for the purpose of securing 
foreign patent rights.
    Information may be referred to other government agencies or to 
non-government agencies or to non-government personnel (including 
contractors or prospective contractors) having an identified 
interest in a particular invention and the Government's rights 
therein.
    The DoD `Blanket Routine Uses' set forth at the beginning of 
DLA's compilation of systems of records notices apply to this 
system.
    Policies and practices for storing, retrieving, accessing, 
retaining, and disposing of records in the system:
    Storage: Records are maintained in paper and computerized form.
    Retrievability: Filed by names of inventors.
    Safeguards: Access is limited to those individuals who require 
the records for the performance of their official duties. Paper 
records are maintained in buildings with controlled or monitored 
access. During non-duty hours, records are secured in locked or 
guarded buildings, locked offices, or guarded cabinets. The 
electronic records systems employ user identification and password or 
smart card technology protocols.

[[Page 18788]]

    Retention and disposal: Records maintained by the HQ and field 
Offices of Counsel are destroyed 26 years after file is closed. 
Records maintained by field level Offices of Counsel where patent 
applications are not prepared are destroyed 7 years after closure.
    System manager(s) and address: Office of the General Counsel, 
Headquarters, Defense Logistics Agency, ATTN: DG, 8725 John J. 
Kingman Road, Stop 2533, Fort Belvoir, VA 22060-6221.
    Notification procedure: Individuals seeking to determine whether 
information about themselves is contained in this system should 
address written inquiries to the Privacy Officer, Headquarters, 
Defense Logistics Agency, ATTN: DSS-B, 8725 John J. Kingman Road, 
Stop 6220, Fort Belvoir, VA 22060-6221, or the Privacy Officers at 
DLA field activities. Official mailing addresses are published as an 
appendix to DLA's compilation of systems of records notices.
    Record access procedures: Individuals seeking access to 
information about themselves contained in this system should address 
written inquiries to the Privacy Officer, Headquarters, Defense 
Logistics Agency, ATTN: DSS-B, 8725 John J. Kingman Road, Stop 6220, 
Fort Belvoir, VA 22060-6221, or the Privacy Officers at the DLA 
field activities. Official mailing addresses are published as an 
appendix to DLA's compilation of systems of records notices.
    Individuals should provide information that contains full name, 
current address and telephone numbers of requester.
    For personal visits, each individual shall provide acceptable 
identification, e.g., driver's license or identification card.
    Contesting record procedures: The DLA rules for accessing 
records, contesting contents, and appealing initial agency 
determinations are contained in 32 CFR part 323, or may be obtained 
from the Privacy Act Officer, Headquarters, Defense Logistics 
Agency, ATTN: DSS-B, 8725 John J. Kingman Road, Stop 6220, Fort 
Belvoir, VA 22060-6221.
    Record source categories: Inventors, reviewers, evaluators, 
officials of U.S. and foreign patent offices, and other persons 
having a direct interest in the file.
    Exemptions claimed for the system: None.

Appendix F to Part 310--Format for New or Altered System Report

(See paragraph (c) of Sec.  310.33)

    The report on a new or altered system shall consist of a 
transmittal letter, a narrative statement, and include supporting 
documentation.

A. Transmittal Letter

    The transmittal letter shall be prepared by the Defense Privacy 
Office and shall contain assurances that the new or altered system 
does not duplicate any existing Component systems, DoD-wide systems 
or government-wide systems. The narrative statement, and the system 
notice, shall be attached thereto.

B. Narrative Statement

    The statement shall include information on the following:
    1. System Identifier and name;
    2. Responsible official;
    3. Purpose of establishing the system [for a new system only] or 
Nature of the changes proposed for the system [for altered system 
only];
    4. Authority for maintenance of the System;
    5. Probable or potential effects on the privacy of individuals;
    6. Is the system, in whole or part, being maintained by a 
contractor;
    7. Steps taken to minimize risk of unauthorized access;
    8. Routine use compatibility;
    9. OMB information collection requirements; and
    10. Supporting documentation.

Attachment 1--Sample Format for Narrative Statement

DEPARTMENT OF DEFENSE

[Component Name]

Narrative Statement on a [New/Altered] System of Records

Under the Privacy Act of 1974

    1. System Identifier and Name. This caption sets forth the 
identification and name of the system (see paragraphs (b) and (c) of 
Sec.  310.32).
    2. Responsible Official. The name, title, address, and telephone 
number of the official responsible for the report and to whom 
inquiries and comments about the report may be directed by Congress, 
the Office of Management and Budget, or the Defense Privacy Office.
    3. Purpose of establishing the system or nature of the changes 
proposed for the system: Describe the purpose of the new system or 
how an existing system is being changed.
    4. Authority for maintenance of the system. See paragraph (g) of 
Sec.  310.32.
    5. Probable or potential effects on the privacy of individuals. 
What effect, if any, will the new or altered system have on the 
personal privacy of the affected individuals?
    6. Is the system, in whole or in part, being maintained by a 
contractor. If yes, Components shall ensure that the contract has 
incorporated the Federal Acquisition privacy clause (see paragraph 
(a)(1) of Sec.  310.12).
    7. Steps taken to minimize risk of unauthorized access. Describe 
actions taken to reduce the vulnerability of the system to potential 
threats. See Appendix A to this part.
    8. Routine use compatibility. Provide assurances that any 
records contained in the system that are disclosed outside the DoD 
shall be for a use that is compatible with the purpose for which the 
record was collected. Advise whether or not the blanket routine uses 
apply to this system.
    9. OMB collection requirements. If information is to be 
collected from members of the public, the requirements of reference 
( ) apply and OMB must be advised.
    10. Supporting documentation. The following are typical 
enclosures that may be required:
    a. An advance copy of the system notice for a new or altered 
system that is proposed for publication.
    b. An advance copy of a proposed exemption rule if the new or 
altered system is to be exempted in accordance with subpart F.
    c. Any other supporting documentation that may be pertinent or 
helpful in understanding the need for the system or clarifying its 
intended use.

Attachment 2--SAMPLE NARRATIVE STATEMENT

DEPARTMENT OF DEFENSE

Office of the Secretary

Narrative Statement on a New System of Records

Under the Privacy Act of 1974

    1. System identifier and name: NSLRB 01, entitled ``The National 
Security Labor Relations Board (NSLRB).''
    2. Responsible official: Mr. John Miller, National Security 
Labor Relations Board (NSLRB), 0000 Smith Boulevard, Arlington, VA 
22209, Telephone (703) 000-0000.
    3. Purpose of establishing the system: The Office of the 
Secretary of Defense is proposing to establish a system of records 
that will document adjudication of unfair labor practice charges, 
negotiability disputes, exceptions to arbitration awards, and 
impasses filed with the National Security Labor Relations Board.
    4. Authority for the maintenance of the system: The National 
Defense Authorization Act for FY 2004, Pub Law 108-136, Section 
1101; 5 U.S.C. 9902(m), Labor Management Relations in the Department 
of Defense; and 5 CFR 9901.907, National Security Labor Relations 
Board.
    5. Probable or potential effects on the privacy of individuals: 
None.
    6. Is the system, in whole or in part, being maintained by a 
contractor? No.
    7. Steps taken to minimize risk of unauthorized access: Records 
are maintained in a controlled facility. Physical entry is 
restricted by the use of locks, guards, and is accessible only to 
authorized personnel. Access to records is limited to person(s) 
responsible for servicing the record in performance of their 
official duties and who are properly screened and cleared for need-
to-know. Access to computerized data is restricted by passwords, 
which are changed periodically.
    8. Routine use compatibility: Any release of information 
contained in this system of records outside of the DoD will be 
compatible with purposes for which the information is collected and 
maintained. The DoD ``Blanket Routine Uses'' apply to this system of 
records.
    9. OMB information collection requirements: None.
    10. Supporting documentation: None.

Appendix G to Part 310--Sample Amendments or Deletions to System 
Notices in Federal Register Format

(See Sec.  310.34)


[[Page 18789]]



Amendment of system notice

DEPARTMENT OF DEFENSE

Department of the Army

Privacy Act of 1974; System of Records

AGENCY: Department of the Army, DoD.
ACTION: Notice to Amend a System of Records.
SUMMARY: The Department of the Army is proposing to amend a system 
of records notice in its existing inventory of records systems 
subject to the Privacy Act of 1974, (5 U.S.C. 552a), as amended.
DATES: This proposed action will be effective without further notice 
on (insert date thirty days after publication in Federal Register) 
unless comments are received which result in a contrary 
determination.
ADDRESSES: Department of the Army, Freedom of Information/Privacy 
Division, U.S. Army Records Management and Declassification Agency, 
ATTN: AHRC-PDD-FPZ, 7701 Telegraph Road, Casey Building, Suite 144, 
Alexandria, VA 22325-3905.
FOR FURTHER INFORMATION CONTACT: Ms. Mary Smith at (703) 000-0000.
SUPPLEMENTARY INFORMATION: The Department of the Army systems of 
records notices subject to the Privacy Act of 1974, (5 U.S.C. 552a), 
as amended, have been published in the Federal Register and are 
available from the address above.
    The specific changes to the records systems being amended are 
set forth below followed by the notices, as amended, published in 
their entirety. The proposed amendments are not within the purview 
of subsection (r) of the Privacy Act of 1974, (5 U.S.C. 552a), as 
amended, which requires the submission of a new or altered system 
report.

    Dated: February 3, 2006.

John Miller,

OSD Federal Register Liaison Officer, Department of Defense.

A0055 USEUCOM

    System name: Europe Command Travel Clearance Records (August 23, 
2004, 69 FR 51817).
    Changes:
* * * * *
    System name: Delete system identifier and replace with: ``A0055 
USEUCOM DoD''.
* * * * *

A0055 USEUCOM DoD

    System name: Europe Command Travel Clearance Records.
    System location: Headquarters, United States European Command, 
Computer Network Operations Center, Building 2324, P.O. Box 1000, 
APO AE 09131-1000.
    Categories of individuals covered by the system: Military, DoD 
civilians, and non-DoD personnel traveling under DoD sponsorship 
(e.g., contractors, foreign nationals and dependents) and includes 
temporary travelers within the United States European Command's 
(USEUCOM) area of responsibility as defined by the DoD Foreign 
Clearance Guide Program.
    Categories of records in the system: Travel requests, which 
contain the individual's name; rank/pay grade; Social Security 
Number; military branch or department; passport number; Visa Number; 
office address and telephone number, official and personal email 
address, detailed information on sites to be visited, visitation 
dates and purpose of visit.
    Authority for the maintenance of the system: 10 U.S.C. 3013, 
Secretary of the Army; 10 U.S.C. 5013, Secretary of the Navy; 10 
U.S.C. 8013, Secretary of the Air Force; DoD 4500.54-G, Department 
of Defense Foreign Clearance Guide; Public Law 99-399, Omnibus 
Diplomatic Security and Antiterrorism Act of 1986; 22 U.S.C. 4801, 
4802, and 4805, Foreign Relations and Intercourse; E.O. 12333, 
United States Intelligence Activities; Army Regulation 55-46, Travel 
Overseas; and E.O. 9397 (SSN).
    Purpose(s): To provide the DoD with an automated system to clear 
and audit travel within the United States European Command's area of 
responsibility and to ensure compliance with the specific clearance 
requirements outlined in the DoD Foreign Clearance Guide; to provide 
individual travelers with intelligence and travel warnings; and to 
provide the Defense Attaché and other DoD authorized 
officials with information necessary to verify official travel by 
DoD personnel.
    Routine uses of records maintained in the system, including 
categories of users and the purposes of such uses: In addition to 
those disclosures generally permitted under 5 U.S.C. 552a(b) of the 
Privacy Act, these records or information contained therein may 
specifically be disclosed outside the DoD as a routine use pursuant 
to 5 U.S.C. 552a(b)(3) as follows:
    To the Department of State Regional Security Officer, U.S. 
Embassy officials, and foreign police for the purpose of 
coordinating security support for DoD travelers.
    The DoD `Blanket Routine Uses' set forth at the beginning of the 
Army's compilation of systems of records notices also apply to this 
system.
    Policies and practices for storing, retrieving, accessing, 
retaining, and disposing of records:
    Storage: Electronic storage media.
    Retrievability: Retrieved by individual's surname, Social 
Security Number and/or passport number.
    Safeguards: Electronic records are located in the United States 
European Command's Theater Requirements Automated Clearance System 
(TRACS) computer database with built-in safeguards. Computerized 
records are maintained in controlled areas accessible only to 
authorized personnel with an official need-to-know. In addition, 
automated files are password protected and in compliance with the 
applicable laws and regulations. Another built-in safeguard of the 
system is that access to the data is through a secure network.
    Retention and disposal: Records are destroyed 3 months after 
travel is completed.
    System manager(s) and address: Special Assistant for Security 
Matters, Headquarters, United States European Command, Unit 30400, 
P.O. Box 1000, APO AE 09131-1000.
    Notification procedures: Individuals seeking to determine 
whether information about themselves is contained in this system of 
records should address written inquiries to the Special Assistant 
for Security Matters, Headquarters, United States European Command, 
Unit 30400, P.O. Box 1000, APO AE 09131-1000.
    Requests should contain individual's full name, Social Security 
Number, and/or passport number.
    Record access procedures: Individuals seeking to access 
information about themselves that is contained in this system of 
records should address written inquiries to the Special Assistant 
for Security Matters, Headquarters, United States European Command, 
Unit 30400, P.O. Box 1000, APO AE 09131-1000.
    Requests should contain individual's full name, Social Security 
Number, and/or passport number.
    Contesting record procedures: The Army's rules for accessing 
records and for contesting contents and appealing initial agency 
determinations are contained in Army Regulation 340-21; 32 CFR part 
505; or may be obtained from the system manager.
    Record source categories: From individuals.
    Exemptions claimed for the system: None.

Deletion of System Notice

DEPARTMENT OF DEFENSE

Office of the Secretary

Privacy Act of 1974; System of Records

AGENCY: Office of the Secretary, DoD.

ACTION: Notice to delete systems of records.

SUMMARY: The Office of the Secretary of Defense is deleting a system 
of records notice from its existing inventory of records systems 
subject to the Privacy Act of 1974, (5 U.S.C. 552a), as amended.
DATES: This proposed action will be effective without further notice 
on (insert date thirty days after publication in Federal Register) 
unless comments are received which result in a contrary 
determination.
ADDRESSES: OSD Privacy Act Coordinator, Records Management Section, 
Washington Headquarters Services, 1155 Defense Pentagon, Washington, 
DC 20301-1155.
FOR FURTHER INFORMATION CONTACT: Ms. Mary Smith at (703) 000-0000.
SUPPLEMENTARY INFORMATION: The Office of the Secretary of Defense 
systems of records notices subject to the Privacy Act of 1974, (5 
U.S.C. 552a), as amended, have been published in the Federal 
Register and are available from the address above.
    The specific changes to the records system being amended are set 
forth below followed by the notice, as amended, published in its 
entirety. The proposed amendments are not within the purview of 
subsection (r) of the Privacy Act of 1974, (5 U.S.C. 552a), as 
amended, which requires the submission of a new or altered system 
report.

    Dated: April 2, 2006.

John Miller,

OSD Federal Register Liaison Officer, Department of Defense.

[[Page 18790]]

DODDS 27

System name: DoD Domestic and Elementary School Employee File (May 
9, 2003, 68 FR 24935).
Reason: The records contained in this system of records are covered 
by OPM/GOVT-1 (General Personnel Records), a government-wide system 
notice.

Appendix H to Part 310--Litigation Status Sheet

    (See Sec.  310.49)

Litigation Status Sheet

1. Case Number \1\
---------------------------------------------------------------------------

    \1\ Number used by the Component for reference purposes.
---------------------------------------------------------------------------

2. Requester
3. Document Title or Description \2\
---------------------------------------------------------------------------

    \2\ Indicate the nature of the case, such as, ``Denial of 
access,'' ``Refusal to amend,'' ``Incorrect records,'' or other 
violations of the Act (specify).
---------------------------------------------------------------------------

4. Litigation
a. Date Complaint Filed
b. Court
c. Case File Number \1\
5. Defendants (DoD Component and individual)
6. Remarks (brief explanation of what the case is about)
7. Court Action
a. Court's Finding
b. Disciplinary Action (as appropriate)
8. Appeal (as appropriate)
a. Date Complaint Filed
b. Court
c. Case File Number
d. Court's Finding
e. Disciplinary Action (as appropriate)

    Dated: March 28, 2007.
L.M. Bynum,
Alternate OSD Federal Register Liaison Officer, DoD.
 [FR Doc. E7-6118 Filed 4-12-07; 8:45 am]
BILLING CODE 5001-06-P