[Federal Register Volume 73, Number 197 (Thursday, October 9, 2008)]
[Proposed Rules]
[Pages 59582-59585]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-23999]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 325

[DOD-2008-OS-0067]
RIN 0790-AI30


Defense Contract Management Agency (DCMA) Privacy Program

AGENCY: Department of Defense.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This part provides policies and procedures for the Defense 
Contract Management Agency's (DCMA) implementation of a Privacy Program 
under the Privacy Act of 1974, as amended.

DATES: Comments must be received by December 8, 2008.

ADDRESSES: You may submit comments, identified by docket number and/or 
RIN number and title, by any of the following methods:
     Federal Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Mail: Federal Docket Management System Office, 1160 
Defense Pentagon, Washington, DC 20301-1160.
    Instructions: All submissions received must include the agency name 
and docket number or Regulatory Information Number (RIN) for this
Federal Register document. The general policy for comments and other 
submissions from members of the public is to make these submissions 
available for public viewing on the Internet at 
http://www.regulations.gov as they are received without change, 
including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Ms. Debbie Gendreau, (703) 428-1487.

SUPPLEMENTARY INFORMATION:

Executive Order 12866, ``Regulatory Planning and Review''

    It has been determined that Privacy Act rules for the Department of 
Defense are not significant rules. This rule does not (1) Have an 
annual effect on the economy of $100 million or more or adversely 
affect in a material way the economy; a sector of the economy; 
productivity; competition; jobs; the environment; public health or 
safety; or State, local, or tribal governments or communities; (2) 
Create a serious inconsistency or otherwise interfere with an action 
taken or planned by another Agency; (3) Materially alter the budgetary 
impact of entitlements, grants, user fees, or loan programs, or the 
rights and obligations of recipients thereof; or (4) Raise novel legal 
or policy issues arising out of legal mandates, the President's 
priorities, or the principles set forth in this Executive order.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. Chapter 6)

    It has been determined that this Privacy Act rule for the 
Department of Defense does not have significant economic impact on a 
substantial number of small entities because it is concerned only with 
the administration of the Privacy Act within the Department of Defense.

Public Law 95-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

    It has been determined that this Privacy Act rule for the 
Department of Defense imposes no information requirements beyond the 
Department of Defense and that the information collected within the 
Department of Defense is necessary and consistent with 5 U.S.C. 552a, 
known as the Privacy Act of 1974.

Section 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    It has been determined that this Privacy Act rulemaking for the 
Department of Defense does not involve a Federal mandate that may 
result in the expenditure by State, local and tribal governments, in 
the aggregate, or by the private sector, of $100 million or more and 
that such rulemaking will not significantly or uniquely affect small 
governments.

Executive Order 13132, ``Federalism''

    It has been determined that the Privacy Act rules for the 
Department of Defense do not have federalism implications. The rule 
does not have substantial direct effects on the States, on the 
relationship between the National Government and the States, or on the 
distribution of power and responsibilities among the various levels of 
government.

List of Subjects in 32 CFR Part 325

    Privacy.

    Accordingly 32 CFR Part 325 is added to read as follows:

Sec.
325.1 Purpose and Scope.
325.2 Definitions.
325.3 Policy.
325.4 Responsibilities.
325.5 Procedures.
Appendix A to Part 325--DCMA Non Disclosure Statement
Appendix B to Part 325--DCMA PII Breach Notification Responsibility 
Statement

    Authority: Privacy Act of 1974, Pub. L. 93-579, Stat. 1896 (5 
U.S.C. 552a).


Sec.  325.1  Purpose and scope.

    This part provides policies and procedures for the Defense Contract 
Management Agency's (DCMA) implementation of a Privacy Program under 
the Privacy Act of 1974, as amended (5 U.S.C. 552a), OMB Circular A-
130,\1\ 32 CFR part 310, OMB Memorandum M-07-16,\2\ and DoD Policy 
Memo, subject: Safeguarding Against and Responding to the Breach of 
Personally Identifiable Information (PII). \3\
---------------------------------------------------------------------------

    \1\ Available at http://www.whitehouse.gov/omb/circulars/a130/a130trans4.pdf.
    \2\ Available at http://www.whitehouse.gov/omb/memoranda/fy2007/m-16.pdf.
    \3\ Available at http://www.defenselink.mil/privacy/pdfdocs/Safeguarding%20Against%20and%20Responding%20to%20the%20Breach%20of%20PII%20%20-%20OSD%2015041-07.pdf.
---------------------------------------------------------------------------

    (a) This part applies to all DCMA organizational elements, which 
include the Headquarters, Divisions, and any Field Activities, and 
supersedes previously issued guidance on the DCMA Privacy Program.
    (b) This part shall be made applicable to DCMA contractors who are 
operating or maintaining a system of records or portion of a system of 
records, to include collecting and disseminating records associated 
with accomplishing the Agency's mission.


Sec.  325.2  Definitions.

    Agency. For the purpose of disclosing records subject to the 
Privacy Act among DoD Components, the Department of Defense is 
considered a single agency. For all other purposes including 
applications for access and amendment, denial of access or amendment, 
appeals from denials, and record keeping as regards release to non-DoD 
agencies, DCMA is considered an agency within the meaning of the 
Privacy Act.
    Government Contractor. The company and its employees who administer 
or work under a government contract awarded by DCMA. The Contractor and 
its employees are not considered employees for purposes of FAR 37.104 
unless otherwise authorized by statute. However, the Contractor and its 
employees are considered employees of DCMA for purposes of the criminal 
provisions of 5 U.S.C. 552a(i) during the performance of the contract 
whenever a DCMA contract requires the performance of any activities 
associated with maintaining a system of records subject to the Privacy 
Act, including the collection, use, and dissemination of records on 
behalf of the Agency.
    Personal Information. Information about an individual that 
identifies, links, relates, or is unique to, or describes him or her 
(e.g., a social security number; age; military rank; civilian grade; 
marital status; race; salary; home or office phone numbers; other 
demographic, biometric, personnel, medical, and financial information, 
etc.). Such information also is known as personally identifiable 
information (e.g., information which can be used to distinguish or 
trace an individual's identity, such as his or her name; social 
security number; date and place of birth; mother's maiden name; and 
biometric records, including any other personal information which is 
linked or linkable to a specified individual).


Sec.  325.3  Policy.

    It is DCMA policy that:
    (a) Individuals have a fundamental right to privacy and the 
expectation that this Agency, including contractors, will safeguard PII 
it maintains to the maximum extent practicable.
    (1) DCMA shall balance the right of the individual to be protected 
against unwarranted invasions of personal privacy against agency need 
when setting any requirement to collect, maintain, use, and disseminate 
PII, ensuring that such activities are relevant and necessary to 
achieve a purpose required by statute, Executive Order or regulation.
    (2) DCMA personnel, including contractors, have an affirmative 
responsibility to protect an individual's privacy when collecting, 
maintaining, using, or disseminating PII.
    (3) DCMA shall ensure that policy proposals with potential impact 
to privacy rights of individuals are evaluated for those impacts and, 
when required and consistent with the Privacy Provisions of the E-
Government Act of 2002 (44 U.S.C. 3501, Note), shall prepare a Privacy 
Impact Assessment (PIA).
    (b) DCMA shall adhere to the rules, regulations, policies, and 
definitions set forth for implementing a Privacy Act Program by DoD in 
32 CFR part 310. DCMA shall create and maintain Privacy Act policy only 
where it is not already addressed in the authorities listed.


Sec.  325.4  Responsibilities.

    (a) The Director, DCMA, or his/her designee, shall:
    (1) Provide adequate funding and personnel to establish and support 
an effective Privacy Program.
    (2) Serve as the Agency Appellate Authority as required under 32 
CFR 310.18 and 310.19.
    (b) The DCMA Privacy Act Officer, or his/her designee, shall:
    (1) Formulate policies, procedures, and standards necessary for 
uniform compliance with the Privacy Act and 32 CFR part 310 by DCMA 
activities.
    (2) Prepare any Privacy Act Reports as may be mandated by OMB 
Circular A-130, 32 CFR part 310, and subsequent DoD policy.
    (3) Establish and conduct training consistent with the requirements 
of 32 CFR part 310 for DCMA personnel.
    (4) Serve as an Access Denial Authority (ADA) for Headquarters as 
required under 32 CFR 310.18 and 310.19.
    (5) Direct the day-to-day activities of the DCMA Privacy Program.
    (6) Coordinate with the DCMA Chief Information Officer (CIO) to 
formulate procedures and standards for safeguarding against, assessing 
risk of, handling, reporting, and making proper notification of DCMA 
PII breaches.
    (7) Prepare any required new, amended, or altered system notices 
for systems of records subject to the Privacy Act and submit them to 
the Defense Privacy Office for subsequent publication in the Federal 
Register.
    (8) Coordinate with DCMA CIO to review PII holdings in accordance 
with DoD policy.
    (9) Develop and maintain a Rules and Consequences policy applicable 
to all DCMA employees (including managers) and its contractors, 
licensees, certificate holders and grantees in accordance with DoD 
policy.
    (c) The General Counsel, DCMA, or his/her designee, shall:
    (1) Advise and assist the Privacy Act Officer and other DCMA 
organization Privacy Act Managers as required in the discharge of their 
responsibilities.
    (2) Advise the Defense Privacy Office on the status of DCMA Privacy 
Act-related litigation.
    (3) Consult with DOD General Counsel on final denials, involving 
issues not able to be resolved within DCMA, or that raise new or 
significant legal issues of potential significance to other Government 
agencies.
    (4) Coordinate Privacy Act litigation with the Department of 
Justice.
    (5) Coordinate on denials of initial requests and appeals.
    (d) The Chief Information Officer, Information Technology, DCMA, or 
his/her designee, shall:
    (1) Formulate and implement protective standards for DCMA PII 
maintained in automated data processing systems and facilities.
    (2) Coordinate with the DCMA Privacy Officer to formulate 
procedures and standards for safeguarding against, assessing risk of, 
handling, reporting, and making proper notification of DCMA PII 
breaches.
    (3) Prepare PIAs when required by other authority.
    (e) DCMA Division Directors, or their designees, shall:
    (1) Assume responsibility for the overall management of the Privacy 
Act Program within their respective Divisions.
    (2) Ensure the Division's internal operating procedures provide for 
effective compliance with the Privacy Act.
    (3) Designate a Privacy Act Manager to serve as the principal 
point-of-contact on privacy matters.
    (4) Serve as an Access Denial Authority for their respective 
Division. This authority shall not be delegated.
    (f) The Division Privacy Act Manager, or his/her designee, shall:
    (1) Manage the DCMA Privacy Act Program in accordance with this 
part and applicable DCMA, DoD, and Federal policies and regulations.
    (2) Provide guidelines for managing, administering, and 
implementing the DCMA Privacy Act Program.
    (3) Ensure that the collection, maintenance, use, or dissemination 
of PII records is in a manner that assures such actions are relevant 
and necessary for a lawful purpose; that the information is timely, 
accurate, relevant, and complete for its intended use; and that 
appropriate safeguards are provided to prevent misuse of such 
information.
    (g) DCMA Procurement Center Officials shall:
    (1) Ensure that all contracts awarded by DCMA whose services would 
subject Government Contractors to the requirements of this part include 
contractual provisions required by FAR Subpart 24.1 or FAR 39.105.
    (2) Ensure that all contracts awarded by DCMA shall require 
Government Contractor employees to participate in Privacy Act training 
mandated by DCMA, DoD, or other authority.
    (3) Ensure that each contractor covered by this part is 
contractually required to have its employees sign Certificates of Non-
Disclosure prior to being given individual access to DCMA PII (Appendix 
A to Part 325).
    (h) DCMA Military Members and Civilian Employees shall:
    (1) Not disclose any PII, except as authorized by this part, DoD or 
other Federal regulations.
    (2) Not maintain any official files which are retrieved by name or 
other personal identifier without first ensuring a system of records 
notice has been published in the Federal Register.
    (3) Participate in Privacy Act training mandated by DCMA, DoD, or 
other authority.
    (4) Report any disclosures of personal information from a system of 
records or the maintenance of any system of records that are not 
authorized by this part to the appropriate Privacy Act officials for 
action.
    (5) Forward to the Division Privacy Act Manager any Privacy Act 
requests received directly from a member of the public, so that the 
request may be administratively controlled and processed in accordance 
with this part.
    (6) Adhere to the Standards of Conduct addressed in 32 CFR part 
310.
    (i) DCMA Contractors shall:
    (1) Sign a DCMA Certificate of Non-Disclosure prior to gaining 
initial access to DCMA PII. (Appendix A to Part 325)
    (2) Not disclose any PII, except as authorized by this part.
    (3) Not maintain any official files which are retrieved by name or 
other personal identifier without first ensuring a system of records 
notice has been published in the Federal Register.
    (4) Participate in Privacy Act training mandated by DCMA, DoD, or 
other authority in accordance with their contract.
    (5) Report any disclosures of personal information from a system of 
records or the maintenance of any system of records that are not 
authorized by this part to the appropriate Privacy Act officials for 
action.
    (6) Forward to the Division Privacy Act Manager any Privacy Act 
requests received directly from a member of the public, so that the 
request may be administratively controlled and processed.


Sec.  325.5  Procedures.

    (a) Access to records. (1) Requests for information contained in a 
DCMA system of records should be addressed to the DCMA Privacy Officer, 
6350 Walker Lane, Alexandria, VA 22310. Requests will be processed in 
accordance with the Privacy Act of 1974 (5 U.S.C. 552a), 32 CFR part 
310, the Freedom of Information Act (5 U.S.C. 552), and this part.
    (2) Denial of access. Access to information contained in a DCMA 
system of records may be formally denied in accordance with the Privacy 
Act of 1974 (5 U.S.C. 552a), and 32 CFR part 310.
    (b) Notification when information is lost, stolen, or compromised. 
(1) DCMA will respond to breaches in accordance with 32 CFR part 310 as 
augmented by OMB Memorandum M-07-16, and DoD Policy Memo, subject: 
Safeguarding Against and Responding to the Breach of Personally 
Identifiable Information (PII).
    (2) DCMA will establish appropriate administrative, technical, and 
physical safeguards to protect information against unauthorized 
disclosure, access or misuse.
    (c) Clauses in DCMA agreements with other government entities. DCMA 
will include a DCMA PII Breach Notification Responsibility Statement in 
all agreements with other government entities that maintain or 
otherwise have access to DCMA generated personal information. (See 
Appendix B to Part 325)

Appendix A to Part 325--DCMA Certificate of Non Disclosure

(See section 325.4(h))

NON-DISCLOSURE AGREEMENT

CONTRACT NO.-----------------------------------------------------------

DELIVERY/TASK ORDER NO.------------------------------------------------

    I, ------------, (hereinafter RECIPIENT), an employee and 
authorized representative of ------------, a Contractor providing 
support services to the Defense Contract Management Agency (DCMA) 
with likely access to nonpublic information, understand and agree 
to the following:
    RECIPIENT is engaged in delivering support services to DCMA 
under contract; and
    It is the intention of DCMA to protect and prevent access to and 
disclosure of nonpublic sensitive information to anyone other than 
employees or authorized contractor personnel of the United States 
Government who have a need to know unless so authorized by the 
Contracting Officer and/or the Contracting Officer's representative; 
and
    DCMA acknowledges that RECIPIENT will have or require access to 
such nonpublic information in the course of delivering the contract 
services; and, finally,
    ``Nonpublic information'' includes such information as 
proprietary information (e.g., information submitted by a contractor 
marked as proprietary), advanced procurement information (e.g., 
future requirements, statements of work, and acquisition 
strategies), source selection information (e.g., bids before being 
made public, source selection plans, and rankings of proposals), 
trade secrets and other confidential business information (e.g., 
confidential business information submitted by a contractor), 
attorney work product, information protected by the Privacy Act 
(e.g., social security numbers, home addresses and telephone 
numbers), and other sensitive information that would not be released 
by DCMA under the Freedom of Information Act (e.g., program, 
planning and budgeting system information);
    RECIPIENT further agrees to and promises as follows:
    RECIPIENT shall not seek access to nonpublic information beyond 
what is required for the performance of the support services 
contract;
    RECIPIENT will ensure that his or her status as a contractor 
employee is known when seeking access to and receiving such 
nonpublic information from Government employees;
    As to any nonpublic information to which RECIPIENT has or is 
given access, RECIPIENT shall not use or disclose such information 
for any purpose other than providing the contract support services, 
and will not use or disclose the information for any personal or 
other commercial purpose; and
    If RECIPIENT becomes aware of any improper release or disclosure 
of such nonpublic information, RECIPIENT will advise the contracting 
officer or a duly authorized representative in writing as soon as 
possible.
    The RECIPIENT agrees to return any nonpublic information given 
to him or her pursuant to this agreement, including any 
transcriptions by RECIPIENT of nonpublic information to which 
RECIPIENT was given access, if not already destroyed, upon RECIPIENT 
leaving the employ of the contractor providing services to DCMA.
    RECIPIENT understands that any unauthorized use, release or 
disclosure of nonpublic information in violation of this 
CERTIFICATE, whether during or after leaving the contractor's 
employ, will subject the RECIPIENT to administrative, civil or 
criminal remedies as may be authorized by law.

RECIPIENT:-------------------------------------------------------------

 (Signature)
DATE:------------------------------------------------------------------

PRINTED NAME:----------------------------------------------------------

TITLE:-----------------------------------------------------------------

Appendix B to Part 325--DCMA PII Breach Notification Responsibility 
Statement

(See section 325.5(c))

    Personally Identifiable Information (PII). In the event (name of 
signatory to MOU) is collecting and maintaining PII on behalf of 
DCMA and the information is lost, stolen, or otherwise compromised, 
(name of signatory to MOU) shall notify the DCMA Privacy Officer, 
6350 Walker Lane, Alexandria, VA 22310, (703) 428-1453, within 24 
hours and provide all necessary information regarding the breach. A 
determination will be made at that time whether DCMA or (name of 
signatory to the MOU) will notify the affected individuals impacted 
by the breach. (name of signatory to MOU) is responsible for filing 
the Breach notification with US-CERT.

    Dated: September 30, 2008.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.

[FR Doc. E8-23999 Filed 10-8-08; 8:45 am]
BILLING CODE 5001-06-P