[Federal Register Volume 74, Number 209 (Friday, October 30, 2009)]
[Rules and Regulations]
[Pages 56113-56117]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-26183]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[DoD-2006-OS-0033; RIN 0790-AI26]

32 CFR Part 311


Office of the Secretary of Defense and Joint Staff Privacy 
Program

AGENCY: Department of Defense.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule revises 32 CFR part 311 to update Office of the 
Secretary of Defense (OSD) and Joint Staff (JS) policy, assigns 
responsibilities, and prescribes procedures for the effective 
administration of the Privacy Act (PA) Program in OSD and JS. This rule 
supplements and implements 32 CFR part 310, the DoD Privacy Program.

DATES: Effective Date: This rule is effective November 30, 2009.

FOR FURTHER INFORMATION CONTACT: Cindy Allard, 703-588-6830.

SUPPLEMENTARY INFORMATION: A proposed rule published in the Federal 
Register on January 23, 2007 (72 FR 2819-2823). No comments were 
received.
    The following has been included in the final rule based on internal 
comments received on the corresponding DoD administrative instruction: 
A reordering of some sections was accomplished to facilitate 
readability. A new section ``OSD/JS Privacy Office Processes'' was 
added to define the role of the OSD/JS Privacy Office in the program.

Executive Order 12866, ``Regulatory Planning and Review''

    It has been certified that 32 CFR part 311 does not:
    (1) Have an annual effect on the economy of $100 million or more or 
adversely affect in a material way the economy; a section of the 
economy; productivity; competition; jobs; the environment; public 
health or safety; or State, local, or tribunal governments or 
communities;
    (2) Create a serious inconsistency or otherwise interfere with an 
action taken or planned by another Agency;
    (3) Materially alter the budgetary impact of entitlements, grants, 
user fees, or loan programs, or the rights and obligations of 
recipients thereof; or
    (4) Raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
this Executive Order 12866, as amended by Executive Order 13422.

Sec. 202, Pub. L. 104-4, ``Unfunded Mandates Reform Act''

    It has been certified that 32 CFR part 311 does not contain a 
Federal mandate that may result in the expenditure by State, local and 
tribunal governments, in aggregate, or by the private sector, of $100 
million or more in any one year.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601)

    It has been certified that 32 CFR part 311 is not subject to the 
Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if 
promulgated, have a significant economic impact on a substantial number 
of small entities. The rule implements the procedures for the effective 
administration of the Privacy Act Program in OSD and the JS.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

    It has been certified that 32 CFR part 311 does not impose 
reporting or recordkeeping requirements under the Paperwork Reduction 
Act of 1995.

Executive Order 13132, ``Federalism''

    It has been certified that 32 CFR part 311 does not have federalism 
implications, as set forth in Executive Order 13132. This rule does not 
have substantial direct effects on:
    (1) The States;

[[Page 56114]]

    (2) The relationship between the National Government and the 
States; or
    (3) The distribution of power and responsibilities among the 
various levels of Government.

List of Subjects in 32 CFR Part 311

    Privacy Act.

0
Accordingly, 32 CFR part 311 is revised to read as follows:

PART 311--OFFICE OF THE SECRETARY OF DEFENSE AND JOINT STAFF 
PRIVACY PROGRAM

Sec.
311.1 Purpose.
311.2 Applicability.
311.3 Definitions.
311.4 Policy.
311.5 Responsibilities.
311.6 Procedures.
311.7 OSD/JS Privacy Office Processes.

    Authority: 5 U.S.C. 552a.


Sec.  311.1.  Purpose.

    This part revises 32 CFR part 311 to update Office of the Secretary 
of Defense (OSD) and Joint Staff (JS) policy, assigns responsibilities, 
and prescribes procedures for the effective administration of the 
Privacy Program in OSD and the JS. This part supplements and implements 
part 32 CFR part 310, the DoD Privacy Program.


Sec.  311.2.  Applicability.

    This part:
    (a) Applies to OSD, the Office of the Chairman of the Joint Chiefs 
of Staff and the Joint Staff, and all other activities serviced by 
Washington Headquarters Services (WHS) that receive privacy program 
support from OSD/JS Privacy Office, Executive Services Directorate 
(ESD), WHS (hereafter referred to collectively as the ``WHS-Serviced 
Components).''
    (b) Covers systems of records maintained by the WHS-Serviced 
Components and governs the maintenance, access, change, and release 
information contained in those systems of records, from which 
information about an individual is retrieved by a personal identifier.


Sec.  311.3.  Definitions.

    (a) Access. The review of a record or a copy of a record or parts 
thereof in a system of records by any individual.
    (b) Computer matching program. A program that matches the personal 
records in computerized databases of two or more Federal agencies.
    (c) Disclosure. The transfer of any personal information from a 
system of records by any means of communication (such as oral, written, 
electronic, mechanical, or actual review) to any person, private 
entity, or Government Agency, other than the subject of the record, the 
subject's designated agent or the subject's legal guardian.
    (d) Individual. A living person who is a citizen of the United 
States or an alien lawfully admitted for permanent residence. The 
parent of a minor or the legal guardian of any individual also may act 
on behalf of an individual. Members of the United States Armed Forces 
are ``individuals.'' Corporations, partnerships, sole proprietorships, 
professional groups, businesses, whether incorporated or 
unincorporated, and other commercial entities are not ``individuals'' 
when acting in an entrepreneurial capacity with the Department of 
Defense but are ``individuals'' otherwise (e.g., security clearances, 
entitlement to DoD privileges or benefits, etc.).
    (e) Individual access. Access to information pertaining to the 
individual by the individual or his or her designated agent or legal 
guardian.
    (f) Maintain. To maintain, collect, use, or disseminate records 
contained in a system of records.
    (g) Personal information. Information about an individual that 
identifies, links, relates, or is unique to, or describes him or her, 
e.g., a social security number; age; military rank; civilian grade; 
marital status; race; salary; home/office phone numbers; other 
demographic, biometric, personnel, medical, and financial information, 
etc. Such information also is known as personally identifiable 
information (i.e., information which can be used to distinguish or 
trace an individual's identity, such as their name, social security 
number, date and place of birth, mother's maiden name, biometric 
records, including any other personal information which is linked or 
linkable to a specified individual).
    (h) Record. Any item, collection, or grouping of information, 
whatever the storage media (e.g., paper, electronic, etc.), about an 
individual that is maintained by a WHS-Serviced Component, including, 
but not limited to, his or her education, financial transactions, 
medical history, criminal or employment history, and that contains his 
or her name, or the identifying number, symbol, or other identifying 
particular assigned to the individual, such as a finger or voice print 
or a photograph.
    (i) System manager. A WHS-Serviced Component official who has 
overall responsibility for a system of records. The system manager may 
serve at any level in OSD. Systems managers are indicated in the 
published systems of records notices. If more than one official is 
indicated as a system manager, initial responsibility resides with the 
manager at the appropriate level (i.e., for local records, at the local 
activity).
    (j) System of records. A group of records under the control of a 
WHS-Serviced Component from which personal information about an 
individual is retrieved by the name of the individual or by some other 
identifying number, symbol, or other identifying particular assigned, 
that is unique to the individual.


Sec.  311.4.  Policy.

    It is DoD policy, in accordance with 32 CFR part 310, that:
    (a) Personal information contained in any system of records 
maintained by any DoD organization shall be safeguarded. To the extent 
authorized by section 552a of title 5, United States Code, commonly 
known and hereafter referred to as the ``Privacy Act'' and Appendix I 
of Office of Management and Budget Circular No. A-130 (available at 
http://www.whitehouse.gov/omb/assets/omb/circulars/a130/a130trans4.pdf), an individual shall be permitted to know what existing 
records pertain to him or her consistent with 32 CFR part 310.
    (b) Each office maintaining records and information about 
individuals shall ensure that this data is protected from unauthorized 
collection, use, dissemination and/or disclosure of personal 
information. These offices shall permit individuals to have access to 
and have a copy made of all or any portion of records about them, 
except as provided in 32 CFR 310.17 and 310.18. The individuals will 
also have an opportunity to request that such records be amended as 
provided by 32 CFR 310.19 . Individuals requesting access to their 
records shall receive concurrent consideration under section 552 of 
title 5, United States Code (commonly known and hereafter referred to 
as the ``Freedom of Information Act'').
    (c) Necessary records of a personal nature that are individually 
identifiable will be maintained in a manner that complies with the law 
and DoD policy. Any information collected by WHS-Serviced Components 
must be as accurate, relevant, timely, and complete as is reasonable to 
ensure fairness to the individual. Adequate safeguards must be provided 
to prevent misuse or unauthorized release of such information, 
consistent with the Privacy Act.


Sec.  311.5.  Responsibilities.

    (a) The Director, WHS, under the authority, direction, and control 
of the

[[Page 56115]]

Director, Administration and Management, shall:
    (1) Direct and administer the OSD/JS Privacy Program for the WHS-
Serviced Components.
    (2) Ensure implementation of and compliance with standard and 
procedures established in 32 CFR part 310.
    (3) Coordinate with the WHS General Counsel on all WHS-Serviced 
Components denials of appeals for amending records and review actions 
to confirm denial of access to records.
    (4) Provide advice and assistance to the WHS-Serviced Components on 
matters pertaining to the Privacy Act.
    (5) Direct the OSD/JS Privacy Office to implement all aspects of 32 
CFR part 310 as directed in Sec.  311.7 of this part.
    (b) The Heads of the WHS-Serviced Components shall:
    (1) Designate an individual in writing as the point of contact for 
Privacy Act matters and advise the Chief, OSD/JS Privacy Office, of 
names of officials so designated.
    (2) Designate an official in writing to deny initial requests for 
access to an individual's records or changes to records and advise the 
Chief, OSD/JS Privacy Office of names of officials so designated.
    (3) Provide opportunities for appointed personnel to attend 
periodic Privacy Act training.
    (4) Report any new record system, or changes to an existing system, 
to the Chief, OSD/JS Privacy Office at least 90 days before the 
intended use of the system.
    (5) Formally review each system of records notice on a biennial 
basis and update as necessary.
    (6) In accordance with 32 CFR 310.12, include appropriate Federal 
Acquisition Regulation clause (48 CFR 24.104) in all contracts that 
provide for contractor personnel to access WHS-Serviced Component 
records systems covered by the Privacy Act.
    (7) Review all implementing guidance prepared by the WHS-Serviced 
Components as well as all forms or other methods used to collect 
information about individuals to ensure compliance with 32 CFR part 
310.
    (8) Establish administrative processes in WHS-Serviced Component 
organizations to comply with the procedures listed in this part and 32 
CFR part 310.
    (9) Coordinate with WHS General Counsel on all proposed denials of 
access to records.
    (10) Provide justification to the OSD/JS Privacy Office when access 
to a record is denied in whole or in part.
    (11) Provide the record to the OSD/JS Privacy Office when the 
initial denial of a request for access to such record has been appealed 
by the requester or at the time of initial denial if an appeal seems 
likely.
    (12) Maintain an accurate administrative record documenting the 
actions resulting in a denial for access to a record or for the 
correction of a record. The administrative record should be maintained 
so it can be relied upon and submitted as a complete record of 
proceedings if litigation occurs in accordance with 32 CFR part 310.
    (13) Ensure all personnel are aware of the requirement to take 
appropriate Privacy Act training as required by 32 CFR part 310 and the 
Privacy Act.
    (14) Forward all requests for access to records received directly 
from an individual to the OSD/JS Freedom of Information Act Requester 
Service Center for processing under 32 CFR part 310 and 32 CFR part 
286.
    (15) Maintain a record of each disclosure of information (other 
than routine use) from a system of records as required by 32 CFR part 
310.


Sec.  311.6.  Procedures.

    (a) Publication of Notice in the Federal Register. (1) A notice 
shall be published in the Federal Register of any record system meeting 
the definition of a system of records in 32 CFR 310.4.
    (2) The Heads of the WHS-Serviced Component shall submit notices 
for new or revised systems of records to the Chief, OSD/JS Privacy 
Office, for review at least 90 days prior to desired implementation.
    (3) The Chief, OSD/JS Privacy Office shall forward completed 
notices to the Defense Privacy Office (DPO) for review in accordance 
with 32 CFR 310.30. Publication in the Federal Register starts a 30-day 
comment window which provides the public with an opportunity to submit 
written data, views, or arguments to the DPO for consideration before a 
system of record is established or modified.
    (b) Access to Systems of Records Information. (1) As provided in 
the Privacy Act, records shall be disclosed only to the individual they 
pertain to and under whose individual name or identifier they are 
filed, unless exempted by the provisions in 32 CFR 310.31. If an 
individual is accompanied by a third party, the individual shall be 
required to furnish a signed access authorization granting the third 
party access according to 32 CFR 310.17.
    (2) Individuals seeking access to records that pertain to 
themselves, and that are filed by name or other personal identifier, 
may submit the request in person or by mail, in accordance with these 
procedures:
    (i) Any individual making a request for access to records in person 
shall provide personal identification to the appropriate system owner, 
as identified in the system of records notice published in the Federal 
Register, to verify the individual's identity according to 32 CFR 
310.17.
    (ii) Any individual making a request for access to records by mail 
shall address such request to the OSD/JS FOIA Requester Service Center, 
Office of Freedom of Information, 1155 Pentagon, Washington, DC 20301-
1155. To verify his or her identity, the requester shall include either 
a signed notarized statement or an unsworn declaration in the format 
specified by 32 CFR part 286.
    (iii) All requests for records shall describe the record sought and 
provide sufficient information to enable the material to be located 
(e.g., identification of system of records, approximate date it was 
initiated, originating organization, and type of document).
    (iv) All requesters shall comply with the procedures in 32 CFR part 
310 for inspecting and/or obtaining copies of requested records.
    (v) If the requester is not satisfied with the response, he or she 
may file a written appeal as provided in paragraph (f)(8) of this 
section. The requester must provide proof of identity by showing a 
driver's license or similar credentials.
    (3) There is no requirement that an individual be given access to 
records that are not in a group of records that meet the definition of 
a system of records in the Privacy Act. (For an explanation of the 
relationship between the Privacy Act and the Freedom of Information 
Act, and for guidelines to ensure requesters are given the maximum 
amount of information authorized by both Acts, see 32 CFR part 310.17
    (4) Granting access to a record containing personal information 
shall not be conditioned upon any requirement that the individual state 
a reason or otherwise justify the need to gain access.
    (5) No verification of identity shall be required of an individual 
seeking access to records that are otherwise available to the public.
    (6) Individuals shall not be denied access to a record in a system 
of records about themselves because those records are exempted from 
disclosure under 32 CFR part 286. Individuals may only be denied access 
to a record in a system of records about themselves when those records 
are exempted from the access provisions of 32 CFR 310.26.

[[Page 56116]]

    (7) Individuals shall not be denied access to their records for 
refusing to disclose their Social Security Number (SSN), unless 
disclosure of the SSN is required by statute, by regulation adopted 
before January 1, 1975, or if the record's filing identifier and only 
means of retrieval is by SSN (Privacy Act, note).
    (c) Access to Records or Information Compiled for Law Enforcement 
Purposes.
    (1) Requests are processed under 32 CFR part 310 and 32 CFR part 
286 to give requesters a greater degree of access to records on 
themselves.
    (2) Records (including those in the custody of law enforcement 
activities) that have been incorporated into a system of records 
exempted from the access conditions of 32 CFR part 310, will be 
processed in accordance with 32 CFR 286.12. Individuals shall not be 
denied access to records solely because they are in the exempt system. 
They will have the same access that they would receive under 32 CFR 
part 286. (See also 32 CFR 310.17.)
    (3) Records systems exempted from access conditions will be 
processed under 32 CFR 310.26 or 32 CFR 286.12, depending upon which 
regulation gives the greater degree of access. (See also 32 CFR 
310.17.)
    (4) Records systems exempted from access under 32 CFR 310.27 that 
are temporarily in the hands of a non-law enforcement element for 
adjudicative or personnel actions, shall be referred to the originating 
agency. The requester will be informed in writing of this referral.
    (d) Access to Illegible, Incomplete, or Partially Exempt Records. 
(1) An individual shall not be denied access to a record or a copy of a 
record solely because the physical condition or format of the record 
does not make it readily available (e.g., deteriorated state or on 
magnetic tape). The document will be prepared as an extract, or it will 
be exactly recopied.
    (2) If a portion of the record contains information that is exempt 
from access, an extract or summary containing all of the information in 
the record that is releasable shall be prepared.
    (3) When the physical condition of the record makes it necessary to 
prepare an extract for release, the extract shall be prepared so that 
the requester will understand it.
    (4) The requester shall be informed of all deletions or changes to 
records.
    (e) Access to Medical Records. (1) Medical records shall be 
disclosed to the individual and may be transmitted to a medical doctor 
named by the individual concerned.
    (2) The individual may be charged reproduction fees for copies or 
records as outlined in 32 CFR 310.20.
    (f) Amending and Disputing Personal Information in Systems of 
Records.
    (1) The Head of a WHS-Serviced Component, or designated official, 
shall allow individuals to request amendment to their records to the 
extent that such records are not accurate, relevant, timely, or 
complete.
    (2) Requests shall be submitted in person or by mail to the office 
designated in the system of records notice. They should contain, as a 
minimum, identifying information to locate the record, a description of 
the items to be amended, and the reason for the change. Requesters 
shall be required to provide verification of their identity as stated 
in paragraphs (b)(2)(i) and (b)(2)(ii) of this section to ensure that 
they are seeking to amend records about themselves and not, 
inadvertently or intentionally, the records of others.
    (3) Requests shall not be rejected nor required to be resubmitted 
unless additional information is essential to process the request.
    (4) The appropriate system manager shall mail a written 
acknowledgment to an individual's request to amend a record within 10 
workdays after receipt. Such acknowledgment shall identify the request 
and may, if necessary, request any additional information needed to 
make a determination. No acknowledgment is necessary if the request can 
be reviewed and processed and if the individual can be notified of 
compliance or denial within the 10-day period. Whenever practical, the 
decision shall be made within 30 working days. For requests presented 
in person, written acknowledgment may be provided at the time the 
request is presented.
    (5) The Head of a WHS-Serviced Component, or designated official, 
shall promptly take one of three actions on requests to amend the 
records:
    (i) If the WHS-Serviced Component official agrees with any portion 
or all of an individual's request, he or she will proceed to amend the 
records in accordance with existing statutes, regulations, or 
administrative procedures and inform the requester of the action taken 
in accordance with 32 CFR 310.19. The WHS-Serviced Component official 
shall also notify all previous holders of the record that the amendment 
has been made and shall explain the substance of the correction.
    (ii) If the WHS-Serviced Component official disagrees with all or 
any portion of a request, the individual shall be informed promptly of 
the refusal to amend a record, the reason for the refusal, and the 
procedure to submit an appeal as described in paragraph (f)(8) of this 
section.
    (iii) If the request for an amendment pertains to a record 
controlled and maintained by another Federal agency, the request shall 
be referred to the appropriate agency and the requester advised of 
this.
    (6) When personal information has been disputed by the requestor, 
the Head of a WHS-Serviced Component, or designated official, shall:
    (i) Determine whether the requester has adequately supported his or 
her claim that the record is inaccurate, irrelevant, untimely, or 
incomplete.
    (ii) Limit the review of a record to those items of information 
that clearly bear on any determination to amend the record, and shall 
ensure that all those elements are present before a determination is 
made.
    (7) If the Head of a WHS-Serviced Component, or designated 
official, after an initial review of a request to amend a record, 
disagrees with all or any portion of the request to amend a record, he 
or she shall:
    (i) Advise the individual of the denial and the reason for it.
    (ii) Inform the individual that he or she may appeal the denial.
    (iii) Describe the procedures for appealing the denial, including 
the name and address of the official to whom the appeal should be 
directed. The procedures should be as brief and simple as possible.
    (iv) Furnish a copy of the justification of any denial to amend a 
record to the OSD/JS Privacy Office.
    (8) If an individual disagrees with the initial WHS-Serviced 
Component determination, he or she may file an appeal. If the record is 
created and maintained by a WHS-Serviced Component, the appeal should 
be sent to the Chief, OSD/JS Privacy Office, WHS, 1155 Defense 
Pentagon, Washington, DC 20301-1155.
    (9) If, after review, the Chief, OSD/JS Privacy Office, determines 
the system of records should not be amended as requested, the Chief, 
OSD/JS Privacy Office, shall provide a copy of any statement of 
disagreement to the extent that disclosure accounting is maintained in 
accordance with 32 CFR 310.25 and shall advise the individual:
    (i) Of the reason and authority for the denial.
    (ii) Of his or her right to file a statement of the reason for 
disagreeing with the OSD/JS Privacy Office's decision.
    (iii) Of the procedures for filing a statement of disagreement.

[[Page 56117]]

    (iv) That the statement filed shall be made available to anyone the 
record is disclosed to, together with a brief statement by the WHS-
Serviced Component summarizing its reasons for refusing to amend the 
records.
    (10) If the Chief, OSD/JS Privacy Office, determines that the 
record should be amended in accordance with the individual's request, 
the WHS-Serviced Component shall amend the record, advise the 
individual, and inform previous recipients where a disclosure 
accounting has been maintained in accordance with 32 CFR 310.25.
    (11) All appeals should be processed within 30 workdays after 
receipt by the proper office. If the Chief, OSD/JS Privacy Office, 
determines that a fair and equitable review cannot be made within that 
time, the individual shall be informed in writing of the reasons for 
the delay and of the approximate date the review is expected to be 
completed.
    (g) Disclosure of Disputed Information. (1) If the OSD/JS Privacy 
Office determines the record should not be amended and the individual 
has filed a statement of disagreement under paragraph (f)(8) of this 
section, the WHS-Serviced Component shall annotate the disputed record 
so it is apparent to any person to whom the record is disclosed that a 
statement has been filed. Where feasible, the notation itself shall be 
integral to the record. Where disclosure accounting has been made, the 
WHS-Serviced Component shall advise previous recipients that the record 
has been disputed and shall provide a copy of the individual's 
statement of disagreement in accordance with 32 CFR 310.21.
    (i) This statement shall be maintained to permit ready retrieval 
whenever the disputed portion of the record is disclosed.
    (ii) When information that is the subject of a statement of 
disagreement is subsequently disclosed, the WHS-Serviced Component 
designated official shall note which information is disputed and 
provide a copy of the individual's statement.
    (2) The WHS-Serviced Component shall include a brief summary of its 
reasons for not making a correction when disclosing disputed 
information. Such statement shall normally be limited to the reasons 
given to the individual for not amending the record.
    (3) Copies of the WHS-Serviced Component summary will be treated as 
part of the individual's record; however, it will not be subject to the 
amendment procedure outlined in paragraph (f) of this section.
    (h) Penalties. (1) Civil Action. An individual may file a civil 
suit against the WHS-Serviced Component or its employees if the 
individual feels certain provisions of the Privacy Act have been 
violated.
    (2) Criminal Action. (i) Criminal penalties may be imposed against 
an officer or employee of a WHS-Serviced Component for these offenses 
listed in the Privacy Act:
    (A) Willful unauthorized disclosure of protected information in the 
records;
    (B) Failure to publish a notice of the existence of a record system 
in the Federal Register; and
    (C) Requesting or gaining access to the individual's record under 
false pretenses.
    (ii) An officer or employee of a WHS-Serviced Component may be 
fined up to $5,000 for a violation as outlined in paragraphs 
(h)(2)(i)(A) through (h)(2)(i)(C) of this section.
    (i) Litigation Status Sheet. Whenever a complaint citing the 
Privacy Act is filed in a U.S. District Court against the Department of 
Defense, a WHS-Serviced Component, or any employee of a WHS-Serviced 
Component, the responsible system manager shall promptly notify the 
OSD/JS Privacy Office, which shall notify the DPO. The litigation 
status sheet in Appendix H of 32 CFR part 310 provides a standard 
format for this notification. (The initial litigation status sheet 
shall, as a minimum, provide the information required by items 1 
through 6). A revised litigation status sheet shall be provided at each 
stage of the litigation. When a court renders a formal opinion or 
judgment, copies of the judgment or opinion shall be provided to the 
OSD/JS Privacy Office with the litigation status sheet reporting that 
judgment or opinion.
    (j) Computer Matching Programs. 32 CFR 310.52 prescribes that all 
requests for participation in a matching program (either as a matching 
agency or a source agency) be submitted to the DPO for review and 
compliance. The WHS-Serviced Components shall submit a courtesy copy to 
the OSD/JS Privacy Office at the time of transmittal to the DPO.


Sec.  311.7.  OSD/JS Privacy Office Processes.

    The OSD/JS Privacy Office shall:
    (a) Exercise oversight and administrative control of the OSD/JS 
Privacy Program for the WHS-Serviced Components.
    (b) Provide guidance and training to the WHS-Serviced Components as 
required by 32 CFR 310.37.
    (c) Collect and consolidate data from the WHS-Serviced Components 
and submit reports to the DPO, as required by 32 CFR 310.40 or 
otherwise requested by the DPO.
    (d) Coordinate and consolidate information for reporting all record 
systems, as well as changes to approved systems, to the DPO for final 
processing to the Office of Management and Budget, the Congress, and 
the Federal Register, as required by 32 CFR part 310.
    (e) In coordination with DPO, serve as the appellate authority for 
the WHS-Serviced Components when a requester appeals a denial for 
access as well as when a requester appeals a denial for amendment or 
initiates legal action to correct a record.
    (f) Refer all matters about amendments of records and general and 
specific exemptions under 32 CFR 310.19, 310.28 and 310.29 to the 
proper WHS-Serviced Components.

    Dated: October 26, 2009.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. E9-26183 Filed 10-29-09; 8:45 am]
BILLING CODE 5001-06-P