(a) System of records. To be subject to the provisions of this part a “system of records” must:

(1) Consist of “records” (as defined in § 310.3(n)) that are retrieved by the name of an individual or some other personal identifier, and

(2) Be under the control of a DoD Component.

(b) Retrieval practices. (1) Records in a group of records that may be retrieved by a name or personal identifier are not covered by this part even if the records contain personal data and are under control of a DoD Component. The records must be, in fact, retrieved by name or other personal identifier to become a system of records for the purpose of this part.

(2) If files that are not retrieved by name or personal identifier are rearranged in such manner that they are retrieved by name or personal identifier, a new systems notice must be submitted in accordance with §310.63(c) of subpart G.

(3) If records in a system of records are rearranged so that retrieval is no longer by name or other personal identifier, the records are no longer subject to this part and the system notice for the records shall be deleted in accordance with § 310.64(c) of subpart G.

(c) Relevance and necessity. Retain in a system of records only that personal information which is relevant and necessary to accomplish a purpose required by a federal statute or an Executive Order.

(d) Authority to establish systems of records. Identify the specific statute or the Executive Order that authorize maintaining personal information in each system of records. The existance of a statute or Executive order mandating the maintenance of a system of records does not abrogate the responsibility to ensure that the information in the system of records is relevant and necessary.

(e) Exercise of First Amendment rights. (1) Do not maintain any records describing how an individual exercises his or her rights guaranteed by the First Amendment of the U.S. Constitution except when:

(i) Expressly authorized by federal statute;

(ii) Expressly authorized by the individual; or

(iii) Maintenance of the information is pertinent to and within the scope of an authorized law enforcement activity.

(2) First Amendment rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition.

(f) System manager's evaluation. (1) Evaluate the information to be included in each new system before establishing the system and evaluate periodically the information contained in each existing system of records for relevancy and necessity. Such a review shall also occur when a system notice amendment or alteration is prepared (see §§ 310.63 and 310.64 of subpart G).

(2) Consider the following:

(i) The relationship of each item of information retained and collected to the purpose for which the system is maintained;

(ii) The specific impact on the purpose or mission of not collecting each category of information contained in the system;

(iii) The possibility of meeting the information requirements through use of information not individually identifiable or through other techniques, such as sampling;

(iv) The length of time each item of personal information must be retained;

(v) The cost of maintaining the information; and

(vi) The necessity and relevancy of the information to the purpose for which it was collected.

(g) Discontinued information requirements. (1) Stop collecting immediately any category or item of personal information from which retention is no longer justified. Also excise this information from existing records, when feasible.

(2) Do not destroy any records that must be retained in accordance with disposal authorizations established under 44 U.S.C. 303a, “Examination by the Administrator of General Services of Lists and Schedules of Records Lacking Preservation Value, Disposal of Records.”

(a) Accuracy of information maintained. Maintain all personal information that is used or may be used to make any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in making any such determination.

(b) Accuracy determination before dissemination. Before disseminating any personal information from a system of records to any person outside the Department of Defense, other than a federal agency, make reasonable efforts to ensure that the information to be disclosed is accurate, relevant, timely, and complete for the purpose it is being maintained (see also § 310.30(d), subpart D and § 310.40(d), subpart E).

(a) Applicability to government contractors. (1) When a DoD Component contracts for the operation or maintenance of a system of records or a portion of a system of records by a contractor, the record system or the portion of the record system affected are considered to be maintained by the DoD Component and are subject to this part. The Component is responsible for applying the requirements of this part to the contractor. The contractor and its employees are to be considered employees of the DoD Component for purposes of the sanction provisions of the Privacy Act during the performance of the contract. Consistent with the Defense Acquisition Regulation (DAR), § 1.327, “Protection of Individual Privacy” contracts requiring the maintenance of a system of records or the portion of a system of records shall identify specifically the record system and the work to be performed and shall include in the solicitation and resulting contract such terms as are prescribed by the DAR.

(2) If the contractor must use or have access to individually identifiable information subject to this part to perform any part of a contract, and the information would have been collected and maintained by the DoD Component but for the award of the contract, these contractor activities are subject to this Regulation.

(3) The restriction in paragraphs (a) (1) and (2) of § 310.12 do not apply to records:

(i) Established and maintained to assist in making internal contractor management decisions, such as records maintained by the contractor for use in managing the contract;

(ii) Maintained as internal contractor employee records even when used in conjunction with providing goods and services to the Department of Defense; or

(iii) Maintained as training records by an educational organization contracted by a DoD Component to provide training when the records of the contract students are similar to and comingled with training records of other students (for example, admission forms, transcripts, academic counselling and similar records);

(iv) Maintained by a consumer reporting agency to which records have been disclosed under contract in accordance with the Federal Claims Collection Act of 1966, 31 U.S.C. 952(d).

(4) DoD Components must publish instruction that:

(i) Furnish DoD Privacy Program guidance to their personnel who solicit, award, or administer government contracts;

(ii) Inform prospective contractors of their responsibilities regarding the DoD Privary Program; and

(iii) Establish an internal system of contractor performance review to ensure compliance with the DoD Privacy Program.

(b) Contracting procedures. The Defense Systems Acquisition Regulatory Council (DSARC) is responsible for developing the specific policies and procedures to be followed when soliciting bids, awarding contracts or administering contracts that are subject to this part.

(c) Contractor compliance. Through the various contract surveillance programs, ensure contractors comply with the procedures established in accordance with paragraph (b) above of this subpart.

(d) Disclosure of records to contractors. Disclosure of personal records to a contractor for the use in the performance of any DoD contrtact by a DoD Component is considered a disclosure within the Department of Defense (see § 310.40(b), subpart E). The contractor is considered the agent of the contracting DoD Component and to be maintaining and receiving the records for that Component.

(a) General responsibilities. Establish appropriate administrative, technical and physical safeguards to ensure that the records in every system of records are protected from unauthorized alteration or disclosure and that their confidentiality is protected. Protect the records against reasonably anticipated threats or hazards that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom information is kept.

(b) Minimum standards. (1) Tailor system safeguards to conform to the type of records in the system, the sensitivity of the personal information stored, the storage medium used and, to a degree, the number of records maintained.

(2) Treat all unclassified records that contain personal information that normally would be withheld from the public under Exemption Numbers 6 and 7, of § 286.31, subpart D of 32 CFR part 286 (DoD Freedom of Information Act Program) as if they were designated “For Official Use Only” and safeguard them in accordance with the standards established by subpart E of 32 CFR part 286 (DoD FOIA Program) even if they are not actually marked “For Official Use Only.”

(3) Afford personal information that does not meet the criteria discussed in paragraph (c)(3) of this section that degree of security which provides protection commensurate with the nature and type of information involved.

(4) Special administrative, physical, and technical procedures are required to protect data that is stored or being processed temporarily in an automated data processing (ADP) system or in a word processing activity to protect it against threats unique to those environments (see Appendices A and B).

(5) Tailor safeguards specifically to the vulnerabilities of the system.

(c) Records disposal. (1) Dispose of records containing personal data so as to prevent inadvertent compromise. Disposal methods such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction.

(2) The transfer of large quantities of records containing personal data (for example, computer cards and printouts) in bulk to a disposal activity, such as the Defense Property Disposal Office, is not a release of personal information under this part. The sheer volume of such transfers make it difficult or impossible to identify readily specific individual records.

(3) When disposing of or destroying large quantities of records containing personal information, care must be exercised to ensure that the bulk of the records is maintained so as to prevent specific records from being readily identified. If bulk is maintained, no special procedures are required. If bulk cannot be maintained or if the form of the records make individually identifiable information easily available, dispose of the record in accordance with paragraph (c)(1) of this section.

(a) Collect directly from the individual. Collect to the greatest extent practicable personal information directly from the individual to whom it pertains if the information may be used in making any determination about the rights, privileges, or benefits of the individual under any federal program (see also paragraph (c) of this section).

(b) Collecting Social Security Numbers (SSNs). (1) It is unlawful for any federal, state, or local governmental agency to deny an individual any right, benefit, or privilege provided by law because the individual refuses to provide his or her SSN. However, if a federal statute requires that the SSN be furnished or if the SSN is required to verify the identity of the individual in a system of records that was established and in use before January 1, 1975, and the SSN was required as an identifier by a statute or regulation adopted before that date, this restriction does not apply.

(2) When an individual is requested to provide his or her SSN, he or she must be advised:

(i) The uses that will be made of the SSN;

(ii) The statute, regulation, or rule authorizing the solicitation of the SSN; and

(iii) Whether providing the SSN is voluntary or mandatory.

(3) Include in any systems notice for any system of records that contains SSNs a statement indicating the authority for maintaining the SSN and the sources of the SSNs in the system. If the SSN is obtained directly from the individual indicate whether this is voluntary or mandatory.

(4) Executive Order 9397, “Numbering System For Federal Accounts Relating to Individual Persons,” November 30, 1943, authorizes solicitation and use of SSNs as numerical identifier for individuals in most Federal records systems. However, it does not provide mandatory authority for soliciting SSNs.

(5) Upon entrance into military service or civilian employment with the Department of Defense, individuals are asked to provide their SSNs. The SSN becomes the service or employment number for the individual and is used to establish personnel, financial, medical, and other official records. Provide the notification in paragraph (b)(2) of this section to the individual when originally soliciting his or her SSN. After an individual has provided his or her SSN for the purpose of establishing a record, the notification in paragraph (b)(2) is not required if the individual is only requested to furnish or verify the SSNs for identification purposes in connection with the normal use of his or her records. However, if the SSN is to be written down and retained for any purpose by the requesting official, the individual must be provided the notification required by paragraph (b)(2) of this section.

(6) Consult the Office of Personnel Management, Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735) when soliciting SSNs for use in OPM records systems.

(c) Collecting personal information from third parties. It may not be practical to collect personal information directly from the individual in all cases. Some examples of this are:

(1) Verification of information through third party sources for security or employment suitability determinations;

(2) Seeking third party opinions such as supervisory comments as to job knowledge, duty performance, or other opinion-type evaluations;

(3) When obtaining the needed information directly from the individual is exceptionally difficult or may result in unreasonable costs; or

(4) Contacting a third party at the request of the individual to furnish certain information such as exact periods of employment, termination dates, copies of records, or similar information.

(d) Privacy Act Statements. (1) When an individual is requested to furnish personal information about himself or herself for inclusion in a system of records, a Privacy Act Statement is required regardless of the medium used to collect the information (forms, personal interviews, stylized formats, telephonic interviews, or other methods). The Privacy Act Statement consists of the elements set forth in paragraph (d)(2) of this section. The statement enables the individual to make an informed decision whether to provide the information requested. If the personal information solicited is not to be incoporated into a system of records, the statement need not be given. However, personal information obtained without a Privacy Act Statement shall not be incorporated into any system of records. When soliciting SSNs for any purpose, see paragraph (b)(2) of this section.

(2) The Privacy Act Statement shall include:

(i) The specific federal statute or Executive Order that authorizes collection of the requested information (see paragraph (d) of § 310.10).

(ii) The principal purpose or purposes for which the information is to be used;

(iii) The routine uses that will be made of the information (see § 310.41(e), subpart E);

(iv) Whether providing the information is voluntary or mandatory (see paragraph (e) of this section); and

(v) The effects on the individual if he or she chooses not to provide the requested information.

(3) The Privacy Act Statement shall be concise, current, and easily understood.

(4) The Privacy Act statement may appear as a public notice (sign or poster), conspicuously displayed in the area where the information is collected, such as at check-cashing facilities or identification photograph facilities.

(5) The individual normally is not required to sign the Privacy Act Statement.

(6) Provide the individual a written copy of the Privacy Act Statement upon request. This must be done regardless of the method chosen to furnish the initial advisement.

(e) Mandatory as opposed to voluntary disclosures. Include in the Privacy Act Statement specifically whether furnishing the requested personal data is mandatory or voluntary. A requirement to furnish personal data is mandatory only when a federal statute, Executive Order, regulation, or other lawful order specifically imposes a duty on the individual to provide the information sought, and the individual is subject to a penalty if he or she fails to provide the requested information. If providing the information is only a condition of or prerequisite to granting a benefit or privilege and the individual has the option of requesting the benefit or privilege, providing the information is always voluntary. However, the loss or denial of the privilege, benefit, or entitlement sought may be listed as a consequence of not furnishing the requested information.

(a) DoD forms. (1) DoD Directive 5000.21, “Forms Management Program” provides guidance for preparing Privacy Act Statements for use with forms (see also paragraph (b)(1) of this section).

(2) When forms are used to collect personal information, the Privacy Act Statement shall appear as follows (listed in the order of preference):

(i) In the body of the form, preferably just below the title so that the reader will be advised of the contents of the statement before he or she begins to complete the form;

(ii) On the reverse side of the form with an appropriate annotation under the title giving its location;

(iii) On a tear-off sheet attached to the form; or

(iv) As a separate supplement to the form.

(b) Forms issued by non-DoD activities. (1) Forms subject to the Privacy Act issued by other federal agencies have a Privacy Act Statement attached or included. Always ensure that the statement prepared by the originating agency is adequate for the purpose for which the form will be used by the DoD activity. If the Privacy Act Statement provided is inadequate, the DoD Component concerned shall prepare a new statement or a supplement to the existing statement before using the form.

(2) Forms issued by agencies not subject to the Privacy Act (state, municipal, and other local agencies) do not contain Privacy Act Statements. Before using a form prepared by such agencies to collect personal data subject to this part, an appropriate Privacy Act Statement must be added.

(a) Individual access. (1) The access provisions of this part are intended for use by individuals about whom records are maintained in systems of records. Release of personal information to individuals under this part is not considered public release of information.

(2) Make available to the individual to whom the record pertains all of the personal information that can be released consistent with DoD responsibilities.

(b) Individual requests for access. Individuals shall address requests for access to personal information in a system of records to the system manager or to the office designated in the DoD Component rules or the system notice.

(c) Verification of identity. (1) Before granting access to personal data, an individual may be required to provide reasonable verification of his or her identity.

(2) Identity verification procedures shall not:

(i) Be so complicated as to discourage unnecessarily individuals from seeking access to information about themselves; or

(ii) Be required of an individual seeking access to records which normally would be available under the “DoD Freedom of Information Act Program” (32 CFR part 286).

(3) Normally, when individuals seek personal access to records pertaining to themselves, identification is made from documents that normally are readily available, such as employee and military identification cards, driver's license, other licenses, permits or passes used for routine identification purposes.

(4) When access is requested by mail, identity verification may consist of the individual providing certain minimum identifying data, such as full name, date and place of birth, or such other personal information necessary to locate the record sought. If the information sought is of a sensitive nature, additional identifying data may be required. If notarization of requests is required, procedures shall be established for an alternate method of verification for individuals who do not have access to notary services, such as military members overseas.

(5) If an individual wishes to be accompanied by a third party when seeking access to his or her records or to have the records released directly to a third party, the individual may be required to furnish a signed access authorization granting the third party access.

(6) An individual shall not be refused access to his or her record solely because he or she refuses to divulge his or her SSN unless the SSN is the only method by which retrieval can be made. (See § 310.20(b)).

(7) The individual is not required to explain or justify his or her need for access to any record under this part.

(8) Only a denial authority may deny access and the denial must be in writing and contain the information required by paragraph (b) of § 310.31.

(d) Granting individual access to records. (1) Grant the individual access to the original record or an exact copy of the original record without any changes or deletions, except when changes or deletions have been made in accordance with paragraph (e) of this section. For the purpose of granting access, a record that has been amended under § 310.31(b) is considered to be the original. See pargraph (e) of this section for the policy regarding the use of summaries and extracts.

(2) Provide exact copies of the record when furnishing the individual copies of records under this part.

(3) Explain in terms understood by the requestor any record or portion of a record that is not clear.

(e) Illegible, incomplete, or partially exempt records. (1) Do not deny an individual access to a record or a copy of a record solely because the physical condition or format of the record does not make it readily available (for example, deteriorated state or on magnetic tape). Either prepare an extract or recopy the document exactly.

(2) If a portion of the record contains information that is exempt from access, an extract or summary containing all of the information in the record that is releasable shall be prepared.

(3) When the physical condition of the record or its state makes it necessary to prepare an extract for release, ensure that the extract can be understood by the requester.

(4) Explain to the requester all deletions or changes to the records.

(f) Access to medical records. (1) Disclose medical records to the individual to whom they pertain, even if a minor, unless a judgment is made that access to such records could have an adverse effect on the mental or physical health of the individual. Normally, this determination shall be made in consultation with a medical doctor.

(2) If it is determined that the release of the medical information may be harmful to the mental or physical health of the individual:

(i) Send the record to a physician named by the individual; and

(ii) In the transmittal letter to the physician explain why access by the individual without proper professional supervision could be harmful (unless it is obvious from the record).

(3) Do not require the physician to request the records for the individual.

(4) If the individual refuses or fails to designate a physician, the record shall not be provided. Such refusal of access is not considered a denial for Privacy Act reporting purposes. (See paragraph (a) of § 310.31).

(5) Access to a minor's medical records may be granted to his or her parents or legal guardians. However, observe the following procedures:

(i) In the United States, the laws of the particular state in which the records are located may afford special protection to certain types of medical records (for example, records dealing with treatment for drug or alcohol abuse and certain psychiatric records). Even if the records are maintained by a military medical facilities these statutes may apply.

(ii) For the purposes of parental access to the medical records and medical determinations regarding minors at overseas installation the age of majority is 18 years except when:

(A) A minor at the time he or she sought or consented to the treatment was between 15 and 17 years of age;

(B) The treatment was sought in a program which was authorized by regulation or statute to offer confidentiality of treatment records as a part of the program;

(C) The minor specifically requested or indicated that he or she wished the treatment record to be handled with confidence and not released to a parent or guardian; and

(D) The parent or guardian seeking access does not have the written authorization of the minor or a valid court order granting access.

(iii) If all four of the above conditions are met, the parent or guardian shall be denied access to the medical records of the minor. Do not use these procedures to deny the minor access to his or her own records under this part or any other statutes.

(6) All members of the Military Services and all married persons are not considered minors regardless of age, and the parents of these individuals do not have access to their medical records without written consent of the individual.

(g) Access to information compiled in anticipation of civil action. (1) An individual is not entitled under this part to gain access to information compiled in reasonable anticipation of a civil action or proceeding.

(2) The term “civil proceeding” is intended to include quasi-judicial and pretrial judicial proceedings that are the necessary preliminary steps to formal litigation.

(3) Attorney work products prepared in conjunction with quasi-judicial pretrial, and trial proceedings, to include those prepared to advise DoD Component officials of the possible legal consequences of a given course of action, are protected.

(h) Access to investigatory records. (1) Requests by individuals for access to investigatory records pertaining to themselves and compiled for law enforcement purposes are processed under this part of the DoD Freedom of Information Program (32 CFR part 286) depending on which part gives them the greatest degree of access.

(2) Process requests by individuals for access to investigatory record pertaining to themselves compiled for law enforcement purposes and in the custody of law enforcement activities that have been incorporated into systems of records exempted from the access provisions of this part in accordance with section B of chapter 5 under reference (f). Do not deny an individual access to the record solely because it is in the exempt system, but give him or her automatically the same access he or she would receive under the Freedom of Information Act (5 U.S.C. 552). (See also paragraph (h) of this section.)

(3) Process requests by individuals for access to investigatory records pertaining to themselves that are in records systems exempted from access provisions under paragraph (a) of § 310.52, subpart F, under this part, or the DoD Freedom of Information Act Program (32 CFR part 286) depending upon which regulation gives the greatest degree of access (see also paragraph (j) of this section).

(4) Refer individual requests for access to investigatory records exempted from access under a general exemption temporarily in the hands of a noninvestigatory element for adjudicative or personnel actions to the originating investigating agency. Inform the requester in writing of these referrals.

(i) Nonagency records. (1) Certain documents under the physical control of DoD personnel and used to assist them in performing official functions, are not considered “agency records” within the meaning of this Regulation. Uncirculated personal notes and records that are not disseminated or circulated to any person or organization (for example, personal telephone lists or memory aids) that are retained or discarded at the author's discretion and over which the Component exercises no direct control, are not considered agency records. However, if personnel are officially directed or encouraged, either in writing or orally, to maintain such records, they may become “agency records,” and may be subject to this part.

(2) The personal uncirculated handwritten notes of unit leaders, office supervisors, or military supervisory personnel concerning subordinates are not systems of records within the meaning of this part. Such notes are an extension of the individual's memory. These notes, however, must be maintained and discarded at the discretion of the individual supervisor and not circulated to others. Any established requirement to maintain such notes (such as, written or oral directives, regulations, or command policy) make these notes “agency records” and they then must be made a part of a system of records. If the notes are circulated, they must be made a part of a system of records. Any action that gives personal notes the appearance of official agency records is prohibited, unless the notes have been incorporated into a system of records.

(j) Relationship between the Privacy Act and the Freedom of Information Act. (1) Process requests for individual access as follows:

(i) Requests by individuals for access to records pertaining to themselves made under the Freedom of Information Act (5 U.S.C. 552) or the DoD Freedom of Information Act Program (32 CFR part 286) or DoD Component instuctions implementing the DoD Freedom of Information Act Program are processed under the provisions of that reference.

(ii) Requests by individuals for access to records pertaining to themselves made under the Privacy Act of 1971 (5 U.S.C. 552a), this part, or the DoD Component instructions implementing this part are processed under this part.

(iii) Requests by individuals for access to records about themselves that cite both Acts or the implementing regulations and instructions for both Acts are processed under this part except:

(A) When the access provisions of the DoD Freedom of Information Act Program (32 CFR part 286) provide a greater degree of access; or

(B) When access to the information sought is controlled by another federal statute.

(C) If the former applies, follow the provisions of 32 CFR part 286; and if the later applies, follow the access procedures established under the controlling statute.

(iv) Requests by individuals for access to information about themselves in systems of records that do not cite either Act or the implementing regulations or instructions for either Act are processed under the procedures established by this part. However, there is no requirement to cite the specific provisions of this part or the Privacy Act (5 U.S.C. 552a) when responding to such requests. Do not count these requests as Privacy Act request for reporting purposes (see subpart I).

(2) Do not deny individuals access to personal information concerning themselves that would otherwise be releasable to them under either Act solely because they fail to cite either Act or cite the wrong Act, regulation, or instruction.

(3) Explain to the requester which Act or procedures have been used when granting or denying access under either Act (see also paragraph (j)(1)(iv) of this section).

(k) Time limits. Normally acknowledge requests for access within 10 working days after receipt and provide access within 30 working days.

(l) Privacy case file. Establish a Privacy Act case file when required (see paragraph (p) of § 310.32 of this subpart).

(a) Denying individual access. (1) An individual may be denied formally access to a record pertaining to him or her only if the record:

(i) Was compiled in reasonable anticipation of civil action (see paragraph (g) of § 310.30)

(ii) Is in a system of records that has been exempted from the access provisions of this regulation under one of the permitted exemptions (see subpart F).

(iii) Contains classified information that has been exempted from the access provision of this part under blanket exemption for such material claimed for all DoD records system (see §310.50(c) of subpart F).

(iv) Is contained in a system of records for which access may be denied under some other federal statute.

(2) Only deny the individual access to those portions of the records from which the denial of access serves some legitimate governmental purpose.

(b) Other reasons to refuse access. (1) An individual may be refused access if:

(i) The record is not described well enough to enable it to be located with a reasonable amount of effort on the part of an employee familiar with the file; or

(ii) Access is sought by an individual who fails or refuses to comply with the established procedural requirements, including refusing to name a physician to receive medical records when required (see paragraph (f) of §310.30) or to pay fees (see §310.33 of this subpart).

(2) Always explain to the individual the specific reason access has been refused and how he or she may obtain access.

(c) Notifying the individual. Formal denials of access must be in writing and include as a minimum:

(1) The name, title or position, and signature of a designated Component denial authority;

(2) The date of the denial;

(3) The specific reason for the denial, including specific citation to the appropriate sections of the Privacy Act (5 U.S.C. 552a) or other statutes, this part, DoD Component instructions or Code of Federal Regulations (CFR) authorizing the denial;

(4) Notice to the individual of his or her right to appeal the denial through the Component appeal procedure within 60 calendar days; and

(5) The title or position and address of the Privacy Act appeals official for the Component.

(d) DoD Component appeal procedures. Establish internal appeal procedures that, as a minimum, provide for:

(1) Review by the head of the Component or his or her designee of any appeal by an individual from a denial of access to Component records.

(2) Formal written notification to the individual by the appeal authority that shall:

(i) If the denial is sustained totally or in part, include as a minimum:

(A) The exact reason for denying the appeal to include specific citation to the provisions of the Act or other statute, this part, Component instructions or the CFR upon which the determination is based;

(B) The date of the appeal determination;

(C) The name, title, and signature of the appeal authority;

(D) A statement informing the applicant of his or her right to seek judicial relief.

(ii) If the appeal is granted, notify the individual and provide access to the material to which access has been granted.

(3) The written appeal notification granting or denying access is the final Component action as regards access.

(4) The individual shall file any appeals from denial of access within no less than 60 calendar days of receipt of the denial notification.

(5) Process all appeals within 30 days of receipt unless the appeal authority determines that a fair and equitable review cannot be made within that period. Notify the applicant in writing if additional time is required for the appellate review. The notification must include the reasons for the delay and state when the individual may expect an answer to the appeal.

(e) Denial of appeals by failure to act. A requester may consider his or her appeal formally denied if the authority fails:

(1) To act on the appeal within 30 days;

(2) To provide the requester with a notice of extension within 30 days; or

(3) To act within the time limits established in the Component's notice of extension (see paragraph (d)(5) of this section).

(f) Denying access to OPM records held by DoD Components. (1) The records in all systems of records maintained in accordance with the OPM government-wide system notices are technically only in the temporary custody of the Department of Defense.

(2) All requests for access to these records must be processed in accordance with the Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735) as well as the applicable Component procedures.

(3) When a DoD Component refuses to grant access to a record in an OPM system, the Component shall instruct the individual to direct his or her appeal to the appropriate Component appeal authority, not the Office of Personnel Management.

(4) The Component is responsible for the administrative review of its denial of access to such records.

(a) Individual review and correction. Individuals are encouraged to review the personnel information being maintained about them by DoD Components periodically and to avail themselves of the procedures established by this part and any other Component regulations to update their records.

(b) Amending records. (1) An individual may request the amendment of any record contained in a system of records pertaining to him or her unless the system of record has been exempted specifically from the amendment procedures of this part under paragraph (b) of § 310.50, subpart F. Normally, amendments under this part are limited to correcting factual matters and not matters of official judgment, such as performance ratings, promotion potential, and job performance appraisals.

(2) While a Component may require that the request for amendment be in writing, this requirement shall not be used to discourage individuals from requesting valid amendments or to burden needlessly the amendment process.

(3) A request for amendment must include:

(i) A description of the item or items to be amended;

(ii) The specific reason for the amendment;

(iii) The type of amendment action sought (deletion, correction, or addition); and

(iv) Copies of available documentary evidence supporting the request.

(c) Burden of proof. The applicant must support adequately his or her claim.

(d) Identification of requesters. (1) Individuals may be required to provide identification to ensure that they are indeed seeking to amend a record pertaining to themselves and not, inadvertently or intentionally, the record of others.

(2) The indentification procedures shall not be used to discourage legitimate requests or to burden needlessly or delay the amendment process. (See paragraph (c) of § 310.30).

(e) Limits on attacking evidence previously submitted. (1) The amendment process is not intended to permit the alteration of evidence presented in the course of judicial or quasi-judicial proceedings. Any amendments or changes to these records normally are made through the specific procedures established for the amendment of such records.

(2) Nothing in the amendment process is intended or designed to permit a collateral attack upon what has already been the subject of a judicial or quasi-judicial determination. However, while the individual may not attack the accuracy of the judicial or quasi-judicial determination under this part, he or she may challenge the accuracy of the recording of that action.

(f) Sufficiency of a request to amend. Consider the following factors when evaluating the sufficiency of a request to amend:

(1) The accuracy of the information itself; and

(2) The relevancy, timeliness, completeness, and necessity of the recorded information for accomplishing an assigned mission or purpose.

(g) Time limits. (1) Provide written acknowledgement of a request to amend within 10 working days of its receipt by the appropriate systems manager. There is no need to acknowledge a request if the action is completed within 10 working days and the individual is so informed.

(2) The letter of acknowledgement shall clearly identify the request and advise the individual when he or she may expect to be notified of the completed action.

(3) Only under the most exceptional circumstances shall more than 30 days be required to reach a decision on a request to amend. Document fully and explain in the Privacy Act case file (see paragraph (p) of this section) any such decision that takes more than 30 days to resolve.

(h) Agreement to amend. If the decision is made to grant all or part of the request for amendment, amend the record accordingly and notify the requester.

(i) Notification of previous recipients. (1) Notify all previous recipients of the information, as reflected in the disclosure accounting records, that an amendment has been made and the substance of the amendment. Recipients who are known to be no longer retaining the information need not be advised of the amendment. All DoD Components and federal agencies known to be retaining the record or information, even if not reflected in a disclosure record, shall be notified of the amendment. Advise the requester of these notifications.

(2) Honor all requests by the requester to notify specific federal agencies of the amendment action.

(j) Denying amendment. If the request for amendment is denied in whole or in part, promptly advise the individual in writing of the decision to include:

(1) The specific reason and authority for not amending;

(2) Notification that he or she may seek further independent review of the decision by the head of the Component or his or her designee;

(3) The procedures for appealing the decision citing the position and address of the official to whom the appeal shall be addressed; and

(4) Where he or she can receive assistance in filing the appeal.

(k) DoD Component appeal procedures. Establish procedures to ensure the prompt, complete, and independent review of each amendment denial upon appeal by the individual. These procedures must ensure that:

(1) The appeal with all supporting materials both that furnished the individual and that contained in Component records is provided to the reviewing official, and

(2) If the appeal is denied completely or in part, the individual is notified in writing by the reviewing official that:

(i) The appeal has been denied and the specific reason and authority for the denial;

(ii) The individual may file a statement of disagreement with the appropriate authority and the procedures for filing this statement;

(iii) If filed properly, the statement of disagreement shall be included in the records, furnished to all future recipients of the records, and provided to all prior recipients of the disputed records who are known to hold the record; and

(iv) The individual may seek a judicial review of the decision not to amend.

(3) If the record is amended, ensure that:

(i) The requester is notified promptly of the decision;

(ii) All prior known recipients of the records who are known to be retaining the record are notified of the decision and the specific nature of the amendment (see paragraph (i) of this section); and

(iii) The requester is notified as to which DoD Components and federal agencies have been told of the amendment.

(4) Process all appeals within 30 days unless the appeal authority determines that a fair review cannot be made within this time limit. If additional time is required for the appeal, notify the requester, in writing, of the delay, the reason for the delay, and when he or she may expect a final decision on the appeal. Document fully all requirements for additional time in the Privacy Case File. (See paragraph (p) of this section)

(l) Denying amendment of OPM records held by DoD Components. (1) The records in all systems of records controlled by the Office of Personnel Management (OPM) government-wide system notices are technically only temporarily in the custody of the Department of Defense.

(2) All requests for amendment of these records must be processed in accordance with the OPM Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735). The Component denial authority may deny a request. However, the appeal process for all such denials must include a review by the Assistant Director for Agency Compliance and Evaluation, Office of Personnel Management, 1900 E Street NW, Washington, DC 20415.

(3) When an appeal is received from a Component's denial of amendment of the OPM controlled record, process the appeal in accordance with the OPM Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735) and notify the OPM appeal authority listed above.

(4) The individual may appeal any Component decision not to amend the OPM records directly to OPM.

(5) OPM is the final review authority for any appeals from a denial to amend the OPM records.

(m) Statements of disagreement submitted by individuals. (1) If the reviewing authority refuses to amend the record as requested, the individual may submit a concise statement of disagreement setting forth his or her reasons for disagreeing with the decision not to amend.

(2) If an individual chooses to file a statement of disagreement, annotate the record to indicate that the statement has been filed (see paragraph (n) of this section).

(3) Furnish copies of the statement of disagreement to all DoD Components and federal agencies that have been provided copies of the disputed information and who may be maintaining the information.

(n) Maintaining statements of disagreement. (1) When possible, incorporate the statement of disagreement into the record.

(2) If the statement cannot be made a part of the record, establish procedures to ensure that it is apparent from the records that a statement of disagreement has been filed and maintain the statement so that it can be obtained readily when the disputed information is used or disclosed.

(3) Automated record systems that are not programed to accept statements of disagreement shall be annotated or coded so that they clearly indicate that a statement of disagreement is on file, and clearly identify the statement with the disputed information in the system.

(4) Provide a copy of the statement of disagreement whenever the disputed information is disclosed for any purpose.

(o) DoD Component summaries of reasons for refusing to amend. (1) A summary of reasons for refusing to amend may be included with any record for which a statement of disagreement is filed.

(2) Include in this summary only the reasons furnished to the individual for not amending the record. Do not include comments on the statement of disagreement. Normally, the summary and statement of disagreement are filed together.

(3) When disclosing information for which a summary has been filed, a copy of the summary may be included in the release, if the Component desires.

(p) Privacy Case Files. (1) Establish a separate Privacy Case File to retain the documentation received and generated during the amendment or access process.

(2) The Privacy Case File shall contain as a minimum:

(i) The request for amendment or access;

(ii) Copies of the DoD Component's reply granting or denying the request;

(iii) Any appeals from the individual;

(iv) Copies of the action regarding the appeal with supporting documentation which is not in the basic file; and

(v) Any other correspondence generated in processing the appeal, to include coordination documentation.

(3) Only the items listed in paragraphs (p)(4) and (s) of this section may be included in the system of records challenged for amendment or for which access is sought. Do not retain copies of unamended records in the basic record system if the request for amendment is granted.

(4) The following items relating to an amendment request may be included in the disputed record system:

(i) Copies of the amended record.

(ii) Copies of the individual's statement of disagreement (see paragraph (m) of this section).

(iii) Copies of Component summaries (see paragraph (o) of this section).

(iv) Supporting documentation submitted by the individual.

(5) The following items relating to an access request may be included in the basic records system:

(i) Copies of the request;

(ii) Copies of the Component's action granting total access.

(iii) Copies of the Component's action denying access;

(iv) Copies of any appeals filed;

(v) Copies of the reply to the appeal.

(6) There is no need to establish a Privacy case file if the individual has not cited the Privacy Act (reference (b)), this part, or the Component implementing instruction for this part.

(7) Privacy case files shall not be furnished or disclosed to anyone for use in making any determination about the individual other than determinations made under this part.

(a) Assessing fees. (1) Charge the individual only the direct cost of reproduction.

(2) Do not charge reproduction fees if copying is:

(i) The only means to make the record available to the individual (for example, a copy of the record must be made to delete classified information); or

(ii) For the convenience of the DoD Component (for example, the Component has no reading room where an individual may review the record, or reproduction is done to keep the original in the Component's file).

(3) No fees shall be charged when the record may be obtained without charge under any other regulation, directive, or statute.

(4) Do not use fees to discourage requests.

(b) No minimum fees authorized. Use fees only to recoup direct reproduction costs associated with granting access. Minimum fees for duplication are not authorized and there is no automatic charge for processing a request.

(c) Prohibited fees. Do not charge or collect fees for:

(1) Search and retrieval of records;

(2) Review of records to determine releasability;

(3) Copying records for DoD Component convenience or when the individual has not specifically requested a copy;

(4) Transportation of records and personnel; or

(5) Normal postage.

(d) Waiver of fees. (1) Normally, fees are waived automatically if the direct costs of a given request is less than $30. This fee waiver provision does not apply when a waiver has been granted to the individual before, and later requests appear to be an extension or duplication of that original request. A DoD Component may, however, set aside this automatic fee waiver provision when on the basis of good evidence it determines that the waiver of fees is not in the public interest.

(2) Decisions to waiver or reduce fees that exceed the automatic waiver threshold shall be made on a case-by-case basis.

(e) Fees for members of Congress. Do not charge members of Congress for copying records furnished even when the records are requested under the Privacy Act on behalf of a constituent (see § 310.41(k) of subpart E). When replying to a constituent inquiry and the fees involved are substantial, consider suggesting to the Congressman that the constituent can obtain the information directly by writing to the appropriate offices and paying the costs. When practical, suggest to the Congressman that the record can be examined at no cost if the constituent wishes to visit the custodian of the record.

(f) Reproduction fees computation. Compute fees using the appropriate portions of the fee schedule in subpart G of the DoD Freedom of Information Program (32 CFR part 286).

(a) Disclosures to third parties. (1) The Privacy Act only compels disclosure of records from a system of records to the individuals to whom they pertain.

(2) All requests by individual for personal information about other individuals (third parties) shall be processed under the DoD Freedom of Information Program (32 CFR part 286), except for requests by the parents of a minor, or legal guardians of an individual, for access to the records pertaining to the minor or individual.

(b) Disclosures among DoD Components. For the purposes of disclosure and disclosure accounting, the Department of Defense is considered a single agency (see § 310.41(a)).

(c) Disclosures outside the Department of Defense. Do not disclose personal information from a system of records outside the Department of Defense unless:

(1) The record has been requested by the individual to whom it pertains.

(2) The written consent of the individual to whom the record pertains has been obtained for release of the record to the requesting agency, activity, or individual, or

(3) The release is for one of the specific nonconsensual purposes set forth in § 310.41 of this part.

(d) Validation before disclosure. Except for releases made in accordance with the Freedom of Information Act (5 U.S.C. 552), before disclosing any personal information to any recipient outside the Department of Defense other than a federal agency or the individual to whom it pertains:

(1) Ensure that the records are accurate, timely, complete, and relevant for agency purposes;

(2) Contact the individual, if reasonably available, to verify the accuracy, timeliness, completeness, and relevancy of the information, if the cannot be determined from the record; or

(3) If the information is not current and the individual is not reasonably available, advise the recipient that the information is believed accurate as of a specific date and any other known factors bearing on its accuracy and relevancy.

(a) Disclosures within the Department of Defense. (1) Records pertaining to an individual may be disclosed without the consent of the individual to any DoD official who has need for the record in the performance of his or her assigned duties.

(2) Rank, position, or title alone do not authorize access to personal information about others. An official need for the information must exist before disclosure.

(b) Disclosures under the Freedom of Information Act. (1) All records must be disclosed if their release is required by the Freedom of Information Act (5 U.S.C 552) see also the DoD Freedom of Information Program (32 CFR part 286). The Freedom of Information Act requires that records be made available to the public unless exempted from disclosure by one of the nine exemptions found in the Act. It follows, therefore, that if a record is not exempt from disclosure it must be disclosed.

(2) The standard for exempting most personal records, such as personnel records, medical records, and similar records, is found in Exemption Number 6 of 32 CFR 286.31. Under that exemption, release of personal information can only be denied when its release would be a “clearly unwarranted invasion of personal privacy.”

(3) Release of personal information in investigatory records including personnel security investigation records is controlled by the broader standard of an “unwarranted invasion of personal privacy” found in Exemption Number 7 of 32 CFR 286.31. This broader standard applies only to investigatory records.

(4) See 32 CFR part 286 for the standards to use in applying these exemptions.

(c) Personal information that is normally releasable—(1) DoD civilian employees. (i) Some examples of personal information regarding DoD civilian employees that normally may be released without a clearly unwarranted invasion of personal privacy include:

(A) Name.

(B) Present and past postion titles.

(C) Present and past grades.

(D) Present and past salaries.

(E) Present and past duty stations.

(F) Office or duty telephone numbers.

(ii) All disclosures of personal information regarding federal civilian employees shall be made in accordance with the Federal Personnel Manual (FPM) 5 CFR parts 293, 294, 297 and 735.

(2) Military members. (i) While it is not possible to identify categorically information that must be released or withheld from military personnel records in every instance, the following items of personal information regarding military members normally may be disclosed without a clearly unwarranted invasion of their personal privacy:

(A) Full name.

(B) Rank.

(C) Date of rank.

(D) Gross salary.

(E) Past duty assignments.

(F) Present duty assignment.

(G) Future assignments that are officially established.

(H) Office of duty telephone numbers.

(I) Source of commission.

(J) Promotion sequence number.

(K) Awards and decorations.

(L) Attendance at professional military schools.

(M) Duty status at any given time.

(ii) All releases of personal information regarding military members shall be made in accordance with the standards established by 32 CFR part 286.

(3) Civilian employees not under the FPM. (i) While it is not possible to identify categorically those items of personal information that must be released regarding civilian employees not subject to the Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735), such as nonappropriated fund employees, normally the following items may be released without a clearly unwarranted invasion of personal privacy:

(A) Full name.

(B) Grade or position.

(C) Date of grade.

(D) Gross salary.

(E) Present and past assignments.

(F) Future assignments, if officially established.

(G) Office or duty telephone numbers.

(ii) All releases of personal information regarding civilian personnel in this category shall be made in accordance with the standards established by 32 CFR part 286, the DoD Freedom of Information Program.

(d) Release of home addresses and home telephone numbers. (1) The release of home addresses and home telephone numbers normally is considered a clearly unwarranted invasion of personal privacy and is prohibited. However, these may be released without prior specific consent of the individual if:

(i) The individual has indicated previously that he or she interposes no objection to their release (see paragraphs (d) (3) and (4) of this section);

(ii) The source of the information to be released is a public document such as commercial telephone directory or other public listing;

(iii) The release is required by federal statute (for example, pursuant to federally-funded state programs to locate parents who have defaulted on child support payments (42 U.S.C. 653); or

(iv) The releasing official releases the information under the provisions of the DoD Freedom of Information Act Program (32 CFR part 286).

(2) A request for a home address or telephone number may be referred to the last known address of the individual for a direct reply by him or her to the requester. In such cases the requester shall be notified of the referral.

(3) When collecting lists of home addresses and telephone numbers, the individual may be offered the option of authorizing the information pertaining to him or her to be disseminated without further permission for specific purposes, such as locator services. In these cases, the information may be disseminated for the stated purpose without further consent. However, if the information is to be disseminated for any other purpose, a new consent is required. Normally such consent for release is in writing and signed by the individual.

(4) Before listing home addresses and home telephone numbers in DoD telephone directories, give the individuals the opportunity to refuse such a listing. Excuse the individual from paying any additional cost that may be associated with maintaining an unlisted number for government-owned telephone services if the individual requests his or her number not be listed in the directory under this part.

(5) Do not sell or rent lists of individual names and addresses unless such action is specifically authorized.

(e) Disclosures for established routine uses. (1) Records may be disclosed outside the Department of Defense without consent of the individual to whom they pertain for an established routine use.

(2) A routine use shall:

(i) Be compatible with and related to the purpose for which the record was compiled;

(ii) Identify the persons or organizations to whom the record may be released;

(iii) Identify specifically the uses to which the information may be put by the receiving agency; and

(iv) Have been published previously in the Federal Register (see § 310.62(i), subpart G).

(3) Establish a routine use for each user of the information outside the Department of Defense who need official access to the records.

(4) Routine uses may be established, discontinued, or amended without the consent of the individuals involved. However, new or changed routine uses must be published in the Federal Register at least 30 days before actually disclosing any records under their provisions (see subpart G).

(5) In addition to the routine uses established by the individual system notices, common blanket routine uses for all DoD-maintained systems of records have been established (see appendix C). These blanket routine uses are published only at the beginning of the listing of system notices for each Component in the Federal Register (see paragraph § 310.62(a)(1), subpart G). Unless a system notice specifically excludes a system from a given blanket routine use, all blanket routine uses apply.

(6) If the recipient has not been identified in the Federal Register or a use to which the recipient intends to put the record has not been published in the system notice as a routine use, the written permission of the individual is required before release or use of the record for that purpose.

(f) Disclosures to the Bureau of the Census. Records in DoD systems of records may be disclosed without the consent of the individuals to whom they pertain to the Bureau of the Census for purposes of planning or carrying out a census survey or related activities pursuant to the provisions of 13 U.S.C. 8.

(g) Disclosures for statistical research and reporting. (1) Records may be disclosed for statistical research and reporting without the consent of the individuals to whom they pertain. Before such disclosures the recipient must provide advance written assurance that:

(i) The records will be used as statistical research or reporting records;

(ii) The records will only be transferred in a form that is not individually identifiable; and

(iii) The records will not be used, in whole or in part, to make any determination about the rights, benefits, or entitlements of specific individuals.

(2) A disclosure accounting (see paragraph (a) of § 310.44) is not required when information that is not identifiable individually is released for statistical research or reporting.

(h) Disclosures to the National Archives and Records Administration (NARA). (1) Records may be disclosed without the consent of the individual to whom they pertain to the NARA if they:

(i) Have historical or other value to warrant continued preservation; or

(ii) For evaluation by the NARA to determine if a record has such historical or other value.

(2) Records transferred to a Federal Records Center (FRC) for safekeeping and storage do not fall within this category. These remain under the control of the transferring Component, and the FRC personnel are considered agents of the Component which retains control over the records. No disclosure accounting is required for the transfer of records to the FRCs.

(i) Disclosures for law enforcement purposes. (1) Records may be disclosed without the consent of the individual to whom they pertain to another agency or an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, provided:

(i) The civil or criminal law enforcement activity is authorized by law;

(ii) The head of the law enforcement activity or a designee has made a written request specifying the particular records desired and the law enforcement purpose (such as criminal investigations, enforcement of a civil law, or a similar purpose) for which the record is sought; and

(iii) There is no federal statute that prohibits the disclosure of the records.

(2) Normally, blanket requests for access to any and all records pertaining to an individual are not honored.

(3) When a record is released to a law enforcement activity under paragraph (i)(1) of this section, maintain a disclosure accounting. This disclosure accounting shall not be made available to the individual to whom the record pertains if the law enforcement activity requests that the disclosure not be released.

(4) The blanket routine use for Law Enforcement (appendix C, section A.) applies to all DoD Component systems notices (see paragraph (e)(5) of this section). Only by including this routine use can a Component, on its own initiative, report indications of violations of law found in a system of records to a law enforcement activity without the consent of the individual to whom the record pertains (see paragraph (i)(1) of this section when responding to requests from law enforcement activities).

(j) Emergency disclosures. (1) Records may be disclosed without the consent of the individual to whom they pertain if disclosure is made under compelling circumstances affecting the health or safety of any individual. The affected individual need not be the subject of the record disclosed.

(2) When such a disclosure is made, notify the individual who is the subject of the record. Notification sent to the last known address of the individual as reflected in the records is sufficient.

(3) The specific data to be disclosed is at the discretion of releasing authority.

(4) Emergency medical information may be released by telephone.

(k) Disclosures to Congress and the General Accounting Office. (1) Records may be disclosed without the consent of the individual to whom they pertain to either House of the Congress or to any committee, joint committee or subcommittee of Congress if the release pertains to a matter within the jurisdiction of the committee. Records may also be disclosed to the General Accounting Office (GAO) in the course of the activities of GAO.

(2) The blanket routine use for “Congressional Inquiries” (see appendix C, section D.) applies to all systems; therefore, there is no need to verify that the individual has authorized the release of his or her record to a congressional member when responding to a congressional constituent inquiry.

(3) If necessary, accept constituent letters requesting a member of Congress to investigate a matter pertaining to the individual as written authorization to provide access to the records to the congressional member or his or her staff.

(4) The verbal statement by a congressional staff member is acceptable to establish that a request has been received from the person to whom the records pertain.

(5) If the constituent inquiry is being made on behalf of someone other than the individual to whom the record pertains, provide the congressional member only that information releasable under the Freedom of Information Act (5 U.S.C. 552). Advise the congressional member that the written consent of the individual to whom the record pertains is required before any additional information may be released. Do not contact individuals to obtain their consents for release to congressional members unless a congressional office specifically requests that this be done.

(6) Nothing in paragraph (k)(2) of this section prohibits a Component, when appropriate, from providing the record directly to the individual and notifying the congressional office that this has been done without providing the record to the congressional member.

(7) See paragraph (e) of § 310.33 for the policy on assessing fees for Members of Congress.

(8) Make a disclosure accounting each time a record is disclosed to either House of Congress, to any committee, joint committee, or subcommittee of Congress, to any congressional member, or GAO.

(l) Disclosures under court orders. (1) Records may be disclosed without the consent of the person to whom they pertain under a court order signed by a judge of a court of competent jurisdiction. Releases may also be made under the compulsory legal process of federal or state bodies having authority to issue such process.

(2) When a record is disclosed under this provision, make reasonable efforts to notify the individual to whom the record pertains, if the legal process is a matter of public record.

(3) If the process is not a matter of public record at the time it is issued, seek to be advised when the process is made public and make reasonable efforts to notify the individual at that time.

(4) Notification sent to the last known address of the individual as reflected in the records is considered reasonable effort to notify.

(5) Make a disclosure accounting each time a record is disclosed under a court order or compulsory legal process.

(m) Disclosures to consumer reporting agencies. (1) Certain personal information may be disclosed to consumer reporting agencies as defined by the Federal Claims Collection Act of 1966, as amended (31 U.S.C. 952(d)).

(2) Under the provisions of paragraph (m)(1) of this section, the following information may be disclosed to a consumer reporting agency:

(i) Name, address, taxpayer identification number (SSN), and other information necessary to establish the identity of the individual.

(ii) The amount, status, and history of the claim.

(iii) The agency or program under which the claim arose.

(3) The Federal Claims Collection Act of 1966, as amended (31 U.S.C. 952(d)) specifically requires that the system notice for the system of records from which the information will be disclosed indicates that the information may be disclosed to a “consumer reporting agency.”

(a) General policy. (1) Make releases of personal information to commercial enterprises under the criteria established by the DoD Freedom of Information Program (32 CFR part 286).

(2) The relationship of commercial enterprises to their clients or customers and to the Department of Defense are not changed by this part.

(3) The DoD policy on personal indebtedness for military personnel is contained in 32 CFR part 43a and for civilian employees in the Office of Personnel Management, Federal Personnel Manual (5 CFR part 550).

(b) Release of personal information. (1) Any information that must be released under the Freedom of Information (5 U.S.C. 552) may be released to a commercial enterprise without the individual's consent (see paragraph (b) of § 310.41 of this subpart).

(2) Commercial enterprises may present a signed consent statement setting forth specific conditions for release of personal information. Statements such as the following, if signed by the individual, are considered valid:

(3) When a statement of consent as outlined in paragraph (b)(2) of this section is presented, provide the requested information if its release is not prohibited by some other regulation or statute.

(4) Blanket statements of consent that do not identify specifically the Department of Defense or any of its Components, or that do not specify exactly the type of information to be released, may be honored if it is clear that the individual in signing the consent statement intended to obtain a personal benefit (for example, a loan to buy a house) and was aware of the type information that would be sought. Care should be exercised in these situations to release only the minimum amount of personal information essential to obtain the benefit sought.

(5) Do not honor request from commercial enterprises for official evaluation of personal characteristics, such as evaluation of personal financial habits.

(a) Section applicability. This section applies to the release of information to the news media or the public concerning persons treated or hospitalized in DoD medical facilities and patients of nonfederal medical facilities for whom the cost of the care is paid by the Department of Defense.

(b) General disclosure. Normally, the following may be released without the patient's consent.

(1) Personal information concerning the patient. See 32 CFR part 286, The DoD Freedom of Information Act Program and paragraph (c) of § 310.41.

(2) Medical condition:

(i) Date of admission or disposition;

(ii) The present medical assessment of the individual's condition in the following terms if the medical doctor has volunteered the information:

(A) The individual's condition is presently (stable) (good) (fair) (serious) or (critical), and

(B) Whether the patient is conscious, semiconscious, or unconscious.

(c) Individual consent. (1) Detailed medical and other personal information may be released in response to inquiries from the news media and public if the patient has given his or her informed consent to such a release.

(2) If the patient is not conscious or competent, no personal information except that required by the Freedom of Information Act (5 U.S.C. 552) shall be released until there has been enough improvement in the patient to ensure he or she can give informed consent or a guardian has been appointed legally for the patient and the guardian has given consent on behalf of the patient.

(3) The consent described in paragraph (c)(1) of this section regarding patients who are minors must be given by the parent of legal guardian.

(d) Information that may be released with individual consent. (1) Any item of personal information may be released, if the patient has given his or her informed consent to its release.

(2) Releasing medical information about patients shall be done with discretion, so as not to embarrass the patient, his or her family, or the Department of Defense, needlessly.

(e) Disclosures to other government agencies. This subpart does not limit the disclosures of personal medical information to other government agencies for use in determining eligibility for special assistance or other benefits.

(a) Disclosure accountings. (1) Keep an accurate record of all disclosures made from any system of records except disclosures:

(i) To DoD personnel for use in the performance of their official duties; or

(ii) Under 32 CFR part 286, The DoD Freedom of Information Program.

(2) In all other cases a disclosure accounting is required even if the individual has consented to the disclosure of the information pertaining to him or her.

(3) Disclosure accountings:

(i) Permit individuals to determine to whom information has been disclosed;

(ii) Enable the activity to notify past recipients of disputed or corrected information (§ 310.32(i)(1), subpart D); and

(iii) Provide a method of determining compliance with paragraph (c) of § 310.40.

(b) Contents of disclosure accountings. As a minimum, disclosure accounting shall contain:

(1) The date of the disclosure.

(2) A description of the information released.

(3) The purpose of the disclosure.

(4) The name and address of the person or agency to whom the disclosure was made.

(c) Methods of disclosure accounting. Use any system of disclosure accounting that will provide readily the necessary disclosure information (see paragraph (a)(3) of this section).

(d) Accounting for mass disclosures. When numerous similar records are released (such as transmittal of payroll checks to a bank), identify the category of records disclosed and include the data required by paragraph (b) of this section in some form that can be used to construct an accounting disclosure record for individual records if required (see paragraph (a)(3) of this section).

(e) Disposition of disclosure accounting records. Retain disclosure accounting records for 5 years after the disclosure or the life of the record, whichever is longer.

(f) Furnishing disclosure accountings to the individual. (1) Make available to the individual to whom the record pertains all disclosure accountings except when:

(i) The disclosure has been made to a law enforcement activity under paragraph (i) of § 310.41 and the law enforcement activity has requested that disclosure not be made; or

(ii) The system of records has been exempted from the requirement to furnish the disclosure accounting under the provisions of § 310.50(b), subpart F.

(2) If disclosure accountings are not maintained with the record and the individual requests access to the accounting, prepare a listing of all disclosures (see paragraph (b) of this section) and provide this to the individual upon request.

(a) Types of exemptions. (1) There are two types of exemptions permitted by the Privacy Act.

(i) General exemptions that authorize the exemption of a system of records from all but certain specifically identified provisions of the Act.

(ii) Specific exemptions that allow a system of records to be exempted only from certain designated provisions of the Act.

(2) Nothing in the Act permits exemption of any system of records from all provisions of the Act (see appendix D).

(b) Establishing exemptions. (1) Neither general nor specific exemptions are established automatically for any system of records. The head of the DoD Component maintaining the system of records must make a determination whether the system is one for which an exemption properly may be claimed and then propose and establish an exemption rule for the system. No system of records within the Department of Defense shall be considered exempted until the head of the Component has approved the exemption and an exemption rule has been published as a final rule in the Federal Register (see § 310.60(e), subpart G).

(2) Only the head of the DoD Component or an authorized designee may claim an exemption for a system of records.

(3) A system of records is considered exempt only from those provisions of the Privacy Act (5 U.S.C. 552a) which are identified specifically in the Component exemption rule for the system and which are authorized by the Privacy Act.

(4) To establish an exemption rule, see § 310.61 of subpart G.

(c) Blanket exemption for classified material. (1) Include in the Component rules a blanket exemption under 5 U.S.C. 552a(k)(1) of the Privacy Act from the access provisions (5 U.S.C. 552a(d)) and the notification of access procedures (5 U.S.C. 522a(e)(4)(H)) of the Act for all classified material in any system of records maintained.

(2) Do not claim specifically an exemption under section 552a(k)(1) of the Privacy Act for any system of records. The blanket exemption affords protection to all classified material in all systems of records maintained.

(d) Provisions from which exemptions may be claimed. (1) The head of a DoD Component may claim an exemption from any provision of the Act from which an exemption is allowed (see appendix D).

(2) Notify the Defense Privacy Office ODASD(A) before claiming an exemption for any system of records from the following:

(i) The exemption rule publication requirement (5 U.S.C. 552a(j)) of the Privacy Act.

(ii) The requirement to report new systems of records (5 U.S.C. 552a(o)); or

(iii) The annual report requirement (5 U.S.C. 552a(p)).

(e) Use of exemptions. (1) Use exemptions only for the specific purposes set forth in the exemption rules (see paragraph (b) of § 310.61, subpart G).

(2) Use exemptions only when they are in the best interest of the government and limit them to the specific portions of the records requiring protection.

(3) Do not use an exemption to deny an individual access to any record to which he or she would have access under the Freedom of Information Act (5 U.S.C. 552).

(f) Exempt records in nonexempt systems. (1) Exempt records temporarily in the hands of another Component are considered the property of the originating Component and access to these records is controlled by the system notices and rules of the originating Component.

(2) Records that are actually incorporated into a system of records may be exempted only to the extent the system of records into which they are incorporated has been granted an exemption, regardless of their original status or the system of records for which they were created.

(3) If a record is accidentally misfiled into a system of records, the system notice and rules for the system in which it should actually be filed will govern.

(a) Use of the general exemptions. (1) No DoD Component is authorized to claim the exemption for records maintained by the Central Intelligence Agency established by 5 U.S.C. 552a(j)(1) of the Privacy Act.

(2) The general exemption established by 5 U.S.C. 552a(j)(2) of the Privacy Act may be claimed to protect investigative records created and maintained by law-enforcement activities of a DoD Component.

(3) To qualify for the (j)(2) exemption, the system of records must be maintained by an element that performs as its principal function enforcement of the criminal law, such as U.S. Army Criminal Investigation Command (CIDC), Naval Investigative Service (NIS), the Air Force Office of Special Investigations (AFOSI), and military police activities. Law enforcement includes police efforts to detect, prevent, control, or reduce crime, to apprehend or identify criminals; and the activities of correction, probation, pardon, or parole authorities.

(4) Information that may be protected under the (j)(2) exemption include:

(i) Records compiled for the purpose of identifying criminal offenders and alleged offenders consisting only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, parole, and probation status (so-called criminal history records);

(ii) Reports and other records compiled during criminal investigations, to include supporting documentation.

(iii) Other records compiled at any stage of the criminal law enforcement process from arrest or indictment through the final release from parole supervision, such as presentence and parole reports.

(5) The (j)(2) exemption does not apply to:

(i) Investigative records prepared or maintained by activities without primary law-enforcement missions. It may not be claimed by any activity that does not have law enforcement as its principal function.

(ii) Investigative records compiled by any activity concerning employee suitability, eligibility, qualification, or for individual access to classified material regardless of the principal mission of the compiling DoD Component.

(6) The (j)(2) exemption claimed by the law-enforcement activity will not protect investigative records that are incorporated into the record system of a nonlaw enforcement activity or into nonexempt systems of records (see paragraph (f)(2) of § 310.50). Therefore, all system managers are cautioned to comply with the various regulations prohibiting or limiting the incorporation of investigatory records into system of records other than those maintained by law-enforcement activities.

(b) Access to records for which a (j)(2) exemption is claimed. Access to investigative records in the hands of a law-enforcement activity or temporarily in the hands of a military commander or other criminal adjudicative activity shall be processed under 32 CFR part 286, The DoD Freedom of Information Act Program, provided that the system of records from which the file originated is a law enforcement record system that has been exempted from the access provisions of this part (see paragraph (h) of § 310.30, subpart D).

(a) Use of the specific exemptions. The specific exemptions permit certain categories of records to be exempted from certain specific provisions of the Privacy Act (see appendix D). To establish a specific exemption, the records must meet the following criteria (parenthetical references are to the appropriate subsection of the Privacy Act (5 U.S.C. 552a(k)):

(1) The (k)(1). Information specifically authorized to be classified under the DoD Information Security Program Regulation, 32 CFR part 159. (see also paragraph (c) of this section).

(2) The (k)(2). Investigatory information compiled for law-enforcement purposes by nonlaw enforcement activities and which is not within the scope of § 310.51(a). If an individual is denied any right, privilege or benefit that he or she is otherwise entitled by federal law or for which he or she would otherwise be eligible as a result of the maintenance of the information, the individual will be provided access to the information except to the extent that disclosure would reveal the identity of a confidential source. This subsection when claimed allows limited protection of investigative reports maintained in a system of records used in personnel or administrative actions.

(3) The (k)(3). Records maintained in connection with providing protective services to the President and other individuals under 18 U.S.C. 3506.

(4) The (k)(4). Records maintained solely for statistical research or program evaluation purposes and which are not used to make decisions on the rights, benefits, or entitlement of an individual except for census records which may be disclosed under 13 U.S.C. 8.

(5) The (k)(5). Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information, but only to the extent such material would reveal the identity of a confidential source. This provision allows protection of confidential sources used in background investigations, employment inquiries, and similar inquiries that are for personnel screening to determine suitability, eligibility, or qualifications.

(6) The (k)(6). Testing or examination material used solely to determine individual qualifications for appointment or promotion in the federal or military service, if the disclosure would compromise the objectivity or fairness of the test or examination process.

(7) The (k)(7). Evaluation material used to determine potential for promotion in the Military Services, but only to the extent that the disclosure of such material would reveal the identity of a confidential source.

(b) Promises of confidentiality. (1) Only the identity of sources that have been given an express promise of confidentiality may be protected from disclosure under paragraphs (a)(2), (5) and (7) of this section. However, the identity of sources who were given implied promises of confidentiality in inquiries conducted before September 27, 1975, may also be protected from disclosure.

(2) Ensure that promises of confidentiality are used on a limited basis in day-to-day operations. Establish appropriate procedures and identify fully those categories of individuals who may make such promises. Promises of confidentiality shall be made only when they are essential to obtain the information sought.

(c) Access to records for which specific exemptions are claimed. Deny the individual access only to those portions of the records for which the claimed exemption applies.

(a) What must be published in the Federal Register. (1) Three types of documents relating to the Privacy Program must be published in the Federal Register:

(i) DoD Component Privacy Program rules;

(ii) Component exemption rules; and

(iii) System notices.

(2) See DoD 5025.1-M, “Directives Systems Procedures,” and DoD Directive 5400.9, (32 CFR part 296) “Publication of Proposed and Adopted Regulations Affecting the Public” for information pertaining to the preparation of documents for publication in the Federal Register.

(b) The effect of publication in the Federal Register. Publication of a document in the Federal Register constitutes official public notice of the existence and content of the document.

(c) DoD Component rules. (1) Component Privacy Program procedures and Component exemption rules are subject to the rulemaking procedures prescribed in 32 CFR part 296.

(2) System notices are not subject to formal rulemaking and are published in the Federal Register as “Notices,” not rules.

(3) Privacy procedural and exemption rules are incorporated automatically into the Code of Federal Regulations (CFR). System notices are not published in the CFR.

(d) Submission of rules for publication. (1) Submit to the Defense Privacy Office, ODASD(A), all proposed rules implementing this part in proper format (see Appendices E, F and G) for publication in the Federal Register.

(2) This part has been published as a final rule in the Federal Register (32 CFR part 310). Therefore, incorporate it into your Component rules by reference rather than by republication.

(3) DoD Component rules that simply implement this part need only be published as final rules in the Federal Register (see DoD 5025.1-M, “Directives System Procedures,” and DoD Directive 5400.9, “Publication of Proposed and Adopted Regulations Affecting the Public,” (32 CFR part 296).

(4) Amendments to Component rules are submitted like the basic rules.

(5) The Defense Privacy Office ODASD(A) submits the rules and amendments thereto to the Federal Register for publication.

(e) Submission of exemption rules for publication. (1) No system of records within the Department of Defense shall be considered exempt from any provision of this part until the exemption and the exemption rule for the system has been published as a final rule in the Federal Register (see paragraph (c) of this section).

(2) Submit exemption rules in proper format to the Defense Privacy Office ODASD(A). After review, the Defense Privacy Office will submit the rules to the Federal Register for publication.

(3) Exemption rules require publication both as proposed rules and final rules (see DoD Directive 5400.9, 32 CFR part 296).

(4) Section 310.61 of this subpart discusses the content of an exemption rule.

(5) Submit amendments to exemption rules in the same manner used for establishing these rules.

(f) Submission of system notices for publication. (1) While system notices are not subject to formal rulemaking procedures, advance public notice must be given before a Component may begin to collect personal information or use a new system of records. The notice procedures require that:

(i) The system notice describes the contents of the record system and the routine uses for which the information in the system may be released.

(ii) The public be given 30 days to comment on any proposed routine uses before implementation; and

(iii) The notice contain the data on which the system will become effective.

(2) Submit system notices to the Defense Privacy Office in the Federal Register format (see appendix E). The Defense Privacy Office transmits the notices to the Federal Register for publication.

(3) Section 310.62 of this subpart discusses the specific elements required in a system notice.

(a) General procedures. Paragraph (b)(1) of § 310.50, subpart F, provides the general guidance for establishing exemptions for systems of records.

(b) Contents of exemption rules. (1) Each exemption rule submitted for publication must contain the following:

(i) The record system identification and title of the system for which the exemption is claimed (see § 310.62 of this subpart);

(ii) The specific subsection of the Privacy Act under which exemptions for the system are claimed (for example, 5 U.S.C. 552a(j)(2), 5 U.S.C. 552a(k)(3); or 5 U.S.C. 552a(k)(7);

(iii) The specific provisions and subsections of the Privacy Act from which the system is to be exempted (for example, 5 U.S.C. 552a(c)(3), or 5 U.S.C. 552a(d)(1)-(5)) (see appendix D); and

(iv) The specific reasons why an exemption is being claimed from each subsection of the Act identified.

(2) Do not claim an exemption for classified material for individual systems of records, since the blanket exemption applies (see paragraph (c) of § 310.50 of subpart F).

(a) Contents of the system notices. (1) The following data captions are included in each system notice:

(i) System identification (see paragraph (b) of this section).

(ii) System name (see paragraph (c) of this section).

(iii) System location (see paragraph (d) of this section).

(iv) Categories of individuals covered by the system (see paragraph (e) of this section).

(v) Categories of records in the system (see paragraph (f) of this section).

(vi) Authority for maintenance of the system (see paragraph (g) of this section).

(vii) Purpose(s) (see paragraph (h) of this section).

(viii) Routine uses of records maintained in the system, including categories of users, uses, and purposes of such uses (see paragraph (i) of this section).

(ix) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system (see paragraph (j) of this section).

(x) Systems manager(s) and address (see paragraph (k) of this section).

(xi) Notification procedure (see paragraph (l) of this section).

(xii) Record access procedures (see paragraph (m) of this section).

(xiii) Contesting records procedures (see paragraph (n) of this section.)

(xiv) Record source categories (see paragraph (o) of this section).

(xv) Systems exempted from certain provision of the Act (see paragraph (p) of this section).

(2) The captions listed in paragraph (a)(1) of this section have been mandated by the Office of Federal Register and must be used exactly as presented.

(3) A sample system notice is shown in appendix E.

(b) System identification. The system identifier must appear on all system notices and is limited to 21 positions, including Component code, file number and symbols, punctuation, and spacing.

(c) System name. (1) The name of the system should reasonably identify the general purpose of the system and, if possible, the general categories of individuals involved.

(2) Use acronyms only parenthetically following the title or any portion thereof, such as, “Joint Uniform Military Pay System (JUMPS).” Do not use acronyms that are not commonly known unless they are preceded by an explanation.

(3) The system name may not exceed 55 character positions including punctuation and spacing.

(d) System location. (1) For systems maintained in a single location provide the exact office name, organizational identity, and address or routing symbol.

(2) For geographically or organizationally decentralized systems, specify each level of organization or element that maintains a segment of the system.

(3) For automated data systems with a central computer facility and input/output terminals at several geographically separated locations, list each location by category.

(4) When multiple locations are identified by type of organization, the system location may indicate that official mailing addresses are contained in an address directory published as an appendix to the Component system notices in the Federal Register. Information concerning format requirements for preparation of an address directory may be obtained from the project officer, Air Force 1st Information Systems Group (AF/1ISG/GNR), Washington, DC 20330-6345.

(5) If no address directory is used or the addresses in the directory are incomplete, the address of each location where a segment of the record system is maintained must appear under the “System Location” caption.

(6) Classified addresses are not listed, but the fact that they are classified is indicated.

(7) Use the standard U.S. Postal Service two letter state abbreviation symbols and zip codes for all domestic addresses.

(e) Categories of individuals covered by the system. (1) Set forth the specific categories of individuals to whom records in the system pertain in clear, easily understood, nontechnical terms.

(2) Avoid the use of broad over-general descriptions, such as “all Army personnel” or “all military personnel” unless this actually reflects the category of individuals involved.

(f) Categories of records in the system. (1) Describe in clear, nontechnical terms the types of records maintained in the system.

(2) Only documents actually retained in the system of records shall be described, not source documents that are used only to collect data and then destroyed.

(g) Authority for maintenance of the system. (1) Cite the specific provision of the federal statute or Executive Order that authorizes the maintenance of the system.

(2) Include with citations for statutes the popular names, when appropriate (for example, Title 51, U.S. Code, section 2103, “Tea-Tasters Licensing Act”), and for Executive Orders, the official title (for example, Executive Order No. 9397, “Numbering System for Federal Accounts Relating to Individual Persons”).

(3) Cite the statute or Executive Order establishing the Component for administrative housekeeping records.

(4) If the Component is chartered by a DoD Directive, cite that Directive as well as the Secretary of Defense authority to issue the Directive. For example, “Pursuant to the authority contained in the National Security Act of 1947, as amended (10 U.S.C. 133d), the Secretary of Defense has issued DoD Directive 5105.21, the charter of the Defense Intelligence Agency (DIA) as a separate Agency of the Department of Defense under his control. Therein, the Director, DIA, is charged with the responsibility of maintaining all necessary and appropriate records.”

(h) Purpose or purposes. (1) List the specific purposes for maintaining the system of records by the Component.

(2) Include the uses made of the information within the Component and the Department of Defense (so-called “internal routine uses”).

(i) Routine uses. (1) The blanket routine uses (appendix C) that appear at the beginning of each Component compilation apply to all systems notices unless the individual system notice specifically states that one or more of them do not apply to the system. List the blanket routine uses at the beginning of the Component listing of system notices (see paragraph (e)(5) of § 310.41 of subpart E).

(2) For all other routine uses, when practical, list the specific activity to which the record may be released, to include any routine automated system interface (for example, “to the Department of Justice, Civil Rights Compliance Division,” “to the Veterans Administration, Office of Disability Benefits,” or “to state and local health agencies”).

(3) For each routine user identified, include a statement as to the purpose or purposes for which the record is to be released to that activity (see § 310.41(e) of subpart E). The routine uses should be compatible with the purpose for which the record was collected or obtained (see § 310.3(p), subpart A).

(4) Do not use general statements, such as, “to other federal agencies as required” or “to any other appropriate federal agency.”

(j) Policies and practices for storing, retiring, accessing, retaining, and disposing of records. This caption is subdivided into four parts:

(1) Storage. Indicate the medium in which the records are maintained. (For example, a system may be “automated”, maintained on magnetic tapes or disks, “manual”, maintained in paper files, or “hybrid”, maintained in a combination of paper and automated form.) Storage does not refer to the container or facility in which the records are kept.

(2) Retrievability. Specify how the records are retrieved (for example, name and SSN, name, SSN) and indicate whether a manual or computerized index is required to retrieve individual records.

(3) Safeguards. List the categories of Component personnel having immediate access and those responsible for safeguarding the records from unauthorized access. Generally identify the system safeguards (such as storage in safes, vaults, locked cabinets or rooms, use of guards, visitor registers, personnel screening, or computer “fail-safe” systems software). Do not describe safeguards in such detail so as to compromise system security.

(4) Retention and disposal. Indicate how long the record is retained. When appropriate, also state the length of time the records are maintained by the Component, when they are transferred to a Federal Records Center, length of retention at the Record Center and when they are transferred to the National Archivist or are destroyed. A reference to a Component regulation without further detailed information is insufficient.

(k) System manager(s) and address. (1) List the title and address of the official responsible for the management of the system.

(2) If the title of the specific official is unknown, such as for a local system, specify the local commander or office head as the systems manager.

(3) For geographically separated or organizationally decentralized activities for which individuals may deal directly with officials at each location in exercising their rights, list the position or duty title of each category of officials responsible for the system or a segment thereof.

(4) Do not include business or duty addresses if they are listed in the Component address directory.

(l) Notification procedures. (1) If the record system has been exempted from subsection (e)(4)(G) of the Privacy Act (5 U.S.C. 552a) (see § 310.50)(d), so indicate.

(2) For all nonexempt systems, describe how an individual may determine if there are records pertaining to him or her in the system. The procedural rules may be cited, but include a brief procedural description of the needed data. Provide sufficient information in the notice to allow an individual to exercise his or her rights without referral to the formal rules.

(3) As a minimum, the caption shall include:

(i) The official title (normally the system manager) and official address to which the request is to be directed;

(ii) The specific information required to determine if there is a record of the individual in the system.

(iii) Identification of the offices through which the individual may obtain access; and

(iv) A description of any proof of identity required (see § 310.30(c)(1)).

(4) When appropriate, the individual may be referred to a Component official who shall provide this data to him or her.

(m) Record access procedures. (1) If the record system has been exempted from subsection (e)(4)(H) of the Privacy Act (5 U.S.C. 552a) (see § 310.50(d)), so indicate.

(2) For all nonexempt records systems, describe the procedures under which individuals may obtain access to the records pertaining to them in the system.

(3) When appropriate, the individual may be referred to the system manager or Component official to obtain access procedures.

(4) Do not repeat the addresses listed in the Component address directory but refer the individual to that directory.

(n) Contesting record procedures. (1) If the record system has been exempted from subsection (e)(4)(H) of the Privacy Act (5 U.S.C. 552a) (see § 310.50(d)), so indicate.

(2) For all nonexempt systems of records, state briefly how an individual may contest the content of a record pertaining to him or her in the system.

(3) The detailed procedures for contesting record accuracy, refusal of access or amendment, or initial review and appeal need not be included if they are readily available elsewhere and can be referred to by the public. (For example, “The Defense Mapping Agency rules for contesting contents and for appealing initial determinations are contained in DMA Instruction 5400.11 (32 CFR part 295c).”)

(4) The individual may also be referred to the system manager to determine these procedures.

(o) Record source categories. (1) If the record system has been exempted from subsection (e)(4)(I) of the Privacy Act (5 U.S.C. 552a) (see § 310.50(d), subpart F), so indicate.

(2) For all nonexempt systems of records, list the sources of the information in the system.

(3) Specific individuals or institutions need not be identified by name, particularly if these sources have been granted confidentiality (see § 310.52(b), subpart F).

(p) System exempted from certain provisions of the Act. (1) If no exemption has been claimed for the system, indicate “None.”

(2) If there is an exemption claimed indicate specifically under which subsection of the Privacy Act (5 U.S.C. 552a) it is claimed.

(3) Cite the regulation and CFR section containing the exemption rule for the system. (For example, “Parts of this record system may be exempt under Title 5 U.S. Code, 552a(k)(2) and (5), as applicable. See exemption rules contained in Army Regulation 340-21 (32 CFR part 505).”)

(q) Maintaining the master DoD system notice registry. (1) The Defense Privacy Office, ODASD(A) maintains a master registry of all DoD record systems notices.

(2) Coordinate with the Defense Privacy Office, ODASD(A) to ensure that all new systems are added to the master registry and all amendments and alterations are incorporated into the master registry.

(a) Criteria for a new record system. (1) A new system of records is one for which there has been no system notice published in the Federal Register.

(2) If a notice for a system of records has been canceled or deleted before reinstating or reusing the system, a new system notice must be published in the Federal Register.

(b) Criteria for an altered record system. A system is considered altered whenever one of the following actions occurs or is proposed:

(1) A significant increase or change in the number or type of individuals about whom records are maintained.

(i) Only changes that alter significantly the character and purpose of the record system are considered alterations.

(ii) Increases in numbers of individuals due to normal growth are not considered alterations unless they truly alter the character and purpose of the system;

(iii) Increases that change significantly the scope of population covered (for example, expansion of a system of records covering a single command's enlisted personnel to include all of the Component's enlisted personnel would be considered an alteration).

(iv) A reduction in the number of individuals covered is not an alteration, but only an amendment (see paragraph (a) of § 310.64 of this subpart).

(v) All changes that add new categories of individuals to system coverage require a change to the “Categories of individuals covered by the system” caption of the notice (§ 310.62(e)) and may require changes to the “Purpose(s)” caption (§ 310.62(h)).

(2) An expansion in the types or categories of information maintained.

(i) The addition of any new category of records not described under the “Categories of Records in System” caption is considered an alteration.

(ii) Adding a new data element which is clearly within the scope of the categories of records described in the existing notice is an amendment (see § 310.64(a) of this subpart).

(iii) All changes under this criterion require a change to the “Categories of Records in System” caption of the notice (see § 310.62(f) of this subpart).

(3) An alteration in the manner in which the records are organized or the manner in which the records are indexed and retrieved.

(i) The change must alter the nature of use or scope of the records involved (for example, combining records systems in a reorganization).

(ii) Any change under this criteria requires a change in the “Retrievability” caption of the system notice (see § 310.62(j)(2) of this subpart).

(iii) If the records are no longer retrieved by name or personal identifier cancel the system notice (see § 310.10(a) of subpart B).

(4) A change in the purpose for which the information in the system is used.

(i) The new purpose must not be compatible with the existing purposes for which the system is maintained or a use that would not reasonably be expected to be an alteration.

(ii) If the use is compatible and reasonably expected, there is no change in purpose and no alteration occurs.

(iii) Any change under this criterion requires a change in the “Purpose(s)” caption (see § 310.62(h) of this subpart) and may require a change in the “Authority for maintenance of the system” caption (see § 310.62(g) of this subpart).

(5) Changes that alter the computer environment (such as changes to equipment configuration, software, or procedures) so as to create the potential for greater or easier access.

(i) Increasing the number of offices with direct access is an alteration.

(ii) Software releases, such as operating systems and system utilities that provide for easier access are considered alterations.

(iii) The addition of an on-line capability to a previously batch-oriented system is an alteration.

(iv) The addition of peripheral devices such as tape devices, disk devices, card readers, printers, and similar devices to an existing ADP system constitute an amendment if system security is preserved (see paragraph (a) of § 310.64 of this subpart).

(v) Changes to existing equipment configuration with on-line capability need not be considered alterations to the system if:

(A) The change does not alter the present security posture; or

(B) The addition of terminals does not extend the capacity of the current operating system and existing security is preserved;

(vi) The connecting of two or more formerly independent automated systems or networks together creating a potential for greater access is an alteration.

(vii) Any change under this caption requires a change to the “Storage” caption element of the systems notice (see § 310.62(j)(1) of this subpart).

(c) Reports of new and altered systems. (1) Submit a report of a new or altered system to the Defense Privacy Office before collecting information for or using a new system or altering an existing system (see appendix F and paragraph (d) of this section).

(2) The Defense Privacy Office, ODASD(A) coordinates all reports of new and altered systems with the Office of the Assistant Secretary of Defense (Legislative Affairs) and the Office of the General Counsel, Department of Defense.

(3) The Defense Privacy Office prepares for the DASD(A)'s approval and signature the transmittal letters sent to OMB and Congress (see paragraph (e) of this section).

(d) Time restrictions on the operation of a new or altered system. (1) All time periods begin from the date the DASD(A) signs the transmittal letters (see paragraph (c)(3) of this section). The specific time limits are:

(i) 60 days must elapse before data collection forms or formal instructions pertaining to the system may be issued.

(ii) 60 days must elapse before the system may become operational; (that is, collecting, maintaining, using, or disseminating records from the system) (see also § 310.60(f) of this subpart).

(iii) 60 days must elapse before any public issuance of a Request for Proposal or Invitation to Bid for a new ADP or telecommunication system.

(iv) Normally 30 days must elapse before publication in the Federal Register of the notice of a new or altered system (see § 310.60(f) of this subpart) and the preamble to the Federal Register notice must reflect the date the transmittal letters to OMB and Congress were signed by DASD(A).

(2) Do not operate a system of records until the waiting periods have expired (see § 310.103 of subpart K).

(e) Outside review of new and altered systems reports. If no objections are received within 30 days of a submission to the President of the Senate, Speaker of the House of Representatives, and the Director, OMB, of a new or altered system report it is presumed that the new or altered systems have been approved as submitted.

(f) Exemptions for new systems. See § 310.60(e) of this subpart for the procedures to follow in submitting exemption rules for a new system of records.

(g) Waiver of time restrictions. (1) The OMB may authorize a federal agency to begin operation of a system of records before the expiration of time limits set forth in § 310.63(d) of this subpart.

(2) When seeking such a waiver, include in the letter of transmittal to the Defense Privacy Office, ODASD(A) an explanation why a delay of 60 days in establishing the system of records would not be in the public interest. The transmittal must include:

(i) How the public interest will be affected adversely if the established time limits are followed; and

(ii) Why earlier notice was not provided.

(3) When appropriate, the Defense Privacy Office, ODASD(A) shall contact OMB and attempt to obtain the waiver.

(i) If a waiver is granted, the Defense Privacy Office, ODASD(A) shall notify the subcommittee and submit the new or altered system notice along with any applicable procedural or exemption rules for publication in the Federal Register.

(ii) If the waiver is disapproved, the Defense Privacy Office, ODASD(A) shall process the system the same as any other new or altered system and notify the subcommittee of the OMB decision.

(4) Under no circumstances shall the routine uses for new or altered system be implemented before 30 days have elapsed after publication of the system notice containing the routine uses in the Federal Register . This period cannot be waived.

(a) Criteria for an amended system notice. (1) Certain minor changes to published systems notices are considered amendments and not alterations (see § 310.63(b) of this subpart).

(2) Amendments do not require a report of an altered system (see § 310.63(c) of this subpart), but must be published in the Federal Register.

(b) System notices for amended systems. When submitting an amendment for a system notice for publication in the Federal Register include:

(1) The system identification and name (see paragraph (b) and (c) of § 310.62 of this subpart).

(2) A description of the nature and specific changes proposed.

(3) The full text of the system notice is not required if the master registry contains a current system notice for the system (see § 310.62(q) of this subpart).

(c) Deletion of system notices. (1) Whenever a system is discontinued, combined into another system, or determined no longer to be subject to this part, a deletion notice is required.

(2) The notice of deletion shall include:

(i) The system identification and name.

(ii) The reason for the deletion.

(3) When the system is eliminated through combination or merger, identify the successor system or systems in the deletion notice.

(d) Submission of amendments and deletions for publication. (1) Submit amendments and deletions to the Defense Privacy Office, ODASD(A) for transmittal to the Federal Register for publication.

(2) Include in the submission at least one original (not a reproduced copy) in proper Federal Register format (see appendix G).

(3) Multiple deletions and amendments may be combined into a single submission.

The Privacy Act of 1974, as amended (5 U.S.C. 552a), requires each agency to establish rules of conduct for all persons involved in the design, development, operation, and maintenance of any system of record and to train these persons with respect to these rules.

The OMB guidelines require all agencies additionally to:

(a) Instruct their personnel in their rules of conduct and other rules and procedures adopted in implementing the Act, and inform their personnel of the penalties for noncompliance.

(b) Incorporate training on the special requirements of the Act into both formal and informal (on-the-job) training programs.

(a) Each DoD Component is responsible for the development of training procedures and methodology.

(b) The Defense Privacy Office, ODASD(A) will assist the Components in developing these training programs and may develop Privacy training programs for use by all DoD Components.

(c) All training programs shall be coordinated with the Defense Privacy Office, ODASD(A) to avoid duplication and to ensure maximum effectiveness.

Each DoD Component shall fund its own Privacy training program.

The Defense Privacy Office, ODASD(A) shall establish requirements for DoD Privacy Reports and DoD Components may be required to provide data.

The suspenses for submission of all reports shall be established by the Defense Privacy Office, ODASD(A).

Any report established by this subpart in support of the Defense Privacy Program shall be assigned Report Control Symbol DD-COMP(A)1379. Special one-time reporting requirements shall be licensed separately in accordance with DoD Directive 5000.19 “Policies for the Management and Control of Information Requirements” and DoD Directive 5000.11, “Data Elements and Data Codes Standardization Program.”

During internal inspections, Component inspectors shall be alert for compliance with this part and for managerial, administrative, and operational problems associated with the implementation of the Defense Privacy Program.

(a) Document the findings of the inspectors in official reports that are furnished the responsible Component officials. These reports, when appropriate, shall reflect overall assets of the Component Privacy Program inspected, or portion thereof, identify deficiencies, irregularities, and significant problems. Also document remedial actions taken to correct problems identified.

(b) Retain inspections reports and later follow-up reports in accordance with established records disposition standards. These reports shall be made available to the Privacy Program officials concerned upon request.

Any individual who feels he or she has a legitimate complaint or grievance against the Department of Defense or any DoD employee concerning any right granted by this part shall be permitted to seek relief through appropriate administrative channels.

An individual may file a civil suit against a DoD Component or its employees if the individual feels certain provisions of the Act have been violated (see 5 U.S.C. 552a(g), of the Privacy Act.

In addition to specific remedial actions, subsection (g) of the Privacy Act (5 U.S.C. 552a) provides for the payment of damages, court cost, and attorney fees in some cases.

(a) The Act also provides for criminal penalties (see 5 U.S.C. 552a(i). Any official or employee may be found guilty of a misdemeanor and fined not more than $5,000 if he or she willfully:

(1) Discloses personal information to anyone not entitled to receive the information (see subpart E); or

(2) Maintains a system of records without publishing the required public notice in the Federal Register (see subpart G).

(b) A person who requests or obtains access to any record concerning another individual under false pretenses may be found guilty of misdemeanor and fined up to $5,000.

Whenever a complaint citing the Privacy Act is filed in a U.S. District Court against the Department of Defense, a DoD Component, or any DoD employee, the responsible system manager shall notify promptly the Defense Privacy Office, ODASD(A). The litigation status sheet at appendix H provides a standard format for this notification. The initial litigation status sheet forwarded shall, as a minimum, provide the information required by items 1 through 6. A revised litigation status sheet shall be provided at each stage of the litigation. When a court renders a formal opinion or judgment, copies of the judgment and opinion shall be provided to the Defense Privacy Office with the litigation status sheet reporting that judgment or opinion.

The OMB has issued special guidelines to be followed in programs that match the personal records in the computerized data bases of two or more federal agencies by computer (see appendix I). These guidelines are intended to strike a balance between the interest of the government in maintaining the integrity of federal programs and the need to protect individual privacy expectations. They do not authorize matching programs as such and each matching program must be justified individually in accordance with the OMB guidelines.

(a) Forward all requests for matching programs to include necessary routine use amendments (see § 310.62(i) of subpart G) and analysis and proposed matching program reports (see subsection E.6. of appendix I) to the Defense Privacy Office, ODASD(A).

(b) The Defense Privacy Office shall review each request and supporting material and forward the report and system notice amendments to the Federal Register, OMB, and Congress, as appropriate.

(c) Changes to existing matching programs shall be processed in the same manner as a new matching program report.

(a) No time limits are set by the OMB guidelines. However, in order to establish a new routine use for a matching program, the amended system notice must have been published in the Federal Register at least 30 days before implementation (see § 310.60(f) of subpart G).

(b) Submit the documentation required by § 310.111(a) of this subpart to the Defense Privacy Office at least 45 days before the proposed initiation date of the matching program.

(c) The Defense Privacy Office may grant waivers to the 45 days’ deadline for good cause shown. Requests for waivers shall be in writing and fully justified.

(a) For the purpose of the OMB guidelines, the Department of Defense and all DoD Components are considered a single agency.

(b) Before initiating a matching program using only the records of two or more DoD Components, notify the Defense Privacy Office that the match is to occur. The Defense Privacy Office may request further information from the Component proposing the match.

(c) There is no need to notify the Defense Privacy Office of computer matches using only the records of a single Component.

The system manager shall review annually each system of records to determine if records from the system are being used in matching programs and whether the OMB Guidelines have been complied with.

(a) This part consolidates into a single document, the Defense Contract Audit Agency policies and procedures for implementing the Privacy Act of 1974 (5 U.S.C. 552a), as amended, by authorizing the development, publication and maintenance of the DCAA Privacy Act Program set forth by DCAA Regulation 5410.10 1 , “Privacy Act Program”, and DCAA Manual 5410.16 2 , “DCAA Privacy Act Processing Guide.”

(b) Its purpose is to delegate authorities and assign responsibilities for the administration of the DCAA Privacy Act Program and to prescribe uniform procedures for agency personnel consistent with DoD 5025.1-M 3 , “DoD Directives System Procedures.”

(a) This part applies to all DCAA organizational elements and takes precedence over all regional regulatory issuances that supplement the DCAA Privacy Program.

(b) This part shall be made applicable by contract or other legally binding action to contractors whenever a DCAA contract provides for the operation of a system of records or portion of a system of records to accomplish an agency function.

(a) Access. The review of a record or a copy of a record or parts thereof in a system of records by any individual.

(b) Agency. For the purposes of disclosing records subject to the Privacy Act among DoD components, the Department of Defense is considered a single agency. For all other purposes to include applications for access and amendment, denial of access or amendment, appeals from denials, and recordkeeping as regards release to non-DoD agencies; each DoD component, including DCAA, is considered an agency within the meaning of the Privacy Act.

(c) Confidential source. A person or organization who has furnished information to the Federal Government under an express promise that the person's or the organization's authority will be held in confidence or under an implied promise of such confidentiality if this implied promise was made before September 27, 1975.

(d) Defense Data Integrity Board. Consists of members of the Defense Privacy Board, as established pursuant to 32 CFR part 310, and in addition the Inspector General, DoD or the designee, when convening to oversee, coordinate and approve or disapprove all DoD component computer matching covered by the Privacy Act.

(e) Disclosure. The transfer of any personal information from a system of records by any means of communication (such as oral, written, electronic, mechanical, or actual review) to any person, private entity, or government agency, other than the subject of the record, the subject's designated agent or the subject's legal guardian.

(f) Federal benefit program. Any program administered or funded by the Federal Government, or by any agent or state on behalf of the Federal Government, providing cash or in-kind assistance in the form of payments, grants, loans, or loan guarantees to individuals.

(g) Federal benefit program match. A computerized comparison of two or more automated systems of records or an automated system of records with automated non-Federal records for the purpose of establishing or verifying the eligibility of or continuing compliance with statutory and regulatory requirements by, applicants for, recipients and beneficiaries (both present and past) of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit programs; or recouping payments or delinquent debts under such Federal benefit programs.

(h) Federal personnel. Officers and employees of the Government of the United States, members of the uniformed services (including members of the reserve components), individuals entitled to receive immediate or deferred retirement benefits under any retirement program of the Government of the United States (including survivor benefits).

(i) Federal personnel match. A computerized comparison of two or more automated Federal personnel or payroll systems of records or an automated Federal personnel or payroll system of records with automated non-Federal records.

(j) Individual. A living citizen of the United States or an alien lawfully admitted to the United States for permanent residence. The legal guardian of an individual has the same rights as the individual and may act on his or her behalf. No rights are vested in the representative of a dead person under this chapter and the term “individual” does not embrace an individual acting in an interpersonal capacity (for example, sole proprietorship or partnership).

(k) Individual access. Access to information pertaining to the individual by the individual or his or her designated agent or legal guardian.

(l) Maintain. Includes maintain, collect, use, or disseminate.

(m) Matching agency. The agency which actually performs the match.

(n) Matching program. (1) The term means any computerized comparison of:

(i) Two or more automated systems of records or a system of records with non-Federal records for the purpose of:

(A) Establishing or verifying the eligibility of, or continuing compliance with statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit programs, or

(B) Recouping payments or delinquent debts under such Federal benefit programs, or

(ii) Two or more automated Federal personnel or payroll systems of records or a system of Federal personnel or payroll records with non-Federal records,

(iii) But does not include:

(A) Matches performed to produce aggregate statistical data without any personal identifiers.

(B) Matches performed to support any research for statistical project, the specific data of which may not be used to make decisions concerning the rights, benefits, or privileges of specific individuals.

(C) Matches performed by an agency which performs as its principal function any activity pertaining to the enforcement of criminal laws, subsequent to the initiation of a specific criminal or civil law enforcement investigation of a named person or persons for the purpose of gathering evidence against such person or persons.

(iv) Matches of tax information.

(A) Pursuant to section 6103(d) of the Internal Revenue Code of 1986.

(B) For purposes of tax administration as defined in section 6301(b)(4) of such Code.

(C) For the purpose of intercepting a tax refund due an individual under authority granted by section 464 or 1137 of the Social Security Act; or

(D) For the purpose of intercepting a tax refund due an individual under any other tax refund intercept program authorized by statute which has been determined by the Director of the Office of Management and Budget to contain verification, notice, and hearing requirements that are substantially similar to the procedures in section 1137 of the Social Security Act.

(E) Matches. (1) Using records predominantly relating to Federal personnel, that are performed for routine administrative purposes (subject to guidance provided by the Director of the Office of Management and Budget pursuant to subsection (v) of the Privacy Act).

(2) Conducted by an agency using only records from systems of records maintained by that agency; if the purpose of the match is not to take any adverse financial, personnel, disciplinary, or other adverse action against Federal personnel; or

(F) Matches performed for foreign counterintelligence purposes or to produce background checks for security clearances of Federal personnel or Federal contractor personnel.

(o) Member of the public. Any individual or party acting in a private capacity to include Federal employees or military personnel.

(p) Non-Federal agency. Any state or local government, or agency thereof, which receives records contained in a system of records from a source agency for use in a matching program.

(q) Official use. Within the context of this chapter, this term is used when officials and employees of the Agency have a demonstrated need for the use of any record or the information contained therein in the performance of their official duties, subject to DCAA Regulation 5410.10.

(r) Personal information. Information about an individual that is intimate or private to the individual, as distinguished from information related solely to the individual's official functions or public life.

(s) Privacy Act. The Privacy Act of 1974 (5 U.S.C. 552a), as amended.

(t) Privacy Act request. A request from an individual for notification as to the existence of, access to, or amendment of records pertaining to that individual. These records must be maintained in a system of records. The request must indicate that it is being made under the Privacy Act to be considered a Privacy Act request.

(u) Recipient agency. Any agency, or contractor thereof, receiving records contained in a system of records from a source agency for use in a matching program.

(v) Record. Any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, the individual's education, financial transactions, medical history, and criminal or employment history, and that contains the individual's name, or identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

(w) Risk assessment. An analysis considering information sensitivity, vulnerabilities, and the cost to a computer facility or word processing activity in safeguarding personal information processed or stored in the facility or activity. Applies to manual and automated systems.

(x) Routine use. The disclosure of a record outside the Agency for a use that is compatible with the purpose for which the information was collected and maintained by the Agency. The routine use must be included in the published system notice for the system of records involved.

(y) Source agency. Any agency which discloses records contained in a system of records to be used in a matching program, or any state or local government, or agency thereof, which discloses records to be used in a matching program.

(z) Statistical record. A record maintained only for statistical research or reporting purposes and not used in whole or in part in making determinations about specific individuals.

(aa) System of records. A group of records under the control of the Agency from which information is retrieved by the individual's name or by some identifying number, symbol, or other identifying particular assigned to the individual. System notices for all Privacy Act systems of records must be published in the Federal Register.

(bb) Word processing equipment. Any combination of electronic hardware and computer software integrated in a variety of forms (programmable software, hard wiring, or similar equipment) that permits the processing of textual data.

(cc) Word processing system. A combination of equipment employing automated technology, systematic procedures, and trained personnel for the primary purpose of manipulating human thoughts and verbal or written communications into a form suitable to the originator.

It is DCAA policy that personnel will comply with the DCAA Privacy Program and the Privacy Act of 1974. Strict adherence is necessary to ensure uniformity in the implementation of the DCAA Privacy Program and create conditions that will foster public trust. It is also agency policy to safeguard personal information contained in any system of records maintained by DCAA organizational elements and to make that information available to the individual to whom it pertains to the maximum extent practicable. DCAA policy specifically requires that DCAA organizational elements:

(a) Collect, maintain, use, and disseminate personal information only when it is relevant and necessary to achieve a purpose required by statute or Executive Order.

(b) Collect personal information directly from the individuals to whom it pertains to the greatest extent practical.

(c) Inform individuals who are asked to supply personal information for inclusion in any system of records:

(1) The authority for the solicitation.

(2) Whether furnishing the information is mandatory or voluntary.

(3) The intended uses of the information.

(4) The routine disclosures of the information that may be made outside of Department of Defense; and

(5) The effect on the individual of not providing all or any part of the requested information.

(d) Ensure that records used in making determinations about individuals and those containing personal information are accurate, relevant, timely, and complete for the purposes for which they are being maintained before making them available to any recipients outside of Department of Defense, other than a Federal agency, unless the disclosure is made under DCAA Regulation 5410.10, DCAA Freedom of Information Act Program (32 CFR part 290).

(e) Keep no record that describes how individuals exercise their rights guaranteed by the First Amendment to the U.S. Constitution, unless expressly authorized by statute or by the individual to whom the records pertain or is pertinent to and within the scope of an authorized law enforcement activity.

(f) Notify individuals whenever records pertaining to them are made available under compulsory legal processes, if such process is a matter of public record.

(g) Establish safeguards to ensure the security of personal information and to protect this information from threats or hazards that might result in substantial harm, embarrassment, inconvenience, or unfairness to the individual.

(h) Establish rules of conduct for DCAA personnel involved in the design, development, operation, or maintenance of any system of records and train them in these rules of conduct.

(i) Assist individuals in determining what records pertaining to them are being collected, maintained, used, or disseminated.

(j) Permit individual access to the information pertaining to them maintained in any system of records, and to correct or amend that information, unless an exemption for the system has been properly established for an important public purpose.

(k) Provide, on request, an accounting of all disclosures of the information pertaining to them except when disclosures are made:

(1) To DoD personnel in the course of their official duties.

(2) Under 32 CFR part 290; and

(3) To another agency or to an instrumentality of any governmental jurisdiction within or under control of the United States conducting law enforcement activities authorized by law.

(l) Advise individuals on their rights to appeal any refusal to grant access to or amend any record pertaining to them, and file a statement of disagreement with the record in the event amendment is refused.

(a) Headquarters. (1) The Assistant Director, Resources has overall responsibility for the DCAA Privacy Act Program and will serve as the sole appellate authority for appeals to decisions of respective initial denial authorities. Under his direction, the Chief, Information Resources Management Branch, under the supervision of the Chief, Administrative Management Division shall:

(i) Establish, issue, and update policies for the DCAA Privacy Act Program; monitor compliance with this part; and provide policy guidance for the DCAA Privacy Act Program.

(ii) Resolve conflicts that may arise regarding implementation of DCAA Privacy Act policy.

(iii) Designate an agency Privacy Act Advisor, as a single point of contact, to coordinate on matters concerning Privacy Act policy.

(iv) Make the initial determination to deny an individual's written Privacy Act request for access to or amendment of documents filed in Privacy Act systems of records. This authority cannot be delegated.

(2) The DCAA Privacy Act Advisor under the supervision of the Chief, Information Resources Management Branch shall:

(i) Manage the DCAA Privacy Act Program in accordance with this part and applicable DCAA policies, as well as Department of Defense and Federal regulations.

(ii) Provide guidelines for managing, administering, and implementing the DCAA Privacy Act Program.

(iii) Implement and administer the Privacy Act program at the Headquarters.

(iv) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.

(v) Maintain and publish DCAA Pamphlet 5410.13 4 , “DCAA Compilation of Privacy Act System Notices”; DCAA Pamphlet 5410.15 5 , “Privacy Act of 1974, An Employee Guide to Privacy”; and DCAA Manual 5410.16, “DCAA Privacy Act Processing Guide.”

(vi) Prepare promptly any required new, amended, or altered system notices for systems of records subject to the Privacy Act and submit them to the Defense Privacy Office for subsequent publication in the Federal Register.

(vii) Prepare the annual Privacy Act Report as required by 32 CFR part 310, “DoD Privacy Act Program.”

(viii) Conduct training on the Privacy Act program for agency personnel.

(3) Heads of Principal Staff Elements are responsible for:

(i) Reviewing all regulations or other policy and guidance issuances for which they are the proponent to ensure consistency with the provisions of this part.

(ii) Ensuring that the provisions of this part are followed in processing requests for records.

(iii) Forwarding to the DCAA Privacy Act Advisor, any Privacy Act requests received directly from a member of the public, so that the request may be administratively controlled and processed.

(iv) Ensuring the prompt review of all Privacy Act requests, and when required, coordinating those requests with other organizational elements.

(v) Providing recommendations to the DCAA Privacy Act Advisor regarding the releasability of DCAA records to members of the public, along with the responsive documents.

(vi) Providing the appropriate documents, along with a written justification for any denial, in whole or in part, of a request for records to the DCAA Privacy Act Advisor. Those portions to be excised should be bracketed in red pencil, and the specific exemption or exemptions cited which provide the basis for denying the requested records.

(4) The General Counsel is responsible for:

(i) Ensuring uniformity is maintained in the legal position, and the interpretation of the Privacy Act (32 CFR part 310), and this part.

(ii) Consulting with General Counsel, Department of Defense on final denials that are inconsistent with decisions of other DoD components, involve issues not previously resolved, or raise new or significant legal issues of potential significance to other Government agencies.

(iii) Providing advice and assistance to the Assistant Director, Resources; Regional Directors; and the Regional Privacy Act Officer, through the DCAA Privacy Act Advisor, as required, in the discharge of their responsibilities.

(iv) Coordinating Privacy Act litigation with the Department of Justice.

(v) Coordinating on Headquarters denials of initial requests.

(5) Each Regional Director is responsible for the overall management of the Privacy Act program within their respective regions. Under his/her direction, the Regional Resources Manager is responsible for the management and staff supervision of the program and for designating a Regional Privacy Act Officer.

(i) Regional Directors will, as designee of the Director, make the initial determination to deny an individual's written Privacy Act request for access to or amendment of documents filed in Privacy Act systems of records. This authority cannot be delegated.

(ii) Regional Privacy Act Officers will:

(A) Implement and administer the Privacy Act program throughout the region.

(B) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.

(C) Prepare input for the annual Privacy Act Report as shown in DCAA Manual 5410.16 when requested by the DCAA Information and Privacy Advisor.

(D) Conduct training on the Privacy Act program for regional and FAO personnel.

(E) Provide recommendations to the Regional Director through the Regional Resources Manager regarding the releasability of DCAA records to members of the public.

(6) Managers, Field Audit Offices (FAOs) will:

(i) Ensure that the provisions of this part are followed in processing requests for records.

(ii) Forward to the Regional Privacy Act Officer, any Privacy Act requests received directly from a member of the public, so that the request may be administratively controlled and processed.

(iii) Ensure the prompt review of all Privacy Act requests, and when required, coordinating those requests with other organizational elements.

(iv) Provide recommendations to the Regional Privacy Act Officer regarding the releasibility of DCAA records to members of the public, along with the responsive documents.

(v) Provide the appropriate documents, along with a written justification for any denial, in whole or in part, of a request for records to the Regional Privacy Act Officer. Those portions to be excised should be bracketed in red pencil, and the specific exemption or exemptions cited which provide the basis for denying the requested records.

(7) DCAA Employees will:

(i) Not disclose any personal information contained in any system of records, except as authorized by this part.

(ii) Not maintain any official files which are retrieved by name or other personal identifier without first ensuring that a notice for the system has been published in the Federal Register.

(iii) Report any disclosures of personal information from a system of records or the maintenance of any system of records that are not authorized by this part to the appropriate Privacy Act officials for their action.

Procedures for processing material in accordance with the Privacy Act of 1974 are outlined in subparts B through L of this part.

(a) System of records. To be subject to this part, a “system of records” must:

(1) Consist of “records” that are retrieved by the name or some other personal identifier of an individual, and

(2) Be under the control of the Agency.

(b) Retrieval practices. (1) Records in a group of records that could be retrieved by personal identifiers, but are not covered by this part, even if the records contain information about individuals and are under the control of the agency. The records must, in fact, be retrieved by personal identifiers in order to become a system of records.

(2) If records previously not retrieved by personal identifiers are rearranged so they are retrieved by personal identifiers, a new system of records is created and a notice of the system must be published in the Federal Register of its existence.

(3) If records in a system of records are rearranged so retrieval no longer is by personal identifiers, the records are no longer subject to this part and the records system notice shall be deleted.

(c) Recordkeeping standards. A record maintained in a system of records must meet the following criteria:

(1) The record must be accurate--all information in the record must be factually correct.

(2) The record must be relevant--all information contained in the record must be related to the individual who is the subject of record and also must be related to a lawful purpose or mission of the agency.

(3) The record must be timely--all information in the record must be reviewed periodically to ensure that it has not changed due to time or later events.

(4) The record must be complete--it must be able to stand alone in accomplishing the purpose for which it is maintained.

(5) The record must be necessary--all information in the record must be needed to accomplish the agency mission or purpose established by Federal law or Executive Order of the President.

(d) Authority to establish systems of records. The specific Federal statute or Executive Order of the President should be identified that authorizes maintaining each system of records. A statute or Executive Order authorizing a system of records does not negate the responsibility to ensure the information in the system of records is relevant and necessary.

(e) Exercise of first amendment rights. (1) Records should not be maintained describing how an individual exercises rights guaranteed by the first amendment of the U.S. Constitution unless:

(i) Expressly authorized by Federal law;

(ii) Expressly authorized by the individual; or

(iii) Pertinent to and within the scope of an authorized law enforcement activity.

(2) First amendment rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition.

(f) System manager's evaluations and reviews. (1) Each new proposed system of records shall be evaluated.

(i) The information to be included in the system should be evaluated before establishing it.

(ii) The following factors should be considered:

(A) The relationship of each item of information to be collected and retained to the purpose for which the system is maintained. All information must be relevant to the purpose.

(B) The specific impact on the purpose or mission if each category of information is not collected. All information must be necessary to accomplish a lawful purpose or mission.

(C) The ability to meet the informational needs without using personal identifiers (will anonymous statistical records meet the needs?).

(D) The length of time each item of information must be kept.

(E) The methods of disposal; and

(F) The cost of maintaining the information.

(2) All existing systems of records shall be evaluated and reviewed.

(i) When an alteration or amendment of an existing system is prepared, an evaluation must be performed.

(ii) Reviews should be conducted often and reports prepared which outline the results and corrective actions taken to resolve problems uncovered.

(A) Training practices should be reviewed annually to ensure all personnel are familiar with the requirements of the Privacy Act and any special needs their specific jobs entail.

(B) Recordkeeping and disposal practices should be reviewed annually to ensure compliance with this part.

(C) Each ongoing computer matching program in which records from the system have been matched with non-DoD records should be reviewed annually to ensure that the applicable requirements have been met.

(D) Actions of agency personnel that resulted in either the agency being found civilly liable or an employee being found criminally liable should be reviewed annually to determine the extent of the problem and find the most effective way of preventing the problem in the future.

(E) Each system of records notice should be reviewed annually to ensure it accurately describes the system. Where minor changes are needed, amend the system notice. If major changes are needed, alter the system notice.

(F) A random sample of agency contracts that provide for the operation of a system of records on behalf of the agency to accomplish an agency function should be reviewed every even-numbered year to ensure the wording of each contract complies with the provisions of the Privacy Act of 1974 (5 U.S.C. 552a).

(G) The routine use disclosures associated with each system of records should be reviewed every three years to ensure the recipient's use of the records continues to be compatible with the purpose for which the agency originally collected the information.

(H) Each system of records for which exemption rules have been established should be reviewed every three years to determine whether each exemption is still needed.

(iii) When directed, the reports should be sent through proper channels to the agency Privacy Act Advisor who will forward them to the Defense Privacy Office.

(g) Discontinued information requirements. (1) Any category or item of information about individuals that is no longer justified should not be collected, and when feasible, the information should be removed from existing records.

(2) Records that must be kept in accordance with retention and disposal needs established under DCAA Manual 5015.1 6 , “Files and Disposition Manual,” shall not be destroyed.

(h) Review records before disclosing them outside the Federal government. Before disclosing a record from a system of records to anyone outside the Federal government, reasonable steps should be taken to ensure the record to be disclosed is accurate, relevant, timely, and complete for the purposes it is being maintained.

(a) Applicability to Federal government contractors. (1) When the agency contracts for the operation of a system of records or portion thereof to accomplish an agency function, this part and 5 U.S.C. 552a are applicable. For purposes of the criminal penalties, the contractor and its employees shall be considered employees of the agency during the performance of the contract.

(2) Consistent with Parts 24 and 52 of the Federal Acquisition Regulation 7 , contracts for the operation of a system of records or portion thereof shall identify specifically the record system and the work to be performed, and shall include in the solicitations and resulting contract such terms specifically prescribed by the FAR.

(3) If the contractor must use records that are subject to this part to perform any part of a contract, and the information would have been collected and maintained by the agency but for the contract, the contractor activities are subject to this rule.

(4) This rule does not apply to records of a contractor that are:

(i) Established and maintained solely to assist the contractor in making internal contractor management decisions, such as records maintained by the contractor for use in managing the contract; or

(ii) Maintained as internal contractor employee records, even when used in conjunction with providing goods or services to the agency.

(iii) For contracting that is subject to this part, the agency shall:

(A) Inform prospective contractors of their responsibilities under the DCAA Privacy Program.

(B) Establish an internal system for reviewing contractor performance to ensure compliance with the DCAA Privacy Program; and

(C) Provide for the biennial review of a random sampling of agency contracts that are subject to this rule.

(b) Contracting procedures. The Defense Acquisition Regulatory Council is responsible for developing the specific policies and procedures for soliciting, awarding, and administering contracts.

(c) Contractor compliance. The agency shall establish contract surveillance programs to ensure contractors comply with the procedures established by the Defense Acquisition Regulatory Council pursuant to the preceding subsection.

(d) Disclosing records to contractors. Disclosing records to a contractor for use in performing a contract for the agency is considered a disclosure within the agency. The contractor is considered the agent of DCAA when receiving and maintaining the records for the agency.

(a) General responsibilities. Appropriate administrative, technical, and physical safeguards shall be established to ensure the records in every system of records are protected from unauthorized alteration, destruction, or disclosure. The records shall be protected from reasonably anticipated threats or hazards that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

(b) Minimum standards. (1) Risk analysis and management planning shall be conducted for each system of records. Sensitivity and use of the records, present and projected threats and vulnerabilities, and present and projected cost-effectiveness of safeguards should be considered. The risk analysis may vary from an informal review of a small, relatively insensitive system to a formal, fully quantified risk analysis of a large, complex, and highly sensitive system.

(2) All personnel operating a system of records or using records from a system of records should be trained in proper record security procedures.

(3) Information exempt from disclosure under DCAA Freedom of Information Act Program (32 CFR part 290), shall be labeled to reflect its sensitivity, such as “FOR OFFICIAL USE ONLY,” “PRIVACY ACT SENSITIVE: DISCLOSE ON A NEED-TO-KNOW BASIS ONLY,” or some other language that alerts individuals to the sensitivity of the records.

(4) Special administrative, physical, and technical safeguards shall be employed to protect records stored or processed in an automated data processing or word processing system from threats unique to those environments.

(c) Records disposal. (1) Records from systems of records should be disposed of to prevent inadvertent disclosure. Disposal methods such as tearing, burning, melting, chemical decomposition, burying, pulping, pulverizing, shredding, or mutilation are considered adequate if the records are rendered unrecognizable or beyond reconstruction. Magnetic media may be cleared by degaussing, overwriting, or completely erasing.

(2) The transfer of large volumes of records (e.g., computer cards and printouts) in bulk to a disposal activity such as a Defense Reutilization and Marketing Office for authorized disposal is not a disclosure of records under this rule if volume of the records, coding of the information, or some other factor renders it impossible to recognize any personal information about a specific individual.

(3) When disposing or destroying large quantities of records from a system of records, care must be taken to ensure that the bulk of the records is maintained to prevent easy identification of specific records. If such bulk is maintained, no special procedures are required. If bulk is not maintained, or if the form of the records makes individually identifiable information easily discernible, dispose of the records in accordance with paragraph (c)(1) of this section.

(a) Collect directly from the individual. To the greatest extent practicable, information should be collected for systems of records directly from the individual to whom the record pertains if the record may be used to make an adverse determination about the individual's rights, benefits, or privileges under Federal programs.

(b) Soliciting the Social Security number. (1) It is unlawful for any Federal, State, or local government agency to deny an individual a right, benefit, or privilege provided by law because the individual refuses to provide the Social Security Number (SSN). However, this prohibition does not apply if:

(i) A Federal law requires that the SSN be provided, or

(ii) The SSN is required by a law or regulation adopted before January 1, 1975, to verify the individual's identity for a system of records established and in use before that date.

(2) Before requesting an individual to provide the SSN, the individual shall be told:

(i) Whether providing the SSN is voluntary or mandatory,

(ii) By what law or other authority the SSN is solicited, and

(iii) What uses will be made of the SSN.

(3) The notice published in the Federal Register for each system of records containing SSNs solicited from individuals must indicate the authority for soliciting the SSNs and whether it is mandatory for the individuals to provide their SSNs. Executive Order 9397 permits Federal agencies to solicit SSNs as numerical identifiers for individuals in Federal records systems.

(4) Upon entrance into employment with the agency, individuals must provide their SSNs; therefore, they must be given the notification. The SSN is then the individual's numerical identifier and used to establish personnel, financial, medical, and other official records. After the individual has provided the SSN to establish the records, the notification is not required when the SSN is requested only for verification or to locate the records.

(5) The Federal Personnel Manual should be consulted when soliciting SSNs for use in systems of records controlled by the Office of Personnel Management.

(c) Collecting information about individuals from third persons. It might not always be practical to collect all information about the individual directly from the individual, such as when:

(1) Verifying information through other sources for security or employment suitability determinations.

(2) Seeking other opinions, such as a supervisor's comments on past performance or other evaluations.

(3) Obtaining the necessary information directly from the individual will be exceptionally difficult or will result in unreasonable costs or delays; or

(4) The individual requests or consents to contacting another person to obtain the information.

(d) Privacy Act statement. (1) When an individual is requested to furnish information about himself or herself for a system of records, a Privacy Act statement must be provided to the individual, regardless of the method used to collect the information (forms, personal interviews, telephonic interviews, etc.). If the information requested will not be included in a system of records, a Privacy Act statement is not required.

(2) The Privacy Act statement shall include the following:

(i) The Federal law or Executive Order of the President that authorizes collecting the information.

(ii) Whether it is voluntary or mandatory for the individual to provide the requested information.

(iii) The principal purposes for which the information will be used.

(iv) The routine uses that will be made of the information (to whom and why it will be disclosed outside the Department of Defense); and

(v) The effects, if any, on the individual if all or part of the information is not provided.

(3) The Privacy Act statement must appear on the form used to collect the information or on a separate form that can be retained by the individual requesting it. If the information is collected other than by the individual completing a form, such as when the information is solicited by telephone, the Privacy Act statement should be read to the individual and a copy sent to him or her on request.

(4) It is mandatory for an individual to furnish information about himself or herself for a system of records only when a Federal law or Executive Order of the President specifically imposes a duty to furnish the information and provides a penalty, e.g., criminal sanctions, for failure to do so. If furnishing the information is only a condition for granting a benefit or privilege voluntarily sought by the individual (such as a request for annual leave), it is voluntary for the individual to give the information. However, the denial of the benefit or privilege must be listed in the Privacy Act statement as one of the effects of not providing the information, i.e., the effects on the individual if the information is not provided.

(a) DCAA forms. (1) DCAA Regulation 5015.3 8 , “DCAA Forms Management Program,” provides guidance for preparing the Privacy Act statement for use with DCAA forms.

(a) Right of access (1) The access provisions of this part are for individuals who are subjects of records maintained in DCAA systems of records.

(2) All information that can be released consistent with applicable laws and regulations should be made available to the subject of record.

(b) Notification of record's existence. Record managers of system of records shall establish procedures for notifying an individual, in response to a request, if the system of records contains a record pertaining to him or her.

(c) Individual requests for access. (1) Individuals shall address requests for access to records in systems of records to the responsible system manager or the regional Privacy Act officer.

(2) Requests for access may be oral or written; however, only written requests are to be maintained in the Privacy Act case file and counted when compiling the annual Privacy Act report.

(d) Verifying identity. (1) An individual shall provide reasonable verification of identity before obtaining access to records.

(2) Procedures for verifying identity shall not be complicated merely to discourage individuals from seeking access to records.

(3) When an individual seeks access in person, identification can be verified by documents normally carried by the individual, such as an identification card, driver's license, or other license, permit or pass normally used for identification purposes.

(4) When access is requested other than in person, identity may be verified by the individual's providing minimum identifying data such as full name, date and place of birth, or other information necessary to locate the record sought. If the information sought is sensitive, additional identifying data may be required.

(5) The individual may be accompanied by a person of his or her choice when viewing the record; however, the individual may be required to provide written authorization to have the record discussed in front of the other person.

(6) An individual shall not be denied access to a record solely for refusing to divulge the SSN, unless it is the only means of retrieving the record or verifying identity.

(7) An individual shall not be required to explain why he or she is seeking access to a record.

(8) Only a designated denial authority may deny access. The denial must be in writing.

(9) If notarization of requests is required for access, procedures shall be established for an alternate method of verification for individuals who do not have access to notary services, such as military members overseas. The following formats may be used as prescribed by 28 U.S.C. 1746:

(i) If executed outside of the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”

(ii) If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”

(e) Granting individual access to records. (1) The individual should be granted access to the original record (or exact copy) without any changes or deletions. A record that has been amended is considered the original.

(2) The individual's request should be granted for an exact copy of the record, and, upon the signed authorization of the individual, a copy should be provided to anyone designated by the individual. In either case, the copying fees may be assessed to the individual.

(3) If requested, explain any record or portion of a record that is not understood, as well as any changes or deletions.

(f) Illegible, incomplete, or exempt records. (1) Illegible or incomplete records. Individual access should not be denied solely because the physical condition or format of the record does not make it readily available, such as when the record is in a deteriorated state or on magnetic tape. In this case, the document should be recopied exactly or an extract can be prepared.

(2) Exempt records. A request for a record that is wholly or partially exempt from access shall also be processed under the Freedom of Information Act (FOIA). The requester shall be granted access to all information that is releasable under either this part or the FOIA. The agency may provide this information in the form of an extract or summary of the record. The provisions of this rule or the FOIA under which access was granted should be cited.

(g) Access to medical and psychological records. (1) Individual access to medical and psychological records should be provided, even if the individual is a minor, unless it is determined that access could have an adverse effect on the mental or physical health of the individual. This determination normally should be made in consultation with a medical practitioner.

(2) If it is medically indicated that access could have an adverse mental or physical effect on the individual, the record should be provided to a medical practitioner named by the individual, along with an explanation why access without medical supervision could be harmful to the individual.

(3) The named medical practitioner should not be required to request the record for the individual.

(4) If the individual refuses or fails to designate a medical practitioner, access shall be refused. The refusal is not considered a denial for reporting purposes under the Privacy Act.

(h) Access by parents and legal guardians. (1) The parent of any minor, an individual under 18 years of age who is neither a member of a Military Service nor married, or the legal guardian of any individual declared by a court of competent jurisdiction to be incompetent due to physical or mental incapacity or age, may obtain access to the record of the minor or incompetent individual if the parent or legal guardian is acting on behalf of the minor or incompetent (i.e., for the benefit of the minor or incompetent). However, with respect to access by parents and legal guardians to medical records and medical determinations about minors, observe the following procedures:

(i) In the United States, the laws of the state where the records are located might afford special protection to certain medical records such as drug and alcohol abuse treatment records and psychiatric records. The state statutes might apply even if the records are maintained by a military medical facility.

(ii) For installations located outside the United States, the parent or legal guardian of a minor shall be denied access if all four of the following conditions are met:

(A) The minor at the time of the treatment or consultation was 15, 16, or 17 years old.

(B) The treatment or consultation was within a program authorized by law or regulation to provide confidentiality to the minor.

(C) The minor specifically indicated a desire that the treatment or consultation record be handled in confidence and not disclosed to a parent or guardian, and

(D) The parent or legal guardian does not have the written authorization of the minor or a valid court order granting access.

(2) A minor or incompetent has the same right of access as any other individual. The right of access of the parent or legal guardian is in addition to that of the minor or incompetent.

(i) Access to information compiled in anticipation of a civil proceeding. (1) An individual is not entitled to access information compiled in reasonable anticipation of a civil action or proceeding.

(2) The term “civil action or proceeding” includes quasi-judicial and pretrial judicial proceedings as well as formal litigation.

(3) Paragraphs (i)(1) and (2) of this section do not prohibit access to records compiled or used for purposes other than litigation, nor prohibit access to systems of records solely because they are frequently subject to litigation. The information must have been compiled for the primary purpose of litigation.

(4) Attorney work products prepared in conjunction with the paragraphs (i)(1) and (2) of this section are also protected.

(j) Non-agency records. (1) Certain documents under the control of DCAA personnel and used to assist them in performing official functions may not be considered agency records within the meaning of this part. Such documents, if maintained in accordance with the following subparagraph, are not systems of records that are subject to this part. Examples are personal telephone lists and personal notes kept to refresh the memory of the author.

(2) To be considered non-agency records, the documents must:

(i) Be maintained and discarded solely at the discretion of the author.

(ii) Be created only for the author's personal convenience.

(iii) Not be the result of official direction or encouragement, whether oral or written; and

(iv) Not be shown to other persons for any reason.

(k) Relationship between the Privacy Act and the Freedom of Information Act (FOIA). (1) Access requests that specifically state or reasonably imply that they are made under the Freedom of Information Act (5 U.S.C. 552), are processed pursuant to DCAA Regulation 5410.10 (32 CFR part 290).

(2) Access requests that specifically state or reasonably imply that they are made under the Privacy Act of 1974 (5 U.S.C. 552a) are processed pursuant to this part.

(3) Access requests that cite both the FOIA and the Privacy Act are processed under the Act that provides the greater degree of access. The requester should be informed which Act was used in granting or denying access.

(4) Individual access should not be denied to records otherwise releasable under the Privacy Act or the Freedom of Information Act solely because the request does not cite the appropriate statute.

(l) Time limits. Access requests should be acknowledged within 10 working days after receipt, and access should be granted or denied within 30 working days, excluding Federal holidays.

(a) Fee schedules. The fees charged requesters shall include only the direct cost of reproduction and shall not include costs of:

(1) Time or effort devoted by agency personnel to searching for or reviewing the record.

(2) Fees not associated with the actual cost of reproduction.

(3) Producing a copy when it must be provided to the individual without cost under another regulation, directive, or law.

(4) Normal postage.

(5) Transportation of records or personnel, or

(6) Producing a copy when the individual has requested only to review the record and has not requested a copy to keep, and

(i) The only means of allowing review is to make a copy (e.g., the record is stored in a computer and a copy must be printed to provide individual access), or

(ii) The agency does not wish to surrender temporarily the original record for the individual to review.

(7) Compute fees using the appropriate portions of the fee schedule in 32 CFR part 286, subpart F.

(b) Fee waivers. (1) Fees shall be waived automatically if the direct cost of reproduction is less than $30, unless the individual is requesting an obvious extension or duplication of a previous request for which he or she was granted a waiver.

(2) Decisions to waive or reduce fees that exceed $30 may be made on a case-by-case basis.

(a) Denying individual access. The subject of record may be denied access only if it:

(1) Was compiled in reasonable anticipation of a civil action or proceeding; or

(2) Is in a system of records that has been exempted from the access provisions of this part.

(3) The individual should be denied access only to those portions of the record for which the denial will serve a legitimate governmental purpose.

(4) An individual may be refused access for failure to comply with established procedural requirements, but must be told the specific reason for the refusal and the proper access procedures.

(b) Notifying the individual. Written denial of access must be given to the individual and must be documented in a Privacy Act case file. The denial shall include:

(1) The name, title, and signature of a designated denial authority.

(2) The date of the denial.

(3) The specific reason for the denial, citing the appropriate sections of the Privacy Act or this part authorizing the denial.

(4) Notice of the individual's right to appeal the denial within 60 calendar days of the date the notice is mailed; and

(5) The title and address of the appeal official.

(c) Appeal procedures. Appeal procedures provide for the following:

(1) Review by the Assistant Director, Resources, DCAA Headquarters, or his or her designee, of any appeal by an individual.

(2) Written notification to the individual by the Assistant Director, Resources shall:

(i) If the denial is sustained totally or in part, include:

(A) The reason for denying the appeal, citing the provision of the Privacy Act or this part upon which the denial is based.

(B) The date of the appeal determination.

(C) The name, title, and signature of the appeal authority; and

(D) A statement informing the applicant of the right to seek judicial relief in Federal District Court.

(ii) If the appeal is granted, advise the individual and provide access to the record sought.

(d) Final action, time limits, and documentation. (1) The written appeal notification granting or denying access is the final agency action on the initial request for access.

(2) All appeals shall be processed within 30 working days, excluding Federal holidays, of receipt, unless the appeal authority finds that an adequate review cannot be completed within that period. If additional time is needed, notify the applicant in writing, explaining the reason for the delay and when the appeal will be completed.

(3) All actions on appeals must be documented in the Privacy Act case file.

(e) Denial of appeal by the agency's failure to act. An individual may consider his or her appeal denied if the appeal authority fails:

(1) To take final action on the appeal within 30 working days, excluding Federal holidays, of receipt when no extension of time notice was given; or

(2) To take final action within the period established by the extension of time notice.

(f) Denying access to Office of Personnel Management (OPM) records held by the agency. (1) The records in all systems of records maintained in accordance with the OPM Government-wide system notices are only in the temporary custody of the agency.

(2) All requests for access to these records must be processed in accordance with the OPM Federal Personnel Manual as well as DCAA Manual 1400.1 9 , “DCAA Personnel Management Manual.”

(a) Documents used in processing notification, access, and amendment requests made under the Privacy Act or this part shall be filed in a Privacy Act case file established for each request, not in the record to which they pertain.

(b) Privacy Act case files should contain the following information:

(1) The request to be notified if a system of records contains a record pertaining to the individual and the request for access and amendment.

(2) Approval, denial, request for appeal, action on appeal, coordination action, and other documents relating to the request; and

(3) Documentation of reasons for exceeding the established time limits for processing the request.

(c) The Privacy Act case file shall not contain a copy of the record and shall not be used to make any determination about the individual, other than determinations about the Privacy Act request.

(d) The case file shall be used only to process requests and provide statistics such as for the annual report required by the Privacy Act.

Individuals are encouraged to review periodically the information maintained about them in systems of records, and to avail themselves of the amendment procedures established by this part.

(a) Right to request amendment. An individual may request the amendment of any record retrieved by his or her personal identifier from a system of records, unless the system has been exempted from the amendment procedures. See § 317.133. Amendments are limited to correcting factual matters, not matters of opinion such as those contained in evaluations of promotion potential and performance appraisals.

(b) Written amendment request. The agency may require that amendment requests be in writing; however, this requirement shall not be used merely to discourage individuals from requesting valid amendments or to burden needlessly the amendment process. Only written amendment requests must be documented in the Privacy Act case file.

(c) Content of amendment request. An amendment request must include:

(1) A description of the information to be amended.

(2) The reason for the amendment.

(3) The type of amendment action sought (deletion, correction, or addition); and

(4) Copies of available documentary evidence supporting the request.

The individual must provide adequate support for the request.

The individual may be required to provide identification to prevent the inadvertent or intentional amendment of another's record.

This part does not permit the alteration of evidence presented in the course of judicial or quasi-judicial proceedings. Amendments to such records must be made in accordance with procedures established for such proceedings. This part does not permit a collateral attack on a judicial or quasi-judicial finding; however, it may be used to challenge the accuracy of recording the finding in a system of records.

Within 10 working days, excluding Federal holidays, of receiving an amendment request, provide the individual a written acknowledgment of the request. If action on the amendment request is completed within the 10 working days and the individual is so informed, no separate acknowledgment is necessary. The acknowledgment must clearly identify the request and advise the individual when to expect notification of the completed action. Only under exceptional circumstances shall more than 30 working days, excluding Federal holidays, be required to complete the action on an amendment request. If a completed action takes longer than 30 working days, the delay must be explained fully in the Privacy Act case file.

(a) Notify the requester. To the extent the amendment request is granted, the individual shall be notified and make the appropriate amendment.

(b) Notify previous recipients. All previous recipients of the information (as reflected in the disclosure accounting records) should be notified that the amendment has been made and provide each a copy of the amended record. Recipients who are known to be no longer retaining the record need not be advised of the amendment. If it is known that other DoD components or other Federal Agencies have been provided the information that was amended, or if the individual requests that other DoD components or other Federal agencies be notified, provide the notification even if those components or agencies are not listed in the disclosure accounting.

(c) Documentation. The action should be documented in the Privacy Act case file if the request for amendment was in writing.

(a) If the amendment request is denied in whole or in part, the individual should be promptly notified in writing and document the action in the Privacy Act case file. The notification to the individual shall include:

(b) Basis for denial. Those sections of the Privacy Act or this part upon which the denial is based.

(c) Right to appeal. Advice that the individual may appeal to the Assistant Director, Resources, or his or her designee for an independent review of the initial denial.

(d) Appeal procedures. The procedures for requesting an appeal, including the title and address of the official to whom the appeal should be sent; and

(e) Appeal assistance. Where the individual can receive assistance in filing the appeal.

Procedures to ensure the prompt, complete, and independent review of each denial of an amendment request if the individual appeals must ensure:

(a) Appeals are forwarded. The appeal with all supporting documentation, including that furnished by the individual and that contained in agency records, is provided to the Assistant Director, Resources, or his or her designee.

(b) Standards for review. The standard for deciding the appeal is whether the unamended record is accurate, relevant, timely, complete, and necessary. If the unamended record does not meet each of these criteria, the amendment request shall be granted to the extent necessary to meet them.

(c) Time limits. The appeal is processed within 30 working days, excluding Federal holidays, unless the appeal official determines that an adequate review cannot be completed within that period and gives the individual a written explanation of the reason and when the review will be completed.

(d) Denial notification. If the appeal is denied completely or in part, the individual is provided written notification that:

(1) The appeal has been denied, citing the sections of the Privacy Act or this rule on which the denial was based.

(2) The individual may file a statement of disagreement. An explanation of the filing procedures will be included in the written notification.

(3) If properly filed, the statement of disagreement shall be included in the record and furnished to all future recipients of the record and to all prior recipients of the record as listed on the disclosure accounting, except those known to be no longer retaining the record; and

(4) The individual may seek judicial review of the decision not to amend the record.

(e) Amendment notification. If the record is amended:

(1) The individual is notified promptly of the decision.

(2) All previous recipients of the record, as listed in the disclosure accounting (except those known to be no longer retaining the record), are notified of the amendment and provided a copy; and

(3) Any previous recipient known to be holding a copy of the record (but not listed in the disclosure accounting), as well as any other DoD component or other Federal agency named by the individual, also should be informed of the amendment and provided a copy.

(f) Documentation. All actions on the appeal shall be documented in the Privacy Act case file.

The records in an OPM Government-wide system of records are only temporarily in the custody of the agency. Requests for amendment of these records must be processed in accordance with the OPM Federal Personnel Manual. The agency denial authority may deny a request, but all denials are subject to review by the Assistant Director for Workforce Information, Personnel Systems Oversight Group, Office of Personnel Management, 1900 E Street NW, Washington, DC 20415-0001.

(a) Right to submit. If the appeal authority refuses to amend the record as requested, the individual may submit a concise statement of disagreement listing the reasons for disagreeing with the refusal to amend.

(b) Filing the statement. If possible, incorporate the statement of disagreement into the record. If that is not possible, the record should be annotated to reflect that the statement was filed and maintain the statement so that it can be obtained readily when the disputed information is used or disclosed. For instance, automated record systems not programmed to accept statements of disagreement must be capable of having indicators entered to reflect the presence of statements on file and how to obtain them.

(c) Inform previous recipients. Copies of the statement of disagreement should be furnished to all individuals listed in the disclosure accounting of the record (except those known to be no longer retaining the record), as well as to all other known holders of copies of the record.

(d) Disclosure. Whenever the disputed information is disclosed for any purpose, ensure that the statement of disagreement also is used or disclosed.

(a) Right to file. If the individual files a statement of disagreement, the agency may file a statement of reasons containing a concise summary of the agency's reasons for denying the amendment request.

(b) Content. The statement of reasons shall contain only those reasons given to the individual by the appeal official and shall not contain any comments on the individual's statement of disagreement.

(c) Disclosure. At the discretion of the agency, the statement of reasons may be disclosed to those individuals, DoD components, and other Federal agencies that receive the statement of disagreement.

(a) Documents that must be published in the Federal Register. (1) Three types of documents relating to the Privacy Program must be published in the Federal Register:

(i) DCAA Privacy Program procedural rules (32 CFR part 317).

(ii) DCAA exemption rules (32 CFR part 317), and

(iii) Record system notices.

(2) DoD 5025.1-M, “DoD Directives System Procedures,” and DoD Directive 5400.9, “Publication of Proposed and Adopted Regulations Affecting the Public” (32 CFR part 336), contain information on preparing documents for publication in the Federal Register.

(b) Effect of publication in the Federal Register. Publishing a document in the Federal Register constitutes official public notice of the existence and content of the document.

(c) Formal rulemaking and notices. (1) DCAA Privacy Program procedural and exemption rules are subject to the rulemaking procedures prescribed by 32 CFR part 336. These are incorporated automatically into the Code of Federal Regulations.

(2) Record system notices are published in the Federal Register as “notices.” They are not subject to the rulemaking procedures or automatic incorporation into the Code of Federal Regulations.

(d) Submitting Privacy Program procedural rules for publication. (1) Procedural rules must be published in the Federal Register first as proposed rules to allow for public comment, then as final rules.

(2) The DCAA Privacy Advisor will submit to the Defense Privacy Office all proposed rules implementing this rule. The submission must conform to the Federal Register format.

(3) This part published as a final rule in the Federal Register shall be incorporated by regions as their own rules by reference rather than by republication. A region that simply implements this part as its own rule need not publish it as a final rule in the Federal Register.

(4) Amendments to agency rules are submitted in the same manner as the original rules.

(5) The Defense Privacy Office, DA&M, reviews and submits all DoD component rules, and amendments to rules to the Federal Register for publication.

(e) Submitting exemption rules for publication. (1) Exemption rules must be published in the Federal Register first as proposed rules to allow for public comment, then as final rules.

(2) No system of records shall be exempt from any provision of the Privacy Act until the exemption rule has been published in the Federal Register as a final rule.

(3) Proposed exemption rules should be submitted in proper format through the agency Privacy Advisor to the Defense Privacy Office, DA&M, for review and submittal to the Federal Register for publication.

(4) Amendments to exemption rules are submitted in the same manner as the original exemption rules.

(f) Submitting record system notices for publication. (1) Although system notices are not subject to formal rulemaking procedures, advance public notice must be given before the agency may begin to collect information for or maintain a new system of records. The notice procedures require that:

(i) The record system notice describe the contents of the record system and the purposes and routine uses for which the information will be used and disclosed.

(ii) The public be given 30 days to comment on any proposed routine uses before the routine uses are implemented; and

(iii) The notice contain the date the system of records will become effective.

(2) System notices shall be submitted though the agency Privacy Advisor to the Defense Privacy Office, DA&M, for publication in the Federal Register.

(a) Contents of a record system notice. The following data captions are prescribed by the Office of the Federal Register and must be included for each system notice:

(1) System identifier.

(2) System name.

(3) System location.

(4) Categories of individuals covered by the system.

(5) Categories of records in the system.

(6) Authority for maintenance of the system.

(7) Purpose(s).

(8) Routine uses of records maintained in the system, including categories of users and purposes of the uses.

(9) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system.

(10) System manager(s) and address.

(11) Notification procedures.

(12) Record access procedures.

(13) Contesting records procedures.

(14) Record source categories; and

(15) Exemptions claimed for the system.

(b) System identification. The system identifier must appear in all system notices. It is limited to 21 positions, including agency code, file number, symbols, punctuation, and spaces.

(c) System name. (1) The system name must indicate the general nature of the system of records and, if possible, the general category of individuals to whom it pertains.

(2) Acronyms should be established parenthetically following the first use of the name (e.g., “Field Audit Office Management Information System (FMIS)”). Acronyms shall not be used unless preceded by such an explanation.

(3) The system name may not exceed 55 character positions, including punctuation and spaces.

(d) System location. (1) For a system maintained in a single location, provide the exact office name, organizational identity, routing symbol, and full mailing address. Do not use acronyms in the location address.

(2) For a geographically or organizationally decentralized system, describe each level of organization or element that maintains a portion of the system of records.

(3) For an automated data system with a central computer facility and input or output terminals at geographically separate locations, list each location by category.

(4) If multiple locations are identified by type of organization, the system location may indicate that official mailing addresses are published as an appendix to the agency's compilation of systems of records notices in the Federal Register. If no address directory is used, or if the addresses in the directory are incomplete, the address of each location where a portion of the record system is maintained must appear under the “system location” caption.

(5) Classified addresses shall not be listed, but the fact that they are classified shall be indicated.

(6) The U.S. Postal Service two-letter state abbreviation and the nine-digit zip code shall be used for all domestic addresses.

(e) Categories of individuals covered by the system. (1) Clear, nontechnical terms shall state the specific categories of individuals to whom records in the system pertain.

(2) Broad descriptions such as “all DCAA personnel” or “all employees,” should be avoided unless the term actually reflects the category of individuals involved.

(f) Categories of records in the system. (1) Clear, nontechnical terms shall be used to describe the types of records maintained in the system.

(2) The description of documents should be limited to those actually retained in the system of records. Source documents should not be described that are used only to collect data and then are destroyed.

(g) Authority for maintenance of the system. (1) The system of records must be authorized by a Federal law or Executive Order of the President, and the specific provision must be cited.

(2) When citing federal laws, include the popular names (e.g.,“5 U.S.C. 552a, The Privacy Act of 1974”) and for Executive Orders, the official titles (e.g., “Executive Order 9397, Numbering System for Federal Accounts Relating to Individual Persons”).

(3) The Directive establishing the agency, DoD Directive 5105.36 (32 CFR part 357), as well as the law that authorizes the Secretary of Defense to issue Directives, 10 U.S.C. 133 should be cited.

(h) Purpose(s). The specific purpose(s) for which the system of records was created and maintained; that is, the uses of the records within the agency and the rest of the Department of Defense should be listed.

(i) Routine uses. (1) All disclosures of the records outside the agency, including the recipient of the disclosed information and the uses the recipient will make of it should be listed.

(2) If possible, the specific activity or element to which the record may be disclosed (e.g., “to the Department of Veterans Affairs, Office of Disability Benefits”) should be listed.

(3) General statements such as “to other Federal Agencies as required” or “to any other appropriate Federal agency” should not be used.

(4) The blanket routine uses, published at the beginning of the agency's compilation, applies to all system notices, unless the individual system notice states otherwise.

(j) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records. This section is divided into four parts.

(1) Storage: The method(s) used to store the information in the system (e.g., “automated, maintained in computers and computer output products” or “manual, maintained in paper files” or “hybrid, maintained in paper files and in computers”) should be stated. Storage does not refer to the container or facility in which the records are kept.

(2) Retrievability: How records are retrieved from the system (e.g., “by name,” “by SSN,” or “by name and SSN”) should be indicated.

(3) Safeguards: The categories of agency personnel who use the records and those responsible for protecting the records from unauthorized access should be stated. Generally the methods used to protect the records, such as safes, vaults, locked cabinets or rooms, guards, visitor registers, personnel screening, or computer “fail-safe” systems software should be identified. Safeguards should not be described in such detail as to compromise system security.

(4) Retention and disposal: Describe long records are maintained. When appropriate, the length of time records are maintained by the agency in an active status, when they are transferred to a Federal Records Center, how long they are kept at the Federal Records Center, and when they are transferred to the National Archives or destroyed should be stated. If records eventually are destroyed, the method of destruction (e.g., shredding, burning, pulping, etc), should be stated. If the agency rule is cited, the applicable disposition schedule shall also be identified.

(k) System manager(s) and address. (1) The title (not the name) and address of the official or officials responsible for managing the system of records should be listed.

(2) If the title of the specific official is unknown, such as with a local system, the local director or office head as the system manager should be indicated.

(3) For geographically separated or organizationally decentralized activities with which individuals may correspond directly when exercising their rights, the position or title of each category of officials responsible for the system or portion thereof should be listed.

(4) Addresses that already are listed in the agency address directory; or simply refer to the directory should not be included.

(l) Notification procedures. (1) Notification procedures describe how an individual can determine if a record in the system pertains to him or her.

(2) If the record system has been exempted from the notification requirements of subsection (f)(1) or subsection (e)(4)(G) of the Privacy Act, it should be so stated.

(3) If the system has not been exempted, the notice must provide sufficient information to enable an individual to request notification of whether a record in the system pertains to him or her. Merely referring to the agency's procedural rules is not sufficient.

(4) This section should also include:

(i) The title (not the name) and address of the official (usually the system manager) to whom the request must be directed;

(ii) Any specific information the individual must provide in order for the agency to respond to the request (e.g., name, SSN, date of birth, etc.); and

(iii) Any description of proof of identity for verification purposes required for personal visits by the requester.

(m) Record access procedures. (1) This section describes how an individual can review the record and obtain a copy of it.

(2) If the system has been exempted from access and publishing access procedures under subsections (d)(1) and (e)(4)(H), respectively, of the Privacy Act, it should be so indicated.

(3) If the system has not been exempted, describe the procedures an individual must follow in order to review the record and obtain a copy of it, including any requirements for identity verification.

(4) If appropriate, the individual may be referred to the system manager or another agency official who shall provide a detailed description of the access procedures. Any addresses already listed in the address directory should not be repeated.

(n) Contesting record procedures. (1) This section describes how an individual may challenge the denial of access or the contents of a record that pertains to him or her.

(2) If the record system has been exempted from allowing amendments to records or publishing amendment procedures under subsections (d)(2) and (e)(4)(H), respectively, of the Privacy Act, it should be so stated.

(3) If the system has not been exempted, the procedures an individual must follow should be described in order to challenge the content of a record pertaining to him or her, or explain how he or she can obtain a copy of the procedures (e.g., by contacting the system manager or another agency official).

(o) Record source categories. (1) If the system has been exempted from publishing record source categories under subsection (e)(4)(I) of the Privacy Act, it should be so stated.

(2) If the system has not been exempted, this caption must describe where the agency obtained the information maintained in the system.

(3) Describing the record sources in general terms is sufficient; specific individuals, organizations, or institutions need not be identified.

(p) Exemptions claimed for the system. (1) If no exemption has been established for the system, indicate “None.”

(2) If an exemption has been established, state under which provision of the Privacy Act it is established (e.g., “Parts of this system of records may be exempt under 5 U.S.C. 552a(k)(2)”).

(a) Criteria for a new record system. (1) A new system of records is one for which no existing system notice has been published in the Federal Register.

(2) If a notice for a system of records has been canceled or deleted and the agency desires to reinstate or reuse the system, a new system notice must be published in the Federal Register.

(b) Criteria for an altered record system. A system is considered altered when any one of the following actions occurs or is proposed:

(1) A significant increase or change in the number or types of individuals about whom records are maintained requires a change to the “categories of individuals covered by the system” caption in the system notice and might require changes to the “purpose(s)” caption.

(i) For example, a decision to expand a system of records that originally covered personnel assigned to only one location to cover personnel at several locations would constitute an altered system.

(ii) An increase in the number of individuals covered due to normal growth is not an alteration.

(iii) A decrease in the number of individuals covered is not an alteration, but it is an amendment.

(2) A change that expands the types or categories of information maintained requires a change in the “categories of records in the system” caption in the system notice.

(i) For example, a personnel file that has been expanded to include medical records would be an alteration.

(ii) Adding to a personnel file a new data element that is clearly within the scope of the categories of records described in the existing notice is not an alteration, but is an amendment.

(3) A change that alters the purpose for which the information is used requires changing the “purpose(s)” caption in the system notice. In order to be an alteration, the change must be one that is not reasonably inferred from any of the existing purposes.

(4) A change to equipment configuration (either hardware or software) that creates substantially greater use of records in the system requires changing the “storage” caption in the system notice. For example, placing interactive computer terminals at regional offices to use a system formerly used only at the Headquarters would be an alteration.

(5) A change in the manner in which records are organized or in the method by which records are retrieved requires changing the “Retrievability” caption in the system notice.

(i) Combining record systems due to a reorganization within the agency would be an alteration.

(ii) Retrieving by SSNs records that previously were retrieved only by names would be an alteration if the present notice failed to indicate retrieval by SSNs.

(c) Reports of new and altered systems of records. (1) Under subsection (o) of the Privacy Act, reports of new and altered systems of records must be submitted to Congress and the Office of Management and Budget.

(2) The agency shall submit reports of new or altered systems to the Defense Privacy Office, DA&M, before collecting information for new systems or altering an existing system.

(3) The Defense Privacy Office, DA&M, shall coordinate all reports of new or altered systems with the Office of the Assistant Secretary of Defense (Legislative Affairs) and the Office of the General Counsel, Department of Defense.

(4) The Defense Privacy Office, DA&M, shall prepare, for the approval and signature of the Director, Administration and Management, Office of the Secretary of Defense, transmittal letters to Congress and the Office of Management and Budget.

(d) Time limits before implementing routine uses. After publishing a system notice in the Federal Register, 30 days must elapse before routine uses may be employed.

(a) Criteria for an amended record system. Minor changes to published system notices are considered amendments rather than alterations. Amendments must also be published in the Federal Register, but a new or altered system report does not have to be accomplished.

(b) Amending a system notice. In submitting an amendment to a system notice for publication in the Federal Register, the agency must include:

(1) The system identification and name.

(2) A description of the specific changes proposed; and

(3) The full text of the system notice as amended.

(c) Deleting a system notice. (1) When a system of records is discontinued, incorporated into another system, or determined to be no longer subject to this rule, a deletion notice must be published in the Federal Register.

(2) The deletion notice shall include:

(i) The system identification number and name.

(ii) The Federal Register citation of the latest publication of the system.

(iii) The reason for the deletion.

(3) If a system is deleted through combination or merger with another system, identify the successor system in the deletion notice.

(d) Submitting amendments and deletions for publication. (1) Amendments and deletions should be submitted through the agency Privacy Advisor to the Defense Privacy Office, DA&M, which will transmit them to the Federal Register for publication.

(2) At least one original in proper format should be included in the submission.

(3) Multiple amendments and deletions, and combinations of amendments and deletions, may be submitted together.

(a) Establishing rules of conduct. Under subsection (e)(9) of the Privacy Act, the agency is required to establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record.

(b) Training. The agency shall train all personnel involved in the functions described in the preceding paragraph. The training shall include instruction in the rules of conduct and all requirements prescribed by the Privacy Act, including the penalties for noncompliance.

(a) Personnel to be trained. (1) To conform with Office of Management and Budget guidance, compliance with the statutory training requirements requires informed and active support of all agency personnel. All personnel who in any way use or operate systems of records, or who are engaged in the development of procedures for handling records, must be taught the requirements of the Privacy Act and must be trained in the agency's procedures for the implementation of the Privacy Act.

(2) Personnel to be trained include, but are not limited to, those engaged in the following:

(i) Personnel management.

(ii) Personnel finance.

(iii) Medical care.

(iv) Investigations of personnel.

(v) Records management (reports, forms, records, and related functions).

(vi) Computer systems development and operation.

(vii) Communications.

(viii) Statistical data collection and analysis, and

(ix) Performing other functions subject to this rule.

(b) Types of training. The agency shall establish the following three levels of training for those persons who are involved with the design, development, operation, or maintenance of any system of records. The training shall be provided to persons before or shortly after assuming the duties associated with the level of involvement.

(1) Orientation training. Orientation training that provides a general understanding of the individual's rights under the Privacy Act.

(2) Specialized training. Training concerning the application of this part to specialized areas of job performance.

(3) Management training. Training concentrated on factors affecting decisions made by managers under the Privacy Program, such as system managers, denial authorities, and managers of the specific functions listed.

(c) Methods of training. The agency is responsible for developing training methods that will meet this criteria. Such methods may include formal and informal (on-the-job) programs, if those personnel giving the training have, themselves, been trained.

An individual who alleges he or she has been affected adversely by a violation of the Privacy Act shall be permitted to seek relief from the Assistant Director, Resources, through proper administrative channels.

After exhausting all administrative remedies, an individual may file suit (5 U.S.C 552a(y)) in the Federal court against the agency for any of the following acts:

(a) Denial of an amendment request. The Assistant Director, Resources, or designee refuses the individual's request for review of the initial denial of an amendment or, after review, refuses to amend the record.

(b) Denial of access. The agency refuses to allow the individual to review the record or denies his or her request for a copy of the record.

(c) Failure to meet recordkeeping standards. The agency fails to maintain the individual's record with the accuracy, relevance, timeliness, and completeness necessary to assure fairness in any determination about the individual's rights, benefits, or privileges and, in fact, makes an adverse determination based on the record.

(d) Failure to comply with the Privacy Act. The agency fails to comply with any other provision of the Privacy Act or any rule or regulation promulgated under the Privacy Act and thereby causes the individual to be adversely affected.

The Privacy Act (5 U.S.C. 552a(i)) authorizes three criminal penalties against individuals. All three are misdemeanors punishable by fines of $5,000.

(a) Wrongful disclosure. Any member or employee of the agency who, by virtue of his or her employment or position, has possession of or access to records and willfully makes a disclosure to anyone not entitled to receive the information.

(b) Maintaining unauthorized records. Any member or employee of the agency who willfully maintains a system of records for which a notice has not been published.

(c) Wrongful requesting or obtaining records. Any person who knowingly and willfully requests or obtains a record concerning an individual from the agency under false pretenses.

Whenever a civil complaint citing the Privacy Act is filed against the agency in Federal court or whenever criminal charges are brought against an individual in Federal court (including referral to a court-martial) for any offense, the agency shall notify the Defense Privacy Office, DA&M. The litigation status report included in appendix C to this part provides a format for this notification. An initial litigation status report shall be forwarded providing, as a minimum, the information specified. An updated litigation status report shall be sent at each stage of litigation. When the court renders a formal disposition of the case, copies of the court's action, along with the litigation status report reporting the action, shall be sent to the Defense Privacy Office, DA&M.

(a) Annual review. The agency shall review annually the actions of its personnel that have resulted in either the agency being found civilly liable or an agency member being found criminally liable under the Privacy Act.

(b) Reporting results. The agency shall be prepared to report the results of the annual review to the Defense Privacy Office, DA&M.

(a) Statutory requirements. Subsection (p) of the Privacy Act requires a report and assigns to the Office of Management and Budget the responsibility for compiling the report.

(b) OMB requirements. (1) In addition to the report, the Office of Management and Budget requires that all agencies be prepared to report the results of the reviews.

(2) All reports of the agency concerning implementation of the Privacy Act shall be submitted to the Defense Privacy Office, DA&M, which shall prescribe the contents and suspense for such reports.

(a) Submission to the Defense Privacy Office. The agency shall prepare statistics and other documentation for the preceding calendar year concerning those items prescribed for the annual report and any reports of the reviews required, and when directed, send them to the Defense Privacy Office, DA&M.

(b) Report Control Symbol. Unless otherwise directed, any report concerning implementation of the Privacy Program shall be assigned Report Control Symbol DD-DA&M(A)1379.

(c) Content of annual report. The Defense Privacy Office, DA&M, shall prescribe the content of the annual report but, at a minimum, the annual report shall contain the following:

(1) Name and address of reporting agency.

(2) Name and telephone number of agency official who can best answer questions about this report.

(3) Agency Privacy Act Officials.

(i) Senior Agency Official.

(ii) Privacy Act Officer.

(4) If your agency was involved in any litigation involving the Privacy Act.

(i) Provide a citation to the case and a brief description of the background, issues and results.

(ii) If the cases required your agency to change its practices, describe how.

(5) Systems of Records Inventory:

(i) Total number of systems of records as of December 31, 19XX.

(ii) Number of exempt systems.

(iii) Number of automated systems (either in whole or part).

(iv) Number of systems deleted.

(v) Number of systems added.

(vi) Number of routine uses added.

(vii) Number of routine uses deleted.

(viii) Number of existing systems to which an exemption(s) was added, and

(ix) Number of new systems to which an exemption(s) was added.

(6) If your agency received any public comments on any of its systems of other Privacy Act implementing activities, briefly describe:

(7) Access requests (first party requests which cited the Privacy Act):

(i) Number of requests.

(ii) Number granted in whole or in part.

(iii) Number denied in whole.

(iv) Number for which no record was found.

(8) Amendment requests (first party requests which cited the Privacy Act):

(i) Number of requests.

(ii) Number granted in whole or part.

(iii) Number denied in whole.

(9) Appeals of denial:

(i) Number of access denials appealed.

(ii) Number in which denial was upheld.

(iii) Number of amendment denials appealed.

(iv) Number in which denial was upheld.

(10) Suggestions:

(a) Types of exemptions. (1) There are two types of exemptions permitted by the Privacy Act:

(i) General exemptions that authorize the exemption of a system of records from all but specifically identified provisions of the Privacy Act, and

(ii) Specific exemptions that allow a system of records to be exempted from only a few designated provisions of the Privacy Act.

(2) Neither the Privacy Act nor this part permits exemption of a system of records from all provisions of the Privacy Act.

(b) Establishing exemptions. (1) Neither general nor specific exemptions are established automatically for a system of records. Only the Director of DCAA or his/her designee shall make a determination that the system is one for which an exemption may be established and then propose and establish an exemption rule for the system. No system of records within the agency shall be considered exempted until the Assistant Director, Resources, DCAA has approved the exemption and an exemption rule has been published as a final rule in the Federal Register for this part.

(2) Only the Assistant Director, Resources, or his or her designee, may establish an exemption for a system of records.

(3) No exemption may be established for a system of records until the system itself has been established by publishing a notice in the Federal Register describing the system.

(4) A system of records is exempt from only those provisions of the Privacy Act that are identified specifically in the agency exemption rule for the system.

(c) Provisions to which exemptions may be applied. After, or along with, establishing the system of records, the Assistant Director, Resources, may establish an exemption rule that shall exempt the system of records from any provision of the Privacy Act for which an exemption is allowed.

(d) Using exemptions. (1) Exemptions should be used only for the specific purposes stated in the exemption rules and only when in the best interest of the Government. Exemptions should be applied to only the specific portions of the records that require protection.

(2) An exemption should not be used to deny an individual access to information that he or she can obtain under the FOIA.

(e) Exempt records maintained in nonexempt systems. (1) An exemption rule applies to the system of records for which it was established. If a record from an exempted system is incorporated intentionally into a system that has not been exempted, the published notice and rules for the non-exempted system will apply to the record and it will not be exempt from any provisions of the Privacy Act.

(2) A record from one DoD component's exempted system that is temporarily in the possession of another DoD component remains subject to the published system notice and rules of the originating DoD component. However, if the non-originating DoD component incorporates the record into its own system of records, the published notice and rules for the system into which it is incorporated shall apply. If that system of records has not been exempted, the record shall not be exempt from any provisions of the Privacy Act.

(3) Care should be exercised that exempt records are not accidentally misfiled into a system of records that are not exempted

(a) Using general exemptions. (1) DCAA is not authorized to establish the exemption for records maintained by the Central Intelligence agency under subsection (j)(1) of the Privacy Act.

(2) The general exemption provided by subsection (j)(2) of the Privacy Act may be established to protect criminal law enforcement records maintained by the agency.

(3) To be eligible for the (j)(2) exemption, the system of records must be maintained by an element that performs, as one of its principal functions, the enforcement of criminal laws.

(4) Criminal law enforcement includes police efforts to detect, prevent, control, or reduce crime, or to apprehend criminals, and the activities of prosecution, court, correctional, probation, pardon, or parole authorities.

(5) Information that may be protected under the (j)(2) exemption includes:

(i) Information compiled for the purpose of identifying criminal offenders and alleged criminal offenders consisting of only identifying data and notations of arrests; the nature and disposition of criminal charges; and sentencing, confinement, release, parole, and probation status.

(ii) Information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual; and

(iii) Reports identifiable to an individual, compiled at any stage of the enforcement process, from arrest, apprehension, indictment, or preferral of charges through final release from the supervision that resulted from the commission of a crime.

(6) The (j)(2) exemption does not apply to:

(i) Investigative records maintained by an element having no criminal law enforcement activity as one of its principal functions, or

(ii) Investigative records compiled by any element concerning individuals’ suitability, eligibility, or qualification for duty, employment, or access to classified information, regardless of the principal functions of the DoD component that compiled them.

(7) The (j)(2) exemption established for a system of records maintained by a criminal law enforcement element cannot protect law enforcement records incorporated into a non-exempted system of records or any system of records maintained by an element not principally tasked with enforcing criminal laws. Agency system managers are prohibited to incorporate criminal law enforcement records into systems other than those maintained by criminal law enforcement elements.

(b) Access to records under a (j)(2) exemption. Requests for access to criminal law enforcement records maintained in a system for which a (j)(2) exemption has been established shall be processed as if also made under the FOIA.

(a) Using specific exemptions. Specific exemptions permit certain categories of records to be exempted from specific provisions of the Privacy Act. Subsections (k)(1-7) of the Privacy Act permits claiming exemptions for seven categories of records. To be eligible for a specific exemption, the record must meet the corresponding criteria.

(1) (k)(1) exemption: Information properly classified under DoD 5200.1-R 11 (32 CFR part 159) in the interest of national defense or foreign policy.

(2) (k)(2) exemption: Investigatory information compiled for law enforcement purposes. If maintaining the information causes an individual to be ineligible for or denied any right, benefit, or privilege that he or she would otherwise be eligible for or entitled to under Federal law, then he or she shall be given access to the information, except for the information that would identify a confidential source. The (k)(2) exemption, when established, allows limited protection of investigative records normally maintained in a (j)(2) exempt system for use in personnel and administrative actions.

(3) (k)(3) exemption: Records maintained in connection with providing protective services to the President of the United States and other individuals under 18 U.S.C. 3056.

(4) (k)(4) exemption: Records required by Federal law to be maintained and used solely as statistical records that are not used to make any determination about an identifiable individual, except as provided by 13 U.S.C. 8.

(5) (k)(5) exemption: Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information, but only to the extent such material would reveal the identity of a confidential source. This exemption allows protection of confidential sources in background investigations, employment inquiries, and similar inquiries used in personnel screening to determine suitability, eligibility, or qualifications.

(6) (k)(6) exemption: Testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal or military service if the disclosure would compromise the objectivity or fairness of the testing or examination process.

(7) (k)(7) exemption: Evaluation material used to determine potential for promotion in the military services, but only to the extent that disclosure would reveal the identity of a confidential source.

(b) Confidential source. (1) A “confidential source” is defined under the Privacy Act as a person or organization that has furnished information to the Federal Government under an express promise or, before September 27, 1975, under an implied promise that the identity of the person or organization would be held in confidence.

(2) Promises of confidentiality are to be given on a limited basis and only when essential to obtain the information sought. Appropriate procedures should be established for granting confidentiality and designate those categories of individuals authorized to make such promises.

(c) Access to records under specific exemptions. Requests for access to records maintained in systems of records for which specific exemptions have been established shall be processed as if also made under the FOIA.

(a) Exempt systems of records. The Director, DCAA has made a determination and claims an exemption for the following agency systems of records by publication of an appropriate exemption rule for the record system and therefore allowing the agency to invoke, at its discretion, the particular exemption permitted by the Privacy Act from certain subsections of the Privacy Act.

(b) Classified material. The Director, DCAA has made a determination that all systems of records maintained by the agency shall be exempt from 5 U.S.C. 552a(d) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(1) to the extent that the record system contains any information properly classified under Executive Order 12958 and required by the executive order to be withheld in the interest of national defense or foreign policy. This blanket exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain items of information that have been properly classified.

(c) General exemption rules. [Reserved]

(d) Specific exemption rules. [Reserved]

The Defense Finance and Accounting Service fully implements the policy and procedures of the Privacy Act and the DoD 5400.11-R 1 , ‘Department of Defense Privacy Program’ (see 32 CFR part 310). This regulation supplements the DoD Privacy Program only to establish policy for the Defense Finance and Accounting Service (DFAS) and provide DFAS unique procedures.

This regulation applies to all DFAS, Headquarters, DFAS Centers, the Financial System Organization (FSO), and other organizational components. It applies to contractor personnel who have entered a contractual agreement with DFAS. Prospective contractors will be advised of their responsibilities under the Privacy Act Program.

DFAS personnel will comply with the Privacy Act of 1974, the DoD Privacy Program and the DFAS Privacy Act Program. Strict adherence is required to ensure uniformity in the implementation of the DFAS Privacy Act Program and to create conditions that will foster public trust. Personal information maintained by DFAS organizational elements will be safeguarded. Information will be made available to the individual to whom it pertains to the maximum extent practicable. Specific DFAS policy is provided for Privacy Act training, responsibilities, reporting procedures and implementation requirements. DFAS Components will not define policy for the Privacy Act Program.

(a) Director, DFAS. (1) Ensures the DFAS Privacy Act Program is implemented at all DFAS locations.

(2) The Director, DFAS, will be the Final Denial Appellate Authority. This authority may be delegated to the Director for Resource Management.

(3) Appoints the Director for External Affairs and Administrative Support, or a designated replacement, as the DFAS Headquarters Privacy Act Officer.

(b) DFAS Headquarters General Counsel. (1) Ensures uniformity is maintained in legal rulings and interpretation of the Privacy Act.

(2) Consults with DoD General Counsel on final denials that are inconsistent with other final decisions within DoD. Responsible to raise new legal issues of potential significance to other Government agencies.

(3) Provides advice and assistance to the DFAS Director, Center Directors, and the FSO as required, in the discharge of their responsibilities pertaining to the Privacy Act.

(4) Acts as the DFAS focal point on Privacy Act litigation with the Department of Justice.

(5) Reviews Headquarters’ denials of initial requests and appeals.

(c) DFAS Center Directors. (1) Ensures that all DFAS Center personnel, all personnel at subordinate levels, and contractor personnel working with personal data comply with the DFAS Privacy Act Program.

(2) Serves as the DFAS Center Initial Denial Authority for requests made as a result of denying release of requested information at locations within DFAS Center authority. Initial denial authority may not be redelegated. Initial denial appeals will be forwarded to the appropriate DFAS Center marked to the attention of the DFAS Center Initial Denial Authority.

(d) Director, FSO. (1) Ensures that FSO and subordinate personnel and contractors working with personal data comply with the Privacy Act Program.

(2) Serves as the FSO Initial Denial Authority for requests made as a result of denying release of requested information at locations within FSO authority. FSO Initial denial authority may not be redelegated.

(3) Appoints a Privacy Act Officer for the FSO and each Financial System Activity (FSA).

(e) DFAS Headquarters Privacy Act Officer. (1) Establishes, issues and updates policy for the DFAS Privacy Act Program and monitors compliance. Serves as the DFAS single point of contact on all matters concerning Privacy Act policy. Resolves any conflicts resulting from implementation of the DFAS Privacy Act Program policy.

(2) Serves as the DFAS single point of contact with the Department of Defense Privacy Office. This duty may be delegated.

(3) Ensures that the collection, maintenance, use and/or dissemination of records of identifiable personal information is for a necessary and lawful purpose, that the information is current and accurate for the intended use and that adequate security safeguards are provided.

(4) Monitors system notices for agency systems of records. Ensures that new, amended, or altered notices are promptly prepared and published. Reviews all notices submitted by the DFAS Privacy Act Officers for correctness and submits same to the Department of Defense Privacy Office for publication in the Federal Register. Maintains and publishes a listing of DFAS Privacy Act system notices.

(5) Establishes DFAS Privacy Act reporting requirement due dates. Compiles all Agency reports and submits the completed annual report to the Defense Privacy Office. DFAS reporting requirements are provided in appendix A to this part.

(6) Conducts annual Privacy Act Program training for DFAS Headquarters (HQ) personnel. Ensures that subordinate DFAS Center and FSO Privacy Act Officers fulfill annual training requirements.

(f) FSO and Financial System Activities (FSAs) Legal Support. The FSO and subordinate FSA organizational elements will be supported by the appropriate DFAS-HQ or DFAS Center General Counsel office.

(g) DFAS Center(s) Assistant General Counsel. (1) Ensures uniformity is maintained in legal rulings and interpretation of the Privacy Act and this regulation. Consults with the DFAS-HQ General Counsel as required.

(2) Provides advice and assistance to the DFAS Center Director and the FSA in the discharge of his/her responsibilities pertaining to the Privacy Act.

(3) Coordinates on DFAS Center and the FSA denials of initial requests.

(h) DFAS Center Privacy Act Officer. (1) Implements and administers the DFAS Privacy Act Program for all personnel, to include contractor personnel, within the Center, Operating Locations (OpLocs) and Defense Accounting Offices (DAOs).

(2) Ensures that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information. Advises the Program Manager that systems notices must be published in the Federal Register prior to collecting or maintenance of the information. Submits system notices to the DFAS-HQ Privacy Act Officer for review and subsequent submission to the Department of Defense Privacy Office.

(3) Administratively controls and processes Privacy Act requests. Ensures that the provisions of this regulation and the DoD Privacy Act Program are followed in processing requests for records. Ensures all Privacy Act requests are promptly reviewed. Coordinates the reply with other organizational elements as required.

(4) Prepares denials and partial denials for the Center Director's signature and obtain required coordination with the assistant General Counsel. Responses will include written justification citing a specific exemption or exemptions.

(5) Prepares input for the annual Privacy Act Report as required using the guidelines provided in appendix A to this part.

(6) Conducts training on the DFAS Privacy Act Program for Center personnel.

(i) FSO Privacy Act Officer. (1) Implements and administers the DFAS Privacy Act Program for all personnel, to include contractor personnel, within the FSO.

(2) Ensures that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information. Advises the Program Manager that systems notices must be published in the Federal Register prior to collecting or maintenance of the information. Submits system notices to the DFAS-HQ Privacy Act Officer for review and subsequent submission to the Department of Defense Privacy Office.

(3) Administratively controls and processes Privacy Act requests. Ensures that the provisions of this regulation and the DoD Privacy Act Program are followed in processing requests for records. Ensure all Privacy Act requests are promptly reviewed. Coordinate the reply with other organizational elements as required.

(4) Prepares denials and partial denials for signature by the Director, FSO and obtains required coordination with the assistant General Counsel. Responses will include written justification citing a specific exemption or exemptions.

(5) Prepares input for the annual Privacy Act Report (RCS: DD DA&M(A)1379) as required using the guidelines provided in appendix A to this part.

(6) Conducts training on the DFAS Privacy Act Program for FSO personnel.

(j) DFAS employees. (1) Will not disclose any personal information contained in any system of records, except as authorized by this regulation.

(2) Will not maintain any official files which are retrieved by name or other personal identifier without first ensuring that a system notice has been published in the Federal Register.

(3) Reports any disclosures of personal information from a system of records or the maintenance of any system of records not authorized by this regulation to the appropriate Privacy Act Officer for action.

(k) DFAS system managers (SM). (1) Ensures adequate safeguards have been established and are enforced to prevent the misuse, unauthorized disclosure, alteration, or destruction of personal information contained in system records.

(2) Ensures that all personnel who have access to the system of records or are engaged in developing or supervising procedures for handling records are totally aware of their responsibilities to protect personal information established by the DFAS Privacy Act Program.

(3) Evaluates each new proposed system of records during the planning stage. The following factors should be considered:

(i) Relationship of data to be collected and retained to the purpose for which the system is maintained. All information must be relevant to the purpose.

(ii) The impact on the purpose or mission if categories of information are not collected. All data fields must be necessary to accomplish a lawful purpose or mission.

(iii) Whether informational needs can be met without using personal identifiers.

(iv) The disposition schedule for information.

(v) The method of disposal.

(vi) Cost of maintaining the information.

(4) Complies with the publication requirements of DoD 5400.11-R, ‘Department of Defense Privacy Program’ (see 32 CFR part 310). Submits final publication requirements to the appropriate DFAS Privacy Act Officer.

(l) DFAS program manager(s). Reviews system alterations or amendments to evaluate for relevancy and necessity. Reviews will be conducted annually and reports prepared outlining the results and corrective actions taken to resolve problems. Reports will be forwarded to the appropriate Privacy Act Officer.

(m) Federal government contractors. When a DFAS organizational element contracts to accomplish an agency function and performance of the contract requires the operation of a system of records or a portion thereof, DoD 5400.11-R, ‘Department of Defense Privacy Program’ (see 32 CFR part 310) and this part apply. For purposes of criminal penalties, the contractor and its employees shall be considered employees of DFAS during the performance of the contract.

(1) Contracting involving operation of systems of records. Consistent with Federal Acquisition Regulation (FAR) 2 and the DoD Supplement to the Federal Acquisition Regulation (DFAR) 3 , Part 224.1, contracts involving the operation of a system of records or portion thereof shall specifically identify the record system, the work to be performed and shall include in the solicitations and resulting contract such terms specifically prescribed by the FAR and DFAR.

(2) Contracting. For contracting subject to this part, the Agency shall:

(i) Informs prospective contractors of their responsibilities under the DFAS Privacy Act Program.

(ii) Establishes an internal system for reviewing contractor performance to ensure compliance with the DFAS Privacy Act Program.

(3) Exceptions. This rule does not apply to contractor records that are:

(i) Established and maintained solely to assist the contractor in making internal contractor management decisions, such as records maintained by the contractor for use in managing the contract.

(ii) Maintained as internal contractor employee records, even when used in conjunction with providing goods or services to the agency.

(4) Contracting procedures. The Defense Acquisition Regulatory Council is responsible for developing the specific policies and procedures for soliciting, awarding, and administering contracts.

(5) Disclosing records to contractors. Disclosing records to a contractor for use in performing a DFAS contract is considered a disclosure within DFAS. The contractor is considered the agent of DFAS when receiving and maintaining the records for the agency.

(a) The provisions of DoD 5400.11-R, ‘Department of Defense Privacy Program’ (see 32 CFR part 310) apply to all DFAS systems of records. DFAS Privacy Act Program Procedural Rules, DFAS Exemption Rules and System of Record Notices are the three types of documents relating to the Privacy Act Program that must be published in the Federal Register.

(b) A system of records used to retrieve records by a name or some other personal identifier of an individual must be under DFAS control for consideration under this regulation. DFAS will maintain only those Systems of Records that have been described through notices published in the Federal Register.

(1) First amendment guarantee. No records will be maintained that describe how individuals exercise their rights guaranteed by the First Amendment unless maintenance of the record is expressly authorized by Statute, the individual or for an authorized law enforcement purpose.

(2) Conflicts. In case of conflict, the provisions of DoD 5400.11-R take precedence over this supplement or any DFAS directive or procedure concerning the collection, maintenance, use or disclosure of information from individual records.

(3) Record system notices. Record system notices are published in the Federal Register as notices and are not subject to the rule making procedures. The public must be given 30 days to comment on any proposed routine uses prior to implementing the system of record.

(4) Amendments. Amendments to system notices are submitted in the same manner as the original notices.

DFAS procedural rules (regulations having a substantial and direct impact on the public) must be published in the Federal Register first as a proposed rule to allow for public comment and then as a final rule. Procedural rules will be submitted through the appropriate DFAS Privacy Act Officer to the Department of Defense Privacy Office. Appendix B to this part provides the correct format. Guidance may be obtained from the DFAS-HQ and DFAS Center Records Managers on the preparation of procedural rules for publication.

(a) Submitting proposed exemption rules. Each proposed exemption rule submitted for publication in the Federal Register must contain: The agency identification and name of the record system for which an exemption will be established; The subsection(s) of the Privacy Act which grants the agency authority to claim an exemption for the system; The particular subsection(s) of the Privacy Act from which the system will be exempt; and the reasons why an exemption from the particular subsection identified in the preceding subparagraph is being claimed. No exemption to all provisions of the Privacy Act for any System of records will be granted. Only the Director, DFAS may make a determination that an exemption should be established for a system of record.

(b) Submitting exemption rules for publication. Exemption rules must be published in the Federal Register first as proposed rules to allow for public comment, then as final rules. No system of records shall be exempt from any provision of the Privacy Act until the exemption rule has been published in the Federal Register as a final rule. The DFAS Privacy Act Officer will submit proposed exemption rules, in proper format, to the Defense Privacy Office, for review and submission to the Federal Register for publication. Amendments to exemption rules are submitted in the same manner as the original exemption rules.

(c) Exemption for classified records. Any record in a system of records maintained by the Defense Finance and Accounting Service which falls within the provisions of 5 U.S.C. 552a(k)(1) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), (e)(4)(G)-(e)(4)(I) and (f) to the extent that a record system contains any record properly classified under Executive Order 12589 and that the record is required to be kept classified in the interest of national defense or foreign policy. This specific exemption rule, claimed by the Defense Finance and Accounting Service under authority of 5 U.S.C. 552a(k)(1), is applicable to all systems of records maintained, including those individually designated for an exemption herein as well as those not otherwise specifically designated for an exemption, which may contain isolated items of properly classified information

(1) General exemptions. [Reserved]

(2) Specific exemptions. [Reserved]

The provisions of DoD 5400.11-R, ‘Department of Defense Privacy Program’ (see 32 CFR part 310) apply to all DFAS personnel about whom records are maintained in systems of records. All information that can be released consistent with applicable laws and regulations should be made available to the subject of record.

All DFAS Privacy Act Officers shall establish procedures for notifying an individual, in response to a request, if the system of records contains a record pertaining to him/her.

Individuals shall address requests for access to records to the appropriate Privacy Act Officer by mail or in person. Requests for access should be acknowledged within 10 working days after receipt and provided access within 30 working days. Every effort will be made to provide access rapidly; however, records cannot usually be made available for review on the day of request. Requests must provide information needed to locate and identify the record, such as individual identifiers required by a particular system, to include the requester's full name and social security number.

Only a designated denial authority may deny access. The denial must be in writing.

(a) The individual should be granted access to the original record (or exact copy) without any changes or deletions. A record that has been amended is considered the original.

(b) The DFAS component that maintains control of the records will provide an area where the records can be reviewed. The hours for review will be set by each DFAS location.

(c) The custodian will require presentation of identification prior to providing access to records. Acceptable identification forms include military or government civilian identification cards, driver's license, or other similar photo identification documents.

(d) Individuals may be accompanied by a person of their own choosing when reviewing the record; however, the custodian will not discuss the record in the presence of the third person without written authorization.

(e) On request, copies of the record will be provided at a cost of $.15 per page. Fees will not be assessed if the cost is less that $30.00. Individuals requesting copies of their official personnel records are entitled to one free copy and then a charge will be assessed for additional copies.

Individual access to medical and psychological records should be provided, even if the individual is a minor, unless it is determined that access could have an adverse effect on the mental or physical health of the individual. In this instance, the individual will be asked to provide the name of a personal physician, and the record will be provided to that physician in accordance with guidance in Department of Defense 5400.11-R, ‘Department of Defense Privacy Program’ (see 32 CFR part 310).

Access requests that specifically state or reasonably imply that they are made under FOIA, are processed pursuant to the DFAS Freedom of Information Act Regulation. Access requests that specifically state or reasonably imply that they are made under the PA are processed pursuant to this regulation. Access requests that cite both the FOIA and the PA are processed under the Act that provides the greater degree of access. Individual access should not be denied to records otherwise releasable under the PA or the FOIA solely because the request does not cite the appropriate statute. The requester should be informed which Act was used in granting or denying access.