(a) Purpose. This part provides policies and procedures for the DoD implementation of the Freedom of Information Act, as amended (5 U.S.C. 552), and DoD Directive 5400.7 1 , and promotes uniformity in the DoD Freedom of Information Act (FOIA) Program.

(b) Applicability. This part applies to the Office of the Secretary of Defense (OSD), the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Command, the Inspector General of the Department of Defense (IG DoD), the Defense Agencies, and the DoD Field Activities (hereafter referred to collectively as “the DoD components”). This part takes precedence over all DoD Component publications that supplement and implement the DoD FOIA Program. A list of DoD Components is at appendix F.

(a) Public information. (1) The public has a right to information concerning the activities of its Government. DoD policy is to conduct its activities in an open manner and provide the public with a maximum amount of accurate and timely information concerning its activities, consistent always with the legitimate public and private interests of the American people. A record requested by a member of the public who follows rules established by proper authority in the Department of Defense shall not be withheld in whole or in part unless the record is exempt from mandatory partial or total disclosure under the FOIA. As a matter of policy, DoD Components shall make discretionary disclosures of exempt records or information whenever disclosure would not foreseeably harm an interest protected by a FOIA exemption, but this policy does not create any right enforceable in court. In order that the public may have timely information concerning DoD activities, records requested through public information channels by news media representatives that would not be withheld if requested under the FOIA should be released upon request. Prompt responses to requests for information from news media representatives should be encouraged to eliminate the need for these requesters to invoke the provisions of the FOIA and thereby assist in providing timely information to the public. Similarly, requests from other members of the public for information that would not be withheld under the FOIA should continue to be honored through appropriate means without requiring the requester to involve the FOIA.

(2) Within the OSD, the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, as Chief Information Officer, in conjunction with the Assistant Secretary of Defense for Public Affairs, is responsible for ensuring preparation of reference material or a guide for requesting records or information from the Department of Defense, subject to the nine exemptions of the FOIA. This publication shall also include an index of all major information systems, and a description of major information and record locator systems, as defined by the Office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence. DoD FOIA Components shall coordinate with the appropriate office(s) to insure that this is also accomplished within their department or organization.

(3) DoD Components shall also prepare, in addition to normal FOIA regulations, a handbook for the use of the public in obtaining information from their organization. This handbook should be a short, simple explanation to the public of what the FOIA is designed to do, and how a member of the public can use it to access government records. Each DoD Component should explain the types of records that can be obtained through FOIA requests, why some records cannot, by law, be made available, and how the DoD Component determines whether the record can be released. The handbook should also explain how to make a FOIA request, how long the requester can expect to wait for a reply, and explain the right of appeal. The handbook should supplement other information locator systems, such as the Government Information Locator Service (GILS), and explain how a requester can obtain more information about those systems. The handbook should be available on paper and through electronic means and contain the following additional information, complete with electronic links to the below elements; the location of reading room(s) within the Component and the types and categories of information available, the location of Component's World Wide Web page, a reference to the component's FOIA regulation and how to obtain a copy, a reference to the Component's FOIA annual report and how to obtain a copy and the location of the Component's GILS page. Also, the DoD Components’ Freedom of Information Act Annual Reports should refer to the handbook and how to obtain it.

(b) Control system. A request for records that invokes the FOIA shall enter a formal control system designed to ensure accountability and compliance with the FOIA. Any request for DoD records that either explicitly or implicitly cites the FOIA shall be processed under the provisions of this part, unless otherwise required by § 286.4(m).

As used in this part, the following terms and meanings shall be applicable:

Administrative appeal. A request by a member of the general public, made under the FOIA, asking the appellate authority of a DOD Component to reverse a decision: to withhold all or part of a requested record; to deny a fee category claim by a requester, to deny a request for waiver or reduction of fees; to deny a request to review an initial fee estimate; to deny a request for expedited processing due to demonstrated compelling need under § 286.4(d)(3) of this part; to confirm that no records were located during the initial search. Requesters also may appeal the failure to receive a response determination within the statutory time limits, and any determination that the requester believes is adverse in nature.

Agency record. (1) The products of data compilation, such as all books, papers, maps, and photographs, machine readable materials, inclusive of those in electronic form or format, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law in connection with the transaction of public business and in Department of Defense possession and control at the time the FOIA request is made. Care should be taken not to exclude records from being considered agency records, unless they fall within one of the categories in paragraph (2) of this definition.

(2) The following age not included within the definition of the word “record”.

(i) Objects or articles, such as structures, furniture, vehicles and equipment, whatever their historical value, or value as evidence.

(ii) Anything that is not a tangible or documentary record, such as an individual's memory or oral communication.

(iii) Personal records of an individual not subject to agency creation or retention requirements, created and maintained primarily for the convenience of an agency employee, and not distributed to other agency employees for their official use. Personal papers fall into three categories: those created before entering Government service; private materials brought into, created, or received in the office that were not created or received in the course of transacting Government business; and work-related personal papers that are not used in the transaction of Government business (see “Personal Papers of Executive Branch Officials: A Management Guide” 2 ).

(3) A record must exist and be in the possession and control of the Department of Defense at the time of the request to be considered subject to this part and the FOIA. There is no obligation to create, compile, or obtain a record to satisfy a FOIA request. See § 286.4(g)(2) on creating a record in the electronic environment.

(4) Hard copy or electronic records, that are subject to FOIA requests under 5 U.S.C. 552(a)(3), and that are available to the public through an established distribution system, or through the Federal Register, the National Technical Information Service, or the Internet, normally need not be processed under the provisions of the FOIA. If a request is received for such information, DoD Components shall provide that requester with guidance inclusive of any written notice to the public, on how to obtain the information. However, if the requester insists that the request be processed under the FOIA, then the request shall be processed under the FOIA. If there is any doubt as to whether the request must be processed, contact the Directorate for Freedom of Information and Security Review.

Appellate authority. The Head of the DoD Component or the Component head's designee having jurisdiction for this purpose over the record, or any of the other adverse determinations outlined in definitions “Initial denial authority (IDA)” and “Administrative appeal”.

DoD Component. An element of the Department of Defense, as defined in § 286.1(b), authorized to receive and act independently on FOIA requests. (See appendix F of this part.) A DoD Component has its own initial denial authority (IDA), appellate authority, and legal counsel.

Electronic record. Records (including e-mail) that are created, stored, and retrievable by electronic means.

Federal agency. As defined by 5 U.S.C. 552(f)(1), a Federal agency is any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency.

FOIA request. A written request for DoD records that reasonably describes the record(s) sought, made by any person, including a member of the public (U.S. or foreign citizen/entity), an organization, or a business, but not including a Federal Agency or a fugitive from the law, that either explicitly or implicitly invokes the FOIA, DoD Directive 5400.7, this part, or DoD Component supplementing regulations or instructions. Requesters should also indicate a willingess to pay fees associated with the processing of their request or, in the alternative, why a waiver of fees may be appropriate. Written requests may be received by postal service or other commercial delivery means, by fascimile, or electronically. Requests received by fascimile or electronically must have a postal mailing address included since it may be practical to provide a substantive response electrically. The request is considered properly received, or perfected, when the above conditions have been met and the request arrives at the FOIA office of the Component in possession of the records.

Initial denial authority (IDA). An official who has been granted authority by the head of DoD component to withhold records requested under the FOIA for one or more of the nine categories of records exempt from mandatory disclosure. IDA's may also deny a fee category claim by a requester; deny a request for expedited processing due to demonstrated compelling need under § 286.4(d)(3) of this part; deny a request for a waiver or reduction of fees; review a fee estimate; and confirm that no records were located in response to a request.

Public interest. The interest in obtaining official information that sheds light on an agency's performance of its statutory duties because the information falls within the statutory purpose of the FOIA to inform citizens about what their Government is doing. That statutory purpose, however, is not fostered by disclosure of information about private citizens accumulated in various governmental files that reveals nothing about an agency's or officials own conduct.

(a) Compliance with the FOIA. DoD personnel are expected to comply with the FOIA, this part, and DoD FOIA policy in both better and spirit. This strict adherence is necessary to provide uniformity in the implementation of the DoD FOIA Program and to create conditions that will promote public trust.

(b) Openiness with the public. The Department of Defense shall conduct its activities in an open manner consistent with the need for security and aherence to other requirements of law and regulation. Records not exempt from disclosure under the Act shall, upon request, be made readily accessible to the public in accordance with rules promulgated by competent authority, whether or not the Act is invoked.

(c) Avoidance of procedural obstacles. DoD Components shall ensure that procedural matters do not unnecessarily impede a requester from obtaining DoD records promptly. Components shall provide assistance to requesters to help them understand and comply with procedures established by this part and any supplemental regulations published by the DoD Components.

(d) Prompt action on requests. (1) Generally, when a member of the public complies with the procedures established in this part and DoD Component regulations or instructions for obtaining DoD records, and after the request is received by the official designated to respond, DoD Components shall endeavor to provide a final response determination within the statutory 20 working days. If a significant number of requests, or the complexity of the requests prevent a final response determination within the statutory time period, DoD Components shall advise the requester of this fact, and explain how the request will be responded to within its multitrack processing system (see § 286.4(d)(2)). A final response determination is notification to the requester that the records are released, or will be released on a certain date, or the records are denied under the appropriate FOIA exemption, or the records cannot be provided for one or more of the other reasons in § 286.23(b). Interim responses acknowledging receipt of the request, negotiations with the requester concerning the scope of the request, the response timeframe, and fee agreements are encouraged; however, such actions do not constitute a final response determination pursuant to the FOIA. If a request fails to meet minimum requirements as set forth in § 286.3, definition “FOIA request”, Components shall inform the requester how to perfect or correct the request. The statutory 20 working day time limit applies upon receipt of a perfected or correct FOIA request which complies with the requirements outlined in § 286.3, definition “FOIA request”.

(2) Multitrack processing. When a Component has a significant number of pending requests that prevents a response determination being made within 20 working days, the requests shall be processed in a multitrack processing system, based on the date of receipt, the amount of work and time involved in processing the requests, and whether the request qualifies for expedited processing as described in paragraph (d)(3) of this section. DoD Components may establish as many processing queues as they wish; however, as a minimum, three processing tracks shall be established, all based on a first-in, first-out concept, and rank ordered by the date of receipt of the request. One track shall be a processing queue for simple requests, one track for complex requests, and one track shall be a processing queue for expedited processing as described in paragraph (d)(3) of this section. Determinations as to whether a request is simple or complex shall be made by each DoD Component. DoD Components shall provide a requester whose request does not qualify for the fastest queue (except for expedited processing as described in paragraph (d)(3) of this section), an opportunity to limit in writing hard copy, facsimile, or electronically, the scope of the request in order to qualify for the fastest queue. This multitrack processing system does not obviate components’ responsibility to exercise due diligence in processing requests in the most expeditious manner possible.

(3) Expedited processing. A separate queue shall be established for requests meeting the test for expedited processing. Expedited processing shall be granted to a requester after the requester requests such and demonstrates a compelling need for the information. Notice of the determination as to whether to grant expedited processing in response to a requester's compelling need shall be provided to the requester within 10 calendar days after receipt of the request in the DoD Component's office that will determine whether to grant expedited processing. Once the DoD Component has determined to grant expedited processing, the request shall be processed as soon as practicable. Actions by DoD Components to initially deny or affirm the initial denial on appeal of a request for expedited processing, and failure to respond in a timely manner shall be subject to judicial review.

(i) Compelling need means that the failure to obtain the records on an expedited basis could reasonably be expected to pose an imminent threat to the life or physical safety of an individual.

(ii) Compelling need also means that the information is urgently needed by an individual primarily engaged in disseminating information in order to inform the public concerning actual or alleged Federal Government activity. An individual primarily engaged in disseminating information means a person whose primary activity involves publishing or otherwise disseminating information to the public. Representatives of the news media (see § 286.28(e)) would normally qualify as individuals primarily engaged in disseminating information. Other persons must demonstrate that their primary activity involves publishing or otherwise disseminating information to the public.

(A) Urgently needed means that the information has a particular value that will be lost if not disseminated quickly. Ordinarily this means a breaking news story of general public interest. However, information of historical interest only, or information sought for litigation or commercial activities would not qualify, nor would a news media publication or broadcast deadline unrelated to the news breaking nature of the information.

(B) [Reserved]

(iii) A demonstration of compelling need by a requester shall be made by a statement certified by the requester to be true and correct to the best of their knowledge. This statement must accompany the request in order to be considered and responded to within the 10 calendar days required for decisions on expedited access.

(iv) Other reasons for expedited processing. Other reasons that merit expedited processing by DoD Components are an imminent loss of substantial due process rights and humanitarian need. A demonstration of imminent loss of substantial due process rights shall be made by a statement certified by the requester to be true and correct to the best of his or her knowledge. Humanitarian need means that disclosing the information will promote the welfare and interest of mankind. A demonstration of humanitarian need shall be also made by a statement certified by the requester to be true and correct to the best of his or her knowledge. Both statements mentioned above must accompany the request in order to be considered and responded to within the 10 calendar days required for decisions on expedited access. Once the decision has been made to expedite the request for either of these reasons, the request may be processed in the expedited processing queue behind those requests qualifying for compelling need.

(v) These same procedures also apply to requests for expedited processing of administrative appeals.

(e) Use of exemptions. It is DoD policy to make records publicly available, unless the record qualifies for exemption under one or more of the nine exemptions. It is DoD policy that DoD Components shall make discretionary releases whenever possible; however, a discretionary release is normally not appropriate for records clearly exempt under exemptions 1, 3, 4, 6, 7(C) and 7(F) (see subpart C of this part). Exemptions 2, 5, and 7(A)(B)(D) and (E) (see subpart C of this part) are discretionary in nature, and DoD Components are encouraged to exercise discretionary releases whenever possible. Exemptions 4, 6 and 7(C) cannot be claimed when the requester is the submitter of the information.

(f) Public domain. Nonexempt records released under the authority of this part are considered to be in the public domain. Such records may also be made available in Components’ reading rooms in paper form, as well as electronically, to facilitate public access. Discretionary releases to FOIA requesters constitute a waiver of the FOIA exemption that may otherwise apply. Disclosure to a properly constituted advisory committee, to Congress, or to other Federal Agencies does not waive the exemption. (See § 286.22(d).) Exempt records disclosed without authorization by the appropriate DoD official do not lose their exempt status. Also, while authority may exist to disclose records to individuals in their official capacity, the provisions of this Part apply if the same individual seeks the records in a private or personal capacity.

(g) Creating a record. (1) A record must exist and be in the possession and control of the Department of Defense at the time of the search to be considered subject to this part and the FOIA. There is no obligation to create, compile, or obtain a record to satisfy a FOIA request. A DoD Component, however, may compile a new record when so doing would result in a more useful response to the requester, or be less burdensome to the agency than providing existing records, and the requester does not object. Cost of creating or compiling such a record may not be charged to the requester unless the fee for creating the record is equal to or less than the fee which would be charged for providing the existing record. Fee assessments shall be in accordance with subpart F of this part.

(2) About electronic data, the issue of whether records are actually created or merely extracted from an existing database is not always readily apparent. Consequently, when responding to FOIA requests for electronic data where creation of a record, programming, or particular format are questionable, Components should apply a standard of reasonableness. In other words, if the capability exists to respond to the request, and the effort would be a business as usual approach, then the request should be processed. However, the request need not be processed where the capability to respond does not exist without a significant expenditure of resources, thus not being a normal business as usual approach. As used in this sense, a significant expenditure of resources in both time and manpower, that would cause a significant interference with the operation of the Component's automated information system would not be a business as usual approach.

(h) Description of requested record. (1) Identification of the record desired is the responsibility of the requester. The requester must provide a description of the desired record, that enables the Government to locate the record with a reasonable amount of effort. In order to assist DoD Components in conducting more timely searches, requesters should endeavor to provide as much identifying information as possible. When a DoD Component receives a request that does not reasonably describe the requested record, it shall notify the requester of the defect in writing. The requester should be asked to provide the type of information outlined in paragraph (h)(2) of this section. DoD Components are not obligated to act on the request until the requester responds to the specificity letter. When practicable, DoD Components shall offer assistance to the requester in identifying the records sought and in reformulating the request to reduce the burden on the agency in complying with the Act.

(2) The following guidelines are provided to deal with generalized requests and are based on the principle of reasonable effort (Descriptive information about a record may be divided into two broad categories.):

(i) Category I is file-related and includes information such as type of record (for example, memorandum), title, index citation, subject area, date the record was created, and originator.

(ii) Category II is event-related and includes the circumstances that resulted in the record being created or the date and circumstances surrounding the event the record covers.

(3) Generally, a record is not reasonably described unless the description contains sufficient Category I information to permit the conduct of an organized, non-random search based on the DoD Component's filing arrangements and existing retrieval systems, or unless the record contains sufficient Category II information to permit inference of the Category I elements needed to conduct such a search.

(4) The following guidelines deal with requests for personal records: Ordinarily, when personal identifiers are provided only in connection with a request for records concerning the requester, only records in a Privacy Act System of records that can be retrieved by personal identifiers need be searched. However, if a DoD Component has reason to believe that records on the requester may exist in a record system other than a Privacy Act system, the DoD Component shall search that system under the provisions of the FOIA. In either case, DoD Components may request a reasonable description of the records desired before searching for such records under the provisions of the FOIA and the Privacy Act. If the record is required to be released under the FOIA, the Privacy Act does not bar its disclosure. See paragraph (m) of this section for the relationship between the FOIA and the Privacy Act.

(5) The previous guidelines notwithstanding, the decision of the DoD Component concerning reasonableness of description must be based on knowledge of its files. If the description enables DoD Component personnel to locate the record with reasonable effort, the description is adequate. The fact that a FOIA request is broad or burdensome in its magnitude does not, in and of itself, entitle a DoD Component to deny the request on the ground that it does not reasonably describe the records sought. The key factor is the ability of the DoD Component's staff to reasonably ascertain and locate which records are being requested.

(i) Referrals. (1) The DoD FOIA referral policy is based upon the concept of the originator of a record making a release determination on its information. If a DoD Component receives a request for records originated by another DoD Component, it should contact the DoD Component to determine if it also received the request, and if not, obtain concurrence from the other DoD Component to refer the request. In either situation, the requester shall be advised of the action taken, unless exempt information would be revealed. While referrals to originators of information result in obtaining the best possible decision on release of the information, the policy does not relieve DoD Components from the responsibility of making a release decision on a record should the requester object to referral of the request and the record. Should this situation occur, DoD Components should coordinate with the originator of the information prior to making a release determination. A request received by a DoD Component having no records responsive to a request shall be referred routinely to another DoD Component, if the other DoD Component has reason to believe it has the requested record. Prior to notifying a requester of a referral to another DoD Component, the DoD Component receiving the initial request shall consult with the other DoD Component to determine if that DoD Component's association with the material is exempt. If the association is exempt, the DoD Component receiving the initial request will protect the association and any exempt information without revealing the identity of the protected DoD Component. The protected DoD Component shall be responsible for submitting the justifications required in any litigation. Any DoD Component receiving a request that has been misaddressed shall refer the request to the proper address and advise the requester. DoD Components making referrals of requests or records shall include with the referral, a point of contact by name, a telephone number, and an e-mail address.

(2) A DoD Component shall refer for response directly to the requester, a FOIA request for a record that it holds to another DoD Component or agency outside the DoD, if the record originated in the other DoD Component or outside agency. Whenever a record or a portion of a record is referred to another DoD Component or to a Government Agency outside of the DoD for a release determination and direct response, the requester shall be informed of the referral, unless it has been determined that notification would reveal exempt information. Referred records shall only be identified to the extent consistent with security requirements.

(3) A DoD Component may refer a request for a record that it originated to another DoD Component or agency when the other DoD Component or agency has a valid interest in the record, or the record was created for the use of the other DoD Component or agency. In such situations, provide the record and a release recommendation on the record with the referral action. Ensure you include a point of contact with the telephone number. An example of such a situation is a request for audit reports prepared by the Defense Contract Audit Agency. These advisory reports are prepared for the use of contracting officers and their release to the audited contractor shall be at the discretion of the contracting officer. A FOIA request shall be referred to the appropriate DoD Component and the requester shall be notified of the referral, unless exempt information would be revealed. Another example is a record originated by a DoD Component or agency that involves foreign relations, and could affect a DoD Component or organization in a host foreign country. Such a request and any responsive records may be referred to the affected DoD Component or organization for consultation prior to a final release determination within the Department of Defense. See also § 286.22(e) of this part.

(4) Within the Department of Defense, a DoD Component shall ordinarily refer a FOIA request and a copy of the records it holds, but that was originated by other DoD Component or that contains substantial information obtained from another DoD Component, to that Component for direct response, after direct coordination and obtaining concurrence from the Component. The requester then shall be notified by such referral. DoD Components shall not, in any case, release or deny such records without prior consultation with the other DoD Component, except as provided in § 286.22(e) of this part.

(5) DoD Components that receive referred requests shall answer them in accordance with the time limits established by the FOIA, this part, and their multitrack processing queues, based upon the date of initial receipt of the request at the referring component or agency.

(6) Agencies outside the Department of Defense that are subject to the FOIA.

(i) A DoD Component may refer a FOIA request for any record that originated in an agency outside the Department of Defense or that is based on information obtained from an outside agency to the agency for direct response to the requester after coordination with the outside agency, if that agency is subject to FOIA. Otherwise, the DoD Component must respond to the request.

(ii) A DoD Component shall refer to the agency that provided the record any FOIA request for investigative, intelligence, or any other type of records that are on loan to the Department of Defense for a specific purpose, if the records are restricted from further release and so marked, However, if for investigative or intelligence purposes, the outside agency desires anonymity, a DoD Component may only respond directly to the requester after coordination with the outside agency.

(7) DoD Components that receive requests for records of the National Security Council (NSC), the White House, or the White House Military Office (WHMO) shall process the requests. DoD records in which the NSC or White House has a concurrent reviewing interest, and NSC, White House, or WHMO records discovered in DoD Components’ files shall be forwarded to the Directorate for Freedom of Information and Security Review (DFOISR). The DFOISR shall coordinate with the NSC, White House, or WHMO and return the records to the originating agency after coordination.

(8) To the extent referrals are consistent with the policies expressed by this section, referrals between offices of the same DoD Component are authorized.

(9) On occasion, the Department of Defense receives FOIA requests for General Accounting Office (GAO) records containing DoD information. Even though the GAO is outside the executive Branch, and not subject to the FOIA, all FOIA requests for GAO documents containing DoD information received either from the public, or on referral from the GAO, shall be processed under the provisions of the FOIA.

(j) Authentication. Records provided under this part shall be authenticated with an appropriate seal, whenever necessary, to fulfill an official government or other legal function. This service, however, is in addition to that required under the FOIA and is not included in the FOIA fee schedule. DoD Components may charge for the service at a rate of $5.20 for each authentication.

(k) Combatant Commands. (1) The Combatant Commands are placed under the jurisdiction of the OSD, instead of the administering Military Department or the Chairman of the Joint Chiefs of Staff, only for the purpose of administering the DoD FOIA Program. This policy represents an exception to the policies directed in DoD Directive 5100.3; 3 it authorizes and requires the Combatant Commands to process FOIA requests in accordance with DoD Directive 5400.7 and this part. The Combatant Commands shall forward directly to the Director, Freedom of Information and Security Review all correspondence associated with the appeal of an initial denial for records under the provisions of the FOIA. Procedures to effect this administrative requirement are outlined in appendix A of this part.

(2) Combatant Commands shall maintain an electronic reading room for FOIA-processed 5 U.S.C. 552(a)(2)(D) records in accordance with subpart B of this part. Records qualifying for this means of public access also shall be maintained in hard copy for public access at Combatant Commands’ respective locations.

(l) Records management. FOIA records shall be maintained and disposed of in accordance with the National Archives and Records Administration General Records Schedule, and DoD Component records schedules.

(m) Relationship between the FOIA and the Privacy Act (PA). Not all requesters are knowledgeable of the appropriate statutory authority to cite when requesting records, nor are all of them aware of appeal procedures. In some instances, they may cite neither Act, but will imply one or both Acts. For these reasons, the following guidelines are provided to ensure that requesters receive the greatest amount of access rights under both Acts. See also § 286.24 regarding appeal rights.

(1) If the record is required to be released under the FOIA, the Privacy Act does not bar its disclosure. Unlike the FOIA, the Privacy Act applies only to U.S. citizens and aliens admitted for permanent residence.

(2) Requesters who seek records about themselves contained in a Privacy Act system of records and who cite or imply only the Privacy Act, will have their requests processed under the provisions of both the Privacy Act and the FOIA. If the Privacy Act system of records is exempt from the provisions of 5 U.S.C. 552a(d)(1) and if the records, or any portion thereof, are exempt under the FOIA, the requester shall be so advised with the appropriate Privacy Act and FOIA exemption. Appeals shall be processed under both Acts.

(3) Requesters who seek records about themselves that are not contained in a Privacy Act system of records and who cite or imply the Privacy Act will have their requests processed under the provisions of the FOIA, since the Privacy Act does not apply to these records. Appeals shall be processed under the FOIA.

(4) Requesters who seek records about themselves that are contained in a Privacy Act system of records and who cite or imply the FOIA or both Acts will have their requests processed under the provisions of both the Privacy Act and the FOIA. If the Privacy Act system of records is exempt from the provisions of 5 U.S.C. 552a(d)(1) and if the records or any portion thereof, are exempt under the FOIA, the requester shall be so advised with the appropriate Privacy Act and FOIA exemption. Appeals shall be processed under both Acts.

(5) Requesters who seek access to agency records that are not part of a Privacy Act system of records, and who cite or imply the Privacy Act and FOIA, will have their requests processed under the FOIA since the Privacy Act does not apply to these records. Appeals shall be processed under the FOIA.

(6) Requesters who seek access to agency records and who cite or imply the FOIA will have their requests an appeals processed under the FOIA.

(7) Requesters shall be advised in the final response letter which Act(s) was (were) used, inclusive of appeal rights as outlined in paragraphs (m)(1) through (m)(6) of this section.

(n) Non-responsive information in responsive records. DoD Components shall interpret FOIA requests liberally when determining which records are responsive to the requests, and may release non-responsive information. However, should DoD Components desire to withhold non-responsive information, the following steps shall be accomplished:

(1) Consult with the requester, and ask if the requester views the information as responsive, and if not, seek the requester's concurrence to deletion of non-responsive information without a FOIA exemption. Reflect this concurrence in the response letter.

(2) If the responsive record is unclassified, and the requester does not agree to deletion of non-responsive information without a FOIA exemption, release all non-responsive and responsive information which is not exempt. For non-responsive information that is exempt, notify the requester that even if the information were determined responsive, it would likely be exempt under (state appropriate exemption(s)). Advise the requester of the right to request this information under a separate FOIA request. The separate request shall be placed in the same location within the processing queue as the original request.

(3) If the responsive record is classified, and the requester does not agree to deletion of non-responsive information without a FOIA exemption, release all unclassified responsive and non-responsive information which is not exempt. If the non-responsive information is exempt, follow the procedures in paragraph (n)(2) of this section. The classified, non-responsive information need not be reviewed for declassification at this point. Advise the requester that even if the classified information were determined responsive, it would likely be exempt under 5 U.S.C. 552(b)(1), and other exemptions if appropriate. Advise the requester of the right to request this information under a separate FOIA request. The separate request shall be placed in the same location within the processing queue as the original request.

(o) Honoring form or format requests. DoD Components shall provide the record in any form or format requested by the requester if the record is readily reproducible in that form or format. DoD Components shall make reasonable efforts to maintain their records in forms or formats that are reproducible. In responding to requests for records, DoD Components shall make reasonable efforts to search for records in electronic form or format, except when such efforts would significantly interfere with the operation of the DoD Components’ automated information system. Such determinations shall be made on a case by case basis. See also paragraph (g)(2) of this section.

(a) Reading room. Each DoD Component shall provide an appropriate facility or facilities where the public may inspect and copy or have copied the records described in paragraph (b) of this section and § 286.8(a). In addition to the records described in paragraph (b) of this section and § 286.8(a), DoD Components may elect to place other records in their reading room, and also make them electronically available to the public. DoD Components may share reading room facilities if the public is not unduly inconvenienced, and also may establish decentralized reading rooms. When appropriate, the cost of copying may be imposed on the person requesting the material in accordance with the provisions of subpart F of this part.

(b) Record availability. The FOIA requires that records described in 5 U.S.C. 552(a)(2) (A), (B), (C), and (D) created on or after November 1, 1996, shall be made available electronically by November 1, 1997, as well as in hard copy in the FOIA reading room for inspection and copying, unless such records are published and copies are offered for sale. Personal privacy information, that if disclosed to a third party requester, would result in an invasion of the first party's personal privacy, and contractor submitted information, that if disclosed to a competing contractor, would result in competitive harm to the submitting contractor shall be deleted from all 5 U.S.C. 552(A)(2) records made available to the general public. In every case, justification for the deletion must be fully explained in writing, and the extent of such deletion shall be indicated on the record which is made publicly available, unless such indication would harm an interest protected by an exemption under which the deletion was made. If technically feasible, the extent of the deletion in electronic records or any other form of record shall be indicated at the place in the record where the deletion was made. However, a DoD Component may publish in the Federal Register a description of the basis upon which it will delete identifying details of particular types of records to avoid clearly unwarranted invasions of privacy, or competitive harm to business submitters. In appropriate cases, the DoD Component may refer to this description rather than write a separate justification for each deletion. 5 U.S.C. 552(a)(2) (A), (B), (C) and (D) records are:

(1) (a)(2)(A) records. Final opinions, including concurring and dissenting opinions, and orders made in the adjudication of cases, as defined in 5 U.S.C. 551, that may be cited, used, or relied upon as precedents in future adjudications.

(2) (a)(2)(B) records. Statements of policy and interpretations that have been adopted by the agency and are not published in the Federal Register.

(3) (a)(2)(C) records. Administrative staff manuals and instructions, or portions therefo, that establish DoD policy or interpretations of policy that affect a member of the public. This provision does not apply to instructions for employees on tactics and techniques to be used in performing their duties, or to instructions relating only to the internal management of the DoD Component. Examples of manuals and instructions not normally made available are:

(i) Those issued for audit, investigation, and inspection purposes, or those that prescribe operational tactics, standards of performance, or criterial for defense, prosecution, or settlement of cases.

(ii) Operations and maintenance manuals and technical information concerning munitions, equipment, systems, and intelligence activities.

(4) (a)(2)(D) records. Those 5 U.S.C. 552(a)(3) records, which because of the nature of the subject matter, have become or are likely to become the subject of subsequent requests for substantially the same records. These records are referred to as FOIA-processed (a)(2) records.

(i) DoD Components shall decide on a case by case basis whether records fall into this category, based on the following factors:

(A) Previous experience of the DoD Component with simular records.

(B) Particular circumstances of the records involved, including their nature and the type of information contained in them.

(C) The identify and number of requesters and whether there is widespread press, historic, or commercial interest in the records.

(ii) This provision is intended for situations where public access in a timely manner is important, and it is not intended to apply where there may be a limited number of requests over a short period of time from a few requesters. DoD Components may remove the records from this access medium when the appropriate officials determine that access is no longer necessary.

(iii) Should a requester submit a FOIA request for FOIA-processed (a)(2) records, and insist that the request be processed, DoD Components shall process the FOIA request. However, DoD Components have no obligation to process a FOIA request for 5 U.S.C. 552(a)(2) (A), (B), and (C) records because these records are required to be made public and not FOIA-processed under paragraph (a)(3) of the FOIA.

(a) “(a)(2)” materials. (1) Each DoD Component shall maintain in each facility prescribed in § 286.7(a), an index of materials described in § 286.7(b) that are issued, adopted, or promulgated, after July 4, 1967. No “(a) (2)” materials issued, promulgated, or adopted after July 4, 1967, that are not indexed and either made available or published may be relied upon, used or cited as precedent against any individual unless such individual has actual and-timely notice of the contents of such materials. Such materials issued, promulgated, or adopted before July 4, 1967, need not be indexed, but must be made available upon request if not exempted under this part.

(2) Each DoD Component shall promptly publish quarterly or more frequently, and distribute, by sale or otherwise, copies of each index of “(a)(2)” materials or supplements thereto unless it publishes in the Federal Register an order containing a determination that publication is unnecessary and impracticable. A copy of each index or supplement not published shall be provided to a requester at a cost not to exceed the direct cost of duplication as set forth in subpart F of this part.

(3) Each index of “(a)(2)” materials or supplement thereto shall be arranged topical or by descriptive words rather than by case name or numbering system so that members of the public can readily locate material. Case name and numbering arrangements, however, may also be included for DoD Component convenience.

(4) A general index of FOIA-processed (a)(2) records referred to in § 286.7(b)(4), shall be made available to the public, both in hard copy and electronically by December 31, 1999.

(b) Other materials. (1) Any available index of DoD Component material published in the Federal Register, such as material required to be published by Section 552(a)(1) of the FOIA, shall be made available in DoD Component FOIA reading rooms, and electronically to the public.

(2) Although not required to be made available in response to FOIA requests or made available in FOIA Reading Rooms, “(a)(1)” materials shall, when feasible, be made available to the public in FOIA reading rooms for inspection and copying, and by electronic means. Examples of “(a)(1)” materials are: descriptions of any agency's central and field organization, and to the extent they affect the public, rules of procedures, descriptions of forms available, instruction as to the scope and contents of papers, reports, or examinations, and any amendment, revision, or report of the aforementioned.

Records that meet the exemption criteria of the FOIA may be withheld from public disclosure and need not be published in the Federal Register, made available in a library reading room, or provided in response to a FOIA request.

The following types of records may be withheld in whole or in part from public disclosure under the FOIA, unless otherwise prescribed by law: A discretionary release of a record (see also § 286.4(e)) to one requester shall prevent the withholding of the same record under a FOIA exemption if the record is subsequently requested by someone else. However, a FOIA exemption may be invoked to withhold information that is similar or related that has been the subject of a discretionary release. In applying exemptions, the identity of the requester and the purpose for which the record is sought are irrelevant with the exception that an exemption may not be invoked where the particular interest to be protected is the requester's interest. However, if the subject of the record is the requester for the record and the record is contained in a Privacy Act system of records, it may only be denied to the requester if withholding is both authorized by DoD 5400.11-R 4 and by a FOIA exemption.

(a) Number 1 (5 U.S.C. 552(b)(1)). Those properly and currently classified in the interest of national defense or foreign policy, as specifically authorized under the criteria established by Executive Order and implemented by regulations, such as DoD 5200.1-R.5 Although material is not classified at the time of the FOIA request, a classification review may be undertaken to determine whether the information should be classified. The procedures in DoD 5200.1-R apply. If the information qualifies as exemption 1 information, there is no discretion regarding its release. In addition, this exemption shall be invoked when the following situations are apparent:

(1) The fact of the existence or nonexistence of a record would itself reveal classified information. In this situation, Components shall neither confirm nor deny the existence or nonexistence of the record being requested. A “refusal to confirm or deny” response must be used consistently, not only when a record exists, but also when a record does not exist. Otherwise, the pattern of using a “no record” response when a record does not exist, and a “refusal to confirm or deny” when a record does exist will itself disclose national security information.

(2) Compilations of items of information that are individually unclassified may be classified if the compiled information reveals additional association or relationship that meets the standard for classification under an existing executive order for classification and DoD 5200.R-1, and is not otherwise revealed in the individual items of information.

(b) Number 2 (5 U.S.C. 552(b)(2)). Those related solely to the internal personnel rules and practices of the Department of Defense or any of its Components. This exemption is entirely discretionary. This exemption has two profiles, high (b)(2) and low (b)(2). Paragraph (b)(2) of this section contains a brief discussion on the low (b)(2) profile; however, that discussion is for information purposes only. When only a minimum Government interest would be affected (administrative burden), there is a great potential for discretionary disclosure of the information. Consequently, DoD Components shall not invoke the low (b)(2) profile.

(1) Records qualifying under high (b)(2) are those containing or constituting statues, rules, regulations, orders, manuals, directives, instructions, and security classification guides, the release of which would allow circumvention of these records thereby substantially hindering the effective performance of a significant function of the Department of Defense. Examples include:

(i) Those operating rules, guidelines, and manuals for DoD investigators, inspectors, auditors, and examiners that must remain privileged in order for the DoD Component to fulfill a legal requirement.

(ii) Personnel and other administrative matters, such as examination questions and answers used in training courses or in the determination of the qualifications of candidates for employment, entrance on duty, advancement, or promotion.

(iii) Computer software, the release of which would allow circumvention of a statute or DoD rules, regulations, orders, manuals, directives, or instructions. In this situation, the use of the software must be closely examined to ensure a circumvention possibility exists.

(2) Records qualifying under the low (b)(2) profile are those that are trivial and housekeeping in nature for which there is no legitimate public interest or benefit to be gained by release, and it would constitute an administrative burden to process the request in order to disclose the records. Examples include rules of personnel's use of parking facilities or regulation of lunch hours, statements of policy as to sick leave, and administrative data such as file numbers, mail routing stamps, initials, data processing notations, brief references to previous communications, and other like administrative markings. DoD Components shall not invoke the low (b)(2) profile.

(c) Number 3 (5 U.S.C. 552(b)(3)). Those concerning matters that a statute specifically exempts from disclosure by terms that permit no discretion on the issue, or in accordance with criteria established by that statute for withholding or referring to particular types of matters to be withheld. The Directorate for Freedom of Information and Security Review maintains a list of (b)(3) statutes used within the Department of Defense, and provides updated lists of these statutes to DoD Components on a periodic basis. A few examples of such statutes are:

(1) Patent Secrecy, 35 U.S.C. 181-188. Any records containing information relating to inventions that are the subject of patent applications on which Patent Secrecy Orders have been issued.

(2) Restricted Data and Formerly Restricted Data, 42 U.S.C. 2162.

(3) Communication Intelligence, 18 U.S.C. 798.

(4) Authority to Withhold From Public Disclosure Certain Technical Data, 10 U.S.C. 130 and DoD Directive 5230.25.6

(5) Confidentiality of Medical Quality Assurance Records: Qualified Immunity for Participants, 10 U.S.C. 1102f.

(6) Physical Protection of Special Nuclear Material: Limitation on Dissemination of Unclassified Information, 10 U.S.C. 128.

(7) Protection of Intelligence Sources and Methods, 50 U.S.C. 403-3(c)(6).

(8) Protection of Contractor Submitted Proposals, 10 U.S.C. 2305(g).

(9) Procurement Integrity, 41 U.S.C. 423.

(d) Number 4 (5 U.S.C. 552(b)(4)). Those containing trade secrets or commercial or financial information that a DoD Component receives from a person or organization outside the Government with the understanding that the information or record will be retained on a privileged or confidential basis in accordance with the customary handling of such records. Records within the exemption must contain trade secrets, or commercial or financial records, the disclosure of which is likely to cause substantial harm to the competitive position of the source providing the information; impair the Government's ability to obtain necessary information in the future; or impair some other legitimate Government interest. Commercial or financial information submitted on a voluntary basis, absent any exercised authority prescribing criteria for submission is protected without any requirement to show competitive harm (see paragraph (d)(8) of this section). If the information qualifies as exemption 4 information, there is no discretion in its release. Examples include:

(1) Commercial or financial information received in confidence in connection with loans, bids, contracts, or proposals set forth in or incorporated by reference in a contract entered into between the DoD Component and the offeror that submitted the proposal, as well as other information received in confidence or privileged, such as trade secrets, inventions, discoveries, or other proprietary data. See also § 286.23(h)(2) of this part. Additionally, when the provisions of 10 U.S.C. 2305(g), and 41 U.S.C. 423 are met, certain proprietary and source selection information may be withheld under exemption 3.

(2) Statistical data and commercial or financial information concerning contract performance, income, profits, losses, and expenditures, if offered and received in confidence from a contractor or potential contractor.

(3) Personal statements given in the course of inspections, investigations, or audits, when such statements are received in confidence from the individual and retained in confidence because they reveal trade secrets or commercial or financial information normally considered confidential or privileged.

(4) Financial data provided in confidence by private employers in connection with locality wage surveys that are used to fix and adjust pay schedules applicable to the prevailing wage rate of employees within the Department of Defense.

(5) Scientific and manufacturing processes or developments concerning technical or scientific data or other information submitted with an application for a research grant, or with a report while research is in progress.

(6) Technical or scientific data developed by a contractor or subcontractor exclusively at private expense, and technical or scientific data developed in part with Federal funds and in part at private expense, wherein the contractor or subcontractor has retained legitimate proprietary interests in such data in accordance with 10 U.S.C. 2320-2321 and DoD Federal Acquisition Regulation Supplement (DFARS), Chapter 2 of 48 CFR, Subpart 227.71-227.72. Technical data developed exclusively with Federal funds may be withheld under Exemption Number 3 if it meets the criteria of 10 U.S.C. 130 and DoD Directive 5230.25 (see paragraph (c)(4) of this section).

(7) Computer software which is copyrighted under the Copyright Act of 1976 (17 U.S.C. 106), the disclosure of which would have an adverse impact on the potential market value of a copyrighted work.

(8) Proprietary information submitted strictly on a voluntary basis, absent any exercised authority prescribing criteria for submission. Examples of exercised authorities prescribing criteria for submission are statutes, Executive Orders, regulations, invitations for bids, requests for proposals, and contracts. Submission of information under these authorities is not voluntary. (See also §286.23(h)(3).)

(e) Number 5 (5 U.S.C. 552(b)(5)). Those containing information considered privileged in litigation, primarily under the deliberative process privilege. Except as provided in paragraphs (e)(2) through (e)(5) of this section, internal advice, recommendations, and subjective evaluations, as contrasted with factual matters, that are reflected in deliberative records pertaining to the decision-making process of an agency, whether within or among agencies (as defined in 5 U.S.C. 552(e)), or within or among DoD Components. In order to meet the test of this exemption, the record must be both deliberative in nature, as well as part of a decision-making process. Merely being an internal record is insufficient basis for withholding under this exemption. Also potentially exempted are records pertaining to the attorney-client privilege and the attorney work-product privilege. This exemption is entirely discretionary.

(1) Examples of the deliberative process include:

(i) The non factual portions of staff papers, to include after-action reports, lessons learned, and situation reports containing staff evaluations, advice, opinions, or suggestions.

(ii) Advice, suggestions, or evaluations prepared on behalf of the Department of Defense by individual consultants or by boards, committees, councils, groups, panels, conferences, commissions, task forces, or other similar groups that are formed for the purpose of obtaining advice and recommendations.

(iii) Those non factual portions of evaluations by DoD Component personnel of contractors and their products.

(iv) Information of a speculative, tentative, or evaluative nature or such matters as proposed plans to procure, lease or otherwise acquire and dispose of materials, real estate, facilities or functions, when such information would provide undue or unfair competitive advantage to private personal interests or would impede legitimate government functions.

(v) Trade secret or other confidential research development, or commercial information owned by the Government, where premature release is likely to affect the Government's negotiating position or other commercial interest.

(vi) Those portions of official reports of inspection, reports of the Inspector General, audits, investigations, or surveys pertaining to safety, security, or the internal management, administration, or operation of one or more DoD Components, when these records have traditionally been treated by the courts as privileged against disclosure in litigation.

(vii) Planning, programming, and budgetary information that is involved in the defense planning and resource allocation process.

(2) If any such intra- or inter-agency record or reasonably segregable portion of such record hypothetically would be made available routinely through the discovery process in the course of litigation with the Agency, then it should not be withheld under the FOIA. If, however, the information hypothetically would not be released at all, or would only be released in a particular case during civil discovery where a party's particularized showing of need might override a privilege, then the record may be withheld. Discovery is the formal process by which litigants obtain information from each other for use in the litigation. Consult with legal counsel to determine whether exemption 5 material would be routinely made available through the discovery process.

(3) Intra- or inter-agency memoranda or letters that are factual, or those reasonably segregable portions that are factual, are routinely made available through discovery, and shall be made available to a requester, unless the factual material is otherwise exempt from release, inextricably intertwined with the exempt information, so fragmented as to be uninformative, or so redundant of information already available to the requester as to provide no new substantive information.

(4) A direction or order from a superior to a subordinate, though contained in an internal communication, generally cannot be withheld from a requester if it constitutes policy guidance or a decision, as distinguished from a discussion of preliminary matters or a request for information or advice that would compromise the decision-making process.

(5) An internal communication concerning a decision that subsequently has been made a matter of public record must be made available to a requester when the rationale for the decision is expressly adopted or incorporately by reference in the record containing the decision.

(f) Number 6 (5 U.S.C. 552(b)(6)). Information in personnel and medical files, as well as similar personal information in other files, that, if disclosed to a requester, other than the person about whom the information is about, would result in a clearly unwarranted invasion of personal privacy. Release of information about an individual contained in a Privacy Act System of records that would constitute a clearly unwarranted invasion of privacy is prohibited, and could subject the releaser to civil and criminal penalties. If the information qualifies as exemption 6 information, there is no discretion in its release.

(1) Examples of other files containing personal information similar to that contained in personnel and medical files include:

(i) Those compiled to evaluate or adjudicate the suitability of candidates for civilian employment or membership in the Armed Forces, and the eligibility of individuals (civilian, military, or contractor employees) for security clearances, or for access to particularly sensitive classified information.

(ii) Files containing reports, records, and other material pertaining to personnel matters in which administrative action, including disciplinary action, may be taken.

(2) Home addresses, including private e-mail addresses, are normally not releasable without the consent of the individuals concerned. This includes lists of home addresses and military quarters’ addresses without the occupant's name. Additionally, the names and duty addresses (postal and/or e-mail) of DoD military and civilian personnel who are assigned to units that are sensitive, routinely deployable, or stationed in foreign territories can constitute a clearly unwarranted invasion of personal privacy.

(i) Privacy interest. A privacy interest may exist in personal information even though the information has been disclosed at some place and time. If personal information is not freely available from sources other than the Federal Government, a privacy interest exists in its nondisclosure. The fact that the Federal Government expended funds to prepare, index and maintain records on personal information, and the fact that a requester invokes FOIA to obtain these records indicates the information is not freely available.

(ii) Names and duty addresses (postal and/or e-mail) published in telephone directories, organizational charts, rosters and similar materials for personnel assigned to units that are sensitive, routinely deployable, or stationed in foreign territories are withholdable under this exemption.

(3) This exemption shall not be used in an attempt to protect the privacy of a deceased person, but it may be used to protect the privacy of the deceased person's family if disclosure would rekindle grief, anguish, pain, embarrassment, or even disruption of peace of mind of surviving family members. In such situations, balance the surviving family members’ privacy against the public's right to know to determine if disclosure is in the public interest. Additionally, the deceased's social security number should be withheld since it is used by the next of kin to receive benefits. Disclosures may be made to the immediate next of kin as defined in DoD Directive 5154.24.7

(4) A clearly unwarranted invasion of the privacy of third parties identified in a personnel, medical or similar record constitutes a basis for deleting those reasonably segregable portions of that record. When withholding third party personal information from the subject of the record and the record is contained in a Privacy Act system of records, consult with legal counsel.

(5) This exemption also applies when the fact of the existence or nonexistence of a responsive record would itself reveal personally private information, and the public interest in disclosure is not sufficient to outweigh the privacy interest. In this situation, DoD Components shall neither confirm nor deny the existence or nonexistence of the record being requested. This is a Glomar response, and exemption 6 must be cited in the response. Additionally, in order to insure personal privacy is not violated during referrals, DoD Components shall coordinate with other DoD Components or Federal Agencies before referring a record that is exempt under the Glomar concept.

(i) A “refusal to confirm or deny” response must be used consistently, not only when a record exists, but also when a record does not exist. Otherwise, the pattern of using a “no records” response when a record does not exist and a “refusal to confirm or deny” when a record does exist will itself disclose personally private information.

(ii) Refusal to confirm or deny should not be used when:

(A) The person whose personal privacy is in jeopardy has provided the requester a waiver of his or her privacy rights.

(B) The person initiated or directly participated in an investigation that lead to the creation of any agency record seeks access to that record.

(C) The person whose personal privacy is in jeopardy is deceased, the Agency is aware of that fact, and disclosure would not invade the privacy of the deceased's family. See paragraph (f)(3) of this section.

(g) Number 7 (5 U.S.C. 552(b)(7)). Records or information complied for law enforcement purposes; i.e., civil, criminal, or military law, including the implementation of Executive orders or regulations issued pursuant to law. This exemption may be invoked to prevent disclosure of documents not originally created for, but later gathered for law enforcement purposes. With the exception of parts (C) and (F) (see paragraph (g)(1)(iii) of this section) of this exemption, this exemption is discretionary. If information qualifies as exemption (7)(C) or (7)(F) (see paragraph (g)(1)(iii) of this section) information, there is no discretion in its release.

(1) This exemption applies, however, only to the extent that production of such law enforcement records or information could result in the following:

(i) Could reasonably be expected to interfere with enforcement proceedings (5 U.S.C. 552(b)(7)(A)).

(ii) Would deprive a person of the right to a fair trial or to an impartial adjudication (5 U.S.C. 552(b)(7)(B)).

(iii) Could reasonably be expected to constitute an unwarranted invasion of personal privacy of a living person, including surviving family members of an individual identified in such a record (5 U.S.C. 552(b)(7)(C)).

(A) this exemption also applies when the fact of the existence or nonexistence of a responsive record would itself reveal personally private information, and the public interest in disclosure is not sufficient to outweigh the privacy interest. In this situation, Components shall neither confirm nor deny the existence or nonexistence of the record being requested. This a Glomar response, and exemption (7)(C) must be cited in the response. Additionally, in order to insure personal privacy is not violated during referrals, DoD Components shall coordinate with other DoD Components or Federal Agencies before referring a record that is exempt under the Glomar concept.

(B) A “refusal to confirm or deny” response must be used consistently, not only when a record exists, but also when a record does not exist. Otherwise, the pattern of using a “no records” response when a record does not exist and a “refusal to confirm or deny” when a record does exist will itself disclose personally private information.

(C) Refusal to confirm or deny should not be used when:

(1) The person whose personal privacy is in jeopardy has provided the requester with a waiver of his or her privacy rights.

(2) The person whose personal privacy is in jeopardy is deceased, and the Agency is aware of that fact.

(D) Could reasonably be expected to disclose the identity of a confidential source, including a source within the Department of Defense; a State, local, or foreign agency or authority; or any private institution that furnishes the information on a confidential basis; and could disclose information furnished from a confidential source and obtained by a criminal law enforcement authority in a criminal investigation or by an agency conducting a lawful national security intelligence investigation (5 U.S.C. 552(b)(7)(D)).

(E) Would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of the law (5 U.S.C. 552(b)(7)(E)).

(F) Could reasonably be expected to endanger the life or physical safety of any individual (5 U.S.C. 552(b)(7)(F)).

(2) Some examples of exemption 7 are:

(i) Statements of witnesses and other material developed during the course of the investigation and all materials prepared in connection with related Government litigation or adjudicative proceedings.

(ii) The identify of firms or individuals being investigated for alleged irregularities involving contracting with the Department of Defense when no indictment has been obtained nor any civil action filed against them by the United States.

(iii) Information obtained in confidence, expressed or implied, in the course of a criminal investigation by a criminal law enforcement agency or office within a DoD Component, or a lawful national security intelligence investigation conducted by an authorized agency or office with a DoD Component. National security intelligence investigations include background security investigations and those investigations conducted for the purpose of obtaining affirmative or counterintelligence information.

(3) The right of individual litigants to investigative records currently available by law (such as, the Jencks Act, 18 U.S.C. 3500)) is not diminished.

(4) Exclusions. Excluded from exemption 7 are the following two situations applicable to the Department of Defense. (Components considering invoking an exclusion should first consult with the Department of Justice, Office of Information and Privacy.):

(i) Whenever a request is made that involves access to records or information compiled for law enforcement purposes, and the investigation or proceeding involves a possible violation of criminal law where there is reason to believe that the subject of the investigation or proceeding is unaware of its pendency, and the disclosure of the existence of the records could reasonably be expected to interfere with enforcement proceedings, Components may, during only such times as that circumstances continues, treat the records of information as not subject to the FOIA. In such situation, the response to the requester will state that no records were found.

(ii) Whenever informant records maintained by a criminal law enforcement organization within a DoD Component under the informant's name or personal identifier are requested by a third party using the informant's name or personal identifier, the Component may treat the records as not subject to the FOIA, unless the informant's status as an informant has been officially confirmed. If it is determined that the records are not subject to 5 U.S.C. 552(b)(7), the response to the request will state that no records were found.

(h) Number 8 (U.S.C. 552 (b)(8)). Those contained in or related to examination, operation or condition reports prepared by, on behalf of, or for the use of any agency responsible for the regulation or supervision of financial institutions.

(i) Number 9 (5 U.S.C. 552(b)(9)). Those containing geological and geophysical information and data (including maps) concerning wells.

(a) General. Information that has not been given a security classification pursuant to the criteria of an Executive Order, but which may be withheld from the public because disclosure would cause a foreseeable harm to an interest protected by one or more FOIA exemptions 2 through 9 (see subpart C of this part) shall be considered as being for official use only (FOUO). No other material shall be considered FOUO, and FOUO is not authorized as an anemic form of classification to protect national security interests. Additional information on FOUO and other controlled, unclassified information may be found in DoD 5200. 1-R or by contacting the Directorate for Security, Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence).

(b) Prior FOUO application. The prior application of FOUO markings is not a conclusive basis for withholding a record that is requested under the FOIA. When such a record is requested, the information in it shall be evaluated to determine whether disclosure would result in a foreseeable harm to an interest protected by one or more FOIA exemptions 2 through 9. Even if any exemptions apply, the record shall be released as a discretionary matter when it is determined that there is no foreseeable harm to an interest protected by the exemptions.

(c) Historical papers. Records such as notes, working papers, and drafts retained as historical evidence of DoD Component actions enjoy no special apart from the exemptions under the FOIA.

(d) Time to mark records. The marking of records at the time of their creation provides notice of FOUO content and facilitates review when a record is requested under the FOIA. Records requested under the FOIA that do not bear such markings shall not be assumed to be releasable without examination for the presence of information that requires continued protection and qualifies as exempt from public release.

(e) Distribution statement. Information in a technical document that requires a distribution statement pursuant to DoD Directive 5230.24 8 shall bear that statement and may be marked FOUO, as appropriate.

(a) Location of markings. (1) An unclassified document containing FOUO information shall be marked “For Official Use Only” at the bottom on the outside of the front cover (if any), on each page containing FOUO information, and on the outside of the back cover (if any). Each paragraph containing FOUO information shall be marked as such.

(2) Within a classified document, an individual page that contains both FOUO and classified information shall be marked at the top and bottom with the highest security classification of information appearing on the page. Individual paragraphs shall be marked at the appropriate classification level, as well as unclassified or FOUO, as appropriate.

(3) Within a classified document, an individual page that contains FOUO information but no classified information shall be marked “For Official Use Only” at the top and bottom of the page, as well as each paragraph that contains FOUO information.

(4) Other records, such as photographs, films, tapes, or slides, shall be marked “For Official Use Only” or “FOUO” in a manner that ensures that a recipient or viewer is aware of the status of the information therein.

(5) FOUO material transmitted outside the Department of Defense requires application of an expanded marking to explain the significance of the FOUO marking. This may be accomplished by typing or stamping the following statement on the record prior to transfer:

(b) [Reserved]

(a) During duty hours. During normal working hours, records determined to be FOUO shall be placed in an out-of-sight location if the work area is accessible to nongovernment personnel.

(b) During nonduty hours. At the close of business, FOUO records shall be stored so as to prevent unauthorized access. Filing such material with other unclassified records in unlocked files or desks, etc., is adequate when normal U.S. Government or Government-contractor internal building security is provided during nonduty hours. When such internal security control is not exercised, locked buildings or rooms normally provide adequate after-hours protection. If such protection is not considered adequate, FOUO material shall be stored in locked receptacles such as file cabinets, desks, or bookcases. FOUO records that are subject to the provisions of the National Security Act of 1959 shall meet the safeguards outlined for that group of records.

(a) Termination. The originator or other competent authority; e.g., initial denial and appellate authorities, shall terminate “For Official Use Only” markings or status when circumstances indicate that the information no longer requires protection from public disclosure. When FOUO status is terminated, all known holders shall be notified, to the extent practical. Upon notification, holders shall efface or remove the “For Official Use Only” markings, but records in file or storage need not be retrieved solely for that purpose.

(b) Disposal. (1) Nonrecord copies of FOUO materials may be destroyed by tearing each copy into pieces to prevent reconstructing, and placing them in regular trash containers. When local circumstances or experience indicates that this destruction method is not sufficiently protective of FOUO information, local authorities may direct other methods but must give due consideration to the additional expense balanced against the degree of sensitivity of the type of FOUO information contained in the records.

(2) Record copies of FOUO documents shall be disposed of in accordance with the disposal standards established under 44 U.S.C. 3301-3314, as implemented by DoD Component instructions concerning records disposal.

(c) Unauthorized disclosure. The unauthorized disclosure of FOUO records does not constitute an unauthorized disclosure of DoD information classified for security purposes. Appropriate administrative action shall be taken, however, to fix responsibility for unauthorized disclosure whenever feasible, and appropriate disciplinary action shall be taken against those responsible. Unauthorized disclosure of FOUO information that is protected by the Privacy Act may also result in civil and criminal sanctions against responsible persons. The DoD Component that originated the FOUO information shall be informed of its unauthorized disclosure.

(a) Public information. (1) Since the policy of the Department of Defense is to make the maximum amount of information available to the public consistent with its other responsibilities, written requests for a DoD record made under the provisions of 5 U.S.C. 552(a)(3) of the FOIA may be denied only when:

(i) Disclosure would result in a foreseeable harm to an interest protected by a FOIA exemption, and the record is subject to one or more of the exemptions of FOIA.

(ii) The record has not been described well enough to enable the DoD Component to locate it with a reasonable amount of effort by an employee familiar with the files.

(iii) The requester has failed to comply with the procedural requirements, including the written agreement to pay or payment of any required fee imposed by the instructions of the DoD Component concerned. When personally identifiable information in a record is requested by the subject of the record or the subject's attorney, notarization of the request, or a statement certifying under the penalty of perjury that their identity is true and correct may be required. Additionally, written consent of the subject of the record is required for disclosure from a Privacy Act System of records, even to the subject's attorney.

(2) Individuals seeking DoD information should address their FOIA requests to one of the addresses listed in appendix B of this part.

(b) Requests from private parties. The provisions of the FOIA are reserved for persons with private interest as opposed to U.S. Federal Agencies seeking official information. Requests from private persons will be made in writing, and should clearly show all other addressees within the Federal Government to which the request was also sent. This procedure will reduce processing time requirements, and ensure better inter- and intra-agency coordination. However, if the requester does not show all other addressees to which the request was also sent, DoD Components shall still process the request. DoD Components should encourage requesters to send requests by mail, facsimile, or by electronic means. Disclosure of records to individuals under the FOIA is considered public release of information, except as provided for in § 286.4(f) and § 286.12.

(c) Requests from government officials. Requests from officials of State or local Governments for DoD Component records shall be considered the same as any other requester. Requests from members of Congress not seeking records on behalf of a Congressional Committee, Subcommittee, either House sitting as a whole, or made on behalf of their constituents shall be considered the same as any other requester (see also § 286.4(f) and paragraph (d) of this section). Requests from officials of foreign governments shall be considered the same as any other requester. Requests from officials of foreign governments that do not invoke the FOIA shall be referred to appropriate foreign disclosure channels and the requester so notified.

(d) Privileged release outside of the FOIA to U.S. Government officials. (1) Records exempt from release to the public under the FOIA may be disclosed in accordance with DoD Component regulations to agencies of the Federal Government, whether legislative, executive, or administrative, as follows:

(i) In response to a request of a Committee or Subcommittee of Congress, or to either House sitting as a whole in accordance with DoD Directive 5400.4.

(ii) To other Federal Agencies, both executive and administrative, as determined by the head of a DoD Component or designee.

(iii) In response to an order of a Federal court, DoD Components shall release information along with a description of the restrictions on its release to the public.

(2) DoD Components shall inform officials receiving records under the provisions of this paragraph that those records are exempt from public release under the FOIA. DoD Components also shall advise officials of any special handling instructions. Classified information is subject to the provisions of DoD 5200.1-R, and information contained in Privacy Act systems of records is subject to DoD 5400.11-R.

(e) Consultation with affected DoD component. (1) When a DoD Component receives a FOIA request for a record in which an affected DoD organization (including a Combatant Command) has a clear and substantial interest in the subject matter, consultation with that affected DoD organization is required. As an example, where a DoD Component receives a request for records related to DoD operations in a foreign country, the cognizant Combatant Command for the area involved in the request shall be consulted before a release is made. Consultations may be telephonic, electronic, or in hard copy.

(2) The affected DoD Component shall review the circumstances of the request for host-nation relations, and provide, where appropriate, FOIA processing assistance to the responding DoD Component regarding release of information. Responding DoD Components shall provide copies of responsive records to the affected DoD Component when requested by the affected DoD Component. The affected DoD Component shall receive a courtesy copy of all releases in such circumstances.

(3) Nothing in paragraphs (e)(1) and (e)(2) of this section shall impede the processing of the FOIA request initially received by a DoD Component.

(a) Initial denial authority. (1) Components shall limit the number of IDAs appointed. In designating its IDAs, a DoD Component shall balance the goals of centralization of authority to promote uniform decisions and decentralization to facilitate responding the each request within the time limitations of the FOIA.

(2) The initial determination whether to make a record available upon request may be made by any suitable official designated by the DoD Component in published regulations. The presence of the marking “For Official Use Only” does not relieve the designated official of the responsibility to review the requested record for the purpose of determining whether an exemption under the FOIA is applicable.

(3) The officials designated by DoD Components to make initial determinations should consult with public affairs officers (PAOs) to become familiar with subject matter that is considered to be newsworthy, and advise PAOs of all requests from news media representatives. In addition, the officials should inform PAOs in advance when they intend to withhold or partially withhold a record, if it appears that the withholding action may be challenged in the media.

(b) Reasons for not releasing a record. The following are reasons for not complying with a request for a record under 5 U.S.C. 552(a)(3):

(1) No records. A reasonable search of files failed to identify responsive records.

(2) Referrals. The request is transferred to another DoD Component, or to another Federal Agency.

(3) Request withdrawn. The request is withdrawn by the requester.

(4) Fee-related reason. The requester is unwilling to pay fees associated with a request; the requester is past due in the payment of fees from a previous FOIA request; or the requester disagrees with the fee estimate.

(5) Records not reasonably described. A record has not been described with sufficient particularity to enable the DoD Component to locate it by conducting a reasonable search.

(6) Not a proper FOIA request for some other reason. The requester has failed unreasonably to comply with procedural requirements, other than fee-related, imposed by this part or DoD Component supplementing regulations.

(7) Not an agency record. The information requested is not a record within the meaning of the FOIA and this part.

(8) Duplicate request. The request is a duplicate request (e.g., a requester asks for the same information more than once). This includes identical requests received via different means (e.g., electronic mail, facsimile, mail, courier) at the same or different times.

(9) Other (specify). Any other reason a requester does not comply with published rules other than those outlined paragraphs (b)(1) through (b)(8) of this section.

(10) Partial or total denial. The record is denied in whole or in part in accordance with procedures set forth in the FOIA.

(c) Denial tests. To deny a requested record that is in the possession and control of a DoD Component, it must be determined that disclosure of the record would result in a foreseeable harm to an interest protected by a FOIA exemption, and the record is exempt under one or more of the exemptions of the FOIA. An outline of the FOIA's exemptions is contained in subpart C of this part.

(d) Reasonably segregable portions. Although portions of some records may be denied, the remaining reasonably segregable portions must be released to the requester when it reasonably can be assumed that a skillful and knowledgeable person could not reconstruct the excised information. Unless indicating the extent of the deletion would harm an interest protected by an exemption, the amount of deleted information shall be indicated on the released portion of paper records by use of brackets or darkened areas indicating removal of information. In no case shall the deleted areas be left “white” without the use of brackets to show the bounds of deleted information. In the case of electronic deletion, or deletion in audiovisual or microfiche records, if technically feasible, the amount of redacted information shall be indicated at the place in the record such deletion was made, unless including the indication would harm an interest protected by the exemption under which the deletion is made. This may be done by use of brackets, shaded areas, or some other identifiable technique that will clearly show the limits of the deleted information. When a record is denied in whole, the responsive advising the requester of that determination will specifically state that it is not reasonable to segregate portions of the record for release.

(e) Response to requester. (1) Whenever possible, initial determinations to release or deny a record normally shall be made and the decision reported to the requester within 20 working days after receipt of the request by the official designated to respond. When a DoD Component has a significant number of pending requests which prevent a response determination within the 20 working day period, the requester shall be so notified in an interim response, and advised whether their request qualifies for the fast track or slow track within the DoD Components’ multitrack processing system. Requesters who do not meet the criteria for fast track processing shall be given the opportunity to limit the scope of their request in order to qualify for fast track processing. See also § 286.4(d)(2), for greater detail on multitrack processing and compelling need meriting expedited processing.

(2) When a decision is made to release a record, a copy should be made available promptly to the requester once he has complied with preliminary procedural requirements.

(3) When a request for a record is denied in whole or in part, the official designated to respond shall inform the requester in writing of the name and title or position of the official who made the determination, and shall explain to the requester the basis for the determination in sufficient detail to permit the requester to make a decision concerning appeal. The requester specifically shall be informed of the exemptions on which the denial is based, inclusive of a brief statement describing what the exemption(s) cover. When the initial denial is based in whole or in part on a security classification, the explanation should include a summary of the applicable Executive Order criteria for classification, as well as an explanation, to the extent reasonably feasible, of how those criteria apply to the particular record in question. The requester shall also be advised of the opportunity and procedures for appealing an unfavorable determination to a higher final authority within the DoD Component.

(4) The final response to the requester should contain information concerning the fee status of the request, consistent with the provisions of subpart F of this part. When a requester is assessed fees for processing a request, the requester's fee category shall be specified in the response letter. Components also shall provide the requester with a complete cost breakdown (e.g., 15 pages of office reproduction at $0.15 per page; 5 minutes of computer search time at $43.50 per minute, 2 hours of professional level search at $25 per hour, etc.) in the response letter.

(5) The explanation of the substantive basis for a denial shall include specific citation of the statutory exemption applied under provisions of this part; e.g., 5 U.S.C. 552(b)(1). Merely referring to a classification; to a “For Official Use Only” marking on the requested record; or to this part or a DoD Component's regulation does not constitute a proper citation or explanation of the basis for invoking an exemption.

(6) When the time for response becomes an issue, the official responsible for replying shall acknowledge to the requester the date of the receipt of the request.

(7) When denying a request for records, in whole or in a part, a DoD Component shall make a reasonable effort to estimate the volume of the records denied and provide this estimate to the requester, unless providing such an estimate would harm an interest protected by an exemption of the FOIA. This estimate should be in number of pages or in some other reasonable form of estimation, unless the volume is otherwise indicated through deletions on records disclosed in part.

(8) When denying a request for records in accordance with a statute qualifying as a FOIA exemption 3 statute, DoD Components shall, in addition to sitting the particular statute relied upon to deny the information, also state whether a court has upheld the decision to withhold the information under the particular statute, and a concise description of the scope of the information being withheld.

(f) Extension of time. (1) In unusual circumstances, when additional time is needed to respond to the initial request, the DoD Component shall acknowledge the request in writing the 20 day period, describe the circumstances requiring the delay, and indicate the anticipated date for a substantive response that may not exceed 10 additional working days, except as follows:

(2) With respect to a request for which a written notice has extended the time limits by 10 additional working days, and the Component determines that it cannot make a response determination within that additional 10 working day period, the requester shall be notified and provided an opportunity to limit the scope of the request so that it may be processed within the extended time limit, or an opportunity to arrange an alternative time frame for processing the request or a modified request. Refusal by the requester to reasonably modify the request or arrange for an alternative time frame shall be considered a factor in determining whether exceptional circumstances exist with respect to DoD Components’ request backlogs. Exceptional circumstances do not include a delay that results from predictable component backlogs, unless the DoD Component demonstrates reasonable progress in reducing its backlog.

(3) Unusual circumstances that may justify delay are:

(i) The need to search for and collect the requested records from other facilities that are separate from the office determined responsible for a release or denial decision on the requested information.

(ii) The need to search for, collect, and appropriately examine a voluminous amount of separate and distinct records which are requested in a single request.

(iii) The need for consultation, which shall be conducted with all practicable speed, with other agencies having a substantial interest in the determination of the request, or among two or more DoD Components having a substantial subject-matter interest in the request.

(4) DoD Components may aggregate certain requests by the same requester, or by a group of requesters acting in concert, if the DoD Component reasonably believes that such requests actually constitute a single request, which would otherwise satisfy the unusual circumstances set forth in paragraph (f)(3) of this section, and the requests involve clearly related matters. Multiple requests involving unrelated matters shall not be aggregated. If the requests are aggregated under these conditions, the requester or requesters shall be so notified.

(5) In cases where the statutory time limits cannot be met and no informal extension of time has been agreed to, the inability to process any part of the request within the specified time should be explained to the requester with a request that he agree to await a substantive response by an anticipated date. If should be made clear that any such agreement does not prejudice the right of the requester to appeal the initial decision after it is made. DoD Components are reminded that the requester still retains the right to treat this delay as a de facto denial with full administrative remedies.

(6) As an alternative to the taking of formal extensions of time as described in § 286.23(f), the negotiation by the cognizant FOIA coordinating office of informal extensions in time with requesters is encouraged where appropriate.

(g) Misdirected requests. Misdirected requests shall be forwarded promptly to the DoD Component or other Federal Agency with the responsibility for the records requested. The period allowed for responding to the request misdirected by the requester shall not begin until the request is received by the DoD Component that manages the records requested.

(h) Records of non-U.S. government source. (1) When a request is received for a record that falls under exemption 4 (see § 286.12(d)), that was obtained from a non-U.S. Government source, or for a record containing information clearly identified as having been provided by a non-U.S. Government source, the source of the record or information (also known as “the submitter” for matters pertaining to proprietary data under 5 U.S.C. 552, Exemption (b)(4)) (§ 286.12(d), this part and E.O. 12600 (3 CFR, 1987 Comp., p. 235)) shall be notified promptly of that request and afforded reasonable time (e.g., 30 calendar days) to present any objections concerning the release, unless it is clear that there can be no valid basis for objection. This practice is required for those FOIA requests for data not deemed clearly exempt from disclosure under exemption (b)(4) of 5 U.S.C. 552. If, for example, the record or information was provided with actual or presumptive knowledge of the non-U.S. Government source and established that it would be made available to the public upon request, there is no obligation to notify the source. Any objections shall be evaluated. The final decision to disclose information claimed to be exempt under exemption (b)(4) shall be made by an official equivalent in rank to the official who would make the decision to withhold that information under the FOIA. When a substantial issue has been raised, the DoD Component may seek additional information from the source of the information and afford the source and requester reasonable opportunities to present their arguments on the legal and substantive issues involved prior to making an agency determination. When the source advises it will seek a restraining order or take court action to prevent release of the record or information, the requester shall be notified, and action on the request normally shall not be taken until after the outcome of that court action is known. When the requester brings court action to compel disclosure, the submitter shall be promptly notified of this action.

(2) If the submitted information is a proposal in response to a solicitation for a competitive proposal, and the proposal is in the possession and control of DoD, and meets the requirements of 10 U.S.C. 2305(g), the proposal shall not be disclosed, and no submitter notification and subsequent analysis is required. The proposal shall be withheld from public disclosure pursuant to 10 U.S.C. 2305(g) and exemption (b)(3) of 5 U.S.C. 552. This statute does not apply to bids, unsolicited proposals, or any proposal that is set forth or incorporated by reference in a contract between a DoD Component and the offeror that submitted the proposal. In such situations, normal submitter notice shall be conducted in accordance with paragraph (h)(1) of this section, except for sealed bids that are opened and read to the public. The term proposal means information contained in or originating from any proposal, including a technical, management, or cost proposal submitted by an offeror in response to solicitation for a competitive proposal, but does not include an offeror's name or total price or unit prices when set forth in a record other than the proposal itself. Submitter notice, and analysis as appropriate, are required for exemption (b)(4) matters that are not specifically incorporated in 10 U.S.C. 2305(g).

(3) If the record or information was submitted on a strictly voluntary basis, absent any exercised authority that prescribes criteria for submission, and after consultation with the submitter, it is absolutely clear that the record or information would customarily not be released to the public, the submitter need not be notified. Examples of exercised authorities prescribing criteria for submission are statutes, Executive Orders, regulations, invitations for bids, requests for proposals, and contracts. Records or information submitted under these authorities are not voluntary in nature. When it is not clear whether the information was submitted on a voluntary basis, absent any exercised authority, and whether it would customarily be released to the public by the submitter, notify the submitter and ask that it describe its treatment of the information, and render an objective evaluation. If the decision is made to release the information over the objection of the submitter, notify the submitter and afford the necessary time to allow the submitter to seek a restraining order, or take court action to prevent release of the record or information.

(4) The coordination provisions of this paragraph also apply to any non-U.S. Government record in the possession and control of the DoD from multi-national organizations, such as the North Atlantic Treaty Organization (NATO), United Nations Commands, the North American Aerospace Defense Command (NORAD), the Inter-American Defense Board, or foreign governments. Coordination with foreign governments under the provisions of this paragraph may be made through Department of State, or the specific foreign embassy.

(i) File of initial denials. Copies of all initial denials shall be maintained by each DoD Component in a form suitable for rapid retrieval, periodic statistical compilation, and management evaluation. Records denied for any of the reasons contained in paragraph (b) of this section shall be maintained for a period of six years to meet the statute of limitations requirement.

(j) Special mail services. Components are authorized to use registered mail, certified mail, certificates of mailing and return receipts. However, their use should be limited to instances where it appears advisable to establish proof of dispatch or receipt of FOIA correspondence. The requester shall be notified that they are responsible for the full costs of special services.

(k) Receipt accounts. The Treasurer of the United States has established two accounts for FOIA receipts, and all money orders or checks remitting FOIA fees should be made payable to the U.S. Treasurer. These accounts, which are described in paragraphs (k)(1) and (k)(2) of this section shall be used for depositing all FOIA receipts, except receipts for Working Capital and non appropriated funded activities. Components are reminded that the below account numbers must be preceded by the appropriate disbursing office two digit prefix. Working Capital and non appropriated funded activity FOIA receipts shall be deposited to the applicable fund.

(1) Receipt account 3210 sale of publications and reproductions, Freedom of Information Act. This account shall be used when depositing funds received from providing existing publications and forms that meet the Receipt Account Series description found in Federal Account Symbols and Titles.

(2) Receipt account 3210 fees and other charges for services, Freedom of Information Act. This account is used to deposit search fees, fees for duplicating and reviewing (in the case of commercial requesters) records to satisfy requests that could not be filled with existing publications or forms.

(a) General. If the official designated DoD Component to make initial determinations on requests for records declines to provide a record because the official considers it exempt under one or more of the exemptions of the FOIA, that decision may be appealed by the requester, in writing, to a designated appellate authority. The appeal should be accompanied by a copy of the letter denying the initial request. Such appeals should contain the basis for disagreement with the initial refusal. Appeal procedures also apply to the disapproval of a fee category claim by a requester, disapproval of a request for waiver or reduction of fees, disputes regarding fee estimates, review on an expedited basis a determination not to grant expedited access to agency records, for no record determinations when the requester considers such responses adverse in nature, not providing a response determination to a FOIA request within the statutory time limits, or any determination found to be adverse in nature by the requester. When denials have been made under the provisions of the Privacy Act and the FOIA, and the denied information is contained in a Privacy Act system of records, appeals shall be processed under both the Privacy Act and the FOIA. If the denied information is not maintained in a Privacy Act system of records, the appeal shall be processed under the FOIA. Appeals of Office of the Secretary of Defense and Chairman of the Joint Chiefs of Staff determinations may be sent to the address in appendix B of this part. If a request is merely misaddressed, and the receiving DoD Component simply advises the requester of such and refers the request to the appropriate DoD Component, this shall not be considered a no record determination.

(b) Time of receipt. A FOIA appeal has been received by a DoD Component when it reaches the office of an appellate authority having jurisdiction. Misdirected appeals should be referred expeditiously to the proper appellate authority.

(c) Time limits. (1) The requester shall be advised to file an appeal so that it is postmarked no later than 60 calendar days after the date of the initial denial letter. If no appeal is received, or if the appeal is postmarked after the conclusion of this 60-day period, the appeal may be considered closed. However, exceptions to the above may be considered on a case by case basis. In cases where the requester is provided several incremental determinations for a single request, the time for the appeal shall not begin until the date of the final response. Records that are denied shall be retained for a period of six years to meet the statute of limitations requirement.

(2) Final determinations on appeals normally shall be made within 20 working days after receipt. When a DoD Component has a significant number of appeals preventing a response determination within 20 working days, the appeals shall be processed in a multitrack processing system, based at a minimum, on the three processing tracks established for initial requests. See § 286.4(d) of this part. All of the provisions of § 286.4(d) apply also to appeals of initial determinations, to include establishing additional processing queues as needed.

(d) Delay in responding to an appeal. (1) If additional time is needed due to the unusual circumstances described in § 286.23(f), the final decision may be delayed for the number of working days (not to exceed 10), that were not used as additional time for responding to the initial request.

(2) If a determination cannot be made and the requester notified within 20 working days, the appellate authority shall acknowledge to the requester, in writing, the date of receipt of the appeal, the circumstances surrounding the delay, and the anticipated date for substantive response. Requesters shall be advised that, if the delay exceeds the statutory extension provision or is for reasons other than the unusual circumstances identified in § 286.23(f), they may consider their administrative remedies exhausted. They may, however, without prejudicing their right of judicial remedy, await a substantiative response. The DoD component shall continue to process the case expeditiously.

(e) Response to the requester. (1) When an appellate authority makes a final determination to release all or a portion of records withheld by an IDA, a written response and a copy of the records so released should be forwarded promptly to the requester after compliance with any preliminary procedural requirements, such as payment of fees.

(2) Final refusal of an appeal must be made in writing by the appellate authority or by a designated representative. The response, at a minimum, shall include the following:

(i) The basis for the refusal shall be explained to the requester in writing, both with regard to the applicable statutory exemption or exemptions invoked under provisions of the FOIA, and with respect to other appeal matters as set forth in paragraph (a) of this section.

(ii) When the final refusal is based in whole or in part on a security classification, the explanation shall include a determination that the record meets the cited criteria and rationale of the governing Executive Order, and that this determination is based on a declassification review, with the explanation of how that review confirmed the continuing validity of the security classification.

(iii) The final denial shall include the name and title or position of the official responsible for the denial.

(iv) In the case of appeals for total denial of records, the response shall advise the requester that the information being denied does not contain meaningful portions that are reasonably segregable.

(v) When the denial is based upon an exemption 3 statute (subpart C of this part), the response, in addition to citing the statute relied upon to deny the information, shall state whether a court has upheld the decision to withhold the information under the statute, and shall contain a concise description of the scope of the information withheld.

(vi) The response shall advise the requester of the right to judicial review.

(f) Consultation. (1) Final refusal involving issues not previously resolved or that the DoD Component knows to be inconsistent with rulings of other DoD Components ordinarily should not be made before consultation with the DoD Office of the General Counsel.

(2) Tentative decisions to deny records that raise new or significant legal issues of potential significance to other Agencies of the Government shall be provided to the DoD Office of the General Counsel.

(a) General. (1) This section states current legal and procedural rules for the convenience of the reader. The statemetns of rules do not create rights or remedies not otherwise available, nor do they bind the Department of Defense to particular judicial interpretations or procedures.

(2) A requester may seek an order from a U.S. District Court to compel release of a record after administrative remedies have been exhausted; i.e., when refused a record by the head of a Component or an appellate designee or when the DoD Component has failed to respond with the time limits prescribed by the FOIA and in this part.

(b) Jurisdiction. The requester may bring suit in the U.S. District Court in the district in which the requester resides or is the requesters place of business, in the district in which the record is located, or in the District of Columbia.

(c) Burden of proof. The burden of proof is on the DoD Component to justify its refusal to provide a record. The court shall evaluate the case de novo (anew) and may elect to examine any requester record in camera (in private) to determine whether the denial was justified.

(d) Actions by the court. (1) When a DoD Component has failed to make a determination within the statutory time limits but can demonstrate due diligence in exceptional circumstances, to include negotiating with the requester to modify the scope of their request, the court may retain jurisdiction and allow the Component additional time to complete its review of the records.

(2) If the court determines that the requester's complaint is substantially correct, it may require the United States to pay reasonable attorney fees and other litigation costs.

(3) When the court orders the release of denied records, it may also issue a written finding that the circumstances surrounding the witholding raise questions whether DoD Component personnel acted arbitrarily and capriciously. In these cases, the special counsel of the Merit System Protection Board shall conduct an investigation to determine whether or not disciplinary action is warranted. The DoD Component is obligated to take the action recommended by the special counsel.

(4) The court may punish the responsible official for contempt when a DoD Component fails to comply with the court order to produce records that it determines have been withheld improperly.

(e) Non-United States government source information. A requester may bring suit in a U.S. District Court to compel the release of records obtained from a non-government source or records based on information obtained from a non-government source. Such source shall be notified promptly of the court action. When the source advises that it is seeking court action to prevent release, the DoD Component shall defer answering or otherwise pleading to the complainant as long as permitted by the Court or until a decision is rendered in the court action of the source, whichever is sooner.

(f) FOIA litigation. Personnel responsible for processing FOIA requests at the DoD Component level shall be aware of litigation under the FOIA. Such information will provide management insights into the use of the nine exemptions by Component personnel. Whenever a complaint under the FOIA is filed in a U.S. District Court, the DoD Component named in the complaint shall forward a copy of the complaint by any means to the Director, Freedom of Information and Security Review with an information copy to the DoD Office of the General counsel, ATTN: Office of Legal Counsel.

(a) Authorities. The Freedom of Information Act, as amended; the Paperwork Reduction Act (44 U.S.C. Chapter 35), as amended; the Privacy Act of 1974, as amended; the Budget and Accounting Act of 1921 and the Budget and Accounting Procedures Act, as amended (see 31 U.S.C.); and 10 U.S.C. 2328.

(b) Application. (1) The fees described in this subpart apply to FOIA requests, and conform to the Office of Management and Budget Uniform Freedom of Information Act Fee Schedule and Guidelines. They reflect direct costs for search, review (in the case of commercial requesters); and duplication of documents, collection of which is permitted by the FOIA. They are neither intended to imply that fees must be charged in connection with providing information to the public in the routine course of business, nor are they meant as a substitute for any other schedule of fees, such as DoD 7000.14-R,\11\ which does not supersede the collection of fees under the FOIA. Nothing in this subpart shall supersede fees chargeable under a statute specifically providing for setting the level of fees for particular types of records. A “statute specifically providing for setting the level of fees for particular types of records” (5 U.S.C. 552(a)(4)(a)(vi)) means any statute that enables a Government Agency such as the Government Printing Office (GPO) or the National Technical Information Service (NTIS), to set and collect fees. Components should ensure that when documents that would be responsive to a request are maintained for distribution by agencies operating statutory-based fee schedule programs such as the GPO or NTIS, they inform requesters of the steps necessary to obtain records from those sources.

(2) The term “direct costs” means those expenditures a Component actually makes in searching for, reviewing (in the case of commercial requesters), and duplicating documents to respond to a FOIA request. Direct costs include, for example, the salary of the employee performing the work (the basic rate of pay for the employee plus 16 percent of that rate to cover benefits), and the costs of operating duplicating machinery. These factors have been included in the fee rates prescribed at § 286.29 of this subpart. Not included in direct costs are overhead expenses such as costs of space, heating or lighting the facility in which the records are stored.

(3) The term “search” includes all time spent looking, both manually and electronically, for material that is responsive to a request. Search also includes a page-by-page or line-by-line identification (if necessary) of material in the record to determine if it, or portions thereof are responsive to the request. Components should ensure that searches are done in the most efficient and least expensive manner so as to minimize costs for both the Component and the requester. For example, Components should not engage in line-by-line searches when duplicating an entire document known to contain responsive information would prove to be the less expensive and quicker method of complying with the request. Time spent reviewing documents in order to determine whether to apply one or more of the statutory exemptions is not search time, but review time. See paragraph (b)(5) of this section, for the definition of review, and paragraph (c)(5) of this section and § 286.29(b)(2), for information pertaining to computer searches.

(4) The term “duplication” refers to the process of making a copy of a document in response to a FOIA request. Such copies can take the form of paper copy, microfiche, audiovisual, or machine readable documentation (e.g., magnetic tape or disc), among others. Every effort will be made to ensure that the copy provided is in a form that is reasonably usable, the requester shall be notified that the copy provided is the best available and that the Agency's master copy shall be made available for review upon appointment. For duplication of computer tapes and audiovisual, the actual cost, including the operator's time, shall be charged. In practice, if a Component estimates that assessable duplication charges are likely to exceed $25.00, it shall notify the requester of the estimate, unless the requester has indicated in advance his or her willingness to pay fees as high as those anticipated. Such a notice shall offer a requester the opportunity to confer with Component personnel with the object of reformulating the request to meet his or her needs at a lower cost.

(5) The term “review” refers to the process of examining documents located in response to a FOIA request to determine whether one or more of the statutory exemptions permit withholding. It also includes processing the documents for disclosure, such as excising them for release. Review does not include the time spent resolving general legal or policy issues regarding the application of exemptions. It should be noted that charges for commercial requesters may be assessed only for the initial review. Components may not charge for reviews required at the administrative appeal level of an exemption already applied. However, records or portions of records withheld in full under an exemption that is subsequently determined not to apply may be reviewed again to determine the applicability of other exemptions not previously considered. The costs for such a subsequent review would be properly assessable.

(c) Fee restrictions. (1) No fees may be charged by any DoD Component if the costs of routine collection and processing of the fee are likely to equal or exceed the amount of the fee. With the exception of requesters seeking documents for a commercial use, Components shall provide the first two hours of search time, and the first one hundred pages of duplication without charge. For example, for a request (other than one from a commercial requester) that involved two hours and ten minutes of search time, and resulted in one hundred and five pages of documents, a Component would determine the cost of only ten minutes of search time, and only five pages of reproduction. If this processing cost was equal to, or less than, the cost to the Component for billing the requester and processing the fee collected, no charges would result.

(2) Requesters receiving the first two hours of search and the first one hundred pages of duplication without charge are entitled to such only once per request. Consequently, if a Component, after completing its portion of a request, finds it necessary to refer the request to a subordinate office, another DoD Component, or another Federal Agency to action their portion of the request, the referring Component shall inform the recipient of the referral of the expended amount of search time and duplication cost to date.

(3) The elements to be considered in determining the “cost of collecting a fee” are the administrative costs to the Component of receiving and recording a remittance, and processing the fee for deposit in the Department of Treasury's special account. The cost to the Department of Treasury to handle such remittance is negligible and shall not be considered in Components’ determinations.

(4) For the purposes of these restrictions, the word “pages” refers to paper copies of a standard size, which will normally be 81/2″×11″ or 11″×14″. Thus, requesters would not be entitled to 100 microfiche or 100 computer disks, for example. A microfiche containing the equivalent of 100 pages or 100 pages of computer printout however, might meet the terms of the restriction.

(5) In the case of computer searches, the first two free hours will be determined against the salary scale of the individual operating the computer for the purposes of the search. As an example, when the direct costs of the computer central processing unit, input-output devices, and memory capacity equal $24.00 (two hours of equivalent search at the clerical level), amounts of computer costs in excess of that amount are chargeable as computer search time. In the event the direct operating cost of the hardware configuration cannot be determined, computer search shall be based on the salary scale of the operator executing the computer search. See § 286.29, this subpart, for further details regarding fees for computer searches.

(d) Fee waivers. (1) Documents shall be furnished without charge, or at a charge reduced below fees assessed to the categories of requesters in paragraph (e) of this section when the Component determines that waiver or reduction of the fees is in the public interest because furnishing the information is likely to contribute significantly to public understanding of the operations or activities of the Department of Defense and is not primarily in the commercial interest of the requester.

(2) When assessable costs for a FOIA request total $15.00 or less, fees shall be waived automatically for all requesters, regardless of category.

(3) Decisions to waive or reduce fees that exceed the automatic waiver threshold shall be made on a case-by-case basis, consistent with the following factors:

(i) Disclosure of the information “is in the public interest because it is likely to contribute significantly to public understanding of the operations or activities of the Government.”

(A) The subject of the request. Components should analyze whether the subject matter of the request involves issues that will significantly contribute to the public understanding of the operations or activities of the Department of Defense. Requests for records in the possession of the Department of Defense which were originated by non-government organizations and are sought for their intrinsic content, rather than informative value, will likely not contribute to public understanding of the operations or activities of the Department of Defense. An example of such records might be press clippings, magazine articles, or records forwarding a particular opinion or concern from a member of the public regarding a DoD activity. Similarly, disclosures of records of considerable age may or may not bear directly on the current activities of the Department of Defense; however, the age of a particular record shall not be the sole criteria for denying relative significance under this factor. It is possible to envisage an informative issue concerning the current activities of the Department of Defense, based upon historical documentation. Requests of this nature must be closely reviewed consistent with the requester's stated purpose for desiring the records and the potential for public understanding of the operations and activities of the Department of Defense.

(B) The informative value of the information to be disclosed. This factor requires a close analysis of the substantive contents of a record, or portion of the record, to determinate whether disclosure is meaningful, and shall inform the public on the operations or activities of the Department of Defense. While the subject of a request may contain information that concerns operations or activities of the Department of Defense, it may not always hold great potential for contributing to a meaningful understanding of these operations or activities. An example of such would be a previously released record that has been heavily redacted, the balance of which may contain only random words, fragmented sentences, or paragraph headings. A determination as to whether a record in this situation will contribute to the public understanding of the operations or activities of the Department of Defense must be approached with caution, and carefully weighed against the arguments offered by the requester. Another example is information already known to be in the public domain. Disclosure of duplicative, or nearly identical information already existing in the public domain may add no meaningful new information concerning the operations and activities of the Department of Defense.

(C) The contribution to an understanding of the subject by the general public likely to result from disclosure. The key element in determining the applicability of this factor is whether disclosure will inform, or have the potential to inform the public, rather than simply the individual requester or small segment of interested persons. The identity of the requester is essential in this situation in order to determine whether such requester has the capability and intention to disseminate the information to the public. Mere assertions of plans to author a book, researching a particular subject, doing doctoral dissertation work, or indigence are insufficient without demonstrating the capacity to further disclose the information in a manner that will be informative to the general public. Requesters should be asked to describe their qualifications, the nature of their research, the purpose of the requested information, and their intended means of dissemination to the public.

(D) The significance of the contribution to public understanding. In applying this factor, Components must differentiate the relative significance or impact of the disclosure against the current level of public knowledge, or understanding which exists before the disclosure. In other words, will disclosure on a current subject of wide public interest be unique in contributing unknown facts, thereby enhancing public knowledge, or will it basically duplicate what is already known by the general public? A decision regarding significance requires objective judgment, rather than subjective determination, and must be applied carefully to determine whether disclosure will likely lead to a significant understanding of the issue. Components shall not make value judgments as to whether the information is important enough to be made public.

(ii) Disclosure of the information “is not primarily in the commercial interest of the requester.”

(A) The existence and magnitude of a commercial interest. If the request is determined to be of a commercial interest, Components should address the magnitude of that interest to determine if the requester's commercial interest is primary, as opposed to any secondary personal or non-commercial interest. In addition to profitmaking organizations, individual persons or other organizations may have a commercial interest in obtaining certain records. Where it is difficult to determine whether the requester is of a commercial nature, Components may draw inference from the requester's identity and circumstances of the request. In such situations, the provisions of paragraph (e) of this section apply. Components are reminded that in order to apply the commercial standards of the FOIA, the requester's commercial benefit must clearly override any personal or non-profit interest.

(B) The primary interest in disclosure. Once a requester's commercial interest has been determined, Components should then determine if the disclosure would be primarily in that interest. This requires a balancing test between the commercial interest of the request against any public benefit to be derived as a result of that disclosure. Where the public interest is served above and beyond that of the requester's commercial interest, a waiver or reduction of fees would be appropriate. Conversely, even if a significant public interest exists, and the relative commercial interest of the requester is determined to be greater than the public interest, then a waiver or reduction of fees would be inappropriate. As examples, news media organizations have a commercial interest as business organizations; however, their inherent role of disseminating news to the general public can ordinarily be presumed to be of a primary interest. Therefore, any commercial interest becomes secondary to the primary interest in serving the public. Similarly, scholars writing books or engaged in other forms of academic research, may recognize a commercial benefit, either directly, or indirectly (through the institution they represent); however, normally such pursuits are primarily undertaken for educational purposes, and the application of a fee charge would be inappropriate. Conversely, data brokers or others who merely compile government information for marketing can normally be presumed to have an interest primarily of a commercial nature.

(4) Components are reminded that the factors and examples used in this subsection are not all inclusive. Each fee decision must be considered on a case-by-case basis and upon the merits of the information provided in each request. When the element of doubt as to whether to charge or waive the fee cannot be clearly resolved, Components should rule in favor of the requester.

(5) In addition, the following circumstances describe situations where waiver or reduction of fees are most likely to be warranted:

(i) A record is voluntarily created to prevent an otherwise burdensome effort to provide voluminous amounts of available records, including additional information not requested.

(ii) A previous denial of records is reversed in total, or in part, and the assessable costs are not substantial (e.g. $15.00-$30.00).

(e) Fee assessment. (1) Fees may not be used to discourage requesters, and to this end, FOIA fees are limited to standard charges for direct document search, review (in the case of commercial requesters) and duplication.

(2) In order to be as responsive as possible to FOIA requests while minimizing unwarranted costs to the taxpayer, Components shall adhere to the following procedures:

(i) Analyze each request to determine the category of the requester. If the Component determination regarding the category of the requester is different than that claimed by the requester, the Component shall:

(A) Notify the requester to provide additional justification to warrant the category claimed, and that a search for responsive records will not be initiated until agreement has been attained relative to the category of the requester. Absent further category justification from the requester, and within a reasonable period of time (i.e., 30 calendar days), the Component shall render a final category determination, and notify the requester of such determination, to include normal administrative appeal rights of the determination.

(B) Advise the requester that, notwithstanding any appeal, a search for responsive records will not be initiated until the requester indicates a willingness to pay assessable costs appropriate for the category determined by the Component.

(ii) Requesters should submit a fee declaration appropriate for the following categories.

(A) Commercial. Requesters should indicate a willingness to pay all search, review and duplication costs.

(B) Educational or noncommercial scientific institution or news media. Requesters should indicate a willingness to pay duplication charges in excess of 100 pages if more than 100 pages of records are desired.

(C) All others. Requesters should indicate a willingness to pay assessable search and duplication costs if more than two hours of search effort or 100 pages of records are desired.

(iii) If the above conditions are not met, then the request need not be processed and the requester shall be so informed.

(iv) In the situations described by paragraphs (e)(2)(i) and (e)(2)(ii) of this section, Components must be prepared to provide an estimate of assessable fees if desired by the requester. While it is recognized that search situations will vary among Components, and that an estimate is often difficult to obtain prior to an actual search, requesters who desire estimates are entitled to such before committing to a willingness to pay. Should Components’ actual costs exceed the amount of the estimate or the amount agreed to by the requester, the amount in excess of the estimate or the requester's agreed amount shall not be charged without the requester's agreement.

(v) No DoD Component may require advance payment of any fee; i.e., payment before work is commenced or continued on a request, unless the requester has previously failed to pay fees in a timely fashion, or the agency has determined that the fee will exceed $250.00. As used in this sense, a timely fashion is 30 calendar days from the date of billing (the fees have been assessed in writing) by the Component.

(vi) Where a Component estimates or determines that allowable charges that a requester may be required to pay are likely to exceed $250.00, the Component shall notify the requester of the likely cost and obtain satisfactory assurance of full payment where the requester has a history of prompt payments, or require an advance payment of an amount up to the full estimated charges in the case of requesters with no history of payment.

(vii) Where a requester has previously failed to pay a fee charged in a timely fashion (i.e., within 30 calendar days from the date of the billing), the Component may require the requester to pay the full amount owed, plus any applicable interest, or demonstrate that he or she has paid the fee, and to make an advance payment of the full amount of the estimated fee before the Component begins to process a new or pending request from the requester. Interest will be at the rate prescribed in 31 U.S.C. 3717, and confirmed with respective Finance and Accounting Offices.

(viii) After all work is completed on a request, and the documents are ready for release, Components may request payment before forwarding the documents, particularly for those requesters who have no payment history, or for those requesters who have failed previously to pay a fee in a timely fashion (i.e., within 30 calendar days from the date of the billing). In the case of the latter, the previsions of paragraph (e)(2)(vii) of this section, apply.

(ix) When Components act under paragraphs (e)(2)(i) through (e)(2)(vii) of this section, the administrative time limits of the FOIA will begin only after the Component has received a willingness to pay fees and satisfaction as to category determination, or fee payments (if appropriate).

(x) Components may charge for time spent searching for records, even if that search fails to locate records responsive to the request. Components may also charge search and review (in the case of commercial requesters) time in records located are determined to be exempt from disclosure. In practice, if the Components estimates that search charges are likely to exceed $25.00, it shall notify the requester of the estimated amount of fees, unless the requester has indicated in advance his or her willingness to pay fees as high as those anticipated. Such a notice shall offer the requester the opportunity to confer with Component personnel with the object or reformulating the request to meet his or her needs at a lower cost.

(3) Commercial requesters. Fees shall be limited to reasonable standard charges for document search, review and duplication when records are requested for commerical use. Requesters must reasonably describe the records sought. (See § 286.4(h)).

(i) The term “commercial use” request refers to a request from, or on behalf of one who seeks information for a use or purpose that furthers the commercial, trade, or profit interest of the requester or the person on whose behalf the request is made. In determining whether a requester properly belongs in this category. Components must determine the use to which a requester will put the documents requested. Moreover, where a Component has reasonable cause to doubt the use to which a requester will put the records sought, or where that use is not clear from the request itself, Components should seek additional clarification before assigning the request to a specific category.

(ii) When Components receive a request for documents for commercial use, they should assess charges which recover the full direct costs of searching for, reviewing for release, and duplicating the records sought. Commerical requesters (unlike other requesters) are not entitled to two hours of free search time, nor 100 free pages of reproduction of documents. Moreover, commerical requesters are not normally entitled to a waiver or reduction of fees based upon an assertion that disclosure would be in the public interest. However, because use is the exclusive determining criteria, it is possible to envision a commerical enterprise making a request that is not for commercial use. It is also possible that a non-profit organization could make a request that is for commerical use. Such situations must be addressed on a case-by-case basis.

(4) Educational institution requesters. Fees shall be limited to only reasonable standard charges for document duplication (excluding charges for the first 100 pages) when the request is made by an educational institution whose purpose is scholarly research. Requesters must reasonably describe the records sought (see § 286.4(h).). The term “educational institution” refers to a pre-school, a public or private elementary or secondary school, an institution of graduate high education, an institution of undergraduate higher education, an institution of professional education, and an institution of vocational education, which operates a program or programs of scholarly research. Fees shall be waived or reduced in the public interest if the criteria of paragraph (d) of this section, have been met.

(5) Non-commercial scientific institution requesters. Fees shall be limited to only reasonable standard charges for document duplication (excluding charges for the first 100 pages) when the request is made by a non-commerical scientific institution whose purpose is scientific research. Requesters must reasonbly describe the records sought (see § 286.4(h)). The term “non-commercial scientific institution” refers to an institution that is not operated on a “commercial” basis as defined in paragraph (e)(3) of this section, and that is operated solely for the purpose of conducting scientific research, the results of which are not intended to promote any particular product or industry. Fees shall be waived or reduced in the public interest if the criteria of paragraph (d) of this section, have beem met.

(6) Components shall provide documents to requesters in paragraphs (e)(4) and (e)(5) of this section for the cost of duplication alone, excluding charges for the first 100 pages. To be eligible for inclusion in these categories, requesters must show that the request is being made under the auspices of a qualifying institution and that the records are not sought for commercial use, but in furtherance of scholarly (from an educational institution) or scientific (from a non-commercial scientific institution) research.

(7) Representatives of the news media. Fees shall be limited to only reasonable standard charges for document duplication (excluding charges for the first 100 pages) when the request is made by a representative of the news media. Requesters must reasonably describe the records sought (see § 286.4(h)). Fees shall be waived or reduced if the criteria of paragraph (d) of this section, have been met.

(i) The term “representative of the news media” refers to any person actively gathering news for an entity that is organized and operated to publish or broadcast news to the public. The term “news” means information that is about current events or that would be of current interest to the public. Examples of news media entities include television or radio stations broadcasting to the public at large, and publishers of periodicals (but only in those instances when they can qualify as disseminators of “news”) who make their products available for purchase or subscription by the general public. These examples are not meant to be all-inclusive. Moreover, as traditional methods of news delivery evolve (e.g., electronic dissemination of newspapers through telecommunications services), such alternative media would be included in this category. In the case of “freelance” journalists they may be regarded as working for a news organization if they can demonstrate a solid basis for expecting publication through that organization, even though not actually employed by it. A publication contract would be the clearest proof, but Components may also look to the past publication record of a requester in making this determination.

(ii) To be eligible for inclusion in this category, a requester must meet the criteria in paragraph (e)(7)(i) of this section, and his or her request must not be made for commercial use. A request for records supporting the news dissemination function of the requester shall not be considered to be a request that is for a commercial use. For example, a document request by a newspaper for records relating to the investigation of a defendant in a current criminal trial of public interest could be presumed to be a request from an entity eligible for inclusion in this category, and entitled to records at the cost of reproduction alone (excluding charges for the first 100 pages).

(iii) “Representative of the news media” does not include private libraries, private repositories of Government records, information vendors, data brokers or similar marketers of information whether to industries and businesses, or other entities.

(8) All other requesters. Components shall charge requesters who do not fit into any of the categories described in paragraphs (e)(3), (e)(4), (e)(5), or (e)(7) of this section, fees which recover the full direct cost of searching for and duplicating records, except that the first two hours of search time and the first 100 pages of duplication shall be furnished without charge. Requesters must reasonably describe the records sought (see § 286.4(h)). Requests from subjects about themselves will continue to be treated under the fee provisions of the Privacy Act of 1974, which permit fees only for duplication. Components are reminded that this category of requester may also be eligible for a waiver or reduction of fees if disclosure of the information is in the public interest as defined under paragraph (d)(1) of this section. (See also paragraph (e)(3)(ii) of this section.)

(f) Aggregating requests. Except for requests that are for a commercial use, a Component may not charge for the first two hours of search time or for the first 100 pages of reproduction. However, a requester may not file multiple requests at the same time, each seeking portions of a document of documents, solely in order to avoid payment of fees. When a Component reasonably believes that a requester or, on rare occasions, a group of requesters acting on concert, is attempting to break a request down into a series of requests for the purpose of avoiding the assessment of fees, the Agency may aggregate any such requests and charge accordingly. One element to be considered in determining whether a belief would be reasonable is the time period in which the requests have occurred. For example, it would be reasonable to presume that multiple requests of this type made within a 30 day period had been made to avoid fees. For requests made over a longer period however, such a presumption becomes harder to sustain and Components should have a solid basis for determining that aggregation is warranted in such cases. Components are cautioned that before aggregating requests from more than one requester, they must have a concrete basis on which to conclude that the requesters are acting in concert and are acting specifically to avoid payment of fees. In no case may Components aggregate multiple requests on unrelated subjects from one requester.

(g) Effect of the Debt Collection Act of 1982 (5 U.S.C. 5515 note). The Debt Collection Act of 1982 (5 U.S.C. 5515 note) provides for a minimum annual rate of interest to be charged on overdue debts owed the Federal Government. Components may levy this interest penalty for any fees that remain outstanding 30 calendar days from the date of billing (the first demand notice) to the requester of the amount owed. The interest rate shall be as prescribed in 31 U.S.C. 3717. Components should verify the current interest rate with respective Finance and Accounting Offices. After one demand letter has been sent, and 30 calendar days have lapsed with no payment, Components may submit the debt to respective Finance and Accounting Offices for collection pursuant to 5 U.S.C. 5515 note.

(h) Computation of fees. The fee schedule in this subpart shall be used to compute the search, review (in the case of commercial requesters) and duplication costs associated with processing a given FOIA request. Costs shall be computed on time actually spent. Neither time-based nor dollar-based minimum charges for search, review and duplication are authorized. The appropriate fee category of the requester shall be applied before computing fees.

(i) Refunds. In the event that a Component discovers that it has overcharged a requester or a requester has overpaid, the Component shall promptly refund the charge to the requester by reimbursement methods that are agreeable to the requester and the Component.

(a) Collection of fees. Collection of fees will be made at the time of providing the documents to the requester or recipient when the requester specifically states that the costs involved shall be acceptable or acceptable up to a specified limit that covers the anticipated costs. Collection of fees may not be made in advance unless the requester has failed to pay previously assessed fees within 30 calendar days from the date of the billing by the DoD Component, or the Component has determined that the fee will be in excess of $250 (see § 286.28(e)).

(b) Search time—(1) Manual search.

(2) Computer search. Fee assessments for computer search consists of two parts; individual time (hereafter referred to as human time), and machine time.

(i) Human time. Human time is all the time spent by humans performing the necessary tasks to prepare the job for a machine to execute the run command. If execution of a run requires monitoring by a human, that human time may be also assessed as computer search. The terms “programmer/operator” shall not be limited to the traditional programmers or operators. Rather, the terms shall be interpreted in their broadest sense to incorporate any human involved in performing the computer job (e.g. technician, administrative support, operator, programmer, database administrator, or action officer).

(ii) Machine time. Machine time involves only direct costs of the Central Processing Unit (CPU), input/output devices, and memory capacity used in the actual computer configuration. Only this CPU rate shall be charged. No other machine related costs shall be charged. In situations where the capability does not exist to calculate CPU time, no machine costs can be passed on to the requester. When CPU calculations are not available, only human time costs shall be assessed to requesters. Should DoD Components lease computers, the services charged by the lessor shall not be passed to the requester under the FOIA.

(c) Duplication.

(d) Review time (in the case of commercial requesters).

(e) Audiovisual documentary materials. Search costs are computed as for any other record. Duplication cost is the actual direct cost of reproducing the material, including the wage of the person doing the work. Audiovisual materials provided to a requester need not be in reproducible format or quality.

(f) Other records. Direct search and duplication cost for any record not described in this section shall be computed in the manner described for audiovisual documentary material.

(g) Costs for special services. Complying with requests for special services is at the discretion of the Components. Neither the FOIA, nor its fee structure cover these kinds of services. Therefore, Components may recover the costs of special services requested by the requester after agreement has been obtained in writing from the requester to pay for one or more of the following services:

(1) Certifying that records are true copies.

(2) Sending records by special methods such as express mail, etc.

(a) Fees for technical data. Technical data, other than technical data that discloses critical technology with military or space application, if required to be released under the FOIA, shall be released after the person requesting such technical data pays all reasonable costs attributed to search, duplication and review of the records to be released. Technical data, as used in this section, means recorded information, regardless of the form or method of the recording of a scientific or technical nature (including computer software documentation). This term does not include computer software, or data incidental to contract administration, such as financial and/or management information. DoD Components shall retain the amounts received by such a release, and it shall be merged with and available for the same purpose and the same time period as the appropriation from which the costs were incurred in complying with request. All reasonable costs as used in this sense are the full costs to the Federal Government of rendering the service, or fair market value of the service, whichever is higher. Fair market value shall be determined in accordance with commercial rates in the local geographical area. In the absence of a known market value, charges shall be based on recovery of full costs to the Federal Government. The full costs shall include all direct and indirect costs to conduct the search and to duplicate the records responsive to the request. This cost is to be differentiated from the direct costs allowable under § 286.29 of this subpart for other types of information released under the FOIA.

(b) Waiver. Components shall waive the payment of costs required in paragraph (a) of this section, which are greater than the costs that would be required for release of this same information under § 286.29 of this subpart if:

(1) The request is made by a citizen of the United States or a United States corporation, and such citizen or corporation certifies that the technical data requested is required to enable it to submit an offer, or determine whether it is capable of submitting an offer to provide the product to which the technical data relates to the United States or a contractor with the United States. However, Components may require the citizen or corporation to pay a deposit in an amount equal to not more than the cost of complying with the request, which will be refunded upon submission of an offer by the citizen or corporation;

(2) The release of technical data is requested in order to comply with the terms of an international agreement; or

(3) The Component determines in accordance with § 286.28(d)(1), that such a waiver is in the interest of the United States.

(c) Fee rates—(1) Search time—(i) Manual search: clerical.

(ii) Manual search: professional and executive (To be established at actual hourly rate prior to search. A minimum charge will be established at 1/2 hourly rates).

(2) Computer search is based on the total cost of the central processing unit, input-output devices, and memory capacity of the actual computer configuration. The wage (based upon the scale in paragraph (c)(1)(i) of this section) for the computer operator and/or programmer determining how to conduct, and subsequently executing the search will be recorded as part of the computer search. See § 286.29(b)(2) for further details regarding computer search.

(3) Duplication.

(4) Review time—(i) Clerical.

(ii) Professional and executive (To be established at actual hourly rate prior to review. A minimum charge will be established at 1/2 hourly rates).

(d) Other technical data records. Charges for any additional services not specifically provided in paragraph (c) of this section, consistent with Volume 11A of DoD 7000.14-R, shall be made by Components at the following rates:

(a) General. (1) The Annual Freedom of Information Act Report is mandated by the statute and reported on a fiscal year basis. Due to the magnitude of the requested statistics and the need to ensure accuracy of reporting, DoD Components shall track this data as requests are processed. This will also facilitate a quick and accurate compilation of statistics. DoD Components shall forward their report to the Directorate for Freedom of Information and Security Review no later than November 30 following the fiscal year's close. It may be submitted electronically and via hard copy accompanied by a computer diskette. In turn, DoD will produce a consolidated report for submission to the Attorney General, and ensure that a copy of the DoD consolidated report is placed on the Internet for public access.

(2) Existing DoD standards and registered data elements are to be utilized to the greatest extent possible in accordance with the provisions of DoD Manual 8320.1-M,\12\ “Data Administration Procedures.”

(3) The reporting requirement outlined in this subpart is assigned Report Control Symbol DD-DA&M(A)1365, Freedom of Information Act Report to Congress.

(b) Annual Report. The current edition of DD Form 2564 shall be used to submit component input. DD Form 2564 is available on the Internet at http://www.defenselink.mil/pubs/ under Regulations and Forms. Instructions for completion follow:

(1) Item 1: Initial request determinations. Please note that initial Privacy Act requests which are also processed as initial FOIA requests are reported here. They will also be reported as “Privacy Act requests” on the Annual Privacy Act Report. See § 286.4(m), Relationship between the FOIA and the Privacy Act (PA).

(i) Total requests processed. Enter the total number of initial FOIA requests responded to (completed) during the fiscal year. Since more than one action frequently is taken on a completed case, total actions (see (b)(1)(vi) of this section) the sum of Items (b)(1)(ii) through (b)(1)(v) of this section, may exceed total requests processed (See appendix E of this part for form layout.)

(ii) Granted in full. Enter the total number of initial FOIA requests responded to that were granted in full during the fiscal year. (This may include requests granted by your office, yet still requiring action by another office.)

(iii) Denied in part. Enter the total number of initial FOIA requests responded to and denied in part based on one or more of the FOIA exemptions. (Do not report “other reason responses” as a partial denial here, unless a FOIA exemption is used also.)

(iv) Denied in full. Enter the total number of initial FOIA requests responded to and denied in full based on one or more of the FOIA exemptions. (Do not report “other reason responses” as denials here, unless a FOIA exemption is used also.)

(v) “Other reason” responses. Enter the total number of initial FOIA requests in which you were unable to provide all or part of the requested information based on an “other reason” response. Paragraph (b)(2)(ii) of this section explains the nine possible “other reasons.”

(vi) Total actions. Enter the total number of FOIA actions taken during the fiscal year. This number will be the sum of (b)(1)(ii) through (b)(1)(v) of this section. Total actions must be equal to or greater than the number of total requests processed (paragraph (b)(1)(i) of this section).

(2) Item 2: Initial request exemptions and other reasons—(i) Exemptions invoked on initial request determinations. Enter the number of times an exemption was claimed for each request that was denied in full or in part. Since more than one exemption may be claimed when responding to a single request, this number will be equal to or greater than the sum of (b)(1)(iii) and (b)(1)(iv) of this section. The (b)(7) exemption is reported by subcategories identified in paragraphs (b)(2)(i)(A) through (b)(2)(i)(F) of this section:

(A) Interfere with enforcement;

(B) Fair trial right;

(C) Invasion of privacy;

(D) Protect confidential source;

(E) Disclose techniques; and

(F) Endanger life or safety.

(ii) “Other reasons” cited on initial determinations. Identify the “other reason” response cited when responding to a FOIA request and enter the number of times each was claimed.

(A) No records. Enter the number of times a reasonable search of files failed to identify records responsive to subject request.

(B) Referrals. Enter the number of times a request was referred to another DoD Component or Federal Agency for action.

(C) Request withdrawn. Enter the number of times a request and/or appeal was withdrawn by a requester. (For appeals, report number in Item 4b on the report form. (See appendix E of this part.))

(D) Fee-related reason. Requester is unwilling to pay the fees associated with a request; the requester is past due in the payment of fees from a previous FOIA request; or the requester disagrees with a fee estimate.

(E) Records not reasonably described. Enter the number of times a FOIA request could not be acted upon since the record had not been described with sufficient particularity to enable the DoD Component to locate it by conducting a reasonable search.

(F) Not a proper FOIA request for some other reason. Enter the number of times the requester has failed unreasonably to comply with procedural requirements, other than fee-related (described in paragraph (b)(2)(ii)(D) of this section), imposed by this part or a DoD Component's supplementing regulation.

(G) Not an agency record. Enter the number of times a requester was provided a response indicating the requested information was not a record within the meaning of the FOIA and this part.

(H) Duplicate request. Record number of duplicate requests closed for that reason (e.g., request for the same information by the same requester). This includes identical requests received via different means (e.g., electronic mail, facsimile, mail, courier) at the same or different times.

(I) Other (specify). Any other reason a requester does not comply with published rules, other than those reasons outlined in paragraphs (b)(2)(ii)(A) through (b)(2)(ii)(H) of this section.

(J) Total. Enter the sum of paragraphs (b)(2)(ii)(A) through (b)(2)(ii)(I) of this section in the block provided on the form. This number will be equal to or greater than the number in paragraph (b)(1)(v) of this section since more than one reason may be claimed for each “other reason” response.

(iii) (b)(3) statutes invoked on initial determinations. Identify the number of times you have used a specific statute to support each (b)(3) exemption. List the statutes used to support each (b)(3) exemption; the number of instances in which the statute was cited; note whether or not the statute has been upheld in a court hearing; and provide a concise description of the material withheld in each individual case by the statute's use. Ensure you cite the specific sections of the acts invoked. The total number of instances reported will be equal to or greater than the total number of (b)(3) exemptions listed in Item 2a on the report form.

(3) Item 3: Appeal determinations. Please note that Privacy Act appeals which are also processed as FOIA appeals are reported here. They will also be reported as “Privacy Act appeals” on the Annual Privacy Act Report. See § 286.4(m), Relationship Between the FOIA and the Privacy Act (PA).

(i) Total appeal responses. Enter the total number of FOIA appeals responded to (completed) during the fiscal year.

(ii) Granted in full. Enter the total number of FOIA appeals responded to and granted in full during the year.

(iii) Denied in part. Enter the total number of FOIA appeals responded to and denied in part based on one or more of the FOIA exemptions. (Do not report “other reason responses” as a partial denial here, unless a FOIA exemption is used also.)

(iv) Denied in Full. Enter the total number of FOIA appeals responded to and denied in full based on one or more of the FOIA exemptions. (Do not report “other reason responses” as denials here, unless a FOIA exemption is used also.)

(v) “Other reason” responses. Enter the total number of FOIA appeals in which you were unable to provide the requested information based on an “other reason” response (as outlined in “other reasons” in paragraph (b)(2)(ii) of this section).

(vi) Total actions. Enter the total number of FOIA appeal actions taken during the fiscal year. This number will be the sum of paragraphs (b)(3)(ii) through (b)(3)(v) of this section, and should be equal to or greater than the number of total appeal responses, paragraph (b)(3)(i) of this section.

(4) Item 4: Appeal exemptions and other reasons—(i) Exemptions invoked on appeal determinations. Enter the number of times an exemption was claimed for each appeal that was denied in full or in part. Since more than one exemption may be claimed when responding to a single request, this number will be equal to or greater than the sum of paragraphs (b)(3)(iii) and (b)(3)(iv) of this section. Note that the (b)(7) exemption is reported by subcategories identified in paragraphs (b)(4)(i)(A) through (b)(4)(i)(F) of this section:

(A) Interfere with enforcement;

(B) Fair trial right;

(C) Invasion of privacy;

(D) Protect confidential source;

(E) Disclose techniques; and

(F) Endanger life or safety.

(ii) “Other reasons” cited on appeal determinations. Identify the “other reason” response cited when responding to a FOIA appeal and enter the number of times each was claimed. See paragraph (b)(2)(ii) of this section for description of “other reasons.” This number may be equal to or possibly greater than the number in paragraph (b)(3)(v) of this section since more than one reason may be claimed for each “other reason” response.

(iii) (b)(3) statutes invoked on appeal determinations. Identify the number of times a specific statute has been used to support each (b)(3) exemption identified in item 4a on the report form (Appendix E of this part). List the statutes used to support each (b)(3) exemption; the number of instances in which the statute was cited; note whether or not the statute has been upheld in a court hearing; and provide a concise description of the material withheld in each individual case by the statute's use. Ensure citation to the specific sections of the statute invoked. The total number of instances reported will be equal to or greater than the total number of (b)(3) exemptions listed in Item 4a on the report form.

(5) Item 5: Number and median age of initial cases pending: (i) Total initial cases pending:

(ii) Beginning and ending report period: Midnight, 2400 hours, September 30 of the Preceding Year—OR—0001 hours, October 1 is the beginning of the report period. Midnight, 2400 hours, is the close of the reporting period.

(iii) Median age of initial requests pending: Report the median age in days (including holidays and weekends) of initial requests pending.

(iv) Examples of median calculation. (A) If given five cases aged 10, 25, 35, 65, and 100 days from date of receipt as of the previous September 30th, the total requests pending is five (5). The median age (days) of open requests is the middle, not average value, in this set of numbers (10, 25, 35, 65, and 100), 35 (the middle value in the set).

(B) If given six pending cases, aged 10, 20, 30, 50, 120, and 200 days from date of receipt, as of the previous September 30th, the total requests pending is six (6). The median age (days) of open requests 40 days (the mean [average] of the two middle numbers in the set, in this case the average of middle values 30 and 50).

(v) Accuracy of calculations. Components must ensure the accuracy of calculations. As backup, the raw data used to perform calculations should be recorded and preserved. This will enable recalculation of median (and mean values) as necessary. Components may require subordinate elements to forward raw data, as deemed necessary and appropriate.

(vi) Average. If a Component believes that “average” (mean) processing time is a better measure of performance, then report “averages” (means) as well as median values (e.g., with data reflected and plainly labeled on plain bond as an attachment to the report). However, “average” (mean) values will not be included in the consolidated DoD report unless all Components report it.

(6) Item 6: Number of initial requests received during the fiscal year. Enter the total number of initial FOIA requests received during the reporting period (fiscal year being reported).

(7) Item 7: Types of requests processed and median age. Information is reported for three types of initial requests completed during the reporting period: Simple; Complex; and Expedited Processing. The following items of information are reported for these requests:

(i) Total number of initial requests. Enter the total number of initial requests processed [completed] during the reporting period (fiscal year) by type (Simple, Complex and Expedited Processing) in the appropriate row on the form.

(ii) Median age (days). Enter the median number of days [calendar days including holidays and weekends] required to process each type of case (Simple, Complex and Expedited Processing) during the period in the appropriate row on the form.

(iii) Example. Given seven initial requests, multitrack—simple completed during the fiscal year, aged 10, 25, 35, 65, 79, 90 and 400 days when completed. The total number of requests completed was seven (7). The median age (days) of completed requests is 65, the middle value in the set.

(8) Item 8: Fees collected from the public. Enter the total amount of fees collected from the public during the fiscal year. This includes search, review and reproduction costs only.

(9) Item 9: FOIA program costs—(i) Number of full time staff. Enter the number of personnel your agency had dedicated to working FOIA full time during the fiscal year. This will be expressed in work-years (manyears). For example: “5.1, 3.2, 1.0, 6.5, et al.” A sample calculation follows:

(ii) Number of part time staff: Enter the number of personnel your agency had dedicated to working FOIA part time during the fiscal year. This will be expressed in work-years (manyears). For example: “5.1, 3.2, 1.0, 6.5, et al.” A sample calculation follows:

(iii) Estimated litigation cost: Report your best estimate of litigation costs for the FY. Include all direct and indirect expenses associated with FOIA litigation in U.S. District Courts, U.S. Circuit Courts of Appeals, and the U.S. Supreme Court.

(iv) Total program cost: Report the total cost of FOIA program operation within your agency. Include your litigation costs in this total. While you do not have to report detailed cost information as in the past, you should be able to explain the technique by which you derived your agency's total cost figures if the need arises.

(A) Before the close of each fiscal year, the Directorate for Freedom of Information and Security Review (DFOISR) will dispatch the latest OSD Composite Rate Chart for military personnel to DoD Components. This information may be used in computing military personnel costs.

(B) DoD Components should compute their civilian personnel costs using rates from local Office of Personnel Management (OPM) Salary Tables and shall add 16% for benefits.

(C) Data captured on DD Form 2086, Record of Freedom of Information (FOI) Processing Cost and DD Form 2086-1, Record of Freedom of Information (FOI) Processing Cost for Technical Data, shall be summarized and used in computing total costs.

(D) An overhead rate of 25% shall be added to all calculated costs for supervision, space, and administrative support.

(10) Item 10: Authentication. The official that approves the agency's report submission to DoD will sign and date; enter typed name and duty title; and provide both the agency's name and phone number for questions about the report.

(c) Electronic publication. The consolidated DoD Annual FOIA Program Report will be made available to the public in either paper or electronic format.

(a) Responsibility. The Head of each DoD Component is responsible for the establishment of educational and training programs on the provisions and requirements of this part. The educational programs should be targeted toward all members of the DoD Component, developing a general understanding and appreciation of the DoD FOIA Program; whereas, the training programs should be focused toward those personnel who are involved in the day-to-day processing of FOIA requests, and should provide a thorough understanding of the procedures outlined in this part.

(b) Purpose. The purpose of the educational and training programs is to promote a positive attitude among DoD personnel and raise the level of understanding and appreciation of the DoD FOIA Program, thereby improving the interaction with members of the public and improving the public trust in the DoD.

(c) Scope and principles. Each Component shall design its FOIA educational and training programs to fit the particular requirements of personnel dependent upon their degree of involvement in the implementation of this part. The program should be designed to accomplish the following objectives:

(1) Familiarize personnel with the requirements of the FOIA and its implementation by this part.

(2) Instruct personnel, who act in FOIA matters, concerning the provisions of this part, advising them of the legal hazards involved and the strict prohibition against arbitrary and capricious withholding of information.

(3) Provide for the procedural and legal guidance and instruction, as may be required, in the discharge of the responsibilities of initial denial and appellate authorities.

(4) Advise personnel of the penalties for noncompliance with the FOIA.

(d) Implementation. To ensure uniformity of interpretation, all major educational and training programs concerning the implementation of this part should be coordinated with the Director, Freedom of Information and Security Review.

(e) Uniformity of legal interpretation. In accordance with DoD Directive 5400.7, the DoD Office of the General Counsel shall ensure uniformity in the legal position and interpretation of the DoD FOIA Program.

This part is reissued to consolidate into a single document (32 CFR part 310) Department of Defense (DoD) policies and procedures for implementing the Privacy Act of 1974, as amended (5 U.S.C. 522a) by authorizing the development, publication and maintenance of the DoD Privacy Program set forth by DoD Directive 5400.11,1 December 13, 1999, and 5400.11-R,2 August 31, 1983, both entitled: “DoD Privacy Program.”

This part:

(a) Updates policies and responsibilities of the DoD Privacy Program under 5 U.S.C. 552a, and under OMB Circular A-130.3

(b) Authorizes the Defense Privacy Board, the Defense Privacy Board Legal Committee and the Defense Data Integrity Board.

(c) Continues to authorize the publication of DoD 5400.11-R.

(d) Continues to delegate authorities and responsibilities for the effective administration of the DoD Privacy Program.

This part:

(a) Applies to the Office of the Secretary of Defense (OSD), the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Inspector General of the Department of Defense (IG, DoD), the Uniformed Services University of the Health Sciences, the Defense agencies, and the DoD Field Activities (hereafter referred to collectively as “the DoD Components”). This part is mandatory for use by all DoD Components. Heads of DoD Components may issue supplementary instructions only when necessary to provide for unique requirements within their Components. Such instructions will not conflict with the provisions of this part.

(b) Shall be made applicable to DoD contractors who are operating a system of records on behalf of a DoD Component, to include any of the activities, such as collecting and disseminating records, associated with maintaining a system of records.

(c) This part does not apply to:

(1) Requests for information from systems of records controlled by the Office of Personnel Management (OPM), although maintained by a DoD Component. These are processed in accordance with OPM's ‘Privacy Procedures for Personnel Records’ (5 CFR part 297).

(2) Requests for personal information from the General Accounting Office (GAO). These are processed in accordance with DoD Directive 7650.1,4 “General Accounting Office Access to Records,” September 11, 1997.

(3) Requests for personal information from Congress. These are processed in accordance with DoD Directive 5400.4,5 “Provisions of Information to Congress,” January 30, 1978, except for those specific provisions in Subpart E—Disclosure of Personal Information to Other Agencies and Third Parties.

(4) Requests for information made under the Freedom of Information Act (5 U.S.C. 552). These are processed in accordance with “DoD Freedom of Information Act Program Regulation” (32 CFR part 286).

Access. The review of a record or a copy of a record or parts thereof in a system of records by any individual.

Agency. For the purposes of disclosing records subject to the Privacy Act among DoD Components, the Department of Defense is considered a single agency. For all other purposes to include applications for access and amendment, denial of access or amendment, appeals from denials, and record keeping as regards release to non-DoD agencies; each DoD Component is considered an agency within the meaning of the Privacy Act.

Confidential source. A person or organization who has furnished information to the federal government under an express promise that the person's or the organization's identity will be held in confidence or under an implied promise of such confidentiality if this implied promise was made before September 27, 1975.

Disclosure. The transfer of any personal information from a system of records by any means of communication (such as oral, written, electronic, mechanical, or actual review) to any person, private entity, or government agency, other than the subject of the record, the subject's designated agent or the subject's legal guardian.

Individual. A living person who is a citizen of the United States or an alien lawfully admitted for permanent residence. The parent of a minor or the legal guardian of any individual also may act on behalf of an individual. Corporations, partnerships, sole proprietorships, professional groups, businesses, whether incorporated or unincorporated, and other commercial entities are not “individuals.”

Law enforcement activity. Any activity engaged in the enforcement of criminal laws, including efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities.

Maintain. Includes maintain, collect, use or disseminate.

Official use. Within the context of this part, this term is used when officials and employees of a DoD Component have a demonstrated need for the use of any record or the information contained therein in the performance of their official duties, subject to DoD 5200.1-R 6 “DoD Information Security Program Regulation.”

Personal information. Information about an individual that identifies, relates or is unique to, or describes him or her; e.g., a social security number, age, military rank, civilian grade, marital status, race, salary, home/office phone numbers, etc.

Privacy Act request. A request from an individual for notification as to the existence of, access to, or amendment of records pertaining to that individual. These records must be maintained in a system of records.

Member of the public. Any individual or party acting in a private capacity to include federal employees or military personnel.

Record. Any item, collection, or grouping of information, whatever the storage media (e.g., paper, electronic, etc.), about an individual that is maintained by a DoD Component, including but not limited to, his or her education, financial transactions, medical history, criminal or employment history and that contains his or her name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

Risk assessment. An analysis considering information sensitivity, vulnerabilities, and the cost to a computer facility or word processing activity in safeguarding personal information processed or stored in the facility or activity.

Routine use. The disclosure of a record outside the Department of Defense for a use that is compatible with the purpose for which the information was collected and maintained by the Department of Defense. The routine use must be included in the published system notice for the system of records involved.

Statistical record. A record maintained only for statistical research or reporting purposes and not used in whole or in part in making determinations about specific individuals.

System manager. The DoD Component official who is responsible for the operation and management of a system of records.

System of records. A group of records under the control of a DoD Component from which personal information is retrieved by the individual's name or by some identifying number, symbol, or other identifying particular assigned to an individual.

Word processing system. A combination of equipment employing automated technology, systematic procedures, and trained personnel for the primary purpose of manipulating human thoughts and verbal or written or graphic presentations intended to communicate verbally or visually with another individual.

Word processing equipment. Any combination of electronic hardware and computer software integrated in a variety of forms (firmware, programable software, handwiring, or similar equipment) that permits the processing of textual data. Generally, the equipment contains a device to receive information, a computer-like processor with various capabilities to manipulate the information, a storage medium, and an output device.

It is DoD policy that:

(a) The personal privacy of an individual shall be respected and protected.

(b) Personal information shall be collected, maintained, used or disclosed to ensure that:

(1) It shall be relevant and necessary to accomplish a lawful DoD purpose required to be accomplished by statute or Executive Order.

(2) It shall be collected to the greatest extent practicable directly from the individual.

(3) The individual shall be informed as to why the information is being collected, the authority for collection, what uses will be made of it, whether disclosure is mandatory or voluntary, and the consequences of not providing that information.

(4) It shall be relevant, timely, complete and accurate for its intended use; and

(5) Appropriate administrative, technical, and physical safeguards shall be established, based on the media (e.g., paper, electronic, etc.) involved, to ensure the security of the records and to prevent compromise or misuse during storage or transfer.

(c) No record shall be maintained on how an individual exercises rights guaranteed by the First Amendment to the Constitution, except as follows:

(1) Specifically authorized by statute.

(2) Expressly authorized by the individual on whom the record is maintained; or

(3) When the record is pertinent to and within the scope of an authorized law enforcement activity.

(d) Notices shall be published in the Federal Register and reports shall be submitted to Congress and the Office of Management and Budget, in accordance with, and as required by, 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, as to the existence and character of any system of records being established or revised by the DoD Components. Information shall not be collected, maintained, used, or disseminated until the required publication/review requirements, as set forth in 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, are satisfied.

(e) Individuals shall be permitted, to the extent authorized by 5 U.S.C. 552a and DoD 5400.11-R, to:

(1) Determine what records pertaining to them are contained in a system of records.

(2) Gain access to such records and to obtain a copy of those records or a part thereof.

(3) Correct or amend such records on a showing that the records are not accurate, relevant, timely or complete.

(4) Appeal a denial of access or a request for amendment.

(f) Disclosure of records pertaining to an individual from a system of records shall be prohibited except with the consent of the individual or as otherwise authorized by 5 U.S.C. 552a, DoD 5400.11-R, and DoD 5400.7-R.7 When disclosures are made, the individual shall be permitted, to the extent authorized by 5 U.S.C. and DoD 5400.11-R, to seek an accounting of such disclosures from the DoD Component making the release.

(g) Disclosure of records pertaining to personnel of the National Security Agency, the Defense Intelligence Agency, the National Reconnaissance Office, and the National Imagery and Mapping Agency shall be prohibited to the extent authorized by Pub. L. 86-36 (1959) and 10 U.S.C. 424.

(h) Computer matching programs between the DoD Components and the Federal, State, or local governmental agencies shall be conducted in accordance with the requirements of 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R.

(i) DoD personnel and system managers shall conduct themselves, consistent with § 310.8 so that personal information to be stored in a system of records only shall be collected, maintained, used, and disseminated as is authorized by this part, 5 U.S.C. 552a, and DoD 5400.11-R.

(a) The Director of Administration and Management, Office of the Secretary of Defense, shall:

(1) Serve as the Senior Privacy Official for the Department of Defense.

(2) Provide policy guidance for, and coordinate and oversee administration of, the DoD Privacy Program to ensure compliance with policies and procedures in 5 U.S.C. 552a and OMB A-130.

(3) Publish DoD 5400.11-R and other guidance, to include Defense Privacy Board Advisory Opinions, to ensure timely and uniform implementation of the DoD Privacy Program.

(4) Serve as the Chair to the Defense Privacy Board and the Defense Data Integrity Board (§ 310.7).

(b) The Director of Washington Headquarters Services shall supervise and oversee the activities of the Defense Privacy Office (§ 310.7).

(c) The General Counsel of the Department of Defense shall:

(1) Provide advice and assistance on all legal matters arising out of, or incident to, the administration of the DoD Privacy Program.

(2) Review and be the final approval authority on all advisory opinions issued by the Defense Privacy Board or the Defense Privacy Board Legal Committee.

(3) Serve as a member of the Defense Privacy Board, the Defense Data Integrity Board, and the Defense Privacy Board Legal Committee (§ 310.7).

(d) The Secretaries of the Military Departments and the Heads of the Other DoD Components shall:

(1) Provide adequate funding and personnel to establish and support an effective DoD Privacy Program, to include the appointment of a senior official to serve as the principal point of contact (POC) for DoD Privacy Program matters.

(2) Establish procedures, as well as rules of conduct, necessary to implement this part and DoD 5400.11-R so as to ensure compliance with the requirements of 5 U.S.C. 552a and OMB Circular A-130.

(3) Conduct training, consistent with the requirements of DoD 5400.11-R, on the provisions of this part, 5 U.S.C. 552a, and OMB Circular A-130, and DoD 5400.11-R, for assigned and employed personnel and for those individuals having primary responsibility for implementing the DoD Privacy Program.

(4) Ensure that the DoD Privacy Program periodically shall be reviewed by the Inspectors General or other officials, who shall have specialized knowledge of the DoD Privacy Program.

(5) Submit reports, consistent with the requirements of DoD 5400.11-R, as mandated by 5 U.S.C. 552a and Chapter 8, OMB Circular A-130, and 32 CFR part 275, and as otherwise directed by the Defense Privacy Office.

(e) The Secretaries of the Military Departments shall provide support to the Combatant Commands, as identified in DoD Directive 5100.3,8 in the administration of the DoD Privacy Program.

The reporting requirements in § 310.6(d)(5) are assigned Report Control Symbol DD-DA&M(A)1379.

(a) DoD personnel shall:

(1) Take such actions, as considered appropriate, to ensure that personal information contained in a system of records, to which they have access to or are using incident to the conduct of official business, shall be protected so that the security and confidentiality of the information shall be preserved.

(2) Not disclose any personal information contained in any system of records except as authorized by DoD 5400.11-R or other applicable law or regulation. Personnel willfully making such a disclosure when knowing that disclosure is prohibited are subject to possible criminal penalties and/or administrative sanctions.

(3) Report any unauthorized disclosures of personal information from a system of records or the maintenance of any system of records that are not authorized by this part to the applicable Privacy POC for his or her DoD Component.

(b) DoD system managers for each system of records shall:

(1) Ensure that all personnel who either shall have access to the system of records or who shall develop or supervise procedures for handling records in the system of records shall be aware of their responsibilities for protecting personal information being collected and maintained under the DoD Privacy Program.

(2) Prepare promptly any required new, amended, or altered system notices for the system of records and submit them through their DoD Component Privacy POC to the Defense Privacy Office for publication in the Federal Register.

(3) Not maintain any official files on individuals that are retrieved by name or other personal identifier without first ensuring that a notice for the system of records shall have been published in the Federal Register. Any official who willfully maintains a system of records without meeting the publication requirements, as prescribed by 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, is subject to possible criminal penalties and/or administrative sanctions.

(a) The Defense Privacy Board.—(1) Membership. The Board shall consist of the Director of Administration and Management, OSD (DA&M), who shall serve as the Chair; the Director of the Defense Privacy Office, Washington Headquarters Services (WHS), who shall serve as the Executive Secretary and as a member; the representatives designated by the Secretaries of the Military Departments; and the following officials or their designees: the Deputy Under Secretary of Defense for Program Integration (DUSD(PI)); the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD(C31)); the Director, Freedom of Information and Security Review, WHS; the General Counsel of the Department of Defense (GC, DoD); and the Director for Information Operations and Reports, WHS (DIO&R). The designees also may be the principal POC for the DoD Component for privacy matters.

(2) Responsibilities. (i) The Board shall have oversight responsibility for implementation of the DoD Privacy Program. It shall ensure that the policies, practices, and procedures of that Program are premised on the requirements of 5 U.S.C. 552a and OMB Circular A-130, as well as other pertinent authority, and that the Privacy Programs of the DoD Component are consistent with, and in furtherance of, the DoD Privacy Program.

(ii) The Board shall serve as the primary DoD policy forum for matters involving the DoD Privacy Program, meeting as necessary, to address issues of common concern so as to ensure that uniform and consistent policy shall be adopted and followed by the DoD Components. The Board shall issue advisory opinions as necessary on the DoD Privacy Program so as to promote uniform and consistent application of 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R.

(iii) Perform such other duties as determined by the Chair or the Board.

(b) The Defense Data Integrity Board.—(1) Membership. The Board shall consist of the DA&M, OSD, who shall serve as the Chair; the Director of the Defense Privacy Office, WHS, who shall serve as the Executive Secretary; and the following officials or their designees: the representatives designated by the Secretaries of the Military Departments; the DUSD (PI); the ASD(C3I); the GC, DoD; the IG, DoD; the DIOR (WHS); and the Director, Defense Manpower Data Center. The designees also may be the principal POC for the DoD Component for privacy matters.

(2) Responsibilities. (i) The Board shall oversee and coordinate, consistent with the requirements of 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, all computer matching programs involving personal records contained in system of records maintained by the DoD Components.

(ii) The Board shall review and approve all computer matching agreements between the Department of Defense and the other Federal, State or local governmental agencies, as well as memoranda of understanding when the match is internal to the Department of Defense, to ensure that, under 5 U.S.C. 552a, and OMB Circular A-130 and DoD 5400.11-R, appropriate procedural and due process requirements shall have been established before engaging in computer matching activities.

(c) The Defense Privacy Board Legal Committee.—(1) Membership. The Committee shall consist of the Director, Defense Privacy Office, WHS, who shall serve as the Chair and the Executive Secretary; the GC, DoD, or designee; and civilian and/or military counsel from each of the DoD Components. The General Counsels (GCs) and The Judge Advocates General of the Military Departments shall determine who shall provide representation for their respective Department to the Committee. That does not preclude representation from each office. The GCs of the other DoD Components shall provide legal representation to the Committee. Other DoD civilian or military counsel may be appointed by the Executive Secretary, after coordination with the DoD Component concerned, to serve on the Committee on those occasions when specialized knowledge or expertise shall be required.

(2) Responsibilities. (i) The Committee shall serve as the primary legal forum for addressing and resolving all legal issues arising out of or incident to the operation of the DoD Privacy Program.

(ii) The Committee shall consider legal questions regarding the applicability of 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R and questions arising out of or as a result of other statutory and regulatory authority, to include the impact of judicial decisions, on the DoD Privacy Program. The Committee shall provide advisory opinions to the Defense Privacy Board and, on request, to the DoD Components.

(c) The Defense Privacy Office.—(1) Membership. It shall consist of a Director and a staff. The Director also shall serve as the Executive Secretary and a member of the Defense Privacy Board; as the Executive Secretary to the Defense Data Integrity Board; and as the Chair and the Executive Secretary to the Defense Privacy Board Legal Committee.

(2) Responsibilities. (i) Manage activities in support of the Privacy Program oversight responsibilities of the DA&M.

(ii) Provide operational and administrative support to the Defense Privacy Board, the Defense Data Integrity Board, and the Defense Privacy Board Legal Committee.

(iii) Direct the day-to-day activities of the DoD Privacy Program.

(iv) Provide guidance and assistance to the DoD Components in their implementation and execution of the DoD Privacy Program.

(v) Review proposed new, altered, and amended systems of records, to include submission of required notices for publication in the Federal Register and, when required, providing advance notification to the Office of Management and Budget (OMB) and the Congress, consistent with 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R.

(vi) Review proposed DoD Component privacy rulemaking, to include submission of the rule to the Office of the Federal Register for publication and providing to the OMB and the Congress reports, consistent with 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, and to the Office of the Comptroller General of the United States, consistent with 5 U.S.C. Chapter 8.

(vii) Develop, coordinate, and maintain all DoD computer matching agreements, to include submission of required match notices for publication in the Federal Register and advance notification to the OMB and the Congress of the proposed matches, consistent with 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R.

(viii) Provide advice and support to the DoD Components to ensure that:

(A) All information requirements developed to collect or maintain personal data conform to DoD Privacy Program standards.

(B) Appropriate procedures and safeguards shall be developed, implemented, and maintained to protect personal information when it is stored in either a manual and/or automated system of records or transferred by electronic on non-electronic means; and

(C) Specific procedures and safeguards shall be developed and implemented when personal data is collected and maintained for research purposes.

(ix) Serve as the principal POC for coordination of privacy and related matters with the OMB and other Federal, State, and local governmental agencies.

(x) Compile and submit the “Biennial ‘Privacy Act’ Report” and the “Biennial Matching Activity Report” to the OMB as required by OMB Circular A-130 and DoD 5400.11-R

(xi) Update and maintain this part and DoD 5400.11-R.

(a) System of records. To be subject to the provisions of this part a “system of records” must:

(1) Consist of “records” (as defined in § 310.3(n)) that are retrieved by the name of an individual or some other personal identifier, and

(2) Be under the control of a DoD Component.

(b) Retrieval practices. (1) Records in a group of records that may be retrieved by a name or personal identifier are not covered by this part even if the records contain personal data and are under control of a DoD Component. The records must be, in fact, retrieved by name or other personal identifier to become a system of records for the purpose of this part.

(2) If files that are not retrieved by name or personal identifier are rearranged in such manner that they are retrieved by name or personal identifier, a new systems notice must be submitted in accordance with §310.63(c) of subpart G.

(3) If records in a system of records are rearranged so that retrieval is no longer by name or other personal identifier, the records are no longer subject to this part and the system notice for the records shall be deleted in accordance with § 310.64(c) of subpart G.

(c) Relevance and necessity. Retain in a system of records only that personal information which is relevant and necessary to accomplish a purpose required by a federal statute or an Executive Order.

(d) Authority to establish systems of records. Identify the specific statute or the Executive Order that authorize maintaining personal information in each system of records. The existance of a statute or Executive order mandating the maintenance of a system of records does not abrogate the responsibility to ensure that the information in the system of records is relevant and necessary.

(e) Exercise of First Amendment rights. (1) Do not maintain any records describing how an individual exercises his or her rights guaranteed by the First Amendment of the U.S. Constitution except when:

(i) Expressly authorized by federal statute;

(ii) Expressly authorized by the individual; or

(iii) Maintenance of the information is pertinent to and within the scope of an authorized law enforcement activity.

(2) First Amendment rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition.

(f) System manager's evaluation. (1) Evaluate the information to be included in each new system before establishing the system and evaluate periodically the information contained in each existing system of records for relevancy and necessity. Such a review shall also occur when a system notice amendment or alteration is prepared (see §§ 310.63 and 310.64 of subpart G).

(2) Consider the following:

(i) The relationship of each item of information retained and collected to the purpose for which the system is maintained;

(ii) The specific impact on the purpose or mission of not collecting each category of information contained in the system;

(iii) The possibility of meeting the information requirements through use of information not individually identifiable or through other techniques, such as sampling;

(iv) The length of time each item of personal information must be retained;

(v) The cost of maintaining the information; and

(vi) The necessity and relevancy of the information to the purpose for which it was collected.

(g) Discontinued information requirements. (1) Stop collecting immediately any category or item of personal information from which retention is no longer justified. Also excise this information from existing records, when feasible.

(2) Do not destroy any records that must be retained in accordance with disposal authorizations established under 44 U.S.C. 303a, “Examination by the Administrator of General Services of Lists and Schedules of Records Lacking Preservation Value, Disposal of Records.”

(a) Accuracy of information maintained. Maintain all personal information that is used or may be used to make any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in making any such determination.

(b) Accuracy determination before dissemination. Before disseminating any personal information from a system of records to any person outside the Department of Defense, other than a federal agency, make reasonable efforts to ensure that the information to be disclosed is accurate, relevant, timely, and complete for the purpose it is being maintained (see also § 310.30(d), subpart D and § 310.40(d), subpart E).

(a) Applicability to government contractors. (1) When a DoD Component contracts for the operation or maintenance of a system of records or a portion of a system of records by a contractor, the record system or the portion of the record system affected are considered to be maintained by the DoD Component and are subject to this part. The Component is responsible for applying the requirements of this part to the contractor. The contractor and its employees are to be considered employees of the DoD Component for purposes of the sanction provisions of the Privacy Act during the performance of the contract. Consistent with the Defense Acquisition Regulation (DAR), § 1.327, “Protection of Individual Privacy” contracts requiring the maintenance of a system of records or the portion of a system of records shall identify specifically the record system and the work to be performed and shall include in the solicitation and resulting contract such terms as are prescribed by the DAR.

(2) If the contractor must use or have access to individually identifiable information subject to this part to perform any part of a contract, and the information would have been collected and maintained by the DoD Component but for the award of the contract, these contractor activities are subject to this Regulation.

(3) The restriction in paragraphs (a) (1) and (2) of § 310.12 do not apply to records:

(i) Established and maintained to assist in making internal contractor management decisions, such as records maintained by the contractor for use in managing the contract;

(ii) Maintained as internal contractor employee records even when used in conjunction with providing goods and services to the Department of Defense; or

(iii) Maintained as training records by an educational organization contracted by a DoD Component to provide training when the records of the contract students are similar to and comingled with training records of other students (for example, admission forms, transcripts, academic counselling and similar records);

(iv) Maintained by a consumer reporting agency to which records have been disclosed under contract in accordance with the Federal Claims Collection Act of 1966, 31 U.S.C. 952(d).

(4) DoD Components must publish instruction that:

(i) Furnish DoD Privacy Program guidance to their personnel who solicit, award, or administer government contracts;

(ii) Inform prospective contractors of their responsibilities regarding the DoD Privary Program; and

(iii) Establish an internal system of contractor performance review to ensure compliance with the DoD Privacy Program.

(b) Contracting procedures. The Defense Systems Acquisition Regulatory Council (DSARC) is responsible for developing the specific policies and procedures to be followed when soliciting bids, awarding contracts or administering contracts that are subject to this part.

(c) Contractor compliance. Through the various contract surveillance programs, ensure contractors comply with the procedures established in accordance with paragraph (b) above of this subpart.

(d) Disclosure of records to contractors. Disclosure of personal records to a contractor for the use in the performance of any DoD contrtact by a DoD Component is considered a disclosure within the Department of Defense (see § 310.40(b), subpart E). The contractor is considered the agent of the contracting DoD Component and to be maintaining and receiving the records for that Component.

(a) General responsibilities. Establish appropriate administrative, technical and physical safeguards to ensure that the records in every system of records are protected from unauthorized alteration or disclosure and that their confidentiality is protected. Protect the records against reasonably anticipated threats or hazards that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom information is kept.

(b) Minimum standards. (1) Tailor system safeguards to conform to the type of records in the system, the sensitivity of the personal information stored, the storage medium used and, to a degree, the number of records maintained.

(2) Treat all unclassified records that contain personal information that normally would be withheld from the public under Exemption Numbers 6 and 7, of § 286.31, subpart D of 32 CFR part 286 (DoD Freedom of Information Act Program) as if they were designated “For Official Use Only” and safeguard them in accordance with the standards established by subpart E of 32 CFR part 286 (DoD FOIA Program) even if they are not actually marked “For Official Use Only.”

(3) Afford personal information that does not meet the criteria discussed in paragraph (c)(3) of this section that degree of security which provides protection commensurate with the nature and type of information involved.

(4) Special administrative, physical, and technical procedures are required to protect data that is stored or being processed temporarily in an automated data processing (ADP) system or in a word processing activity to protect it against threats unique to those environments (see Appendices A and B).

(5) Tailor safeguards specifically to the vulnerabilities of the system.

(c) Records disposal. (1) Dispose of records containing personal data so as to prevent inadvertent compromise. Disposal methods such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction.

(2) The transfer of large quantities of records containing personal data (for example, computer cards and printouts) in bulk to a disposal activity, such as the Defense Property Disposal Office, is not a release of personal information under this part. The sheer volume of such transfers make it difficult or impossible to identify readily specific individual records.

(3) When disposing of or destroying large quantities of records containing personal information, care must be exercised to ensure that the bulk of the records is maintained so as to prevent specific records from being readily identified. If bulk is maintained, no special procedures are required. If bulk cannot be maintained or if the form of the records make individually identifiable information easily available, dispose of the record in accordance with paragraph (c)(1) of this section.

(a) Collect directly from the individual. Collect to the greatest extent practicable personal information directly from the individual to whom it pertains if the information may be used in making any determination about the rights, privileges, or benefits of the individual under any federal program (see also paragraph (c) of this section).

(b) Collecting Social Security Numbers (SSNs). (1) It is unlawful for any federal, state, or local governmental agency to deny an individual any right, benefit, or privilege provided by law because the individual refuses to provide his or her SSN. However, if a federal statute requires that the SSN be furnished or if the SSN is required to verify the identity of the individual in a system of records that was established and in use before January 1, 1975, and the SSN was required as an identifier by a statute or regulation adopted before that date, this restriction does not apply.

(2) When an individual is requested to provide his or her SSN, he or she must be advised:

(i) The uses that will be made of the SSN;

(ii) The statute, regulation, or rule authorizing the solicitation of the SSN; and

(iii) Whether providing the SSN is voluntary or mandatory.

(3) Include in any systems notice for any system of records that contains SSNs a statement indicating the authority for maintaining the SSN and the sources of the SSNs in the system. If the SSN is obtained directly from the individual indicate whether this is voluntary or mandatory.

(4) Executive Order 9397, “Numbering System For Federal Accounts Relating to Individual Persons,” November 30, 1943, authorizes solicitation and use of SSNs as numerical identifier for individuals in most Federal records systems. However, it does not provide mandatory authority for soliciting SSNs.

(5) Upon entrance into military service or civilian employment with the Department of Defense, individuals are asked to provide their SSNs. The SSN becomes the service or employment number for the individual and is used to establish personnel, financial, medical, and other official records. Provide the notification in paragraph (b)(2) of this section to the individual when originally soliciting his or her SSN. After an individual has provided his or her SSN for the purpose of establishing a record, the notification in paragraph (b)(2) is not required if the individual is only requested to furnish or verify the SSNs for identification purposes in connection with the normal use of his or her records. However, if the SSN is to be written down and retained for any purpose by the requesting official, the individual must be provided the notification required by paragraph (b)(2) of this section.

(6) Consult the Office of Personnel Management, Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735) when soliciting SSNs for use in OPM records systems.

(c) Collecting personal information from third parties. It may not be practical to collect personal information directly from the individual in all cases. Some examples of this are:

(1) Verification of information through third party sources for security or employment suitability determinations;

(2) Seeking third party opinions such as supervisory comments as to job knowledge, duty performance, or other opinion-type evaluations;

(3) When obtaining the needed information directly from the individual is exceptionally difficult or may result in unreasonable costs; or

(4) Contacting a third party at the request of the individual to furnish certain information such as exact periods of employment, termination dates, copies of records, or similar information.

(d) Privacy Act Statements. (1) When an individual is requested to furnish personal information about himself or herself for inclusion in a system of records, a Privacy Act Statement is required regardless of the medium used to collect the information (forms, personal interviews, stylized formats, telephonic interviews, or other methods). The Privacy Act Statement consists of the elements set forth in paragraph (d)(2) of this section. The statement enables the individual to make an informed decision whether to provide the information requested. If the personal information solicited is not to be incoporated into a system of records, the statement need not be given. However, personal information obtained without a Privacy Act Statement shall not be incorporated into any system of records. When soliciting SSNs for any purpose, see paragraph (b)(2) of this section.

(2) The Privacy Act Statement shall include:

(i) The specific federal statute or Executive Order that authorizes collection of the requested information (see paragraph (d) of § 310.10).

(ii) The principal purpose or purposes for which the information is to be used;

(iii) The routine uses that will be made of the information (see § 310.41(e), subpart E);

(iv) Whether providing the information is voluntary or mandatory (see paragraph (e) of this section); and

(v) The effects on the individual if he or she chooses not to provide the requested information.

(3) The Privacy Act Statement shall be concise, current, and easily understood.

(4) The Privacy Act statement may appear as a public notice (sign or poster), conspicuously displayed in the area where the information is collected, such as at check-cashing facilities or identification photograph facilities.

(5) The individual normally is not required to sign the Privacy Act Statement.

(6) Provide the individual a written copy of the Privacy Act Statement upon request. This must be done regardless of the method chosen to furnish the initial advisement.

(e) Mandatory as opposed to voluntary disclosures. Include in the Privacy Act Statement specifically whether furnishing the requested personal data is mandatory or voluntary. A requirement to furnish personal data is mandatory only when a federal statute, Executive Order, regulation, or other lawful order specifically imposes a duty on the individual to provide the information sought, and the individual is subject to a penalty if he or she fails to provide the requested information. If providing the information is only a condition of or prerequisite to granting a benefit or privilege and the individual has the option of requesting the benefit or privilege, providing the information is always voluntary. However, the loss or denial of the privilege, benefit, or entitlement sought may be listed as a consequence of not furnishing the requested information.

(a) DoD forms. (1) DoD Directive 5000.21, “Forms Management Program” provides guidance for preparing Privacy Act Statements for use with forms (see also paragraph (b)(1) of this section).

(2) When forms are used to collect personal information, the Privacy Act Statement shall appear as follows (listed in the order of preference):

(i) In the body of the form, preferably just below the title so that the reader will be advised of the contents of the statement before he or she begins to complete the form;

(ii) On the reverse side of the form with an appropriate annotation under the title giving its location;

(iii) On a tear-off sheet attached to the form; or

(iv) As a separate supplement to the form.

(b) Forms issued by non-DoD activities. (1) Forms subject to the Privacy Act issued by other federal agencies have a Privacy Act Statement attached or included. Always ensure that the statement prepared by the originating agency is adequate for the purpose for which the form will be used by the DoD activity. If the Privacy Act Statement provided is inadequate, the DoD Component concerned shall prepare a new statement or a supplement to the existing statement before using the form.

(2) Forms issued by agencies not subject to the Privacy Act (state, municipal, and other local agencies) do not contain Privacy Act Statements. Before using a form prepared by such agencies to collect personal data subject to this part, an appropriate Privacy Act Statement must be added.

(a) Individual access. (1) The access provisions of this part are intended for use by individuals about whom records are maintained in systems of records. Release of personal information to individuals under this part is not considered public release of information.

(2) Make available to the individual to whom the record pertains all of the personal information that can be released consistent with DoD responsibilities.

(b) Individual requests for access. Individuals shall address requests for access to personal information in a system of records to the system manager or to the office designated in the DoD Component rules or the system notice.

(c) Verification of identity. (1) Before granting access to personal data, an individual may be required to provide reasonable verification of his or her identity.

(2) Identity verification procedures shall not:

(i) Be so complicated as to discourage unnecessarily individuals from seeking access to information about themselves; or

(ii) Be required of an individual seeking access to records which normally would be available under the “DoD Freedom of Information Act Program” (32 CFR part 286).

(3) Normally, when individuals seek personal access to records pertaining to themselves, identification is made from documents that normally are readily available, such as employee and military identification cards, driver's license, other licenses, permits or passes used for routine identification purposes.

(4) When access is requested by mail, identity verification may consist of the individual providing certain minimum identifying data, such as full name, date and place of birth, or such other personal information necessary to locate the record sought. If the information sought is of a sensitive nature, additional identifying data may be required. If notarization of requests is required, procedures shall be established for an alternate method of verification for individuals who do not have access to notary services, such as military members overseas.

(5) If an individual wishes to be accompanied by a third party when seeking access to his or her records or to have the records released directly to a third party, the individual may be required to furnish a signed access authorization granting the third party access.

(6) An individual shall not be refused access to his or her record solely because he or she refuses to divulge his or her SSN unless the SSN is the only method by which retrieval can be made. (See § 310.20(b)).

(7) The individual is not required to explain or justify his or her need for access to any record under this part.

(8) Only a denial authority may deny access and the denial must be in writing and contain the information required by paragraph (b) of § 310.31.

(d) Granting individual access to records. (1) Grant the individual access to the original record or an exact copy of the original record without any changes or deletions, except when changes or deletions have been made in accordance with paragraph (e) of this section. For the purpose of granting access, a record that has been amended under § 310.31(b) is considered to be the original. See pargraph (e) of this section for the policy regarding the use of summaries and extracts.

(2) Provide exact copies of the record when furnishing the individual copies of records under this part.

(3) Explain in terms understood by the requestor any record or portion of a record that is not clear.

(e) Illegible, incomplete, or partially exempt records. (1) Do not deny an individual access to a record or a copy of a record solely because the physical condition or format of the record does not make it readily available (for example, deteriorated state or on magnetic tape). Either prepare an extract or recopy the document exactly.

(2) If a portion of the record contains information that is exempt from access, an extract or summary containing all of the information in the record that is releasable shall be prepared.

(3) When the physical condition of the record or its state makes it necessary to prepare an extract for release, ensure that the extract can be understood by the requester.

(4) Explain to the requester all deletions or changes to the records.

(f) Access to medical records. (1) Disclose medical records to the individual to whom they pertain, even if a minor, unless a judgment is made that access to such records could have an adverse effect on the mental or physical health of the individual. Normally, this determination shall be made in consultation with a medical doctor.

(2) If it is determined that the release of the medical information may be harmful to the mental or physical health of the individual:

(i) Send the record to a physician named by the individual; and

(ii) In the transmittal letter to the physician explain why access by the individual without proper professional supervision could be harmful (unless it is obvious from the record).

(3) Do not require the physician to request the records for the individual.

(4) If the individual refuses or fails to designate a physician, the record shall not be provided. Such refusal of access is not considered a denial for Privacy Act reporting purposes. (See paragraph (a) of § 310.31).

(5) Access to a minor's medical records may be granted to his or her parents or legal guardians. However, observe the following procedures:

(i) In the United States, the laws of the particular state in which the records are located may afford special protection to certain types of medical records (for example, records dealing with treatment for drug or alcohol abuse and certain psychiatric records). Even if the records are maintained by a military medical facilities these statutes may apply.

(ii) For the purposes of parental access to the medical records and medical determinations regarding minors at overseas installation the age of majority is 18 years except when:

(A) A minor at the time he or she sought or consented to the treatment was between 15 and 17 years of age;

(B) The treatment was sought in a program which was authorized by regulation or statute to offer confidentiality of treatment records as a part of the program;

(C) The minor specifically requested or indicated that he or she wished the treatment record to be handled with confidence and not released to a parent or guardian; and

(D) The parent or guardian seeking access does not have the written authorization of the minor or a valid court order granting access.

(iii) If all four of the above conditions are met, the parent or guardian shall be denied access to the medical records of the minor. Do not use these procedures to deny the minor access to his or her own records under this part or any other statutes.

(6) All members of the Military Services and all married persons are not considered minors regardless of age, and the parents of these individuals do not have access to their medical records without written consent of the individual.

(g) Access to information compiled in anticipation of civil action. (1) An individual is not entitled under this part to gain access to information compiled in reasonable anticipation of a civil action or proceeding.

(2) The term “civil proceeding” is intended to include quasi-judicial and pretrial judicial proceedings that are the necessary preliminary steps to formal litigation.

(3) Attorney work products prepared in conjunction with quasi-judicial pretrial, and trial proceedings, to include those prepared to advise DoD Component officials of the possible legal consequences of a given course of action, are protected.

(h) Access to investigatory records. (1) Requests by individuals for access to investigatory records pertaining to themselves and compiled for law enforcement purposes are processed under this part of the DoD Freedom of Information Program (32 CFR part 286) depending on which part gives them the greatest degree of access.

(2) Process requests by individuals for access to investigatory record pertaining to themselves compiled for law enforcement purposes and in the custody of law enforcement activities that have been incorporated into systems of records exempted from the access provisions of this part in accordance with section B of chapter 5 under reference (f). Do not deny an individual access to the record solely because it is in the exempt system, but give him or her automatically the same access he or she would receive under the Freedom of Information Act (5 U.S.C. 552). (See also paragraph (h) of this section.)

(3) Process requests by individuals for access to investigatory records pertaining to themselves that are in records systems exempted from access provisions under paragraph (a) of § 310.52, subpart F, under this part, or the DoD Freedom of Information Act Program (32 CFR part 286) depending upon which regulation gives the greatest degree of access (see also paragraph (j) of this section).

(4) Refer individual requests for access to investigatory records exempted from access under a general exemption temporarily in the hands of a noninvestigatory element for adjudicative or personnel actions to the originating investigating agency. Inform the requester in writing of these referrals.

(i) Nonagency records. (1) Certain documents under the physical control of DoD personnel and used to assist them in performing official functions, are not considered “agency records” within the meaning of this Regulation. Uncirculated personal notes and records that are not disseminated or circulated to any person or organization (for example, personal telephone lists or memory aids) that are retained or discarded at the author's discretion and over which the Component exercises no direct control, are not considered agency records. However, if personnel are officially directed or encouraged, either in writing or orally, to maintain such records, they may become “agency records,” and may be subject to this part.

(2) The personal uncirculated handwritten notes of unit leaders, office supervisors, or military supervisory personnel concerning subordinates are not systems of records within the meaning of this part. Such notes are an extension of the individual's memory. These notes, however, must be maintained and discarded at the discretion of the individual supervisor and not circulated to others. Any established requirement to maintain such notes (such as, written or oral directives, regulations, or command policy) make these notes “agency records” and they then must be made a part of a system of records. If the notes are circulated, they must be made a part of a system of records. Any action that gives personal notes the appearance of official agency records is prohibited, unless the notes have been incorporated into a system of records.

(j) Relationship between the Privacy Act and the Freedom of Information Act. (1) Process requests for individual access as follows:

(i) Requests by individuals for access to records pertaining to themselves made under the Freedom of Information Act (5 U.S.C. 552) or the DoD Freedom of Information Act Program (32 CFR part 286) or DoD Component instuctions implementing the DoD Freedom of Information Act Program are processed under the provisions of that reference.

(ii) Requests by individuals for access to records pertaining to themselves made under the Privacy Act of 1971 (5 U.S.C. 552a), this part, or the DoD Component instructions implementing this part are processed under this part.

(iii) Requests by individuals for access to records about themselves that cite both Acts or the implementing regulations and instructions for both Acts are processed under this part except:

(A) When the access provisions of the DoD Freedom of Information Act Program (32 CFR part 286) provide a greater degree of access; or

(B) When access to the information sought is controlled by another federal statute.

(C) If the former applies, follow the provisions of 32 CFR part 286; and if the later applies, follow the access procedures established under the controlling statute.

(iv) Requests by individuals for access to information about themselves in systems of records that do not cite either Act or the implementing regulations or instructions for either Act are processed under the procedures established by this part. However, there is no requirement to cite the specific provisions of this part or the Privacy Act (5 U.S.C. 552a) when responding to such requests. Do not count these requests as Privacy Act request for reporting purposes (see subpart I).

(2) Do not deny individuals access to personal information concerning themselves that would otherwise be releasable to them under either Act solely because they fail to cite either Act or cite the wrong Act, regulation, or instruction.

(3) Explain to the requester which Act or procedures have been used when granting or denying access under either Act (see also paragraph (j)(1)(iv) of this section).

(k) Time limits. Normally acknowledge requests for access within 10 working days after receipt and provide access within 30 working days.

(l) Privacy case file. Establish a Privacy Act case file when required (see paragraph (p) of § 310.32 of this subpart).

(a) Denying individual access. (1) An individual may be denied formally access to a record pertaining to him or her only if the record:

(i) Was compiled in reasonable anticipation of civil action (see paragraph (g) of § 310.30)

(ii) Is in a system of records that has been exempted from the access provisions of this regulation under one of the permitted exemptions (see subpart F).

(iii) Contains classified information that has been exempted from the access provision of this part under blanket exemption for such material claimed for all DoD records system (see §310.50(c) of subpart F).

(iv) Is contained in a system of records for which access may be denied under some other federal statute.

(2) Only deny the individual access to those portions of the records from which the denial of access serves some legitimate governmental purpose.

(b) Other reasons to refuse access. (1) An individual may be refused access if:

(i) The record is not described well enough to enable it to be located with a reasonable amount of effort on the part of an employee familiar with the file; or

(ii) Access is sought by an individual who fails or refuses to comply with the established procedural requirements, including refusing to name a physician to receive medical records when required (see paragraph (f) of §310.30) or to pay fees (see §310.33 of this subpart).

(2) Always explain to the individual the specific reason access has been refused and how he or she may obtain access.

(c) Notifying the individual. Formal denials of access must be in writing and include as a minimum:

(1) The name, title or position, and signature of a designated Component denial authority;

(2) The date of the denial;

(3) The specific reason for the denial, including specific citation to the appropriate sections of the Privacy Act (5 U.S.C. 552a) or other statutes, this part, DoD Component instructions or Code of Federal Regulations (CFR) authorizing the denial;

(4) Notice to the individual of his or her right to appeal the denial through the Component appeal procedure within 60 calendar days; and

(5) The title or position and address of the Privacy Act appeals official for the Component.

(d) DoD Component appeal procedures. Establish internal appeal procedures that, as a minimum, provide for:

(1) Review by the head of the Component or his or her designee of any appeal by an individual from a denial of access to Component records.

(2) Formal written notification to the individual by the appeal authority that shall:

(i) If the denial is sustained totally or in part, include as a minimum:

(A) The exact reason for denying the appeal to include specific citation to the provisions of the Act or other statute, this part, Component instructions or the CFR upon which the determination is based;

(B) The date of the appeal determination;

(C) The name, title, and signature of the appeal authority;

(D) A statement informing the applicant of his or her right to seek judicial relief.

(ii) If the appeal is granted, notify the individual and provide access to the material to which access has been granted.

(3) The written appeal notification granting or denying access is the final Component action as regards access.

(4) The individual shall file any appeals from denial of access within no less than 60 calendar days of receipt of the denial notification.

(5) Process all appeals within 30 days of receipt unless the appeal authority determines that a fair and equitable review cannot be made within that period. Notify the applicant in writing if additional time is required for the appellate review. The notification must include the reasons for the delay and state when the individual may expect an answer to the appeal.

(e) Denial of appeals by failure to act. A requester may consider his or her appeal formally denied if the authority fails:

(1) To act on the appeal within 30 days;

(2) To provide the requester with a notice of extension within 30 days; or

(3) To act within the time limits established in the Component's notice of extension (see paragraph (d)(5) of this section).

(f) Denying access to OPM records held by DoD Components. (1) The records in all systems of records maintained in accordance with the OPM government-wide system notices are technically only in the temporary custody of the Department of Defense.

(2) All requests for access to these records must be processed in accordance with the Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735) as well as the applicable Component procedures.

(3) When a DoD Component refuses to grant access to a record in an OPM system, the Component shall instruct the individual to direct his or her appeal to the appropriate Component appeal authority, not the Office of Personnel Management.

(4) The Component is responsible for the administrative review of its denial of access to such records.

(a) Individual review and correction. Individuals are encouraged to review the personnel information being maintained about them by DoD Components periodically and to avail themselves of the procedures established by this part and any other Component regulations to update their records.

(b) Amending records. (1) An individual may request the amendment of any record contained in a system of records pertaining to him or her unless the system of record has been exempted specifically from the amendment procedures of this part under paragraph (b) of § 310.50, subpart F. Normally, amendments under this part are limited to correcting factual matters and not matters of official judgment, such as performance ratings, promotion potential, and job performance appraisals.

(2) While a Component may require that the request for amendment be in writing, this requirement shall not be used to discourage individuals from requesting valid amendments or to burden needlessly the amendment process.

(3) A request for amendment must include:

(i) A description of the item or items to be amended;

(ii) The specific reason for the amendment;

(iii) The type of amendment action sought (deletion, correction, or addition); and

(iv) Copies of available documentary evidence supporting the request.

(c) Burden of proof. The applicant must support adequately his or her claim.

(d) Identification of requesters. (1) Individuals may be required to provide identification to ensure that they are indeed seeking to amend a record pertaining to themselves and not, inadvertently or intentionally, the record of others.

(2) The indentification procedures shall not be used to discourage legitimate requests or to burden needlessly or delay the amendment process. (See paragraph (c) of § 310.30).

(e) Limits on attacking evidence previously submitted. (1) The amendment process is not intended to permit the alteration of evidence presented in the course of judicial or quasi-judicial proceedings. Any amendments or changes to these records normally are made through the specific procedures established for the amendment of such records.

(2) Nothing in the amendment process is intended or designed to permit a collateral attack upon what has already been the subject of a judicial or quasi-judicial determination. However, while the individual may not attack the accuracy of the judicial or quasi-judicial determination under this part, he or she may challenge the accuracy of the recording of that action.

(f) Sufficiency of a request to amend. Consider the following factors when evaluating the sufficiency of a request to amend:

(1) The accuracy of the information itself; and

(2) The relevancy, timeliness, completeness, and necessity of the recorded information for accomplishing an assigned mission or purpose.

(g) Time limits. (1) Provide written acknowledgement of a request to amend within 10 working days of its receipt by the appropriate systems manager. There is no need to acknowledge a request if the action is completed within 10 working days and the individual is so informed.

(2) The letter of acknowledgement shall clearly identify the request and advise the individual when he or she may expect to be notified of the completed action.

(3) Only under the most exceptional circumstances shall more than 30 days be required to reach a decision on a request to amend. Document fully and explain in the Privacy Act case file (see paragraph (p) of this section) any such decision that takes more than 30 days to resolve.

(h) Agreement to amend. If the decision is made to grant all or part of the request for amendment, amend the record accordingly and notify the requester.

(i) Notification of previous recipients. (1) Notify all previous recipients of the information, as reflected in the disclosure accounting records, that an amendment has been made and the substance of the amendment. Recipients who are known to be no longer retaining the information need not be advised of the amendment. All DoD Components and federal agencies known to be retaining the record or information, even if not reflected in a disclosure record, shall be notified of the amendment. Advise the requester of these notifications.

(2) Honor all requests by the requester to notify specific federal agencies of the amendment action.

(j) Denying amendment. If the request for amendment is denied in whole or in part, promptly advise the individual in writing of the decision to include:

(1) The specific reason and authority for not amending;

(2) Notification that he or she may seek further independent review of the decision by the head of the Component or his or her designee;

(3) The procedures for appealing the decision citing the position and address of the official to whom the appeal shall be addressed; and

(4) Where he or she can receive assistance in filing the appeal.

(k) DoD Component appeal procedures. Establish procedures to ensure the prompt, complete, and independent review of each amendment denial upon appeal by the individual. These procedures must ensure that:

(1) The appeal with all supporting materials both that furnished the individual and that contained in Component records is provided to the reviewing official, and

(2) If the appeal is denied completely or in part, the individual is notified in writing by the reviewing official that:

(i) The appeal has been denied and the specific reason and authority for the denial;

(ii) The individual may file a statement of disagreement with the appropriate authority and the procedures for filing this statement;

(iii) If filed properly, the statement of disagreement shall be included in the records, furnished to all future recipients of the records, and provided to all prior recipients of the disputed records who are known to hold the record; and

(iv) The individual may seek a judicial review of the decision not to amend.

(3) If the record is amended, ensure that:

(i) The requester is notified promptly of the decision;

(ii) All prior known recipients of the records who are known to be retaining the record are notified of the decision and the specific nature of the amendment (see paragraph (i) of this section); and

(iii) The requester is notified as to which DoD Components and federal agencies have been told of the amendment.

(4) Process all appeals within 30 days unless the appeal authority determines that a fair review cannot be made within this time limit. If additional time is required for the appeal, notify the requester, in writing, of the delay, the reason for the delay, and when he or she may expect a final decision on the appeal. Document fully all requirements for additional time in the Privacy Case File. (See paragraph (p) of this section)

(l) Denying amendment of OPM records held by DoD Components. (1) The records in all systems of records controlled by the Office of Personnel Management (OPM) government-wide system notices are technically only temporarily in the custody of the Department of Defense.

(2) All requests for amendment of these records must be processed in accordance with the OPM Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735). The Component denial authority may deny a request. However, the appeal process for all such denials must include a review by the Assistant Director for Agency Compliance and Evaluation, Office of Personnel Management, 1900 E Street NW, Washington, DC 20415.

(3) When an appeal is received from a Component's denial of amendment of the OPM controlled record, process the appeal in accordance with the OPM Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735) and notify the OPM appeal authority listed above.

(4) The individual may appeal any Component decision not to amend the OPM records directly to OPM.

(5) OPM is the final review authority for any appeals from a denial to amend the OPM records.

(m) Statements of disagreement submitted by individuals. (1) If the reviewing authority refuses to amend the record as requested, the individual may submit a concise statement of disagreement setting forth his or her reasons for disagreeing with the decision not to amend.

(2) If an individual chooses to file a statement of disagreement, annotate the record to indicate that the statement has been filed (see paragraph (n) of this section).

(3) Furnish copies of the statement of disagreement to all DoD Components and federal agencies that have been provided copies of the disputed information and who may be maintaining the information.

(n) Maintaining statements of disagreement. (1) When possible, incorporate the statement of disagreement into the record.

(2) If the statement cannot be made a part of the record, establish procedures to ensure that it is apparent from the records that a statement of disagreement has been filed and maintain the statement so that it can be obtained readily when the disputed information is used or disclosed.

(3) Automated record systems that are not programed to accept statements of disagreement shall be annotated or coded so that they clearly indicate that a statement of disagreement is on file, and clearly identify the statement with the disputed information in the system.

(4) Provide a copy of the statement of disagreement whenever the disputed information is disclosed for any purpose.

(o) DoD Component summaries of reasons for refusing to amend. (1) A summary of reasons for refusing to amend may be included with any record for which a statement of disagreement is filed.

(2) Include in this summary only the reasons furnished to the individual for not amending the record. Do not include comments on the statement of disagreement. Normally, the summary and statement of disagreement are filed together.

(3) When disclosing information for which a summary has been filed, a copy of the summary may be included in the release, if the Component desires.

(p) Privacy Case Files. (1) Establish a separate Privacy Case File to retain the documentation received and generated during the amendment or access process.

(2) The Privacy Case File shall contain as a minimum:

(i) The request for amendment or access;

(ii) Copies of the DoD Component's reply granting or denying the request;

(iii) Any appeals from the individual;

(iv) Copies of the action regarding the appeal with supporting documentation which is not in the basic file; and

(v) Any other correspondence generated in processing the appeal, to include coordination documentation.

(3) Only the items listed in paragraphs (p)(4) and (s) of this section may be included in the system of records challenged for amendment or for which access is sought. Do not retain copies of unamended records in the basic record system if the request for amendment is granted.

(4) The following items relating to an amendment request may be included in the disputed record system:

(i) Copies of the amended record.

(ii) Copies of the individual's statement of disagreement (see paragraph (m) of this section).

(iii) Copies of Component summaries (see paragraph (o) of this section).

(iv) Supporting documentation submitted by the individual.

(5) The following items relating to an access request may be included in the basic records system:

(i) Copies of the request;

(ii) Copies of the Component's action granting total access.

(iii) Copies of the Component's action denying access;

(iv) Copies of any appeals filed;

(v) Copies of the reply to the appeal.

(6) There is no need to establish a Privacy case file if the individual has not cited the Privacy Act (reference (b)), this part, or the Component implementing instruction for this part.

(7) Privacy case files shall not be furnished or disclosed to anyone for use in making any determination about the individual other than determinations made under this part.

(a) Assessing fees. (1) Charge the individual only the direct cost of reproduction.

(2) Do not charge reproduction fees if copying is:

(i) The only means to make the record available to the individual (for example, a copy of the record must be made to delete classified information); or

(ii) For the convenience of the DoD Component (for example, the Component has no reading room where an individual may review the record, or reproduction is done to keep the original in the Component's file).

(3) No fees shall be charged when the record may be obtained without charge under any other regulation, directive, or statute.

(4) Do not use fees to discourage requests.

(b) No minimum fees authorized. Use fees only to recoup direct reproduction costs associated with granting access. Minimum fees for duplication are not authorized and there is no automatic charge for processing a request.

(c) Prohibited fees. Do not charge or collect fees for:

(1) Search and retrieval of records;

(2) Review of records to determine releasability;

(3) Copying records for DoD Component convenience or when the individual has not specifically requested a copy;

(4) Transportation of records and personnel; or

(5) Normal postage.

(d) Waiver of fees. (1) Normally, fees are waived automatically if the direct costs of a given request is less than $30. This fee waiver provision does not apply when a waiver has been granted to the individual before, and later requests appear to be an extension or duplication of that original request. A DoD Component may, however, set aside this automatic fee waiver provision when on the basis of good evidence it determines that the waiver of fees is not in the public interest.

(2) Decisions to waiver or reduce fees that exceed the automatic waiver threshold shall be made on a case-by-case basis.

(e) Fees for members of Congress. Do not charge members of Congress for copying records furnished even when the records are requested under the Privacy Act on behalf of a constituent (see § 310.41(k) of subpart E). When replying to a constituent inquiry and the fees involved are substantial, consider suggesting to the Congressman that the constituent can obtain the information directly by writing to the appropriate offices and paying the costs. When practical, suggest to the Congressman that the record can be examined at no cost if the constituent wishes to visit the custodian of the record.

(f) Reproduction fees computation. Compute fees using the appropriate portions of the fee schedule in subpart G of the DoD Freedom of Information Program (32 CFR part 286).

(a) Disclosures to third parties. (1) The Privacy Act only compels disclosure of records from a system of records to the individuals to whom they pertain.

(2) All requests by individual for personal information about other individuals (third parties) shall be processed under the DoD Freedom of Information Program (32 CFR part 286), except for requests by the parents of a minor, or legal guardians of an individual, for access to the records pertaining to the minor or individual.

(b) Disclosures among DoD Components. For the purposes of disclosure and disclosure accounting, the Department of Defense is considered a single agency (see § 310.41(a)).

(c) Disclosures outside the Department of Defense. Do not disclose personal information from a system of records outside the Department of Defense unless:

(1) The record has been requested by the individual to whom it pertains.

(2) The written consent of the individual to whom the record pertains has been obtained for release of the record to the requesting agency, activity, or individual, or

(3) The release is for one of the specific nonconsensual purposes set forth in § 310.41 of this part.

(d) Validation before disclosure. Except for releases made in accordance with the Freedom of Information Act (5 U.S.C. 552), before disclosing any personal information to any recipient outside the Department of Defense other than a federal agency or the individual to whom it pertains:

(1) Ensure that the records are accurate, timely, complete, and relevant for agency purposes;

(2) Contact the individual, if reasonably available, to verify the accuracy, timeliness, completeness, and relevancy of the information, if the cannot be determined from the record; or

(3) If the information is not current and the individual is not reasonably available, advise the recipient that the information is believed accurate as of a specific date and any other known factors bearing on its accuracy and relevancy.

(a) Disclosures within the Department of Defense. (1) Records pertaining to an individual may be disclosed without the consent of the individual to any DoD official who has need for the record in the performance of his or her assigned duties.

(2) Rank, position, or title alone do not authorize access to personal information about others. An official need for the information must exist before disclosure.

(b) Disclosures under the Freedom of Information Act. (1) All records must be disclosed if their release is required by the Freedom of Information Act (5 U.S.C 552) see also the DoD Freedom of Information Program (32 CFR part 286). The Freedom of Information Act requires that records be made available to the public unless exempted from disclosure by one of the nine exemptions found in the Act. It follows, therefore, that if a record is not exempt from disclosure it must be disclosed.

(2) The standard for exempting most personal records, such as personnel records, medical records, and similar records, is found in Exemption Number 6 of 32 CFR 286.31. Under that exemption, release of personal information can only be denied when its release would be a “clearly unwarranted invasion of personal privacy.”

(3) Release of personal information in investigatory records including personnel security investigation records is controlled by the broader standard of an “unwarranted invasion of personal privacy” found in Exemption Number 7 of 32 CFR 286.31. This broader standard applies only to investigatory records.

(4) See 32 CFR part 286 for the standards to use in applying these exemptions.

(c) Personal information that is normally releasable—(1) DoD civilian employees. (i) Some examples of personal information regarding DoD civilian employees that normally may be released without a clearly unwarranted invasion of personal privacy include:

(A) Name.

(B) Present and past postion titles.

(C) Present and past grades.

(D) Present and past salaries.

(E) Present and past duty stations.

(F) Office or duty telephone numbers.

(ii) All disclosures of personal information regarding federal civilian employees shall be made in accordance with the Federal Personnel Manual (FPM) 5 CFR parts 293, 294, 297 and 735.

(2) Military members. (i) While it is not possible to identify categorically information that must be released or withheld from military personnel records in every instance, the following items of personal information regarding military members normally may be disclosed without a clearly unwarranted invasion of their personal privacy:

(A) Full name.

(B) Rank.

(C) Date of rank.

(D) Gross salary.

(E) Past duty assignments.

(F) Present duty assignment.

(G) Future assignments that are officially established.

(H) Office of duty telephone numbers.

(I) Source of commission.

(J) Promotion sequence number.

(K) Awards and decorations.

(L) Attendance at professional military schools.

(M) Duty status at any given time.

(ii) All releases of personal information regarding military members shall be made in accordance with the standards established by 32 CFR part 286.

(3) Civilian employees not under the FPM. (i) While it is not possible to identify categorically those items of personal information that must be released regarding civilian employees not subject to the Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735), such as nonappropriated fund employees, normally the following items may be released without a clearly unwarranted invasion of personal privacy:

(A) Full name.

(B) Grade or position.

(C) Date of grade.

(D) Gross salary.

(E) Present and past assignments.

(F) Future assignments, if officially established.

(G) Office or duty telephone numbers.

(ii) All releases of personal information regarding civilian personnel in this category shall be made in accordance with the standards established by 32 CFR part 286, the DoD Freedom of Information Program.

(d) Release of home addresses and home telephone numbers. (1) The release of home addresses and home telephone numbers normally is considered a clearly unwarranted invasion of personal privacy and is prohibited. However, these may be released without prior specific consent of the individual if:

(i) The individual has indicated previously that he or she interposes no objection to their release (see paragraphs (d) (3) and (4) of this section);

(ii) The source of the information to be released is a public document such as commercial telephone directory or other public listing;

(iii) The release is required by federal statute (for example, pursuant to federally-funded state programs to locate parents who have defaulted on child support payments (42 U.S.C. 653); or

(iv) The releasing official releases the information under the provisions of the DoD Freedom of Information Act Program (32 CFR part 286).

(2) A request for a home address or telephone number may be referred to the last known address of the individual for a direct reply by him or her to the requester. In such cases the requester shall be notified of the referral.

(3) When collecting lists of home addresses and telephone numbers, the individual may be offered the option of authorizing the information pertaining to him or her to be disseminated without further permission for specific purposes, such as locator services. In these cases, the information may be disseminated for the stated purpose without further consent. However, if the information is to be disseminated for any other purpose, a new consent is required. Normally such consent for release is in writing and signed by the individual.

(4) Before listing home addresses and home telephone numbers in DoD telephone directories, give the individuals the opportunity to refuse such a listing. Excuse the individual from paying any additional cost that may be associated with maintaining an unlisted number for government-owned telephone services if the individual requests his or her number not be listed in the directory under this part.

(5) Do not sell or rent lists of individual names and addresses unless such action is specifically authorized.

(e) Disclosures for established routine uses. (1) Records may be disclosed outside the Department of Defense without consent of the individual to whom they pertain for an established routine use.

(2) A routine use shall:

(i) Be compatible with and related to the purpose for which the record was compiled;

(ii) Identify the persons or organizations to whom the record may be released;

(iii) Identify specifically the uses to which the information may be put by the receiving agency; and

(iv) Have been published previously in the Federal Register (see § 310.62(i), subpart G).

(3) Establish a routine use for each user of the information outside the Department of Defense who need official access to the records.

(4) Routine uses may be established, discontinued, or amended without the consent of the individuals involved. However, new or changed routine uses must be published in the Federal Register at least 30 days before actually disclosing any records under their provisions (see subpart G).

(5) In addition to the routine uses established by the individual system notices, common blanket routine uses for all DoD-maintained systems of records have been established (see appendix C). These blanket routine uses are published only at the beginning of the listing of system notices for each Component in the Federal Register (see paragraph § 310.62(a)(1), subpart G). Unless a system notice specifically excludes a system from a given blanket routine use, all blanket routine uses apply.

(6) If the recipient has not been identified in the Federal Register or a use to which the recipient intends to put the record has not been published in the system notice as a routine use, the written permission of the individual is required before release or use of the record for that purpose.

(f) Disclosures to the Bureau of the Census. Records in DoD systems of records may be disclosed without the consent of the individuals to whom they pertain to the Bureau of the Census for purposes of planning or carrying out a census survey or related activities pursuant to the provisions of 13 U.S.C. 8.

(g) Disclosures for statistical research and reporting. (1) Records may be disclosed for statistical research and reporting without the consent of the individuals to whom they pertain. Before such disclosures the recipient must provide advance written assurance that:

(i) The records will be used as statistical research or reporting records;

(ii) The records will only be transferred in a form that is not individually identifiable; and

(iii) The records will not be used, in whole or in part, to make any determination about the rights, benefits, or entitlements of specific individuals.

(2) A disclosure accounting (see paragraph (a) of § 310.44) is not required when information that is not identifiable individually is released for statistical research or reporting.

(h) Disclosures to the National Archives and Records Administration (NARA). (1) Records may be disclosed without the consent of the individual to whom they pertain to the NARA if they:

(i) Have historical or other value to warrant continued preservation; or

(ii) For evaluation by the NARA to determine if a record has such historical or other value.

(2) Records transferred to a Federal Records Center (FRC) for safekeeping and storage do not fall within this category. These remain under the control of the transferring Component, and the FRC personnel are considered agents of the Component which retains control over the records. No disclosure accounting is required for the transfer of records to the FRCs.

(i) Disclosures for law enforcement purposes. (1) Records may be disclosed without the consent of the individual to whom they pertain to another agency or an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, provided:

(i) The civil or criminal law enforcement activity is authorized by law;

(ii) The head of the law enforcement activity or a designee has made a written request specifying the particular records desired and the law enforcement purpose (such as criminal investigations, enforcement of a civil law, or a similar purpose) for which the record is sought; and

(iii) There is no federal statute that prohibits the disclosure of the records.

(2) Normally, blanket requests for access to any and all records pertaining to an individual are not honored.

(3) When a record is released to a law enforcement activity under paragraph (i)(1) of this section, maintain a disclosure accounting. This disclosure accounting shall not be made available to the individual to whom the record pertains if the law enforcement activity requests that the disclosure not be released.

(4) The blanket routine use for Law Enforcement (appendix C, section A.) applies to all DoD Component systems notices (see paragraph (e)(5) of this section). Only by including this routine use can a Component, on its own initiative, report indications of violations of law found in a system of records to a law enforcement activity without the consent of the individual to whom the record pertains (see paragraph (i)(1) of this section when responding to requests from law enforcement activities).

(j) Emergency disclosures. (1) Records may be disclosed without the consent of the individual to whom they pertain if disclosure is made under compelling circumstances affecting the health or safety of any individual. The affected individual need not be the subject of the record disclosed.

(2) When such a disclosure is made, notify the individual who is the subject of the record. Notification sent to the last known address of the individual as reflected in the records is sufficient.

(3) The specific data to be disclosed is at the discretion of releasing authority.

(4) Emergency medical information may be released by telephone.

(k) Disclosures to Congress and the General Accounting Office. (1) Records may be disclosed without the consent of the individual to whom they pertain to either House of the Congress or to any committee, joint committee or subcommittee of Congress if the release pertains to a matter within the jurisdiction of the committee. Records may also be disclosed to the General Accounting Office (GAO) in the course of the activities of GAO.

(2) The blanket routine use for “Congressional Inquiries” (see appendix C, section D.) applies to all systems; therefore, there is no need to verify that the individual has authorized the release of his or her record to a congressional member when responding to a congressional constituent inquiry.

(3) If necessary, accept constituent letters requesting a member of Congress to investigate a matter pertaining to the individual as written authorization to provide access to the records to the congressional member or his or her staff.

(4) The verbal statement by a congressional staff member is acceptable to establish that a request has been received from the person to whom the records pertain.

(5) If the constituent inquiry is being made on behalf of someone other than the individual to whom the record pertains, provide the congressional member only that information releasable under the Freedom of Information Act (5 U.S.C. 552). Advise the congressional member that the written consent of the individual to whom the record pertains is required before any additional information may be released. Do not contact individuals to obtain their consents for release to congressional members unless a congressional office specifically requests that this be done.

(6) Nothing in paragraph (k)(2) of this section prohibits a Component, when appropriate, from providing the record directly to the individual and notifying the congressional office that this has been done without providing the record to the congressional member.

(7) See paragraph (e) of § 310.33 for the policy on assessing fees for Members of Congress.

(8) Make a disclosure accounting each time a record is disclosed to either House of Congress, to any committee, joint committee, or subcommittee of Congress, to any congressional member, or GAO.

(l) Disclosures under court orders. (1) Records may be disclosed without the consent of the person to whom they pertain under a court order signed by a judge of a court of competent jurisdiction. Releases may also be made under the compulsory legal process of federal or state bodies having authority to issue such process.

(2) When a record is disclosed under this provision, make reasonable efforts to notify the individual to whom the record pertains, if the legal process is a matter of public record.

(3) If the process is not a matter of public record at the time it is issued, seek to be advised when the process is made public and make reasonable efforts to notify the individual at that time.

(4) Notification sent to the last known address of the individual as reflected in the records is considered reasonable effort to notify.

(5) Make a disclosure accounting each time a record is disclosed under a court order or compulsory legal process.

(m) Disclosures to consumer reporting agencies. (1) Certain personal information may be disclosed to consumer reporting agencies as defined by the Federal Claims Collection Act of 1966, as amended (31 U.S.C. 952(d)).

(2) Under the provisions of paragraph (m)(1) of this section, the following information may be disclosed to a consumer reporting agency:

(i) Name, address, taxpayer identification number (SSN), and other information necessary to establish the identity of the individual.

(ii) The amount, status, and history of the claim.

(iii) The agency or program under which the claim arose.

(3) The Federal Claims Collection Act of 1966, as amended (31 U.S.C. 952(d)) specifically requires that the system notice for the system of records from which the information will be disclosed indicates that the information may be disclosed to a “consumer reporting agency.”

(a) General policy. (1) Make releases of personal information to commercial enterprises under the criteria established by the DoD Freedom of Information Program (32 CFR part 286).

(2) The relationship of commercial enterprises to their clients or customers and to the Department of Defense are not changed by this part.

(3) The DoD policy on personal indebtedness for military personnel is contained in 32 CFR part 43a and for civilian employees in the Office of Personnel Management, Federal Personnel Manual (5 CFR part 550).

(b) Release of personal information. (1) Any information that must be released under the Freedom of Information (5 U.S.C. 552) may be released to a commercial enterprise without the individual's consent (see paragraph (b) of § 310.41 of this subpart).

(2) Commercial enterprises may present a signed consent statement setting forth specific conditions for release of personal information. Statements such as the following, if signed by the individual, are considered valid:

(3) When a statement of consent as outlined in paragraph (b)(2) of this section is presented, provide the requested information if its release is not prohibited by some other regulation or statute.

(4) Blanket statements of consent that do not identify specifically the Department of Defense or any of its Components, or that do not specify exactly the type of information to be released, may be honored if it is clear that the individual in signing the consent statement intended to obtain a personal benefit (for example, a loan to buy a house) and was aware of the type information that would be sought. Care should be exercised in these situations to release only the minimum amount of personal information essential to obtain the benefit sought.

(5) Do not honor request from commercial enterprises for official evaluation of personal characteristics, such as evaluation of personal financial habits.

(a) Section applicability. This section applies to the release of information to the news media or the public concerning persons treated or hospitalized in DoD medical facilities and patients of nonfederal medical facilities for whom the cost of the care is paid by the Department of Defense.

(b) General disclosure. Normally, the following may be released without the patient's consent.

(1) Personal information concerning the patient. See 32 CFR part 286, The DoD Freedom of Information Act Program and paragraph (c) of § 310.41.

(2) Medical condition:

(i) Date of admission or disposition;

(ii) The present medical assessment of the individual's condition in the following terms if the medical doctor has volunteered the information:

(A) The individual's condition is presently (stable) (good) (fair) (serious) or (critical), and

(B) Whether the patient is conscious, semiconscious, or unconscious.

(c) Individual consent. (1) Detailed medical and other personal information may be released in response to inquiries from the news media and public if the patient has given his or her informed consent to such a release.

(2) If the patient is not conscious or competent, no personal information except that required by the Freedom of Information Act (5 U.S.C. 552) shall be released until there has been enough improvement in the patient to ensure he or she can give informed consent or a guardian has been appointed legally for the patient and the guardian has given consent on behalf of the patient.

(3) The consent described in paragraph (c)(1) of this section regarding patients who are minors must be given by the parent of legal guardian.

(d) Information that may be released with individual consent. (1) Any item of personal information may be released, if the patient has given his or her informed consent to its release.

(2) Releasing medical information about patients shall be done with discretion, so as not to embarrass the patient, his or her family, or the Department of Defense, needlessly.

(e) Disclosures to other government agencies. This subpart does not limit the disclosures of personal medical information to other government agencies for use in determining eligibility for special assistance or other benefits.

(a) Disclosure accountings. (1) Keep an accurate record of all disclosures made from any system of records except disclosures:

(i) To DoD personnel for use in the performance of their official duties; or

(ii) Under 32 CFR part 286, The DoD Freedom of Information Program.

(2) In all other cases a disclosure accounting is required even if the individual has consented to the disclosure of the information pertaining to him or her.

(3) Disclosure accountings:

(i) Permit individuals to determine to whom information has been disclosed;

(ii) Enable the activity to notify past recipients of disputed or corrected information (§ 310.32(i)(1), subpart D); and

(iii) Provide a method of determining compliance with paragraph (c) of § 310.40.

(b) Contents of disclosure accountings. As a minimum, disclosure accounting shall contain:

(1) The date of the disclosure.

(2) A description of the information released.

(3) The purpose of the disclosure.

(4) The name and address of the person or agency to whom the disclosure was made.

(c) Methods of disclosure accounting. Use any system of disclosure accounting that will provide readily the necessary disclosure information (see paragraph (a)(3) of this section).

(d) Accounting for mass disclosures. When numerous similar records are released (such as transmittal of payroll checks to a bank), identify the category of records disclosed and include the data required by paragraph (b) of this section in some form that can be used to construct an accounting disclosure record for individual records if required (see paragraph (a)(3) of this section).

(e) Disposition of disclosure accounting records. Retain disclosure accounting records for 5 years after the disclosure or the life of the record, whichever is longer.

(f) Furnishing disclosure accountings to the individual. (1) Make available to the individual to whom the record pertains all disclosure accountings except when:

(i) The disclosure has been made to a law enforcement activity under paragraph (i) of § 310.41 and the law enforcement activity has requested that disclosure not be made; or

(ii) The system of records has been exempted from the requirement to furnish the disclosure accounting under the provisions of § 310.50(b), subpart F.

(2) If disclosure accountings are not maintained with the record and the individual requests access to the accounting, prepare a listing of all disclosures (see paragraph (b) of this section) and provide this to the individual upon request.

(a) Types of exemptions. (1) There are two types of exemptions permitted by the Privacy Act.

(i) General exemptions that authorize the exemption of a system of records from all but certain specifically identified provisions of the Act.

(ii) Specific exemptions that allow a system of records to be exempted only from certain designated provisions of the Act.

(2) Nothing in the Act permits exemption of any system of records from all provisions of the Act (see appendix D).

(b) Establishing exemptions. (1) Neither general nor specific exemptions are established automatically for any system of records. The head of the DoD Component maintaining the system of records must make a determination whether the system is one for which an exemption properly may be claimed and then propose and establish an exemption rule for the system. No system of records within the Department of Defense shall be considered exempted until the head of the Component has approved the exemption and an exemption rule has been published as a final rule in the Federal Register (see § 310.60(e), subpart G).

(2) Only the head of the DoD Component or an authorized designee may claim an exemption for a system of records.

(3) A system of records is considered exempt only from those provisions of the Privacy Act (5 U.S.C. 552a) which are identified specifically in the Component exemption rule for the system and which are authorized by the Privacy Act.

(4) To establish an exemption rule, see § 310.61 of subpart G.

(c) Blanket exemption for classified material. (1) Include in the Component rules a blanket exemption under 5 U.S.C. 552a(k)(1) of the Privacy Act from the access provisions (5 U.S.C. 552a(d)) and the notification of access procedures (5 U.S.C. 522a(e)(4)(H)) of the Act for all classified material in any system of records maintained.

(2) Do not claim specifically an exemption under section 552a(k)(1) of the Privacy Act for any system of records. The blanket exemption affords protection to all classified material in all systems of records maintained.

(d) Provisions from which exemptions may be claimed. (1) The head of a DoD Component may claim an exemption from any provision of the Act from which an exemption is allowed (see appendix D).

(2) Notify the Defense Privacy Office ODASD(A) before claiming an exemption for any system of records from the following:

(i) The exemption rule publication requirement (5 U.S.C. 552a(j)) of the Privacy Act.

(ii) The requirement to report new systems of records (5 U.S.C. 552a(o)); or

(iii) The annual report requirement (5 U.S.C. 552a(p)).

(e) Use of exemptions. (1) Use exemptions only for the specific purposes set forth in the exemption rules (see paragraph (b) of § 310.61, subpart G).

(2) Use exemptions only when they are in the best interest of the government and limit them to the specific portions of the records requiring protection.

(3) Do not use an exemption to deny an individual access to any record to which he or she would have access under the Freedom of Information Act (5 U.S.C. 552).

(f) Exempt records in nonexempt systems. (1) Exempt records temporarily in the hands of another Component are considered the property of the originating Component and access to these records is controlled by the system notices and rules of the originating Component.

(2) Records that are actually incorporated into a system of records may be exempted only to the extent the system of records into which they are incorporated has been granted an exemption, regardless of their original status or the system of records for which they were created.

(3) If a record is accidentally misfiled into a system of records, the system notice and rules for the system in which it should actually be filed will govern.

(a) Use of the general exemptions. (1) No DoD Component is authorized to claim the exemption for records maintained by the Central Intelligence Agency established by 5 U.S.C. 552a(j)(1) of the Privacy Act.

(2) The general exemption established by 5 U.S.C. 552a(j)(2) of the Privacy Act may be claimed to protect investigative records created and maintained by law-enforcement activities of a DoD Component.

(3) To qualify for the (j)(2) exemption, the system of records must be maintained by an element that performs as its principal function enforcement of the criminal law, such as U.S. Army Criminal Investigation Command (CIDC), Naval Investigative Service (NIS), the Air Force Office of Special Investigations (AFOSI), and military police activities. Law enforcement includes police efforts to detect, prevent, control, or reduce crime, to apprehend or identify criminals; and the activities of correction, probation, pardon, or parole authorities.

(4) Information that may be protected under the (j)(2) exemption include:

(i) Records compiled for the purpose of identifying criminal offenders and alleged offenders consisting only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, parole, and probation status (so-called criminal history records);

(ii) Reports and other records compiled during criminal investigations, to include supporting documentation.

(iii) Other records compiled at any stage of the criminal law enforcement process from arrest or indictment through the final release from parole supervision, such as presentence and parole reports.

(5) The (j)(2) exemption does not apply to:

(i) Investigative records prepared or maintained by activities without primary law-enforcement missions. It may not be claimed by any activity that does not have law enforcement as its principal function.

(ii) Investigative records compiled by any activity concerning employee suitability, eligibility, qualification, or for individual access to classified material regardless of the principal mission of the compiling DoD Component.

(6) The (j)(2) exemption claimed by the law-enforcement activity will not protect investigative records that are incorporated into the record system of a nonlaw enforcement activity or into nonexempt systems of records (see paragraph (f)(2) of § 310.50). Therefore, all system managers are cautioned to comply with the various regulations prohibiting or limiting the incorporation of investigatory records into system of records other than those maintained by law-enforcement activities.

(b) Access to records for which a (j)(2) exemption is claimed. Access to investigative records in the hands of a law-enforcement activity or temporarily in the hands of a military commander or other criminal adjudicative activity shall be processed under 32 CFR part 286, The DoD Freedom of Information Act Program, provided that the system of records from which the file originated is a law enforcement record system that has been exempted from the access provisions of this part (see paragraph (h) of § 310.30, subpart D).

(a) Use of the specific exemptions. The specific exemptions permit certain categories of records to be exempted from certain specific provisions of the Privacy Act (see appendix D). To establish a specific exemption, the records must meet the following criteria (parenthetical references are to the appropriate subsection of the Privacy Act (5 U.S.C. 552a(k)):

(1) The (k)(1). Information specifically authorized to be classified under the DoD Information Security Program Regulation, 32 CFR part 159. (see also paragraph (c) of this section).

(2) The (k)(2). Investigatory information compiled for law-enforcement purposes by nonlaw enforcement activities and which is not within the scope of § 310.51(a). If an individual is denied any right, privilege or benefit that he or she is otherwise entitled by federal law or for which he or she would otherwise be eligible as a result of the maintenance of the information, the individual will be provided access to the information except to the extent that disclosure would reveal the identity of a confidential source. This subsection when claimed allows limited protection of investigative reports maintained in a system of records used in personnel or administrative actions.

(3) The (k)(3). Records maintained in connection with providing protective services to the President and other individuals under 18 U.S.C. 3506.

(4) The (k)(4). Records maintained solely for statistical research or program evaluation purposes and which are not used to make decisions on the rights, benefits, or entitlement of an individual except for census records which may be disclosed under 13 U.S.C. 8.

(5) The (k)(5). Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information, but only to the extent such material would reveal the identity of a confidential source. This provision allows protection of confidential sources used in background investigations, employment inquiries, and similar inquiries that are for personnel screening to determine suitability, eligibility, or qualifications.

(6) The (k)(6). Testing or examination material used solely to determine individual qualifications for appointment or promotion in the federal or military service, if the disclosure would compromise the objectivity or fairness of the test or examination process.

(7) The (k)(7). Evaluation material used to determine potential for promotion in the Military Services, but only to the extent that the disclosure of such material would reveal the identity of a confidential source.

(b) Promises of confidentiality. (1) Only the identity of sources that have been given an express promise of confidentiality may be protected from disclosure under paragraphs (a)(2), (5) and (7) of this section. However, the identity of sources who were given implied promises of confidentiality in inquiries conducted before September 27, 1975, may also be protected from disclosure.

(2) Ensure that promises of confidentiality are used on a limited basis in day-to-day operations. Establish appropriate procedures and identify fully those categories of individuals who may make such promises. Promises of confidentiality shall be made only when they are essential to obtain the information sought.

(c) Access to records for which specific exemptions are claimed. Deny the individual access only to those portions of the records for which the claimed exemption applies.

(a) What must be published in the Federal Register. (1) Three types of documents relating to the Privacy Program must be published in the Federal Register:

(i) DoD Component Privacy Program rules;

(ii) Component exemption rules; and

(iii) System notices.

(2) See DoD 5025.1-M, “Directives Systems Procedures,” and DoD Directive 5400.9, (32 CFR part 296) “Publication of Proposed and Adopted Regulations Affecting the Public” for information pertaining to the preparation of documents for publication in the Federal Register.

(b) The effect of publication in the Federal Register. Publication of a document in the Federal Register constitutes official public notice of the existence and content of the document.

(c) DoD Component rules. (1) Component Privacy Program procedures and Component exemption rules are subject to the rulemaking procedures prescribed in 32 CFR part 296.

(2) System notices are not subject to formal rulemaking and are published in the Federal Register as “Notices,” not rules.

(3) Privacy procedural and exemption rules are incorporated automatically into the Code of Federal Regulations (CFR). System notices are not published in the CFR.

(d) Submission of rules for publication. (1) Submit to the Defense Privacy Office, ODASD(A), all proposed rules implementing this part in proper format (see Appendices E, F and G) for publication in the Federal Register.

(2) This part has been published as a final rule in the Federal Register (32 CFR part 310). Therefore, incorporate it into your Component rules by reference rather than by republication.

(3) DoD Component rules that simply implement this part need only be published as final rules in the Federal Register (see DoD 5025.1-M, “Directives System Procedures,” and DoD Directive 5400.9, “Publication of Proposed and Adopted Regulations Affecting the Public,” (32 CFR part 296).

(4) Amendments to Component rules are submitted like the basic rules.

(5) The Defense Privacy Office ODASD(A) submits the rules and amendments thereto to the Federal Register for publication.

(e) Submission of exemption rules for publication. (1) No system of records within the Department of Defense shall be considered exempt from any provision of this part until the exemption and the exemption rule for the system has been published as a final rule in the Federal Register (see paragraph (c) of this section).

(2) Submit exemption rules in proper format to the Defense Privacy Office ODASD(A). After review, the Defense Privacy Office will submit the rules to the Federal Register for publication.

(3) Exemption rules require publication both as proposed rules and final rules (see DoD Directive 5400.9, 32 CFR part 296).

(4) Section 310.61 of this subpart discusses the content of an exemption rule.

(5) Submit amendments to exemption rules in the same manner used for establishing these rules.

(f) Submission of system notices for publication. (1) While system notices are not subject to formal rulemaking procedures, advance public notice must be given before a Component may begin to collect personal information or use a new system of records. The notice procedures require that:

(i) The system notice describes the contents of the record system and the routine uses for which the information in the system may be released.

(ii) The public be given 30 days to comment on any proposed routine uses before implementation; and

(iii) The notice contain the data on which the system will become effective.

(2) Submit system notices to the Defense Privacy Office in the Federal Register format (see appendix E). The Defense Privacy Office transmits the notices to the Federal Register for publication.

(3) Section 310.62 of this subpart discusses the specific elements required in a system notice.

(a) General procedures. Paragraph (b)(1) of § 310.50, subpart F, provides the general guidance for establishing exemptions for systems of records.

(b) Contents of exemption rules. (1) Each exemption rule submitted for publication must contain the following:

(i) The record system identification and title of the system for which the exemption is claimed (see § 310.62 of this subpart);

(ii) The specific subsection of the Privacy Act under which exemptions for the system are claimed (for example, 5 U.S.C. 552a(j)(2), 5 U.S.C. 552a(k)(3); or 5 U.S.C. 552a(k)(7);

(iii) The specific provisions and subsections of the Privacy Act from which the system is to be exempted (for example, 5 U.S.C. 552a(c)(3), or 5 U.S.C. 552a(d)(1)-(5)) (see appendix D); and

(iv) The specific reasons why an exemption is being claimed from each subsection of the Act identified.

(2) Do not claim an exemption for classified material for individual systems of records, since the blanket exemption applies (see paragraph (c) of § 310.50 of subpart F).

(a) Contents of the system notices. (1) The following data captions are included in each system notice:

(i) System identification (see paragraph (b) of this section).

(ii) System name (see paragraph (c) of this section).

(iii) System location (see paragraph (d) of this section).

(iv) Categories of individuals covered by the system (see paragraph (e) of this section).

(v) Categories of records in the system (see paragraph (f) of this section).

(vi) Authority for maintenance of the system (see paragraph (g) of this section).

(vii) Purpose(s) (see paragraph (h) of this section).

(viii) Routine uses of records maintained in the system, including categories of users, uses, and purposes of such uses (see paragraph (i) of this section).

(ix) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system (see paragraph (j) of this section).

(x) Systems manager(s) and address (see paragraph (k) of this section).

(xi) Notification procedure (see paragraph (l) of this section).

(xii) Record access procedures (see paragraph (m) of this section).

(xiii) Contesting records procedures (see paragraph (n) of this section.)

(xiv) Record source categories (see paragraph (o) of this section).

(xv) Systems exempted from certain provision of the Act (see paragraph (p) of this section).

(2) The captions listed in paragraph (a)(1) of this section have been mandated by the Office of Federal Register and must be used exactly as presented.

(3) A sample system notice is shown in appendix E.

(b) System identification. The system identifier must appear on all system notices and is limited to 21 positions, including Component code, file number and symbols, punctuation, and spacing.

(c) System name. (1) The name of the system should reasonably identify the general purpose of the system and, if possible, the general categories of individuals involved.

(2) Use acronyms only parenthetically following the title or any portion thereof, such as, “Joint Uniform Military Pay System (JUMPS).” Do not use acronyms that are not commonly known unless they are preceded by an explanation.

(3) The system name may not exceed 55 character positions including punctuation and spacing.

(d) System location. (1) For systems maintained in a single location provide the exact office name, organizational identity, and address or routing symbol.

(2) For geographically or organizationally decentralized systems, specify each level of organization or element that maintains a segment of the system.

(3) For automated data systems with a central computer facility and input/output terminals at several geographically separated locations, list each location by category.

(4) When multiple locations are identified by type of organization, the system location may indicate that official mailing addresses are contained in an address directory published as an appendix to the Component system notices in the Federal Register. Information concerning format requirements for preparation of an address directory may be obtained from the project officer, Air Force 1st Information Systems Group (AF/1ISG/GNR), Washington, DC 20330-6345.

(5) If no address directory is used or the addresses in the directory are incomplete, the address of each location where a segment of the record system is maintained must appear under the “System Location” caption.

(6) Classified addresses are not listed, but the fact that they are classified is indicated.

(7) Use the standard U.S. Postal Service two letter state abbreviation symbols and zip codes for all domestic addresses.

(e) Categories of individuals covered by the system. (1) Set forth the specific categories of individuals to whom records in the system pertain in clear, easily understood, nontechnical terms.

(2) Avoid the use of broad over-general descriptions, such as “all Army personnel” or “all military personnel” unless this actually reflects the category of individuals involved.

(f) Categories of records in the system. (1) Describe in clear, nontechnical terms the types of records maintained in the system.

(2) Only documents actually retained in the system of records shall be described, not source documents that are used only to collect data and then destroyed.

(g) Authority for maintenance of the system. (1) Cite the specific provision of the federal statute or Executive Order that authorizes the maintenance of the system.

(2) Include with citations for statutes the popular names, when appropriate (for example, Title 51, U.S. Code, section 2103, “Tea-Tasters Licensing Act”), and for Executive Orders, the official title (for example, Executive Order No. 9397, “Numbering System for Federal Accounts Relating to Individual Persons”).

(3) Cite the statute or Executive Order establishing the Component for administrative housekeeping records.

(4) If the Component is chartered by a DoD Directive, cite that Directive as well as the Secretary of Defense authority to issue the Directive. For example, “Pursuant to the authority contained in the National Security Act of 1947, as amended (10 U.S.C. 133d), the Secretary of Defense has issued DoD Directive 5105.21, the charter of the Defense Intelligence Agency (DIA) as a separate Agency of the Department of Defense under his control. Therein, the Director, DIA, is charged with the responsibility of maintaining all necessary and appropriate records.”

(h) Purpose or purposes. (1) List the specific purposes for maintaining the system of records by the Component.

(2) Include the uses made of the information within the Component and the Department of Defense (so-called “internal routine uses”).

(i) Routine uses. (1) The blanket routine uses (appendix C) that appear at the beginning of each Component compilation apply to all systems notices unless the individual system notice specifically states that one or more of them do not apply to the system. List the blanket routine uses at the beginning of the Component listing of system notices (see paragraph (e)(5) of § 310.41 of subpart E).

(2) For all other routine uses, when practical, list the specific activity to which the record may be released, to include any routine automated system interface (for example, “to the Department of Justice, Civil Rights Compliance Division,” “to the Veterans Administration, Office of Disability Benefits,” or “to state and local health agencies”).

(3) For each routine user identified, include a statement as to the purpose or purposes for which the record is to be released to that activity (see § 310.41(e) of subpart E). The routine uses should be compatible with the purpose for which the record was collected or obtained (see § 310.3(p), subpart A).

(4) Do not use general statements, such as, “to other federal agencies as required” or “to any other appropriate federal agency.”

(j) Policies and practices for storing, retiring, accessing, retaining, and disposing of records. This caption is subdivided into four parts:

(1) Storage. Indicate the medium in which the records are maintained. (For example, a system may be “automated”, maintained on magnetic tapes or disks, “manual”, maintained in paper files, or “hybrid”, maintained in a combination of paper and automated form.) Storage does not refer to the container or facility in which the records are kept.

(2) Retrievability. Specify how the records are retrieved (for example, name and SSN, name, SSN) and indicate whether a manual or computerized index is required to retrieve individual records.

(3) Safeguards. List the categories of Component personnel having immediate access and those responsible for safeguarding the records from unauthorized access. Generally identify the system safeguards (such as storage in safes, vaults, locked cabinets or rooms, use of guards, visitor registers, personnel screening, or computer “fail-safe” systems software). Do not describe safeguards in such detail so as to compromise system security.

(4) Retention and disposal. Indicate how long the record is retained. When appropriate, also state the length of time the records are maintained by the Component, when they are transferred to a Federal Records Center, length of retention at the Record Center and when they are transferred to the National Archivist or are destroyed. A reference to a Component regulation without further detailed information is insufficient.

(k) System manager(s) and address. (1) List the title and address of the official responsible for the management of the system.

(2) If the title of the specific official is unknown, such as for a local system, specify the local commander or office head as the systems manager.

(3) For geographically separated or organizationally decentralized activities for which individuals may deal directly with officials at each location in exercising their rights, list the position or duty title of each category of officials responsible for the system or a segment thereof.

(4) Do not include business or duty addresses if they are listed in the Component address directory.

(l) Notification procedures. (1) If the record system has been exempted from subsection (e)(4)(G) of the Privacy Act (5 U.S.C. 552a) (see § 310.50)(d), so indicate.

(2) For all nonexempt systems, describe how an individual may determine if there are records pertaining to him or her in the system. The procedural rules may be cited, but include a brief procedural description of the needed data. Provide sufficient information in the notice to allow an individual to exercise his or her rights without referral to the formal rules.

(3) As a minimum, the caption shall include:

(i) The official title (normally the system manager) and official address to which the request is to be directed;

(ii) The specific information required to determine if there is a record of the individual in the system.

(iii) Identification of the offices through which the individual may obtain access; and

(iv) A description of any proof of identity required (see § 310.30(c)(1)).

(4) When appropriate, the individual may be referred to a Component official who shall provide this data to him or her.

(m) Record access procedures. (1) If the record system has been exempted from subsection (e)(4)(H) of the Privacy Act (5 U.S.C. 552a) (see § 310.50(d)), so indicate.

(2) For all nonexempt records systems, describe the procedures under which individuals may obtain access to the records pertaining to them in the system.

(3) When appropriate, the individual may be referred to the system manager or Component official to obtain access procedures.

(4) Do not repeat the addresses listed in the Component address directory but refer the individual to that directory.

(n) Contesting record procedures. (1) If the record system has been exempted from subsection (e)(4)(H) of the Privacy Act (5 U.S.C. 552a) (see § 310.50(d)), so indicate.

(2) For all nonexempt systems of records, state briefly how an individual may contest the content of a record pertaining to him or her in the system.

(3) The detailed procedures for contesting record accuracy, refusal of access or amendment, or initial review and appeal need not be included if they are readily available elsewhere and can be referred to by the public. (For example, “The Defense Mapping Agency rules for contesting contents and for appealing initial determinations are contained in DMA Instruction 5400.11 (32 CFR part 295c).”)

(4) The individual may also be referred to the system manager to determine these procedures.

(o) Record source categories. (1) If the record system has been exempted from subsection (e)(4)(I) of the Privacy Act (5 U.S.C. 552a) (see § 310.50(d), subpart F), so indicate.

(2) For all nonexempt systems of records, list the sources of the information in the system.

(3) Specific individuals or institutions need not be identified by name, particularly if these sources have been granted confidentiality (see § 310.52(b), subpart F).

(p) System exempted from certain provisions of the Act. (1) If no exemption has been claimed for the system, indicate “None.”

(2) If there is an exemption claimed indicate specifically under which subsection of the Privacy Act (5 U.S.C. 552a) it is claimed.

(3) Cite the regulation and CFR section containing the exemption rule for the system. (For example, “Parts of this record system may be exempt under Title 5 U.S. Code, 552a(k)(2) and (5), as applicable. See exemption rules contained in Army Regulation 340-21 (32 CFR part 505).”)

(q) Maintaining the master DoD system notice registry. (1) The Defense Privacy Office, ODASD(A) maintains a master registry of all DoD record systems notices.

(2) Coordinate with the Defense Privacy Office, ODASD(A) to ensure that all new systems are added to the master registry and all amendments and alterations are incorporated into the master registry.

(a) Criteria for a new record system. (1) A new system of records is one for which there has been no system notice published in the Federal Register.

(2) If a notice for a system of records has been canceled or deleted before reinstating or reusing the system, a new system notice must be published in the Federal Register.

(b) Criteria for an altered record system. A system is considered altered whenever one of the following actions occurs or is proposed:

(1) A significant increase or change in the number or type of individuals about whom records are maintained.

(i) Only changes that alter significantly the character and purpose of the record system are considered alterations.

(ii) Increases in numbers of individuals due to normal growth are not considered alterations unless they truly alter the character and purpose of the system;

(iii) Increases that change significantly the scope of population covered (for example, expansion of a system of records covering a single command's enlisted personnel to include all of the Component's enlisted personnel would be considered an alteration).

(iv) A reduction in the number of individuals covered is not an alteration, but only an amendment (see paragraph (a) of § 310.64 of this subpart).

(v) All changes that add new categories of individuals to system coverage require a change to the “Categories of individuals covered by the system” caption of the notice (§ 310.62(e)) and may require changes to the “Purpose(s)” caption (§ 310.62(h)).

(2) An expansion in the types or categories of information maintained.

(i) The addition of any new category of records not described under the “Categories of Records in System” caption is considered an alteration.

(ii) Adding a new data element which is clearly within the scope of the categories of records described in the existing notice is an amendment (see § 310.64(a) of this subpart).

(iii) All changes under this criterion require a change to the “Categories of Records in System” caption of the notice (see § 310.62(f) of this subpart).

(3) An alteration in the manner in which the records are organized or the manner in which the records are indexed and retrieved.

(i) The change must alter the nature of use or scope of the records involved (for example, combining records systems in a reorganization).

(ii) Any change under this criteria requires a change in the “Retrievability” caption of the system notice (see § 310.62(j)(2) of this subpart).

(iii) If the records are no longer retrieved by name or personal identifier cancel the system notice (see § 310.10(a) of subpart B).

(4) A change in the purpose for which the information in the system is used.

(i) The new purpose must not be compatible with the existing purposes for which the system is maintained or a use that would not reasonably be expected to be an alteration.

(ii) If the use is compatible and reasonably expected, there is no change in purpose and no alteration occurs.

(iii) Any change under this criterion requires a change in the “Purpose(s)” caption (see § 310.62(h) of this subpart) and may require a change in the “Authority for maintenance of the system” caption (see § 310.62(g) of this subpart).

(5) Changes that alter the computer environment (such as changes to equipment configuration, software, or procedures) so as to create the potential for greater or easier access.

(i) Increasing the number of offices with direct access is an alteration.

(ii) Software releases, such as operating systems and system utilities that provide for easier access are considered alterations.

(iii) The addition of an on-line capability to a previously batch-oriented system is an alteration.

(iv) The addition of peripheral devices such as tape devices, disk devices, card readers, printers, and similar devices to an existing ADP system constitute an amendment if system security is preserved (see paragraph (a) of § 310.64 of this subpart).

(v) Changes to existing equipment configuration with on-line capability need not be considered alterations to the system if:

(A) The change does not alter the present security posture; or

(B) The addition of terminals does not extend the capacity of the current operating system and existing security is preserved;

(vi) The connecting of two or more formerly independent automated systems or networks together creating a potential for greater access is an alteration.

(vii) Any change under this caption requires a change to the “Storage” caption element of the systems notice (see § 310.62(j)(1) of this subpart).

(c) Reports of new and altered systems. (1) Submit a report of a new or altered system to the Defense Privacy Office before collecting information for or using a new system or altering an existing system (see appendix F and paragraph (d) of this section).

(2) The Defense Privacy Office, ODASD(A) coordinates all reports of new and altered systems with the Office of the Assistant Secretary of Defense (Legislative Affairs) and the Office of the General Counsel, Department of Defense.

(3) The Defense Privacy Office prepares for the DASD(A)'s approval and signature the transmittal letters sent to OMB and Congress (see paragraph (e) of this section).

(d) Time restrictions on the operation of a new or altered system. (1) All time periods begin from the date the DASD(A) signs the transmittal letters (see paragraph (c)(3) of this section). The specific time limits are:

(i) 60 days must elapse before data collection forms or formal instructions pertaining to the system may be issued.

(ii) 60 days must elapse before the system may become operational; (that is, collecting, maintaining, using, or disseminating records from the system) (see also § 310.60(f) of this subpart).

(iii) 60 days must elapse before any public issuance of a Request for Proposal or Invitation to Bid for a new ADP or telecommunication system.

(iv) Normally 30 days must elapse before publication in the Federal Register of the notice of a new or altered system (see § 310.60(f) of this subpart) and the preamble to the Federal Register notice must reflect the date the transmittal letters to OMB and Congress were signed by DASD(A).

(2) Do not operate a system of records until the waiting periods have expired (see § 310.103 of subpart K).

(e) Outside review of new and altered systems reports. If no objections are received within 30 days of a submission to the President of the Senate, Speaker of the House of Representatives, and the Director, OMB, of a new or altered system report it is presumed that the new or altered systems have been approved as submitted.

(f) Exemptions for new systems. See § 310.60(e) of this subpart for the procedures to follow in submitting exemption rules for a new system of records.

(g) Waiver of time restrictions. (1) The OMB may authorize a federal agency to begin operation of a system of records before the expiration of time limits set forth in § 310.63(d) of this subpart.

(2) When seeking such a waiver, include in the letter of transmittal to the Defense Privacy Office, ODASD(A) an explanation why a delay of 60 days in establishing the system of records would not be in the public interest. The transmittal must include:

(i) How the public interest will be affected adversely if the established time limits are followed; and

(ii) Why earlier notice was not provided.

(3) When appropriate, the Defense Privacy Office, ODASD(A) shall contact OMB and attempt to obtain the waiver.

(i) If a waiver is granted, the Defense Privacy Office, ODASD(A) shall notify the subcommittee and submit the new or altered system notice along with any applicable procedural or exemption rules for publication in the Federal Register.

(ii) If the waiver is disapproved, the Defense Privacy Office, ODASD(A) shall process the system the same as any other new or altered system and notify the subcommittee of the OMB decision.

(4) Under no circumstances shall the routine uses for new or altered system be implemented before 30 days have elapsed after publication of the system notice containing the routine uses in the Federal Register . This period cannot be waived.

(a) Criteria for an amended system notice. (1) Certain minor changes to published systems notices are considered amendments and not alterations (see § 310.63(b) of this subpart).

(2) Amendments do not require a report of an altered system (see § 310.63(c) of this subpart), but must be published in the Federal Register.

(b) System notices for amended systems. When submitting an amendment for a system notice for publication in the Federal Register include:

(1) The system identification and name (see paragraph (b) and (c) of § 310.62 of this subpart).

(2) A description of the nature and specific changes proposed.

(3) The full text of the system notice is not required if the master registry contains a current system notice for the system (see § 310.62(q) of this subpart).

(c) Deletion of system notices. (1) Whenever a system is discontinued, combined into another system, or determined no longer to be subject to this part, a deletion notice is required.

(2) The notice of deletion shall include:

(i) The system identification and name.

(ii) The reason for the deletion.

(3) When the system is eliminated through combination or merger, identify the successor system or systems in the deletion notice.

(d) Submission of amendments and deletions for publication. (1) Submit amendments and deletions to the Defense Privacy Office, ODASD(A) for transmittal to the Federal Register for publication.

(2) Include in the submission at least one original (not a reproduced copy) in proper Federal Register format (see appendix G).

(3) Multiple deletions and amendments may be combined into a single submission.

The Privacy Act of 1974, as amended (5 U.S.C. 552a), requires each agency to establish rules of conduct for all persons involved in the design, development, operation, and maintenance of any system of record and to train these persons with respect to these rules.

The OMB guidelines require all agencies additionally to:

(a) Instruct their personnel in their rules of conduct and other rules and procedures adopted in implementing the Act, and inform their personnel of the penalties for noncompliance.

(b) Incorporate training on the special requirements of the Act into both formal and informal (on-the-job) training programs.

(a) Each DoD Component is responsible for the development of training procedures and methodology.

(b) The Defense Privacy Office, ODASD(A) will assist the Components in developing these training programs and may develop Privacy training programs for use by all DoD Components.

(c) All training programs shall be coordinated with the Defense Privacy Office, ODASD(A) to avoid duplication and to ensure maximum effectiveness.

Each DoD Component shall fund its own Privacy training program.

The Defense Privacy Office, ODASD(A) shall establish requirements for DoD Privacy Reports and DoD Components may be required to provide data.

The suspenses for submission of all reports shall be established by the Defense Privacy Office, ODASD(A).

Any report established by this subpart in support of the Defense Privacy Program shall be assigned Report Control Symbol DD-COMP(A)1379. Special one-time reporting requirements shall be licensed separately in accordance with DoD Directive 5000.19 “Policies for the Management and Control of Information Requirements” and DoD Directive 5000.11, “Data Elements and Data Codes Standardization Program.”

During internal inspections, Component inspectors shall be alert for compliance with this part and for managerial, administrative, and operational problems associated with the implementation of the Defense Privacy Program.

(a) Document the findings of the inspectors in official reports that are furnished the responsible Component officials. These reports, when appropriate, shall reflect overall assets of the Component Privacy Program inspected, or portion thereof, identify deficiencies, irregularities, and significant problems. Also document remedial actions taken to correct problems identified.

(b) Retain inspections reports and later follow-up reports in accordance with established records disposition standards. These reports shall be made available to the Privacy Program officials concerned upon request.

Any individual who feels he or she has a legitimate complaint or grievance against the Department of Defense or any DoD employee concerning any right granted by this part shall be permitted to seek relief through appropriate administrative channels.

An individual may file a civil suit against a DoD Component or its employees if the individual feels certain provisions of the Act have been violated (see 5 U.S.C. 552a(g), of the Privacy Act.

In addition to specific remedial actions, subsection (g) of the Privacy Act (5 U.S.C. 552a) provides for the payment of damages, court cost, and attorney fees in some cases.

(a) The Act also provides for criminal penalties (see 5 U.S.C. 552a(i). Any official or employee may be found guilty of a misdemeanor and fined not more than $5,000 if he or she willfully:

(1) Discloses personal information to anyone not entitled to receive the information (see subpart E); or

(2) Maintains a system of records without publishing the required public notice in the Federal Register (see subpart G).

(b) A person who requests or obtains access to any record concerning another individual under false pretenses may be found guilty of misdemeanor and fined up to $5,000.

Whenever a complaint citing the Privacy Act is filed in a U.S. District Court against the Department of Defense, a DoD Component, or any DoD employee, the responsible system manager shall notify promptly the Defense Privacy Office, ODASD(A). The litigation status sheet at appendix H provides a standard format for this notification. The initial litigation status sheet forwarded shall, as a minimum, provide the information required by items 1 through 6. A revised litigation status sheet shall be provided at each stage of the litigation. When a court renders a formal opinion or judgment, copies of the judgment and opinion shall be provided to the Defense Privacy Office with the litigation status sheet reporting that judgment or opinion.

The OMB has issued special guidelines to be followed in programs that match the personal records in the computerized data bases of two or more federal agencies by computer (see appendix I). These guidelines are intended to strike a balance between the interest of the government in maintaining the integrity of federal programs and the need to protect individual privacy expectations. They do not authorize matching programs as such and each matching program must be justified individually in accordance with the OMB guidelines.

(a) Forward all requests for matching programs to include necessary routine use amendments (see § 310.62(i) of subpart G) and analysis and proposed matching program reports (see subsection E.6. of appendix I) to the Defense Privacy Office, ODASD(A).

(b) The Defense Privacy Office shall review each request and supporting material and forward the report and system notice amendments to the Federal Register, OMB, and Congress, as appropriate.

(c) Changes to existing matching programs shall be processed in the same manner as a new matching program report.

(a) No time limits are set by the OMB guidelines. However, in order to establish a new routine use for a matching program, the amended system notice must have been published in the Federal Register at least 30 days before implementation (see § 310.60(f) of subpart G).

(b) Submit the documentation required by § 310.111(a) of this subpart to the Defense Privacy Office at least 45 days before the proposed initiation date of the matching program.

(c) The Defense Privacy Office may grant waivers to the 45 days’ deadline for good cause shown. Requests for waivers shall be in writing and fully justified.

(a) For the purpose of the OMB guidelines, the Department of Defense and all DoD Components are considered a single agency.

(b) Before initiating a matching program using only the records of two or more DoD Components, notify the Defense Privacy Office that the match is to occur. The Defense Privacy Office may request further information from the Component proposing the match.

(c) There is no need to notify the Defense Privacy Office of computer matches using only the records of a single Component.

The system manager shall review annually each system of records to determine if records from the system are being used in matching programs and whether the OMB Guidelines have been complied with.

(a) This part consolidates into a single document, the Defense Contract Audit Agency policies and procedures for implementing the Privacy Act of 1974 (5 U.S.C. 552a), as amended, by authorizing the development, publication and maintenance of the DCAA Privacy Act Program set forth by DCAA Regulation 5410.10 1 , “Privacy Act Program”, and DCAA Manual 5410.16 2 , “DCAA Privacy Act Processing Guide.”

(b) Its purpose is to delegate authorities and assign responsibilities for the administration of the DCAA Privacy Act Program and to prescribe uniform procedures for agency personnel consistent with DoD 5025.1-M 3 , “DoD Directives System Procedures.”

(a) This part applies to all DCAA organizational elements and takes precedence over all regional regulatory issuances that supplement the DCAA Privacy Program.

(b) This part shall be made applicable by contract or other legally binding action to contractors whenever a DCAA contract provides for the operation of a system of records or portion of a system of records to accomplish an agency function.

(a) Access. The review of a record or a copy of a record or parts thereof in a system of records by any individual.

(b) Agency. For the purposes of disclosing records subject to the Privacy Act among DoD components, the Department of Defense is considered a single agency. For all other purposes to include applications for access and amendment, denial of access or amendment, appeals from denials, and recordkeeping as regards release to non-DoD agencies; each DoD component, including DCAA, is considered an agency within the meaning of the Privacy Act.

(c) Confidential source. A person or organization who has furnished information to the Federal Government under an express promise that the person's or the organization's authority will be held in confidence or under an implied promise of such confidentiality if this implied promise was made before September 27, 1975.

(d) Defense Data Integrity Board. Consists of members of the Defense Privacy Board, as established pursuant to 32 CFR part 310, and in addition the Inspector General, DoD or the designee, when convening to oversee, coordinate and approve or disapprove all DoD component computer matching covered by the Privacy Act.

(e) Disclosure. The transfer of any personal information from a system of records by any means of communication (such as oral, written, electronic, mechanical, or actual review) to any person, private entity, or government agency, other than the subject of the record, the subject's designated agent or the subject's legal guardian.

(f) Federal benefit program. Any program administered or funded by the Federal Government, or by any agent or state on behalf of the Federal Government, providing cash or in-kind assistance in the form of payments, grants, loans, or loan guarantees to individuals.

(g) Federal benefit program match. A computerized comparison of two or more automated systems of records or an automated system of records with automated non-Federal records for the purpose of establishing or verifying the eligibility of or continuing compliance with statutory and regulatory requirements by, applicants for, recipients and beneficiaries (both present and past) of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit programs; or recouping payments or delinquent debts under such Federal benefit programs.

(h) Federal personnel. Officers and employees of the Government of the United States, members of the uniformed services (including members of the reserve components), individuals entitled to receive immediate or deferred retirement benefits under any retirement program of the Government of the United States (including survivor benefits).

(i) Federal personnel match. A computerized comparison of two or more automated Federal personnel or payroll systems of records or an automated Federal personnel or payroll system of records with automated non-Federal records.

(j) Individual. A living citizen of the United States or an alien lawfully admitted to the United States for permanent residence. The legal guardian of an individual has the same rights as the individual and may act on his or her behalf. No rights are vested in the representative of a dead person under this chapter and the term “individual” does not embrace an individual acting in an interpersonal capacity (for example, sole proprietorship or partnership).

(k) Individual access. Access to information pertaining to the individual by the individual or his or her designated agent or legal guardian.

(l) Maintain. Includes maintain, collect, use, or disseminate.

(m) Matching agency. The agency which actually performs the match.

(n) Matching program. (1) The term means any computerized comparison of:

(i) Two or more automated systems of records or a system of records with non-Federal records for the purpose of:

(A) Establishing or verifying the eligibility of, or continuing compliance with statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit programs, or

(B) Recouping payments or delinquent debts under such Federal benefit programs, or

(ii) Two or more automated Federal personnel or payroll systems of records or a system of Federal personnel or payroll records with non-Federal records,

(iii) But does not include:

(A) Matches performed to produce aggregate statistical data without any personal identifiers.

(B) Matches performed to support any research for statistical project, the specific data of which may not be used to make decisions concerning the rights, benefits, or privileges of specific individuals.

(C) Matches performed by an agency which performs as its principal function any activity pertaining to the enforcement of criminal laws, subsequent to the initiation of a specific criminal or civil law enforcement investigation of a named person or persons for the purpose of gathering evidence against such person or persons.

(iv) Matches of tax information.

(A) Pursuant to section 6103(d) of the Internal Revenue Code of 1986.

(B) For purposes of tax administration as defined in section 6301(b)(4) of such Code.

(C) For the purpose of intercepting a tax refund due an individual under authority granted by section 464 or 1137 of the Social Security Act; or

(D) For the purpose of intercepting a tax refund due an individual under any other tax refund intercept program authorized by statute which has been determined by the Director of the Office of Management and Budget to contain verification, notice, and hearing requirements that are substantially similar to the procedures in section 1137 of the Social Security Act.

(E) Matches. (1) Using records predominantly relating to Federal personnel, that are performed for routine administrative purposes (subject to guidance provided by the Director of the Office of Management and Budget pursuant to subsection (v) of the Privacy Act).

(2) Conducted by an agency using only records from systems of records maintained by that agency; if the purpose of the match is not to take any adverse financial, personnel, disciplinary, or other adverse action against Federal personnel; or

(F) Matches performed for foreign counterintelligence purposes or to produce background checks for security clearances of Federal personnel or Federal contractor personnel.

(o) Member of the public. Any individual or party acting in a private capacity to include Federal employees or military personnel.

(p) Non-Federal agency. Any state or local government, or agency thereof, which receives records contained in a system of records from a source agency for use in a matching program.

(q) Official use. Within the context of this chapter, this term is used when officials and employees of the Agency have a demonstrated need for the use of any record or the information contained therein in the performance of their official duties, subject to DCAA Regulation 5410.10.

(r) Personal information. Information about an individual that is intimate or private to the individual, as distinguished from information related solely to the individual's official functions or public life.

(s) Privacy Act. The Privacy Act of 1974 (5 U.S.C. 552a), as amended.

(t) Privacy Act request. A request from an individual for notification as to the existence of, access to, or amendment of records pertaining to that individual. These records must be maintained in a system of records. The request must indicate that it is being made under the Privacy Act to be considered a Privacy Act request.

(u) Recipient agency. Any agency, or contractor thereof, receiving records contained in a system of records from a source agency for use in a matching program.

(v) Record. Any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, the individual's education, financial transactions, medical history, and criminal or employment history, and that contains the individual's name, or identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

(w) Risk assessment. An analysis considering information sensitivity, vulnerabilities, and the cost to a computer facility or word processing activity in safeguarding personal information processed or stored in the facility or activity. Applies to manual and automated systems.

(x) Routine use. The disclosure of a record outside the Agency for a use that is compatible with the purpose for which the information was collected and maintained by the Agency. The routine use must be included in the published system notice for the system of records involved.

(y) Source agency. Any agency which discloses records contained in a system of records to be used in a matching program, or any state or local government, or agency thereof, which discloses records to be used in a matching program.

(z) Statistical record. A record maintained only for statistical research or reporting purposes and not used in whole or in part in making determinations about specific individuals.

(aa) System of records. A group of records under the control of the Agency from which information is retrieved by the individual's name or by some identifying number, symbol, or other identifying particular assigned to the individual. System notices for all Privacy Act systems of records must be published in the Federal Register.

(bb) Word processing equipment. Any combination of electronic hardware and computer software integrated in a variety of forms (programmable software, hard wiring, or similar equipment) that permits the processing of textual data.

(cc) Word processing system. A combination of equipment employing automated technology, systematic procedures, and trained personnel for the primary purpose of manipulating human thoughts and verbal or written communications into a form suitable to the originator.

It is DCAA policy that personnel will comply with the DCAA Privacy Program and the Privacy Act of 1974. Strict adherence is necessary to ensure uniformity in the implementation of the DCAA Privacy Program and create conditions that will foster public trust. It is also agency policy to safeguard personal information contained in any system of records maintained by DCAA organizational elements and to make that information available to the individual to whom it pertains to the maximum extent practicable. DCAA policy specifically requires that DCAA organizational elements:

(a) Collect, maintain, use, and disseminate personal information only when it is relevant and necessary to achieve a purpose required by statute or Executive Order.

(b) Collect personal information directly from the individuals to whom it pertains to the greatest extent practical.

(c) Inform individuals who are asked to supply personal information for inclusion in any system of records:

(1) The authority for the solicitation.

(2) Whether furnishing the information is mandatory or voluntary.

(3) The intended uses of the information.

(4) The routine disclosures of the information that may be made outside of Department of Defense; and

(5) The effect on the individual of not providing all or any part of the requested information.

(d) Ensure that records used in making determinations about individuals and those containing personal information are accurate, relevant, timely, and complete for the purposes for which they are being maintained before making them available to any recipients outside of Department of Defense, other than a Federal agency, unless the disclosure is made under DCAA Regulation 5410.10, DCAA Freedom of Information Act Program (32 CFR part 290).

(e) Keep no record that describes how individuals exercise their rights guaranteed by the First Amendment to the U.S. Constitution, unless expressly authorized by statute or by the individual to whom the records pertain or is pertinent to and within the scope of an authorized law enforcement activity.

(f) Notify individuals whenever records pertaining to them are made available under compulsory legal processes, if such process is a matter of public record.

(g) Establish safeguards to ensure the security of personal information and to protect this information from threats or hazards that might result in substantial harm, embarrassment, inconvenience, or unfairness to the individual.

(h) Establish rules of conduct for DCAA personnel involved in the design, development, operation, or maintenance of any system of records and train them in these rules of conduct.

(i) Assist individuals in determining what records pertaining to them are being collected, maintained, used, or disseminated.

(j) Permit individual access to the information pertaining to them maintained in any system of records, and to correct or amend that information, unless an exemption for the system has been properly established for an important public purpose.

(k) Provide, on request, an accounting of all disclosures of the information pertaining to them except when disclosures are made:

(1) To DoD personnel in the course of their official duties.

(2) Under 32 CFR part 290; and

(3) To another agency or to an instrumentality of any governmental jurisdiction within or under control of the United States conducting law enforcement activities authorized by law.

(l) Advise individuals on their rights to appeal any refusal to grant access to or amend any record pertaining to them, and file a statement of disagreement with the record in the event amendment is refused.

(a) Headquarters. (1) The Assistant Director, Resources has overall responsibility for the DCAA Privacy Act Program and will serve as the sole appellate authority for appeals to decisions of respective initial denial authorities. Under his direction, the Chief, Information Resources Management Branch, under the supervision of the Chief, Administrative Management Division shall:

(i) Establish, issue, and update policies for the DCAA Privacy Act Program; monitor compliance with this part; and provide policy guidance for the DCAA Privacy Act Program.

(ii) Resolve conflicts that may arise regarding implementation of DCAA Privacy Act policy.

(iii) Designate an agency Privacy Act Advisor, as a single point of contact, to coordinate on matters concerning Privacy Act policy.

(iv) Make the initial determination to deny an individual's written Privacy Act request for access to or amendment of documents filed in Privacy Act systems of records. This authority cannot be delegated.

(2) The DCAA Privacy Act Advisor under the supervision of the Chief, Information Resources Management Branch shall:

(i) Manage the DCAA Privacy Act Program in accordance with this part and applicable DCAA policies, as well as Department of Defense and Federal regulations.

(ii) Provide guidelines for managing, administering, and implementing the DCAA Privacy Act Program.

(iii) Implement and administer the Privacy Act program at the Headquarters.

(iv) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.

(v) Maintain and publish DCAA Pamphlet 5410.13 4 , “DCAA Compilation of Privacy Act System Notices”; DCAA Pamphlet 5410.15 5 , “Privacy Act of 1974, An Employee Guide to Privacy”; and DCAA Manual 5410.16, “DCAA Privacy Act Processing Guide.”

(vi) Prepare promptly any required new, amended, or altered system notices for systems of records subject to the Privacy Act and submit them to the Defense Privacy Office for subsequent publication in the Federal Register.

(vii) Prepare the annual Privacy Act Report as required by 32 CFR part 310, “DoD Privacy Act Program.”

(viii) Conduct training on the Privacy Act program for agency personnel.

(3) Heads of Principal Staff Elements are responsible for:

(i) Reviewing all regulations or other policy and guidance issuances for which they are the proponent to ensure consistency with the provisions of this part.

(ii) Ensuring that the provisions of this part are followed in processing requests for records.

(iii) Forwarding to the DCAA Privacy Act Advisor, any Privacy Act requests received directly from a member of the public, so that the request may be administratively controlled and processed.

(iv) Ensuring the prompt review of all Privacy Act requests, and when required, coordinating those requests with other organizational elements.

(v) Providing recommendations to the DCAA Privacy Act Advisor regarding the releasability of DCAA records to members of the public, along with the responsive documents.

(vi) Providing the appropriate documents, along with a written justification for any denial, in whole or in part, of a request for records to the DCAA Privacy Act Advisor. Those portions to be excised should be bracketed in red pencil, and the specific exemption or exemptions cited which provide the basis for denying the requested records.

(4) The General Counsel is responsible for:

(i) Ensuring uniformity is maintained in the legal position, and the interpretation of the Privacy Act (32 CFR part 310), and this part.

(ii) Consulting with General Counsel, Department of Defense on final denials that are inconsistent with decisions of other DoD components, involve issues not previously resolved, or raise new or significant legal issues of potential significance to other Government agencies.

(iii) Providing advice and assistance to the Assistant Director, Resources; Regional Directors; and the Regional Privacy Act Officer, through the DCAA Privacy Act Advisor, as required, in the discharge of their responsibilities.

(iv) Coordinating Privacy Act litigation with the Department of Justice.

(v) Coordinating on Headquarters denials of initial requests.

(5) Each Regional Director is responsible for the overall management of the Privacy Act program within their respective regions. Under his/her direction, the Regional Resources Manager is responsible for the management and staff supervision of the program and for designating a Regional Privacy Act Officer.

(i) Regional Directors will, as designee of the Director, make the initial determination to deny an individual's written Privacy Act request for access to or amendment of documents filed in Privacy Act systems of records. This authority cannot be delegated.

(ii) Regional Privacy Act Officers will:

(A) Implement and administer the Privacy Act program throughout the region.

(B) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.

(C) Prepare input for the annual Privacy Act Report as shown in DCAA Manual 5410.16 when requested by the DCAA Information and Privacy Advisor.

(D) Conduct training on the Privacy Act program for regional and FAO personnel.

(E) Provide recommendations to the Regional Director through the Regional Resources Manager regarding the releasability of DCAA records to members of the public.

(6) Managers, Field Audit Offices (FAOs) will:

(i) Ensure that the provisions of this part are followed in processing requests for records.

(ii) Forward to the Regional Privacy Act Officer, any Privacy Act requests received directly from a member of the public, so that the request may be administratively controlled and processed.

(iii) Ensure the prompt review of all Privacy Act requests, and when required, coordinating those requests with other organizational elements.

(iv) Provide recommendations to the Regional Privacy Act Officer regarding the releasibility of DCAA records to members of the public, along with the responsive documents.

(v) Provide the appropriate documents, along with a written justification for any denial, in whole or in part, of a request for records to the Regional Privacy Act Officer. Those portions to be excised should be bracketed in red pencil, and the specific exemption or exemptions cited which provide the basis for denying the requested records.

(7) DCAA Employees will:

(i) Not disclose any personal information contained in any system of records, except as authorized by this part.

(ii) Not maintain any official files which are retrieved by name or other personal identifier without first ensuring that a notice for the system has been published in the Federal Register.

(iii) Report any disclosures of personal information from a system of records or the maintenance of any system of records that are not authorized by this part to the appropriate Privacy Act officials for their action.

Procedures for processing material in accordance with the Privacy Act of 1974 are outlined in subparts B through L of this part.

(a) System of records. To be subject to this part, a “system of records” must:

(1) Consist of “records” that are retrieved by the name or some other personal identifier of an individual, and

(2) Be under the control of the Agency.

(b) Retrieval practices. (1) Records in a group of records that could be retrieved by personal identifiers, but are not covered by this part, even if the records contain information about individuals and are under the control of the agency. The records must, in fact, be retrieved by personal identifiers in order to become a system of records.

(2) If records previously not retrieved by personal identifiers are rearranged so they are retrieved by personal identifiers, a new system of records is created and a notice of the system must be published in the Federal Register of its existence.

(3) If records in a system of records are rearranged so retrieval no longer is by personal identifiers, the records are no longer subject to this part and the records system notice shall be deleted.

(c) Recordkeeping standards. A record maintained in a system of records must meet the following criteria:

(1) The record must be accurate--all information in the record must be factually correct.

(2) The record must be relevant--all information contained in the record must be related to the individual who is the subject of record and also must be related to a lawful purpose or mission of the agency.

(3) The record must be timely--all information in the record must be reviewed periodically to ensure that it has not changed due to time or later events.

(4) The record must be complete--it must be able to stand alone in accomplishing the purpose for which it is maintained.

(5) The record must be necessary--all information in the record must be needed to accomplish the agency mission or purpose established by Federal law or Executive Order of the President.

(d) Authority to establish systems of records. The specific Federal statute or Executive Order of the President should be identified that authorizes maintaining each system of records. A statute or Executive Order authorizing a system of records does not negate the responsibility to ensure the information in the system of records is relevant and necessary.

(e) Exercise of first amendment rights. (1) Records should not be maintained describing how an individual exercises rights guaranteed by the first amendment of the U.S. Constitution unless:

(i) Expressly authorized by Federal law;

(ii) Expressly authorized by the individual; or

(iii) Pertinent to and within the scope of an authorized law enforcement activity.

(2) First amendment rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition.

(f) System manager's evaluations and reviews. (1) Each new proposed system of records shall be evaluated.

(i) The information to be included in the system should be evaluated before establishing it.

(ii) The following factors should be considered:

(A) The relationship of each item of information to be collected and retained to the purpose for which the system is maintained. All information must be relevant to the purpose.

(B) The specific impact on the purpose or mission if each category of information is not collected. All information must be necessary to accomplish a lawful purpose or mission.

(C) The ability to meet the informational needs without using personal identifiers (will anonymous statistical records meet the needs?).

(D) The length of time each item of information must be kept.

(E) The methods of disposal; and

(F) The cost of maintaining the information.

(2) All existing systems of records shall be evaluated and reviewed.

(i) When an alteration or amendment of an existing system is prepared, an evaluation must be performed.

(ii) Reviews should be conducted often and reports prepared which outline the results and corrective actions taken to resolve problems uncovered.

(A) Training practices should be reviewed annually to ensure all personnel are familiar with the requirements of the Privacy Act and any special needs their specific jobs entail.

(B) Recordkeeping and disposal practices should be reviewed annually to ensure compliance with this part.

(C) Each ongoing computer matching program in which records from the system have been matched with non-DoD records should be reviewed annually to ensure that the applicable requirements have been met.

(D) Actions of agency personnel that resulted in either the agency being found civilly liable or an employee being found criminally liable should be reviewed annually to determine the extent of the problem and find the most effective way of preventing the problem in the future.

(E) Each system of records notice should be reviewed annually to ensure it accurately describes the system. Where minor changes are needed, amend the system notice. If major changes are needed, alter the system notice.

(F) A random sample of agency contracts that provide for the operation of a system of records on behalf of the agency to accomplish an agency function should be reviewed every even-numbered year to ensure the wording of each contract complies with the provisions of the Privacy Act of 1974 (5 U.S.C. 552a).

(G) The routine use disclosures associated with each system of records should be reviewed every three years to ensure the recipient's use of the records continues to be compatible with the purpose for which the agency originally collected the information.

(H) Each system of records for which exemption rules have been established should be reviewed every three years to determine whether each exemption is still needed.

(iii) When directed, the reports should be sent through proper channels to the agency Privacy Act Advisor who will forward them to the Defense Privacy Office.

(g) Discontinued information requirements. (1) Any category or item of information about individuals that is no longer justified should not be collected, and when feasible, the information should be removed from existing records.

(2) Records that must be kept in accordance with retention and disposal needs established under DCAA Manual 5015.1 6 , “Files and Disposition Manual,” shall not be destroyed.

(h) Review records before disclosing them outside the Federal government. Before disclosing a record from a system of records to anyone outside the Federal government, reasonable steps should be taken to ensure the record to be disclosed is accurate, relevant, timely, and complete for the purposes it is being maintained.

(a) Applicability to Federal government contractors. (1) When the agency contracts for the operation of a system of records or portion thereof to accomplish an agency function, this part and 5 U.S.C. 552a are applicable. For purposes of the criminal penalties, the contractor and its employees shall be considered employees of the agency during the performance of the contract.

(2) Consistent with Parts 24 and 52 of the Federal Acquisition Regulation 7 , contracts for the operation of a system of records or portion thereof shall identify specifically the record system and the work to be performed, and shall include in the solicitations and resulting contract such terms specifically prescribed by the FAR.

(3) If the contractor must use records that are subject to this part to perform any part of a contract, and the information would have been collected and maintained by the agency but for the contract, the contractor activities are subject to this rule.

(4) This rule does not apply to records of a contractor that are:

(i) Established and maintained solely to assist the contractor in making internal contractor management decisions, such as records maintained by the contractor for use in managing the contract; or

(ii) Maintained as internal contractor employee records, even when used in conjunction with providing goods or services to the agency.

(iii) For contracting that is subject to this part, the agency shall:

(A) Inform prospective contractors of their responsibilities under the DCAA Privacy Program.

(B) Establish an internal system for reviewing contractor performance to ensure compliance with the DCAA Privacy Program; and

(C) Provide for the biennial review of a random sampling of agency contracts that are subject to this rule.

(b) Contracting procedures. The Defense Acquisition Regulatory Council is responsible for developing the specific policies and procedures for soliciting, awarding, and administering contracts.

(c) Contractor compliance. The agency shall establish contract surveillance programs to ensure contractors comply with the procedures established by the Defense Acquisition Regulatory Council pursuant to the preceding subsection.

(d) Disclosing records to contractors. Disclosing records to a contractor for use in performing a contract for the agency is considered a disclosure within the agency. The contractor is considered the agent of DCAA when receiving and maintaining the records for the agency.

(a) General responsibilities. Appropriate administrative, technical, and physical safeguards shall be established to ensure the records in every system of records are protected from unauthorized alteration, destruction, or disclosure. The records shall be protected from reasonably anticipated threats or hazards that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

(b) Minimum standards. (1) Risk analysis and management planning shall be conducted for each system of records. Sensitivity and use of the records, present and projected threats and vulnerabilities, and present and projected cost-effectiveness of safeguards should be considered. The risk analysis may vary from an informal review of a small, relatively insensitive system to a formal, fully quantified risk analysis of a large, complex, and highly sensitive system.

(2) All personnel operating a system of records or using records from a system of records should be trained in proper record security procedures.

(3) Information exempt from disclosure under DCAA Freedom of Information Act Program (32 CFR part 290), shall be labeled to reflect its sensitivity, such as “FOR OFFICIAL USE ONLY,” “PRIVACY ACT SENSITIVE: DISCLOSE ON A NEED-TO-KNOW BASIS ONLY,” or some other language that alerts individuals to the sensitivity of the records.

(4) Special administrative, physical, and technical safeguards shall be employed to protect records stored or processed in an automated data processing or word processing system from threats unique to those environments.

(c) Records disposal. (1) Records from systems of records should be disposed of to prevent inadvertent disclosure. Disposal methods such as tearing, burning, melting, chemical decomposition, burying, pulping, pulverizing, shredding, or mutilation are considered adequate if the records are rendered unrecognizable or beyond reconstruction. Magnetic media may be cleared by degaussing, overwriting, or completely erasing.

(2) The transfer of large volumes of records (e.g., computer cards and printouts) in bulk to a disposal activity such as a Defense Reutilization and Marketing Office for authorized disposal is not a disclosure of records under this rule if volume of the records, coding of the information, or some other factor renders it impossible to recognize any personal information about a specific individual.

(3) When disposing or destroying large quantities of records from a system of records, care must be taken to ensure that the bulk of the records is maintained to prevent easy identification of specific records. If such bulk is maintained, no special procedures are required. If bulk is not maintained, or if the form of the records makes individually identifiable information easily discernible, dispose of the records in accordance with paragraph (c)(1) of this section.

(a) Collect directly from the individual. To the greatest extent practicable, information should be collected for systems of records directly from the individual to whom the record pertains if the record may be used to make an adverse determination about the individual's rights, benefits, or privileges under Federal programs.

(b) Soliciting the Social Security number. (1) It is unlawful for any Federal, State, or local government agency to deny an individual a right, benefit, or privilege provided by law because the individual refuses to provide the Social Security Number (SSN). However, this prohibition does not apply if:

(i) A Federal law requires that the SSN be provided, or

(ii) The SSN is required by a law or regulation adopted before January 1, 1975, to verify the individual's identity for a system of records established and in use before that date.

(2) Before requesting an individual to provide the SSN, the individual shall be told:

(i) Whether providing the SSN is voluntary or mandatory,

(ii) By what law or other authority the SSN is solicited, and

(iii) What uses will be made of the SSN.

(3) The notice published in the Federal Register for each system of records containing SSNs solicited from individuals must indicate the authority for soliciting the SSNs and whether it is mandatory for the individuals to provide their SSNs. Executive Order 9397 permits Federal agencies to solicit SSNs as numerical identifiers for individuals in Federal records systems.

(4) Upon entrance into employment with the agency, individuals must provide their SSNs; therefore, they must be given the notification. The SSN is then the individual's numerical identifier and used to establish personnel, financial, medical, and other official records. After the individual has provided the SSN to establish the records, the notification is not required when the SSN is requested only for verification or to locate the records.

(5) The Federal Personnel Manual should be consulted when soliciting SSNs for use in systems of records controlled by the Office of Personnel Management.

(c) Collecting information about individuals from third persons. It might not always be practical to collect all information about the individual directly from the individual, such as when:

(1) Verifying information through other sources for security or employment suitability determinations.

(2) Seeking other opinions, such as a supervisor's comments on past performance or other evaluations.

(3) Obtaining the necessary information directly from the individual will be exceptionally difficult or will result in unreasonable costs or delays; or

(4) The individual requests or consents to contacting another person to obtain the information.

(d) Privacy Act statement. (1) When an individual is requested to furnish information about himself or herself for a system of records, a Privacy Act statement must be provided to the individual, regardless of the method used to collect the information (forms, personal interviews, telephonic interviews, etc.). If the information requested will not be included in a system of records, a Privacy Act statement is not required.

(2) The Privacy Act statement shall include the following:

(i) The Federal law or Executive Order of the President that authorizes collecting the information.

(ii) Whether it is voluntary or mandatory for the individual to provide the requested information.

(iii) The principal purposes for which the information will be used.

(iv) The routine uses that will be made of the information (to whom and why it will be disclosed outside the Department of Defense); and

(v) The effects, if any, on the individual if all or part of the information is not provided.

(3) The Privacy Act statement must appear on the form used to collect the information or on a separate form that can be retained by the individual requesting it. If the information is collected other than by the individual completing a form, such as when the information is solicited by telephone, the Privacy Act statement should be read to the individual and a copy sent to him or her on request.

(4) It is mandatory for an individual to furnish information about himself or herself for a system of records only when a Federal law or Executive Order of the President specifically imposes a duty to furnish the information and provides a penalty, e.g., criminal sanctions, for failure to do so. If furnishing the information is only a condition for granting a benefit or privilege voluntarily sought by the individual (such as a request for annual leave), it is voluntary for the individual to give the information. However, the denial of the benefit or privilege must be listed in the Privacy Act statement as one of the effects of not providing the information, i.e., the effects on the individual if the information is not provided.

(a) Right of access (1) The access provisions of this part are for individuals who are subjects of records maintained in DCAA systems of records.

(2) All information that can be released consistent with applicable laws and regulations should be made available to the subject of record.

(b) Notification of record's existence. Record managers of system of records shall establish procedures for notifying an individual, in response to a request, if the system of records contains a record pertaining to him or her.

(c) Individual requests for access. (1) Individuals shall address requests for access to records in systems of records to the responsible system manager or the regional Privacy Act officer.

(2) Requests for access may be oral or written; however, only written requests are to be maintained in the Privacy Act case file and counted when compiling the annual Privacy Act report.

(d) Verifying identity. (1) An individual shall provide reasonable verification of identity before obtaining access to records.

(2) Procedures for verifying identity shall not be complicated merely to discourage individuals from seeking access to records.

(3) When an individual seeks access in person, identification can be verified by documents normally carried by the individual, such as an identification card, driver's license, or other license, permit or pass normally used for identification purposes.

(4) When access is requested other than in person, identity may be verified by the individual's providing minimum identifying data such as full name, date and place of birth, or other information necessary to locate the record sought. If the information sought is sensitive, additional identifying data may be required.

(5) The individual may be accompanied by a person of his or her choice when viewing the record; however, the individual may be required to provide written authorization to have the record discussed in front of the other person.

(6) An individual shall not be denied access to a record solely for refusing to divulge the SSN, unless it is the only means of retrieving the record or verifying identity.

(7) An individual shall not be required to explain why he or she is seeking access to a record.

(8) Only a designated denial authority may deny access. The denial must be in writing.

(9) If notarization of requests is required for access, procedures shall be established for an alternate method of verification for individuals who do not have access to notary services, such as military members overseas. The following formats may be used as prescribed by 28 U.S.C. 1746:

(i) If executed outside of the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”

(ii) If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”

(e) Granting individual access to records. (1) The individual should be granted access to the original record (or exact copy) without any changes or deletions. A record that has been amended is considered the original.

(2) The individual's request should be granted for an exact copy of the record, and, upon the signed authorization of the individual, a copy should be provided to anyone designated by the individual. In either case, the copying fees may be assessed to the individual.

(3) If requested, explain any record or portion of a record that is not understood, as well as any changes or deletions.

(f) Illegible, incomplete, or exempt records. (1) Illegible or incomplete records. Individual access should not be denied solely because the physical condition or format of the record does not make it readily available, such as when the record is in a deteriorated state or on magnetic tape. In this case, the document should be recopied exactly or an extract can be prepared.

(2) Exempt records. A request for a record that is wholly or partially exempt from access shall also be processed under the Freedom of Information Act (FOIA). The requester shall be granted access to all information that is releasable under either this part or the FOIA. The agency may provide this information in the form of an extract or summary of the record. The provisions of this rule or the FOIA under which access was granted should be cited.

(g) Access to medical and psychological records. (1) Individual access to medical and psychological records should be provided, even if the individual is a minor, unless it is determined that access could have an adverse effect on the mental or physical health of the individual. This determination normally should be made in consultation with a medical practitioner.

(2) If it is medically indicated that access could have an adverse mental or physical effect on the individual, the record should be provided to a medical practitioner named by the individual, along with an explanation why access without medical supervision could be harmful to the individual.

(3) The named medical practitioner should not be required to request the record for the individual.

(4) If the individual refuses or fails to designate a medical practitioner, access shall be refused. The refusal is not considered a denial for reporting purposes under the Privacy Act.

(h) Access by parents and legal guardians. (1) The parent of any minor, an individual under 18 years of age who is neither a member of a Military Service nor married, or the legal guardian of any individual declared by a court of competent jurisdiction to be incompetent due to physical or mental incapacity or age, may obtain access to the record of the minor or incompetent individual if the parent or legal guardian is acting on behalf of the minor or incompetent (i.e., for the benefit of the minor or incompetent). However, with respect to access by parents and legal guardians to medical records and medical determinations about minors, observe the following procedures:

(i) In the United States, the laws of the state where the records are located might afford special protection to certain medical records such as drug and alcohol abuse treatment records and psychiatric records. The state statutes might apply even if the records are maintained by a military medical facility.

(ii) For installations located outside the United States, the parent or legal guardian of a minor shall be denied access if all four of the following conditions are met:

(A) The minor at the time of the treatment or consultation was 15, 16, or 17 years old.

(B) The treatment or consultation was within a program authorized by law or regulation to provide confidentiality to the minor.

(C) The minor specifically indicated a desire that the treatment or consultation record be handled in confidence and not disclosed to a parent or guardian, and

(D) The parent or legal guardian does not have the written authorization of the minor or a valid court order granting access.

(2) A minor or incompetent has the same right of access as any other individual. The right of access of the parent or legal guardian is in addition to that of the minor or incompetent.

(i) Access to information compiled in anticipation of a civil proceeding. (1) An individual is not entitled to access information compiled in reasonable anticipation of a civil action or proceeding.

(2) The term “civil action or proceeding” includes quasi-judicial and pretrial judicial proceedings as well as formal litigation.

(3) Paragraphs (i)(1) and (2) of this section do not prohibit access to records compiled or used for purposes other than litigation, nor prohibit access to systems of records solely because they are frequently subject to litigation. The information must have been compiled for the primary purpose of litigation.

(4) Attorney work products prepared in conjunction with the paragraphs (i)(1) and (2) of this section are also protected.

(j) Non-agency records. (1) Certain documents under the control of DCAA personnel and used to assist them in performing official functions may not be considered agency records within the meaning of this part. Such documents, if maintained in accordance with the following subparagraph, are not systems of records that are subject to this part. Examples are personal telephone lists and personal notes kept to refresh the memory of the author.

(2) To be considered non-agency records, the documents must:

(i) Be maintained and discarded solely at the discretion of the author.

(ii) Be created only for the author's personal convenience.

(iii) Not be the result of official direction or encouragement, whether oral or written; and

(iv) Not be shown to other persons for any reason.

(k) Relationship between the Privacy Act and the Freedom of Information Act (FOIA). (1) Access requests that specifically state or reasonably imply that they are made under the Freedom of Information Act (5 U.S.C. 552), are processed pursuant to DCAA Regulation 5410.10 (32 CFR part 290).

(2) Access requests that specifically state or reasonably imply that they are made under the Privacy Act of 1974 (5 U.S.C. 552a) are processed pursuant to this part.

(3) Access requests that cite both the FOIA and the Privacy Act are processed under the Act that provides the greater degree of access. The requester should be informed which Act was used in granting or denying access.

(4) Individual access should not be denied to records otherwise releasable under the Privacy Act or the Freedom of Information Act solely because the request does not cite the appropriate statute.

(l) Time limits. Access requests should be acknowledged within 10 working days after receipt, and access should be granted or denied within 30 working days, excluding Federal holidays.

(a) Fee schedules. The fees charged requesters shall include only the direct cost of reproduction and shall not include costs of:

(1) Time or effort devoted by agency personnel to searching for or reviewing the record.

(2) Fees not associated with the actual cost of reproduction.

(3) Producing a copy when it must be provided to the individual without cost under another regulation, directive, or law.

(4) Normal postage.

(5) Transportation of records or personnel, or

(6) Producing a copy when the individual has requested only to review the record and has not requested a copy to keep, and

(i) The only means of allowing review is to make a copy (e.g., the record is stored in a computer and a copy must be printed to provide individual access), or

(ii) The agency does not wish to surrender temporarily the original record for the individual to review.

(7) Compute fees using the appropriate portions of the fee schedule in 32 CFR part 286, subpart F.

(b) Fee waivers. (1) Fees shall be waived automatically if the direct cost of reproduction is less than $30, unless the individual is requesting an obvious extension or duplication of a previous request for which he or she was granted a waiver.

(2) Decisions to waive or reduce fees that exceed $30 may be made on a case-by-case basis.

(a) Denying individual access. The subject of record may be denied access only if it:

(1) Was compiled in reasonable anticipation of a civil action or proceeding; or

(2) Is in a system of records that has been exempted from the access provisions of this part.

(3) The individual should be denied access only to those portions of the record for which the denial will serve a legitimate governmental purpose.

(4) An individual may be refused access for failure to comply with established procedural requirements, but must be told the specific reason for the refusal and the proper access procedures.

(b) Notifying the individual. Written denial of access must be given to the individual and must be documented in a Privacy Act case file. The denial shall include:

(1) The name, title, and signature of a designated denial authority.

(2) The date of the denial.

(3) The specific reason for the denial, citing the appropriate sections of the Privacy Act or this part authorizing the denial.

(4) Notice of the individual's right to appeal the denial within 60 calendar days of the date the notice is mailed; and

(5) The title and address of the appeal official.

(c) Appeal procedures. Appeal procedures provide for the following:

(1) Review by the Assistant Director, Resources, DCAA Headquarters, or his or her designee, of any appeal by an individual.

(2) Written notification to the individual by the Assistant Director, Resources shall:

(i) If the denial is sustained totally or in part, include:

(A) The reason for denying the appeal, citing the provision of the Privacy Act or this part upon which the denial is based.

(B) The date of the appeal determination.

(C) The name, title, and signature of the appeal authority; and

(D) A statement informing the applicant of the right to seek judicial relief in Federal District Court.

(ii) If the appeal is granted, advise the individual and provide access to the record sought.

(d) Final action, time limits, and documentation. (1) The written appeal notification granting or denying access is the final agency action on the initial request for access.

(2) All appeals shall be processed within 30 working days, excluding Federal holidays, of receipt, unless the appeal authority finds that an adequate review cannot be completed within that period. If additional time is needed, notify the applicant in writing, explaining the reason for the delay and when the appeal will be completed.

(3) All actions on appeals must be documented in the Privacy Act case file.

(e) Denial of appeal by the agency's failure to act. An individual may consider his or her appeal denied if the appeal authority fails:

(1) To take final action on the appeal within 30 working days, excluding Federal holidays, of receipt when no extension of time notice was given; or

(2) To take final action within the period established by the extension of time notice.

(f) Denying access to Office of Personnel Management (OPM) records held by the agency. (1) The records in all systems of records maintained in accordance with the OPM Government-wide system notices are only in the temporary custody of the agency.

(2) All requests for access to these records must be processed in accordance with the OPM Federal Personnel Manual as well as DCAA Manual 1400.1 9 , “DCAA Personnel Management Manual.”

(3) When DCAA initially denies access to a record in an OPM Government-wide system, the agency shall instruct the individual to direct any appeal to the Assistant Director for Workforce Information, Personnel Systems and Oversight Group, Office of Personnel Management, 1900 E Street, NW, Washington, DC 20415-0001.

(a) Documents used in processing notification, access, and amendment requests made under the Privacy Act or this part shall be filed in a Privacy Act case file established for each request, not in the record to which they pertain.

(b) Privacy Act case files should contain the following information:

(1) The request to be notified if a system of records contains a record pertaining to the individual and the request for access and amendment.

(2) Approval, denial, request for appeal, action on appeal, coordination action, and other documents relating to the request; and

(3) Documentation of reasons for exceeding the established time limits for processing the request.

(c) The Privacy Act case file shall not contain a copy of the record and shall not be used to make any determination about the individual, other than determinations about the Privacy Act request.

(d) The case file shall be used only to process requests and provide statistics such as for the annual report required by the Privacy Act.

Individuals are encouraged to review periodically the information maintained about them in systems of records, and to avail themselves of the amendment procedures established by this part.

(a) Right to request amendment. An individual may request the amendment of any record retrieved by his or her personal identifier from a system of records, unless the system has been exempted from the amendment procedures. See § 317.133. Amendments are limited to correcting factual matters, not matters of opinion such as those contained in evaluations of promotion potential and performance appraisals.

(b) Written amendment request. The agency may require that amendment requests be in writing; however, this requirement shall not be used merely to discourage individuals from requesting valid amendments or to burden needlessly the amendment process. Only written amendment requests must be documented in the Privacy Act case file.

(c) Content of amendment request. An amendment request must include:

(1) A description of the information to be amended.

(2) The reason for the amendment.

(3) The type of amendment action sought (deletion, correction, or addition); and

(4) Copies of available documentary evidence supporting the request.

The individual must provide adequate support for the request.

The individual may be required to provide identification to prevent the inadvertent or intentional amendment of another's record.

This part does not permit the alteration of evidence presented in the course of judicial or quasi-judicial proceedings. Amendments to such records must be made in accordance with procedures established for such proceedings. This part does not permit a collateral attack on a judicial or quasi-judicial finding; however, it may be used to challenge the accuracy of recording the finding in a system of records.

The record which the individual requests to be amended must meet agency recordkeeping standards. The record must be accurate, relevant, timely, complete, and necessary. If the record in its present state does not meet each of the criteria, the amendment request shall be granted to the extent necessary to meet them.

Within 10 working days, excluding Federal holidays, of receiving an amendment request, provide the individual a written acknowledgment of the request. If action on the amendment request is completed within the 10 working days and the individual is so informed, no separate acknowledgment is necessary. The acknowledgment must clearly identify the request and advise the individual when to expect notification of the completed action. Only under exceptional circumstances shall more than 30 working days, excluding Federal holidays, be required to complete the action on an amendment request. If a completed action takes longer than 30 working days, the delay must be explained fully in the Privacy Act case file.

(a) Notify the requester. To the extent the amendment request is granted, the individual shall be notified and make the appropriate amendment.

(b) Notify previous recipients. All previous recipients of the information (as reflected in the disclosure accounting records) should be notified that the amendment has been made and provide each a copy of the amended record. Recipients who are known to be no longer retaining the record need not be advised of the amendment. If it is known that other DoD components or other Federal Agencies have been provided the information that was amended, or if the individual requests that other DoD components or other Federal agencies be notified, provide the notification even if those components or agencies are not listed in the disclosure accounting.

(c) Documentation. The action should be documented in the Privacy Act case file if the request for amendment was in writing.

(a) If the amendment request is denied in whole or in part, the individual should be promptly notified in writing and document the action in the Privacy Act case file. The notification to the individual shall include:

(b) Basis for denial. Those sections of the Privacy Act or this part upon which the denial is based.

(c) Right to appeal. Advice that the individual may appeal to the Assistant Director, Resources, or his or her designee for an independent review of the initial denial.

(d) Appeal procedures. The procedures for requesting an appeal, including the title and address of the official to whom the appeal should be sent; and

(e) Appeal assistance. Where the individual can receive assistance in filing the appeal.

Procedures to ensure the prompt, complete, and independent review of each denial of an amendment request if the individual appeals must ensure:

(a) Appeals are forwarded. The appeal with all supporting documentation, including that furnished by the individual and that contained in agency records, is provided to the Assistant Director, Resources, or his or her designee.

(b) Standards for review. The standard for deciding the appeal is whether the unamended record is accurate, relevant, timely, complete, and necessary. If the unamended record does not meet each of these criteria, the amendment request shall be granted to the extent necessary to meet them.

(c) Time limits. The appeal is processed within 30 working days, excluding Federal holidays, unless the appeal official determines that an adequate review cannot be completed within that period and gives the individual a written explanation of the reason and when the review will be completed.

(d) Denial notification. If the appeal is denied completely or in part, the individual is provided written notification that:

(1) The appeal has been denied, citing the sections of the Privacy Act or this rule on which the denial was based.

(2) The individual may file a statement of disagreement. An explanation of the filing procedures will be included in the written notification.

(3) If properly filed, the statement of disagreement shall be included in the record and furnished to all future recipients of the record and to all prior recipients of the record as listed on the disclosure accounting, except those known to be no longer retaining the record; and

(4) The individual may seek judicial review of the decision not to amend the record.

(e) Amendment notification. If the record is amended:

(1) The individual is notified promptly of the decision.

(2) All previous recipients of the record, as listed in the disclosure accounting (except those known to be no longer retaining the record), are notified of the amendment and provided a copy; and

(3) Any previous recipient known to be holding a copy of the record (but not listed in the disclosure accounting), as well as any other DoD component or other Federal agency named by the individual, also should be informed of the amendment and provided a copy.

(f) Documentation. All actions on the appeal shall be documented in the Privacy Act case file.

The records in an OPM Government-wide system of records are only temporarily in the custody of the agency. Requests for amendment of these records must be processed in accordance with the OPM Federal Personnel Manual. The agency denial authority may deny a request, but all denials are subject to review by the Assistant Director for Workforce Information, Personnel Systems Oversight Group, Office of Personnel Management, 1900 E Street NW, Washington, DC 20415-0001.

(a) Right to submit. If the appeal authority refuses to amend the record as requested, the individual may submit a concise statement of disagreement listing the reasons for disagreeing with the refusal to amend.

(b) Filing the statement. If possible, incorporate the statement of disagreement into the record. If that is not possible, the record should be annotated to reflect that the statement was filed and maintain the statement so that it can be obtained readily when the disputed information is used or disclosed. For instance, automated record systems not programmed to accept statements of disagreement must be capable of having indicators entered to reflect the presence of statements on file and how to obtain them.

(c) Inform previous recipients. Copies of the statement of disagreement should be furnished to all individuals listed in the disclosure accounting of the record (except those known to be no longer retaining the record), as well as to all other known holders of copies of the record.

(d) Disclosure. Whenever the disputed information is disclosed for any purpose, ensure that the statement of disagreement also is used or disclosed.