Pub. L. 93-579, 88 Stat 1896 (5 U.S.C. 552a).
65 FR 20372, Apr. 17, 2000, unless otherwise noted.
This part implements the basic policies and procedures outlined in the Privacy Act of 1974, as amended (5 U.S.C. 552a), and 32 CFR part 310; and establishes the National Reconnaissance Office Privacy Program (NRO) by setting policies and procedures for the collection and disclosure of information maintained in records on individuals, the handling of requests for amendment or correction of such records, appeal and review of NRO decisions on these matters, and the application of exemptions.
Obligations under this part apply to all employees detailed, attached, or assigned to or authorized to act as agents of the National Reconnaissance Office. The provisions of this part shall be made applicable by contract or other legally binding action to government contractors whenever a contract is let for the operation of a system of records or a portion of a system of records.
(a)
(1)
(i)
(ii)
(2)
(3)
(4)
(b)
(1) Relationship of each item of information to the statutory purpose for which the system is maintained;
(2) Specific adverse consequences of not collecting each category of information; and
(3) Techniques for purging parts of the records.
(c)
(1) To those employees of the NRO who have an official need for the record in the performance of their duties.
(2) Required to be disclosed to a member of the public under the Freedom of Information Act, as amended.
(3) For a routine use as defined in the Privacy Act.
(4) To the Census Bureau for the purpose of conducting a census or survey or related activity authorized by law.
(5) To a recipient who has provided the NRO with advance, adequate written assurance that the record will be used solely as statistical research and that the record is to be transferred in a form in which the individual is not identifiable.
(6) To the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the U. S. Government.
(7) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the U.S. for a civil or criminal law enforcement activity if such activity is authorized by law and if the head of the agency or governmental entity has made a written request to the NRO specifying the particular portion of the
(8) To a person showing compelling circumstances affecting the health or safety of an individual if, upon such disclosure, notification is sent to the last known address of the individual to whom the record pertains (emergency medical information may be released by telephone).
(9) To Congress or any committee, joint committee, or subcommittee of Congress with respect to a matter under its jurisdiction. This provision does not authorize the disclosure of a record to members of Congress acting in their individual capacities or on behalf of their constituents making third party requests. However, such releases may be made pursuant to the blanket routine use for Congressional inquiries when a constituent has sought the assistance of his Congressman forthe constituent's individual record(s).
(10) To the Comptroller General or any of his authorized representatives in the course of the performance of the duties of the General Accounting Office.
(11) Pursuant to an order of a court of competent jurisdiction. When the record is disclosed under compulsory legal process and when the issuance of that order or subpoena is made public by the court which issued it, the NRO will make reasonable efforts to notify the individual to whom the record pertains by mail at the most recent address contained in NRO records.
(12) To a consumer reporting agency in accordance with 31 U.S.C. 3711(f).
(d)
(e)
(f)
(g)
(1) When required by the individual to whom the record pertains, or
(2) When necessary to inform previous recipients of any amended records. The accounting shall be retained for at least five years or for the life of the record, whichever is longer, to be available for review by the subject of the record at his request except for disclosures made under paragraph (c)(7) of this section.
(h)
(i)
(j)
(1) Identification information at doorways, building directories, desks, lockers, name tags, etc.
(2) Geographical or agency contact cards.
(3) Property receipts and control logs for building passes, credentials, vehicles, etc.
(4) Personal working notes of employees that are merely an extension of the author's memory, if maintained properly, do not come under the Privacy Act. Personal notes are not considered official NRO records if they meet the following requirements:
(i) Keeping or discarding notes must be at the sole discretion of the author. Any requirement by supervising authority, whether by oral or written directive, regulation, policy, or memo to maintain such notes, likely would cause the notes to become official agency records.
(ii) Such notes must be restricted to the author's personal use as memory aids, and only the author may have access to them. Passing them to a successor or showing them to other personnel (including supporting staff such as secretaries) would likely cause them to become agency records.
(5) Rosters. The NRO has no restriction against rosters that contain only corporate information such as name, work telephone number, and position. Good recordkeeping practices dictate that only rosters that are relevant and necessary to the NRO's operations may be maintained, and therefore convenience rosters, which by definition do not satisfy the test, may not be maintained.
(a) The Director, NRO (DNRO):
(1) Supervises the execution of the Privacy Act and this part within the NRO.
(2) Appoints:
(i) The Chief, Information Access and Release Center as the NRO Privacy Act Coordinator.
(ii) The Director of Security, the Director of Policy, and the NRO General Counsel as the NRO Appeals Panel; and
(iii) The Chief of Staff as the Senior Official for Privacy Policy and the Privacy Act Appeal Authority.
(b) The Privacy Act Coordinator, NRO:
(1) Establishes, issues, and updates policy for the NRO Privacy Act Program, monitors compliance, and serves as the principal NRO point of contact on all Privacy Act matters.
(2) Receives, processes, and responds to all PrivacyAct requests received by the NRO, including:
(i) Granting, granting in part, or denying an initial Privacy Act request for access or amendment to a record,
(ii) Granting a requester access to all or part ofa record under dispute when, after a review, a decision is made in favor of a requester.
(iii) Directing the appropriate NRO component to amend a record and advising other record holders to amend a record when a decision is made in favor of a requester.
(iv) Notifying a requester, if a request is denied, of the reasons for denial and the procedures for appeal to the Privacy Act Appeal Authority.
(v) Notifying a requester of his right to file a concise statement of his reasons for disagreement with the NRO's refusal to amend a record.
(vi) Directing that a requester's statement of reasons for the request to amend, his concise statement of disagreement with the NRO's refusal to amend a record, and the NRO's letter of denial be included in the file containing the disputed record.
(vii) Referring all appeals to the Privacy Act Appeals Panel and Appeal Authority.
(viii) Notifying a requester of any required fees and delivering such collected fees to the Comptroller.
(ix) Obtaining supplemental information from the requester when required.
(3) Serves as the NRO point of contact with the Defense Privacy Office.
(4) Reviews NRO use of records, and at least 40 calendar days prior to establishing a new agency system of records, ensures that new or amended notices are prepared and published in the
(5) Coordinates with forms managers to ensure that a Privacy Act Statement is on all forms or in all other methods used to collect personal information for inclusion in any NRO records system;
(6) Prepares the NRO Privacy Act report for submission to the DoD Privacy Office and to other authorities, as required by 32 CFR part 310.
(7) Reviews all procedures, including forms, which require an individual to furnish information for conformity with the Privacy Act.
(8) Retains the accounting of disclosures for at least five years or for the life of the record, whichever is longer, to be available for review by the subject of the record at his request except for disclosures made under paragraph (c)(7) of § 326.4; and
(9) Develops and oversees Privacy Act Program training for NRO personnel.
(c) The Privacy Act Appeals Panel, NRO:
(1) Meets and reviews all denials appealed by means of the NRO internal appeals process; and
(2) Recommends a finding to the Privacy Act Appeal Authority by a majority vote of those present at the meeting and based on the written record and the panel's deliberations.
(d) The Privacy Act Appeal Authority, NRO:
(1) Determines all NRO Privacy Act appeals.
(2) Reports the determination to the PA Coordinator.
(3) Signs the final appeal letter to the requester.
(e) General Counsel, NRO:
(1) Ensures uniformity in NRO legal positions concerning the Privacy Act and reviews proposed responses to Privacy Act requests to ensure legal sufficiency, as appropriate.
(2) Consults with DoD General Counsel on final denials that may be inconsistent with other final decisions within DoD; raises new legal issues of potential significance to other government agencies.
(3) Provides advice and assistance to the DNRO, the PA Coordinator, and component Directors, as required, in the discharge of their responsibilities pertaining to the Privacy Act.
(4) Advises on all legal matters concerning the Privacy Act, including legal decisions, rulings by the Department of Justice, and actions by DoD and other commissions on the Privacy Act.
(5) Approves all Privacy Act Statements prior to their reproduction and distribution.
(6) Acts as the NRO focal point for Privacy Act litigation with the Department of Justice.
(7) Provides a status report to the Defense Privacy Office, consistent with the requirements of 32 CFR part 310, whenever an individual brings suit
(f) Chief Information Officer (CIO), NRO:
(1) Ensures that NRO systems of records databases have procedures to protect the confidentiality of personal records maintained or processed by means of automatic data processing (ADP) systems and ensures that ADP systems contain appropriate safeguards for the privacy of personnel.
(2) Coordinates with the PA Coordinator before developing or modifying CIO-sponsored ADP supported files subject to the provisions of this part.
(g) Directorate and Office Managers, NRO:
(1) Ensure that records contained in their directorate or office systems of records are disclosed only to those NRO officials or employees who require the records for official purposes.
(2) Review their own directorate and office systems of records to ensure and certify that no systems of records other than those listed in the
(3) Maintain only such information about an individual as is relevant and necessary to accomplish a purpose which is required by statute or Executive Order and identify the specific provision of law or Executive Order which provides authority for the maintenance of information in each system of records.
(h) System Managers, NRO:
(1) Ensure that adequate safeguards have been established and are enforced to prevent the misuse, unauthorized disclosure, alteration, or destruction of personal information contained in system records.
(2) Ensure that all personnel who have access tothe system of records, or are engaged in developing or supervising procedures for handling records, are aware of their responsibilities established by the NRO Privacy Act Program.
(3) Evaluate each system of records during the planning stage and at regular intervals. The following factors should be considered:
(i) Relationship of data to be collected and retained to the purposes for which the system is maintained (all information must be relevant and necessary to the purpose for which it is collected).
(ii) The specific impact on the purpose or mission if categories of information are not collected (all data fields must be necessary to accomplish a lawful purpose or mission).
(iii) Whether informational needs can be met without using personal identifiers.
(iv) The cost of maintaining and disposing of records within the systems of records and the length of time each item of information must be retained according to the NRO Records Control Schedule as approved by the National Archives and Records Administration.
(4) Review system alterations or amendments to evaluate for relevancy and necessity.
(i) Forms and Information Managers. All NRO individualsresponsible for forms or methods used to collect personal information from individuals will:
(1) Ensure that Privacy Act Statements are on appropriate forms and that new forms have the required Privacy Act Statement.
(2) Determine, with General Counsel's concurrence, which forms require Privacy Act Statements and will prepare such statements.
(3) Assist the initiators in determining whether a form, format, questionnaire, or report requires a Privacy Act Statement. Privacy Act Statements must be complete, specific, written in plain English, and approved by the Office of General Counsel.
(j) Employees, NRO:
(1) Will be familiar with the provisions of this part regarding the maintenance of systems of records, authorized access, and authorized disclosure;
(2) Will collect, maintain, use, and/or disseminate records containing identifiable personal information only for lawful purposes; will keep the information current, complete, relevant, and accurate for its intended use; and will safeguard the records in a system and keep them the minimum time required;
(3) Will not disclose any personal information contained in any system of records, except as authorized by the Privacy Act and this part;
(4) Will maintain no system of records concerning individuals except those authorized, and will maintain no other information concerning individuals except as necessary for the conduct of business at the NRO;
(5) Will provide individuals a Privacy Act Statement when asking them to provide information about themselves. The Privacy Act Statement will include the authority under which the information is being requested, whether disclosure of the information is mandatory or voluntary, the purposes for which it is being requested, the uses to which it will be put, and the consequences of not providing the information;
(6) May not deny an individual any right or privilege provided by law because of that individual's failure to disclose his SSN unless such information is required by federal statute or disclosure was required by statute or regulations adopted prior to January 1, 1975. If disclosure of the SSN is not required, NRO directorates and offices are not precluded from requesting it from individuals; however, the Privacy Act Statement must make clear that the disclosure of the SSN is voluntary and, if the individual refuses to disclose it, must be prepared to identify him by alternate means.
(7) Will collect personal information directly from the subject whenever possible; employees may collect information from third parties when that information must be verified, opinions or evaluations are required, the subject cannot be contacted, or the subject requests it.
(8) Will keep paper and electronic records which contain personal information and are retrieved by name or personal identifier only in approved systems published in the Federal Register.
(9) Will amend and correct records when directed by the PA Coordinator.
(10) Will report to the PA Coordinator any disclosures of personal information from a system of records, or the maintenance of any system of records, not authorized by this part.
(a) An individual's written request for access to records about himself which does not specify the Act under which the request is made will be processed under both the Freedom of Information Act (FOIA) and the Privacy Act and the applicable regulations. Such requests will be processed under both Acts regardless of whether the requester cites one Act, both, or neither in the request in order to ensure the maximum possible disclosure to the requester. Individuals may not be denied access to a record pertaining to themselves merely because those records are exempt from disclosure under the FOIA.
(b) A Privacy Act request that neither specifies the system(s) of records to be searched nor identifies the substantive nature of the information sought will be processed by searching the systems of records categorized as Environmental Health, Safety and Fitness, FOIA/Privacy, General, and Security.
(c) A Privacy Act request that does not designate the system(s) of records to be searched but does identify the substantive nature of the information sought will be processed by searching those systems of records likely to have information similar to that sought by the requester.
(d) The NRO will not disclose any record to any person or government agency except by written request or prior written consent of the subject of the record unless the disclosure is required by law or is within the exceptions of the Privacy Act. If a requester authorizes another individual to obtain the requested records on his behalf, the requester shall provide a written, signed, notarized statement appointing that individual as his representative and certifying that the individual appointed may have access to the requester's records and that such access shall not constitute an invasion of his privacy nor a violation of his rights under the Privacy Act. In lieu of a notarized statement, the NRO will accept a declaration in accordance with 28 U.S.C. 1746.
(e) Upon receipt of a written request, the Privacy Act Coordinator (PA Coordinator) will release to the requester those records which are releasable and applicable to the individual making the request. Records about individuals include data stored electronically or in electronic media. Documentary material qualifies as a record if the record is maintained in a system of records.
(f) Initial availability, potential for release, and cost determination will usually be made within ten working days of the date on which a written request for any identifiable record is received by the NRO (and acknowledgement is sent to the individual). If additional time is needed due to unusual circumstances, a written notification of the delay will be forwarded to the requester within the ten working day period. This notification will briefly explain the circumstances for the delay and indicate the anticipated date for a substantive response.
(g) All requests will be handled in the order received on a ‘first-in, first-out’ basis. Requests will be considered for expedited processing only if the NRO determines that there is a genuine health, humanitarian, or due process reason involving possible deprivation of life or liberty which creates an exceptional and urgent need, that there is no alternative forum for the records sought, and that substantive records relevantto the stated needs may exist and be releasable.
(h) Records provided or originated by another agency or containing other agency information will not be released prior to coordination with the other agency involved.
(i) Requesting or obtaining access to records under false pretenses is a violation of the Privacy Act and is subject to criminal penalties.
(a) To the maximum extent practical, personal information about an individual will be obtained directly from that individual.
(b) Whenever an individual is asked to provide personal information, including Social Security Number (SSN) or a personal identifier, about himself, a Privacy Act Statement will be furnished that will advise him of the authority (whether by statute or by Executive Order) under which the information is requested, whether disclosure of the information is voluntaryor mandatory, the purposes for which it is requested, the uses to which it will be put, and the consequences of not providing the information.
(c) When asking third parties to provide information about other individuals, NRO employees will advise them:
(1) Of the purpose of the request, and
(2) That their identities and the information they are furnishing may be released to the individual unless they expressly request confidentiality. All persons interviewed must be informed of their rights and offered confidentiality.
(a)
(1)
(i) In addition, an alien lawfully admitted for permanent residence shall provide his Alien Registration Number and the date that status was acquired.
(ii) The parent or guardian of a minor or of a person judicially determined to
(2)
(3)
(b)
(a) The PA Coordinator shall acknowledge receipt of the request in writing within ten working days.
(b) Upon receipt of a request, the PA Coordinator shall refer the request to those components most likely to possess responsive records. The components shall search all relevant record systems within their cognizance and shall:
(1) Determine whether a responsive record exists in a system of records.
(2) Determine whether access must be denied and on what legal basis. An individual may be denied access to his records under the Privacy Act only if an exemption has been properly claimed for all or part of the records or information requested; or if the information was compiled in reasonable anticipation of a civil action or proceeding.
(3) Approve the disclosure of records for which they are the originator.
(4) Forward to the PA Coordinator all records approved for release or necessary for coordination with or referral to another originator or interested party as well as notification of the specific determination for any denial.
(c) When all records have been collected, the PA Coordinator shall notify the individual of the determination and shall provide an exact copy of records deemed to be accessible if a copy has been requested.
(d) When an original record is illegible, incomplete, or partially exempt from release, the PA Coordinator shall explain in terms understood by the requester the portions of a record that are unclear.
(e) If access to requested records, or any portion thereof, is denied, the PA Coordinator shall inform the requester in writing of the specific reason(s) for denial, including the specific citation to appropriate sections of the Privacy Act or other statutes, this and other NRO regulations, or the Code of Federal Regulations authorizing denial, and the right to appeal this determination through the NRO appeal procedure within 60 calendar days. The denial shall include the date of denial, the name and title/position of the denial authority, and the address of the NRO Appeal Authority. Access may be refused when the records are exempt by the Privacy Act. Usually an individual will not be denied access to the entire record, but only to those portions to which the denial of access furthers the purpose for which an exemption was claimed.
(a) Any individual whose request for access is denied may request a review
(1) The PA Coordinator, after acknowledging receipt of the appeal, shall promptly refer the appeal to the record-holding components, informing them of the date of receipt of the appeal and requesting that the component head or his designee review the appeal.
(2) The record-holding components shall review the initial denial of access to the requested records and shall inform the PA Coordinator of their review determination.
(3) The PA Coordinator shall consolidate the component responses, review the record, direct such additional inquiry or investigation as is deemed necessary to make a fair and equitable determination, and make a recommendation to the NRO Appeals Panel, which makes a recommendation to the Appeal Authority.
(4) The Appeal Authority shall notify the PA Coordinator of the result of the determination on the appeal, who shall notify the individual of the determination in writing.
(5) If the determination reverses the initial denial, the PA Coordinator shall provide a copy of the records requested. If the determination upholds the initial denial, the PA Coordinator shall inform the requester of his right to judicial review in U.S. District Court and shall include the exact reasons for denial with specific citations to the provisions of the Privacy Act, other statutes, NRO regulations, or the Code of Federal Regulations upon which the determination is based.
(b) The Appeal Authority shall act on the appeal or provide a notice of extension within 30 working days.
When requested medical and psychological records are not exempt from disclosure, the PA Coordinator may determine which non-exempt medical or psychological records should not be sent directly to the requester because of possible harm or adverse impact to the requester or another person. In that event, the information may be disclosed to a physician named by the requester. The appointment of the physician will be in the same notarized form or declaration as described in § 326.8 and will certify that the physician is licensed to practice in the appropriate specialty (medicine, psychology, or psychiatry). Upon designation, verification of the physician's identity, and agreement by the physician to review the documents with the requester to explain the meaning of the documents and to offer counseling designed to mitigate any adverse reaction, the NRO will forward such records to the designated physician. If the requester refuses or fails to designate a physician, the record shall not be provided. Under such circumstances refusal of access is not considered a denial for Privacy Act reporting purposes. However, if the designated physician declines to furnish the records to the individual, the PA Coordinator will take action to ensure that the records are provided to the individual.
(a) An individual may request amendment or correction of a record pertaining to him/her by addressing such request in writing, to the Privacy Act Coordinator, National Reconnaissance Office, 14675 Lee Road, Chantilly, VA 20151-1715. Incomplete or inaccurate requests will not be rejected categorically; instead, the requester will be asked to clarify the request as needed. A request will not be rejected or require resubmission unless additional information is essential to process the request. Usually, amendments under this part are limited to correcting factual errors and not matters of official judgment, such as promotion ratings
(1) The particular record he wishes to amend or correct, specifying the number of pages and documents, the titles of the documents, form numbers if any, dates on documents, and individuals who signed them. Any reasonable description of the documents is acceptable. A clear and specific description of passages, pages, or documents to be amended will expedite processing the request.
(2) The desired amending language. The requester should specify the type of amendment, including complete removal of data, passages, or documents from record or correction of information to make it accurate, more timely, complete, or relevant.
(3) A justification for such amendment or correctionto include any documentary evidence supporting the request.
(b) Individuals will be required to provide verification of identity as in § 326.8. to ensure that the requester is seeking to amend records pertaining to himself and not, inadvertently or intentionally, the records of another individual.
(c) Minor factual errors in an individual's personal record may be corrected routinely upon request without resort to the Privacy Act or the provisions of this part, if the requester and the record holder agree to that procedure and the requester receives a copy of the corrected record whenever possible. A written request is not required when individuals indicate amendments during routine annual review and updating of records programs conducted by the NRO for civilian personnel and the Services for military personnel. Requests for deletion, removal of records, and amendment of substantive factual information will be processed according to the Privacy Act and the provisions of this part.
(d) The PA Coordinator shall acknowledge receipt of the request in writing within ten working days. No separate acknowledgement of receipt is necessary if the request can be either approved or denied and the requester advised within the ten-day period. For written requests presented in person, written acknowledgement may be provided at the time the request is presented.
(e) The PA Coordinator shall refer such request to the record-holder components, shall advise those components of the date of receipt, and shall request that those components make a prompt determination on such request.
(f) The record-holder components shall promptly:
(1) Make any amendment or correction to any portion of the record which the individual believes is not accurate, relevant, timely, or complete and notify the PA Coordinator and all holders and recipients of such records and their amendments that the correction was made; or
(2) Set forth the reasons for the refusal, if they determine that the requested amendment or correction will not be made or if they decline to make the requested amendment but instead augment the official record, and so inform the PA Coordinator.
(g) The Privacy Act Coordinator shall:
(1) Inform the requester of the agency's determination to make the amendment or correction as requested and notify all prior recipients of the change to the disputed records for which an accounting had been required; or
(2) Inform the requester of the specific reasons and legal authorities for the agency's refusal and the procedures established for him to request a review of that refusal.
(h) The amendment procedure is not intended to replace other existing procedures such as those for registering grievances or appealing performance appraisal reports. In such cases the requester will be apprised of the appropriate procedures for such actions.
(i) This part does not permit the alteration of evidence presented to courts, boards, or other official proceedings.
(a) Any individual whose request for amendment or correction is denied may request a review of the initial decision within 60 calendar days of the
(1) The PA Coordinator, after acknowledging receipt of the appeal, shall promptly refer the appeal to the record-holding components, informing them of the date of receipt of the appeal and requesting that the component head or his designee review the appeal.
(2) The record-holding components shall review the initial denial of access to the requested records and shall inform the PA Coordinator of their review determination.
(3) The PA Coordinator shall act as secretary of the Appeals Panel. He shall:
(i) Consolidate the component responses and reasons for the initial denial.
(ii) Provide all supporting materials both furnished to and by the requester and the record-holding component.
(iii) Review the record.
(iv) Direct such additional inquiry or investigation as is deemed necessary to make a fair and equitable determination.
(v) Prepare the record and schedule the appeal for the next meeting of the Appeals Panel. The Appeals Panel shall recommend a finding to the Appeal Authority by a majority vote of those present at the meeting based on the written record and the Panel's deliberations. No personal appearances shall be permitted without the express permission of the Panel.
(4) The Appeal Authority shall notify the PA Coordinator of the result of the determination on the appeal who shall notify the individual of the determination in writing.
(5) The Appeal Authority will notify the PA Coordinator if the determination is that the record should be amended. The PA Coordinator will promptly advise the requester and the office holding the record to amend the record and to notify all prior recipients of the records for which an accounting was required of the change.
(6) If the determination upholds the initial denial, in whole or in part, the PA Coordinator shall inform the requester:
(i) Of the denial and the reason.
(ii) Of his right to file in NRO records within 60 calendar days a concise statement of the reasons for disputing the information contained in the record. If the requester elects to file a statement of disagreement, the PA Coordinator will be responsible for clearly noting any portion of the record that is disputed and for appending into the file the requester's statement as well as a copy of the NRO's letter to the requester denying the disputed information, if appropriate. The requester's statement and the NRO denial letter will be made available to anyone to whom the record is subsequently disclosed, and prior recipients of the disputed record will be provided a copy of both to the extent that an accounting of disclosures is maintained.
(iii) Of his right to judicial review in U.S. District Court.
(7) The Appeal Authority shall act on the appeal or provide a notice of extension within 30 working days.
(a) Personal records contained in a Privacy Act system of records maintained by NRO shall not be disclosed by any means to any person or agency outside the NRO except with the written consent of the individual subject of the record, unless as provided in this part.
(b) Except for disclosure made to members of the NRO in connection with their official duties and disclosures required by the Freedom of Information Act, an accounting will be kept of all disclosures of records maintained in NRO systems of records and of all disclosures of investigative information. Accounting entries will record the date, kind of information, purpose of each disclosure, and the name and address of the person or agency to
Individuals requesting copies of their official personnel records are entitled to one free copy; a charge will be assessed for additional copies. There is a cost of $.15 per page. Fees will not be assessed if the cost is less than $30.00. Fees should be paid by check or postal money order payable to the Treasurer of the United States and forwarded to the Privacy Act Coordinator, NRO, at the time the copy of the record is delivered. In some instances, fees will be due in advance.
Each request shall be treated as a certification by the requester that he is the individual named in the request. The Privacy Act provides criminal penalties for any person who knowingly and willfully requests or obtains any information concerning an individual under false pretenses.
(a) All systems of records maintained by the NRO shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and which is required by the Executive Order to be withheld in the interest of national defense of foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain items of information that have been properly classified.
(b) No system of records within the NRO shall be considered exempt under subsection (j) or (k) of the Privacy Act until the exemption and the exemption rule for the system of records has been published as a final rule in the
(c) An individual is not entitled to have access to any information compiled in reasonable anticipation of a civil action or proceeding (5 U.S.C. 552a(d)(5)).
(d) Proposals to exempt a system of records will be forwarded to the Defense Privacy Office, consistent with the requirements of 32 CFR part 310, for review and action.
Pub. L. 93-579, 88 Stat. 1896 (5 U.S.C. 522a).
65 FR 39806, June 28, 2000, unless otherwise noted.
This part implements the basic policies and procedures for the implementation of the Privacy Act of 1974, as amended (5 U.S.C. 552a); OMB Circular A-130;
This part applies to Headquarters, Field Operating Activities (FOA), Regions, Zones, Central Distribution Centers (CDC), Commissaries of DeCA, and contractors during the performance of a contract with DeCA. All personnel are expected to comply with the procedures established herein.
(a)
(2) Appoints:
(i) The Executive Director for Support as the DeCA Initial Denial Authority for the DeCA Privacy Act Program.
(ii) The Records Manager, Office of Safety, Security, and Administration as the DeCA Privacy Act Officer.
(b)
(2) Provides guidance, assistance and training.
(3) Controls and monitors all requests received and prepares documentation to the office of primary responsibility (OPR) for response.
(4) Prepares response to requester based on information provided by the OPR.
(5) Signs all response requests for releasable information to the requester after coordination through the General Counsel. Ensures that all denied requests for information are released by the DeCA Initial Denial Authority.
(6) Publishes instructions to contractors that:
(i) Provide DeCA Privacy program guidance to their personnel who solicit, award, or administer government contracts;
(ii) Inform prospective contractors of their responsibilities regarding the DeCA Privacy Program; and
(iii) Establish an internal system of contractor performance review to ensure compliance with DeCA's Privacy program.
(iv) Prepare and submit System Notices to the Defense Privacy Office for publication in the
(7) Maintain Privacy Case files and records of disclosure accounting.
(8) Submit the DeCa Annual Privacy Act Report (RCS: DD-DA&M(A)1379) to the Defense Privacy Office.
(c)
(2) In the event the information is to be denied release, the requested information and rationale for denial will be forwarded to the PA Officer for denial determination.
(d)
(e)
(2) Collect all information available and forward to the DeCA PA Officer. If the requested information is not available, provide the DeCA PA Officer the rationale to respond to the requester.
(f)
(2) Collect all information available and forward it to the Region Coordinator for submission to DeCA PA Officer. If requested information is not available, provide the Region Coordinator the rationale so they can prepare a response to the DeCA PA Officer. If the information is available but determined to be exempt, provide the Region Coordinator with the requested information and specific reasons why the request should be denied. The Region Coordinator will formalize a reply to the DeCA PA Officer, forwarding requested information and reasons for denial. The DeCA PA Officer will prepare the response to the requester with coordination by the General Counsel and signature by the IDA.
(a)
(1) Consist of “records” that are retrieved by the name of an individual or some other personal identifier, and
(2) Be under the control of DeCA.
(b)
(c)
(d)
(1) DeCA will not maintain any records describing how an individual exercises his or her rights guaranteed by the First Amendment of the U.S. Constitution.
(2) These rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition.
(e)
(1) The relationship of each item of information retained and collected to the purpose for which the system is maintained.
(2) The specific impact on the purpose or mission of not collecting each category of information contained in the system.
(3) The possibility of meeting the informational requirements through use of information not individually identifiable or through other techniques, such as sampling.
(4) The length of time each item of personal information must be retained.
(5) The cost of maintaining the information.
(6) The necessity and relevancy of the information to the purpose for which it was collected.
(f)
(2) Disposition of these records will be provided by the DeCA PA Officer in accordance with the DeCA Filing System.
(g)
(2) If the contractor must use or have access to individually identifiable information subject to this part to perform any part of a contract, and the information would have been collected and maintained by DeCA but for the award of the contract, these contractor activities are subject to this part.
(3) The restrictions in paragraphs (g)(1) and (g)(2) of this section do not apply to records:
(i) Established and maintained to assist in making internal contractor management decisions such as those maintained for use in managing the contract.
(ii) Those maintained as internal contractor employee records even when used in conjunction with providing goods and services to DeCA.
(4) Disclosure of records to contractors. Disclosure of personal records to a contractor for the use in the performance of any DeCA contract is considered a disclosure within the Department of Defense (DoD). The contractor is considered the agent of DeCA and is to be maintaining and receiving the records for DeCA.
(h)
(1) Supervisor/Manager paper records maintained by DeCA personnel will be treated as ‘For Official Use Only’ (FOUO) documents and secured in locked file cabinets, desks or bookcases during non-duty hours. During normal working hours, these records will be out-of-sight if the working area is accessible to non-government personnel.
(2) Personnel records maintained by DeCA computer room or stand alone systems, will be safeguarded at all times. Printed computer reports containing personal data must carry the markings FOUO. Other media storing personal data such as tapes, reels, disk packs, etc., must be marked with labels which bear FOUO and properly safeguarded.
(3) Adherence to paragraphs (h)(1) and (h)(2) of this section, fulfills the requirements of 32 CFR part 285.
(i)
(2) The transfer of large quantities of DeCA records containing personal data to disposal activities is not considered a release of personal information under this part. The volume of such transfers makes it difficult or impossible to identify easily specific individual
(a)
(b)
(1) Verification of information through third party sources for security or employment suitability determinations;
(2) Seeking third party opinions such as supervisory comments as to job knowledge, duty performance, or other opinion-type evaluations;
(3) When obtaining the needed information directly from the individual is exceptionally difficult or may result in unreasonable costs; or
(4) Contacting a third party at the request of the individual to furnish certain information such as exact periods of employment, termination dates, copies of records, or similar information.
(c)
(2) When an individual is requested to provide their SSN, they must be told:
(i) the uses that will be made of the SSN;
(ii) The statute, regulation or rule authorizing the solicitation of the SSN; and
(iii) Whether providingthe SSN is voluntary or mandatory.
(3) Once the SSN has been furnished for the purpose of establishing a record, the notification in paragraph (c)(2) of this section is not required if the individual is only requested to furnish or verify the SSNs for identification purposes in connection with the normal use of his or her records.
(d)
(1)
(i) The specific Federal statute or Executive Order that authorized collection of the requested information;
(ii) The principal purpose or purposes for which the information is to be used;
(iii) The routine uses that will be made of the information;
(iv) Whether providing the information is voluntary or mandatory; and
(v) The effects on the individual if he or she chooses not to provide the requested information.
(2)
(i) Below the title of the form and positioned so the individual will be advised of the requested information,
(ii) Within the body of the form with a notation of its location below the title of the form,
(iii) On the reverse of the form with a notation of its location below the title of the form,
(iv) Attached to the form as a tear-off sheet, or
(v) Issued as a separate supplement to the form.
(3)
(a)
(1)
(ii) If an individual wishes to be accompanied by a third party when seeking access to his or her records or to have the records released directly to the third party, a signed access authorization granting the third party access is required.
(iii) A DeCA individual will not be denied access to his or her records because he or she refuses to provide his or her SSN unless the SSN is the only way retrieval can be made.
(2)
(ii) DeCA personnel may be denied access to information compiled in reasonable anticipation of a civil action or proceeding. The term “civil proceeding” is intended to include quasi-judicial and pretrial judicial proceedings. Information prepared in conjunction with the quasi-judicial, pretrial and trial proceedings to include those prepared by DeCA legal and non-legal officials of the possible consequences of a given course of action are protected from access.
(iii) Requests by DeCA personnel for access to investigatory records pertaining to themselves, compiled for law enforcement purposes, are processed under this part and that of 32 CFR part 310. Those requests by DeCA personnel for investigatory records pertaining to themselves that are in records systems exempt from access provisions shall be processed under this part or 32 CFR part 285, depending upon which provides the greatest degree of access.
(3)
(ii) Personal uncirculate handwritten notes of team leaders, office supervisors, or military supervisory personnel concerning subordinates are not a system of records within the meaning of this part. Such notes are an extension of the individual's memory. These notes, however, must be maintained and discarded at the discretion of the individual supervisor and not circulated to others. Any established requirement to maintain such notes (written or oral directives, regulation or command policy) make these notes “AGENCY RECORDS.” If the notes are circulated, they must be made a part of the system of records. Any action that gives personal notes the appearance of official agency records is prohibited unless they have been incorporated into a DeCA system of records.
(b)
(2) Request from DeCA individuals or access to a record pertaining to themselves are processed under this part and 32 CFR part 310.
(3) Requests from DeCA individuals for access to records about themselves that cite both Acts or the DeCA implementing directives for both Acts are processed under this part except:
(i) When the access provisions of the FOIA provide a greater degree of access process under the FOIA, or
(ii) When access to the information sought is controlled by another Federal statute process access procedures under the controlling statute.
(4) Requests from DeCA individuals for access to information about themselves in a system of records that do not cite either Act or DeCA implementing directive are processed under the procedures established by this part.
(5) DeCA requesters will not be denied access to personal information concerning themselves that would be releasable to them under either Act because they fail to cite either Act or the wrong Act. The Act or procedures used in granting or denying access will be explained to requesters.,
(6) DeCA requesters should receive access to their records within 30 days.
(7) Records in all DeCA systems maintained in accordance with the Government-wide systems notices are in temporary custody of DeCA, and all requests or amend these records will be processed in accordance with this part.
(c)
(i) Was compiled in reasonable anticipation of civil action.
(ii) Is in a system of records that has been exempt from access provisions of this part.
(iii) All systems of records maintained by the Defense Commissary Agency shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and which is required by the Executive Order to be withheld in the interest of national defense or foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain items of information that have been properly classified.
(iv) Is contained in a system of records for which access may be denied under some other Federal statute.
(v) All systems of records maintained by the DeCA shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and which is required by the Executive Order to be withheld in the interest of national defense of foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain items of information that have been properly classified.
(2) DeCA individuals will only be denied access to those portions of the records from which the denial of access
(3) Other reasons to refuse DeCA individuals are:
(i) The request is not described well enough to locate it within a reasonable amount of effort by the PA Officer or PA Coordinator; or
(ii) An individual fails to comply with the established requirements including refusing to name a physician to receive medical records when required or to pay fees.
(4) Only the DeCA IDA can deny access. This denial must be in writing and contain:
(i) The date of the denial, name, title of position, and signature of the DeCA Initial Denial Authority.
(ii) The specific reasons for the denial, including specific reference to the appropriate sections of the PA, other statutes, this part or the Code of Federal Regulations (CFR);
(iii) Information providing the right to appeal the denial through the DeCa appeal procedure within 60 days, and the title, position and address of the DeCA PA Appellate Authority.
(5)
(i) Assign a control number and process the appeal to the Director, DeCA or the designee appointed by the Director.
(ii) Provide formal written notification to the individual by the appeal authority explaining whether the denial is sustained totally or in part and the exact reasons for the denial to include provisions of the Act, other statute, this part or the CFR whichever the determination is based, or
(iii) Provide the individual access to the material if the appeal is granted.
(iv) Process all appeals within 30 days of receipt unless the appeal authority determines the review cannot be made within that period and provide notification to the individual the reasons for the delay and when an answer may be expected.
(d)
(i) A description of the item or items to be amended.
(ii) The specific reason for the amendment.
(iii) The type of amendment action such as deletion, correction or addition.
(iv) Copies of evidence supporting the request.
(v) DeCA employees may be required to provide identification to make sure that they are indeed seeking to amend a record pertaining to themselves.
(2) The amendment process is not intended to permit the alteration of evidence presented in the course of judicial or quasi-judicial proceedings. Amendments to these records are made through specific procedures established for the amendment of these records.
(i) Written notification will be provided to the requester within 10 working days of its receipt by the DeCA PA Officer. No notification will be provided to the requester if the action completed within the 10 days. Only under exceptional circumstances will more than 30 days be required to reach the decision to amend a request. If the decision is to grant all or in part of the request for amendment, the record will be amended and the requester informed and all other offices/personnel known to be keeping the information.
(ii) If the request for amendment is denied in whole or in part, The PA Officer will notify the individual in writing and provide the specific reasons and the procedures for appealing the decision.
(iii) All appeals are to be processed within 30 days. If additional time is required, the requester will be informed and provided when a final decision may be expected.
(e)
(i) Copying is performed for the convenience of the Government or is the only means to make the record available for the individual.
(ii) No reading room is available for the individual to review the record or a copy is made to keep the original in DeCA files.
(iii) The information may be obtained without charge under any other regulation, directive, or statute.
(2) No fees will be collected for search, retrieval, and review of records to determine releasability, copying of records when the individual has not requested a copy, transportation of records and personnel, or normal postage.
(a)
(2) For the purposes of disclosure and disclosure accounting, the Department of Defense is considered a single agency.
(3) Personal information from DeCA systems of records will not be disclosed outside the DoD unless:
(i) The record has been requested by the individual to whom it pertains,
(ii) Written consent has been given by the individual to whom the record pertains for release to the requesting agency, activity, or individual, or
(iii) The release is pursuant to one of the specific nonconsensual purposes set forth in the Act.
(4) Records may be disclosed without the consent of a DeCA individual to any DoD official who has need for the record in the performance of their assigned duties. Rank, position, or title alone does not authorize this access. An official need for this information must exist.
(5) DeCA records must be disclosed if their release is required by 32 CFR part 285, which is implemented by DeCA Directive 30-12.
(b)
(1) Civilian employees:
(i) Name,
(ii) Present and past position titles,
(iii) Present and past grades,
(iv) Present and past salaries,
(v) Present and past duty stations,
(vi) Office or duty telephone numbers,
(2) Military members:
(i) Full name,
(ii) Rank,
(iii) Date of rank,
(iv) Gross salary,
(v) Past duty assignments,
(vi) Present duty assignments,
(vii) Future assignments that are officially established,
(viii) Office or duty telephone numbers,
(ix) Source of commission,
(x) Promotion sequence number,
(xi) Awards and decorations,
(xii) Attendance at professional military schools,
(xiii) Duty status at any given time.
(3) All disclosures of personal information on civilian employees shall be made in accordance with the Office of Personnel Management (OPM) and all disclosures of personal information on military members shall be made in accordance with the standards established by 32 CFR part 285.
(4) The release of DeCA employees' home addresses and home telephone numbers is considered a clearly unwarranted invasion of personal privacy and is prohibited; however, these may be released without prior consent of the employee if:
(i) The employee has indicated previously that he or she consents to their release,
(ii) The releasing official was requested to release the information under the provisions of 32 CFR part 285.
(5) Before listing home addresses and home telephone numbers in any DeCA telephone directory, give the individuals the opportunity to refuse such a listing.
(c)
(2) A routine use shall:
(i) Be compatible with the purpose for which the record was collected;
(ii) Indicate to whom the record may be released;
(iii) Indicate the uses to which the information may be put by the receiving agency; and
(iv) Have been published previously in the
(3) A routine use will be established for each user of the information outside DeCA who need official access to the records. This use may be discontinued or amended without the consent of the individual/s involved. Any routine use that is new or changed is published in the
(d)
(1) The civil or criminal law enforcement activity is authorized by law (Federal, State, or local); and
(2) The head of the agency or instrumentality (or designee) has made a written request to the Component specifying the particular record or portion desired and the law enforcement activity for which it is sought.
(3) Blanket requests for any and all records pertaining to an individual shall not be honored. The requesting agency or instrumentality must specify each record or portion desired and how each relates to the authorized law enforcement activity.
(4) This disclosure provision applies when the law enforcement agency or instrumentality request the record, If the DoD Component discloses a record outside the DoD for law enforcement purposes without the individual's consent and without an adequate written request, the disclosure must be pursuant to an established routine use, such as the blanket routine use for law enforcement.
(e)
(i) Personal information concerning the patient that is provided in § 327.8 and under provisions of 32 CFR part 285.
(ii) The medical condition such as the date of admission or disposition and the present medical assessment of the individual's condition in the following terms if the medical doctor has volunteered the information:
(A) The individual's condition is presently (stable) (good) (fair) (serious) or (critical), and
(B) Whether the patient is conscious, semi-conscious or unconscious.
(2) Detailed medical and other personal information may be released on a DeCA employee only if the employee has given consent to the release. If the employee is not conscious or competent, no personal information, except that required by 32 CFR part 285, will be released until there has been enough improvement in the patient's condition for them to give informed consent.
(3) Any item of personal information may be released on a DeCA patient if the patient has given consent to its release.
(4) This part does not limit the disclosure of personal medical information for other government agencies' use in determining eligibility for special assistance or other benefits provided disclosure in pursuant to a routine use.
Dear Mrs. Employee: This responds to your Privacy Act request dated (enter date of request), in which you requested (describe requested records).
Your request has been referred to our headquarters for further processing. They will respond directly to you. Any questions concerning your request may be made telephonically (enter Privacy Officer's telephone number) or in writing to the following address:
Defense Commissary Agency, Safety, Security, and Administration, Attention: FOIA/PA Officer, Fort Lee, VA 23801-1800.
I trust this information is responsive to your needs.
(a)
(b)
(c)
(d)
(e)
(f)
(g)
(h)
(1) Risk: If prescribed policies, procedures and responsibilities of the Privacy Act Program are not adhered to, sensitive private information on individuals can be given out to individuals.
(2) Control Objectives: The prescribed policies, procedures and responsibilities contained in 5 U.S.C. 552a are followed to protect individual privacy and information release.
(3) Control Techniques: 32 CFR part 310 and DeCA Directive 30-13,
(i) Ensure that a PA program is established and implemented.
(ii) Appoint an individual with PA responsibilities and ensure the designation of appropriate staff to assist.
(4) Test Questions: Explain rationale for YES responses or provide cross-references where rationale can be found. For NO responses, cross-reference to where corrective action plans can be found. If response is NA, explain rationale.
(i) Is a PA program established and implemented in DeCA to encompass procedures for subordinate activities? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:
(ii) Is an individual appointed PA responsibilities? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:
(iii) Are the current names and office telephone numbers furnished OSD, Private Act Office of the PA Officer and the IDA? (DeCA HQ/SA). Response: Yes / No / NA. Remarks:
(iv) Is the annual PA report prepared and forwarded to OSD, Defense Privacy Office? (DeCA HQ/SA). Response: Yes / No / NA. Remarks:
(v) Is PA awareness training/orientation provided? Is in-depth training provided for personnel involved in the establishment, development, custody, maintenance and use of a system of records? (DeCA HQ/SA, Region). Response: Yes / No / NA. Remarks:
(vi) Is the PA Officer consulted by information systems developers for privacy requirements which need to be included as part of the life cycle management of information consideration in information systems design? (DeCA HQ/SA, Region). Response: Yes / No / NA. Remarks:
(vii) Is each system of records maintained by DeCA supported by a Privacy Act System Notice and has the systems notice been published in the
(i)
(1) Risk: Failure to process PA requests correctly could result in privacy information being released which subjects the Department of Defense, DeCA or individuals to criminal penalties.
(2) Control Objective: PA requests are processed correctly.
(3) Control Technique:
(i) Ensure PA requests are logged into a formal control system.
(ii) Ensure PA requests are answered promptly and correctly.
(iii) Ensure DeCA records are only withheld when they fall under the general and
(iv) Ensure all requests are coordinated through the General Counsel.
(v) Ensure all requests are denied by the DeCA IDA.
(vi) Ensure all appeals are forwarded to the Director DeCA or his designee.
(4) Test Questions:
(i) Are PA requests logged into a formal control system? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:
(ii) Are individual requests for access acknowledged within 10 working days after receipt? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:
(iii) when more than 10 working days are required to respond to a PA request, is the requester informed, explaining the circumstances for the delay and provided an approximate date for completion? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:
(iv) Are DeCA records withheld only when they fall under one or more of the general or specific exemptions of the PA or one or more of the nine exemptions of the FOIA? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:
(v) Do denial letters contain the name and title or position of the official who made the determination, cite the exemption(s) on which the denial is based and advise the PA requester of their right to appeal the denial to the Director DeCA or designee? (DeCA HQ/SA). Response: Yes / No / NA. Remarks:
(vi) Are PA requests denied only by the HQ DeCA IDA? (All). Response: Yes / No / NA. Remarks:
(vii) Is coordination met with the General Counsel prior to forwarding a PA request to the IDA? (DeCA HQ/SA). Response: Yes / No / NA. Remarks:
(j)
(1) Risk: Obtaining personal information resulting in a violation of the PA.
(2) Control Objective: Establish a system before data collection and storage to ensure no violation of the privacy of individuals.
(3) Control Technique: Ensure Privacy Act Statement to obtain personal information is furnished to individuals before data collection.
(4) Test Questions:
(i) Are all forms used to collect information about individuals which will be part of a system of records staffed with the PA Officer for correctness of the Privacy Act Statement? (DeCA HQ/SA, Region). Response: Yes / No / NA. Remarks:
(ii) Are Privacy Statements prepared and issued for all forms, formats and questionnaires that are subject to the PA, coordinated with the DeCA forms manager? (DeCA HQ/SA, Region). Response: Yes / No / NA. Remarks:
(iii) Do Privacy Act Statements furnished to individuals provide the following:
(A) The authority for the request.
(B) The principal purpose for which the information will be used.
(C) Any routine uses.
(D) The consequences of failing to provide the requested information. Yes / No / NA. Remarks:
(k)
(1) Risk: Unprotected records allowing individuals without a need to know access to privacy information.
(2) Control Objective: PA records are properly maintained throughout their life cycle.
(3) Control Technique: Ensure the prescribed policies and procedures are followed during the life cycle of information.
(4) Test Questions:
(i) Are file cabinets/containers that house PA records locked at all times to prevent unauthorized access? (All). Response: Yes / No / NA. Remarks:
(ii) Are personnel with job requirement (need to know) only allowed access to PA information? (All). Response: Yes / No / NA. Remarks:
(iii) Are privacy act records treated as unclassified records and designated ‘For Official Use Only’? (All). Response: Yes / No / NA. Remarks:
(iv) Are computer printouts that contain privacy act information as well as disks, tapes and other media marked ‘For Official Use Only’? (All). Response: Yes / No / NA. Remarks:
(v) Is a Systems Manager appointed for each automated/manual PA systems of records? (DeCA HQ/SA, Region). Response: Yes / No / NA. Remarks:
(vi) Are PA records maintained and disposed of in accordance with DeCA Directive 30-2,
(1) I attest that the above listed internal controls provide reasonable assurance that DeCA resources are adequately safeguarded. I am satisfied that if the above controls are fully operational, the internal controls for this sub-task throughout DeCA are adequate.
Safety, Security and Administration.
FUNCTIONAL PROPONENT.
I have reviewed this sub-task within my organization and have supplemented the prescribed internal control review checklist when warranted by unique environmental circumstances. The controls prescribed in this checklist, as amended, are in place and operational for my organization (except for
ASSESSABLE UNIT MANAGER (Signature).
(a)
(b)
(c)
(d)
(e)
(f)
(g)
(h)
(i)
(j)
(k)
(l)
(m)
(n)
10 U.S.C. 125.
This part:
(a) Establishes a policy and procedure by which the Department of Defense will invite the comments of the public on those of its proposed regulations and other types of rulemaking as described hereafter which originate within the Department of Defense as a requirement of general applicability and future effect designed to implement, interpret, or prescribe law or policy, or practice or procedure requirements of a component. This requirement applies to those regulations which constitute the authority for actions having a substantial and direct impact on the public when consistent with other responsibilities of the Department for the efficient and responsible conduct of public business.
(b) Implements the provisions of 5 U.S.C. 552 relating to the kinds of regulations that must be published in the
(a) The provisions of this part apply to the Office of the Secretary of Defense, the Military Departments, the Organization of the Joint Chiefs of Staff, and the Defense Agencies (hereinafter referred to singularly as a “DoD component” or collectively as “DoD components”).
(b) These provisions are applicable to those directives, instructions, regulations, policy memoranda, manuals, and other forms of rulemaking (hereinafter referred to as “regulations”) that have a substantial and direct impact on the public. Only a regulation which must be published in the
(c) The determination by the component originating a regulation shall be final and conclusive in determining whether a regulation or a proposed regulation comes within the purview of this part. Consideration shall be given, however, to the definition of “rulemaking” found in 5 U.S.C. 551 as it relates to the requirements of 5 U.S.C. 553 in making this determination.
(d) The requirement for inviting public comment on a proposed regulation shall not be deemed applicable to any proposed regulation coming within one or more of the following exemptions or exceptions to the rulemaking procedures set forth in 5 U.S.C. 553.
(1) Any matter pertaining to a military or foreign affairs function of the United States which has been determined under the criteria of an Executive Order or statute to require a security classification in the interests of national defense or foreign policy.
(2) Any matter relating to (i) agency management, (ii) agency personnel, or (iii) public contracts (e.g., the Armed Services Procurement Regulation), including nonappropriated fund contracts.
(3) Any matter involving (i) interpretative rules, (ii) general statements of policy, or (iii) rules of agency organization, procedure, or practice.
(4) Any situation in which the DoD Component for good cause finds that inviting public comment on a proposed regulation is (i) impracticable, (ii) unnecessary, or (iii) contrary to the public interest, and incorporates in the adopted regulation that determination and its basis.
(e) Exceptions to the requirement in 5 U.S.C. 552 for publication in the
(a) It is the policy of the Department of Defense to encourage the maximum practicable participation of the public in the formulation of regulations having a substantial and direct impact on the public, and to inform the public fully through publication in the
(b) A proposed regulation which would originate a Department of Defense policy having a substantial and direct impact on the public should be published, along with a notice of purpose and authority, in the
(c) After their adoption, all regulations for the guidance of the public shall be published in the
(a) The general notice of a proposed regulation shall be published in the
(b) The notice shall include:
(1) A statement of the purpose and objective of the proposed regulation;
(2) Reference to the legal authority under which the regulation is proposed; and
(3) The terms or substance of the proposed regulation.
(c) Whenever the originating DoD Component finds that notice and prepublication of a proposed regulation for public comment are impracticable, unnecessary, or contrary to the public interest, it shall incorporate that finding and a brief statement of its reasons in the adopted regulation, or it may adopt and publish in the
(d) Following the publication of notice and the proposed regulation in the
Subject to the exemptions set forth in 32 CFR 286.6:
(a) Each DoD Component shall publish in the
(b) Information to be published in the
(1) Descriptions of the central and field organization of the component concerned, and the established places at which, the employees or members of the armed forces from whom, and the methods whereby the public may secure information, make submittals or requests, or obtain decisions.
(2) The procedures by which a DoD Component conducts its business with the public, both formally and informally.
(3) The rules of procedure which must be followed, the description of forms which must be completed, or the source from which forms may be obtained, and instructions on the scope and content of papers, reports, examinations required to be submitted pursuant to such rules of procedures, as adopted by the component.
(4) Directives, instructions, regulations, manuals, policy memorandums, statements of general policy, or interpretation of general applicability adopted by the agency, and other substantive rules of general applicability affecting the public.
(c) With the approval of the Director of the
(1) In order to be eligible for incorporation by reference, the matter must be in the nature of published data, criteria, standards, specifications, techniques, illustrations, or other published information reasonably available to members of class affected thereby.
(2) Incorporation by reference is not acceptable as a complete substitute for promulgating in full text material required to be published by 5 U.S.C. 552.
(3) Incorporation by reference is acceptable as a means of avoiding unnecessary repetition within the promulgated document of published information already reasonably available to the class affected. Examples include:
(i) Construction standards promulgated by a professional association or architects, engineers, or builders.
(ii) Code of ethics promulgated by professional organizations.
(iii) Forms and formats publicly or privately published and readily available to the persons required to use them.
(d) It is incumbent upon each component to review all information of the type described in paragraph (b) of this section, to insure that it is published on an up-to-date basis in the
Each component shall accord any interested person the right to petition for the issuance, amendment, or repeal of a regulation that originates or would originate, for the Department of Defense or that component, a policy, requirement, or procedure coming within the scope of § 336.4. Any such petition shall be given full and prompt consideration by the component charged with the responsibility for issuing such a regulation. The petitioner shall be advised in writing of the disposition, and the reason for the disposition, of any written petition for the issuance, amendment, or repeal of a regulation. The official responsibility for disposition of the petition may at his absolute discretion, grant the petitioner a right to appear for the purpose of supporting his petition if this is compatible with the orderly conduct of public business.
This part becomes effective on February 1, 1975, but is applicable only to the regulations promulgated under the authority of a component after April 1, 1975. Two copies of implementing regulations shall be forwarded to the General Counsel of the Department of Defense on or before April 1, 1975.
10 U.S.C. 133, 31 U.S.C. 483a.
DoD Directives, DoD Instructions, and changes published in Chapter 2—Number Index section of DoD 5025.1-I, “DoD Directives System Annual Index” (except those issuances identified as classified) are available to the public and Government Agencies, at cost, from the National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161, telephone 703-487-4650.
DoD publications and changes published in Chapter 3—Publications section of DoD 5025.1-l, “DoD Directives System Annual Index” are available from the various sources that are identified in the Availability Column. Addresses for forwarding written requests to the various sources are listed at the beginning of chapter 3. A fee will be charged for DoD Publications ordered from the National Technical Information Service.
10 U.S.C. 133, 5 U.S.C. 552.
(a) The DNA issuances published in the DNA indexes are published under the following subject groups:
(b) Copies of DNA indexes and instructions may be ordered by telephone or letter. The commercial telephone number is (703) 325-7095. Include personal or company name, street address or post office box, city, state, country (if applicable) and zip code when submitting requests. Submit written requests to: Defense Nuclear Agency, Public Affairs Office, Washington, DC 20305-1000.
(c) This service is provided to the public and to federal agencies other than the Department of Defense. DNA does not charge for requests for an index and one instruction; however, fees for larger orders are determined on a case-by-case basis.