This part updates and implements basic policies and procedures outlined in 5 U.S.C. 552a, OMB Circular A-130,1 and DoD 5400.11-R 2 and provides guidance and procedures for use in establishing the Privacy Program in the Office of the Secretary of Defense (OSD) and those organizations assigned to OSD for administrative support.

This part:

(a) Applies to the OSD, the Chairman of the Joint Chiefs of Staff, Uniformed Services University of the Health Sciences (USUHS) and other activities assigned to OSD for administrative support hereafter referred to collectively as “OSD Components.”

(b) Covers record systems maintained by OSD Components and governs the maintenance, access, change, and release of information contained in OSD Component record systems, from which information about an individual is retrieved by a personal identifier.

Access. Any individual's review of a record or a copy of a record or parts of a system of records.

Disclosure. The transfer of any personal information from a system of records by any means of oral, written, electronic, mechanical, or other communication, to any person, private entity, or Government agency, other than the subject of the record, the subject's designated agent, or the subject's guardian.

Individual. A living citizen of the United States or an alien lawfully admitted to the United States for permanent residence. The legal guardian of an individual has the same rights as the individual and may act on his or her behalf.

Individual access. Access to personal information pertaining to the individual, by the individual, his or her designated agent or legal guardian.

Maintain. Includes maintenance, collection, use or dissemination.

Personal information. Information about an individual that is intimate or private, as distinguished from information related solely to the individual's official functions or public life.

(a) It is DoD policy to safeguard personal information contained in any system of records maintained by any DoD Component and to permit any individual to know what existing records pertain to him or her in any OSD Component covered by this part.

(b) Each office maintaining records and information about individuals shall ensure that their privacy is protected from unauthorized disclosure of personal information. These offices shall permit individuals to have access to, and to have a copy made of all, or any portion of records about them, except as provided in Chapters 3 and 5, DoD 5400.11-R, and to have an opportunity to request that such records be amended as provided by the Privacy Act of 1974 and Chapter 3 of DoD 5400.11-R. Individuals requesting access to their records shall receive concurrent consideration under 5 U.S.C. 552a and the Freedom of Information Act, as amended, if appropriate.

(c) Heads of OSD Components shall maintain any necessary record of a personal nature that is individually identifiable in a manner that complies with the law and DoD policy. Any information collected must be as accurate, relevant, timely, and complete as is reasonable to ensure fairness to the individual. Adequate safeguards must be provided to prevent misuse or unauthorized release of such information.

(a) The Director of Administration and Management, Office of the Secretary of Defense (DA&M, OSD) shall:

(1) Direct and administer the DoD Privacy Program for OSD Components.

(2) Establish standards and procedures to ensure implementation of and compliance with the Privacy Act of 1974, OMB Circular No. A-130, and DoD 5400.11-R.

(3) Designate the Director for Freedom of Information and Security Review as the point of contact for individuals requesting information of access to records and copies about themselves.

(4) Serve as the appellate authority within OSD when a requester appeals a denial for access to records under the Privacy Act.

(5) Serve as the appellate authority within OSD when a requester appeals a denial for amendment of a record or initiates legal action to correct a record.

(6) Evaluate and decide, in coordination with The General Counsel of the Department of Defense (GC, DoD), appeals resulting from denials of access or amendments to records by the OSD Components.

(7) Designate the Directives and Records Division, Correspondence and Directives Directorate, Washington Headquarters Services (WHS) as the office responsible for all aspects of the Privacy Act, except that portion about receiving and acting on public requests for personal records. As such, the Directives and Records Division shall:

(i) Exercise oversight and administrative control of the Privacy Act Program in OSD and those organizations assigned to OSD for administrative support.

(ii) Provide guidance and training to organizational entities as required by 5 U.S.C. 552a and OMB Circular A-130. Periodic training will be provided to public affairs officers and others who may be expected to deal with the news media or the public.

(iii) Collect and consolidate data from OSD Components, and submit an annual report to the Defense Privacy Office, as required by 5 U.S.C. 552a, OMB Circular A-130, and DoD -5400.11-R.

(iv) Coordinate and consolidate information for reporting all record systems, as well as changes to approved systems, to the OMB, the Congress, and the Federal Register, as required by 5 U.S.C. 552a, OMB Circular E A-130, and DoD -5400.11-R.

(v) Collect information from OSD Components, and prepare consolidated reports required by 5 U.S.C. 552a and DoD 5400.11-R.

(b) The Director for Freedom of Information and Security Review shall:

(1) Forward requests for information or access to records to the appropriate OSD Component having primary responsibility for any pertinent system of records under 5 U.S.C. 552a, or to OSD Components, under the Freedom of Information Act, as amended.

(2) Maintain deadlines to ensure that responses are made within the time limits prescribed in DoD 5400.7-R,3 DoD Instruction 5400.10,4 and this part.

(3) Collect fees charged and assessed for reproducing requested materials.

(4) Refer all matters about amendments of records and general and specific exemptions under the 5 U.S.C. 552a to the proper OSD Components.

(c) The General Counsel of the Department of Defense shall:

(1) Coordinate all OSD final denials of appeals for amending records, and review actions to confirm denial of access to records, as appropriate.

(2) Provide advice and assistance to the DA&M, OSD in the discharge of appellate and review responsibilities, and to the DFOISR on all access matters.

(3) Provide advice and assistance to OSD Components on legal matters pertaining to the Privacy Act of 1974.

(d) The Heads of the OSD Components shall:

(1) Designate an individual as the point of contact for Privacy Act matters; designate an official to deny initial requests for access to an individual's records or changes to records; and advise both DA&M, OSD and DFOISR of names of officials so designated.

(2) Report any new record system, or changes to an existing system, to the Chief, Directives and Records Division, WHS, at least 90 days before the intended use of the system.

(3) Review all contracts that provide for maintaining records systems, by or on behalf of his or her office, to ensure within his or her authority, that language is included that provides that such systems shall be maintained in a manner consistent with 5 U.S.C. 552a.

(4) Revise procurement guidance to ensure that any contract providing for the maintenance of a records system, by or on behalf of his or her office, includes language that ensures that such system shall be maintained in accordance with 5 U.S.C. 552a.

(5) Revise computer and telecommunications procurement policies to ensure that agencies review all proposed contracts for equipment and services to comply with 5 U.S.C. 552a.

(6) Coordinate with Automatic Data Processing (ADP) and word processing managers providing services to ensure that an adequate risk analysis is conducted to comply with DoD 5400.11-R.

(7) Review all Directives that require forms or other methods used to collect information about individuals to ensure that they are in compliance with 5 U.S.C. 552a.

(8) Establish administrative systems in OSD Component organizations to comply with the procedures listed in this part and DoD 5400.11-R.

(9) Coordinate with the GC, DoD on all proposed denials of access to records.

(10) Provide justification to the DFOISR when access to a record is denied in whole or in part.

(11) Provide the record to the DFOISR when the initial denial of a request for access to such record has been appealed by the requester, or at the time of initial denial when appeal seems likely.

(12) Maintain an accurate account of the actions resulting in a denial for access to a record or for the correction of a record. This account should be maintained so that it can be readily certified as the complete record of proceedings if litigation occurs.

(13) Ensure that all personnel who either have access to the system of records, or who are engaged in developing or supervising procedures for handling records in the system, are aware of their responsibilities for protecting personal information as established in the Privacy Act and DoD 5400.11-R.

(14) Forward all requests for access to records received directly from an individual to the DFOISR for appropriate suspense control and recording.

(15) Provide DFOISR with a copy of the requested record when the request is granted.

(e) The requester who desires to submit a request is responsible for:

(1) Determining whether to submit the request in writing or in person. A requester who seeks access to records pertaining to himself or herself which are filed by his or her name or personal identifier:

(i) May make such a request in person to the custodian of the records. If the requester is not satisfied with the response, however, in order to invoke any provision of 5 U.S.C. 552a, DoD 5400.11-R, or this part, the requester must file a request in writing as provided in § 311.6(b)(10). The requester must provide proof of identify by showing drivers license or similar credentials.

(ii) Describing the record sought, and providing sufficient information to enable the material to be located (e.g., identification of system of records, approximate date it was initiated, originating organization, and type of document).

(iii) Complying with procedures provided in DoD 5400.11-R for inspecting and/or obtaining copies of requested records.

(iv) Submitting a written request to amend the record to the system manager or to the office designated in the system notice.

(a) Publication of notice in the Federal Register. (1) A notice shall be published in the Federal Register of any record system meeting the definition of a system of records in DoD 5400.11-R.

(2) Regarding new or revised records systems, each OSD Component shall provide the Chief, Directives and Records Division with 90 days advance notice of any anticipated new or revised system of records. This material shall be submitted to the OMB and to Congress at least 60 days before use and to the Federal Register at least 30 days before being put into use, to provide an opportunity for interested persons to submit written data, views, or arguments to the OSD Components. Instructions on content and preparation are outlined in DoD 5400.11-R.

(b) Access to information on records systems. (1) Upon request, and as provided by the Privacy Act, records shall be disclosed only to the individual they pertain to and under whose individual name or identifier they are filed, unless exempted by provisions stated in DoD 5400.11-R.

(2) There is not requirement under 5 U.S.C. 552a that a record be created or that an individual be given access to records that are not in a group of records that meet this definition of a system of records in 5 U.S.C. 552a.

(3) Granting access to a record containing personal information shall not be conditioned upon any requirement that the individual state a reason or otherwise justify the need to gain access.

(4) No verification of identity shall be required of an individual seeking access to records that are otherwise available to the public.

(5) Individuals shall not be denied access to a record in a system of records about themselves because those records are exempted from disclosure under DoD 5400.7-R. Individuals may only be denied access to a record in a system of records about themselves when those records are exempted from the access provisions of the Privacy Act under DoD 5400.11-R, Chapter 5.

(6) Individuals shall not be denied access to their records for refusing to disclose their Social Security Numbers (SSNs), unless disclosure of the SSN is required by statute, by regulation adopted before January 1, 1975, or if the record's filing identifier and only means of retrieval is by SSN.

(7) Individuals may request access to their records, in person or by mail, in accordance with the procedures outlined in paragraph (b)(8) of this section.

(8) Information necessary to identify a record is: the individual's name, date of birth, place of birth, identification of the records system as listed in the Federal Register, or sufficient information to identify the type of records being sought, and the approximate date the records might have been created. Any individual making a request for access to records in person shall come to the Directorate for Freedom of Information and Security Review (DFOISR), Room 2C757, Pentagon, Washington, DC 20301-1155; and shall provide personal identification acceptable to the Director, DFOISR, to verify the individual's identity (e.g., driver's license, other licenses, permits, or passes used for routine identification purposes).

(9) If an individual wishes to be accompanied by a third party when seeking access to records or wishes to have the record released directly to a third party, the individual may be required to furnish a signed access authorization granting the third party access.

(10) Any individual submitting a request by mail for access to information shall address such request to the Directorate for Freedom of Information and Security Review, Pentagon, Room 2C757, Washington, DC 20301-1155. To verify the identity of the individual, the request shall include either a signed notarized statement or an unsworn declaration in the format specified by 28 U.S.C. 1746.

(11) The following procedures shall apply to requests for access to records or information complied for law enforcement purposes:

(i) Individuals requesting access to records or information about themselves and complied for law enforcement purposes are processed under DoD 5400.11-R and DoD 5400.7-R to give them the greater degree of access.

(ii) Individual requests for access to records or information about themselves and compiled for law enforcement purposes (and in the custody of law enforcement activities) that have been incorporated into the records system, exempted from the access provisions of 5 U.S.C. 552a, will be processed in accordance with subsection C1.5.13 and Chapter 5, DoD 5400.7-R. Individuals shall not be denied access to records solely because they are in the exempt system, but they will have the same access that they would receive under DoD 5400.7-R. (Also see subsection A.10., Chapter 3, DoD 5400.11-R).)

(iii) Requests by the individuals for access to records or information about themselves and compiled for law enforcement purposes that are in records systems exempted from access provisions will be processed under subsection C.1., Chapter 5 of DoD 5400.11-R or DoD 5400.7-R, depending upon which regulation gives the greater degree of access. (See also subsection A. 10., Chapter 3, DoD 5400.1-R)

(iv) Individual requests for access to records or information about themselves and complied for law enforcement purposes exempted from access under Section B, Chapter 5 of DoD 54.11-R, that are temporarily in the hands of a non-law enforcement element for adjudicative or personnal actions, shall be referred to the originating agency. The requester will be informed in writing of these referrals.

(12) The following procedures shall apply to requests for illegible, incomplete, or partially exempt records:

(i) An individual shall not be denied access to a record or a copy of a record solely because the physical condition or format of the record does not make it readily available (e.g., deteriorated state or on magnetic tape). The document will be prepared as an extract, or it will be exactly recopied.

(ii) If a portion of the record contains information that is exempt from access, an extract or summary containing all of the information in the record that is releasable shall be prepared.

(iii) When the physical condition to the record makes it necessary to prepare an extract for release, the extract shall be prepared so that the requester will understand it.

(iv) The requester shall be informed of all deletions or changes to records.

(13) Medical records shall be disclosed to the individual they pertain to, unless a determination is made in consultation with a medical doctor, that the disclosure could have adverse effects on the individual's physical or mental health. Such information may be transmitted to a medical doctor named by the individual concerned. If the named medical doctor declines to provide the record to the individual, the OSD Components shall take positive action to ensure that the requested records are provided the individual.

(14) The individual may be charged reproduction fees for copies or records as outlined in DoD 5400.11-R.

(c) Requested to amend personal information in records systems and disputes. (1) The Head of an OSD Component, or the designated official, shall allow individuals to request amendment to their records to the extent that such records are not accurate, relevant, timely, or complete. Requests should be as brief and as simple as possible and should contain, as a minimum, identifying information to locate the record, as description of the items to be amended, and the reason for a change. A request shall not be rejected nor required to be resubmitted unless additional information is essential to process the request. Requesters shall be required to provide verification of their identify as stated in paragraph (b)(8) of this section, to ensure that they are seeking to amend records about themselves, and not, inadvertently or intentially, the records of others.

(2) The appropriate system manager shall mail a written acknowledgement to an individual's request to amend a record within 10 days after receipt, excluding Saturdays, Sundays, and legal public holidays. Such acknowledgement shall identify the request and may, if necessary, request any additional information needed to make a determination. No acknowledgment is necessary if the request can be reviewed, processed, and if the individual can be notified of compliance or denial within the 10-day period. Whenever practical, the decision shall be made within 30 working days. For requests presented in person, written acknowledgment may be provided at the time the request is presented.

(3) The Head of an OSD Component, or designated official, shall promptly take one of the following actions on requests to amend the records:

(i) If the OSD Component official agrees with any portion or all of an individual's request, he or she will proceed to amend the records in accordance with existing statutes, requlations, or administrative procedures, and inform the requester of the action taken. The OSD Component official shall also notify all previous holders of the record that the amendment has been made, and shall explain the substance of the correction.

(ii) If the OSD Component official disagrees with all or any portion of a request, the individual shall be informed promptly of the refusal to amend a record, the reason for the refusal, and the procedure established by OSD for an appeal as outlined in paragraph (c)(6) of this section.

(iii) If the request for an amendment pertains to a record controlled and maintained by another Federal Agency, the request shall be referred to the appropriate Agency, and the requester advised of this:

(4) The following procedures shall be used when reviewing records under dispute:

(i) In response to a request for an amendment to records, officials shall determine whether the requester has adequately supported their claim that the record is inaccurate, irrelevant, untimely, or incomplete.

(ii) The Head of an OSD Component, or designated official, shall limit the review of a record of those items of information that clearly bear on any determination to amend the records and shall ensure that all those elements are present before determination is made.

(5) If the Head of an OSD Component, or designated official, after an initial review of a request to amend a record, disagrees with all or any portion of a record, he or she shall:

(i) Advise the individual of the denial and the reason for it.

(ii) Inform the individual that he or she may appeal the denial.

(iii) Describe the procedures for appealing the denial including the name and address of the official to whom the appeal should be directed. The procedures should be as brief and simple as possible.

(iv) Furnish a copy of the justification of any denial to amend a record to the DA&M, OSD.

(6) If an individual disagrees with the initial OSD determination, he or she may file an appeal. The request should be sent to the Director of Administration and Management, Office of the Secretary of Defense (DA&M, OSD), 1950 Defense Pentagon, Washington, D.C. 20301-1950, if the record is created and maintained by an OSD Component.

(7) If, after review, the DA&M, OSD further refuses to amend the record as requested, he shall advise the individual:

(i) Of the refusal and the reason and authority for the denial.

(ii) Of his or her right to file a statement of the reason for disagreeing with the DA&M's decision.

(iii) Of the procedures for filing a statement of disagreements.

(iv) That the statement filed shall be made available to anyone the record is dislosed to, together with a brief statement, at the discretion of the OSD Component, summarizing its reasons for refusing to amend the records.

(v) That prior recipients of copies of disputed records by provided by a copy of any statement of dispute to the extent that an accounting of disclosure is maintained.

(vi) Of his or her right to seek judicial review of the DA&M's refusal to amend a record.

(8) If, after the review, the DA&M, OSD, determines that the record should be amended in accordance with the individual's request, the OSD Component shall amend the record, advise the individual, and inform previous recipients where an accounting of disclosure has been maintained.

(9) All appeals should be processed within 30 days (excluding Saturdays, Sundays, and legal public holidays) after receipt by the proper office. If the DA&M determines that a fair and equitable review cannot be made within that time, the individual shall be informed in writing of the reasons for the delay and of the approximate date the review is expected to be completed.

(d) Disclosure of disputed information. (1) If the DA&M, OSD, has refused to amend a record and the individual has filed a statement under paragraph (c)(7) of this section, the OSD Component shall clearly annotate the disputed record so that it is apparent to any person to whom the record is disclosed that a statement has been filed. Where feasible, the notation itself shall be integral to the record. Where an accounting of a disclosure has been made, the OSD Component shall advise previous recipients that the record has been disputed and shall provide a copy of the individual's statement.

(i) This statement shall be maintained to permit ready retrieval whenever the disputed portion of the record is to be disclosed.

(ii) When information that is the subject of a statement of dispute is subsequently disclosed, the OSD Component's designated official shall note which information is disputed and provide a copy of the individual's statement.

(2) The OSD Component shall include a brief summary of its reasons for not making a correction when disclosing disputed information. Such statement shall normally be limited to the reasons given to the individual for not amending the record.

(3) Copies of the OSD Component's summary will be treated as part of the individual's record; however, it will not be subject to the amendment procedure outlined in paragraph (c)(3)(iii) of this section.

(e) Penalties—(1) Civil action. (i) An individual may file a civil suit against the United States and may recover damages, for:

(A) Refusal to amend a record.

(B) Improper denial of the access to a record.

(C) Failure to maintain an accurate, relevant, timely, and complete record that is used to make determinations adverse to the individual.

(ii) An individual may also file a suit against the United States for failure to implement a provision of the Privacy Act when such failure leads to an adverse determination.

(iii) If the individual's suit is upheld, the court may direct the United States to pay the court costs and attorney's fees.

(2) Criminal action. (i) Criminal penalties may be imposed against an OSD officer or employee for certain offenses listed in section (i) of the Privacy Act, as follows: willful unauthorized disclosure of protected information in the records; failure to publish a notice of the existence of a record system in the Federal Register; requesting or gaining access to the individual's record under false pretenses.

(ii) An OSD officer or employee may be fine up to $5,000 for a violation as outlined in paragraph (e)(2)(i) of this section.

(3) Litigation status sheet. Whenever a complaint citing 5 U.S.C. 552a is filed in a U.S. District Court against the Department of Defense, a DoD component, or any DoD employee, the responsible system manager shall promptly notify the Defense Privacy Office. The litigation status sheet in DoD 5400.II-R provides a standard format for this notification. (The initial litigation status sheet shall, as a minimum, provide the information required by items 1. through 6.) A revised litigation status sheet shall be provided at each stage of the litigation. When a court renders a formal opinion or judgment, copies of the judgment or opinion shall be provided to the Defense Privacy Office with the litigation status sheet reporting that judgment or opinion.

(f) Computer matching programs. Paragraph B of Chapter 11 of DoD 5400.11-R prescribes that all requests for participation in a matching program (either as a matching agency or a source agency) be submitted to the Defense Privacy Office for review and compliance. OSD Components shall submit these request through the Directives and Records Division.

The Defense Privacy Office shall establish requirements and deadlines for DoD privacy reports. These reports shall be licensed in accordance with DoD Directive 8910.1.5

(a) General information. The Secretary of Defense designates those Office of the Secretary of Defense (OSD) systems of records which will be exempt from certain provisions of the Privacy Act. There are two types of exemptions, general and specific. The general exemption authorizes the exemption of a system of records from all but a few requirements of the Act. The specific exemption authorizes exemption of a system of records or portion thereof, from only a few specific requirements. If an OSD Component originates a new system of records for which it proposes an exemption, or if it proposes an additional or new exemption for an existing system of records, it shall submit the recommended exemption with the records system notice as outlined in § 311.6. No exemption of a system of records shall be considered automatic for all records in the system. The systems manager shall review each requested record and apply the exemptions only when this will serve significant and legitimate Government purpose.

(b) General exemptions. The general exemption provided by 5 U.S.C. 552a(j)(2) may be invoked for protection of systems of records maintained by law enforcement activities. Certain functional records of such activities are not subject to access provisions of the Privacy Act of 1974. Records identifying criminal offenders and alleged offenders consisting of identifying data and notations of arrests, the type and disposition of criminal charges, sentencing, confinement, release, parole, and probation status of individuals are protected from disclosure. Other records and reports compiled during criminal investigations, as well as any other records developed at any stage of the criminal law enforcement process from arrest to indictment through the final release from parole supervision are excluded from release.

(1) System identifier and name: DWHS P42.0, DPS Incident Reporting and Investigations Case Files.

(i) Exemption. Portions of this system that fall within 5 U.S.C. 552a(j)(2) are exempt from the following provisions of 5 U.S.C. 552a, Sections (c) (3) and (4); (d)(1) through (d)(5); (e)(1) through (e)(3); (e)(5); (f)(1) through (f)(5); (g)(1) through (g)(5); and (h) of the Act.

(ii) Authority: 5 U.S.C. 552a(j)(2).

(iii) Reason: The Defense Protective Service is the law enforcement body for the jurisdiction of the Pentagon and immediate environs. The nature of certain records created and maintained by the DPS requires exemption from access provisions of the Privacy Act of 1974. The general exemption, 5 U.S.C. 552a(j)(2), is invoked to protect ongoing investigations and to protect from access criminal investigation information contained in this record system, so as not to jeopardize any subsequent judicial or administrative process taken as a result of information contained in the file.

(2) System identifier and name: JS006.CND, Department of Defense Counternarcotics C4I System.

(i) Exemption: Portions of this system that fall within 5 U.S.C. 552a(j)(2) are exempt from the following provisions of 5 U.S.C. 552a, section (c) (3) and (4); (d)(1) through (d)(5); (e)(1) through (e)(3); (e)(4)(G) and (e)(4)(H); (e)(5); (f)(1) through (f)(5); (g)(1) through (g)(5) of the Act.

(ii) Authority: 5 U.S.C. 552a(j)(2).

(iii) Reason: From subsection (c)(3) because the release of accounting of disclosure would inform a subject that he or she is under investigation. This information would provide considerable advantage to the subject in providing him or her with knowledge concerning the nature of the investigation and the coordinated investigative efforts and techniques employed by the cooperating agencies. This would greatly impede USSOUTHCOM's criminal law enforcement.

(iv) For subsections (c)(4) and (d) because notification would alert a subject to the fact that an investigation of that individual is taking place, and might weaken the on-going investigation, reveal investigatory techniques, and place confidential informants in jeopardy.

(v) From subsections (e)(4) (G) and (H) because this system of records is exempt from the access provisions of subsection (d) pursuant to subsection (j).

(vi) From subsection (f) because the agency's rules are inapplicable to those portions of the system that are exempt and would place the burden on the agency of either confirming or denying the existence of a record pertaining to a requesting individual might in itself provide an answer to that individual relating to an on-going criminal investigation. The conduct of a successful investigation leading to the indictment of a criminal offender precludes the applicability of established agency rules relating to verification of record, disclosure of the record to that individual, and record amendment procedures for this record system.

(vii) For compatibility with the exemption claimed from subsection (f), the civil remedies provisions of subsection (g) must be suspended for this record system. Because of the nature of criminal investigations, standards of accuracy, relevance, timeliness and completeness cannot apply to this record system. Information gathered in criminal investigations is often fragmentary and leads relating to an individual in the context of one investigation may instead pertain to a second investigation.

(viii) From subsection (e)(1) because the nature of the criminal investigative function creates unique problems in prescribing a specific parameter in a particular case with respect to what information is relevant or necessary. Also, due to USSOUTHCOM's close liaison and working relationships with the other Federal, as well as state, local and foreign country law enforcement agencies, information may be received which may relate to a case under the investigative jurisdiction of another agency. The maintenance of this information may be necessary to provide leads for appropriate law enforcement purposes and to establish patterns of activity which may relate to the jurisdiction of other cooperating agencies.

(ix) From subsection (e)(2) because collecting information to the greatest extent possible directly from the subject individual may or may not be practicable in a criminal investigation. The individual may choose not to provide information and the law enforcement process will rely upon significant information about the subject from witnesses and informants.

(x) From subsection (e)(3) because supplying an individual with a form containing a Privacy Act Statement would tend to inhibit cooperation by many individuals involved in a criminal investigation. The effect would be somewhat inimical to established investigative methods and techniques.

(xi) From subsection (e)(5) because the requirement that records be maintained with attention to accuracy, relevance, timeliness, and completeness would unfairly hamper the criminal investigative process. It is the nature of criminal law enforcement for investigations to uncover the commission of illegal acts at diverse stages. It is frequently impossible to determine initially what information is accurate, relevant, timely, and least of all complete. With the passage of time, seemingly irrelevant or untimely information may acquire new significant as further investigation brings new details to light.

(xii) From subsection (e)(8) because the notice requirements of this provision could present a serious impediment to criminal law enforcement by revealing investigative techniques, procedures, and existence of confidential investigations.

(c) Specific exemptions. All systems of records maintained by any OSD Component shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to subsection (k)(1) of that section to the extent that the system contains any information properly classified under Executive Order 11265, ‘National Security Information,' dated June 28, 552a(d) pursuant to subsection (k)(1) of that section to the extent that the system contains any information properly classified under E.O. 11265, ‘National Security Information,' dated June 28, 1979, as amended, and required by the Executive Order to be kept classified in the interest of national defense or foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions may contain isolated information which has been properly classified. The Secretary of Defense has designated the following OSD system of records described below specifically exempted from the appropriate provisions of the Privacy Act pursuant to the designated authority contained therein:

(1) System identifier and name: DGC 16, Political Appointment Vetting Files.

(i) Exemption. Portions of this system of records that fall within the provisions of 5 U.S.C. 552a(k)(5) may be exempt from the following subsections (d)(1) through (d)(5).

(ii) Authority. 5 U.S.C. 552a(k)(5).

(iii) Reasons. From (d)(1) through (d)(5) because the agency is required to protect the confidentiality of sources who furnished information to the Government under an expressed promise of confidentiality or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. This confidentiality is needed to maintain the Government's continued access to information from persons who otherwise might refuse to give it. This exemption is limited to disclosures that would reveal the identity of a confidential source.

(2) System identifier and name: DWHS P28, The Office of the Secretary of Defense Clearance File.

(i) Exemption. This system of records is exempt from subsections (c)(3) and (d) of 5 U.S.C. 552a, which would require the disclosure of investigatory material compiled solely for the purpose of determining access to classified information but only to the extent that disclosure of such material would reveal the identity of a source who furnished information to the Government under an expressed promise that the identity of the source would be held in confidence or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. A determination will be made at the time of the request for a record concerning the specific information which would reveal the identity of the source.

(ii) Authority. 5 U.S.C. 552a(k)(5).

(iii) Reasons. This exemption is required to protect the confidentiality of the sources of information compiled for the purpose of determining access to classified information. This confidentiality helps maintain the Government's continued access to information from persons who would otherwise refuse to give it.

(3) System identifier and name: DGC 04, Industrial Personnel Security Clearance Case Files.

(i) Exemption. All portions of this system which fall under 5 U.S.C. 552a(k)(5) are exempt from the following provisions of Title 5 U.S.C. 552a: (c)(3); (d).

(ii) Authority. 5 U.S.C. 552a(k)(5).

(iii) Reasons. This system of records is exempt from subsections (c)(3) and (d) of section 552a of 5 U.S.C. which would require the disclosure of investigatory material compiled solely for the purpose of determining access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an expressed promise that the identity of the source would be held in confidence, or prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. A determination will be made at the time of the request for a record concerning whether specific information would reveal the identity of a source. This exemption is required in order to protect the confidentiality of the sources of information compiled for the purpose of determining access to classified information. This confidentiality helps maintain the Government's continued access to information from persons who would otherwise refuse to give it.

(4) System identifier and name: DWHS P32, Standards of Conduct Inquiry File.

(i) Exemption. This system of records is exempted from subsections (c)(3) and (d) of 5 U.S.C. 552a, which would require the disclosure of: Investigatory material compiled for law enforcement purposes; or investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, or Federal contracts, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. If any individual is denied any right, privilege, or benefit that he would otherwise be entitled by Federal law, or otherwise be eligible, as a result of the maintenance of investigatory material compiled for law enforcement purposes, the material shall be provided to that individual, except to the extent that its disclosure would reveal the identity of a source who furnished information to the Government under an express promise or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. At the time of the request for a record, a determination will be made concerning whether a right, privilege, or benefit is denied or specific information would reveal the identity of a source.

(ii) Authority. 5 U.S.C. 552a(k) (2) and (5).

(iii) Reasons. These exemptions are necessary to protect the confidentiality of the records compiled for the purpose of: enforcement of the conflict of interest statutes by the Department of Defense Standards of Conduct Counselor, General Counsel, or their designees; and determining suitability, eligibility or qualifications for Federal civilian employment, military service, or Federal contracts of those alleged to have violated or caused others to violate the Standards of Conduct regulations of the Department of Defense.

(5) System identifier and name: DUSDP 02, Special Personnel Security Cases.

(i) Exemption: All portions of this system which fall under 5 U.S.C. 552a(k)(5) are exempt from the following provisions of 5 U.S.C. 552a: (c)(3); (d).

(ii) Authority: 5 U.S.C. 552a(k)(5).

(iii) Reasons: This system of records is exempt from subsections (c)(3) and (d) of 5 U.S.C. 552a which would require the disclosure of investigatory material compiled solely for the purpose of determining access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an expressed promise that the identity of the source would be held in confidence or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. A determination will be made at the time of the request for a record concerning whether specific information would reveal the identity of a source. This exemption is required in order to protect the confidentiality of the sources of information compiled for the purpose of determining access to classified information. This confidentiality helps maintain the Government's continued access to information from persons who would otherwise refuse to give it.

(6) System identifier and name: DODDS 02.0, Educator Application Files.

(i) Exemption. All portions of this system which fall within 5 U.S.C. 552a(k)(5) may be exempt from the following provisions of 5 U.S.C. 552a: (c)(3); (d).

(ii) Authority. 5 U.S.C. 552a(k)(5).

(iii) Reasons. It is imperative that the confidential nature of evaluation and investigatory material on teacher application files furnished the Department of Defense Dependent Schools (DoDDS) under promises of confidentiality be exempt from disclosure to the individual to insure the candid presentation of information necessary to make determinations involving applicants suitability for DoDDS teaching positions.

(7) System identifier and name: DGC 20, DoD Presidential Appointee Vetting File.

(i) Exemption: Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source. Portions of this system of records that may be exempt pursuant to 5 U.S.C. 552a(k)(5) are subsections (d)(1) through (d)(5).

(ii) Authority: 5 U.S.C. 552a(k)(5).

(iii) Reason: From (d)(1) through (d)(5) because the agency is required to protect the confidentiality of sources who furnished information to the government under an expressed promise of confidentiality or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. This confidentiality is needed to maintain the Government's continued access to information from persons who otherwise might refuse to give it.

(8) System identifier and name: DWHS P29, Personnel Security Adjudications File.

(i) Exemption: Portions of this system of records that fall within the provisions of 5 U.S.C. 552a(k)(5) may be exempt from the following subsections (d)(1) through (d)(5).

(ii) Authority: 5 U.S.C. 552a(k)(5).

(iii) Reasons. From (d)(1) through (d)(5) because the agency is required to protect the confidentiality of sources who furnished information to the Government under an expressed promise of confidentiality or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. This confidentiality is needed to maintain the Government's continued access to information from persons who otherwise might refuse to give it. This exemption is limited to disclosures that would reveal the identity of a confidential source. At the time of the request for a record, a determination will be made concerning whether a right, privilege, or benefit is denied or specific information would reveal the identity of a source.

(9) System identifier and name: JS004SECDIV, Joint Staff Security Clearance Files.

(i) Exemption: Portions of this system of records are exempt pursuant to the provisions of 5 U.S.C. 552a(k)(5) from subsections 5 U.S.C. 552a(d)(1) through (d)(5).

(ii) Authority: 5 U.S.C. 552a(k)(5).

(iii) Reasons: From subsections (d)(1) through (d)(5) because the agency is required to protect the confidentiality of sources who furnished information to the government under an expressed promise of confidentiality or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. This confidentiality is needed to maintain the Government's continued access to information from persons who otherwise might refuse to give it. This exemption is limited to disclosures that would reveal the identity of a confidential source. At the time of the request for a record, a determination will be made concerning whether a right, privilege, or benefit is denied or specific information would reveal the identity of a source.

(10) System identifier and name: DFMP 26, Vietnamese Commando Compensation Files.

(i) Exemption: Information classified under E.O. 12958, as implemented by DoD 5200.1-R, may be exempt pursuant to 5 U.S.C. 552a(k)(1).

(ii) Authority: 5 U.S.C. 552a(k)(1).

(iii) Reasons: From subsection 5 U.S.C. 552a(d) because granting access to information that is properly classified pursuant to E.O. 12958, as implemented by DoD 5200.1-R, may cause damage to the national security.

(11) System identifier and name: DUSP 11, POW/Missing Personnel Office Files.

(i) Exemption: Information classified under E.O. 12958, as implemented by DoD 5200.1-R, may be exempt pursuant to 5 U.S.C. 552a(k)(1).

(ii) Authority: 5 U.S.C. 552a(k)(1).

(iii) Reasons: From subsection 5 U.S.C. 552a(d) because granting access to information that is properly classified pursuant to E.O. 12958, as implemented by DoD 5200.1-R, may cause damage to the national security.

Pursuant to the requirements of the Privacy Act of 1974 (5 U.S.C. 552a) and 32 CFR part 286a-DoD Privacy Program, the following rules of procedures are established with respect to access and amendment of records maintained by the Office of the Inspector General (OIG) on individual subjects of these records.

(a) All terms used in this part which are defined in 5 U.S.C. 552a shall have the same meaning herein.

(b) As used in this part, the term “agency” means the Office of the Inspector General (OIG), Department of Defense.

Individuals should submit inquiries regarding all OIG files by mail to the Assistant Inspector General for Investigations, ATTN: FOIA/PA Division, 400 Army Navy Drive, Arlington, VA 22202-2884. All personal visits will require some form of common identification.

Only upon proper identification will any individual be granted access to records which pertain to him/her. Identification is required both for accurate record identification and to avoid disclosing records to unauthorized individuals. Requesters must provide their full name and as much information as possible about the record being sought in order that a proper search for records can be accomplished. Inclusion of a telephone number for the requester is recommended to expedite certain matters. Requesters applying in person must provide an identification with photograph, such as a driver's license, military identification card, building pass, etc.

(a) No individual will be allowed access to any information compiled or maintained in reasonable anticipation of civil or criminal actions or proceedings or otherwise exempt under § 312.12. Requests for pending investigations will be denied and the requester instructed to forward another request giving adequate time for the investigation to be completed. Requesters shall be provided the telephone number so they can call and check on the status in order to know when to resubmit the request.

(b) Any individual may authorize the OIG to provide a copy of his/her records to a third part. This authorization must be in writing, must designate the recipient by name, must specify the records or portion to be provided to the recipient, and should accompany the initial request to the OIG.

Requesters will be charged only for the reproduction of requested documents and special postal methods, such as express mail, if applicable. There will be no charge for the first copy of a record provided to any individual. Thereafter, fees will be computed as set forth in appropriate DoD Directives and Regulations.

(a) Requests to correct or amend a file shall be addressed to the system manager in which the file is located. The request must reasonably describe the record to be amended, the items to be changed as specifically as possible, the type of amendment (e.g., deletion, correction, amendment), and the reason for amendment. Reasons should address at least one of the following categories: Accuracy, relevance, timeliness, completeness, fairness. The request should also include appropriate evidence which provide a basis for evaluating the request. Normally all documents submitted, to include court orders, should be certified. Amendments under this part are limited to correcting factual matters and not matters of official judgment or opinions, such as performance ratings, promotion potential, and job performance appraisals.

(b) Requirements of identification as outlined in § 312.4 apply to requests to correct or amend a file.

(c) Incomplete requests shall not be honored, but the requester shall be contacted for the additional information needed to process the request.

(d) The amendment process is not intended to permit the alteration of evidence presented in the course of judicial or quasi-judicial proceedings. Any amendments or changes to these records normally are made through the specific procedures established for the amendment of such records.

(e) Nothing in the amendment process is intended or designed to permit a collateral attack upon what has already been the subject of a judicial or quasi-judicial determination. However, while the individual may not attack the accuracy of the judicial or quasi-judicial determination, he or she may challenge the accuracy of the recording of that action.

(a) A written acknowledgement of the receipt of a request for amendment of a record will be provided to the requester within 10 working days, unless final action regarding approval or denial will constitute acknowledgement.

(b) Where there is a determination to grant all or a portion of a request to amend a record, the record shall be promptly amended and the requesting individual notified. Individuals, agencies or DoD components shown by disclosure accounting records to have received copies of the record, or to whom disclosure has been made, will be notified of the amendment by the responsible OIG official.

(c) Where there is a determination to deny all or a portion of a request to amend a record, OIG will promptly advise the requesting individual of the specifics of the refusal and the reasons; and inform the individual that he/she may request a review of the denial(s) from the OIG designated official.

(a) All appeals of an initial amendment decision should be addressed to the Assistant Inspector General for Investigations, ATTN: FOIA/PA Division, 400 Army Navy Drive, Arlington, VA 22202-2884. The appeal should be concise and should specify the reasons the requester believes that the initial amendment action by the OIG was not satisfactory. Upon receipt of the appeal, the designated official will review the request and make a determination to approve or deny the appeal.

(b) If the OIG designated official decides to amend the record, the requester and all previous recipients of the disputed information will be notified of the amendment. If the appeal is denied, the designated official will notify the requester of the reason of the denial, of the requester's right to file a statement of dispute disagreeing with the denial, that such statement of dispute will be retained in the file, that the statement will be provided to all future users of the file, and that the requester may file suit in a federal district court to contest the OIG decision not to amend the record.

(c) The OIG designated official will respond to all appeals within 30 working days or will notify the requester of an estimated date of completion if the 30 day limit cannot be met.

No record containing personally identifiable information within a OIG system of records shall be disclosed by any means to any person or agency outside the Department of Defense, except with the written consent of the individual subject of the record or as provided for in the Act and DoD 5400.11-R (32 CFR part 286a).

(a) An individual may bring a civil action against the OIG to correct or amend the record, or where there is a refusal to comply with an individual request or failure to maintain any records with accuracy, relevance, timeliness and completeness, so as to guarantee fairness, or failure to comply with any other provision of the Privacy Act. The court may order correction or amendment of records. The court may enjoin the OIG from withholding the records and order the production of the record.

(b) Where it is determined that the action was willful or intentional with respect to 5 U.S.C. 552a(g)(1) (C) or (D), the United States shall be liable for the actual damages sustained, but in no case less than the sum of $1,000 and the costs of the action with attorney fees.

(c) Criminal penalties may be imposed against an officer or employee of the OIG who discloses material, which he/she knows is prohibited from disclosure, or who willfully maintains a system of records without compliance with the notice requirements.

(d) Criminal penalties may be imposed against any person who knowingly and willfully requests or obtains any record concerning another individual from an agency under false pretenses.

(e) All of these offenses are misdemeanors with a fine not to exceed $5,000.

(a) Exemption for classified records. Any record in a system of records maintained by the Office of the Inspector General which falls within the provisions of 5 U.S.C. 552a(k)(1) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), (e)(4)(G) through (I) and (f) to the extent that a record system contains any record properly classified under Executive Order 12958 and that the record is required to be kept classified in the interest of national defense or foreign policy. This specific exemption rule, claimed by the Inspector General under authority of 5 U.S.C. 552a(k)(1), is applicable to all systems of records maintained, including those individually designated for an exemption herein as well as those not otherwise specifically designated for an exemption, which may contain isolated items of properly classified information

(b) The Inspector General of the Department of Defense claims an exemption for the following record systems under the provisions of 5 U.S.C. 552a(j) and (k)(1)-(7) from certain indicated subsections of the Privacy Act of 1974. The exemptions may be invoked and exercised on a case by case basis by the Deputy Assistant Inspector General for Investigations or the Director, Investigative Support Directorate and Freedom of Information Act/Privacy Act Division Chief which serves as the Systems Program Managers. Exemptions will be exercised only when necessary for a specific, significant and legitimate reason connected with the purpose of the records system.

(c) No personal records releasable under the provisions of The Freedom of Information Act (5 U.S.C. 552) will be withheld from the subject individual based on these exemptions.

(d) System Identifier: CIG-04

(1) System name: Case Control System.

(2) Exemption: Any portion of this system which falls within the provisions of 5 U.S.C. 552a(j)(2) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3), (c)(4), (d), (e)(1), (e)(2), (e)(3), (e)(4)(G), (H), (I), (e)(5), (e)(8), (f), and (g).

(3) Authority: 5 U.S.C. 552a(j)(2).

(4) Reasons: From subsection (c)(3) because the release of accounting of disclosure would inform a subject that he or she is under investigation. This information would provide considerable advantage to the subject in providing him or her with knowledge concerning the nature of the investigation and the coordinated investigative efforts and techniques employed by the cooperating agencies. This would greatly impede OIG's criminal law enforcement.

(5) From subsection (c)(4) and (d), because notification would alert a subject to the fact that an open investigation on that individual is taking place, and might weaken the on-going investigation, reveal investigatory techniques, and place confidential informants in jeopardy.

(6) From subsection (e)(1) because the nature of the criminal and/or civil investigative function creates unique problems in prescribing a specific parameter in a particular case with respect to what information is relevant or necessary. Also, due to OIG's close liaison and working relationships with other Federal, state, local and foreign country law enforcement agencies, information may be received which may relate to a case under the investigative jurisdiction of another agency. The maintenance of this information may be necessary to provide leads for appropriate law enforcement purposes and to establish patterns of activity which may relate to the jurisdiction of other cooperating agencies.

(7) From subsection (e)(2) because collecting information to the fullest extent possible directly from the subject individual may or may not be practical in a criminal and/or civil investigation.

(8) From subsection (e)(3) because supplying an individual with a form containing a Privacy Act Statement would tend to inhibit cooperation by many individuals involved in a criminal and/or civil investigation. The effect would be somewhat adverse to established investigative methods and techniques.

(9) From subsection (e)(4) (G) through (I) because this system of records is exempt from the access provisions of subsection (d).

(10) From subsection (e)(5) because the requirement that records be maintained with attention to accuracy, relevance, timeliness, and completeness would unfairly hamper the investigative process. It is the nature of law enforcement for investigations to uncover the commission of illegal acts at diverse stages. It is frequently impossible to determine initially what information is accurate, relevant, timely, and least of all complete. With the passage of time, seemingly irrelevant or untimely information may acquire new significance as further investigation brings new details to light.

(11) From subsection (e)(8) because the notice requirements of this provision could present a serious impediment to law enforcement by revealing investigative techniques, procedures, and existence of confidential investigations.

(12) From subsection (f) because the agency's rules are inapplicable to those portions of the system that are exempt and would place the burden on the agency of either confirming or denying the existence of a record pertaining to a requesting individual might in itself provide an answer to that individual relating to an on-going investigation. The conduct of a successful investigation leading to the indictment of a criminal offender precludes the applicability of established agency rules relating to verification of record, disclosure of the record to that individual, and record amendment procedures for this record system.

(13) For comparability with the exemption claimed from subsection (f), the civil remedies provisions of subsection (g) must be suspended for this record system. Because of the nature of criminal investigations, standards of accuracy, relevance, timeliness, and completeness cannot apply to this record system. Information gathered in an investigation is often fragmentary and leads relating to an individual in the context of one investigation may instead pertain to a second investigation.

(e) System Identification: CIG-06.

(1) System name: Investigative Files.

(2) Exemption: Any portion of this system which falls within the provisions of 5 U.S.C. 552a(j)(2) may be exempt from the following subsections of 5 U.S.C. 552a (c)(3), (c)(4), (d), (e)(1), (e)(2), (e)(3), (e)(4) (G), (H), (I), (e)(5), (e)(8), (f), and (g).

(3) Authority: 5 U.S.C. 552a(j)(2).

(4) Reasons: From subsection (c)(3) because the release of accounting of disclosure would inform a subject that he or she is under investigation. This information would provide considerable advantage to the subject in providing him or her with knowledge concerning the nature of the investigation and the coordinated investigative efforts and techniques employed by the cooperating agencies. This would greatly impede OIG's criminal law enforcement.

(5) From subsection (c)(4) and (d), because notification would alert a subject to the fact that an open investigation on that individual is taking place, and might weaken the on-going investigation, reveal investigatory techniques, and place confidential informants in jeopardy.

(6) From subsection (e)(1) because the nature of the criminal and/or civil investigative function creates unique problems in prescribing a specific parameter in a particular case with respect to what information is relevant or necessary. Also, due to OIG's close liaison and working relationships with other Federal, state, local and foreign country law enforcement agencies, information may be received which may relate to a case under the investigative jurisdiction of another agency. The maintenance of this information may be necessary to provide leads for appropriate law enforcement purposes and to establish patterns of activity which may relate to the jurisdiction of other cooperating agencies.

(7) From subsection (e)(2) because collecting information to the fullest extent possible directly from the subject individual may or may not be practical in a criminal and/or civil investigation.

(8) From subsection (e)(3) because supplying an individual with a form containing a Privacy Act Statement would tend to inhibit cooperation by many individuals involved in a criminal and/or civil investigation. The effect would be somewhat adverse to established investigative methods and techniques.

(9) From subsection (e)(4) (G) through (I) because this system of records is exempt from the access provisions of subsection (d).

(10) From subsection (e)(5) because the requirement that records be maintained with attention to accuracy, relevance, timeliness, and completeness would unfairly hamper the investigative process. It is the nature of law enforcement for investigations to uncover the commission of illegal acts at diverse stages. It is frequently impossible to determine initially what information is accurate, relevant, timely, and least of all complete. With the passage of time, seemingly irrelevant or untimely information may acquire new significance as further investigation brings new details to light.

(11) From subsection (e)(8) because the notice requirements of this provision could present a serious impediment to law enforcement by revealing investigative techniques, procedures, and existence of confidential investigations.

(12) From subsection (f) because the agency's rules are inapplicable to those portions of the system that are exempt and would place the burden on the agency of either confirming or denying the existence of a record pertaining to a requesting individual might in itself provide an answer to that individual relating to an on-going investigation. The conduct of a successful investigation leading to the indictment of a criminal offender precludes the applicability of established agency rules relating to verification of record, disclosure of the record to that individual, and record amendment procedures for this record system.

(13) For comparability with the exemption claimed from subsection (f), the civil remedies provisions of subsection (g) must be suspended for this record system. Because of the nature of criminal investigations, standards of accuracy, relevance, timeliness, and completeness cannot apply to this record system. Information gathered in an investigation is often fragmentary and leads relating to an individual in the context of one investigation may instead pertain to a second investigation.

(f) System identifier: CIG-15.

(1) System name: Departmental Inquiries Case System.

(2) Exemption: Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source. Any portions of this system which fall under the provisions of 5 U.S.C. 552a(k)(2) may be exempt from the following subsection of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I).

(3) Authority: 5 U.S.C. 552a(k)(2).

(4) Reasons: From subsection (c)(3) because disclosures from this system could interfere with the just, thorough and timely resolution of the compliant or inquiry, and possibly enable individuals to conceal their wrongdoing or mislead the course of the investigation by concealing, destroying or fabricating evidence or documents.

(5) From subsection (d) because disclosures from this system could interfere with the just thorough and timely resolution of the compliant or inquiry, and possibly enable individuals to conceal their wrongdoing or mislead the course of the investigation by concealing, destroying or fabricating evidence or documents. Disclosures could also subject sources and witnesses to harassment or intimidation which jeopardize the safety and well-being of themselves and their families.

(6) From subsection (e)(1) because the nature of the investigation function creates unique problems in prescribing specific parameters in a particular case as to what information is relevant or necessary. Due to close liaison and working relationships with other Federal, state, local and foreign country law enforcement agencies, information may be received which may relate to a case under the investigative jurisdiction of another government agency. It is necessary to maintain this information in order to provide leads for appropriate law enforcement purposes and to establish patterns of activity which may relate to the jurisdiction of other cooperating agencies.

(7) From subsection (e)(4) (G) through (H) because this system of records is exempt from the access provisions of subsection (d).

(8) From subsection (f) because the agency's rules are inapplicable to those portions of the system that are exempt and would place the burden on the agency of either confirming or denying the existence of a record pertaining to a requesting individual might in itself provide an answer to that individual relating to an on-going investigation. The conduct of a successful investigation leading to the indictment of a criminal offender precludes the applicability of established agency rules relating to verification of record, disclosure of the record to that individual, and record amendment procedures for this record system.

(g) System Identifier: CIG-16.

(1) System name: DOD Hotline Program Case Files.

(2) Exemption: Any portions of this system of records which fall under the provisions of 5 U.S.C. 552a(k)(2) and (k)(5) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), (e)(4)(G), (H), and (f).

(3) Authority: 5 U.S.C. 552a(k)(2) and (k)(5).

(4) Reasons: From subsection (c)(3) because disclosures from this system could interfere with the just, thorough and timely resolution of the complaint or inquiry, and possibly enable individuals to conceal their wrongdoing or mislead the course of the investigation by concealing, destroying or fabricating evidence or documents.

(5) From subection (d) because disclosures from this system could interfere with the just, thorough and timely resolution of the complaint or inquiry, and possibly enable individuals to conceal their wrongdoing or mislead the course of the investigation by concealing, destroying or fabricating evidence or documents. Disclosures could also subject sources and witnesses to harassment or intimidation which jeopardize the safety and well-being of themselves and their families.

(6) From subsection (e)(1) because the nature of the investigation functions creates unique problems in prescribing specific paramenters in a particular case as to what information is relevant or necessary. Due to close liaison and working relationships with other Federal, state, local, and foreign country law enforcement agencies, information may be received which may relate to a case under the investigative jurisdiction of another government agency. It is necessary to maintain this information in order to provide leads for appropriate law enforcment purposes and to establish patterns of activity which may relate to the jurisdiction of other cooperating agencies.

(7) From subsection (e)(4)(G) through (H) because this system of records is exempt from the access provisions of subsection (d).

(8) From subsection (f) because the agency's rules are inapplicable to those portions of the system that are exempt and would place the burden on the agency of either confirming or denying the existence of a record pertaining to a requesting individual might in itself provide an answer to that individual relating to an on-going investigation. The conduct of a successful investigation leading to the indictment of a criminal offender precludes the applicability of established agency rules relating to verification of record, disclosure of the record to that individual, and record amendment procedures for this record system.

(a) Criminal and or civil investigative reports shall not be retained by DoD recipient organizations. Such reports are the property of OIG and are on loan to the recipient organization for the purpose for which requested or provided. All copies of such reports shall be destroyed within 180 days after the completion of the final action by the requesting organization.

(b) Investigative reports which require longer periods of retention may be retained only with the specific written approval of OIG.

An OIG system of records may contain records other DoD Components or Federal agencies originated, and who may have claimed exemptions for them under the Privacy Act of 1974. When any action is initiated on a portion of any several records from another agency which may be exempt, consultation with the originating agency or component will be affected. Documents located within OIG system of records coming under the cognizance of another agency will be referred to that agency for review and direct response to the requester.

The Office of the Joint Chiefs of Staff is governed by the Privacy Act implementation regulations of the Office of the Secretary of Defense, 32 CFR part 311.

The Defense Advanced Research Projects Agency is governed by the Privacy Act implementation regulations of the Office of the Secretary of Defense, 32 CFR part 311.

This part delineates responsibility and provides guidance for the implementation of Pub. L. 93-579 (Privacy Act of 1974).

This part applies to Headquarters, Defense Information Systems Agency (DISA) and DISA field activities.

This part is published in accordance with the authority contained in 32 CFR part 310, August 1975.

Add to the definitions contained in 32 CFR 310.6 the following:

System Manager: The DISA official who is responsible for policies and procedures governing a DISA System of Record. His title and duty address will be found in the paragraph entitled Sysmanager in DISA's Record System Notices which are published in the Federal Register in compliance with provisions of the Privacy Act of 1974.

It is the policy of DISA:

(a) To preserve the personal privacy of individuals, to permit an individual to know what records exist pertaining to him in the DISA, and to have access to and have a copy made of all or any portion of such records and to correct or amend such records.

(b) To collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.

(a) The Counsel, DISA, is hereby designated the Privacy Act Officer for DISA and is responsible for insuring that an internal DISA Privacy Program is established and maintained. He will also insure that all echelons of DISA effectively comply with and implement 32 CFR part 310.

(b) The Civilian Assistant to the Chief of Staff will be responsible for the annual reporting requirements contained in 32 CFR 310.5.

(c) DISA System Managers and other appropriate DISA officials will:

(1) Insure compliance with the provisions of 32 CFR 310.9.

(2) Comply with the provisions of 32 CFR 286a.11. In this area the Assistant to the Director for Administration will provide assistance.

(3) Adhere to the following:

(i) Within DISA, the System Manager of any record system will assure that records pertaining to an individual will be disclosed, upon request, to the individual to whom the record pertains. The individual need not state a reason or otherwise justify the need to gain access. A person of the individual's choosing may accompany the individual when the record is disclosed. The System Manager may require the individual to furnish a written statement authorizing discussion of the individual's records in the presence of the accompanying person. If requested, the System Manager will have a copy made of all or any portion of the record pertaining to the individual in a form comprehensible to the requester.

(ii) The System Manager may release records to the individual's representative who has the written consent of the individual. The System Manager will require reasonable identification of individuals to assure that rec-ords are disclosed to the proper person. No verification of identity will be required of an individual seeking access to records which are otherwise available to any member of the public under the Freedom of Information Act. Identification requirements should be consistent with the nature of the records being disclosed. For disclosure of records to an individual in person, the System Manager will require that the individual show some form of identification. For records disclosed to an individual in person or by mail, the System Manager may require whatever identifying information is needed to locate the record; i.e., name, social security number, date of birth. If the sensitivity of the data warrants, the System Manager may require a signed notarized statement of identity. The System Manager may compare the signatures of the requester with those in the records to verify identity. An individual will not be denied access to his record for refusing to disclose his social security number unless disclosure is required by statute or by regulation adopted before 1 January 1975. An individual will not be denied access to records pertaining to him because the records are exempted from disclosure under the provisions of the Freedom of Information Act.

(iii) The System Manager will not deny access to a record or a copy thereof to an individual solely because its physical presence is not readily available (i.e. on magnetic tape) or because the context of the record may disclose sensitive information about another individual. To protect the personal privacy of other individuals who may be identified in a record, the System Manager shall prepare an extract to delete only that information which would not be releasable to the requesting individual under the Freedom of Information Act.

(iv) When the System Manager is of the opinion that the disclosure of medical information could have an adverse effect upon the individual to whom it pertains, the System Manager will promptly request the individual to submit the name and address of a doctor who will determine whether the medical record may be disclosed directly to the individual. The System Manager will then request the opinion of the doctor named by the individual on whether a medical record may be disclosed to the individual. The System Manager shall disclose the medical record to the individual to whom it pertains unless, in the judgment of the doctor, access to the record could have an adverse effect upon the individual's physical or mental health. In this event the System Manager will transmit the record to the doctor and immediately inform the individual.

(v) The fees to be charged, if any, to an individual for making copies of his record, excluding the cost of any search for and review of the record, will be in accordance with the “Schedule of Fees” as set forth in 32 CFR 286.5 and 286.10.

(vi) The System Manager of the record will permit an individual to request amendment of a record pertaining to the individual. Requests to amend records shall be in person or in writing and shall be submitted to the System Manager who maintains the records. Such requests should contain as a minimum, identifying information needed to locate the record, a brief description of the item or items of information to be amended, and the reason for the requested change.

(vii) The System Manager will provide a written acknowledgment of the receipt of a request to amend a record to the individual who requested the amendment within 10 days (excluding Saturdays, Sundays, and legal public holidays) after the date of receipt of such request. Such an acknowledgment may, if necessary, request any additional information needed to make a determination. No acknowledgment is required if the request can be reviewed and processed and the individual notified of compliance or denial within the 10 day period.

(viii) The System Manager will promptly take one of the following actions on requests to amend records:

(A) Refer the request to the agency or office that has control of and maintains the record in those instances where the record requested remains the property of the controlling office or agency.

(B) In accordance with existing statute, regulation, or administrative procedure, make any correction of any portion thereof which the individual believes is not accurate, relevant, timely or complete, or

(C) Inform the individual of the System Manager's refusal to amend the record in accordance with the individual's request, the reason for the refusal, and the individual's right to request a review of the refusal by the Director, DISA, through the DISA Privacy Act Board.

(ix) The DISA Privacy Act Board will be comprised of the DISA Counsel, as Chairman; the Assistant to the Director for Administration, and the Assistant to the Director for Personnel; or in their absence, their authorized representatives. The individual who disagrees with the refusal of the System Manager to amend his record may request a review of this refusal by the DISA Privacy Act Board. The request for the review may be made orally or in writing and shall be made to the System Manager. The System Manager will promptly forward the request for review to the Chairman of the Board to make a proper review. The Board will promptly review the matter. If, after review, the Board is unanimous in its decision that the record be amended in accordance with the request of the individual then the Chairman of the Board shall so notify the System Manager. The System Manager will immediately make the necessary corrections to the record and will promptly notify the individual. The System Manager will, if an accounting of disclosure of the record has been made, advise all previous recipients of the record, which was corrected, of the correction and its substance. This will be done in all instances when a record is amended. If, after review, the Board decides that the request for amendment should be denied, it will promptly forward its recommendation to the Director, DCA. A majority vote of the members of the Board will constitute a recommendation to the Director.

(x) The Director, DISA, upon receipt of the Board's recommendation, will complete the review and make a final determination.

(xi) If the Director, DISA, after his review, agrees with the individual's request to amend the record, he will, through the DISA Counsel, so advise the individual in writing. The System Manager will receive a copy of the Director's decision and will assure that the record is corrected accordingly and that if an accounting of disclosure of the record has been made, advise all previous recipients of the record which was corrected of the correction and its substance.

(xii) If, after his review, the Director refuses to amend the records as the individual requested, he will, through the DISA Counsel, advise the individual of his refusal and the reasons for it; of the individual's right to file a concise statement setting forth the reasons for the individual's disagreement with the decision of the Director, DISA; that the statement which is filed will be made available to anyone to whom the record is subsequently disclosed together with, at the discretion of the Agency, a brief statement by the Agency summarizing its reasons for refusing to amend the record; that prior recipients of the disputed record will be provided a copy of any statement of dispute to the extent that an accounting of disclosures was maintained; and of the individual's right to seek judicial review of the Agency's refusal to amend a record.

(xiii) The Director's final determination on the individual's request for a review of the System Manager's initial refusal to amend the record must be concluded within 30 days (excluding Saturdays, Sundays, and legal public holidays) from the date on which the individual requested such review unless the Director determines that a fair and equitable review cannot be made within that time. If additional time is required, the individual will be informed in writing of reasons for the delay and of the approximate date on which the review is expected to be completed.

(xiv) After the Director, DISA has refused to amend a record and the individual has filed a statement setting forth the reasons for the individual's disagreement with the decision of the Director, the System Manager will clearly note any portion of the record which is disputed. The System Manager's notation should make clear that the record is disputed and this should be apparent to anyone who may subsequently have access to, use, or disclose the record. When the System Manager has previously disclosed or will subsequently disclose that portion of the record which is disputed he will note that that portion of the record is disputed and will provide the recipients of the record with a copy of the individual's statement setting forth the reasons for the individual's disagreement with the decision of the Director not to amend the record. The System Manager will also provide recipients of the disputed record with a brief summary of the Director's reasons for not making the requested amendments to the record.

(xv) Nothing herein shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.

(xvi) Any requests by an individual for access to or copies of his records shall be processed in accordance with this part and 32 CFR part 310.

(d) DISA System Managers will be:

(1) Responsible for complying with the provisions contained in 32 CFR 310.8 relating to the disclosure to others of personal records, obtaining the written consent of individuals to whom the record pertains, and for keeping an accurate accounting of each disclosure of a record.

(2) Responsible for providing to the Civilian Assistant to the Chief of Staff the information requested in 32 CFR 310.5. However, the information will be reported on a quarterly basis with the first report due to the Civilian Assistant to the Chief of Staff by 31 December 1975.

(e) The Assistant to the Director for Administration, Headquarters, DCA will:

(1) Be responsible for furnishing written guidelines to assist System Managers and other DISA officials in evaluating and implementing paperwork management procedures required under the Privacy Act of 1974. In this regard it should be noted that the Act establishes a number of requirements. Among these are the requirements:

(i) To disclose records contained in a system of records only under conditions specified in the law,

(ii) To maintain an accounting of such disclosures,

(iii) To establish procedures for the disclosure to an individual of his record or information pertaining to him,

(iv) For reviewing a request concerning the amendment of such record, and

(v) For permitting individuals to file a statement of disagreement which will be forwarded with subsequent disclosures.

(2) Be responsible for providing the “Forms” which are required to comply with 32 CFR 310.9(b).

(f) The Assistant to the Director for Personnel, Headquarters, DISA will:

(1) Be responsible for development, within DISA, of an appropriate training program for all DISA personnel whose duties involve responsibilities for systems of records affected by the Privacy Act.

(2) Assure that DISA personnel involved in the design, development, operation, or maintenance of any system of records, as defined in 32 CFR 310.6 are informed of all requirements to protect the privacy of the individuals who are subjects of the records. The criminal penalties and civil suit aspects of the Privacy Act will be emphasized.

(3) Assure that within DISA administrative and physical safeguards are established to protect information from unauthorized or unintentional access, disclosure, modification or destruction and to insure that all persons whose official duties require access to or processing and maintenance of personal information are trained in the proper safeguarding and use of such information.

Questions on both the substance and procedure of the Privacy Act and the DISA implementation thereof should be addressed to the DISA Counsel by the most expeditious means possible, including telephone calls.

Section 5 U.S.C. 552a (3)(j) and (3)(k) authorize an agency head to exempt certain systems of records or parts of certain systems of records from some of the requirements of the act. This part reserves to the Director, DISA, as head of an agency, the right to create exemptions pursuant to the exemption provisions of the act. All systems of records maintained by DISA shall be exempt from the requirements of 5 U.S.C. 552a (d) pursuant to 5 U.S.C. 552a(3)(k)(1) to the extent that the system contains any information properly classified under Executive Order 11652, “Classification and Declassification of National Security Information and Material,” dated March 8, 1972 (37 FR 10053, May 19, 1972) and which is required by the executive order to be kept secret in the interest of national defense or foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions may contain isolated information which has been properly classified.

This part provides policies and procedures for the Defense Contract Audit Agency's implementation of the Privacy Act of 1974 (DCAA Regulation 5410.10,1 as amended, (5 U.S.C. 552a); DoD 5400.11 and DoD 5400.11-R,2 “DoD Privacy Program” (32 CFR part 310); and is intended to promote uniformity within DCAA.

(a) This part applies to all DCAA organizational elements and takes precedence over all regional regulatory issuances that supplement the DCAA Privacy Program.

(b) This part shall be made applicable by contract or other legally binding action to contractors whenever a DCAA contract provides for the operation of a system of records or portion of a system of records to accomplish an Agency function.

(a) It is DCAA policy that personnel will comply with the DCAA Privacy Program; the Privacy Act of 1974; and the DoD Privacy Program (32 CFR part 310). Strict adherence is necessary to ensure uniformity in the implementation of the DCAA Privacy Program and create conditions that will foster public trust. It is also Agency policy to safeguard personal information contained in any system of records maintained by DCAA organizational elements and to make that information available to the individual to whom it pertains to the maximum extent practicable.

(b) DCAA policy specifically requires that DCAA organizational elements:

(1) Collect, maintain, use, and disseminate personal information only when it is relevant and necessary to achieve a purpose required by statute or Executive Order.

(2) Collect personal information directly from the individuals to whom it pertains to the greatest extent practical.

(3) Inform individuals who are asked to supply personal information for inclusion in any system of records:

(i) The authority for the solicitation.

(ii) Whether furnishing the information is mandatory or voluntary.

(iii) The intended uses of the information.

(iv) The routine disclosures of the information that may be made outside of DoD.

(v) The effect on the individual of not providing all or any part of the requested information.

(4) Ensure that records used in making determinations about individuals and those containing personal information are accurate, relevant, timely, and complete for the purposes for which they are being maintained before making them available to any recipients outside of DoD, other than a Federal agency, unless the disclosure is made under DCAA Regulation 5410.8, DCAA Freedom of Information Act Program.3

(5) Keep no record that describes how individuals exercise their rights guaranteed by the First Amendment to the U.S. Constitution, unless expressly authorized by statute or by the individual to whom the records pertain or is pertinent to and within the scope of an authorized law enforcement activity.

(6) Notify individuals whenever records pertaining to them are made available under compulsory legal processes, if such process is a matter of public record.

(7) Establish safeguards to ensure the security of personal information and to protect this information from threats or hazards that might result in substantial harm, embarrassment, inconvenience, or unfairness to the individual.

(8) Establish rules of conduct for DCAA personnel involved in the design, development, operation, or maintenance of any system of records and train them in these rules of conduct.

(9) Assist individuals in determining what records pertaining to them are being collected, maintained, used, or disseminated.

(10) Permit individual access to the information pertaining to them maintained in any system of records, and to correct or amend that information, unless an exemption for the system has been properly established for an important public purpose.

(11) Provide, on request, an accounting of all disclosures of the information pertaining to them except when disclosures are made:

(i) To DoD personnel in the course of their official duties.

(ii) Under DCAA Regulation 5410.8, DCAA Freedom of Information Act Program.

(iii) To another agency or to an instrumentality of any governmental jurisdiction within or under control of the United States conducting law enforcement activities authorized by law.

(12) Advise individuals on their rights to appeal any refusal to grant access to or amend any record pertaining to them, and file a statement of disagreement with the record in the event amendment is refused.

(a) The Assistant Director, Resources has overall responsibility for the DCAA Privacy Act Program and will serve as the sole appellate authority for appeals to decisions of respective initial denial authorities.

(b) The Chief, Administrative Management Division under the direction of the Assistant Director, Resources, shall:

(1) Establish, issue, and update policies for the DCAA Privacy Act Program; monitor compliance with this part; and provide policy guidance for the DCAA Privacy Act Program.

(2) Resolve conflicts that may arise regarding implementation of DCAA Privacy Act policy.

(3) Designate an Agency Privacy Act Advisor, as a single point of contact, to coordinate on matters concerning Privacy Act policy.

(4) Make the initial determination to deny an individual's written Privacy Act request for access to or amendment of documents filed in Privacy Act systems of records. This authority cannot be delegated.

(c) The DCAA Privacy Act Advisor under the supervision of the Chief, Administrative Management Division shall:

(1) Manage the DCAA Privacy Act Program in accordance with this part and applicable DCAA policies, as well as DoD and Federal regulations.

(2) Provide guidelines for managing, administering, and implementing the DCAA Privacy Act Program.

(3) Implement and administer the Privacy Act program at the Headquarters.

(4) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.

(5) Maintain and publish DCAA Pamphlet 5410.13, DCAA Compilation of Privacy Act System Notices.4

(6) Prepare promptly any required new, amended, or altered system notices for systems of records subject to the Privacy Act and submit them to the Defense Privacy Office for subsequent publication in the Federal Register.

(7) Prepare the annual Privacy Act Report as required by DoD 5400.11-5, DoD Privacy program.

(8) Conduct training on the Privacy Act program for Agency personnel.

(d) Heads of Principal Staff Elements are responsible for:

(1) Reviewing all regulations or other policy and guidance issuances for which they are the proponent to ensure consistency with the provisions of this part.

(2) Ensuring that the provisions of this part are followed in processing requests for records.

(3) Forwarding to the DCAA Privacy Act Advisor, any Privacy Act requests received directly from a member of the public, so that the request may be administratively controlled and processed.

(4) Ensuring the prompt review of all Privacy Act requests, and when required, coordinating those requests with other organizational elements.

(5) Providing recommendations to the DCAA Privacy Act Advisor regarding the releasability of DCAA records to members of the public, along with the responsive documents.

(6) Providing the appropriate documents, along with a written justification for any denial, in whole or in part, of a request for records to the DCAA Privacy Act Advisor. Those portions to be excised should be bracketed in red pencil, and the specific exemption or exemptions cites which provide the basis for denying the requested records.

(e) The General Counsel is responsible for:

(1) Ensuring uniformity is maintained in the legal position, and the interpretation of the Privacy Act; 32 CFR part 310; and this part.

(2) Consulting with DoD General Counsel on final denials that are inconsistent with decisions of other DoD components, involve issues not previously resolved, or raise new or significant legal issues of potential significance to other Government agencies.

(3) Providing advice and assistance to the Assistant Director, Resources; Regional Directors; and the Regional Privacy Act Officer, through the DCAA Privacy Act Advisor, as required, in the discharge of their responsibilities.

(4) Coordinating Privacy Act litigation with the Department of Justice.

(5) Coordinating on Headquarters denials of initial requests.

(f) Each Regional Director is responsible for the overall management of the Privacy Act program within their respective regions. Under his/her direction, the Regional Resources Manager is responsible for the management and staff supervision of the program and for designating a Regional Privacy Act Officer. Regional Directors will, as designee of the Director, make the initial determination to deny an individual's written Privacy Act request for access to or amendment of documents filed in Privacy Act systems of records. This authority cannot be delegated.

(g) Regional Privacy Act Officers will:

(1) Implement and administer the Privacy Act program throughout the region.

(2) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a DCAAR 5410.10 manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.

(3) Prepare input for the annual Privacy Act Report when requested by the DCAA Information and Privacy Advisor.

(4) Conduct training on the Privacy Act program for regional and FAO personnel.

(5) Provide recommendations to the Regional Director through the Regional Resources Manager regarding the releasability of DCAA records to members of the public.

(h) Managers, Field Audit Offices (FAOs) will:

(1) Ensure that the provisions of this part are followed in processing requests for records.

(2) Forward to the Regional Privacy Act Officer, any Privacy Act requests received directly from a member of the public, so that the request may be administratively controlled and processed.

(3) Ensure the prompt review of all Privacy Act requests, and when required, coordinating those requests with other organizational elements.

(4) Provide recommendation to the Regional Privacy Act Officer regarding the releasability of DCAA records to members of the public, along with the responsive documents.

(5) Provide the appropriate documents, along with a written justification for any denial, in whole or in part, of a request for records to the Regional Privacy Act Officer. Those portions to be excised should be bracketed in red pencil, and the specific exemption or exemptions cited which provide the basis for denying the requested records.

(i) DCAA Employees will:

(1) Not disclose any personal information contained in any system of records, except as authorized by this part.

(2) Not maintain any official files which are retrieved by name or other personal identifier without first ensuring that a notice for the system has been published in the Federal Register.

(3) Report any disclosures of personal information from a system of records or the maintenance of any system of records that are not authorized by this part to the appropriate Privacy Act officials for their action.

The Report Control Symbol. Unless otherwise directed, any report concerning implementation of the Privacy Program shall be assigned Report Control Symbol DD-DA&M(A)1379.

(a) This part updates the policies, responsibilities, and procedures of the DTRA Privacy Program under the Privacy Act of 1974, as amended (5 U.S.C. 552a), OMB Circular A-130,1 and the DoD Privacy Program (32 CFR part 310).

(b) This rule establishes procedures whereby individuals can:

(1) Request notification of whether Defense Threat Reduction Agency (DTRA) maintains or has disclosed a record pertaining to them in any nonexempt system of records;

(2) Request a copy or other access to such a record or to an accounting of its disclosure;

(3) Request that the record be amended; and

(4) Appeal any initial adverse determination of any such request.

(c) Specifies those system of records which the Director, Defense Threat Reduction Agency has determined to be exempt from the procedures established by this rule and by certain provisions of the Privacy Act.

(d) DTRA policy encompasses the safeguarding of individual privacy from any misuse of DTRA records and the provides the fullest access practicable by individuals to DTRA records concerning them.

(a) This part applies to all members of the Armed Forces and Department of Defense civilians assigned to the DTRA at any of its duty locations.

(b) This part shall be made applicable to DoD contractors who are operating a system of records on behalf of DTRA, to include any of the activities, such as collecting and disseminating records, associated with maintaining a system of records.

Access. The review of a record or a copy of a record or parts thereof in a system of records by any individual.

Agency. For the purposes of disclosing records subject to the Privacy Act among DoD Components, the Department of Defense is considered a single agency. For all other purposes to include applications for access and amendment, denial of access or amendment, appeals from denials, and record keeping as regards release to non-DoD agencies; each DoD Component is considered an agency within the meaning of the Privacy Act.

Confidential source. A person or organization who has furnished information to the federal government under an express promise that the person's or the organization's identity will be held in confidence or under an implied promise of such confidentiality if this implied promise was made before September 27, 1975.

Disclosure. The transfer of any personal information from a system of records by any means of communication (such as oral, written, electronic, mechanical, or actual review) to any person, private entity, or government agency, other than the subject of the record, the subject's designated agent or the subject's legal guardian.

Individual. A living person who is a citizen of the United States or an alien lawfully admitted for permanent residence. The parent of a minor or the legal guardian of any individual also may act on behalf of an individual. Corporations, partnerships, sole proprietorships, professional groups, businesses, whether incorporated or unincorporated, and other commercial entities are not “individuals.”

Law enforcement activity. Any activity engaged in the enforcement of criminal laws, including efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities.

Maintain. Includes maintain, collect, use or disseminate.

Official use. Within the context of this part, this term is used when officials and employees of a DoD Component have a demonstrated need for the use of any record or the information contained therein in the performance of their official duties, subject to DoD 5200.1-R,2 “DoD Information Security Program Regulation”.

Personal information. Information about an individual that identifies, relates or is unique to, or describes him or her; e.g., a social security number, age, military rank, civilian grade, marital status, race, salary, home/office phone numbers, etc.

Privacy Act request. A request from an individual for notification as to the existence of, access to, or amendment of records pertaining to that individual. These records must be maintained in a system of records.

Member of the public. Any individual or party acting in a private capacity to include federal employees or military personnel.

Record. Any item, collection, or grouping of information, whatever the storage media (e.g., paper, electronic, etc.), about an individual that is maintained by a DoD Component, including but not limited to, his or her education, financial transactions, medical history, criminal or employment history and that contains his or her name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

Risk assessment. An analysis considering information sensitivity, vulnerabilities, and the cost to a computer facility or word processing activity in safeguarding personal information processed or stored in the facility or activity.

Routine use. The disclosure of a record outside the Department of Defense for a use that is compatible with the purpose for which the information was collected and maintained by the Department of Defense. The routine use must be included in the published system notice for the system of records involved.

Statistical record. A record maintained only for statistical research or reporting purposes and not used in whole or in part in making determinations about specific individuals.

System manager. The DoD Component official who is responsible for the operation and management of a system of records.

System of records. A group of records under the control of a DoD Component from which personal information is retrieved by the individual's name or by some identifying number, symbol, or other identifying particular assigned to an individual.

Word processing system. A combination of equipment employing automated technology, systematic procedures, and trained personnel for the primary purpose of manipulating human thoughts and verbal or written or graphic presentations intended to communicate verbally or visually with another individual.

Word processing equipment. Any combination of electronic hardware and computer software integrated in a variety of forms (firmware, programmable software, handwiring, or similar equipment) that permits the processing of textual data. Generally, the equipment contains a device to receive information, a computer-like processor with various capabilities to manipulate the information, a storage medium, and an output device

(a) It is DTRA policy that:

(1) The personal privacy of an individual shall be respected and protected. Personal information shall be collected, maintained, used, or disclosed to insure that:

(2) It shall be relevant and necessary to accomplish a lawful DTRA purpose required to be accomplished by Federal statute or Executive order;

(3) It shall be collected to the greatest extent practicable directly from the individual;

(4) The individual shall be informed as to why the information is being collected, the authority for collection, what uses will be made of it, whether disclosure is mandatory or voluntary, and the consequences of not providing the information;

(5) It shall be relevant, timely, complete and accurate for its intended use; and

(6) Appropriate administrative, technical, and physical safeguards shall be established, based on the media (e.g., paper, electronic, etc.) involved, to ensure the security of the records and to prevent compromise or misuse during storage or transfer.

(b) No record shall be maintained on how an individual exercises rights guaranteed by the First Amendment to the Constitution, except as specifically authorized by statute; expressly authorized by the individual on whom the record is maintained; or when the record is pertinent to and within the scope of an authorized law enforcement activity.

(c) Notices shall be published in the Federal Register and reports shall be submitted to Congress and the Office of Management and Budget, in accordance with, and as required by 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310, as to the existence and character of any system of records being established or revised by the DoD Components. Information shall not be collected, maintained, or disseminated until the required publication/review requirements are satisfied.

(d) Individuals shall be permitted, to the extent authorized by this part:

(1) To determine what records pertaining to them are contained in a system of records;

(2) Gain access to such records and obtain a copy of those records or a part thereof;

(3) Correct or amend such records on a showing the records are not accurate, relevant, timely, or complete.

(4) Appeal a denial of access or a request for amendment.

(e) Disclosure of records pertaining to an individual from a system of records shall be prohibited except with the consent of the individual or as otherwise authorized by 5 U.S.C. 552a and 32 CFR part 286. When disclosures are made, the individual shall be permitted, to the extent authorized by 5 U.S.C. 552a and 32 CFR part 310, to seek an accounting of such disclosures from DTRA.

(f) Computer matching programs between DTRA and Federal, State, or local governmental agencies shall be conducted in accordance with the requirements of 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310.

(g) DTRA personnel and Systems Managers shall conduct themselves, pursuant to established rules of conduct, so that personal information to be stored in a system of records shall only be collected, maintained, used, and disseminated as authorized by this part.

(a) The Director, DTRA shall:

(1) Provide adequate funding and personnel to establish and support an effective Privacy Program.

(2) Appoint a senior official to serve as the Agency Privacy Act Officer.

(3) Serve as the Agency Appellate Authority.

(b) The Privacy Act Officer shall:

(1) Implement the Agency's Privacy Program in accordance with the specific requirements set forth in this part, 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310.

(2) Establish procedures, as well as rules of conduct, necessary to implement this part so as to ensure compliance with the requirements of 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310.

(3) Ensure that the DTRA Privacy Program periodically shall be reviewed by the DTRA Inspectors General or other officials, who shall have specialized knowledge of the DoD Privacy Program.

(4) Serve as the Agency Initial Denial Authority.

(c) The Privacy Act Program Manager shall:

(1) Manage activities in support of the DTRA Programoversight in accordance with part, 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310.

(2) Provide operational support, guidance and assistance to Systems Managers for responding to requests for access/amendment of records.

(3) Direct the day-by-day activities of the DTRA Privacy Program.

(4) Provide guidance and assistance to DTRA elements in their implementation and execution of the DTRA Privacy Program.

(5) Prepare and submit proposed new, altered, andamended systems of records, to include submission of required notices for publication in the Federal Register consistent with this part, 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310.

(6) Prepare and submit proposed DTRA privacy rulemaking, to include documentation for submission of the proposed rule to the Office of the Federal Register for publication. Additionally, provide required documentation for reporting to the OMB and Congress, consistent with this part, 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310.

(7) Provide advice and support to DTRA elements to ensure that:

(i) All information requirements developed to collect and/or maintain personal data conform to DoD Privacy Act Program standards;

(ii) Appropriate procedures and safeguards shall be developed, implemented, and maintained to protect personal information when it is stored in either a manual and/or automated system of records or transferred by electronic or non-electronic means; and

(iii) Specific procedures and safeguards shall be developed and implemented when personal data is collected and maintained for research purposes.

(8) Conduct reviews, and prepare and submit reports consistent with the requirements in this part, 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310, or as otherwise directed by the Defense Privacy Office.

(9) Conduct training for all assigned and employed DTRA personnel and for those individuals having primary responsibility for DTRA Privacy Act Record Systems consistent with requirements of this part, 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310.

(10) Serve as the principal points of contact for coordination of privacy and related matters.

(d) The Directorate Heads and Office Chiefs shall:

(1) Recognize and support the DTRA Privacy Act Program.

(2) Appoint an individual to serve as Privacy Act Point of Contact within their purview.

(3) Initiate prompt, constructive management actions on agreed-upon actions identified in agency Privacy Act reports.

(e) The Chief, Information Systems shall:

(1) Ensure that all personnel who have access to information from an automated system of records during processing or who are engaged in developing procedures for processing such information are aware of the provisions of this Instruction.

(2) Promptly notify automated system managers and the Privacy Act Officer whenever they are changes to Agency Information Technology that may require the submission of an amended system notice for any system of records.

(3) Establish rules of conduct for Agency personnel involved in the design, development, operation, or maintenance of any automated system of records and train them in these rules of conduct.

(f) Agency System Managers shall exercise the Rules of Conduct as specified in 32 CFR part 310.

(g) Agency personnel shall exercise the Rules of Conduct as specified in 32 CFR part 310.

(a) The Defense Threat Reduction Agency, upon receiving a request for notification of the existence of a record or for access to a record, shall acknowledge receipt of the request within 10 working days.

(b) Determine whether or not such record exists.

(c) Determine whether or not such request for access is available under the Privacy Act.

(d) Notify requester of determinations within 30 working days after receipt of such request.

(e) Provide access to information pertaining to that person which has been determined to be available within 30 working days.

(f) Notify the individual if fees will be assessed for reproducing copies of the records. Fee schedule and rules for assessing fees are contained in § 318.11.

(a) An individual may request that the Defense Threat Reduction Agency correct, amend, or expunge any record, or portions thereof, pertaining to the requester that he/she believe to be inaccurate, irrelevant, untimely, or incomplete.

(b) Such requests shall specify the particular portions of the records in question, be in writing and should be mailed to the FOIA/Privacy Act Division, Defense Threat Reduction Agency, 45045 Aviation Drive, Dulles, VA 20166-7517.

(c) The requester shall provide sufficient information to identify the record and furnish material to substantiate the reasons for requesting corrections, amendments, or expurgation.

(a) The Agency will acknowledge a request for correction or amendment within 10 working days of receipt. The acknowledgment will be in writing and will indicate the date by which the Agency expects to make its initial determination.

(b) The Agency shall complete its consideration of requests to correct or amend records within 30 working days, and inform the requester of its initial determination.

(c) If it is determined that records should be corrected or amended in whole or in part, the Agency shall advise the requester in writing of its determination; and correct or amend the records accordingly. The Agency shall then advise prior recipients of the records of the fact that a correction or amendment was made and provide the substance of the change.

(d) If the Agency determines that a record should not be corrected or amended, in whole or in part, as requested by the individual, the Agency shall advise the requester in writing of its refusal to correct or amend the records and the reasons therefor. The notification will inform the requester that the refusal may be appealed administratively and will advise theindividual of the procedures for such appeals.

(a) An individual who disagrees with the denial or partial denial of his or her request for access, correction, or amendment of Agency records pertaining the himself/herself, may file a request for administrative review of such refusal within 30 days after the date of notification of the denial or partial denial.

(b) Such requests shall be made in writing and mailed to the FOIA/Privacy Act Division, Defense Threat Reduction Agency, 45045 Aviation Drive, Dulles, VA 20166-7517.

(c) The requester shall provide a brief written statement setting for the reasons for his or her disagreement with the initial determination and provide such additional supporting material as the individual feels necessary to justify the appeal.

(d) Within 30 working days of receipt of the request for review, the Agency shall advise the individual of the final disposition of the request.

(e) In those cases where the initial determination is reversed, the individual will be so informed and the Agency will take appropriate action.

(f) In those cases where the initial determination is sustained, the individual shall be advised:

(1) In the case of a request for access to a record, of theindividual's right to seek judicial review of the Agency refusal for access.

(2) In the case of a request to correct or amend the record:

(i) Of the individual's right to file a concise statement of his or her reasons for disagreeing with the Agency's decision in the record,

(ii) Of the procedures for filing a statement of the disagreement, and

(iii) Of the individual's right to seek judicial review of the Agency's refusal to correct or amend a record.

(a) General. No record contained in a system of records maintained by DTRA shall be disclosed by any means to any person or agency within or outside the Department of Defense without the request or consent of the subject of the record, except as described in 32 CFR 310.41, Appendix C to part 310, and/or a Defense Threat Reduction Agency system of records notice.

(b) Accounting of disclosures. Except for disclosures made to members of the DoD in connection with their official duties, anddisclosures required by the Freedom of Information Act, an accounting will be kept of all disclosures of records maintained in DTRA system of records.

(1) Accounting entries will normally be kept on a DTRA form, which will be maintained in the record file jacket, or in a document that is part of the record.

(2) Accounting entries will record the date, nature and purpose of each disclosure, and the name and address of the person or agency to whom the disclosure is made.

(3) Accounting records will be maintained for at least 5 years after the last disclosure, of for the life of the record, whichever is longer.

(4) Subjects of DTRA records will be given access to associated accounting records upon request, except for those disclosures made to law enforcement activities when the law enforcement activity has requested that the disclosure not be made, and/or as exempted under § 318.16.

Procedures and sanctions are set forth in 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310.

(a) Blanket routine uses. Certain ‘blanket routine uses’ of the records have been established that are applicable to every record system maintained within the Department of Defense unless specifically stated otherwise within a particular record system. These additional blanket routine uses of the records are published only once in the interest of simplicity, economy and to avoid redundancy.

(b) Routine Use—Law Enforcement. If a system of records maintained by a DoD Component, to carry out its functions, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the agency concerned, whether Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto.

(c) Routine Use—Disclosure When Requesting Information. A record from a system of records maintained by a Component may be disclosed as a routine use to a Federal, State, or local agency maintaining civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary to obtain information relevant to a Component decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit.

(d) Routine Use—Disclosure of Requested Information. A record from a system of records maintained by a Component may be disclosed to a Federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter.

(e) Routine Use—Congressional Inquiries. Disclosure from a system of records maintained by a Component may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

(f) Routine Use—Private Relief Legislation. Relevant information contained in all systems of records of the Department of Defense published on or before August 22, 1975, will be disclosed to the OMB in connection with the review of private relief legislation as set forth in OMB Circular A-19 at any stage of the legislative coordination and clearance process as set forth in that Circular.

(g) Routine Use—Disclosures Required by International Agreements. A record from a system of records maintained by a Component may be disclosed to foreign law enforcement, security, investigatory, or administrative authorities to comply with requirements imposed by, or to claim rights conferred in, international agreements and arrangements including those regulating the stationing and status in foreign countries of DoD military and civilian personnel.

(h) Routine Use—Disclosure to State and Local Taxing Authorities. Any information normally contained in Internal Revenue Service (IRS) Form W-2 which is maintained in a record from a system of records maintained by a Component may be disclosed to State and local taxing authorities with which the Secretary of the Treasury has entered into agreements under 5 U.S.C. 5516, 5517, and 5520 and only to those State and local taxing authorities for which an employee or military member is or was subject to tax regardless of whether tax is or was withheld. This routine use is in accordance with Treasury Fiscal Requirements Manual Bulletin No. 76-07.

(i) Routine Use—Disclosure to the Office of Personnel Management. A record from a system of records subject to the Privacy Act and maintained by a Component may be disclosed to the Office of Personnel Management (OPM) concerning information on pay and leave, benefits, retirement deduction, and any other information necessary for the OPM to carry out its legally authorized government-wide personnel management functions and studies.

(j) Routine Use—Disclosure to the Department of Justice for Litigation. A record from a system of records maintained by this component may be disclosed as a routine use to any component of the Department of Justice for the purpose of representing the Department of Defense, or any officer, employee or member of the Department in pending or potential litigation to which the record is pertinent.

(k) Routine Use—Disclosure to Military Banking Facilities Overseas. Information as to current military addresses and assignments may be provided to military banking facilities who provide banking services overseas and who are reimbursed by the Government for certain checking and loan losses. For personnel separated, discharged, or retired from the Armed Forces, information as to last known residential or home of record address may be provided to the military banking facility upon certification by a banking facility officer that the facility has a returned or dishonored check negotiated by the individual or the individual has defaulted on a loan and that if restitution is not made by the individual, the U.S. Government will be liable for the losses the facility may incur.

(l) Routine Use—Disclosure of Information to the General Services Administration (GSA). A record from a system of records maintained by this component may be disclosed as a routine use to the General Services Administration (GSA) for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.

(m) Routine Use—Disclosure of Information to the National Archives and Records Administration (NARA). A record from a system of records maintained by this component may be disclosed as a routine use to the National Archives and Records Administration (NARA) for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.

(n) Routine Use—Disclosure to the Merit Systems Protection Board. A record from a system of records maintained by this component may be disclosed as a routine use to the Merit Systems Protection Board, including the Office of the Special Counsel for the purpose of litigation, including administrative proceedings, appeals, special studies of the civil service and other merit systems, review of OPM or component rules and regulations, investigation of alleged or possible prohibited personnel practices; including administrative proceedings involving any individual subject of a DoD investigation, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as may be authorized by law.

(o) Routine Use—Counterintelligence Purpose. A record from a system of records maintained by this component may be disclosed as a routine use outside the DoD or the U.S. Government for the purpose of counterintelligence activities authorized by U.S. Law or Executive Order or for the purpose of enforcing laws which protect the national security of the United States.

(a) DTRA personnel shall:

(1) Take such actions, as considered appropriate, to ensure that personal information contained in a system of records, to which they have access or are using incident to the conduct of official business, shall be protected so that the security and confidentiality of the information shall be preserved.

(2) Not disclose any personal information contained in any system of records except as authorized by 32 CFR part 310 or other applicable law or regulation. Personnel willfully making such a disclosure when knowing the disclosure is prohibited are subject to possible criminal penalties and/or administrative sanctions.

(3) Report any unauthorized disclosure of personal information from a system of records or the maintenance of any system of records that are not authorized by the Instruction to the DTRA Privacy Act Officer.

(b) DTRA system managers for each system of records shall:

(1) Ensure that all personnel who either have access to the system of records or who shall develop or supervise procedures for the handling of records in the system of records shall be aware of their responsibilities for protecting personnel information being collected and maintained under the DTRA Privacy Program.

(2) Promptly notify the Privacy Act Officer of any required new, amended, or altered system notices for the system of records.

(3) Not maintain any official files on individuals, which are retrieved by name or other personal identifier without first ensuring that a notice for the system of records shall have been published in the “Federal Register.” Any official who willfully maintains a system of records without meeting the publication requirements, as prescribed by 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310, is subject to possible criminal penalties and/or administrative sanctions.

(a) Exemption for classified material. All systems of records maintained by the Defense Threat Reduction Agency shall be exempt under section (k)(1) of 5 U.S.C. 552a, to the extent that the systems contain any information properly classified under E.O. 12598 and that is required by that E.O. to be kept secret in the interest of national defense or foreign policy. This exemption is applicable to parts of all systems of records including those not otherwise specifically designated for exemptions herein which contain isolated items of properly classified information.

(b) System identifier and name: HDTRA 007, Security Operations.

(1) Exemption: Portions of this system of records may be exempt from the provisions of 5 U.S.C. 552a(c)(3), (d)(1) through (d)(4), (e)(1), (e)(4)(G), (H), (I), and (f).

(2) Authority: 5 U.S.C. 552a(k)(5).

(3) Reasons: (i) From subsection (c)(3) because it will enable DTRA to safeguard certain investigations and relay law enforcement information without compromise of the information, and protect the identities of confidential sources who might not otherwise come forward and who have furnished information under an express promise that the sources' identity would be held in confidence (or prior to the effective date of the Act, under an implied promise.)

(ii) From subsection (d)(1) through (d)(4) and (f) because providing access to records of a civil investigation and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of security investigations. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding.

(iii) From subsection (e)(1), (e)(4)(G), (H), (I) because it will provide protection against notification of investigatory material including certain reciprocal investigations and counterintelligence information, which might alert a subject to the fact that an investigation of that individual is taking place, and the disclosure of which would weaken the on-going investigation, reveal investigatory techniques, and place confidential informants in jeopardy who furnished information; under an express promise that the sources' identity would be held in confidence (or prior to the effective date of the Act, under an implied promise.)

(c) System identifier and name: HDTRA 011, Inspector General Investigation Files.

(1) Exemption: Portions of this system of records may be exempt from the provisions of 5 U.S.C. 552a(c)(3); (d)(1) through (4); (e)(1); (e)(4)(G), (H), and (I); and (f).

(2) Authority: 5 U.S.C. 552a(k)(2).

(3) Reasons: (i) From subsection (c)(3) because it will enable DTRA to conduct certain investigations and relay law enforcement information without compromise of the information, protection of investigative techniques and efforts employed, and identities of confidential sources who might not otherwise come forward and who furnished information under an express promise that the sources' identity would be held in confidence (or prior to the effective date of the Act, under an implied promise.)

(ii) From subsection (d)(1) through (d)(4) and (f) because providing access to records of a civil investigation and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding.

(iii) From subsection (e)(1), (e)(4)(G), (H), and (I) because it will provide protection against notification of investigatory material including certain reciprocal investigations and counterintelligence information, which might alert a subject to the fact that an investigation of that individual is taking place, and the disclosure of which would weaken the on-going investigation, reveal investigatory techniques, and place confidential informants in jeopardy who furnished information under an express promise that the sources' identity would be held in confidence (or prior to the effective date of the Act, under an implied promise).

Pursuant to the requirements of section 553 of Title 5 of the United States Code, the Defense Intelligence Agency promulgates its rules for the implementation of the Privacy Act of 1974, Pub. L. 93-579, 5 U.S.C. 552a (f) and (k).

(a) To promulgate rules providing procedures by which individuals may exercise their rights granted by the act to:

(1) Determine whether a Defense Intelligence Agency system of records contains a record pertaining to themselves;

(2) Be granted access to all or portions thereof;

(3) Request administrative correction or amendment of such records;

(4) Request an accounting of disclosures from such records; and

(5) Appeal any adverse determination for access or correction/amendment of records.

(b) To set forth Agency policy and fee schedule for cost of duplication.

(c) To identify records subject to the provisions of these rules.

(d) To specify those systems of records for which the Director, Defense Intelligence Agency, claims an exemption.

(a) Any individual who is a citizen of the United States or an alien lawfully admitted for permanent residence in the United States may submit an inquiry to the Defense Intelligence Agency.

(b) These rules apply to those systems of records:

(1) Maintained by the Defense Intelligence Agency;

(2) For which the Defense Intelligence Agency prescribes the content and disposition pursuant to statute or executive order of the President, which may be in the physical custody of another Federal agency;

(3) Not exempted from certain provisions of the act by the Director, Defense Intelligence Agency.

(c) The Defense Intelligence Agency may have physical custody of the official records of another Federal agency which exercises dominion and control over the records, their content, and access thereto. In such cases, the Defense Intelligence Agency maintenance of the records is considered subject to the rules of the other Federal agency. Except for a request for a determination of the existence of the record, when the Defense Intelligence Agency receives requests related to these records, the DIA will immediately refer the request to the controlling agency for all decisions regarding the request and will notify the individual making the request of the referral.

(d) Records subject to provisions of the Act which are transferred to the Washington National Records Center for storage shall be considered to be maintained by the Defense Intelligence Agency. Disclosure from such records—to other than an element of the Defense Intelligence Agency—can only be made with the prior approval of the Defense Intelligence Agency.

(e) Records subject to provisions of the act which are transferred to the National Archives shall be considered to be maintained by the National Archives and are no longer records of the Agency.

(a) All terms used in this part which are defined in 5 U.S.C. 552a shall have the same meaning herein.

(b) As used in this part:

(1) The term Act means the Privacy Act of 1974, Pub. L. 93-579, 5 U.S.C. 552a.

(2) The term Agency means the Defense Intelligence Agency.

(a) An individual seeking notification of whether a system of records, maintained by the Defense Intelligence Agency, contains a record pertaining to himself/herself and who desires to review, have copies made of such records, or to be provided an accounting of disclosures from such records, shall submit his or her request in writing. Requesters are encouraged to review the systems of records notices published by the Agency so as to specifically identify the particular record system(s) of interest to be accessed.

(b) In addition to meeting the requirements set forth in § 319.5 of this part, the individual seeking notification, review or copies, and an accounting of disclosures will provide in writing his or her full name, address, social security account number or date of birth and a telephone number where the requester can be contacted should questions arise concerning his or her request. This information will be used only for the purpose of identifying relevant records in response to an individual's inquiry. It is further recommended that individuals indicate any present or past relationship or affiliations, if any, with the Agency and the appropriate dates in order to facilitate a more thorough search of the record system specified and any other system which may contain information concerning the individual. A signed notarized statement may also be required.

(c) An individual who wishes to be accompanied by another individual when reviewing his or her records, must provide the Agency with written consent authorizing the Agency to disclose or discuss such records in the presence of the accompanying individual.

(d) A request for medical records must be submitted as set forth in § 319.7, of this part.

(e) Individuals should mail their written request to the Defense Intelligence Agency, DSP-1A, Washington, DC 20340-3299 and indicate clearly on the outer envelope “Privacy Act Request”.

(f) An individual who makes a request on behalf of a minor or legal incompetent shall provide a signed notarized statement affirming the relationship.

(g) When an individual wishes to authorize another person access to his or her records, the individual shall provide a signed notarized statement authorizing and consenting to access by the designated person.

(h) Except as provided by section 552a(b) of the act, 5 U.S.C. 552a(b), the written request or prior written consent of the individual to whom a record pertains shall be required before such record is disclosed to any person or to another agency outside the Department of Defense.

(i) Any person who knowingly and willfully requests or obtains any record concerning an individual from this Agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.

The Defense Intelligence Agency, upon receiving a request for notification of the existence of a record or for access to a record, shall:

(a) Determine whether such record exists;

(b) Determine whether access is available under the Privacy Act;

(c) Notify the requester of those determinations within 10 days (excluding Saturday, Sunday and legal public holidays); and

(d) Provide access to information pertaining to that person which has been determined to be available.

Medical records, requested pursuant to § 319.5 of this part, will be disclosed to the requester unless the disclosure of such records directly to the requester could, in the judgment of a physician, have an adverse effect on the physical or mental health or safety and welfare of the requester or other persons with whom he may have contact. In such an instance, the information will be transmitted to a physician named by the requester or to a person qualified to make a psychiatric or medical determination.

(a) An individual may request that the Defense Intelligence Agency correct, amend, or expunge any record, or portions thereof, pertaining to the requester that he believes to be inaccurate, irrelevant, untimely, or incomplete.

(b) Such requests shall be in writing and may be mailed to DSP-1A as indicated in § 319.5.

(c) The requester shall provide sufficient information to identify the record and furnish material to substantiate the reasons for requesting corrections, amendments or expurgation.

(a) The Agency will acknowledge a request for correction or amendment of a record within 10 days (excluding Saturday, Sunday, and legal public holidays) of receipt. The acknowledgment will be in writing and will indicate the date by which the Agency expects to make its initial determination.

(b) The Agency shall complete its consideration of requests to correct or amend records within 30 days (excluding Saturday, Sunday, and legal holidays) and inform the requester of its initial determination.

(c) If it is determined that records should be corrected or amended in whole or in part, the Agency shall advise the requester in writing of its determination; and correct or amend the records accordingly. The Agency shall then advise prior recipients of the records of the fact that a correction or amendment was made and provide the substance of the change.

(d) If the Agency determines that a record should not be corrected or amended, in whole or in part, as requested by the individual, the Agency shall advise the requester in writing of its refusal to correct or amend the records and the reasons therefor. The notification will inform the requester that the refusal may be appealed administratively and will advise the individual of the procedures for such appeals.

(a) An individual who disagrees with the denial or partial denial of his or her request for access, correction, or amendment of Agency records pertaining to himself/herself, may file a request for administrative review of such refusal within 30 days after the date of notification of the denial or partial denial.

(b) Such requests should be in writing and may be mailed to RTS-1 as indicated in § 319.5.

(c) The requester shall provide a brief written statement setting forth the reasons for his or her disagreement with the initial determination and provide such additional supporting material as the individual feels necessary to justify his or her appeal.

(d) Within 30 days (excluding Saturday, Sunday, and legal public holidays) of the receipt of request for review, the Agency shall advise the individual of the final disposition of his or her request.

(e) In those cases where the initial determination is reversed, the individual will be so informed and the Agency will take appropriate action.

(f) In those cases where the initial determinations are sustained, the individual shall be advised:

(1) In the case of a request for access to a record, of the individual's right to seek judicial review of the Agency refusal for access.

(2) In the case of a request to correct or amend the record:

(i) Of the individual's right to file with record in question a concise statement of his or her reasons for disagreeing with the Agency's decision,

(ii) Of the procedures for filing a statement of disagreement, and

(iii) Of the individual's right to seek judicial review of the Agency's refusal to correct or amend a record.

(a) The schedule of fees chargeable is contained at § 286.60 et seq. As a component of the Department of Defense, the applicable published Departmental rules and schedules with respect to fees will also be the policy of DIA.

(b) Current employees of the Agency will not be charged for the first copy of a record provided by the Agency.

(c) In the absence of an agreement to pay required anticipated costs, the time for responding to a request begins on resolution of this agreement to pay.

(d) The fees may be paid by check, draft or postal money order payable to the Treasurer of the United States. Remittance will be forwarded to the office designated in § 319.5(e).

(a) All systems of records maintained by the Director Intelligence Agency shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive order to be kept secret in the interest of national defense or foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not specifically designated for exemption may contain isolated information which has been properly classified.

(b) The Director, Defense Intelligence Agency, designated the systems of records listed below for exemptions under the specified provisions of the Privacy Act of 1974, as amended (Pub. L. 93-579):

(c) System identification and name: LDIA 0271, Investigations and Complaints.

(1) Exemption: Any portion of this record system which falls within the provisions of 5 U.S.C. 552a(k) (2) and (5) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), and (e)(4)(I).

(2) Authority: 5 U.S.C. 552a(k) (2) and (5).

(3) Reasons: The reasons for asserting these exemptions are to ensure the integrity of the Inspector General process within the Agency. The execution requires that information be provided in a free and open manner without fear of retribution or harassment in order to facilitate a just, thorough and timely resolution of the complaint or inquiry. Disclosures from this system can enable individuals to conceal their wrongdoing or mislead the course of the investigation by concealing, destroying or fabricating evidence or documents. Also, disclosures can subject sources and witnesses to harassment or intimidation which may cause individuals not to seek redress for wrongs through Inspector General channels for fear of retribution or harassment.

(d) System identification and name: LDIA 0275, DoD Hotline Referrals.

(1) Exemption: Any portion of this record system which falls within the provisions of 5 U.S.C. 552a(k) (2) and (5) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), and (e)(4)(I).

(2) Authority: 5 U.S.C. 552a(k) (2) and (5).

(3) Reason: The reasons for asserting these exemptions are to ensure that informants can report instances of fraud and mismanagement without fear of reprisal or unauthorized disclosure of their identity. The execution of this function requires that information be provided in a free and open manner without fear of retribution of harassment in order to facilitate a just, thorough and timely resolution of the case. These records are privileged Director, DIA, documents and information contained therein is not routinely released or disclosed to anyone.

(e) System identification and name: LDIA 0660, Security Files.

(1) Exemption: Any portion of this record system which falls within the provisions of 5 U.S.C. 552a(k) (2) and (5) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), and (e)(4)(I).

(2) Authority: 5 U.S.C. 552a(k) (2) and (5).

(3) Reason: The reasons for asserting these exemptions are to ensure the integrity of the adjudication process used by the Agency to determine the suitability, eligibility or qualification for Federal service with the Agency and to make determinations concerning the questions of access to classified materials and activities. The proper execution of this function requires that the Agency have the ability to obtain candid and necessary information in order to fully develop or resolve pertinent information developed in the process. Potential sources, out of fear or retaliation, exposure or other action, may be unwilling to provide needed information or may not be sufficiently frank to be a value in personnel screening, thereby seriously interfering with the proper conduct and adjudication of such matters.

(f) System identification and name: LDIA 0800, Operation Record System.

(1) Exemption: Any portion of this record system which falls within the provisions of 5 U.S.C. 552a(k) (2) and (5) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), and (e)(4)(I).

(2) Authority: 5 U.S.C. 552a(k) (2) and (5).

(3) Reason: The reasons for asserting these exemptions are to ensure the integrity of ongoing foreign intelligence collection and/or training activities conducted by the Defense Intelligence Agency and the Department of Defense. The execution of these functions requires that information in response to national level intelligence requirements be provided in a free and open manner without fear of retribution or unauthorized disclosure. Disclosures from this system can jeopardize sensitive sources and methodology.

(a) This part is published pursuant to the Privacy Act of 1974, as amended (5 U.S.C. 552a), (hereinafter the “Privacy Act”). This part:

(1) Establishes or advises of the procedures whereby an individual can:

(i) Request notification of whether the National Imagery and Mapping Agency (NIMA) maintains or has disclosed a record pertaining to him in any nonexempt system of records,

(ii) Request a copy or other access to such a record or to an accounting of its disclosure,

(iii) Request that the record be amended and

(iv) Appeal any initial adverse determination of any such request;

(2) Specifies those systems of records which the Director, Headquarters NIMA has determined to be exempt from the procedures established by this regulation and from certain provisions of the Privacy Act. NIMA policy encompasses the safeguarding of individual privacy from any misuse of NIMA records and the provision of the fullest access practicable to individuals to NIMA records concerning them.

As used in this part:

(a) Appellate authority (AA). A NIMA employee who has been granted authority to review the decision of the Initial Denial Authority (IDA) that has been appealed by the Privacy Act requester and make the appeal determination for NIMA on the release ability of the records in question.

(b) Individual. A living person who is a citizen of the United States or an alien lawfully admitted for permanent residence. The parent of a minor or the legal guardian of any individual also may act on behalf of an individual. Corporations, partnerships, sole proprietorships, professional groups, businesses, whether incorporated or unincorporated, and other commercial entities are not “individuals”.

(c) Initial denial authority (IDA). A NIMA employee, or designee, who has been granted authority to make an initial determination for NIMA that records requested in a Privacy Act request should be withheld from disclosure or release.

(d) Maintain. Includes maintain, collect, use or disseminate.

(e) Personal information. Information about an individual that identifies, relates to or is unique to, or describes him or her; e.g., a social security number, age, military rank, civilian grade, marital status, race, or salary, home/office phone numbers, etc.

(f) Record. Any item, collection, or grouping of information, whatever the storage media (e.g., paper, electronic, etc.), about an individual that is maintained by NIMA, including, but not limited to education, financial transactions, medical history, criminal or employment history, and that contains the individual's name or the identifying number, symbol or other identifying particulars assigned to the individual such as a finger or voice print or a photograph.

(g) Routine use. The disclosure of a record outside the Department of Defense for a use that is compatible with the purpose for which the information was collected and maintained by the Department of Defense. The routine use must be included in the published system notice for the system of records involved.

(h) System of records. A group of records under the control of NIMA from which personal information is retrieved by the individual's name or by some identifying number, symbol, or other identifying particular assigned to the individual.

(i) System manger. The NIMA official who is responsible for the operation and management of a system of records.

(a) Director of NIMA:

(1) Implements the NIMA privacy program.

(2) Designates the Director of the Public Affairs Office as the NIMA Initial Denial Authority;

(3) Designates the Chief of Staff as the Appellate Authority.

(4) Designates the General Counsel as the NIMA Privacy Act Officer and the principal point of contact for matters involving the NIMA privacy program.

(b) NIMA General Counsel:

(1) Oversees systems of records maintained throughout NIMA, administered by Information Services. This includes coordinating all notices of new systems of records and changes to existing systems for publication in the Federal Register.

(2) Coordinates all denials of requests for access to or amendment of records.

(3) Assesses and collects fees for costs associated with processing Privacy Act requests and approves or denies requests for fee waivers. Fees collected are forwarded through Financial Management Directorate to the U.S. Treasury.

(4) Prepares the annual report to the Defense Privacy Office.

(5) Oversees investigations of allegations of unauthorized maintenance, disclosure, or destruction of records.

(6) Conducts or coordinates Privacy Act training for NIMA personnel as needed, including training for public affairs officers and others who deal with the public and news media.

(c) NIMA System Managers:

(1) Ensure that all personnel who either have access to a system of records or who are engaged in developing or supervising procedures for handling records in a system of records are aware of their responsibilities for protecting personal information.

(2) Prepare notices of new systems of records and changes to existing systems for publication in the Federal Register.

(3) Ensure that no records subject to this part are maintained for which a systems notice has not been published.

(4) Respond to requests by individuals for access, correction, or amendment to records maintained pursuant to the NIMA privacy program.

(5) Provide recommendations to General Counsel for responses to requests from individuals for access, correction, or amendment to records.

(6) Safeguard records to ensure that they are protected from unauthorized alteration or disclosure.

(7) Dispose of records in accordance with accepted records management practices to prevent inadvertent compromise. Disposal methods such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction.

(a) Upon request in person or by mail, any individual, as defined in § 320.2, shall be informed whether or not any NIMA system of records contains a record pertaining to him.

(b) Any individual requesting such information in person may appear at NIMA General Counsel Office (refer to the NIMA address list at paragraph (e) of this section) or at the NIMA office thought to maintain the record in question and shall provide:

(1) Information sufficient to identify the record, e.g., the individual's own name, date of birth, place of birth, and, if possible, an indication of the type of record believed to contain information concerning the individual, and

(2) Acceptable identification to verify the individual's identity, e.g., driver's license, employee identification card or Medicare card.

(c) Any individual requesting such information by mail shall address the request to the Office of General Counsel (refer to paragraph (e) of this section) or NIMA office thought to maintain the record in question and shall include in such request the following:

(1) Information sufficient to identify the record, e.g., the individual's own name, date of birth, place of birth, and, if possible, an indication of the type of record believed to contain information concerning the individual, and

(2) A notarized statement or unsworn declaration in accordance with 28 U.S.C. 1746 to verify the individual's identity, if, in the opinion of the NIMA system manager, the sensitivity of the material involved warrants.

(d) NIMA procedures on requests for information. Upon receipt of a request for information made in accordance with these regulations, notice of the existence or nonexistence of any records described in such requests will be furnished to the requesting party within ten working days of receipt.

(e) Written requests for access to records should be sent to NIMA Bethesda, ATTN: NIMA/GC, Mail Stop D-10, 4600 Sangamore Road, Bethesda, MD 20816-5003.

(f) Requests for information made under the Freedom of Information Act are processed in accordance with “DoD Freedom of Information Act Program Regulation” (32 CFR part 286).

(g) Requests for personal information from the Government Accounting Office (GAO) are processed in accordance with DoD Directive 7650.1 1 “GAO Access to Records”.

(a) Upon request by an individual made in accordance with the procedures set forth in this section, such individual shall be granted access to any pertinent record which is contained in a nonexempt NIMA system of records. However, nothing in this section shall allow an individual access to any information compiled by NIMA in reasonable anticipation of a civil or criminal action or proceeding.

(b) Procedures for requests for access to records. Any individual may request access to a pertinent NIMA record in person or by mail.

(1) Any individual making such request in person shall appear at Office of General Counsel, NIMA Bethesda, ATTN: NIMA/GC, Mail Stop D-10, 4600 Sangamore Road, Bethesda, MD 20816-5003, and shall provide identification to verify the individuals' identity, e.g., driver's license, employee identification card, or Medicare card.

(2) Any individual making a request for access to records by mail shall address such request to the Office of General Counsel, NIMA Bethesda, ATTN: NIMA/GC, Mail Stop D-10, 4600 Sangamore Road, Bethesda, MD 20816-5003; and shall include therein a signed, notarized statement, or an unsworn statement or declaration in accordance with 28 U.S.C. 1746, to verify identity.

(3) Any individual requesting access to records under this section in person may be accompanied by a person of the individual's own choosing while reviewing the record requested. If an individual elects to be so accompanied, said individual shall give notice of such election in the request and shall provide a written statement authorizing disclosure of the record in the presence of the accompanying person. Failure to so notify NIMA in a request for access shall be deemed to be a decision by the individual not to be accompanied.

(c) NIMA determination of requests for access.

(1) Upon receipt of a request made in accordance with this section, the NIMA Office of General Counsel or NIMA office having responsibility for maintenance of the record in question shall release the record, or refer it to an Initial Denial Authority, who shall:

(i) Determine whether such request shall be granted.

(ii) Make such determination and provide notification within 30 working days after receipt of such request.

(iii) Notify the individual that fees for reproducing copies of records will be assessed and should be remitted before the copies may be delivered. Fee schedule and rules for assessing fees are contained in § 320.9.

(iv) Requests for access to personal records may be denied only by an agency official authorized to act as an Initial Denial Authority or Final Denial Authority, after coordination with the Office of General Counsel.

(2) If access to a record is denied because such information has been compiled by NIMA in reasonable anticipation of a civil or criminal action or proceeding, the individual will be notified of such determination and his right to judicial appeal under 5 U.S.C. 552a(g).

(d) Manner of providing access.

(1) If access is granted, the individual making the request shall notify NIMA whether the records requested are to be copied and mailed.

(2) If the records are to be made available for personal inspection the individual shall arrange for a mutually agreeable time and place for inspection of the record. NIMA reserves the right to require the presence of a NIMA officer or employee during personal inspection of any record pursuant to this section and to request of the individual that a signed acknowledgment of the fact be provided that access to the record in question was granted by NIMA.

(a) Any individual may request amendment of a record pertaining to said individual.

(b) After inspection of a pertinent record, the individual may file a request in writing with the NIMA Office of General Counsel for amendment. Such requests shall specify the particular portions of the record to be amended, the desired amendments and the reasons, supported by documentary proof, if available.

(a) Not later than 10 working days after receipt of a request to amend a record, in whole or in part, the NIMA Office of General Counsel, or NIMA office having responsibility for maintenance of the record in question, shall correct any portion of the record which the individual demonstrates is not accurate, relevant, timely or complete, and thereafter either inform the individual of such correction or process the request for denial.

(b) Denials of requests for amendment of a record will be made only by an agency official authorized to act as an Initial Denial Authority, after coordination with the Office of General Counsel. The denial letter will inform the individual of the denial to amend the record setting forth the reasons therefor and notifying the individual of his right to appeal the decision to NIMA.

(c) Any person or other agency to whom the record has been previously disclosed shall be informed of any correction or notation of dispute with respect to such records.

(d) These provisions for amending records are not intended to permit the alteration of evidence previously presented during any administrative or quasi-judicial proceeding, such as an employee grievance case. Any changes in such records should be made only through the established procedures for such cases. Further, these provisions are not designed to permit collateral attack upon what has already been the subject of an administrative or quasi-judicial action. For example, an individual may not use this procedure to challenge the final decision on a grievance, but the individual would be able to challenge the fact that such action has been incorrectly recorded in his file.

(a) An individual whose request for amendment of a record pertaining to him may further request a review of such determination in accordance with this section.

(b) Not later than 30 working days following receipt of notification of denial to amend, an individual may file an appeal of such decision with NIMA. The appeal shall be in writing, mailed or delivered to NIMA, ATTN: Mail Stop D-10, 4600 Sangamore Road, Bethesda, MD 20816-5003. The appeal must identify the records involved, indicate the dates of the request and adverse determination, and indicate the express basis for that determination. In addition, the letter of appeal shall state briefly and succinctly the reasons why the adverse determination should be reversed.

(c) Upon appeal from a denial to amend a record the NIMA Appellate Authority or designee shall make a determination whether to amend the record and must notify the individual of that determination by mail, not later than 10 working days after receipt of such appeal, unless extended pursuant to paragraph (d) of this section.

(1) The Appellate Authority or designee shall also notify the individual of the provisions of the Privacy Act of 1974 regarding judicial review of the NIMA Appellate Authority's determination.

(2) If on appeal the denial to amend the record is upheld, the individual shall be permitted to file a statement setting forth the reasons for disagreement with the Appellate Authority's determination and such statement shall be appended to the record in question.

(d) The Appellate Authority or designee may extend up to 30 days the time period in which to make a determination on an appeal from denial to amend a record for the reason that a fair and equitable review cannot be completed within the prescribed time period.

(a) No officer or employee of NIMA will disclose any record which is contained in a system of records, by any means of communication to any person or agency within or outside the Department of Defense without the request or consent of the individual to whom the record pertains, except as described in to 32 CFR 310.41; Appendix C to part 310 of this chapter; and/or a NIMA Privacy Act system of records notice.

(b) Any such record may be disclosed to any person or other agency only upon written request, of the individual to whom the record pertains.

(c) In the absence of a written consent from the individual to whom the record pertains, such record may be disclosed only provided such disclosure is:

(1) To those officers and employees of the DoD who have a need for the record in the performance of their duties.

(2) Required under the Freedom of Information Act (32 CFR part 286).

(3) For a routine use established within the system of records notice.

(4) To the Bureau of Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of title 13.

(5) To a recipient who has provided the NIMA with adequate advance written assurance that the record will be used solely as a statistical research or reporting record and the record is transferred in a form that is not individually identifiable and will not be used to make any decisions about the rights, benefits or entitlements of an individual.

(6) To the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the U.S. Government or for evaluation by the Administrator of the General Services Administration or his designee to determine whether the record has such value.

(7) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the U.S. for a civil or criminal law enforcement activity authorized by law, provided the head of the agency or instrumentality has made a prior written request to the Director, NIMA specifying the particular record and the law enforcement activity for which it is sought.

(8) To a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual, if upon such disclosure notification is transmitted to the last known address of such individual.

(9) To either house of Congress, and, to the extent of the matter within its jurisdiction, any committee or subcommittee or joint committee of Congress.

(10) To the Comptroller General or any of his authorized representatives in the course of the performance of the duties of the GAO.

(11) Under an order of a court of competent jurisdiction.

(12) To a consumer reporting agency in accordance with section 3711(f) of title 31.

(d) Except for disclosures made pursuant to paragraphs (c)(1) and (2) of this section, an accurate accounting will be kept of the data, nature and purpose of each disclosure of a record to any person or agency, and the name and address of the person or agency to whom the disclosure was made. The accounting of disclosures will be made available for review by the subject of a record at his request except for disclosures made pursuant to paragraph (c)(7) of this section. If an accounting of disclosure has been made, any person or agency contained therein will be informed of any correction or notation of dispute made pursuant to section 320.6 of this part.

Individuals may request copies for retention of any documents to which they are granted access to NIMA records pertaining to them. Requesters will not be charged for the first copy of any records provided; however, duplicate copies will require a charge to cover costs of reproduction. Such charges will be computed in accordance with 32 CFR part 310.

The Privacy Act of 1974 (5 U.S.C. 552a(i)(3)) makes it a misdemeanor subject to a maximum fine of $5,000, to knowingly and willfully request or obtain any record concerning an individual under false pretenses. The Act also establishes similar penalties for violations by NIMA employees of the Act or regulations established thereunder.

(a) Exempt systems of record. All systems of records maintained by the NIMA and its components shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and that is required by Executive Order to be withheld in the interest of national defense or foreign policy. This exemption is applicable to parts of all systems of records, including those not otherwise specifically designated for exemptions herein, which contain isolated items of properly classified information.

(b) [Reserved]

(a) This part establishes rules, policies and procedures for the disclosure of personal records in the custody of the Defense Security Service (DSS) to the individual subjects, the handling of requests for amendment or correction of such records, appeal and review of DSS decisions on these matters, and the application of general and specific exemptions, under the provisions of the Privacy Act of 1974. It also prescribes other policies and procedures to effect compliance with the Privacy Act of 1974 and DoD Directive 5400.11 1 .

(b) The procedures set forth in this part do not apply to DSS personnel seeking access to records pertaining to themselves which previously have been available. DSS personnel will continue to be granted ready access to their personnel, security, and other records by making arrangements directly with the maintaining office. DSS personnel should contact the Office of Freedom of Information and Privacy, DSSHQ, for access to investigatory records pertaining to themselves or any assistance in obtaining access to other records pertaining to themselves, and may follow the procedures outlined in these rules in any case.

(a) All terms used in this part which are defined in 5 U.S.C. 552a shall have the same meaning herein.

(b) As used in this part, the term agency means the Defense Security Service.

(a) General. Any individual may request and receive notification of whether he is the subject of a record in any system of records maintained by DSS using the information and procedures described in this section.

(1) Paragraphs (b) and (c) of this section give information that will assist an individual in determining in what systems of DSS records (if any) he may be the subject. This information is presented as a convenience to the individual in that he may avoid consulting the lengthy systems notices elsewhere in the Federal Register.

(2) Paragraph (d) of this section details the procedure an individual should use to contact DSS and request notification. It will be helpful if the individual states what his connection with DSS has or may have been, and about what record system(s) he is inquiring. Such information is not required, but its absence may cause some delay.

(b) DSS Records Systems. A list of DSS records systems is available by contacting Defense Security Service, Office of FOI and Privacy, 1340 Braddock Place, Alexandria, VA, 22314-1551.

(c) Categories of individuals in DSS Record Systems. (1) Any person who is the subject or co-subject of an ongoing or completed investigation by DSS should have an investigative case file/record in system V5-01, if the record meets retention criteria. An index to such files should be in V5-02.

(2) If an individual has ever made a formal request to DSS under the Freedom of Information Act or the Privacy Act of 1974, a record pertaining to that request under the name of the requester, or subject matter, will be in system V1-01.

(3) Persons of Counterintelligence interest who have solicited from industrial contractors/DoD installations information which may appear to be sensitive in nature may have a record in system V5-04.

(4) Individuals who have been applicants for employment with DSS, or nominees for assignment to DSS, but who have not completed their DSS affiliation, may be subjects in systems V4-04, V5-01, V5-02, V5-03, or V6-01.

(5) Any individual who is a subject, victim or cross-referenced personally in an investigation by an investigative element of any DoD component, may be referenced in the Defense Clearance and Investigations Index, system V5-02, in an index to the location, file number, and custodian of the case record.

(6) Individuals who have ever presented a complaint to or have been connected with a DSS Inspector General inquiry may be subjects of records in system V2-01.

(7) If an individual has ever attended the Defense Industrial Security Institute or completed training with the DSS Training Office he should be subject of a record in V7-01.

(8) If an individual has ever been a guest speaker or instructor at the Defense Industrial Security Institute, he should be the subject of a record in V7-01.

(9) If an individual is an employee or major stockholder of a government contractor or other DoD-affiliated company or agency and has been issued, now possesses or has been processed for a security clearance, he may be subject to a record in V5-03.

(d) Procedures. The following procedures should be followed to determine if an individual is a subject of records maintained by DSS, and to request notification and access.

(1) Individuals should submit inquiries in person or by mail to the Defense Security Service, Office of FOI and Privacy, 1340 Braddock Place, Alexandria, VA 22314-1651. Inquiries by personal appearance should be made Monday through Friday from 8:30 to 11:30 a.m. and 1:00 to 4:00 p.m. The information requested in Sec. 321.4 must be provided if records are to be accurately identified. Telephonic requests for records will not be honored. In a case where the system of records is not specified in the request, only systems that would reasonably contain records of the individual will be checked, as described in paragraph (b) of this section.

(2) Only the Director or Chief, Office of FOI and Privacy may authorize exemptions to notification of individuals in accordance with § 321.13.

(a) General. Only upon proper identification, made in accordance with the provisions of this section, will any individual be granted notification concerning and access to all releasable records pertaining to him which are maintained in a DSS system.

(b) Identification. Identification of individuals is required both for accurate record identification and to verify identity in order to avoid disclosing records to unauthorized persons. Individuals who request notification of, access to, or amendment of records pertaining to themselves, must provide their full name (and additional names such as aliases, maiden names, alternate spellings, etc., if a check of these variants is desired), date and place of birth, and social security number (SSN).

(1) Where reply by mail is requested, a mailing address is required, and a telephone number is recommended to expedite certain matters. For military requesters residing in the United States, home address or P.O. Box number is preferred in lieu of duty assignment address.

(2) Signatures must be notarized on requests received by mail. Exceptions may be made when the requester is well known to releasing officials. For requests made in person, a photo identification card, such as military ID, driver's license or building pass, must be presented.

(3) While it is not required as a condition of receiving notification, in many cases the SSN may be necessary to obtain an accurate search of DCII (V5-02) records.

(c) A DSS Form 30 (Request for Notification of/Access to Personal Records) will be provided to any individual inquiring about records pertaining to himself whose mailed request was not notarized. This form is also available at the DSS Office of FOI and Privacy, 1340 Braddock Place, Alexandria, VA 22314-1651, for those who make their requests in person.

(a) General. (1) Individuals may request access to records pertaining to themselves in person or by mail in accordance with this section. However, nothing in this section shall allow an individual access to any information compiled or maintained by DSS in reasonable anticipation of a civil or criminal action or proceeding, or otherwise exempted under the provisions of § 321.13.

(2) A request for a pending personnel security investigation will be held in abeyance until completion of the investigation and the requester will be so notified.

(b) Manner of access. (1) Requests by mail or in person for access to DSS records should be made to the DSS Office of FOI and Privacy, 1340 Braddock Place, Alexandria, VA 22314-1651.

(2) Any individual who makes a request for access in person shall:

(i) Provide identification as specified in Sec. 321.4.

(ii) Complete and sign a request form.

(3) Any individual making a request for access to records by mail shall include a signed and notarized statement to verify his identity, which may be the DSS request form if he has received one.

(4) Any individual requesting access to records in person may be accompanied by an identified person of his own choosing while reviewing the record. If the individual elects to be accompanied, he shall make this known in his written request, and include a statement authorizing disclosure of the record contents to the accompanying person. Without written authorization of the subject individual, records will not be disclosed to third parties accompanying the subject.

(5) During the course of official business, members of DSS field elements may be given access to records maintained by the field elements/Operations Center without referral to the Office of FOI and Privacy. An account of such access will be kept for reporting purposes.

(6) In all requests for access, the requester must state whether he or she desires access in person or mailed copies of records. During personal access, where copies are made for retention, a fee for reproduction and postage may be assessed as provided in Sec. 321.11. Where copies are mailed because personal appearance is impractical, there will be no fee.

(7) All individuals who are not affiliates of DSS will be given access to records, if authorized, in the Office of FOI and Privacy, or by means of mailed copies.

General. Medical records that are part of DSS records systems will generally be included with those records when access is granted to the subject to which they pertain. However, if it is determined that such access could have an adverse effect upon the individual's physical or mental health, the medical record in question will be released only to a physician named by the requesting individual.

(a) General. Upon request and proper identification by any individual who has been granted access to DSS records pertaining to himself or herself, that individual may request, either in person or through the mail, that the record be amended. Such a request must be made in writing and addressed to the Defense Security Service, Office of FOI and Privacy, 1340 Braddock Place, Alexandria, VA 22314-1651.

(b) Content. The following information must be included to insure effective action on the request:

(1) Description of the record. Requesters should specify the number of pages and documents, the titles of the documents, form numbers if there are any, dates on the documents and names of individuals who signed them. Any reasonable description of the document is acceptable.

(2) Description of the items to be amended. The description of the passages, pages or documents to be amended should be as clear and specific as possible.

(i) Page, line and paragraph numbers should be cited where they exist.

(ii) A direct quotation of all or a portion of the passage may be made if it isn’t otherwise easily identifiable. If the passage is long, a quotation of its beginning and end will suffice.

(iii) In appropriate cases, a simple substantive request may be appropriate, e.g., ‘delete all references to my alleged arrest in July 1970.’

(iv) If the requester has received a copy of the record, he may submit an annotated copy of documents he wishes amended.

(3) Type of amendment. The requester must clearly state the type of amendment he is requesting.

(i) Deletion or expungement, i.e., a complete removal from the record of data, sentences, passages, paragraphs or documents.

(ii) Correction of the information in the record to make it more accurate, e.g., rectify mistaken identities, dates, data pertaining to the individual, etc.

(iii) Additions to make the record more relevant, accurate or timely may be requested.

(iv) Other changes may be requested; they must be specifically and clearly described.

(4) Reason for amendment. Requests for amendment must be based on specific reasons, included in writing. Categories of reasons are as follows:

(i) Accuracy. Amendment may be requested where matters of fact are believed incorrectly recorded, e.g., dates, names, addresses, identification numbers, or any other information concerning the individual. The request, whenever possible, should contain the accurate information, copies of verifying documents, or indication of how the information can be verified.

(ii) Relevance. Amendment may be requested when information in a record is believed not to be relevant or necessary to the purposes of the record system.

(iii) Timeliness. Amendment may be requested when information is thought to be so old as to no longer be pertinent to the stated purposes of the records system. It may also be requested when there is recent information of a pertinent type that is not included in the record.

(iv) Completeness. Amendment may be requested where information in a record is incomplete with respect to its purpose. The data thought to have been omitted should be included or identified with the request.

(v) Fairness. Amendment may be requested when a record is thought to be unfair concerning the subject, in terms of the stated purposes of the record. In such cases, a source of additional information to increase the fairness of the record should be identified where possible.

(vi) Other reasons. Reasons for requesting amendment are not limited to those cited above. The content of the records is authorized in terms of their stated purposes which should be the basis for evaluating them. However, any matter believed appropriate may be submitted as a basis of an amendment request.

(vii) Court orders and statutes may require amendment of a file. While they do not require a Privacy Act request for execution, such may be brought to the attention of DSS by these procedures.

(c) Assistance. Individuals seeking to request amendment of records pertaining to themselves that are maintained by DSS will be assisted as necessary by DSS officials. Where a request is incomplete, it will not be denied, but the requester will be contacted for the additional information necessary to his request.

(d) This section does not permit the alteration of evidence presented to courts, boards and other official proceedings.

(a) General. Upon receipt from any individual of a request to amend a record pertaining to himself and maintained by the Defense Security Service, Office of FOI and Privacy will handle the request as follows:

(1) A written acknowledgment of the receipt of a request for amendment of a record will be provided to the individual within 10 working days, unless final action regarding approval or denial can be accomplished within that time. In that case, the notification of approval or denial will constitute adequate acknowledgment.

(2) Where there is a determination to grant all or a portion of a request to amend a record, the record shall be promptly amended and the requesting individual notified. Individuals, agencies or components shown by accounting records to have received copies of the record, or to whom disclosure has been made, will be notified, if necessary, of the amendment by the responsible official. Where a DoD recipient of an investigative record cannot be located, the notification, if necessary, will be sent to the personnel security element of the parent Component.

(3) Where there is a determination to deny all or a portion of a request to amend a record, the office will promptly:

(i) Advise the requesting individual of the specifics of the refusal and the reasons;

(ii) Inform the individual that he may request a review of the denial(s) from ‘Director, Defense Security Service, 1340 Braddock Place, Alexandria, VA 22314-1651.’ The request should be brief, in writing, and enclose a copy of the denial correspondence.

(b) DSS determination to approve or deny. Determination to approve or deny and request to amend a record or portion thereof may necessitate additional investigation or inquiry be made to verify assertions of individuals requesting amendment. Coordination will be made with the Director for Investigations and the Director of the Personnel Investigations Center in such instances.

(a) General. Upon receipt from any individual of an appeal to review a DSS refusal to amend a record, the Defense Security Service, Office of FOI and Privacy will assure that such appeal is handled in compliance with the Privacy Act of 1974 and DoD Directive 5400.11 and accomplish the following:

(1) Review the record, request for amendment, DSS action on the request and the denial, and direct such additional inquiry or investigation as is deemed necessary to make a fair and equitable determination.

(2) Recommend to the Director whether to approve or deny the appeal.

(3) If the determination is made to amend a record, advise the individual and previous recipients (or an appropriate office) where an accounting of disclosures has been made.

(4) Where the decision has been made to deny the individual's appeal to amend a record, notify the individual:

(i) Of the denial and the reason;

(ii) Of his right to file a concise statement of reasons for disagreeing with the decision not to amend the record;

(iii) That such statement may be sent to the Defense Security Service, Office of FOI and Privacy, (GCF), 1340 Braddock Place, Alexandria, VA 22314-1651, and that it will be disclosed to users of the disputed record;

(iv) That prior recipients of the disputed record will be provided a copy of the statement of disagreement, or if they cannot be reached (e.g., through deactivation) the personnel security element of their DoD component;

(v) And, that he may file a suit in a Federal District Court to contest DSS's decision not to amend the disputed record.

(b) Time limit for review of appeal. If the review of an appeal of a refusal to amend a record cannot be accomplished within 30 days, the Office of FOI and Privacy will notify the individual and advise him of the reasons, and inform him of when he may expect the review to be completed.

(a) General. No record contained in a system of records maintained by DSS shall be disclosed by any means to any person or agency outside the Department of Defense, except with the written consent or request of the individual subject of the record, except as provided in this section. Disclosures that may be made without the request or consent of the subject of the record are as follows:

(1) To those officials and employees of the Department of Defense who have a need for the record in the performance of their duties, when the use is compatible with the stated purposes for which the record is maintained.

(2) Required to be disclosed by the Freedom of Information Act.

(3) For a routine use as described in DoD Directive 5400.11.

(4) To the Census Bureau, National Archives, the U.S. Congress, the Comptroller General or General Accounting Office under the conditions specified in DoD Directive 5400.11.

(5) At the written request of the head of an agency outside DoD for a law enforcement activity as authorized by DoD Directive 5400.11.

(6) For statistical purposes, in response to a court order, or for compelling circumstances affecting the health or safety of an individual as described in DoD Directive 5400.11.

(7) Legal guardians recognized by the Act.

(b) Accounting of disclosures. Except for disclosures made to members of the DoD in connection with their routine duties, and disclosures required by the Freedom of Information Act, an accounting will be kept of all disclosures of records maintained in DSS systems.

(1) Accounting entries will normally be kept on a DSS form, which will be maintained in the record file jacket, or in a document that is part of the record.

(2) Accounting entries will record the date, nature and purpose of each disclosure, and the name and address of the person or agency to whom the disclosure is made.

(3) An accounting of disclosures made to agencies outside the DoD of records in the Defense Clearance and Investigations Index (V5-02) will be kept as prescribed by the Director of Systems, DSS.

(4) Accounting records will be maintained for at least 5 years after the last disclosure, or for the life of the record, whichever is longer.

(5) Subjects of DSS records will be given access to associated accounting records upon request, except as exempted under § 321.13.

(a) An individual may bring a civil action against the DSS to correct or amend the record, or where there is a refusal to comply with an individual request or failure to maintain any record with accuracy, relevance, timeliness and completeness, so as to guarantee fairness, or failure to comply with any other provision of 5 U.S.C. 552a. The court may order correction or amendment. It may assess against the United States reasonable attorney fees and other costs, or may enjoin the DSS from withholding the records and order the production to the complainant.

(b) Where it is determined that the action was willful or intentional with respect to 5 U.S.C. 552a(g)(1) (C) or (D), the United States shall be liable for the actual damages sustained, but in no case less than the sum of $1,000 and the costs of the action with attorney fees.

(c) Criminal penalties may be imposed against an officer or employee of the DSS who fully discloses material, which he knows is prohibited from disclosure, or who willfully maintains a system of records without the notice requirements; or against any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses. These offenses shall be misdemeanors with a fine not to exceed $5,000.

(a) General. The Director of the Defense Security Service establishes the following exemptions of records systems (or portions thereof) from the provisions of these rules, and other indicated portions of Pub. L. 93-579, in this section. They may be exercised only by the Director, Defense Security Service and the Chief of the Office of FOI and Privacy. Exemptions will be exercised only when necessary for a specific, significant and legitimate reason connected with the purpose of a records system, and not simply because they are authorized by statute. Personal records releasable under the provisions of 5 U.S.C. 552 will not be withheld from subject individuals based on these exemptions.

(b) All systems of records maintained by DSS shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and which is required by the Executive Order to be withheld in the interest of national defense of foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain items of information that have been properly classified.

(c) System identifier: V1-01.

(1) System name: Privacy and Freedom of Information Request Records.

(2) Exemptions: (i) Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source.

(ii) Records maintained in connection with providing protective services to the President and other individuals under 18 U.S.C. 3506, may be exempt pursuant to 5 U.S.C. 552a(k)(3).

(iii) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source.

(iv) Any portion of this system that falls under the provisions of 5 U.S.C. 552a(k)(2), (k)(3), (k)(5) may be exempt from the following subsections of 5 U.S.C. 552a(c)(3); (d); (e)(1); (e)(4)(G), (H) and (I); and (f).

(3) Authority: 5 U.S.C. 552a(k)(2), (k)(3), (k)(5).

(4) Reasons: (i) From subsection (c)(3) because it will enable DSS to conduct certain investigations and relay law enforcement information without compromise of the information, protection of investigative techniques and efforts employed, and identities of confidential sources who might not otherwise come forward and who furnished information under an express promise that the sources’ identity would be held in confidence (or prior to the effective date of the Act, under an implied promise);

(ii) From subsections (e)(1), (e)(4)(G), (H), and (I) because it will provide protection against notification of investigatory material including certain reciprocal investigations and counterintelligence information, which might alert a subject to the fact that an investigation of that individual is taking place, and the disclosure of which would weaken the on-going investigation, reveal investigatory techniques, and place confidential informants in jeopardy who furnished information under an express promise that the sources’ identity would be held in confidence (or prior to the effective date of the Act, under an implied promise);

(iii) From subsections (d) and (f) because requiring DSS to grant access to records and agency rules for access and amendment of records would unfairly impede the agency's investigation of allegations of unlawful activities. To require DSS to confirm or deny the existence of a record pertaining to a requesting individual may in itself provide an answer to that individual relating to an on-going investigation. The investigation of possible unlawful activities would be jeopardized by agency rules requiring verification of record, disclosure of the record to the subject, and record amendment procedures.

(d) System identifier: V5-01.

(1) System name: Investigative Files System

(2) Exemption: (i) Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source.

(ii) Records maintained in connection with providing protective services to the President and other individuals under 18 U.S.C. 3506, may be exempt pursuant to 5 U.S.C. 552a(k)(3).

(iii) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source.

(iv) Any portion of this system that falls under the provisions of 5 U.S.C. 552a(k)(2), (k)(3), or (k)(5) may be exempt from the following subsections of 5 U.S.C. 552a(c)(3); (d); (e)(1); (e)(4)(G), (H), and (I); and (f).

(3) Authority: 5 U.S.C. 552a(k)(2), (k)(3), or (k)(5).

(4) Reasons: (i) From subsection (c)(3) because it will enable DSS to conduct certain investigations and relay law enforcement information without compromise of the information, protection of investigative techniques and efforts employed, and identities of confidential sources who might not otherwise come forward and who furnished information under an express promise that the sources’ identity would be held in confidence (or prior to the effective date of the Act, under an implied promise).

(ii) From subsections (e)(1), (e)(4)(G), (H), and (I) because it will provide protection against notification of investigatory material including certain reciprocal investigations and counterintelligence information, which might alert a subject to the fact that an investigation of that individual is taking place, and the disclosure of which would weaken the on-going investigation, reveal investigatory techniques, and place confidential informants in jeopardy who furnished information under an express promise that the sources’ identity would be held in confidence (or prior to the effective date of the Act, under an implied promise).

(iii) From subsections (d) and (f) because requiring DSS to grant access to records and agency rules for access and amendment of records would unfairly impede the agency's investigation of allegations of unlawful activities. To require DSS to confirm or deny the existence of a record pertaining to a requesting individual may in itself provide an answer to that individual relating to an on-going investigation. The investigation of possible unlawful activities would be jeopardized by agency rules requiring verification of record, disclosure of the record to the subject, and record amendment procedures.

(e) System identifier: V5-02.

(1) System name: Defense Clearance and Investigations Index (DCII).

(2) Exemption: Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source. Any portion of this system that falls under the provisions of 5 U.S.C. 552a(k)(2) may be exempt from the following subsections of 5 U.S.C. 552a(c)(3); (d); (e)(1); (e)(4)(G), (H), and (I), and (f).

(3) Authority: 5 U.S.C. 552a(k)(2).

(4) Reasons: (i) From subsection (c)(3) because it will enable DSS to conduct certain investigations and relay law enforcement information without compromise of the information, protection of investigative techniques and efforts employed, and identities of confidential sources who might not otherwise come forward and who furnished information under an express promise that the sources’ identity would be held in confidence (or prior to the effective date of the Act, under an implied promise).

(ii) From subsections (e)(1), (e)(4)(G), (H), and (I) because it will provide protection against notification of investigatory material including certain reciprocal investigations and counterintelligence information, which might alert a subject to the fact that an investigation of that individual is taking place, and the disclosure of which would weaken the on-going investigation, reveal investigatory techniques, and place confidential informants in jeopardy who furnished information under an express promise that the sources’ identity would be held in confidence (or prior to the effective date of the Act, under an implied promise).

(iii) From subsections (d) and (f) because requiring DSS to grant access to records and agency rules for access and amendment of records would unfairly impede the agency's investigation of allegations of unlawful activities. To require DSS to confirm or deny the existence of a record pertaining to a requesting individual may in itself provide an answer to that individual relating to an on-going investigation. The investigation of possible unlawful activities would be jeopardized by agency rules requiring verification of record, disclosure of the record to the subject, and record amendment procedures.

(f) System identifier: V5-03.

(1) System name: Case Control Management System (CCMS).

(2) Exemption: (i) Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source.

(ii) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source. Any portion of this system that falls under the provisions of 5 U.S.C. 552a(k)(2) or (k)(5) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3); (d); (e)(1); (e)(4)(G), (H), and (I); and (f).

(3) Authority. 5 U.S.C. 552a(k)(2) and (k)(5).

(4) Reasons. (i) From subsection (c)(3) because it will enable DSS to conduct certain investigations and relay law enforcement information without compromise of the information, protection of investigative techniques and efforts employed, and identities of confidential sources who might not otherwise come forward and who furnished information under an express promise that the sources’ identity would be held in confidence (or prior to the effective date of the Act, under an implied promise).

(ii) From subsections (e)(1), (e)(4)(G), (H), and (I) because it will provide protection against notification of investigatory material including certain reciprocal investigations and counterintelligence information, which might alert a subject to the fact that an investigation of that individual is taking place, and the disclosure of which would weaken the on-going investigation, reveal investigatory techniques, and place confidential informants in jeopardy who furnished information under an express promise that the sources’ identity would be held in confidence (or prior to the effective date of the Act, under an implied promise).

(iii) From subsections (d) and (f) because requiring DSS to grant access to records and agency rules for access and amendment of records would unfairly impede the agency's investigation of allegations of unlawful activities. To require DSS to confirm or deny the existence of a record pertaining to a requesting individual may in itself provide an answer to that individual relating to an on-going investigation. The investigation of possible unlawful activities would be jeopardized by agency rules requiring verification of record, disclosure of the record to the subject, and record amendment procedures.

(g) System identifier: V5-04.

(1) System name: Counterintelligence Issues Database (CII-DB).

(2) Exemption: (i) Information specifically authorized to be classified under E.O. 12958, as implemented by DoD 5200.1-R, may be exempt pursuant to 5 U.S.C. 552a(k)(1).

(ii) Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source.

(iii) Records maintained in connection with providing protective services to the President and other individuals under 18 U.S.C. 3506, may be exempt pursuant to 5 U.S.C. 552a(k)(3).

(iv) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source.

(v) Any portion of this system that falls within the provisions of 5 U.S.C. 552a(k)(1), (k)(2), (k)(3) and (k)(5) may be exempt from the following subsections (c)(3); (d)(1) through (d)(5); (e)(1); (e)(4)(G), (H), and (I); and (f).

(3) Authority. 5 U.S.C. 552a(k)(1), (k)(2), (k)(3) and (k)(5).

(4) Reasons. (i) From subsection (c)(3) because giving the individual access to the disclosure accounting could alert the subject of an investigation to the existence and nature of the investigation and reveal investigative or prosecutive interest by other agencies, particularly in a joint-investigation situation. This would seriously impede or compromise the investigation and case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate with the investigators; lead to suppression, alteration, fabrication, or destruction of evidence; and endanger the physical safety of confidential sources, witnesses, law enforcement personnel and their families.

(ii) From subsection (d) because the application of these provisions could impede or compromise an investigation or prosecution if the subject of an investigation had access to the records or were able to use such rules to learn of the existence of an investigation before it would be completed. In addition, the mere notice of the fact of an investigation could inform the subject and others that their activities are under or may become the subject of an investigation and could enable the subjects to avoid detection or apprehension, to influence witnesses improperly, to destroy evidence, or to fabricate testimony.

(iii) From subsection (e)(1) because during an investigation it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear. In other cases, what may appear to be a relevant and necessary piece of information may become irrelevant in light of further investigation. In addition, during the course of an investigation, the investigator may obtain information that related primarily to matters under the investigative jurisdiction of another agency, and that information may not be reasonably segregated. In the interest of effective law enforcement, DSS investigators should retain this information, since it can aid in establishing patterns of criminal activity and can provide valuable leads for Federal and other law enforcement agencies.

(iv) From subsections (e)(4)(G), (e)(4)(H), (e)(4)(I) and (f) because this system is exempt from subsection (d) of the Act, concerning access to records. These requirements are inapplicable to the extent that these records will be exempt from these subsections. However, DSS has published information concerning its notification and access procedures, and the records source categories because under certain circumstances, DSS could decide it is appropriate for an individual to have access to all or a portion of his/her records in this system of records.

(a) General. The implementation of the Privacy Act of 1974 within DSS is as prescribed by DoD Directive 5400.11. This section provides special rules and information that extend or amplify DoD policies with respect to matters of particular concern to the Defense Security Service.

(b) Privacy Act rules application. Any request which cites neither Act, concerning personal record information in a system or records, by the individual to whom such information pertains, for access, amendment, correction, accounting of disclosures, etc., will be governed by the Privacy Act of 1974, DoD Directive 5400.11 and these rules exclusively. Requests for like information which cite only the Freedom of Information Act will be governed by the Freedom of Information Act, DoD Regulation 5400.7R 2 . Any denial or exemption of all or part of a record from notification, access, disclosure, amendment or other provision, will also be processed under these rules, unless court order or other competent authority directs otherwise.

(c) First amendment rights. No DSS official or element may maintain any information pertaining to the exercise by an individual of his rights under the First Amendment without the permission of that individual unless such collection is specifically authorized by statute or necessary to and within the scope of an authorized law enforcement activity.

(d) Standards of accuracy and validation of records. (1) All individuals or elements within DSS which create or maintain records pertaining to individuals will insure that they are reasonably accurate, relevant, timely and complete to serve the purpose for which they are maintained and to assure fairness to the individual to whom they pertain. Information that is not pertinent to a stated purpose of a system of records will not be maintained within those records. Officials compiling investigatory records will make every reasonable effort to assure that only reports that are impartial, clear, accurate, complete, fair and relevant with respect to the authorized purpose of such records are included, and that reports not meeting these standards or serving such purposes are not included in such records.

(2) Prior to dissemination to an individual or agency outside DoD of any record about an individual (except for a Freedom of Information Act action or access by a subject individual under these rules) the disclosing DSS official will by review, make a reasonable effort to assure that such record is accurate, complete, timely, fair and relevant to the purpose for which they are maintained.

(e) The Defense Clearance and Investigations Index (DCII). It is the policy of DSS, as custodian, that each DoD component or element that has direct access to or contributes records to the DCII (V5-02), is individually responsible for compliance with the Privacy Act of 1974 and DoD Directive 5400.11 with respect to requests for notification, requests for access by subject individuals, granting of such access, request for amendment and corrections by subjects, making amendments or corrections, other disclosures, accounting for disclosures and the exercise of exemptions, insofar as they pertain to any record placed in the DCII by that component or element. Any component or element of the DoD that makes a disclosure of any record whatsoever to an individual or agency outside the DoD, from the DCII, is individually responsible to maintain an accounting of that disclosure as prescribed by the Privacy Act of 1974 and DoD Directive 5400.11 and to notify the element placing the record in the DCII of the disclosure. Use of and compliance with the procedures of the DCII Disclosure Accounting System will meet these requirements. Any component or element of DoD with access to the DCII that, in response to a request concerning an individual, discovers a record pertaining to that individual placed in the DCII by another component or element, may refer the requester to the DoD component that placed the record into the DCII without making an accounting of such referral, although it involves the divulging of the existence of that record. Generally, consultation with, and referral to, the component or element placing a record in the DCII should be effected by any component receiving a request pertaining to that record to insure appropriate exercise of amendment or exemption procedures.

(f) Investigative operations. (1) DSS agents must be thoroughly familiar with and understand these rules and the authorities, purposes and routine uses of DSS investigative records, and be prepared to explain them and the effect of refusing information to all sources of investigative information, including subjects, during interview, in response to questions that go beyond the required printed and oral notices. Agents shall be guided by DSS Handbook for Personnel Security Investigations in this respect.

(2) All sources may be advised that the subject of an investigative record may be given access to it, but that the identities of sources may be withheld under certain conditions. Such advisement will be made as prescribed in DSS Handbook for Personnel Security Investigations, and the interviewing agent may not urge a source to request a grant of confidentiality. Such pledges of confidence will be given sparingly and then only when required to obtain information relevant and necessary to the stated purpose of the investigative information being collected.

(g) Non-system information on individuals. The following information is not considered part of personal records systems reportable under the Privacy Act of 1974 and may be maintained by DSS members for ready identification, contact, and property control purposes only. If at any time the information described in this paragraph is to be used for other than these purposes, that information must become part of a reported, authorized record system. No other information concerning individuals except that described in the records systems notice and this paragraph may be maintained within DSS.

(1) Identification information at doorways, building directories, desks, lockers, name tags, etc.

(2) Identification in telephone directories, locator cards and rosters.

(3) Geographical or agency contact cards.

(4) Property receipts and control logs for building passes, credentials, vehicles, weapons, etc.

(5) Temporary personal working notes kept solely by and at the initiative of individual members of DSS to facilitate their duties.

(h) Notification of prior recipients. Whenever a decision is made to amend a record, or a statement contesting a DSS decision not to amend a record is received from the subject individual, prior recipients of the record identified in disclosure accountings will be notified to the extent possible. In some cases, prior recipients cannot be located due to reorganization or deactivations. In these cases, the personnel security element of the receiving Defense Component will be sent the notification or statement for appropriate action.

(i) Ownership of DSS Investigative Records. Personnel security investigative reports shall not be retained by DoD recipient organizations. Such reports are considered to be the property of the investigating organization and are on loan to the recipient organization for the purpose for which requested. All copies of such reports shall be destroyed within 120 days after the completion of the final personnel security determination and the completion of all personnel action necessary to implement the determination. Reports that are required for longer periods may be retained only with the specific written approval of the investigative organization.

(j) Consultation and referral. DSS system of records may contain records originated by other components or agencies which may have claimed exemptions for them under the Privacy Act of 1974. When any action that may be exempted is initiated concerning such a record, consultation with the originating agency or component will be effected. Where appropriate such records will be referred to the originating component or agency for approval or disapproval of the action.

(a) The purpose of this rule is to comply with and implement title 5 U.S.C. 552a, sections (f) and (k), hereinafter identified as the Privacy Act. It establishes the procedures by which an individual may be notified whether a system of records contains information pertaining to the individual; defines times, places and requirements for identification of the individual requesting records, for disclosure of requested records where appropriate; special handling for medical and psychological records; for amendment of records; appeal of denials of requests for amendment; and provides a schedule of fees to be charged for making copies of requested records. In addition, this rule contains the exemptions promulgated by the Director, NSA, pursuant to 5 U.S.C. 552a(k), to exempt Agency systems of records from subsections (c)(3); (d); (e)(1); (e)(4)(G), (H), (I); and (f) of section 552a.

(b) The procedures established and exemptions claimed apply to systems of records for which notice has been published in the Federal Register pursuant to the Privacy Act. Requests from individuals for records pertaining to themselves will be processed in accordance with these procedures and consistent with the exemptions claimed. Requests for records which do not specify the statute pursuant to which they are made but which may be reasonably construed to be requests by an individual for records pertaining to that individual will also be processed in accordance with these procedures and consistent with exemptions claimed. To the extent appropriate, these procedures apply to records maintained by this Agency pursuant to system of records notices published by the Civil Service Commission. The primary category of records affected by a Commission notice is that maintained in conjunction with the CSC system identified as “CSC-Retirement Life Insurance and Health Benefits Records System.” Authority pursuant to 44 U.S.C. 3101 to maintain each system of records for which notice has been published is implied in each “authority for maintenance of a system” of each systems notice.

(a) Access to the NSA headquarters: means current and continuing daily access to those facilities making up the NSA headquarters.

(b) Individual: means a natural person who is a citizen of the United States or an alien lawfully admitted for permanent residence.

(c) Request: means a request in writing for records pertaining to the requester contained in a system of rec- -ords and made pursuant to the Privacy Act or if no statute is identified considered by the Agency to be made pursuant to that Act.

(d) System of Records: means a grouping of records maintained by the Agency for which notice has been published in the Federal Register pursuant to section 552a(e)(4) of Title 5 U.S.C.

(a)(1) Notification. Any individual may be notified in response to a request if any system of records contains a record pertaining to the requester by sending a request addressed to: Information Officer, National Security Agency, Fort George G. Meade, Maryland 20755. Such request shall be in writing, shall be identified on the envelope and the request as a “Privacy Act Request,” shall designate the system or systems of records using the names of the systems as published in the system notices, shall contain the full name, present address, date of birth, social security number and dates of affiliation or contact with NSA/CSS of the requester and shall be signed in full by the requester.

(2) A request pertaining to records concerning the requester which does not specify the Act pursuant to which the request is made shall be processed as a Privacy Act request. A request which does not designate the system or systems of records to be searched shall be processed by checking the following systems of records: Applicants; Personnel; Health, Medical and Safety.

(b)(1) Identification. Any individual currently not authorized access to the National Security Agency headquarters who requests disclosure of records shall provide the following information with the written request for disclosure: full name, present address, date of birth, social security number, and date of first affiliation or contact with NSA/CSS and date of last affiliation or contact with NSA/CSS.

(2) Any individual currently authorized access to the National Security Agency headquarters shall provide the following information with the request for notification: full name, present organizational assignment, date of birth, social security number.

(3) Such request shall be treated as a certification of the requester that the requester is the individual named. Individuals should be aware that the Privacy Act provides criminal penalties for any person who knowingly and willfully requests or obtains any rec- -ords concerning an individual under false pretenses.

(a) Individual not currently affiliated with NSA:

(1) Request procedure. Any individual currently not authorized access to the National Security Agency headquarters shall make the request for notification in writing and shall include the required identifying data. Upon verification of the existence in systems of records pertaining to the requester, a copy of the records located shall be mailed to the requester subject to appropriate specific exemptions, applicable Public Laws, special procedures pertaining to medical rec- -ords, including psychological records, and the exclusion for information compiled in reasonable anticipation of a civil action or proceeding. If the request cannot be processed within ten working days from the time of receipt of the request, an acknowledgment of receipt of the request will be sent to the requester.

(2) Appointment of other individual. If a requester wishes another individual to obtain the requested records on his behalf, the requester shall provide a written, signed, notarized statement appointing that individual as his representative, certifying that the individual appointed may have access to the records of the requester and that such access shall not constitute an invasion of the privacy of the requester nor a violation of his rights under the Privacy Act of 1974.

(b) Individual currently affiliated with NSA—(1) Request procedure. Any individual currently authorized access to the National Security Agency headquarters may make the request for notification to the appropriate official delegated responsibility for a system of records pursuant to internal agency regulations pertaining to the Privacy Act of 1974. In the alternative, such individual may direct the request to the NSA Information Officer in writing in the same form and including the data required in § 322.4(a)(1) above. In the case of any denial of notification by officials delegated responsibility for a system the request shall be referred to the NSA Information Officer for review.

(2) Appointment of other individual. If the requester makes a request pursuant to this paragraph and wishes to designate another individual to accompany him, the same procedures as provided in paragraph (a)(2) of this section apply. If the individual appointed is currently authorized access to the National Security Agency headquarters, he may accompany the requester. If the individual appointed is not currently authorized access, a copy of the records located may be mailed to the appointed individual subject to appropriate specific exemptions, applicable Public Laws, special procedures pertaining to medical records including psychological records, and the exclusion for information compiled in reasonable anticipation of a civil action or proceeding.

If the request includes records of a medical or psychological nature, and if an Agency doctor makes the determination that the records requested contain information which would have an adverse effect upon the requester, the requester will be advised to appoint a medical doctor in the appropriate discipline to receive the information. The appointment of the doctor shall be in the same form as that indicated in § 322.4(a)(2) and shall include a certification that the doctor appointed is authorized to practice the appropriate specialty by virtue of a license to practice same in the state which granted the license.

Parents or legal guardians acting on behalf of minors who request rec-ords concerning NSA/CSS applicants or employees who are minors shall be subject to the same requirements contained in § 322.4(a)(1) appointment of other individuals, including the requirement for written authorization. Requests by parents or legal guardians acting on behalf of minors will be processed in the same manner and in accordance with the procedures established herein for individuals not currently authorized access to the NSA headquarters.

(a) Request procedure. Any request for amendment of a record or records contained in a system of records shall be in writing addressed to the Information Officer, National Security Agency, Fort George G. Meade, Md. 20755, Attention: Privacy Act Amendment, and shall contain sufficient details concerning the requested amendment, justification for the amendment, and a copy of the record(s) to be amended or sufficient identifying data concerning the affected record(s) to permit its timely retrieval. Such requests may not be used to accomplish actions for which other procedures have been established such as grievances, performance appraisal protests, etc. In such cases the requester will be advised of the appropriate procedures for such actions.

(b) Initial determination: The NSA Information Officer may make an initial determination concerning the requested amendment within ten working days or shall acknowledge receipt of the amendment request within that period if a determination cannot be completed. The determination shall advise the requester of action taken to make the requested amendment or inform the requester of the rejection of the request, the reason(s) for the rejection and the procedures established by the Agency for review of rejected amendment requests.

(c) Request on appeal: A requester may appeal the rejection by the NSA Information Officer of a request for amendment to the Executive for Staff Services. Such appeal shall be in writing, addressed to the Executive for Staff Services, National Security Agency, Fort George G. Meade, Md. 20755, Attention: Privacy Act Amendment Appeal.

The Executive for Staff Services shall acknowledge receipt of the appeal within ten working days. A determination concerning the appeal shall be provided to the requester within 30 working days, unless the Director, National Security Agency, extends the period for good cause. The Executive for Staff Services shall advise the requester of the action taken to make the requested amendment or inform the requester of the rejection of the appeal, the right to submit for incorporation in the file containing the disputed record(s) a concise statement of disagreement, and notify the requester of the right of judicial review of the denial pursuant to subsection (g)(1)(A) of 5 U.S.C. 552a.

A fee may be charged for the reproduction of copies of any requested rec- -ords, provided one copy is made available without charge where access is limited to mail service only. Fees shall be charged in accordance with The Uniform Schedule of Fees established by the Department of Defense pursuant to Pub. L. 93-502.

(a)(1) The following National Security Agency systems of records, published in the Federal Register, are specifically exempted from the provisions of 5 U.S.C. 552a, subsections (c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I) and (f) pursuant to subsection (k) of section 552a to the extent that each system contains individual rec-ords or files within the category or categories provided by subsection (k). Notice is hereby given that individual records and files within each NSA system of records may be subject to specific provisions of Pub. L. 86-36, Pub. L. 88-290 and Title 18 U.S.C. 798 and other laws limiting access to certain types of information or application of laws to certain categories of information.

(2) In addition, those records maintained pursuant to notice of systems of records published by the CSC are exempted pursuant to Title 5 U.S.C. 552a(k)(1) to the extent that they contain classified information in order to protect such information from unauthorized disclosure. Such records may also be subject to other specific exemptions pursuant to rules promulgated by the CSC.

(b) Systems of records subject to specific exemptions:

This part 323 implements the Privacy Act of 1974 (5 U.S.C. 552a) and DoD Directive and DoD Regulation 5400.11, Department of Defense Privacy Program (32 CFR part 286a). It applies to Headquarters, Defense Logistics Agency (HQ DLA) and all DLA field activities.

It is the policy of DLA to safeguard personal information contained in any system of records maintained by DLA activities and to make that information available to the individual to whom it pertains to the maximum extent practicable. DLA policy specifically requires that DLA activities:

(a) Collect, maintain, use, and disseminate personal information only when it is relevant and necessary to achieve a purpose required by statute or Executive Order.

(b) Collect personal information directly from the individuals to whom it pertains to the greatest extent practical.

(c) Inform individuals who are asked to supply personal information for inclusion in any system of records:

(1) The authority for the solicitation.

(2) Whether furnishing the information is mandatory or voluntary.

(3) The intended uses of the information.

(4) The routine disclosures of the information that may be made outside DoD.

(5) The effect on the individual of not providing all of any part of the requested information.

(d) Ensure that all records used in making determinations about individuals are accurate, relevant, timely, and complete.

(e) Make reasonable efforts to ensure that records containing personal information are accurate, relevant, timely, and complete for the purposes for which they are being maintained before making them available to any recipients outside DoD, other than a Federal agency, unless the disclosure is made under DLAR 5400.14, DLA Freedom of Information Act Program (32 CFR part 1285).

(f) Keep no record that describes how individuals exercise their rights guaranteed by the First Amendment of the U.S. Constitution, unless expressly authorized by statute or by the individual to whom the records pertain or is pertinent to and within the scope of an authorized law enforcement activity.

(g) Make reasonable efforts, when appropriate, to notify individuals whenever records pertaining to them are made available under compulsory legal process, if such process is a matter of public record.

(h) Establish safeguards to ensure the security of personal information and to protect this information from threats or hazards that might result in substantial harm, embarrassment, inconvenience, or unfairness to the individual.

(i) Establish rules of conduct for DoD personnel involved in the design, development, operation, or maintenance of any system of records and train them in these rules of conduct.

(j) Assist individuals in determining what records pertaining to them are being collected, maintained, used, or disseminated.

(k) Permit individual access to the information pertaining to them maintained in any system of records, and to correct or amend that information, unless an exemption for the system has been properly established for an important public purpose.

(l) Provide, on request, an accounting of all disclosures of the information pertaining to them except when disclosures are made:

(1) To DoD personnel in the course of their official duties.

(2) Under 32 CFR part 1285 (DLAR 5400.14).

(m) Advise individuals on their rights to appeal any refusal to grant access to or amend any record pertaining to them, and to file a statement of disagreement with the record in the event amendment is refused.

(a) Access. The review of a record or a copy of a record or parts thereof in a system of records by any individual.

(b) Agency. For the purpose of disclosing records subject to the Privacy Act among DoD Components, the Department of Defense is considered a single agency. For all other purposes including applications for access and amendment, denial of access or amendment, appeals from denials, and recordkeeping as regards release to non-DoD agencies, DLA is considered an agency within the meaning of the Privacy Act.

(c) Confidential source. A person or organization who has furnished information to the Federal Government under an express promise that the person's or the organization's identity will be held in confidence or under an implied promise of such confidentiality if this implied promise was made before September 27, 1975.

(d) Disclosure. The transfer of any personal information from a system of records by any means of communication to any person, private entity, or Government agency, other than the subject of the record, the subject's designated agent or the subject's legal guardian.

(e) Individual. A living citizen of the United States or an alien lawfully admitted to the United States for permanent residence. The legal guardian of an individual has the same rights as the individual and may act on his or her behalf.

(f) Individual access. Access to information pertaining to the individual by the individual or his or her designated agent or legal guardian.

(g) Maintain. Includes maintain, collect, use, or disseminate.

(h) Member of the public. Any individual or party acting in a private capacity to include Federal employees or military personnel.

(i) Official use. Within the context of this part, this term is used when officials and employees of a DLA activity have a demonstrated need for the use of any record or the information contained therein in the performance of their official duties.

(j) Personal information. Information about an individual that is intimate or private to the individual, as distinguished from information related solely to the individual's official functions or public life.

(k) Privacy Act. The Privacy Act of 1974, as amended, 5 U.S.C. 552a.

(l) Privacy Act request. A request from an individual for notification as to the existence of, access to, or amendment of records pertaining to that individual. These records must be maintained in a system of records. The request must indicate that it is being made under the Privacy Act to be considered a Privacy Act request.

(m) Record. Any item, collection, or grouping of information about an individual that is maintained by DLA, including, but not limited to, the individual's education, financial transactions, medical history, and criminal or employment history, and that contains the individual's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

(n) Risk assessment. An analysis considering information sensitivity, vulnerabilities, and the cost to a computer facility or word processing activity in safeguarding personal information processed or stored in the facility or activity.

(o) Routine use. The disclosure of a record outside DoD for a use that is compatible with the purpose for which the information was collected and maintained by DoD. The routine use must be included in the published system notice for the system of records involved.

(p) Statistical record. A record maintained only for statistical research or reporting purposes and not used in whole or in part in making determinations about specific individuals.

(q) System of Records. A group of records under the control of a DLA activity from which information is retrieved by the individual's name or by some identifying number, symbol, or other identifying particular assigned to the individual. System notices for all Privacy Act systems of records must be published in the Federal Register.

(a) Headquarters Defense Logistics Agency.

(1) The Staff Director, Corporate Communications, DLA Support Services (DSS-C) will:

(i) Formulate policies, procedures, and standards necessary for uniform compliance with the Privacy Act by DLA activities.

(ii) Serve as the DLA Privacy Act Officer and DLA representative on the Defense Privacy Board.

(iii) Maintain a master registry of system notices published by DLA.

(iv) Develop or compile the rules, notices, and reports required under this part.

(v) Establish training programs for all individuals with public affairs duties, and all other personnel whose duties require access to or contact with systems of records affected by the Privacy Act. Initial training will be given to new employees and military members upon assignment. Refresher training will be provided annually or more frequently if conditions warrant.

(2) The General Counsel, DLA (DLA-GC) will:

(i) Serve as the appellate authority for denials of individual access and amendment of records.

(ii) Provide representation to the Defense Privacy Board Legal Committee.

(iii) Advise the Defense Privacy Office on the status of DLA privacy litigation.

(3) The DLA Chief Information Office (J-6) will formulate and implement protective standards for personal information maintained in automated data processing systems and facilities.

(b) The Heads of DLA Primary Level Field Activities (PLFAs) will:

(1) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.

(2) Designate a Privacy Act Officer to serve as the principal point of contact on privacy matters.

(3) Ensure the internal operating procedures provide for effective compliance with the Privacy Act.

(4) Establish training programs for all individuals with public affairs duties, and all other personnel whose duties require access to or contact with systems of records affected by the Privacy Act. Initial training will be given to new employees and military members upon assignment. Refresher training will be provided annually or more frequently if conditions warrant.

(a) Individual access. (1) The access provisions of this part are intended for use by individuals whose records are maintained in systems of records. Release of personal information to individuals under this part is not considered public release of information.

(2) Individuals will address requests for access to personal information about themselves in a system of records to the system manager or to the office designated in the system notice. Before being granted access to personal data, an individual may be required to provide reasonable verification of his or her identity. Identity verification procedures will be simple so as not to discourage individuals from seeking access to information about themselves; or be required of an individual seeking access to records which normally would be available under 32 CFR part 1285 (DLAR 5400.14).

(i) Normally, when individuals seek personal access to records pertaining to themselves, identification will be made from documents that normally are readily available, such as employee and military identification cards, driver's license, other licenses, permits, or passes used for routine identification purposes.

(ii) When access is requested by mail, identity verification may consist of the individual providing certain minimum identifying data, such as full name, date and place of birth, or such other personal information necessary to locate the record sought. If the information sought is sensitive, additional identifying data may be required. If notarization of requests is required, procedures will be established for an alternate method of verification for individuals who do not have access to notary services, such as military members overseas.

(3) If an individual wishes to be accompanied by a third party when seeking access to his or her records or to have the records released directly to a third party, the individual may be required to furnish a signed access authorization granting the third party access. An individual will not be refused access to his or her record solely for failure to divulge his or her social security number (SSN) unless it is the only method by which retrieval can be made. The individual is not required to explain or justify his or her need for access to any record under this part.

(4) Disclose medical records to the individual to whom they pertain, even if a minor, unless a judgment is made that access to such records could have an adverse effect on the mental or physical health of the individual. Normally, this determination will be made in consultation with a medical doctor. If it is determined that the release of the medical information may be harmful to the mental or physical health of the individual, send the record to a physician named by the individual and in the transmittal letter to the physician, explain why access by the individual without proper professional supervision could be harmful (unless it is obvious from the record). Do not require the physician to request the records for the individual. If the individual refuses or fails to designate a physician, the record will not be provided. Such refusal of access is not considered a denial for reporting purposes.

(5) Requests by individuals for access to investigatory records pertaining to themselves and compiled for law enforcement purposes are processed under this part or 32 CFR part 1285 depending on which part gives them the greatest degree of access.

(6) Certain documents under the physical control of DoD personnel and used to assist them in performing official functions, are not considered “agency records” within the meaning of this part. Uncirculated personal notes and records that are not disseminated or circulated to any person or organization (for example, personal telephone lists or memory aids) that are retained or discarded at the author's discretion and over which DLA exercises no direct control, are not considered agency records. However, if personnel are officially directed or encouraged, either in writing or orally, to maintain such records, they may become “agency records,” and may be subject to the Privacy Act of 1974 (5 U.S.C. 552a) and this part.

(7) Acknowledge requests for access within 10 working days after receipt and provide access within 30 working days.

(b) Denial of individual access. (1) Individuals may be formally denied access to a record pertaining to them only if the record was compiled in reasonable anticipation of civil action; is in a system of records that has been exempted from the access provisions of this part under one of the permitted exemptions; contains classified information that has been exempted from the access provision of this part under the blanket exemption for such material claimed for all DoD records systems; or is contained in a system of records for which access may be denied under some other Federal statute. Only deny the individual access to those portions of the records from which the denial of access serves some legitimate Governmental purpose.

(2) An individual may be refused access if the record is not described well enough to enable it to be located with a reasonable amount of effort on the part of an employee familiar with the file; or access is sought by an individual who fails or refuses to comply with the established procedural requirements, including refusing to name a physician to receive medical records when required or to pay fees. Always explain to the individual the specific reason access has been refused and how he or she may obtain access.

(3) Formal denials of access must be in writing and include as a minimum:

(i) The name, title or position, and signature of the appropriate Head of the HQ DLA principal staff element or primary level field activity.

(ii) The date of the denial.

(iii) The specific reason for the denial, including specific citation to the appropriate sections of the Privacy Act of 1974 (5 U.S.C. 552a) or other statutes, this part, or DLAR 5400.21 authorizing the denial.

(iv) Notice to the individual of his or her right to appeal the denial within 60 calendar days of the date of the denial letter and to file any such appeal with the HQ DLA Privacy Act Officer, Defense Logistics Agency (DSS-CA), 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060-6221.

(4) DLA will process all appeals within 30 days of receipt unless a fair an equitable review cannot be made within that period. The written appeal notification granting or denying access is the final DLA action on access.

(5) The records in all systems of records maintained in accordance with the Office of Personnel Management (OPM) Government-wide system notices are technically only in the temporary custody of DLA. All requests for access to these records must be processed in accordance with the Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735) as well as this part. DLA-GC is responsible for the appellate review of denial of access to such records.

(c) Amendment of records. (1) Individuals are encouraged to review the personal information being maintained about them by DLA and to avail themselves of the procedures established by this part to update their records. An individual may request the amendment of any record contained in a system of records pertaining to him or her unless the system of record has been exempted specifically from the amendment procedures of this part. Normally, amendments under this part are limited to correcting factual matters and not matters of official judgment, such as performance ratings promotion potential, and job performance appraisals.

(2) The applicant must adequately support his or her claim and may be required to provide identification to ensure that they are indeed seeking to amend a record pertaining to themselves and not, inadvertently or intentionally, the record of others. Consider the following factors when evaluating the sufficiency of a request to amend:

(i) The accuracy of the information itself.

(ii) The relevancy, timeliness, completeness, and necessity of the recorded information for accomplishing an assigned mission or purpose.

(3) Provide written acknowledgement of a request to amend within 10 working days of its receipt by the appropriate systems manager. There is no need to acknowledge a request if the action is completed within 10 working days and the individual is so informed. The letter of acknowledgement shall clearly identify the request and advise the individual when he or she may expect to be notified of the completed action. Only under the most exceptional circumstances will more than 30 days be required to reach a decision on a request to amend.

(4) If the decision is made to grant all or part of the request for amendment, amend the record accordingly and notify the requester. Notify all previous recipients of the information, as reflected in the disclosure accounting records, that an amendment has been made and the substance of the amendment. Recipients who are known to be no longer retaining the information need not be advised of the amendment. All DoD Components and Federal agencies known to be retaining the record or information, even if not reflected in disclosure records, will be notified of the amendment. Advise the requester of these notifications, and honor all requests by the requester to notify specific Federal agencies of the amendment action.

(5) If the request for amendment is denied in whole or in part, promptly advise the individual in writing of the decision to include:

(i) The specific reason and authority for not amending.

(ii) Notification that he or she may seek further independent review of the decision by filing an appeal with the HQ DLA Privacy Act Officer, Defense Logistics Agency (DSS-CA), 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060-6221, and including all supporting materials.

(6) DLA will process all appeals within 30 days unless a fair review cannot be made within this time limit.

(i) If the appeal is granted, DLA will promptly notify the requester and system manager of the decision. The system manager will amend the record(s) as directed and ensure that all prior known recipients of the records who are known to be retaining the record are notified of the decision and the specific nature of the amendment and that the requester is notified as to which DoD Components and Federal agencies have been told of the amendment.

(ii) If the appeal is denied completely or in part, the individual is notified in writing by the reviewing official that:

(A) The appeal has been denied and the specific reason and authority for the denial.

(B) The individual may file a statement of disagreement with the appropriate authority and the procedures for filing this statement.

(C) If filed properly, the statement of disagreement shall be included in the records, furnished to all future recipients of the records, and provided to all prior recipients of the disputed records who are known to hold the record.

(D) The individual may seek a judicial review of the decision not to amend.

(7) The records in all systems of records controlled by the Office of Personnel Management (OPM) Government-wide system notices are technically only temporarily in the custody of DLA. All requests for amendment of these records must be processed in accordance with the Federal Personnel Manual (FPM). A DLA denial authority may deny a request. However, the appeal process for all such denials must include a review by the Assistant Director for Agency Compliance and Evaluation, Office of Personnel Management, 1900 E Street, NW., Washington, DC 20415. When an appeal is received from a DLA denial of amendment of the OPM controlled record, process the appeal in accordance with the FPM and notify the OPM appeal authority listed above. The individual may appeal any DLA decision not to amend the OPM records directly to OPM. OPM is the final review authority for any appeal from a denial to amend the OPM records.

(8) If the reviewing authority refuses to amend the record as requested, the individual may submit a concise statement of disagreement setting forth his or her reasons for disagreeing with the decision not to amend.

(i) If an individual chooses to file a statement of disagreement, annotate the record to indicate that the statement has been filed. Furnish copies of the statement of disagreement to all DoD Components and Federal agencies that have been provided copies of the disputed information and who may be maintaining the information.

(ii) When possible, incorporate the statement of disagreement into the record. If the statement cannot be made a part of the record, establish procedures to ensure that it is apparent from the records that a statement of disagreement has been filed and maintain the statement so that it can be obtained readily when the disputed information is used or disclosed. Automated record systems that are not programmed to accept statements of disagreement shall be annotated or coded so that they clearly indicate that a statement of disagreement is on file, and clearly identify the statement with the disputed information in the system. Provide a copy of the statement of disagreement whenever the disputed information is disclosed for any purpose.

(9) A summary of reasons for refusing to amend may be included with any record for which a statement of disagreement is filed. Include in this summary only the reasons furnished to the individual for not amending the record. Do not include comments on the statement of disagreement. Normally, the summary and statement of disagreement are filed together. When disclosing information for which a summary has been filed, a copy of the summary may be included in the release, if desired.

(d) Documentation. Establish a separate Privacy Case File to retain the documentation received and generated during the amendment or access process. There is no need to establish a Privacy Case File if the individual has not cited the Privacy Act or this part. Privacy Case Files shall not be furnished or disclosed to anyone for use in making any determination about the individual other than determinations made under this part. Only the items listed below may be included in the system of records challenged for amendment or for which access is sought. Do not retain copies of unamended records in the basis record system if the request for amendment is granted.

(1) The following items relating to an amendment request may be included in the disputed record system:

(i) Copies of the amended record.

(ii) Copies of the individual's statement of disagreement.

(iii) Copies of activity summaries.

(iv) Supporting documentation submitted by the individual.

(2) The following items relating to an access request may be included in the basic records system:

(i) Copies of the request.

(ii) Copies of the activity action granting total access. (Note: A separate Privacy Case File need not be created in such cases.)

(iii) Copies of the activity action denying access.

(iv) Copies of any appeals filed.

(v) Copies of the reply to the appeal.

(e) Fees. An individual may be charged only for the direct cost of copying and reproduction, computed using the appropriate portions of the fee schedule in DLAR 5400.14 (32 CFR part 1285) under the provisions of this part. Normally, fees are waived automatically if the direct costs of a given request is less than $30. This fee waiver provision does not apply when a waiver has been granted to the individual before, and later requests appear to be an extension or duplication of that original request. DLA activities may, however, set aside this automatic fee waiver provision when on the basis of good evidence it determines that the waiver of fees is not in the public interest. Decisions to waive or reduce fees that exceed the automatic waiver threshold will be made on a case-by-case basis. Fees may not be charged when:

(1) Copying is performed for the convenience of the Government or is the only means to make the record available to the individual.

(2) The record may be obtained without charge under any other part, directive, or statute.

(3) Providing documents to members of Congress for copying records furnished even when the records are requested under the Privacy Act on behalf of a constituent.

(f) Disclosures of personal information. (1) For the purposes of disclosure and disclosure accounting, the Department of Defense is considered a single agency. Records pertaining to an individual may be disclosed without the consent of the individual to any DoD official who has need for the record in the performance of his or her assigned duties. Do not disclose personnel information from a system of records outside the Department of Defense unless the record has been requested by the individual to whom it pertains; the written consent of the individual to whom the record pertains has been obtained for release of the record to the requesting agency, activity, or individual; or the release is for one of the specific nonconsensual purposes set forth in this part or DLAR 5400.14, (32 CFR part 1285).

(2) Except for releases made in accordance with DLAR 5400.14, (32 CFR part 1285) before disclosing any personal information to any recipient outside DoD other than a Federal agency or the individual to whom it pertains;

(i) Ensure that the records are accurate, timely, complete, and relevant for agency purposes.

(ii) Contact the individual, if reasonably available, to verify the accuracy, timeliness, completeness, and relevancy of the information, if this cannot be determined from the record.

(iii) If the information is not current and the individual is not reasonably available, advise the recipient that the information is believed accurate as of a specific date and any other known factors bearing on its accuracy and relevancy.

(3) All records must be disclosed if their release is required by the Freedom of Information Act. DLAR 5400.14, (32 CFR part 1285) requires that records be made available to the public unless exempted from disclosure by one of the nine exemptions found in the Freedom of Information Act. The standard for exempting most personal records, such as personnel records, medical records, and similar records, is found in DLAR 5400.14 (32 CFR part 1285). Under the exemption, release of personal information can only be denied when its release would be a ‘clearly unwarranted invasion of personal privacy.'

(i) All disclosures of personal information regarding Federal civilian employees will be made in accordance with the Federal Personnel Manual. Some examples of personal information regarding DoD civilian employees that normally may be released without a clearly unwarranted invasion of personal privacy include:

(A) Name.

(B) Present and past position titles.

(C) Present and past grades.

(D) Present and past salaries.

(E) Present and past duty stations.

(F) Office and duty telephone numbers.

(ii) All release of personal information regarding military members shall be made in accordance with the standards established by DLAR 5400.14, (32 CFR part 1285). While it is not possible to identify categorically information that must be released or withheld from military personnel records in every instance, the following items of personal information regarding military members normally may be disclosed without a clearly unwarranted invasion of their personal privacy:

(A) Full name.

(B) Rank.

(C) Date of rank.

(D) Gross salary.

(E) Past duty assignments.

(F) Present duty assignment.

(G) Future assignments that are officially established.

(H) Office or duty telephone numbers.

(I) Source of commission.

(J) Promotion sequence number.

(K) Awards and decorations.

(L) Attendance at professional military schools.

(M) Duty status at any given time.

(iii) All releases of personal information regarding civilian personnel not subject to the FPM shall be made in accordance with the standards established by DLAR 5400.14 (32 CFR part 1285). While it is not possible to identify categorically those items of personal information that must be released regarding civilian employees not subject to the FPM, such as nonappropriated fund employees, normally the following items may be released without a clearly unwarranted invasion of personal privacy:

(A) Full name.

(B) Grade or position.

(C) Date of grade.

(D) Gross salary.

(E) Present and past assignments.

(F) Future assignments, if officially established.

(G) Office or duty telephone numbers.

(4) A request for a home address or telephone number may be referred to the last known address of the individual for a direct reply by him or her to the requester. In such cases the requester will be notified of the referral. The release of home addresses and home telephone numbers normally is considered a clearly unwarranted invasion of personal privacy and is prohibited. However, these may be released without prior specific consent of the individual if:

(i) The individual has indicated previously that he or she has no objection to their release.

(ii) The source of the information to be released is a public document such as commercial telephone directory or other public listing.

(iii) The release is required by Federal statute (for example, pursuant to Federally-funded state programs to locate parents who have defaulted on child support payments (42 U.S.C. section 653).)

(iv) The releasing official releases the information under the provisions of DLAR 5400.14, (32 CFR part 1285).

(5) Records may be disclosed outside DoD without consent of the individual to whom they pertain for an established routine use. Routine uses may be established, discontinued, or amended without the consent of the individuals involved. However, new or changed routine uses must be published in the Federal Register at least 30 days before actually disclosing any records under their provisions. In addition to the routine uses established by the individual system notices, common blanket routine uses for all DLA-maintained systems of records have been established. These blanket routine uses are published in DLAH 5400.1,1 DLA Systems of Records Handbook. Unless a system notice specifically excludes a system from a given blanket routine use, all blanket routine uses apply.

(6) Records in DLA systems of records may be disclosed without the consent of the individuals to whom they pertain to the Bureau of the Census for purposes of planning or carrying out a census survey or related activities.

(7) Records may be disclosed for statistical research and reporting without the consent of the individuals to whom they pertain. Before such disclosures, the recipient must provide advance written assurance that the records will be used as statistical research or reporting records; the records will only be transferred in a form that is not individually identifiable; and the records will not be used, in whole or in part, to make any determination about the rights, benefits, or entitlements of specific individuals. A disclosure accounting is not required.

(8) Records may be disclosed without the consent of the individual to whom they pertain to the National Archives and Records Administration (NARA) if they have historical or other value to warrant continued preservation; or for evaluation by NARA to determine if a record has such historical or other value. Records transferred to a Federal Record Center (FRC) for safekeeping and storage do not fall within this category. These remain under the control of the transferring activity, and the FRC personnel are considered agents of the activity which retain control over the records. No disclosure accounting is required for the transfer of records to FRCs.

(9) Records may be disclosed without the consent of the individual to whom they pertain to another agency or an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, provided the civil or criminal law enforcement activity is authorized by law; the head of the law enforcement acitivity or a designee has made a written request specifying the particular records desired and the law enforcement purpose (such as criminal investigations, enforcement of civil law, or a similar propose) for which the record is sought; and there is no Federal statute that prohibits the disclosure of the records. Normally, blanket requests for access to any and all records pertaining to an individual are not honored. When a record is released to a law enforcement activity, maintain a disclosure accounting. This disclosure accounting will not be made available to the individual to whom the record pertains if the law enforcement activity requests that the disclosure not be released.

(10) Records may be disclosed without the consent of the individual to whom they pertain if disclosure is made under compelling circumstances affecting the health or safety of any individual. The affected individual need not be the subject of the record disclosed. When such a disclosure is made, notify the individual who is the subject of the record. Notification sent to the last known address of the individual as reflected in the records is sufficient.

(11) Records may be disclosed without the consent of the individual to whom they pertain to either House of the Congress or to any committee, joint committee or subcommittee of Congress if the release pertains to a matter within the jurisdiction of the committee. Records may also be disclosed to the General Accounting Office (GAO) in the course of the activities of GAO.

(12) Records may be disclosed without the consent of the person to whom they pertain under a court order signed by a judge of a court of competent jurisdiction. Releases may also be made under the compulsory legal process of Federal or state bodies having authority to issue such process.

(i) When a record is disclosed under this provision, make reasonable efforts to notify the individual to whom the record pertains, if the legal process is a matter of public record.

(ii) If the process is not a matter of public record at the time it is issued, seek to be advised when the process is made public and make reasonable efforts to notify the individual at that time.

(iii) Notification sent to the last known address of the individual as reflected in the records is considered reasonable effort to notify. Make a disclosure accounting each time a record is disclosed under a court order or compulsory legal process.

(13) Certain personal information may be disclosed to consumer reporting agencies as defined by the Federal Claims Collection Act. Information which may be disclosed to a consumer reporting agency includes:

(i) Name, address, taxpayer identification number (SSN), and other information necessary to establish the identity of the individual.

(ii) The amount, status, and history of the claim.

(iii) The agency or program under which the claim arose.

(g) Disclosure accounting. (1) Keep an accurate record of all disclosures made from any system of records except disclosures to DoD personnel for use in the performance of their official duties or under DLAR 5400.14 (32 CFR part 1285). In all other cases a disclosure accounting is required even if the individual has consented to the disclosure of the information pertaining to him or her.

(2) Use any system of disclosure accounting that will provide the necessary disclosure information. As a minimum, disclosure accounting will contain the date of the disclosure, a description of the information released, the purpose of the disclosure, the name and address of the person or agency to whom the disclosure was made. When numerous similar records are released (such as transmittal of payroll checks to a bank), identify the category of records disclosed and include the data required in some form that can be used to construct an accounting disclosure record for individual records if required. Retain disclosure accounting records for 5 years after the disclosure or the life of the record, whichever is longer.

(3) Make available to the individual to whom the record pertains all disclosure accountings except when the disclosure has been made to a law enforcement activity and the law enforcement activity has requested that disclosure not be made, or the system of records has been exempted from the requirement to furnish the disclosure accounting. If disclosure accountings are not maintained with the record and the individual requests access to the accounting, prepare a listing of all disclosures and provide this to the individual upon request.

(h) Collecting personal information. (1) Collect to the greatest extent practicable personal information directly from the individual to whom it pertains if the information may be used in making any determination about the rights, privileges, or benefits of the individual under any Federal program.

(2) When an individual is requested to furnish personal information about himself or herself for inclusion in a system of records, a Privacy Act Statement is required regardless of the medium used to collect the information (forms, personal interviews, stylized formats, telephonic interviews, or other methods). The statement enables the individual to make an informed decision whether to provide the information requested. If the personal information solicited is not to be incorporated into a system of records, the statement need not be given. The Privacy Act Statement shall be concise, current, and easily understood. It must include:

(i) The specific Federal statute or Executive Order that authorizes collection of the requested information.

(ii) The principal purpose or purposes for which the information is to be used.

(iii) The routine uses that will be made of the information.

(iv) Whether providing the information is voluntary or mandatory.

(v) The effects on the individual if he or she chooses not to provide the requested information.

(3) The Privacy Act Statement may appear as a public notice (sign or poster), conspicuously displayed in the area where the information is collected, such as at check-cashing facilities or identification photograph facilities. The individual normally is not required to sign the Privacy Act Statement. Provide the individual a written copy of the Privacy Act Statement upon request. This must be done regardless of the method chosen to furnish the initial advisement.

(4) Include in the Privacy Act Statement specifically whether furnishing the requested personal data is mandatory or voluntary. A requirement to furnish personal data is mandatory only when a Federal statute, Executive order, regulation, or other lawful order specifically imposes a duty on the individual to provide the information sought, and the individual is subject to a penalty if he or she fails to provide the requested information. If providing the information is only a condition of a prerequisite to granting a benefit or privilege and the individual has the option of requesting the benefit or privilege, providing the information is always voluntary. However, the loss or denial of the privilege, benefit, or entitlement sought may be listed as a consequence of not furnishing the requested information.

(5) It is unlawful for any Federal, state, or local government agency to deny an individual any right, benefit, or privilege provided by law because the individual refuses to provide his or her social security number (SSN). However, if a Federal statute requires that the SSN be furnished or if the SSN is required to verify the identity of the individual in a system of records that was established and in use before January 1, 1975, and the SSN was required as an identifier by a statute or regulation adopted before that date, this restriction does not apply.

(i) When an individual is requested to provide his or her SSN, he or she must be told:

(A) The uses that will be made of the SSN.

(B) The statute, regulation, or rule authorizing the solicitation of the SSN.

(C) Whether providing the SSN is voluntary or mandatory.

(ii) Include in any systems notice for any system of records that contains SSNs a statement indicating the authority for maintaining the SSN and the source of the SSNs in the system. If the SSN is obtained directly from the individual indicate whether this is voluntary or mandatory.

(iii) Upon entrance into Military Service of civilian employment with DoD, individuals are asked to provide their SSNs. The SSN becomes the service or employment number for the individual and is used to establish personnel, financial, medical, and other official records. After an individual has provided his or her SSN for the purpose of establishing a record, a Privacy Act Statement is not required if the individual is only requested to furnish or verify the SSNs for identification purposes in connection with the normal use of his or her records. However, if the SSN is to be written down and retained for any purpose by the requesting official, the individual must be provided a Privacy Act Statement.

(6) DLAI 5530.1, Publications, Forms, Printing, Duplicating, Micropublishing, Office Copying, and Automated Information Management Programs,2 provides guidance on administrative requirements for Privacy Act Statements used with DLA forms. Forms subject to the Privacy Act issued by other Federal agencies have a Privacy Act Statement attached or included. Always ensure that the statement prepared by the originating agency is adequate for the purpose for which the form will be used by the DoD activity. If the Privacy Act Statement provided is inadequate, the activity concerned will prepare a new statement of a supplement to the existing statement before using the form. Forms issued by agencies not subject to the Privacy Act (state, municipal, and other local agencies) do not contain Privacy Act Statements. Before using a form prepared by such agencies to collect personal data subject to this part, an appropriate Privacy Act Statement must be added.

(i) Systems of records. (1) To be subject to this part, a “system of records” must consist of records retrieved by the name of an individual or some other personal identifier and be under the control of a DLA activity. Records in a group of records that may be retrieved by a name or personal identifier are not covered by this part. The records must be, in fact, retrieved by name or other personal identifier to become a system of records for the purpose of this part.

(2) Retain in a system of records only that personal information which is relevant and necessary to accomplish a purpose required by a Federal statute or an Executive Order. The existence of a statute or Executive order mandating that maintenance of a system of records does not abrogate the responsibility to ensure that the information in the system of records is relevant and necessary.

(3) Do not maintain any records describing how an individual exercises his or her rights guaranteed by the First Amendment of the U.S. Constitution unless expressly authorized by Federal statute or the individual. First Amendment rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition.

(4) Maintain all personal information used to make any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in making any such determination. Before disseminating any personal information from a system of records to any person outside DoD, other than a Federal agency, make reasonable efforts to ensure that the information to be disclosed is accurate, relevant, timely, and complete for the purpose it is being maintained.

(5) Establish appropriate administrative, technical and physical safeguards to ensure that the records in every system of records are protected from unauthorized alteration or disclosure and that their confidentiality is protected. Protect the records against reasonably anticipated threats or hazards. Tailor safeguards specifically to the vulnerabilities of the system and the type of records in the system, the sensitivity of the personal information stored, the storage medium used and, to a degree, the number of records maintained.

(i) Treat all unclassified records that contain personal information that normally would be withheld from the public as if they were designated “For Official Use Only” and safeguard them in accordance with the standards established by DLAR 5400.14 (32 CFR part 1285) even if they are not marked “For Official Use Only.”

(ii) Special administrative, physical, and technical procedures are required to protect data that are stored or being processed temporarily in an automated data processing (ADP) system or in a word processing activity to protect it against threats unique to those environments (see DLAR 5200.17, Security Requirements for Automated Information and Telecommunications Systems,3 and appendix D to this part).

(6) Dispose of records containing personal data so as to prevent inadvertent compromise. Disposal methods such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction.

(i) The transfer of large quantities of records containing personal data (for example, computer cards and printouts) in bulk to a disposal activity, such as the Defense Property Disposal Office, is not a release of personal information under this part. The sheer volume of such transfers makes it difficult or impossible to identify readily specific individual records.

(ii) When disposing of or destroying large quantities of records containing personal information, care must be exercised to ensure that the bulk of the records is maintained so as prevent specific records from being readily identified. If bulk is maintained, no special procedures are required.

(7) When DLA contracts for the operation or maintenance of a system of records or a portion of a system of records by a contractor, the record system or the portion of the record system affected are considered to be maintained by DLA and are subject to this part. The activity concerned is responsible for applying the requirements of this part to the contractor. The contractor and its employees are to be considered employees of DLA for purposes of the sanction provisions of the Privacy Act during the performance of the contract. See the Federal Acquisition Regulation (FAR), section 24.000 (48 CFR chapter 1).

(j) System Notices. (1) A notice of the existence of each system of records must be published in the Federal Register. While system notices are not subject to formal rulemaking procedures, advance public notice must be given before an activity may begin to collect personal information or use a new system of records. The notice procedures require that:

(i) The system notice describes the contents of the record system and the routine uses for which the information in the system may be released.

(ii) The public be given 30 days to comment on any proposed routine uses before implementation.

(iii) The notice contains the date on which the system will become effective.

(2) Appendix A of this part discusses the specific elements required in a system notice. DLAH 5400.1 4 contains systems notices published by DLA.

(3) In addition to system notices, reports are required for new and altered systems of records. The criteria of these reports are outlined in appendixes B and C of this part. No report is required for amendments to existing systems which do not meet the criteria for altered record systems.

(4) System managers shall evaluate the information to be included in each new system before establishing the system and evaluate periodically the information contained in each existing system of records for relevancy and necessity. Such a review will also occur when a system notice amendment or alteration is prepared. Consider the following:

(i) The relationship of each item of information retained and collected to the purpose for which the system is maintained.

(ii) The specific impact on the purpose or mission of not collecting each category of information contained in the system.

(iii) The possibility of meeting the informational requirements through use of information not individually identifiable or through other techniques, such as sampling.

(iv) The length of time each item of personal information must be retained.

(v) The cost of maintaining the information.

(vi) The necessity and relevancy of the information to the purpose for which it was collected.

(5) Systems notices and reports of new and altered systems will be submitted to DLA Support Services (DSS-CA) as required.

(k) Exemptions. The Director, DLA will designate the DLA records which are to be exempted from certain provisions of the Privacy Act. DLA Support Services (DSS-CA) will publish in the Federal Register information specifying the name of each designated system, the specific provisions of the Privacy Act from which each system is to be exempted, the reasons for each exemption, and the reason for each exemption of the record system.

(1) General Exemptions. To qualify for a general exemption, as defined in the Privacy Act, the system of records must be maintained by a system manager who performs as his/her principal function any activity pertaining to the enforcement of criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities or prosecutors, courts, correctional, probation, pardon, or parole authorities. Such system of records must consist of:

(i) Information compiled for the purpose of identifying individual criminal offenders and alleged offenders and containing only identifying data and notations or arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole, and probation status.

(ii) Information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual.

(iii) Reports identifiable to an individual compiled at any stage of the process of enforcement of the criminal laws from arrest or indictment through release from supervision.

(2) Specific exemption. To qualify for a specfic exemption, as defined by the Privacy Act, the systems of records must be:

(i) Specifically authorized under criteria established by an Executive Order to be kept classified in the interest of national defense or foreign policy and are in fact properly classified pursuant to such Executive Order.

(ii) Investigatory material compiled for law enforcement purposes other than material covered under a general exemption. However, an individual will not be denied access to information which has been used to deny him/her a right or privilege unless disclosure would reveal a source who furnished information to the Government under a promise that the identity of the source would be held in confidence. For investigations made after September 27, 1975, the identity of the source may be treated as confidential only if based on the expressed guarantee that the identity would not be revealed.

(iii) Maintained in connection with providing protective services to the President of the United States or other individuals protected pursuant to 18 U.S.C. 3056.

(iv) Used only to generate aggregate statistical data or for other similarly evaluative or analytic purposes, and which are not used to make decisions on the rights, benefits, or entitlements of individuals except for the disclosure of a census record permitted by 13 U.S.C. 8.

(v) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, Military Service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the source would be held in confidence, or prior to September 27 1975, under an implied promise that the identity of the source would be held in confidence.

(vi) Testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal service, the disclosure of which would compromise the objectivity or fairness of the testing or elimination process.

(vii) Evaluation material used to determine potential for promotion in the Military Services, but only the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence or prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. System managers will specify those categories of individuals for whom pledges of confidentiality may be made when obtaining information on an individual's suitability for promotion.

(viii) Exemption rules for DLA systems of records are published in appendix H of this part.

(l) Matching Program Procedures. The OMB has issued special guidelines to be followed in programs that match the personal records in the computerized data bases of two or more Federal agencies by computer (see appendix E). These guidelines are intended to strike a balance between the interest of the Government in maintaining the integrity of Federal programs and the need to protect individual privacy expectations. They do not authorize matching programs as such and each matching program must be justified individually in accordance with the OMB guidelines.

(1) Forward all requests for matching programs to include necessary routine use amendments and analysis and proposed matching program reports to DLA Support Services. Changes to existing matching programs shall be processed in the same manner as a new matching program report.

(2) No time limits are set by the OMB guidelines. However, in order to establish a new routine use for a matching program, the amended system notice must have been published in the Federal Register at least 30 days before implementation. Submit the documentation required above to DLA Support Services (DSS-CA) at least 60 days before the proposed initiation date of the matching program. Waivers to the 60 days' deadline may be granted for good cause shown. Requests for waivers will be in writing a fully justified.

(3) For the purpose of the OMB guidelines, DoD and all DoD Components are considered a single agency. Before initiating a matching program using only the records of two or more DoD activities, notify DLA Support Services (DSS-CA) that the match is to occur. Further information may be requested from the activity proposing the match.

(4) System managers shall review annually each system of records to determine if records from the system are being used in matching programs and whether the OMB Guidelines have been complied with.

DLA activities may be required to provide data under reporting requirements established by the Defense Privacy Office and DLA Support Services (DSS-CA). Any report established shall be assigned Report Control Symbol DD-DA&M(A)1379.

This part implements the basic policies and procedures outlined in the Privacy Act of 1974, as amended (5 U.S.C. 552a), and 32 CFR part 310; and establishes the National Reconnaissance Office Privacy Program (NRO) by setting policies and procedures for the collection and disclosure of information maintained in records on individuals, the handling of requests for amendment or correction of such records, appeal and review of NRO decisions on these matters, and the application of exemptions.

Obligations under this part apply to all employees detailed, attached, or assigned to or authorized to act as agents of the National Reconnaissance Office. The provisions of this part shall be made applicable by contract or other legally binding action to government contractors whenever a contract is let for the operation of a system of records or a portion of a system of records.

Access. The review or copying of a record or its parts contained in a system of records by a requester.

Agency. Any executive or military department, other establishment, or entity included in the definition of agency in 5 U.S.C. 522(f).

Control. Ownership or authority of the NRO pursuant to federal statute or privilege to regulate official or public access to records.

Disclosure. The authorized transfer of any personal information from a system of records by any means of communication (such as oral, written, electronic, mechanical, or actual review) to any person, private entity, or government agency other than the subject of the record, the subject's designated agent, or the subject's legal guardian.

He, him, and himself. Generically used in this part to refer to both males and females.

Individual or requester. A living citizen of the U.S. or an alien lawfully admitted to the U.S. for permanent residence and to whom a record might pertain. The legal guardian or legally authorized agent of an individual has the same rights as the individual and may act on his behalf. No rights are vested in the representative of a dead person or in persons acting in an entrepreneurial (for example, sole proprietorship or partnership) capacity under this part.

Interested party. Any official in the executive (including military), legislative, or judicial branches of government, U.S. or foreign, or U.S. Government contractor who, in the sole discretion of the NRO, has a subject matter or physical interest in the documents or information at issue.

Maintain. To collect, use, store, disclose, retain, or disseminate when used in connection with records.

Originator. The NRO employee or contractor who created the document at issue or his successor in office or any official who has been delegated release or declassification authority pursuant to law.

Personal information. Information about any individual that is intimate or private to the individual, as distinguished from ‘corporate information’ which is in the public domain and related solely to the individual's official functions or public life (i.e., employee's name, job title, work phone, grade/rank, job location).

Privacy Act Coordinator. The NRO Information and Access Release Center Chief who serves as the NRO manager ofthe information review and release program instituted under the Privacy Act.

Record. Any item, collection, or grouping of information about an individual that is maintained by the NRO, including, but not limited to, the individual's education, financial transactions, medical history, and criminal or employment history, and that contains the individual's name or identifying number (such as Social Security or employee number), symbol, or other identifying particular assigned to the individual, such as fingerprint, voice print, or photograph. Records include data about individuals which is stored in computers.

Responsive record. Documents or records that the NRO has determined to be within the scope of a Privacy Act request.

Routine use. The disclosure of a record outside the Department of Defense (DoD) for a use that is compatible with the purpose for which the information was collected and maintained by NRO. Routine use encompasses not only common or ordinary use, but also all the proper and necessary uses of the record even if such uses occur infrequently. All routine uses must be published in the Federal Register.

System managers. Officials who have overall responsibility for a Privacy Act system of records.

System notice. The official public notice published in the Federal Register of the existence and general content of the system of records.

System of records. A group of any records under the control of the NRO from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to that individual.

Working days. Days when the NRO is operating and specifically excludes Saturdays, Sundays, and legal public holidays.

(a) Records about individuals—

(1) Collection. The NRO will safeguard the privacy of individuals identified in its records. Information about an individual will, to the greatest extent practicable, be collected directly from the individual, and personal information will be protected from unintentional or unauthorized disclosure by treating it as marked ‘For Official Use Only.’ Access to personal information will be restricted to those employees whose official duties require it during the regular course of business.

(i) Privacy Act Statement. When an individual is requested to furnish personal information about himself for inclusion in a system of records, a Privacy Act Statement is required to enable him to make an informed decision whether to provide the information requested. A Privacy Act Statement may appear, in order of preference, at the top or bottom of a form, on the reverse side of a form, or attached to the form as a tear-off sheet.

(ii) Social Security Numbers (SSNs). It is unlawful for any governmental agency to deny an individual any right, benefit, or privilege provided by law because the individual refuses to provide his SSN. However, if a federal statute requires that the SSN be furnished or if the SSN is required to verify the identity of an individual in a system of records that was established and in use before January 1, 1975, this restriction does not apply. When collecting the SSN, a ‘qualified’ Privacy Act Statement must be provided even if the SSN will not be maintained in a system of records. The 'qualified' Privacy Act Statement shall inform the individual whether the disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

(2) Maintenance. The NRO will maintain in its records only such information about an individual which is accurate, relevant, timely, and necessary to accomplish a purpose which is required by statute or Executive Order. All records used by the NRO to make determinations about individuals will be maintained with such accuracy and completeness as is reasonably necessary to assure fairness to the individual.

(3) Existence. The applicability of the Privacy Act depends on the existence of an identifiable record. The procedures described in NRO regulations do not require that a record be created or that an individual be given access to records that are not retrieved by name or other individual identifier. Nor do these procedures entitle an individual to have access to any information compiled in reasonable anticipation of a civil action or proceeding. NRO will maintain only those systems of records that have been described through notices published in the Federal Register. A system of records from which records may be retrieved by a name or some other personal identifier must be under NRO control for consideration under this part.

(4) Disposal. The NRO will archive, dispose of, or destroy records containing personal data in a manner to prevent specific records from being readily identified or inadvertently compromised.

(b) Evaluation of records. Statutory authority to establish and maintain a system of records does not grant unlimited authority to collect and maintain all information which may be useful or convenient. Directorates and offices maintaining records will evaluate each category of information in records systems for necessity and relevance prior to republication of all system notices in the Federal Register and during the design phase or change of a system of records. The following will be considered in the evaluation:

(1) Relationship of each item of information to the statutory purpose for which the system is maintained;

(2) Specific adverse consequences of not collecting each category of information; and

(3) Techniques for purging parts of the records.

(c) Disclosure of records. The NRO will provide the fullest access practicable by individuals to NRO records concerning them. Release of personal information to such individuals is not considered public release of information. Upon receipt of a written request, the NRO will release to individuals those records that are releasable and applicable to the individual making the request. Generally, information, other than that exempted by law and this part, will be provided to the individual. NRO personnel will comply with the Privacy Act of 1974, as amended, the DoD Privacy Act Program (32 CFR part 310), and the NRO Privacy Act Program. No NRO records shall be disclosed by any means of communication to any person or to any agency except pursuant to a written request by or the prior written consent of the individual to whom it pertains, unless disclosure of the record will be:

(1) To those employees of the NRO who have an official need for the record in the performance of their duties.

(2) Required to be disclosed to a member of the public under the Freedom of Information Act, as amended.

(3) For a routine use as defined in the Privacy Act.

(4) To the Census Bureau for the purpose of conducting a census or survey or related activity authorized by law.

(5) To a recipient who has provided the NRO with advance, adequate written assurance that the record will be used solely as statistical research and that the record is to be transferred in a form in which the individual is not identifiable.

(6) To the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the U. S. Government.

(7) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the U.S. for a civil or criminal law enforcement activity if such activity is authorized by law and if the head of the agency or governmental entity has made a written request to the NRO specifying the particular portion of the record and the law enforcement activity for which the record is sought (blanket requests will not be accepted); a record may also be disclosed to a law enforcement agency at the initiative of the NRO pursuant to the blanket routine use for law enforcement when criminal conduct is indicated in the record.

(8) To a person showing compelling circumstances affecting the health or safety of an individual if, upon such disclosure, notification is sent to the last known address of the individual to whom the record pertains (emergency medical information may be released by telephone).

(9) To Congress or any committee, joint committee, or subcommittee of Congress with respect to a matter under its jurisdiction. This provision does not authorize the disclosure of a record to members of Congress acting in their individual capacities or on behalf of their constituents making third party requests. However, such releases may be made pursuant to the blanket routine use for Congressional inquiries when a constituent has sought the assistance of his Congressman forthe constituent's individual record(s).

(10) To the Comptroller General or any of his authorized representatives in the course of the performance of the duties of the General Accounting Office.

(11) Pursuant to an order of a court of competent jurisdiction. When the record is disclosed under compulsory legal process and when the issuance of that order or subpoena is made public by the court which issued it, the NRO will make reasonable efforts to notify the individual to whom the record pertains by mail at the most recent address contained in NRO records.

(12) To a consumer reporting agency in accordance with 31 U.S.C. 3711(f).

(d) Allocation of resources. NRO components shall exercise due diligence in their responsibilities under the Privacy Act and must devote a reasonable level of personnel to respond to requests on a ‘first-in, first-out’ basis. In allocating Privacy Act resources, the component shall consider its imposed business demands, the totality of resources available to it, the information review and release demands imposed by Congress and other governmental authorities, and the rights of the public under various disclosure laws. The PA Coordinator will establish priorities for cases consistent with established law to ensure that smaller as well as larger ‘project’ cases receive equitable attention.

(e) Written permission for disclosure. Disclosures made under circumstances not delineated in this part shall be made only if the written permission of the individual involved has been obtained. Written permission shall be recorded on or appended to the document transmitting the personal information to the other agency, in which case no separate accounting of the disclosure need be made. Written permission is required in each case; that is, once obtained, written permission for one case does not constitute blanket permission for other disclosures.

(f) Coordination with other government agencies. Records systems of the NRO may contain records originated by other agencies that may have claimed exemptions for them under the Privacy Act. Where appropriate, coordination will be effected with the originating agency. The NRO will comply with the instructions issued by another agency responsible for a system of records (e.g., Office of Personnel Management) in granting access to such records. Records containing information or interests of another government agency will not be released until coordination with the other agency involved. A request for information pertaining to the individual in an NRO record system received from another federal agency will be coordinated with the originating agency.

(g) Accounting for disclosure. Except for disclosures made under paragraphs (c)(1) and (c)(2) of this section, an accurate account of the disclosures shall be kept by the record holder in consultation with the Privacy Act Coordinator (PA Coordinator). There need not be a notation on a single document of every disclosure of a particular record. The record holder should be able to construct from its system of records the accounting information:

(1) When required by the individual to whom the record pertains, or

(2) When necessary to inform previous recipients of any amended records. The accounting shall be retained for at least five years or for the life of the record, whichever is longer, to be available for review by the subject of the record at his request except for disclosures made under paragraph (c)(7) of this section.

(h) Application of rules. Any request for access, amendment, correction, etc., of personal record information in a system of records by an individual to whom such information pertains will be governed by the Privacy Act of 1974, as amended, DoD regulatory authority, and this part, exclusively. Any denial or exemption of all or part of a record from access, disclosure, amendment, correction, etc., will be processed under DoD regulatory authority and this part, unless court order or other competent authority directs otherwise.

(i) First Amendment rights. No NRO official or component may maintain any information pertaining to the exercise by an individual of his rights under the First Amendment without the permission of that individual unless such collection is specifically authorized by statute or pertains to an authorized law enforcement activity.

(j) Non-system information on individuals. The following information is not considered part of personal records systems reportable under this part and may be maintained by NRO for ready identification, contact, and property control purposes only, provided it is not maintained in a system of records. If at any time the information described in this paragraph is being maintained in a system of records, the information is subject to the Privacy Act.

(1) Identification information at doorways, building directories, desks, lockers, name tags, etc.

(2) Geographical or agency contact cards.

(3) Property receipts and control logs for building passes, credentials, vehicles, etc.

(4) Personal working notes of employees that are merely an extension of the author's memory, if maintained properly, do not come under the Privacy Act. Personal notes are not considered official NRO records if they meet the following requirements:

(i) Keeping or discarding notes must be at the sole discretion of the author. Any requirement by supervising authority, whether by oral or written directive, regulation, policy, or memo to maintain such notes, likely would cause the notes to become official agency records.

(ii) Such notes must be restricted to the author's personal use as memory aids, and only the author may have access to them. Passing them to a successor or showing them to other personnel (including supporting staff such as secretaries) would likely cause them to become agency records.

(5) Rosters. The NRO has no restriction against rosters that contain only corporate information such as name, work telephone number, and position. Good recordkeeping practices dictate that only rosters that are relevant and necessary to the NRO's operations may be maintained, and therefore convenience rosters, which by definition do not satisfy the test, may not be maintained.

(a) An individual's written request for access to records about himself which does not specify the Act under which the request is made will be processed under both the Freedom of Information Act (FOIA) and the Privacy Act and the applicable regulations. Such requests will be processed under both Acts regardless of whether the requester cites one Act, both, or neither in the request in order to ensure the maximum possible disclosure to the requester. Individuals may not be denied access to a record pertaining to themselves merely because those records are exempt from disclosure under the FOIA.

(b) A Privacy Act request that neither specifies the system(s) of records to be searched nor identifies the substantive nature of the information sought will be processed by searching the systems of records categorized as Environmental Health, Safety and Fitness, FOIA/Privacy, General, and Security.

(c) A Privacy Act request that does not designate the system(s) of records to be searched but does identify the substantive nature of the information sought will be processed by searching those systems of records likely to have information similar to that sought by the requester.

(d) The NRO will not disclose any record to any person or government agency except by written request or prior written consent of the subject of the record unless the disclosure is required by law or is within the exceptions of the Privacy Act. If a requester authorizes another individual to obtain the requested records on his behalf, the requester shall provide a written, signed, notarized statement appointing that individual as his representative and certifying that the individual appointed may have access to the requester's records and that such access shall not constitute an invasion of his privacy nor a violation of his rights under the Privacy Act. In lieu of a notarized statement, the NRO will accept a declaration in accordance with 28 U.S.C. 1746.

(e) Upon receipt of a written request, the Privacy Act Coordinator (PA Coordinator) will release to the requester those records which are releasable and applicable to the individual making the request. Records about individuals include data stored electronically or in electronic media. Documentary material qualifies as a record if the record is maintained in a system of records.

(f) Initial availability, potential for release, and cost determination will usually be made within ten working days of the date on which a written request for any identifiable record is received by the NRO (and acknowledgement is sent to the individual). If additional time is needed due to unusual circumstances, a written notification of the delay will be forwarded to the requester within the ten working day period. This notification will briefly explain the circumstances for the delay and indicate the anticipated date for a substantive response.

(g) All requests will be handled in the order received on a ‘first-in, first-out’ basis. Requests will be considered for expedited processing only if the NRO determines that there is a genuine health, humanitarian, or due process reason involving possible deprivation of life or liberty which creates an exceptional and urgent need, that there is no alternative forum for the records sought, and that substantive records relevantto the stated needs may exist and be releasable.

(h) Records provided or originated by another agency or containing other agency information will not be released prior to coordination with the other agency involved.

(i) Requesting or obtaining access to records under false pretenses is a violation of the Privacy Act and is subject to criminal penalties.

(a) To the maximum extent practical, personal information about an individual will be obtained directly from that individual.

(b) Whenever an individual is asked to provide personal information, including Social Security Number (SSN) or a personal identifier, about himself, a Privacy Act Statement will be furnished that will advise him of the authority (whether by statute or by Executive Order) under which the information is requested, whether disclosure of the information is voluntaryor mandatory, the purposes for which it is requested, the uses to which it will be put, and the consequences of not providing the information.

(c) When asking third parties to provide information about other individuals, NRO employees will advise them:

(1) Of the purpose of the request, and

(2) That their identities and the information they are furnishing may be released to the individual unless they expressly request confidentiality. All persons interviewed must be informed of their rights and offered confidentiality.

(a) The PA Coordinator shall acknowledge receipt of the request in writing within ten working days.

(b) Upon receipt of a request, the PA Coordinator shall refer the request to those components most likely to possess responsive records. The components shall search all relevant record systems within their cognizance and shall:

(1) Determine whether a responsive record exists in a system of records.

(2) Determine whether access must be denied and on what legal basis. An individual may be denied access to his records under the Privacy Act only if an exemption has been properly claimed for all or part of the records or information requested; or if the information was compiled in reasonable anticipation of a civil action or proceeding.

(3) Approve the disclosure of records for which they are the originator.

(4) Forward to the PA Coordinator all records approved for release or necessary for coordination with or referral to another originator or interested party as well as notification of the specific determination for any denial.

(c) When all records have been collected, the PA Coordinator shall notify the individual of the determination and shall provide an exact copy of records deemed to be accessible if a copy has been requested.

(d) When an original record is illegible, incomplete, or partially exempt from release, the PA Coordinator shall explain in terms understood by the requester the portions of a record that are unclear.

(e) If access to requested records, or any portion thereof, is denied, the PA Coordinator shall inform the requester in writing of the specific reason(s) for denial, including the specific citation to appropriate sections of the Privacy Act or other statutes, this and other NRO regulations, or the Code of Federal Regulations authorizing denial, and the right to appeal this determination through the NRO appeal procedure within 60 calendar days. The denial shall include the date of denial, the name and title/position of the denial authority, and the address of the NRO Appeal Authority. Access may be refused when the records are exempt by the Privacy Act. Usually an individual will not be denied access to the entire record, but only to those portions to which the denial of access furthers the purpose for which an exemption was claimed.

(a) Any individual whose request for access is denied may request a review of the initial decision within 60 calendar days of the date of the notification of denial of access by appealing within the NRO internal appeals process. If a requester elects to request NRO review, the request shall be sent in writing to the Privacy Act Coordinator, National Reconnaissance Office, 14675 Lee Road, Chantilly, VA 20151-1715, briefly identifying the particular record which is the subject of the request and setting forth the reasons for the appeal. The request should enclose a copy of the denial correspondence. The following procedures apply to appeals within the NRO:

(1) The PA Coordinator, after acknowledging receipt of the appeal, shall promptly refer the appeal to the record-holding components, informing them of the date of receipt of the appeal and requesting that the component head or his designee review the appeal.

(2) The record-holding components shall review the initial denial of access to the requested records and shall inform the PA Coordinator of their review determination.

(3) The PA Coordinator shall consolidate the component responses, review the record, direct such additional inquiry or investigation as is deemed necessary to make a fair and equitable determination, and make a recommendation to the NRO Appeals Panel, which makes a recommendation to the Appeal Authority.

(4) The Appeal Authority shall notify the PA Coordinator of the result of the determination on the appeal, who shall notify the individual of the determination in writing.

(5) If the determination reverses the initial denial, the PA Coordinator shall provide a copy of the records requested. If the determination upholds the initial denial, the PA Coordinator shall inform the requester of his right to judicial review in U.S. District Court and shall include the exact reasons for denial with specific citations to the provisions of the Privacy Act, other statutes, NRO regulations, or the Code of Federal Regulations upon which the determination is based.

(b) The Appeal Authority shall act on the appeal or provide a notice of extension within 30 working days.

When requested medical and psychological records are not exempt from disclosure, the PA Coordinator may determine which non-exempt medical or psychological records should not be sent directly to the requester because of possible harm or adverse impact to the requester or another person. In that event, the information may be disclosed to a physician named by the requester. The appointment of the physician will be in the same notarized form or declaration as described in § 326.8 and will certify that the physician is licensed to practice in the appropriate specialty (medicine, psychology, or psychiatry). Upon designation, verification of the physician's identity, and agreement by the physician to review the documents with the requester to explain the meaning of the documents and to offer counseling designed to mitigate any adverse reaction, the NRO will forward such records to the designated physician. If the requester refuses or fails to designate a physician, the record shall not be provided. Under such circumstances refusal of access is not considered a denial for Privacy Act reporting purposes. However, if the designated physician declines to furnish the records to the individual, the PA Coordinator will take action to ensure that the records are provided to the individual.

(a) An individual may request amendment or correction of a record pertaining to him/her by addressing such request in writing, to the Privacy Act Coordinator, National Reconnaissance Office, 14675 Lee Road, Chantilly, VA 20151-1715. Incomplete or inaccurate requests will not be rejected categorically; instead, the requester will be asked to clarify the request as needed. A request will not be rejected or require resubmission unless additional information is essential to process the request. Usually, amendments under this part are limited to correcting factual errors and not matters of official judgment, such as promotion ratings and job performance appraisals. The requester must adequately support his claim and must identify:

(1) The particular record he wishes to amend or correct, specifying the number of pages and documents, the titles of the documents, form numbers if any, dates on documents, and individuals who signed them. Any reasonable description of the documents is acceptable. A clear and specific description of passages, pages, or documents to be amended will expedite processing the request.

(2) The desired amending language. The requester should specify the type of amendment, including complete removal of data, passages, or documents from record or correction of information to make it accurate, more timely, complete, or relevant.

(3) A justification for such amendment or correctionto include any documentary evidence supporting the request.

(b) Individuals will be required to provide verification of identity as in § 326.8. to ensure that the requester is seeking to amend records pertaining to himself and not, inadvertently or intentionally, the records of another individual.

(c) Minor factual errors in an individual's personal record may be corrected routinely upon request without resort to the Privacy Act or the provisions of this part, if the requester and the record holder agree to that procedure and the requester receives a copy of the corrected record whenever possible. A written request is not required when individuals indicate amendments during routine annual review and updating of records programs conducted by the NRO for civilian personnel and the Services for military personnel. Requests for deletion, removal of records, and amendment of substantive factual information will be processed according to the Privacy Act and the provisions of this part.

(d) The PA Coordinator shall acknowledge receipt of the request in writing within ten working days. No separate acknowledgement of receipt is necessary if the request can be either approved or denied and the requester advised within the ten-day period. For written requests presented in person, written acknowledgement may be provided at the time the request is presented.

(e) The PA Coordinator shall refer such request to the record-holder components, shall advise those components of the date of receipt, and shall request that those components make a prompt determination on such request.

(f) The record-holder components shall promptly:

(1) Make any amendment or correction to any portion of the record which the individual believes is not accurate, relevant, timely, or complete and notify the PA Coordinator and all holders and recipients of such records and their amendments that the correction was made; or

(2) Set forth the reasons for the refusal, if they determine that the requested amendment or correction will not be made or if they decline to make the requested amendment but instead augment the official record, and so inform the PA Coordinator.

(g) The Privacy Act Coordinator shall:

(1) Inform the requester of the agency's determination to make the amendment or correction as requested and notify all prior recipients of the change to the disputed records for which an accounting had been required; or

(2) Inform the requester of the specific reasons and legal authorities for the agency's refusal and the procedures established for him to request a review of that refusal.

(h) The amendment procedure is not intended to replace other existing procedures such as those for registering grievances or appealing performance appraisal reports. In such cases the requester will be apprised of the appropriate procedures for such actions.

(i) This part does not permit the alteration of evidence presented to courts, boards, or other official proceedings.

(a) Any individual whose request for amendment or correction is denied may request a review of the initial decision within 60 calendar days of the date of the notification of denial by appealing within the NRO internal appeals process. If a requester elects to request NRO review, the request shall be sent in writing to the Privacy Act Coordinator, National Reconnaissance Office, 14675 Lee Road, Chantilly, VA 20151-1715, briefly identifying the particular record which is the subject of the request and setting forth the reasons for the appeal. The request should enclose a copy of the denial correspondence. The following procedures apply to appeals within the NRO:

(1) The PA Coordinator, after acknowledging receipt of the appeal, shall promptly refer the appeal to the record-holding components, informing them of the date of receipt of the appeal and requesting that the component head or his designee review the appeal.

(2) The record-holding components shall review the initial denial of access to the requested records and shall inform the PA Coordinator of their review determination.

(3) The PA Coordinator shall act as secretary of the Appeals Panel. He shall:

(i) Consolidate the component responses and reasons for the initial denial.

(ii) Provide all supporting materials both furnished to and by the requester and the record-holding component.

(iii) Review the record.

(iv) Direct such additional inquiry or investigation as is deemed necessary to make a fair and equitable determination.

(v) Prepare the record and schedule the appeal for the next meeting of the Appeals Panel. The Appeals Panel shall recommend a finding to the Appeal Authority by a majority vote of those present at the meeting based on the written record and the Panel's deliberations. No personal appearances shall be permitted without the express permission of the Panel.

(4) The Appeal Authority shall notify the PA Coordinator of the result of the determination on the appeal who shall notify the individual of the determination in writing.

(5) The Appeal Authority will notify the PA Coordinator if the determination is that the record should be amended. The PA Coordinator will promptly advise the requester and the office holding the record to amend the record and to notify all prior recipients of the records for which an accounting was required of the change.

(6) If the determination upholds the initial denial, in whole or in part, the PA Coordinator shall inform the requester:

(i) Of the denial and the reason.

(ii) Of his right to file in NRO records within 60 calendar days a concise statement of the reasons for disputing the information contained in the record. If the requester elects to file a statement of disagreement, the PA Coordinator will be responsible for clearly noting any portion of the record that is disputed and for appending into the file the requester's statement as well as a copy of the NRO's letter to the requester denying the disputed information, if appropriate. The requester's statement and the NRO denial letter will be made available to anyone to whom the record is subsequently disclosed, and prior recipients of the disputed record will be provided a copy of both to the extent that an accounting of disclosures is maintained.

(iii) Of his right to judicial review in U.S. District Court.

(7) The Appeal Authority shall act on the appeal or provide a notice of extension within 30 working days.

(a) Personal records contained in a Privacy Act system of records maintained by NRO shall not be disclosed by any means to any person or agency outside the NRO except with the written consent of the individual subject of the record, unless as provided in this part.

(b) Except for disclosure made to members of the NRO in connection with their official duties and disclosures required by the Freedom of Information Act, an accounting will be kept of all disclosures of records maintained in NRO systems of records and of all disclosures of investigative information. Accounting entries will record the date, kind of information, purpose of each disclosure, and the name and address of the person or agency to whom the disclosure is made. Accounting records will be maintained for at least five years after the last disclosure or for the life of the record, whichever is longer. Subjects of NRO records will be given access to associated accounting records upon request except for disclosures made pursuant to § 326.4, or where an exemption has been properly claimed for the system of records.

Individuals requesting copies of their official personnel records are entitled to one free copy; a charge will be assessed for additional copies. There is a cost of $.15 per page. Fees will not be assessed if the cost is less than $30.00. Fees should be paid by check or postal money order payable to the Treasurer of the United States and forwarded to the Privacy Act Coordinator, NRO, at the time the copy of the record is delivered. In some instances, fees will be due in advance.

Each request shall be treated as a certification by the requester that he is the individual named in the request. The Privacy Act provides criminal penalties for any person who knowingly and willfully requests or obtains any information concerning an individual under false pretenses.

(a) All systems of records maintained by the NRO shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and which is required by the Executive Order to be withheld in the interest of national defense of foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain items of information that have been properly classified.

(b) No system of records within the NRO shall be considered exempt under subsection (j) or (k) of the Privacy Act until the exemption and the exemption rule for the system of records has been published as a final rule in the Federal Register.

(c) An individual is not entitled to have access to any information compiled in reasonable anticipation of a civil action or proceeding (5 U.S.C. 552a(d)(5)).

(d) Proposals to exempt a system of records will be forwarded to the Defense Privacy Office, consistent with the requirements of 32 CFR part 310, for review and action.

(e) QNRO-23.

(1) System name: Counterintelligence Issue Files.

(2) Exemptions: (i) Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source.

(ii) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source.

(iii) Therefore, portions of this system of records may be exempt pursuant to 5 U.S.C. 552a(k)(2) and/or (k)(5) from the following subsections of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H) and (I), and (f).

(3) Authority: 5 U.S.C. 552a(k)(2) and (k)(5).

(4) Reasons: (i) From subsection (c)(3) because to grant access to the accounting for each disclosure as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the identity of the recipient, could alert the subject to the existence of the investigation or prosecutable interest by NRO or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence.

(ii) From subsections (d)(1) through (d)(4), and (f) because providing access to records of a civil or administrative investigation and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; enable individuals to conceal their wrongdoing or mislead the course of the investigation; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding.

(iii) From subsection (e)(1) because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear.

(iv) From subsections (e)(4)(G) and (H) because this system of records is compiled for law enforcement purposes and is exempt from the access provisions of subsections (d) and (f).

(v) From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. NRO will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice.

(vi) Consistent with the legislative purpose of the Privacy Act of 1974, the NRO will grant access to nonexempt material in the records being maintained. Disclosure will be governed by NRO's Privacy Regulation, but will be limited to the extent that the identity of confidential sources will not be compromised; subjects of an investigation of an actual or potential criminal violation will not be alerted to the investigation; the physical safety of witnesses, informants and law enforcement personnel will not be endangered, the privacy of third parties will not be violated; and that the disclosure would not otherwise impede effective law enforcement. Whenever possible, information of the above nature will be deleted from the requested documents and the balance made available. The controlling principle behind this limited access is to allow disclosures except those indicated above. The decisions to release information from these systems will be made on a case-by-case basis.

(f) QNRO-10, Inspector General Investigative Files—(1) Exemption: This system may be exempt pursuant to 5 U.S.C. 552a(j)(2) if the information is compiled and maintained by a component of the agency which performs as its principle function any activity pertaining to the enforcement of criminal laws. Any portion of this system which falls within the provisions of 5 U.S.C. 552a(j)(2) may be exempt from the following subsections of 5 U.S.C. 552a (c)(3), (c)(4), (d), (e)(1), (e)(2), (e)(3), (e)(4)(G), (H), and (I), (e)(5), (e)(8), (f), and (g).

(2) Authority: 5 U.S.C. 552a(j)(2).

(3) Reasons. (i) From subsection (c)(3) because the release of accounting of disclosure would inform a subject that he or she is under investigation. This information would provide considerable advantage to the subject in providing him or her with knowledge concerning the nature of the investigation and the coordinated investigative efforts and techniques employed by the cooperating agencies. This would greatly impede the NRO IG's criminal law enforcement.

(ii) From subsection (c)(4) and (d), because notification would alert a subject to the fact that an open investigation on that individual is taking place, and might weaken the on-going investigation, reveal investigative techniques, and place confidential informants in jeopardy.

(iii) From subsection (e)(1) because the nature of the criminal and/or civil investigative function creates unique problems in prescribing a specific parameter in a particular case with respect to what information is relevant or necessary. Also, due to NRO IG's close liaison and working relationships with other Federal, state, local and foreign country law enforcement agencies, information may be received which may relate to a case under the investigative jurisdiction of another agency. The maintenance of this information may be necessary to provide leads for appropriate law enforcement purposes and to establish patterns of activity, which may relate to the jurisdiction of other cooperating agencies.

(iv) From subsection (e)(2) because collecting information to the fullest extent possible directly from the subject individual may or may not be practical in a criminal and/or civil investigation.

(v) From subsection (e)(3) because supplying an individual with a form containing a Privacy Act Statement would tend to inhibit cooperation by many individuals involved in a criminal and/or civil investigation. The effect would be somewhat adverse to established investigative methods and techniques.

(vi) From subsection (e)(4) (G) through (I) because this system of records is exempt from the access provisions of subsection (d).

(vii) From subsection (e)(5) because the requirement that records be maintained with attention to accuracy, relevance, timeliness, and completeness would unfairly hamper the investigative process. It is the nature of law enforcement for investigations to uncover the commission of illegal acts at diverse stages. It is frequently impossible to determine initially what information is accurate, relevant, timely, and least of all complete. With the passage of time, seemingly irrelevant or untimely information may acquire new significance as further investigation brings new details to light.

(viii) From subsection (e)(8) because the notice requirements of this provision could present a serious impediment to law enforcement by revealing investigative techniques, procedures, and existence of confidential investigations.

(ix) From subsection (f) because the agency's rules are inapplicable to those portions of the system that are exempt and would place the burden on the agency of either confirming or denying the existence of a record pertaining to a requesting individual might in itself provide an answer to that individual relating to an on-going investigation. The conduct of a successful investigation leading to the indictment of a criminal offender precludes the applicability of established agency rules relating to verification of record, disclosure of the record to that individual, and record amendment procedures for this record system.

(x) From subsection (g) because this system of records should be exempt to the extent that the civil remedies relate to provisions of 5 U.S.C. 552a from which this rule exempts the system.

(4) Exemptions. (i) Investigative material compiled for law enforcement purposes, other than material within the scope of subsection (j)(2), may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source.

(ii) Investigative material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source.

(iii) Therefore, portions of this system of records may be exempt pursuant to 5 U.S.C. 552a(k)(2) and/or (k)(5) from the following subsections of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H) and (I), and (f).

(5) Authority. 5 U.S.C. 552a(k)(2) and (k)(5).

(6) Reasons. (i) From subsection (c)(3) because to grant access to the accounting for each disclosure as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the existence of the investigation or prosecutable interest by the NRO or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence.

(ii) From subsections (d) and (f) because providing access to investigative records and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; enable individuals to conceal their wrongdoing or mislead the course of the investigation; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding.

(iii) From subsection (e)(1) because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear.

(iv) From subsections (e)(4)(G) and (H) because this system of records is compiled for investigative purposes and is exempt from the access provisions of subsections (d) and (f).

(v) From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. NRO will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice.

(vi) Consistent with the legislative purpose of the Privacy Act of 1974, the NRO will grant access to nonexempt material in the records being maintained. Disclosure will be governed by NRO's Privacy Regulation, but will be limited to the extent that the identity of confidential sources will not be compromised; subjects of an investigation of an actual or potential criminal or civil violation will not be alerted to the investigation; the physical safety of witnesses, informants and law enforcement personnel will not be endangered, the privacy of third parties will not be violated; and that the disclosure would not otherwise impede effective law enforcement. Whenever possible, information of the above nature will be deleted from the requested documents and the balance made available. The controlling principle behind this limited access is to allow disclosures except those indicated above. The decisions to release information from these systems will be made on a case-by-case basis.

(g) QNRO-15, Facility Security Files.

(1) Exemptions. (i) Investigative material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source.

(ii) Investigative material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source.

(iii) Therefore, portions of this system of records may be exempt pursuant to 5 U.S.C. 552a(k)(2) and/or (k)(5) from the following subsections of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H) and (I), and (f).

(2) Authority. 5 U.S.C. 552a(k)(2) and (k)(5).

(3) Reasons. (i) From subsection (c)(3) because to grant access to the accounting for each disclosure as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the existence of the investigation or prosecutable interest by the NRO or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence.

(ii) From subsections (d)(1) through (d)(4), and (f) because providing access to investigative records and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; enable individuals to conceal their wrongdoing or mislead the course of the investigation; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding.

(iii) From subsection (e)(1) because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear.

(iv) From subsections (e)(4)(G) and (H) because this system of records is compiled for investigative purposes and is exempt from the access provisions of subsections (d) and (f).

(v) From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. NRO will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice.

(vi) Consistent with the legislative purpose of the Privacy Act of 1974, the NRO will grant access to nonexempt material in the records being maintained. Disclosure will be governed by NRO's Privacy Regulation, but will be limited to the extent that the identity of confidential sources will not be compromised; subjects of an investigation of an actual or potential criminal or civil violation will not be alerted to the investigation; the physical safety of witnesses, informants and law enforcement personnel will not be endangered; the privacy of third parties will not be violated; and that the disclosure would not otherwise impede effective law enforcement. Whenever possible, information of the above nature will be deleted from the requested documents and the balance made available. The controlling principle behind this limited access is to allow disclosures except those indicated above. The decisions to release information from these systems will be made on a case-by-case basis.

(h) QNRO-19.

(1) System name: Customer Security Services Personnel Security Files.

(2) Exemptions: (i) Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source.

(ii) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source.

(iii) Therefore, portions of this system of records may be exempt pursuant to 5 U.S.C. 552a(k)(2) and/or (k)(5) from the following subsections of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H) and (I), and (f).

(3) Authority: 5 U.S.C. 552a(k)(2) and (k)(5).

(4) Reasons: (i) From subsection (c)(3) because to grant access to the accounting for each disclosure as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the existence of the investigation or prosecutable interest by the NRO or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence.

(ii) From subsections (d)(1) through (d)(4), and (f) because providing access to investigatory records and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; enable individuals to conceal their wrongdoing or mislead the course of the investigation; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding.

(iii) From subsection (e)(1) because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear.

(iv) From subsections (e)(4)(G) and (H) because this system of records is compiled for investigatory purposes and is exempt from the access provisions of subsections (d) and (f).

(v) From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. NRO will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice.

(vi) Consistent with the legislative purpose of the Privacy Act of 1974, the NRO will grant access to nonexempt material in the records being maintained. Disclosure will be governed by NRO's Privacy Regulation, but will be limited to the extent that the identity of confidential sources will not be compromised; subjects of an investigation of an actual or potential criminal or civil violation will not be alerted to the investigation; the physical safety of witnesses, informants and law enforcement personnel will not be endangered; the privacy of third parties will not be violated; and that the disclosure would not otherwise impede effective law enforcement. Whenever possible, information of the above nature will be deleted from the requested documents and the balance made available. The controlling principle behind this limited access is to allow disclosures except those indicated in this paragraph. The decisions to release information from these systems will be made on a case-by-case basis.

(i) NRO-21.

(1) System name: Personnel Security Files.

(2) Exemptions: (i) Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of such information, the individual will be provided access to such information except to the extent that disclosure would reveal the identity of a confidential source.

(ii) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source.

(iii) Therefore, portions of this system of records may be exempt pursuant to 5 U.S.C. 552a(k)(2) and/or (k)(5) from the following subsections of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H) and (I), and (f).

(3) Authority: 5 U.S.C. 552a(k)(2) and (k)(5).

(4) Reasons: (i) From subsection (c)(3) because to grant access to the accounting for each disclosure as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the existence of the investigation or prosecutable interest by the NRO or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence.

(ii) From subsections (d)(1) through (d)(4), and (f) because providing access to records of a civil or administrative investigation and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; enable individuals to conceal their wrongdoing or mislead the course of the investigation; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding.

(iii) From subsection (e)(1) because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear.

(iv) From subsections (e)(4)(G) and (H) because this system of records is compiled for law enforcement purposes and is exempt from the access provisions of subsections (d) and (f).

(v) From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. NRO will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice.

(vi) Consistent with the legislative purpose of the Privacy Act of 1974, the NRO will grant access to nonexempt material in the records being maintained. Disclosure will be governed by NRO's Privacy Regulation, but will be limited to the extent that the identity of confidential sources will not be compromised; subjects of an investigation of an actual or potential criminal violation will not be alerted to the investigation; the physical safety of witnesses, informants and law enforcement personnel will not be endangered; the privacy of third parties will not be violated; and that the disclosure would not otherwise impede effective law enforcement. Whenever possible, information of the above nature will be deleted from the requested documents and the balance made available. The controlling principle behind this limited access is to allow disclosures except those indicated above. The decisions to release information from these systems will be made on a case-by-case basis.

(j) QNRO-4.

(1) System name: Freedom of Information Act and Privacy Act Files.

(2) Exemption: During the processing of a Freedom of Information Act/Privacy Act request, exempt materials from other systems of records may in turn become part of the case record in this system. To the extent that copies of exempt records from those “other” systems of records are entered into this system, the NRO hereby claims the same exemptions for the records from those “other” systems that are entered into this system, as claimed for the original primary system of which they are a part.

(3) Authority: 5 U.S.C. 552a(j)(2), (k)(1), (k)(2), (k)(3), (k)(4), (k)(5), (k)(6), and (k)(7).

(4) Records are only exempt from pertinent provisions of 5 U.S.C. 552a to the extent such provisions have been identified and an exemption claimed for the original record and the purposes underlying the exemption for the original record still pertain to the record which is now contained in this system of records. In general, the exemptions were claimed in order to protect properly classified information relating to national defense and foreign policy, to avoid interference during the conduct of criminal, civil, or administrative actions or investigations, to ensure protective services provided the President and others are not compromised, to protect the identity of confidential sources incident to Federal employment, military service, contract, and security clearance determinations, and to preserve the confidentiality and integrity of Federal evaluation materials. The exemption rule for the original records will identify the specific reasons why the records are exempt from specific provisions of 5 U.S.C. 552a.

This part applies to Headquarters, Field Operating Activities (FOA), Regions, Zones, Central Distribution Centers (CDC), Commissaries of DeCA, and contractors during the performance of a contract with DeCA. All personnel are expected to comply with the procedures established herein.

(a) The Director, DeCA. (1) Supervises the execution of the Privacy Act and this part within the DeCA, and serves as the DeCA Privacy Act Appeal Authority.

(2) Appoints:

(i) The Executive Director for Support as the DeCA Initial Denial Authority for the DeCA Privacy Act Program.

(ii) The Records Manager, Office of Safety, Security, and Administration as the DeCA Privacy Act Officer.

(b) The Privacy Act Officer, DeCA. (1) Establishes and manages the PA program for DeCA.

(2) Provides guidance, assistance and training.

(3) Controls and monitors all requests received and prepares documentation to the office of primary responsibility (OPR) for response.

(4) Prepares response to requester based on information provided by the OPR.

(5) Signs all response requests for releasable information to the requester after coordination through the General Counsel. Ensures that all denied requests for information are released by the DeCA Initial Denial Authority.

(6) Publishes instructions to contractors that:

(i) Provide DeCA Privacy program guidance to their personnel who solicit, award, or administer government contracts;

(ii) Inform prospective contractors of their responsibilities regarding the DeCA Privacy Program; and

(iii) Establish an internal system of contractor performance review to ensure compliance with DeCA's Privacy program.

(iv) Prepare and submit System Notices to the Defense Privacy Office for publication in the Federal Register.

(7) Maintain Privacy Case files and records of disclosure accounting.

(8) Submit the DeCa Annual Privacy Act Report (RCS: DD-DA&M(A)1379) to the Defense Privacy Office.

(c) DeCA Directorates/Staff Offices. (1) Provide response and the information requested to the PA Officer for release to the individual.

(2) In the event the information is to be denied release, the requested information and rationale for denial will be forwarded to the PA Officer for denial determination.

(d) Regions. Regional Directors will appoint a Regional PA Coordinator who will maintain suspense control of PA actions, prepare documentation to the OPR for response, forward the information to the DeCA PA Officer for release determination, and notify the requester that the response will be received from the DeCA PA Officer using the format in Appendix A to this part.

(e) DeCA Field Operating Activities (FOAs). (1) Upon receipt of a PA request that has not been received from the DeCA PA Officer, notify the DeCA PA Officer within 2 days.

(2) Collect all information available and forward to the DeCA PA Officer. If the requested information is not available, provide the DeCA PA Officer the rationale to respond to the requester.

(f) Central Distribution Centers (CDCs) and Commissaries. (1) Upon receipt of a PA request, not received from the Region Coordinator, notify the Region Coordinator within 2 days.

(2) Collect all information available and forward it to the Region Coordinator for submission to DeCA PA Officer. If requested information is not available, provide the Region Coordinator the rationale so they can prepare a response to the DeCA PA Officer. If the information is available but determined to be exempt, provide the Region Coordinator with the requested information and specific reasons why the request should be denied. The Region Coordinator will formalize a reply to the DeCA PA Officer, forwarding requested information and reasons for denial. The DeCA PA Officer will prepare the response to the requester with coordination by the General Counsel and signature by the IDA.

Access. The review of a record of a copy of a record or parts thereof in a system of records by any individual.

Agency. For the purposes of disclosing records subject to the Privacy Act among DoD Components, the Department of Defense is considered a single agency. For all other purposes to include applications for access and amendment, denial of access or amendment, appeals from denials, and record keeping as regards release to non-DoD agencies; each DoD Component is considered an agency within the meaning of the Privacy Act.

Computer room. Any combination of electronic hardware and software integrated in a variety of forms (firmware, programmable software, hard wiring, or similar equipment) that permits the processing of textual data. The equipment contains device to receive information and other processors with various capabilities to manipulate the information, store and provide input.

Confidential source. A person or organization who has furnished information to the federal government under an express promise that the person's or the organization's identity will be held in confidence or under an implied promise of such confidentiality if this implied promise was made before September 27, 1975.

Disclosure. The transfer of any personal information from a system of records by any means of communication (such as oral, written, electronic, mechanical, or actual review) to any person, private entity, or government agency, other than the subject of the record, the subject's designated agent or the subject's legal guardian.

Federal Register system. Established by Congress to inform the public of interim, proposed, and final regulations or rulemaking documents having substantial impact on the public. In this case, DeCA directives have the same meaning as regulations or rulemaking documents. The secondary role of the Federal Register system is to publish notice documents of public interest.

Individual. A living person who is a citizen of the United States or an alien lawfully admitted for permanent residence. The parent of a minor or the legal guardian of any individual also may act on behalf of an individual. Corporations, partnerships, sole proprietorships, professional groups, businesses, whether incorporated or unincorporated, and other commercial entities are not “individuals.”

Individual access. Access to information pertaining to the individual by the individual or his or her designated agent or legal guardian.

Law enforcement activity. Any activity engaged in the enforcement of criminal laws, including efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities.

Maintain. Includes maintain, collect, use or disseminate.

Official use. Within the context of this part, this term is used when officials and employees of a DoD Component have a demonstrated need for the use of any record or the information contained therein in the performance of their official duties, subject to DoD 5200.1-R,2 “DoD Information Security Program Regulation.”

Personal information. Information about an individual that identifies, relates or is unique to, or describes him or her; e.g., a social security number, age, military rank, civilian grade, marital status, race, salary, home/office phone numbers, etc.

Privacy Act. The Privacy Act of 1974, as amended, (5 U.S.C. 552a).

Privacy Act request. A request from an individual for notification as to the existence of, access to, or amendment of records pertaining to that individual. These records must be maintained in a system of records.

Member of the public. Any individual or party acting in a private capacity to include federal employees or military personnel.

Record. Any item, collection, or grouping of information, whatever the storage media (e.g., paper, electronic, etc.), about an individual that is maintained by a DoD Component, including but not limited to, his or her education, financial transactions, medical history, criminal or employment history and that contains his or her name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

Risk assessment. An analysis considering information sensitivity, vulnerabilities, and the cost to a computer facility or word processing activity in safeguarding personal information processed or stored in the facility or activity.

Routine use. The disclosure of a record outside the Department of Defense for a use that is compatible with the purpose for which the information was collected and maintained by the Department of Defense. The routine use must be included in the published system notice for the system of records involved.

Statistical record. A record maintained only for statistical research or reporting purposes and not used in whole or in part in making determinations about specific individuals.

System manager. The DoD Component official who is responsible for the operation and management of a system of records.

System of records. A group of records under the control of a DoD Component from which personal information is retrieved by the individual's name or by some identifying number, symbol, or other identifying particular assigned to an individual.

Word processing system. A combination of equipment employing automated technology, systematic procedures, and trained personnel for the primary purpose of manipulating human thoughts and verbal or written or graphic presentations intended to communicate verbally or visually with another individual.

Word processing equipment. Any combination of electronic hardware and computer software integrated in a variety of forms (firmware, programmable software, hard wiring, or similar equipment) that permits the processing of textual data. Generally, the equipment contains a device to recieve information, a computer-like processor with various capabilities to manipulate the information, a storage medium, and an output device.

(a) System of records. To be subject to the provisions of this part, a “system of records” must:

(1) Consist of “records” that are retrieved by the name of an individual or some other personal identifier, and

(2) Be under the control of DeCA.

(b) Retrieval practices. Records in a group of records that may be retrieved by a name or personal identifier are not covered by this part even if the records contain personal data and are under the control of DeCA. The records MUST BE, in fact, retrieved by name or other personal identifier to become a system of records for DeCA.

(c) Relevance and necessity. Only those records that contain personal information which is relevant and necessary to accomplish a purpose required by Federal statute or an Executive Order will be maintained by DeCA.

(d) Authority to establish systems of records. Director, DeCA has the authority to establish systems of records; however, each time a system of records is established, the Executive Order or Federal statute that authorizes maintaining the personal information must be identified.

(1) DeCA will not maintain any records describing how an individual exercises his or her rights guaranteed by the First Amendment of the U.S. Constitution.

(2) These rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition.

(e) System manager's evaluation. Systems managers, along with the DeCA Privacy Officer, shall evaluate the information to be included in each new system before establishing the system and evaluate periodically the information contained in each existing system of records for relevancy and necessity. Such a review will also occur when a system notice amendment or alteration is prepared. Consider the following:

(1) The relationship of each item of information retained and collected to the purpose for which the system is maintained.

(2) The specific impact on the purpose or mission of not collecting each category of information contained in the system.

(3) The possibility of meeting the informational requirements through use of information not individually identifiable or through other techniques, such as sampling.

(4) The length of time each item of personal information must be retained.

(5) The cost of maintaining the information.

(6) The necessity and relevancy of the information to the purpose for which it was collected.

(f) Discontinued information requirements. (1) When notification is received to stop collecting any category or item of personal information, the DeCA PA Officer will issue instructions to stop immediately and also excise this information from existing records, when feasible, and amend existing notice.

(2) Disposition of these records will be provided by the DeCA PA Officer in accordance with the DeCA Filing System.3

(g) Government contractors. (1) When DeCA contracts for the operation or maintenance of a system of records or a portion of a system of records by a contractor, the record system or the portion affected are considered to be maintained by DeCA and are subject to this part. DeCA is responsible for applying the requirements of this part to the contractor. The contractor and its employees are to be considered employees of DeCA for the purposes of the approved provisions of the Privacy Act during the performance of the contract. Consistent with the Defense Acquisition Regulation, contracts requiring the maintenance of a system of records or the portion of a system of records shall identify specifically the record system and the work to be performed and shall include in the solicitation and resulting contract such terms as are prescribed in the Defense Acquisition Regulation (DAR).4

(2) If the contractor must use or have access to individually identifiable information subject to this part to perform any part of a contract, and the information would have been collected and maintained by DeCA but for the award of the contract, these contractor activities are subject to this part.

(3) The restrictions in paragraphs (g)(1) and (g)(2) of this section do not apply to records:

(i) Established and maintained to assist in making internal contractor management decisions such as those maintained for use in managing the contract.

(ii) Those maintained as internal contractor employee records even when used in conjunction with providing goods and services to DeCA.

(4) Disclosure of records to contractors. Disclosure of personal records to a contractor for the use in the performance of any DeCA contract is considered a disclosure within the Department of Defense (DoD). The contractor is considered the agent of DeCA and is to be maintaining and receiving the records for DeCA.

(h) Safeguarding personal information. DeCA personnel will protect records in every system of records for confidentiality against alteration, unauthorized disclosure, embarrassment, or unfairness to any individual about when information is kept.

(1) Supervisor/Manager paper records maintained by DeCA personnel will be treated as ‘For Official Use Only’ (FOUO) documents and secured in locked file cabinets, desks or bookcases during non-duty hours. During normal working hours, these records will be out-of-sight if the working area is accessible to non-government personnel.

(2) Personnel records maintained by DeCA computer room or stand alone systems, will be safeguarded at all times. Printed computer reports containing personal data must carry the markings FOUO. Other media storing personal data such as tapes, reels, disk packs, etc., must be marked with labels which bear FOUO and properly safeguarded.

(3) Adherence to paragraphs (h)(1) and (h)(2) of this section, fulfills the requirements of 32 CFR part 285.

(i) Records disposal. (1) DeCA records containing personal data will be shredded or torn to render the record unrecognizable or beyond reconstruction.

(2) The transfer of large quantities of DeCA records containing personal data to disposal activities is not considered a release of personal information under this part. The volume of such transfers makes it difficult or impossible to identify easily specific individual records. Care must be exercised to ensure that the bulk is maintained so as to prevent specific records from becoming readily identifiable. If the bulk is amintained, no special procedures are required. if the bulk cannot be maintained, dispose of the records by shredding or tearing to render the record unrecognizable or beyond reconstruction.

(a) Collect directly from the individual. To the greatest extent practicable, collect personal information directly from the individual to whom it pertains if the information may be used in making any determination about the rights, privileges, or benefits of the individual under any Federal program.

(b) Collecting personal information from third parties. It may not be practical to collect personal information directly from an individual in all cases. Some examples of this are:

(1) Verification of information through third party sources for security or employment suitability determinations;

(2) Seeking third party opinions such as supervisory comments as to job knowledge, duty performance, or other opinion-type evaluations;

(3) When obtaining the needed information directly from the individual is exceptionally difficult or may result in unreasonable costs; or

(4) Contacting a third party at the request of the individual to furnish certain information such as exact periods of employment, termination dates, copies of records, or similar information.

(c) Collecting social security numbers (SSNs). (1) It is unlawful for DeCA to deny an individual any right, benefit, or privilege provided by law because an individual refuses to provide his or her SSN. Executive Order 9397 authorizes solicitation and use of SSNs as numerical identifiers for individuals in most Federal record systems, however, it does not provide mandatory authority for soliciting.

(2) When an individual is requested to provide their SSN, they must be told:

(i) the uses that will be made of the SSN;

(ii) The statute, regulation or rule authorizing the solicitation of the SSN; and

(iii) Whether providingthe SSN is voluntary or mandatory.

(3) Once the SSN has been furnished for the purpose of establishing a record, the notification in paragraph (c)(2) of this section is not required if the individual is only requested to furnish or verify the SSNs for identification purposes in connection with the normal use of his or her records.

(d) Privacy act statements. When a DeCA individual is requested to furnish personal information about himself or herself for inclusion in a system of records, a Privacy Act Statement is required regardless of the medium used to collect the information, e.g. forms, personal interviews, telephonic interviews. The statement allows the individual to make a decision whether to provide the information requested. The statement will be concise, curent, and easily understood and must state whether providing the information is voluntary or mandatory. if furnishing the data is mandatory, a Federal statute, Executive Order, regulation or other lawful order must be cited. If the personal information solicited is not to be incorporated into a DeCA system of records, a PA statement is not required. This information obtained without the PA statement will not be incorporated into any DeCA systems of records.

(1) The DeCA Privacy Act Statement will include:

(i) The specific Federal statute or Executive Order that authorized collection of the requested information;

(ii) The principal purpose or purposes for which the information is to be used;

(iii) The routine uses that will be made of the information;

(iv) Whether providing the information is voluntary or mandatory; and

(v) The effects on the individual if he or she chooses not to provide the requested information.

(2) Forms. When DeCA uses forms to collect personal information, placement of the Privacy Act advisory statement should be in the following order of preference:

(i) Below the title of the form and positioned so the individual will be advised of the requested information,

(ii) Within the body of the form with a notation of its location below the title of the form,

(iii) On the reverse of the form with a notation of its location below the title of the form,

(iv) Attached to the form as a tear-off sheet, or

(v) Issued as a separate supplement to the form.

(3) Forms issued by non-DoD Activities. Ensure that the statement prepared by the originating agency on their forms is adequate for the purpose for which DeCA will use the form. If the statement is inadequate, DeCA will prepare a new statement before using the form. Forms issued by other agencies not subject to the Privacy Act but its use requires DeCA to collect personal data, a Privacy Act Statement will be added.

(a) Individual access to personal information. Release of personal information to individuals whose records are maintained in a systems of records under this part is not considered public release of information. DeCA will release to the individuals all of the personal information, except to the extent the information is contained in an exempt system of records.

(1) Requests for access. (i) Individuals in DeCA Headquarters and FOAs will address requests for access to their personal information to the DeCA Privacy Act Officers. Individuals in Regions, CDCs, and commissaries, will address requests to their respective Region Privacy Act Coordinator. The individual is not required to explain or justify why access is being sought.

(ii) If an individual wishes to be accompanied by a third party when seeking access to his or her records or to have the records released directly to the third party, a signed access authorization granting the third party access is required.

(iii) A DeCA individual will not be denied access to his or her records because he or she refuses to provide his or her SSN unless the SSN is the only way retrieval can be made.

(2) Granting access. (i) If the record is not part of an exempt system, DeCA personnel will be granted access to the original record or an exact copy of the original record without any changes or deletions. Medical records will be disclosed to the individual to whom they pertain unless an individual fails to comply with the established requirements. This includes refusing to name a physician to receive medical records when required, refusing to pay fees, or when a judgment is made that access to such records may have an adverse effect on the mental or physical health of the individual. Where an adverse effect may result, a release will be made in consultation with a physician.

(ii) DeCA personnel may be denied access to information compiled in reasonable anticipation of a civil action or proceeding. The term “civil proceeding” is intended to include quasi-judicial and pretrial judicial proceedings. Information prepared in conjunction with the quasi-judicial, pretrial and trial proceedings to include those prepared by DeCA legal and non-legal officials of the possible consequences of a given course of action are protected from access.

(iii) Requests by DeCA personnel for access to investigatory records pertaining to themselves, compiled for law enforcement purposes, are processed under this part and that of 32 CFR part 310. Those requests by DeCA personnel for investigatory records pertaining to themselves that are in records systems exempt from access provisions shall be processed under this part or 32 CFR part 285, depending upon which provides the greatest degree of access.

(3) Non agency records. (i) Uncirculated personal notes and records that are not given or circulated to any person or organization (example, personal telephone list) that are kept or discarded at the author's discretion and over which DeCA exercises no direct control, are not considered DeCA records. However, if personnel are officially directed or encouraged, either in writing or orally, to maintain such records, they may become “agency records” and may be subject to this part.

(ii) Personal uncirculate handwritten notes of team leaders, office supervisors, or military supervisory personnel concerning subordinates are not a system of records within the meaning of this part. Such notes are an extension of the individual's memory. These notes, however, must be maintained and discarded at the discretion of the individual supervisor and not circulated to others. Any established requirement to maintain such notes (written or oral directives, regulation or command policy) make these notes “AGENCY RECORDS.” If the notes are circulated, they must be made a part of the system of records. Any action that gives personal notes the appearance of official agency records is prohibited unless they have been incorporated into a DeCA system of records.

(b) Relationship between the Privacy Act and the Freedom of Information Act (FOIA). (1) Requests from DeCA individuals for access to a record pertaining to themselves made under the FOIA are processed under the provisions of this part, 32 CFR part 310 and DeCA Directive 30-12, Freedom of Information Act (FOIA) Program. 5

(2) Request from DeCA individuals or access to a record pertaining to themselves are processed under this part and 32 CFR part 310.

(3) Requests from DeCA individuals for access to records about themselves that cite both Acts or the DeCA implementing directives for both Acts are processed under this part except:

(i) When the access provisions of the FOIA provide a greater degree of access process under the FOIA, or

(ii) When access to the information sought is controlled by another Federal statute process access procedures under the controlling statute.

(4) Requests from DeCA individuals for access to information about themselves in a system of records that do not cite either Act or DeCA implementing directive are processed under the procedures established by this part.

(5) DeCA requesters will not be denied access to personal information concerning themselves that would be releasable to them under either Act because they fail to cite either Act or the wrong Act. The Act or procedures used in granting or denying access will be explained to requesters.,

(6) DeCA requesters should receive access to their records within 30 days.

(7) Records in all DeCA systems maintained in accordance with the Government-wide systems notices are in temporary custody of DeCA, and all requests or amend these records will be processed in accordance with this part.

(c) Denial of individual access. (1) A DeCA individual may be denied formal access to a record pertaining to him/her only if the record:

(i) Was compiled in reasonable anticipation of civil action.

(ii) Is in a system of records that has been exempt from access provisions of this part.

(iii) All systems of records maintained by the Defense Commissary Agency shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and which is required by the Executive Order to be withheld in the interest of national defense or foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain items of information that have been properly classified.

(iv) Is contained in a system of records for which access may be denied under some other Federal statute.

(v) All systems of records maintained by the DeCA shall be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and which is required by the Executive Order to be withheld in the interest of national defense of foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain items of information that have been properly classified.

(2) DeCA individuals will only be denied access to those portions of the records from which the denial of access serves some legitimate governmental purpose.

(3) Other reasons to refuse DeCA individuals are:

(i) The request is not described well enough to locate it within a reasonable amount of effort by the PA Officer or PA Coordinator; or

(ii) An individual fails to comply with the established requirements including refusing to name a physician to receive medical records when required or to pay fees.

(4) Only the DeCA IDA can deny access. This denial must be in writing and contain:

(i) The date of the denial, name, title of position, and signature of the DeCA Initial Denial Authority.

(ii) The specific reasons for the denial, including specific reference to the appropriate sections of the PA, other statutes, this part or the Code of Federal Regulations (CFR);

(iii) Information providing the right to appeal the denial through the DeCa appeal procedure within 60 days, and the title, position and address of the DeCA PA Appellate Authority.

(5) DeCA Appeal Procedures. The Director of DeCA, or the designee, will review any appeal by an individual from a denial of access to DeCA records. Formal written notification will be provided to the individual explaining whether the denial is sustained totally or in part. The DeCA PA Officer will:

(i) Assign a control number and process the appeal to the Director, DeCA or the designee appointed by the Director.

(ii) Provide formal written notification to the individual by the appeal authority explaining whether the denial is sustained totally or in part and the exact reasons for the denial to include provisions of the Act, other statute, this part or the CFR whichever the determination is based, or

(iii) Provide the individual access to the material if the appeal is granted.

(iv) Process all appeals within 30 days of receipt unless the appeal authority determines the review cannot be made within that period and provide notification to the individual the reasons for the delay and when an answer may be expected.

(d) Amendment of records. (1) DeCA employees are encouraged to review the personal information being maintained abut them periodically. An individual may request amendment of any record contained in a system of records unless the system of records has been exempt specifically from the amendment procedures by the Director, DeCa. A request for amendment must include:

(i) A description of the item or items to be amended.

(ii) The specific reason for the amendment.

(iii) The type of amendment action such as deletion, correction or addition.

(iv) Copies of evidence supporting the request.

(v) DeCA employees may be required to provide identification to make sure that they are indeed seeking to amend a record pertaining to themselves.

(2) The amendment process is not intended to permit the alteration of evidence presented in the course of judicial or quasi-judicial proceedings. Amendments to these records are made through specific procedures established for the amendment of these records.

(i) Written notification will be provided to the requester within 10 working days of its receipt by the DeCA PA Officer. No notification will be provided to the requester if the action completed within the 10 days. Only under exceptional circumstances will more than 30 days be required to reach the decision to amend a request. If the decision is to grant all or in part of the request for amendment, the record will be amended and the requester informed and all other offices/personnel known to be keeping the information.

(ii) If the request for amendment is denied in whole or in part, The PA Officer will notify the individual in writing and provide the specific reasons and the procedures for appealing the decision.

(iii) All appeals are to be processed within 30 days. If additional time is required, the requester will be informed and provided when a final decision may be expected.

(e) Fee assessments. (1) DeCA personnel will only be charged the direct cost of copying and reproduction, computed using the appropriate portions of the fee schedule in DeCA Directive 30-12.6 Normally, fees are waived automatically if the direct costs of a given request are less than $30. This fee waiver provision does not apply when a waiver has been granted to the individual before, and later requests appear to be an extension or duplication of that original request. Decisions to waive or reduce fees that exceed the automatic waiver threshold will be made on a case-by-case basis. Fees may not be charged when:

(i) Copying is performed for the convenience of the Government or is the only means to make the record available for the individual.

(ii) No reading room is available for the individual to review the record or a copy is made to keep the original in DeCA files.

(iii) The information may be obtained without charge under any other regulation, directive, or statute.

(2) No fees will be collected for search, retrieval, and review of records to determine releasability, copying of records when the individual has not requested a copy, transportation of records and personnel, or normal postage.

(a) Disclosures and nonconsensual disclosures. (1) All requests made by DeCA individuals for personal information about other individuals (third parties) will be processed under DeCA Directive 30-12 7 except when the third party personal information is contained in the Privacy record of the individual making the request.

(2) For the purposes of disclosure and disclosure accounting, the Department of Defense is considered a single agency.

(3) Personal information from DeCA systems of records will not be disclosed outside the DoD unless:

(i) The record has been requested by the individual to whom it pertains,

(ii) Written consent has been given by the individual to whom the record pertains for release to the requesting agency, activity, or individual, or

(iii) The release is pursuant to one of the specific nonconsensual purposes set forth in the Act.

(4) Records may be disclosed without the consent of a DeCA individual to any DoD official who has need for the record in the performance of their assigned duties. Rank, position, or title alone does not authorize this access. An official need for this information must exist.

(5) DeCA records must be disclosed if their release is required by 32 CFR part 285, which is implemented by DeCA Directive 30-12.8 32 CFR part 285 requires that records be made available to the public unless exempt from disclosure under the FOIA.

(b) Normally releasable information. Personal information that is normally releasable without the consent of a DeCA individual that does not imply a clearly unwarranted invasion of personal privacy:

(1) Civilian employees:

(i) Name,

(ii) Present and past position titles,

(iii) Present and past grades,

(iv) Present and past salaries,

(v) Present and past duty stations,

(vi) Office or duty telephone numbers,

(2) Military members:

(i) Full name,

(ii) Rank,

(iii) Date of rank,

(iv) Gross salary,

(v) Past duty assignments,

(vi) Present duty assignments,

(vii) Future assignments that are officially established,

(viii) Office or duty telephone numbers,

(ix) Source of commission,

(x) Promotion sequence number,

(xi) Awards and decorations,

(xii) Attendance at professional military schools,

(xiii) Duty status at any given time.

(3) All disclosures of personal information on civilian employees shall be made in accordance with the Office of Personnel Management (OPM) and all disclosures of personal information on military members shall be made in accordance with the standards established by 32 CFR part 285.

(4) The release of DeCA employees' home addresses and home telephone numbers is considered a clearly unwarranted invasion of personal privacy and is prohibited; however, these may be released without prior consent of the employee if:

(i) The employee has indicated previously that he or she consents to their release,

(ii) The releasing official was requested to release the information under the provisions of 32 CFR part 285.

(5) Before listing home addresses and home telephone numbers in any DeCA telephone directory, give the individuals the opportunity to refuse such a listing.

(c) Disclosures for established routine uses. (1) Records may be disclosed outside of DeCA without consent of the individual to whom they pertain for an established routine use.

(2) A routine use shall:

(i) Be compatible with the purpose for which the record was collected;

(ii) Indicate to whom the record may be released;

(iii) Indicate the uses to which the information may be put by the receiving agency; and

(iv) Have been published previously in the Federal Register.

(3) A routine use will be established for each user of the information outside DeCA who need official access to the records. This use may be discontinued or amended without the consent of the individual/s involved. Any routine use that is new or changed is published in the Federal Register 30 days before actually disclosing the record. In addition to routine uses established by DeCA individual system notices, blanket routine uses have been established. See Appendix C to this part.

(d) Disclosure without consent. DeCA records may be disclosed without the consent of the individual to whom they pertain to another agency within or under the control of the U.S. for a civil or criminal law enforcement activity if:

(1) The civil or criminal law enforcement activity is authorized by law (Federal, State, or local); and

(2) The head of the agency or instrumentality (or designee) has made a written request to the Component specifying the particular record or portion desired and the law enforcement activity for which it is sought.

(3) Blanket requests for any and all records pertaining to an individual shall not be honored. The requesting agency or instrumentality must specify each record or portion desired and how each relates to the authorized law enforcement activity.

(4) This disclosure provision applies when the law enforcement agency or instrumentality request the record, If the DoD Component discloses a record outside the DoD for law enforcement purposes without the individual's consent and without an adequate written request, the disclosure must be pursuant to an established routine use, such as the blanket routine use for law enforcement.

(e) Disclosures to the public from health care records. (1) The following general information may be released to the news media or public concerning a DeCA employee treated or hospitalized in DoD medical facilities and non-Federal facilities for whom the cost of the care is paid by DoD:

(i) Personal information concerning the patient that is provided in § 327.8 and under provisions of 32 CFR part 285.

(ii) The medical condition such as the date of admission or disposition and the present medical assessment of the individual's condition in the following terms if the medical doctor has volunteered the information:

(A) The individual's condition is presently (stable) (good) (fair) (serious) or (critical), and

(B) Whether the patient is conscious, semi-conscious or unconscious.

(2) Detailed medical and other personal information may be released on a DeCA employee only if the employee has given consent to the release. If the employee is not conscious or competent, no personal information, except that required by 32 CFR part 285, will be released until there has been enough improvement in the patient's condition for them to give informed consent.

(3) Any item of personal information may be released on a DeCA patient if the patient has given consent to its release.

(4) This part does not limit the disclosure of personal medical information for other government agencies' use in determining eligibility for special assistance or other benefits provided disclosure in pursuant to a routine use.