[Federal Register Volume 79, Number 25 (Thursday, February 6, 2014)]
[Proposed Rules]
[Pages 7114-7117]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-01882]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 317
[DOD-2008-OS-0068]
RIN 0790-AI31
Defense Contract Audit Agency (DCAA) Privacy Act Program
AGENCY: Department of Defense.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Defense (DoD) is proposing to amend the
Defense Contract Audit Agency (DCAA) Privacy Act Program Regulation.
Specifically, an exemption section is being added to include an
exemption for
[[Page 7115]]
RDCAA 900.1, DCAA Internal Review Case Files. This rulemaking provides
policies and procedures for the DCAA's implementation of the Privacy
Act of 1974, as amended.
DATES: Comments must be received by April 7, 2014.
ADDRESSES: You may submit comments, identified by docket number and/or
RIN number and title, by any of the following methods:
Federal Rulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Mail: Federal Docket Management System Office, 4800 Mark
Center Drive, East Tower, Suite 02G09, Alexandria, VA 22350-3100.
Instructions: All submissions received must include the agency name
and docket number or Regulatory Information Number (RIN) for this
Federal Register document. The general policy for comments and other
submissions from members of the public is to make these submissions
available for public viewing on the Internet at http://www.regulations.gov as they are received without change, including any
personal identifiers or contact information.
FOR FURTHER INFORMATION CONTACT: Mr. Keith Mastromichalis, FOIA/PA
Management Analyst, DCAA HQ, 703-767-1022.
SUPPLEMENTARY INFORMATION:
The revisions to this rule are part of DoD's retrospective plan
under EO 13563 completed in August 2011. DoD's full plan can be
accessed at http://exchange.regulations.gov/exchange/sites/default/files/doc_files/Department%20of%20Defense%20Final%20Plan.pdf.
Executive Summary
I. Purpose of This Regulatory Action
a. This rule provides policies and procedures for DCAA's
implementation of the Privacy Act of 1974, as amended.
b. Authority: Privacy Act of 1974, Public Law 93-579, Stat. 1896 (5
U.S.C. 552a).
II. Summary of the Major Provisions of This Regulatory Action
DCAA is adding an exemption section to include an exemption for
RDCAA 900.1, DCAA Internal Review Case Files.
III. Costs and Benefits of This Regulatory Action
This regulatory action imposes no monetary costs to the Agency or
public. The benefit to the public is the accurate reflection of the
Agency's Privacy Program to ensure that policies and procedures are
known to the public.
Regulatory Procedures
Executive Order 12866, ``Regulatory Planning and Review'' and Executive
Order 13563, ``Improving Regulation and Regulatory Review''
It has been determined that Privacy Act rules for the Department of
Defense are not significant rules. This rule does not (1) Have an
annual effect on the economy of $100 million or more or adversely
affect in a material way the economy; a sector of the economy;
productivity; competition; jobs; the environment; public health or
safety; or State, local, or tribal governments or communities; (2)
Create a serious inconsistency or otherwise interfere with an action
taken or planned by another Agency; (3) Materially alter the budgetary
impact of entitlements, grants, user fees, or loan programs, or the
rights and obligations of recipients thereof; or (4) Raise novel legal
or policy issues arising out of legal mandates, the President's
priorities, or the principles set forth in these Executive Orders.
Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. Chapter 6)
It has been determined that this Privacy Act rule for the
Department of Defense does not have significant economic impact on a
substantial number of small entities because it is concerned only with
the administration of Privacy Act within the Department of Defense.
Public Law 95-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)
It has been determined that this Privacy Act rule for the
Department of Defense imposes no information collection requirements on
the public under the Paperwork Reduction Act of 1995.
Section 202, Public Law 104-4, ``Unfunded Mandates Reform Act''
It has been determined that this Privacy Act rulemaking for the
Department of Defense does not involve a Federal mandate that may
result in the expenditure by State, local and tribal governments, in
the aggregate, or by the private sector, of $100 million or more and
that such rulemaking will not significantly or uniquely affect small
governments.
Executive Order 13132, ``Federalism''
It has been determined that the Privacy Act rule for the Department
of Defense does not have federalism implications. The rule does not
have substantial direct effects on the States, on the relationship
between the National Government and the States, or on the distribution
of power and responsibilities among the various levels of government.
List of Subjects in 32 CFR Part 317
Privacy.
Accordingly the Department proposes to revise 32 CFR Part 317 to
read as follows:
PART 317--DCAA PRIVACY ACT PROGRAM
Sec.
317.1 Purpose
317.2 Applicability and scope.
317.3 Policy.
317.4 Responsibilities.
317.5 Procedures.
317.6 Procedures for exemptions
Authority: Pub. L. 93-579, 88 Stat. 1896 (5 U.S.C. 552a).
Sec. 317.1 Purpose.
This part provides policies and procedures for the Defense Contract
Audit Agency's (DCAA) implementation of the Privacy Act of 1974 (5
U.S.C. 552a) and 32 CFR part 310, and is intended to promote uniformity
within DCAA.
Sec. 317.2 Applicability and scope.
(a) This part applies to all DCAA organizational elements and takes
precedence over all regional regulatory issuances that supplement the
DCAA Privacy Program.
(b) This part shall be made applicable by contract or other legally
binding action to contractors whenever a DCAA contract provides for the
operation of a system of records or portion of a system of records to
accomplish an Agency function.
Sec. 317.3 Policy.
(a) It is DCAA policy that personnel will comply with the DCAA
Privacy Program; the Privacy Act of 1974; and the DoD Privacy Program
(32 CFR part 310). Strict adherence is necessary to ensure uniformity
in the implementation of the DCAA Privacy Program and create conditions
that will foster public trust. It is also Agency policy to safeguard
personal information contained in any system of records maintained by
DCAA organizational elements and to make that information available to
the individual to whom it pertains to the maximum extent practicable.
(b) DCAA policy specifically requires that DCAA organizational
elements:
(1) Collect, maintain, use, and disseminate personal information
only when it is relevant and necessary to
[[Page 7116]]
achieve a purpose required by statute or Executive Order.
(2) Collect personal information directly from the individuals to
whom it pertains to the greatest extent practical.
(3) Inform individuals who are asked to supply personal information
for inclusion in any system of records:
(i) The authority for the solicitation.
(ii) Whether furnishing the information is mandatory or voluntary.
(iii) The intended uses of the information.
(iv) The routine disclosures of the information that may be made
outside of DoD.
(v) The effect on the individual of not providing all or any part
of the requested information.
(4) Ensure that records used in making determinations about
individuals and those containing personal information are accurate,
relevant, timely, and complete for the purposes for which they are
being maintained before making them available to any recipients outside
of DoD, other than a Federal agency, unless the disclosure is made
under DCAA Regulation 5410.8, DCAA Freedom of Information Act Program.
(5) Keep no record that describes how individuals exercise their
rights guaranteed by the First Amendment to the U.S. Constitution,
unless expressly authorized by statute or by the individual to whom the
records pertain or is pertinent to and within the scope of an
authorized law enforcement activity.
(6) Notify individuals whenever records pertaining to them are made
available under compulsory legal processes, if such process is a matter
of public record.
(7) Establish safeguards to ensure the security of personal
information and to protect this information from threats or hazards
that might result in substantial harm, embarrassment, inconvenience, or
unfairness to the individual.
(8) Establish rules of conduct for DCAA personnel involved in the
design, development, operation, or maintenance of any system of records
and train them in these rules of conduct.
(9) Assist individuals in determining what records pertaining to
them are being collected, maintained, used, or disseminated.
(10) Permit individual access to the information pertaining to them
maintained in any system of records, and to correct or amend that
information, unless an exemption for the system has been properly
established for an important public purpose.
(11) Provide, on request, an accounting of all disclosures of the
information pertaining to them except when disclosures are made:
(i) To DoD personnel in the course of their official duties.
(ii) Under DCAA Regulation 5410.8, DCAA Freedom of Information Act
Program.
(iii) To another agency or to an instrumentality of any
governmental jurisdiction within or under control of the United States
conducting law enforcement activities authorized by law.
(12) Advise individuals on their rights to appeal any refusal to
grant access to or amend any record pertaining to them, and file a
statement of disagreement with the record in the event amendment is
refused.
Sec. 317.4 Responsibilities.
(a) The Assistant Director, Resources has overall responsibility
for the DCAA Privacy Act Program and will serve as the sole appellate
authority for appeals to decisions of respective initial denial
authorities.
(b) The Chief, Administrative Management Division under the
direction of the Assistant Director, Resources, shall:
(1) Establish, issue, and update policies for the DCAA Privacy Act
Program; monitor compliance with this part; and provide policy guidance
for the DCAA Privacy Act Program.
(2) Resolve conflicts that may arise regarding implementation of
DCAA Privacy Act policy.
(3) Designate an Agency Privacy Act Advisor, as a single point of
contact, to coordinate on matters concerning Privacy Act policy.
(4) Make the initial determination to deny an individual's written
Privacy Act request for access to or amendment of documents filed in
Privacy Act systems of records. This authority cannot be delegated.
(c) The DCAA Privacy Act Advisor under the supervision of the
Chief, Administrative Management Division shall:
(1) Manage the DCAA Privacy Act Program in accordance with this
part and applicable DCAA policies, as well as DoD and Federal
regulations.
(2) Provide guidelines for managing, administering, and
implementing the DCAA Privacy Act Program.
(3) Implement and administer the Privacy Act program at the
Headquarters.
(4) Ensure that the collection, maintenance, use, or dissemination
of records of identifiable personal information is in a manner that
assures that such action is for a necessary and lawful purpose; that
the information is timely and accurate for its intended use; and that
adequate safeguards are provided to prevent misuse of such information.
(5) Prepare promptly any required new, amended, or altered system
notices for systems of records subject to the Privacy Act and submit
them to the Defense Privacy Office for subsequent publication in the
Federal Register.
(6) Conduct training on the Privacy Act program for Agency
personnel.
(d) Heads of Principal Staff Elements are responsible for:
(1) Reviewing all regulations or other policy and guidance
issuances for which they are the proponent to ensure consistency with
the provisions of this part.
(2) Ensuring that the provisions of this part are followed in
processing requests for records.
(3) Forwarding to the DCAA Privacy Act Advisor, any Privacy Act
requests received directly from a member of the public, so that the
request may be administratively controlled and processed.
(4) Ensuring the prompt review of all Privacy Act requests, and
when required, coordinating those requests with other organizational
elements.
(5) Providing recommendations to the DCAA Privacy Act Advisor
regarding the releasability of DCAA records to members of the public,
along with the responsive documents.
(6) Providing the appropriate documents, along with a written
justification for any denial, in whole or in part, of a request for
records to the DCAA Privacy Act Advisor. Those portions to be excised
should be bracketed in red pencil, and the specific exemption or
exemptions cites which provide the basis for denying the requested
records.
(e) The General Counsel is responsible for:
(1) Ensuring uniformity is maintained in the legal position, and
the interpretation of the Privacy Act; 32 CFR part 310; and this part.
(2) Consulting with DoD General Counsel on final denials that are
inconsistent with decisions of other DoD components, involve issues not
previously resolved, or raise new or significant legal issues of
potential significance to other Government agencies.
(3) Providing advice and assistance to the Assistant Director,
Resources; Regional Directors; and the Regional Privacy Act Officer,
through the DCAA Privacy Act Advisor, as required, in the discharge of
their responsibilities.
[[Page 7117]]
(4) Coordinating Privacy Act litigation with the Department of
Justice.
(5) Coordinating on Headquarters denials of initial requests.
(f) Each Regional Director is responsible for the overall
management of the Privacy Act program within their respective regions.
Under his/her direction, the Regional Resources Manager is responsible
for the management and staff supervision of the program and for
designating a Regional Privacy Act Officer. Regional Directors will, as
designee of the Director, make the initial determination to deny an
individual's written Privacy Act request for access to or amendment of
documents filed in Privacy Act systems of records. This authority
cannot be delegated.
(g) Regional Privacy Act Officers will:
(1) Implement and administer the Privacy Act program throughout the
region.
(2) Ensure that the collection, maintenance, use, or dissemination
of records of identifiable personal information is in compliance with
this part to assure that such action is for a necessary and lawful
purpose; that the information is timely and accurate for its intended
use; and that adequate safeguards are provided to prevent misuse of
such information.
(3) Prepare input for the annual Privacy Act Report when requested
by the DCAA Information and Privacy Advisor.
(4) Conduct training on the Privacy Act program for regional and
FAO personnel.
(5) Provide recommendations to the Regional Director through the
Regional Resources Manager regarding the releasability of DCAA records
to members of the public.
(h) Managers, Field Audit Offices (FAOs) will:
(1) Ensure that the provisions of this part are followed in
processing requests for records.
(2) Forward to the Regional Privacy Act Officer, any Privacy Act
requests received directly from a member of the public, so that the
request may be administratively controlled and processed.
(3) Ensure the prompt review of all Privacy Act requests, and when
required, coordinating those requests with other organizational
elements.
(4) Provide recommendation to the Regional Privacy Act Officer
regarding the releasability of DCAA records to members of the public,
along with the responsive documents.
(5) Provide the appropriate documents, along with a written
justification for any denial, in whole or in part, of a request for
records to the Regional Privacy Act Officer. Those portions to be
excised should be bracketed in red pencil, and the specific exemption
or exemptions cited which provide the basis for denying the requested
records.
(i) DCAA Employees will:
(1) Not disclose any personal information contained in any system
of records, except as authorized by this part.
(2) Not maintain any official files which are retrieved by name or
other personal identifier without first ensuring that a notice for the
system has been published in the Federal Register.
(3) Report any disclosures of personal information from a system of
records or the maintenance of any system of records that are not
authorized by this part to the appropriate Privacy Act officials for
their action.
Sec. 317.5 Procedures.
Procedures for processing material in accordance with the Privacy
Act of 1974 are outlined in DoD 5400.11-R, DoD Privacy Program (32 CFR
part 310).
Sec. 317.6 Procedures for exemptions.
(a) General information. There are two types of exemptions, general
and specific. The general exemption authorizes the exemption of a
system of records from all but a few requirements of the Privacy Act.
The specific exemption authorizes exemption of a system of records or
portion thereof, from only a few specific requirements. If a new system
of records originates for which an exemption is proposed, or an
additional or new exemption for an existing system of records is
proposed, the exemption shall be submitted with the system of records
notice. No exemption of a system of records shall be considered
automatic for all records in the system. The systems manager shall
review each requested record and apply the exemptions only when this
will serve significant and legitimate Government purposes.
(b) Specific Exemptions. (1) System identifier and name: RDCAA
900.1, DCAA Internal Review Case Files
(i) Exemption: Any portions of this system of records which fall
under the provisions of 5 U.S.C. 552a(k)(2) and (k)(5) may be exempt
from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1),
(e)(4)(G), (H), and (f).
(ii) Authority: 5 U.S.C. 552a(k)(2) and (k)(5).
(iii) Reason: (A) From subsection (c)(3) because disclosures from
this system could interfere with the just, thorough and timely
resolution of the complaint or inquiry, and possibly enable individuals
to conceal their wrongdoing or mislead the course of the investigation
by concealing, destroying or fabricating evidence or documents.
(B) From subsection (d) because disclosures from this system could
interfere with the just, thorough and timely resolution of the
complaint or inquiry, and possibly enable individuals to conceal their
wrongdoing or mislead the course of the investigation by concealing,
destroying or fabricating evidence or documents. Disclosures could also
subject sources and witnesses to harassment or intimidation which
jeopardize the safety and well-being of themselves and their families.
(C) From subsection (e)(1) because the nature of the investigation
functions creates unique problems in prescribing specific parameters in
a particular case as to what information is relevant or necessary. Due
to close liaison and working relationships with other Federal, state,
local, foreign country law enforcement agencies, and other governmental
agencies, information may be received which may relate to a case under
the investigative jurisdiction of another government agency. It is
necessary to maintain this information in order to provide leads for
appropriate law enforcement purposes and to establish patterns of
activity which may relate to the jurisdiction of other cooperating
agencies.
(D) From subsection (e)(4)(G) through (H) because this system of
records is exempt from the access provisions of subsection (d).
(E) From subsection (f) because the agency's rules are inapplicable
to those portions of the system that are exempt and would place the
burden on the agency of either confirming or denying the existence of a
record pertaining to a requesting individual might in itself provide an
answer to that individual relating to an on-going investigation. The
conduct of a successful investigation leading to the indictment of a
criminal offender precludes the applicability of established agency
rules relating to verification of record, disclosure of the record to
that individual, and record amendment procedures for this record
system.
Dated: January 21, 2014.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2014-01882 Filed 2-5-14; 8:45 am]
BILLING CODE 5001-06-P