Department of Defense.
Proposed rule.
This proposed rule updates and implements policies and procedures for the Privacy Act Program in the Office of the Secretary of Defense and organizations provided administrative support by the Washington Headquarters Services.
Comments must be received by March 26, 2007.
You may submit comments, identified by docket number and/or RIN number and title, by any of the following methods:
Ms. J. Irvin, 703–696–4940.
It has been determined that 32 CFR part 311 is not a significant regulatory action. The rule does not:
(1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy; a section of the economy; productivity; competition; jobs; the environment; public health or safety; or State, local, or tribal governments or communities;
(2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another Agency;
(3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs, or the rights and obligations of recipients thereof; or
(4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in this Executive Order.
It has been certified that this rule does not contain a Federal mandate that may result in the expenditure by State, local and tribal governments, in aggregate, or by the private sector, of $100 million or more in any one year.
It has been certified that this rule is not subject to the Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if promulgated, have a significant economic impact on a substantial number of small entities. Certification is required.
It has been certified that this rule does impose reporting or recordkeeping requirements under the Paperwork Reduction Act of 1995. The reporting and recordkeeping requirements have been submitted to OMB for review.
It has been certified that this rule does not have federalism implications, as set forth in Executive Order 13132. This rule does not have substantial direct effects on:
(1) The States;
(2) The relationship between the National Government and the States; or
(3) The distribution of power and responsibilities among the various levels of Government.
Privacy.
Accordingly, 32 CFR part 311 is proposed to be revised to read as follows:
Pub. L. 93–579, 88 Stat. 1986 (5 U.S.C. 552a).
This part updates and implements the policies and procedures outlined in 5 U.S.C. 552a, Office of Management and Budget (OMB) Circular No. A–130, DoD Directive 5400.11,
This part:
(a) Applies to the OSD, the Chairman of the Joint Chiefs of Staff, and other activities receiving administrative support from the WHS (hereafter referred to collectively as the “OSD Components”).
(b) Covers systems of records maintained by the OSD Components and governs the maintenance, access, change, and release of information contained in those systems of records, from which information about an individual is retrieved by a personal identifier.
(a) According to DoD 5400.11–R,
(b) Each office maintaining records and information about individuals shall ensure that this data is protected from unauthorized disclosure. These offices shall permit individuals to have access to and have a copy made of all or any portion of records about them, except as provided in Chapters 3 and 5 of DoD 5400.11–R. The individuals will also have an opportunity to request that such records be amended as provided by 5 U.S.C. 552a and Chapter 3 of DoD 5400.11–R. Individuals requesting access to their records shall receive concurrent consideration under 5 U.S.C. 552 and 552a, if appropriate.
(c) The Heads of the OSD Components shall maintain any necessary record of a personal nature that is individually identifiable in a manner that complies with the law and DoD policy. Any information collected must be as accurate, relevant, timely, and complete as is reasonable to ensure fairness to the individual. Adequate safeguards must be provided to prevent misuse or unauthorized release of such information.
(a) The Director, WHS, shall:
(1) Direct and administer the DoD Privacy Program for the OSD Components.
(2) Establish standards and procedures to ensure implementation of and compliance with 5 U.S.C. 552a, OMB Circular No. A–130, DoD Directive 5400.11 and DoD 5400.11–R.
(3) Ensure the Records and Declassification Division, Executive Services Directorate (ESD), WHS, implements all aspects of 5 U.S.C. 552a, except that portion about receiving and acting on public requests for personal records. As such, the Records and Declassification Division shall:
(i) Exercise oversight and administrative control of the Privacy Act Program for the OSD Components.
(ii) Provide guidance and training to the OSD Components as required by 5 U.S.C. 552a and OMB Circular A–130. Periodic training will be provided to public affairs officers and others who may be expected to deal with the news media or the public.
(iii) Collect and consolidate data from the OSD Components and submit reports to the Defense Privacy Office (DPO), as required by 5 U.S.C. 522a; OMB Circular A–130, DoD Directive 5400.11, DoD 5400.1–R, and the DPO.
(iv) Coordinate and consolidate information for reporting all record systems, as well as changes to approved systems, to the OMB, the Congress, and the
(v) Serve as the appellate authority for OSD Components when a requester appeals a denial for access to records under 5 U.S.C. 552a.
(vi) Serve as the appellate authority for OSD Components when a requester appeals a denial for amendment of a record or initiates legal action to correct a record.
(vii) Evaluate and decide, in coordination with the DPO, appeals resulting from denials of access or amendments to records by the OSD Components.
(4) Ensure the Freedom of Information Division, ESD, WHS, complies with all aspects of 5 U.S.C. 552a including that portion about receiving and acting on public requests for personal records. As such, the Freedom of Information Division shall:
(i) Forward requests for information or access to records to the appropriate OSD Component having primary responsibility for any pertinent system of records under 5 U.S.C. 552a or to the OSD Components under 5 U.S.C. 552.
(ii) Maintain deadlines to ensure responses are made within the time limits prescribed in 5 U.S.C. 552, DoD Instruction 5400.10
(iii) Collect fees charged and assessed for reproducing requested materials.
(iv) Refer all matters about amendments of records and general and specific exemptions under 5 U.S.C. 552a to the proper OSD Components.
(5) Coordinate with the DoD General Counsel, or the WHS General Counsel when appropriate, on OSD Components' denials of appeals for amending records, and review actions to confirm denial of access to records, as appropriate.
(b) The DoD General Counsel shall provide advice and assistance to the:
(1) Chief, Records and Declassification Division, in the discharge of appellate and review responsibilities.
(2) Chief, Freedom of Information Division, on all access matters.
(3) OSD Component on legal matters pertaining to 5 U.S.C. 552a.
(c) The Heads of the OSD Components shall:
(1) Designate an individual as the point of contact for Privacy Act matters; advise the Chief, Records and Declassification Division, and the Chief, Freedom of Information Division, of the names of officials so designated.
(2) Report any new record system, or changes to an existing system, to the Chief, Records and Declassification Division, at least 90 days before the intended use of the system.
(3) Review all contracts pertaining to the maintenance of records systems, by or on behalf of the OSD Component, to ensure within his or her authority that language is included that provides such systems shall be maintained consistent with 5 U.S.C. 552a.
(4) Revise procurement guidance to ensure contracts providing for the maintenance of a records system, by or on behalf of the OSD Component, include language that such system shall be maintained in accordance with 5 U.S.C. 552a.
(5) Ensure computer and telecommunications equipment or service procurements comply with 5 U.S.C. 552.
(6) Coordinate with the Chief Information Officer for the OSD Component to ensure a risk analysis is conducted in compliance with DoD 5400.11–R.
(7) Coordinate with the OSD Chief Information Officer to ensure a Privacy Impact Assessment is conducted in compliance with DoD CIO memorandum dated October 28, 2005
(8) Ensure all DoD issuances prepared by the OSD Component that require forms or other methods to collect information about individuals are in compliance with 5 U.S.C. 552a.
(9) Establish internal administrative procedures to comply with the procedures listed in this part and DoD 5400.11–R.
(10) Coordinate with legal counsel on all proposed denials of access to records.
(11) Provide justification to the Freedom of Information Division when access to a record is denied in whole or in part.
(12) Provide the record of an initial denial or access to a record that is appealed to the Freedom of Information Division at the time of initial denial.
(13) Maintain an accurate accounting of the actions resulting in a denial for access to a record or for the correction of a record. This accounting should be maintained so it can be readily certified as the complete record of proceedings if litigation occurs in accordance with DoD 5400.11–R.
(14) Ensure all personnel who either have access to a system of records, or who are engaged in developing or overseeing the procedures for handling records in a system, are aware of their responsibilities for protecting personal information according to 5 U.S.C. 552a and DoD 5400.11–R.
(15) Forward all requests for access to records received directly from an individual to the Freedom of Information Division for appropriate suspense control and recording.
(16) Provide the Freedom of Information Division with a copy of the requested record when the request is granted.
(d) The requester shall:
(1) Submit a request for access to records pertaining to oneself in writing or in person to the OSD Component's custodian of the records. If the requester is not satisfied with the response, he or she may file another request in writing as provided in paragraph 311.1(b)(2). The requester must provide personal identification to verify identity according to Chapter 3 of DoD 5400.11–R and provide a signed notarized statement or a sworn declaration in the format specified by DoD 5400.7–R.
(2) Describe the record sought and provide sufficient information to enable the material to be located (
(3) Comply with the procedures provided in DoD 5400.11–R for inspecting and/or obtaining copies of requested records.
(4) Submit a written request to amend a record to the office designated in the system of records notice.
(a) Publication of notice in the
(2) OSD Components shall provide the Chief, Records and Declassification Division, with 90 days advance notice of any anticipated new or revised system of records. This information shall be submitted to the OMB and Congress at least 60 days before use and published in the
(b)
(2) Individuals may request access to their records, in person or by mail, in accordance with the following procedures:
(i)
(ii)
(3) There is no requirement that an individual be given access to records that are not in a group of records that meet the definition of a system of records in 5 U.S.C. 552a.
(4) Granting access to a record containing personal information shall not be conditional upon any requirement that the individual state a reason or otherwise justify the need to gain access.
(5) No verification of identity shall be required of an individual seeking access to records that are otherwise available to the public.
(6) Individuals shall not be denied access to a record in a system of records about themselves because those records are exempted from disclosure under 5 U.S.C. 552. Individuals may only be denied access to a record in a system of records about themselves when those records are exempted from the access provisions of Chapter 5 of DoD 5400.11–R.
(7) Individuals shall not be denied access to their records for refusing to disclose their Social Security Number (SSN), unless disclosure of the SSN is required by statute, by regulation adopted before January 1, 1975, or if the record's filing identifier and only means of retrieval is by SSN.
(c)
(2) Records in the custody of law enforcement activities that have been incorporated into a system of records or exempted from the access conditions of DoD Directive 5400.11 will be processed in accordance with 5 U.S.C. 552. Individuals shall not be denied access to records solely because they are in the exempt system. They will have the same access that they would receive under 5 U.S.C. 552. (Also see section A.10., Chapter 3, DoD 5400.11–R)
(3) Records exempted from access conditions will be processed in accordance with DoD Directive 5400.11 or 5 U.S.C. 552, depending upon which regulation gives the greater degree of access. (See also section A.10.1., Chapter 3, DoD 5400.11–R)
(4) Records exempted from access under Section B, Chapter 5 of DoD 5400.11–R, that are temporarily in the custody of a non-law enforcement element for adjudicative or personnel actions, shall be referred to the originating agency.
(d)
(2) If a portion of the record contains information that is exempt from access, an extract or summary containing all releasable information in the record shall be prepared.
(3) When the physical condition of the record makes it necessary to prepare an extract for release, the extract shall be prepared so that the requester will understand it.
(4) The requester shall be informed of all deletions or changes to records.
(e)
(2) The individual may be charged reproduction fees for copies of records according to DoD 5400.11–R.
(f)
(2) The appropriate system of records system manager shall mail a written acknowledgment of an individual's request to amend a record within 10 workdays after receipt. Such acknowledgment shall identify the request and may, if necessary, request any additional information needed to make a determination. No acknowledgment is necessary if the request can be reviewed and processed, and the individual can be notified of compliance or denial, within the 10-day period. Whenever practical, the decision shall be made within 30 working days. For requests presented in person, written acknowledgment may be provided at the time the request is presented.
(3)
(i) If they agree with any portion or all of an individual's request, amend the records in accordance with existing statutes, regulations, or internal administrative procedures, and inform the requester of the action taken. The OSD Component shall also notify all previous holders of the record that the amendment has been made and shall explain the substance of the correction, except for disclosures of the records to officers or DoD employees, or made as required by the Freedom of Information Act, the OSD shall also notify all to whom the record was disclosed that the amendment has been made and shall explain the substance of the correction.
(ii) Notify the requester of the disapproval to amend a record and the reason for the disapproval. Notify the requester of the procedure to submit an appeal as described in paragraph (f)(5) of this section if he or she disagrees with all or any portion of a request.
(iii) Refer requests to the appropriate Federal Agency. Advise the requester of this referral if the request for an amendment pertains to a record controlled and maintained by another Agency.
(4)
(i) Determine whether the requester has adequately supported his or her claim that the record is inaccurate, irrelevant, untimely, or incomplete.
(ii) Limit the review of a record to those items of information that clearly bear on any determination to amend the records and ensure that those elements are reviewed before a determination is made.
(5) If an individual disagrees with the initial OSD Component determination, he or she may file an appeal. The request should be sent to the Chief, Records and Declassification Division, WHS, 1155 Defense Pentagon, Washington, DC 20301–1155.
(6) If, after review, the Records and Declassification Division determines the system of records should not be amended as requested, the Records and Declassification Division shall provide a copy of any statement of disagreement to the extent that disclosure accounting is maintained in accordance with Chapter 4 of DoD 5400.11–R. The Records and Declassification Division shall advise the individual:
(i) Of the reason and authority for the denial.
(ii) Of his or her right to file a statement of the reason for disagreeing with the Records and Declassification Division decision.
(iii) Of the procedures for filing a statement of disagreement.
(iv) That the statement filed shall be made available to anyone the record is disclosed to, together with a brief statement summarizing reasons for refusing to amend the records.
(7) If the Records and Declassification Division determines that the record should be amended in accordance with the individual's request, the OSD Component shall amend the record, and advise the individual of the amendment, in accordance with Chapter 4 of DoD 5400.11–R.
(8) All appeals should be processed within 30 workdays after receipt. If the Records and Declassification Division determines that a fair and equitable review cannot be made within that time, the individual shall be informed in writing of the reasons for the delay and of the approximate date the review is expected to be completed.
(g)
(i) This statement shall be maintained to permit ready retrieval whenever the disputed portion of the record is disclosed.
(ii) When information that is the subject of a statement of disagreement is subsequently disclosed, the OSD Component's designated official shall note which information is disputed and provide a copy of the individual's statement.
(2) The OSD Component shall include a brief summary of its reasons for not making a correction when disclosing disputed information. Such statements shall normally be limited to the reasons given to the individual for not amending the record.
(3) Copies of the OSD Component's summary will be treated as part of the individual's record; however, it will not be subject to the amendment procedure outlined in paragraph (c)(3) of this section.
(h)
(2)
(A) Willful unauthorized disclosure of protected information in the records.
(B) Failure to publish a notice of the existence of a record system in the
(C) Requesting or gaining access to the individual's record under false pretenses.
(ii) An OSD officer or employee may be fined up to $5,000 for a violation as outlined in paragraph (h)(2)(i) of this section.
(i)
(j)
The DPO shall establish requirements and deadlines for DoD privacy reports. These reports shall be licensed in accordance with DoD Directive 8910.1.