Thursday, August 10, 2006

Part VI

Department of Defense
Department of the Army

32 CFR Part 505
The Army Privacy Program; Final Rule
46052 Federal Register / Vol. 71, No. 154 / Thursday, August 10, 2006 / Rules and Regulations

DEPARTMENT OF DEFENSE

Department of the Army

32 CFR Part 505

RIN 0702–AA53

[Docket No. USA–2006–0011]

The Army Privacy Program

AGENCY: Department of the Army, DoD.

ACTION: Final rule.

SUMMARY: The Department of the Army is updating policies and responsibilities for the Army Privacy Program, which implements the Privacy Act of 1974, by showing organizational realignments and by revising referenced statutory and regulatory authority, such as the Health Insurance Portability and Accountability Act and E-Government Act of 2002. This rule finalizes the proposed rule that was published in the Federal Register on April 25, 2006.

DATES: Effective Date: September 11, 2006.

ADDRESSES: U.S. Army Records Management and Declassification Agency, Freedom of Information and Privacy Office, 7701 Telegraph Road, Casey Bldg., Suite 144, Alexandria, VA 22315–3905.

FOR FURTHER INFORMATION CONTACT: Ms. Janice Thornton at (703) 428–6503.

SUPPLEMENTARY INFORMATION:

A. Background

In the April 25, 2006, issue of the Federal Register (71 FR 24494), the Department of the Army issued a proposed rule to revise 32 CFR part 505. It incorporates Privacy Act policy objectives to include (1) restricting disclosure of personally identifiable records maintained; (2) to grant individuals rights of access to agency records maintained on themselves; (3) to grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete; and (4) to establish practices ensuring the Army is complying with statutory norms for collection, maintenance, and dissemination of records. The Department of the Army received two comments from one commenter. No substantive changes were requested or made; however, the proposed changes were accepted and made to the final rule. The commenter expressed concern on § 505–2(e) titled “Nomination of individuals when personal information * * *” It was changed to read “Notification of individuals when personal information * * *” The other concern was in § 505.2(a)(2), suggestion was made to clarify the section by incorporating the DoD 6025.18–R, Privacy of Individually Identifiable Health Information in DoD Health Care Programs, language. The proposed § 505.2(a)(3) through § 505.2(a)(13) was redesignated as § 505.2(a)(4) through § 505.2(a)(14) and a new § 505.2(a)(3) was added.

B. Executive Order 12866 (Regulatory Planning and Review)

It has been determined that Privacy Act rules for the Department of Defense are not significant rules. The rules do not (1) have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy; a sector of the economy; productivity; competition; jobs; the environment; public health or safety; or State, local, or tribal governments or communities; (2) create a serious inconsistency or otherwise interfere with an action taken or planned by another Agency; (3) materially alter the budgetary impact of entitlements, grants, user fees, or loan programs, or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, the President’s priorities, or the principles set forth in this Executive order.

C. Regulatory Flexibility

It has been certified that Privacy Act rules for the Department of Defense do not have significant economic impact on a substantial number of small entities because they are concerned only with the administration of Privacy Act systems of records within the Department of Defense.

D. Paperwork Reduction Act

It has been certified that Privacy Act rules for the Department of Defense impose no information requirements beyond the Department of Defense and that the information collected within the Department of Defense is necessary and consistent with 5 U.S.C. 552a, known as the Privacy Act of 1974.

E. Unfunded Mandates Reform Act

It has been certified that the Privacy Act rulemaking for the Department of Defense does not involve a Federal mandate that may result in the expenditure by State, local and tribal governments, in the aggregate, or by the private sector, of $100 million or more and that such rulemaking will not significantly or uniquely affect small governments.

F. Executive Order 13132 (Federalism)

It has been certified that the Privacy Act rules for the Department of Defense do not have federalism implications. The rules do not have substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government.

Robert Dickerson,
Chief, U.S. Army Freedom of Information Act and Privacy Office.

List of Subjects in 32 CFR Part 505

Privacy.

■ For reasons stated in the preamble the Department of the Army revises 32 CFR part 505 to read as follows:

PART 505—ARMY PRIVACY ACT PROGRAM

Sec.
505.1 General information.
505.2 General provisions.
505.3 Privacy Act systems of records.
505.4 Collecting personal information.
505.5 Individual access to personal information.
505.6 Amendment of records.
505.7 Disclosure of personal information to other agencies and third parties.
505.8 Training requirements.
505.9 Reporting requirements.
505.10 Use and establishment of exemptions.
505.11 Federal Register publishing requirements.
505.12 Privacy Act enforcement actions.
505.13 Computer Matching Agreement Program.
505.14 Recordkeeping requirements under the Privacy Act.
Appendix A to Part 505—References
Appendix B to Part 505—Denial Authorities for Records Under Their Authority (Formerly Access and Amendment Refusal Authorities)
Appendix C to Part 505—Privacy Act Statement Format
Appendix D to Part 505—Exemptions; Exceptions; and DoD Blanket Routine Uses
Appendix E to Part 505—Litigation Status Sheet
Appendix F to Part 505—Example of a System of Records Notice
Appendix G to Part 505—Management Control Evaluation Checklist
Appendix H to Part 505—Definitions

Authority: Pub. L. 93–579, 88 Stat. 1896 (5 U.S.C. 552a).

§ 505.1 General information.

(a) Purpose. This part sets forth policies and procedures that govern personal information maintained by the Department of the Army (DA) in Privacy Act systems of records. This part also provides guidance on collecting and disseminating personal information in
general. The purpose of the Army Privacy Act Program is to balance the government’s need to maintain information about individuals with the right of individuals to be protected against unwarranted invasions of their privacy stemming from Federal agencies’ collection, maintenance, use and disclosure of personal information about them. Additionally, this part promotes uniformity within the Army’s Privacy Act Program.
(b) References: (1) Referenced publications are listed in Appendix A of this part.
(2) DOD Computer Matching Program and other Defense Privacy Guidelines may be accessed at the Defense Privacy Office Web site http://www.defenselink.mil/privacy.
(c) Definitions are provided at Appendix H of this part.
(d) Responsibilities. (1) The Office of the Administrative Assistant to the Secretary of the Army will—
(i) Act as the senior Army Privacy Official with overall responsibility for the execution of the Department of the Army Privacy Act Program;
(ii) Develop and issue policy guidance for the program in consultation with the Army General Counsel; and
(iii) Ensure the DA Privacy Act Program complies with Federal statutes, Executive Orders, Office of Management and Budget guidelines, and 32 CFR part 310.
(2) The Chief Attorney, Office of the Administrative Assistant to the Secretary of the Army (OAASA) will—
(i) Provide advice and assistance on legal matters arising out of, or incident to, the administration of the DA Privacy Act Program;
(ii) Serve as the legal advisor to the DA Privacy Act Review Board. This duty may be fulfilled by a designee in the Chief Attorney and Legal Services Directorate, OAASA;
(iii) Provide legal advice relating to interpretation and application of the Privacy Act of 1974; and
(iv) Serve as a member on the Defense Privacy Board Legal Committee. This duty may be fulfilled by a designee in the Chief Attorney and Legal Services Directorate, OAASA.
(3) The Judge Advocate General will serve as the Denial Authority on requests made pursuant to the Privacy Act of 1974 for access to or amendment of Army records, regardless of functional category, concerning actual or potential litigation in which the United States has an interest.
(4) The Chief, DA Freedom of Information Act and Privacy Office (FOIA/P), U.S. Army Records Management and Declassification Agency will—
(i) Develop and recommend policy;
(ii) Execute duties as the Army’s Privacy Act Officer;
(iii) Promote Privacy Act awareness throughout the DA;
(iv) Serve as a voting member on the Defense Data Integrity Board and the Defense Privacy Board;
(v) Represent the Department of the Army in DOD policy meetings; and
(vi) Appoint a Privacy Act Manager who will—
(A) Administer procedures outlined in this part;
(B) Review and approve proposed new, altered, or amended Privacy Act systems of records notices and subsequently submit them to the Defense Privacy Office for coordination;
(C) Review Department of the Army Forms for compliance with the Privacy Act and this part;
(D) Ensure that reports required by the Privacy Act are provided upon request from the Defense Privacy Office;
(E) Review Computer Matching Agreements and recommend approval or denial to the Chief, DA FOIA/P Office;
(F) Provide Privacy Act training;
(G) Provide privacy guidance and assistance to DA activities and combatant commands where the Army is the Executive Agent;
(H) Ensure information collections are developed in compliance with the Privacy Act provisions;
(I) Ensure Office of Management and Budget reporting requirements, guidance, and policy are accomplished; and
(J) Immediately review privacy violations of personnel to locate the problem and develop a means to prevent recurrence of the problem.
(5) Heads of Department of the Army activities, field-operating agencies, direct reporting units, Major Army commands, subordinate commands down to the battalion level, and installations will—
(i) Supervise and execute the privacy program in functional areas and activities under their responsibility; and
(ii) Appoint a Privacy Act Official who will—
(A) Serve as the staff advisor on privacy matters;
(B) Ensure that Privacy Act records collected and maintained within the Command or agency are properly described in a Privacy Act system of records notice published in the Federal Register;
(C) Ensure no undeclared systems of records are being maintained;
(D) Ensure Privacy Act requests are processed promptly and responsively;
(E) Ensure a Privacy Act Statement is provided to individuals when information is collected that will be maintained in a Privacy Act system of records, regardless of the medium used to collect the personal information (i.e., forms, personal interviews, stylized formats, telephonic interviews, or other methods);
(F) Review, biennially, recordkeeping practices to ensure compliance with the Act, paying particular attention to the maintenance of automated records. In addition, ensure cooperation with records management officials on such matters as maintenance and disposal procedures, statutory requirements, forms, and reports; and
(G) Review, biennially Privacy Act training practices. This is to ensure all personnel are familiar with the requirements of the Act.
(6) DA Privacy Act System Managers and Developers will—
(i) Ensure that appropriate procedures and safeguards are developed, implemented, and maintained to protect an individual’s personal information;
(ii) Ensure that all personnel are aware of their responsibilities for protecting personal information being collected and maintained under the Privacy Act Program;
(iii) Ensure official filing systems that retrieve records by name or other personal identifier and are maintained in a Privacy Act system of records have been published in the Federal Register as a Privacy Act system of records notice. Any official who willfully maintains a system of records without meeting the publication requirements, as prescribed by 5 U.S.C. 552a, as amended, OMB Circular A–130, 32 CFR part 310 and this part, will be subject to possible criminal penalties and/or administrative sanctions;
(iv) Prepare new, amended, or altered Privacy Act system of records notices and submit them to the DA Freedom of Information and Privacy Office for review. After appropriate coordination, the system of records notices will be submitted to the Defense Privacy Office for their review and coordination;
(v) Review, biennially, each Privacy Act system of records notice under their purview to ensure that it accurately describes the system of records;
(vi) Review, every four years, the routine use disclosures associated with each Privacy Act system of records notice in order to determine if such routine use continues to be compatible with the purpose for which the activity collected the information;
(vii) Review, every four years, each Privacy Act system of records notice for which the Secretary of the Army has
promulgated exemption rules pursuant to Sections (j) or (k) of the Act. This is to ensure such exemptions are still appropriate;
(viii) Review, every year, contracts that provide for the maintenance of a Privacy Act system of records to accomplish an activity’s mission. This requirement is to ensure each contract contains provisions that bind the contractor, and its employees, to the requirements of 5 U.S.C. 552a(m)(1); and
(ix) Review, if applicable, ongoing Computer Matching Agreements. The Defense Data Integrity Board approves Computer Matching Agreements for 18 months, with an option to renew for an additional year. This additional review will ensure that the requirements of the Privacy Act, Office of Management and Budget guidance, local regulations, and the requirements contained in the Matching Agreements themselves have been met.
(7) All DA personnel will—
(i) Take appropriate actions to ensure personal information contained in a Privacy Act system of records is protected so that the security and confidentiality of the information is preserved;
(ii) Not disclose any personal information contained in a Privacy Act system of records except as authorized by 5 U.S.C. 552a, DOD 5400.11–R, or other applicable laws. Personnel willfully making a prohibited disclosure are subject to possible criminal penalties and/or administrative sanctions; and
(iii) Report any unauthorized disclosures or unauthorized maintenance of new Privacy Act systems of records to the applicable activity’s Privacy Act Official.
(8) Heads of Joint Service agencies or commands for which the Army is the Executive Agent or the Army otherwise provides fiscal, logistical, or administrative support, will adhere to the policies and procedures in this part.
(9) Commander, Army and Air Force Exchange Service, will supervise and execute the Privacy Program within that command pursuant to this part.
(10) Overall Government-wide responsibility for implementation of the Privacy Act is the Office of Management and Budget. The Department of Defense is responsible for implementation of the Act within the armed services. The Privacy Act also assigns specific Government-wide responsibilities to the Office of Personnel Management and the General Services Administration.
(11) Government-wide Privacy Act systems of records notices are available at http://www.defenselink.mil/privacy.
(e) Legal Authority. (1) Title 5, United States Code, Section 552a, as amended, The Privacy Act of 1974.
(2) Title 5, United States Code, Section 552, The Freedom of Information Act (FOIA).
(3) Office of Personnel Management, Federal Personnel Manual (5 CFR parts 293, 294, 297, and 7351).
(4) OMB Circular No. A–130, Management of Federal Information Resources, Revised, August 2003.
(5) DOD Directive 5400.11, Department of Defense Privacy Program, November 16, 2004.
(6) DOD Regulation 5400.11–R, Department of Defense Privacy Program, August 1983.
(7) Title 10, United States Code, Section 3013, Secretary of the Army.
(8) Executive Order No. 9397, Numbering System for Federal Accounts Relating to Individual Persons, November 30, 1943.
(9) Public Law 100–503, the Computer Matching and Privacy Act of 1974.
(10) Public Law 107–347, Section 208, Electronic Government (E-Gov) Act of 2002.
(11) DOD Regulation 6025.18–R, DOD Health Information Privacy Regulation, January 24, 2003.

§ 505.2 General provisions.

(a) Individual privacy rights policy. Army policy concerning the privacy rights of individuals and the Army’s responsibilities for compliance with the Privacy Act are as follows—
(1) Protect the privacy of United States living citizens and aliens lawfully admitted for permanent residence from unwarranted intrusion.
(2) Deceased individuals do not have Privacy Act rights, nor do executors or next-of-kin in general. However, immediate family members may have limited privacy rights in the manner of death details and funeral arrangements of the deceased individual. Family members often use the deceased individual’s Social Security Number (SSN) for federal entitlements; appropriate safeguards must be implemented to protect the deceased individual’s SSN from release. Also, the Health Insurance Portability and Accountability Act extends protection to certain medical information contained in a deceased individual’s medical records.
(3) Personally identifiable health information of individuals, both living and deceased, shall not be used or disclosed except for specifically permitted purposes.
(4) Maintain only such information about an individual that is necessary to accomplish the Army’s mission.
(5) Maintain only personal information that is timely, accurate, complete, and relevant to the collection purpose.
(6) Safeguard personal information to prevent unauthorized use, access, disclosure, alteration, or destruction.
(7) Maintain records for the minimum time required in accordance with an approved National Archives and Records Administration record disposition.
(8) Let individuals know what Privacy Act records the Army maintains by publishing Privacy Act system of records notices in the Federal Register. This will enable individuals to review and make copies of these records, subject to the exemptions authorized by law and approved by the Secretary of the Army. Department of the Army Privacy Act systems of records notices are available at http://www.defenselink.mil/privacy.
(9) Permit individuals to correct and amend records about themselves which they can prove are factually in error, not timely, not complete, not accurate, or not relevant.
(10) Allow individuals to request an administrative review of decisions that deny them access to or the right to amend their records.
(11) Act on all requests promptly, accurately, and fairly.
(12) Keep paper and electronic records that are retrieved by name or personal identifier only in approved Privacy Act systems of records.
(13) Maintain no records describing how an individual exercises his or her rights guaranteed by the First Amendment (freedom of religion, freedom of political beliefs, freedom of speech and press, freedom of peaceful assemblage, and petition) unless expressly authorized by statute, pertinent to and within the scope of an authorized law enforcement activity, or otherwise authorized by law or regulation.
(14) Maintain appropriate administrative technical and physical safeguards to ensure records are protected from unauthorized alteration or disclosure.
(b) Safeguard personal information. (1) Privacy Act data will be afforded reasonable safeguards to prevent inadvertent or unauthorized disclosure of records during processing, storage, transmission, and disposal.
(2) Personal information should never be placed on shared drives that are accessed by groups of individuals unless each person has an “official need to know” the information in the performance of official duties.
(3) Safeguarding methods must strike a balance between the sensitivity of the data, need for accuracy and reliability for operations, general security of the area, and cost of the safeguards. In some situations, a password may be enough protection for an automated system with a log-on protocol. For additional guidance on safeguarding personal information in automated records see AR 380–67, The Department of the Army Personnel Security Program.
(c) Conveying privacy protected data electronically via e-mail and the World Wide Web. (1) Unencrypted electronic transmission of privacy protected data makes the Army vulnerable to information interception which can cause serious harm to the individual and the accomplishment of the Army’s mission.
(2) The Privacy Act requires that appropriate technical safeguards be established, based on the media (e.g., paper, electronic) involved, to ensure the security of the records and to prevent compromise or misuse during transfer.
(3) Privacy Web sites and hosted systems with privacy-protected data will employ secure sockets layers (SSL) and Public Key Infrastructure (PKI) encryption certificates or other DoD-approved commercially available certificates for server authentication and client/server authentication. Individuals who transmit data containing personally identifiable information over e-mail will employ PKI or other DoD-approved certificates.
(4) When sending Privacy Act protected information within the Army using encrypted or dedicated lines, ensure that—
(i) There is an “official need to know” for each addressee (including “cc” addressees); and
(ii) The Privacy Act protected information is marked For Official Use Only (FOUO) to inform the recipient of limitations on further dissemination. For example, add FOUO to the beginning of an e-mail message, along with the following language: “This contains FOR OFFICIAL USE ONLY (FOUO) information which is protected under the Privacy Act of 1974 and AR 340–21, The Army Privacy Program. Do not further disseminate this information without the permission of the sender.”
(iii) Do not indiscriminately apply this statement. Use it only in situations when actually transmitting protected Privacy Act information.
(iv) For additional information about marking documents “FOUO” review AR 25–55, Chapter IV.
(5) Add appropriate “Privacy and Security Notices” at major Web site entry points. Refer to AR 25–1, para 6–4n for requirements for posting “Privacy and Security Notices” on public Web sites. Procedures related to the establishing, operating, and maintaining of unclassified DA Web sites can be accessed at http://www.defenselink.mil/webmasters/policy/DOD_web_policy.
(6) Ensure public Web sites comply with policies regarding restrictions on persistent and third party cookies. The Army prohibits both persistent and third party cookies. (see AR 25–1, para 6–4n)
(7) A Privacy Advisory is required on Web sites which host information systems soliciting personally identifying information, even when not maintained in a Privacy Act system of records. The Privacy Advisory informs the individual why the information is solicited and how it will be used. Post the Privacy Advisory to the Web site page where the information is being solicited, or to a well marked hyperlink stating “Privacy Advisory—Please refer to the Privacy and Security Notice that describes why this information is collected and how it will be used.”
(d) Protecting records containing personal identifiers such as names and Social Security Numbers. (1) Only those records covered by a Privacy Act system of records notice may be arranged to permit retrieval by a personal identifier (e.g., an individual’s name or Social Security Number). AR 25–400–2, paragraph 6–2 requires all records covered by a Privacy Act system of records notice to include the system of record identification number on the record label to serve as a reminder that the information contained within must be safeguarded.
(2) Use a coversheet or DA Label 87 (For Official Use Only) for individual records not contained in properly labeled file folders or cabinets.
(3) When developing a coversheet, the following is an example of a statement that you may use: “The information contained within is FOR OFFICIAL USE ONLY (FOUO) and protected by the Privacy Act of 1974.”
(e) Notification of Individuals when personal information is lost, stolen, or compromised. (1) Whenever an Army organization becomes aware the protected personal information pertaining to a Service member, civilian employee (appropriated or non-appropriated fund), military retiree, family member, or another individual affiliated with Army organization (e.g., volunteer) has been lost, stolen, or compromised, the organization shall inform the affected individuals as soon as possible, but not later than ten days after the loss or compromise of protected personal information is discovered.
(2) At a minimum, the organization shall advise individuals of what specific data was involved; the circumstances surrounding the loss, theft, or compromise; and what protective actions the individual can take.
(3) If Army organizations are unable to comply with policy, they will immediately notify their superiors, who will submit a memorandum through the chain of command to the Administrative Assistant of the Secretary of the Army to explain why the affected individuals or population’s personal information has been lost, stolen, or compromised.
(4) This policy is also applicable to Army contractors who collect, maintain, use, or disseminate protected personal information on behalf of the organization.
(f) Federal government contractors’ compliance. (1) When a DA activity contracts for the design, development, or operation of a Privacy Act system of records in order to accomplish a DA mission, the agency must apply the requirements of the Privacy Act to the contractor and its employees working on the contract (See 48 CFR part 24 and other applicable supplements to the FAR; 32 CFR part 310).
(2) System Managers will review annually, contracts contained within the system(s) of records under their responsibility, to determine which ones contain provisions relating to the design, development, or operation of a Privacy Act system of records.
(3) Contractors are considered employees of the Army for the purpose of the sanction provisions of the Privacy Act during the performance of the contract requirements.
(4) Disclosing records to a contractor for use in performing the requirements of an authorized DA contract is considered a disclosure within the agency under exception (b)(1), “Official Need to Know”, of the Act.

§ 505.3 Privacy Act systems of records.

(a) Systems of records. (1) A system of records is a group of records under the control of a DA activity that are retrieved by an individual’s name or by some identifying number, symbol, or other identifying particular assigned to an individual.
(2) Privacy Act systems of records must be—
(i) Authorized by Federal statute or an Executive Order;
(ii) Needed to carry out DA’s mission; and
(iii) Published in the Federal Register in a system of records notice, which will provide the public an opportunity to
comment before DA implements or (3) An amended or altered system of greatest extent practicable directly from
changes the system. records is one that has one or more of the subject of the record. This is
(3) The mere fact that records are the following: especially critical, if the information
retrievable by a name or personal (i) A significant increase in the may result in adverse determinations
identifier is not enough. Records must number, type, or category of individuals about an individual’s rights, benefits,
actually be retrieved by a name or about whom records are maintained; and privileges under federal programs
personal identifier. Records in a group (ii) A change that expands the types (See 5 U.S.C. 552a(e)(2)).
of records that may be retrieved by a of categories of information maintained; (2) It is unlawful for any Federal,
name or personal identifier but are not (iii) A change that alters the purpose State, or local government agency to
normally retrieved by this method are for which the information is used; deny anyone a legal right, benefit, or
(iv) A change to equipment privilege provided by law for refusing to
not covered by this part. However, they
configuration (either hardware or give their SSN unless the law requires
are covered by AR 25–55, the Department of the Army Freedom of Information Act Program.
(4) The existence of a statute or Executive Order mandating the maintenance of a system of records to perform an authorized activity does not abolish the responsibility to ensure the information in the system of records is relevant and necessary to perform the authorized activity.
(b) Privacy Act system of records notices. (1) DA must publish notices in the Federal Register on new, amended, altered, or deleted systems of records to inform the public of the Privacy Act systems of records that it maintains. The Privacy Act requires submission of new or significantly changed systems of records to OMB and both houses of Congress before publication in the Federal Register (See Appendix E of this part).
(2) Systems managers must send a proposed notice at least 120 days before implementing a new, amended or altered system to the DA Freedom of Information and Privacy Office. The proposed or altered notice must include a narrative statement and supporting documentation. A narrative statement must contain the following items:
(i) System identifier and name;
(ii) Responsible Official, title, and phone number;
(iii) If a new system, the purpose of establishing the system or if an altered system, nature of changes proposed;
(iv) Authority for maintenance of the system;
(v) Probable or potential effects of the system on the privacy of individuals;
(vi) Whether the system is being maintained, in whole or in part, by a contractor;
(vii) Steps taken to minimize risk of unauthorized access;
(viii) Routine use compatibility;
(ix) Office of Management and Budget information collection requirements; and
(x) Supporting documentation as an attachment. Also as an attachment should be the proposed new or altered system notice for publication in the Federal Register.

software) that creates substantially greater access to the records in the system of records;
(v) An addition of an exemption pursuant to Section (j) or (k) of the Act; or
(vi) An addition of a routine use pursuant to 5 U.S.C. 552a(b)(3).
(4) For additional guidance contact the DA FOIA/P Office.
(5) On behalf of DA, the Defense Privacy Office maintains a list of DOD Components’ Privacy Act system of records notices at the Defense Privacy Office’s Web site http://www.defenselink.mil/privacy.
(6) DA PAM 25–51 sets forth procedures pertaining to Privacy Act system of records notices.
(7) For new systems, system managers must establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records. This applies to all new systems of records whether maintained manually or automated.
(i) One safeguard plan is the development and use of a Privacy Impact Assessment (PIA) mandated by the E-Gov Act of 2002, Section 208. The Office of Management and Budget specifically directs that a PIA be conducted, reviewed, and published for all new or significantly altered information in identifiable form collected from or about the members of the public. The PIA describes the appropriate administrative, technical, and physical safeguards for new automated systems. This will assist in the protection against any anticipated threats or hazards to the security or integrity of data, which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. Contact your local Information Officer for guidance on conducting a PIA.
(ii) The development of appropriate safeguards must be tailored to the requirements of the system as well as other factors, such as the system environment, location, and accessibility.

§ 505.4 Collecting personal information.

(a) General provisions. (1) Employees will collect personal information to the

disclosure, or a law or regulation adopted before January 1, 1975, required the SSN or if DA uses the SSN to verify a person’s identity in a system of records established and in use before that date. Executive Order 9397 (issued prior to January 1, 1975) authorizes the Army to solicit and use the SSN as a numerical identifier for individuals in most federal records systems. However, the SSN should only be collected as needed to perform official duties. Executive Order 9397 does not mandate the solicitation of SSNs from Army personnel as a means of identification.
(3) Upon entrance into military service or civilian employment with DA, individuals are asked to provide their SSN. The SSN becomes the service or employment number for the individual and is used to establish personnel, financial, medical, and other official records. After an individual has provided his or her SSN for the purpose of establishing a record, the Privacy Act Statement is not required if the individual is only requested to furnish or verify the SSN for identification purposes in connection with the normal use of his or her records. If the SSN is to be used for a purpose other than identification, the individual must be informed whether disclosure of the SSN is mandatory or voluntary; by what statutory authority the SSN is solicited; and what uses will be made of the SSN. This notification is required even if the SSN is not to be maintained in a Privacy Act system of records.
(4) When asking an individual for his or her SSN or other personal information that will be maintained in a system of records, the individual must be provided with a Privacy Act Statement.
(b) Privacy Act Statement (PAS). (1) A Privacy Act Statement is required whenever personal information is requested from an individual and will become part of a Privacy Act system of records. The information will be retrieved by the individual’s name or other personal identifier (See 5 U.S.C. 552a(e)(3)).
(2) The PAS will ensure that individuals know why the information is being collected so they can make an


informed decision as to providing the personal information.
(3) In addition, the PAS will include language that is explicit, easily understood, and not so lengthy as to deter an individual from reading it.
(4) A sign can be displayed in areas where people routinely furnish this kind of information, and a copy of the PAS will be made available upon request by the individual.
(5) Do not ask the person to sign the PAS.
(6) A Privacy Act Statement must include the following four items—
(i) Authority: Cite the specific statute or Executive Order, including a brief title or subject that authorizes the DA to collect the personal information requested.
(ii) Principal Purpose (s): Cite the principal purposes for which the information will be used.
(iii) Routine Uses: A list of where and why the information will be disclosed OUTSIDE of DOD. Applicable routine uses are published in the applicable Privacy Act system of records notice(s). If none, the language to be used is: ‘‘Routine Use(s): None. However the ‘Blanket Routine Uses’ set forth at the beginning of the Army’s compilation of systems of records notices apply.’’
(iv) Disclosure: Voluntary or Mandatory. Include in the Privacy Act Statement specifically whether furnishing the requested personal data is mandatory or voluntary. A requirement to furnish personal data is mandatory ONLY when a federal statute, Executive Order, regulation, or other law specifically imposes a duty on the individual to provide the information sought, and when the individual is subject to a penalty if he or she fails to provide the requested information. If providing the information is only a condition of or prerequisite to granting a benefit or privilege and the individual has the option of receiving the benefit or privilege, providing the information is always voluntary. However, the loss or denial of the privilege, benefit, or entitlement sought must be listed as a consequence of not furnishing the requested information.
(7) Some acceptable means of administering the PAS are as follows, in the order of preference—
(i) Below the title of the media used to collect the personal information. The PAS should be positioned so that the individual will be advised of the PAS before he or she provides the requested information;
(ii) Within the body with a notation of its location below the title;
(iii) On the reverse side with a notation of its location below the title;
(iv) Attached as a tear-off sheet; or
(v) Issued as a separate supplement.
(8) An example of a PAS is at appendix B of this part.
(9) Include a PAS on a Web site page if it collects information directly from an individual and is retrieved by his or her name or personal identifier (See Office of Management and Budget Privacy Act Guidelines, 40 FR 28949, 28961 (July 9, 1975)).
(10) Army policy prohibits the collection of personally identifying information on public Web sites without the express permission of the user. Requests for exceptions must be forwarded to the Army CIO/G–6. (See AR 25–1, para 6–4n.)
(c) Collecting personal information from third parties. (1) It may not be practical to collect personal information directly from the individual in all cases. Some examples of when collection from third parties may be necessary are when—
(i) Verifying information;
(ii) Opinions or evaluations are needed;
(iii) The subject cannot be contacted; or
(iv) At the request of the subject individual.
(2) When asking third parties to provide information about other individuals, they will be advised of—
(i) The purpose of the request; and
(ii) Their rights to confidentiality as defined by the Privacy Act of 1974 (Consult with your servicing Staff Judge Advocate for potential limitations to the confidentiality that may be offered pursuant to the Privacy Act).
(d) Confidentiality promises. Promises of confidentiality must be prominently annotated in the record to protect from disclosure any information provided in confidence pursuant to 5 U.S.C. 552a(k)(2), (k)(5), or (k)(7).

§ 505.5 Individual access to personal information.

(a) Individual access. (1) The access provisions of this part are intended for use by individuals whose records are maintained in a Privacy Act system of records. If a representative acts on their behalf, a written authorization must be provided, with the exception of members of Congress acting on behalf of a constituent.
(2) A Department of the Army ‘‘Blanket Routine Use’’ allows the release of Privacy Act protected information to members of Congress when they are acting on behalf of the constituent and the information is filed and retrieved by the constituent’s name or personal identifier. The said ‘‘Blanket Routine Use’’ is listed below.
‘‘Congressional Inquiries Disclosure Routine Use: Disclosure from a system of records maintained by a DOD Component may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.’’
(3) Upon a written request, an individual will be granted access to information pertaining to him or her that is maintained in a Privacy Act system of records, unless—
(i) The information is subject to an exemption, the system manager has invoked the exemption, and the exemption is published in the Federal Register; or
(ii) The information was compiled in reasonable anticipation of a civil action or proceeding.
(4) Legal guardians or parents acting on behalf of a minor child have the minor child’s rights of access under this part, unless the records were created or maintained pursuant to circumstances where the interests of the minor child were adverse to the interests of the legal guardian or parent.
(5) These provisions should allow for the maximum release of information consistent with Army and DOD’s statutory responsibilities.
(b) Individual requests for access. (1) Individuals will address requests for access to records in a Privacy Act system of records to the system manager or the custodian of the record designated in DA systems of records notices (See DA PAM 25–51 or the Defense Privacy Office’s Web site http://www.defenselink.mil/privacy).
(2) Individuals do not have to state a reason or justify the need to gain access to records under the Act.
(3) Release of personal information to individuals under this section is not considered a ‘‘public release’’ of information.
(c) Verification of identity for first party requesters. (1) Before granting access to personal data, an individual will provide reasonable verification of identity.
(2) When requesting records in writing, the preferred method of verifying identity is the submission of a notarized signature. An alternative method of verifying identity for individuals who do not have access to notary services is the submission of an un-sworn declaration in accordance with 28 U.S.C. 1746 in the following format:
(i) If executed within the United States, its territories, possessions, or commonwealths: ‘‘I declare (or certify,


verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature)’’.
(ii) If executed outside of the United States: ‘‘I declare under perjury or penalty under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).’’
(3) When an individual seeks access in person, identification can be verified by documents normally carried by the individual (such as identification card, driver’s license, or other license, permit or pass normally used for identification purposes). However, level of proof of identity is commensurate with the sensitivity of the records sought. For example, more proof is required to access medical records than is required to access parking records.
(4) Telephonic requests will not be honored.
(5) An individual cannot be denied access solely for refusal to provide his or her Social Security Number (SSN) unless the SSN was required for access by statute or regulation adopted prior to January 1, 1975.
(6) If an individual wishes to have his or her records released directly to a third party or to be accompanied by a third party when seeking access to his or her records, reasonable proof of authorization must be obtained. The individual may be required to furnish a signed access authorization with a notarized signature or other proof of authenticity (i.e. telephonic confirmation) before granting the third party access.
(d) Individual access to medical records. (1) An individual must be given access to his or her medical and psychological records unless a judgment is made that access to such records could have an adverse effect on the mental or physical health of the individual. This determination normally should be made in consultation with a medical doctor. Additional guidance is provided in DOD 5400.11–R, Department of Defense Privacy Program. In this instance, the individual will be asked to provide the name of a personal health care provider, and the records will be provided to that health care provider, along with an explanation of why access without medical supervision could be harmful to the individual.
(2) Information that may be harmful to the record subject should not be released to a designated individual unless the designee is qualified to make psychiatric or medical determinations.
(3) DA activities may offer the services of a military physician, other than the one who provided the treatment.
(4) Do not require the named health care provider to request the records for the individual.
(5) The agency’s decision to furnish the records to a medical designee and not directly to the individual is not considered a denial for reporting purposes under the Act and cannot be appealed.
(6) However, no matter what the special procedures are, DA has a statutory obligation to ensure that access is provided the individual.
(7) Regardless of age, all DA military personnel and all married persons are considered adults. The parents of these individuals do not have access to their medical records without written consent of the individual.
(8) DOD 6025.18–R, DOD Health Information Privacy Regulation, issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, has placed additional procedural requirements on the uses and disclosure of individually identifiable health information beyond those found in the Privacy Act of 1974 and this part. In order to be in compliance with HIPAA, the additional guidelines and procedures will be reviewed before release of an individual’s identifiable health information.
(e) Personal notes. (1) The Privacy Act does not apply to personal notes of individuals used as memory aids. These documents are not Privacy Act records and are not subject to this part.
(2) The five conditions for documents to be considered personal notes are as follows—
(i) Maintained and discarded solely at the discretion of the author;
(ii) Created only for the author’s personal convenience and the notes are restricted to that of memory aids;
(iii) Not the result of official direction or encouragement, whether oral or written;
(iv) Not shown to others for any reason; and
(v) Not filed in agency files.
(3) Any disclosure from personal notes, either intentional or through carelessness, removes the information from the category of memory aids and the personal notes then become subject to provisions of the Act.
(f) Denial or limitation of individual’s right to access. (1) Even if the information is filed and retrieved by an individual’s name or personal identifier, his or her right to access may be denied if—
(i) The records were compiled in reasonable anticipation of a civil action or proceeding including any action where DA expects judicial or administrative adjudicatory proceedings. The term ‘‘civil action or proceeding’’ includes quasi-judicial, pre-trial judicial, and administrative proceedings, as well as formal litigation;
(ii) The information is about a third party and does not pertain to the requester. A third party’s SSN and home address will be withheld. However, information about the relationship between the individual and the third party would normally be disclosed as it pertains to the individual;
(iii) The records are in a system of records that has been properly exempted by the Secretary of the Army from the access provisions of this part and the information is exempt from release under a provision of the Freedom of Information Act (See appendix C of this part for a list of applicable Privacy Act exemptions, exceptions, and ‘‘Blanket’’ routine uses);
(iv) The records contain properly classified information that has been exempted from the access provision of this part;
(v) The records are not described well enough to enable them to be located with a reasonable amount of effort on the part of an employee familiar with the file. Requesters should reasonably describe the records they are requesting. They do not have to designate a Privacy Act system of records notice identification number, but they should at least identify a type of record or functional area. For requests that ask for ‘‘all records about me,’’ DA personnel should ask the requester for more information to narrow the scope of his or her request; and
(vi) Access is sought by an individual who fails or refuses to comply with Privacy Act established procedural requirements, included refusing to pay fees.
(2) Requesters will not use government equipment, supplies, stationery, postage, telephones, or official mail channels for making Privacy Act requests. System managers will process such requests but inform requesters that using government resources to make Privacy Act requests is not authorized.
(3) When a request for information contained in a Privacy Act system of records is denied in whole or in part, the Denial Authority or designee shall inform the requester in writing and explain why the request for access has been refused.
(4) A request for access, notification, or amendment of a record shall be acknowledged in writing within 10 working days of receipt by the proper system manager or record custodian.


(g) Relationship between the Privacy Act and the Freedom of Information Act. (1) Not all requesters are knowledgeable of the appropriate statutory authority to cite when requesting information. In some instances, they may cite neither the PA nor the Freedom of Information Act in their request. In some instances they may cite one Act but not the other. The Freedom of Information Act and the PA works together to ensure that requesters receive the greatest amount of information possible.
(2) Do not deny the individual access to his or her records simply because he or she failed to cite the appropriate statute or regulation.
(3) If the records are required to be released under the Freedom of Information Act, the PA will never block disclosure to requester. If the PA allows the DA activity to deny access to an individual, the Freedom of Information Act must still be applied, and the information released if required by the Freedom of Information Act.
(4) Unlike the Freedom of Information Act, the Privacy Act applies only to U.S. citizens and aliens lawfully admitted for permanent residence.
(5) Requesters who seek records about themselves contained in a Privacy Act system of records (1st party requesters) and who cite or imply only the Privacy Act, will have their request processed under the provisions of both the PA and the Freedom of Information Act. If the information requested is not contained in a Privacy Act system of records or is not about the requester, the individual’s request will be processed under the provisions of the Freedom of Information Act only, and the Freedom of Information Act processing requirements/time lines will apply.
(6) Third party information. (i) Third party information contained in a Privacy Act system of records that does not pertain to the requester, such as SSN, home addresses, and other purely personal information that is not about the requester, will be processed under the provisions of Freedom of Information Act only. Third party information that is not about the requester is not subject to the Privacy Act’s first party access provision.
(ii) Information about the relationship between the first party requester and a third party is normally disclosed as pertaining to the first party requester. Consult your servicing Staff Judge Advocate if there is a question about the release of third party information to a first party requester.
(7) If an individual requests information about them contained in a Privacy Act system of records, the individual may be denied the information only if the information is exempt under both the PA and the Freedom of Information Act. Both PA and Freedom of Information Act exemptions will be cited in the denial letter and appeals will be processed in accordance with both Acts.
(8) Each time a first party requester cites or implies the PA, perform this analysis:
(i) Is the request from a United States living citizen or an alien lawfully admitted for permanent residence?
(ii) Is the individual requesting an agency record?
(iii) Are the records within a PA system of records that are filed and retrieved by an individual’s name or other personal identifier? (If the answer is ‘‘yes’’ to all of these questions, then the records should be processed under the ‘‘Privacy Act’’) and
(iv) Does the information requested pertain exclusively to the requester?
(A) If yes, no further consideration of Freedom of Information Act exemptions required. Release all information unless a PA exemption authorizes withholding.
(B) If no, process the information that is not about the requester under the Freedom of Information Act and withhold only if a proper Freedom of Information Act exemption applies.
(h) Functional requests. If an individual asks for his or her records and does not cite or reasonably imply either the Privacy Act or the Freedom of Information Act, and another prescribing directive or regulation authorizes the release, the records should be released under that other directive or regulation and not the PA or the FOIA. Examples of functional requests are military members asking to see their Official Military Personnel Records or civilian employees asking to see their Official Personnel Folder.
(i) Procedures for denying or limiting an individual’s right to access or amendment and the role of the Denial Authority. (1) The only officials authorized to deny a request for records or a request to amend records in a PA system of records pertaining to the requesting individual, are the appropriate Denial Authorities, their designees, or the Secretary of the Army who will be acting through the General Counsel.
(2) Denial Authorities are authorized to deny requests, either in whole or in part, for notification, access and amendment of Privacy Act records contained in their respective areas of responsibility.
(i) The Denial Authority may delegate all or part of their authority to a division chief under his supervision within the Agency in the grade of 0–5/GS–14 or higher. All delegations must be in writing.
(ii) The Denial Authority will send the names, office names, and telephones numbers of their delegates to the DA Freedom of Information and Privacy Office.
(iii) If a Denial Authority delegate denies access or amendment, the delegate must clearly state that he or she is acting on behalf of the Denial Authority, who must be identified by name and position in the written response to the requester. Denial Authority designation will not delay processing privacy requests/actions.
(iv) The official Denial Authorities are for records under their authority (See appendix B of this part). The individuals designated as Denial Authorities under this part are the same individuals designated as Initial Denial Authorities under AR 25–55, the Department of the Army Freedom of Information Act Program. However, delegation of Denial Authority pursuant to this part does not automatically encompass delegation of Initial Denial Authority under AR 25–55. Initial Denial Authority must be expressly delegated pursuant to AR 25–55 for an individual to take action on behalf of an Initial Denial Authority under AR 25–55.
(3) The custodian of the record will acknowledge requests for access made under the provisions of the Privacy Act within 10 working days of receipt.
(4) Requests for information recommended for denial will be forwarded to the appropriate Denial Authority, along with a copy of the records and justification for withholding the record. At the same time, notify the requester of the referral to the Denial Authority for action. All documents or portions thereof determined to be releasable to the requester will be released to the requester before forwarding the case to the Denial Authority.
(5) Within 30 working days, the Denial Authority will provide the following notification to the requester in writing if the decision is to deny the requester access to the information.
(6) Included in the notification will be:
(i) Denying Official’s name, position title, and business address;
(ii) Date of the denial;
(iii) The specific reason for the denial, citing the appropriate subsections of the Privacy Act, the Freedom of Information Act, AR 25–55, The Department of the Army Freedom of Information Act Program and this part; and


(iv) The individual’s right to administratively appeal the denial within 60 calendar days of the mailing date of the notice, through the Denial Authority, to the Office of the General Counsel, Secretary of the Army, 104 Army Pentagon, Washington, DC 20310–0104.
(7) The appeal must be in writing and the requester should provide a copy of the denial letter and a statement of their reasons for seeking review.
(8) For denials made by the DA when the record is maintained in a Government-wide system of records, an individual’s request for further review must be addressed to each of the appropriate government Privacy Act offices listed in the Privacy Act system of records notices. For a current listing of Government-wide Privacy Act system of records notices see the Defense Privacy Office’s Web site http://www.defenselink.mil/privacy or DA PAM 25–51.
(j) No records determinations. (1) Since a no record response may be considered an ‘‘adverse’’ determination, the Denial Authority must make the final determination that no records exist. The originating agency shall notify the requester that an initial determination has been made that there are no responsive records, however the final determination will be made by the Denial Authority. A no records certificate must accompany a no records determination that is forwarded to the Denial Authority.
(2) The Denial Authority must provide the requester with appeal rights.
(k) Referral of requests. (1) A request received by a DA activity having no records responsive to a request shall be referred to another DOD Component or DA activity, if the other Component or activity confirms that they have the requested records, or verifies that they are the proper custodian for that type of record. The requester will be notified of the referral. In cases where the DA activity receiving the request has reason to believe that the existence or nonexistence of the record may in itself be classified, that activity will consult the Component or activity having cognizance over the records in question before referring the request. If the Component or activity that is consulted determines that the existence or nonexistence of the records is in itself classified, the requester shall be so notified by the DA activity originally receiving the request that it can neither confirm nor deny the existence of the record, and no referral shall take place.
(2) A DA activity shall refer a Privacy Act request for a classified record that it holds to another DOD Component, DA activity, or agency outside the Department of Defense, if the record originated in the other DOD Component, DA activity, or outside agency, or if the classification is derivative. The referring DA activity will provide the records and a release recommendation with the referral action.
(3) Any DA activity receiving a request that has been misaddressed will refer the request to the proper address and advise the requester.
(4) Within DA, referrals will be made directly to offices having custody of the requested records (unless the Denial Authority is the custodian of the requested records). If the office receiving the Privacy Act request does not know where the requested records are located, the office will contact the DA FOIA/P Office, to determine the appropriate office for referral.
(5) The requester will be informed of the referral whenever records or a portion of records are, after prior consultation, referred to another activity for a release determination and direct response. Additionally, the DA activity referral letter will accomplish the following—
(i) Fully describe the Privacy Act system of records from which the document was retrieved; and
(ii) Indicate whether the referring activity claims any exemptions in the Privacy Act system of records notice.
(6) Within the DA, an activity will refer a Privacy Act request for records that it holds but was originated by another activity, to the originating activity for direct response. An activity will not, in any case, release or deny such records without prior consultation with the originating activity. The requester will be notified of such referral.
(7) A DA activity may refer a Privacy Act request for records that originated in an agency outside of DOD, or that is based on information obtained from an agency outside the DOD, to that agency for direct response to the requester, only if that agency is subject to the Privacy Act. Otherwise, the DA activity must respond to the request.
(8) DA activities will not honor any Privacy Act requests for investigative, intelligence, or any other type of records that are on loan to the Department of Defense for a specific purpose, if the records are restricted from further release in writing. Such requests will be referred to the agency that provided the records.
(9) A DA activity will notify requesters seeking National Security Council (NSC) or White House documents that they should write directly to the NSC or White House for such documents. DA documents in which the NSC or White House have a concurrent reviewing interest will be forwarded to the Department of Defense, Office of Freedom of Information and Security Review, which will coordinate with the NSC or White House, and return the documents to the originating DA activity after NSC or White House review. NSC or White House documents discovered in DA activity files which are responsive to a Privacy Act request will be forwarded to DOD for coordination and return with a release determination.
(10) To the extent referrals are consistent with the policies expressed above; referrals between offices of the same DA activity are authorized.
(l) Reproduction fees. (1) Use fees only to recoup direct reproduction costs associated with granting access.
(2) DA activities may use discretion in their decision to charge for the first copy of records provided to an individual to whom the records pertain. Thereafter, fees will be computed pursuant to the fee schedule set forth in AR 25–55, including the fee waiver provisions.
(3) Checks or money orders for fees should be made payable to the Treasurer of the United States and will be deposited in the miscellaneous receipts of the treasury account maintained at the activity’s finance office.
(4) Reproduction costs shall only include the direct costs of reproduction and shall not include costs of—
(i) Time or effort devoted to searching for or reviewing the records by personnel;
(ii) Fees not associated with the actual cost of reproduction;
(iii) Producing a copy when it must be provided to the individual without cost under another regulation, directive, or law;
(iv) Normal postage;
(v) Transportation of records or personnel; or
(vi) Producing a copy when the individual has requested only to review the records and has not requested a copy, and the only means of allowing review is to make a copy (e.g., the records are stored in a computer and a copy must be printed to provide individual access, or the activity does not wish to surrender temporarily the original records for the individual to review).
(m) Privacy Act case files. (1) Whenever an individual submits a Privacy Act request, a case file will be established. This Privacy Act case file is a specific type of file that is governed by a specific Privacy Act system of records notice. In no instance will the individual’s Privacy Act request and

VerDate Aug<31>2005 20:15 Aug 09, 2006 Jkt 208001 PO 00000 Frm 00010 Fmt 4701 Sfmt 4702 E:\FR\FM\10AUR4.SGM 10AUR4
Federal Register / Vol. 71, No. 154 / Thursday, August 10, 2006 / Rules and Regulations 46061

corresponding Army actions be included in the individual’s military personnel file or other military filing systems, such as adverse action files or general legal files, and in no instance will the Privacy Act case file be used to make an adverse determination about the individual.
(2) The case file will be comprised of the request for access/amendment, grants, refusals, coordination action(s), and all related papers.

§ 505.6 Amendment of records.
(a) Amended records. (1) Individuals are encouraged to periodically review the information maintained about them in Privacy Act systems of records and to familiarize themselves with the amendment procedures established by this part.
(2) An individual may request to amend records that are retrieved by his or her name or personal identifier from a system of records unless the system has been exempted from the amendment provisions of the Act. The standard for amendment is that the records are inaccurate as a matter of fact rather than judgment, irrelevant, untimely, or incomplete. The burden of proof is on the requester.
(3) The system manager or custodian must review Privacy Act records for accuracy, relevance, timeliness, and completeness.
(4) Amendment procedures are not intended to permit individuals to challenge events in records that have actually occurred. Amendment procedures only allow individuals to amend those items that are factually inaccurate and not matters of official judgment (e.g., performance ratings, promotion potential, and job performance appraisals). In addition, an individual is not permitted to amend records for events that have been the subject of judicial or quasi-judicial actions/proceedings.
(b) Proper amendment requests. (1) Amendment requests, except for routine administrative changes, will be in writing.
(2) When acting on behalf of a first party requester, an individual must provide written documentation of the first party requester’s consent to allow the individual to view his or her records.
(3) Amendment is appropriate if it can be shown that—
(i) Circumstances leading up to the recorded event were found to be inaccurately reflected in the document;
(ii) The record is not identical to the individual’s copy; or
(iii) The document was not constructed in accordance with the applicable recordkeeping requirements prescribed in AR 25–400–2, The Army Records Information Management System (ARIMS).
(4) Under the amendment provisions, an individual may not challenge the merits of an adverse determination.
(5) U.S. Army Criminal Investigation Command (USACIDC) reports of investigations (PA system of records notice A0195–2a USACIDC, Source Register; A0195–2b USACIDC, Criminal Investigation and Crime Laboratory Files) have been exempted from the amendment provisions of the Privacy Act. Requests to amend these reports will be considered under AR 195–2. Actions taken by the Commander of U.S. Army Criminal Investigation Command will constitute final action on behalf of the Secretary of the Army under that regulation.
(6) Records placed in the National Archives are exempt from the Privacy Act provision allowing individuals to request amendment of records. Most provisions of the Privacy Act apply only to those systems of records that are under the legal control of the originating agency; for example, an agency’s current operating files or records stored at a Federal Records Center.
(7) Inspector General investigative files and action request/complaint files (records in system notice A0021–1 SAIG, Inspector General Records) have been exempted from the amendment provisions of the Privacy Act. Requests to amend these reports will be considered under AR 20–1 by the Inspector General. Action by the Inspector General will constitute final action on behalf of the Secretary of the Army under that regulation.
(8) Other records that are exempt from the amendment provisions of the Privacy Act are listed in the applicable PA system of records notices.
(c) Amendment procedures. (1) Requests to amend records should be addressed to the custodian or system manager of the records. The request must reasonably describe the records to be amended and the changes sought (e.g., deletion, addition, or amendment). The burden of proof is on the requester. The system manager or records custodian will provide the individual with a written acknowledgment of the request within 10 working days and will make a final response within 30 working days of the date the request was received. The acknowledgment must clearly identify the request and inform the individual that final action will be forthcoming within 30 working days.
(2) Records for which amendment is sought must be reviewed by the proper system manager or custodian for accuracy, relevance, timeliness, and completeness.
(3) If the amendment is appropriate, the system manager or custodian will physically amend the records accordingly. The requester will be notified of such action.
(4) If the amendment is not warranted, the request and all relevant documents, including reasons for not amending, will be forwarded to the proper Denial Authority within 10 working days to ensure that the 30 day time limit for the final response is met. In addition, the requester will be notified of the referral.
(5) Based on the documentation provided, the Denial Authority will either amend the records and notify the requester and the custodian of the records of all actions taken, or deny the request. If the records are amended, those who have received the records in the past will receive notice of the amendment.
(6) If the Denial Authority determines that the amendment is not warranted, he or she will provide the requester and the custodian of the records reason(s) for not amending. In addition, the Denial Authority will send the requester an explanation regarding his or her right to seek further review by the DA Privacy Act Review Board, through the Denial Authority, and the right to file a concise “Statement of Disagreement” to append to the individual’s records.
(i) On receipt of a request for further review by the Privacy Act Review Board, the Denial Authority will append any additional records or background information that substantiates the refusal or renders the case complete;
(ii) Within 5 working days of receipt, forward the appeal to the DA Privacy Act Review Board; and
(iii) Append the servicing Judge Advocate’s legal review, including a determination that the Privacy Act Review Board packet is complete.
(d) DA Privacy Act Review Board. (1) The DA Privacy Act Review Board acts on behalf of the Secretary of the Army in deciding appeals of the appropriate Denial Authority’s refusal to amend records.
(2) The Board will process an appeal within 30 working days of its receipt. The General Counsel may authorize an additional 30 days when unusual circumstances and good cause so warrant.
(3) The Board membership consists of the following principal members, comprised of three voting and two non-voting members, or their delegates.
(4) Three voting members include—
(i) Administrative Assistant to the Secretary of the Army (AASA) who acts as the Chairman of the Board;
(ii) The Judge Advocate General; and
(iii) The Chief, DA Freedom of Information and Privacy Division, U.S. Army Records Management and Declassification Agency.
(5) In addition, two non-voting members include—
(i) The Chief Attorney, OAASA (or designee) who serves as the legal advisor and will be present at all Board sessions to provide legal advice as required; and
(ii) Recording Secretary provided by the Office of the Administrative Assistant to the Secretary of the Army.
(e) DA Privacy Act Review Board meetings. (1) The meeting of the Board requires the presence of all five members or their designated representatives. Other non-voting members with subject matter expertise may participate in a meeting of the Board, at the discretion of the Chairman.
(2) Majority vote of the voting members is required to make a final determination on a request before the Board.
(3) Board members, who have denial authority, may not vote on a matter upon which they took Denial Authority action. However, an individual who took Denial Authority action, or his or her representative, may serve as a non-voting member when the Board considers matters in the Denial Authority’s area of functional specialization.
(4) The Board may seek additional information, including the requester’s official personnel file, if relevant and necessary to decide the appeal.
(5) If the Board determines that an amendment is warranted (the record is inaccurate as a matter of fact rather than judgment, irrelevant, untimely, or incomplete) it will amend the record and notify the requester, the Denial Authority, the custodian of the record, and any prior recipients of the record, of the amendment.
(6) If the Board determines that amendment is unwarranted, they will—
(i) Obtain the General Counsel’s concurrence in writing;
(ii) Respond to the requester with the reasons for denial; and
(iii) Inform the requester of the right to file a “Statement of Disagreement” with the Board’s action and to seek judicial review of the Army’s refusal to amend. A “Statement of Disagreement” must be received by the system manager within 120 days and it will be made an integral part of the pertinent record. Anyone who may have access to, use of, or need to disclose information from the record will be aware that the record was disputed. The disclosing authority may include a brief summary of the Board’s reasons for not amending the disputed record.
(7) It is inappropriate for the Privacy Act Review Board to consider any record which is exempt from the amendment provision of the Privacy Act.

§ 505.7 Disclosure of personal information to other agencies and third parties.
(a) Disclosing records to third parties. (1) DA is prohibited from disclosing a record from a Privacy Act system of records to any person or agency without the prior written consent of the subject of the record, except when—
(i) Pursuant to the twelve Privacy Act exceptions. The twelve exceptions to the “no disclosure without consent” rule are those exceptions which permit the release of personal information without the individual’s/subject’s consent (See appendix C of this part).
(ii) The FOIA requires the release of the record. One of the twelve exceptions to Privacy Act is the FOIA Exception. If the FOIA requires the release of information, the information must be released. The Privacy Act can not prevent release to a third party if the FOIA requires release. However, information must not be discretionarily released under the FOIA if the information is subject to the Privacy Act’s “no disclosure without consent” rule.
(iii) A routine use applies. Another major exception to the “no disclosure without consent” rule is the routine use exception. The Privacy Act allows federal agencies to publish routine use exceptions to the Privacy Act. Some routine uses are Army specific, DOD specific, and Governmentwide. Routine uses exceptions are listed in the Privacy Act system of records notice(s) applicable to the Privacy Act records in question. The Army and other agencies’ system of records notices may be accessed at the Defense Privacy Office’s Web site http://www.defenselink.mil/privacy.
(2) The approved twelve exceptions to the Privacy Act “no disclosure without consent” rule are listed at appendix C of this part.
(b) Disclosing records to other DOD components and to federal agencies outside the DOD. (1) The twelve Privacy Act exceptions referred to in appendix C of this part are available to other DOD components and to federal agencies outside the DOD as exceptions to the Privacy Act’s “no disclosure without consent” rule, with the exception of the FOIA exception. The FOIA is not an appropriate mechanism for providing information to other DOD components and to federal agencies outside the DOD.
(2) A widely used exception to requests for information from local and state government agencies and federal agencies not within the DOD is the routine use exception to the Privacy Act.
(3) The most widely used exception to requests for information from other DOD components is the “intra-agency need to know” exception to the Privacy Act. Officers and employees of the DOD who have an official need for the records in the performance of their official duties are entitled to Privacy Act protected information. Rank, position, or title alone does not authorize access to personal information about others. An official need for the information must exist before disclosure.
(4) For the purposes of disclosure and disclosure accounting, the Department of Defense (DOD) is considered a single agency.
(c) Disclosures under AR 25–55, the Freedom of Information Act (FOIA) Program. (1) Despite Privacy Act protections, all records must be disclosed if the Freedom of Information Act (FOIA) requires their release. The FOIA requires release unless the information is exempted by one or more of the nine FOIA exemptions.
(2) Required release under the FOIA. The following are examples of personal information that is generally not exempt from the FOIA; therefore, it must be released to the public, unless covered by paragraphs (d)(2) and (d)(3) of this section. The following list is not all inclusive:
(i) Military Personnel—
(A) Rank, date of rank, active duty entry date, basic pay entry date, and gross pay (including base pay, special pay, and all allowances except Basic Allowance for Housing);
(B) Present and past duty assignments, future stateside assignments;
(C) Office/unit name, duties address and telephone number (DOD policy may require withholding of this information in certain circumstances);
(D) Source of commission, promotion sequence number, military awards and decorations, and professional military education;
(E) Duty status, at any given time;
(F) Separation or retirement dates;
(G) Military occupational specialty (MOS);
(H) Active duty official attendance at technical, scientific or professional meetings; and
(I) Biographies and photos of key personnel (DOD policy may require withholding of this information in certain circumstances).
(ii) Federal civilian employees—
(A) Present and past position titles, occupational series, and grade;
(B) Present and past annual salary rates (including performance awards or bonuses, incentive awards, merit pay amount, Meritorious or Distinguished Executive Ranks, and allowances and differentials);
(C) Present and past duty stations;
(D) Office or duty telephone number (DOD policy may require withholding of this information in certain circumstances); and
(E) Position descriptions, identification of job elements, and performance standards (but not actual performance appraisals), the release of which would not interfere with law enforcement programs or severely inhibit agency effectiveness. Performance elements and standards (or work expectations) may also be withheld when they are so intertwined with performance appraisals, the disclosure would reveal an individual’s performance appraisal.
(d) Personal information that requires protection. (1) The following are examples of information that is generally NOT releasable without the written consent of the subject. This list is not all inclusive—
(i) Marital status;
(ii) Dependents’ names, sex and SSN numbers;
(iii) Civilian educational degrees and major areas of study (unless the request for the information relates to the professional qualifications for Federal employment);
(iv) School and year of graduation;
(v) Home of record;
(vi) Home address and phone;
(vii) Age and date of birth;
(viii) Overseas assignments (present or future);
(ix) Overseas office or unit mailing address and duty phone of routinely deployable or sensitive units;
(x) Race/ethnic origin;
(xi) Educational level (unless the request for the information relates to professional qualifications for federal employment);
(xii) Social Security Number (SSN); and
(xiii) The information that would otherwise be protected from mandatory disclosure under a FOIA exemption.
(2) The Office of the Secretary of Defense issued a policy memorandum in 2001 that provided greater protection of DOD personnel in the aftermath of 9/11 by requiring information that personally identifies DOD personnel be more carefully scrutinized and limited. In general, the Department of Defense has specifically advised that DOD components are not to release lists of names, duty addresses, present or past position titles, grades, salaries, and performance standards of DOD military members and civilian employees. At the office director level or above, the release of information will be limited to the name, official title, organization, and telephone number, provided a determination is made that disclosure does not raise security or privacy concerns. No other information, including room numbers, will normally be released about these officials. Consistent with current policy, information on officials below the office director level may continue to be released if their positions or duties require frequent interaction with the public.
(3) Disclosure of records pertaining to personnel of overseas, sensitive, or routinely deployed units shall be prohibited to the extent authorized by 10 U.S.C. 130b.
(e) Release of home addresses and home telephone numbers. (1) The release of home addresses and home telephone numbers normally is prohibited. This release is normally considered a clearly “unwarranted invasion” of personal privacy and is exempt from mandatory release under the FOIA. However, home addresses and home telephone numbers may still be released if—
(i) The individual has indicated previously in writing that he or she has no objection to the release;
(ii) The source of the information to be released is a public document such as commercial telephone directory or other public listing;
(iii) The release is required by Federal statute (for example, pursuant to federally funded state programs to locate parents who have defaulted on child support payments) (See 42 U.S.C. 653); or
(iv) The releasing of information is pursuant to the routine use exception or the “intra-agency need to know” exception to the Privacy Act.
(2) A request for a home address or telephone number may be referred to the last known address of the individual for a direct reply by the individual to the requester. In such cases, the requester shall be notified of the referral.
(3) Do not sell or rent lists of individual names and addresses unless such action is specifically authorized by the appropriate authority.
(f) Emergency Recall Rosters. (1) The release of emergency recall rosters normally is prohibited. Their release is normally considered a clearly “unwarranted invasion” of personal privacy and is exempt from mandatory release under the FOIA. Emergency recall rosters should only be shared with those who have an “official need to know” the information, and they should be marked “For Official Use Only” (See AR 25–55).
(2) Do not include a person’s SSN on an emergency recall roster or their spouse’s name.
(3) Commanders and supervisors should give consideration to those individuals with unlisted phone numbers. Commanders and supervisors should consider limiting access to an unlisted number within the unit.
(g) Social Rosters. (1) Before including personal information such as a spouse’s name, home addresses, home phone numbers, and similar information on social rosters or social directories, which will be shared with individuals, always ask for the individual’s written consent. Without their written consent, do not include this information.
(2) Collection of this information will require a Privacy Act Statement which clearly tells the individual what information is being solicited, the purpose, to whom the disclosure of the information is made, and whether collection of the information is voluntary or mandatory.
(h) Disclosure of personal information on group orders. (1) Personal information will not be posted on group orders so that everyone on the orders can view it. Such a disclosure of personal information violates the Privacy Act and this part.
(2) The following are some examples of personal information that should not be contained in group orders. The following list is not all-inclusive—
(i) Complete SSN;
(ii) Home addresses and phone numbers; or
(iii) Date of birth.
(i) Disclosures for established routine uses. (1) Records may be disclosed outside the DOD without the consent of the individual to whom they pertain for an established routine use.
(2) A routine use shall—
(i) Be compatible with and related to the purpose for which the record was compiled;
(ii) Identify the persons or organizations to which the records may be released; and
(iii) Have been published previously in the Federal Register.
(3) Establish a routine use for each user of the information outside the Department of Defense who needs official access to the records.
(4) Routine uses may be established, discontinued, or amended without the consent of the individuals involved. However, new or changed routine uses
must be published in the Federal Register at least 30 days before actually disclosing any records.
(5) In addition to the routine uses listed in the applicable systems of records notices, “Blanket Routine Uses” for all DOD maintained systems of records have been established. These “Blanket Routine Uses” are applicable to every record system maintained within the DOD unless specifically stated otherwise within a particular record system. The “Blanket Routine Uses” are listed at appendix C of this part.
(j) Disclosure accounting. (1) System managers must keep an accurate record of all disclosures made from DA Privacy Act system of records, including those made with the consent of the individual, except when records are—
(i) Disclosed to DOD officials who have a “need to know” the information to perform official government duties; or
(ii) Required to be disclosed under the Freedom of Information Act.
(2) The purpose for the accounting of disclosure is to—
(i) Enable an individual to ascertain those persons or agencies that have received information about them;
(ii) Enable the DA to notify past recipients of subsequent amendments or “Statements of Dispute” concerning the record; and
(iii) Provide a record of DA compliance with the Privacy Act of 1974, if necessary.
(3) Since the characteristics of records maintained within DA vary widely, no uniform method for keeping the disclosure accounting is prescribed.
(4) Essential elements to include in each disclosure accounting report are—
(i) The name, position title, and address of the person making the disclosure;
(ii) Description of the record disclosed;
(iii) The date, method, and purpose of the disclosure; and
(iv) The name, position title, and address of the person or agency to which the disclosure was made.
(5) The record subject has the right of access to the disclosure accounting except when—
(i) The disclosure was made for law enforcement purposes under 5 U.S.C. 552a(b)(7); or
(ii) The disclosure was made from a system of records for which an exemption from 5 U.S.C. 552a(c)(3) has been claimed.
(6) There are no approved filing procedures for the disclosure of accounting records; however, system managers must be able to retrieve upon request. With this said, keep disclosure accountings for 5 years after the disclosure, or for the life of the record, whichever is longer.
(7) When an individual requests such an accounting, the system manager or designee will respond within 20 working days.

§ 505.8 Training requirements.
(a) Training. (1) The Privacy Act requires all heads of Army Staff agencies, field operating agencies, direct reporting units, Major Commands, subordinate commands, and installations to establish rules of conduct for all personnel involved in the design, development, operation, and maintenance of any Privacy Act system of records and to train the appropriate personnel with respect to the privacy rules including the penalties for non-compliance (See 5 U.S.C. 552a(e)(9)).
(2) To meet the training requirements, three general levels of training must be established. They are—
(i) Orientation. Training that provides basic understanding of this part as it applies to the individual’s job performance. This training will be provided to personnel, as appropriate, and should be a prerequisite to all other levels of training;
(ii) Specialized training. Training that provides information as to the application of specific provisions of this part to specialized areas of job performance. Personnel of particular concern include, but are not limited to, personnel specialists, finance officers, DOD personnel who may be expected to deal with the news media or the public, special investigators, paperwork managers, individuals working with medical and security records, records managers, computer systems development personnel, computer systems operations personnel, statisticians dealing with personal data and program evaluations, contractors and anyone responsible for implementing or carrying out functions under this part. Specialized training should be provided on a periodic basis; and
(iii) Managerial training. Training designed to identify for responsible managers (such as senior system managers, Denial Authorities, and functional managers described in this section) issues that they should consider when making management decisions affected by the Privacy Act Program.
(b) Training tools. Helpful resources include—
(1) Privacy Act training slides for Major Commands and Privacy Act Officers: Contact the DA FOIA/P Office, or slides can be accessed at the Web site https://www.rmda.belvoir.army.mil/rmdaxml/rmda/FPHomePage.asp.
(2) The “DOJ Freedom of Information Act Guide and Privacy Act Overview”: The U.S. Department of Justice, Executive Office for United States Attorneys, Office of Legal Education, 600 E. Street, NW., Room 7600, Washington, DC 20530, or training programs can be accessed at the Web site www.usdoj.gov/usao/eousa/ole.html.

§ 505.9 Reporting requirements.
The Department of the Army will submit reports, consistent with the requirements of DOD 5400.11–R, OMB Circular A–130, and as otherwise directed by the Defense Privacy Office. Contact the DA FOIA/P Office for further guidance regarding reporting requirements.

§ 505.10 Use and establishment of exemptions.
(a) Three types of exemptions. (1) There are three types of exemptions applicable to an individual’s right to access permitted by the Privacy Act. They are the Special, General, and Specific exemptions.
(2) Special exemption (d)(5)—Relieves systems of records from the access provision of the Privacy Act only. This exemption applies to information compiled in reasonable anticipation of a civil action or proceeding.
(3) General exemption (j)(2)—Relieves systems of records from most requirements of the Act. Only Army activities actually engaged in the enforcement of criminal laws as their primary function may claim this exemption.
(4) Specific exemptions (k)(1)–(k)(7)–Relieves systems of records from only a few provisions of the Act.
(5) To find out if an exemption is available for a particular record, refer to the applicable system of records notices. System of records notices will state which exemptions apply to a particular type of record. System of records notices that are applicable to the Army are contained in DA Pam 25–51 (available at the Army Publishing Directorate Web site http://www.usapa.army.mil/), the Defense Privacy Office’s Web site http://www.defenselink.mil/privacy/), or in this section). Some of the system of records notices apply only to the Army and the DOD and some notices are applicable government-wide.
(6) Descriptions of current exemptions are listed in detail at appendix C of this part.
(b) Exemption procedures. (1) For the General and Specific exemptions to be applicable to the Army, the Secretary of
the Army must promulgate exemption rules to implement them. This requirement is not applicable to the one Special exemption which is self-executing. Once an exemption is made applicable to the Army through the exemption rules, it will be listed in the applicable system of records notices to give notice of which specific types of records the exemption applies to. When a system manager seeks to have an exemption applied to a certain Privacy Act system of records that is not currently provided for by an existing system of records notice, the following information will be furnished to the DA FOIA/P Office—
(i) Applicable system of records notice;
(ii) Exemption sought; and
(iii) Justification.
(2) After appropriate staffing and approval by the Secretary of the Army and the Defense Privacy Office, it will be published in the Federal Register as a proposed rule, followed by a final rule 60 days later. No exemption may be invoked until these steps have been completed.

§ 505.11 Federal Register publishing requirements.

(a) The Federal Register. There are three types of documents relating to the Privacy Act Program that must be published in the Federal Register. They are the DA Privacy Program policy and procedures (AR 340–21), the DA exemption rules, and Privacy Act system of records notices.
(b) Rulemaking procedures. (1) DA Privacy Program procedures and exemption rules are subject to the formal rulemaking process.
(2) Privacy Act system of records notices are not subject to formal rulemaking and are published in the Federal Register as Notices, not Rules.
(3) The Privacy Program procedures and exemption rules are incorporated into the Code of Federal Regulations (CFR). Privacy Act system of records notices are not published in the CFR.

§ 505.12 Privacy Act enforcement actions.

(a) Judicial Sanctions. The Act has both civil remedies and criminal penalties for violations of its provisions.
(1) Civil remedies. The DA is subject to civil remedies for violations of the Privacy Act. In addition to specific remedial actions, 5 U.S.C. 552a(g) may provide for the payment of damages, court costs, and attorney’s fees.
(2) Criminal penalties. A DA official or employee may be found guilty of a misdemeanor and fined not more than $5,000 for willfully—
(i) Disclosing individually identifiable personal information to one not entitled to the information;
(ii) Requesting or obtaining information from another’s record under false pretenses; or
(iii) Maintaining a system of records without first meeting the public notice requirements of the Act.
(b) Litigation Status Sheet. (1) When a complaint citing the Privacy Act is filed in a U.S. District Court against the Department of the Army, an Army Component, a DA Official, or any Army employee, the responsible system manager will promptly notify the Army Litigation Division, 901 North Stuart Street, Arlington, VA 22203–1837.
(2) The Litigation Status Sheet at appendix E of this part provides a standard format for this notification. At a minimum, the initial notification will have items (a) through (f) provided.
(3) A revised Litigation Status Sheet must be provided at each stage of the litigation.
(4) When a court renders a formal opinion or judgment, copies must be provided to the Defense Privacy Office by the Army Litigation Division.
(c) Administrative Remedies—Privacy Act complaints. (1) The installation level Privacy Act Officer is responsible for processing Privacy Act complaints or allegations of Privacy Act violations. Guidance should be sought from the local Staff Judge Advocate and coordination made with the system manager to assist in the resolution of Privacy Act complaints. The local Privacy Act officer is responsible for—
(i) Reviewing allegations of Privacy Act violations and the evidence provided by the complainants;
(ii) Making an initial assessment as to the validity of the complaint, and taking appropriate corrective action;
(iii) Coordinating with the local Staff Judge Advocate to determine whether a more formal investigation such as a commander’s inquiry or an AR 15–6 investigation is appropriate; and
(iv) Ensuring the decision at the local level from either the Privacy Act Officer or other individual who directed a more formal investigation is provided to the complainant in writing.
(2) The decision at the local level may be appealed to the next higher command level Privacy Act Officer.
(3) A legal review from the next higher command level Privacy Act Officer’s servicing Staff Judge Advocate is required prior to action on the appeal.

§ 505.13 Computer Matching Agreement Program.

(a) General provisions. (1) Pursuant to the Privacy Act and this part, DA records may be subject to computer matching, i.e., the computer comparison of automated systems of records.
(2) There are two specific kinds of Matching Programs covered by the Privacy Act—
(i) Matches using records from Federal personnel or payroll systems of records; and
(ii) Matches involving Federal benefit programs to accomplish one or more of the following purposes—
(A) To determine eligibility for a Federal benefit;
(B) To comply with benefit program requirements; and
(C) To effect recovery of improper payments or delinquent debts from current or former beneficiaries.
(3) The comparison of records must be computerized. Manual comparisons are not covered.
(4) Any activity that expects to participate in a Computer Matching Program must contact the DA FOIA/P Office immediately.
(5) In all cases, Computer Matching Agreements are processed by the Defense Privacy Office and approved by the Defense Data Integrity Board. Agreements will be conducted in accordance with the requirements of 5 U.S.C. 552a, and OMB Circular A–130.
(b) Other matching. Several types of computer matching are exempt from the restrictions of the Act such as matches used for statistics, pilot programs, law enforcement, tax administration, routine administration, background checks, and foreign counterintelligence. The DA FOIA/P Office should be consulted if there is a question as to whether the Act governs a specific type of computer matching.

§ 505.14 Recordkeeping requirements under the Privacy Act.

(a) AR 25–400–2, The Army Records Information Management System (ARIMS). To maintain privacy records are required by the Army Records Information Management System (ARIMS) to provide adequate and proper documentation of the conduct of Army business so that the rights and interests of individuals and the Federal Government are protected.
(b) A full description of the records prescribed by this part and their disposition/retention requirements are found on the ARIMS Web site at https://www.arims.army.mil.

Appendix A to Part 505—References

(a) The Privacy Act of 1974 (5 U.S.C. 552a, as amended).
(b) OMB Circular No. A–130, Management of Federal Information Resources.
(c) AR 25–55, The Department of the Army Freedom of Information Program.


(d) DA PAM 25–51, The Army Privacy Program—System of Records Notices and Exemption Rules.
(e) DOD Directive 5400.11, Department of Defense Privacy Program.
(f) DOD 5400.11–R, Department of Defense Privacy Program.
(g) AR 25–2, Information Assurance
(h) AR 25–400–2, The Army Records Information Management System (ARIMS).
(i) AR 27–10, Military Justice.
(j) AR 40–66, Medical Record Administration and Health Care Documentation.
(k) AR 60–20 and AFR 147–14, Army and Air Force Exchange Service Operating Policies.
(l) AR 190–45, Law Enforcement Reporting.
(m) AR 195–2, Criminal Investigation Activities.
(n) AR 380–5, Department of Army Information Security Program.
(o) DOD Directive 5400–7, DOD Freedom of Information Act (FOIA) Program.
(q) DOD 5400.7–R, DOD Freedom of Information Program.
(r) DOD 6025.18–R, DOD Health Information Privacy Regulation (HIPAA).
(s) U.S. Department of Justice, Freedom of Information Act Guide and Privacy Act Overview.
(t) Office of Secretary of Defense memorandum, dated July 15, 2005, subject: Notifying Individuals when Personal Information is Lost, Stolen, or Compromised located at http://www.army.mil/ciog6/referencs/policy/dos/OSDprivateinfo.pdf.

Appendix B to Part 505—Denial Authorities for Records Under Their Authority (Formerly Access and Amendment Refusal Authorities)

(a) The Administrative Assistant to the Secretary of the Army is authorized to act for the Secretary of the Army on requests for all records maintained by the Office of the Secretary of the Army and its serviced activities, as well as requests requiring the personal attention of the Secretary of the Army. This also includes civilian Equal Employment Opportunity (EEO) actions. (See DCS, G–1 for Military Equal Opportunity (EO) actions.) The Administrative Assistant to the Secretary of the Army has delegated this authority to the Chief Attorney, OAASA (See DCS, G1 for Military Equal Opportunity (EO) actions).
(b) The Assistant Secretary of the Army (Financial Management and Comptroller) is authorized to act on requests for finance and accounting records. Requests for CONUS finance and accounting records should be referred to the Defense Finance and Accounting Service (DFAS). The Chief Attorney, OAASA, acts on requests for non-finance and accounting records of the Assistant Secretary of the Army (Financial Management and Comptroller).
(c) The Assistant Secretary of the Army (Acquisition, Logistics, & Technology) is authorized to act on requests for procurement records other than those under the purview of the Chief of Engineers and the Commander, U.S. Army Materiel Command. The Chief Attorney, OAASA, acts on requests for non-procurement records of the Assistant Secretary of the Army (Acquisition, Logistics and Technology).
(d) The Deputy Assistant Secretary of the Army (Civilian Personnel Policy)/Director of Civilian Personnel, Office of the Assistant Secretary of the Army (Manpower and Reserve Affairs) is authorized to act on requests for civilian personnel records, personnel administration and other civilian personnel matters, except for EEO (civilian) matters which will be acted on by the Administrative Assistant to the Secretary of the Army. The Deputy Assistant Secretary of the Army (Civilian Personnel Policy)/Director of Civilian Personnel has delegated this authority to the Chief, Policy and Program Development Division (Note: Requests from former civilian employees to amend a record in an Office of Personnel Management system of records, such as the Official Personnel Folder, should be sent to the Office of Personnel Management, Assistant Director for Workforce Information, Compliance, and Investigations Group: 1900 E. Street, NW., Washington, DC 20415–0001).
(e) The Chief Information Officer G–6 is authorized to act on requests for records pertaining to Army Information Technology, command, control communications and computer systems and the Information Resources Management Program (automation, telecommunications, visual information, records management, publications and printing).
(f) The Inspector General is authorized to act on requests for all Inspector General Records.
(g) The Auditor General is authorized to act on requests for records relating to audits done by the U.S. Army Audit Agency under AR 10–2. This includes requests for related records developed by the Audit Agency.
(h) The Director of the Army Staff is authorized to act on requests for all records of the Chief of Staff and its Field Operating Agencies. The Director of the Army Staff has delegated this authority to the Chief Attorney and Legal Services Directorate, U.S. Army Resources & Programs Agency (See The Judge Advocate General for the General Officer Management Office actions). The Chief Attorney and Legal Services Director, U.S. Army Resources & Programs Agency acts on requests for records of the Chief of Staff and its Field Operating Agencies (See The Judge Advocate General for the General Officer Management Office actions).
(i) The Deputy Chief of Staff, G–3/5/7 is authorized to act on requests for records relating to International Affairs policy, planning, integration and assessments, strategy formulation, force development, individual and unit training policy, strategic and tactical command and control systems, nuclear and chemical matters, use of DA forces.
(j) The Deputy Chief of Staff, G–8 is authorized to act on requests for records relating to programming, material integration and externally directed reviews.
(k) The Deputy Chief of Staff, G–1 is authorized to act on the following records: Personnel board records, Equal Opportunity (military) and sexual harassment, health promotions, physical fitness and well-being, command and leadership policy records, HIV and suicide policy, substance abuse programs except for individual treatment records which are the responsibility of the Surgeon General, retiree benefits, services, and programs (excluding individual personnel records of retired military personnel, which are the responsibility of the U.S. Army Human Resources Command-St. Louis), DA dealings with Veterans Affairs, U.S. Soldier’s and Airmen’s Home; all retention, promotion, and separation records; all military education records including records related to the removal or suspension from a military school or class; Junior Reserve Officer Training Corps (JROTC) and Senior Reserve Officer Training Corps (SROTC) records; SROTC instructor records; U.S. Military Academy Cadet Records; recruiting and MOS policy issues, personnel travel and transportation entitlements, military strength and statistics, The Army Librarian, demographics, and Manprint.
(l) The Deputy Chief of Staff, G–4 is authorized to act on requests for records relating to DA logistical requirements and determinations, policy concerning materiel maintenance and use, equipment standards, and logistical readiness.
(m) The Chief of Engineers is authorized to act on requests for records involving civil works, military construction, engineer procurement, and ecology; and the records of the U.S. Army Engineer divisions, districts, laboratories, and field operating agencies.
(n) The Surgeon General/Commander, U.S. Army Medical Command, is authorized to act on requests for medical research and development records, and the medical records of active duty military personnel, dependents, and persons given physical examination or treatment at DA medical facilities, to include alcohol and drug treatment/test records.
(o) The Chief of Chaplains is authorized to act on requests for records involving ecclesiastical relationships, rites performed by DA chaplains, and nonprivileged communications relating to clergy and active duty chaplains’ military personnel files.
(p) The Judge Advocate General is authorized to act on requests for records relating to claims, courts-martial, legal services, administrative
(q) The Chief, National Guard Bureau, is authorized to act on requests for all personnel and medical records of retired, separated, discharged, deceased, and active Army National Guard military personnel, including technician personnel, unless such records clearly fall within another Denial Authority’s responsibility. This authority includes, but is not limited to, National Guard organization and training files; plans, operations, and readiness files, policy files, historical files, files relating to National Guard military support, drug interdiction, and civil disturbances; construction, civil works, and ecology records dealing with armories, facilities within the States, ranges, etc.; Equal Opportunity investigative records; aviation program records and financial records dealing with personnel, operation and maintenance, and equipment budgets.
(r) The Chief, Army Reserve and Commander, U.S. Army Reserve Command are authorized to act on requests for all


personnel and medical records of retired, separated, discharged, deceased, and reserve component military personnel, and all U.S. Army Reserve (USAR) records, unless such records clearly fall within another Denial Authority’s responsibility. Records under the responsibility of the Chief, Army Reserve and the Commander, U.S. Army Reserve Command include records relating to USAR plans, policies, and operations; changes in the organizational status of USAR units; mobilization and demobilization policies, active duty tours, and the Individual Mobilization Augmentation program; and all other Office of the Chief, Army Reserve (OCAR) records and Headquarters, U.S. Army Reserve Command records.
(s) The Commander, United States Army Materiel Command (AMC) is authorized to act on requests for the records of AMC headquarters and to subordinate commands, units, and activities that relate to procurement, logistics, research and development, and supply and maintenance operations.
(t) The Provost Marshal General is authorized to act on all requests for provost marshal activities and law enforcement functions for the Army, all matters relating to police intelligence, physical security, criminal investigations, corrections and internment (to include confinement and correctional programs for U.S. prisoners, criminal investigations, provost marshal activities, and military police support. The Provost Marshal General is responsible for the Office of Security, Force Protection, and Law Enforcement Division and is the functional proponent for AR 190-series (Military Police) and 195-series (Criminal Investigation), AR 630–10 Absent Without Leave, Desertion, and Administration of Personnel Involved in Civilian Court Proceedings, and AR 633–30, Military Sentences to Confinement.
(u) The Commander, U.S. Army Criminal Investigation Command, is authorized to act on requests for criminal investigative records of USACIDC headquarters, and its subordinate activities, and military police reports. This includes criminal investigation records, investigation-in-progress records, and all military police records and reports that result in criminal investigation reports. This authority has been delegated to the Director, U.S. Army Crime Records Center.
(v) The Commander, U.S. Army Human Resources Command, is authorized to act on requests for military personnel files relating to active duty personnel including, but not limited to military personnel matters, military education records including records related to the removal or suspension from a military school or class; personnel locator, physical disability determinations, and other military personnel administration records; records relating to military casualty and memorialization activities; heraldic activities, voting, records relating to identification cards, naturalization and citizenship, commercial solicitation, Military Postal Service Agency and Army postal and unofficial mail service. The Commander, U.S. Army Human Resources Command, is also authorized to act on requests concerning all personnel and medical records of retired, separated, discharged, deceased, and reserve component military personnel, unless such records clearly fall within another Denial Authority’s authority.
(w) The Commander, U.S. Army Resources Command-St. Louis has been delegated authority to act on behalf of the U.S. Army Human Resources Commander for requests concerning all personnel and medical records of retired, separated, discharged, deceased, and reserve component military personnel, unless such records clearly fall within another Denial Authority’s authority. The authority does not include records relating to USAR plans, policies, and operations; changes in the organizational status of USAR units, mobilization and demobilization policies; active duty tours, and the individual mobilization augmentation program.
(x) The Assistant Chief of Staff for Installation Management is authorized to act on requests for records relating to planning, programming, execution and operation of Army installations. This includes base realignment and closure activities, environmental activities other than litigation, facilities and housing activities, and installation management support activities.
(y) The Commander, U.S. Army Intelligence and Security Command, is authorized to act on requests for intelligence and security records, foreign scientific and technological records, intelligence training, intelligence threat assessments, and foreign liaison information, mapping and geodesy information, ground surveillance records, intelligence threat assessment, and missile intelligence data relating to tactical land warfare systems.
(z) The Commander, U.S. Army Combat Readiness Center (formerly U.S. Army Safety Center), is authorized to act on requests for Army safety records.
(aa) The Commander, U.S. Army Test and Evaluation Command (ATEC), is authorized to act on requests for the records of ATEC headquarters, its subordinate commands, units, and activities that relate to test and evaluation operations.
(bb) The General Counsel, Army and Air Force Exchange Service, is authorized to act on requests for Army and Air Force Exchange Service records, under AR 60–20/AFR 147–14.
(cc) The Commandant, United States Disciplinary Barracks (USDB) is authorized to act on records pertaining to USDB functional area responsibilities relating to the administration and confinement of individual military prisoners at the USDB. This includes, but is not limited to, all records pertaining to the treatment of military prisoners; investigation of prisoner misconduct; management, operation, and administration of the USDB confinement facility; and related programs which fall directly within the scope of the Commandant’s functional area of command and control.
(dd) The Commander, U.S. Army Community and Family Support Center (USACFSC) is authorized to act on requests for records pertaining to morale, welfare, recreation, and entertainment programs; community and family action programs; child development centers; non-appropriated funds issues, and private organizations on Army installations.
(ee) The Commander, Military Surface Deployment and Distribution Command (formerly Military Traffic Management Command) is authorized to act on requests for records pertaining to military and commercial transportation and traffic management records.
(ff) The Director, Installation Management Agency (IMA) is authorized to act on requests for all IMA records.
(gg) Special Denial Authority’s authority for time-event related records may be designated on a case-by-case basis. These will be published in the Federal Register. You may contact the Department of the Army, Freedom of Information and Privacy Office to obtain current information on special delegations.

Appendix C to Part 505—Privacy Act Statement Format

(a) Authority: The specific federal statute or Executive Order that authorizes collection of the requested information.
(b) Principal Purpose(s): The principal purpose or purposes for which the information is to be used.
(c) Routine Uses(s): Disclosure of the information outside DOD.
(d) Disclosure: Whether providing the information is voluntary or mandatory and the effects on the individual if he or she chooses not to provide the requested information.
(1) Example of a Privacy Act Statement
(i) Authority: Emergency Supplement Act of 2000; Public Law 106–246; 5 U.S.C. 3013, Secretary of the Army; 10 U.S.C. 5013, Secretary of the Navy; 10 U.S.C. 8013, Secretary of the Air Force; Department of Defense Directive 8500.aa, Information Assurance (IA); and E.O. 9397 (SSN).
(ii) Principal Purpose(s): To control access to DOD information, information based systems and facilities by authenticating the identity of a person using a measurable physical characteristic(s). This computer system uses software programs to create biometrics templates and summary statistics, which are used for purposes such as assessing system performance or identifying problem areas.
(iii) Routine Use(s): None. The DoD ‘‘Blanket Routine Uses’’ set forth at the beginning of the Army’s Compilations of System of Records Notices applies to this system.
(iv) Disclosure: Voluntary; however, failure to provide the requested information may result in denial of access to DOD information based systems and/or DOD facilities.
(2) [Reserved].

Appendix D to Part 505—Exemptions; Exceptions; and DoD Blanket Routine Uses

(a) Special Exemption. 5 U.S.C. 552a(d)(5)—Denies individual access to any information compiled in reasonable anticipation of civil action or proceeding.
(b) General and Specific Exemptions. The Secretary of the Army may exempt Army systems of records from certain requirements


of the Privacy Act. The two kinds of exemptions that require Secretary of the Army enactment are General and Specific exemptions. The Army system of records notices for a particular type of record will state whether the Secretary of the Army has authorized a particular General and Specific exemption to a certain type of record. The Army system of records notices are published in DA Pam 25–51 and on the Defense Privacy Office’s Web site http://www.defenselink.mil/privacy/.
(c) Twelve Exceptions to the ‘‘No Disclosure without Consent’’ rule of the Privacy Act.
(1) 5 U.S.C. 552a(b)(1)—To DOD officers and employees who have a need for the record in the performance of their official duties. This is the ‘‘official need to know concept.
(2) 5 U.S.C. 552a(b)(2)—FOIA requires release of the information.
(3) 5 U.S.C. 552a(b)(3)—The Routine Use Exception. The Routine Use must be published in the Federal Register and the purpose of the disclosure must be compatible with the purpose for the published Routine Use. The applicable Routine Uses for a particular record will be listed in the applicable Army Systems Notice.
(4) 5 U.S.C. 552a(b)(4)—To the Bureau of the Census to plan or carry out a census or survey, or related activity pursuant to Title 13 of the U.S. Code.
(5) 5 U.S.C. 552a(b)(5)—To a recipient who has provided DA or DOD with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable.
(6) 5 U.S.C. 552a(b)(6)—To the National Archives and Records Administration as a record that has sufficient historical or other value to warrant its continued preservation by the U.S. Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value.
Note: Records transferred to the Federal Records Centers for storage remain under the control of the DA and no accounting for disclosure is required under the Privacy Act.
(7) 5 U.S.C. 552a(b)(7)—To another agency or instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the Army or the DOD specifying the particular portion desired and the law enforcement activity for which the record is sought.
(8) 5 U.S.C. 552a(b)(8)—To a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure, notification is transmitted to the last known address of such individual.
(9) 5 U.S.C. 552a(b)(9)—To either House of Congress, or, to the extent the matter is within its jurisdiction, any committee or subcommittee thereof, or any joint committee of Congress or subcommittee of any such joint committee. Requests from a Congressional member acting on behalf of a constituent are not included in this exception, but may be covered by a routine use exception to the Privacy Act (See applicable Army system of records notice).
(10) 5 U.S.C. 552a(b)(10)—To the Comptroller General or authorized representatives, in the course of the performance of the duties of the Government Accountability Office.
(11) 5 U.S.C. 552a(b)(11)—Pursuant to the order of a court of competent jurisdiction. The order must be signed by a judge.
(12) 5 U.S.C. 552a(b)(12)—To a consumer reporting agency in accordance with section 3711(e) of Title 31 of the U.S. Code. The name, address, SSN, and other information identifying the individual; amount, status, and history of the claim; and the agency or program under which the case arose may be disclosed. However, before doing so, agencies must complete a series of steps designed to validate the debt and to offer the individual an opportunity to repay it.
(d) DOD Blanket Routine Uses. In addition to specific routine uses which are listed in the applicable Army system of record notices, certain ‘‘Blanket Routine Uses’’ apply to all DOD maintained systems of records. These are listed on the Defense Privacy Office’s Web site http://www.defenselink.mil/privacy/. These ‘‘Blanket Routine Uses’’ are not specifically listed in each system of records notice as the specific routine uses are. The current DOD ‘‘Blanket Routine Uses’’ are as follows—
(1) Law Enforcement Routine Use. If a system of records maintained by a DOD component to carry out its functions indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the agency concerned, whether federal, state, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation or order issued pursuant thereto.
(2) Disclosure When Requesting Information Routine Use. A record from a system of records maintained by a DOD component may be disclosed as a routine use to a Federal, State, or local agency maintaining civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary to obtain information relevant to a DOD Component decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant or other benefit.
(3) Disclosure of Requested Information Routine Use. A record from a system of records maintained by a DOD component may be disclosed to a Federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency’s decision on the matter.
(4) Congressional Inquiries Disclosure Routine Use. Disclosure from a system of records maintained by a DOD component may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
(5) Private Relief Legislation Routine Use. Relevant information contained in all systems of records of DOD published on or before August 22, 1975, may be disclosed to Office of Management and Budget in connection with the review of private relief legislation, as set forth in OMB Circular A–19, at any stage of the legislative coordination and clearance process as set forth in that Circular.
(6) Disclosures Required by International Agreements Routine Use. A record from a system of records maintained by a DOD Component may be disclosed to foreign law enforcement, security, investigatory, or administrative authorities in order to comply with requirements imposed by, or to claim rights conferred in, international agreements and arrangements including those regulating the stationing and status in foreign countries of DOD military and civilian personnel.
(7) Disclosure to State and Local Taxing Authorities Routine Use. Any information normally contained in Internal Revenue Service Form W–2, which is maintained in a record from a system of records maintained by a DOD component, may be disclosed to state and local taxing authorities with which the Secretary of the Treasury has entered into agreements pursuant to 5 U.S.C. sections 5516, 5517, and 5520 and only to those state and local taxing authorities for which an employee or military member is or was subject to tax regardless of whether tax is or was withheld. This routine use is in accordance with Treasury Fiscal Requirements Manual Bulletin 76–07.
(8) Disclosure to the Office of Personnel Management Routine Use. A record from a system of records subject to the Privacy Act and maintained by a DA activity may be disclosed to the Office of Personnel Management concerning information on pay and leave, benefits, retirement deductions, and any other information necessary for Office of Personnel Management to carry out its legally authorized Government-wide personnel management functions and studies.
(9) Disclosure to the Department of Justice for Litigation Routine Use. A record from a system of records maintained by a DOD component may be disclosed as a routine use to any component of the Department of Justice for the purpose of representing the Department of Defense, or any officer, employee, or member of the Department in pending or potential litigation to which the record is pertinent.
(10) Disclosure to Military Banking Facilities Overseas Routine Use. Information as to current military addresses and assignments may be provided to military banking facilities who provide banking services overseas and who are reimbursed by the Government for certain checking and


loan losses. For personnel separated, discharged, or retired from the Armed forces, information as to last known residential or home of record address may be provided to the military banking facility upon certification by a banking facility officer that the facility has a returned or dishonored check negotiated by the individual or the individual has defaulted on a loan and that if restitution is not made by the individual, the U.S. Government will be liable for the losses the facility may incur.
(11) Disclosure of Information to the General Services Administration Routine Use. A record from a system of records maintained by a DOD component may be disclosed as a routine use to the General Services Administration for the purpose of records management inspections conducted under authority of 44 U.S.C. Sections 2904 and 2906.
(12) Disclosure of Information to National Archives and Records Administration Routine Use. A record from a system of records maintained by a DOD component may be disclosed as a routine use to NATIONAL ARCHIVES AND RECORDS ADMINISTRATION for the purpose of records management inspections conducted under authority of 44 U.S.C. sections 2904 and 2906.
(13) Disclosure to the Merit Systems Protection Board Routine Use. A record from a system of records maintained by a DOD component may be disclosed as a routine use to the Merit Systems Protection Board, including the Office of the Special Counsel for the purpose of litigation, including administrative procedures, appeals, special studies of the civil service and other merit systems, review of Office of Personnel Management or component rules and regulations, investigation of alleged or possible prohibited personnel practices, including administrative proceedings involving any individual subject of a DOD investigation, and such other functions, promulgated in 5 U.S.C. sections 1205 and 1206, or as may be authorized by law.
(14) Counterintelligence Purposes Routine Use. A record from a system of records maintained by a DOD component may be disclosed as a routine use outside the DOD or the U.S. Government for the purpose of counterintelligence activities authorized by U.S. Law or Executive Order or for the purpose of enforcing laws, which protect the national security of the United States.

Appendix E to Part 505—Litigation Status Sheet

(a) Case Number: The number used by a DA activity for reference purposes;
Requester;
(b) Document Title or Description: Indicates the nature of the case, such as “Denial of access”, “Refusal to amend,” “Incorrect records”, or other violations of the Act (specify);
(c) Litigation: Date complaint filed, Court, and Case File Number;
(d) Defendants: DOD component and individual;
(e) Remarks: Brief explanation of what the case is about;
(f) Court action: Court’s finding and disciplinary action (if applicable); and
(g) Appeal (If applicable): Date complaint filed, court, case File Number, court’s finding, disciplinary action (if applicable).

Appendix F to Part 505—Example of a System of Records Notice

(a) Additional information and guidance on Privacy Act system of records notices are found in DA PAM 25–51. The following elements comprise a Privacy Act system of records notice for publication in the Federal Register:
(b) System Identifier: A0025–55 AHRC—DA FOIA/P Office assigns the notice number, for example, A0025–55, where “A” indicates “Army,” the next number represents the publication series number related to the subject matter, and the final letter group shows the system manager’s command. In this case, it would be U.S. Army Human Resources Command.
(c) System Name: Use a short, specific, plain language title that identifies the system’s general purpose (limited to 55 characters).
(d) System Location: Specify the address of the primary system and any decentralized elements, including automated data systems with a central computer facility and input or output terminals at separate locations. Use street address, 2-letter state abbreviations and 9-digit ZIP Codes. Spell out office names. Do not use office symbols.
(e) Categories of Individuals: Describe the individuals covered by the system. Use non-technical, specific categories of individuals about whom the Department of Army keeps records. Do not use categories like “all Army personnel” unless that is truly accurate.
(f) Categories of Records in the System: Describe in clear, plain language, all categories of records in the system. List only documents actually kept in the system. Do not identify source documents that are used to collect data and then destroyed. Do not list form numbers.
(g) Authority for Maintenance of the System: Cite the specific law or Executive Order that authorizes the maintenance of the system. Cite the DOD directive/instruction or Department of the Army Regulation(s) that authorizes the Privacy Act system of records. Always include titles with the citations.
Note: Executive Order 9397 authorizes using the SSN as a personal identifier. Include this authority whenever the SSN is used to retrieve records.
(h) Purpose(s): List the specific purposes for maintaining the system of records by the activity.
(i) Routine Use(s): The blanket routine uses that appear at the beginning of each Component compilation apply to all systems notice unless the individual system notice specifically states that one or more of them do not apply to the system. Blanket Routine Uses are located at the beginning of the Component listing of systems notices and are not contained in individual system of records notices. However, specific routine uses are listed in each applicable system of records notice. List the specific activity to which the record may be released, for example “To the Veterans Administration” or “To state and local health agencies”. For each routine user identified, include a statement as to the purpose or purposes for which the record is to release to that activity. Do not use general statements, such as “To other federal agencies as required” or “To any other appropriate federal agency”.
(j) Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:
(k) Storage: State the medium in which DA maintains the records; for example, in file folders, card files, microfiche, computer, or a combination of those methods. Storage does not refer to the storage container.
(l) Retrievability: State how the Army retrieves the records; for example, by name, fingerprints or voiceprints.
(m) Safeguards: Identify the system safeguards; for example, storage in safes, vaults, locked cabinets or rooms, use of guards, visitor controls, personnel screening, computer systems software, and so on. Describe safeguards fully without compromising system security.
(n) Retention and Disposal. State how long AR 25–400–2 requires the activity to maintain the records. Indicate when or if the records may be transferred to a Federal Records Center and how long the record stays there. Specify when the Records Center sends the record to the National Archives or destroys it. Indicate how the records may be destroyed.
(o) System Manager(s) and Address: List the position title and duty address of the system manager. For decentralized systems, show the locations, the position, or duty title of each category of officials responsible for any segment of the system.
(p) Notification Procedures: List the title and duty address of the official authorized to tell requesters if their records are in the system. Specify the information a requester must submit; for example, full name, military status, SSN, date of birth, or proof of identity, and so on.
(q) Record Access Procedures: Explain how individuals may arrange to access their records. Include the titles or categories of officials who may assist; for example, the system manager.
(r) Contesting Records Procedures: The standard language to use is “The Army’s rules for accessing records, and for contesting contents and appealing initial agency determinations are contained in Army Regulation 25–71; 32 CFR part 505; or may be obtained from the system manager.”
(s) Record Source Categories: Show categories of individuals or other information sources for the system. Do not list confidential sources protected by 5 U.S.C. 552a(k)(2), (k)(5), or (k)(7).
(t) Exemptions Claimed for the System: Specifically list any approved exemption including the subsection in the Act. When a system has no approved exemption, write “none” under this heading.

Appendix G to Part 505—Management Control Evaluation Checklist

(a) Function. The function covered by this checklist is DA Privacy Act Program.
(b) Purpose. The purpose of this checklist is to assist Denial Authorities and Activity Program Coordinators in evaluating the key management controls listed below. This checklist is not intended to cover all controls.


(c) Instructions. Answer should be based on the actual testing of key management controls (e.g., document analysis, direct observation, sampling, simulation, other). Answers that indicate deficiencies should be explained and corrective action indicated in supporting documentation. These management controls must be evaluated at least once every five years. Certificate of this evaluation has been conducted and should be accomplished on DA Form 11–2–R (Management Control Evaluation Certification Statement).

Test Questions

a. Is a Privacy Act Program established and implemented in your organization?
b. Is an individual appointed to implement the Privacy Act requirements?
c. Are provisions of AR 25–71 concerning protection of OPSEC sensitive information regularly brought to the attention of managers responsible for responding to Privacy Act requests and those responsible for control of the Army’s records?
d. When more than twenty working days are required to respond, is the Privacy Act requester informed, explaining the circumstance requiring the delay and provided an appropriate date for completion?
e. Are Accounting Disclosures Logs being maintained?

Comments: Assist in making this a better tool for evaluating management controls. Submit comments to the Department of Army, Freedom of Information and Privacy Division.

Appendix H to Part 505—Definitions

Function

(a) Access. Review or copying a record or parts thereof contained in a Privacy Act system of records by an individual.
(b) Agency. For the purposes of disclosing records subject to the Privacy Act, Components of the Department of Defense are considered a single agency. For other purposes including access, amendment, appeals from denials of access or amendment, exempting systems of records, and recordkeeping for release to non-DOD agencies, the Department of the Army is considered its own agency.
(c) Amendment. The process of adding, deleting, or changing information in a system of records to make the data accurate, relevant, timely, or complete.
(d) Computer Matching Agreement. An agreement to conduct a computerized comparison of two or more automated systems of records to verify eligibility for payments under Federal benefit programs or to recover delinquent debts for these programs.
(e) Confidential Source. A person or organization who has furnished information to the Federal Government under an express promise that the person’s or the organization’s identity would be held in confidence or under an implied promise of such confidentiality if this implied promise was made before September 27, 1975.
(f) Cookie. A mechanism that allows the server to store its own information about a user on the user’s own computer. Cookies are embedded in the HTML information flowing back and forth between the user’s computer and the servers. They allow user-side customization of Web information. Normally, cookies will expire after a single session.
(g) Defense Data Integrity Board. The Board oversees and coordinates all computer matching programs involving personal records contained in systems of records maintained by the DOD Component; reviews and approves all computer matching agreements between the Department of Defense (DOD) and other Federal, State, and local governmental agencies, as well as memoranda of understanding when the match is internal to the DOD.
(h) Disclosure. The transfer of any personal information from a Privacy Act system of records by any means of communication (such as oral, written, electronic, mechanical, or actual review) to any persons, private entity, or government agency, other than the subject of the record, the subject’s designated agent or the subject’s legal guardian. Within the context of the Privacy Act and this part, this term applies only to personal information that is a part of a Privacy Act system of records.
(i) Deceased Individuals. The Privacy Act confers no rights on deceased persons, nor may their next-of-kin exercise any rights for them. However, family members of deceased individuals have their own privacy right in particularly sensitive, graphic, personal details about the circumstances surrounding an individual’s death. This information may be withheld when necessary to protect the privacy interests of surviving family members. Even information that is not particularly sensitive in and of itself may be withheld to protect the privacy interests of surviving family members if disclosure would rekindle grief, anguish, pain, embarrassment, or cause a disruption of their peace of mind. Because surviving family members use the deceased’s Social Security Number to obtain benefits, DA personnel should continue to protect the SSN of deceased individuals.
(j) Individual. A living person who is a citizen of the United States or an alien lawfully admitted for permanent residence. The parent or legal guardian of a minor also may act on behalf of an individual. Members of the United States Armed Forces are individuals. Corporations, partnerships, sole proprietorships, professional groups, businesses, whether incorporated or unincorporated, and other commercial entities are not individuals.
(k) Individual Access. The subject of a Privacy Act file or his or her designated agent or legal guardian has access to information about them contained in the Privacy Act file. The term individual generally does not embrace a person acting on behalf of a commercial entity (for example, sole proprietorship or partnership).
(l) Denial Authority (formerly Access and Amendment Refusal Authority). The Army Staff agency head or major Army commander designated authority by this part to deny access to, or refuse amendment of, records in his or her assigned area or functional specialization.
(m) Maintain. Includes keep, collect, use or disseminate.
(n) Members of the Public. Individuals or parties acting in a private capacity.
(o) Minor. An individual under 18 years of age, who is not married and who is not a member of the Department of the Army.
(p) Official Use. Within the context of this part, this term is used when Department of the Army officials and employees have demonstrated a need for the use of any record or the information contained therein in the performance of their official duties.
(q) Personal Information. Information about an individual that identifies, relates, or is unique to, or describes him or her, e.g., a social security number, age, military rank, civilian grade, marital status, race, salary, home/office phone numbers, etc.
(r) Persistent cookies. Cookies that can be used to track users over time and across different Web sites to collect personal information.
(s) Personal Identifier. A name, number, or symbol that is unique to an individual, usually the person’s name or SSN.
(t) System of Records. A group of records under the control of the DA from which information is filed and retrieved by individuals’ names or other personal identifiers assigned to the individuals. System notices for all systems of records must be published in the Federal Register. A grouping of records arranged chronologically or subjectively that are not retrieved by individuals’ names or identifiers is not a Privacy Act system of records, even though individual information could be retrieved by individuals’ names or personal identifiers, such as through a paper-by-paper search.
(u) Privacy Advisory. A statement required when soliciting personally identifying information by a Department of the Army Web site and the information is not maintained in a system of records. The Privacy Advisory informs the individual why the information is being solicited and how it will be used.
(v) Privacy Impact Assessment (PIA). An analysis, which considers information sensitivity, vulnerability, and cost to a computer facility or word processing center in safeguarding personal information processed or stored in the facility.
(w) Privacy Act (PA) Request. A request from an individual for information about the existence of, access to, or amendment of records pertaining to that individual located in a Privacy Act system of records. The request must cite or implicitly refer to the Privacy Act of 1974.
(x) Protected Personal Information. Information about an individual that identifies, relates to, is unique to, or describes him or her (e.g., home address, date of birth, social security number, credit card, or charge card account, etc.).
(y) Records. Any item, collection, or grouping of information, whatever the storage media (e.g., paper, electronic, etc.), about an individual that is maintained by a DOD Component, including but not limited to, his or her education, financial transactions, medical history, criminal or employment history and that contains his or her name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.


(z) Records Maintenance and Use. Any action involving the storage, retrieval, and handling of records kept in offices by or for the agency.
(aa) Review Authority. An official charged with the responsibility to rule on administrative appeals of initial denials of requests for notification, access, or amendment of records. Additionally, the Office of Personnel Management is the review authority for civilian official personnel folders or records contained in any other OPM record.
(bb) Routine Use. Disclosure of a record outside DOD without the consent of the subject individual for a use that is compatible with the purpose for which the information was collected and maintained by DA. A routine use must be included in the notice for the Privacy Act system of records published in the Federal Register.
(cc) Statistical record. A record in a system of records maintained for statistical research or reporting purposes and not used in whole or in part in making determinations about specific individuals.
(dd) System Manager. An official who has overall responsibility for policies and procedures for operating and safeguarding a Privacy Act system of records.
(ee) Third-party cookies. Cookies placed on a user’s hard drive by Internet advertising networks. The most common third-party cookies are placed by the various companies that serve the banner ads that appear across many Web sites.
(ff) Working Days. Days excluding Saturday, Sunday, and legal holidays.

[FR Doc. 06–6799 Filed 8–9–06; 8:45 am]
BILLING CODE 3710–08–P