§ 310.33 - System notices.  



    (a) Contents of the system notices.

    (1) The following data captions are included in each system notice:

    (i) Systems identifier. (see paragraph (b) of this section).

    (ii) System name. (see paragraph (c) of this section).

    (iii) System location. (see paragraph (d) of this section).

    (iv) Categories of individuals covered by the system. (see paragraph (e) of this section).

    (v) Categories of records in the system. (see paragraph (f) of this section).

    (vi) Authority for maintenance of the system. (see paragraph (g) of this section).

    (vii) Purpose(s). (see paragraph (h) of this section).

    (viii) Routine uses of records maintained in the system, including categories of users and the purposes of such uses. (see paragraph (i) of this section).

    (ix) Disclosure to Consumer Reporting Agencies. This element is optional but required when disclosing to consumer reporting agencies. (See paragraph (l) of § 310.22.)

    (x) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system. (see paragraph (j) of this section).

    (xi) Systems manager(s) and address. (see paragraph (k) of this section).

    (xii) Notification procedure. (see paragraph (l) of this section).

    (xiii) Record access procedures. (see paragraph (m) of this section).

    (xiv) Contesting records procedures. (see paragraph (n) of this section).

    (xv) Record source categories. (see paragraph (o) of this section).

    (xvi) Exemptions claimed for the system. (see paragraph (p) of this section).

    (2) The captions listed in paragraph (a)(1) of this section have been mandated by the Office of Federal Register and must be used exactly as presented.

    (3) A sample system notice is shown in appendix E of this part.

    (b) System identifier. The system identifier must appear on all system notices and is limited to 21 positions, unless an exception is granted by the DPO, including Component code, file number and symbols, punctuation, and spacing.

    (c) System name.

    (1) The name of the system reasonably identifies the general purpose of the system and, if possible, the general categories of individuals involved.

    (2) Use acronyms only parenthetically following the title or any portion thereof, such as, “Joint Uniform Military Pay System (JUMPS).” Do not use acronyms not commonly known unless they are preceded by an explanation.

    (3) The system name may not exceed 55 character positions, unless an exception is granted by the DPO, including punctuation and spacing.

    (4) The system name should not be the name of the database or the IT system if the name does not meet the criteria in paragraph (c)(1) of this section.

    (d) System location.

    (1) For systems maintained in a single location provide the exact office name, organizational identity, and address.

    (2) For geographically or organizationally decentralized systems, specify each level of organization or element that maintains a segment of the system, to include their mailing address, or indicate the official mailing addresses are published as an Appendix to the Component's compilation of system of records notices, or provide an address where a complete listing of locations can be obtained.

    (3) Use the standard U.S. Postal Service two-letter State abbreviation symbols and 9-digit Zip Codes for all domestic addresses.

    (e) Categories of individuals covered by the system.

    (1) Set forth the specific categories of individuals to whom records in the system pertain in clear, easily understood, non-technical terms.

    (2) Avoid the use of broad over-general descriptions, such as “all Army personnel” or “all military personnel” unless this actually reflects the category of individuals involved.

    (f) Categories of records in the system.

    (1) Describe in clear, non-technical terms the types of records maintained in the system.

    (2) Only documents actually maintained in the system of records shall be described, not source documents that are used only to collect data and then destroyed.

    (g) Authority for maintenance of system.

    (1) Cite the specific provision of the Federal statute or E.O. that authorizes the maintenance of the system.

    (2) Include with citations for statutes the popular names, when appropriate (for example, Section 2103 of title 51, United States Code, “Tea-Tasters Licensing Act”), and for E.O.s, the official title (for example, E.O. No. 9397, “Numbering System for Federal Accounts Relating to Individual Persons”).

    (3) If direct statutory authority or an Executive Order does not exist, indirect statutory authority may be cited if the authority requires the operation or administration of a program, the execution of which will require the collection and maintenance of a system of records.

    (4) If direct or indirect authority does not exist, the Department of Defense, as well as the Army, Navy, and Air Force general “housekeeping” statutes (i.e., 5 U.S.C. 301 (“Departmental Regulations”), 10 U.S.C. 3013 (“Secretary of the Army”), 5013 (“Secretary of the Navy”), and 8013 (“Secretary of the Air Force”)) may be cited if the Secretary, or those offices to which responsibility has been delegated, are required to collect and maintain systems of records in order to discharge assigned responsibilities. If the housekeeping statute is cited, the regulatory authority implementing the statute within the Department or Component also shall be identified.

    (5) If the social security number is being collected and maintained, E.O. 9397 (“Numbering Systems for Federal Accounts Relating to Individual Persons”) shall be cited.

    (h) Purpose or Purposes.

    (1) List the specific purposes for maintaining the system of records by the Component.

    (2) All internal uses of the information within the Department or Component shall be identified. Such uses are the so-called “internal routine uses.”

    (i) Routine uses.

    (1) Except as otherwise authorized by subpart E of this part, disclosure of information from a system of records to any person or entity outside the Department of Defense (see § 310.21(b)) may only be made pursuant to a routine use that has been established for the specific system of records. Such uses are the so-called “external routine uses.”

    (2) Each routine use shall include to whom the information is being disclosed and what use and purpose the information will be used. Routine uses shall be written as follows:

    (i) “To * * * [person or entity outside of DoD that will receive the information] to * * * [what will be done with the information] for the purpose(s) of * * * [what objective is sought to be achieved].”

    (ii) To the extent practicable, general statements, such as “to other Federal agencies as required” or “to any other appropriate Federal agency” shall be avoided.

    (3) Blanket routine uses (appendix C to this part) have been adopted that apply to all Component system notices. The blanket routine uses appear at the beginning of each Component's compilation of its system notices.

    (i) Each system notice shall contain a statement whether or not the blanket routine uses apply to the system.

    (ii) Each notice may state that none of the blanket routine uses apply or that one or more do not apply.

    (j) Policies and practices for storing, retiring, accessing, retaining, and disposing of records. This caption is subdivided into four parts:

    (1) Storage. Indicate the medium in which the records are maintained. (For example, a system may be “automated, maintained on compact disks, diskettes,” “manual, maintained in paper files,” or “hybrid, maintained in a combination of paper and automated form.”) Storage does not refer to the container or facility in which the records are kept.

    (2) Retrievability. Specify how the records are retrieved (for example, name, SSN, or some other unique personal identifier assigned the individual).

    (3) Safeguards. Identify the system safeguards (such as storage in safes, vaults, locked cabinets or rooms, use of guards, visitor registers, personnel screening, or password protected IT systems). Also identify personnel who have access to the systems. Do not describe safeguards in such detail as to compromise system security.

    (4) Retention and disposal. Indicate how long the record is retained. When appropriate, also state the length of time the records are maintained by the Component, when they are transferred to a FRC, time of retention at the Records Center and when they are transferred to the National Archivist or are destroyed. A reference to a Component regulation without further detailed information is insufficient. If records are eventually destroyed as opposed to being retired, identify the method of destruction (e.g., shredding, burning, pulping, etc.).

    (k) System manager or managers and address.

    (1) List the title and address of the official responsible for the management of the system.

    (2) If the title of the specific official is unknown, such as for a local system, specify the local commander or office head as the systems manager.

    (3) For geographically separated or organizationally decentralized activities for which individuals may deal directly with officials at each location in exercising their rights, list the position or duty title of each category of officials responsible for the system or a segment thereof.

    (4) Do not include business or duty addresses if they are listed in the Component address directory.

    (l) Notification procedures.

    (1) Describe how an individual may determine if there are records pertaining to him or her in the system. The procedural rules may be cited, but include a brief procedural description of the needed data. Provide sufficient information in the notice to allow an individual to exercise his or her rights without referral to the formal rules.

    (2) As a minimum, the caption shall include:

    (i) The official title (normally the system manager) and official address to which the request is to be directed.

    (ii) The specific information required to determine if there is a record of the individual in the system.

    (iii) Identification of the offices through which the individual may obtain notification; and

    (iv) A description of any proof of identity required. (see § 310.17(c)).

    (3) When appropriate, the individual may be referred to a Component official who shall provide this information to him or her.

    (m) Record access procedures.

    (1) Describe how an individual can gain access to the records pertaining to him or her in the system. The procedural rules may be cited, but include a brief procedural description of the needed data. Provide sufficient information in the notice to allow an individual to exercise his or her rights without referral to the formal rules.

    (2) As a minimum, the caption shall include:

    (i) The official title (normally the system manager) and official address to which the request is to be directed.

    (ii) A description of any proof of identity required. (see § 310.17(c)).

    (iii) When appropriate, the individual may be referred to a Component official who shall provide the records to him or her.

    (n) Contesting record procedures.

    (1) Describe how an individual may contest the content of a record pertaining to him or her in the system.

    (2) The detailed procedures for contesting a record need not be identified if the Component procedural rules are readily available to the public. (For example, “The Office of the Secretary of Defense” rules for contesting contents are contained in 32 CFR 311.) All Component procedural rules are set forth at a Departmental public Web site (http://www.defenselink.mil/privacy/cfr-rules.html).

    (3) The individual may also be referred to the system manager to determine these procedures.

    (o) Record source categories.

    (1) Describe where (the individual, other Component documentation, other Federal agencies, etc.) the information contained in the system was obtained.

    (2) Specific individuals or institutions need not be identified by name, particularly if these sources have been granted confidentiality. (see § 310.29(b)).

    (p) Exemptions claimed for the System.

    (1) If no exemption has been claimed for the system, indicate “None.”

    (2) If an exemption is claimed, cite the exemption as well as identifying the CFR section containing the exemption rule for the system.

    (q) Maintaining the Master DoD System Notice Registry.

    (1) The DPO maintains a master registry of all DoD record systems notices.

    (2) The DPO also posts all DoD system notices to a public Web site (see http://www.defenselink.mil/privacy/notices).

    [72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]