§ 317.130 - Establishing and using exemptions.  

(a) Types of exemptions. (1) There are two types of exemptions permitted by the Privacy Act:

(i) General exemptions that authorize the exemption of a system of records from all but specifically identified provisions of the Privacy Act, and

(ii) Specific exemptions that allow a system of records to be exempted from only a few designated provisions of the Privacy Act.

(2) Neither the Privacy Act nor this part permits exemption of a system of records from all provisions of the Privacy Act.

(b) Establishing exemptions. (1) Neither general nor specific exemptions are established automatically for a system of records. Only the Director of DCAA or his/her designee shall make a determination that the system is one for which an exemption may be established and then propose and establish an exemption rule for the system. No system of records within the agency shall be considered exempted until the Assistant Director, Resources, DCAA has approved the exemption and an exemption rule has been published as a final rule in the Federal Register for this part.

(2) Only the Assistant Director, Resources, or his or her designee, may establish an exemption for a system of records.

(3) No exemption may be established for a system of records until the system itself has been established by publishing a notice in the Federal Register describing the system.

(4) A system of records is exempt from only those provisions of the Privacy Act that are identified specifically in the agency exemption rule for the system.

(c) Provisions to which exemptions may be applied. After, or along with, establishing the system of records, the Assistant Director, Resources, may establish an exemption rule that shall exempt the system of records from any provision of the Privacy Act for which an exemption is allowed.

(d) Using exemptions. (1) Exemptions should be used only for the specific purposes stated in the exemption rules and only when in the best interest of the Government. Exemptions should be applied to only the specific portions of the records that require protection.

(2) An exemption should not be used to deny an individual access to information that he or she can obtain under the FOIA.

(e) Exempt records maintained in nonexempt systems. (1) An exemption rule applies to the system of records for which it was established. If a record from an exempted system is incorporated intentionally into a system that has not been exempted, the published notice and rules for the non-exempted system will apply to the record and it will not be exempt from any provisions of the Privacy Act.

(2) A record from one DoD component's exempted system that is temporarily in the possession of another DoD component remains subject to the published system notice and rules of the originating DoD component. However, if the non-originating DoD component incorporates the record into its own system of records, the published notice and rules for the system into which it is incorporated shall apply. If that system of records has not been exempted, the record shall not be exempt from any provisions of the Privacy Act.

(3) Care should be exercised that exempt records are not accidentally misfiled into a system of records that are not exempted