§ 317.72 - System of records notices.  

    (a) Contents of a record system notice. The following data captions are prescribed by the Office of the Federal Register and must be included for each system notice:

    (1) System identifier.

    (2) System name.

    (3) System location.

    (4) Categories of individuals covered by the system.

    (5) Categories of records in the system.

    (6) Authority for maintenance of the system.

    (7) Purpose(s).

    (8) Routine uses of records maintained in the system, including categories of users and purposes of the uses.

    (9) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system.

    (10) System manager(s) and address.

    (11) Notification procedures.

    (12) Record access procedures.

    (13) Contesting records procedures.

    (14) Record source categories; and

    (15) Exemptions claimed for the system.

    (b) System identification. The system identifier must appear in all system notices. It is limited to 21 positions, including agency code, file number, symbols, punctuation, and spaces.

    (c) System name. (1) The system name must indicate the general nature of the system of records and, if possible, the general category of individuals to whom it pertains.

    (2) Acronyms should be established parenthetically following the first use of the name (e.g., “Field Audit Office Management Information System (FMIS)”). Acronyms shall not be used unless preceded by such an explanation.

    (3) The system name may not exceed 55 character positions, including punctuation and spaces.

    (d) System location. (1) For a system maintained in a single location, provide the exact office name, organizational identity, routing symbol, and full mailing address. Do not use acronyms in the location address.

    (2) For a geographically or organizationally decentralized system, describe each level of organization or element that maintains a portion of the system of records.

    (3) For an automated data system with a central computer facility and input or output terminals at geographically separate locations, list each location by category.

    (4) If multiple locations are identified by type of organization, the system location may indicate that official mailing addresses are published as an appendix to the agency's compilation of systems of records notices in the Federal Register. If no address directory is used, or if the addresses in the directory are incomplete, the address of each location where a portion of the record system is maintained must appear under the “system location” caption.

    (5) Classified addresses shall not be listed, but the fact that they are classified shall be indicated.

    (6) The U.S. Postal Service two-letter state abbreviation and the nine-digit zip code shall be used for all domestic addresses.

    (e) Categories of individuals covered by the system. (1) Clear, nontechnical terms shall state the specific categories of individuals to whom records in the system pertain.

    (2) Broad descriptions such as “all DCAA personnel” or “all employees,” should be avoided unless the term actually reflects the category of individuals involved.

    (f) Categories of records in the system. (1) Clear, nontechnical terms shall be used to describe the types of records maintained in the system.

    (2) The description of documents should be limited to those actually retained in the system of records. Source documents should not be described that are used only to collect data and then are destroyed.

    (g) Authority for maintenance of the system. (1) The system of records must be authorized by a Federal law or Executive Order of the President, and the specific provision must be cited.

    (2) When citing federal laws, include the popular names (e.g., “5 U.S.C. 552a, The Privacy Act of 1974”) and for Executive Orders, the official titles (e.g., “Executive Order 9397, Numbering System for Federal Accounts Relating to Individual Persons”).

    (3) The Directive establishing the agency, DoD Directive 5105.36 (32 CFR part 357), as well as the law that authorizes the Secretary of Defense to issue Directives, 10 U.S.C. 133, should be cited.

    (h) Purpose(s). The specific purpose(s) for which the system of records was created and maintained, that is, the uses of the records within the agency and the rest of the Department of Defense, should be listed.

    (i) Routine uses. (1) All disclosures of the records outside the agency, including the recipient of the disclosed information and the uses the recipient will make of it should be listed.

    (2) If possible, the specific activity or element to which the record may be disclosed (e.g., “to the Department of Veterans Affairs, Office of Disability Benefits”) should be listed.

    (3) General statements such as “to other Federal Agencies as required” or “to any other appropriate Federal agency” should not be used.

    (4) The blanket routine uses, published at the beginning of the agency's compilation, apply to all system notices, unless the individual system notice states otherwise.

    (j) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records. This section is divided into four parts.

    (1) Storage: The method(s) used to store the information in the system (e.g., “automated, maintained in computers and computer output products” or “manual, maintained in paper files” or “hybrid, maintained in paper files and in computers”) should be stated. Storage does not refer to the container or facility in which the records are kept.

    (2) Retrievability: How records are retrieved from the system (e.g., “by name,” “by SSN,” or “by name and SSN”) should be indicated.

    (3) Safeguards: The categories of agency personnel who use the records and those responsible for protecting the records from unauthorized access should be stated. Generally the methods used to protect the records, such as safes, vaults, locked cabinets or rooms, guards, visitor registers, personnel screening, or computer “fail-safe” systems software should be identified. Safeguards should not be described in such detail as to compromise system security.

    (4) Retention and disposal: Describe how long records are maintained. When appropriate, the length of time records are maintained by the agency in an active status, when they are transferred to a Federal Records Center, how long they are kept at the Federal Records Center, and when they are transferred to the National Archives or destroyed should be stated. If records eventually are destroyed, the method of destruction (e.g., shredding, burning, pulping, etc.) should be stated. If the agency rule is cited, the applicable disposition schedule shall also be identified.

    (k) System manager(s) and address. (1) The title (not the name) and address of the official or officials responsible for managing the system of records should be listed.

    (2) If the title of the specific official is unknown, such as with a local system, the local director or office head as the system manager should be indicated.

    (3) For geographically separated or organizationally decentralized activities with which individuals may correspond directly when exercising their rights, the position or title of each category of officials responsible for the system or portion thereof should be listed.

    (4) Addresses that already are listed in the agency address directory should not be included; simply refer to the directory.

    (l) Notification procedures. (1) Notification procedures describe how an individual can determine if a record in the system pertains to him or her.

    (2) If the record system has been exempted from the notification requirements of subsection (f)(1) or subsection (e)(4)(G) of the Privacy Act, it should be so stated.

    (3) If the system has not been exempted, the notice must provide sufficient information to enable an individual to request notification of whether a record in the system pertains to him or her. Merely referring to the agency's procedural rules is not sufficient.

    (4) This section should also include:

    (i) The title (not the name) and address of the official (usually the system manager) to whom the request must be directed;

    (ii) Any specific information the individual must provide in order for the agency to respond to the request (e.g., name, SSN, date of birth, etc.); and

    (iii) Any description of proof of identity for verification purposes required for personal visits by the requester.

    (m) Record access procedures. (1) This section describes how an individual can review the record and obtain a copy of it.

    (2) If the system has been exempted from access and publishing access procedures under subsections (d)(1) and (e)(4)(H), respectively, of the Privacy Act, it should be so indicated.

    (3) If the system has not been exempted, describe the procedures an individual must follow in order to review the record and obtain a copy of it, including any requirements for identity verification.

    (4) If appropriate, the individual may be referred to the system manager or another agency official who shall provide a detailed description of the access procedures. Any addresses already listed in the address directory should not be repeated.

    (n) Contesting record procedures. (1) This section describes how an individual may challenge the denial of access or the contents of a record that pertains to him or her.

    (2) If the record system has been exempted from allowing amendments to records or publishing amendment procedures under subsections (d)(2) and (e)(4)(H), respectively, of the Privacy Act, it should be so stated.

    (3) If the system has not been exempted, the procedures an individual must follow in order to challenge the content of a record pertaining to him or her should be described, or the notice should explain how he or she can obtain a copy of the procedures (e.g., by contacting the system manager or another agency official).

    (o) Record source categories. (1) If the system has been exempted from publishing record source categories under subsection (e)(4)(I) of the Privacy Act, it should be so stated.

    (2) If the system has not been exempted, this caption must describe where the agency obtained the information maintained in the system.

    (3) Describing the record sources in general terms is sufficient; specific individuals, organizations, or institutions need not be identified.

    (p) Exemptions claimed for the system. (1) If no exemption has been established for the system, indicate “None.”

    (2) If an exemption has been established, state under which provision of the Privacy Act it is established (e.g., “Parts of this system of records may be exempt under 5 U.S.C. 552a(k)(2)”).