E7-800. Office of the Secretary Privacy Program  


    AGENCY:

    Department of Defense.

    ACTION:

    Proposed rule.

    SUMMARY:

    This proposed rule updates and implements policies and procedures for the Privacy Act Program in the Office of the Secretary of Defense and organizations provided administrative support by the Washington Headquarters Services.

    DATES:

    Comments must be received by March 26, 2007.

    ADDRESSES:

    You may submit comments, identified by docket number and/or RIN number and title, by any of the following methods:

    • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
    • Mail: Federal Docket Management System Office, 1160 Defense Pentagon, Washington, DC 20301-1160.

    Instructions: All submissions received must include the agency name and docket number or Regulatory Information Number (RIN) for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the Internet at http://regulations.gov as they are received without change, including any personal identifiers or contact information.


    FOR FURTHER INFORMATION CONTACT:

    Ms. J. Irvin, 703-696-4940.


    SUPPLEMENTARY INFORMATION:

    Executive Order 12866, “Regulatory Planning and Review”

    It has been determined that 32 CFR part 311 is not a significant regulatory action. The rule does not:

    (1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy; a section of the economy; productivity; competition; jobs; the environment; public health or safety; or State, local, or tribal governments or communities;

    (2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another Agency;

    (3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs, or the rights and obligations of recipients thereof; or

    (4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in this Executive Order.

    Unfunded Mandates Reform Act (Sec. 202, Pub. L. 104-4)

    It has been certified that this rule does not contain a Federal mandate that may result in the expenditure by State, local and tribal governments, in aggregate, or by the private sector, of $100 million or more in any one year.

    Public Law 96-354, “Regulatory Flexibility Act” (5 U.S.C. 601)

    It has been certified that this rule is not subject to the Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if promulgated, have a significant economic impact on a substantial number of small entities. Certification is required.

    Public Law 96-511, “Paperwork Reduction Act” (44 U.S.C. Chapter 35)

    It has been certified that this rule does impose reporting or recordkeeping requirements under the Paperwork Reduction Act of 1995. The reporting and recordkeeping requirements have been submitted to OMB for review.

    Executive Order 13132, “Federalism”

    It has been certified that this rule does not have federalism implications, as set forth in Executive Order 13132. This rule does not have substantial direct effects on:

    (1) The States;

    (2) The relationship between the National Government and the States; or

    (3) The distribution of power and responsibilities among the various levels of Government.


    List of Subjects in 32 CFR Part 311

    • Privacy

    Accordingly, 32 CFR part 311 is proposed to be revised to read as follows:


    PART 311—OFFICE OF THE SECRETARY OF DEFENSE PRIVACY PROGRAM

    311.1 Purpose.
    311.2 Applicability.
    311.3 Definitions.
    311.4 Policy.
    311.5 Responsibilities.
    311.6 Procedures.
    311.7 Information requirements.

    Authority: Pub. L. 93-579, 88 Stat. 1986 (5 U.S.C. 552a).

    311.1 Purpose.

    This part updates and implements the policies and procedures outlined in 5 U.S.C. 552a, Office of Management and Budget (OMB) Circular No. A-130, DoD Directive 5400.11,[1] and DoD 5400.11-R.[2] This part provides guidance and procedures for implementing the Privacy Program in the Office of the Secretary of Defense (OSD) and organizations receiving administrative support from the Washington Headquarters Services (WHS), according to DoD Directive 5110.4.[3]

    311.2 Applicability.

    This part:

    (a) Applies to the OSD, the Chairman of the Joint Chiefs of Staff, and other activities receiving administrative support from the WHS (hereafter referred to collectively as the “OSD Components”).

    (b) Covers systems of records maintained by the OSD Components and governs the maintenance, access, change, and release of information contained in those systems of records, from which information about an individual is retrieved by a personal identifier.

    311.3 Definitions.

    Access. Any individual's review of a record or a copy of a record or parts of a system of records.

    Disclosure. The transfer of any personal information from a system of records by any means of oral, written, electronic, mechanical, or other communication, to any person, private entity, or Government Agency, other than the subject of the record, the subject's designated agent, or the subject's guardian.

    Individual. A living citizen of the United States or an alien lawfully admitted to the United States for permanent residence. The legal guardian of an individual has the same rights as the individual and may act on his or her behalf.

    Individual access. Access to personal information pertaining to the individual, by the individual, his or her designated agent, or legal guardian.

    Maintain. For the purpose of this part, includes maintenance, collection, use, or dissemination.

    Matching program. A program that matches the personal records in computerized databases of two or more Federal Agencies using a computer.

    Personal information. Information about an individual that is intimate or private, as distinguished from information related solely to the individual's official functions or public life.

    Records. Any item, collection, or grouping of information, whatever the storage media (e.g., paper or electronic), about an individual that is maintained by an OSD Component, including, but not limited to, his or her education, financial transactions, medical history, criminal or employment history, and that contains his or her name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or photograph.

    System manager. An OSD Component official who is responsible for the operation and management of a system of records.

    System of records. A group of records under the control of an OSD Component from which personal information is retrieved by the individual's name or by some identifying number, symbol, or other identifying particular assigned to an individual.

    311.4 Policy.

    (a) According to DoD 5400.11-R,[4] it is DoD policy to safeguard personal information contained in any system of records maintained by any DoD Component and to permit any individual to know what existing records pertain to him or her.

    (b) Each office maintaining records and information about individuals shall ensure that this data is protected from unauthorized disclosure. These offices shall permit individuals to have access to and have a copy made of all or any portion of records about them, except as provided in Chapters 3 and 5 of DoD 5400.11-R. The individuals will also have an opportunity to request that such records be amended as provided by 5 U.S.C. 552a and Chapter 3 of DoD 5400.11-R. Individuals requesting access to their records shall receive concurrent consideration under 5 U.S.C. 552 and 552a, if appropriate.

    (c) The Heads of the OSD Components shall maintain any necessary record of a personal nature that is individually identifiable in a manner that complies with the law and DoD policy. Any information collected must be as accurate, relevant, timely, and complete as is reasonable to ensure fairness to the individual. Adequate safeguards must be provided to prevent misuse or unauthorized release of such information.

    311.5 Responsibilities.

    (a) The Director, WHS, shall:

    (1) Direct and administer the DoD Privacy Program for the OSD Components.

    (2) Establish standards and procedures to ensure implementation of and compliance with 5 U.S.C. 552a, OMB Circular No. A-130, DoD Directive 5400.11 and DoD 5400.11-R.

    (3) Ensure the Records and Declassification Division, Executive Services Directorate (ESD), WHS, implements all aspects of 5 U.S.C. 552a, except that portion about receiving and acting on public requests for personal records. As such, the Records and Declassification Division shall:

    (i) Exercise oversight and administrative control of the Privacy Act Program for the OSD Components.

    (ii) Provide guidance and training to the OSD Components as required by 5 U.S.C. 552a and OMB Circular A-130. Periodic training will be provided to public affairs officers and others who may be expected to deal with the news media or the public.

    (iii) Collect and consolidate data from the OSD Components and submit reports to the Defense Privacy Office (DPO), as required by 5 U.S.C. 522a; OMB Circular A-130, DoD Directive 5400.11, DoD 5400.1-R, and the DPO.

    (iv) Coordinate and consolidate information for reporting all record systems, as well as changes to approved systems, to the OMB, the Congress, and the Federal Register, as required by 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.1-R.

    (v) Serve as the appellate authority for OSD Components when a requester appeals a denial for access to records under 5 U.S.C. 552a.

    (vi) Serve as the appellate authority for OSD Components when a requester appeals a denial for amendment of a record or initiates legal action to correct a record.

    (vii) Evaluate and decide, in coordination with the DPO, appeals resulting from denials of access or amendments to records by the OSD Components.

    (4) Ensure the Freedom of Information Division, ESD, WHS, complies with all aspects of 5 U.S.C. 552a including that portion about receiving and acting on public requests for personal records. As such, the Freedom of Information Division shall:

    (i) Forward requests for information or access to records to the appropriate OSD Component having primary responsibility for any pertinent system of records under 5 U.S.C. 552a or to the OSD Components under 5 U.S.C. 552.

    (ii) Maintain deadlines to ensure responses are made within the time limits prescribed in 5 U.S.C. 552, DoD Instruction 5400.10 [5] and this part.

    (iii) Collect fees charged and assessed for reproducing requested materials.

    (iv) Refer all matters about amendments of records and general and specific exemptions under 5 U.S.C. 552a to the proper OSD Components.

    (5) Coordinate with the DoD General Counsel, or the WHS General Counsel when appropriate, on OSD Components' denials of appeals for amending records, and review actions to confirm denial of access to records, as appropriate.

    (b) The DoD General Counsel shall provide advice and assistance to the:

    (1) Chief, Records and Declassification Division, in the discharge of appellate and review responsibilities.

    (2) Chief, Freedom of Information Division, on all access matters.

    (3) OSD Component on legal matters pertaining to 5 U.S.C. 552a.

    (c) The Heads of the OSD Components shall:

    (1) Designate an individual as the point of contact for Privacy Act matters; advise the Chief, Records and Declassification Division, and the Chief, Freedom of Information Division, of the names of officials so designated.

    (2) Report any new record system, or changes to an existing system, to the Chief, Records and Declassification Division, at least 90 days before the intended use of the system.

    (3) Review all contracts pertaining to the maintenance of records systems, by or on behalf of the OSD Component, to ensure within his or her authority that language is included that provides such systems shall be maintained consistent with 5 U.S.C. 552a.

    (4) Revise procurement guidance to ensure contracts providing for the maintenance of a records system, by or on behalf of the OSD Component, includes language that such system shall be maintained in accordance with 5 U.S.C. 552a.

    (5) Ensure computer and telecommunications equipment or service procurements comply with 5 U.S.C. 552.

    (6) Coordinate with the Chief Information Officer for the OSD Component to ensure a risk analysis is conducted in compliance with DoD 5400.11-R.

    (7) Coordinate with the OSD Chief Information Officer to ensure a Privacy Impact Assessment is conducted in compliance with DoD CIO memorandum dated October 28, 2005 [6] and DoD's implementing guidance.

    (8) Ensure all DoD issuances prepared by the OSD Component that require forms or other methods to collect information about individuals are in compliance with 5 U.S.C. 552a.

    (9) Establish internal administrative procedures to comply with the procedures listed in this part and DoD 5400.11-R.

    (10) Coordinate with legal counsel on all proposed denials of access to records.

    (11) Provide justification to the Freedom of Information Division when access to a record is denied in whole or in part.

    (12) Provide the record of an initial denial of access to a record that is appealed to the Freedom of Information Division at the time of initial denial.

    (13) Maintain an accurate accounting of the actions resulting in a denial for access to a record or for the correction of a record. This accounting should be maintained so it can be readily certified as the complete record of proceedings if litigation occurs in accordance with DoD 5400.11-R.

    (14) Ensure all personnel who either have access to a system of records, or who are engaged in developing or overseeing the procedures for handling records in a system, are aware of their responsibilities for protecting personal information according to 5 U.S.C. 552a and DoD 5400.11-R.

    (15) Forward all requests for access to records received directly from an individual to the Freedom of Information Division for appropriate suspense control and recording.

    (16) Provide the Freedom of Information Division with a copy of the requested record when the request is granted.

    (d) The requester shall:

    (1) Submit a request for access to records pertaining to oneself in writing or in person to the OSD Component's custodian of the records. If the requester is not satisfied with the response, he or she may file another request in writing as provided in paragraph 311.1(b)(2). The requester must provide personal identification to verify identity according to Chapter 3 of DoD 5400.11-R and provide a signed notarized statement or a sworn declaration in the format specified by DoD 5400.7-R.[7]

    (2) Describe the record sought and provide sufficient information to enable the material to be located (e.g., identification of system of records, approximate date it was initiated, originating organization, and type of document).

    (3) Comply with the procedures provided in DoD 5400.11-R for inspecting and/or obtaining copies of requested records.

    (4) Submit a written request to amend a record to the office designated in the system of records notice.

    311.6 Procedures.

    (a) Publication of notice in the Federal Register. (1) A notice shall be published in the Federal Register of any record system meeting the definition of a system of records in DoD 5400.11-R.

    (2) OSD Components shall provide the Chief, Records and Declassification Division, with 90 days advance notice of any anticipated new or revised system of records. This information shall be submitted to the OMB and Congress at least 60 days before use and published in the Federal Register at least 30 days before being put into use according to the procedures in DoD 5400.11-R. This provides the public with an opportunity to submit written data, views, or arguments to the OSD Components for consideration before a system of records is established or modified.

    (b) Access to systems of records information. (1) As provided by 5 U.S.C. 552a, records shall be disclosed only to the individual they pertain to and under whose individual name or identifier they are filed, unless exempted by the provisions in DoD 5400.11-R. If an individual is accompanied by a third party, the individual shall be required to furnish a signed access authorization which grants the third party access according to Chapter 3 of DoD 5400.11-R.

    (2) Individuals may request access to their records, in person or by mail, in accordance with the following procedures:

    (i) In person. Submit a request for an appointment in writing to WHS, ESD, Freedom of Information Division, 1155 Defense Pentagon, Washington, DC 20301-1155. The individual shall provide personal identification to the Freedom of Information Division to verify the individual's identity according to Chapter 3 of DoD 5400.11-R and provide a signed notarized statement or a sworn declaration in the format specified by DoD 5400.7-R.

    (ii) By mail. Address requests to WHS, ESD, Freedom of Information Division, 1155 Defense Pentagon, Washington, DC 20301-1155. To verify the identity of the individual, the request shall include either a signed notarized statement or a sworn declaration in the format specified by DoD 5400.7-R.

    (3) There is no requirement that an individual be given access to records that are not in a group of records that meet the definition of a system of records in 5 U.S.C. 552a.

    (4) Granting access to a record containing personal information shall not be conditional upon any requirement that the individual state a reason or otherwise justify the need to gain access.

    (5) No verification of identity shall be required of an individual seeking access to records that are otherwise available to the public.

    (6) Individuals shall not be denied access to a record in a system of records about themselves because those records are exempted from disclosure under 5 U.S.C. 552. Individuals may only be denied access to a record in a system of records about themselves when those records are exempted from the access provisions of Chapter 5 of DoD 5400.11-R.

    (7) Individuals shall not be denied access to their records for refusing to disclose their Social Security Number (SSN), unless disclosure of the SSN is required by statute, by regulation adopted before January 1, 1975, or if the record's filing identifier and only means of retrieval is by SSN.

    (c) Access to records or information compiled for law enforcement purposes. (1) Requests are processed under DoD Directive 5400.11 and 5 U.S.C. 552 to give requesters a greater degree of access to records on themselves.

    (2) Records in the custody of law enforcement activities that have been incorporated into a system of records or exempted from the access conditions of DoD Directive 5400.11 will be processed in accordance with 5 U.S.C. 552. Individuals shall not be denied access to records solely because they are in the exempt system. They will have the same access that they would receive under 5 U.S.C. 552. (Also see section A.10., Chapter 3, DoD 5400.11-R)

    (3) Records exempted from access conditions will be processed in accordance with DoD Directive 5400.11 or 5 U.S.C. 552, depending upon which regulation gives the greater degree of access. (See also section A.10.1., Chapter 3, DoD 5400.11-R)

    (4) Records exempted from access under Section B, Chapter 5 of DoD 5400.11-R, that are temporarily in the custody of a non-law enforcement element for adjudicative or personnel actions, shall be referred to the originating agency.

    (d) Access to illegible, incomplete, or partially exempt records. (1) An individual shall not be denied access to a record or a copy of a record solely because the physical condition or format of the record does not make it readily available (e.g., deteriorated state or on magnetic tape). The document will be prepared as an extract, or it will be recopied exactly as is.

    (2) If a portion of the record contains information that is exempt from access, an extract or summary containing all releasable information in the record shall be prepared.

    (3) When the physical condition of the record makes it necessary to prepare an extract for release, the extract shall be prepared so that the requester will understand it.

    (4) The requester shall be informed of all deletions or changes to records.

    (e) Access to medical records. (1) Medical records shall be disclosed to the individual and may be transmitted to a medical doctor named by the individual concerned.

    (2) The individual may be charged reproduction fees for copies of records according to DoD 5400.11-R.

    (f) Amending and disputing personal information in systems of records. (1) The Head of an OSD Component, or a designated official, shall allow individuals to request amendment to their records to the extent that such records are not accurate, relevant, timely, or complete. Requests should be as brief and as simple as possible and should contain adequate identifying information to locate the record, a description of the items to be amended, and the reason for the change. A request shall not be rejected nor required to be resubmitted unless additional information is essential to process the request. Requesters shall be required to provide verification of their identity as stated in paragraph (b)(2) of this section to ensure they are seeking to amend records about themselves.

    (2) The appropriate system of records system manager shall mail a written acknowledgment of an individual's request to amend a record within 10 workdays after receipt. Such acknowledgment shall identify the request and may, if necessary, request any additional information needed to make a determination. No acknowledgment is necessary if the request can be reviewed and processed, and the individual can be notified of compliance or denial, within the 10-day period. Whenever practical, the decision shall be made within 30 working days. For requests presented in person, written acknowledgment may be provided at the time the request is presented.

    (3) Amending personal information. The Head of an OSD Component, or designated official, shall promptly take one of the following actions on requests to amend records:

    (i) If they agree with any portion or all of an individual's request, amend the records in accordance with existing statutes, regulations, or internal administrative procedures, and inform the requester of the action taken. The OSD Component shall also notify all previous holders of the record that the amendment has been made and shall explain the substance of the correction, except for disclosures of the records to officers or DoD employees, or made as required by the Freedom of Information Act, the OSD shall also notify all to whom the record was disclosed that the amendment has been made and shall explain the substance of the correction.

    (ii) Notify the requester of the disapproval to amend a record and the reason for the disapproval. Notify the requester of the procedure to submit an appeal as described in paragraph (f)(5) of this section if he or she disagrees with all or any portion of a request.

    (iii) Refer requests to the appropriate Federal Agency. Advise the requester of this referral if the request for an amendment pertains to a record controlled and maintained by another Agency.

    (4) Disputing personal information. The Head of an OSD Component or designated official shall:

    (i) Determine whether the requester has adequately supported his or her claim that the record is inaccurate, irrelevant, untimely, or incomplete.

    (ii) Limit the review of a record to those items of information that clearly bear on any determination to amend the records and ensure that those elements are reviewed before a determination is made.

    (5) If an individual disagrees with the initial OSD Component determination, he or she may file an appeal. The request should be sent to the Chief, Records and Declassification Division, WHS, 1155 Defense Pentagon, Washington, DC 20301-1155.

    (6) If, after review, the Records and Declassification Division determines the system of records should not be amended as requested, the Records and Declassification Division shall provide a copy of any statement of disagreement to the extent that disclosure accounting is maintained in accordance with Chapter 4 of DoD 5400.11-R. The Records and Declassification Division shall advise the individual:

    (i) Of the reason and authority for the denial.

    (ii) Of his or her right to file a statement of the reason for disagreeing with the Records and Declassification Division decision.

    (iii) Of the procedures for filing a statement of disagreements.

    (iv) That the statement filed shall be made available to anyone the record is disclosed to, together with a brief statement summarizing reasons for refusing to amend the records.

    (7) If the Records and Declassification Division determines that the record should be amended in accordance with the individual's request, the OSD Component shall amend the record, and advise the individual of the amendment, in accordance with Chapter 4 of DoD 5400.11-R.

    (8) All appeals should be processed within 30 workdays after receipt. If the Records and Declassification Division determines that a fair and equitable review cannot be made within that time, the individual shall be informed in writing of the reasons for the delay and of the approximate date the review is expected to be completed.

    (g) Disclosure of disputed information. (1) If the Records and Declassification Division determines the record should not be amended and the individual has filed a statement of disagreement under paragraph (f)(7) of this section, the OSD Component shall annotate the disputed record so it is apparent under record disclosure that a statement has been filed. Where feasible, the notation itself shall be integral to the record. Where disclosure accounting has been made, the OSD Component shall advise previous recipients that the record has been disputed and shall provide a copy of the individual's statement of disagreement in accordance with Chapter 4 of DoD 5400.11-R.

    (i) This statement shall be maintained to permit ready retrieval whenever the disputed portion of the record is disclosed.

    (ii) When information that is the subject of a statement of disagreement is subsequently disclosed, the OSD Component's designated official shall note which information is disputed and provide a copy of the individual's statement.

    (2) The OSD Component shall include a brief summary of its reasons for not making a correction when disclosing disputed information. Such statements shall normally be limited to the reasons given to the individual for not amending the record.

    (3) Copies of the OSD Component's summary will be treated as part of the individual's record; however, it will not be subject to the amendment procedure outlined in paragraph (c)(3) of this section.

    (h) Penalties. (1) Civil action. An individual may file a civil suit against the OSD Component or its employees if the individual feels certain provisions of the Privacy Act have been violated as stated in 5 U.S.C. 552a.

    (2) Criminal action. (i) Criminal penalties may be imposed against an OSD officer or employee for offenses listed in Section (i) of 5 U.S.C. 552a, as follows:

    (A) Willful unauthorized disclosure of protected information in the records.

    (B) Failure to publish a notice of the existence of a record system in the Federal Register.

    (C) Requesting or gaining access to the individual's record under false pretenses.

    (ii) An OSD officer or employee may be fined up to $5,000 for a violation as outlined in paragraph (h)(2)(i) of this section.

    (i) Litigation status sheet. Whenever a complaint citing 5 U.S.C. 552a is filed in a U.S. District Court against the Department of Defense, an OSD Component, or any OSD employee, the responsible system manager shall promptly notify the DPO. The litigation status sheet in DoD 5400.11-R provides a standard format for this notification. (The initial litigation status sheet shall, as a minimum, provide the information required by items 1 through 6 of DoD 5400.11-R.) A revised litigation status sheet shall be provided at each stage of the litigation. When a court renders a formal opinion or judgment, copies of the judgment or opinion shall be provided to the DPO with the litigation status sheet reporting that judgment or opinion.

    (j) Computer matching programs. Chapter 11, paragraph B of DoD 5400.11-R, prescribes that all requests for participation in a matching program (either as a matching agency or a source agency) be submitted to the DPO for review and compliance. The OSD Components shall submit these requests through the Records and Declassification Division.

    311.7 Information requirements.

    The DPO shall establish requirements and deadlines for DoD privacy reports. These reports shall be licensed in accordance with DoD Directive 8910.1.[8]


    Dated: January 16, 2007.

    L.M. Bynum,

    Alternate OSD Federal Register Liaison Officer, DoD.


    [FR Doc. E7-800 Filed 1-22-07; 8:45 am]

    BILLING CODE 5001-06-P

Document Information

Published: 01/23/2007
Department: Defense Department
Entry Type: Proposed Rule
Action: Proposed rule.
Document Number: E7-800
Dates: Comments must be received by March 26, 2007.
Pages: 2819-2823 (5 pages)
Docket Numbers: DoD-2006-OS-0033, 0790-AI10
Topics: Privacy
PDF File: e7-800.pdf
CFR (7): 32 CFR 311.1, 32 CFR 311.2, 32 CFR 311.3, 32 CFR 311.4, 32 CFR 311.5, ...