E6-21942. Privacy Act of 1974; System of Records  

  • Start Preamble

    AGENCY:

    Office of the Secretary, OSD.

    ACTION:

    Notice to amend systems of records.

    SUMMARY:

    The Office of the Secretary of Defense is amending a system of records notice in its existing inventory of record systems subject to the Privacy Act of 1974 (5 U.S.C. 552a), as amended.

    DATES:

    Effective Date: January 9, 2007.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Ms. Juanita Irvin at (703) 696-4940.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    The Notice was published on May 23, 2005, in the Federal Register (70 FR 29486). During the comment period, two public comments were received, which were virtually identical in format and content. The commenters assert that the collection and maintenance of data in the Joint Advertising, Market Research & Studies (JAMRS) Recruiting Database violates the Privacy Act of 1974. The commenters also remarked that the Department of Defense (“DoD”) should not be engaged in direct marketing activities; that the collection and use of Social Security Numbers (SSNs) is unauthorized and poses significant risks to an individual's privacy; that the transfer of information from the DoD to a private contractor is inappropriate and that adequate security for the database is lacking; and, that the Department does not provide a means by which an individual may elect to have his or her data deleted from the database. The JAMRS Database is maintained in a manner that is consistent with the Privacy Act and other statutes and regulations relating to the Department's recruiting authority. In its discretion, however, the Department has determined that the publication of a revised Systems Notice, providing further explanation and clarification of the manner in which the JAMRS Database is maintained, is appropriate at this time.

    The Department received a comment asserting that the maintenance of the JAMRS Database violates the Privacy Act. Commenters assert that Congress, in enacting the Privacy Act, sought to restrict the amount of personal information that Federal agencies could collect and maintain on individuals; that direct marketing by the DoD does not constitute an authorized purpose or use of the information; and that agencies Start Printed Page 953should be transparent in their information practices.

    The Department's use of the JAMRS Database is consistent with the Privacy Act and its underlying purposes. The Department only collects such information on individuals as is relevant and necessary to accomplish a Departmental purpose prescribed by statute or Executive Order of the President. Consistent with this mandate, and in recognition of the importance of attracting qualified individuals to serve in the nation's all-volunteer force, Congress has directed the armed services to “conduct intensive recruiting campaigns to obtain enlistments” in the military (10 U.S.C. 503(a)(1) (emphasis supplied)). To this end, the Secretary of Defense has been provided with a broad mandate to “act on a continuing basis to enhance the effectiveness of recruitment programs of the Department of Defense (including programs conducted jointly and programs conducted by the separate armed forces) through an aggressive program of advertising and market research targeted at prospective recruits for the armed forces and those who may influence prospective recruits” (10 U.S.C. 502(a)(2) (emphasis supplied)). In addition to these congressional directives to the Secretary of Defense to conduct intensive recruiting campaigns, Congress also has conferred broad grants of authority to recruit upon the Under Secretary of Defense for Personnel and Readiness and the Secretaries of the Army, Navy and Air Force. See 10 U.S.C. 136 (Under Secretary); 3013 (Secretary of the Army); 5013 (Secretary of the Navy); 8013 (Secretary of the Air Force).

    The Department disagrees with the commenters' assertion that direct marketing is not an authorized agency purpose. Indeed, in acknowledgment of the critical role of recruitment efforts in the maintenance of the nation's all-volunteer military, Congress has appropriated funds dedicated for this purpose. In particular, Congress continues to provide for the appropriation of funds to carry out advertising and market research programs to enhance the military's recruiting efforts. This is neither a new effort nor a new system of records, but rather a continuation of an ongoing activity supporting the All-Volunteer Force. In the past, direct marketing data were compiled by each of the Services independently. In order to achieve significant costs savings, information is now purchased or obtained by the Department through a variety of sources (including but not limited to state motor vehicle departments, the Selective Service System registry, and commercially-purchased lists). It is then provided to and maintained by a contractor, and then, sent to the military Services for use incident to their respective recruiting programs. In effect, the success of the All-Volunteer Force is contingent on the Secretary's continuing ability to be able to contact young Americans for purposes of making them aware of their option to serve in the United States military and to perform a vital service on behalf of their nation. Although the Department did not initiate a new data collection effort, after an internal organizational realignment, the Department published the May 23, 2005 Systems Notice.

    The commenters further remarked that data should be collected directly from the individual as much as possible, that access and correction rights should be provided, and that the adoption of the Blanket Routine Uses for this database is inappropriate. These comments reflect a lack of understanding of the requirements of the Privacy Act, as well as the practical realities of collecting and maintaining data for use in military recruiting. First, the Privacy Act requires that information be collected to the “greatest extent practicable” directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs (5 U.S.C. 552a(e)(2)). The only practical cost-effective means of identifying the entire targeted population for recruiting efforts, as contemplated by 10 U.S.C. 503(a), is to obtain the information from a variety of third-party sources as is now being done. Moreover, the collection does not adversely impact an individual, in that it will not result in the denial of any Federal benefits nor will it result in any other unfavorable action impacting the individual. Second, access and amendment procedures are currently set out in the notice as is required by the Privacy Act (5 U.S.C. 552a(e)(4)). These provisions—specifically the notification, access, and contesting sections—advise individuals how they can determine if the database contains information about themselves, how they may access such information, and how they may contest the accuracy of the information in the database. And third, the Blanket Routine Uses, which are permissive in nature, generally are incorporated in all DoD system notices for record systems covered by the Privacy Act, unless there is a statutory or regulatory basis for not doing so. Since the information in the JAMRS database is used within DoD for recruiting purposes only and is not disclosed to non-DoD agencies, the Department has revised the notice to make clear that the Blanket Routine Uses do not apply except for those specific uses relating to disclosures to the Department of Justice for litigation purposes and to the General Services Administration and the National Archives and Records Administration for records management purposes.

    The commenters also remarked that the Department lacks authority for collecting Social Security Numbers (SSNs) and that their use for purposes of identifying individuals in the database is unnecessary. These contentions are mistaken. Executive Order 9397 permits the use of the SSN where Federal agencies require a system of numerical identification for individual persons incident to administering an agency activity. A unique identification system is essential in order to accomplish the limited purposes for which the number is used. The principal purpose for collecting the number is to identify individuals who are presently members of the Armed Forces. The SSN is matched against a DoD database containing the SSNs of new recruits. Where there is a match, the information in the JAMRS Database is not released to the Services for the recruitment mailings. Other unique identifiers, such as a residential address or home telephone numbers, may not always suffice, especially in a highly mobile society where individuals frequently move. SSNs are only collected from the Selective Service System (SSS) and are not collected from any other governmental or private database. The Department has revised the notice to make clear that SSNs are not collected from all data sources. Further, the SSNs are used solely for internal database purposes and are not shared with the military Services. The commenters also expressed the concern that the use of SSNs heightens the risk of identity theft. DoD acknowledges that identity theft is an important concern for the Department and that the compromise of the SSN would constitute a significant invasion of privacy. In order to minimize potential exposure, the Department scrambles—a form of encryption—the SSN upon receipt and maintains the SSN in a scrambled format during the time it is stored in the database. These actions, along with other security features for the database, constitute reasonable and appropriate safeguards to protect and preserve the integrity of the number.

    The commenters observed that use of a private contractor to maintain the data is an “aberration” of normal practice, and also expressed concern with regard Start Printed Page 954to a perceived lack of security procedures by the contractor to prevent abuse. Contractors or subcontractors are used to perform many activities on behalf of the Department, principally because of the unique expertise they possess and because the activity can be accomplished in a more cost-effective manner. The JAMRS contract was awarded based on the unique ability of the contractor to maintain and store large amounts of data in a secure manner; the contract does not permit the contractor to use the information for any non-Department of Defense marketing efforts. The Department recognizes the importance of ensuring that all data it collects are safely compiled, handled, stored, and transferred. The subcontractor has established a highly secure and restrictive environment by putting in place appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of the database. Vulnerability and risk assessment reviews are conducted on a regular basis to ensure maximum safeguarding of the information.

    The commenters also expressed concern about whether the company will be subject to the constraints imposed by the Privacy Act, or specifically whether the contractor is subject to 5 U.S.C. 552a(m). The contract includes the Privacy Act clause of the Federal Acquisition Regulation (FAR), specifically FAR 52.224-2, under which the contractor agrees to comply with the requirements of the Privacy Act and DoD rules and regulations issued under the Act. This contract provision also treats the contractor as an employee of DoD for purposes of the Privacy Act, and it is thus subject to possible criminal penalties if the Act is violated. The contract also was recently amended to incorporate the contract clause at FAR 52.239-1, Privacy and Security Safeguards, which includes a notification requirement if new or unanticipated threats or hazards are discovered, or if existing safeguards cease to function.

    Finally, the commenters asserted that individuals should be able to opt-out from the database. The Department agrees that such an option should be available. The Department currently permits any individual who is 151/2 years or older, or a parent or guardian acting on the behalf of any minor who is between 151/2 and 18 years old, to have his or her name removed from the JAMRS list provided to the Services for recruiting purposes. Individuals may accomplish this by sending a written request to JAMRS, Attn: Opt-Out, 4040 N. Fairfax Drive, Suite 200, Arlington, VA 22203. In order to process such requests, the individual's name, address, city, State, zip, and date of birth must be provided. The “Record Access Procedures” section of the System Notice has been expanded to set forth the above-prescribed procedures.

    The specific changes to the record system being amended are set forth below followed by the notice, as amended, published in its entirety. The proposed amendments are not within the purview of subsection (r) of the Privacy Act of 1974 (5 U.S.C. 552a), as amended, which requires the submission of a new or altered system report.

    Start Signature

    Dated: December 18, 2006.

    C.R. Choate,

    Alternate OSD Federal Register Liaison Officer, Department of Defense.

    End Signature

    DHRA 04

    System name:

    Joint Advertising and Market Research Recruiting Database (May 23, 2005, 70 FR 29486).

    Changes:

    System name:

    Delete entry and replace with “Joint Advertising, Market Research & Studies Recruiting Database.”

    System location:

    Delete entry and replace with “Equifax Database Services, Inc., 500 Edgewater Drive, Suite 525, Wakefield, MA 01880-3030.”

    Categories of individuals covered by the system:

    Delete entry and replace with “Young adults aged 16 to 18; college students; Selective Service System registrants; individuals who have taken the Armed Services Vocational Aptitude Battery (ASVAB) test; individuals who have responded to various paid/non-paid advertising campaigns seeking enlistment information; current military personnel who are on Active Duty or in the Reserves and prior service individuals who still have remaining Military Service Obligation; individuals who are in the process of enlisting; and individuals who have asked to be removed from any future recruitment lists.”

    Categories of records in the system:

    Delete entry and replace with “All Records: Full name, gender, address, city, State, zip code, source code. For Young Adults aged 16 to 18: Date of birth, telephone number, high school name, graduation date, grade point average, education level, military interest, college intent, ethnicity, ASVAB test date, ASVAB Armed Forces Qualifying Test Category Score. For College Students: Telephone number, college name, college location, college type, college competitive ranking, class year, ethnicity, field of study. For Selective Service System: Date of birth, scrambled Social Security Number, Selective Service registration method. Individuals who have responded to various paid/non-paid advertising campaigns seeking enlistment information: Date of birth, telephone number, Service Code, last grade completed, e-mail address, contact immediately flag. For Military Personnel: Date of birth, scrambled Social Security Number, ethnicity, education level, application date, military service and occupation information. For Individuals who have asked to be removed from future recruitment list: Date of birth, reason code.”

    Authority for maintenance of the system:

    Delete entry and replace with “10 U.S.C. 503(a), Enlistments: Recruiting campaigns; 10 U.S.C. 136, Under Secretary of Defense for Personnel and Readiness; 10 U.S.C. 3013 (Secretary of the Army); 10 U.S.C. 5013 (Secretary of the Navy); 10 U.S.C. 8013 (Secretary of the Air Force); and E.O.9397 (SSN).”

    Purpose(s):

    Delete entry and replace with “The purpose of the system of records maintained by the Joint Advertising, Market Research and Studies (JAMRS) is to compile, process and distribute files of individuals to the Services to assist them in their direct marketing recruiting efforts. The system also provides JAMRS with the ability to measure effectiveness of list purchases through ongoing analysis and to remove the names of individuals who are currently members of, or are enlisting in, the Armed Forces or who have asked that their names be removed from future recruitment lists.”

    Routine uses of records maintained in the system, including categories of users and the purposes of such uses:

    Delete entry and replace with “In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside the DoD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

    The DoD “Blanket Routine Uses set forth at the beginning of OSD's compilation of systems of records notices do not apply to this system except:Start Printed Page 955

    To any component of the Department of Justice for the purpose of representing the Department of Defense, or any officer, employee or member of the Department, in pending or potential litigation to which the record is pertinent.

    To the General Services Administration and the National Archives and Records Administration for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.”

    * * * * *

    Retrievability:

    Delete entry and replace with “Records may be retrieved by an individual's full name, address, and date of birth.”

    Safeguards:

    Delete entry and replace with “Access to information in the database is highly restricted and limited to those that require the records in the performance of their official duties. The database utilizes a layered approach of overlapping controls, monitoring and authentication to ensure overall security of the data, network and system resources. Sophisticated physical security, perimeter security (firewall, intrusion prevention), access control, authentication, encryption, data transfer, and monitoring solutions prevent unauthorized access from internal and external sources.”

    Retention and disposal:

    Delete entry and replace with “Destroy three years from the date the information pertaining to the individual is first distributed to the Services or, where data are subsequently collected from a different data source, from the date that subsequent data are subsequently distributed to the Services. Records for individuals who have responded to various paid/nonpaid advertising campaigns seeking enlistment are kept, for analytical purposes, until they are no longer needed. Records for individuals who wish to be removed from future recruitment lists (opted-out) are retained for ten years.”

    System manager(s) and address:

    Delete entry and replace with “Program Manager, Joint Advertising, Market Research & Studies (JAMRS), 4040 N. Fairfax Drive, Suite #200, Arlington, VA 22203-1613.”

    Notification procedure:

    Delete entry and replace with “Individuals seeking to determine whether information about them is contained in this system should address written inquiries to the Joint Advertising, Market Research & Studies (JAMRS), Direct Marketing Program Officer, 4040 N. Fairfax Drive, Suite #200, Arlington, Virginia 22203-1613.

    Requests should contain the full name, date of birth, and current address of the individual.”

    Record access procedures:

    Delete entry and replace with “Individuals seeking access to records about themselves contained in this system of records should address written inquiries to the Joint Advertising, Market Research & Studies (JAMRS), Direct Marketing Program Officer, 4040 N. Fairfax Drive, Suite #200, Arlington, Virginia 22203-1613.

    Requests should contain the full name, date of birth, and current address of the individual.

    Note 1:

    Individuals, who are 151/2 years old or older, or parents or legal guardians acting on behalf of individuals who are between the ages of 151/2 and 18 years old, seeking to have their name or the name of their child or ward, as well as other identifying data, removed from this system of records (or removed in the future when such information is obtained) should address written Opt-Out requests to the Joint Advertising, Marketing Research & Studies (JAMRS), ATTN: Opt-Out, 4040 N. Fairfax Drive, Suite #200, Arlington, Virginia 22203-1613. Such requests must contain the full name, date of birth, and current address of the individual.

    Note 2:

    Opt-Out requests will be honored for ten years. However, because opt-out screening is based, in part, on the current address of the individual, any change in address will require the submission of a new opt-out request with the new address.”

    * * * * *

    DHRA 04

    System name:

    Joint Advertising, Market Research & Studies Recruiting Database.

    System location:

    Equifax Database Services, Inc., 500 Edgewater Drive, Suite 525, Wakefield, MA 01880-3030.

    Categories of individuals covered by the system:

    Young adults aged 16 to 18; college students; Selective Service System registrants; individuals who have taken the Armed Services Vocational Aptitude Battery (ASVAB) test; individuals who have responded to various paid/non-paid advertising campaigns seeking enlistment information; current military personnel who are on Active Duty or in the Reserves and prior service individuals who still have remaining Military Service Obligation; individuals who are in the process of enlisting; and individuals who have asked to be removed from any future recruitment lists.

    Categories of records in the system:

    All Records: Full name, gender, address, city, State, zip code, source code. For Young Adults aged 16 to 18: Date of birth, telephone number, high school name, graduation date, grade point average, education level, military interest, college intent, ethnicity, ASVAB test date, ASVAB Armed Forces Qualifying Test Category Score. For College Students: Telephone number, college name, college location, college type, college competitive ranking, class year, ethnicity, field of study. For Selective Service System: Date of birth, scrambled Social Security Number, Selective Service registration method. Individuals who have responded to various paid/non-paid advertising campaigns seeking enlistment information: Date of birth, telephone number, Service Code, last grade completed, e-mail address, contact immediately flag. For Military Personnel: Date of birth, scrambled Social Security Number, ethnicity, education level, application date, military service and occupation information. For Individuals who have asked to be removed from future recruitment list: Date of birth, reason code.

    Authority for maintenance of the system:

    10 U.S.C. 503(a), Enlistments: recruiting campaigns; 10 U.S.C. 136, Under Secretary of Defense for Personnel and Readiness; 10 U.S.C. 3013 (Secretary of the Army); 10 U.S.C. 5013 (Secretary of the Navy); 10 U.S.C. 8013 (Secretary of the Air Force); and E.O. 9397 (SSN).

    Purpose(s):

    The purpose of the system of records maintained by the Joint Advertising, Market Research and Studies (JAMRS) is to compile, process and distribute files of individuals to the Services to assist them in their direct marketing recruiting efforts. The system also provides JAMRS with the ability to measure effectiveness of list purchases through ongoing analysis and to remove the names of individuals who are currently members of, or are enlisting in, the Armed Forces or who have asked that their names be removed from future recruitment lists.

    Routine uses of records maintained in the system, including categories of users and the purposes of such uses:

    In addition to those disclosures generally permitted under 5 U.S.C. Start Printed Page 956552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside the DoD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows: The DoD Blanket Routine Uses set forth at the beginning of OSD's compilation of systems of records notices do not apply to this system except:

    To any component of the Department of Justice for the purpose of representing the Department of Defense, or any officer, employee or member of the Department, in pending or potential litigation to which the record is pertinent.

    To the General Services Administration and the National Archives and Records Administration for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.

    Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

    Storage:

    Records are maintained on electronic storage media.

    Retrievability:

    Records may be retrieved by an individual's full name, address, and date of birth.

    Safeguards:

    Access to information in the database is highly restricted and limited to those that require the records in the performance of their official duties. The database utilizes a layered approach of overlapping controls, monitoring and authentication to ensure overall security of the data, network and system resources. Sophisticated physical security, perimeter security (firewall, intrusion prevention), access control, authentication, encryption, data transfer, and monitoring solutions prevent unauthorized access from internal and external sources.

    Retention and disposal:

    Destroy three years from the date the information pertaining to the individual is first distributed to the Services or, where data are subsequently collected from a different data source, from the date that subsequent data are subsequently distributed to the Services. Records for individuals who have responded to various paid/nonpaid advertising campaigns seeking enlistment are kept, for analytical purposes, until they are no longer needed. Records for individuals who wish to be removed from future recruitment lists (opted-out) are retained for ten years.

    System manager(s) and address:

    Program Manager, Joint Advertising, Market Research & Studies (JAMRS), 4040 N. Fairfax Drive, Suite #200, Arlington, VA 22203-1613.

    Notification procedure:

    Individuals seeking to determine whether information about them is contained in this system should address written inquiries to the Joint Advertising, Market Research & Studies (JAMRS), Direct Marketing Program Officer, 4040 N. Fairfax Drive, Suite #200, Arlington, Virginia 22203-1613.

    Requests should contain the full name, date of birth, and current address of the individual.

    Record access procedures:

    Individuals seeking access to records about themselves contained in this system of records should address written inquiries to the Joint Advertising, Market Research & Studies (JAMRS), Direct Marketing Program Officer, 4040 N. Fairfax Drive, Suite #200, Arlington, Virginia 22203-1613.

    Requests should contain the full name, date of birth, and current address of the individual.

    Note 1:

    Individuals, who are 151/2 years old or older, or parents or legal guardians acting on behalf of individuals who are between the ages of 151/2 and 18 years old, seeking to have their name or the name of their child or ward, as well as other identifying data, removed from this system of records (or removed in the future when such information is obtained) should address written Opt-Out requests to the Joint Advertising, Marketing Research & Studies (JAMRS), ATTN: Opt-Out, 4040 N. Fairfax Drive, Suite #200, Arlington, Virginia 22203-1613. Such requests must contain the full name, date of birth, and current address of the individual.

    Note 2:

    Opt-Out requests will be honored for ten years. However, because opt-out screening is based, in part, on the current address of the individual, any change in address will require the submission of a new opt-out request with the new address.

    Contesting record procedures:

    The OSD rules for accessing records, for contesting contents and appealing initial agency determinations are contained in OSD Administrative Instruction 81; 32 CFR part 311; or may be obtained from the system manager.

    Record source categories:

    Individuals; state Department of Motor Vehicle offices; commercial information brokers/vendors; Selective Service System; Defense Manpower Data Center (DMDC); United States Military Entrance Processing Command for individuals who have taken the ASVAB test; and the Military services and Congressional offices for individuals who have asked to be removed from any future recruitment lists.

    Exemptions claimed for the system:

    None.

    End Supplemental Information

    [FR Doc. E6-21942 Filed 1-8-07; 8:45 am]

    BILLING CODE 5001-06-P

Document Information

Comments Received:
0 Comments
Published:
01/09/2007
Department:
Defense Department
Entry Type:
Notice
Action:
Notice to amend systems of records.
Document Number:
E6-21942
Pages:
952-956 (5 pages)
Docket Numbers:
DOD-2006-OS-0221
PDF File:
e6-21942.pdf