96-12856. Defense Finance and Accounting Service  

  • [Federal Register Volume 61, Number 100 (Wednesday, May 22, 1996)]
    [Rules and Regulations]
    [Pages 25561-25566]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 96-12856]
    
    
    
    =======================================================================
    -----------------------------------------------------------------------
    
    DEPARTMENT OF DEFENSE
    
    
    Defense Finance and Accounting Service
    
    32 CFR Part 324
    
    [DFAS Reg. 5400.11-R]
    
    DFAS Privacy Act Program
    
    AGENCY: Defense Finance and Accounting Service, DOD.
    ACTION: Final rule.
    
    -----------------------------------------------------------------------
    
    SUMMARY: This rule establishes the Defense Finance and Accounting 
    Service Privacy Act Program. The Defense Finance and Accounting Service 
    (DFAS) was established to provide finance and accounting services for 
    the DoD Components and other Federal activities, as designated by the 
    Comptroller, DoD.
        The Defense Finance and Accounting Service was activated on January 
    15, 1991, to improve the overall effectiveness of DoD financial 
    management through the consolidation, standardization and integration 
    of finance and accounting systems, procedures and operations. DFAS is 
    also responsible for identifying and implementing finance and 
    accounting requirements, systems and functions for appropriated and 
    non-appropriated funds, as well as working capital, revolving funds and 
    trust fund activities--including security assistance.
    EFFECTIVE DATE: May 1, 1996.
    
    FOR FURTHER INFORMATION CONTACT: Ms. Genevieve Turney (703) 607-5165 or 
    DSN 327-5165.
    
    SUPPLEMENTARY INFORMATION: Executive Order 12866. The Director, 
    Administration and Management, Office of the Secretary of Defense has 
    determined that this Privacy Act rule for the Department of Defense 
    does not constitute `significant regulatory action'. Analysis of the 
    rule indicates that it does not have an annual effect on the economy of 
    $100 million or more; does not create a serious inconsistency or 
    otherwise interfere with an action taken or planned by another agency; 
    does not materially alter the budgetary impact of entitlements, grants, 
    user fees, or loan programs or the rights and obligations of recipients 
    thereof; does not raise novel legal or policy issues arising out of 
    legal mandates, the President's priorities, or the principles set forth 
    in Executive Order 12866 (1993).
    
    Regulatory Flexibility Act of 1980. The Director, Administration and 
    Management, Office of the Secretary of Defense certifies that this 
    Privacy Act rule for the Department of Defense does not have 
    significant economic impact on a substantial number of small entities 
    because it is concerned only with the administration of Privacy Act 
    systems of records within the Department of Defense.
    
    Paperwork Reduction Act. The Director, Administration and Management, 
    Office of the Secretary of Defense certifies that this Privacy Act rule 
    for the Department of Defense imposes no information requirements 
    beyond the Department of Defense and that the information collected 
    within the Department of Defense is necessary and consistent with 5 
    U.S.C. 552a, known as the Privacy Act of 1974.
    
        This rule establishes the Defense Finance and Accounting Service 
    (DFAS) Privacy Act Program. DFAS was established to provide finance and 
    accounting services for the DoD Components and other Federal 
    activities, as designated by the Comptroller, DoD. The proposed rule 
    was previously published on March 1, 1996, at 61 FR 8003. No comments 
    were received resulting in any contrary determinations, therefore, DFAS 
    is adopting the rule as published.
    
    List of subjects in 32 CFR part 324
    
        Privacy.
    
        Accordingly, 32 CFR part 324 is added to read as follows:
    
    PART 324-DFAS PRIVACY ACT PROGRAM
    
    
    Subpart A-General Information
    
    324.1 Issuance and purpose.
    324.2 Applicability and scope.
    324.3 Policy.
    324.4 Responsibilities.
    
    Subpart B-Systems of Records
    
    324.5 General information.
    324.6 Procedural rules.
    324.7 Exemption rules.
    
    Subpart C-Individual Access to Records
    
    324.8 Right of access.
    324.9 Notification of record's existence.
    324.10 Individual requests for access.
    324.11 Denials.
    324.12 Granting individual access to records
    324.13 Access to medical and psychological records.
    324.14 Relationship between the Privacy Act and the Freedom of 
    Information Act.
    
    Appendix A to part 324 - DFAS Reporting Requirements
    
    [[Page 25562]]
    
    Appendix B to part 324 - System of Records Notice
    
        Authority:  Pub. L. 93-579, 88 Stat 1896 (5 U.S.C. 552a).
    
    Subpart A - General information
    
    
    Sec. 324.1  Issuance and purpose.
    
        The Defense Finance and Accounting Service fully implements the 
    policy and procedures of the Privacy Act and the DoD 5400.11-R \1\, 
    `Department of Defense Privacy Program' (see 32 CFR part 310). This 
    regulation supplements the DoD Privacy Program only to establish policy 
    for the Defense Finance and Accounting Service (DFAS) and provide DFAS 
    unique procedures.
    ---------------------------------------------------------------------------
    
        \1\ Copies may be obtained at cost from the National Technical 
    Information Service, 5285 Port Royal Road, Springfield, VA 22161.
    ---------------------------------------------------------------------------
    
    
    Sec. 324.2  Applicability and scope.
    
        This regulation applies to all DFAS, Headquarters, DFAS Centers, 
    the Financial System Organization (FSO), and other organizational 
    components. It applies to contractor personnel who have entered a 
    contractual agreement with DFAS. Prospective contractors will be 
    advised of their responsibilities under the Privacy Act Program.
    
    
    Sec. 324.3  Policy.
    
        DFAS personnel will comply with the Privacy Act of 1974, the DoD 
    Privacy Program and the DFAS Privacy Act Program. Strict adherence is 
    required to ensure uniformity in the implementation of the DFAS Privacy 
    Act Program and to create conditions that will foster public trust. 
    Personal information maintained by DFAS organizational elements will be 
    safeguarded. Information will be made available to the individual to 
    whom it pertains to the maximum extent practicable. Specific DFAS 
    policy is provided for Privacy Act training, responsibilities, 
    reporting procedures and implementation requirements. DFAS Components 
    will not define policy for the Privacy Act Program.
    
    
    Sec. 324.4  Responsibilities.
    
        (a) Director, DFAS.
        (1) Ensures the DFAS Privacy Act Program is implemented at all DFAS 
    locations.
        (2) The Director, DFAS, will be the Final Denial Appellate 
    Authority. This authority may be delegated to the Director for Resource 
    Management.
        (3) Appoints the Director for External Affairs and Administrative 
    Support, or a designated replacement, as the DFAS Headquarters Privacy 
    Act Officer.
        (b) DFAS Headquarters General Counsel.
        (1) Ensures uniformity is maintained in legal rulings and 
    interpretation of the Privacy Act.
        (2) Consults with DoD General Counsel on final denials that are 
    inconsistent with other final decisions within DoD. Responsible to 
    raise new legal issues of potential significance to other Government 
    agencies.
        (3) Provides advice and assistance to the DFAS Director, Center 
    Directors, and the FSO as required, in the discharge of their 
    responsibilities pertaining to the Privacy Act.
        (4) Acts as the DFAS focal point on Privacy Act litigation with the 
    Department of Justice.
        (5) Reviews Headquarters' denials of initial requests and appeals.
        (c) DFAS Center Directors.
        (1) Ensures that all DFAS Center personnel, all personnel at 
    subordinate levels, and contractor personnel working with personal data 
    comply with the DFAS Privacy Act Program.
        (2) Serves as the DFAS Center Initial Denial Authority for requests 
    made as a result of denying release of requested information at 
    locations within DFAS Center authority. Initial denial authority may 
    not be redelegated. Initial denial appeals will be forwarded to the 
    appropriate DFAS Center marked to the attention of the DFAS Center 
    Initial Denial Authority.
        (d) Director, FSO.
        (1) Ensures that FSO and subordinate personnel and contractors 
    working with personal data comply with the Privacy Act Program.
        (2) Serves as the FSO Initial Denial Authority for requests made as 
    a result of denying release of requested information at locations 
    within FSO authority. FSO Initial denial authority may not be 
    redelegated.
        (3) Appoints a Privacy Act Officer for the FSO and each Financial 
    System Activity (FSA).
        (e) DFAS Headquarters Privacy Act Officer.
        (1) Establishes, issues and updates policy for the DFAS Privacy Act 
    Program and monitors compliance. Serves as the DFAS single point of 
    contact on all matters concerning Privacy Act policy. Resolves any 
    conflicts resulting from implementation of the DFAS Privacy Act Program 
    policy.
        (2) Serves as the DFAS single point of contact with the Department 
    of Defense Privacy Office. This duty may be delegated.
        (3) Ensures that the collection, maintenance, use and/or 
    dissemination of records of identifiable personal information is for a 
    necessary and lawful purpose, that the information is current and 
    accurate for the intended use and that adequate security safeguards are 
    provided.
        (4) Monitors system notices for agency systems of records. Ensures 
    that new, amended, or altered notices are promptly prepared and 
    published. Reviews all notices submitted by the DFAS Privacy Act 
    Officers for correctness and submits same to the Department of Defense 
    Privacy Office for publication in the Federal Register. Maintains and 
    publishes a listing of DFAS Privacy Act system notices.
        (5) Establishes DFAS Privacy Act reporting requirement due dates. 
    Compiles all Agency reports and submits the completed annual report to 
    the Defense Privacy Office. DFAS reporting requirements are provided in 
    Appendix A to this part.
        (6) Conducts annual Privacy Act Program training for DFAS 
    Headquarters (HQ) personnel. Ensures that subordinate DFAS Center and 
    FSO Privacy Act Officers fulfill annual training requirements.
        (f) FSO and Financial System Activities (FSAs) Legal Support. The 
    FSO and subordinate FSA organizational elements will be supported by 
    the appropriate DFAS-HQ or DFAS Center General Counsel office.
        (g) DFAS Center(s) Assistant General Counsel.
        (1) Ensures uniformity is maintained in legal rulings and 
    interpretation of the Privacy Act and this regulation. Consults with 
    the DFAS-HQ General Counsel as required.
        (2) Provides advice and assistance to the DFAS Center Director and 
    the FSA in the discharge of his/her responsibilities pertaining to the 
    Privacy Act.
        (3) Coordinates on DFAS Center and the FSA denials of initial 
    requests.
        (h) DFAS Center Privacy Act Officer.
        (1) Implements and administers the DFAS Privacy Act Program for all 
    personnel, to include contractor personnel, within the Center, 
    Operating Locations (OpLocs) and Defense Accounting Offices (DAOs).
        (2) Ensures that the collection, maintenance, use, or dissemination 
    of records of identifiable personal information is in a manner that 
    assures that such action is for a necessary and lawful purpose; the 
    information is timely and accurate for its intended use; and that 
    adequate safeguards are provided to prevent misuse of such information. 
    Advises the Program Manager that systems notices must be published in 
    the Federal Register prior to collecting or maintenance of the 
    information. Submits system notices to the DFAS-HQ Privacy Act Officer 
    for
    
    [[Page 25563]]
    
    review and subsequent submission to the Department of Defense Privacy 
    Office.
        (3) Administratively controls and processes Privacy Act requests. 
    Ensures that the provisions of this regulation and the DoD Privacy Act 
    Program are followed in processing requests for records. Ensures all 
    Privacy Act requests are promptly reviewed. Coordinates the reply with 
    other organizational elements as required.
        (4) Prepares denials and partial denials for the Center Director's 
    signature and obtain required coordination with the assistant General 
    Counsel. Responses will include written justification citing a specific 
    exemption or exemptions.
        (5) Prepares input for the annual Privacy Act Report as required 
    using the guidelines provided in Appendix A to this part.
        (6) Conducts training on the DFAS Privacy Act Program for Center 
    personnel.
        (i) FSO Privacy Act Officer.
        (1) Implements and administers the DFAS Privacy Act Program for all 
    personnel, to include contractor personnel, within the FSO.
        (2) Ensures that the collection, maintenance, use, or dissemination 
    of records of identifiable personal information is in a manner that 
    assures that such action is for a necessary and lawful purpose; the 
    information is timely and accurate for its intended use; and that 
    adequate safeguards are provided to prevent misuse of such information. 
    Advises the Program Manager that systems notices must be published in 
    the Federal Register prior to collecting or maintenance of the 
    information. Submits system notices to the DFAS-HQ Privacy Act Officer 
    for review and subsequent submission to the Department of Defense 
    Privacy Office.
        (3) Administratively controls and processes Privacy Act requests. 
    Ensures that the provisions of this regulation and the DoD Privacy Act 
    Program are followed in processing requests for records. Ensure all 
    Privacy Act requests are promptly reviewed. Coordinate the reply with 
    other organizational elements as required.
        (4) Prepares denials and partial denials for signature by the 
    Director, FSO and obtains required coordination with the assistant 
    General Counsel. Responses will include written justification citing a 
    specific exemption or exemptions.
        (5) Prepares input for the annual Privacy Act Report (RCS: DD 
    DA&M(A)1379) as required using the guidelines provided in Appendix A to 
    this part.
        (6) Conducts training on the DFAS Privacy Act Program for FSO 
    personnel.
        (j) DFAS employees.
        (1) Will not disclose any personal information contained in any 
    system of records, except as authorized by this regulation.
        (2) Will not maintain any official files which are retrieved by 
    name or other personal identifier without first ensuring that a system 
    notice has been published in the Federal Register.
        (3) Reports any disclosures of personal information from a system 
    of records or the maintenance of any system of records not authorized 
    by this regulation to the appropriate Privacy Act Officer for action.
        (k) DFAS system managers (SM).
        (1) Ensures adequate safeguards have been established and are 
    enforced to prevent the misuse, unauthorized disclosure, alteration, or 
    destruction of personal information contained in system records.
        (2) Ensures that all personnel who have access to the system of 
    records or are engaged in developing or supervising procedures for 
    handling records are totally aware of their responsibilities to protect 
    personal information established by the DFAS Privacy Act Program.
        (3) Evaluates each new proposed system of records during the 
    planning stage. The following factors should be considered:
        (i) Relationship of data to be collected and retained to the 
    purpose for which the system is maintained. All information must be 
    relevant to the purpose.
        (ii) The impact on the purpose or mission if categories of 
    information are not collected. All data fields must be necessary to 
    accomplish a lawful purpose or mission.
        (iii) Whether informational needs can be met without using personal 
    identifiers.
        (iv) The disposition schedule for information.
        (v) The method of disposal.
        (vi) Cost of maintaining the information.
        (4) Complies with the publication requirements of DoD 5400.11-R, 
    `Department of Defense Privacy Program' (see 32 CFR part 310). Submits 
    final publication requirements to the appropriate DFAS Privacy Act 
    Officer.
        (l) DFAS program manager(s). Reviews system alterations or 
    amendments to evaluate for relevancy and necessity. Reviews will be 
    conducted annually and reports prepared outlining the results and 
    corrective actions taken to resolve problems. Reports will be forwarded 
    to the appropriate Privacy Act Officer.
        (m) Federal government contractors. When a DFAS organizational 
    element contracts to accomplish an agency function and performance of 
    the contract requires the operation of a system of records or a portion 
    thereof, DoD 5400.11-R, `Department of Defense Privacy Program' (see 32 
    CFR part 310) and this part apply. For purposes of criminal penalties, 
    the contractor and its employees shall be considered employees of DFAS 
    during the performance of the contract.
        (1) Contracting Involving Operation of Systems of Records. 
    Consistent with Federal Acquisition Regulation (FAR) \2\ and the DoD 
    Supplement to the Federal Acquisition Regulation (DFAR) \3\, Part 
    224.1, contracts involving the operation of a system of records or 
    portion thereof shall specifically identify the record system, the work 
    to be performed and shall include in the solicitations and resulting 
    contract such terms specifically prescribed by the FAR and DFAR.
    ---------------------------------------------------------------------------
    
        \2\ Copies may be obtained at cost from the Superintendent of 
    Documents, P.O. Box 37195, Pittsburgh, PA 15250-7954.
        \3\ See footnote 2 to Sec. 324.4(m)(1)
    ---------------------------------------------------------------------------
    
        (2) Contracting. For contracting subject to this part, the Agency 
    shall:
        (i) Informs prospective contractors of their responsibilities under 
    the DFAS Privacy Act Program.
        (ii) Establishes an internal system for reviewing contractor 
    performance to ensure compliance with the DFAS Privacy Act Program.
        (3) Exceptions. This rule does not apply to contractor records that 
    are:
        (i) Established and maintained solely to assist the contractor in 
    making internal contractor management decisions, such as records 
    maintained by the contractor for use in managing the contract.
        (ii) Maintained as internal contractor employee records, even when 
    used in conjunction with providing goods or services to the agency.
        (4) Contracting procedures. The Defense Acquisition Regulatory 
    Council is responsible for developing the specific policies and 
    procedures for soliciting, awarding, and administering contracts.
        (5) Disclosing records to contractors. Disclosing records to a 
    contractor for use in performing a DFAS contract is considered a 
    disclosure within DFAS. The contractor is considered the agent of DFAS 
    when receiving and maintaining the records for the agency.
    
    [[Page 25564]]
    
    Subpart B - Systems of Records
    
    
    Sec. 324.5  General information.
    
        (a) The provisions of DoD 5400.11-R, `Department of Defense Privacy 
    Program' (see 32 CFR part 310) apply to all DFAS systems of records. 
    DFAS Privacy Act Program Procedural Rules, DFAS Exemption Rules and 
    System of Record Notices are the three types of documents relating to 
    the Privacy Act Program that must be published in the Federal Register.
        (b) A system of records used to retrieve records by a name or some 
    other personal identifier of an individual must be under DFAS control 
    for consideration under this regulation. DFAS will maintain only those 
    Systems of Records that have been described through notices published 
    in the Federal Register.
        (1) First amendment guarantee. No records will be maintained that 
    describe how individuals exercise their rights guaranteed by the First 
    Amendment unless maintenance of the record is expressly authorized by 
    Statute, the individual or for an authorized law enforcement purpose.
        (2) Conflicts. In case of conflict, the provisions of DoD 5400.11-R 
    take precedence over this supplement or any DFAS directive or procedure 
    concerning the collection, maintenance, use or disclosure of 
    information from individual records.
        (3) Record system notices. Record system notices are published in 
    the Federal Register as notices and are not subject to the rule making 
    procedures. The public must be given 30 days to comment on any proposed 
    routine uses prior to implementing the system of record.
        (4) Amendments. Amendments to system notices are submitted in the 
    same manner as the original notices.
    
    
    Sec. 324.6  Procedural rules.
    
        DFAS procedural rules (regulations having a substantial and direct 
    impact on the public) must be published in the Federal Register first 
    as a proposed rule to allow for public comment and then as a final 
    rule. Procedural rules will be submitted through the appropriate DFAS 
    Privacy Act Officer to the Department of Defense Privacy Office. 
    Appendix B to this part provides the correct format. Guidance may be 
    obtained from the DFAS-HQ and DFAS Center Records Managers on the 
    preparation of procedural rules for publication.
    
    
    Sec. 324.7  Exemption rules.
    
        (a) Submitting proposed exemption rules. Each proposed exemption 
    rule submitted for publication in the Federal Register must contain: 
    The agency identification and name of the record system for which an 
    exemption will be established; The subsection(s) of the Privacy Act 
    which grants the agency authority to claim an exemption for the system; 
    The particular subsection(s) of the Privacy Act from which the system 
    will be exempt; and the reasons why an exemption from the particular 
    subsection identified in the preceding subparagraph is being claimed. 
    No exemption to all provisions of the Privacy Act for any System of 
    records will be granted. Only the Director, DFAS may make a 
    determination that an exemption should be established for a system of 
    record.
        (b) Submitting exemption rules for publication. Exemption rules 
    must be published in the Federal Register first as proposed rules to 
    allow for public comment, then as final rules. No system of records 
    shall be exempt from any provision of the Privacy Act until the 
    exemption rule has been published in the Federal Register as a final 
    rule. The DFAS Privacy Act Officer will submit proposed exemption 
    rules, in proper format, to the Defense Privacy Office, for review and 
    submission to the Federal Register for publication. Amendments to 
    exemption rules are submitted in the same manner as the original 
    exemption rules.
        (c) Exemption for classified records. Any record in a system of 
    records maintained by the Defense Finance and Accounting Service which 
    falls within the provisions of 5 U.S.C. 552a(k)(1) may be exempt from 
    the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), 
    (e)(4)(G)-(e)(4)(I) and (f) to the extent that a record system contains 
    any record properly classified under Executive Order 12589 and that the 
    record is required to be kept classified in the interest of national 
    defense or foreign policy. This specific exemption rule, claimed by the 
    Defense Finance and Accounting Service under authority of 5 U.S.C. 
    552a(k)(1), is applicable to all systems of records maintained, 
    including those individually designated for an exemption herein as well 
    as those not otherwise specifically designated for an exemption, which 
    may contain isolated items of properly classified information
        (1) General exemptions. (Reserved)
        (2) Specific exemptions. (Reserved)
    
    Subpart C - Individual Access to Records
    
    
    Sec. 324.8  Right of access.
    
        The provisions of DoD 5400.11-R, `Department of Defense Privacy 
    Program' (see 32 CFR part 310) apply to all DFAS personnel about whom 
    records are maintained in systems of records. All information that can 
    be released consistent with applicable laws and regulations should be 
    made available to the subject of record.
    
    
    Sec. 324.9  Notification of record's existence.
    
        All DFAS Privacy Act Officers shall establish procedures for 
    notifying an individual, in response to a request, if the system of 
    records contains a record pertaining to him/her.
    
    
    Sec. 324.10  Individual requests for access.
    
        Individuals shall address requests for access to records to the 
    appropriate Privacy Act Officer by mail or in person. Requests for 
    access should be acknowledged within 10 working days after receipt and 
    provided access within 30 working days. Every effort will be made to 
    provide access rapidly; however, records cannot usually be made 
    available for review on the day of request. Requests must provide 
    information needed to locate and identify the record, such as 
    individual identifiers required by a particular system, to include the 
    requester's full name and social security number.
    
    
    Sec. 324.11  Denials.
    
        Only a designated denial authority may deny access. The denial must 
    be in writing.
    
    
    Sec. 324.12  Granting individual access to records.
    
        (a) The individual should be granted access to the original record 
    (or exact copy) without any changes or deletions. A record that has 
    been amended is considered the original.
        (b) The DFAS component that maintains control of the records will 
    provide an area where the records can be reviewed. The hours for review 
    will be set by each DFAS location.
        (c) The custodian will require presentation of identification prior 
    to providing access to records. Acceptable identification forms include 
    military or government civilian identification cards, driver's license, 
    or other similar photo identification documents.
        (d) Individuals may be accompanied by a person of their own 
    choosing when reviewing the record; however, the custodian will not 
    discuss the record in the presence of the third person without written 
    authorization.
        (e) On request, copies of the record will be provided at a cost of 
    $.15 per page. Fees will not be assessed if the cost is less that 
    $30.00. Individuals requesting copies of their official personnel 
    records are entitled to one
    
    [[Page 25565]]
    
    free copy and then a charge will be assessed for additional copies.
    
    
    Sec. 324.13  Access to medical and psychological records.
    
        Individual access to medical and psychological records should be 
    provided, even if the individual is a minor, unless it is determined 
    that access could have an adverse effect on the mental or physical 
    health of the individual. In this instance, the individual will be 
    asked to provide the name of a personal physician, and the record will 
    be provided to that physician in accordance with guidance in Department 
    of Defense 5400.11-R, `Department of Defense Privacy Program' (see 32 
    CFR part 310).
    
    
    Sec. 324.14  Relationship between the Privacy Act and the Freedom of 
    Information Act.
    
        Access requests that specifically state or reasonably imply that 
    they are made under FOIA, are processed pursuant to the DFAS Freedom of 
    Information Act Regulation. Access requests that specifically state or 
    reasonably imply that they are made under the PA are processed pursuant 
    to this regulation. Access requests that cite both the FOIA and the PA 
    are processed under the Act that provides the greater degree of access. 
    Individual access should not be denied to records otherwise releasable 
    under the PA or the FOIA solely because the request does not cite the 
    appropriate statute. The requester should be informed which Act was 
    used in granting or denying access.
    
    
    Appendix A to part 324-DFAS Reporting Requirements
    
        By February 1, of each calendar year, DFAS Centers and Financial 
    Systems Organizations will provide the DFAS Headquarters Privacy Act 
    Officer with the following information:
        1. Total Number of Requests for Access:
        a. Number granted in whole:
        b. Number granted in part:
        c. Number wholly denied:
        d. Number for which no record was found:
        2. Total Number of Requests to Amend Records in the System:
        a. Number granted in whole:
        b. Number granted in part:
        c. Number wholly denied:
        3. The results of reviews undertaken in response to paragraph 3a of 
    Appendix I to OMB Circular A-130 \4\.
    ---------------------------------------------------------------------------
    
        \4\ Copies available from the Office of Personnel Management, 
    1900 E. Street, Washington, DC 20415.
    ---------------------------------------------------------------------------
    
    
    Appendix B to part 324-System of Records Notice
    
        The following data captions are required for each system of records 
    notice published in the Federal Register. An explanation for each 
    caption is provided.
        1. System identifier. The system identifier must appear in all 
    system notices. It is limited to 21 positions, including agency code, 
    file number, symbols, punctuation, and spaces.
        2. Security classification. Self explanatory. (DoD does not publish 
    this caption. However, each agency is responsible for maintaining the 
    information.)
        3. System name. The system name must indicate the general nature of 
    the system of records and, if possible, the general category of 
    individuals to whom it pertains. Acronyms should be established 
    parenthetically following the first use of the name (e.g., `Field Audit 
    Office Management Information System (FMIS)'). Acronyms shall not be 
    used unless preceded by such an explanation. The system name may not 
    exceed 55 character positions, including punctuation and spaces.
        4. Security classification. This category is not published in the 
    Federal Register but is required to be kept by the Headquarters Privacy 
    Act Officer.
        5. System location. a. For a system maintained in a single 
    location, provide the exact office name, organizational identity, 
    routing symbol, and full mailing address. Do not use acronyms in the 
    location address.
        b. For a geographically or organizationally decentralized system, 
    describe each level of organization or element that maintains a portion 
    of the system of records.
        c. For an automated data system with a central computer facility 
    and input or output terminals at geographically separate locations, 
    list each location by category.
        d. If multiple locations are identified by type of organization, 
    the system location may indicate that official mailing addresses are 
    published as an appendix to the agency's compilation of systems of 
    records notices in the Federal Register. If no address directory is 
    used, or if the addresses in the directory are incomplete, the address 
    of each location where a portion of the record system is maintained 
    must appear under the `system location' caption.
        e. Classified addresses shall not be listed but the fact that they 
    are classified shall be indicated.
        f. The U.S. Postal Service two-letter state abbreviation and the 
    nine-digit zip code shall be used for all domestic addresses.
        6. Categories of individuals covered by the system. Use clear, non 
    technical terms which show the specific categories of individuals to 
    whom records in the system pertain. Broad descriptions such as `all 
    DFAS personnel' or `all employees' should be avoided unless the term 
    actually reflects the category of individuals involved.
        7. Categories of records in the system. Use clear, non technical 
    terms to describe the types of records maintained in the system. The 
    description of documents should be limited to those actually retained 
    in the system of records. Source documents used only to collect data 
    and then destroyed should not be described.
        8. Authority for maintenance of the system. The system of records 
    must be authorized by a Federal law or Executive Order of the 
    President, and the specific provision must be cited. When citing 
    federal laws, include the popular names (e.g., `5 U.S.C. 552a, The 
    Privacy Act of 1974') and for Executive Orders, the official titles 
    (e.g., `Executive Order 9397, Numbering System for Federal Accounts 
    Relating to Individual Persons').
        9. Purpose(s). The specific purpose(s) for which the system of 
    records was created and maintained; that is, the uses of the records 
    within DFAS and the rest of the Department of Defense should be listed.
        10. Routine uses of records maintained in the system, including 
    categories of users and purposes of the uses. All disclosures of the 
    records outside DoD, including the recipient of the disclosed 
    information and the uses the recipient will make of it should be 
    listed. If possible, the specific activity or element to which the 
    record may be disclosed (e.g., `to the Department of Veterans Affairs, 
    Office of Disability Benefits') should be listed. General statements 
    such as `to other Federal Agencies as required' or `to any other 
    appropriate Federal Agency' should not be used. The blanket routine 
    uses, published at the beginning of the agency's compilation, applies 
    to all system notices, unless the individual system notice states 
    otherwise.
        11. Disclosure to consumer reporting agencies: This entry is 
    optional for certain debt collection systems of records.
        12. Policies and practices for storing, retrieving, accessing, 
    retaining, and disposing of records in the system. This section is 
    divided into four parts.
        13. Storage: The method(s) used to store the information in the 
    system (e.g., `automated, maintained in computers
    
    [[Page 25566]]
    
    and computer output products' or `manual, maintained in paper files' or 
    `hybrid, maintained in paper files and in computers') should be stated. 
    Storage does not refer to the container or facility in which the 
    records are kept.
        14. Retrievability: How records are retrieved from the system 
    (e.g., `by name,' `by SSN,' or `by name and SSN') should be indicated.
        15. Safeguards: The categories of agency personnel who use the 
    records and those responsible for protecting the records from 
    unauthorized access should be stated. Generally the methods used to 
    protect the records, such as safes, vaults, locked cabinets or rooms, 
    guards, visitor registers, personnel screening, or computer `fail-safe' 
    systems software should be identified. Safeguards should not be 
    described in such detail as to compromise system security.
        16. Retention and disposal: Describe how long records are 
    maintained. When appropriate, the length of time records are maintained 
    by the agency in an active status, when they are transferred to a 
    Federal Records Center, how long they are kept at the Federal Records 
    Center, and when they are transferred to the National Archives or 
    destroyed should be stated. If records eventually are destroyed, the 
    method of destruction (e.g., shredding, burning, pulping, etc.) should 
    be stated. If the agency rule is cited, the applicable disposition 
    schedule shall also be identified.
        17. System manager(s) and address. The title (not the name) and 
    address of the official or officials responsible for managing the 
    system of records should be listed. If the title of the specific 
    official is unknown, such as with a local system, the local director or 
    office head as the system manager should be indicated. For 
    geographically separated or organizationally decentralized activities 
    with which individuals may correspond directly when exercising their 
    rights, the position or title of each category of officials responsible 
    for the system or portion thereof should be listed. Addresses that 
    already are listed in the agency address directory or simply refer to 
    the directory should not be included.
        18. Notification procedures. (1) Notification procedures describe 
    how an individual can determine if a record in the system pertains to 
    him/her. If the record system has been exempted from the notification 
    requirements of subsection (f)(l) or subsection (e)(4)(G) of the 
    Privacy Act, it should be so stated. If the system has not been 
    exempted, the notice must provide sufficient information to enable an 
    individual to request notification of whether a record in the system 
    pertains to him/her. Merely referring to a DFAS regulation is not 
    sufficient. This section should also include the title (not the name) 
    and address of the official (usually the Program Manager) to whom the 
    request must be directed; any specific information the individual must 
    provide in order for DFAS to respond to the request (e.g., name, SSN, 
    date of birth, etc.); and any description of proof of identity for 
    verification purposes required for personal visits by the requester.
        19. Record access procedures. This section describes how an 
    individual can review the record and obtain a copy of it. If the system 
    has been exempted from access and publishing access procedures under 
    subsections (d)(1) and (e)(4)(H), respectively, of the Privacy Act, it 
    should be so indicated. If the system has not been exempted, describe 
    the procedures an individual must follow in order to review the record 
    and obtain a copy of it, including any requirements for identity 
    verification. If appropriate, the individual may be referred to the 
    system manager or another DFAS official who shall provide a detailed 
    description of the access procedures. Any addresses already listed in 
    the address directory should not be repeated.
        20. Contesting records procedures. This section describes how an 
    individual may challenge the denial of access or the contents of a 
    record that pertains to him or her. If the system of record has been 
    exempted from allowing amendments to records or publishing amendment 
    procedures under subsections (d)(1) and (e)(4)(H), respectively, of the 
    Privacy Act, it should be so stated. If the system has not been 
    exempted, this caption describes the procedures an individual must 
    follow in order to challenge the content of a record pertaining to him/
    her, or explain how he/she can obtain a copy of the procedures (e.g., 
    by contacting the Program Manager or the appropriate DFAS Privacy Act 
    Officer).
        21. Record source categories: If the system has been exempted from 
    publishing record source categories under subsection (e)(4)(I) of the 
    Privacy Act, it should be so stated. If the system has not been 
    exempted, this caption must describe where DFAS obtained the 
    information maintained in the system. Describing the record sources in 
    general terms is sufficient; specific individuals, organizations, or 
    institutions need not be identified.
        22. Exemptions claimed for the system. If no exemption has been 
    established for the system, indicate `None.' If an exemption has been 
    established, state under which provision of the Privacy Act it is 
    established (e.g., `Portions of this system of records may be exempt 
    under the provisions of 5 U.S.C. 552a(k)(2).')
        Dated: May 15, 1996.
    
    
    
    
    L. M. Bynum,
    Alternate OSD Federal Register Liaison Officer, Department of Defense.
    [FR Doc. 96-12856 Filed 5-21-96; 8:45 am]
    BILLING CODE 5000-04-F
    
    

Document Information

Published:
05/22/1996
Department:
Defense Department
Entry Type:
Rule
Action:
Final rule.
Document Number:
96-12856
Dates:
May 1, 1996.
Pages:
25561-25566 (6 pages)
PDF File:
96-12856.pdf
CFR: (14)
32 CFR 324.1
32 CFR 324.2
32 CFR 324.3
32 CFR 324.4
32 CFR 324.5
More ...