Availability of DON Records and Publication of DON Documents Affecting the Public, 27536-27561 [06-3924]

Agencies

• DEPARTMENT OF DEFENSE
• Department of the Navy
• Navy Department

[Federal Register Volume 71, Number 91 (Thursday, May 11, 2006)]
[Rules and Regulations]
[Pages 27536-27561]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-3924]



[[Page 27535]]

-----------------------------------------------------------------------

Part II





Department of Defense





-----------------------------------------------------------------------



Department of the Navy



-----------------------------------------------------------------------



32 CFR Part 701



Availability of DON Records and Publication of DON Documents Affecting 
the Public; Final Rule

Federal Register / Vol. 71, No. 91 / Thursday, May 11, 2006 / Rules 
and Regulations

[[Page 27536]]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Department of the Navy

32 CFR Part 701

RIN 0703-AA77


Availability of DON Records and Publication of DON Documents 
Affecting the Public

AGENCY: Department of the Navy, DOD.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The rule sets forth amended regulations pertaining to the 
Department of the Navy's (DON) Privacy Program. The rule reflects 
changes in the Secretary of the Navy Instruction (SECNAVINST) 5211.5 
series from which it is derived.

Effective Date:  Effective May 11, 2006.

FOR FURTHER INFORMATION CONTACT: Mrs. Doris Lama (DNS-36), Office of 
the Chief of Naval Operations, 2000 Navy Pentagon, Washington, DC 
20350-2000, 202-685-6545.

SUPPLEMENTARY INFORMATION: Pursuant to the authority cited below, the 
DON amends 32 CFR part 701. Subparts F and G derived from the 
SECNAVINST 5211.5 series, which implements within the DON the 
provisions of Department of Defense (DOD) Directives 5400.11 and 
5400.11-R series, DOD Privacy Program (32 CFR part 310). This rule is 
being published by the DON for guidance and interest of the public in 
accordance with 5 U.S.C. 552(a)(1). It has been determined that 
invitation of public comment on these changes to the DON's implementing 
instruction prior to adoption would be impracticable and unnecessary, 
and it is therefore not required under the public rulemaking provisions 
of 32 CFR parts 286 and 701, subpart E. Interested persons, however, 
are invited to comment in writing on this amendment. All written 
comments received will be considered in making subsequent amendments or 
revisions to 32 CFR part 701, subparts F and G, or the instruction upon 
which it is based. Changes may be initiated on the basis of comments 
received. Written comments should be addressed to Mrs. Doris Lama (DNS-
36), Office of the Chief of Naval Operations, 2000 Navy Pentagon, 
Washington, DC 20350-2000. It has been determined that this final rule 
is not a ``major rule'' within the criteria specified in Section 1(b) 
of Executive Order 12291 and does not have substantial impact on the 
public.

List of Subjects in 32 CFR Part 701

    Administrative practice and procedure, Freedom of Information, 
Privacy.

0
Accordingly, 32 CFR part 701 is amended as follows:

PART 701--AVAILABILITY OF DON RECORDS AND PUBLICATION OF DON 
DOCUMENTS AFFECTING THE PUBLIC

0
1. The authority for part 701 continues to read as follows:

    Authority: 5 U.S.C. 552.


0
2. Revise subparts F and G to read as follows:
Subpart F--DON Privacy Program
Sec.
701.100 Purpose.
701.101 Privacy program terms and definitions.
701.102 Online resources.
701.103 Applicability.
701.104 Responsibility and authority.
701.105 Policy.
701.106 Collecting information about individuals.
701.107 Record access.
701.108 Amendment of records.
701.109 Privacy Act (PA) appeals.
701.110 Conditions of disclosure.
701.111 Disclosure accounting.
701.112 ``Blanket routine uses.''
701.113 PA exemptions.
701.114 PA enforcement actions.
701.115 Protected personal information (PPI).
701.116 PA systems of records notices overview.
701.117 Changes to PA systems of records.
701.118 Privacy, IT, and PIAs.
701.119 Privacy and the web.
701.120 Processing requests that cite or imply PA, Freedom of 
Information (FOIA), or PA/FOIA.
701.121 Processing ``routine use'' disclosures.
701.122 Medical records.
701.123 PA fees.
701.124 PA self assessments/inspections.
701.125 Computer matching program.
Subpart G--Privacy Act Exemptions
701.126 Purpose.
701.127 Exemption for classified records.
701.128 Exemptions for specific Navy record systems.
701.129 Exemptions for specific Marine Corps records systems.

Subpart F--DON Privacy Program


Sec.  701.100  Purpose.

    Subparts F and G of this part implement the Privacy Act (5 U.S.C. 
552a), and the DOD Directives 5400.11 and 5400.11-R series, DOD Privacy 
Program (see 32 CFR part 310) and provides DON policies and procedures 
to ensure that all DON military members and civilian/contractor 
employees are made fully aware of their rights and responsibilities 
under the provisions of the Privacy Act (PA); to balance the 
Government's need to maintain information with the obligation to 
protect individuals against unwarranted invasions of their privacy 
stemming from the DON's collection, maintenance, use, and disclosure of 
Protected Personal Information (PPI); and to require privacy management 
practices and procedures be employed to evaluate privacy risks in 
publicly accessible DON Web sites and unclassified non-national 
security information systems.
    (a) Scope. Governs the collection, safeguarding, maintenance, use, 
access, amendment, and dissemination of PPI kept by DON in PA systems 
of records.
    (b) Guidance. Provides guidance on how to respond to individuals 
who seek access to information in a PA system of records that is 
retrieved by their name and/or personal identifier.
    (c) Verify identity. Establishes ways to verify the identity of 
individuals who request their records before the records are made 
available to them.
    (d) Online resources. Directs the public to the Navy's PA Online 
Web site at https://www.privacy.navy.mil that defines the DON's PA 
Program, lists all Navy, Marine Corps, and Government-wide systems of 
records and provides guidance on how to gain access to those records.
    (e) Rules of conduct. Governs the PA rules of conduct for 
personnel, who will be subject to either civil or criminal penalties 
for noncompliance with 5 U.S.C. 552a.
    (f) Privacy impact assessment (PIA) requirements. Establishes 
requirements for conducting, reviewing, approving, and publishing PIAs.


Sec.  701.101  Privacy program terms and definitions.

    (a) Access. Review or copying a record or parts thereof contained 
in a system of records by any individual.
    (b) Agency. For the purposes of disclosing records subject to the 
PA between or among DOD components, DOD is considered a single agency. 
For all other purposes, DON is considered an agency within the meaning 
of PA.
    (c) Disclosure. The transfer of any personal information from a 
system of records by any means of communication (such as oral, written, 
electronic, mechanical, or actual review), to any person, private 
entity, or Government agency, other than the subject of the record, the 
subject's designated agent or the subject's legal guardian.
    (d) Federal personnel. Officers and employees of the U.S. 
Government, members of the uniformed services (including members of the 
reserve), individuals or survivors thereof, entitled to receive 
immediate or deferred

[[Page 27537]]

retirement benefits under any retirement program of the U.S. Government 
(including survivor benefits).
    (e) Individual. A living citizen of the U.S. or an alien lawfully 
admitted to the U.S. for permanent residence. The custodial parent of a 
minor or the legal guardian of any individual also may act on behalf of 
an individual. Members of the United States Armed Forces are 
``individuals.'' Corporations, partnerships, sole proprietorships, 
professional groups, businesses, whether incorporated or 
unincorporated, and other commercial entities are not ``individuals.''
    (f) Individual access. Access to information pertaining to the 
individual by the individual or his/her designated agent or legal 
guardian.
    (g) Information in identifiable form (IIF). Information in an 
Information Technology (IT) system or online collection that directly 
identifies an individual (e.g., name, address, social security number 
or other identifying code, telephone number, e-mail address, etc.) or 
by an agency intends to identify specific individuals in conjunction 
with other data elements (i.e., indirect identification that may 
include a combination of gender, race, birth date, geographic 
indicator, and other descriptors).
    (h) Information system. A discrete set of information resources 
organized for the collection, processing, maintenance, transmission, 
and dissemination of information.
    (i) Maintain. Includes maintain, collect, use, or disseminate.
    (j) Member of the public. Any individual or party acting in a 
private capacity.
    (k) Minor. Under this subpart, a minor is an individual under 18 
years of age, who is not a member of the U.S. Navy or Marine Corps, or 
married.
    (l) Official use. Within the context of this subpart, this term is 
used when DON officials and employees have a demonstrated need for the 
use of any record or the information contained therein in the 
performance of their official duties.
    (m) Personal information. Information about an individual that 
identifies, relates, or is unique to, or describes him or her (e.g., 
Social Security Number (SSN), age, military rank, civilian grade, 
marital status, race, salary, home/office phone numbers, etc.).
    (n) Privacy Act (PA) request. A request from an individual for 
notification as to the existence of, access to, or amendment of records 
pertaining to that individual. These records must be maintained in a 
system of records.
    (o) Privacy Impact Assessment (PIA). An ongoing assessment to 
evaluate adequate practices in balancing privacy concerns with the 
security needs of an organization. The process is designed to guide 
owners and developers of information systems in assessing privacy 
through the early stages of development. The process consists of 
privacy training, gathering data from a project on privacy issues, 
identifying and resolving the privacy risks, and approval by a 
designated privacy representative.
    (p) Protected personal information (PPI). Any information or 
characteristics that may be used to distinguish or trace an 
individual's identity, such as their name, SSN, or biometric records.
    (q) Record. Any item, collection, or grouping of information, 
whatever the storage media (e.g., paper, electronic, etc), about an 
individual that is maintained by a DON activity including, but not 
limited to, the individual's education, financial transactions, and 
medical, criminal, or employment history, and that contains the 
individual's name or other identifying particulars assigned to the 
individual, such as a finger or voice print or a photograph.
    (r) Review authority. An official charged with the responsibility 
to rule on administrative appeals of initial denials of requests for 
notification, access, or amendment of records. SECNAV has delegated 
review authority to the Assistant Secretary of the Navy (Manpower & 
Reserve Affairs) (ASN(M&RA)), General Counsel of the DON (GC), and the 
Judge Advocate General of the Navy (JAG). Additionally, the Office of 
Personnel Management (OPM) is the review authority for civilian 
official personnel folders or records contained in any other OPM 
record.
    (s) ``Routine use'' disclosure. A disclosure of a record made 
outside DOD for a purpose that is compatible with the purpose for which 
the record was collected and maintained by DOD. The ``routine use'' 
must have been included in the notice for the system of records 
published in the Federal Register.
    (t) Statistical record. A record maintained only for statistical 
research, or reporting purposes, and not used in whole or in part in 
making any determination about a specific individual.
    (u) System manager. An official who has overall responsibility for 
a system of records. He/she may serve at any level in DON. Systems 
managers are indicated in the published record systems notices. If more 
than one official is indicated as a system manager, initial 
responsibility resides with the manager at the appropriate level (i.e., 
for local records, at the local activity).
    (v) System of records. A group of records under the control of a 
DON activity from which information is retrieved by the individual's 
name or by some identifying number, symbol, or other identifying 
particular assigned to the individual. System notices for all PA 
systems of records must be published in the Federal Register and are 
also available for viewing or downloading from the Navy's Privacy Act 
Online Web site at https://www.privacy.navy.mil.
    (w) Web site. A collection of information organized into a number 
of Web documents related to a common subject or set of subjects, 
including the ``home page'' and the linked subordinate information.
    (x) Working day. All days excluding Saturday, Sunday, and legal 
holidays.


Sec.  701.102  Online resources.

    (a) Navy PA online Web site (https://www.privacy.navy.mil). This Web 
site supplements this subpart and subpart G. It provides a detailed 
understanding of the DON's PA Program. It contains information on Navy 
and Marine Corps systems of records notices; Government-wide systems of 
records notices that can be used by DON personnel; and identifies Navy 
and Marine Corps exempt systems of records notices. It includes: PA 
policy documents; sample training materials; DOD ``Blanket Routine 
Uses;'' a checklist for conducting staff assistance visits; a copy of 
PA statute; guidance on how to establish, delete, alter, or amend PA 
systems of records notices; and provides updates on the DON's PA 
Program.
    (b) DON Chief Information Officer (DON CIO) Web site (https://
www.doncio.navy.mil). This Web site provides detailed guidance on PIAs.
    (c) DOD's PA Web site (https://www.defenselink.mil/privacy). This 
Web site is an excellent resource that contains a listing of all DOD 
and its components' PA systems of records notices, DOD PA directive and 
regulation, OMB Circulars, Defense Privacy Decision Memoranda, etc.
    (d) DON Freedom of Information Act (FOIA) Web site (https://
www.foia.navy.mil). This Web site discusses the interface between PA 
and FOIA and provides detailed guidance on the DON's FOIA Program.


Sec.  701.103  Applicability.

    (a) DON activities. Applies to all DON activities that collect, 
maintain, or disseminate PPI. Applies to DON

[[Page 27538]]

activities and to contractors, vendors, and other entities that 
develop, procure, or use Information Technology (IT) systems under 
contract to DOD/DON, to collect, maintain, or disseminate IIF from or 
about members of the public.
    (b) Combatant commands. Applies to the U.S. Joint Forces Command 
(USJFCOM) and U.S. Pacific Command (USPACOM), except for U.S. Forces 
Korea as prescribed by DOD Directive 5100.3.
    (c) U.S. citizens and legally admitted aliens. Applies to living 
citizens of the U.S. or aliens lawfully admitted for permanent legal 
residence. Requests for access to information in a PA system of records 
made by individuals who are not U.S. citizens or permanent residents 
will be processed under the provisions of the FOIA.
    (d) Federal contractors. Applies to Federal contractors by contract 
or other legally binding action, whenever a DON contract provides for 
the operation, maintenance, or use of records contained in a PA system 
of records to accomplish a DON function.
    (1) When a DON activity contracts for the operation or maintenance 
of a system of records or a portion of a system of records by a 
contractor, the record system or the portion of the record system 
affected are considered to be maintained by the DON activity and are 
subject to this subpart and subpart G of this part.
    (2) The contractor and its employees are considered employees of 
the DON activity for purposes of the sanction provisions of the PA 
during the performance of the contract.
    (3) The Defense Acquisition Regulatory (DAR) Council, which 
oversees the implementation of the Federal Acquisition Regulations 
(FAR) within DOD, is responsible for developing the specific policies 
and procedures for soliciting, awarding, and administering contracts 
that are subject to this subpart and 5 U.S.C. 552a.
    (4) Consistent with the FAR regulations, contracts for the 
operation of a system of records shall identify specifically the record 
system and the work to be performed, and shall include in the 
solicitation and resulting contract the terms as prescribed by the FAR 
(see https://www.privacy.navy.mil (Admin Tools)).
    (5) DON activities must furnish PA Program guidance to their 
personnel who solicit and award or administer Government contracts; 
inform prospective contractors of their responsibilities regarding the 
DON PA Program; and establish an internal system of contractor 
performance review to ensure compliance with the DON Privacy Program.
    (6) This instruction does not apply to records of a contractor that 
are:
    (i) Established and maintained solely to assist the contractor in 
making internal contractor management decisions, such as records 
maintained by the contractor for use in managing the contract;
    (ii) Maintained as internal contractor employee records, even when 
used in conjunction with providing goods or services to a DON activity;
    (iii) Maintained as training records by an educational organization 
contracted by a DON activity to provide training when the records of 
the contract students are similar to and commingled with training 
records of other students, such as admission forms, transcripts, and 
academic counseling and similar records;
    (iv) Maintained by a consumer reporting agency to which records 
have been disclosed under 31 U.S.C. 3711; or
    (7) DON activities shall establish contract surveillance programs 
to ensure contractors comply with the procedures established by the DAR 
Council.
    (8) Disclosing records to a contractor for use in performing a 
contract let by a DON activity is considered a disclosure within DON 
(i.e., based on an official need to know). The contractor is considered 
the agent of DON when receiving and maintaining the records for that 
activity.
    (e) Precedence. In case of a conflict, this subpart and subpart G 
takes precedence over any DON directive that deals with the personal 
privacy and rights of individuals regarding their personal records, 
except for disclosure of PPI required by 5 U.S.C. 552 and implemented 
by Secretary of the Navy (SECNAVINST) 5720.42F.


Sec.  701.104  Responsibility and authority.

    (a) Delegation. The Chief of Naval Operations (CNO) for 
administering and supervising the execution of 5 U.S.C. 552a, DOD 
Directive 5400.11 and DOD Regulation 5400.11-R. The Director, Navy 
Staff (DNS) will administer this program through the Head, DON PA/FOIA 
Policy Branch (DNS-36) who will serve as the Principal PA Program 
Manager for the DON.
    (b) CNO (DNS-36). (1) Develops and implements DON policy on the 
provisions of the PA; serves as principal advisor on all DON PA 
matters; oversees the administration of the DON's PA program; reviews 
and resolves PA complaints; maintains the DON's PA Online Web site; 
develops a Navy-wide PA training program and serves as training 
oversight manager; establishes, maintains, deletes, and approves Navy 
and joint Navy/Marine Corps PA systems of records notices; compiles 
reports that address the DON's PA Program to DOD and/or the Office of 
Management and Budget (OMB); conducts PA reviews as defined in OMB 
Circular A-130; publishes exempt systems of records in the CFR; and 
conducts staff assistance visits/program evaluations within DON to 
review compliance with 5 U.S.C. 552a, this subpart and subpart G of 
this part.
    (2) Serves as PA Coordinator for the Secretary of the Navy 
(SECNAV), Office of the CNO (OPNAV) and the Naval Historical Center 
(NHC).
    (3) Represents SECNAV on the Defense Privacy Board (DPO). Per DOD 
Directive 5400.11, the Board has oversight responsibility for 
implementation of the DOD Privacy Program.
    (4) Represents SECNAV on the Defense Data Integrity Board. Per DOD 
Directive 5400.11, the Board has oversight responsibility for reviewing 
and approving all computer matching agreements between the DOD and 
other Federal, State, or local government agencies, as well as 
memoranda of understanding when the match is internal to DOD, to ensure 
that appropriate procedural and due process requirements have been 
established before engaging in computer matching activities.
    (5) Provides input to the DPO on OMB's Federal Information Security 
Management Act (FISMA) Report.
    (6) Coordinates on all PIAs prior to the PIA being submitted to DON 
CIO for review and final approval. Makes a determination as to whether 
the new IT system constitutes a PA system of records. If it does, 
determines whether an existing system covers the collection or whether 
a new systems notice will have to be written and approved. As 
necessary, assists the DON activity in creating and getting a new PA 
system of records notice approved.
    (7) Oversees the administration of OPNAV's PA program.
    (8) Chairs the DON PA Oversight Working Group.
    (c) Commandant of the Marine Corps (CMC). (1) Administers and 
supervises the execution of this instruction within the Marine Corps 
and maintains and approves Marine Corps PA systems of records notices. 
The Commandant has designated CMC (ARSF) as the PA manager for the U.S. 
Marine Corps.
    (2) Oversees the administration of the Marine Corps' PA program; 
reviews and resolves PA complaints; develops a Marine Corps privacy 
education, training, and awareness program;

[[Page 27539]]

reviews and validates PIAs for Marine Corps information systems and 
submits the validation to CNO (DNS-36); establishes, maintains, 
deletes, and approves Marine Corps PA systems of records notices; and 
conducts staff assistance visits/program evaluations within the Marine 
Corps to review compliance with 5 U.S.C. 552a, this subpart and subpart 
G of this part.
    (3) Serves as the PA Coordinator for all Headquarters, U.S. Marine 
Corps components, except for Marine Corps Systems Command and the 
Marine Corps Combat Development Command.
    (4) Provides input to CNO (DNS-36) for inclusion FISMA Report.
    (5) Serves on the DON PA Oversight Working Group.
    (6) Coordinates on all PIAs prior to the PIA being submitted to DON 
CIO for review and final approval, making a determination as to whether 
the new IT system constitutes a PA system of records. If it does, 
determines whether an existing system covers the collection or whether 
a new systems notice will have to be written and approved. As 
necessary, assists the DON activity in creating and getting a new PA 
system of records notice approved.
    (d) DON CIO. (1) Integrates protection of PPI into the overall DON 
major information system life cycle management process as defined in 
the E-Government Act of 2002 (Pub. L. 107-347).
    (2) Provides guidance for effective assessment and utilization of 
privacy-related technologies.
    (3) Provides guidance to DON officials on the conduct of PIAs (see 
their Web site at https://www.doncio.navy.mil) and oversees DON PIA 
policy and procedures to ensure PIAs are conducted commensurate with 
the information system being assessed, the sensitivity of IIF in that 
system, and the risk of harm for unauthorized release of that 
information. Also, DON CIO reserves the right to request that a PIA be 
completed on any system that may have privacy risks.
    (4) Reviews and approves all PIAs for the DON and submits the 
approved PIAs to DOD and OMB according to Federal and DOD guidance.
    (5) Serves as the focal point in establishing and validating DON 
information systems privacy requirements and coordinating issues with 
other DOD Military Departments and Federal Agencies.
    (6) Develops and coordinates privacy policy, procedures, education, 
training, and awareness practices regarding DON information systems.
    (7) Compiles and prepares responses to either DOD or OMB regarding 
PIA issues.
    (8) Develops and coordinates DON web privacy policy, education, 
training and an awareness program in accordance with DON Web privacy 
requirements including annual Web site privacy posting training with 
CNO (DNS-36).
    (9) Provides guidance toward effective research and development of 
privacy-related technologies.
    (10) Serves as the focal point in establishing and validating DON 
Web privacy requirements and coordinating issues with DOD, other 
Military Departments, and other Federal agencies.
    (11) Provides guidance on the use of encryption software to protect 
privacy sensitive information.
    (12) Implements DON IT privacy requirements and coordinates IT 
information system requirements that cross service boundaries with the 
Joint Staff.
    (13) Provides recommended changes to CNO (DNS-36) on policy 
guidance set forth in this instruction regarding IT privacy policy and 
procedures that includes requirements/guidance for conducting PIAs.
    (14) Provides input to CNO (DNS-36) for inclusion in the FISMA 
Report.
    (15) Serves on the DON PA Oversight Working Group.
    (e) The Chief of Information (CHINFO) and U.S. Marine Corps 
Director of Public Affairs (DIRPA). CHINFO and DIRPA, in accordance 
with DON CIO guidance on Department-wide Information Management (IM) 
and IT matters, are responsible for developing and administering Navy 
and Marine Corps Web site privacy policies and procedures respectively 
per SECNAVINST 5720.47B. Additionally, CHINFO and DIRPA:
    (1) Maintains master World Wide Web (WWW) page to issue new 
service-specific Web privacy guidance. CHINFO will maintain a master 
WWW page to issue DON guidance and DIRPA will link to that page. All 
significant changes to this Web site and/or its location will be issued 
via Naval (ALNAV) message.
    (2) Maintains overall cognizance for DON and U.S. Marine Corps Web 
sites and Web site content-related questions as they pertain to Web 
site privacy requirements.
    (3) Ensures that public-facing Web sites have machine-readable 
privacy policies (i.e., web privacy policies are P3P-enabled or 
automatically readable using some other tool).
    (4) Provides input to CNO (DNS-36) for inclusion in the FISMA 
Report.
    (5) Serves on the DON PA Oversight Working Group.
    (f) DON PA Oversight Working Group. The DON PA Oversight Working 
Group is charged with reviewing and coordinating compliance with DON PA 
program initiatives. CNO (DNS-36) will chair this working group, 
hosting meetings as deemed appropriate to discuss best PA practices, PA 
issues, FISMA reporting and other reporting requirements, PA training 
initiatives, etc. At a minimum, membership shall consist of CNO (DNS-
36), DON CIO, CMC (ARSF), CMC (C4I-IA), OJAG (Code 13), OGC (PA/FOIA), 
CMC (JAR), CHINFO, and CMC (PA).
    (g) DON activities. Each DON activity is responsible for 
implementing and administering a PA program under this subpart and 
subpart G.
    (h) Navy Echelon 2 and 3 Commands and Marine Corps Major 
Subordinate Commands. Each Navy Echelon 2 and 3 Command and Marine 
Corps Major Subordinate Command will designate a PA Coordinator to:
    (1) Serve as principal point of contact on PA matters.
    (2) Advise CNO (DNS-36) promptly of the need to establish a new 
Navy PA system of records; amend or alter an existing Navy system of 
records; or, delete a Navy system of records that is no longer needed.
    (3) Advise CMC (ARSF) promptly of the need to establish a new 
Marine Corps PA system of records; amend or alter an existing Marine 
Corps system of records; or, delete a Marine Corps system of records 
that is no longer needed.
    (4) Ensure no official files are maintained on individuals that are 
retrieved by name or other personal identifier without first ensuring 
that a system of records notice exists that permits such collection.
    (5) Ensure that PA systems of records managers are properly trained 
on their responsibilities for protecting PPI being collected and 
maintained under the DON PA Program.
    (6) Provide overview training to activity/command personnel on the 
provisions of this subpart and subpart G.
    (7) Issue an implementing instruction which designates the 
activity's PA Coordinator, addresses PA records disposition, addresses 
PA processing procedures, identifies those PA systems of records being 
used by their activity; and provide training/guidance to those 
personnel involved with collecting, maintaining, disseminating 
information from a PA system of records.
    (8) Review internal directives, forms, practices, and procedures, 
including

[[Page 27540]]

those having PA implications and where Statements (PAS) are used or PPI 
is solicited.
    (9) Maintain liaison with records management officials (e.g., 
maintenance and disposal procedures and standards, forms, and reports), 
as appropriate.
    (10) Provide guidance on handling PA requests; scope of PA 
exemptions; and the fees, if any, that may be collected.
    (11) Conduct staff assistance visits or program evaluations within 
their command and lower echelon commands to ensure compliance with the 
PA.
    (12) Work closely with their PA systems managers to ensure they are 
properly trained with regard to collecting, maintaining, and 
disseminating information in a PA system of records notice.
    (13) Process PA complaints.
    (14) Ensure protocols are in place to avoid instances of loss of 
PPI. Should a loss occur, take immediate action to apprise affected 
individuals of how to ensure their identity has not been compromised.
    (15) Work closely with their public affairs officer and/or web 
master to ensure that PPI is not placed on public Web sites or in 
public folders.
    (16) Annually conduct reviews of their PA systems of records to 
ensure that they are necessary, accurate, and complete.
    (17) Provide CNO (DNS-36) or CMC (ARSF) respectively, with a 
complete listing of all PA Coordinators under their jurisdiction. Such 
information should include activity name, complete mailing and E-Mail 
addresses, office code, name of PA Coordinator, and commercial, DSN, 
and FAX telephone numbers.
    (18) Review and validate PIAs for their information systems and 
submit the validation to CNO (DNS-36) for Navy information systems or 
to HQMC (ARSF) for Marine Corps information systems.
    (i) DON employees/contractors. DON employees/contractors are 
responsible for safeguarding the rights of others by:
    (1) Ensuring that PPI contained in a system of records, to which 
they have access or are using to conduct official business, is 
protected so that the security and confidentiality of the information 
is preserved.
    (2) Not disclosing any information contained in a system of records 
by any means of communication to any person or agency, except as 
authorized by this instruction or the specific PA systems of records 
notice.
    (3) Not maintaining unpublished official files that would fall 
under the provisions of 5 U.S.C. 552a.
    (4) Safeguarding the privacy of individuals and confidentiality of 
PPI contained in a system of records.
    (5) Properly marking all documents containing PPI data (e.g., 
letters, E-Mails, message traffic, etc.) as ``FOR OFFICIAL USE ONLY--
PRIVACY SENSITIVE--Any misuse or unauthorized disclosure can result in 
both civil and criminal penalties.''
    (6) Not maintaining privacy-sensitive information in public 
folders.
    (7) Reporting any unauthorized disclosure of PPI from a system of 
records to the applicable Privacy Point of Contact (POC) for his/her 
activity.
    (8) Reporting the maintenance of any unauthorized system of records 
to the applicable Privacy POC for his/her activity.
    (j) Denial authority. Within DON, the head of the activity having 
cognizance over an exempt PA system of record is authorized to deny 
access to that information under the exemptions cited in the PA systems 
of records notice. The denial authority may also deny requests to amend 
a system of records or to deny notification that a record exists. As 
deemed appropriate, the head of the activity may further designate 
initial denial authority to an individual properly trained on the 
provisions of the PA and this subpart and subpart G of this part.
    (k) Release authority. Within DON, officials having cognizance over 
a non-exempt PA system of record that is requested by a first party or 
his/her authorized representative are authorized to release records. A 
release authority may also grant requests for notification and 
amendment of systems of records. The PA systems manager, who is 
properly trained on the provisions of 5 U.S.C. 552a, DOD Directive 
5400.11 and DOD 5400.11-R, may be delegated this responsibility.
    (l) Review authority. (1) Assistant Secretary of the Navy (Manpower 
& Reserve Affairs) (ASN(M&RA)) is designated to act upon requests for 
administrative review of initial denials of requests for amendment of 
records related to fitness reports and performance evaluations of 
military personnel.
    (2) Both the JAG and GC are designated to act upon requests for 
administrative review of initial denials of records for notification, 
access, or amendment of records under their cognizance.
    (3) The authority of SECNAV, as the head of an agency, to request 
records subject to the PA from an agency external to DOD for civil or 
criminal law enforcement purposes, under (b)(7) of 5 U.S.C. 552a, is 
delegated to CMC; the Commander, Naval Criminal Investigative Service; 
JAG and GC.
    (m) System manager. System managers are responsible for overseeing 
the collection, maintenance, use, and dissemination of information from 
a PA system of records and ensuring that all personnel who have access 
to those records are aware of their responsibilities for protecting PPI 
that is being collected or maintained. In this capacity, they shall:
    (1) Establish appropriate administrative, technical, and physical 
safeguards to ensure the records in every system of records are 
protected from unauthorized alteration, destruction, or disclosure.
    (2) Protect the records from reasonably anticipated threats or 
hazards that could result in substantial harm, embarrassment, 
inconvenience, or unfairness to any individual on whom information is 
maintained.
    (3) Work closely with their coordinator to ensure that all 
personnel who have access to a PA system of records are properly 
trained on their responsibilities under the PA. Training materials may 
be downloaded from https://www.privacy.navy.mil.
    (4) Ensure that no illegal files are maintained.


    Note: Official files on individuals that are retrieved by name 
and/or personal identifier must be approved and published in the 
Federal Register.


    (5) Review annually each PA system of records notice under their 
cognizance to determine if the records are up-to-date and/or used in 
matching programs and whether they are in compliance with the OMB 
Guidelines. Such items as organization names, titles, addresses, etc., 
frequently change and should be reported to CNO (DNS-36) for updating 
and publication in the Federal Register.
    (6) Work with IT personnel to identify any new information systems 
being developed that contain PPI. If a PA systems notice does not exist 
to allow for the collection, assist in creating a new systems notice 
that permits collection.
    (7) Complete and maintain a PIA for those systems that collect, 
maintain or disseminate IIF, according to DON PIA guidance found at 
https://www.privacy.navy.mil and https://www.doncio.navy.mil.
    (8) Complete and maintain a disclosure accounting form for all 
disclosures made without the consent of the record subject, except 
those made within DOD or under FOIA. (See 701.111).
    (9) Ensure that only those DOD/DON officials with a ``need to 
know'' in the

[[Page 27541]]

official performance of their duties has access to information 
contained in a system of records.
    (10) Ensure safeguards are in place to protect the privacy of 
individuals and confidentiality of PPI contained in a system of 
records.
    (11) Ensure that records are maintained in accordance with the 
identified PA systems of records notice.
    (12) Ensure that each newly proposed PA system of records notice is 
evaluated for need and relevancy and confirm that no existing PA system 
of records notice covers the proposed collection.
    (13) Stop collecting any category or item of information about 
individuals that is no longer justified, and when feasible remove the 
information from existing records.
    (14) Ensure that records are kept in accordance with retention and 
disposal requirements set forth in SECNAVINST 5720.47B.
    (15) Take reasonable steps to ensure the accuracy, relevancy, 
timeliness, and completeness of a record before disclosing the record 
to anyone outside the Federal Government.
    (16) Identify all systems of records that are maintained in whole 
or in part by contractor personnel, ensuring that they are properly 
trained and that they are routinely inspected for PA compliance.


Sec.  701.105  Policy.

    DON recognizes that the privacy of an individual is a personal and 
fundamental right that shall be respected and protected and that PPI 
shall be collected, maintained, used, or disclosed to ensure that it is 
relevant and necessary to accomplish a lawful DON/DOD purpose required 
to be accomplished by statute or Executive Order (E.O.). Accordingly, 
it is DON policy that DON activities shall fully comply with 5 U.S.C. 
552a, DOD Directive 5400.11 and DOD 5400.11-R to protect individuals 
from unwarranted invasions of privacy when information is collected, 
processed, maintained, or disseminated. To ensure compliance, DON 
activities shall follow the procedures listed in this section.
    (a) Collection, Maintenance and Use. (1) Only maintain systems of 
records that have been approved and published in the Federal Register. 
(See https://www.privacy.navy.mil for a list of all DOD, Navy, Marine 
Corps, and component systems of records notices, as well as, links to 
Government-wide systems that the DON is eligible to use).


    Note: CNO (DNS-36) can assist Navy activities in identifying 
existing systems that may meet their needs and HQMC (ARSF) can 
assist Marine Corps activities.


    (2) Only collect, maintain, and use PPI needed to support a DON 
function or program as authorized by law or E.O. and disclose this 
information only as authorized by 5 U.S.C. 552a, this subpart and 
subpart G of this part. In assessing need, DON activities shall 
consider alternatives such as: truncating the SSN by only using the 
last four digits; using information that is not individually 
identifiable; using a sampling of certain data for certain individuals 
only. Additionally, they shall consider the length of time the 
information is needed and the cost of maintaining the information 
compared to the risks and adverse consequences of not maintaining the 
information.
    (3) Only maintain PPI that is timely, accurate, complete, and 
relevant to the purpose for which it was collected.
    (4) DON activities shall not maintain records describing how an 
individual exercises his/her rights guaranteed by the First Amendment 
(freedom of religion; freedom of political beliefs; freedom of speech; 
freedom of the press; the right to peaceful assemblage; and petition 
for redress of grievances), unless they are: expressly authorized by 
statute; authorized by the individual; within the scope of an 
authorized law enforcement activity; or are used for the maintenance of 
certain items of information relating to religious affiliation for 
members of the naval service who are chaplains.


    Note: This should not be construed, however, as restricting or 
excluding solicitation of information that the individual is willing 
to have in his/her record concerning religious preference, 
particularly that required in emergency situations.


    (b) Disposal. Dispose of records from systems of records to prevent 
inadvertent disclosure. To this end:
    (1) Disposal methods are considered adequate if the records are 
rendered unrecognizable or beyond reconstruction (e.g., tearing, 
burning, melting, chemical decomposition, burying, pulping, 
pulverizing, shredding, or mutilation). Magnetic media may be cleared 
by completely erasing, overwriting, or degaussing the tape.
    (2) DON activities may recycle PA data. Such recycling must be 
accomplished to ensure that PPI is not compromised. Accordingly, the 
transfer of large volumes of records in bulk to an authorized disposal 
activity is not considered a disclosure of records.
    (3) When disposing of or destroying large quantities of records 
from a system of records, DON activities must ensure that the records 
are disposed of to preclude easy identification of specific records.
    (c) Individual access. (1) Allow individuals to have access to and/
or copies of all or portions of their records to which they are 
entitled. In the case of a legal guardian or custodial parent of a 
minor, they have the same rights as the individual he/she represents. A 
minor is defined as an individual under the age of 18. In the case of 
members of the Armed Forces under the age of 18, they are not 
considered to be minors for the purposes of the PA.
    (2) Enter all PA first-party access requests into a tracking system 
and assign a case file number. (Files should comply with DON PA systems 
of records notice NM05211-1, PA Request Files and Tracking System at 
https://www.privacy.navy.mil/notices.)
    (3) Allow individuals to seek amendment of their records when they 
can identify and provide proof that factual information contained 
therein is erroneous, untimely, incomplete, or irrelevant. While 
opinions are not subject to amendment, individuals who are denied 
access to amending their record may have a statement of disagreement 
added to the file.
    (4) Allow individuals to appeal decisions that deny them access to 
or refusal to amend their records. If a request to amend their record 
is denied, allow the individual to file a written statement of 
disagreement.
    (d) Posting and use of PA sensitive information. (1) Do not post 
PPI on an Internet site. Also, limit the posting and use of PA 
sensitive information on an Intranet Web site, letter, FAX, e-mail, 
etc.
    (2) When posting or transmitting PPI, ensure the following legend 
is posted on the document: ``FOR OFFICIAL USE ONLY--PRIVACY ACT 
SENSITIVE: Any misuse or unauthorized disclosure of this information 
may result in both criminal and civil penalties.''
    (e) Safeguarding PPI. DON activities shall establish appropriate 
administrative, technical and physical safeguards to ensure that the 
records in every system of records are protected from unauthorized 
alteration or disclosure and that their confidentiality is protected. 
Protect the records against reasonably anticipated threats of hazards 
that could result in substantial harm, embarrassment, inconvenience, or 
unfairness to any individual about whom information is kept. At a 
minimum, DON activities shall:
    (1) Tailor system safeguards to conform to the type of records in 
the system, the sensitivity of the PPI stored, the storage medium used, 
and the number of records maintained.

[[Page 27542]]

    (2) Treat all unclassified records that contain PPI that normally 
would be withheld from the public under FOIA exemptions (b)(6) and 
(b)(7)(C) as if they were designated ``For Official Use Only'' and 
safeguard them from unauthorized disclosure.
    (3) Ensure that privacy considerations are addressed in the 
reengineering of business processes and take proactive steps to ensure 
compliance with the PA and 5 U.S.C. 552a as they move from conducting 
routine business via paper to electronic media.
    (4) Recognize the importance of protecting the privacy of its 
members, especially as it modernizes its collection systems. Privacy 
issues must be addressed when systems are being developed, and privacy 
protections must be integrated into the development life cycle of 
automated systems. This applies also to contractors, vendors, and other 
entities that develop, procure, or use IT systems under contract to 
DOD/DON, to collect, maintain, or disseminate IIF from or about members 
of the public (see Sec.  701.115).
    (5) Ensure that adequate safeguards are implemented and enforced to 
prevent misuse, unauthorized disclosure, alteration, or destruction of 
PPI in records per 5 U.S.C. 552a, this subpart and subpart G of this 
part.


Sec.  701.106  Collecting information about individuals.

    (a) Collecting information directly from the individual. To the 
greatest extent practicable, collect information for systems of records 
directly from the individual to whom the record pertains if the record 
may be used to make an adverse determination about the individual's 
rights, benefits, or privileges under a Federal program.
    (b) Collecting information about individuals from third persons. It 
may not always be practical to collect all information about an 
individual directly. For example, when verifying information through 
other sources for security or employment suitability determinations; 
seeking other opinions, such as a supervisor's comments on past 
performance or other evaluations; obtaining the necessary information 
directly from the individual would be exceptionally difficult or would 
result in unreasonable costs or delays; or, the individual requests or 
consents to contacting another person to obtain the information.
    (c) Soliciting the SSN. (1) It is unlawful for any Federal, State, 
or local government agency to deny an individual a right, benefit, or 
privilege provided by law because the individual refuses to provide 
his/her SSN. However, this prohibition does not apply if a Federal law 
requires that the SSN be provided, or the SSN is required by a law or 
regulation adopted before January 1, 1975, to verify the individual's 
identity for a system of records established and in use before that 
date.
    (2) Before requesting an individual to provide the SSN, the 
individual must be advised whether providing the SSN is mandatory or 
voluntary; by what law or other authority the SSN is solicited; and 
what uses will be made of the SSN.
    (3) The preceding advice relates only to the SSN. If other 
information about the individual is solicited for a system of records, 
a PAS also must be provided.
    (4) The notice published in the Federal Register for each system of 
records containing SSNs solicited from individuals must indicate the 
authority for soliciting the SSNs and whether it is mandatory for the 
individuals to provide their SSN. E.O. 9397 requires Federal Agencies 
to use SSNs as numerical identifiers for individuals in most Federal 
records systems. However, it does not make it mandatory for individuals 
to provide their SSNs.
    (5) When entering military service or civilian employment with the 
DON, individuals are asked to provide their SSNs. In many instances, 
this becomes the individual's numerical identifier and is used to 
establish personnel, financial, medical, and other official records (as 
authorized by E.O. 9397). The individuals must be given the 
notification described above. Once the individual has provided his/her 
SSN to establish a record, a notification is not required when the SSN 
is requested only for identification or to locate the records.
    (6) DON activities are discouraged from collecting SSNs when 
another identifier would suffice. In those instances where activities 
wish to differentiate individuals, they may find it advantageous to 
only collect the last four digits of the individual's SSN, which is not 
considered to be privacy sensitive.
    (7) If a DON activity requests an individual's SSN even though it 
is not required by Federal statute, or is not for a system of records 
in existence and operating prior to January 1, 1975, it must provide a 
PAS and make it clear that disclosure of the number is voluntary. 
Should the individual refuse to disclose his/her SSN, the activity must 
be prepared to identify the individual by alternate means.
    (d) Contents of a PAS. (1) When an individual is requested to 
furnish PPI for possible inclusion in a system of records, a PAS must 
be provided to the individual, regardless of the method used to collect 
the information (e.g., forms, personal or telephonic interview, etc). 
If the information requested will not be included in a system of 
records, a PAS is not required.
    (2) The PAS shall include the following:
    (i) The Federal law or E.O. that authorizes collection of 
information (i.e., E.O. 9397 authorizes collection of SSNs);
    (ii) Whether or not it is mandatory for the individual to provide 
the requested information. (Note: It is only mandatory when a Federal 
law or E.O. of the President specifically imposes a requirement to 
furnish the information and provides a penalty for failure to do so. If 
furnishing information is a condition precedent to granting a benefit 
or privilege voluntarily sought by the individual, then the individual 
may decline to provide the information and decline the benefit);
    (iii) The principal purposes for collecting the information;
    (iv) The routine uses that will be made of the information (e.g., 
to whom and why it will be disclosed outside DOD); and
    (v) The possible effects on the individual if the requested 
information is not provided.
    (3) The PAS must appear on the form used to collect the information 
or on a separate form that can be retained by the individual collecting 
the information. If the information is collected by a means other than 
a form completed by the individual, i.e., solicited over the telephone, 
the PAS should be read to the individual and if requested by the 
individual, a copy sent to him/her. There is no requirement that the 
individual sign the PAS.
    (e) Format for a PAS. When forms are used to collect information 
about individuals for a system of records, the PAS shall appear as 
follows (listed in the order of preference):
    (1) Immediately below the title of the form;
    (2) Elsewhere on the front page of the form (clearly indicating it 
is the PAS);
    (3) On the back of the form with a notation of its location below 
the title of the form; or,
    (4) On a separate form which the individual may keep.
    (f) Using forms issued by non-DOD activities. Forms subject to the 
PA issued by other Federal agencies have a PAS attached or included. 
DON activities shall ensure that the statement prepared by the 
originating agency is adequate for the purpose for which the form will 
be used by the DON activity. If the PAS provided is inadequate, the

[[Page 27543]]

DON activity concerned shall prepare a new statement or a supplement to 
the existing statement before using the form. Forms issued by agencies 
not subject to the PA (state, municipal, and local agencies) do not 
contain a PAS. Before using a form prepared by such agencies to collect 
PPI subject to this subpart and subpart G, an appropriate PAS must be 
added.


Sec.  701.107  Record access.

    The access provisions of this subpart and subpart G of this part 
are intended for use by individuals about whom records are maintained 
in systems of records. Accordingly, only individuals seeking first 
party access to records retrieved by their name and/or personal 
identifier from a system of records have access under the provisions of 
5 U.S.C. 552a, this subpart and subpart G of this part, unless they 
provide written authorization for their representative to act on their 
behalf. (See Sec.  701.107(e) regarding access by custodial parents and 
legal guardians.)
    (a) How to request records. Individuals shall address requests for 
access to records retrieved by their name and/or personal identifier to 
the PA systems manager or to the office designated in the paragraph 
entitled, ``Record Access Procedures.''
    (1) DON activities may not require an individual to state a reason 
or justify the need to gain access under 5 U.S.C. 552a, this subpart 
and subpart G of this part.
    (2) However, an individual must comply with the requirements of the 
PA and this instruction in order to seek access to records under the 
provisions of 5 U.S.C. 552a, this subpart and subpart G of this part. 
Specifically, individuals seeking access to records about themselves 
that are maintained in a PA system of records must sign their request 
and provide specific identifying data to enable a search for the 
requested record. Failure to sign the request or to provide sufficient 
identifying data to locate the record will result in the request being 
returned for non-compliance with the ``Record Access Procedures'' cited 
in the PA system of records notice.
    (b) Authorized access. (1) Individuals may authorize the release of 
all or part of their records to anyone they choose provided they submit 
a signed authorization to that DON activity. Such authorization must 
specifically state the records to which the individual may have access.
    (2) Individuals may be accompanied by anyone they choose when 
seeking to review their records. In such instance, DON activities shall 
require the individual to provide a written authorization to allow the 
record to be discussed in front of the other person.
    (c) Failure to comply. First party requesters will be granted 
access to their records under the provisions of the PA, unless:
    (1) They did not properly identify the records being sought; did 
not sign their request; and/or failed to provide sufficient identifying 
data to locate the requested record(s);
    (2) They are seeking access to information in a system of records 
that is exempt from disclosure in whole or in part under the provisions 
of 5 U.S.C. 552a;
    (3) They are seeking access to information that was compiled in 
anticipation of a civil action or proceeding (i.e., 5 U.S.C. 552a(d)(5) 
applies). The term ``civil action or proceeding'' includes quasi-
judicial and pre-trial judicial proceedings, as well as formal 
litigation. However, this does not prohibit access to records compiled 
or used for purposes other than litigation or to records frequently 
subject to litigation. The information must have been compiled for the 
primary purpose of litigation to be withheld under 5 U.S.C. 552a(d)(5); 
or
    (4) They are seeking access to information contained in the system 
that is currently and properly classified (see 5 U.S.C. 552a(k)(1)).
    (d) Blanket requests. Many DON activities are unable to respond to 
``blanket'' requests from individuals for access or copies of ``all 
records pertaining to them,'' because they do not have a centralized 
index that would allow them to query by name and personal identifier to 
identify ``all files.'' Accordingly, it is the requester's 
responsibility to identify the specific PA system of records notice for 
which they seek information. To assist the requester in identifying 
such systems, DON activities shall apprise the requester that a listing 
of all DON PA systems of records can be downloaded from https://
www.privacy.navy.mil and that they should identify the specific records 
they are seeking and write directly to the PA systems manager listed in 
the notice, following the guidance set forth under the section entitled 
``Record Access Procedures'' of the notice.
    (e) Access by custodial parents and legal guardians. The custodial 
parent of any minor, or the legal guardian of any individual declared 
by a court of competent jurisdiction to be incompetent due to physical 
or mental incapacity or age, may obtain access to the record of the 
minor or incompetent individual under the provisions of the PA, if they 
are acting on behalf of/in the best interest of/for the benefit of the 
minor or incompetent. If the systems manager determines that they are 
not acting on behalf of/in the best interest of/for the benefit of the 
minor or incompetent, access will not be granted under the PA and the 
request will be processed under FOIA (5 U.S.C. 552). See 701.122 
regarding access to medical records.
    (f) Access by a minor or incompetent. The right of access of the 
parent or legal guardian is in addition to that of the minor or 
incompetent. Although a minor or incompetent has the same right of 
access as any other individual under this subpart and subpart G of this 
part, DON activities may wish to ascertain whether or not the 
individual is being coerced to obtain records for the benefit of 
another. If so, the activity may refuse to process the request under 
the provisions of PA.
    (g) Requests from members of Congress. Requests received from a 
Member of Congress on behalf of a constituent shall be processed under 
the provisions of the PA and this subpart and subpart G of this part if 
the requester is seeking access to records about the constituent 
contained in a non-exempt PA system of records (i.e., first party 
request). Otherwise, the request will be processed under the provisions 
of the FOIA (see 5 U.S.C. 552) since the request is received from a 
third party (i.e., not the record subject).
    (1) The DOD ``Blanket Routine Uses'' enables DON activities to 
process requests from Members of Congress on behalf of their 
constituents without submitting a written authorization from the 
constituent granting authorization to act on their behalf.
    (2) In those instances where the DON activity wishes to verify that 
a constituent is seeking assistance from a Member of Congress, an oral 
or written statement by a Congressional staff member is sufficient to 
confirm that the request was received from the individual to whom the 
record pertains.
    (3) If the constituent inquiry is made on behalf of an individual 
other than the record subject (i.e., a third party requester), advise 
the Member of Congress that a written consent from the record subject 
is required before information may be disclosed. Do not contact the 
record subject to obtain consent for the disclosure to the Member of 
Congress, unless specifically requested by the Member of Congress.
    (4) Depending on the sensitivity of the information being 
requested, a DON activity may choose to provide the record directly to 
the constituent and notify the congressional office that this

[[Page 27544]]

has been done without providing the record to the congressional member.
    (h) Release of PPI. Release of PPI to individuals under the PA and/
or this subpart or subpart G is not considered to be a public release 
of information.
    (i) Verification of identity. (1) An individual shall provide 
reasonable verification of identity before obtaining access to records. 
In the case of seeking to review a record in person, identification of 
the individual can be verified by documents they normally carry (e.g., 
identification card, driver's license, or other license, permit/pass). 
DON activities shall not, however, deny access to an individual who is 
the subject of the record solely for refusing to divulge his/her SSN, 
unless it is the only means of retrieving the record or verifying 
identity.
    (2) DON activities may not insist that a requester submit a 
notarized signature to request records. Instead, the requester shall be 
offered the alternative of submitting an unsworn declaration that 
states ``I declare under perjury or penalty under the laws of the 
United States of America that the foregoing is true and correct.''
    (j) Telephonic requests. DON activities shall not honor telephonic 
requests nor unsigned E-Mail/FAX/letter requests for first party access 
to a PA system of records.
    (k) Denials. (1) An individual may be denied access to a record 
pertaining to him/her only if the record was compiled in reasonable 
anticipation of civil action; is in a system of records that has been 
exempted from the access provisions of this subpart and subpart G of 
this part under one of the permitted exemptions; contains classified 
information that has been exempted from the access provision of this 
instruction under the blanket exemption for such material claimed for 
all DOD PA systems of records; is contained in a system of records for 
which access may be denied based on some other federal statute.
    (2) Only deny the individual access to those portions of the 
records for which the denial of access serves some legitimate 
governmental purpose.
    (3) Only a designated denial authority may deny access to 
information contained in an exempt PA system of records. The denial 
must be in writing and at a minimum include the name, title or position 
and signature of the designated denial authority; the date of the 
denial; the specific reason for the denial, including specific citation 
to the appropriate sections of the PA or other statutes, this 
instruction, or CFR authorizing the denial; notice to the individual of 
his/her right to appeal the denial through the component appeal 
procedure within 60 calendar days; and, the title or position and 
address of the PA appeals official for the DON.
    (l) Illegible or incomplete records. DON activities may not deny an 
individual access to a record solely because the physical condition or 
format of the record does not make it readily available (i.e., when the 
record is in a deteriorated state or on magnetic tape). DON activities 
may either prepare an extract or recopy the document and mark it ``Best 
Copy Available.''
    (m) Personal notes. (1) Certain documents under the physical 
control of a DON employee and used to assist him/her in performing 
official functions are not considered ``agency records'' within the 
meaning of this instruction. Un-circulated personal notes and records 
that are not disseminated or circulated to any person or organization 
(e.g., personal telephone lists or memory aids) that are retained or 
discarded at the author's discretion and over which the DON activity 
does not exercise direct control, are not considered ``agency 
records.'' However, if personnel are officially directed or encouraged, 
either in writing or orally, to maintain such records, they may become 
``agency records,'' and may be subject this subpart and subpart G of 
this part.
    (2) The personal uncirculated handwritten notes of unit leaders, 
office supervisors, or military supervisory personnel concerning 
subordinates are not systems of records within the meaning of this 
instruction. Such notes are an extension of the individual's memory. 
These notes, however, must be maintained and discarded at the 
discretion of the individual supervisor and not circulated to others. 
Any established requirement to maintain such notes (such as, written or 
oral directives, regulations, or command policy) make these notes 
``agency records'' and they then must be made a part of a system of 
records. If the notes are circulated, they must be made a part of a 
system of records. Any action that gives personal notes the appearance 
of official agency records is prohibited, unless the notes have been 
incorporated into a system of records.
    (n) Compiled in anticipation of litigation. An individual is not 
entitled to access information compiled in reasonable anticipation of a 
civil action or proceeding. Accordingly, deny access under 5 U.S.C. 
552a(d)(5) and then process under FOIA (SECNAVINST 5740.42F) to 
determine releasibility.


Sec.  701.108  Amendment of records.

    Amendments under this subpart and subpart G of this part are 
limited to correcting factual or historical matters (i.e., dates and 
locations of service, participation in certain actions of activities, 
not matters of opinion (e.g., evaluations of work performance and 
assessments of promotion potential contained in employee evaluations, 
fitness reports, performance appraisals, or similar documents)) except 
when such matters of