Department of Defense Privacy Program, 18758-18790 [E7-6118]

Agencies

• Office of the Secretary
• DEPARTMENT OF DEFENSE

[Federal Register Volume 72, Number 71 (Friday, April 13, 2007)]
[Rules and Regulations]
[Pages 18758-18790]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-6118]



[[Page 18757]]

-----------------------------------------------------------------------

Part II





Department of Defense





-----------------------------------------------------------------------



32 CFR Part 310



Department of Defense Privacy Program; Final Rule

Federal Register / Vol. 72, No. 71 / Friday, April 13, 2007 / Rules 
and Regulations

[[Page 18758]]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[DoD-2006-OS-0129]
RIN 0790-AB03

32 CFR Part 310


Department of Defense Privacy Program

AGENCY: Department of Defense.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Defense is updating policies and 
responsibilities for the Defense Privacy Program which implements the 
Privacy Act of 1974.

EFFECTIVE DATE: April 13, 2007.

FOR FURTHER INFORMATION CONTACT: Mr. Vahan Moushegian, Jr., at (703) 
607-2943.

SUPPLEMENTARY INFORMATION: The proposed rule was published in the 
Federal Register on July 14, 2006 at 71 FR 40282. No public comments 
were received. Some administrative changes were made as a result of 
comments on the corresponding DoD issuance and Office of Management and 
Budget guidance. Changes involve revision of the terms for personal and 
compromised information; the incorporation of additional considerations 
when determining if a social security number will be collected; a 
reorganization of the procedures involving Congressional or General 
Accountability Office access to records; an expanded explanation of 
record disposal procedures and the access exemption; additional 
consideration involving training and technical/special security 
requirements; and new notification procedures when there is a loss or 
theft of information.

Executive Order (E.O.) 12866, ``Regulatory Planning and Review''

    It has been determined that 32 CFR part 310 is not a significant 
regulatory action. The rule does not
    (1) Have an annual effect on the economy of $100 million or more or 
adversely affect in a material way the economy; a sector of the 
economy; productivity; competition; jobs; the environment; public 
health or safety; or State, local, or tribal governments or 
communities;
    (2) Create a serious inconsistency or otherwise interfere with an 
action taken or planned by another Agency;
    (3) Materially alter the budgetary impact of entitlements, grants, 
user fees, or loan programs, or the rights and obligations of 
recipients thereof; or
    (4) Raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
this Executive Order.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. Chapter 6)

    It has been determined that this rule is not subject to the 
Regulatory Flexibility Act because it would not, if promulgated, have a 
significant economic impact on a substantial number of small entities 
because it is only concerned with the administration of Privacy Program 
within the Department of Defense.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

    It has been determined that this rule does not impose information 
requirements beyond the Department of Defense and that the information 
collected within the Department of Defense is necessary and consistent 
with 5 U.S.C. 552a, known as the Privacy Act of 1974.

Section 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    It has been determined that the rule does not involve a Federal 
mandate that may result in the expenditure by State, local and tribal 
governments, in the aggregate, or by the private sector, of $100 
million or more in any one year.

Executive Order 13132, ``Federalism''

    It has been determined that this rule does not have federalism 
implications. The rule does not have substantial direct effects on the 
States, the relationship between the National Government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government.

List of Subjects in 32 CFR Part 310

    Privacy.


0
Accordingly, 32 CFR part 310 is revised as follows.

PART 310--DOD PRIVACY PROGRAM

Subpart A--DoD Policy
Sec.
310.1 Reissuance.
310.2 Purpose.
310.3 Applicability and scope.
310.4 Definitions.
310.5 Policy.
310.6 Responsibilities.
310.7 Information requirements.
310.8 Rules of conduct.
310.9 Privacy boards and office, composition and responsibilities.
Subpart B--Systems of Records
310.10 General.
310.11 Standards of accuracy.
310.12 Government contractors.
310.13 Safeguarding personal information.
310.14 Notification when information is lost, stolen, or 
compromised.
Subpart C--Collecting Personal Information
310.15 General considerations.
310.16 Forms.
Subpart D--Access by Individuals
310.17 Individual access to personal information.
310.18 Denial of individual access.
310.19 Amendment of records.
310.20 Reproduction fees.
Subpart E--Disclosure of Personal Information to Other Agencies and 
Third Parties
310.21 Conditions of disclosure.
310.22 Non-consensual conditions of disclosure.
310.23 Disclosures to commercial enterprises.
310.24 Disclosures to the public from medical records.
310.25 Disclosure accounting.
Subpart F--Exemptions
310.26 Use and establishment of exemptions.
310.27 Access exemption.
310.28 General exemption.
310.29 Specific exemptions.
Subpart G--Publication Requirements
310.30 Federal Register publication.
310.31 Exemption rules.
310.32 System notices.
310.33 New and altered record systems.
310.34 Amendment and deletion of system notices.
Subpart H--Training Requirements
310.35 Statutory training requirements.
310.36 OMB training guidelines.
310.37 DoD training programs.
310.38 Training methodology and procedures.
310.39 Funding for training.
Subpart I--Reports
310.40 Requirement for reports.
310.41 Suspense for submission of reports.
310.42 Reports control symbol.
Subpart J--Inspections
310.43 Privacy Act inspections.
310.44 Inspection reporting.
Subpart K--Privacy Act Violations
310.45 Administrative remedies.
310.46 Civil actions.
310.47 Civil remedies.
310.48 Criminal penalties.
310.49 Litigation status sheet.
310.50 Lost, stolen, or compromised information.
Subpart L--Computer Matching Program Procedures
310.51 General.
310.52 Computer matching publication and review requirements.
310.53 Computer matching agreements (CMAs).
Appendix A to Part 310--Safeguarding Personally Identifiable 
Information
Appendix B to Part 310--Sample Notification Letter

[[Page 18759]]

Appendix C to Part 310--DoD Blanket Routine Uses
Appendix D to Part 310--Provisions of the Privacy Act From Which a 
General or Specific Exemption May Be Claimed
Appendix E to Part 310--Sample of New or Altered System of Records 
Notice in Federal Register Format
Appendix F to Part 310--Format for New or Altered System Report
Appendix G to Part 310--Sample Amendments or Deletions to System 
Notices in Federal Register Format
Appendix H to Part 310--Litigation Status Sheet

    Authority: Pub. L. 93-579, 88 Stat. 1896 (5 U.S.C. 552a).

Subpart A--DoD Policy


Sec.  310.1  Reissuance.

    This part consolidates into a single location (32 CFR part 310) 
Department of Defense (DoD) policies and procedures for implementing 
the Privacy Act of 1974, as amended (5 U.S.C. 552a) by authorizing the 
development, publication and maintenance of the DoD Privacy Program set 
forth by DoD Directive 5400.11 \1\ and 5400.11-R,\2\ both entitled: 
``DoD Privacy Program.''
---------------------------------------------------------------------------

    \1\ Copies may be obtained at https://www.dtic.mil/whs/
directives.
    \2\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------


Sec.  310.2  Purpose.

    This part:
    (a) Updates policies and responsibilities of the DoD Privacy 
Program under 5 U.S.C. 552a and OMB Circular A-130.
    (b) Authorizes the Defense Privacy Board, the Defense Privacy Board 
Legal Committee, and the Defense Data Integrity Board.
    (c) Continues to authorize the publication of DoD 5400.11-R.
    (d) Continues to delegate authorities and responsibilities for the 
effective administration of the DoD Privacy Program.


Sec.  310.3  Applicability and scope.

    This part:
    (a) Applies to the Office of the Secretary of Defense (OSD), the 
Military Departments, the Chairman of the Joint Chiefs of Staff, the 
Combatant Commands, the Office of the Inspector General of the 
Department of Defense (IG, DoD), the Defense Agencies, the DoD Field 
Activities, and all other organizational entities in the Department of 
Defense (hereinafter referred to collectively as ``the DoD 
Components'').
    (b) Shall be made applicable to DoD contractors who are operating a 
system of records on behalf of a DoD Component, to include any of the 
activities, such as collecting and disseminating records, associated 
with maintaining a system of records.
    (c) This part does not apply to:
    (1) Requests for information made under the Freedom of Information 
Act. They are processed in accordance with DoD 5400.7-R.\3\
---------------------------------------------------------------------------

    \3\ See footnote 1 to Sec.  310.3(c)(1).
---------------------------------------------------------------------------

    (2) Requests for information from systems of records controlled by 
the Office of Personnel Management (OPM), although maintained by a DoD 
Component. These are processed in accordance with policies established 
by OPM ``Privacy Procedures for Personnel Records'' (5 CFR 297).
    (3) Requests for personal information from the General Accounting 
Office. These are processed in accordance with DoD Directive 7650.1.\4\
---------------------------------------------------------------------------

    \4\ See footnote 1 to Sec.  310.3(c)(1).
---------------------------------------------------------------------------

    (4) Requests for personal information from Congress. These are 
processed in accordance with DoD Directive 5400.4 except those specific 
provisions in Subpart E--Disclosure of Personal Information to Other 
Agencies and Third Parties.


Sec.  310.4.  Definitions.

    (a) Access. The review of a record or a copy of a record or parts 
thereof in a system of records by any individual.
    (b) Agency. For the purposes of disclosing records subject to the 
Privacy Act among the DoD Components, the Department of Defense is a 
considered a single agency. For all other purposes to include requests 
for access and amendment, denial of access or amendment, appeals from 
denials, and record keeping as relating to release of records to non-
DoD Agencies, each DoD Component is considered an agency within the 
meaning of the Privacy Act.
    (c) Computer Matching Program. The computerized comparison of two 
or more automated systems of records or a system of records with non-
Federal records. Manual comparison of systems of records or a system of 
records with non-Federal records are not covered.
    (d) Confidential source. A person or organization who has furnished 
information to the Federal Government under an express promise, if made 
on or after September 27, 1975, that the person's or the organization's 
identity shall be held in confidence or under an implied promise of 
such confidentiality if this implied promise was made on or before 
September 26, 1975.
    (e) Disclosure. The transfer of any personal information from a 
system of records by any means of communication (such as oral, written, 
electronic, mechanical, or actual review) to any person, private 
entity, or Government Agency, other than the subject of the record, the 
subject's designated agent or the subject's legal guardian.
    (f) Federal benefit program. A program administered or funded by 
the Federal Government, or by any agent or State on behalf of the 
Federal Government, providing cash or in-kind assistance in the form of 
payments, grants, loans, or loan guarantees to individuals.
    (g) Federal personnel. Officers and employees of the Government of 
the United States, members of the uniformed services (including members 
of the Reserve Components), individuals entitled to receive immediate 
or deferred retirement benefits under any retirement program of the 
United States (including survivor benefits).
    (h) Individual. A living person who is a citizen of the United 
States or an alien lawfully admitted for permanent residence. The 
parent of a minor or the legal guardian of any individual also may act 
on behalf of an individual. Members of the United States Armed Forces 
are ``individuals.'' Corporations, partnerships, sole proprietorships, 
professional groups, businesses, whether incorporated or 
unincorporated, and other commercial entities are not ``individuals'' 
when acting in an entrepreneurial capacity with the Department of 
Defense but are ``individuals'' otherwise (e.g., security clearances, 
entitlement to DoD privileges or benefits, etc.).
    (i) Individual access. Access to information pertaining to the 
individual by the individual or his or her designated agent or legal 
guardian.
    (j) Lost, stolen, or compromised information. Actual or possible 
loss of control, unauthorized disclosure, or unauthorized access of 
personal information where persons other than authorized users gain 
access or potential access to such information for an other than 
authorized purpose where one or more individuals will be adversely 
affected. Such incidents also are known as breaches.
    (k) Maintain. To maintain, collect, use, or disseminate records 
contained in a system of records.
    (l) Non-Federal agency. Any state or local government, or agency 
thereof, which receives records contained in a system of records from a 
source agency for use in a computer matching program.
    (m) Official use. Within the context of this part, this term is 
used when officials and employees of a DoD Component have a 
demonstrated a need for the record or the information

[[Page 18760]]

contained therein in the performance of their official duties, subject 
to DoD 5200.1-R.\5\
---------------------------------------------------------------------------

    \5\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------

    (n) Personal information. Information about an individual that 
identifies, links, relates, or is unique to, or describes him or her, 
e.g., a social security number; age; military rank; civilian grade; 
marital status; race; salary; home/office phone numbers; other 
demographic, biometric, personnel, medical, and financial information, 
etc. Such information also is known as personally identifiable 
information (i.e., information which can be used to distinguish or 
trace an individual's identity, such as their name, social security 
number, date and place of birth, mother's maiden name, biometric 
records, including any other personal information which is linked or 
linkable to a specified individual).
    (o) Privacy Act request. A request from an individual for 
notification as to the existence of, access to, or amendment of records 
pertaining to that individual. These records must be maintained in a 
system of records.
    (p) Member of the public. Any individual or party acting in a 
private capacity to include Federal employees or military personnel.
    (q) Recipient agency. Any agency, or contractor thereof, receiving 
records contained in a system of records from a source agency for use 
in a computer matching program.
    (r) Record. Any item, collection, or grouping of information, 
whatever the storage media (e.g., paper, electronic, etc.), about an 
individual that is maintained by a DoD Component, including, but not 
limited to, his or her education, financial transactions, medical 
history, criminal or employment history, and that contains his or her 
name, or the identifying number, symbol, or other identifying 
particular assigned to the individual, such as a finger or voice print 
or a photograph.
    (s) Risk assessment. An analysis considering information 
sensitivity, vulnerabilities, and cost in safeguarding personal 
information processed or stored in the facility or activity.
    (t) Routine use. The disclosure of a record outside the Department 
of Defense for a use that is compatible with the purpose for which the 
information was collected and maintained by the Department of Defense. 
The routine use must be included in the published system notice for the 
system of records involved.
    (u) Source agency. Any agency which discloses records contained in 
a system of records to be used in a computer matching program, or any 
state or local government, or agency thereof, which discloses records 
to be used in a computer matching program.
    (v) Statistical record. A record maintained only for statistical 
research or reporting purposes and not used in whole or in part in 
making determinations about specific individuals.
    (w) System of records. A group of records under the control of a 
DoD Component from which personal information about an individual is 
retrieved by the name of the individual or by some other identifying 
number, symbol, or other identifying particular assigned, that is 
unique to the individual.


Sec.  310.5  Policy.

    It is DoD policy that:
    (a) The privacy of an individual is a personal and fundamental 
right that shall be respected and protected.
    (1) The Department's need to collect, maintain, use, or disseminate 
personal information about individuals for purposes of discharging its 
statutory responsibilities shall be balanced against the right of the 
individual to be protected against unwarranted invasions of their 
privacy.
    (2) The legal rights of individuals, as guaranteed by Federal law, 
regulation, and policy, shall be protected when collecting, 
maintaining, using, or disseminating personal information about 
individuals.
    (3) DoD personnel, to include contractors, have an affirmative 
responsibility to protect an individual's privacy when collecting, 
maintaining, using, or disseminating personal information about an 
individual.
    (4) Departmental legislative, regulatory, or other policy proposals 
shall be evaluated to ensure that privacy implications, including those 
relating to the collection, maintenance, use, or dissemination of 
personal information, are assessed, to include, when required and 
consistent with the Privacy Provision of the E-Government Act of 2002 
(44 U.S.C. 3501, Note), the preparation of a Privacy Impact Assessment.
    (b) Personal information shall be collected, maintained, used, or 
disclosed to ensure that:
    (1) It shall be relevant and necessary to accomplish a lawful DoD 
purpose required to be accomplished by statute or Executive order.
    (2) It shall be collected to the greatest extent practicable 
directly from the individual.
    (3) The individual shall be informed as to why the information is 
being collected, the authority for collection, what uses will be made 
of it, whether disclosure is mandatory or voluntary, and the 
consequences of not providing that information.
    (4) It shall be relevant, timely, complete, and accurate for its 
intended use; and
    (5) Appropriate administrative, technical, and physical safeguards 
shall be established, based on the media (e.g., paper, electronic, 
etc.) involved, to ensure the security of the records and to prevent 
compromise or misuse during storage, transfer, or use, including 
working at authorized alternative worksites.
    (c) No record shall be maintained on how an individual exercises 
rights guaranteed by the First Amendment to the Constitution, except as 
follows:
    (1) When specifically authorized by statute;
    (2) When expressly authorized by the individual on whom the record 
is maintained; or
    (3) When the record is pertinent to and within the scope of an 
authorized law enforcement activity.
    (d) Notices shall be published in the Federal Register and reports 
shall be submitted to Congress and the Office of Management and Budget, 
in accordance with, and as required by, 5 U.S.C. 552a, OMB Circular A-
130, and DoD 5400.11-R, as to the existence and character of any system 
of records being established or revised by the DoD Components. 
Information shall not be collected, maintained, used, or disseminated 
until the required publication and review requirements, as set forth in 
5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, are satisfied.
    (e) Individuals shall be permitted, to the extent authorized by 5 
U.S.C. 552a and DoD 5400.11-R, to:
    (1) Determine what records pertaining to them are contained in a 
system of records.
    (2) Gain access to such records and obtain a copy of those records 
or a part thereof.
    (3) Correct or amend such records once it has been determined that 
the records are not accurate, relevant, timely, or complete.
    (4) Appeal a denial of access or a request for amendment.
    (f) Disclosure of records pertaining to an individual from a system 
of records shall be prohibited except with the consent of the 
individual or as otherwise authorized by 5 U.S.C. 552a, DoD 5400.11-R, 
and DoD 5400.7-R. When disclosures are made, the individual shall be 
permitted, to the

[[Page 18761]]

extent authorized by references 5 U.S.C. 552a and/or DoD 5400.11-R, to 
seek an accounting of such disclosures from the DoD Component making 
the release.
    (g) Disclosure of records pertaining to personnel of the National 
Security Agency, the Defense Intelligence Agency, the National 
Reconnaissance Office, and the National Geospatial-Intelligence Agency 
shall be prohibited to the extent authorized by Public Law 86-36 (1959) 
and 10 U.S.C. 424. Disclosure of records pertaining to personnel of 
overseas, sensitive, or routinely deployable units shall be prohibited 
to the extent authorized by 10 U.S.C. 130b. Disclosure of medical 
records is prohibited except as authorized by DoD 6025.18-R.\6\
---------------------------------------------------------------------------

    \6\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------

    (h) Computer matching programs between the DoD Components and the 
Federal, State, or local governmental agencies shall be conducted in 
accordance with the requirements of 5 U.S.C. 552a, OMB Circular A-130, 
and DoD 5400.11-R.
    (i) DoD personnel and system managers shall conduct themselves 
consistent with established rules of conduct 310.8 so that personal 
information to be stored in a system of records only shall be 
collected, maintained, used, and disseminated as is authorized by this 
part, 5 U.S.C. 552a and DoD 5400.11-R.
    (j) DoD personnel, including but not limited to family members, 
retirees, contractor employees, and volunteers, shall be notified, in a 
timely manner, consistent with the requirements of DoD 5400.11-R, if 
their personal information, whether or not included in a system of 
records, is lost, stolen, or compromised.
    (k) DoD Field Activities shall receive Privacy Program support from 
the Director, Washington Headquarters Services.


Sec.  310.6  Responsibilities.

    (a) The Director of Administration and Management, Office of the 
Secretary of Defense, shall:
    (1) Serve as the Senior Privacy Official for the Department of 
Defense.
    (2) Provide policy guidance for, and coordinate and oversee 
administration of, the DoD Privacy Program to ensure compliance with 
policies and procedures in 5 U.S.C. 552a and OMB Circular A-130.
    (3) Publish DoD 5400.11-R and other guidance, including Defense 
Privacy Board Advisory Opinions, to ensure timely and uniform 
implementation of the DoD Privacy Program.
    (4) Serve as the Chair to the Defense Privacy Board and the Defense 
Data Integrity Board (see Sec.  310.9).
    (5) Supervise and oversee the activities of the Defense Privacy 
Office (see Sec.  310.9).
    (b) The Director, WHS, under the DA&M, shall provide Privacy 
Program support for DoD Field Activities.
    (c) The General Counsel of the Department of Defense shall:
    (1) Provide advice and assistance on all legal matters arising out 
of, or incident to, the administration of the DoD Privacy Program.
    (2) Review and be the final approval authority on all advisory 
opinions issued by the Defense Privacy Board or the Defense Privacy 
Board Legal Committee.
    (3) Serve as a member of the Defense Privacy Board, the Defense 
Data Integrity Board, and the Defense Privacy Board Legal Committee 
(310.9).
    (d) The Secretaries of the Military Departments and the Heads of 
the Other DoD Components, except as noted in Sec.  310.5(k), shall:
    (1) Provide adequate funding and personnel to establish and support 
an effective DoD Privacy Program, to include the appointment of a 
senior official to serve as the principal point of contact (POC) for 
DoD Privacy Program matters.
    (2) Establish procedures, as well as rules of conduct, necessary to 
implement this part and DoD 5400.11-R to ensure compliance with the 
requirements of 5 U.S.C. 552a and OMB Circular A-130.
    (3) Conduct training, consistent with the requirements of DoD 
5400.11-R, on the provisions of this part, 5 U.S.C. 552a, OMB Circular 
A-130, and DoD 5400.11-R, for assigned, employed and detailed, to 
include contractor, personnel and individuals having primary 
responsibility for implementing the DoD Privacy Program.
    (4) Ensure all Component legislative proposals, policies, or 
programs having privacy implications, such as the DoD Privacy Impact 
Assessment Program, are evaluated to ensure consistency with the 
information privacy principles of this part and DoD 5400.11-R.
    (5) Assess the impact of technology on the privacy of personal 
information and, when feasible, adopt privacy-enhancing technology both 
to preserve and protect personal information contained in Component 
systems of records and to permit auditing of compliance with the 
requirements of this part and DoD 5400.11-R.
    (6) Ensure the DoD Privacy Program periodically shall be reviewed 
by the Inspectors General or other officials, who shall have 
specialized knowledge of the DoD Privacy Program.
    (7) Submit reports, consistent with the requirements of DoD 
5400.11-R, as mandated by 5 U.S.C. 552a and OMB Circular A-130, and DoD 
Directive 5500.1, and as otherwise directed by the DPO.
    (e) The Secretaries of the Military Departments shall provide 
support to the Combatant Commands, as identified in DoD Directive 
5100.3,\7\ in the administration of the DoD Privacy Program.
---------------------------------------------------------------------------

    \7\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------


Sec.  310.7  Information requirements.

    The reporting requirements in Sec.  310.6(d)(7) are assigned Report 
Control Symbol DD-DA&M(A)1379.


Sec.  310.8  Rules of conduct.

    (a) DoD personnel shall:
    (1) Take such actions, as considered appropriate, to ensure that 
personal information contained in a system of records, to which they 
have access to or are using incident to the conduct of official 
business, shall be protected so that the security and confidentiality 
of the information shall be preserved.
    (2) Not disclose any personal information contained in any system 
of records except as authorized by DoD 5400.11-R or other applicable 
law or regulation. Personnel willfully making such a disclosure when 
knowing that disclosure is prohibited are subject to possible criminal 
penalties and/or administrative sanctions.
    (3) Report any unauthorized disclosures of personal information 
from a system of records or the maintenance of any system of records 
that are not authorized by this part to the applicable Privacy POC for 
his or her DoD Component.
    (b) DoD System Managers for each system of records shall:
    (1) Ensure that all personnel who either shall have access to the 
system of records or who shall develop or supervise procedures for 
handling records in the system of records shall be aware of their 
responsibilities and are properly trained to safeguard personal 
information being collected and maintained under the DoD Privacy 
Program.
    (2) Prepare promptly any required new, amended, or altered system 
notices for the system of records and submit them through their DoD 
Component Privacy POC to the DPO for publication in the Federal 
Register.
    (3) Not maintain any official files on individuals which are 
retrieved by name or other personal identifier without first

[[Page 18762]]

ensuring that a notice for the system of records shall have been 
published in the Federal Register. Any official who willfully maintains 
a system of records without meeting the publication requirements, as 
prescribed by 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, is 
subject to possible criminal penalties and/or administrative sanctions.


Sec.  310.9  Privacy boards and office, composition and 
responsibilities.

    (a) The Defense Privacy Board--(1) Membership. The Board shall 
consist of the DA&M, OSD, who shall serve as the Chair; the Director of 
the DPO, DA&M, who shall serve as the Executive Secretary and as a 
member; the representatives designated by the Secretaries of the 
Military Departments; and the following officials or their designees: 
the Deputy Under Secretary of Defense for Program Integration 
(DUSD(PI)); the Assistant Secretary of Defense for Health Affairs; the 
Assistant Secretary of Defense for Networks and Information Integration 
(ASD) (NII)/Chief Information Officer (CIO); the Director, Executive 
Services and Communications Directorate, WHS; the GC, DoD; and the 
Director for Information Technology Management Directorate (ITMD), WHS. 
The designees also may be the principal POC for the DoD Component for 
privacy matters.
    (2) Responsibilities. (i) The Board shall have oversight 
responsibility for implementation of the DoD Privacy Program. It shall 
ensure the policies, practices, and procedures of that Program are 
premised on the requirements of 5 U.S.C. 552a and OMB Circular A-130, 
as well as other pertinent authority, and the Privacy Programs of the 
DoD Component are consistent with, and in furtherance of, the DoD 
Privacy Program.
    (ii) The Board shall serve as the primary DoD policy forum for 
matters involving the DoD Privacy Program, meeting as necessary, to 
address issues of common concern so as to ensure uniform and consistent 
policy shall be adopted and followed by the DoD Components. The Board 
shall issue advisory opinions as necessary on the DoD Privacy Program 
so as to promote uniform and consistent application of 5 U.S.C. 552a, 
OMB Circular A-130, and DoD 5400.11-R.
    (iii) Perform such other duties as determined by the Chair or the 
Board.
    (b) The Defense Data Integrity Board--(1) Membership. The Board 
shall consist of the DA&M, OSD, who shall serve as the Chair; the 
Director of the DPO, DA&M, who shall serve as the Executive Secretary; 
and the following officials or their designees: the representatives 
designated by the Secretaries of the Military Departments; the 
DUSD(PI); the (ASD) (NII)/CIO; the GC, DoD; the Inspector General, DoD; 
the ITMD, WHS; and the Director, Defense Manpower Data Center. The 
designees also may be the principal points of contact for the DoD 
Component for privacy matters.
    (2) Responsibilities. (i) The Board shall oversee and coordinate, 
consistent with the requirements of 5 U.S.C. 552a, OMB Circular A-130, 
and DoD 5400.11-R, all computer matching programs involving personal 
records contained in system of records maintained by the DoD 
Components.
    (ii) The Board shall review and approve all computer matching 
agreements between the Department of Defense and the other Federal, 
State or local governmental agencies, as well as memoranda of 
understanding when the match is internal to the Department of Defense, 
to ensure, under 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, 
appropriate procedural and due process requirements shall have been 
established before engaging in computer matching activities.
    (c) The Defense Privacy Board Legal Committee--(1) Membership. The 
Committee shall consist of the Director, DPO, DA&M, who shall serve as 
the Chair and the Executive Secretary; the GC, DoD, or designee; and 
civilian and/or military counsel from each of the DoD Components. The 
General Counsels (GCs) and The Judge Advocates General of the Military 
Departments shall determine who shall provide representation for their 
respective Department to the Committee. This does not preclude 
representation from each office. The GCs of the other DoD Components 
shall provide legal representation to the Committee. Other DoD civilian 
or military counsel may be appointed by the Executive Secretary, after 
coordination with the DoD Component concerned, to serve on the 
Committee on those occasions when specialized knowledge or expertise 
shall be required.
    (2) Responsibilities. (i) The Committee shall serve as the primary 
legal forum for addressing and resolving all legal issues arising out 
of or incident to the operation of the DoD Privacy Program.
    (ii) The Committee shall consider legal questions regarding the 
applicability of 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R 
and questions arising out of or as a result of other statutory and 
regulatory authority, to include the impact of judicial decisions, on 
the DoD Privacy Program. The Committee shall provide advisory opinions 
to the Defense Privacy Board and, on request, to the DoD Components.
    (d) The DPO--(1) Membership. It shall consist of a Director and a 
staff. The Director also shall serve as the Executive Secretary and a 
member of the Defense Privacy Board; as the Executive Secretary to the 
Defense Data Integrity Board; and as the Chair and the Executive 
Secretary to the Defense Privacy Board Legal Committee.
    (2) Responsibilities. (i) Manage activities in support of the 
Privacy Program oversight responsibilities of the DA&M.
    (ii) Provide operational and administrative support to the Defense 
Privacy Board, the Defense Data Integrity Board, and the Defense 
Privacy Board Legal Committee.
    (iii) Direct the day-to-day activities of the DoD Privacy Program.
    (iv) Provide guidance and assistance to the DoD Components in their 
implementation and execution of the DoD Privacy Program.
    (v) Review DoD legislative, regulatory, and other policy proposals 
which implicate information privacy issues relating to the Department's 
collection, maintenance, use, or dissemination of personal information, 
to include any testimony and comments having such implications under 
DoD Directive 5500.1.
    (vi) Review proposed new, altered, and amended systems of records, 
to include submission of required notices for publication in the 
Federal Register and, when required, providing advance notification to 
the OMB and the Congress, consistent with 5 U.S.C. 552a, OMB Circular 
A-130, and DoD 5400.11-R.
    (vii) Review proposed DoD Component privacy rulemaking, to include 
submission of the rule to the Office of the Federal Register for 
publication and providing to the OMB and the Congress reports, 
consistent with 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R.
    (viii) Develop, coordinate, and maintain all DoD computer matching 
agreements, to include the submission of required match notices for 
publication in the Federal Register and the provision of advance 
notification to the OMB and the Congress, consistent with 5 U.S.C. 
552a, OMB Circular A-130, and DoD 5400.11-R.
    (ix) Provide advice and support to the DoD Components to ensure:
    (A) All information requirements developed to collect or maintain 
personal data conform to DoD Privacy Program standards;

[[Page 18763]]

    (B) Appropriate procedures and safeguards shall be developed, 
implemented, and maintained to protect personal information when it is 
stored in either a manual and/or automated system of records or 
transferred by electronic or non-electronic means; and
    (C) Specific procedures and safeguards shall be developed and 
implemented when personal data is collected and maintained for research 
purposes.
    (x) Serve as the principal POC for coordination of privacy and 
related matters with the OMB and other Federal, State, and local 
governmental agencies.
    (xi) Compile and submit the ``Biennial Matching Activity Report'' 
to the OMB as required by OMB Circular A-130 and DoD 5400.11-R, and the 
Quarterly and Annual Federal Information Security Management Agency 
(FISMA) Privacy Reports, as required by 44 U.S.C. 3544(c), such other 
reports as may be required.
    (xii) Update and maintain this part and DoD 5400.11-R.

Subpart B--Systems of Records


Sec.  310.10  General.

    (a) System of Records. To be subject to the provisions of this 
part, a ``system of records'' must:
    (1) Consist of ``records'' (as defined in 310.4(r)) that are 
retrieved by the name of an individual or some other personal 
identifier; and
    (2) Be under the control of a DoD Component.
    (b) Retrieval practices. (1) Records in a group of records that MAY 
be retrieved by a name or personal identifier are not covered by this 
part even if the records contain personal data and are under control of 
a DoD Component. The records MUST be retrieved by name or other 
personal identifier to become a system of records for the purpose of 
this part.
    (i) When records are contained in an automated (Information 
Technology) system that is capable of being manipulated to retrieve 
information about an individual, this does not automatically transform 
the system into a system of records as defined in this part.
    (ii) In determining whether an automated system is a system of 
records that is subject to this part, retrieval policies and practices 
shall be evaluated. If DoD Component policy is to retrieve personal 
information by the name or other unique personal identifier, it is a 
system of records. If DoD Component policy prohibits retrieval by name 
or other identifier, but the actual practice of the Component is to 
retrieve information by name or identifier, even if done infrequently, 
it is a system of records.
    (2) If records are retrieved by name or personal identifier, a 
system notice must be submitted in accordance with Sec.  310.33.
    (3) If records are not retrieved by name or personal identifier but 
then are rearranged in such a manner that they are retrieved by name or 
personal identifier, a new systems notice must be submitted in 
accordance with Sec.  310.33.
    (4) If records in a system of records are rearranged so that 
retrieval is no longer by name or other personal identifier, the 
records are no longer subject to this part and the system notice for 
the records shall be deleted in accordance with Sec.  310.34.
    (c) Relevance and necessity. Information or records about an 
individual shall only be maintained in a system of records that is 
relevant and necessary to accomplish a DoD Component purpose required 
by a Federal statute or an Executive Order.
    (d) Authority to establish systems of records. Identify the 
specific statute or the Executive Order that authorizes maintaining 
personal information in each system of records. The existence of a 
statute or Executive Order mandating the maintenance of a system of 
records does not abrogate the responsibility to ensure that the 
information in the system of records is relevant and necessary. If a 
statute or Executive Order does not expressly direct the creation of a 
system of records, but the establishment of a system of records is 
necessary in order to discharge the requirements of the statute or 
Executive Order, the statute or Executive Order shall be cited as 
authority.
    (e) Exercise of First Amendment rights. (1) Do not maintain any 
records describing how an individual exercises his or her rights 
guaranteed by the First Amendment of the U.S. Constitution except when:
    (i) Expressly authorized by Federal statute;
    (ii) Expressly authorized by the individual; or
    (iii) Maintenance of the information is pertinent to and within the 
scope of an authorized law enforcement activity.
    (2) First Amendment rights include, but are not limited to, freedom 
of religion, freedom of political beliefs, freedom of speech, freedom 
of the press, the right to assemble, and the right to petition.
    (f) System Manager's evaluation. (1) Evaluate the information to be 
included in each new system before establishing the system and evaluate 
periodically the information contained in each existing system of 
records for relevancy and necessity. Such a review shall also occur 
when a system notice alteration or amendment is prepared (see Sec.  
310.33 and Sec.  310.34).
    (2) Consider the following:
    (i) The relationship of each item of information retained and 
collected to the purpose for which the system is maintained;
    (ii) The specific impact on the purpose or mission of not 
collecting each category of information contained in the system;
    (iii) The possibility of meeting the informational requirements 
through use of information not individually identifiable or through 
other techniques, such as sampling;
    (iv) The length of time each item of personal information must be 
retained;
    (v) The cost of maintaining the information; and
    (vi) The necessity and relevancy of the information to the purpose 
for which it was collected.
    (g) Discontinued information requirements. (1) Stop collecting 
immediately any category or item of personal information for which 
retention is no longer justified. Also delete this information from 
existing records, when feasible.
    (2) Do not destroy any records that must be retained in accordance 
with disposal authorizations established under 44 U.S.C. 3303a, 
Examination by Archivist of Lists and Schedules of Records Lacking 
Preservation Value; Disposal of Records.''


Sec.  310.11  Standards of accuracy.

    (a) Accuracy of information maintained. Maintain all personal 
information used or may be used to make any determination about an 
individual with such accuracy, relevance, timeliness, and completeness 
as is reasonably necessary to ensure fairness to the individual in 
making any such determination.
    (b) Accuracy determinations before dissemination. Before 
disseminating any personal information from a system of records to any 
person outside the Department of Defense, other than a Federal Agency, 
make reasonable efforts to ensure the information to be disclosed is 
accurate, relevant, timely, and complete for the purpose it is being 
maintained (see Sec.  310.21(d)).


Sec.  310.12  Government contractors.

    (a) Applicability to government contractors. (1) When a DoD 
Component contract requires the operation or maintenance of a system of 
records or a portion of a system of records or

[[Page 18764]]

requires the performance of any activities associated with maintaining 
a system of records, including the collection, use, and dissemination 
of records, the record system or the portion of the record system 
affected are considered to be maintained by the DoD Component and are 
subject to this part. The Component is responsible for applying the 
requirements of this part to the contractor. The contractor and its 
employees are to be considered employees of the DoD Component for 
purposes of the criminal provisions of 5 U.S.C 552a(i) during the 
performance of the contract. Consistent with the Federal Acquisition 
Regulation (FAR), Part 24.1, contracts requiring the maintenance or 
operation of a system of records or the portion of a system of records 
shall include in the solicitation and resulting contract such terms as 
are prescribed by the FAR.
    (2) If the contractor must use, have access to, or disseminate 
individually identifiable information subject to this part in order to 
perform any part of a contract, and the information would have been 
collected, maintained, used, or disseminated by the DoD Component but 
for the award of the contract, these contractor activities are subject 
to this part.
    (3) The restriction in paragraphs (a)(1) and (2) of this section do 
not apply to records:
    (i) Established and maintained to assist in making internal 
contractor management decisions, such as records maintained by the 
contractor for use in managing the contract;
    (ii) Maintained as internal contractor employee records even when 
used in conjunction with providing goods and services to the Department 
of Defense; or
    (iii) Maintained as training records by an educational organization 
contracted by a DoD Component to provide training when the records of 
the contract students are similar to and commingled with training 
records of other students (for example, admission forms, transcripts, 
academic counseling and similar records).
    (iv) Maintained by a consumer reporting agency to which records 
have been disclosed under contract in accordance with the Federal 
Claims Collection Act of 1966, 31 U.S.C. 3711(e).
    (v) Maintained by the contractor incident to normal business 
practices and operations.
    (4) The DoD Components shall publish instructions that:
    (i) Furnish DoD Privacy Program guidance to their personnel who 
solicit, award, or administer Government contracts;
    (ii) Inform prospective contractors of their responsibilities, and 
provide training as appropriate, regarding the DoD Privacy Program; and
    (iii) Establish an internal system of contractor performance review 
to ensure compliance with the DoD Privacy Program.
    (b) Contracting procedures. The Defense Acquisition Regulations 
Council shall develop the specific policies and procedures to be 
followed when soliciting bids, awarding contracts or administering 
contracts that are subject to this part.
    (c) Contractor compliance. Through the various contract 
surveillance programs, ensure contractors comply with the procedures 
established in accordance with Sec.  310.12(b).
    (d) Disclosure of records to contractors. Disclosure of records 
contained in a system of records by a DoD Component to a contractor for 
use in the performance of a DoD contract is considered a disclosure 
within the Department of Defense (see Sec.  310.21(b)). The contractor 
is considered the agent of the contracting DoD Component and to be 
maintaining and receiving the records for that Component.


Sec.  310.13  Safeguarding personal information.

    (a) General responsibilities. DoD Components shall establish 
appropriate administrative, technical and physical safeguards to ensure 
that the records in each system of records are protected from 
unauthorized access, alteration, or disclosure and that their 
confidentiality is preserved and protected. Records shall be protected 
against reasonably anticipated threats or hazards that could result in 
substantial harm, embarrassment, inconvenience, or unfairness to any 
individual about whom information is kept.
    (b) Minimum standards. (1) Tailor system safeguards to conform to 
the type of records in the system, the sensitivity of the personal 
information stored, the storage medium used and, to a degree, the 
number of records maintained.
    (2) Treat all unclassified records that contain personal 
information that normally would be withheld from the public under 
Freedom of Information Exemption Numbers 6 and 7 of 286.12, subpart C 
of 32 CFR part 286 (``DoD Freedom of Information Act Program'') as 
``For Official Use Only,'' and safeguard them accordingly, in 
accordance with DoD 5200.1-R even if they are not actually marked ``For 
Official Use Only.''
    (3) Personal information that does not meet the criteria discussed 
in paragraph (b)(2) of this section shall be accorded protection 
commensurate with the nature and type of information involved.
    (4) Special administrative, physical, and technical procedures are 
required to protect data that is stored or processed in an information 
technology system to protect against threats unique to an automated 
environment (see Appendix A).
    (5) Tailor safeguards specifically to the vulnerabilities of the 
system.
    (c) Records disposal. (1) Dispose of records containing personal 
data so as to prevent inadvertent compromise. Disposal methods are 
those approved by the Component or the National Institute of Standards 
and Technology. For paper records, disposal methods, such as tearing, 
burning, melting, chemical decomposition, pulping, pulverizing, 
shredding, or mutilation are acceptable. For electronic records, and 
media, disposal methods, such as overwriting, degaussing, 
disintegration, pulverization, burning, melting, incineration, 
shredding or sanding, are acceptable.
    (2) Disposal methods are considered adequate if the personal data 
is rendered unrecognizable or beyond reconstruction.


Sec.  310.14  Notification when information is lost, stolen, or 
compromised.

    (a) If records containing personal information are lost, stolen, or 
compromised, the potential exists that the records may be used for 
unlawful purposes, such as identity theft, fraud, stalking, etc. The 
personal impact on the affected individual may be severe if the records 
are misused. To assist the individual, the Component shall promptly 
notify the individual of any loss, theft, or compromise (See also, 
Sec.  310.50 for reporting of the breach to Senior Component Official 
for Privacy and the Defense Privacy Office).
    (1) The notification shall be made whenever a breach occurs that 
involves personal information pertaining to a service member, civilian 
employee (appropriated or non-appropriated fund), military retiree, 
family member, DoD contractor, other persons that are affiliated with 
the Component (e.g., volunteer), and/or any other member of the public 
on whom information is maintained by the Component or by a contractor 
on behalf of the Component.
    (2) The notification shall be made as soon as possible, but not 
later than 10 working days after the loss, theft, or compromise is 
discovered and the identities of the individuals ascertained.

[[Page 18765]]

    (i) The 10 day period begins to run after the Component is able to 
determine the identities of the individuals whose records were lost.
    (ii) If the Component is only able to identify some but not all of 
the affected individuals, notification shall be given to those that can 
be identified with follow-up notifications made to those subsequently 
identified.
    (iii) If the Component cannot readily identify the affected 
individuals or will not be able to identify the individuals, the 
Component shall provide a generalized notice to the potentially 
impacted population by whatever means the Component believes is most 
likely to reach the affected individuals.
    (3) When personal information is maintained by a DoD contractor on 
behalf of the Component, the contractor shall notify the Component 
immediately upon discovery that a loss, theft or compromise has 
occurred.
    (i) The Component shall determine whether the Component or the 
contractor shall make the required notification.
    (ii) If the contractor is to notify the impacted population, it 
shall submit the notification letters to the Component for review and 
approval. The Component shall coordinate with the Contractor to ensure 
the letters meet the requirements of Sec.  310.14.
    (4) Subject to paragraph (a)(2) of this section, the Component 
shall inform the Deputy Secretary of Defense of the reasons why notice 
was not provided to the individuals or the affected population within 
the 10-day period.
    (i) If for good cause (e.g., law enforcement authorities request 
delayed notification as immediate notification will jeopardize 
investigative efforts), notice can be delayed, but the delay shall only 
be for a reasonable period of time. In determining what constitutes a 
reasonable period of delay, the potential harm to the individual must 
be weighed against the necessity for delayed notification.
    (ii) The required notification shall be prepared and forwarded to 
the Senior Component Official for Privacy who shall forward it to the 
Defense Privacy Office. The Defense Privacy Office, in coordination 
with the Office of the Under Secretary of Defense for Personnel and 
Readiness, shall forward the notice to the Deputy Secretary.
    (5) The notice to the individual, at a minimum, shall include the 
following:
    (i) The individuals shall be advised of what specific data was 
involved. It is insufficient to simply state that personal information 
has been lost. Where names, social security numbers, and dates of birth 
are involved, it is critical that the individual be advised that these 
data elements potentially have been compromised.
    (ii) The individual shall be informed of the facts and 
circumstances surrounding the loss, theft, or compromise. The 
description of the loss should be sufficiently detailed so that the 
individual clearly understands how the compromise occurred.
    (iii) The individual shall be informed of what protective actions 
the Component is taking or the individual can take to mitigate against 
potential future harm. The Component should refer the individual to the 
Federal Trade Commission's public Web site on identity theft at https://
www.consumer.gov/idtheft/con_steps.htm. The site provides valuable 
information as to what steps individuals can take to protect themselves 
if their identities potentially have been or are stolen.
    (iv) A sample notification letter is at Appendix B.
    (b) The notification shall be made whether or not the personal 
information is contained in a system of records (See Sec.  310.10(a)).

Subpart C--Collecting Personal Information


Sec.  310.15  General considerations.

    (a) Collect directly from the individual. Collect to the greatest 
extent practicable personal information directly from the individual to 
whom it pertains if the information may result in adverse determination 
about an individual's rights, privileges, or benefits under any Federal 
program.
    (b) Collecting social security numbers (SSNs). (1) It is unlawful 
for any Federal, State, or local governmental agency to deny an 
individual any right, benefit, or privilege provided by law because the 
individual refuses to provide his or her SSN. However, if a Federal 
statute requires the SSN be furnished or if the SSN is furnished to a 
DoD Component maintaining a system of records in existence that was 
established and in operation before January 1, 1975, and the SSN was 
required under a statute or regulation adopted prior to this date for 
purposes of verifying the identity of an individual, this restriction 
does not apply.
    (2) When an individual is requested to provide his or her SSN, he 
or she must be told:
    (i) What uses will be made of the SSN;
    (ii) The statute, regulation, or rule authorizing the solicitation 
of the SSN; and
    (iii) Whether providing the SSN is voluntary or mandatory.
    (3) Include in any systems notice for any system of records that 
contains SSNs a statement indicating the authority for maintaining the 
SSN.
    (4) E.O. 9397,''Numbering System for Federal Accounts Relating to 
Individual Persons'', November 30, 1943, authorizes solicitation and 
use of SSNs as a numerical identifier for Federal personnel that are 
identified in most Federal record systems. However, it does not 
constitute authority for mandatory disclosure of the SSN.
    (5) Upon entrance into military service or civilian employment with 
the Department of Defense, individuals are asked to provide their SSNs. 
The SSN becomes the service or employment number for the individual and 
is used to establish personnel, financial, medical, and other official 
records. The notification in paragraph (b)(2) of this section shall be 
provided the individual when originally soliciting his or her SSN. The 
notification is not required if an individual is requested to furnish 
his SSN for identification purposes and the SSN is solely used to 
verify the SSN that is contained in the records. However, if the SSN is 
solicited and retained for any purposes other than verifying the 
existing SSN in the records, the requesting official shall provide the 
individual the notification required by paragraph (b)(2) of this 
section.
    (6) Components shall ensure that the SSN is only collected when 
there is a demonstrated need for collection. If collection is not 
essential for the purposes for which the record or records are being 
maintained, it should not be solicited.
    (7) DoD Components shall continually review their use of the SSN to 
determine whether such use can be eliminated, restricted, or concealed 
in Component business processes, systems and paper and electronic 
forms. While use of the SSN may be essential for program integrity and 
national security when information about an individual is disclosed 
outside the DoD, it may not be as critical when the information is 
being used for internal Departmental purposes.
    (c) Collecting personal information from third parties. When 
information being solicited is of an objective nature and is not 
subject to being altered, the information should first be collected 
from the individual. But it may not be practicable to collect personal 
information first from the individual in all cases. Some examples of 
this are:
    (1) Verification of information through third-party sources for 
security

[[Page 18766]]

or employment suitability determinations;
    (2) Seeking third-party opinions such as supervisor comments as to 
job knowledge, duty performance, or other opinion-type evaluations;
    (3) When obtaining information first from the individual may impede 
rather than advance an investigative inquiry into the actions of the 
individual; and
    (4) Contacting a third party at the request of the individual to 
furnish certain information such as exact periods of employment, 
termination dates, copies of records, or similar information.
    (d) Privacy Act Statements. (1) When an individual is requested to 
furnish personal information about himself or herself for inclusion in 
a system of records, a Privacy Act Statement is required regardless of 
the medium used to collect the information (forms, personal interviews, 
telephonic interviews, or other methods). The Privacy Act Statement 
consists of the elements set forth in paragraph (d)(2)of this section. 
The statement enables the individual to make an informed decision 
whether to provide the information requested. If the personal 
information solicited is not to be incorporated into a system of 
records, the statement need not be given. However, personal information 
obtained without a Privacy Act Statement shall not be incorporated into 
any system of records. When soliciting SSNs for any purpose, see 
paragraph (b)(2) of this section.
    (2) The Privacy Act Statement shall include:
    (i) The Federal statute or Executive Order that authorizes 
collection of the requested information (See Sec.  310.10(d)).
    (ii) The principal purpose or purposes for which the information is 
to be used;
    (iii) The routine uses that will be made of the information (See 
Sec.  310.22(d));
    (iv) Whether providing the information is voluntary or mandatory 
(See paragraph (e) of this section); and
    (v) The effects on the individual if he or she chooses not to 
provide the requested information.
    (3) The Privacy Act Statement shall be concise, current, and easily 
understood.
    (4) The Privacy Act statement may appear as a public notice (sign 
or poster), conspicuously displayed in the area where the information 
is collected, such as at check-cashing facilities or identification 
photograph facilities (but see Sec.  310.16(a)).
    (5) The individual normally is not required to sign the Privacy Act 
Statement.
    (6) The individual shall be provided a written copy of the Privacy 
Act Statement upon request. This must be done regardless of the method 
chosen to furnish the initial advisement.
    (e) Mandatory as opposed to voluntary disclosures. Include in the 
Privacy Act Statement specifically whether furnishing the requested 
personal data is mandatory or voluntary. A requirement to furnish 
personal data is mandatory only when the DoD Component is authorized to 
impose a penalty on the individual for failure to provide the requested 
information. If a penalty cannot be imposed, disclosing the information 
is always voluntary.


Sec.  310.16  Forms.

    (a) DoD Forms. (1) DoD Instruction 7750.7 \8\ provides guidance for 
preparing Privacy Act Statements for use with forms (see also paragraph 
(b) of this section).
---------------------------------------------------------------------------

    \8\ See footnote 1 to Sec.  310.1.
---------------------------------------------------------------------------

    (2) When forms are used to collect personal information, the 
Privacy Act Statement shall appear as follows (listed in the order of 
preference):
    (i) In the body of the form, preferably just below the title so 
that the reader will be advised of the contents of the statement before 
he or she begins to complete the form;
    (ii) On the reverse side of the form with an appropriate annotation 
under the title giving its location;
    (iii) On a tear-off sheet attached to the form; or
    (iv) As a separate supplement to the form.
    (b) Forms issued by non-DoD activities. (1) Forms subject to the 
Privacy Act issued by other Federal Agencies must have a Privacy Act 
Statement. Always ensure the statement prepared by the originating 
Agency is adequate for the purpose for which the form shall be used by 
the DoD activity. If the Privacy Act Statement provided is inadequate, 
the DoD Component concerned shall prepare a new statement or a 
supplement to the existing statement before using the form.
    (2) Forms issued by agencies not subject to the Privacy Act (State, 
municipal, and other local agencies) do not contain Privacy Act 
Statements. Before using a form prepared by such agencies to collect 
personal data subject to this part, an appropriate Privacy Act 
Statement must be added.

Subpart D--Access by Individuals


Sec.  310.17  Individual access to personal information.

    (a) Individual access. (1) The access provisions of this part are 
intended for use by individuals who seek access to records about 
themselves that are maintained in a system of records. Release of 
personal information to individuals under this part is not considered 
public release of the information.
    (2) Make available to the individual to whom the record pertains 
all of the personal information contained in the system of records 
except where access may be denied pursuant to an exemption claimed for 
the system (see subpart F to this part). However, when the access 
provisions of this subpart are not available to the individual due to a 
claimed exemption, the request shall be processed to provide 
information that is disclosable pursuant to the DoD Freedom of 
Information Act program (see 32 CFR, part 286).
    (b) Individual requests for access. Individuals shall address 
requests for access to personal information in a system of records to 
the system manager or to the office designated in the DoD Component 
procedural rules or the system notice.
    (c) Verification of identity. (1) Before granting access to 
personal data, an individual may be required to provide reasonable 
proof of his or her identity.
    (2) Identity verification procedures shall not:
    (i) Be so complicated as to discourage unnecessarily individuals 
from seeking access to information about themselves; or
    (ii) Be required of an individual seeking access to records that 
normally would be available under the DoD Freedom of Information Act 
Program (see 32 CFR, part 286).
    (iii) When an individual seeks personal access to records 
pertaining to themselves in person, proof of identity is normally 
provided by documents that an individual ordinarily possesses, such as 
employee and military identification cards, driver's license, other 
licenses, permits or passes used for routine identification purposes.
    (iv) When access is requested by mail, identity verification may 
consist of the individual providing certain minimum identifying data, 
such as full name, date and place of birth, o