the principal POC for the DoD Component for privacy matters. (2) Responsibilities. (i) The Board shall oversee and coordinate, consistent with the requirements of 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, all computer matching programs involving personal records contained in system of records maintained by the DoD Components. (ii) The Board shall review and approve all computer matching agreements between the Department of Defense and the other Federal, State or local governmental agencies, as well as memoranda of understanding when the match is internal to the Department of Defense, to ensure that, under 5 U.S.C. 552a, and OMB Circular A-130 and DoD 5400.11-R, appropriate procedural and due process requirements shall have been established before engaging in computer matching activities. (c) The Defense Privacy Board Legal Committee.-(1) Membership. The Committee shall consist of the Director, Defense Privacy Office, WHS, who shall serve as the Chair and the Executive Secretary; the GC, DoD, or designee; and civilian and/or military counsel from each of the DoD Components. The General Counsels (GCs) and The Judge Advocates General of the Military Departments shall determine who shall provide representation for their respective Department to the Committee. That does not preclude representation from each office. The GCs of the other DoD Components shall provide legal representation to the Committee. Other DoD civilian or military counsel may be appointed by the Executive Secretary, after coordination with the DoD Component concerned, to serve on the Committee on those occasions when specialized knowledge or expertise shall be required. (2) Responsibilities. (i) The Committee shall serve as the primary legal forum for addressing and resolving all legal issues arising out of or incident to the operation of the DoD Privacy Program. (ii) The Committee shall consider legal questions regarding the applicability of 5 U.S.C. 552a, OMB Circular A130, and DoD 5400.11-R and questions arising out of or as a result of other statutory and regulatory authority, to include the impact of judicial deci sions, on the DoD Privacy Program. The Committee shall provide advisory opinions to the Defense Privacy Board and, on request, to the DoD Components. (c) The Defense Privacy Office.-(1) Membership. It shall consist of a Director and a staff. The Director also shall serve as the Executive Secretary and a member of the Defense Privacy Board; as the Executive Secretary to the Defense Data Integrity Board; and as the Chair and the Executive Secretary to the Defense Privacy Board Legal Committee. (2) Responsibilities. (i) Manage activities in support of the Privacy Program oversight responsibilities of the DA&M (ii) Provide operational and administrative support to the Defense Privacy Board, the Defense Data Integrity Board, and the Defense Privacy Board Legal Committee. (iii) Direct the day-to-day activities of the DoD Privacy Program. (iv) Provide guidance and assistance to the DoD Components in their implementation and execution of the DoD Privacy Program. (v) Review proposed new, altered, and amended systems of records, to include submission of required notices for publication in the FEDERAL REGISTER and, when required, providing advance notification to the Office of Management and Budget (OMB) and the Congress, consistent with 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R. (vi) Review proposed DoD Component privacy rulemaking, to include submission of the rule to the Office of the Federal Register for publication and providing to the OMB and the Congress reports, consistent with 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R, and to the Office of the Comptroller General of the United States, consistent with 5 U.S.C. Chapter 8. (vii) Develop, coordinate, and maintain all DoD computer matching agreements, to include submission of required match notices for publication in the FEDERAL REGISTER and advance notification to the OMB and the Congress of the proposed matches, consistent with 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R. (viii) Provide advice and support to the DoD Components to ensure that: 21 મ (A) All information requirements developed to collect or maintain personal data conform to DoD Privacy Program standards. (B) Appropriate procedures and safeguards shall be developed, implemented, and maintained to protect personal information when it is stored in either a manual and/or automated system of records or transferred by electronic on non-electronic means; and (C) Specific procedures and safeguards shall be developed and implemented when personal data is collected and maintained for research purposes. (ix) Serve as the principal POC for coordination of privacy and related matters with the OMB and other Federal, State, and local governmental agencies. (x) Compile and submit the "Biennial 'Privacy Act' Report" and the "Biennial Matching Activity Report" to the OMB as required by OMB Circular A130 and DoD 5400.11-R (xi) Update and maintain this part and DoD 5400.11-R. Subpart B-Systems of Records §310.10 General. (a) System of records. To be subject to the provisions of this part a "system of records" must: (1) Consist of "records" (as defined in §310.3(n)) that are retrieved by the name of an individual or some other personal identifier, and (2) Be under the control of a DoD Component. (b) Retrieval practices. (1) Records in a group of records that may be retrieved by a name or personal identifier are not covered by this part even if the records contain personal data and are under control of a DoD Component. The records must be, in fact, retrieved by name or other personal identifier to become a system of records for the purpose of this part. (2) If files that are not retrieved by name or personal identifier are rearranged in such manner that they are retrieved by name or personal identifier, a new systems notice must be submitted in accordance with §310.63(c) of subpart G. (3) If records in a system of records are rearranged so that retrieval is no longer by name or other personal identifier, the records are no longer subject to this part and the system notice for the records shall be deleted in accordance with §310.64(c) of subpart G. (c) Relevance and necessity. Retain in a system of records only that personal information which is relevant and necessary to accomplish a purpose required by a federal statute or an Executive Order. (d) Authority to establish systems of records. Identify the specific statute or the Executive Order that authorize maintaining personal information in each system of records. The existance of a statute or Executive order mandating the maintenance of a system of records does not abrogate the responsibility to ensure that the information in the system of records is relevant and necessary. (e) Exercise of First Amendment rights. (1) Do not maintain any records describing how an individual exercises his or her rights guaranteed by the First Amendment of the U.S. Constitution except when: (i) Expressly authorized by federal statute; (ii) Expressly authorized by the individual; or (iii) Maintenance of the information is pertinent to and within the scope of an authorized law enforcement activity. (2) First Amendment rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition. (f) System manager's evaluation. (1) Evaluate the information to be included in each new system before establishing the system and evaluate periodically the information contained in each existing system of records for relevancy and necessity. Such a review shall also occur when a system notice amendment or alteration is prepared (see §§ 310.63 and 310.64 of subpart G). (2) Consider the following: (i) The relationship of each item of information retained and collected to the purpose for which the system is maintained; (ii) The specific impact on the purpose or mission of not collecting each category of information contained in the system; (iii) The possibility of meeting the information requirements through use of information not individually identifiable or through other techniques, such as sampling; (iv) The length of time each item of personal information must be retained; (v) The cost of maintaining the information; and (vi) The necessity and relevancy of the information to the purpose for which it was collected. (g) Discontinued information requirements. (1) Stop collecting immediately any category or item of personal information from which retention is no longer justified. Also excise this information from existing records, when feasible. (2) Do not destroy any records that must be retained in accordance with disposal authorizations established under 44 U.S.C. 303a, "Examination by the Administrator of General Services of Lists and Schedules of Records Lacking Preservation Value, Disposal of Records." [51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, and amended at 56 FR 57800, Nov. 14, 1991] §310.11 Standards of accuracy. (a) Accuracy of information maintained. Maintain all personal information that is used or may be used to make any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in making any such determination. (b) Accuracy determination before dissemination. Before disseminating any personal information from a system of records to any person outside the Department of Defense, other than a federal agency, make reasonable efforts to ensure that the information to be disclosed is accurate, relevant, timely, and complete for the purpose it is being maintained (see also §310.30(d), subpart D and $310.40(d), subpart E). [51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, and amended at 56 FR 57800, Nov. 14, 1991] $310.12 Government contractors. (a) Applicability to government contractors. (1) When a DoD Component contracts for the operation or maintenance of a system of records or a portion of a system of records by a contractor, the record system or the portion of the record system affected are considered to be maintained by the DoD Component and are subject to this part. The Component is responsible for applying the requirements of this part to the contractor. The contractor and its employees are to be considered employees of the DoD Component for purposes of the sanction provisions of the Privacy Act during the performance of the contract. Consistent with the Defense Acquisition Regulation (DAR), §1.327, "Protection of Individual Privacy" contracts requiring the maintenance of a system of records or the portion of a system of records shall identify specifically the record system and the work to be performed and shall inIclude in the solicitation and resulting contract such terms as are prescribed by the DAR. (2) If the contractor must use or have access to individually identifiable information subject to this part to perform any part of a contract, and the information would have been collected and maintained by the DoD Component but for the award of the contract, these contractor activities are subject to this Regulation. (3) The restriction in paragraphs (a) (1) and (2) of §310.12 do not apply to records: (i) Established and maintained to assist in making internal contractor management decisions, such as records maintained by the contractor for use in managing the contract; (ii) Maintained as internal contractor employee records even when used in conjunction with providing goods and services to the Department of Defense; or (iii) Maintained as training records by an educational organization contracted by a DoD Component to provide training when the records of the contract students are similar to and comingled with training records of other students (for example, admission forms, transcripts, academic counselling and similar records); (iv) Maintained by a consumer reporting agency to which records have been disclosed under contract in accordance with the Federal Claims Collection Act of 1966, 31 U.S.C. 952(d). (4) DoD Components must publish instruction that: (i) Furnish DoD Privacy Program guidance to their personnel who solicit, award, or administer government contracts; (ii) Inform prospective contractors of their responsibilities regarding the DoD Privary Program; and (iii) Establish an internal system of contractor performance review to ensure compliance with the DoD Privacy Program. (b) Contracting procedures. The Defense Systems Acquisition Regulatory Council (DSARC) is responsible for developing the specific policies and procedures to be followed when soliciting bids, awarding contracts or administering contracts that are subject to this part. (c) Contractor compliance. Through the various contract surveillance programs, ensure contractors comply with the procedures established in accordance with paragraph (b) above of this subpart. (d) Disclosure of records to contractors. Disclosure of personal records to a contractor for the use in the performance of any DoD contrtact by a DoD Component is considered a disclosure within the Department of Defense (see $310.40(b), subpart E). The contractor is considered the agent of the contracting DoD Component and to be maintaining and receiving the records for that Component. [51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, and amended at 56 FR 57800, Nov. 14, 1991] $310.13 Safeguarding personal information. (a) General responsibilities. Establish appropriate administrative, technical and physical safeguards to ensure that the records in every system of records are protected from unauthorized alteration or disclosure and that their confidentiality is protected. Protect the records against reasonably anticipated threats or hazards that could result in substantial harm, embarrassment, in convenience, or unfairness to any individual about whom information is kept. (b) Minimum standards. (1) Tailor system safeguards to conform to the type of records in the system, the sensitivity of the personal information stored, the storage medium used and, to a degree, the number of records maintained. (2) Treat all unclassified records that contain personal information that normally would be withheld from the public under Exemption Numbers 6 and 7, of § 286.31, subpart D of 32 CFR part 286 (DoD Freedom of Information Act Program) as if they were designated "For Official Use Only" and safeguard them in accordance with the standards established by subpart E of 32 CFR part 286 (DoD FOIA Program) even if they are not actually marked "For Official Use Only." (3) Afford personal information that does not meet the criteria discussed in paragraph (c)(3) of this section that degree of security which provides protection commensurate with the nature and type of information involved. (4) Special administrative, physical, and technical procedures are required to protect data that is stored or being processed temporarily in an automated data processing (ADP) system or in a word processing activity to protect it against threats unique to those environments (see Appendices A and B). (5) Tailor safeguards specifically to the vulnerabilities of the system. (c) Records disposal. (1) Dispose of records containing personal data so as to prevent inadvertent compromise. Disposal methods such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction. (2) The transfer of large quantities of records containing personal data (for example, computer cards and printouts) in bulk to a disposal activity, such as the Defense Property Disposal Office, is not a release of personal information under this part. The sheer volume of such transfers make it difficult or impossible to identify readily specific individual records. (3) When disposing of or destroying large quantities of records containing personal information, care must be exercised to ensure that the bulk of the records is maintained so as to prevent specific records from being readily identified. If bulk is maintained, no special procedures are required. If bulk cannot be maintained or if the form of the records make individually identifiable information easily available, dispose of the record in accordance with paragraph (c)(1) of this section. Subpart C-Collecting Personal Information $310.20 General considerations. (a) Collect directly from the individual. Collect to the greatest extent practicable personal information directly from the individual to whom it pertains if the information may be used in making any determination about the rights, privileges, or benefits of the individual under any federal program (see also paragraph (c) of this section). (b) Collecting Social Security Numbers (SSNs). (1) It is unlawful for any federal, state, or local governmental agency to deny an individual any right, benefit, or privilege provided by law because the individual refuses to provide his or her SSN. However, if a federal statute requires that the SSN be furnished or if the SSN is required to verify the identity of the individual in a system of records that was established and in use before January 1, 1975, and the SSN was required as an identifier by a statute or regulation adopted before that date, this restriction does not apply. (2) When an individual is requested to provide his or her SSN, he or she must be advised: (i) The uses that will be made of the SSN; (ii) The statute, regulation, or rule authorizing the solicitation of the SSN; and (iii) Whether providing the SSN is voluntary or mandatory. (3) Include in any systems notice for any system of records that contains SSNS a statement indicating the authority for maintaining the SSN and the sources of the SSNs in the system. If the SSN is obtained directly from the individual indicate whether this is voluntary or mandatory. (4) Executive Order 9397, "Numbering System For Federal Accounts Relating to Individual Persons," November 30, 1943, authorizes solicitation and use of SSNS as numerical identifier for individuals in most Federal records systems. However, it does not provide mandatory authority for soliciting SSNs. (5) Upon entrance into military service or civilian employment with the Department of Defense, individuals are asked to provide their SSNs. The SSN becomes the service or employment number for the individual and is used to establish personnel, financial, medical, and other official records. Provide the notification in paragraph (b)(2) of this section to the individual when originally soliciting his or her SSN After an individual has provided his or her SSN for the purpose of establishing a record, the notification in paragraph (b)(2) is not required if the individual is only requested to furnish or verify the SSNs for identification purposes in connection with the normal use of his or her records. However, if the SSN is to be written down and retained for any purpose by the requesting official, the individual must be provided the notification required by paragraph (b)(2) of this section. (6) Consult the Office of Personnel Management, Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735) when soliciting SSNs for use in OPM records systems. (c) Collecting personal information from third parties. It may not be practical to collect personal information directly from the individual in all cases. Some examples of this are: (1) Verification of information through third party sources for security or employment suitability deter minations; (2) Seeking third party opinions such as supervisory comments as to job knowledge, duty performance, or other opinion-type evaluations; (3) When obtaining the needed information directly from the individual is exceptionally difficult or may result in unreasonable costs; or T |