(4) Whether the record subjects have consented to the match; or whether disclosure of records for the match would be compatible with the purpose for which the records were originally collected; that is, whether disclosure under a "routine use" would be appropriate; whether the soliciting agency is seeking the records for a legitimate law enforcement activity-whichever is appropriate; or any other provision of the Privacy Act under which disclosure may be made;

(5) Description of additional information which may be subsequently disclosed in relation to "hits";

(6) Subsequent actions expected of the source (for example, verification of the identity of the "hits" or follow-up with individuals who are "hits");

(7) Safeguards to be afforded the records involved, including disposition.

b. If the agency is satisfied that disclosure of the records would not violate its responsibilities under the Privacy Act, it may proceed to make the disclosure to the matching agency. It should ensure that only the minimum information necessary to conduct the match is provided. If disclosure is to be made pursuant to a "routine use" (Section (b)(3) of the Privacy Act), it should ensure that the system of records contains such a use, or it should publish a routine use notice in the FEDERAL REGISTER. The agency should also be sure to maintain an accounting of the disclosures pursuant to Section (c) of the Privacy Act.

c. To a nonfederal entity. Before disclosing records to a nonfederal entity for a matching program to be carried out by that entity, a source agency should, in addition to all of the consideration in paragraph E.1.a., above, also make reasonable efforts, pursuant to Section (e)(6) of the Privacy Act, to "assure that such records are accurate, complete, timely, and relevant for agency purposes."

2. Written Agreements. Before disclosing to either a federal or nonfederal entity, the source agency should require the matching entity to agree in writing to certain conditions governing the use of the matching file; for example, that the matching file will remain the property of the source agency and be returned at the end of the matching program (or destroyed as appropriate); that the file will be used and accessed only to match the file or files previously agreed to; that it will not be used to extract information concerning "non-hit" individuals for any purpose, and that it will not be duplicated or disseminated within or outside the matching agency unless authorized in writing by the source agency.

3. Performing Matching Programs. (a) Matching agencies should maintain reasonable administrative, technical, and physical security safeguards on all files involved in the matching program.

(b) Matching agencies should insure that they have appropriate systems of records including those containing "hits," and that such systems and any routine uses have been appropriately noticed in the FEDERAL REGISTER and reported to OMB and the Congress, as appropriate.

4. Disposition of Records. a. Matching agencies will return or destroy source matching files (by mutual agreement) immediately after the match.

b. Records relating to hits will be kept only so long as an investigation, either criminal or administrative, is active, and will be disposed of in accordance with the requirements of the Privacy Act and the Federal Records Schedule.

5. Publication Requirements. a. Agencies, before disclosing records outside the agency, will publish appropriate "routine use" notices in the FEDERAL REGISTER, if necessary.

b. If the matching program will result in the creation of a new or the substantial alteration of an existing system of records, the agency involved should publish the appropriate FEDERAL REGISTER notice and submit the requisite report to OMB and the Congress pursuant to OMB Circular No. A-108.

6. Reporting Requirements. a. As close to the initiation of the matching program as possible, matching agencies shall publish in the FEDERAL REGISTER a brief public notice describing the matching program. The notice should include:

(1) The legal authority under which the match is being conducted;

(2) A description of the matching program including whether the program is one time or continuing, the organizations involved, the purpose or purposes for which the program is being conducted, and the procedures to be used in matching and following up on the "hits";

(3) A complete description of the personal records to be matched, including the source or sources, system of records identifying data, date or dates and page number of the most recent FEDERAL REGISTER full text publication when appropriate;

(4) The projected start and ending dates of the program;

(5) The security safeguards to be used to protect against unauthorized access or disclosure of the personal records; and

(6) Plans for disposition of the source records and "hits."

7. Agencies should send a copy of this notice to the Congress and to OMB at the same time it is sent to the FEDERAL REGISTER.

a. Agencies should report new or altered systems of records as described in paragraph E.5.b., above, as necessary.

b. Agencies should also be prepared to report on matching programs pursuant to the reporting requirements of either the Privacy Act or the Paperwork Reduction Act. Reports will be solicited by the Office of Information and Regulatory Affairs and will focus on both the protection of individual privacy and the government's effective use of information technology. Reporting instructions will be disseminated to the agencies as part of either the reports required by paragraph (p) of the Privacy Act, or Section 3514 of Pub. L. 96-511.

8. Use of Contractors. Matching programs should, as far as practicable, be conducted "in-house" by federal agencies using agency personnel, rather than by contract. When contractors are used, however,

a. The matching agency should, consistent with paragraph (m) of the Privacy Act, cause the requirements of that Act to be applied to the contractor's performance of the matching program. The contract should include the Privacy Act clause required by Federal Personnel Regulation Amendment 155 (41 CFR 1-1.337-5);

b. The terms of the contract should include appropriate privacy and security provisions consistent with policies, regulations, standards, and guidelines issued by OMB, GSA, and the Department of Commerce;

c. The terms of the contract should preclude the contractor from using, disclosing, copying, or retaining records associated with the matching program for the contractor's own use;

d. Contractor personnel involved in the matching program shall be made explicitly aware of their obligations under the Act and of these guidelines, agency rules, and any special safeguards in relation to each specific match performed.

e. Any disclosures of records by the agency to the contractor should be made pursuant to a "routine use" (5 U.S.C. 552a(b)(3)).

F. Implementation and Oversight. OMB will oversee the implementation of these guidelines and shall interpret and advise upon agency proposals and actions within their scope, consistent with section 6 of the Privacy Act.

[51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, as amended at 56 FR 57801, Nov. 14, 1991]


SOURCE: 64 FR 22785, Apr. 28, 1999, unless otherwise noted.

§311.1 Purpose.

This part updates and implements basic policies and procedures outlined in 5 U.S.C. 552a, OMB Circular A-130,¹ and DoD 5400.11-R² and provides guidance and procedures for use in establishing the Privacy Program in the Office of the Secretary of Defense (OSD) and those organizations assigned to OSD for administrative support.

§311.2 Applicability and scope.

This part:

(a) Applies to the OSD, the Chairman of the Joint Chiefs of Staff, Uniformed Services University of the Health Sciences (USUHS) and other activities assigned to OSD for administrative support hereafter referred to collectively as "OSD Components."

(b) Covers record systems maintained by OSD Components and governs the maintenance, access, change, and release of information contained in OSD Component record systems, from which information about an individual is retrieved by a personal identifier.

§311.3 Definitions.

Access. Any individual's review of a record or a copy of a record or parts of a system of records.

Disclosure. The transfer of any personal information from a system of records by any means of oral, written, electronic, mechanical, or other communication, to any person, private entity, or Government agency, other than the subject of the record, the subject's designated agent, or the subject's guardian.

Individual. A living citizen of the United States or an alien lawfully admitted to the United States for permanent residence. The legal guardian of an individual has the same rights as the individual and may act on his or her behalf.

Individual access. Access to personal information pertaining to the individual, by the individual, his or her designated agent or legal guardian.

Maintain. Includes maintenance, collection, use or dissemination.

Personal information. Information about an individual that is intimate or private, as distinguished from information related solely to the individual's official functions or public life.

§311.4 Policy.

(a) It is DoD policy to safeguard personal information contained in any system of records maintained by any DoD Component and to permit any individual to know what existing records pertain to him or her in any OSD Component covered by this part.

(b) Each office maintaining records and information about individuals shall ensure that their privacy is protected from unauthorized disclosure of personal information. These offices shall permit individuals to have access to, and to have a copy made of all, or any portion of records about them, except as provided in Chapters 3 and 5, DoD 5400.11-R, and to have an opportunity to request that such records be amended as provided by the Privacy Act of 1974 and Chapter 3 of DoD 5400.11-R. Individuals requesting access to their records shall receive concurrent consideration under 5 U.S.C. 552a and the Freedom of Information Act, as amended, if appropriate.

(c) Heads of OSD Components shall maintain any necessary record of a personal nature that is individually identifiable in a manner that complies with the law and DoD policy. Any information collected must be as accurate, relevant, timely, and complete as is reasonable to ensure fairness to the individual. Adequate safeguards must be provided to prevent misuse or unauthorized release of such information.

§311.5 Responsibilities.

(a) The Director of Administration and Management, Office of the Secretary of Defense (DA&M, OSD) shall:

(1) Direct and administer the DoD Privacy Program for OSD Components.

(2) Establish standards and procedures to ensure implementation of and compliance with the Privacy Act of 1974, OMB Circular No. A-130, and DoD 5400.11-R.

(3) Designate the Director for Freedom of Information and Security Review as the point of contact for individuals requesting information or access to records and copies about themselves.

(4) Serve as the appellate authority within OSD when a requester appeals a denial for access to records under the Privacy Act.

(5) Serve as the appellate authority within OSD when a requester appeals a denial for amendment of a record or initiates legal action to correct a record.

(6) Evaluate and decide, in coordination with The General Counsel of the Department of Defense (GC, DoD), appeals resulting from denials of access or amendments to records by the OSD Components.

(7) Designate the Directives and Records Division, Correspondence and Directives Directorate, Washington Headquarters Services (WHS) as the office responsible for all aspects of the Privacy Act, except that portion about receiving and acting on public requests for personal records. As such, the Directives and Records Division shall:

(i) Exercise oversight and administrative control of the Privacy Act Program in OSD and those organizations assigned to OSD for administrative support.

(ii) Provide guidance and training to organizational entities as required by 5 U.S.C. 552a and OMB Circular A-130.

(iii) Collect and consolidate data from OSD Components, and submit an annual report to the Defense Privacy Office, as required by 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R.

(iv) Coordinate and consolidate information for reporting all record systems, as well as changes to approved systems, to the OMB, the Congress, and the FEDERAL REGISTER, as required by 5 U.S.C. 552a, OMB Circular A-130, and DoD 5400.11-R.

(v) Collect information from OSD Components, and prepare consolidated reports required by 5 U.S.C. 552a and DoD 5400.11-R.

(b) The Director for Freedom of Information and Security Review shall:

(1) Forward requests for information or access to records to the appropriate OSD Component having primary responsibility for any pertinent system of records under 5 U.S.C. 552a, or to OSD Components, under the Freedom of Information Act, as amended.

(2) Maintain deadlines to ensure that responses are made within the time limits prescribed in DoD 5400.7-R,³ DoD Instruction 5400.10,⁴ and this part.

(3) Collect fees charged and assessed for reproducing requested materials.

(4) Refer all matters about amendments of records and general and specific exemptions under the 5 U.S.C. 552a to the proper OSD Components.

(c) The General Counsel of the Department of Defense shall:

(1) Coordinate all OSD final denials of appeals for amending records, and review actions to confirm denial of access to records, as appropriate.

(2) Provide advice and assistance to the DA&M, OSD in the discharge of appellate and review responsibilities, and to the DFOISR on all access matters.

(3) Provide advice and assistance to OSD Components on legal matters pertaining to the Privacy Act of 1974.

(d) The Heads of the OSD Components shall:

(1) Designate an individual as the point of contact for Privacy Act matters; designate an official to deny initial requests for access to an individual's records or changes to records; and advise both DA&M, OSD and DFOISR of names of officials so designated.

(2) Report any new record system, or changes to an existing system, to the Chief, Directives and Records Division, WHS, at least 90 days before the intended use of the system.

(3) Review all contracts that provide for maintaining records systems, by or on behalf of his or her office, to ensure within his or her authority, that language is included that provides that such systems shall be maintained in a manner consistent with 5 U.S.C. 552a.

(4) Revise procurement guidance to ensure that any contract providing for the maintenance of a records system, by or on behalf of his or her office, includes language that ensures that such system shall be maintained in accordance with 5 U.S.C. 552a.

3 See footnote 2 to §311.1.

4 See footnote 2 to §311.1.

(5) Revise computer and telecommunications procurement policies to ensure that agencies review all proposed contracts for equipment and services to comply with 5 U.S.C. 552a.

(6) Coordinate with Automatic Data Processing (ADP) and word processing managers providing services to ensure that an adequate risk analysis is conducted to comply with DoD 5400.11-R.

(7) Review all Directives that require forms or other methods used to collect information about individuals to ensure that they are in compliance with 5 U.S.C. 552a.

(8) Establish administrative systems in OSD Component organizations to comply with the procedures listed in this part and DoD 5400.11-R.

(9) Coordinate with the GC, DoD on all proposed denials of access to records.

(10) Provide justification to the DFOISR when access to a record is denied in whole or in part.

(11) Provide the record to the DFOISR when the initial denial of a request for access to such record has been appealed by the requester, or at the time of initial denial when appeal seems likely.

(12) Maintain an accurate account of the actions resulting in a denial for access to a record or for the correction of a record. This account should be maintained so that it can be readily certified as the complete record of proceedings if litigation occurs.

(13) Ensure that all personnel who either have access to the system of records, or who are engaged in developing or supervising procedures for handling records in the system, are aware of their responsibilities for protecting personal information as established in the Privacy Act and DoD 5400.11-R.

(14) Forward all requests for access to records received directly from an individual to the DFOISR for appropriate suspense control and recording.

(15) Provide DFOISR with a copy of the requested record when the request is granted.

(e) The requester who desires to submit a request is responsible for:

(1) Determining whether to submit the request in writing or in person. A requester who seeks access to records pertaining to himself or herself which are filed by his or her name or personal identifier:

(i) May make such a request in person to the custodian of the records. If the requester is not satisfied with the response, however, in order to invoke any provision of 5 U.S.C. 552a, DoD 5400.11-R, or this part, the requester must file a request in writing as provided in §311.6(b)(10). The requester must provide proof of identity by showing driver's license or similar credentials.

(ii) Describing the record sought, and providing sufficient information to enable the material to be located (e.g., identification of system of records, approximate date it was initiated, originating organization, and type of document).

(iii) Complying with procedures provided in DoD 5400.11-R for inspecting and/or obtaining copies of requested records.

(iv) Submitting a written request to amend the record to the system manager or to the office designated in the system notice.

§311.6 Procedures.

(a) Publication of notice in the Federal Register. (1) A notice shall be published in the FEDERAL REGISTER of any record system meeting the definition of a system of records in DoD 5400.11-R.

(2) Regarding new or revised records systems, each OSD Component shall provide the Chief, Directives and Records Division with 90 days advance notice of any anticipated new or revised system of records. This material shall be submitted to the OMB and to Congress at least 60 days before use and to the Federal Register at least 30 days before being put into use, to provide an opportunity for interested persons to submit written data, views, or arguments to the OSD Components. Instructions on content and preparation are outlined in DoD 5400.11-R.

(b) Access to information on records systems. (1) Upon request, and as provided by the Privacy Act, records shall be disclosed only to the individual they pertain to and under whose individual name or identifier they are filed, unless exempted by provisions stated in DoD 5400.11-R.

(2) There is no requirement under 5 U.S.C. 552a that a record be created or that an individual be given access to records that are not in a group of records that meet this definition of a system of records in 5 U.S.C. 552a.

(3) Granting access to a record containing personal information shall not be conditioned upon any requirement that the individual state a reason or otherwise justify the need to gain access.

(4) No verification of identity shall be required of an individual seeking access to records that are otherwise available to the public.

(5) Individuals shall not be denied access to a record in a system of records about themselves because those records are exempted from disclosure under DoD 5400.7-R. Individuals may only be denied access to a record in a system of records about themselves when those records are exempted from the access provisions of the Privacy Act under DoD 5400.11-R, Chapter 5.

(6) Individuals shall not be denied access to their records for refusing to disclose their Social Security Numbers (SSNs), unless disclosure of the SSN is required by statute, by regulation adopted before January 1, 1975, or if the record's filing identifier and only means of retrieval is by SSN.

(7) Individuals may request access to their records, in person or by mail, in accordance with the procedures outlined in paragraph (b)(8) of this section.

(8) Information necessary to identify a record is: the individual's name, date of birth, place of birth, identification of the records system as listed in the FEDERAL REGISTER, or sufficient information to identify the type of records being sought, and the approximate date the records might have been created. Any individual making a request for access to records in person shall come to the Directorate for Freedom of Information and Security Review (DFOISR), Room 2C757, Pentagon, Washington, DC 20301-1155; and shall provide personal identification acceptable to the Director, DFOISR, to verify the individual's identity (e.g., driver's license, other licenses, permits, or passes used for routine identification purposes).
