Page images
PDF
EPUB

1975, to verify the individual's identity for a system of records established and in use before that date.

(2) Before requesting an individual to provide the SSN, the individual shall be told:

(i) Whether providing the SSN is voluntary or mandatory,

(ii) By what law or other authority the SSN is solicited, and

(iii) What uses will be made of the SSN.

(3) The notice published in the FEDERAL REGISTER for each system of records containing SSNs solicited from individuals must indicate the authority for soliciting the SSNs and whether it is mandatory for the individuals to provide their SSNs. Executive Order 9397 permits Federal agencies to solicit SSNs as numerical identifiers for individuals in Federal records systems.

(4) Upon entrance into employment with the agency, individuals must provide their SSNs; therefore, they must be given the notification. The SSN is then the individual's numerical identifier and used to establish personnel, financial, medical, and other official records. After the individual has provided the SSN to establish the records, the notification is not required when the SSN is requested only for verification or to locate the records.

(5) The Federal Personnel Manual should be consulted when soliciting SSNs for use in systems of records controlled by the Office of Personnel Management.

(c) Collecting information about individuals from third persons. It might not always be practical to collect all information about the individual directly from the individual, such as when:

(1) Verifying information through other sources for security or employment suitability determinations.

(2) Seeking other opinions, such as a supervisor's comments on past performance or other evaluations.

(3) Obtaining the necessary information directly from the individual will be exceptionally difficult or will result in unreasonable costs or delays; or

(4) The individual requests or consents to contacting another person to obtain the information.

(d) Privacy Act statement. (1) When an individual is requested to furnish infor

mation about himself or herself for a system of records, a Privacy Act statement must be provided to the individual, regardless of the method used to collect the information (forms, personal interviews, telephonic interviews, etc.). If the information requested will not be included in a system of records, a Privacy Act statement is not required.

(2) The Privacy Act statement shall include the following:

(i) The Federal law or Executive Order of the President that authorizes collecting the information.

(ii) Whether it is voluntary or mandatory for the individual to provide the requested information.

(iii) The principal purposes for which the information will be used.

(iv) The routine uses that will be made of the information (to whom and why it will be disclosed outside the Department of Defense); and

(v) The effects, if any, on the individual if all or part of the information is not provided.

(3) The Privacy Act statement must appear on the form used to collect the information or on a separate form that can be retained by the individual requesting it. If the information is collected other than by the individual completing a form, such as when the information is solicited by telephone, the Privacy Act statement should be read to the individual and a copy sent to him or her on request.

(4) It is mandatory for an individual to furnish information about himself or herself for a system of records only when a Federal law or Executive Order of the President specifically imposes a duty to furnish the information and provides a penalty, e.g., criminal sanctions, for failure to do so. If furnishing the information is only a condition for granting a benefit or privilege voluntarily sought by the individual (such as a request for annual leave), it is voluntary for the individual to give the information. However, the denial of the benefit or privilege must be listed in the Privacy Act statement as one of the effects of not providing the information, i.e., the effects on the individual if the information is not provided.

$317.21 Forms.

(a) DCAA forms. (1) DCAA Regulation 5015.38, "DCAA Forms Management Program," provides guidance for preparing the Privacy Act statement for use with DCAA forms.

(2) When forms are used to collect information about individuals for a system of records, the Privacy Act statement shall appear as follows (listed in the order of preference):

(i) Immediately below the title of the form.

(ii) Elsewhere on the front page of the form (clearly indicating it is the Privacy Act statement).

(iii) On the back of the form with a notation of its location below the title of the form, or

(iv) On a separate form which the individual may keep.

(b) Non-DCAA forms. Forms subject to 5 U.S.C. 552a issued by other DoD components or Federal agencies might contain a Privacy Act statement; however, the statement might not reflect accurately the authority, purposes, and routine uses applicable within the agency. If so, the activity using the form shall prepare a statement or supplement to the one provided with the form.

Subpart D-Access to Records $317.30 Individual access to records.

(a) Right of access (1) The access provisions of this part are for individuals who are subjects of records maintained in DCAA systems of records.

(2) All information that can be released consistent with applicable laws and regulations should be made available to the subject of record.

(b) Notification of record's existence. Record managers of system of records shall establish procedures for notifying an individual, in response to a request, if the system of records contains a record pertaining to him or her.

(c) Individual requests for access. (1) Individuals shall address requests for access to records in systems of records

8 Copies may be obtained, at cost, from the Defense Contract Audit Agency, ATTN: CMO, Cameron Station, Alexandria, VA 22304-6178.

to the responsible system manager or the regional Privacy Act officer.

(2) Requests for access may be oral or written; however, only written requests are to be maintained in the Privacy Act case file and counted when compiling the annual Privacy Act report.

(d) Verifying identity. (1) An individual shall provide reasonable verification of identity before obtaining access to records.

(2) Procedures for verifying identity shall not be complicated merely to discourage individuals from seeking access to records.

(3) When an individual seeks access in person, identification can be verified by documents normally carried by the individual, such as an identification card, driver's license, or other license, permit or pass normally used for identification purposes.

(4) When access is requested other than in person, identity may be verified by the individual's providing minimum identifying data such as full name, date and place of birth, or other information necessary to locate the record sought. If the information sought is sensitive, additional identifying data may be required.

(5) The individual may be accompanied by a person of his or her choice when viewing the record; however, the individual may be required to provide written authorization to have the record discussed in front of the other person.

(6) An individual shall not be denied access to a record solely for refusing to divulge the SSN, unless it is the only means of retrieving the record or verifying identity.

(7) An individual shall not be required to explain why he or she is seeking access to a record.

(8) Only a designated denial authority may deny access. The denial must be in writing.

(9) If notarization of requests is required for access, procedures shall be established for an alternate method of verification for individuals who do not have access to notary services, such as military members overseas. The following formats may be used as prescribed by 28 U.S.C. 1746:

[ocr errors]
[ocr errors]
[ocr errors]
[ocr errors]

me

[merged small][merged small][ocr errors]

(i) If executed outside of the United States: "I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature)."

(ii) If executed within the United States, its territories, possessions, or commonwealths: "I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”

(e) Granting individual access to records. (1) The individual should be granted access to the original record (or exact copy) without any changes or deletions. A record that has been amended is considered the original.

(2) The individual's request should be granted for an exact copy of the record, and, upon the signed authorization of the individual, a copy should be provided to anyone designated by the individual. In either case, the copying fees may be assessed to the individual.

(3) If requested, explain any record or portion of a record that is not understood, as well as any changes or deletions.

OT exempt

(f) Пllegible, incomplete, records. (1) Illegible or incomplete records. Individual access should not be denied solely because the physical condition or format of the record does not make it readily available, such as when the record is in a deteriorated state or on magnetic tape. In this case, the document should be recopied exactly or an extract can be prepared.

(2) Exempt records. A request for a record that is wholly or partially exempt from access shall also be processed under the Freedom of Information Act (FOIA). The requester shall be granted access to all information that is releasable under either this part or the FOIA. The agency may provide this information in the form of an extract or summary of the record. The provisions of this rule or the FOIA under which access was granted should be cited.

(g) Access to medical and psychological records. (1) Individual access to medical and psychological records should be provided, even if the individual is a minor, unless it is determined that access could have an adverse effect on the mental or physical health of the indi

vidual. This determination normally should be made in consultation with a medical practitioner.

(2) If it is medically indicated that access could have an adverse mental or physical effect on the individual, the record should be provided to a medical practitioner named by the individual, along with an explanation why access without medical supervision could be harmful to the individual.

(3) The named medical practitioner should not be required to request the record for the individual.

(4) If the individual refuses or fails to designate a medical practitioner, access shall be refused. The refusal is not considered a denial for reporting purposes under the Privacy Act.

(h) Access by parents and legal guardians. (1) The parent of any minor, an individual under 18 years of age who is neither a member of a Military Service nor married, or the legal guardian of any individual declared by a court of competent jurisdiction to be incompetent due to physical or mental incapacity or age, may obtain access to the record of the minor or incompetent individual if the parent or legal guardian is acting on behalf of the minor or incompetent (i.e., for the benefit of the minor or incompetent). However, with respect to access by parents and legal guardians to medical records and medical determinations about minors, observe the following procedures:

(i) In the United States, the laws of the state where the records are located might afford special protection to certain medical records such as drug and alcohol abuse treatment records and psychiatric records. The state statutes might apply even if the records are maintained by a military medical facility.

(ii) For installations located outside the United States, the parent or legal guardian of a minor shall be denied access if all four of the following conditions are met:

(A) The minor at the time of the treatment or consultation was 15, 16, or 17 years old.

(B) The treatment or consultation was within a program authorized by law or regulation to provide confidentiality to the minor.

(C) The minor specifically indicated a desire that the treatment or consultation record be handled in confidence and not disclosed to a parent or guardian, and

(D) The parent or legal guardian does not have the written authorization of the minor or a valid court order granting access.

(2) A minor or incompetent has the same right of access as any other individual. The right of access of the parent or legal guardian is in addition to that of the minor or incompetent.

(i) Access to information compiled in anticipation of a civil proceeding. (1) An individual is not entitled to access information compiled in reasonable anticipation of a civil action or proceeding.

(2) The term "civil action or proceeding" includes quasi-judicial and pretrial judicial proceedings as well as formal litigation.

(3) Paragraphs (i)(1) and (2) of this to section do not prohibit access records compiled or used for purposes other than litigation, nor prohibit access to systems of records solely because they are frequently subject to litigation. The information must have been compiled for the primary purpose of litigation.

(4) Attorney work products prepared in conjunction with the paragraphs (i)(1) and (2) of this section are also protected.

(j) Non-agency records. (1) Certain documents under the control of DCAA personnel and used to assist them in performing official functions may not be considered agency records within the meaning of this part. Such documents, if maintained in accordance with the following subparagraph, are not systems of records that are subject to this part. Examples are personal telephone lists and personal notes kept to refresh the memory of the author. (2) To be considered non-agency records, the documents must:

(i) Be maintained and discarded solely at the discretion of the author.

(ii) Be created only for the author's personal convenience.

(iii) Not be the result of official direction or encouragement, whether oral or written; and

(iv) Not be shown to other persons for any reason.

(k) Relationship between the Privacy Act and the Freedom of Information Act (FOIA). (1) Access requests that specifically state or reasonably imply that they are made under the Freedom of Information Act (5 U.S.C. 552), are processed pursuant to DCAA Regulation 5410.10 (32 CFR part 290).

(2) Access requests that specifically state or reasonably imply that they are made under the Privacy Act of 1974 (5 U.S.C. 552a) are processed pursuant to this part.

(3) Access requests that cite both the FOIA and the Privacy Act are processed under the Act that provides the greater degree of access. The requester should be informed which Act was used in granting or denying access.

(4) Individual access should not be denied to records otherwise releasable under the Privacy Act or the Freedom of Information Act solely because the request does not cite the appropriate statute.

(1) Time limits. Access requests should be acknowledged within 10 working days after receipt, and access should be granted or denied within 30 working days, excluding Federal holidays.

$317.31 Reproduction fees.

(a) Fee schedules. The fees charged requesters shall include only the direct cost of reproduction and shall not include costs of:

(1) Time or effort devoted by agency personnel to searching for or reviewing the record.

(2) Fees not associated with the actual cost of reproduction.

(3) Producing a copy when it must be provided to the individual without cost under another regulation, directive, or law.

(4) Normal postage.

(5) Transportation of records or personnel, or

(6) Producing a copy when the individual has requested only to review the record and has not requested a copy to keep, and

(i) The only means of allowing review is to make a copy (e.g., the record is stored in a computer and a copy must be printed to provide individual access), or

Office of the Secretary of Defense

(ii) The agency does not wish to surrender temporarily the original record for the individual to review.

(7) Compute fees using the appropriate portions of the fee schedule in 32 CFR part 286, subpart F.

(b) Fee waivers. (1) Fees shall be waived automatically if the direct cost of reproduction is less than $30, unless the individual is requesting an obvious extension or duplication of a previous request for which he or she was granted a waiver.

(2) Decisions to waive or reduce fees that exceed $30 may be made on a caseby-case basis.

$317.32 Denying individual access.

(a) Denying individual access. The subject of record may be denied access only if it:

(1) Was compiled in reasonable anticipation of a civil action or proceeding; or

(2) Is in a system of records that has been exempted from the access provisions of this part.

(3) The individual should be denied access only to those portions of the record for which the denial will serve a legitimate governmental purpose.

(4) An individual may be refused access for failure to comply with established procedural requirements, but must be told the specific reason for the refusal and the proper access procedures.

(b) Notifying the individual. Written denial of access must be given to the individual and must be documented in a Privacy Act case file. The denial shall include:

(1) The name, title, and signature of a designated denial authority.

(2) The date of the denial.

(3) The specific reason for the denial, citing the appropriate sections of the Privacy Act or this part authorizing the denial.

(4) Notice of the individual's right to appeal the denial within 60 calendar days of the date the notice is mailed; and

(5) The title and address of the appeal official.

(c) Appeal procedures. Appeal procedures provide for the following:

(1) Review by the Assistant Director, Resources, DCAA Headquarters, or his or her designee, of any appeal by an individual.

(2) Written notification to the individual by the Assistant Director, Resources shall:

(i) If the denial is sustained totally or in part, include:

(A) The reason for denying the appeal, citing the provision of the Privacy Act or this part upon which the denial is based.

(B) The date of the appeal determination.

(C) The name, title, and signature of the appeal authority; and

(D) A statement informing the applicant of the right to seek judicial relief in Federal District Court.

(ii) If the appeal is granted, advise the individual and provide access to the record sought.

(d) Final action, time limits, and documentation. (1) The written appeal notification granting or denying access is the final agency action on the initial request for access.

(2) All appeals shall be processed within 30 working days, excluding Federal holidays, of receipt, unless the appeal authority finds that an adequate review cannot be completed within that period. If additional time is needed, notify the applicant in writing, explaining the reason for the delay and when the appeal will be completed.

(3) All actions on appeals must be documented in the Privacy Act case

file.

(e) Denial of appeal by the agency's failure to act. An individual may consider his or her appeal denied if the appeal authority fails:

(1) To take final action on the appeal within 30 working days, excluding Federal holidays, of receipt when no extension of time notice was given; or

(2) To take final action within the period established by the extension of time notice.

(f) Denying access to Office of Personnel Management (OPM) records held by the agency. (1) The records in all systems of records maintained in accordance with the OPM Government-wide system notices are only in the temporary custody of the agency.

« PreviousContinue »