fact, makes an adverse determination based on the record. (d) Failure to comply with the Privacy Act. The agency fails to comply with any other provision of the Privacy Act or any rule or regulation promulgated under the Privacy Act and thereby causes the individual to be adversely affected. $317.112 Criminal penalties. The Privacy Act (5 U.S.C. 552a(i)) authorizes three criminal penalties against individuals. All three are misdemeanors punishable by fines of $5,000. (a) Wrongful disclosure. Any member or employee of the agency who, by virtue of his or her employment or position, has possession of or access to records and willfully makes a disclosure to anyone not entitled to receive the information. (b) Maintaining unauthorized records. Any member or employee of the agency who willfully maintains a system of records for which a notice has not been published. (c) Wrongful requesting or obtaining records. Any person who knowingly and willfully requests or obtains a record concerning an individual from the agency under false pretenses. $317.113 Litigation status report. Whenever a civil complaint citing the Privacy Act is filed against the agency in Federal court or whenever criminal charges are brought against an individual in Federal court (including referral to a court-martial) for any offense, the agency shall notify the Defense Privacy Office, DA&M. The litigation status report included in appendix C to this part provides a format for this notification. An initial litigation status report shall be forwarded providing, as a minimum, the information specified. An updated litigation status report shall be sent at each stage of litigation. When the court renders a formal disposition of the case, copies of the court's action, along with the litigation status report reporting the action, shall be sent to the Defense Privacy Office, DA&M. $317.114 Annual review of enforce ment actions. (a) Annual review. The agency shall review annually the actions of its personnel that have resulted in either the agency being found civilly liable or an agency member being found criminally liable under the Privacy Act. (b) Reporting results. The agency shall be prepared to report the results of the annual review to the Defense Privacy Office, DA&M. Subpart K-Reports $317.120 Report requirements. (a) Statutory requirements. Subsection (p) of the Privacy Act requires a report and assigns to the Office of Management and Budget the responsibility for compiling the report. (b) OMB requirements. (1) In addition to the report, the Office of Management and Budget requires that all agencies be prepared to report the results of the reviews. (2) All reports of the agency concerning implementation of the Privacy Act shall be submitted to the Defense Privacy Office, DA&M, which shall prescribe the contents and suspense for such reports. $317.121 Reports. (a) Submission to the Defense Privacy Office. The agency shall prepare statistics and other documentation for the preceding calendar year concerning those items prescribed for the annual report and any reports of the reviews required, and when directed, send them to the Defense Privacy Office, DA&M. (b) Report Control Symbol. Unless otherwise directed, any report concerning implementation of the Privacy Program shall be assigned Report Control Symbol DD-DA&M(A)1379. (c) Content of annual report. The Defense Privacy Office, DA&M, shall prescribe the content of the annual report but, at a minimum, the annual report shall contain the following: (1) Name and address of reporting agency. (2) Name and telephone number of agency official who can best answer questions about this report. (3) Agency Privacy Act Officials. (ii) Privacy Act Officer. (4) If your agency was involved in any litigation involving the Privacy Act. (i) Provide a citation to the case and a brief description of the background, issues and results. (ii) If the cases required your agency to change its practices, describe how. (5) Systems of Records Inventory: (i) Total number of systems of records as of December 31, 19XX. (ii) Number of exempt systems. (iii) Number of automated systems (either in whole or part). (iv) Number of systems deleted. (vi) Number of routine uses added. (vii) Number of routine uses deleted. (viii) Number of existing systems to which an exemption(s) was added, and (ix) Number of new systems to which an exemption(s) was added. (6) If your agency received any public comments on any of its systems of other Privacy Act implementing activities, briefly describe: (7) Access requests (first party requests which cited the Privacy Act): (i) Number of requests. (ii) Number granted in whole or in part. (iii) Number denied in whole. (iv) Number for which no record was found. (8) Amendment requests (first party requests which cited the Privacy Act): (1) Number of requests. (ii) Number granted in whole or part. (iii) Number denied in whole. (9) Appeals of denial: (i) Number of access denials appealed. (ii) Number in which denial upheld. was Subpart L-Agency Exemption Rules $317.130 Establishing and using exemptions. (a) Types of exemptions. (1) There are two types of exemptions permitted by the Privacy Act: (i) General exemptions that authorize the exemption of a system of records from all but specifically identified provisions of the Privacy Act, and (ii) Specific exemptions that allow a system of records to be exempted from only a few designated provisions of the Privacy Act. (2) Neither the Privacy Act nor this part permits exemption of a system of records from all provisions of the Privacy Act. (b) Establishing exemptions. (1) Neither general nor specific exemptions are established automatically for a system of records. Only the Director of DCAA or his/her designee shall make a determination that the system is one for which an exemption may be established and then propose and establish an exemption rule for the system. No system of records within the agency shall be considered exempted until the Assistant Director, Resources, DCAA has approved the exemption and an exemption rule has been published as a final rule in the FEDERAL REGISTER for this part. (2) Only the Assistant Director, Resources, or his or her designee, may establish an exemption for a system of records. (3) No exemption may be established for a system of records until the system itself has been established by publishing a notice in the FEDERAL REGISTER describing the system. (4) A system of records is exempt from only those provisions of the Privacy Act that are identified specifically in the agency exemption rule for the system. (c) Provisions to which exemptions may be applied. After, or along with, establishing the system of records, the Assistant Director, Resources, may establish an exemption rule that shall exempt the system of records from any provision of the Privacy Act for which an exemption is allowed. (d) Using exemptions. (1) Exemptions should be used only for the specific purposes stated in the exemption rules and only when in the best interest of the Government. Exemptions should be applied to only the specific portions of the records that require protection. (2) An exemption should not be used to deny an individual access to information that he or she can obtain under the FOIA. (e) Exempt records maintained in nonexempt systems. (1) An exemption rule applies to the system of records for which it was established. If a record from an exempted system is incorporated intentionally into a system that has not been exempted, the published notice and rules for the non-exempted system will apply to the record and it will not be exempt from any provisions of the Privacy Act. (2) A record from one DoD component's exempted system that is temporarily in the possession of another DoD component remains subject to the published system notice and rules of the originating DoD component. However, if the non-originating DoD component incorporates the record into its own system of records, the published notice and rules for the system into which it is incorporated shall apply. If that system of records has not been exempted, the record shall not be exempt from any provisions of the Privacy Act. (3) Care should be exercised that exempt records are not accidentally misfiled into a system of records that are not exempted §317.131 General exemptions. (a) Using general exemptions. (1) DCAA is not authorized to establish the exemption for records maintained by the Central Intelligence agency under subsection (j)(1) of the Privacy Act. (2) The general exemption provided by subsection (j)(2) of the Privacy Act may be established to protect criminal law enforcement records maintained by the agency. (3) To be eligible for the (j)(2) exemption, the system of records must be maintained by an element that per forms, as one of its principal functions, the enforcement of criminal laws. (4) Criminal law enforcement includes police efforts to detect, prevent, control, or reduce crime, or to apprehend criminals, and the activities of prosecution, court, correctional, probation, pardon, or parole authorities. (5) Information that may be protected under the (j)(2) exemption includes: (i) Information compiled for the purpose of identifying criminal offenders and alleged criminal offenders consisting of only identifying data and notations of arrests; the nature and disposition of criminal charges; and sentencing, confinement, release, parole, and probation status. (ii) Information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual; and (iii) Reports identifiable to an individual, compiled at any stage of the enforcement process, from arrest, apprehension, indictment, or preferral of charges through final release from the supervision that resulted from the commission of a crime. (6) The (j)(2) exemption does not apply to: (i) Investigative records maintained by an element having no criminal law enforcement activity as one of its principal functions, or (ii) Investigative records compiled by any element concerning individuals' suitability, eligibility, or qualification for duty, employment, or access to classified information, regardless of the principal functions of the DoD component that compiled them. (7) The (j)(2) exemption established for a system of records maintained by a criminal law enforcement element cannot protect law enforcement records incorporated into a non-exempted system of records or any system of records maintained by an element not principally tasked with enforcing criminal laws. Agency system managers are prohibited to incorporate criminal law enforcement records into systems other than those maintained by criminal law enforcement elements. (b) Access to records under a (j)(2) exemption. Requests for access to criminal law enforcement records maintained in a system for which a (j)(2) exemption has been established shall be processed as if also made under the FOIA. $317.132 Specific exemptions. (a) Using specific exemptions. Specific exemptions permit certain categories of records to be exempted from specific provisions of the Privacy Act. Subsections (k)(1-7) of the Privacy Act permits claiming exemptions for seven categories of records. To be eligible for a specific exemption, the record must meet the corresponding criteria. (1) (k)(1) exemption: Information properly classified under DoD 5200.1R 11 (32 CFR part 159) in the interest of national defense or foreign policy. (2) (k)(2) exemption: Investigatory information compiled for law enforcement purposes. If maintaining the information causes an individual to be ineligible for or denied any right, benefit, or privilege that he or she would otherwise be eligible for or entitled to under Federal law, then he or she shall be given access to the information, except for the information that would identify a confidential source. The (k)(2) exemption, when established, allows limited protection of investigative records normally maintained in a (j)(2) exempt system for use in personnel and administrative actions. (3) (k)(3) exemption: Records maintained in connection with providing protective services to the President of the United States and other individuals under 18 U.S.C. 3056. (4) (k)(4) exemption: Records required by Federal law to be maintained and used solely as statistical records that are not used to make any determination about an identifiable individual, except as provided by 13 U.S.C. 8. (5) (k)(5) exemption: Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information, but only to the extent such material would reveal the 11 See footnote 3 to §317.1(b). 32 CFR Ch. 1 (7-1-00 Edition) identity of a confidential source. This exemption allows protection of confidential sources in background investigations, employment inquiries, and similar inquiries used in personnel screening to determine suitability, eligibility, or qualifications. (6) (k)(6) exemption: Testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal or military service if the disclosure would compromise the objectivity or fairness of the testing or examination process. (7) (k)(7) exemption: Evaluation material used to determine potential for promotion in the military services, but only to the extent that disclosure would reveal the identity of a confidential source. (b) Confidential source. (1) A “confidential source" is defined under the Privacy Act as a person or organization that has furnished information to the Federal Government under an express promise or, before September 27, 1975, under an implied promise that the identity of the person or organization would be held in confidence. (2) Promises of confidentiality are to be given on a limited basis and only when essential to obtain the information sought. Appropriate procedures should be established for granting confidentiality and designate those categories of individuals authorized to make such promises. (c) Access to records under specific eremptions. Requests for access to records maintained in systems of records for which specific exemptions have been established shall be processed as if also made under the FOIA. $317.133 DCAA exempt record sys tems. (a) Exempt systems of records. The Director, DCAA has made a determination and claims an exemption for the following agency systems of records by publication of an appropriate exemp tion rule for the record system and therefore allowing the agency to invoke, at its discretion, the particular exemption permitted by the Privacy Act from certain subsections of the Privacy Act. (b) Classified material. The Director, DCAA has made a determination that all systems of records maintained by the agency shall be exempt from 5 U.S.C. 552a(d) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(1) to the extent that the record system contains any information properly classified under Executive Order 12958 and required by the executive order to be withheld in the interest of national defense or foreign policy. This blanket exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain items of information that have been properly classified. (c) General exemption rules. [Reserved] (d) Specific exemption rules. [Reserved] [57 FR 48992, Oct. 29, 1992, as amended at 61 FR 2916, Jan. 30, 1996] APPENDIX A TO PART 317-DCAA BLANKET ROUTINE USES A. LAW ENFORCEMENT ROUTINE USE In the event that a system of records maintained by this agency to carry out its functions indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto. B. DISCLOSURE WHEN REQUESTING A record from a system of records maintained by this agency may be disclosed as a routine use to a Federal, State, or local agency maintaining civil, criminal, or other relevant enforcement information, or other pertinent information, such as current licenses, if necessary to obtain information relevant to a agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit. C. DISCLOSURE OF REQUESTED A record from a system of records maintained by this agency may be disclosed to a Federal Agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter. D. CONGRESSIONAL INQUIRIES ROUTINE USE Disclosure from a system of records maintained by this agency may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual. E. PRIVATE RELIEF LEGISLATION Relevant information contained in all systems of records of the agency published on or before August 22, 1975, may be disclosed to the Office of Management and Budget in connection with the review of private relief legislation as set forth in OMB Circular A-19 at any stage of the legislative coordination and clearance process as set forth in that circular. F. DISCLOSURES REQUIRED BY INTERNATIONAL AGREEMENTS ROUTINE USE A record from a system of records maintained by this agency may be disclosed to foreign law enforcement, security, investigatory, or administrative authorities in order to comply with requirements imposed by, or to claim rights conferred in, international agreements and arrangements, including those regulating the stationing and status in foreign countries of Department of Defense military and civilian personnel. G. DISCLOSURE TO STATE AND LOCAL Any information normally contained in IRS Form W-2 that is maintained in a record from a system of records maintained by this agency may be disclosed to State and local taxing authorities with which the Secretary of the Treasury has entered into agreements pursuant to Title 5 U.S.C. Sections 5516, 5517, 5520, and only to those State and local taxing authorities for which an employee or military member is or was subject to tax, regardless of whether tax is or was withheld. This routine use is in accordance with Treasury Fiscal Requirements Manual Bulletin No. 7607. H. DISCLOSURE TO THE OFFICE OF PERSONNEL MANAGEMENT ROUTINE USE A record from a system of records subject to the Privacy Act and maintained by this |