
§323.5

last known address of the individual as reflected in the records is sufficient.

(11) Records may be disclosed without the consent of the individual to whom they pertain to either House of the Congress or to any committee, joint committee or subcommittee of Congress if the release pertains to a matter within the jurisdiction of the committee. Records may also be disclosed to the General Accounting Office (GAO) in the course of the activities of GAO.

(12) Records may be disclosed without the consent of the person to whom they pertain under a court order signed by a judge of a court of competent jurisdiction. Releases may also be made under the compulsory legal process of Federal or state bodies having authority to issue such process.

(i) When a record is disclosed under this provision, make reasonable efforts to notify the individual to whom the record pertains, if the legal process is a matter of public record.

(ii) If the process is not a matter of public record at the time it is issued, seek to be advised when the process is made public and make reasonable efforts to notify the individual at that time.

(iii) Notification sent to the last known address of the individual as reflected in the records is considered reasonable effort to notify. Make a disclosure accounting each time a record is disclosed under a court order or compulsory legal process.

(13) Certain personal information may be disclosed to consumer reporting agencies as defined by the Federal Claims Collection Act. Information which may be disclosed to a consumer reporting agency includes:

(i) Name, address, taxpayer identification number (SSN), and other information necessary to establish the identity of the individual.

(ii) The amount, status, and history of the claim.

(iii) The agency or program under which the claim arose.

(g) Disclosure accounting. (1) Keep an accurate record of all disclosures made from any system of records except disclosures to DoD personnel for use in the performance of their official duties or under DLAR 5400.14 (32 CFR part 1285). In all other cases a disclosure accounting is required even if the individual has consented to the disclosure of the information pertaining to him or her.

(2) Use any system of disclosure accounting that will provide the necessary disclosure information. As a minimum, disclosure accounting will contain the date of the disclosure, a description of the information released, the purpose of the disclosure, the name and address of the person or agency to whom the disclosure was made. When numerous similar records are released (such as transmittal of payroll checks to a bank), identify the category of records disclosed and include the data required in some form that can be used to construct an accounting disclosure record for individual records if required. Retain disclosure accounting records for 5 years after the disclosure or the life of the record, whichever is longer.

(3) Make available to the individual to whom the record pertains all disclosure accountings except when the disclosure has been made to a law enforcement activity and the law enforcement activity has requested that disclosure not be made, or the system of records has been exempted from the requirement to furnish the disclosure accounting. If disclosure accountings are not maintained with the record and the individual requests access to the accounting, prepare a listing of all disclosures and provide this to the individual upon request.

(h) Collecting personal information. (1) Collect to the greatest extent practicable personal information directly from the individual to whom it pertains if the information may be used in making any determination about the rights, privileges, or benefits of the individual under any Federal program.

(2) When an individual is requested to furnish personal information about himself or herself for inclusion in a system of records, a Privacy Act Statement is required regardless of the medium used to collect the information (forms, personal interviews, stylized formats, telephonic interviews, or other methods). The statement enables the individual to make an informed decision whether to provide the information requested. If the personal information solicited is not to be incorporated into a system of records, the statement need not be given. The Privacy Act Statement shall be concise, current, and easily understood. It must include:

(i) The specific Federal statute or Executive Order that authorizes collection of the requested information.

(ii) The principal purpose or purposes for which the information is to be used.

(iii) The routine uses that will be made of the information.

(iv) Whether providing the information is voluntary or mandatory.

(v) The effects on the individual if he or she chooses not to provide the requested information.

(3) The Privacy Act Statement may appear as a public notice (sign or poster), conspicuously displayed in the area where the information is collected, such as at check-cashing facilities or identification photograph facilities. The individual normally is not required to sign the Privacy Act Statement. Provide the individual a written copy of the Privacy Act Statement upon request. This must be done regardless of the method chosen to furnish the initial advisement.

(4) Include in the Privacy Act Statement specifically whether furnishing the requested personal data is mandatory or voluntary. A requirement to furnish personal data is mandatory only when a Federal statute, Executive order, regulation, or other lawful order specifically imposes a duty on the individual to provide the information sought, and the individual is subject to a penalty if he or she fails to provide the requested information. If providing the information is only a condition of a prerequisite to granting a benefit or privilege and the individual has the option of requesting the benefit or privilege, providing the information is always voluntary. However, the loss or denial of the privilege, benefit, or entitlement sought may be listed as a consequence of not furnishing the requested information.

(5) It is unlawful for any Federal, state, or local government agency to deny an individual any right, benefit, or privilege provided by law because the individual refuses to provide his or her social security number (SSN). However, if a Federal statute requires that the SSN be furnished or if the SSN is required to verify the identity of the individual in a system of records that was established and in use before January 1, 1975, and the SSN was required as an identifier by a statute or regulation adopted before that date, this restriction does not apply.

(i) When an individual is requested to provide his or her SSN, he or she must be told:

(A) The uses that will be made of the SSN.

(B) The statute, regulation, or rule authorizing the solicitation of the SSN.

(C) Whether providing the SSN is voluntary or mandatory.

(ii) Include in any systems notice for any system of records that contains SSNs a statement indicating the authority for maintaining the SSN and the source of the SSNs in the system. If the SSN is obtained directly from the individual, indicate whether this is voluntary or mandatory.

(iii) Upon entrance into Military Service or civilian employment with DoD, individuals are asked to provide their SSNs. The SSN becomes the service or employment number for the individual and is used to establish personnel, financial, medical, and other official records. After an individual has provided his or her SSN for the purpose of establishing a record, a Privacy Act Statement is not required if the individual is only requested to furnish or verify the SSNs for identification purposes in connection with the normal use of his or her records. However, if the SSN is to be written down and retained for any purpose by the requesting official, the individual must be provided a Privacy Act Statement.

(6) DLAR 7760.1, Forms Management Program,2 provides guidance on administrative requirements for Privacy Act Statements used with DLA forms. Forms subject to the Privacy Act issued by other Federal agencies have a Privacy Act Statement attached or included. Always ensure that the statement prepared by the originating agency is adequate for the purpose for which the form will be used by the DoD activity. If the Privacy Act Statement provided is inadequate, the activity concerned will prepare a new statement or a supplement to the existing statement before using the form. Forms issued by agencies not subject to the Privacy Act (state, municipal, and other local agencies) do not contain Privacy Act Statements. Before using a form prepared by such agencies to collect personal data subject to this part, an appropriate Privacy Act Statement must be added.

2 Copies may be obtained, if needed, from the Defense Logistics Agency, ATTN: DLAXP, Cameron Station, Alexandria, VA 22304.

(i) Systems of records. (1) To be subject to this part, a "system of records" must consist of records retrieved by the name of an individual or some other personal identifier and be under the control of a DLA activity. Records in a group of records that may be retrieved by a name or personal identifier are not covered by this part. The records must be, in fact, retrieved by name or other personal identifier to become a system of records for the purpose of this part.

(2) Retain in a system of records only that personal information which is relevant and necessary to accomplish a purpose required by a Federal statute or an Executive Order. The existence of a statute or Executive order mandating that maintenance of a system of records does not abrogate the responsibility to ensure that the information in the system of records is relevant and necessary.

(3) Do not maintain any records describing how an individual exercises his or her rights guaranteed by the First Amendment of the U.S. Constitution unless expressly authorized by Federal statute or the individual. First Amendment rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition.

(4) Maintain all personal information used to make any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in making any such determination. Before disseminating any personal information from a system of records to any person outside DoD, other than a Federal agency, make reasonable efforts to ensure that the information to be disclosed is accurate, relevant, timely, and complete for the purpose it is being maintained.

(5) Establish appropriate administrative, technical and physical safeguards to ensure that the records in every system of records are protected from unauthorized alteration or disclosure and that their confidentiality is protected. Protect the records against reasonably anticipated threats or hazards. Tailor safeguards specifically to the vulnerabilities of the system and the type of records in the system, the sensitivity of the personal information stored, the storage medium used and, to a degree, the number of records maintained.

(i) Treat all unclassified records that contain personal information that normally would be withheld from the public as if they were designated "For Official Use Only" and safeguard them in accordance with the standards established by DLAR 5400.14 (32 CFR part 1285) even if they are not marked "For Official Use Only."

(ii) Special administrative, physical, and technical procedures are required to protect data that are stored or being processed temporarily in an automated data processing (ADP) system or in a word processing activity to protect it against threats unique to those environments (see DLAM 5200.1, ADP Security Manual,3 and appendix D of this part).

(6) Dispose of records containing personal data so as to prevent inadvertent compromise. Disposal methods such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction.

(i) The transfer of large quantities of records containing personal data (for example, computer cards and printouts) in bulk to a disposal activity, such as the Defense Property Disposal Office, is not a release of personal information under this part. The sheer volume of such transfers makes it difficult or impossible to identify readily specific individual records.

3 Copies may be obtained, if needed, from the Defense Logistics Agency, ATTN: DLAXP, Cameron Station, Alexandria, VA 22304.

(ii) When disposing of or destroying large quantities of records containing personal information, care must be exercised to ensure that the bulk of the records is maintained so as to prevent specific records from being readily identified. If bulk is maintained, no special procedures are required.

(7) When DLA contracts for the operation or maintenance of a system of records or a portion of a system of records by a contractor, the record system or the portion of the record system affected are considered to be maintained by DLA and are subject to this part. The activity concerned is responsible for applying the requirements of this part to the contractor. The contractor and its employees are to be considered employees of DLA for purposes of the sanction provisions of the Privacy Act during the performance of the contract. See the Federal Acquisition Regulation (FAR), section 24.000 (48 CFR chapter 1).

(j) System Notices. (1) A notice of the existence of each system of records must be published in the FEDERAL REGISTER. While system notices are not subject to formal rulemaking procedures, advance public notice must be given before an activity may begin to collect personal information or use a new system of records. The notice procedures require that:

(i) The system notice describes the contents of the record system and the routine uses for which the information in the system may be released.

(ii) The public be given 30 days to comment on any proposed routine uses before implementation.

(iii) The notice contains the date on which the system will become effective.

(2) Appendix A of this part discusses the specific elements required in a system notice. DLAH 5400.14 contains systems notices published by DLA.

(3) In addition to system notices, reports are required for new and altered systems of records. The criteria of these reports are outlined in appendixes B and C of this part. No report is required for amendments to existing systems which do not meet the criteria for altered record systems.

(4) System managers shall evaluate the information to be included in each new system before establishing the system and evaluate periodically the information contained in each existing system of records for relevancy and necessity. Such a review will also occur when a system notice amendment or alteration is prepared. Consider the following:

(i) The relationship of each item of information retained and collected to the purpose for which the system is maintained.

(ii) The specific impact on the purpose or mission of not collecting each category of information contained in the system.

(iii) The possibility of meeting the informational requirements through use of information not individually identifiable or through other techniques, such as sampling.

(iv) The length of time each item of personal information must be retained.

(v) The cost of maintaining the information.

(vi) The necessity and relevancy of the information to the purpose for which it was collected.

(5) Systems notices and reports of new and altered systems will be submitted to DLA-XA as required.

(k) Exemptions. The Director, DLA will designate the DLA records which are to be exempted from certain provisions of the Privacy Act. DLA-XA will publish in the FEDERAL REGISTER information specifying the name of each designated system, the specific provisions of the Privacy Act from which each system is to be exempted, the reasons for each exemption, and the reason for each exemption of the record system.

4 Copies may be obtained, if needed, from the Defense Logistics Agency, ATTN: DLAXP, Cameron Station, Alexandria, VA 22304.

(1) General Exemptions. To qualify for a general exemption, as defined in the Privacy Act, the system of records must be maintained by a system manager who performs as his/her principal function any activity pertaining to the enforcement of criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities. Such system of records must consist of:

(i) Information compiled for the purpose of identifying individual criminal offenders and alleged offenders and containing only identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole, and probation status.

(ii) Information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual.

(iii) Reports identifiable to an individual compiled at any stage of the process of enforcement of the criminal laws from arrest or indictment through release from supervision.

(2) Specific exemption. To qualify for a specific exemption, as defined by the Privacy Act, the systems of records must be:

(i) Specifically authorized under criteria established by an Executive Order to be kept classified in the interest of national defense or foreign policy and are in fact properly classified pursuant to such Executive Order.

(ii) Investigatory material compiled for law enforcement purposes other than material covered under a general exemption. However, an individual will not be denied access to information which has been used to deny him/her a right or privilege unless disclosure would reveal a source who furnished information to the Government under a promise that the identity of the source would be held in confidence. For investigations made after September 27, 1975, the identity of the source may be treated as confidential only if based on the expressed guarantee that the identity would not be revealed.

(iii) Maintained in connection with providing protective services to the President of the United States or other individuals protected pursuant to 18 U.S.C. 3056.

(iv) Used only to generate aggregate statistical data or for other similarly evaluative or analytic purposes, and which are not used to make decisions on the rights, benefits, or entitlements of individuals except for the disclosure of a census record permitted by 13 U.S.C. 8.

(v) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, Military Service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the source would be held in confidence, or prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence.

(vi) Testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal service, the disclosure of which would compromise the objectivity or fairness of the testing or elimination process.

(vii) Evaluation material used to determine potential for promotion in the Military Services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence or prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. System managers will specify those categories of individuals for whom pledges of confidentiality may be made when obtaining information on an individual's suitability for promotion.

(viii) Exemption rules for DLA systems of records are published in appendix H of this part.

(l) Matching Program Procedures. The OMB has issued special guidelines to be followed in programs that match the personal records in the computerized data bases of two or more Federal agencies by computer (see appendix E).
