
specific exemptions of 5 U.S.C. 552a and one or more of the nine exemptions under DeCA Directive 30-12,3 Freedom of Information Act (FOIA) Program.

(iv) Ensure all requests are coordinated through the General Counsel.

(v) Ensure all requests are denied by the DeCA IDA.

(vi) Ensure all appeals are forwarded to the Director DeCA or his designee.

(4) Test Questions:

(i) Are PA requests logged into a formal control system? (DeCA HQ/SA, Region IM). Response: Yes/No / NA. Remarks:

(ii) Are individual requests for access acknowledged within 10 working days after receipt? (DeCA HQ/SA, Region IM). Response: Yes/No / NA. Remarks:

(iii) When more than 10 working days are required to respond to a PA request, is the requester informed, explaining the circumstances for the delay and provided an approximate date for completion? (DeCA HQ/SA, Region IM). Response: Yes/No / NA. Remarks:

(iv) Are DeCA records withheld only when they fall under one or more of the general or specific exemptions of the PA or one or more of the nine exemptions of the FOIA? (DeCA HQ/SA, Region IM). Response: Yes/No / NA. Remarks:

(v) Do denial letters contain the name and title or position of the official who made the determination, cite the exemption(s) on which the denial is based and advise the PA requester of their right to appeal the denial to the Director DeCA or designee? (DeCA HQ/ SA). Response: Yes/No / NA. Remarks:

(vi) Are PA requests denied only by the HQ DECA IDA? (All). Response: Yes/No/NA. Remarks:

(vii) Is coordination met with the General Counsel prior to forwarding a PA request to the IDA? (DeCA HQ/SA). Response: Yes/No/ NA. Remarks:

(j) Event cycle 3: Requesting PA Information.

(1) Risk: Obtaining personal information resulting in a violation of the PA.

(2) Control Objective: Establish a system before data collection and storage to ensure no violation of the privacy of individuals.

(3) Control Technique: Ensure Privacy Act Statement to obtain personal information is furnished to individuals before data collection.

(4) Test Questions:

(i) Are all forms used to collect information about individuals which will be part of a system of records staffed with the PA Officer for correctness of the Privacy Act Statement? (DeCA HQ/SA, Region). Response: Yes/ No/NA. Remarks:

(ii) Are Privacy Statements prepared and issued for all forms, formats and questionnaires that are subject to the PA, coordinated with the DeCA forms manager? (DeCA HQ/SA, Region). Response: Yes/No/NA. Remarks:

3 See footnote 1 to this Appendix B.

(iii) Do Privacy Act Statements furnished to individuals provide the following:

(A) The authority for the request.

(B) The principal purpose for which the information will be used.

(C) Any routine uses.

(D) The consequences of failing to provide the requested information. Yes/No/NA. Remarks:

(k) Event cycle 4: Records Maintenance.

(1) Risk: Unprotected records allowing individuals without a need to know access to privacy information.

(2) Control Objective: PA records are properly maintained throughout their life cycle.

(3) Control Technique: Ensure the prescribed policies and procedures are followed during the life cycle of information.

(4) Test Questions:

(i) Are file cabinets/containers that house PA records locked at all times to prevent unauthorized access? (All). Response: Yes/No/ NA. Remarks:

(ii) Are personnel with job requirement (need to know) only allowed access to PA information? (All). Response: Yes/No/NA. Remarks:

(iii) Are privacy act records treated as unclassified records and designated 'For Official Use Only'? (All). Response: Yes/No/NA. Remarks:

(iv) Are computer printouts that contain privacy act information as well as disks, tapes and other media marked 'For Official Use Only'? (All). Response: Yes/No/NA. Remarks:

(v) Is a Systems Manager appointed for each automated/manual PA systems of records? (DeCA HQ/SA, Region). Response: Yes/No/NA. Remarks:

(vi) Are PA records maintained and disposed of in accordance with DeCA Directive 30-2,4 The Defense Commissary Agency Filing System? (All). Response: Yes/No/NA. Remarks:

(l) I attest that the above listed internal controls provide reasonable assurance that DeCA resources are adequately safeguarded. I am satisfied that if the above controls are fully operational, the internal controls for this sub-task throughout DeCA are adequate. Safety, Security and Administration. FUNCTIONAL PROPONENT.

I have reviewed this sub-task within my organization and have supplemented the prescribed internal control review checklist when warranted by unique environmental circumstances. The controls prescribed in this checklist, as amended, are in place and operational for my organization (except for the weaknesses described in the attached plan, which includes schedules for correcting the weaknesses).

4 See footnote 2 to this Appendix B.

ASSESSABLE UNIT MANAGER (Signature).

APPENDIX C TO PART 327-DECA BLANKET ROUTINE USES

(a) Routine Use-Law Enforcement. If a system of records maintained by a DoD Component, to carry out its functions, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the agency concerned, whether Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto.

(b) Routine Use-Disclosure when Requesting Information. A record from a system of records maintained by a Component may be disclosed as a routine use to a Federal, State, or local agency maintaining civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary to obtain information relevant to a Component decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit.

(c) Routine Use-Disclosure of Requested Information. A record from a system of records maintained by a Component may be disclosed to a Federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter.

(d) Routine Use-Congressional Inquiries. Disclosure from a system of records maintained by a Component may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

(e) Routine Use-Private Relief Legislation. Relevant information contained in all systems of records of the Department of Defense published on or before August 22, 1975, will be disclosed to the OMB in connection with the review of private relief legislation as set forth in OMB Circular A-19 at any stage of the legislative coordination and clearance process as set forth in that Circular.

(f) Routine Use-Disclosures Required by International Agreements. A record from a system of records maintained by a Component may be disclosed to foreign law enforcement, security, investigatory, or administrative authorities to comply with requirements imposed by, or to claim rights conferred in, international agreements and arrangements including those regulating the stationing and status in foreign countries of DoD military and civilian personnel.

(g) Routine Use-Disclosure to State and Local Taxing Authorities. Any information normally contained in Internal Revenue Service (IRS) Form W-2 which is maintained in a record from a system of records maintained by a Component may be disclosed to State and local taxing authorities with which the Secretary of the Treasury has entered into agreements under 5 U.S.C., 5516, 5517, and 5520 and only to those State and local taxing authorities for which an employee or military member is or was subject to tax regardless of whether tax is or was withheld. This routine use is in accordance with Treasury Fiscal Requirements Manual Bulletin No. 76–07.

(h) Routine Use-Disclosure to the Office of Personnel Management. A record from a system of records subject to the Privacy Act and maintained by a Component may be disclosed to the Office of Personnel Management (OPM) concerning information on pay and leave, benefits, retirement deduction, and any other information necessary for the OPM to carry out its legally authorized government-wide personnel management functions and studies.

(i) Routine Use-Disclosure to the Department of Justice for Litigation. A record from a system of records maintained by this component may be disclosed as a routine use to any component of the Department of Justice for the purpose of representing the Department of Defense, or any officer, employee or member of the Department in pending or potential litigation to which the record is pertinent.

(j) Routine Use-Disclosure to Military Banking Facilities Overseas. Information as to current military addresses and assignments may be provided to military banking facilities who provide banking services overseas and who are reimbursed by the Government for certain checking and loan losses. For personnel separated, discharged, or retired from the Armed Forces, information as to last known residential or home of record address may be provided to the military banking facility upon certification by a banking facility officer that the facility has a returned or dishonored check negotiated by the individual or the individual has defaulted on a loan and that if restitution is not made by the individual, the U.S. Government will be liable for the losses the facility may incur.

(k) Routine Use-Disclosure of Information to the General Services Administration (GSA). A record from a system of records maintained by this component may be disclosed as a routine use to the General Services Administration (GSA) for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.

(l) Routine Use-Disclosure of Information to the National Archives and Records Administration (NARA). A record from a system of records maintained by this component may be disclosed as a routine use to the National Archives and Records Administration (NARA) for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.

(m) Routine Use-Disclosure to the Merit Systems Protection Board. A record from a system of records maintained by this component may be disclosed as a routine use to the Merit Systems Protection Board, including the Office of the Special Counsel for the purpose of litigation, including administrative proceedings, appeals, special studies of the civil service and other merit systems, review of OPM or component rules and regulations, investigation of alleged or possible prohibited personnel practices; including administrative proceedings involving any individual subject of a DoD investigation, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as may be authorized by law.

(n) Routine Use-Counterintelligence Purpose. A record from a system of records maintained by this component may be disclosed as a routine use outside the DoD or the U.S. Government for the purpose of counterintelligence activities authorized by U.S. Law or Executive Order or for the purpose of enforcing laws which protect the national security of the United States.


public on those of its proposed regulations and other types of rulemaking as described hereafter which originate within the Department of Defense as a requirement of general applicability and future effect designed to implement, interpret, or prescribe law or policy, or practice or procedure requirements of a component. This requirement applies to those regulations which constitute the authority for actions having a substantial and direct impact on the public when consistent with other responsibilities of the Department for the efficient and responsible conduct of public business.

(b) Implements the provisions of 5 U.S.C. 552 relating to the kinds of regulations that must be published in the FEDERAL REGISTER after they are adopted.

[40 FR 4911, Feb. 3, 1975. Redesignated at 56 FR 64482, Dec. 10, 1991]

§336.2 Applicability and scope.

(a) The provisions of this part apply to the Office of the Secretary of Defense, the Military Departments, the Organization of the Joint Chiefs of Staff, and the Defense Agencies (hereinafter referred to singularly as a "DoD component" or collectively as "DoD components").

(b) These provisions are applicable to those directives, instructions, regulations, policy memoranda, manuals, and other forms of rulemaking (hereinafter referred to as "regulations") that have a substantial and direct impact on the public. Only a regulation which must be published in the FEDERAL REGISTER after its adoption in accordance with 5 U.S.C. 552 (as implemented in §336.5) comes within the requirement that it be evaluated to determine whether it will have the substantial and direct impact on the public that warrants an invitation for public comment prior to its adoption. An implementation by a subordinate component of a regulation adopted by a component at a higher level within the Department of Defense is not deemed to “originate” a requirement of general applicability and future effect, and therefore, does not fall within the scope of the obligation to invite public comment on its provisions.

(c) The determination by the component originating a regulation shall be final and conclusive in determining whether a regulation or a proposed regulation comes within the purview of this part. Consideration shall be given, however, to the definition of "rulemaking" found in 5 U.S.C. 551 as it relates to the requirements of 5 U.S.C. 553 in making this determination.

(d) The requirement for inviting public comment on a proposed regulation shall not be deemed applicable to any proposed regulation coming within one or more of the following exemptions or exceptions to the rulemaking procedures set forth in 5 U.S.C. 553.

(1) Any matter pertaining to a military or foreign affairs function of the United States which has been determined under the criteria of an Executive Order or statute to require a security classification in the interests of national defense or foreign policy.

(2) Any matter relating to (i) agency management, (ii) agency personnel, or (iii) public contracts (e.g., the Armed Services Procurement Regulation), including nonappropriated fund contracts.

(3) Any matter involving (i) interpretative rules, (ii) general statements of policy, or (iii) rules of agency organization, procedure, or practice.

(4) Any situation in which the DoD Component for good cause finds that inviting public comment on a proposed regulation is (i) impracticable, (ii) unnecessary, or (iii) contrary to the public interest, and incorporates in the adopted regulation that determination and its basis.

(e) Exceptions to the requirement in 5 U.S.C. 552 for publication in the FEDERAL REGISTER of adopted regulations for the guidance of the public shall be made in accordance with guidance provided in 32 CFR 286.8.

[40 FR 4911, Feb. 3, 1975. Redesignated at 41 FR 27074, July 1, 1976, and further redesignated and amended at 56 FR 64482, Dec. 10, 1991]

§336.3 Policy.

(a) It is the policy of the Department of Defense to encourage the maximum practicable participation of the public in the formulation of regulations having a substantial and direct impact on the public, and to inform the public fully through publication in the FEDERAL REGISTER of all adopted regulations intended for public guidance.

(b) A proposed regulation which would originate a Department of Defense policy having a substantial and direct impact on the public should be published, along with a notice of purpose and authority, in the FEDERAL REGISTER in order to invite public comment within a designated time at least 30 days prior to its intended adoption. This policy should be followed even though the proposed regulation may come within one or more of the exceptions or exemptions to the requirement for prepublication of proposed rules described in §336.2(d) (2) (i) and (ii), (3) and (4), unless it is determined by the DoD Component as a matter within its sole and exclusive prerogative that the employment of the exception or exemption is appropriate to satisfy a significant and legitimate interest of the DoD Component or the public.

(c) After their adoption, all regulations for the guidance of the public shall be published in the FEDERAL REGISTER in accordance with 5 U.S.C. 552, even though they may come within one or more of the exemptions described in 32 CFR 286.6, if no significant and legitimate interest of the DoD Component or public precludes such publication. This policy extends to some adopted regulations for the guidance of the public which were not the subject of notice and public comment.

[40 FR 4911, Feb. 3, 1975. Redesignated at 41 FR 27074, July 1, 1976, and further redesignated and amended at 56 FR 64482, Dec. 10, 1991]

§336.4 Proposed regulations.

(a) The general notice of a proposed regulation shall be published in the FEDERAL REGISTER in accordance with the guidance contained in the "Federal Register Handbook on Document Drafting" (GSA), whenever that regulation would have a substantial and direct impact on the public or any significant portion of the public, unless it comes within one or more of the exceptions or exemptions previously set forth in § 336.2(d).

(b) The notice shall include:

(1) A statement of the purpose and objective of the proposed regulation;

(2) Reference to the legal authority under which the regulation is proposed; and

(3) The terms or substance of the proposed regulation.

(c) Whenever the originating DoD Component finds that notice and prepublication of a proposed regulation for public comment are impracticable, unnecessary, or contrary to the public interest, it shall incorporate that finding and a brief statement of its reasons in the adopted regulation, or it may adopt and publish in the FEDERAL REGISTER a separate regulation excepting or exempting categories of regulations for any of these reasons, with an explanation of the basis for excepting or exempting each particular category. Separate regulations for this purpose shall be promulgated by the procedures for proposed rules whenever this falls within the requirements of paragraph (a) of this section.

(d) Following the publication of notice and the proposed regulation in the FEDERAL REGISTER, the DoD Component shall give all interested persons an opportunity to participate in the rulemaking through the submission of written data, views, or arguments. An opportunity for oral presentation will normally not be provided, but may as a matter within the sole and exclusive prerogative of the component be extended where it is found to be in the interest of the DoD Component or the public. After careful consideration of all relevant matter presented, the component shall incorporate in the adopted regulation a concise general statement of its basis and purpose. A preamble to the adopted regulation may be published in the FEDERAL REGISTER to explain the relationship of the adopted rule to the proposed rule, including the nature and effect of public comments.

[40 FR 4911, Feb. 3, 1975. Redesignated at 41 FR 27074, July 1, 1976, and further redesignated and amended at 56 FR 64482, Dec. 10, 1991]

§336.5 Publication in the Federal Register of adopted regulations and other matters.

Subject to the exemptions set forth in 32 CFR 286.6:

(a) Each DoD Component shall publish in the FEDERAL REGISTER an informative, current description for the guidance of the public, of where, how, and by what authority it performs any of its functions. In deciding which information to publish in the FEDERAL REGISTER a DoD Component shall consider the fundamental objective of informing all interested persons of how to deal effectively with the component.

(b) Information to be published in the FEDERAL REGISTER shall include:

(1) Descriptions of the central and field organization of the component concerned, and the established places at which, the employees or members of the armed forces from whom, and the methods whereby the public may secure information, make submittals or requests, or obtain decisions.

(2) The procedures by which a DoD Component conducts its business with the public, both formally and informally.

(3) The rules of procedure which must be followed, the description of forms which must be completed, or the source from which forms may be obtained, and instructions on the scope and content of papers, reports, examinations required to be submitted pursuant to such rules of procedures, as adopted by the component.

(4) Directives, instructions, regulations, manuals, policy memorandums, statements of general policy, or interpretation of general applicability adopted by the agency, and other substantive rules of general applicability affecting the public.

(c) With the approval of the Director of the FEDERAL REGISTER, the requirement for publication in the FEDERAL REGISTER (1 CFR part 51, 37 FR 23614, Nov. 4, 1972) may be satisfied by reference in the FEDERAL REGISTER to other publications reasonably available to the class of persons affected and containing the information which must
