review, make a reasonable effort to assure that such record is accurate, complete, timely, fair and relevant to the purpose for which they are maintained.

(e) The defense central index of investigations (DCII). It is the policy of DIS, as custodian, that each DOD component or element that has direct access to or contributes records to the DCII (DIS 5-02), is individually responsible for compliance with The Privacy Act of 1974 and DOD Directive 5400.11 with respect to requests for notification, requests for access by subject individuals, granting of such access, request for amendment and corrections by subjects, making amendments or corrections, other disclosures, accounting for disclosures and the exercise of exemptions, insofar as they pertain to any record placed in the DCII by that component or element. Any component or element of the DOD that makes a disclosure of any record whatsoever to an individual or agency outside the DOD, from the DCII, is individually responsible to maintain an accounting of that disclosure as prescribed by The Privacy Act of 1974 and DOD Directive 5400.11 and to notify the element placing the record in the DCII of the disclosure. Use of and compliance with the procedures of the DCII Disclosure Accounting System will meet these requirements. Any component or element of DOD with access to the DCII that, in response to a request concerning an individual, discovers a record pertaining to that individual placed in the DCII by another component or element, may refer the requester to the DOD component that placed the record into the DCII without making an accounting of such referral, although it involves the divulging of the existence of that record. Generally, consultation with, and referral to, the component or element placing a record in the DCII should be effected by any component receiving a request pertaining to that record to insure appropriate exercise of amendment or exemption procedures.

(f) Investigative operations. (1) DIS agents must be thoroughly familiar with and understand these rules and the authorities, purposes and routine uses of DIS investigative records, and be prepared to explain them and the effect of refusing information to all sources of investigative information, including subjects, during interview, in response to questions that go beyond the required printed and oral notices. Agents

shall be guided by reference (f) § 298a.2, in this respect.

(2) All sources may be advised that the subject of an investigative record may be given access to it, but that the identities of sources may be withheld under certain conditions. Such advisement will be made as prescribed in § 298a.2(f), and the interviewing agent may not urge a source to request a grant of confidentiality. Such pledges of confidence will be given sparingly and then only when required to obtain information relevant and necessary to the stated purpose of the investigative information being collected.

(3) Directors of DIS investigative control elements will maintain statistics on the relative number of times confidentiality is granted sources, and the general types of sources and cases in which this is done.

(g) Non-system information on individuals. The following information is not considered part of personal records systems reportable under the Privacy Act of 1974 and may be maintained by DIS members for ready identification, contact, and property control purposes only. If at any time the information described in this paragraph is to be used for other than these purposes, that information must become part of a reported, authorized record system. No other information concerning individuals except that described in the records systems notice and this paragraph may be maintained within DIS.

at

(1) Identification information doorways, building directories, desks, lockers, nametags, etc.

(2) Identification in telephone directories, locator cards and rosters.

(3) Geographical or agency contact cards.

(4) Property receipts and control logs for building passes, credentials, vehicles, weapons, etc.

(5) Temporary personal working notes kept solely by and at the initiative of individual members of DIS to facilitate their duties.

(h) Notification of prior recipients. Whenever a decision is made to amend a record, or a statement contesting a DIS decision not to amend a record is received from the subject individual, prior recipients of the record identified in disclosure accountings will be notified to the extent possible. In some cases, prior recipients cannot be located due to reorganization or deactivations (e.g.,

US Military Assistance Command, Vietnam). In these cases, the personnel security element of the receiving Defense Component will be sent the notification or statement for appropriate action.

(i) Ownership of DIS investigative records. Investigative records created or compiled by DIS remain DIS records when provided to other agencies, components or elements for adjudication or other personnel actions. Such provision is temporary and DIS investigative documents should not permanently become part of the records of another system of records except by an official action such as a trial or board authorized by statute.

(j) Consultation and referral. DIS system of records may contain records originated by other components or agencies which may have claimed exemptions for them under the Privacy Act of 1974. When any action that may be exempted is initiated concerning such a record, consultation with the originating agency or component will be effected. Where appropriate such records will be referred to the originating component or agency for approval or disapproval of the action.

decisions and other submittals may be addressed to the Information Officer, National Security Agency/Central Security Service, Fort George G. Meade, Maryland 20755.

§ 299.3 Indexes.

The NSA/CSS does not originate final orders, opinions, statements of policy, interpretations, staff manuals or instructions that affect a member of the public of the type covered by the indexing requirement of 5 U.S.C. 552(a)(2) or required to be published for the guidance of the public under 5 U.S.C. 552(a)(1). The Director, NSA/Chief, CSS, has therefore determined, pursuant to pertinent statutory and Executive Order requirements, that it is unnecessary and impracticable to publish an index of the type required by 5 U.S.C. 552 as amended by Public Law 93-502.

§ 299.4 Procedures for request of records.

(a) Requests. Requests for access to records of the National Security Agency/Central Security Service may be filed by mail addressed to the Information Officer, National Security Agency/Central Security Service, Fort George G. Meade, Maryland 20755. Requests need not be made on any special form but may be by letter or other written statement identifying the request as a Freedom of Information Act request and setting forth sufficient information reasonably describing the requested record.

(b) Determination and notification. When the requested record has been located and identified, the Information Officer shall determine whether the record is one which, consistent with statutory requirements, Executive Orders and appropriate directives, may be released or should be exempted under the provisions of 5 U.S.C. 552. The Information Officer shall notify the requester of his determination within ten working days of his receipt of the request.

(c) Extension of response time. Where the requested record cannot be located within the initial response period of ten days because of unusual circumstances, the Information Officer shall notify the requester in writing within the initial response period of the delay, the reasons therefore, and a date, not to exceed ten working days, on which a determination is expected to be dispatched.

(d) Fees. If the Agency determines that the requested record can be released,

the Information Officer will inform the requester as to the appropriate search and duplication fee, if any, and, upon receipt of this fee, will have the record duplicated and sent to the requester. Fees will be computed in accordance with the uniform Schedule of Fees promulgated by the Department of Defense. Fees paid in accordance with this paragraph will be paid by check or postal money order forwarded to the Information Officer and made payable to the Treasurer of the United States.

§ 299.5 Appeals.

Any person denied access to records may, within 30 days after notification of such denial, file an appeal to the Executive for Staff Services, National Security Agency/Central Security Service. Such an appeal shall be in writing addressed to the Executive for Staff Services, National Security Agency/Central Security Service, Fort George G. Meade, Maryland 20755, shall reference the initial denial of access issued by the Agency to the requester and shall contain in sufficient detail and particularity the grounds upon which the requester believes release of the information is required. The Executive for Staff Services shall respond to the appeal within 20 working days after receipt of the appeal. § 299.6 Effective date.

This notice shall become effective upon February 19, 1975.

Pub. L. 86-36, Pub. L. 88-290 and 18 U.S.C. 798.

SOURCE: 40 FR 44294, Sept. 25, 1975, unless otherwise noted.

§ 299a.1 Purpose and scope.

(a) The purpose of this rule is to comply with and implement title 5 U.S.C. 552a, sections (f) and (k), hereinafter identified as the Privacy Act. It establishes the procedures by which an individual may be notified whether a system of records contains information pertaining to the individual; defines times, places and requirements for identification of the individual requesting records, for disclosure of requested records where appropriate; special handling for medical and psychological records; for amendment of records; appeal of denials of requests for amendment; and provides a schedule of fees to be charged for making copies of requested records. In addition, this rule contains the exemptions promulgated by the Director, NSA, pursuant to 5 U.S.C. 552a(k), to exempt Agency systems of records from subsections (c) (3); (d); (e) (1); (e) (4) (G) (H), (I); and (f) of section 552a.

(b) The procedures established and exemptions claimed apply to systems of records for which notice has been published in the FEDERAL REGISTER pursuant to the Privacy Act. Requests from individuals for records pertaining to themselves will be processed in accordance with these procedures and consistent with the exemptions claimed. Requests for records which do not specify the statute pursuant to which they are made but which may be reasonably construed to be requests by an individual for records pertaining to that individual will also be processed in accordance with these procedures and consistent with exemptions claimed. To the extent appropriate, these procedures apply to records maintained by this Agency pursuant to system of records notices published by the Civil Service Commission. The primary category of records affected by a Commission notice is that maintained in conjunction with the CSC system identified as "CSC-Retirement Life Insurance and Health Benefits Records System." Authority pursuant to 44 U.S.C. 3101 to maintain each system of records for which notice has been published is implied in each "authority for maintenance of a system" of each systems notice.

(a) Access to the NSA headquarters: means current and continuing daily access to those facilities making up the NSA headquarters.

(b) Individual: means a natural person who is a citizen of the United States or an alien lawfully admitted for permanent residence.

(c) Request: means a request in writing for records pertaining to the requester contained in a system of records and made pursuant to the Privacy Act or if no statute is identified considered by the Agency to be made pursuant to that Act.

a

(d) System of Records: means grouping of records maintained by the Agency for which notice has been published in the FEDERAL REGISTER pursuant to section 552a(e) (4) of title 5 U.S.C. § 299a.3 Procedures for requests concerning individual records in a system of records.

(a) (1) Notification: Any individual may be notified in response to a request if any system of records contains a record pertaining to the requester by sending a request addressed to: Information Officer, National Security Agency, Fort George G. Meade, Maryland 20755. Such request shall be in writing, shall be identified on the envelope and the request as a "Privacy Act Request," shall designate the system or systems of records using the names of the systems as published in the system notices, shall contain the full name, present address, date of birth, social security number and dates of affiliation or contact with NSA/CSS of the requester and shall be signed in full by the requester.

(2) A request pertaining to records concerning the requester which does not specify the Act pursuant to which the request is made shall be processed as a Privacy Act request. A request which does not designate the system or systems of records to be searched shall be processed by checking the following systems of records: Applicants; Personnel; Health, Medical and Safety.

(b) (1) Identification: Any individual currently not authorized access to the National Security Agency headquarters who requests disclosure of records shall provide the following information with the written request for disclosure: full name, present address, date of birth, social security number, and date of first

affiliation or contact with NSA/CSS and date of last affiliation or contact with NSA/CSS.

(2) Any individual currently authorized access to the National Security Agency headquarters shall provide the following information with the request for notification: full name, present organizational assignment, date of birth, social security number.

(3) Such request shall be treated as a certification of the requester that the requester is the individual named. Individuals should be aware that the Privacy Act provides criminal penalties for any person who knowingly and willfully requests or obtains any records concerning an individual under false pretenses. § 299a.4 Times, places and procedures for disclosures.

(a) Individual not currently affiliated with NSA:

(1) Request procedure. Any individual currently not authorized access to the National Security Agency headquarters shall make the request for notification in writing and shall include the required identifying data. Upon verification of the existence in systems of records of records pertaining to the requester, a copy of the records located shall be mailed to the requester subject to appropriate specific exemptions, applicable Public Laws, special procedures pertaining to medical records, including psychological records, and the exclusion for information compiled in reasonable anticipation of a civil action or proceeding. If the request cannot be processed within ten working days from the time of receipt of the request, an acknowledgement of receipt of the request will be sent to the requester.

(2) Appointment of other individual. If a requester wishes another individual to obtain the requested records on his behalf, the requester shall provide a written, signed, notarized statement appointing that individual as his representative, certifying that the individual appointed may have access to the records of the requester and that such access shall not constitute an invasion of the privacy of the requester nor a violation of his rights under the Privacy Act of 1974.

(b) Individual currently affiliated with NSA-(1) Request procedure. Any individual currently authorized access to the National Security Agency headquar

ters may make the request for notification to the appropriate official delegated responsibility for a system of records pursuant to internal agency regulations pertaining to the Privacy Act of 1974. In the alternative, such individual may direct the request to the NSA Information Officer in writing in the same form and including the data required in § 299a.4(a) (1 above. In the case of any denial of notification by officials delegated responsibility for a system the request shall be referred to the NSA Information Officer for review.

(2) Appointment of other individual. If the requester makes a request pursuant to this paragraph and wishes to designate another individual to accompany him, the same procedures as provided in paragraph (a) (2) of this section apply. If the individual appointed is currently authorized access to the National Security Agency headquarters, he may accompany the requester. If the individual appointed is not currently authorized access, a copy of the records located may be mailed to the appointed individual subject to appropriate specific exemptions, applicable Public Laws, special procedures pertaining to medical records including psychological records, and the exclusion for information compiled in reasonable anticipation of a civil action or proceeding.

§ 299a.5 Medical or psychological records.

If the request includes records of a medical or psychological nature, and if an Agency doctor makes the determination that the records requested contain information which would have an adverse effect upon the requester, the requester will be advised to appoint a medical doctor in the appropriate discipline to receive the information. The appointment of the doctor shall be in the same form as that indicated in § 299a.4(a) (2) and shall include a certification that the doctor appointed is authorized to practice the appropriate specialty by virtue of a license to practice same in the state which granted the license.

same requirements contained in § 299a.4 (a) (1) Appointment of Other Individuals, including the requirement for written authorization. Requests by parents or legal guardians acting on behalf of minors will be processed in the same manner and in accordance with the procedures established herein for individuals not currently authorized access to the NSA headquarters.

§ 299a.7 Procedures for amendment.

(a) Request procedure. Any request for amendment of a record or records contained in a system of records shall be in writing addressed to the Information Officer, National Security Agency, Fort George G. Meade, Md. 20755, Attention: Privacy Act Amendment, and shall contain sufficient details concerning the requested amendment, justification for the amendment, and a copy of the record (s) to be amended or sufficient identifying data concerning the affected record(s) to permit its timely retrieval. Such requests may not be used to accomplish actions for which other procedures have been established such as grievances, performance appraisal protests, etc. In such cases the requester will be advised of the appropriate procedures for such actions.

(b) Initial determination: The NSA Information Officer may make an initial determination concerning the requested amendment within ten working days or shall acknowledge receipt of the amendment request within that period if a determination cannot be completed. The determination shall advise the requester of action taken to make the requested amendment or inform the requester of the rejection of the request, the reason(s) for the rejection and the procedures established by the Agency for review of rejected amendment requests.

(c) Request on appeal: A requester may appeal the rejection by the NSA Information Officer of a request for amendment to the Executive for Staff Services. Such appeal shall be in writing, addressed to the Executive for Staff Services, National Security Agency, Fort George G. Meade, MD 20755, Attention: Privacy Act Amendment Appeal.

§ 299a.8 Appeal determination.

The Executive for Staff Services shall acknowledge receipt of the appeal within ten working days. A determination concerning the appeal shall be provided to the requester within 30 working days, unless the Director, National Security