
Record source categories: Add at end, "peers, character references, and the individual member."

[51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, and amended at 56 FR 57801, Nov. 14, 1991]

APPENDIX H TO PART 310-LITIGATION STATUS SHEET

(See §310.104, subpart K)

1. Case Number.1

2. Requester.

3. Document Title or Description. 2

4. Litigation:

a. Date Complaint Filed.

b. Court.

c. Case File Number1

5. Defendants (DoD Component and individual).

6. Remarks (brief explanation of what the case is about).

7. Court Action:

a. Court's Finding.

b. Disciplinary Action (as appropriate).

8. Appeal (as appropriate):

a. Date Complaint Filed.

b. Court.

c. Case File Number. 5

d. Court's Finding.

e. Disciplinary Action (as appropriate).

1 Number used by the Component for reference purposes.

2 Indicate the nature of the case, such as, "Denial of access," "Refusal to amend," "Incorrect records," or other violations of the Act (specify).

[51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, and amended at 56 FR 57801, Nov. 14, 1991]

APPENDIX I TO PART 310-OFFICE OF MANAGEMENT AND BUDGET (OMB) MATCHING GUIDELINES

(See §310.110, subpart L)

A. Purpose. These guidelines supplement and shall be used in conjunction with OMB Guidelines on the Administration of the Privacy Act of 1974, issued on July 1, 1975, and supplemented on November 21, 1975. They replace earlier guidance on conducting computerized matching programs issued on March 30, 1979. They are intended to help agencies relate the procedural requirements of the Privacy Act to the operational requirements of computerized matching. They are designed to address the concerns expressed by the Congress in the Privacy Act of 1974 that "the increasing use of computers and sophisticated information technology, while essential to the efficient operation of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information." These guidelines do not authorize activities that are not permitted by law, nor do they prohibit activities expressly required to be performed by law. Complying with these guidelines, however, does not relieve a federal agency of the obligation to comply with the provisions of the Privacy Act, including any provisions not cited in these guidelines.

B. Scope. These guidelines apply to all agencies subject to the Privacy Act of 1974 (5 U.S.C. 552a) and to all matching programs:

1. Performed by a federal agency, whether the personal records used in the match are federal or nonfederal.

2. For which a federal agency discloses any personal records for use in a matching program performed by any other federal agency or any nonfederal organization.

C. Effective Date. These guidelines are effective on May 11, 1982.

D. Definitions. For the purposes of the Guidelines, all the terms defined in the Privacy Act of 1974 apply.

1. Personal Record. Any information pertaining to an individual that is stored in an automated system of records; for example, a data base which contains information about individuals that is retrieved by name or some other personal identifier.

2. Matching Program. A procedure in which a computer is used to compare two or more automated systems of records or a system of records with a set of nonfederal records to find individuals who are common to more than one system or set. The procedure includes all of the steps associated with the match, including obtaining the records to be matched, actual use of the computer, administrative and investigative action on the hits, and disposition of the personal records maintained in connection with the match. It should be noted that a single matching program may involve several matches among a number of participants. Matching programs do not include the following:

a. Matches that do not compare a substantial number of records, such as, comparison of the Department of Education's defaulted student loan data base with the Office of Personnel Management's federal employee data base would be covered; comparison of six individual student loan defaultees with the OPM file would not be covered.

b. Checks on specific individuals to verify data in an application for benefits done reasonably soon after the application is received.

c. Checks on specific individuals based on information which raises questions about an individual's eligibility for benefits or payments done reasonably soon after the information is received.

d. Matches done to produce aggregate statistical data without any personal identifiers.

e. Matches done to support any research or statistical project when the specific data are not to be used to make decisions about the rights, benefits, or privileges of specific individuals.

f. Matches done by an agency using its own records.

3. Matching Agency. The federal agency which actually performs the match.

4. Source Agency. The federal agency which discloses records from a system of records to be used in the match. Note that in some circumstances a source agency may be the instigator and ultimate beneficiary of the matching program, as when an agency lacking computer resources uses another agency to perform the match. The disclosure of records to the matching agency and any later disclosure of "hits" (by either the matching or the source agencies) must be done in accordance with the provisions of paragraph (b) of the Privacy Act.

5. Hit. The identification, through a matching program, of a specific individual.

E. Guidelines for Agencies Participating in Matching Programs. Agencies should acquire and disclose matching records and conduct matching programs in accordance with the provisions of this section and the Privacy Act.

1. Disclosing Personal Records for Matching Programs.

a. To another federal agency. Source agencies are responsible for determining whether or not to disclose personal records from their systems and for making sure they meet the necessary Privacy Act disclosure provisions when they do. Among the factors source agencies should consider are:

(1) Legal authority for the match;

(2) Purpose and description of the match;

(3) Description of the records to be matched;

(4) Whether the record subjects have consented to the match; or whether disclosure of records for the match would be compatible with the purpose for which the records were originally collected; that is, whether disclosure under a "routine use" would be appropriate; whether the soliciting agency is seeking the records for a legitimate law enforcement activity-whichever is appropriate; or any other provision of the Privacy Act under which disclosure may be made;

(5) Description of additional information which may be subsequently disclosed in relation to "hits";

(6) Subsequent actions expected of the source (for example, verification of the identity of the "hits" or follow-up with individuals who are "hits");

(7) Safeguards to be afforded the records involved, including disposition.

b. If the agency is satisfied that disclosure of the records would not violate its responsibilities under the Privacy Act, it may proceed to make the disclosure to the matching agency. It should ensure that only the minimum information necessary to conduct the match is provided. If disclosure is to be made pursuant to a "routine use" (Section (b)(3) of the Privacy Act), it should ensure that the system of records contains such a use, or it should publish a routine use notice in the FEDERAL REGISTER. The agency should also be sure to maintain an accounting of the disclosures pursuant to Section (c) of the Privacy Act.

c. To a nonfederal entity. Before disclosing records to a nonfederal entity for a matching program to be carried out by that entity, a source agency should, in addition to all of the consideration in paragraph E.1.a., above, also make reasonable efforts, pursuant to Section (e)(6) of the Privacy Act, to "assure that such records are accurate, complete, timely, and relevant for agency purposes."

2. Written Agreements. Before disclosing to either a federal or nonfederal entity, the source agency should require the matching entity to agree in writing to certain conditions governing the use of the matching file; for example, that the matching file will remain the property of the source agency and be returned at the end of the matching program (or destroyed as appropriate); that the file will be used and accessed only to match the file or files previously agreed to; that it will not be used to extract information concerning "non-hit" individuals for any purpose, and that it will not be duplicated or disseminated within or outside the matching agency unless authorized in writing by the source agency.

3. Performing Matching Programs. (a) Matching agencies should maintain reasonable administrative, technical, and physical security safeguards on all files involved in the matching program.

(b) Matching agencies should insure that they have appropriate systems of records including those containing "hits," and that such systems and any routine uses have been appropriately noticed in the FEDERAL REGISTER and reported to OMB and the Congress, as appropriate.

4. Disposition of Records. a. Matching agencies will return or destroy source matching files (by mutual agreement) immediately after the match.

b. Records relating to hits will be kept only so long as an investigation, either criminal or administrative, is active, and will be disposed of in accordance with the requirements of the Privacy Act and the Federal Records Schedule.

5. Publication Requirements. a. Agencies, before disclosing records outside the agency, will publish appropriate "routine use" notices in the FEDERAL REGISTER, if necessary.

b. If the matching program will result in the creation of a new or the substantial alteration of an existing system of records, the agency involved should publish the appropriate FEDERAL REGISTER notice and submit the requisite report to OMB and the Congress pursuant to OMB Circular No. A-108.

6. Reporting Requirements. a. As close to the initiation of the matching program as possible, matching agencies shall publish in the FEDERAL REGISTER a brief public notice describing the matching program. The notice should include:

(1) The legal authority under which the match is being conducted;

(2) A description of the matching program including whether the program is one time or continuing, the organizations involved, the purpose or purposes for which the program is being conducted, and the procedures to be used in matching and following up on the "hits";

(3) A complete description of the personal records to be matched, including the source or sources, system of records identifying data, date or dates and page number of the most recent FEDERAL REGISTER full text publication when appropriate;

(4) The projected start and ending dates of the program;

(5) The security safeguards to be used to protect against unauthorized access or disclosure of the personal records; and

(6) Plans for disposition of the source records and "hits."

7. Agencies should send a copy of this notice to the Congress and to OMB at the same time it is sent to the FEDERAL REGISTER.

a. Agencies should report new or altered systems of records as described in paragraph E.5.b., above, as necessary.

b. Agencies should also be prepared to report on matching programs pursuant to the reporting requirements of either the Privacy Act or the Paperwork Reduction Act. Reports will be solicited by the Office of Information and Regulatory Affairs and will focus on both the protection of individual privacy and the government's effective use of information technology. Reporting instructions will be disseminated to the agencies as part of either the reports required by paragraph (p) of the Privacy Act, or Section 3514 of Pub. L. 96-511.

8. Use of Contractors. Matching programs should, as far as practicable, be conducted "in-house" by federal agencies using agency personnel, rather than by contract. When contractors are used, however,

a. The matching agency should, consistent with paragraph (m) of the Privacy Act, cause the requirements of that Act to be applied to the contractor's performance of the matching program. The contract should include the Privacy Act clause required by Federal Personnel Regulation Amendment 155 (41 CFR 1-1.337-5);

b. The terms of the contract should include appropriate privacy and security provisions consistent with policies, regulations, standards, and guidelines issued by OMB, GSA, and the Department of Commerce;

c. The terms of the contract should preclude the contractor from using, disclosing, copying, or retaining records associated with the matching program for the contractor's own use;

d. Contractor personnel involved in the matching program shall be made explicitly aware of their obligations under the Act and of these guidelines, agency rules, and any special safeguards in relation to each specific match performed.

e. Any disclosures of records by the agency to the contractor should be made pursuant to a "routine use" (5 U.S.C. 552a(b)(3)).

F. Implementation and Oversight. OMB will oversee the implementation of these guidelines and shall interpret and advise upon agency proposals and actions within their scope, consistent with section 6 of the Privacy Act.

[51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, and amended at 56 FR 57801, Nov. 14, 1991]


§311.1 Reissuance and purpose.

This part reissues Administrative Instruction No. 81 to update and implement basic policies and procedures outlined in Privacy Act of 1974, DoD 5400.11-R, OMB Circular No. A-108 (TM No. 4) and to provide guidance and procedures for use in establishing the Privacy Program in the Office of the Secretary of Defense (OSD) and those organizations assigned to OSD for administrative support.

§311.2 Applicability and scope.

(a) This part applies to the OSD, Joint Staff, Defense Advanced Research Projects Agency (DARPA), Uniformed Services University of the Health Sciences (USUHS) and other activities assigned to OSD for administrative support (hereafter referred to collectively as "OSD Components").

(b) This part covers record systems maintained by OSD Components and governs the maintenance, access, change, and release of information contained in OSD Component record systems, from which information pertaining to an individual is retrieved by a personal identifier.

[51 FR 7070, Feb. 28, 1986, as amended at 54 FR 2101, Jan. 19, 1989. Redesignated at 56 FR 55631, Oct. 29, 1991]

§311.3 Definitions.

Access. Any individual's review of a record or a copy of a record or parts of a system of records.

Disclosure. The transfer of any personal information from a system of records by any means of oral, written, electronic, mechanical, or other communication, to any person, private entity, or Government agency, other than the subject of the record, the subject's designated agent, or the subject's legal guardian.

Individual. A living citizen of the United States or an alien lawfully admitted to the United States for permanent residence. The legal guardian of an individual has the same rights as the individual and may act on his or her behalf.

Individual access. Access to information pertaining to the individual or his or her designated agent or legal guardian.

Maintain. Includes maintenance, collection, use or dissemination.

Personal information. Information about an individual that is intimate or private, as distinguished from information related solely to the individual's official functions or public life.

§311.4 Policy.

(a) It is DoD policy to protect the privacy of individuals involved in any phase of the personnel management process and to permit any individual to know what existing records pertain to him or her in any OSD Component covered by this part.

(b) Each office maintaining records and information about individuals shall ensure that their privacy is protected from unauthorized disclosure. These offices shall permit individuals to have access to, and to have a copy made of, all or any portion of records pertaining to them (except those referred to in Chapters 3 and 5, DoD 5400.11-R) and to have an opportunity to request that such records be amended as provided by the Privacy Act of 1974. Individuals requesting access to their records shall receive concurrent consideration under the Privacy Act of 1974 and the Freedom of Information Act as amended, if appropriate.

(c) The heads of OSD Components shall maintain any record of an identifiable personal nature in a manner that is necessary and lawful. Any information collected must be as accurate, relevant, timely, and complete as is reasonable to ensure fairness to the individual. Adequate safeguards must be provided to prevent misuse or unauthorized release of such information.

§311.5 Responsibilities.

(a) The Director of Administration and Management (DA&M) shall:

(1) Direct and administer the DoD Privacy Program for OSD Components.

(2) Establish standards and procedures to ensure implementation of and compliance with the Privacy Act of 1974, OMB Circular No. A-108 (TM No. 4), and DoD 5400.11-R.

(3) Serve as the appellate authority within OSD when a requester appeals a denial for amendment of a record or initiates legal action to correct a record.

(4) Evaluate and decide, in coordination with the General Counsel (GC), DoD, appeals resulting from denials of correction and/or amendments to records by OSD Components.

(5) Designate the Records Management Division, Correspondence and Directives Directorate, Washington Headquarters Services (WHS), as the office responsible for all aspects of the Privacy Act, except that portion pertaining to receiving and acting on public requests for personal records. As such, the Records Management Division, shall:

(i) Exercise oversight and administrative control of the Privacy Act Program in OSD and those organizations assigned to OSD for administrative support.

(ii) Provide guidance and training to organizational entities as required by the Privacy Act of 1974 and OMB Circular A-108 (TM No. 4).

(iii) Collect and consolidate data from OSD Components, and submit an annual report to the Defense Privacy Office, as required by the Privacy Act of 1974, OMB Circular A-108 (TM No. 4) and DoD 5400.11-R.

(iv) Coordinate and consolidate information for reporting all record systems, as well as changes to approved systems, to the Office of Management and Budget (OMB), the Congress, and the FEDERAL REGISTER, as required by the Privacy Act of 1974, OMB Circular No. A-108 (TM No. 4) and DoD 5400.11-R.

(v) Collect information from OSD Components, and prepare consolidated reports required by the Privacy Act of 1974 and DoD 5400.11-R.

(b) The Assistant Secretary of Defense (Public Affairs) ASD(PA) shall:

(1) Designate the Director for Freedom of Information and Security Review, OASD(PA), as the point of contact for individuals requesting information or access to records and copies concerning themselves.

(2) Serve as the authority within OSD when requesters seek reconsideration of previously denied requests for access to records, and in coordination with the GC, DoD, and the DA&M, evaluate and decide on such requests.

(c) The Director for Freedom of Information and Security Review shall:

(1) Forward requests for information or access to records to the appropriate OSD Component having primary responsibility for any pertinent system of records under the Privacy Act of 1974 or to OSD Components, under the Freedom of Information Act as amended.

(2) Maintain deadlines to ensure that responses are made within the time limits prescribed in DoD 5400.7-R, DoD Directive 5400.10 and this part.

(3) Collect fees charged and assessed for reproducing requested materials.

(4) Refer all matters concerning amendments of records and general and specific exemptions under the Privacy Act of 1974 to the proper OSD components.

(5) Authorize a specific field activity of an OSD Component to act as the point of contact for individuals requesting information or access to records or copies, under the Privacy Act of 1974 for which the field activity has primary responsibility. All authorizations by the ASD(PA) shall be coordinated with the heads of the OSD Component concerned.

(d) The General Counsel, DoD, shall:

(1) Coordinate with the Department of Justice (DOJ) on all OSD final denials of appeals for amending records, and review actions to confirm denial of access to records.

(2) Provide advice and assistance to the DA&M in the discharge of appellate and review responsibilities, and to the ASD(PA) on all access matters.

(3) Provide advice and assistance to OSD Components on legal matters pertaining to the Privacy Act of 1974.

(e) The Head of OSD Components shall:

(1) Designate an individual as the point of contact for Privacy Act matters; designate an official to deny initial requests for access to an individual's records or changes to records; and advise both DA&M and ASD(PA) of names of officials so designated.

(2) Report any new record system, or changes to an existing system, to the OSD Records Administrator, WHS, at least 90 days before the intended use of the system.

(3) Review all contracts that provide for maintaining records systems, by or on behalf of his or her office, to ensure within his or her authority, that language is included that provides that such systems shall be maintained in a manner consistent with the Privacy Act of 1974.

(4) Revise procurement guidance to ensure that any contract providing for the maintenance of a records system, by or on behalf of his or her office, includes language that ensures that such system will be maintained in accordance with the Privacy Act of 1974.

(5) Revise computer and telecommunications procurement policies to ensure that agencies review all proposed contracts for equipment and services to comply with the Privacy Act of 1974.
