
to perform the match. The disclosure of records to the matching agency and any later disclosure of "hits" (by either the matching or the source agencies) must be done in accordance with the provisions of paragraph (b) of the Privacy Act.

5. Hit. The identification, through a matching program, of a specific individual.

E. Guidelines for Agencies Participating in Matching Programs. Agencies should acquire and disclose matching records and conduct matching programs in accordance with the provisions of this section and the Privacy Act.

1. Disclosing Personal Records for Matching Programs

a. To another Federal agency. Source agencies are responsible for determining whether or not to disclose personal records from their systems and for making sure they meet the necessary Privacy Act disclosure provisions when they do. Among the factors source agencies should consider are:

(1) Legal authority for the match.

(2) Purpose and description of the match.

(3) Description of the records to be matched.

(4) Whether the record subjects have consented to the match; or whether disclosure of records for the match would be compatible with the purpose for which the records were originally collected; that is, whether disclosure under a "routine use" would be appropriate; whether the soliciting agency is seeking the records for a legitimate law enforcement activity-whichever is appropriate; or any other provision of the Privacy Act under which disclosure may be made.

(5) Description of additional information which may be subsequently disclosed in relation to "hits."

(6) Subsequent actions expected of the source (for example, verification of the identity of the "hits" or followup with individuals who are “hits”).

(7) Safeguards to be afforded the records involved, including disposition.

b. If the agency is satisfied that disclosure of the records would not violate its responsibilities under the Privacy Act, it may proceed to make the disclosure to the matching agency. It should ensure that only the minimum information necessary to conduct the match is provided. If disclosure is to be made pursuant to a "routine use" (Section b.3. of the Privacy Act), it should ensure that the system of records contains such a use, or it should publish a routine use notice in the FEDERAL REGISTER. The agency should also be sure to maintain an accounting of the disclosure pursuant to Section (c) of the Privacy Act.

c. To a nonfederal entity. Before disclosing records to a nonfederal entity for a matching program to be carried out by that entity, a source agency should, in addition to all of the considerations in subparagraph a, above, also make reasonable efforts, pursuant to Section (e)(6) of the Privacy Act, to "assure that such records are accurate, complete, timely, and relevant for agency purposes."

2. Written Agreements. Before disclosing to either a Federal or non-Federal entity, the source agency should require the matching entity to agree in writing to certain conditions governing the use of the matching file; for example, that the matching file will remain the property of the source agency and be returned at the end of the matching program (or destroyed as appropriate); that the file will be used and accessed only to match the file or files previously agreed to; that it will not be used to extract information concerning "non-hit" individuals for any purpose, and that it will not be duplicated or disseminated within or outside the matching agency unless authorized in writing by the source agency.

3. Performing Matching Programs—

a. Matching agencies should maintain reasonable administrative, technical, and physical security safeguards on all files involved in the matching program.

b. Matching agencies should ensure that they have appropriate systems of records including those containing "hits," and that such systems and any routine uses have been appropriately noticed in the FEDERAL REGISTER and reported to OMB and the Congress.

4. Disposition of Records

a. Matching agencies will return or destroy source matching files (by mutual agreement) immediately after the match.

b. Records relating to this will be kept only so long as an investigation, either criminal or administrative, is active, and will be disposed of in accordance with the requirements of the Privacy Act and the Federal Records Act.

5. Publication Requirements—

a. Agencies, before disclosing records outside the agency, will publish appropriate "routine use" notices in the FEDERAL REGISTER, if necessary.

b. If the matching program will result in the creation of a new or the substantial alteration of an existing system of records, the agency involved should publish the appropriate FEDERAL REGISTER notice and submit the requisite report to OMB and the Congress pursuant to OMB Circular No. A-108.

6. Reporting Requirements

a. As close to the initiation of the matching program as possible, matching agencies will publish in the FEDERAL REGISTER a brief public notice describing the matching program. The notice should include:

1. The legal authority under which the match is being conducted.

2. A description of the matching program including whether the program is one time or continuing, the organizations involved, the purpose or purposes for which the program is being conducted, and the procedures to be used in matching and following up on the "hits."

3. A complete description of the personal records to be matched, including the source or sources, system of records identifying data, date or dates and page number of the most recent FEDERAL REGISTER full text publication when appropriate.

4. The projected start and ending dates of the program.

5. The security safeguards to be used to protect against unauthorized access or disclosure of the personal records.

6. Plans for disposition of the source records and "hits."

7. Agencies should send a copy of this notice to the Congress and to OMB at the same time it is sent to the FEDERAL REGISTER.

a. Agencies should report new or altered systems of records as described in subparagraph 5b, above, as necessary.

b. Agencies should also be prepared to report on matching programs pursuant to the reporting requirements of either the Privacy Act or the Paperwork Reduction Act. Reports will be solicited by the Office of Information and Regulatory Affairs and will focus on both the protection of individual privacy and Government's effective use of information technology. Reporting instructions will be disseminated to the agencies as part of either the reports required by paragraph (p) of the Privacy Act, or section 3514 of Pub. L. 96-511.

8. Use of Contractors. Matching programs should, as far as practicable, be conducted "in-house" by Federal agencies using agency personnel, rather than by contract. When contractors are used:

a. The matching agency should, consistent with paragraph (m) of the Privacy Act, cause the requirements of that Privacy Act to be applied to the contractor's performance of the matching program. The contract should include the Privacy Act clause required by Federal Personnel Regulation Amendment 155 (41 CFR 1-1.337-5).

b. The terms of the contract should include appropriate privacy and security provisions consistent with policies, regulations, standards, and guidelines issued by OMB, GSA, and the Department of Commerce.

c. The terms of the contract should preclude the contractor from using, disclosing, copying, or retaining records associated with the matching program for the contractor's own use.

d. Contractor personnel involved in the matching program shall be made explicitly aware of their obligations under the Privacy Act and of these guidelines, agency rules, and any special safeguards in relation to each specific match performed.

e. Any disclosures of records by the agency to the contractor should be made pursuant to a "routine use" (5 U.S.C. 552a(b)(3)).


b. Disciplinary Action (as appropriate).

8. Appeal (as appropriate).

a. Date Complaint File.

b. Court.

c. Case File Number.1

d. Court's Finding.

e. Disciplinary Action (as appropriate).

APPENDIX G TO PART 323-PRIVACY ACT ENFORCEMENT ACTIONS

A. Administrative Remedies. Any individual who feels he or she has a legitimate complaint or grievance against the Defense Logistics Agency or any DLA employee concerning any right granted by this DLAR will be permitted to seek relief through appropriate administrative channels.

B. Civil Actions. An individual may file a civil suit against DLA or its employees if the individual feels certain provisions of the Privacy Act have been violated (see 5 U.S.C. 552a(g), reference (b).)

C. Civil Remedies. In addition to specific remedial actions, the Privacy Act provides for the payment of damages, court cost, and attorney fees in some cases.

D. Criminal Penalties

1. The Privacy Act also provides for criminal penalties (see 5 U.S.C. 552a(i).) Any official or employee may be found guilty of a misdemeanor and fined not more than $5,000 if he or she willfully discloses personal information to anyone not entitled to receive the information, or maintains a system of records without publishing the required public notice in the FEDERAL REGISTER.

1 Number used by the Component for reference purposes.

2 Indicate the nature of the case, such as "Denial of access," "Refusal to amend,” “Incorrect records," or other violations of the Act (specify).

2. A person who requests or obtains access to any record concerning another individual under false pretenses may be found guilty of a misdemeanor and fined up to $5,000.

APPENDIX H TO PART 323-DLA EXEMPTION RULES

Exempted Records Systems. All systems of records maintained by the Defense Logistics Agency will be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and which is required by the Executive Order to be kept secret in the interest of national defense or foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain isolated items of information which have been properly classified.

a. ID: S500.10 DLA-I (Specific exemption).

1. System name: Personnel Security Files.

2. Exemption: This system of records is exempted from the following provisions of title 5, United States Code, section 552a: (c)(3); (d); and (e)(1).

3. Authority: 5 U.S.C. 552a(k)(2).

4. Reasons: The investigatory reports are used by appropriate Security Officers and Commanders or other designated officials as a basis for determining a person's eligibility for access to information classified in the interests of national defense.

b. ID: S500.20 DLA-I (Specific exemption).

1. System name: Criminal Incident/Investigations File.

2. Exemption: This system of records is exempted from the following provisions of the Title 5, United States Code, section 552a: (c)(3); (d); and (e)(1).

3. Authority: 5 U.S.C. 552a(k)(2).

4. Reasons: Granting individuals access to information collected and maintained by this component relating to the enforcement of criminal laws could interfere with orderly investigations, with the orderly administration of justice, and possibly enable suspects to avoid detection or apprehension. Disclosure of this information could result in the concealment, destruction or fabrication of evidence and jeopardize the safety and well being of informants, witnesses and their families, and law enforcement personnel and their families. Disclosure of this information could also reveal and render ineffectual investigative techniques, sources and methods used by this component and could result in the invasion of privacy of individuals only incidentally related to an investigation. Investigatory material is exempt to the extent that the disclosure of such material would reveal the identity of a source who furnished the information to the Government under an express promise that the identity of the source would be held in confidence, or prior to September 27, 1975 under an implied promise that the identity of the source would be held in confidence. This exemption will protect the identities of certain sources who would be otherwise unwilling to provide information to the Government. The exemption of the individual's right of access to his records and the reasons therefore necessitate the exemptions of this system of records from the requirements of the other cited provisions.

c. ID: S100.50 DLA-GC (Specific exemption).

1. System name: Fraud and Irregularities.

2. Exemption: This system of records is exempt from the provisions of 5 U.S.C. 552a(c)(3), (d)(1) through (4), (e)(1), (e)(4)(G), (H), and (I), and (f).

3. Authorities: 5 U.S.C. 552a(k)(2) and (k)(5).

4. Reasons: From subsection (c)(3) because granting access to the accounting for each disclosure as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the existence of the investigation or prosecutive interest by DLA or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence.

From subsections (d)(1) through (d)(4) and (f) because providing access to records of a civil investigation and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding.

From subsection (e)(1) because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear.

From subsections (e)(4)(G) and (H) because there is no necessity for such publication since the system of records will be exempt from the underlying duties to provide notification about and access to information in the system and to make amendments to and corrections of the information in the system.

From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. DLA will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice.

d. ID: S100.10 GC (Specific exemption).

1. System name: Whistleblower Complaint and Investigation Files.

2. Exemption: Portions of this system of records may be exempt under the provisions of 5 U.S.C. 552a(c)(3), (d)(1) through (d)(4), (e)(1), (e)(4)(G), (e)(4)(H), and (e)(4)(I), and (f).

3. Authority: 5 U.S.C. 552a(k)(2).

4. Reasons: From subsection (c)(3) because granting access to the accounting for each disclosure as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the existence of the investigation or prosecutive interest by DLA or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence.

From subsections (d)(1) through (d)(4), and (f) because providing access to records of a civil investigation and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding.

From subsection (e)(1), because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear.

From subsections (e)(4)(G) and (e)(4)(H) because there is no necessity for such publication since the system of records will be exempt from the underlying duties to provide notification about and access to information in the system and to make amendments to and corrections of the information in the system. However, DLA will continue to publish such a notice in broad generic terms as is its current practice.

From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. DLA will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice.

[DLAR 5400.21, 51 FR 33595, Sept. 22, 1986. Redesignated at 56 FR 57803, Nov. 14, 1991, and amended at 55 FR 32913, Aug. 13, 1990; 57 FR 40609, Sept. 4, 1992; 59 FR 9668, Mar. 1, 1994; 60 FR 3088, Jan. 13, 1995; 61 FR 2916, Jan. 30, 1996]


Subpart A-General information

§324.1 Issuance and purpose.

The Defense Finance and Accounting Service fully implements the policy and procedures of the Privacy Act and the DoD 5400.11-R1, 'Department of Defense Privacy Program' (see 32 CFR part 310). This regulation supplements the DoD Privacy Program only to establish policy for the Defense Finance and Accounting Service (DFAS) and provide DFAS unique procedures.

§324.2 Applicability and scope.

This regulation applies to all DFAS, Headquarters, DFAS Centers, the Financial System Organization (FSO), and other organizational components. It applies to contractor personnel who have entered a contractual agreement with DFAS. Prospective contractors will be advised of their responsibilities under the Privacy Act Program.

§324.3 Policy.

DFAS personnel will comply with the Privacy Act of 1974, the DoD Privacy Program and the DFAS Privacy Act Program. Strict adherence is required to ensure uniformity in the implementation of the DFAS Privacy Act Program and to create conditions that will foster public trust. Personal information maintained by DFAS organizational elements will be safeguarded. Information will be made available to the individual to whom it pertains to the maximum extent practicable. Specific DFAS policy is provided for Privacy Act training, responsibilities, reporting procedures and implementation requirements. DFAS Components will not define policy for the Privacy Act Program.

§324.4 Responsibilities.

(a) Director, DFAS. (1) Ensures the DFAS Privacy Act Program is implemented at all DFAS locations.

(2) The Director, DFAS, will be the Final Denial Appellate Authority. This authority may be delegated to the Director for Resource Management.

1 Copies may be obtained at cost from the National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161.

(3) Appoints the Director for External Affairs and Administrative Support, or a designated replacement, as the DFAS Headquarters Privacy Act Officer.

(b) DFAS Headquarters General Counsel. (1) Ensures uniformity is maintained in legal rulings and interpretation of the Privacy Act.

(2) Consults with DoD General Counsel on final denials that are inconsistent with other final decisions within DOD. Responsible to raise new legal issues of potential significance to other Government agencies.

(3) Provides advice and assistance to the DFAS Director, Center Directors, and the FSO as required, in the discharge of their responsibilities pertaining to the Privacy Act.

(4) Acts as the DFAS focal point on Privacy Act litigation with the Department of Justice.

(5) Reviews Headquarters' denials of initial requests and appeals.

(c) DFAS Center Directors. (1) Ensures that all DFAS Center personnel, all personnel at subordinate levels, and contractor personnel working with personal data comply with the DFAS Privacy Act Program.

(2) Serves as the DFAS Center Initial Denial Authority for requests made as a result of denying release of requested information at locations within DFAS Center authority. Initial denial authority may not be redelegated. Initial denial appeals will be forwarded to the appropriate DFAS Center marked to the attention of the DFAS Center Initial Denial Authority.

(d) Director, FSO. (1) Ensures that FSO and subordinate personnel and contractors working with personal data comply with the Privacy Act Program.

(2) Serves as the FSO Initial Denial Authority for requests made as a result of denying release of requested information at locations within FSO authority. FSO Initial denial authority may not be redelegated.

(3) Appoints a Privacy Act Officer for the FSO and each Financial System Activity (FSA).

(e) DFAS Headquarters Privacy Act Officer. (1) Establishes, issues and updates policy for the DFAS Privacy Act Program and monitors compliance. Serves
