
Subpart C-Collecting Personal


§ 806b.7 How to collect personal information.

Collect personal information directly from the subject of the record when possible. You may ask third parties when:

(a) You must verify information.

(b) You want opinions or evaluations.

(c) You can't contact the subject.

(d) The subject asks you.

(4) Review all publications and forms for compliance with this part.

(5) Review system notices.

(6) Investigate complaints.

(7) Staff denial recommendations (at MAJCOMs and FOAs only).

(g) System Managers:

(1) Decide the need for, and content of systems.

(2) Manage and safeguard the system.

(3) Train personnel on Privacy Act requirements.

(4) Protect records from unauthorized disclosure, alteration, or destruction.

(5) Prepare system notices and reports.

(6) Answer Privacy Act requests.
(7) Keep records of disclosures.
(8) Evaluate the systems annually.
(h) Privacy Act Monitors (PAM):

(1) Are the focal point in their functional area for general Privacy Act questions and correspondence.

(2) Maintain a list of all systems of records and system managers in their area.

(3) Act as liaison with the Privacy Act Officer.

(4) Maintain statistics for the annual Privacy Act report.

§ 806b.8 When to give Privacy Act statements (PAS).

(a) Give a PAS orally or in writing:

(1) To anyone from whom you are collecting personal information that will be put in a system of records.

(2) Whenever you ask someone for his or her Social Security Number (SSN).

NOTE: Do this regardless of how you collect or record the answers. You may display a sign in areas where people routinely furnish this kind of information. Give a copy of the PAS if asked. Do not ask the person to sign the PAS.

(3) A PAS must include four items:

(i) Authority: The legal authority, that is, the United States Code or Executive Order authorizing the program the system supports.

(ii) Purpose: The reason you are collecting the information.

(iii) Routine Uses: A list of where and why the information will be disclosed outside DoD.

(iv) Disclosure: Voluntary or Mandatory. (Use Mandatory only when disclosure is required by law and the individual will be penalized for not providing information.) Include any consequences of nondisclosure in nonthreatening language.

Subpart B-Obtaining Law Enforcement Records and Promises of Confidentiality

§ 806b.5 Obtaining law enforcement records.

The Commander AFOSI; the Chief, Air Force Security Police Agency (AFSPA); MAJCOM, FOA, and base chiefs of security police; AFOSI detachment commanders; and designees of those offices may ask another agency for records for law enforcement under 5 U.S.C. 552a(b)(7). The requesting office must indicate in writing the specific part of the record desired and identify the law enforcement activity asking for the record.

§ 806b.6 Promising confidentiality.

Record promises of confidentiality to exempt from disclosure any 'confidential' information under subsections (k)(2), (k)(5), or (k)(7) of the Privacy Act.

§ 806b.9 Requesting the social security number (SSN).

(a) Do not deny people a legal right, benefit, or privilege for refusing to give their SSNs unless the law requires disclosure, or a law or regulation adopted before January 1, 1975, required the SSN and the Air Force uses it to verify a person's identity in a system of records established before that date. When you ask for an SSN to create a record, tell the individual:


(1) The statute, regulation, or rule authorizing you to ask for the SSN.

(2) The uses that will be made of the SSN.

(3) If he or she is legally obligated to provide the SSN.

(b) The Air Force requests an individual's SSN and provides the individual information required by law when anyone enters military service or becomes an Air Force civilian employee. The Air Force uses the SSN as a service or employment number to reference the individual's official records. When you ask someone for an SSN as identification (ID) to retrieve an existing record, you do not have to restate this information.

(c) Executive Order 9397, November 22, 1943, authorizes using the SSN as a personal identifier. This order is not adequate authority to collect an SSN to create a record. When law does not require disclosing the SSN or when the system of records was created after January 1, 1975, you may ask for the SSN, but the individual does not have to disclose it. If the individual refuses to respond, use alternative means of identifying records.

(d) SSNs are personal and unique to each individual. Protect them as FOR OFFICIAL USE ONLY (FOUO). Do not disclose them to anyone without an official need to know.

Consider a request from an individual for his or her own records in a system of records under both the Freedom of Information Act (FOIA) and the Privacy Act regardless of the Act cited. The requester need not cite any Act. Process the request under whichever Act gives the most information. When necessary, tell the requester under which Act you processed the request and why.

(a) Requesters should describe the records they want. They do not have to name a system of records number, but they should at least name a type of record or functional area. For requests that ask for 'all records about me,' ask for more information and tell the person how to review the Air Force systems of records published in the FEDERAL REGISTER or in AFDIR 37–144¹, 'Privacy Act Systems of Record' (formerly AFR 436).

(b) Requesters should not use government equipment, supplies, stationery, postage, telephones, or official mail channels for making Privacy Act requests. Privacy Act Officers and system managers process such requests but tell requesters that using government resources to make Privacy Act requests is not authorized.

(c) Tell the requester if a record exists and how to review the record. If possible, respond to requests within 10 workdays of receiving them. If you cannot answer the request in 10 workdays, send a letter explaining why and give an approximate completion date no more than 20 workdays after the first office received the request.

(d) Show or give a copy of the record to the requester within 30 workdays of receiving the request unless the system is exempt and the Air Force lists the exemption in appendix C of this part; or published as a final rule in the FEDERAL REGISTER. Give information in a form the requester can understand.

(e) If the requester wants another person present during the record review, the system manager may ask for

Subpart D-Giving Access to Privacy Act Records

§ 806b.10 Making a request for access.

Persons or their designated representatives may ask for a copy of their records in a system of records. Requesters need not state why they want access to their records. Verify the identity of the requester to avoid unauthorized disclosures. How you verify identity will depend on the sensitivity of the requested records. Persons without access to notary services may use an unsworn declaration in the following format: 'I declare under penalty of perjury (if outside the United States, add 'under the laws of the United States of America') that the foregoing is true and correct. Executed on (date). (Signature).'

1 Copies may be obtained at cost from the National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161.

written consent to authorize discussing the record with another person present.

§ 806b.12 Fees.

Give the first 100 pages free, and charge only reproduction costs for the remainder. Copies cost $.15 per page; microfiche costs $.25 per fiche. Charge the fee for the first 100 pages if records show that the Air Force already responded to a request for the same records at no charge. Do not charge fees:

(a) When the requester can get the record without charge under another publication (for example, medical records).

(b) For search.

(c) For reproducing a document for the convenience of the Air Force.

(d) For reproducing a record so the requester can review it.

§ 806b.13 Denying or limiting access.

Process access denials within five workdays after you receive a request for access. When you may not release a record, send a copy of the request, the record, and why you recommend denying access (including the applicable exemption) to the denial authority through the Staff Judge Advocate (SJA) and the Privacy Act officer. The SJA gives a written legal opinion on the denial. The MAJCOM or FOA Privacy Act officer reviews the file, gets written advice from the SJA and the functional office of primary responsibility (OPR), and makes recommendation to the denial authority. The denial authority sends the requester a letter with the decision. If the denial authority grants access, release the record. If the denial authority refuses access, tell the requester why and explain pertinent appeal rights.

(a) Before you deny a request for access to a record, make sure that:

(1) The system has an SAF approved exemption.

(2) The exemption covers each document.

(3) Nonexempt parts are segregated.

(b) You may refuse to give out medical records if a physician believes that doing so could harm the person's mental or physical health. You have these options:

(1) Ask the requester to get a letter from a physician to whom you can send the records. Include a letter explaining to the physician that giving the records directly to the individual could be harmful.

(2) Offer the services of a military physician other than one who provided treatment if naming the physician poses a hardship on the individual.

(c) Do not delete third-party information from a record when the subject requests access, except as noted in § 806b.13(d), unless the Air Force covers the record with an established exemption (appendix C of this part). Presume that all information in a file pertains to the subject of the file.

(d) Do not release third-party personal data (such as SSN and home address). This action is not a denial.

(e) Withhold records compiled in connection with a civil action or other proceeding including any action where the Air Force expects judicial or administrative adjudicatory proceedings. This exemption does not cover criminal actions. Do not release attorney work products prepared before, during, or after the action or proceeding.

§ 806b.14 Denial authorities.

These officials or a designee may deny access or amendment of records. Send a letter to SAF/AAIA with the position titles of designees. You must get SAF/AA approval before delegating this authority to a lower level. Send requests for waiver with justification to SAF/AAIA. Authorities are:

(a) DCSs and chiefs of comparable offices or higher level at SAF or HQ USAF.

(b) MAJCOM or FOA commanders.

(c) HQ USAF/DPCP, Pentagon, Washington, DC 20330-5060 (for civilian personnel records).

(d) Commander, Air Force Office of Special Investigations (AFOSI), Washington, DC 20332–6001 (for AFOSI records).

Subpart E-Amending the Record

§ 806b.15 Amendment reasons.

Individuals may ask to have their records amended to make them accurate, timely, relevant, or complete.


System managers routinely correct a record if the requester can show that it is factually wrong.

Records (AFBCMR). Record correction requests denied by the AFBCMR are not subject to further consideration under this part.

§ 806b.16 Responding to amendment requests.

(a) Anyone may request minor corrections orally. Requests for more serious modifications should be in writing.

(b) After verifying the identity of the requester, make the change, notify all known recipients of the record, and inform the individual.

(c) Acknowledge requests within 10 workdays of receipt. Give an expected completion date unless you complete the change within that time. Final decisions must take no longer than 30 workdays.



§ 806b.17 Approving or denying record amendment.

The Air Force does not usually amend a record when the change is based on opinion, interpretation, or subjective official judgment. This action constitutes a denial, and requesters may appeal. If the system manager decides not to amend or partially amend the record, send a copy of the request, the record, and the recommended denial reasons to the denial authority through the SJA and the Privacy Act officer. SJAs will include a legal opinion.

(a) The MAJCOM or FOA Privacy Act officer reviews the proposed denial, gets a legal opinion from the SJA and written advice from the functional OPR, and makes a recommendation to the denial authority.

(b) The denial authority sends the requester a letter with the decision. If the denial authority approves the request, amend the record and notify all previous recipients that it has been changed. If the authority denies the request, give the requester the statutory authority, reason, and pertinent appeal rights.

§ 806b.19 Appeal procedures.

(a) Individuals may request a denial review by writing to the Secretary of the Air Force through the denial authority within 60 calendar days after receiving a denial letter. The denial authority promptly sends a complete appeal package to SAF/AAIA, including:

(1) Original appeal letter.
(2) Initial request.
(3) Initial denial.
(4) Copy of the record.

(5) Any internal records or coordination actions relating to the denial.

(6) Denial authority's comments on the appellant's arguments.

(7) Legal reviews.

(b) If the denial authority reverses an earlier denial and grants access or amendment, notify the requester immediately.

(c) SAF/AAIA reviews the denial and forwards to SAF/GCA for legal review or staffing to grant or deny the appeal. SAF/GCA tells the requester the final Air Force decision and explains judicial review rights.

(d) The requester may file a concise statement of disagreement with the system manager if SAF/GCA denies the request to amend the record. SAF/GCA explains the requester's rights when they issue the final appeal decision.

(1) The records should clearly show that a statement of disagreement is filed with the record or separately.

(2) The disputed part of the record must show that the requester filed a statement of disagreement.

(3) Give copies of the statement of disagreement to the record's previous recipients. Inform subsequent record users about the dispute and give them a copy of the statement with the record.

(4) The system manager may include a brief summary of the reasons for not amending the record. Limit the summary to the reasons SAF/GCA gave to the individual. The summary is part of the individual's record, but it is not subject to amendment procedures.

§ 806b.18 Seeking review of unfavorable agency determinations.

Requesters should pursue record corrections of subjective matters and opinions through proper channels to the Civilian Personnel Office using grievance procedures or the Air Force Board for Correction of Military

(b) Instituting significant changes to an existing system.

(c) Sending out data collection forms or instructions.

(d) Issuing a request for proposal or invitation for bid to support a new system.

§ 806b.20 Contents of Privacy Act case files.

Do not keep copies of disputed records in this file. Use the file solely for statistics and to process requests. Do not use the case files to make any kind of determination about an individual. Document reasons for untimely responses. These files include:

(a) Requests from and replies to individuals on whether system has records about them.

(b) Requests for access or amendment.

(c) Approvals, denials, appeals, and final review actions.

(d) Coordination actions and related papers.


§ 806b.23 Timing of notices.

At least 120 days before the effective start date, system managers must send the system notice to SAF/AAIA on a 5 1/4 or 3 1/2-inch disk in Wordstar (ASCII text file) or Microsoft Word, with a paper copy highlighting any changes through the MAJCOM or FOA Privacy Act Officer. See Appendix B of this part for a sample system notice.

Subpart F-Privacy Act


Subpart G-Protecting and Disposing of Records

§ 806b.21 When to include a Privacy Act warning statement in publications.

Include a Privacy Act Warning Statement in each Air Force publication that requires collecting or keeping personal information in a system of records. Also include the warning statement when publications direct collection of the SSN from the individual. The warning statement will cite legal authority and the system of records number and title. You can use the following warning statement: 'This part requires collecting and maintaining information protected by the Privacy Act of 1974 authorized by (U.S.C. citation and/or Executive Order number). System of records notice (number and title) applies.'

§ 806b.24 Protecting records.

Protect information according to its sensitivity level. Consider the personal sensitivity of the information and the risk of loss or alteration. Most information in systems of records is FOR OFFICIAL USE ONLY (FOUO). Refer to AFI 37–131², 'Air Force Freedom of Information Act Program,' for protection methods.

§ 806b.22 Publishing system notices.

The Air Force must publish notices in the FEDERAL REGISTER of new, amended, and deleted systems to inform the public of what records the Air Force keeps and give them an opportunity to comment. The Privacy Act also requires submission of new or significantly altered systems to the Office of Management and Budget (OMB) and both houses of the Congress before publication in the FEDERAL REGISTER. This includes:

(a) Starting a new system.

§ 806b.25 Balancing protection.

Balance additional protection against risk and cost. AF Form 3227, 'Privacy Act Cover Sheet', is available for use with Privacy Act material. For example, a password may be enough protection for an automated system with a log-on protocol. Classified computer systems or those with established audit and password systems are obviously less vulnerable than unprotected files or word processors in offices that are periodically empty. Follow AFI 33–202³, 'The Air Force Computer Security Program,' for procedures on safeguarding personal information in automated records.

2 See footnote 1 to section 806b.11, of this part.

3 See footnote 1 to section 806b.11, of this part.
