(4) Review all publications and forms for compliance with this part.

(5) Review system notices. (6) Investigate complaints.

(7) Staff denial recommendations (at MAJCOMS and FOAS only).

(g) System Managers:

(1) Decide the need for, and content of systems.

(2) Manage and safeguard the system. (3) Train personnel on Privacy Act requirements.

(4) Protect records from unauthorized disclosure, alteration, or destruction. (5) Prepare system notices and reports.

(6) Answer Privacy Act requests. (7) Keep records of disclosures. (8) Evaluate the systems annually. (h) Privacy Act Monitors (PAM): (1) Are the focal point in their functional area for general Privacy Act questions and correspondence.

(2) Maintain a list of all systems of records and system managers in their

area.

(3) Act as liaison with the Privacy Act Officer.

(4) Maintain statistics for the annual Privacy Act report.

Subpart B-Obtaining Law Enforcement Records and Promises of Confidentiality

§ 806b.5 Obtaining law enforcement records.

The Commander AFOSI; the Chief, Air Force Security Police Agency (AFSPA); MAJCOM, FOA, and base chiefs of security police; AFOSI detachment commanders; and designees of those offices may ask another agency for records for law enforcement under 5 U.S.C. 552a(b)(7). The requesting office must indicate in writing the specific part of the record desired and identify the law enforcement activity asking for the record.

§ 806b.6 Promising confidentiality.

Record promises of confidentiality to exempt from disclosure any 'confidential' information under subsections (k)(2), (k)(5), or (k)(7) of the Privacy Act.

Subpart C-Collecting Personal Information

§ 806b.7 How to collect personal information.

Collect personal information directly from the subject of the record when possible. You may ask third parties when:

(a) You must verify information. (b) You want opinions or evaluations. (c) You can't contact the subject. (d) The subject asks you.

§ 806b.8 When to give Privacy Act statements (PAS).

(a) Give a PAS orally or in writing: (1) To anyone from whom you are collecting personal information that will be put in a system of records.

(2) Whenever you ask someone for his or her Social Security Number (SSN).

NOTE: Do this regardless of how you collect or record the answers. You may display a sign in areas where people routinely furnish this kind of information. Give a copy of the PAS if asked. Do not ask the person to sign the PAS.

(3) A PAS must include four items:

(i) Authority: The legal authority, that is, the United States Code or Executive Order authorizing the program the system supports.

(ii) Purpose: The reason you are collecting the information.

(iii) Routine Uses: A list of where and why the information will be disclosed outside DoD.

(iv) Disclosure: Voluntary or Mandatory. (Use Mandatory only when disclosure is required by law and the individual will be penalized for not providing information.) Include any consequences of nondisclosure in nonthreatening language.

§ 806b.9 Requesting the social security number (SSN).

(a) Do not deny people a legal right, benefit, or privilege for refusing to give their SSNs unless the law requires disclosure, or a law or regulation adopted before January 1, 1975, required the SSN and the Air Force uses it to verify a person's identity in a system of records established before that date. When you ask for an SSN to create a record, tell the individual:

(1) The statute, regulation, or rule authorizing you to ask for the SSN.

(2) The uses that will be made of the SSN.

(3) If he or she is legally obligated to provide the SSN.

(b) The Air Force requests an individual's SSN and provides the individual information required by law when anyone enters military service or becomes an Air Force civilian employee. The Air Force uses the SSN as a service or employment number to reference the individual's official records. When you ask someone for an SSN as identification (ID) to retrieve an existing record, you do not have to restate this information.

(c) Executive Order 9397, November 22, 1943, authorizes using the SSN as a personal identifier. This order is not adequate authority to collect an SSN to create a record. When law does not require disclosing the SSN or when the system of records was created after January 1, 1975, you may ask for the SSN, but the individual does not have to disclose it. If the individual refuses to respond, use alternative means of identifying records.

(d) SSNs are personal and unique to each individual. Protect them as FOR OFFICIAL USE ONLY (FOUO). Do not disclose them to anyone without an official need to know.

Subpart D-Giving Access to Privacy Act Records

§ 806b.10 Making a request for access. Persons or their designated representatives may ask for a copy of their records in a system of records. Requesters need not state why they want access to their records. Verify the identity of the requester to avoid unauthorized disclosures. How you verify identity will depend on the sensitivity of the requested records. Persons without access to notary services may use an unsworn declaration in the following format: 'I declare under penalty of perjury (if outside the United States, add 'under the laws of the United States of America') that the foregoing is true and correct. Executed on (date). (Signature).'

§ 806b.11 Processing a request for ac

cess.

Consider a request from an individual for his or her own records in a system of records under both the Freedom of Information Act (FOIA) and the Privacy Act regardless of the Act cited. The requester need not cite any Act. Process the request under whichever Act gives the most information. When necessary, tell the requester under which Act you processed the request and why.

(a) Requesters should describe the records they want. They do not have to name a system of records number, but they should at least name a type of record or functional area. For requests that ask for 'all records about me,' ask for more information and tell the person how to review the Air Force systems of records published in the FEDERAL REGISTER or in AFDIR 37-1441, 'Privacy Act Systems of Record' (formerly AFR 4–36).

(b) Requesters should not use government equipment, supplies, stationery, postage, telephones, or official mail channels for making Privacy Act requests. Privacy Act Officers and system managers process such requests but tell requesters that using government resources to make Privacy Act requests is not authorized.

(c) Tell the requester if a record exists and how to review the record. If possible, respond to requests within 10 workdays of receiving them. If you cannot answer the request in 10 workdays, send a letter explaining why and give an approximate completion date no more than 20 workdays after the first office received the request.

(d) Show or give a copy of the record to the requester within 30 workdays of receiving the request unless the system is exempt and the Air Force lists the exemption in appendix C of this part; or published as a final rule in the FEDERAL REGISTER. Give information in a form the requester can understand.

(e) If the requester wants another person present during the record review, the system manager may ask for

1 Copies may be obtained at cost from the National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161.

written consent to authorize discussing. the record with another person present.

§806b.12 Fees.

Give the first 100 pages free, and charge only reproduction costs for the remainder. Copies cost $.15 per page; microfiche costs $.25 per fiche. Charge the fee for the first 100 pages if records show that the Air Force already responded to a request for the same records at no charge. Do not charge fees:

(a) When the requester can get the record without charge under another publication (for example, medical records).

(b) For search.

(c) For reproducing a document for the convenience of the Air Force.

(d) For reproducing a record so the requester can review it.

8806b.13 Denying or limiting access.

Process access denials within five workdays after you receive a request for access. When you may not release a record, send a copy of the request, the record, and why you recommend denying access (including the applicable exemption) to the denial authority through the Staff Judge Advocate (SJA) and the Privacy Act officer. The SJA gives a written legal opinion on the denial. The MAJCOM or FOA Privacy Act officer reviews the file, gets written advice from the SJA and the functional office of primary responsibility (OPR), and makes a recommendation to the denial authority. The denial authority sends the requester a letter with the decision. If the denial authority grants access, release the record. If the denial authority refuses access, tell the requester why and explain pertinent appeal rights.

(a) Before you deny a request for access to a record, make sure that:

(1) The system has an SAF approved exemption.

(2) The exemption covers each document.

(3) Nonexempt parts are segregated. (b) You may refuse to give out medical records if a physician believes that doing so could harm the person's mental or physical health. You have these options:

(1) Ask the requester to get a letter from a physician to whom you can send the records. Include a letter explaining to the physician that giving the records directly to the individual could be harmful.

(2) Offer the services of a military physician other than one who provided treatment if naming the physician poses a hardship on the individual.

(c) Do not delete third-party information from a record when the subject requests access, except as noted in § 806b.13(d), unless the Air Force covers the record with an established exemption (appendix C of this part). Presume that all information in a file pertains to the subject of the file.

(d) Do not release third-party personal data (such as SSN and home address). This action is not a denial.

(e) Withhold records compiled in connection with a civil action or other proceeding including any action where the Air Force expects judicial or administrative adjudicatory proceedings. This exemption does not cover criminal actions. Do not release attorney work products prepared before, during, or after the action or proceeding.

§806b.14 Denial authorities.

These officials or a designee may deny access or amendment of records. Send a letter to SAF/AAIA with the position titles of designees. You must get SAF/AA approval before delegating this authority to a lower level. Send requests for waiver with justification to SAF/AAIA. Authorities are:

(a) DCSS and chiefs of comparable offices or higher level at SAF or HQ USAF.

(b) MAJCOM or FOA commanders.

(c) HQ USAF/DPCP, Pentagon, Washington, DC 20330-5060 (for civilian personnel records).

(d) Commander, Air Force Office of Special Investigations (AFOSI), Washington, DC 20332-6001 (for AFOSI records).

Subpart E-Amending the Record

§806b.15 Amendment reasons.

Individuals may ask to have their records amended to make them accurate, timely, relevant, or complete.

(a) The MAJCOM or FOA Privacy Act officer reviews the proposed denial, gets a legal opinion from the SJA and written advice from the functional OPR, and makes a recommendation to the denial authority.

(b) The denial authority sends the requester a letter with the decision. If the denial authority approves the request, amend the record and notify all previous recipients that it has been changed. If the authority denies the request, give the requester the statutory authority, reason, and pertinent appeal rights.

§806b.18 Seeking review of unfavor

able agency determinations.

Requesters should pursue record corrections of subjective matters and opinions through proper channels to the Civilian Personnel Office using grievance procedures or the Air Force Board for Correction of Military

Records (AFBCMR). Record correction requests denied by the AFBCMR are not subject to further consideration under this part.

§806b.19 Appeal procedures.

(a) Individuals may request a denial review by writing to the Secretary of the Air Force through the denial authority within 60 calendar days after receiving a denial letter. The denial authority promptly sends a complete appeal package to SAF/AAIA, including:

(1) Original appeal letter.
(2) Initial request.
(3) Initial denial.

(4) Copy of the record.

(5) Any internal records or coordination actions relating to the denial.

(6) Denial authority's comments on the appellant's arguments.

(7) Legal reviews.

(b) If the denial authority reverses an earlier denial and grants access or amendment, notify the requester immediately.

(c) SAF/AAIA reviews the denial and forwards to SAF/GCA for legal review or staffing to grant or deny the appeal. SAF/GCA tells the requester the final Air Force decision and explains judicial review rights.

(d) The requester may file a concise statement of disagreement with the system manager if SAF/GCA denies the request to amend the record. SAF/GCA explains the requester's rights when they issue the final appeal decision.

(1) The records should clearly show that a statement of disagreement is filed with the record or separately.

(2) The disputed part of the record must show that the requester filed a statement of disagreement.

(3) Give copies of the statement of disagreement to the record's previous recipients. Inform subsequent record users about the dispute and give them a copy of the statement with the record.

(4) The system manager may include a brief summary of the reasons for not amending the record. Limit the summary to the reasons SAF/GCA gave to the individual. The summary is part of the individual's record, but it is not subject to amendment procedures.

§ 806b.20 Contents of Privacy Act case files.

Do not keep copies of disputed records in this file. Use the file solely for statistics and to process requests. Do not use the case files to make any kind of determination about an individual. Document reasons for untimely responses. These files include:

(a) Requests from and replies to individuals on whether a system has records about them.

(b) Requests for access or amendment.

(c) Approvals, denials, appeals, and final review actions.

(d) Coordination actions and related papers.

Subpart F-Privacy Act Notifications

8806b.21 When to include a Privacy Act warning statement in publications.

Include a Privacy Act Warning Statement in each Air Force publication that requires collecting or keeping personal information in a system of records. Also include the warning statement when publications direct collection of the SSN from the individual. The warning statement will cite legal authority and the system of records number and title. You can use the following warning statement: "This part requires collecting and maintaining information protected by the Privacy Act of 1974 authorized by (U.S.C. citation and or Executive Order number). System of records notice (number and title) applies.'

§ 806b.22 Publishing system notices.

The Air Force must publish notices in the FEDERAL REGISTER of new, amended, and deleted systems to inform the public of what records the Air Force keeps and give them an opportunity to comment. The Privacy Act also requires submission of new or significantly altered systems to the Office of Management and Budget (OMB) and both houses of the Congress before publication in the FEDERAL REGISTER. This includes:

(a) Starting a new system.

(b) Instituting significant changes to an existing system.

(c) Sending out data collection forms or instructions.

(d) Issuing a request for proposal or invitation for bid to support a new system.

§ 806b.23 Timing of notices.

At least 120 days before the effective start date, system managers must send the system notice to SAF/AAIA on a 5 1/4 or 3 1/2-inch disk in Wordstar (ASCII text file) or Microsoft Word, with a paper copy highlighting any changes through the MAJCOM or FOA Privacy Act Officer. See Appendix B of this part for a sample system notice.

Subpart G-Protecting and
Disposing of Records

§ 806b.24 Protecting records.

Protect information according to its sensitivity level. Consider the personal sensitivity of the information and the risk of loss or alteration. Most information in systems of records is FOR OFFICIAL USE ONLY (FOUO). Refer to AFI 37-1312, 'Air Force Freedom of Information Act Program,' for protection methods.

§ 806b.25 Balancing protection.

Balance additional protection against risk and cost. AF Form 3227, 'Privacy Act Cover Sheet', is available for use with Privacy Act material. For example, a password may be enough protection for an automated system with a log-on protocol. Classified computer systems or those with established audit and password systems are obviously less vulnerable than unprotected files or word processors in offices that are periodically empty. Follow AFI 33-2023, "The Air Force Computer Security Program,' for procedures on safeguarding personal information in automated records.

2 See footnote 1 to section 806b.11, of this part.

3 See footnote 1 to section 806b.11, of this part.