32 C.F.R. Subpart B—Systems of Records
Title 32 - National Defense
§ 310.10 General.
(a) System of records. To be subject to the provisions of this part a “system of records” must:
(1) Consist of “records” (as defined in §310.3(n)) that are retrieved by the name of an individual or some other personal identifier, and
(2) Be under the control of a DoD Component.
(b) Retrieval practices.
(1) Records in a group of records that may be retrieved by a name or personal identifier are not covered by this part even if the records contain personal data and are under control of a DoD Component. The records must be, in fact, retrieved by name or other personal identifier to become a system of records for the purpose of this part.
(2) If files that are not retrieved by name or personal identifier are rearranged in such manner that they are retrieved by name or personal identifier, a new systems notice must be submitted in accordance with §310.63(c) of subpart G.
(3) If records in a system of records are rearranged so that retrieval is no longer by name or other personal identifier, the records are no longer subject to this part and the system notice for the records shall be deleted in accordance with §310.64(c) of subpart G.
(c) Relevance and necessity. Retain in a system of records only that personal information which is relevant and necessary to accomplish a purpose required by a federal statute or an Executive Order.
(d) Authority to establish systems of records. Identify the specific statute or the Executive Order that authorizes maintaining personal information in each system of records. The existence of a statute or Executive order mandating the maintenance of a system of records does not abrogate the responsibility to ensure that the information in the system of records is relevant and necessary.
(e) Exercise of First Amendment rights.
(1) Do not maintain any records describing how an individual exercises his or her rights guaranteed by the First Amendment of the U.S. Constitution except when: (i) Expressly authorized by federal statute; (ii) Expressly authorized by the individual; or (iii) Maintenance of the information is pertinent to and within the scope of an authorized law enforcement activity.
(2) First Amendment rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition.
(f) System manager's evaluation.
(1) Evaluate the information to be included in each new system before establishing the system and evaluate periodically the information contained in each existing system of records for relevancy and necessity. Such a review shall also occur when a system notice amendment or alteration is prepared (see §§310.63 and 310.64 of subpart G).
(2) Consider the following: (i) The relationship of each item of information retained and collected to the purpose for which the system is maintained; (ii) The specific impact on the purpose or mission of not collecting each category of information contained in the system; (iii) The possibility of meeting the information requirements through use of information not individually identifiable or through other techniques, such as sampling; (iv) The length of time each item of personal information must be retained; (v) The cost of maintaining the information; and (vi) The necessity and relevancy of the information to the purpose for which it was collected.
(g) Discontinued information requirements.
(1) Stop collecting immediately any category or item of personal information for which retention is no longer justified. Also excise this information from existing records, when feasible.
(2) Do not destroy any records that must be retained in accordance with disposal authorizations established under 44 U.S.C. 303a, “Examination by the Administrator of General Services of Lists and Schedules of Records Lacking Preservation Value, Disposal of Records.”
[51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, and amended at 56 FR 57800, Nov. 14, 1991]

§ 310.11 Standards of accuracy.
(a) Accuracy of information maintained. Maintain all personal information that is used or may be used to make any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in making any such determination.
(b) Accuracy determination before dissemination. Before disseminating any personal information from a system of records to any person outside the Department of Defense, other than a federal agency, make reasonable efforts to ensure that the information to be disclosed is accurate, relevant, timely, and complete for the purpose it is being maintained (see also §310.30(d), subpart D and §310.40(d), subpart E).
[51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, and amended at 56 FR 57800, Nov. 14, 1991]

§ 310.12 Government contractors.
(a) Applicability to government contractors.
(1) When a DoD Component contracts for the operation or maintenance of a system of records or a portion of a system of records by a contractor, the record system or the portion of the record system affected are considered to be maintained by the DoD Component and are subject to this part. The Component is responsible for applying the requirements of this part to the contractor. The contractor and its employees are to be considered employees of the DoD Component for purposes of the sanction provisions of the Privacy Act during the performance of the contract. Consistent with the Defense Acquisition Regulation (DAR), §1.327, “Protection of Individual Privacy” contracts requiring the maintenance of a system of records or the portion of a system of records shall identify specifically the record system and the work to be performed and shall include in the solicitation and resulting contract such terms as are prescribed by the DAR.
(2) If the contractor must use or have access to individually identifiable information subject to this part to perform any part of a contract, and the information would have been collected and maintained by the DoD Component but for the award of the contract, these contractor activities are subject to this Regulation.
(3) The restrictions in paragraphs (a) (1) and (2) of §310.12 do not apply to records: (i) Established and maintained to assist in making internal contractor management decisions, such as records maintained by the contractor for use in managing the contract; (ii) Maintained as internal contractor employee records even when used in conjunction with providing goods and services to the Department of Defense; or (iii) Maintained as training records by an educational organization contracted by a DoD Component to provide training when the records of the contract students are similar to and commingled with training records of other students (for example, admission forms, transcripts, academic counselling and similar records); (iv) Maintained by a consumer reporting agency to which records have been disclosed under contract in accordance with the Federal Claims Collection Act of 1966, 31 U.S.C. 952(d).
(4) DoD Components must publish instructions that: (i) Furnish DoD Privacy Program guidance to their personnel who solicit, award, or administer government contracts; (ii) Inform prospective contractors of their responsibilities regarding the DoD Privacy Program; and (iii) Establish an internal system of contractor performance review to ensure compliance with the DoD Privacy Program.
(b) Contracting procedures. The Defense Systems Acquisition Regulatory Council (DSARC) is responsible for developing the specific policies and procedures to be followed when soliciting bids, awarding contracts or administering contracts that are subject to this part.
(c) Contractor compliance. Through the various contract surveillance programs, ensure contractors comply with the procedures established in accordance with paragraph (b) above of this subpart.
(d) Disclosure of records to contractors. Disclosure of personal records to a contractor for use in the performance of any DoD contract by a DoD Component is considered a disclosure within the Department of Defense (see §310.40(b), subpart E). The contractor is considered the agent of the contracting DoD Component and to be maintaining and receiving the records for that Component.
[51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, and amended at 56 FR 57800, Nov. 14, 1991]

§ 310.13 Safeguarding personal information.
(a) General responsibilities. Establish appropriate administrative, technical and physical safeguards to ensure that the records in every system of records are protected from unauthorized alteration or disclosure and that their confidentiality is protected. Protect the records against reasonably anticipated threats or hazards that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom information is kept.
(b) Minimum standards.
(1) Tailor system safeguards to conform to the type of records in the system, the sensitivity of the personal information stored, the storage medium used and, to a degree, the number of records maintained.
(2) Treat all unclassified records that contain personal information that normally would be withheld from the public under Exemption Numbers 6 and 7, of §286.31, subpart D of 32 CFR part 286 (DoD Freedom of Information Act Program) as if they were designated “For Official Use Only” and safeguard them in accordance with the standards established by subpart E of 32 CFR part 286 (DoD FOIA Program) even if they are not actually marked “For Official Use Only.”
(3) Afford personal information that does not meet the criteria discussed in paragraph (c)(3) of this section that degree of security which provides protection commensurate with the nature and type of information involved.
(4) Special administrative, physical, and technical procedures are required to protect data that is stored or being processed temporarily in an automated data processing (ADP) system or in a word processing activity to protect it against threats unique to those environments (see Appendices A and B).
(5) Tailor safeguards specifically to the vulnerabilities of the system.
(c) Records disposal.
(1) Dispose of records containing personal data so as to prevent inadvertent compromise. Disposal methods such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction.
(2) The transfer of large quantities of records containing personal data (for example, computer cards and printouts) in bulk to a disposal activity, such as the Defense Property Disposal Office, is not a release of personal information under this part. The sheer volume of such transfers makes it difficult or impossible to identify readily specific individual records.
(3) When disposing of or destroying large quantities of records containing personal information, care must be exercised to ensure that the bulk of the records is maintained so as to prevent specific records from being readily identified. If bulk is maintained, no special procedures are required. If bulk cannot be maintained or if the form of the records makes individually identifiable information easily available, dispose of the record in accordance with paragraph (c)(1) of this section.
Title 32: National Defense
PART 310—DoD PRIVACY PROGRAM
Subpart B—Systems of Records
§ 310.10 General.
§ 310.11 Standards of accuracy.
§ 310.12 Government contractors.
§ 310.13 Safeguarding personal information.

