32 C.F.R. Subpart G—Publication Requirements
Title 32 - National Defense
(a) What must be published in the (i) DoD Component Privacy Program rules; (ii) Component exemption rules; and (iii) System notices. (2) See DoD 5025.1–M, “Directives Systems Procedures,” and DoD Directive 5400.9, (32 CFR part 296) “Publication of Proposed and Adopted Regulations Affecting the Public” for information pertaining to the preparation of documents for publication in the (b) The effect of publication in the (c) DoD Component rules. (1) Component Privacy Program procedures and Component exemption rules are subject to the rulemaking procedures prescribed in 32 CFR part 296. (2) System notices are not subject to formal rulemaking and are published in the (3) Privacy procedural and exemption rules are incorporated automatically into the Code of Federal Regulations (CFR). System notices are not published in the CFR. (d) Submission of rules for publication. (1) Submit to the Defense Privacy Office, ODASD(A), all proposed rules implementing this part in proper format (see Appendices E, F and G) for publication in the (2) This part has been published as a final rule in the (3) DoD Component rules that simply implement this part need only be published as final rules in the (4) Amendments to Component rules are submitted like the basic rules. (5) The Defense Privacy Office ODASD(A) submits the rules and amendments thereto to the (e) Submission of exemption rules for publication. (1) No system of records within the Department of Defense shall be considered exempt from any provision of this part until the exemption and the exemption rule for the system has been published as a final rule in the (2) Submit exemption rules in proper format to the Defense Privacy Office ODASD(A). After review, the Defense Privacy Office will submit the rules to the (3) Exemption rules require publication both as proposed rules and final rules (see DoD Directive 5400.9, 32 CFR part 296). (4) Section 310.61 of this subpart discusses the content of an exemption rule. (5) Submit amendments to exemption rules in the same manner used for establishing these rules. (f) Submission of system notices for publication. (1) While system notices are not subject to formal rulemaking procedures, advance public notice must be given before a Component may begin to collect personal information or use a new system of records. The notice procedures require that: (i) The system notice describes the contents of the record system and the routine uses for which the information in the system may be released. (ii) The public be given 30 days to comment on any proposed routine uses before implementation; and (iii) The notice contain the data on which the system will become effective. (2) Submit system notices to the Defense Privacy Office in the Federal Register format (see appendix E). The Defense Privacy Office transmits the notices to the (3) Section 310.62 of this subpart discusses the specific elements required in a system notice. [51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, as amended at 56 FR 57800, Nov. 14, 1991] (a) General procedures. Paragraph (b)(1) of §310.50, subpart F, provides the general guidance for establishing exemptions for systems of records. (b) Contents of exemption rules. (1) Each exemption rule submitted for publication must contain the following: (i) The record system identification and title of the system for which the exemption is claimed (see §310.62 of this subpart); (ii) The specific subsection of the Privacy Act under which exemptions for the system are claimed (for example, 5 U.S.C. 552a(j)(2), 5 U.S.C. 552a(k)(3); or 5 U.S.C. 552a(k)(7); (iii) The specific provisions and subsections of the Privacy Act from which the system is to be exempted (for example, 5 U.S.C. 552a(c)(3), or 5 U.S.C. 552a(d)(1)–(5)) (see appendix D); and (iv) The specific reasons why an exemption is being claimed from each subsection of the Act identified. (2) Do not claim an exemption for classified material for individual systems of records, since the blanket exemption applies (see paragraph (c) of §310.50 of subpart F). [51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, as amended at 56 FR 57800, Nov. 14, 1991] (a) Contents of the system notices. (1) The following data captions are included in each system notice: (i) System identification (see paragraph (b) of this section). (ii) System name (see paragraph (c) of this section). (iii) System location (see paragraph (d) of this section). (iv) Categories of individuals covered by the system (see paragraph (e) of this section). (v) Categories of records in the system (see paragraph (f) of this section). (vi) Authority for maintenance of the system (see paragraph (g) of this section). (vii) Purpose(s) (see paragraph (h) of this section). (viii) Routine uses of records maintained in the system, including categories of users, uses, and purposes of such uses (see paragraph (i) of this section). (ix) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system (see paragraph (j) of this section). (x) Systems manager(s) and address (see paragraph (k) of this section). (xi) Notification procedure (see paragraph (l) of this section). (xii) Record access procedures (see paragraph (m) of this section). (xiii) Contesting records procedures (see paragraph (n) of this section.) (xiv) Record source categories (see paragraph (o) of this section). (xv) Systems exempted from certain provision of the Act (see paragraph (p) of this section). (2) The captions listed in paragraph (a)(1) of this section have been mandated by the Office of Federal Register and must be used exactly as presented. (3) A sample system notice is shown in appendix E. (b) System identification. The system identifier must appear on all system notices and is limited to 21 positions, including Component code, file number and symbols, punctuation, and spacing. (c) System name. (1) The name of the system should reasonably identify the general purpose of the system and, if possible, the general categories of individuals involved. (2) Use acronyms only parenthetically following the title or any portion thereof, such as, “Joint Uniform Military Pay System (JUMPS).” Do not use acronyms that are not commonly known unless they are preceded by an explanation. (3) The system name may not exceed 55 character positions including punctuation and spacing. (d) System location. (1) For systems maintained in a single location provide the exact office name, organizational identity, and address or routing symbol. (2) For geographically or organizationally decentralized systems, specify each level of organization or element that maintains a segment of the system. (3) For automated data systems with a central computer facility and input/output terminals at several geographically separated locations, list each location by category. (4) When multiple locations are identified by type of organization, the system location may indicate that official mailing addresses are contained in an address directory published as an appendix to the Component system notices in the (5) If no address directory is used or the addresses in the directory are incomplete, the address of each location where a segment of the record system is maintained must appear under the “System Location” caption. (6) Classified addresses are not listed, but the fact that they are classified is indicated. (7) Use the standard U.S. Postal Service two letter state abbreviation symbols and zip codes for all domestic addresses. (e) Categories of individuals covered by the system. (1) Set forth the specific categories of individuals to whom records in the system pertain in clear, easily understood, nontechnical terms. (2) Avoid the use of broad over-general descriptions, such as “all Army personnel” or “all military personnel” unless this actually reflects the category of individuals involved. (f) Categories of records in the system. (1) Describe in clear, nontechnical terms the types of records maintained in the system. (2) Only documents actually retained in the system of records shall be described, not source documents that are used only to collect data and then destroyed. (g) Authority for maintenance of the system. (1) Cite the specific provision of the federal statute or Executive Order that authorizes the maintenance of the system. (2) Include with citations for statutes the popular names, when appropriate (for example, Title 51, U.S. Code, section 2103, “Tea-Tasters Licensing Act”), and for Executive Orders, the official title (for example, Executive Order No. 9397, “Numbering System for Federal Accounts Relating to Individual Persons”). (3) Cite the statute or Executive Order establishing the Component for administrative housekeeping records. (4) If the Component is chartered by a DoD Directive, cite that Directive as well as the Secretary of Defense authority to issue the Directive. For example, “Pursuant to the authority contained in the National Security Act of 1947, as amended (10 U.S.C. 133d), the Secretary of Defense has issued DoD Directive 5105.21, the charter of the Defense Intelligence Agency (DIA) as a separate Agency of the Department of Defense under his control. Therein, the Director, DIA, is charged with the responsibility of maintaining all necessary and appropriate records.” (h) Purpose or purposes. (1) List the specific purposes for maintaining the system of records by the Component. (2) Include the uses made of the information within the Component and the Department of Defense (so-called “internal routine uses”). (i) Routine uses. (1) The blanket routine uses (appendix C) that appear at the beginning of each Component compilation apply to all systems notices unless the individual system notice specifically states that one or more of them do not apply to the system. List the blanket routine uses at the beginning of the Component listing of system notices (see paragraph (e)(5) of §310.41 of subpart E). (2) For all other routine uses, when practical, list the specific activity to which the record may be released, to include any routine automated system interface (for example, “to the Department of Justice, Civil Rights Compliance Division,” “to the Veterans Administration, Office of Disability Benefits,” or “to state and local health agencies”). (3) For each routine user identified, include a statement as to the purpose or purposes for which the record is to be released to that activity (see §310.41(e) of subpart E). The routine uses should be compatible with the purpose for which the record was collected or obtained (see §310.3(p), subpart A). (4) Do not use general statements, such as, “to other federal agencies as required” or “to any other appropriate federal agency.” (j) Policies and practices for storing, retiring, accessing, retaining, and disposing of records. This caption is subdivided into four parts: (1) Storage. Indicate the medium in which the records are maintained. (For example, a system may be “automated”, maintained on magnetic tapes or disks, “manual”, maintained in paper files, or “hybrid”, maintained in a combination of paper and automated form.) Storage does not refer to the container or facility in which the records are kept. (2) Retrievability. Specify how the records are retrieved (for example, name and SSN, name, SSN) and indicate whether a manual or computerized index is required to retrieve individual records. (3) Safeguards. List the categories of Component personnel having immediate access and those responsible for safeguarding the records from unauthorized access. Generally identify the system safeguards (such as storage in safes, vaults, locked cabinets or rooms, use of guards, visitor registers, personnel screening, or computer “fail-safe” systems software). Do not describe safeguards in such detail so as to compromise system security. (4) Retention and disposal. Indicate how long the record is retained. When appropriate, also state the length of time the records are maintained by the Component, when they are transferred to a Federal Records Center, length of retention at the Record Center and when they are transferred to the National Archivist or are destroyed. A reference to a Component regulation without further detailed information is insufficient. (k) System manager(s) and address. (1) List the title and address of the official responsible for the management of the system. (2) If the title of the specific official is unknown, such as for a local system, specify the local commander or office head as the systems manager. (3) For geographically separated or organizationally decentralized activities for which individuals may deal directly with officials at each location in exercising their rights, list the position or duty title of each category of officials responsible for the system or a segment thereof. (4) Do not include business or duty addresses if they are listed in the Component address directory. (l) Notification procedures. (1) If the record system has been exempted from subsection (e)(4)(G) of the Privacy Act (5 U.S.C. 552a) (see §310.50)(d), so indicate. (2) For all nonexempt systems, describe how an individual may determine if there are records pertaining to him or her in the system. The procedural rules may be cited, but include a brief procedural description of the needed data. Provide sufficient information in the notice to allow an individual to exercise his or her rights without referral to the formal rules. (3) As a minimum, the caption shall include: (i) The official title (normally the system manager) and official address to which the request is to be directed; (ii) The specific information required to determine if there is a record of the individual in the system. (iii) Identification of the offices through which the individual may obtain access; and (iv) A description of any proof of identity required (see §310.30(c)(1)). (4) When appropriate, the individual may be referred to a Component official who shall provide this data to him or her. (m) Record access procedures. (1) If the record system has been exempted from subsection (e)(4)(H) of the Privacy Act (5 U.S.C. 552a) (see §310.50(d)), so indicate. (2) For all nonexempt records systems, describe the procedures under which individuals may obtain access to the records pertaining to them in the system. (3) When appropriate, the individual may be referred to the system manager or Component official to obtain access procedures. (4) Do not repeat the addresses listed in the Component address directory but refer the individual to that directory. (n) Contesting record procedures. (1) If the record system has been exempted from subsection (e)(4)(H) of the Privacy Act (5 U.S.C. 552a) (see §310.50(d)), so indicate. (2) For all nonexempt systems of records, state briefly how an individual may contest the content of a record pertaining to him or her in the system. (3) The detailed procedures for contesting record accuracy, refusal of access or amendment, or initial review and appeal need not be included if they are readily available elsewhere and can be referred to by the public. (For example, “The Defense Mapping Agency rules for contesting contents and for appealing initial determinations are contained in DMA Instruction 5400.11 (32 CFR part 295c).”) (4) The individual may also be referred to the system manager to determine these procedures. (o) Record source categories. (1) If the record system has been exempted from subsection (e)(4)(I) of the Privacy Act (5 U.S.C. 552a) (see §310.50(d), subpart F), so indicate. (2) For all nonexempt systems of records, list the sources of the information in the system. (3) Specific individuals or institutions need not be identified by name, particularly if these sources have been granted confidentiality (see §310.52(b), subpart F). (p) System exempted from certain provisions of the Act. (1) If no exemption has been claimed for the system, indicate “None.” (2) If there is an exemption claimed indicate specifically under which subsection of the Privacy Act (5 U.S.C. 552a) it is claimed. (3) Cite the regulation and CFR section containing the exemption rule for the system. (For example, “Parts of this record system may be exempt under Title 5 U.S. Code, 552a(k)(2) and (5), as applicable. See exemption rules contained in Army Regulation 340–21 (32 CFR part 505).”) (q) Maintaining the master DoD system notice registry. (1) The Defense Privacy Office, ODASD(A) maintains a master registry of all DoD record systems notices. (2) Coordinate with the Defense Privacy Office, ODASD(A) to ensure that all new systems are added to the master registry and all amendments and alterations are incorporated into the master registry. [51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, as amended at 56 FR 57800, Nov. 14, 1991] (a) Criteria for a new record system. (1) A new system of records is one for which there has been no system notice published in the (2) If a notice for a system of records has been canceled or deleted before reinstating or reusing the system, a new system notice must be published in the (b) Criteria for an altered record system. A system is considered altered whenever one of the following actions occurs or is proposed: (1) A significant increase or change in the number or type of individuals about whom records are maintained. (i) Only changes that alter significantly the character and purpose of the record system are considered alterations. (ii) Increases in numbers of individuals due to normal growth are not considered alterations unless they truly alter the character and purpose of the system; (iii) Increases that change significantly the scope of population covered (for example, expansion of a system of records covering a single command's enlisted personnel to include all of the Component's enlisted personnel would be considered an alteration). (iv) A reduction in the number of individuals covered is not an alteration, but only an amendment (see paragraph (a) of §310.64 of this subpart). (v) All changes that add new categories of individuals to system coverage require a change to the “Categories of individuals covered by the system” caption of the notice (§310.62(e)) and may require changes to the “Purpose(s)” caption (§310.62(h)). (2) An expansion in the types or categories of information maintained. (i) The addition of any new category of records not described under the “Categories of Records in System” caption is considered an alteration. (ii) Adding a new data element which is clearly within the scope of the categories of records described in the existing notice is an amendment (see §310.64(a) of this subpart). (iii) All changes under this criterion require a change to the “Categories of Records in System” caption of the notice (see §310.62(f) of this subpart). (3) An alteration in the manner in which the records are organized or the manner in which the records are indexed and retrieved. (i) The change must alter the nature of use or scope of the records involved (for example, combining records systems in a reorganization). (ii) Any change under this criteria requires a change in the “Retrievability” caption of the system notice (see §310.62(j)(2) of this subpart). (iii) If the records are no longer retrieved by name or personal identifier cancel the system notice (see §310.10(a) of subpart B). (4) A change in the purpose for which the information in the system is used. (i) The new purpose must not be compatible with the existing purposes for which the system is maintained or a use that would not reasonably be expected to be an alteration. (ii) If the use is compatible and reasonably expected, there is no change in purpose and no alteration occurs. (iii) Any change under this criterion requires a change in the “Purpose(s)” caption (see §310.62(h) of this subpart) and may require a change in the “Authority for maintenance of the system” caption (see §310.62(g) of this subpart). (5) Changes that alter the computer environment (such as changes to equipment configuration, software, or procedures) so as to create the potential for greater or easier access. (i) Increasing the number of offices with direct access is an alteration. (ii) Software releases, such as operating systems and system utilities that provide for easier access are considered alterations. (iii) The addition of an on-line capability to a previously batch-oriented system is an alteration. (iv) The addition of peripheral devices such as tape devices, disk devices, card readers, printers, and similar devices to an existing ADP system constitute an amendment if system security is preserved (see paragraph (a) of §310.64 of this subpart). (v) Changes to existing equipment configuration with on-line capability need not be considered alterations to the system if: (A) The change does not alter the present security posture; or (B) The addition of terminals does not extend the capacity of the current operating system and existing security is preserved; (vi) The connecting of two or more formerly independent automated systems or networks together creating a potential for greater access is an alteration. (vii) Any change under this caption requires a change to the “Storage” caption element of the systems notice (see §310.62(j)(1) of this subpart). (c) Reports of new and altered systems. (1) Submit a report of a new or altered system to the Defense Privacy Office before collecting information for or using a new system or altering an existing system (see appendix F and paragraph (d) of this section). (2) The Defense Privacy Office, ODASD(A) coordinates all reports of new and altered systems with the Office of the Assistant Secretary of Defense (Legislative Affairs) and the Office of the General Counsel, Department of Defense. (3) The Defense Privacy Office prepares for the DASD(A)'s approval and signature the transmittal letters sent to OMB and Congress (see paragraph (e) of this section). (d) Time restrictions on the operation of a new or altered system. (1) All time periods begin from the date the DASD(A) signs the transmittal letters (see paragraph (c)(3) of this section). The specific time limits are: (i) 60 days must elapse before data collection forms or formal instructions pertaining to the system may be issued. (ii) 60 days must elapse before the system may become operational; (that is, collecting, maintaining, using, or disseminating records from the system) (see also §310.60(f) of this subpart). (iii) 60 days must elapse before any public issuance of a Request for Proposal or Invitation to Bid for a new ADP or telecommunication system. Note: Requests for delegation of procurement authority may be submitted to the General Services Administration during the 60 days' waiting period, but these shall include language that the Privacy Act reporting criteria have been reviewed and that a system report is required for such procurement. (iv) Normally 30 days must elapse before publication in the (2) Do not operate a system of records until the waiting periods have expired (see §310.103 of subpart K). (e) Outside review of new and altered systems reports. If no objections are received within 30 days of a submission to the President of the Senate, Speaker of the House of Representatives, and the Director, OMB, of a new or altered system report it is presumed that the new or altered systems have been approved as submitted. (f) Exemptions for new systems. See §310.60(e) of this subpart for the procedures to follow in submitting exemption rules for a new system of records. (g) Waiver of time restrictions. (1) The OMB may authorize a federal agency to begin operation of a system of records before the expiration of time limits set forth in §310.63(d) of this subpart. (2) When seeking such a waiver, include in the letter of transmittal to the Defense Privacy Office, ODASD(A) an explanation why a delay of 60 days in establishing the system of records would not be in the public interest. The transmittal must include: (i) How the public interest will be affected adversely if the established time limits are followed; and (ii) Why earlier notice was not provided. (3) When appropriate, the Defense Privacy Office, ODASD(A) shall contact OMB and attempt to obtain the waiver. (i) If a waiver is granted, the Defense Privacy Office, ODASD(A) shall notify the subcommittee and submit the new or altered system notice along with any applicable procedural or exemption rules for publication in the (ii) If the waiver is disapproved, the Defense Privacy Office, ODASD(A) shall process the system the same as any other new or altered system and notify the subcommittee of the OMB decision. (4) Under no circumstances shall the routine uses for new or altered system be implemented before 30 days have elapsed after publication of the system notice containing the routine uses in the [51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, as amended at 56 FR 57800, Nov. 14, 1991] (a) Criteria for an amended system notice. (1) Certain minor changes to published systems notices are considered amendments and not alterations (see §310.63(b) of this subpart). (2) Amendments do not require a report of an altered system (see §310.63(c) of this subpart), but must be published in the (b) System notices for amended systems. When submitting an amendment for a system notice for publication in the (1) The system identification and name (see paragraph (b) and (c) of §310.62 of this subpart). (2) A description of the nature and specific changes proposed. (3) The full text of the system notice is not required if the master registry contains a current system notice for the system (see §310.62(q) of this subpart). (c) Deletion of system notices. (1) Whenever a system is discontinued, combined into another system, or determined no longer to be subject to this part, a deletion notice is required. (2) The notice of deletion shall include: (i) The system identification and name. (ii) The reason for the deletion. (3) When the system is eliminated through combination or merger, identify the successor system or systems in the deletion notice. (d) Submission of amendments and deletions for publication. (1) Submit amendments and deletions to the Defense Privacy Office, ODASD(A) for transmittal to the (2) Include in the submission at least one original (not a reproduced copy) in proper (3) Multiple deletions and amendments may be combined into a single submission. [51 FR 2364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991, as amended at 56 FR 57801, Nov. 14, 1991]
Title 32: National Defense
PART 310—DoD PRIVACY PROGRAM
Subpart G—Publication Requirements
§ 310.60 Federal Register publication.
§ 310.61 Exemption rules.
§ 310.62 System notices.
§ 310.63 New and altered record systems.
§ 310.64 Amendment and deletion of systems notices.
