32 C.F.R. PART 323—DEFENSE LOGISTICS AGENCY PRIVACY PROGRAM
Title 32 - National Defense
Authority: Privacy Act of 1974, Pub. L. 93–579, Stat. 1896 (5 U.S.C. 552a).
Source: DLAR 5400.21, 51 FR 33595, Sept. 22, 1986, unless otherwise noted. Redesignated at 56 FR 57803, Nov. 14, 1991.
This part 323 implements the Privacy Act of 1974 (5 U.S.C. 552a) and DoD Directive and DoD Regulation 5400.11, Department of Defense Privacy Program (32 CFR part 286a). It applies to Headquarters, Defense Logistics Agency (HQ DLA) and all DLA field activities. It is the policy of DLA to safeguard personal information contained in any system of records maintained by DLA activities and to make that information available to the individual to whom it pertains to the maximum extent practicable. DLA policy specifically requires that DLA activities: (a) Collect, maintain, use, and disseminate personal information only when it is relevant and necessary to achieve a purpose required by statute or Executive Order. (b) Collect personal information directly from the individuals to whom it pertains to the greatest extent practical. (c) Inform individuals who are asked to supply personal information for inclusion in any system of records: (1) The authority for the solicitation. (2) Whether furnishing the information is mandatory or voluntary. (3) The intended uses of the information. (4) The routine disclosures of the information that may be made outside DoD. (5) The effect on the individual of not providing all of any part of the requested information. (d) Ensure that all records used in making determinations about individuals are accurate, relevant, timely, and complete. (e) Make reasonable efforts to ensure that records containing personal information are accurate, relevant, timely, and complete for the purposes for which they are being maintained before making them available to any recipients outside DoD, other than a Federal agency, unless the disclosure is made under DLAR 5400.14, DLA Freedom of Information Act Program (32 CFR part 1285). (f) Keep no record that describes how individuals exercise their rights guaranteed by the First Amendment of the U.S. Constitution, unless expressly authorized by statute or by the individual to whom the records pertain or is pertinent to and within the scope of an authorized law enforcement activity. (g) Make reasonable efforts, when appropriate, to notify individuals whenever records pertaining to them are made available under compulsory legal process, if such process is a matter of public record. (h) Establish safeguards to ensure the security of personal information and to protect this information from threats or hazards that might result in substantial harm, embarrassment, inconvenience, or unfairness to the individual. (i) Establish rules of conduct for DoD personnel involved in the design, development, operation, or maintenance of any system of records and train them in these rules of conduct. (j) Assist individuals in determining what records pertaining to them are being collected, maintained, used, or disseminated. (k) Permit individual access to the information pertaining to them maintained in any system of records, and to correct or amend that information, unless an exemption for the system has been properly established for an important public purpose. (l) Provide, on request, an accounting of all disclosures of the information pertaining to them except when disclosures are made: (1) To DoD personnel in the course of their official duties. (2) Under 32 CFR part 1285 (DLAR 5400.14). (m) Advise individuals on their rights to appeal any refusal to grant access to or amend any record pertaining to them, and to file a statement of disagreement with the record in the event amendment is refused. [DLAR 5400.21, 51 FR 33595, Sept. 22, 1986, unless otherwise noted. Redesignated at 56 FR 57803, Nov. 14, 1991, as amended at 66 FR 41781, Aug. 9, 2001] (a) Access. The review of a record or a copy of a record or parts thereof in a system of records by any individual. (b) Agency. For the purpose of disclosing records subject to the Privacy Act among DoD Components, the Department of Defense is considered a single agency. For all other purposes including applications for access and amendment, denial of access or amendment, appeals from denials, and recordkeeping as regards release to non-DoD agencies, DLA is considered an agency within the meaning of the Privacy Act. (c) Confidential source. A person or organization who has furnished information to the Federal Government under an express promise that the person's or the organization's identity will be held in confidence or under an implied promise of such confidentiality if this implied promise was made before September 27, 1975. (d) Disclosure. The transfer of any personal information from a system of records by any means of communication to any person, private entity, or Government agency, other than the subject of the record, the subject's designated agent or the subject's legal guardian. (e) Individual. A living citizen of the United States or an alien lawfully admitted to the United States for permanent residence. The legal guardian of an individual has the same rights as the individual and may act on his or her behalf. (f) Individual access. Access to information pertaining to the individual by the individual or his or her designated agent or legal guardian. (g) Maintain. Includes maintain, collect, use, or disseminate. (h) Member of the public. Any individual or party acting in a private capacity to include Federal employees or military personnel. (i) Official use. Within the context of this part, this term is used when officials and employees of a DLA activity have a demonstrated need for the use of any record or the information contained therein in the performance of their official duties. (j) Personal information. Information about an individual that is intimate or private to the individual, as distinguished from information related solely to the individual's official functions or public life. (k) Privacy Act. The Privacy Act of 1974, as amended, 5 U.S.C. 552a. (l) Privacy Act request. A request from an individual for notification as to the existence of, access to, or amendment of records pertaining to that individual. These records must be maintained in a system of records. The request must indicate that it is being made under the Privacy Act to be considered a Privacy Act request. (m) Record. Any item, collection, or grouping of information about an individual that is maintained by DLA, including, but not limited to, the individual's education, financial transactions, medical history, and criminal or employment history, and that contains the individual's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. (n) Risk assessment. An analysis considering information sensitivity, vulnerabilities, and the cost to a computer facility or word processing activity in safeguarding personal information processed or stored in the facility or activity. (o) Routine use. The disclosure of a record outside DoD for a use that is compatible with the purpose for which the information was collected and maintained by DoD. The routine use must be included in the published system notice for the system of records involved. (p) Statistical record. A record maintained only for statistical research or reporting purposes and not used in whole or in part in making determinations about specific individuals. (q) System of Records. A group of records under the control of a DLA activity from which information is retrieved by the individual's name or by some identifying number, symbol, or other identifying particular assigned to the individual. System notices for all Privacy Act systems of records must be published in the (a) Headquarters Defense Logistics Agency. (1) The Staff Director, Corporate Communications, DLA Support Services (DSS-C) will: (i) Formulate policies, procedures, and standards necessary for uniform compliance with the Privacy Act by DLA activities. (ii) Serve as the DLA Privacy Act Officer and DLA representative on the Defense Privacy Board. (iii) Maintain a master registry of system notices published by DLA. (iv) Develop or compile the rules, notices, and reports required under this part. (v) Establish training programs for all individuals with public affairs duties, and all other personnel whose duties require access to or contact with systems of records affected by the Privacy Act. Initial training will be given to new employees and military members upon assignment. Refresher training will be provided annually or more frequently if conditions warrant. (2) The General Counsel, DLA (DLA-GC) will: (i) Serve as the appellate authority for denials of individual access and amendment of records. (ii) Provide representation to the Defense Privacy Board Legal Committee. (iii) Advise the Defense Privacy Office on the status of DLA privacy litigation. (3) The DLA Chief Information Office (J–6) will formulate and implement protective standards for personal information maintained in automated data processing systems and facilities. (b) The Heads of DLA Primary Level Field Activities (PLFAs) will: (1) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information. (2) Designate a Privacy Act Officer to serve as the principal point of contact on privacy matters. (3) Ensure the internal operating procedures provide for effective compliance with the Privacy Act. (4) Establish training programs for all individuals with public affairs duties, and all other personnel whose duties require access to or contact with systems of records affected by the Privacy Act. Initial training will be given to new employees and military members upon assignment. Refresher training will be provided annually or more frequently if conditions warrant. [DLAR 5400.21, 51 FR 33595, Sept. 22, 1986, unless otherwise noted. Redesignated at 56 FR 57803, Nov. 14, 1991, as amended at 66 FR 41781, Aug. 9, 2001] (a) Individual access. (1) The access provisions of this part are intended for use by individuals whose records are maintained in systems of records. Release of personal information to individuals under this part is not considered public release of information. (2) Individuals will address requests for access to personal information about themselves in a system of records to the system manager or to the office designated in the system notice. Before being granted access to personal data, an individual may be required to provide reasonable verification of his or her identity. Identity verification procedures will be simple so as not to discourage individuals from seeking access to information about themselves; or be required of an individual seeking access to records which normally would be available under 32 CFR part 1285 (DLAR 5400.14). (i) Normally, when individuals seek personal access to records pertaining to themselves, identification will be made from documents that normally are readily available, such as employee and military identification cards, driver's license, other licenses, permits, or passes used for routine identification purposes. (ii) When access is requested by mail, identity verification may consist of the individual providing certain minimum identifying data, such as full name, date and place of birth, or such other personal information necessary to locate the record sought. If the information sought is sensitive, additional identifying data may be required. If notarization of requests is required, procedures will be established for an alternate method of verification for individuals who do not have access to notary services, such as military members overseas. (3) If an individual wishes to be accompanied by a third party when seeking access to his or her records or to have the records released directly to a third party, the individual may be required to furnish a signed access authorization granting the third party access. An individual will not be refused access to his or her record solely for failure to divulge his or her social security number (SSN) unless it is the only method by which retrieval can be made. The individual is not required to explain or justify his or her need for access to any record under this part. (4) Disclose medical records to the individual to whom they pertain, even if a minor, unless a judgment is made that access to such records could have an adverse effect on the mental or physical health of the individual. Normally, this determination will be made in consultation with a medical doctor. If it is determined that the release of the medical information may be harmful to the mental or physical health of the individual, send the record to a physician named by the individual and in the transmittal letter to the physician, explain why access by the individual without proper professional supervision could be harmful (unless it is obvious from the record). Do not require the physician to request the records for the individual. If the individual refuses or fails to designate a physician, the record will not be provided. Such refusal of access is not considered a denial for reporting purposes. (5) Requests by individuals for access to investigatory records pertaining to themselves and compiled for law enforcement purposes are processed under this part or 32 CFR part 1285 depending on which part gives them the greatest degree of access. (6) Certain documents under the physical control of DoD personnel and used to assist them in performing official functions, are not considered “agency records” within the meaning of this part. Uncirculated personal notes and records that are not disseminated or circulated to any person or organization (for example, personal telephone lists or memory aids) that are retained or discarded at the author's discretion and over which DLA exercises no direct control, are not considered agency records. However, if personnel are officially directed or encouraged, either in writing or orally, to maintain such records, they may become “agency records,” and may be subject to the Privacy Act of 1974 (5 U.S.C. 552a) and this part. (7) Acknowledge requests for access within 10 working days after receipt and provide access within 30 working days. (b) Denial of individual access. (1) Individuals may be formally denied access to a record pertaining to them only if the record was compiled in reasonable anticipation of civil action; is in a system of records that has been exempted from the access provisions of this part under one of the permitted exemptions; contains classified information that has been exempted from the access provision of this part under the blanket exemption for such material claimed for all DoD records systems; or is contained in a system of records for which access may be denied under some other Federal statute. Only deny the individual access to those portions of the records from which the denial of access serves some legitimate Governmental purpose. (2) An individual may be refused access if the record is not described well enough to enable it to be located with a reasonable amount of effort on the part of an employee familiar with the file; or access is sought by an individual who fails or refuses to comply with the established procedural requirements, including refusing to name a physician to receive medical records when required or to pay fees. Always explain to the individual the specific reason access has been refused and how he or she may obtain access. (3) Formal denials of access must be in writing and include as a minimum: (i) The name, title or position, and signature of the appropriate Head of the HQ DLA principal staff element or primary level field activity. (ii) The date of the denial. (iii) The specific reason for the denial, including specific citation to the appropriate sections of the Privacy Act of 1974 (5 U.S.C. 552a) or other statutes, this part, or DLAR 5400.21 authorizing the denial. (iv) Notice to the individual of his or her right to appeal the denial within 60 calendar days of the date of the denial letter and to file any such appeal with the HQ DLA Privacy Act Officer, Defense Logistics Agency (DSS-CA), 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060–6221. (4) DLA will process all appeals within 30 days of receipt unless a fair an equitable review cannot be made within that period. The written appeal notification granting or denying access is the final DLA action on access. (5) The records in all systems of records maintained in accordance with the Office of Personnel Management (OPM) Government-wide system notices are technically only in the temporary custody of DLA. All requests for access to these records must be processed in accordance with the Federal Personnel Manual (5 CFR parts 293, 294, 297 and 735) as well as this part. DLA–GC is responsible for the appellate review of denial of access to such records. (c) Amendment of records. (1) Individuals are encouraged to review the personal information being maintained about them by DLA and to avail themselves of the procedures established by this part to update their records. An individual may request the amendment of any record contained in a system of records pertaining to him or her unless the system of record has been exempted specifically from the amendment procedures of this part. Normally, amendments under this part are limited to correcting factual matters and not matters of official judgment, such as performance ratings promotion potential, and job performance appraisals. (2) The applicant must adequately support his or her claim and may be required to provide identification to ensure that they are indeed seeking to amend a record pertaining to themselves and not, inadvertently or intentionally, the record of others. Consider the following factors when evaluating the sufficiency of a request to amend: (i) The accuracy of the information itself. (ii) The relevancy, timeliness, completeness, and necessity of the recorded information for accomplishing an assigned mission or purpose. (3) Provide written acknowledgement of a request to amend within 10 working days of its receipt by the appropriate systems manager. There is no need to acknowledge a request if the action is completed within 10 working days and the individual is so informed. The letter of acknowledgement shall clearly identify the request and advise the individual when he or she may expect to be notified of the completed action. Only under the most exceptional circumstances will more than 30 days be required to reach a decision on a request to amend. (4) If the decision is made to grant all or part of the request for amendment, amend the record accordingly and notify the requester. Notify all previous recipients of the information, as reflected in the disclosure accounting records, that an amendment has been made and the substance of the amendment. Recipients who are known to be no longer retaining the information need not be advised of the amendment. All DoD Components and Federal agencies known to be retaining the record or information, even if not reflected in disclosure records, will be notified of the amendment. Advise the requester of these notifications, and honor all requests by the requester to notify specific Federal agencies of the amendment action. (5) If the request for amendment is denied in whole or in part, promptly advise the individual in writing of the decision to include: (i) The specific reason and authority for not amending. (ii) Notification that he or she may seek further independent review of the decision by filing an appeal with the HQ DLA Privacy Act Officer, Defense Logistics Agency (DSS-CA), 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060–6221, and including all supporting materials. (6) DLA will process all appeals within 30 days unless a fair review cannot be made within this time limit. (i) If the appeal is granted, DLA will promptly notify the requester and system manager of the decision. The system manager will amend the record(s) as directed and ensure that all prior known recipients of the records who are known to be retaining the record are notified of the decision and the specific nature of the amendment and that the requester is notified as to which DoD Components and Federal agencies have been told of the amendment. (ii) If the appeal is denied completely or in part, the individual is notified in writing by the reviewing official that: (A) The appeal has been denied and the specific reason and authority for the denial. (B) The individual may file a statement of disagreement with the appropriate authority and the procedures for filing this statement. (C) If filed properly, the statement of disagreement shall be included in the records, furnished to all future recipients of the records, and provided to all prior recipients of the disputed records who are known to hold the record. (D) The individual may seek a judicial review of the decision not to amend. (7) The records in all systems of records controlled by the Office of Personnel Management (OPM) Government-wide system notices are technically only temporarily in the custody of DLA. All requests for amendment of these records must be processed in accordance with the Federal Personnel Manual (FPM). A DLA denial authority may deny a request. However, the appeal process for all such denials must include a review by the Assistant Director for Agency Compliance and Evaluation, Office of Personnel Management, 1900 E Street, NW., Washington, DC 20415. When an appeal is received from a DLA denial of amendment of the OPM controlled record, process the appeal in accordance with the FPM and notify the OPM appeal authority listed above. The individual may appeal any DLA decision not to amend the OPM records directly to OPM. OPM is the final review authority for any appeal from a denial to amend the OPM records. (8) If the reviewing authority refuses to amend the record as requested, the individual may submit a concise statement of disagreement setting forth his or her reasons for disagreeing with the decision not to amend. (i) If an individual chooses to file a statement of disagreement, annotate the record to indicate that the statement has been filed. Furnish copies of the statement of disagreement to all DoD Components and Federal agencies that have been provided copies of the disputed information and who may be maintaining the information. (ii) When possible, incorporate the statement of disagreement into the record. If the statement cannot be made a part of the record, establish procedures to ensure that it is apparent from the records that a statement of disagreement has been filed and maintain the statement so that it can be obtained readily when the disputed information is used or disclosed. Automated record systems that are not programmed to accept statements of disagreement shall be annotated or coded so that they clearly indicate that a statement of disagreement is on file, and clearly identify the statement with the disputed information in the system. Provide a copy of the statement of disagreement whenever the disputed information is disclosed for any purpose. (9) A summary of reasons for refusing to amend may be included with any record for which a statement of disagreement is filed. Include in this summary only the reasons furnished to the individual for not amending the record. Do not include comments on the statement of disagreement. Normally, the summary and statement of disagreement are filed together. When disclosing information for which a summary has been filed, a copy of the summary may be included in the release, if desired. (d) Documentation. Establish a separate Privacy Case File to retain the documentation received and generated during the amendment or access process. There is no need to establish a Privacy Case File if the individual has not cited the Privacy Act or this part. Privacy Case Files shall not be furnished or disclosed to anyone for use in making any determination about the individual other than determinations made under this part. Only the items listed below may be included in the system of records challenged for amendment or for which access is sought. Do not retain copies of unamended records in the basis record system if the request for amendment is granted. (1) The following items relating to an amendment request may be included in the disputed record system: (i) Copies of the amended record. (ii) Copies of the individual's statement of disagreement. (iii) Copies of activity summaries. (iv) Supporting documentation submitted by the individual. (2) The following items relating to an access request may be included in the basic records system: (i) Copies of the request. (ii) Copies of the activity action granting total access. (Note: A separate Privacy Case File need not be created in such cases.) (iii) Copies of the activity action denying access. (iv) Copies of any appeals filed. (v) Copies of the reply to the appeal. (e) Fees. An individual may be charged only for the direct cost of copying and reproduction, computed using the appropriate portions of the fee schedule in DLAR 5400.14 (32 CFR part 1285) under the provisions of this part. Normally, fees are waived automatically if the direct costs of a given request is less than $30. This fee waiver provision does not apply when a waiver has been granted to the individual before, and later requests appear to be an extension or duplication of that original request. DLA activities may, however, set aside this automatic fee waiver provision when on the basis of good evidence it determines that the waiver of fees is not in the public interest. Decisions to waive or reduce fees that exceed the automatic waiver threshold will be made on a case-by-case basis. Fees may not be charged when: (1) Copying is performed for the convenience of the Government or is the only means to make the record available to the individual. (2) The record may be obtained without charge under any other part, directive, or statute. (3) Providing documents to members of Congress for copying records furnished even when the records are requested under the Privacy Act on behalf of a constituent. (f) Disclosures of personal information. (1) For the purposes of disclosure and disclosure accounting, the Department of Defense is considered a single agency. Records pertaining to an individual may be disclosed without the consent of the individual to any DoD official who has need for the record in the performance of his or her assigned duties. Do not disclose personnel information from a system of records outside the Department of Defense unless the record has been requested by the individual to whom it pertains; the written consent of the individual to whom the record pertains has been obtained for release of the record to the requesting agency, activity, or individual; or the release is for one of the specific nonconsensual purposes set forth in this part or DLAR 5400.14, (32 CFR part 1285). (2) Except for releases made in accordance with DLAR 5400.14, (32 CFR part 1285) before disclosing any personal information to any recipient outside DoD other than a Federal agency or the individual to whom it pertains; (i) Ensure that the records are accurate, timely, complete, and relevant for agency purposes. (ii) Contact the individual, if reasonably available, to verify the accuracy, timeliness, completeness, and relevancy of the information, if this cannot be determined from the record. (iii) If the information is not current and the individual is not reasonably available, advise the recipient that the information is believed accurate as of a specific date and any other known factors bearing on its accuracy and relevancy. (3) All records must be disclosed if their release is required by the Freedom of Information Act. DLAR 5400.14, (32 CFR part 1285) requires that records be made available to the public unless exempted from disclosure by one of the nine exemptions found in the Freedom of Information Act. The standard for exempting most personal records, such as personnel records, medical records, and similar records, is found in DLAR 5400.14 (32 CFR part 1285). Under the exemption, release of personal information can only be denied when its release would be a ‘clearly unwarranted invasion of personal privacy.’ (i) All disclosures of personal information regarding Federal civilian employees will be made in accordance with the Federal Personnel Manual. Some examples of personal information regarding DoD civilian employees that normally may be released without a clearly unwarranted invasion of personal privacy include: (A) Name. (B) Present and past position titles. (C) Present and past grades. (D) Present and past salaries. (E) Present and past duty stations. (F) Office and duty telephone numbers. (ii) All release of personal information regarding military members shall be made in accordance with the standards established by DLAR 5400.14, (32 CFR part 1285). While it is not possible to identify categorically information that must be released or withheld from military personnel records in every instance, the following items of personal information regarding military members normally may be disclosed without a clearly unwarranted invasion of their personal privacy: (A) Full name. (B) Rank. (C) Date of rank. (D) Gross salary. (E) Past duty assignments. (F) Present duty assignment. (G) Future assignments that are officially established. (H) Office or duty telephone numbers. (I) Source of commission. (J) Promotion sequence number. (K) Awards and decorations. (L) Attendance at professional military schools. (M) Duty status at any given time. (iii) All releases of personal information regarding civilian personnel not subject to the FPM shall be made in accordance with the standards established by DLAR 5400.14 (32 CFR part 1285). While it is not possible to identify categorically those items of personal information that must be released regarding civilian employees not subject to the FPM, such as nonappropriated fund employees, normally the following items may be released without a clearly unwarranted invasion of personal privacy: (A) Full name. (B) Grade or position. (C) Date of grade. (D) Gross salary. (E) Present and past assignments. (F) Future assignments, if officially established. (G) Office or duty telephone numbers. (4) A request for a home address or telephone number may be referred to the last known address of the individual for a direct reply by him or her to the requester. In such cases the requester will be notified of the referral. The release of home addresses and home telephone numbers normally is considered a clearly unwarranted invasion of personal privacy and is prohibited. However, these may be released without prior specific consent of the individual if: (i) The individual has indicated previously that he or she has no objection to their release. (ii) The source of the information to be released is a public document such as commercial telephone directory or other public listing. (iii) The release is required by Federal statute (for example, pursuant to Federally-funded state programs to locate parents who have defaulted on child support payments (42 U.S.C. section 653).) (iv) The releasing official releases the information under the provisions of DLAR 5400.14, (32 CFR part 1285). (5) Records may be disclosed outside DoD without consent of the individual to whom they pertain for an established routine use. Routine uses may be established, discontinued, or amended without the consent of the individuals involved. However, new or changed routine uses must be published in the 1 Copies may be obtained from the Defense Logistics Agency, ATTN: DSS-CV, 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060–6221. (6) Records in DLA systems of records may be disclosed without the consent of the individuals to whom they pertain to the Bureau of the Census for purposes of planning or carrying out a census survey or related activities. (7) Records may be disclosed for statistical research and reporting without the consent of the individuals to whom they pertain. Before such disclosures, the recipient must provide advance written assurance that the records will be used as statistical research or reporting records; the records will only be transferred in a form that is not individually identifiable; and the records will not be used, in whole or in part, to make any determination about the rights, benefits, or entitlements of specific individuals. A disclosure accounting is not required. (8) Records may be disclosed without the consent of the individual to whom they pertain to the National Archives and Records Administration (NARA) if they have historical or other value to warrant continued preservation; or for evaluation by NARA to determine if a record has such historical or other value. Records transferred to a Federal Record Center (FRC) for safekeeping and storage do not fall within this category. These remain under the control of the transferring activity, and the FRC personnel are considered agents of the activity which retain control over the records. No disclosure accounting is required for the transfer of records to FRCs. (9) Records may be disclosed without the consent of the individual to whom they pertain to another agency or an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, provided the civil or criminal law enforcement activity is authorized by law; the head of the law enforcement acitivity or a designee has made a written request specifying the particular records desired and the law enforcement purpose (such as criminal investigations, enforcement of civil law, or a similar propose) for which the record is sought; and there is no Federal statute that prohibits the disclosure of the records. Normally, blanket requests for access to any and all records pertaining to an individual are not honored. When a record is released to a law enforcement activity, maintain a disclosure accounting. This disclosure accounting will not be made available to the individual to whom the record pertains if the law enforcement activity requests that the disclosure not be released. (10) Records may be disclosed without the consent of the individual to whom they pertain if disclosure is made under compelling circumstances affecting the health or safety of any individual. The affected individual need not be the subject of the record disclosed. When such a disclosure is made, notify the individual who is the subject of the record. Notification sent to the last known address of the individual as reflected in the records is sufficient. (11) Records may be disclosed without the consent of the individual to whom they pertain to either House of the Congress or to any committee, joint committee or subcommittee of Congress if the release pertains to a matter within the jurisdiction of the committee. Records may also be disclosed to the General Accounting Office (GAO) in the course of the activities of GAO. (12) Records may be disclosed without the consent of the person to whom they pertain under a court order signed by a judge of a court of competent jurisdiction. Releases may also be made under the compulsory legal process of Federal or state bodies having authority to issue such process. (i) When a record is disclosed under this provision, make reasonable efforts to notify the individual to whom the record pertains, if the legal process is a matter of public record. (ii) If the process is not a matter of public record at the time it is issued, seek to be advised when the process is made public and make reasonable efforts to notify the individual at that time. (iii) Notification sent to the last known address of the individual as reflected in the records is considered reasonable effort to notify. Make a disclosure accounting each time a record is disclosed under a court order or compulsory legal process. (13) Certain personal information may be disclosed to consumer reporting agencies as defined by the Federal Claims Collection Act. Information which may be disclosed to a consumer reporting agency includes: (i) Name, address, taxpayer identification number (SSN), and other information necessary to establish the identity of the individual. (ii) The amount, status, and history of the claim. (iii) The agency or program under which the claim arose. (g) Disclosure accounting. (1) Keep an accurate record of all disclosures made from any system of records except disclosures to DoD personnel for use in the performance of their official duties or under DLAR 5400.14 (32 CFR part 1285). In all other cases a disclosure accounting is required even if the individual has consented to the disclosure of the information pertaining to him or her. (2) Use any system of disclosure accounting that will provide the necessary disclosure information. As a minimum, disclosure accounting will contain the date of the disclosure, a description of the information released, the purpose of the disclosure, the name and address of the person or agency to whom the disclosure was made. When numerous similar records are released (such as transmittal of payroll checks to a bank), identify the category of records disclosed and include the data required in some form that can be used to construct an accounting disclosure record for individual records if required. Retain disclosure accounting records for 5 years after the disclosure or the life of the record, whichever is longer. (3) Make available to the individual to whom the record pertains all disclosure accountings except when the disclosure has been made to a law enforcement activity and the law enforcement activity has requested that disclosure not be made, or the system of records has been exempted from the requirement to furnish the disclosure accounting. If disclosure accountings are not maintained with the record and the individual requests access to the accounting, prepare a listing of all disclosures and provide this to the individual upon request. (h) Collecting personal information. (1) Collect to the greatest extent practicable personal information directly from the individual to whom it pertains if the information may be used in making any determination about the rights, privileges, or benefits of the individual under any Federal program. (2) When an individual is requested to furnish personal information about himself or herself for inclusion in a system of records, a Privacy Act Statement is required regardless of the medium used to collect the information (forms, personal interviews, stylized formats, telephonic interviews, or other methods). The statement enables the individual to make an informed decision whether to provide the information requested. If the personal information solicited is not to be incorporated into a system of records, the statement need not be given. The Privacy Act Statement shall be concise, current, and easily understood. It must include: (i) The specific Federal statute or Executive Order that authorizes collection of the requested information. (ii) The principal purpose or purposes for which the information is to be used. (iii) The routine uses that will be made of the information. (iv) Whether providing the information is voluntary or mandatory. (v) The effects on the individual if he or she chooses not to provide the requested information. (3) The Privacy Act Statement may appear as a public notice (sign or poster), conspicuously displayed in the area where the information is collected, such as at check-cashing facilities or identification photograph facilities. The individual normally is not required to sign the Privacy Act Statement. Provide the individual a written copy of the Privacy Act Statement upon request. This must be done regardless of the method chosen to furnish the initial advisement. (4) Include in the Privacy Act Statement specifically whether furnishing the requested personal data is mandatory or voluntary. A requirement to furnish personal data is mandatory only when a Federal statute, Executive order, regulation, or other lawful order specifically imposes a duty on the individual to provide the information sought, and the individual is subject to a penalty if he or she fails to provide the requested information. If providing the information is only a condition of a prerequisite to granting a benefit or privilege and the individual has the option of requesting the benefit or privilege, providing the information is always voluntary. However, the loss or denial of the privilege, benefit, or entitlement sought may be listed as a consequence of not furnishing the requested information. (5) It is unlawful for any Federal, state, or local government agency to deny an individual any right, benefit, or privilege provided by law because the individual refuses to provide his or her social security number (SSN). However, if a Federal statute requires that the SSN be furnished or if the SSN is required to verify the identity of the individual in a system of records that was established and in use before January 1, 1975, and the SSN was required as an identifier by a statute or regulation adopted before that date, this restriction does not apply. (i) When an individual is requested to provide his or her SSN, he or she must be told: (A) The uses that will be made of the SSN. (B) The statute, regulation, or rule authorizing the solicitation of the SSN. (C) Whether providing the SSN is voluntary or mandatory. (ii) Include in any systems notice for any system of records that contains SSNs a statement indicating the authority for maintaining the SSN and the source of the SSNs in the system. If the SSN is obtained directly from the individual indicate whether this is voluntary or mandatory. (iii) Upon entrance into Military Service of civilian employment with DoD, individuals are asked to provide their SSNs. The SSN becomes the service or employment number for the individual and is used to establish personnel, financial, medical, and other official records. After an individual has provided his or her SSN for the purpose of establishing a record, a Privacy Act Statement is not required if the individual is only requested to furnish or verify the SSNs for identification purposes in connection with the normal use of his or her records. However, if the SSN is to be written down and retained for any purpose by the requesting official, the individual must be provided a Privacy Act Statement. (6) DLAI 5530.1, Publications, Forms, Printing, Duplicating, Micropublishing, Office Copying, and Automated Information Management Programs,2 2 Copies may be obtained from the Defense Logistics Agency, ATTN: DSS-CV, 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060–6221. (i) Systems of records. (1) To be subject to this part, a “system of records” must consist of records retrieved by the name of an individual or some other personal identifier and be under the control of a DLA activity. Records in a group of records that may be retrieved by a name or personal identifier are not covered by this part. The records must be, in fact, retrieved by name or other personal identifier to become a system of records for the purpose of this part. (2) Retain in a system of records only that personal information which is relevant and necessary to accomplish a purpose required by a Federal statute or an Executive Order. The existence of a statute or Executive order mandating that maintenance of a system of records does not abrogate the responsibility to ensure that the information in the system of records is relevant and necessary. (3) Do not maintain any records describing how an individual exercises his or her rights guaranteed by the First Amendment of the U.S. Constitution unless expressly authorized by Federal statute or the individual. First Amendment rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition. (4) Maintain all personal information used to make any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in making any such determination. Before disseminating any personal information from a system of records to any person outside DoD, other than a Federal agency, make reasonable efforts to ensure that the information to be disclosed is accurate, relevant, timely, and complete for the purpose it is being maintained. (5) Establish appropriate administrative, technical and physical safeguards to ensure that the records in every system of records are protected from unauthorized alteration or disclosure and that their confidentiality is protected. Protect the records against reasonably anticipated threats or hazards. Tailor safeguards specifically to the vulnerabilities of the system and the type of records in the system, the sensitivity of the personal information stored, the storage medium used and, to a degree, the number of records maintained. (i) Treat all unclassified records that contain personal information that normally would be withheld from the public as if they were designated “For Official Use Only” and safeguard them in accordance with the standards established by DLAR 5400.14 (32 CFR part 1285) even if they are not marked “For Official Use Only.” (ii) Special administrative, physical, and technical procedures are required to protect data that are stored or being processed temporarily in an automated data processing (ADP) system or in a word processing activity to protect it against threats unique to those environments (see DLAR 5200.17, Security Requirements for Automated Information and Telecommunications Systems,3 3 Copies may be obtained from the Defense Logistics Agency, ATTN: DSS-CV, 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060–6221. (6) Dispose of records containing personal data so as to prevent inadvertent compromise. Disposal methods such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction. (i) The transfer of large quantities of records containing personal data (for example, computer cards and printouts) in bulk to a disposal activity, such as the Defense Property Disposal Office, is not a release of personal information under this part. The sheer volume of such transfers makes it difficult or impossible to identify readily specific individual records. (ii) When disposing of or destroying large quantities of records containing personal information, care must be exercised to ensure that the bulk of the records is maintained so as prevent specific records from being readily identified. If bulk is maintained, no special procedures are required. (7) When DLA contracts for the operation or maintenance of a system of records or a portion of a system of records by a contractor, the record system or the portion of the record system affected are considered to be maintained by DLA and are subject to this part. The activity concerned is responsible for applying the requirements of this part to the contractor. The contractor and its employees are to be considered employees of DLA for purposes of the sanction provisions of the Privacy Act during the performance of the contract. See the Federal Acquisition Regulation (FAR), section 24.000 (48 CFR chapter 1). (j) System Notices. (1) A notice of the existence of each system of records must be published in the (i) The system notice describes the contents of the record system and the routine uses for which the information in the system may be released. (ii) The public be given 30 days to comment on any proposed routine uses before implementation. (iii) The notice contains the date on which the system will become effective. (2) Appendix A of this part discusses the specific elements required in a system notice. DLAH 5400.14 4 Copies may be obtained from the Defense Logistics Agency, ATTN: DSS-CV, 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060–6221. (3) In addition to system notices, reports are required for new and altered systems of records. The criteria of these reports are outlined in appendixes B and C of this part. No report is required for amendments to existing systems which do not meet the criteria for altered record systems. (4) System managers shall evaluate the information to be included in each new system before establishing the system and evaluate periodically the information contained in each existing system of records for relevancy and necessity. Such a review will also occur when a system notice amendment or alteration is prepared. Consider the following: (i) The relationship of each item of information retained and collected to the purpose for which the system is maintained. (ii) The specific impact on the purpose or mission of not collecting each category of information contained in the system. (iii) The possibility of meeting the informational requirements through use of information not individually identifiable or through other techniques, such as sampling. (iv) The length of time each item of personal information must be retained. (v) The cost of maintaining the information. (vi) The necessity and relevancy of the information to the purpose for which it was collected. (5) Systems notices and reports of new and altered systems will be submitted to DLA Support Services (DSS-CA) as required. (k) Exemptions. The Director, DLA will designate the DLA records which are to be exempted from certain provisions of the Privacy Act. DLA Support Services (DSS-CA) will publish in the (1) General Exemptions. To qualify for a general exemption, as defined in the Privacy Act, the system of records must be maintained by a system manager who performs as his/her principal function any activity pertaining to the enforcement of criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities or prosecutors, courts, correctional, probation, pardon, or parole authorities. Such system of records must consist of: (i) Information compiled for the purpose of identifying individual criminal offenders and alleged offenders and containing only identifying data and notations or arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole, and probation status. (ii) Information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual. (iii) Reports identifiable to an individual compiled at any stage of the process of enforcement of the criminal laws from arrest or indictment through release from supervision. (2) Specific exemption. To qualify for a specfic exemption, as defined by the Privacy Act, the systems of records must be: (i) Specifically authorized under criteria established by an Executive Order to be kept classified in the interest of national defense or foreign policy and are in fact properly classified pursuant to such Executive Order. (ii) Investigatory material compiled for law enforcement purposes other than material covered under a general exemption. However, an individual will not be denied access to information which has been used to deny him/her a right or privilege unless disclosure would reveal a source who furnished information to the Government under a promise that the identity of the source would be held in confidence. For investigations made after September 27, 1975, the identity of the source may be treated as confidential only if based on the expressed guarantee that the identity would not be revealed. (iii) Maintained in connection with providing protective services to the President of the United States or other individuals protected pursuant to 18 U.S.C. 3056. (iv) Used only to generate aggregate statistical data or for other similarly evaluative or analytic purposes, and which are not used to make decisions on the rights, benefits, or entitlements of individuals except for the disclosure of a census record permitted by 13 U.S.C. 8. (v) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, Military Service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the source would be held in confidence, or prior to September 27 1975, under an implied promise that the identity of the source would be held in confidence. (vi) Testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal service, the disclosure of which would compromise the objectivity or fairness of the testing or elimination process. (vii) Evaluation material used to determine potential for promotion in the Military Services, but only the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence or prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence. System managers will specify those categories of individuals for whom pledges of confidentiality may be made when obtaining information on an individual's suitability for promotion. (viii) Exemption rules for DLA systems of records are published in appendix H of this part. (l) Matching Program Procedures. The OMB has issued special guidelines to be followed in programs that match the personal records in the computerized data bases of two or more Federal agencies by computer (see appendix E). These guidelines are intended to strike a balance between the interest of the Government in maintaining the integrity of Federal programs and the need to protect individual privacy expectations. They do not authorize matching programs as such and each matching program must be justified individually in accordance with the OMB guidelines. (1) Forward all requests for matching programs to include necessary routine use amendments and analysis and proposed matching program reports to DLA Support Services. Changes to existing matching programs shall be processed in the same manner as a new matching program report. (2) No time limits are set by the OMB guidelines. However, in order to establish a new routine use for a matching program, the amended system notice must have been published in the (3) For the purpose of the OMB guidelines, DoD and all DoD Components are considered a single agency. Before initiating a matching program using only the records of two or more DoD activities, notify DLA Support Services (DSS-CA) that the match is to occur. Further information may be requested from the activity proposing the match. (4) System managers shall review annually each system of records to determine if records from the system are being used in matching programs and whether the OMB Guidelines have been complied with. [DLAR 5400.21, 51 FR 33595, Sept. 22, 1986, unless otherwise noted. Redesignated at 56 FR 57803, Nov. 14, 1991, as amended at 66 FR 41781, Aug. 9, 2001. DLA activities may be required to provide data under reporting requirements established by the Defense Privacy Office and DLA Support Services (DSS-CA). Any report established shall be assigned Report Control Symbol DD-DA&M(A)1379. [66 FR 41782, Aug. 9, 2001] A. System identification. See DLAH 5400.1.1 1 Copies may be obtained from the Defense Logistics Agency, ATTN: DSS-CV, 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060–6221. 2 [Reserved] B. System name. The name of the system reasonably identifies the general purpose of the system and, if possible, the general categories of individuals involved. Use acronyms only parenthetically following the title or any portion thereof, such as, “Joint Uniform Military Pay System (JUMPS).” Do not use acronyms that are not commonly known unless they are preceded by an explanation. The system name may not exceed 55 character positions including punctuation and spacing. C. System location 1. For systems maintained in a single location provided the exact office name, organizational identity, and address or routing symbol. For geographically or organizationally decentralized systems, specify each level of organization or element that maintains a segment of the system. For automated data systems with a central computer facility and input/output terminals at several geographically separated location, list each location by category. 2. When multiple locations are identified by type of organization, the system location may indicate that official mailing addresses are contained in an address directory published as an appendix to DLAH 5400.1. 3. If no address directory is used or the addresses in the directory are incomplete, the address of each location where a segment of the record system is maintained must appear under the “System Location” caption. Classified addresses are not listed, but the fact that they are classified is indicated. Use the standard U.S. Postal Service two letter state abbreviation symbols and zip codes for all domestic addresses. D. Categories of individuals covered by the system. Set forth the specific categories of individuals to whom records in the system pertain in clear, easily understood, nontechnical terms. Avoid the use of broad over-general descriptions, such as “all DLA personnel” or “all civilian personnel” unless this actually reflects the category of individuals involved. E. Categories of records in the system. Describe in clear, nontechnical terms the types of records maintained in the system. Only documents actually retained in the system of records will be described, not source documents that are used only to collect data and the destroyed. F. Authority for maintenance of the system. 1. Cite the specific provisions of the Federal statute or Executive Order that authorizes the maintenance of the system. Include with citations for statutes the popular names, when appropriate (for example, title 51, United States Code, section 2103, “Tea-Tasters Licensing Act”), and for Executive Orders, the official title (for example, Executive Order 9397, “Numbering System for Federal Accounts Relative to Individual Persons”). 2. For administrative housekeeping records, cite the directive establishing DLA as well as the Secretary of Defense authority to issue the directive. For example, ‘Pursuant to the authority contained in the National Security Act of 1947, as amended (10 U.S.C. 133d), the Secretary of Defense has issued DoD Directive 5105.22 (32 CFR part 398), Defense Logistics Agency (DLA), the charter of the Defense Logistics Agency (DLA) as a separate agency of the Department of Defense under this control. Therein, the Director, DLA, is charged with the responsibility of maintaining all necessary and appropriate records.’ G. Purpose or purposes. List the specific purposes for maintaining the system of records by the activity. Include the use made of the information within DLA and the Department of Defense (so-called “internal routine uses”). H. Routine uses. 1. The blanket routine uses that appear in DLAH 5400.13 3 Copies may be obtained from the Defense Logistics Agency, ATTN: DSS-CV, 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060–6221. 2. For each routine use identified, include a statement as to the purpose or purposes for which the record is to be released to the activity. Do not use general statements, such as, “to other Federal agencies as required” and “to any other appropriate Federal agency.” I. Policies and practices for storing, retiring, accessing, retaining, and disposing of records. This caption is subdivided into four parts: 1. Storage. Indicate the medium in which the records are maintained. (For example, a system may be “automated, maintained on magnetic tapes or disks,” “manual, maintained in paper files,” or “hybrid, maintained in a combination of paper and automated form.”) Storage does not refer to the container or facility in which the records are kept. 2. Retrievability. Specify how the records are retrieved (for example, name and SSN, name, SSN) and indicate whether a manual or computerized index is required to retrieve individual records. 3. Safeguards. List the categories of DLA personnel having immediate access and these responsible for safeguards (such as storage in safes, vaults, locked cabinets or rooms, use of guards, visitors registers, personnel screening, or computer “fail-safe” systems software). Do not describe safeguards in such detail as to compromise system security. 4. Retention and disposal. Indicate how long the record is retained. When appropriate, state the length of time the records are maintained by the activity, when they are transferred to a Federal Records Center, length of retention at the Records Center and when they are transferred to the National Archives or are destroyed. A reference to DLAI 5015.1,4 4 Copies may be obtained from the Defense Logistics Agency, ATTN: DSS-CV, 8725 John J. Kingman Road, Suite 2533, Fort Belvoir, VA 22060–6221. J. System manager or managers and address. 1. List the title and address of the official responsible for the management of the system. If the title of the specific official is unknown, such as for a local system, specify the local commander or office head as the systems manager. 2. For geographically separated or ogranizationally decentralized activities for which individuals may deal directly with officials at each location in exercising their rights, list the position or duty title of each category of officials responsible for the system or a segment thereof. 3. Do not include business or duty addresses if they are listed in DLAH 5400.1. K. Notification procedures. 1. If the record system has been exempted from subsection (e)(4)(G) the Privacy Act, so indicate. 2. For all nonexempt systems, describe how an individual may determine if there are records pertaining to him or her in the system. The procedural rules may be cited, but include a brief procedural description of the needed data. Provide sufficient information in the notice to allow an individual to exercise his or her rights without referrals to this part. 3. As a minimum, the caption will include: a. The official title (normally the system manager) and official address to which request is to be directed. b. The specific information required to determine if there is a record of the individual in the system. c. Identification of the offices through which the individual may obtain access. d. A description of any proof of identity required. 4. When appropriate, the individual may be referred to an activity official who shall provide this data to him or her. L. Record access procedures. 1. If the record system has been exempted from subsection (e)(4)(H) of the Privacy Act, so indicate. 2. For all nonexempt record systems, describe the procedures under which individuals may obtain access to the record pertaining to them in the system. When appropriate, the individual may be referred to the system manager or activity official to obtain access procedures. Do not repeat the addresses listed in DLAH 5400.1, but refer the individual to that directory. M. Contesting record procedures. 1. If the record system has been exempted from subsection (e)(4)(H) of the Privacy Act, so indicate. 2. For all nonexempt systems of records, state briefly how an individual may contest the content of a record pertaining to him or her in the system. The detailed procedures for contesting record accuracy, refusal of access or amendment, or initial review and appeal need not be included if they are readily available elsewhere and can be referred to by the public. (For example, “The Defense Logistics Agency rules for contesting contents and for appealing initial determinations are contained in 32 CFR part.”) (DLAR 5400.21). 3. The individual may also be referred to the system manager to determine these procedures. N. Record source categories. 1. If the record system has been exempted from subsection (e)(4)(I) of the Privacy Act, so indicate. 2. For all nonexempt systems of records, list the sources of the information in the system. Specific individuals or institutions need not be identified by name, particularly if these sources have been granted confidentiality. O. System exempted from certain provisions of the Privacy Act. 1. If no exemption has been claimed for the system, indicate “None.” 2. If there is an exemption claimed, indicate specifically under which subsection of the Privacy Act is is claimed. Cite the regulation and CFR section containing the exemption rule for the system. (For example, “Parts of this record system may be exempt under title 5, United States Code, sections 552a(k)2. and (5), as applicable. See exemption rules contained in 32 CFR part 323.”) (DLAR 5400.21). [DLAR 5400.21, 51 FR 33595, Sept. 22, 1986. Redesignated and amended at 56 FR 57803, Nov. 14, 1991; 66 FR 41781, Aug. 9, 2001] A. Criteria for a new record system. A new system of records is one for which there has been no system notice published in the B. Criteria for an altered record system. A system is considered altered whenever one of the following actions occurs or is proposed: 1. A significant increase or change in the number or type of indiviudals about whom records are maintained. a. Only changes that alter significantly the character and purpose of the records system are considered alterations. b. Increases in numbers of individuals due to normal growth are not considered alterations unless they truly alter the character and purpose of the system. c. Increases that change significantly the scope of population covered (for example, expansion of a system of records covering a single PLFA's enlisted personnel to include all of DLA enlisted personnel would be considered an alteration). d. A reduction in the number of individual covered is not an alteration, but only an amendment. e. All changes that add new categories of individuals to system coverage require a change to the “Categories of individuals covered by the system” caption of the notice and may require changes to the “Purpose(s)” caption. 2. An expansion in the types or categories of information maintained. a. The addition of any new category of records not described under the “Categories of Records in System” caption is considered an alteration. b. Adding a new data element which is clearly within the scope of the categories of records described in the existing notice is an amendment. c. All changes under this criterion require a change to the “Categories of Records in System” caption of the notice. 3. An alteration in the manner in which the records are organized or the manner in which the records are indexed and retrieved. a. The change must alter the nature of use or scope of the records involved (for example, combining records systems in a reorganization). b. Any change under this critera requires a change in the “Retrievability” caption of the system notice. c. If the records are no longer retrieved by name or personal identifier, cancel the system notice. 4. A change in the purpose for which the information in the system is used. a. The new purpose must not be compatible with the existing purposes for which the system is maintained or a use that would not reasonably be expected to be an alteration. b. If the use is compatible and reasonably expected, there is no change in purpose and no alteration occurs. c. Any change under this criterion requires a change in the “Purpose(s)” caption and may require a change in the “Authority for maintenance of the system” caption. 5. Changes that alter the computer environment (such as changes to equipment configuration, software, or procedures) so as to create the potential for greater or easier access. a. Increasing the number of offices with direct access is an alteration. b. Software releases, such as operating systems and system utilities that provide for easier access are considered alterations. c. The addition of an on-line capability to a previously batch-oriented system is an alteration. d. The addition of peripheral devices such as tape devices, disk devices, card readers, printers, and similar devices to an existing ADP system constitute an amendment if system security is preserved. e. Changes to existing equipment configuration with on-line capability need not be considered alterations to the system if: (1) The change does not alter the present security posture. (2) The addition of terminals does not extend the capacity of the current operating system and existing security is preserved. f. The connecting of two or more formerly independent automated systems or networks together creating a potential for greater access is an alteration. g. Any change under this caption requires a change to the “Storage” caption element of the systems notice. C. Reports of new and altered systems. Submit a report of a new or altered system to DLA Support Services (DSS-CA) before collecting information and for using a new system or altering an existing system. D. Time restrictions on the operation of a new or altered system. 1. All time periods begin from the date OSD signs the transmittal letters on the reports to OMB and Congress. The specific time limits are: a. Sixty days must elapse before collection forms or fomal instructions pertaining to the system may be issued. b. Sixty days must elapse before the system may become operational. c. Sixty days must elapse before any public issuance of a Request for Proposal or Invitation to Bid for a new ADP or telecommunication system. Note: Requests for delegation of procurement authority may be submitted to the General Services Administration during the 60 days' waiting period, but these will include language that the Privacy Act reporting criteria have been reviewed and that a system report is required for such procurement. d. Normally 30 days must elapse before publication in the 2. Do not operate a system of records until the waiting periods have expired. E. Outside review of new and altered systems reports. If no objections are received within 30 days of a submission to the President of the Senate, Speaker of the House of Representatives, and the Director, OMB, of a new or altered system report, it is presumed that the new or altered systems have been approved as submitted. F. Waiver of time restrictions. 1. The OMB may authorize a Federal agency to begin operation of a system of records before the expiration of time limits described above. When seeking such a waiver, include in the letter of transmittal to DLA Support Services (CA) an explanation why a delay of 60 days in establishing the system of records would not be in the public interest. The transmittal must include: a. How the public interest will be affected adversely if the established time limits are followed. b. Why earlier notice was not provided. 2. Under no circumstances will the routine uses for a new or altered system be implemented before 30 days have elapsed after publication of the system notice containing the routine uses in the [DLAR 5400.21, 51 FR 33595, Sept. 22, 1986. Redesignated and amended at 56 FR 57803, Nov. 14, 1991; 66 FR 41782, Aug. 9, 2001] The report on a new or altered system will consist of a transmittal letter, a narrative statement, and include supporting documentation. A. Transmittal Letter. The transmittal letter shall include any request for waivers. The narrative statement will be attached. B. Narrative Statement. The narrative statement is typed in double space on standard bond paper. The statement includes: 1. System identification and name. This caption sets forth the identification and name of the system. 2. Responsible official. The name, title, address, and telephone number of the official responsible for the report and to whom inquiries and comments about the report may be directed by Congress, the Office of Management and Budget, or Defense Privacy Office. 3. Purpose of the system or nature of the change proposed. Describe the purpose of the new system. For an altered system, describe the nature of the change being proposed. 4. Authority for the system. See enclosure 1 of this part. 5. Number of individuals. The approximate number of individuals about whom records are to be maintained. 6. Information on First Amendment activities. Describe any information to be kept on the exercise of the individual's First Amendment rights and the basis for maintaining it. 7. Measures to ensure information accuracy. If the system is to be used to make determinations about the rights, benefits, or entitlements of individuals, describe the measures being established to ensure the accuracy, currency, relevance, and completeness of the information used for these purposes. 8. Other measures to ensure system security. Describe the steps taken to minimize the risk of unauthorized access to the system. A more detailed assessment of security risks and specific administrative, technical, and physical safeguards will be available for review upon request. 9. Relationship to state and local government activities. Describe the relationship of the system to state or local government activities that are the sources, recipients, or users of the information in the system. C. Supporting Documentation. Item 10 of the narrative is captioned Supporting Documents. A positive statement for this caption is essential for those enclosures that are not required to be enclosed. For example, “No changes to the existing DLA procedural or exemption rules (32 CFR part 323) are required for this proposed system.” List in numerical sequence only those enclosures that are actually furnished. The following are typical enclosures that may be required: 1. For a new system, an advance copy of the system notice which is proposed for publication; for an altered system an advance copy of the notice reflecting the specific changes proposed. 2. An advance copy of any proposed exemption rule if the new or altered system is to be exempted. If there is no exemption, so state in the narrative. 3. Any other supporting documentation that may be pertinent or helpful in understanding the need for the system or clarifying its intended use. While not required, such documentation, when available, is helpful in evaluating the new or altered system. [DLAR 5400.21, 51 FR 33595, Sept. 22, 1986. Redesignated and amended at 56 FR 57803, Nov. 14, 1991] A. Minimum Standards of Protection. All personal data processed using word processing equipment will be afforded the standards of protection required by this regulation. The special considerations discussed in this enclosure are primarily for Word Processing Centers (WPCs) operating independent of the customer's function. However, managers of word processing systems are encouraged to consider and adopt, when appropriate, the special considerations described. WPCs that are not independent of a customer's function are not required to prepare formal written risk assessments. B. WPC Information Flow. In analyzing procedures required to safeguard adequately personal information in a WPC, the basic elements of WPC information flow and control must be considered. These are: Information receipt, information processing, information return, information storage and filing. WPCs do not control information acquisition or its ultimate use by the customers and, therefore, these are not addressed. C. Safeguarding Information During Receipt. 1. The word processing manager will establish procedures: a. That require each customer who requests that information subject to this DLAR be processed to identify specifically that information to the WPC personnel. This may be done by: (1) Providing a check-off type entry on the WPC work requests. (2) Requiring that the WPC work requests be stamped with a special legend, or that a special notation be made on the work requests. (3) Predesignating specifically a class of documents as coming within the provisions of this DLAR (such as, all officer effectiveness reports, all recall rosters, and all medical protocols). (4) Using a special cover sheet both to alert the WPC personnel as to the type information, and to protect the document during transmittal. (5) Requiring an oral warning on all dictation. (6) Any other procedures that ensure the WPC personnel are alerted to the fact that personal data subject to this DLAR is to be processed. b. To ensure that the operators or other WPC personnel who receive data for processing not identified as being under the provisions of this DLAR, but that appear to be personal, promptly call the information to the attention of the WPC supervisor or the customer. c. To ensure that any request for the processing of personal data which the customer has not identified as being in a system of record, and that appears to meet the criteria set forth in this regulation, is called to the attention of the appropriate supervisory personnel and system manager. 2. The WPC supervisor will ensure that personal information is not inadvertently compromised within the WPC. D. Safeguarding Information During Processing. 1. Each WPC supervisor will establish internal safeguards that will protect personal data from compromise while it is being processed. 2. Physical safeguards may include: a. Controls on individual access to the center. b. Machine configurations that reduce external access to the information being processed, or arrangements that alert the operator to the presence of others. c. Using certain specific machines to process personnal data. d. Any other physical safeguards, to include special technical arrangements that will protect the data during processing. 3. Other safeguards may include: a. Using only certain selected operators to process personal data. b. Processing personal data only at certain times during the day without the WPC manager's specific authorization. c. Using only certain tapes or diskettes to process and store personal data. d. Using continuous tapes for dictation of personal data. e. Requiring all WPC copies of documents to be marked specifically so as to prevent inadvertent compromise. f. Returing extra copies and mistakes to the customer with the product. g. Disposing of waste containing personal data in a special manner. h. Any other local procedures that provide adequate protection to the data being processed. E. Safeguarding Information During Return. The WPC shall protect the data until it is returned to the customer or is placed into a formal distribution channel. In conjunction with the appropriate administrative support personnel and the WPC customers, the WPC manager will establish procedures that protect the information from the time word processing is completed until it is returned to the customer. Safeguarding procedures may include: 1. Releasing products only to specifically identified individuals. 2. Using sealed envelopes to transmit products to the customer. 3. Using special cover sheets to protect products similar to the one discussed in above. 4. Hand-carrying products to the customers. 5. Using special messengers to return the products. 6. Any other procedures that adequately protect products from compromise while they are awaiting return or being returned to the customer. F. Safeguards During Storage. The WPC manager shall ensure that all personal data retained in the center for any purpose (including samples) are protected properly. Safeguarding procedures may include: 1. Marking will hard copies retained with special legends or designators. 2. Storing media containing personal data in separate files or areas. 3. Marking the storage containers for media containing personal data with special legends or notations. 4. Restricting the reuse of media used to process personal data or erasing the media before reuse. 5. Establishing special criteria for the WPC retention of media used to store and process personal data. 6. Returning the media to the customer for retention with the file copies of the finished products. 7. Discouraging, when practical, the long-term storage of personnal data in any form within the WPC. 8. Any other filing or storage procedures that safeguard adequately any personal information retained or filed within the WPC. G. Risk Assessment for WPCs. 1. Each WPC manager will ensure that a formal, written risk assessment is prepared for each WPC that processes personal information subject to this regulation. The assessment will address the areas discussed in this enclosure, as well as any special risks that the WPC location, configuration, or organization may present to the compromise or alteration of personal data being processed or stored. 2. A risk assessment will be conducted at least every 5 years or whenever there is a change of equipment, equipment configuration, WPC location, WPC configuration or modification of the WPC facilities that either increases or decreases the likelihood or compromise of personal data. 3. Copies of the risk assessment will be retained by the WPC manager and made available to appropriate inspectors, as well as to personnel studying equipment for facility upgrading of personal data. H. Special Considerations in WPC Design and Modification. Procedures will be established to ensure that all personnel involved in the design of WPCs or the acquisition of word processing equipment are aware of the special considerations required when processing personal data subject to this DLAR. A. Purpose. These guidelines supplement and will be used in conjunction with OMB Guidelines on the Administration of the Privacy Act of 1974, issued on July 1, 1975, and supplemented on November 21, 1975. They replace earlier guidance on conducting computerized matching programs issued on March 30, 1979. They are intended to help agencies relate the procedural requirements of the Privacy Act to the operational requirements of computerized matching. They are designed to address the concern expressed by the Congress in the Privacy Act of 1974 that “the increasing use of computers and sophisticated information technology, while essential to the efficient operation of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information.” These guidelines do not authorize activities that are not permitted by law, nor do they prohibit activities expressly required to be performed by law. Complying with these guidelines, however, does not relieve a Federal agency of the obligation to comply with the provisions of the Privacy Act, including any provisions not cited in these guidelines. B. Scope. These guidelines apply to all agencies subject to the Privacy Act of 1974 (5 U.S.C. 552a) and to all matching programs: 1. Performed by a Federal agency, whether the personal records used in the match are Federal or nonfederal. 2. For which a Federal agency discloses any personal records for use in a matching program performed by any other Federal agency or any nonfederal organization. C. Effective Date. These guidelines were effective on May 11, 1982. D. Definitions. For the purpose of the Guidelines, all the terms defined in the Privacy Act of 1974 apply. 1. Personal Record. Any information pertaining to an individual that is stored in an automated system of records; for example, a data base which contains information about individuals that is retrieved by name or some other personal identifier. 2. Matching Program. A procedure in which a computer is used to compare two or more automated systems of records or a system of records with a set of nonfederal records to find individuals who are common to more than one system or set. The procedure includes all of the steps associated with the match, including obtaining the records to be matched, actual use of the computer, administrative and investigative action on the hits, and disposition of the personal records maintained in connection with the match. It should be noted that a single matching program may involve several matches among a number of participants. Watching programs do not include the following: a. Matches which compare a substantial number of records, such as, comparison of the Department of Education's defaulted student loan data base with the Office of Personnel Management's Federal employee data base would be covered; comparison of six individual student loan defaultees with the OPM file would not be covered. b. Checks on specific individuals to verify data in an application for benefits done reasonably soon after the application is received. c. Checks on specific individuals based on information which raises questions about an individual's eligibility for benefits or payments done reasonably soon after the information is received. d. Matches done to produce aggregate statistical data without any personal identifiers. e. Matches done to support any research or statistical project when the specfic data are not to be used to make decisions about the rights, benefits, or privileges of specific individuals. f. Matches done by an agency using its own records. 3. Matching Agency. The Federal agency which actually performs the match. 4. Source Agency. The Federal agency which discloses records from a system of records to be used in the match. Note that in some circumstances a source agency may be the instigator and ultimate beneficiary of the matching program, as when an agency lacking computer resources uses another agency to perform the match. The disclosure of records to the matching agency and any later disclosure of “hits” (by either the matching or the source agencies) must be done in accordance with the provisions of paragraph (b) of the Privacy Act. 5. Hit. The identification, through a matching program, of a specific individual. E. Guidelines for Agencies Participating in Matching Programs. Agencies should acquire and disclose matching records and conduct matching programs in accordance with the provisions of this section and the Privacy Act. 1. Disclosing Personal Records for Matching Programs— a. To another Federal agency. Source agencies are responsible for determining whether or not to disclose personal records from their systems and for making sure they meet the necessary Privacy Act disclosure provisions when they do. Among the factors source agencies should consider are: (1) Legal authority for the match. (2) Purpose and description of the match. (3) Description of the records to be matched. (4) Whether the record subjects have consented to the match; or whether disclosure of records for the match would be compatible with the purpose for which the records were originally collected; that is, whether disclosure under a “routine use” would be appropriate; whether the soliciting agency is seeking the records for a legitimate law enforcement activity—whichever is appropriate; or any other provision of the Privacy Act under which disclosure may be made. (5) Description of additional information which may be subsequently disclosed in relation to “hits.” (6) Subsequent actions expected of the source (for example, verification of the identity of the “hits” or followup with individuals who are “hits”). (7) Safeguards to be afforded the records involved, including disposition. b. If the agency is satisfied that disclosure of the records would not violate its responsibilities under the Privacy Act, it may proceed to make the disclosure to the matching agency. It should ensure that only the minimum information necessary to conduct the match is provided. If disclosure is to be made pursuant to a “routine use” (Section b.3. of the Privacy Act), it should ensure that the system of records contains such a use, or it should publish a routine use notice in the c. To a nonfederal entity. Before disclosing records to a nonfederal entity for a matching program to be carried out by that entity, a source agency should, in addition to all of the consideration in subparagraph a, above, also make reasonable efforts, pursuant to Section (e)(6) of the Privacy Act, to “assure that such records are accurate, complete, timely, and relevant for agency purposes.” 2. Written Agreements. Before disclosing to either a Federal or non-Federal entity, the source agency should require the matching entity to agree in writing to certain conditions governing the use of the matching file; for example, that the matching file will remain the property of the source agency and be returned at the end of the matching program (or destroyed as appropriate); that the file will be used and accessed only to match the file or files previously agreed to; that it will not be used to extract information concerning “non-hit” individuals for any purpose, and that it will not be duplicated or disseminated within or outside the matching agency unless authorized in writing by the source agency. 3. Performing Matching Programs— a. Matching agencies should maintain reasonable administrative, technical, and physical security safeguards on all files involved in the matching program. b. Matching agencies should ensure that they have appropriate systems of records including those containing “hits,” and that such systems and any routine uses have been appropriately notices in the 4. Disposition of Records— a. Matching agencies will return or destroy source matching files (by mutual agreement) immediately after the match. b. Records relating to this will be kept only so long as an investigation, either criminal or administrative, is active, and will be disposed of in accordance with the requirements of the Privacy Act and the Federal Records Act. 5. Publication Requirements— a. Agencies, before disclosing records outside the agency, will publish appropriate “routine use” notices in the b. If the matching program will result in the creation of a new or the substantial alteration of an existing system of records, the agency involved should publish the appropriate 6. Reporting Requirements— a. As close to the initiation of the matching program as possible, matching agencies will publish in the 1. The legal authority under which the match is being conducted. 2. A description of the matching program including whether the program is one time or continuing, the organizations involved, the purpose or purposes for which the program is being conducted, and the procedures to be used in matching and following up on the “hits.” 3. A complete description of the personal records to be matched, including the source or sources, system of records identifying data, date or dates and page number of the most recent 4. The projected start and ending dates of the program. 5. The security safeguards to be used to protect against unauthorized access or disclosure of the personal records. 6. Plans for disposition of the source records and “hits.” 7. Agencies should send a copy of this notice to the Congress and to OMB at the same time it is sent to the a. Agencies should report new or altered systems of records as described in subparagraph 5b, above, as necessary. b. Agencies should also be prepared to report on matching programs pursuant to the reporting requirements of either the Privacy Act or the Paperwork Reduction Act. Reports will be solicited by the Office of Information and Regulatory Affairs and will focus on both the protection of individual privacy and Government's effective use of information technology. Reporting instructions will be disseminated to the agencies as part of either the reports required by paragraph (p) of the Privacy Act, or section 3514 of Pub. L. 96–511. 8. Use of Contractors. Matching programs should, as far as practicable, be conducted “in-house” by Federal agencies using agency personnel, rather than by contract. When contractors are used: a. The matching agency should, consistent with paragraph (m) of the Privacy Act, cause the requirements of that Privacy Act to be applied to the contractor's performance of the matching program. The contract should include the Privacy Act clause required by Federal Personnel Regulation Amendment 155 (41 CFR 1–1.337–5). b. The terms of the contract should include appropriate privacy and security provisions consistent with policies, regulations, standards, and guidelines issued by OMB, GSA, and the Department of Commerce. c. The terms of the contract should preclude the contractor from using, disclosing, copying, or retaining records associated with the matching program for the contractor's own use. d. Contractor personnel involved in the matching program shall be made explicitly aware of their obligations under the Privacy Act and of these guidelines, agency rules, and any special safegurds in relation to each specific match performed. e. Any disclosures of records by the agency to the contractor should be made pursuant to a “routine use” (5 U.S.C. 552a(b)(3)). F. Implementation and Oversight. OMB will oversee the implementation of these guidelines and will interpret and advise upon agency proposals and actions within their scope, consistent with section 6 of the Privacy Act. 1. Case Number.1 1 Number used by the Component for reference purposes. 2. Requester. 3. Document Title or Description.2 2 Indicate the nature of the case, such as “Denial of access,” “Refusal to amend,” “Incorrect records,” or other violations of the Act (specify). 4. Litigation. a. Date Complaint Filed. b. Court. c. Case File Number.1 5. Defendants (DoD Component and individual). 6. Remarks (brief explanation of what the case is about). 7. Court Action. a. Court's Finding. b. Disciplinary Action (as appropriate). 8. Appeal (as appropriate). a. Date Complaint File. b. Court. c. Case File Number.1 d. Court's Finding. e. Disciplinary Action (as appropriate). A. Administrative Remedies. Any individual who feels he or she has a legitimate complaint or grievance against the Defense Logistics Agency or any DLA employee concerning any right granted by this DLAR will be permitted to seek relief through appropriate administrative channels. B. Civil Actions. An individual may file a civil suit against DLA or its employees if the individual feels certain provisions of the Privacy Act have been violated (see 5 U.S.C. 552a(g), reference (b).) C. Civil Remedies. In addition to specific remedial actions, the Privacy Act provides for the payment of damages, court cost, and attorney fees in some cases. D. Criminal Penalties— 1. The Privacy Act also provides for criminal penalties (see 5 U.S.C. 552a(1).) Any official or employee may be found guilty of a misdemeanor and fined not more than $5,000 if he or she willfully discloses personal information to anyone not entitled to receive the information, or maintains a system of records without publishing the required public notice in the 2. A person who requests or obtains access to any record concerning another individual under false pretenses may be found guilty of a misdemeanor and fined up to $5,000. Exempted Records Systems. All systems of records maintained by the Defense Logistics Agency will be exempt from the requirements of 5 U.S.C. 552a(d) pursuant to 5 U.S.C. 552a(k)(1) to the extent that the system contains any information properly classified under Executive Order 12958 and which is required by the Executive Order to be kept secret in the interest of national defense or foreign policy. This exemption, which may be applicable to parts of all systems of records, is necessary because certain record systems not otherwise specifically designated for exemptions herein may contain isolated items of information which have been properly classified. a. ID: S500.10 DLA-I (Specific exemption). 1. System name: Personnel Security Files. 2. Exemption: This system of records is exempted from the following provisions of title 5, United States Code, section 552a: (c)(3); (d); and (e)(1). 3. Authority: 5 U.S.C. 552a(k)(2). 4. Reasons: The investigatory reports are used by appropriate Security Officers and Commanders or other designated officials as a basis for determining a persons's eligibility for access to information classified in the interests of national defense. b. ID: S500.20 DLA-I (Specific exemption). 1. System name: Criminal Incident/Investigations File. 2. Exemption: This system of records is exempted from the following provisions of the Title 5, United States Code, section 552a: (c)(3); (d); and (e)(1). 3. Authority: 5 U.S.C. 552a(k)(2). 4. Reasons: Granting individuals access to information collected and maintained by this component relating to the enforcement of criminal laws could interfere with orderly investigations, with the orderly administration of justice, and possibly enable suspects to avoid detection or apprehension. Disclosure of this information could result in the concealment, destruction or fabrication of evidence and jeopardize the safety and well being of informants, witnesses and their families, and law enforcement personnel and their families. Disclosure of this information could also reveal and render ineffectual investigative techniques, sources and methods used by this component and could result in the invasion of privacy of individuals only incidentally related to an investigation. Investigatory material is exempt to the extent that the disclosure of such material would reveal the identity of a source who furnished the information to the Government under an express promise that the identity of the source would be held in confidence, or prior to September 27, 1975 under an implied promise that the identity of the source would be held in confidence. This exemption will protect the identities of certain sources who would be otherwise unwilling to provide information to the Government. The exemption of the individual's right of access to his records and the reasons therefore necessitate the exemptions of this system of records from the requirements of the other cited provisions. c. ID: S100.50 DLA-GC (Specific exemption). 1. System name: Fraud and Irregularities. 2. Exemption: This system of records is exempt from the provisions of 5 U.S.C. 552a(c)(3), (d)(1) through (4), (e)(1), (e)(4)(G), (H), and (I), and (f). 3. Authorities: 5 U.S.C. 552a(k)(2) and (k)(5). 4. Reasons: From subsection (c)(3) because granting access to the accounting for each disclosure as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the existence of the investigation or prosecutive interest by DLA or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence. From subsections (d)(1) through (d)(4) and (f) because providing access to records of a civil investigation and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding. From subsection (e)(1) because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear. From subsections (e)(4)(G) and (H) because there is no necessity for such publication since the system of records will be exempt from the underlying duties to provide notification about and access to information in the system and to make amendments to and corrections of the information in the system. From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. DLA will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice. d. ID: S100.10 GC (Specific exemption). 1. System name: Whistleblower Complaint and Investigation Files. 2. Exemption: Portions of this system of records may be exempt under the provisions of 5 U.S.C. 552a(c)(3), (d)(1) through (d)(4), (e)(1), (e)(4)(G), (e)(4)(H), and (e)(4)(I), and (f). 3. Authority: 5 U.S.C. 552a(k)(2). 4. Reasons: From subsection (c)(3) because granting access to the accounting for each disclosure as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the existence of the investigation or prosecutive interest by DLA or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence. From subsections (d)(1) through (d)(4), and (f) because providing access to records of a civil investigation and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding. From subsection (e)(1), because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear. From subsections (e)(4)(G) and (e)(4)(H) because there is no necessity for such publication since the system of records will be exempt from the underlying duties to provide notification about and access to information in the system and to make amendments to and corrections of the information in the system. However, DLA will continue to publish such a notice in broad generic terms as is its current practice. From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. DLA will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice. e. ID: S500.60 CA (Specific exemption). 1. System name: DLA Complaint Program Records. 2. Exemption: (i) Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of the information, the individual will be provided access to the information except to the extent that disclosure would reveal the identity of a confidential source. (ii) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source. 3. Authority: 5 U.S.C. 552a(k)(2) and (k)(5), subsections (c)(3), (d)(1) through (d)(4), (e)(1), (e)(4)(G), (H), and (I), and (f). 4. Reasons: (i) From subsection (c)(3) because to grant access to an accounting of disclosures as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the existence of the investigation or prosecutive interest by DLA or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence. (ii) From subsections (d)(1) through (d)(4), and (f) because providing access to records of a civil or administrative investigation and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; enable individuals to conceal their wrongdoing or mislead the course of the investigation; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding. (iii) From subsection (e)(1) because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear. (iv) From subsections (e)(4)(G) and (H) because this system of records is compiled for law enforcement purposes and is exempt from the access provisions of subsections (d) and (f). (v) From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. DLA will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice. f. ID: S500.30 CAAS (Specific exemption). 1. System name: Incident Investigation/Police Inquiry Files. 2. Exemption: (i) Investigatory material compiled for law enforcement purposes may be exempt pursuant to 5 U.S.C. 552a(k)(2). However, if an individual is denied any right, privilege, or benefit for which he would otherwise be entitled by Federal law or for which he would otherwise be eligible, as a result of the maintenance of the information, the individual will be provided access to the information except to the extent that disclosure would reveal the identity of a confidential source. (ii) Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information may be exempt pursuant to 5 U.S.C. 552a(k)(5), but only to the extent that such material would reveal the identity of a confidential source. 3. Authority: 5 U.S.C. 552a(k)(2) and (k)(5), subsections (c)(3), (d)(1) through (d)(4), (e)(1), (e)(4)(G), (H), and (I), and (f). 4. Reasons: (i) From subsection (c)(3) because to grant access to the accounting for each disclosure as required by the Privacy Act, including the date, nature, and purpose of each disclosure and the identity of the recipient, could alert the subject to the existence of the investigation or prosecutive interest by DLA or other agencies. This could seriously compromise case preparation by prematurely revealing its existence and nature; compromise or interfere with witnesses or make witnesses reluctant to cooperate; and lead to suppression, alteration, or destruction of evidence. (ii) From subsections (d)(1) through (d)(4), and (f) because providing access to records of a civil or administrative investigation and the right to contest the contents of those records and force changes to be made to the information contained therein would seriously interfere with and thwart the orderly and unbiased conduct of the investigation and impede case preparation. Providing access rights normally afforded under the Privacy Act would provide the subject with valuable information that would allow interference with or compromise of witnesses or render witnesses reluctant to cooperate; lead to suppression, alteration, or destruction of evidence; enable individuals to conceal their wrongdoing or mislead the course of the investigation; and result in the secreting of or other disposition of assets that would make them difficult or impossible to reach in order to satisfy any Government claim growing out of the investigation or proceeding. (iii) From subsection (e)(1) because it is not always possible to detect the relevance or necessity of each piece of information in the early stages of an investigation. In some cases, it is only after the information is evaluated in light of other evidence that its relevance and necessity will be clear. (iv) From subsections (e)(4)(G) and (H) because this system of records is compiled for law enforcement purposes and is exempt from the access provisions of subsections (d) and (f). (v) From subsection (e)(4)(I) because to the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect the confidentiality of sources of information and to protect privacy and physical safety of witnesses and informants. DLA will, nevertheless, continue to publish such a notice in broad generic terms as is its current practice. [DLAR 5400.21, 51 FR 33595, Sept. 22, 1986. Redesignated at 56 FR 57803, Nov. 14, 1991, as amended at 55 FR 32913, Aug. 13, 1990; 57 FR 40609, Sept. 4, 1992; 59 FR 9668, Mar. 1, 1994; 60 FR 3088, Jan. 13, 1995; 61 FR 2916, Jan. 30, 1996; 63 FR 25772, May 11, 1998; 65 FR 18900, Apr. 10, 2000]
Title 32: National Defense
PART 323—DEFENSE LOGISTICS AGENCY PRIVACY PROGRAM
Section Contents
§ 323.1 Purpose and scope.
§ 323.2 Policy.
§ 323.3 Definitions.
§ 323.4 Responsibilities.
§ 323.5 Procedures.
§ 323.6 Forms and reports.
Appendix A to Part 323—Instructions for Preparation of System Notices
Appendix B to Part 323—Criteria for New and Altered Record Systems
Appendix C to Part 323—Instructions for Preparation of Reports to New or Altered Systems
Appendix D to Part 323—Word Processing Center (WPC) Safeguards
Appendix E to Part 323—OMB Guidelines for Matching Programs
Appendix F to Part 323—Litigation Status Sheet
Appendix G to Part 323—Privacy Act Enforcement Actions
Appendix H to Part 323—DLA Exemption Rules
§ 323.1 Purpose and scope.
top
§ 323.2 Policy.
top
§ 323.3 Definitions.
top
§ 323.4 Responsibilities.
top
§ 323.5 Procedures.
top
§ 323.6 Forms and reports.
top
Appendix A to Part 323—Instructions for Preparation of System Notices
top
Appendix B to Part 323—Criteria for New and Altered Record Systems
top
Appendix C to Part 323—Instructions for Preparation of Reports to New or Altered Systems
top
Appendix D to Part 323—Word Processing Center (WPC) Safeguards
top
Appendix E to Part 323—OMB Guidelines for Matching Programs
top
Appendix F to Part 323—Litigation Status Sheet
top
Appendix G to Part 323—Privacy Act Enforcement Actions
top
Appendix H to Part 323—DLA Exemption Rules
top
