32 C.F.R. Subpart A—General information
Title 32 - National Defense
The Defense Finance and Accounting Service fully implements the policy and procedures of the Privacy Act and the DoD 5400.11-R1 1 Copies may be obtained at cost from the National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161.
Title 32: National Defense
PART 324—DFAS PRIVACY ACT PROGRAM
Subpart A—General information
§ 324.1 Issuance and purpose.
§ 324.2 Applicability and scope.
This regulation applies to all DFAS, Headquarters, DFAS Centers, the Financial System Organization (FSO), and other organizational components. It applies to contractor personnel who have entered a contractual agreement with DFAS. Prospective contractors will be advised of their responsibilities under the Privacy Act Program.
§ 324.3 Policy.
DFAS personnel will comply with the Privacy Act of 1974, the DoD Privacy Program and the DFAS Privacy Act Program. Strict adherence is required to ensure uniformity in the implementation of the DFAS Privacy Act Program and to create conditions that will foster public trust. Personal information maintained by DFAS organizational elements will be safeguarded. Information will be made available to the individual to whom it pertains to the maximum extent practicable. Specific DFAS policy is provided for Privacy Act training, responsibilities, reporting procedures and implementation requirements. DFAS Components will not define policy for the Privacy Act Program.
§ 324.4 Responsibilities.
(a) Director, DFAS. (1) Ensures the DFAS Privacy Act Program is implemented at all DFAS locations.
(2) The Director, DFAS, will be the Final Denial Appellate Authority. This authority may be delegated to the Director for Resource Management.
(3) Appoints the Director for External Affairs and Administrative Support, or a designated replacement, as the DFAS Headquarters Privacy Act Officer.
(b) DFAS Headquarters General Counsel. (1) Ensures uniformity is maintained in legal rulings and interpretation of the Privacy Act.
(2) Consults with DoD General Counsel on final denials that are inconsistent with other final decisions within DoD. Responsible to raise new legal issues of potential significance to other Government agencies.
(3) Provides advice and assistance to the DFAS Director, Center Directors, and the FSO as required, in the discharge of their responsibilities pertaining to the Privacy Act.
(4) Acts as the DFAS focal point on Privacy Act litigation with the Department of Justice.
(5) Reviews Headquarters' denials of initial requests and appeals.
(c) DFAS Center Directors. (1) Ensures that all DFAS Center personnel, all personnel at subordinate levels, and contractor personnel working with personal data comply with the DFAS Privacy Act Program.
(2) Serves as the DFAS Center Initial Denial Authority for requests made as a result of denying release of requested information at locations within DFAS Center authority. Initial denial authority may not be redelegated. Initial denial appeals will be forwarded to the appropriate DFAS Center marked to the attention of the DFAS Center Initial Denial Authority.
(d) Director, FSO. (1) Ensures that FSO and subordinate personnel and contractors working with personal data comply with the Privacy Act Program.
(2) Serves as the FSO Initial Denial Authority for requests made as a result of denying release of requested information at locations within FSO authority. FSO Initial denial authority may not be redelegated.
(3) Appoints a Privacy Act Officer for the FSO and each Financial System Activity (FSA).
(e) DFAS Headquarters Privacy Act Officer. (1) Establishes, issues and updates policy for the DFAS Privacy Act Program and monitors compliance. Serves as the DFAS single point of contact on all matters concerning Privacy Act policy. Resolves any conflicts resulting from implementation of the DFAS Privacy Act Program policy.
(2) Serves as the DFAS single point of contact with the Department of Defense Privacy Office. This duty may be delegated.
(3) Ensures that the collection, maintenance, use and/or dissemination of records of identifiable personal information is for a necessary and lawful purpose, that the information is current and accurate for the intended use and that adequate security safeguards are provided.
(4) Monitors system notices for agency systems of records. Ensures that new, amended, or altered notices are promptly prepared and published. Reviews all notices submitted by the DFAS Privacy Act Officers for correctness and submits same to the Department of Defense Privacy Office for publication in the
(5) Establishes DFAS Privacy Act reporting requirement due dates. Compiles all Agency reports and submits the completed annual report to the Defense Privacy Office. DFAS reporting requirements are provided in appendix A to this part.
(6) Conducts annual Privacy Act Program training for DFAS Headquarters (HQ) personnel. Ensures that subordinate DFAS Center and FSO Privacy Act Officers fulfill annual training requirements.
(f) FSO and Financial System Activities (FSAs) Legal Support. The FSO and subordinate FSA organizational elements will be supported by the appropriate DFAS-HQ or DFAS Center General Counsel office.
(g) DFAS Center(s) Assistant General Counsel. (1) Ensures uniformity is maintained in legal rulings and interpretation of the Privacy Act and this regulation. Consults with the DFAS-HQ General Counsel as required.
(2) Provides advice and assistance to the DFAS Center Director and the FSA in the discharge of his/her responsibilities pertaining to the Privacy Act.
(3) Coordinates on DFAS Center and the FSA denials of initial requests.
(h) DFAS Center Privacy Act Officer. (1) Implements and administers the DFAS Privacy Act Program for all personnel, to include contractor personnel, within the Center, Operating Locations (OpLocs) and Defense Accounting Offices (DAOs).
(2) Ensures that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information. Advises the Program Manager that systems notices must be published in the
(3) Administratively controls and processes Privacy Act requests. Ensures that the provisions of this regulation and the DoD Privacy Act Program are followed in processing requests for records. Ensures all Privacy Act requests are promptly reviewed. Coordinates the reply with other organizational elements as required.
(4) Prepares denials and partial denials for the Center Director's signature and obtain required coordination with the assistant General Counsel. Responses will include written justification citing a specific exemption or exemptions.
(5) Prepares input for the annual Privacy Act Report as required using the guidelines provided in appendix A to this part.
(6) Conducts training on the DFAS Privacy Act Program for Center personnel.
(i) FSO Privacy Act Officer. (1) Implements and administers the DFAS Privacy Act Program for all personnel, to include contractor personnel, within the FSO.
(2) Ensures that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information. Advises the Program Manager that systems notices must be published in the
(3) Administratively controls and processes Privacy Act requests. Ensures that the provisions of this regulation and the DoD Privacy Act Program are followed in processing requests for records. Ensure all Privacy Act requests are promptly reviewed. Coordinate the reply with other organizational elements as required.
(4) Prepares denials and partial denials for signature by the Director, FSO and obtains required coordination with the assistant General Counsel. Responses will include written justification citing a specific exemption or exemptions.
(5) Prepares input for the annual Privacy Act Report (RCS: DD DA&M(A)1379) as required using the guidelines provided in appendix A to this part.
(6) Conducts training on the DFAS Privacy Act Program for FSO personnel.
(j) DFAS employees. (1) Will not disclose any personal information contained in any system of records, except as authorized by this regulation.
(2) Will not maintain any official files which are retrieved by name or other personal identifier without first ensuring that a system notice has been published in the
(3) Reports any disclosures of personal information from a system of records or the maintenance of any system of records not authorized by this regulation to the appropriate Privacy Act Officer for action.
(k) DFAS system managers (SM). (1) Ensures adequate safeguards have been established and are enforced to prevent the misuse, unauthorized disclosure, alteration, or destruction of personal information contained in system records.
(2) Ensures that all personnel who have access to the system of records or are engaged in developing or supervising procedures for handling records are totally aware of their responsibilities to protect personal information established by the DFAS Privacy Act Program.
(3) Evaluates each new proposed system of records during the planning stage. The following factors should be considered:
(i) Relationship of data to be collected and retained to the purpose for which the system is maintained. All information must be relevant to the purpose.
(ii) The impact on the purpose or mission if categories of information are not collected. All data fields must be necessary to accomplish a lawful purpose or mission.
(iii) Whether informational needs can be met without using personal identifiers.
(iv) The disposition schedule for information.
(v) The method of disposal.
(vi) Cost of maintaining the information.
(4) Complies with the publication requirements of DoD 5400.11-R, ‘Department of Defense Privacy Program’ (see 32 CFR part 310). Submits final publication requirements to the appropriate DFAS Privacy Act Officer.
(l) DFAS program manager(s). Reviews system alterations or amendments to evaluate for relevancy and necessity. Reviews will be conducted annually and reports prepared outlining the results and corrective actions taken to resolve problems. Reports will be forwarded to the appropriate Privacy Act Officer.
(m) Federal government contractors. When a DFAS organizational element contracts to accomplish an agency function and performance of the contract requires the operation of a system of records or a portion thereof, DoD 5400.11-R, ‘Department of Defense Privacy Program’ (see 32 CFR part 310) and this part apply. For purposes of criminal penalties, the contractor and its employees shall be considered employees of DFAS during the performance of the contract.
(1) Contracting involving operation of systems of records. Consistent with Federal Acquisition Regulation (FAR)2
2 Copies may be obtained at cost from the Superintendent of Documents, P.O. Box 37195, Pittsburgh, PA 15250–7954.
3 See footnote 2 to §324.4(m)(1)
(2) Contracting. For contracting subject to this part, the Agency shall:
(i) Informs prospective contractors of their responsibilities under the DFAS Privacy Act Program.
(ii) Establishes an internal system for reviewing contractor performance to ensure compliance with the DFAS Privacy Act Program.
(3) Exceptions. This rule does not apply to contractor records that are:
(i) Established and maintained solely to assist the contractor in making internal contractor management decisions, such as records maintained by the contractor for use in managing the contract.
(ii) Maintained as internal contractor employee records, even when used in conjunction with providing goods or services to the agency.
(4) Contracting procedures. The Defense Acquisition Regulatory Council is responsible for developing the specific policies and procedures for soliciting, awarding, and administering contracts.
(5) Disclosing records to contractors. Disclosing records to a contractor for use in performing a DFAS contract is considered a disclosure within DFAS. The contractor is considered the agent of DFAS when receiving and maintaining the records for the agency.
Browse Next
