(a) Purpose. This part prescribes policies and procedures for: (1) Notifying an individual whether an Army system of records contains a record concerning him. (2) Verifying the identity of an individual requesting records or information about himself before they are furnished to him. (3) Providing access to or copies of records to an individual in response to his request. (4) Reviewing a request from an individual to amend a record, taking action thereon promptly, and acting on an appeal from an initial adverse determination as the result of an amendment request. (5) Collecting, safeguarding, maintaining, using, and disclosing personal information. (6) Exempting certain systems of records from provisions of this regulation. (7) Assuring privacy protection to individuals who furnish information under promises of confidentiality. (b) General policies. Department of the Army policy is: (1) To protect the personal privacy of individuals from unwarranted invasion. (2) To permit an individual to know what records the Army has on him, to have access to or copies of such records or portions thereof, and to request amendment of such records, whenever exemptions do not apply or there is no significant, legitimate governmental purpose to be served by claiming an exemption. (3) To collect, maintain, use, or disclose any record of identifiable personal information only for a necessary and lawful purpose. (4) To ensure that the information is timely and accurate for the intended use and is adequately safeguarded to prevent misuse or unauthorized access/disclosure. (5) To act on all requests promptly, accurately, and fairly. Delay will not be permitted even though requests appear to be minor in nature. (c) Applicability and scope. (1) This part applies to all requests received by elements of the Department of the Army from individuals who seek information on, access to, or amendment of records pertaining to them under the provisions of the Privacy Act of 1974. It governs the collection, maintenance, use, and disclosure of personal information by all elements of the Department of the Army, including the Army Reserve and the Army National Guard. (2) When the Army provides by a contract for the operation by or on behalf of the Army of a system of records to accomplish an Army function, the Army shall, consistent with its authority, cause the requirements of this regulation to be applied to such system. The criminal sanctions specified by section 3(i) of the Privacy Act may be applicable to such a contractor or employee thereof. (d) Statutory authority. The Privacy Act of 1974 (5 U.S.C. 552a) is the statutory basis for the Army privacy program. The Act assigns overall Governmentwide responsibilities for implementation to the Office of Management and Budget (OMB) and specific responsibilities to the Civil Service Commission (CSC) and the General Services Administration (GSA). These agencies have issued detailed regulations and guidance for Governmentwide implementation of The Privacy Act. Within the Department of Defense (DOD), the Act is further implemented by DOD Directive 5400.11, Personal Privacy and Rights of Individuals Regarding Their Personal Records. (e) Explanation of terms-(1) Access and amendment refusal authority (AA RA). The Army Staff agency head or major Army commander designated sole authority by this rule to deny access to or refuse amendment of records in his assigned area of propon ency or functional specialization (see paragraph (g) of this section). (2) Form proponent. The Army Staff agency head, major Army commander, or other commander who, normally by regulation or other issuance, prescribes the design, content, and use of a form or format used to collect personal information from individuals. (3) Individual. A citizen of the United States or an alien lawfully admitted for permanent residence, whether a member or former member of the U.S. armed forces or employee thereof. The term "individual" does not include a decendent. For purposes of this rule, the parent of any minor, or the legal guardian of any individual who has been declared to be incompetent due to physical or mental incapacity or age by a court of competent jurisdiction, may act on behalf of the individual provided he supplies proper verification of his status. (4) Maintain. The collection, use, maintenance, or dissemination of rec ords. (5) Record. Any item, collection or grouping of information about an individual that is maintained by any element of the Army, including, but not limited to, his home address, home telephone number, social security number (SSN), education, financial transactions, medical history, duty performance characteristics (to include personal and behavioral), and/or criminal or employment history; and that contains his name, SSN, symbol, code, or other identifying particular assigned to the individual, such as fingerprint, voice print, or photograph. (6) Routine use. The disclosure of a record, or the use of such record, outside the Department of Defense for a corollary purpose compatible with the purpose for which the information was collected, and which is appropriate and necessary for the efficient conduct of the Government. Routine use encompasses not only common and ordinary uses, but also all proper and necessary uses of the record, even if such use occurs infrequently. See § 505.6(g). (7) Statistical record. A record in a system of records maintained for statistical research or reporting purposes only, and not used in whole or in part to make any determination about an identifiable individual, except as provided by 13 U.S.C. 8. (8) System manager. An Army Staff agency head, major Army commander, or other commander who (i) By statute, Army Regulation, or other Headquarters, Department of the Army (HQDA) issuance, prescribes the establishment and maintenance of an Army-wide system of records, or a function or process which results in the establishment of an Army-wide system of records. (ii) By regulation or other issuance, prescribes the establishment and maintenance of an agency, command, or installation-unique system or records, or prescribes a function or process which results in the establishment of such a system of records. (9) System of records. A group of records under the control of any element of the Army from which information is retrieved by the name or SSN of an individual or by some other identifying number, symbol, code, or identifying particular assigned to the individual. A grouping or files series of records arranged chronologically or subjectively, which is not retrieved by individual identifier, is not a system of records as defined herein, even though individual information could be retrieved by such an identifier (such as through case or paper-by-paper search). (f) Responsibilities-(1) The Adjutant General. The Adjutant General is responsible for staff direction of the Army privacy program. In consultation with the Secretary of the Army's General Counsel, he formulates overall policy concerning the Army privacy program. (2) Director, Management Information Systems. The Director, Management Information Systems, is responsible for promulgating instructions for safeguarding automated systems containing personal information, to include issuance of guidance concerning the preparation of privacy safeguard plans, systems synopses, and certifications required in the design, procurement and operation of all automated systems involving personal information. (3) Heads of Army Staff Agencies and Field Commanders. (i) The Adminis trative Assistant to the Secretary of the Army and the Director of the Army Staff are responsible for supervision and execution of the privacy program in their respective administrative areas in Headquarters, Department of the Army. (ii) Heads of Army Staff Agencies, Field Operating Agencies, and commanders of major Army commands and subcommands are responsible for supervision and execution of the privacy program in their areas of jurisdiction, including supervision of privacy programs of agencies, installations, and activities under their command. (iii) Commanders of subordinate commands, installations, and activities are responsible for supervision and execution of privacy programs in all elements under their jurisdiction. (4) The Deputy Chief of Staff for Personnel, the Chief of Engineers, the Judge Advocate General, the Commander, U.S. Army Criminal Investigation Command, and the Commander, U.S. Army Intelligence Agency. These officials are delegated the Secretary of the Army's authority to request disclosure of records for civil and criminal law enforcement purposes from any agency or instrumentality under the control of the U.S. See § 505.3(b)(7). (5) Heads of Joint Agencies and Commands. The heads of joint agencies and commands for which the Department of the Army acts as executive agent, management agent, or administrative agent, or furnishes administrative support or essential management control, will follow instructions contained in this rule. Heads of such joint agencies and commands are responsible for the supervision and execution of privacy programs in subordinate elements. (6) Commander, AAFES. The Commander, Army-Air Force Exchange Service is responsible for the supervision and execution of privacy programs within his command in accordance with this rule. (g) Access and amendment refusal authorities (AARA)-(1) General responsibilities. The officials indicated in paragraph (g)(2) of this section are designated as the sole Access and Amendment Refusal Authorities for requests submitted under this rule. Each AARA is responsible for action on requests for access to or amendment of records referred by commanders under the provisions of § 505.2. Each AARA will appoint a single point of contact to represent him on matters concerned with access denials and amendment refusals. The single point of contact may also serve as the privacy official for the agency (paragraph (i) of this section). The names, offices, and telephone numbers of the individuals appointed as single points of contact will be furnished to HQDA (DAAG-AMR) Washington, D.C. 20314. (2) Assigned areas of authority. The AARA are assigned authority in the areas of functional specialization listed below. In cases where requests for access involve information related to actual or potential litigation against the United States, the request will be coordinated with The Judge Advocate General (Litigation Division), HQDA (DAJA-LT). (i) The Adjutant General is authorized to act on requests for access to or amendment of personnel records of retired, separated, or Reserve Component Military Personnel, and dependent school student records. He is also authorized to act upon, coordinate, or refer access and amendment requests which do not fall within the jurisdiction of another AARA. (ii) Commander, US Army Military Personnel Center is authorized to act on requests for access to or amendment of records of active duty military personnel. (iii) The Surgeon General is authorized to act on requests for access to or amendment of medical records. (iv) The Deputy Chief of Staff for Personnel is authorized to act on requests for access to or amendment of: (A) Records of active civilian employees (requests for access to or amendment of records of former employees will be acted on by the Director, Bureau of Manpower Information Systems, US Civil Service Commission, 1900 E St., NW, Wash., DC 20415). (B) Records of nonappropriated fund employees, except for employees of the Army and Air Force Exchange Service. (C) Military Police records. (v) The Inspector General and Auditor General are authorized to act on requests for access to or amendment of Inspector General, safety investigatory, and Army audit records. (vi) The Chief of Chaplains is authorized to act on requests for access to or amendment of ecclesiastical records. (vii) Commander US Army Criminal Investigation Command is authorized to act on requests for access to or amendment of records on criminal investigations (to include military police reports which are part of criminal investigation reports) and investigations in progress. (viii) Commander, US Army Intelligence Agency is authorized to act on requests for access to or amendment of all US Army intelligence investigative records. (ix) The Comptroller of the Army is authorized to act on requests for access to or amendment of financial records. (x) Commander US Army Materiel Command is authorized to act on requests for access to or amendment of records on personnel of Army contractors, except for those described in paragraph (g)(2)(xvi) of this section. (xi) Commander, Military Traffic Management Command is authorized to act on requests for access to or amendment of transportation records. (xii) Commander, Army and Air Force Exchange Service is responsible for acting on requests for access to or amendment of records pertaining to personnel of his command. (xiii) Chief, National Guard Bureau is authorized to act on requests for access to or amendment of records pertaining to personnel of the National Guard. (xiv) The Administrative Assistant to the Secretary of the Army is authorized to act on requests for access to or amendment of records maintained by the Secretariat. (xv) The Judge Advocate General is authorized to act on requests for access to or amendment of legal records for which he is responsible. (xvi) The Chief of Engineers is authorized to act on requests for access to or amendment of records pertaining to civil works, military construction, engineer procurement, and ecology contractor personnel, and other engineer matters not under the purview of another AARA. In addition, he is authorized to act on requests for access to or amendment of records pertaining to cases involving civil works potential litigation in which the United States has an interest. (3) Review Boards. All Army boards, councils, and similar activities which are established by the Department of the Army as special mechanisms for making determinations involving personnel and/or for the correction of records (e.g., Deputy Chief of Staff for Personnel (DCSPER) Special Review Board) will perform the AARA functions in their assigned areas of responsibility. Requests for amendment of records pursuant to the Privacy Act and this rule which fall in this category will be referred to, and processed by, such activities, and not by the AARA listed within paragraph (f)(2) of this section. This provision does not apply to the Army Board for the Correction of Military Records, which will accept applications and make corrections only in accordance with AR 15185. (h) DA Privacy Review Board. There is hereby established a Department of the Army (DA) Privacy Review Board. Membership of the Board will consist of the Administrative Assistant (AA) to the Secretary of the Army, The Adjutant General (TAG) and the Judge Advocate General (TJAG). Each Access and Amendment Refusal Authority (including the AA, TAG and TJAG) will serve as a nonvoting member when the Board is considering matters in his area of functional specialization. Where a matter comes before the Privacy Board which is the proper concern of an element of the staff which is not a member of the Board, that element will be permitted to participate in the resolution of such matter as a nonvoting member of the Board. The Adjutant General will serve as Chairman of the Board. Functions of the Board include: (1) To act on behalf of the Secretary of the Army in deciding all appeals of refusal to amend submitted in accordance with § 505.2. (2) To review all requests for exemptions made in accordance with § 505.7 and submit its recommendation to the Secretary. (3) To provide advice on the formulation of policy concerning the Army Privacy Program. (4) To act on such other matters as may be referred to the Board. (i) Designation of privacy officials. Heads of Army staff agencies and commanders of major Army commands and subordinate commands, installations, and activities exercising general courts martial jurisdiction will designate a privacy official to carry out required privacy functions for the agency head/commander. In addition, privacy coordinators may be designated at such subordinate commands and organizational subdivisions as are necessary to accomplish privacy responsibilities. One copy of all orders designating privacy officials for Army Staff agencies and major commands will be furnished HQDA (DAAG-AMR), Washington, D.C. 20314. (j) Duties of privacy officials. Privacy officials designated in accordance with paragraph (i) of this section will serve as staff officers on privacy matters for agency heads/commanders. The duties of a privacy official include: (1) Serving as a focal point for all privacy requests. (2) Ensuring that all systems of records subject to this rule are described by published system notices; such systems are not modified or otherwise expanded prior to public notification; and disclosure of personal information and accounting records thereof are in accordance with this rule. (3) Maintaining liaison with forms and reports management officials to ensure that privacy statements are prepared and issued for all forms, formats, and questionnaires subject to this rule. (4) Developing and providing, or arranging for the provision of a privacy training program for all personnel involved in the design, development, custody, maintenance, and use of a system of records. (5) Maintaining narrative and statistical data for preparation of the annual report required by paragraph (k) of this section. (k) Annual report. The heads of Army Staff agencies, commanding generals of major Army commands, heads of joint agencies and commands, and the Commander, Army and Air Force Exchange Service will prepare and submit to HQDA (DAAG-AMR) Washington, D.C. 20314, a consolidated report on privacy program activities in their areas of responsibility. The report will be for the calendar year ending December 31, and will be submitted in duplicate to reach HQDA by March 1, annually. Reports Control Symbol DD (A) 1379 applies, Annual reports will include, but not be limited to the following: (1) Summary. A brief management summary of the status of actions taken to comply with this rule, the results of these efforts, difficulties and problems encountered, and recommendations with full justification for changes in legislation, policies, or procedures. (2) Accomplishments. A summary of major accomplishments, such as improvements in information practices and safeguards. (3) Plans. A summary of major plans for privacy activities in the coming year; for example, areas of planned emphasis, strengthened safeguards, and training programs. (4) Exemptions. A list of systems or segments thereof in custody of the agency or command which are exempted from provisions of this rule pursuant to § 505.7, the estimated total number of records in each such system or segment thereof, and the reason for the exemption. (For manual records, count file folders, cards, or similar units; for automated records, reflect the number of individuals on whom information is maintained). (5) Significant changes in systems. A summary of the reasons for major changes in systems or segments thereof; for instance, the extent to which review of relevance and necessity for records has resulted in elimination of all or portions of systems of records, or any reduction in the number of individuals on whom records are maintained. |