(a) Purpose. This part sets forth policies and procedures that govern personal information maintained by the Department of the Army (DA) in Privacy Act systems of records. This part also provides guidance on collecting and disseminating personal information in general. The purpose of the Army Privacy Act Program is to balance the government's need to maintain information about individuals with the right of individuals to be protected against unwarranted invasions of their privacy stemming from Federal agencies' collection, maintenance, use and disclosure of personal information about them. Additionally, this part promotes uniformity within the Army's Privacy Act Program.
(b) References:(1) Referenced publications are listed in Appendix A of this part.
(c) Definitions are provided at Appendix H of this part.
(d) Responsibilities.(1) The Office of the Administrative Assistant to the Secretary of the Army will—
(i) Act as the senior Army Privacy Official with overall responsibility for the execution of the Department of the Army Privacy Act Program;
(ii) Develop and issue policy guidance for the program in consultation with the Army General Counsel; and
(iii) Ensure the DA Privacy Act Program complies with Federal statutes, Executive Orders, Office of Management and Budget guidelines, and 32 CFR part 310.
(2) The Chief Attorney, Office of the Administrative Assistant to the Secretary of the Army (OAASA) will—
(i) Provide advice and assistance on legal matters arising out of, or incident to, the administration of the DA Privacy Act Program;
(ii) Serve as the legal advisor to the DA Privacy Act Review Board. This duty may be fulfilled by a designee in the Chief Attorney and Legal Services Directorate, OAASA;
(iii) Provide legal advice relating to interpretation and application of the Privacy Act of 1974; and
(iv) Serve as a member on the Defense Privacy Board Legal Committee. This duty may be fulfilled by a designee in the Chief Attorney and Legal Services Directorate, OAASA.
(3) The Judge Advocate General will serve as the Denial Authority on requests made pursuant to the Privacy Act of 1974 for access to or amendment of Army records, regardless of functional category, concerning actual or potential litigation in which the United States has an interest.
(4) The Chief, DA Freedom of Information Act and Privacy Office (FOIA/P), U.S. Army Records Management and Declassification Agency will—
(i) Develop and recommend policy;
(ii) Execute duties as the Army's Privacy Act Officer;
(iii) Promote Privacy Act awareness throughout the DA;
(iv) Serve as a voting member on the Defense Data Integrity Board and the Defense Privacy Board;
(v) Represent the Department of the Army in DOD policy meetings; and
(vi) Appoint a Privacy Act Manager who will—
(A) Administer procedures outlined in this part;
(B) Review and approve proposed new, altered, or amended Privacy Act systems of records notices and subsequently submit them to the Defense Privacy Office for coordination;
(C) Review Department of the Army Forms for compliance with the Privacy Act and this part;
(D) Ensure that reports required by the Privacy Act are provided upon request from the Defense Privacy Office;
(E) Review Computer Matching Agreements and recommend approval or denial to the Chief, DA FOIA/P Office;
(F) Provide Privacy Act training;
(G) Provide privacy guidance and assistance to DA activities and combatant commands where the Army is the Executive Agent;
(H) Ensure information collections are developed in compliance with the Privacy Act provisions;
(I) Ensure Office of Management and Budget reporting requirements, guidance, and policy are accomplished; and
(J) Immediately review privacy violations of personnel to locate the problem and develop a means to prevent recurrence of the problem.
(5) Heads of Department of the Army activities, field-operating agencies, direct reporting units, Major Army commands, subordinate commands down to the battalion level, and installations will—
(i) Supervise and execute the privacy program in functional areas and activities under their responsibility; and
(ii) Appoint a Privacy Act Official who will—
(A) Serve as the staff advisor on privacy matters;
(B) Ensure that Privacy Act records collected and maintained within the Command or agency are properly described in a Privacy Act system of records notice published in the Federal Register ;
(C) Ensure no undeclared systems of records are being maintained;
(D) Ensure Privacy Act requests are processed promptly and responsively;
(E) Ensure a Privacy Act Statement is provided to individuals when information is collected that will be maintained in a Privacy Act system of records, regardless of the medium used to collect the personal information (i.e., forms, personal interviews, stylized formats, telephonic interviews, or other methods);
(F) Review, biennially, recordkeeping practices to ensure compliance with the Act, paying particular attention to the maintenance of automated records. In addition, ensure cooperation with records management officials on such matters as maintenance and disposal procedures, statutory requirements, forms, and reports; and
(G) Review, biennially Privacy Act training practices. This is to ensure all personnel are familiar with the requirements of the Act.
(6) DA Privacy Act System Managers and Developers will—
(i) Ensure that appropriate procedures and safeguards are developed, implemented, and maintained to protect an individual's personal information;
(ii) Ensure that all personnel are aware of their responsibilities for protecting personal information being collected and maintained under the Privacy Act Program;
(iii) Ensure official filing systems that retrieve records by name or other personal identifier and are maintained in a Privacy Act system of records have been published in the Federal Register as a Privacy Act system of records notice. Any official who willfully maintains a system of records without meeting the publication requirements, as prescribed by 5 U.S.C. 552a, as amended, OMB Circular A-130, 32 CFR part 310 and this part, will be subject to possible criminal penalties and/or administrative sanctions;
(iv) Prepare new, amended, or altered Privacy Act system of records notices and submit them to the DA Freedom of Information and Privacy Office for review. After appropriate coordination, the system of records notices will be submitted to the Defense Privacy Office for their review and coordination;
(v) Review, biennially, each Privacy Act system of records notice under their purview to ensure that it accurately describes the system of records;
(vi) Review, every four years, the routine use disclosures associated with each Privacy Act system of records notice in order to determine if such routine use continues to be compatible with the purpose for which the activity collected the information;
(vii) Review, every four years, each Privacy Act system of records notice for which the Secretary of the Army has promulgated exemption rules pursuant to Sections (j) or (k) of the Act. This is to ensure such exemptions are still appropriate;
(viii) Review, every year, contracts that provide for the maintenance of a Privacy Act system of records to accomplish an activity's mission. This requirement is to ensure each contract contains provisions that bind the contractor, and its employees, to the requirements of 5 U.S.C. 552a(m)(1); and
(ix) Review, if applicable, ongoing Computer Matching Agreements. The Defense Data Integrity Board approves Computer Matching Agreements for 18 months, with an option to renew for an additional year. This additional review will ensure that the requirements of the Privacy Act, Office of Management and Budget guidance, local regulations, and the requirements contained in the Matching Agreements themselves have been met.
(7) All DA personnel will—
(i) Take appropriate actions to ensure personal information contained in a Privacy Act system of records is protected so that the security and confidentiality of the information is preserved;
(ii) Not disclose any personal information contained in a Privacy Act system of records except as authorized by 5 U.S.C. 552a, DOD 5400.11-R, or other applicable laws. Personnel willfully making a prohibited disclosure are subject to possible criminal penalties and/or administrative sanctions; and
(iii) Report any unauthorized disclosures or unauthorized maintenance of new Privacy Act systems of records to the applicable activity's Privacy Act Official.
(8) Heads of Joint Service agencies or commands for which the Army is the Executive Agent or the Army otherwise provides fiscal, logistical, or administrative support, will adhere to the policies and procedures in this part.
(9) Commander, Army and Air Force Exchange Service, will supervise and execute the Privacy Program within that command pursuant to this part.
(10) Overall Government-wide responsibility for implementation of the Privacy Act is the Office of Management and Budget. The Department of Defense is responsible for implementation of the Act within the armed services. The Privacy Act also assigns specific Government-wide responsibilities to the Office of Personnel Management and the General Services Administration.