32 CFR 310.17 - Individual access to personal information.
(a) Individual access.
(1) The access provisions of this part are intended for use by individuals who seek access to records about themselves that are maintained in a system of records. Release of personal information to individuals under this part is not considered public release of the information.
(2) Make available to the individual to whom the record pertains all of the personal information contained in the system of records except where access may be denied pursuant to an exemption claimed for the system (see subpart F to this part). However, when the access provisions of this subpart are not available to the individual due to a claimed exemption, the request shall be processed to provide information that is disclosable pursuant to the DoD Freedom of Information Act program (see 32 CFR, part 286).
(b) Individual requests for access. Individuals shall address requests for access to personal information in a system of records to the system manager or to the office designated in the DoD Component procedural rules or the system notice.
(c) Verification of identity.
(1) Before granting access to personal data, an individual may be required to provide reasonable proof of his or her identity.
(2) Identity verification procedures shall not:
(i) Be so complicated as to discourage unnecessarily individuals from seeking access to information about themselves; or
(ii) Be required of an individual seeking access to records that normally would be available under the DoD Freedom of Information Act Program (see 32 CFR, part 286).
(iii) When an individual seeks personal access to records pertaining to themselves in person, proof of identity is normally provided by documents that an individual ordinarily possesses, such as employee and military identification cards, driver's license, other licenses, permits or passes used for routine identification purposes.
(iv) When access is requested by mail, identity verification may consist of the individual providing certain minimum identifying data, such as full name, date and place of birth, or such other personal information necessary to locate the record sought and information that is ordinarily only known to the individual. If the information sought is of a sensitive nature, additional identifying data may be required. An unsworn declaration under penalty of perjury (28 U.S.C. 1746, “Unsworn Declaration under Penalty of Perjury”) or notarized signatures are acceptable as a means of proving the identity of the individual.
(A) If an unsworn declaration is executed within the United States, its territories, possessions, or commonwealths, it shall read “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”
(B) If an unsworn declaration is executed outside the United States, it shall read “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”
(v) If an individual wishes to be accompanied by a third party when seeking access to his or her records or to have the records released directly to a third party, the individual may be required to furnish a signed access authorization granting the third-party access.
(vi) An individual shall not be refused access to his or her record solely because he or she refuses to divulge his or her SSN unless the SSN is the only method by which retrieval can be made. (See § 310.15(b).)
(vii) The individual is not required to explain or justify his or her need for access to any record under this part.
(viii) Only a denial authority may deny access and the denial must be in writing and contain the information required by 310.18.
(d) Granting individual access to records.
(1) Grant the individual access to the original record or an exact copy of the original record without any changes or deletions, except when deletions have been made in accordance with paragraph (e) of this Section. For the purpose of granting access, a record that has been amended under § 310.19(b)is considered to be the original. See paragraph (e) of this Section for the policy regarding the use of summaries and extracts.
(2) Provide exact copies of the record when furnishing the individual copies of records under this part.
(3) Explain in terms understood by the requestor any record or portion of a record that is not clear.
(e) Illegible, incomplete, or partially exempt records.
(1) Do not deny an individual access to a record or a copy of a record solely because the physical condition or format of the record does not make it readily available (for example, deteriorated state or on magnetic tape). Either prepare an extract or recopy the document exactly.
(2) If a portion of the record contains information that is exempt from access, an extract or summary containing all of the information in the record that is releasable shall be prepared.
(3) When the physical condition of the record or its state makes it necessary to prepare an extract for release, ensure the extract can be understood by the requester.
(4) Explain to the requester all deletions or changes to the records.
(f) Access to medical records.
(1) Access to medical records is not only governed by the access provisions of this part but also by the access provisions of DoD 6025.18-R. The Privacy Act, as implemented by this part, however, provides greater access to an individual's medical record than that authorized by DoD 6025.18-R.
(2) Medical records in a system of records shall be disclosed to the individual to whom they pertain, even if a minor, but when it is believed that access to such records could have an adverse effect on the mental or physical health of the individual or may result in harm to a third party, the following special procedures apply.
(i) If a determination is made in consultation with a medical doctor that release of the medical information may be harmful to the mental or physical health of the individual or to a third party, the Component shall:
(A) Send the record to a physician named by the individual; and
(B) In the transmittal letter to the physician explain why access by the individual without proper professional supervision could be harmful (unless it is obvious from the record).
(ii) The Component shall not require the physician to request the records for the individual.
(3) If the individual refuses or fails to designate a physician, the record shall not be provided. Such refusal of access is not considered a denial under the Privacy Act (see paragraph (a) of § 310.18).
(4) If records are provided the designated physician, but the physician declines or refuses to provide the records to the individual, the DoD Component is under an affirmative duty to take action to deliver the records to the individual by whatever means deemed appropriate. Such action should be taken expeditiously especially if there has been a significant delay between the time the records were furnished the physician and the decision by the physician not to release the records.
(5) Access to a minor's medical records may be granted to his or her parents or legal guardians. However, access is subject to the restrictions as set forth at paragraph C9.7.3 of DoD 6025.18-R.
(6) All members of the Military Services and all married persons are not considered minors regardless of age, and the parents of these individual do not have access to their medical records without written consent of the individual.
(g) Access to information compiled in anticipation of civil action (see § 310.27).
(h) Non-Agency records.
(1) Certain documents under the physical control of DoD personnel and used to assist them in performing official functions, are not considered “Agency records” within the meaning of this part. Uncirculated personal notes and records that are not disseminated or circulated to any person or organization (for example, personal telephone lists or memory aids) that are retained or discarded at the author's discretion and over which the Component exercises no direct control are not considered Agency records. However, if personnel are officially directed or encouraged, either in writing or orally, to maintain such records, they may become “Agency records,” and may be subject to this part.
(2) The personal uncirculated handwritten notes of unit leaders, office supervisors, or military supervisory personnel concerning subordinates are not systems of records within the meaning of this part. Such notes are an extension of the individual's memory. These notes, however, must be maintained and discarded at the discretion of the individual supervisor and not circulated to others. Any established requirement to maintain such notes (such as, written or oral directives, regulations, or command policy) may transform these notes into “Agency records” and they then must be made a part of a system of records. If the notes are circulated, they must be made a part of a system of records. Any action that gives personal notes the appearance of official Agency records is prohibited, unless the notes have been incorporated into a system of records.
(i) Relationship between the Privacy Act (5 U.S.C. 552a) and the FOIA (5 U.S.C. 552). Not all requesters are knowledgeable of the appropriate statutory authority to cite when requesting records. In some instances, they may cite neither Act, but will imply one or both Acts. The below guidelines are provided to ensure requesters are given the maximum amount of information as authorized under both statutes. (1) Process requests for individual access as follows:
(i) If the records are required to be released under the Privacy Act, the FOIA (32 CFR part 286) does not bar release even if a FOIA exemption could be invoked if the request had been processed solely under FOIA. Conversely, if the records are required to be released under the FOIA, the Privacy Act does not bar disclosure.
(ii) Requesters who seek records about themselves contained in a Privacy Act system of records, and who cite or imply only the Privacy Act, will have their records processed under the provisions of this part and the FOIA (32 CFR part 286). If the system of records is exempt from the access provisions of this part, and if the records, or any portion thereof, are exempt under the FOIA, the requester shall be advised and informed of the appropriate Privacy and FOIA exemption. Only if the records can be denied under both statutes may the Department withhold the records from the individual. Appeals shall be processed under both Acts.
(iii) Requesters who seek records about themselves that are not contained in a Privacy Act system of records, and who cite or imply only the Privacy Act, will have their requests processed under the provisions of the FOIA (32 CFR part 286), because the access provisions of this part do not apply. Appeals shall be processed under the FOIA.
(iv) Requesters who seek records about themselves that are contained in a Privacy Act system of records, and who cite or imply the FOIA or both Acts, will have their requests processed under the provisions of this part and the FOIA (32 CFR part 286). If the system of records is exempt from the access provisions of this part, and if the records, or any portion thereof, are exempt under the FOIA, the requester shall be advised and informed of the appropriate Privacy and FOIA exemption. Appeals shall be processed under both Acts.
(v) Requesters who seek records about themselves that are not contained in a Privacy Act system of records, and who cite or imply the Privacy Act and FOIA, will have their requests processed under the FOIA (32 CFR part 286), because the access provisions of this part do not apply. Appeals shall be processed under the FOIA.
(2) Do not deny individuals' access to personal information concerning themselves that would otherwise be releasable to them under either Act solely because they fail to cite or imply either Act or cite the wrong Act or part.
(3) Explain to the requester which Act(s) was(were) used when granting or denying access under either Act.
(j) Time limits. DoD Components normally shall acknowledge requests for access within 10 working days after receipt and provide access within 30 working days.
(k) Privacy case file. Establish a Privacy Act case file when required. (See paragraph (p) of § 310.19.)