32 CFR 310.8 - Rules of conduct.
In accordance with section (e)(9) of The Privacy Act, this section provides DoD rules of conduct for the development, operation, and maintenance of systems of records. DoD personnel and DoD contractor personnel will:
(a) Take action to ensure that any PII contained in a system of records that they access and use to conduct official business will be protected so that the security and confidentiality of the information is preserved.
(b) Not disclose any PII contained in any system of records, except as authorized by The Privacy Act, or other applicable statute, Executive order, regulation, or policy. Those willfully making any unlawful or unauthorized disclosure, knowing that disclosure is prohibited, may be subject to criminal penalties and/or administrative sanctions.
(c) Report any unauthorized disclosures of PII from a system of records to the applicable Privacy point of contact (POC) for the respective DoD Component.
(d) Report the maintenance of any system of records not authorized by this part to the applicable Privacy POC for the respective DoD Component.
(e) Minimize the collection of PII to that which is relevant and necessary to accomplish a purpose of the DoD.
(f) Not maintain records describing how any individual exercises rights guaranteed by the First Amendment, except:
(1) When specifically authorized by statute.
(2) When expressly authorized by the individual that the record is about.
(3) When the record is pertinent to and within the scope of an authorized law enforcement activity, including authorized intelligence or administrative activities.
(g) Safeguard the privacy of all individuals and the confidentiality of all PII.
(h) Limit the availability of records containing PII to DoD personnel and DoD contractors who have a need to know in order to perform their duties.
(i) Prohibit unlawful possession, collection, or disclosure of PII, whether or not it is within a system of records.
(j) Ensure that all DoD personnel and DoD contractors who either have access to a system of records or develop or supervise procedures for handling records in a system of records are aware of their responsibilities and are properly trained to safeguard PII being maintained under the DoD Privacy Program.
(k) Prepare any required new, amended, or altered SORN for a given system of records and submit the SORN through their DoD Component Privacy POC to the Chief, DPCLD, for coordination and submission for publication in the FR.
(l) Not maintain any official files on individuals, which are retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual, also known as a system of records, without first ensuring that a notice has been published in the FR. Any official who willfully maintains a system of records without meeting the publication requirements as prescribed by this part and The Privacy Act may be subject to criminal penalties and/or administrative sanctions.
(m) Maintain all records in a mixed system of records as if all the records in such a system are subject to The Privacy Act.