32 CFR 318.15 - Rules of conduct.
(a) DTRA personnel shall:
(1) Take such actions, as considered appropriate, to ensure that personal information contained in a system of records, to which they have access or are using incident to the conduct of official business, shall be protected so that the security and confidentiality of the information shall be preserved.
(2) Not disclose any personal information contained in any system of records except as authorized by 32 CFR part 310 or other applicable law or regulation. Personnel willfully making such a disclosure when knowing the disclosure is prohibited are subject to possible criminal penalties and/or administrative sanctions.
(3) Report any unauthorized disclosure of personal information from a system of records or the maintenance of any system of records that are not authorized by the Instruction to the DTRA Privacy Act Officer.
(b) DTRA system managers for each system of records shall:
(1) Ensure that all personnel who either have access to the system of records or who shall develop or supervise procedures for the handling of records in the system of records shall be aware of their responsibilities for protecting personnel information being collected and maintained under the DTRA Privacy Program.
(2) Promptly notify the Privacy Act Officer of any required new, amended, or altered system notices for the system of records.
(3) Not maintain any official files on individuals, which are retrieved by name or other personal identifier without first ensuring that a notice for the system of records shall have been published in the Federal Register. Any official who willfully maintains a system of records without meeting the publication requirements, as prescribed by 5 U.S.C. 552a, OMB Circular A-130, and 32 CFR part 310, is subject to possible criminal penalties and/or administrative sanctions.