32 CFR 320.3 - Responsibilities.
(a) Director of NGA:
(1) Implements the NGA privacy program.
(2) Designates the Director of the Public Affairs Office as the NGA Initial Denial Authority;
(3) Designates the Chief of Staff as the Appellate Authority.
(4) Designates the General Counsel as the NGA Privacy Act Officer and the principal point of contact for matters involving the NGA privacy program.
(b) NIMA General Counsel:
(1) Oversees systems of records maintained throughout NIMA, administered by Information Services. This includes coordinating all notices of new systems of records and changes to existing systems for publication in the Federal Register.
(2) Coordinates all denials of requests for access to or amendment of records.
(3) Assesses and collects fees for costs associated with processing Privacy Act requests and approves or denies requests for fee waivers. Fees collected are forwarded through Financial Management Directorate to the U.S. Treasury.
(4) Prepares the annual report to the Defense Privacy Office.
(5) Oversees investigations of allegations of unauthorized maintenance, disclosure, or destruction of records.
(6) Conducts or coordinates Privacy Act training for NGA personnel as needed, including training for public affairs officers and others who deal with the public and news media.
(c) NIMA System Managers:
(1) Ensure that all personnel who either have access to a system of records or who are engaged in developing or supervising procedures for handling records in a system of records are aware of their responsibilities for protecting personal information.
(2) Prepare notices of new systems of records and changes to existing systems for publication in the Federal Register.
(6) Safeguard records to ensure that they are protected from unauthorized alteration or disclosure.
(7) Dispose of records in accordance with accepted records management practices to prevent inadvertent compromise. Disposal methods such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction.