32 CFR 326.4 - Policy.
(a) Records about individuals -
(1) Collection. The NRO will safeguard the privacy of individuals identified in its records. Information about an individual will, to the greatest extent practicable, be collected directly from the individual, and personal information will be protected from unintentional or unauthorized disclosure by treating it as marked ‘For Official Use Only.’ Access to personal information will be restricted to those employees whose official duties require it during the regular course of business.
(i) Privacy Act Statement. When an individual is requested to furnish personal information about himself for inclusion in a system of records, a Privacy Act Statement is required to enable him to make an informed decision whether to provide the information requested. A Privacy Act Statement may appear, in order of preference, at the top or bottom of a form, on the reverse side of a form, or attached to the form as a tear-off sheet.
(ii) Social Security Numbers (SSNs). It is unlawful for any governmental agency to deny an individual any right, benefit, or privilege provided by law because the individual refuses to provide his SSN. However, if a federal statute requires that the SSN be furnished or if the SSN is required to verify the identity of an individual in a system of records that was established and in use before January 1, 1975, this restriction does not apply. When collecting the SSN, a ‘qualified’ Privacy Act Statement must be provided even if the SSN will not be maintained in a system of records. The ‘qualified’ Privacy Act Statement shall inform the individual whether the disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.
(2) Maintenance. The NRO will maintain in its records only such information about an individual which is accurate, relevant, timely, and necessary to accomplish a purpose which is required by statute or Executive Order. All records used by the NRO to make determinations about individuals will be maintained with such accuracy and completeness as is reasonably necessary to assure fairness to the individual.
(3) Existence. The applicability of the Privacy Act depends on the existence of an identifiable record. The procedures described in NRO regulations do not require that a record be created or that an individual be given access to records that are not retrieved by name or other individual identifier. Nor do these procedures entitle an individual to have access to any information compiled in reasonable anticipation of a civil action or proceeding. NRO will maintain only those systems of records that have been described through notices published in the Federal Register. A system of records from which records may be retrieved by a name or some other personal identifier must be under NRO control for consideration under this part.
(4) Disposal. The NRO will archive, dispose of, or destroy records containing personal data in a manner to prevent specific records from being readily identified or inadvertently compromised.
(b) Evaluation of records. Statutory authority to establish and maintain a system of records does not grant unlimited authority to collect and maintain all information which may be useful or convenient. Directorates and offices maintaining records will evaluate each category of information in records systems for necessity and relevance prior to republication of all system notices in the Federal Register and during the design phase or change of a system of records. The following will be considered in the evaluation:
(1) Relationship of each item of information to the statutory purpose for which the system is maintained;
(2) Specific adverse consequences of not collecting each category of information; and
(3) Techniques for purging parts of the records.
(c) Disclosure of records. The NRO will provide the fullest access practicable by individuals to NRO records concerning them. Release of personal information to such individuals is not considered public release of information. Upon receipt of a written request, the NRO will release to individuals those records that are releasable and applicable to the individual making the request. Generally, information, other than that exempted by law and this part, will be provided to the individual. NRO personnel will comply with the Privacy Act of 1974, as amended, the DoD Privacy Act Program (32 CFR part 310), and the NRO Privacy Act Program. No NRO records shall be disclosed by any means of communication to any person or to any agency except pursuant to a written request by or the prior written consent of the individual to whom it pertains, unless disclosure of the record will be:
(1) To those employees of the NRO who have an official need for the record in the performance of their duties.
(2) Required to be disclosed to a member of the public under the Freedom of Information Act, as amended.
(3) For a routine use as defined in the Privacy Act.
(4) To the Census Bureau for the purpose of conducting a census or survey or related activity authorized by law.
(5) To a recipient who has provided the NRO with advance, adequate written assurance that the record will be used solely as statistical research and that the record is to be transferred in a form in which the individual is not identifiable.
(6) To the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the U. S. Government.
(7) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the U.S. for a civil or criminal law enforcement activity if such activity is authorized by law and if the head of the agency or governmental entity has made a written request to the NRO specifying the particular portion of the record and the law enforcement activity for which the record is sought (blanket requests will not be accepted); a record may also be disclosed to a law enforcement agency at the initiative of the NRO pursuant to the blanket routine use for law enforcement when criminal conduct is indicated in the record.
(8) To a person showing compelling circumstances affecting the health or safety of an individual if, upon such disclosure, notification is sent to the last known address of the individual to whom the record pertains (emergency medical information may be released by telephone).
(9) To Congress or any committee, joint committee, or subcommittee of Congress with respect to a matter under its jurisdiction. This provision does not authorize the disclosure of a record to members of Congress acting in their individual capacities or on behalf of their constituents making third party requests. However, such releases may be made pursuant to the blanket routine use for Congressional inquiries when a constituent has sought the assistance of his Congressman for the constituent's individual record(s).
(10) To the Comptroller General or any of his authorized representatives in the course of the performance of the duties of the General Accounting Office.
(11) Pursuant to an order of a court of competent jurisdiction. When the record is disclosed under compulsory legal process and when the issuance of that order or subpoena is made public by the court which issued it, the NRO will make reasonable efforts to notify the individual to whom the record pertains by mail at the most recent address contained in NRO records.
(12) To a consumer reporting agency in accordance with 31 U.S.C. 3711(f).
(d) Allocation of resources. NRO components shall exercise due diligence in their responsibilities under the Privacy Act and must devote a reasonable level of personnel to respond to requests on a ‘first-in, first-out’ basis. In allocating Privacy Act resources, the component shall consider its imposed business demands, the totality of resources available to it, the information review and release demands imposed by Congress and other governmental authorities, and the rights of the public under various disclosure laws. The PA Coordinator will establish priorities for cases consistent with established law to ensure that smaller as well as larger ‘project’ cases receive equitable attention.
(e) Written permission for disclosure. Disclosures made under circumstances not delineated in this part shall be made only if the written permission of the individual involved has been obtained. Written permission shall be recorded on or appended to the document transmitting the personal information to the other agency, in which case no separate accounting of the disclosure need be made. Written permission is required in each case; that is, once obtained, written permission for one case does not constitute blanket permission for other disclosures.
(f) Coordination with other government agencies. Records systems of the NRO may contain records originated by other agencies that may have claimed exemptions for them under the Privacy Act. Where appropriate, coordination will be effected with the originating agency. The NRO will comply with the instructions issued by another agency responsible for a system of records (e.g., Office of Personnel Management) in granting access to such records. Records containing information or interests of another government agency will not be released until coordination with the other agency involved. A request for information pertaining to the individual in an NRO record system received from another federal agency will be coordinated with the originating agency.
(g) Accounting for disclosure. Except for disclosures made under paragraphs (c)(1) and (c)(2) of this section, an accurate account of the disclosures shall be kept by the record holder in consultation with the Privacy Act Coordinator (PA Coordinator). There need not be a notation on a single document of every disclosure of a particular record. The record holder should be able to construct from its system of records the accounting information:
(1) When required by the individual to whom the record pertains, or
(2) When necessary to inform previous recipients of any amended records. The accounting shall be retained for at least five years or for the life of the record, whichever is longer, to be available for review by the subject of the record at his request except for disclosures made under paragraph (c)(7) of this section.
(h) Application of rules. Any request for access, amendment, correction, etc., of personal record information in a system of records by an individual to whom such information pertains will be governed by the Privacy Act of 1974, as amended, DoD regulatory authority, and this part, exclusively. Any denial or exemption of all or part of a record from access, disclosure, amendment, correction, etc., will be processed under DoD regulatory authority and this part, unless court order or other competent authority directs otherwise.
(i) First Amendment rights. No NRO official or component may maintain any information pertaining to the exercise by an individual of his rights under the First Amendment without the permission of that individual unless such collection is specifically authorized by statute or pertains to an authorized law enforcement activity.
(j) Non-system information on individuals. The following information is not considered part of personal records systems reportable under this part and may be maintained by NRO for ready identification, contact, and property control purposes only, provided it is not maintained in a system of records. If at any time the information described in this paragraph is being maintained in a system of records, the information is subject to the Privacy Act.
(1) Identification information at doorways, building directories, desks, lockers, name tags, etc.
(2) Geographical or agency contact cards.
(3) Property receipts and control logs for building passes, credentials, vehicles, etc.
(4) Personal working notes of employees that are merely an extension of the author's memory, if maintained properly, do not come under the Privacy Act. Personal notes are not considered official NRO records if they meet the following requirements:
(i) Keeping or discarding notes must be at the sole discretion of the author. Any requirement by supervising authority, whether by oral or written directive, regulation, policy, or memo to maintain such notes, likely would cause the notes to become official agency records.
(ii) Such notes must be restricted to the author's personal use as memory aids, and only the author may have access to them. Passing them to a successor or showing them to other personnel (including supporting staff such as secretaries) would likely cause them to become agency records.
(5) Rosters. The NRO has no restriction against rosters that contain only corporate information such as name, work telephone number, and position. Good recordkeeping practices dictate that only rosters that are relevant and necessary to the NRO's operations may be maintained, and therefore convenience rosters, which by definition do not satisfy the test, may not be maintained.