32 CFR 327.5 - Systems of records.
(a) System of records. To be subject to the provisions of this part, a “system of records” must:
(1) Consist of “records” that are retrieved by the name of an individual or some other personal identifier, and
(2) Be under the control of DeCA.
(b) Retrieval practices. Records in a group of records that may be retrieved by a name or personal identifier are not covered by this part even if the records contain personal data and are under the control of DeCA. The records MUST BE, in fact, retrieved by name or other personal identifier to become a system of records for DeCA.
(c) Relevance and necessity. Only those records that contain personal information which is relevant and necessary to accomplish a purpose required by Federal statute or an Executive Order will be maintained by DeCA.
(d) Authority to establish systems of records. Director, DeCA has the authority to establish systems of records; however, each time a system of records is established, the Executive Order or Federal statute that authorizes maintaining the personal information must be identified.
(1) DeCA will not maintain any records describing how an individual exercises his or her rights guaranteed by the First Amendment of the U.S. Constitution.
(2) These rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition.
(e) System manager's evaluation. Systems managers, along with the DeCA Privacy Officer, shall evaluate the information to be included in each new system before establishing the system and evaluate periodically the information contained in each existing system of records for relevancy and necessity. Such a review will also occur when a system notice amendment or alteration is prepared. Consider the following:
(1) The relationship of each item of information retained and collected to the purpose for which the system is maintained.
(2) The specific impact on the purpose or mission of not collecting each category of information contained in the system.
(3) The possibility of meeting the informational requirements through use of information not individually identifiable or through other techniques, such as sampling.
(4) The length of time each item of personal information must be retained.
(5) The cost of maintaining the information.
(6) The necessity and relevancy of the information to the purpose for which it was collected.
(f) Discontinued information requirements.
(1) When notification is received to stop collecting any category or item of personal information, the DeCA PA Officer will issue instructions to stop immediately and also excise this information from existing records, when feasible, and amend existing notice.
(2) Disposition of these records will be provided by the DeCA PA Officer in accordance with the DeCA Filing System. 3
3 Copies may be obtained: Defense Commissary Agency, ATTN: FOIA/Privacy Officer, 1300 E. Avenue, Fort Lee, VA 23801-1800.
(g) Government contractors.
(1) When DeCA contracts for the operation or maintenance of a system of records or a portion of a system of records by a contractor, the record system or the portion affected are considered to be maintained by DeCA and are subject to this part. DeCA is responsible for applying the requirements of this part to the contractor. The contractor and its employees are to be considered employees of DeCA for the purposes of the approved provisions of the Privacy Act during the performance of the contract. Consistent with the Defense Acquisition Regulation, contracts requiring the maintenance of a system of records or the portion of a system of records shall identify specifically the record system and the work to be performed and shall include in the solicitation and resulting contract such terms as are prescribed in the Defense Acquisition Regulation (DAR). 4
4 See footnote 3 to § 327.5.
(2) If the contractor must use or have access to individually identifiable information subject to this part to perform any part of a contract, and the information would have been collected and maintained by DeCA but for the award of the contract, these contractor activities are subject to this part.
(3) The restrictions in paragraphs (g)(1) and (g)(2) of this section do not apply to records:
(i) Established and maintained to assist in making internal contractor management decisions such as those maintained for use in managing the contract.
(ii) Those maintained as internal contractor employee records even when used in conjunction with providing goods and services to DeCA.
(4) Disclosure of records to contractors. Disclosure of personal records to a contractor for the use in the performance of any DeCA contract is considered a disclosure within the Department of Defense (DoD). The contractor is considered the agent of DeCA and is to be maintaining and receiving the records for DeCA.
(h) Safeguarding personal information. DeCA personnel will protect records in every system of records for confidentiality against alteration, unauthorized disclosure, embarrassment, or unfairness to any individual about when information is kept.
(1) Supervisor/Manager paper records maintained by DeCA personnel will be treated as ‘For Official Use Only’ (FOUO) documents and secured in locked file cabinets, desks or bookcases during non-duty hours. During normal working hours, these records will be out-of-sight if the working area is accessible to non-government personnel.
(2) Personnel records maintained by DeCA computer room or stand alone systems, will be safeguarded at all times. Printed computer reports containing personal data must carry the markings FOUO. Other media storing personal data such as tapes, reels, disk packs, etc., must be marked with labels which bear FOUO and properly safeguarded.
(3) Adherence to paragraphs (h)(1) and (h)(2) of this section, fulfills the requirements of 32 CFR part 285.
(i) Records disposal.
(1) DeCA records containing personal data will be shredded or torn to render the record unrecognizable or beyond reconstruction.
(2) The transfer of large quantities of DeCA records containing personal data to disposal activities is not considered a release of personal information under this part. The volume of such transfers makes it difficult or impossible to identify easily specific individual records. Care must be exercised to ensure that the bulk is maintained so as to prevent specific records from becoming readily identifiable. If the bulk is amintained, no special procedures are required. if the bulk cannot be maintained, dispose of the records by shredding or tearing to render the record unrecognizable or beyond reconstruction.