32 CFR § 505.2 - General provisions.
(1) Protect the privacy of living United States citizens and aliens lawfully admitted for permanent residence from unwarranted intrusion.
(2) Deceased individuals do not have Privacy Act rights, nor do executors or next-of-kin in general. However, immediate family members may have limited privacy rights in the manner of death details and funeral arrangements of the deceased individual. Family members often use the deceased individual's Social Security Number (SSN) for federal entitlements; appropriate safeguards must be implemented to protect the deceased individual's SSN from release. Also, the Health Insurance Portability and Accountability Act extends protection to certain medical information contained in a deceased individual's medical records.
(3) Personally identifiable health information of individuals, both living and deceased, shall not be used or disclosed except for specifically permitted purposes.
(8) Let individuals know what Privacy Act records the Army maintains by publishing Privacy Act system of records notices in the Federal Register. This will enable individuals to review and make copies of these records, subject to the exemptions authorized by law and approved by the Secretary of the Army. Department of the Army Privacy Act systems of records notices are available at http://www.defenselink.mil/privacy.
(11) Act on all requests promptly, accurately, and fairly.
(13) Maintain no records describing how an individual exercises his or her rights guaranteed by the First Amendment (freedom of religion, freedom of political beliefs, freedom of speech and press, freedom of peaceful assemblage, and petition) unless expressly authorized by statute, pertinent to and within the scope of an authorized law enforcement activity, or otherwise authorized by law or regulation.
(b) Safeguard personal information.
(2) Personal information should never be placed on shared drives that are accessed by groups of individuals unless each person has an “official need to know” the information in the performance of official duties.
(3) Safeguarding methods must strike a balance between the sensitivity of the data, need for accuracy and reliability for operations, general security of the area, and cost of the safeguards. In some situations, a password may be enough protection for an automated system with a log-on protocol. For additional guidance on safeguarding personal information in automated records see AR 380-67, The Department of the Army Personnel Security Program.
(c) Conveying privacy protected data electronically via e-mail and the World Wide Web.
(1) Unencrypted electronic transmission of privacy protected data makes the Army vulnerable to information interception, which can cause serious harm to the individual and to the accomplishment of the Army's mission.
(2) The Privacy Act requires that appropriate technical safeguards be established, based on the media (e.g., paper, electronic) involved, to ensure the security of the records and to prevent compromise or misuse during transfer.
(3) Privacy Web sites and hosted systems with privacy-protected data will employ Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI) encryption certificates or other DoD-approved commercially available certificates for server authentication and client/server authentication. Individuals who transmit data containing personally identifiable information over e-mail will employ PKI or other DoD-approved certificates.
(4) When sending Privacy Act protected information within the Army using encrypted or dedicated lines, ensure that -
(i) There is an “official need to know” for each addressee (including “cc” addressees); and
(ii) The Privacy Act protected information is marked For Official Use Only (FOUO) to inform the recipient of limitations on further dissemination. For example, add FOUO to the beginning of an e-mail message, along with the following language: “This contains FOR OFFICIAL USE ONLY (FOUO) information which is protected under the Privacy Act of 1974 and AR 340-21, The Army Privacy Program. Do not further disseminate this information without the permission of the sender.”
(iii) Do not indiscriminately apply this statement. Use it only when actually transmitting protected Privacy Act information.
(iv) For additional information about marking documents “FOUO” review AR 25-55, Chapter IV.
(5) Add appropriate “Privacy and Security Notices” at major Web site entry points. Refer to AR 25-1, para 6-4n for requirements for posting “Privacy and Security Notices” on public Web sites. Procedures related to the establishing, operating, and maintaining of unclassified DA Web sites can be accessed at http://www.defenselink.mil/webmasters/policy/DOD_web_policy.
(6) Ensure public Web sites comply with policies regarding restrictions on persistent and third-party cookies. The Army prohibits both persistent and third-party cookies. (See AR 25-1, para 6-4n.)
(7) A Privacy Advisory is required on Web sites which host information systems soliciting personally identifying information, even when that information is not maintained in a Privacy Act system of records. The Privacy Advisory informs the individual why the information is solicited and how it will be used. Post the Privacy Advisory to the Web site page where the information is being solicited, or to a well-marked hyperlink stating “Privacy Advisory - Please refer to the Privacy and Security Notice that describes why this information is collected and how it will be used.”
(d) Protecting records containing personal identifiers such as names and Social Security Numbers.
(1) Only those records covered by a Privacy Act system of records notice may be arranged to permit retrieval by a personal identifier (e.g., an individual's name or Social Security Number). AR 25-400-2, paragraph 6-2 requires all records covered by a Privacy Act system of records notice to include the system of record identification number on the record label to serve as a reminder that the information contained within must be safeguarded.
(3) When developing a coversheet, the following is an example of a statement that you may use: “The information contained within is FOR OFFICIAL USE ONLY (FOUO) and protected by the Privacy Act of 1974.”
(e) Notification of individuals when personal information is lost, stolen, or compromised.
(1) Whenever an Army organization becomes aware that protected personal information pertaining to a Service member, civilian employee (appropriated or non-appropriated fund), military retiree, family member, or another individual affiliated with an Army organization (e.g., volunteer) has been lost, stolen, or compromised, the organization shall inform the affected individuals as soon as possible, but not later than ten days after the loss or compromise of protected personal information is discovered.
(2) At a minimum, the organization shall advise individuals of what specific data was involved; the circumstances surrounding the loss, theft, or compromise; and what protective actions the individual can take.
(3) If Army organizations are unable to comply with this policy, they will immediately notify their superiors, who will submit a memorandum through the chain of command to the Administrative Assistant to the Secretary of the Army explaining why the affected individuals' or population's personal information has been lost, stolen, or compromised.
(f) Federal government contractors' compliance.
(1) When a DA activity contracts for the design, development, or operation of a Privacy Act system of records in order to accomplish a DA mission, the agency must apply the requirements of the Privacy Act to the contractor and its employees working on the contract (See 48 CFR part 24 and other applicable supplements to the FAR; 32 CFR part 310).
(2) System Managers will annually review the contracts contained within the system(s) of records under their responsibility to determine which ones contain provisions relating to the design, development, or operation of a Privacy Act system of records.
(3) Contractors are considered employees of the Army for the purpose of the sanction provisions of the Privacy Act during the performance of the contract requirements.
(4) Disclosing records to a contractor for use in performing the requirements of an authorized DA contract is considered a disclosure within the agency under exception (b)(1), “Official Need to Know”, of the Act.