32 CFR 505.3 - Privacy Act systems of records.
(a) Systems of records.
(1) A system of records is a group of records under the control of a DA activity that are retrieved by an individual's name or by some identifying number, symbol, or other identifying particular assigned to an individual.
(2) Privacy Act systems of records must be -
(i) Authorized by Federal statute or an Executive Order;
(ii) Needed to carry out DA's mission; and
(iii) Published in the Federal Register in a system of records notice, which will provide the public an opportunity to comment before DA implements or changes the system.
(3) The mere fact that records are retrievable by a name or personal identifier is not enough. Records must actually be retrieved by a name or personal identifier. Records in a group of records that may be retrieved by a name or personal identifier but are not normally retrieved by this method are not covered by this part. However, they are covered by AR 25-55, the Department of the Army Freedom of Information Act Program.
(4) The existence of a statute or Executive Order mandating the maintenance of a system of records to perform an authorized activity does not abolish the responsibility to ensure the information in the system of records is relevant and necessary to perform the authorized activity.
(b) Privacy Act system of records notices.
(1) DA must publish notices in the Federal Register on new, amended, altered, or deleted systems of records to inform the public of the Privacy Act systems of records that it maintains. The Privacy Act requires submission of new or significantly changed systems of records to OMB and both houses of Congress before publication in the Federal Register (See Appendix E of this part).
(2) Systems managers must send a proposed notice at least 120 days before implementing a new, amended or altered system to the DA Freedom of Information and Privacy Office. The proposed or altered notice must include a narrative statement and supporting documentation. A narrative statement must contain the following items:
(i) System identifier and name;
(ii) Responsible Official, title, and phone number;
(iii) If a new system, the purpose of establishing the system or if an altered system, nature of changes proposed;
(iv) Authority for maintenance of the system;
(v) Probable or potential effects of the system on the privacy of individuals;
(vi) Whether the system is being maintained, in whole or in part, by a contractor;
(vii) Steps taken to minimize risk of unauthorized access;
(viii) Routine use compatibility;
(ix) Office of Management and Budget information collection requirements; and
(x) Supporting documentation as an attachment. Also as an attachment should be the proposed new or altered system notice for publication in the Federal Register.
(3) An amended or altered system of records is one that has one or more of the following:
(i) A significant increase in the number, type, or category of individuals about whom records are maintained;
(ii) A change that expands the types of categories of information maintained;
(iii) A change that alters the purpose for which the information is used;
(iv) A change to equipment configuration (either hardware or software) that creates substantially greater access to the records in the system of records;
(v) An addition of an exemption pursuant to Section (j) or (k) of the Act; or
(vi) An addition of a routine use pursuant to 5 U.S.C. 552a(b)(3).
(4) For additional guidance contact the DA FOIA/P Office.
(5) On behalf of DA, the Defense Privacy Office maintains a list of DOD Components' Privacy Act system of records notices at the Defense Privacy Office's Web site http://www.defenselink.mil/privacy.
(6) DA PAM 25-51 sets forth procedures pertaining to Privacy Act system of records notices.
(7) For new systems, system managers must establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records. This applies to all new systems of records whether maintained manually or automated.
(i) One safeguard plan is the development and use of a Privacy Impact Assessment (PIA) mandated by the E-Gov Act of 2002, Section 208. The Office of Management and Budget specifically directs that a PIA be conducted, reviewed, and published for all new or significantly altered information in identifiable form collected from or about the members of the public. The PIA describes the appropriate administrative, technical, and physical safeguards for new automated systems. This will assist in the protection against any anticipated threats or hazards to the security or integrity of data, which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. Contact your local Information Officer for guidance on conducting a PIA.
(ii) The development of appropriate safeguards must be tailored to the requirements of the system as well as other factors, such as the system environment, location, and accessibility.