32 CFR 806b.29 - Sending personal information over electronic mail.
(a) Exercise caution before transmitting personal information over e-mail to ensure it is adequately safeguarded. Some information may be so sensitive and personal that e-mail may not be the proper way to transmit it. When sending personal information over e-mail within DoD, ensure: There is an official need; all addressee(s) (including “cc” addressees) are authorized to receive it under the Privacy Act; and it is protected from unauthorized disclosure, loss, or alteration. Protection methods may include encryption or password protecting the information in a separate Word document. When transmitting personal information over e-mail, add “FOUO” to the beginning of the subject line, followed by the subject, and apply the following statement at the beginning of the e-mail:
“This e-mail contains For Official Use Only (FOUO) information which must be protected under the Privacy Act and Air Force Instruction 33-332.”
(b) Do not indiscriminately apply this statement to e-mails. Use it only in situations when you are actually transmitting personal information. DoD Regulation 5400.7/Air Force Supp, Chapter 4 3, provides additional guidance regarding For Official Use Only information.
(c) Do not disclose personal information to anyone outside DoD unless specifically authorized by the Privacy Act (see § 806b.47).
(d) Do not send Privacy Act information to distribution lists or group e-mail addresses unless each member has an official need to know the personal information. When in doubt, send only to individual accounts.
(e) Before forwarding e-mails you have received that contain personal information, verify that your intended recipients are authorized to receive the information under the Privacy Act (see § 806b.47).