32 CFR Appendix B to Part 324, System of Records Notice
The following data captions are required for each system of records notice published in the Federal Register. An explanation for each caption is provided.
1. System identifier. The system identifier must appear in all system notices. It is limited to 21 positions, including agency code, file number, symbols, punctuation, and spaces.
2. Security classification. Self explanatory. (DoD does not publish this caption. However, each agency is responsible for maintaining the information.)
3. System name. The system name must indicate the general nature of the system of records and, if possible, the general category of individuals to whom it pertains. Acronyms should be established parenthetically following the first use of the name (e.g., ‘Field Audit Office Management Information System (FMIS)’). Acronyms shall not be used unless preceded by such an explanation. The system name may not exceed 55 character positions, including punctuation and spaces.
4. Security classification. This category is not published in the Federal Register but is required to be kept by the Headquarters Privacy Act Officer.
5. System location. a. For a system maintained in a single location, provide the exact office name, organizational identity, routing symbol, and full mailing address. Do not use acronyms in the location address.
b. For a geographically or organizationally decentralized system, describe each level of organization or element that maintains a portion of the system of records.
c. For an automated data system with a central computer facility and input or output terminals at geographically separate locations, list each location by category.
d. If multiple locations are identified by type of organization, the system location may indicate that official mailing addresses are published as an appendix to the agency's compilation of systems of records notices in the Federal Register. If no address directory is used, or if the addresses in the directory are incomplete, the address of each location where a portion of the record system is maintained must appear under the ‘system location’ caption.
e. Classified addresses shall not be listed but the fact that they are classified shall be indicated.
f. The U.S. Postal Service two-letter state abbreviation and the nine-digit zip code shall be used for all domestic addresses.
6. Categories of individuals covered by the system. Use clear, non technical terms which show the specific categories of individuals to whom records in the system pertain. Broad descriptions such as ‘all DFAS personnel’ or ‘all employees’ should be avoided unless the term actually reflects the category of individuals involved.
7. Categories of records in the system. Use clear, non technical terms to describe the types of records maintained in the system. The description of documents should be limited to those actually retained in the system of records. Source documents used only to collect data and then destroyed should not be described.
8. Authority for maintenance of the system. The system of records must be authorized by a Federal law or Executive Order of the President, and the specific provision must be cited. When citing federal laws, include the popular names (e.g., ‘ 5 U.S.C. 552a, The Privacy Act of 1974’) and for Executive Orders, the official titles (e.g., ‘ Executive Order 9397, Numbering System for Federal Accounts Relating to Individual Persons’).
9. Purpose(s). The specific purpose(s) for which the system of records was created and maintained; that is, the uses of the records within DFAS and the rest of the Department of Defense should be listed.
10. Routine uses of records maintained in the system, including categories of users and purposes of the uses. All disclosures of the records outside DoD, including the recipient of the disclosed information and the uses the recipient will make of it should be listed. If possible, the specific activity or element to which the record may be disclosed (e.g., ‘to the Department of Veterans Affairs, Office of Disability Benefits’) should be listed. General statements such as ‘to other Federal Agencies as required’ or ‘to any other appropriate Federal Agency’ should not be used. The blanket routine uses, published at the beginning of the agency's compilation, applies to all system notices, unless the individual system notice states otherwise.
11. Disclosure to consumer reporting agencies. This entry is optional for certain debt collection systems of records.
12. Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system. This section is divided into four parts.
13. Storage. The method(s) used to store the information in the system (e.g., ‘automated, maintained in computers and computer output products’ or ‘manual, maintained in paper files’ or ‘hybrid, maintained in paper files and in computers’) should be stated. Storage does not refer to the container or facility in which the records are kept.
14. Retrievability. How records are retrieved from the system (e.g., ‘by name,’ ‘by SSN,’ or ‘by name and SSN’) should be indicated.
15. Safeguards. The categories of agency personnel who use the records and those responsible for protecting the records from unauthorized access should be stated. Generally the methods used to protect the records, such as safes, vaults, locked cabinets or rooms, guards, visitor registers, personnel screening, or computer ‘fail-safe’ systems software should be identified. Safeguards should not be described in such detail as to compromise system security.
16. Retention and disposal. Describe how long records are maintained. When appropriate, the length of time records are maintained by the agency in an active status, when they are transferred to a Federal Records Center, how long they are kept at the Federal Records Center, and when they are transferred to the National Archives or destroyed should be stated. If records eventually are destroyed, the method of destruction (e.g., shredding, burning, pulping, etc.) should be stated. If the agency rule is cited, the applicable disposition schedule shall also be identified.
17. System manager(s) and address. The title (not the name) and address of the official or officials responsible for managing the system of records should be listed. If the title of the specific official is unknown, such as with a local system, the local director or office head as the system manager should be indicated. For geographically separated or organizationally decentralized activities with which individuals may correspond directly when exercising their rights, the position or title of each category of officials responsible for the system or portion thereof should be listed. Addresses that already are listed in the agency address directory or simply refer to the directory should not be included.
18. Notification procedures. Notification procedures describe how an individual can determine if a record in the system pertains to him/her. If the record system has been exempted from the notification requirements of subsection (f)(l) or subsection (e)(4)(G) of the Privacy Act, it should be so stated. If the system has not been exempted, the notice must provide sufficient information to enable an individual to request notification of whether a record in the system pertains to him/her. Merely referring to a DFAS regulation is not sufficient. This section should also include the title (not the name) and address of the official (usually the Program Manager) to whom the request must be directed; any specific information the individual must provide in order for DFAS to respond to the request (e.g., name, SSN, date of birth, etc.); and any description of proof of identity for verification purposes required for personal visits by the requester.
19. Record access procedures. This section describes how an individual can review the record and obtain a copy of it. If the system has been exempted from access and publishing access procedures under subsections (d)(1) and (e)(4)(H), respectively, of the Privacy Act, it should be so indicated. If the system has not been exempted, describe the procedures an individual must follow in order to review the record and obtain a copy of it, including any requirements for identity verification. If appropriate, the individual may be referred to the system manager or another DFAS official who shall provide a detailed description of the access procedures. Any addresses already listed in the address directory should not be repeated.
20. Contesting records procedures. This section describes how an individual may challenge the denial of access or the contents of a record that pertains to him or her. If the system of record has been exempted from allowing amendments to records or publishing amendment procedures under subsections (d)(1) and (e)(4)(H), respectively, of the Privacy Act, it should be so stated. If the system has not been exempted, this caption describes the procedures an individual must follow in order to challenge the content of a record pertaining to him/her, or explain how he/she can obtain a copy of the procedures (e.g., by contacting the Program Manager or the appropriate DFAS Privacy Act Officer).
21. Record source categories. If the system has been exempted from publishing record source categories under subsection (e)(4)(I) of the Privacy Act, it should be so stated. If the system has not been exempted, this caption must describe where DFAS obtained the information maintained in the system. Describing the record sources in general terms is sufficient; specific individuals, organizations, or institutions need not be identified.
22. Exemptions claimed for the system. If no exemption has been established for the sys-tem, indicate ‘None.’ If an exemption has been established, state under which provision of the Privacy Act it is established (e.g., ‘Portions of this system of records may be exempt under the provisions of 5 U.S.C. 552a(k)(2).’)