It is DoD policy that:
(a) An individual's privacy is a fundamental legal right that must be respected and protected.
(1) The DoD's need to collect, use, maintain, or disseminate (also known and referred to in this part as "maintain") PII about individuals for purposes of discharging its statutory responsibilities will be balanced against their right to be protected against unwarranted privacy invasions.
(2) The DoD protects individuals' rights, consistent with federal laws, regulations, and policies, when maintaining their PII.
(3) DoD personnel and DoD contractors have an affirmative responsibility to protect an individual's privacy when maintaining his or her PII.
(4) Consistent with section 1016(d) of Public Law 108-458 and section 1 of Executive Order 13388, "Further Strengthening the Sharing of Terrorism Information to Protect Americans", the DoD will protect information privacy and provide other protections relating to civil liberties and legal rights in the development and use of the information sharing environment.
(b) The DoD establishes rules of conduct for DoD personnel and DoD contractors involved in the design, development, operation, or maintenance of any system of records. DoD personnel and DoD contractors will be trained with respect to such rules and the requirements of this section and any other rules and procedures adopted pursuant to this section and the penalties for noncompliance. The DoD Rules of Conduct are established in Sec. 310.8.
(c) DoD personnel and DoD contractors conduct themselves consistent with the established rules of conduct in Sec. 310.8, so that records maintained in a system of records will only be maintained as authorized by 5 U.S.C. 552a and this part.
(d) DoD legislative, regulatory, or other policy proposals will be evaluated to ensure consistency with the information privacy requirements of this part.
(e) Pursuant to The Privacy Act, no record will be maintained on how an individual exercises rights guaranteed by the First Amendment to the Constitution of the United States (referred to in this part as "the First Amendment"), except:
(1) When specifically authorized by statute.
(2) When expressly authorized by the individual that the record is about.
(3) When the record is pertinent to and within the scope of an authorized law enforcement activity, including an authorized intelligence or administrative investigation.
(f) Disclosure of records pertaining to an individual from a system of records is prohibited except with his or her consent or as otherwise authorized by 5 U.S.C. 552a and this part or 32 CFR part 286. When DoD Components make such disclosures, the individual may, to the extent authorized by 5 U.S.C. 552a and this part, obtain a description of such disclosures from the Component concerned.
(g) Disclosure of records pertaining to personnel of the National Security Agency, the Defense Intelligence Agency, the National Reconnaissance Office, and the National Geospatial-Intelligence Agency is prohibited to the extent authorized by Public Law 86-36, "National Security Agency-Officers and Employees" and 10 U.S.C. 424. Disclosure of records pertaining to personnel of overseas, sensitive, or routinely deployable units is prohibited to the extent authorized by 10 U.S.C. 130b.
(h) The DoD establishes appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom information is maintained.
(i) Disclosure of PHI will be consistent with DoD 6025.18-R.
(j) All DoD personnel and DoD contractors will be provided training pursuant to 5 U.S.C. 552a and OMB Circular No. A-130.
(k) PII collected, used, maintained, or disseminated will be:
(1) Relevant and necessary to accomplish a lawful DoD purpose required by statute or Executive Order.
(2) Collected to the greatest extent practicable directly from the individual. He or she will be informed as to why the information is being collected, the authority for collection, how it will be used, whether disclosure is mandatory or voluntary, and the consequences of not providing that information.
(3) Relevant, timely, complete, and accurate for its intended use.
(4) Protected using appropriate administrative, technical, and physical safeguards based on the media (e.g., paper, electronic) involved. Protection will ensure the security of the records and prevent compromise or misuse during maintenance, including working at authorized alternative worksites.
(l) Individuals are permitted, to the extent authorized by 5 U.S.C. 552a and this part, to:
(1) Upon request by an individual, gain access to records or to any information pertaining to the individual which is contained in a system of records.
(2) Obtain a copy of such records, in whole or in part.
(3) Correct or amend such records once it has been determined that the records are not accurate, relevant, timely, or complete.
(4) Appeal a denial for a request to access or a request to amend a record.
(m) Non-U.S. citizens and aliens not lawfully admitted for permanent residence may request access to and amendment of records pertaining to them; however, this part does not create or extend any right pursuant to The Privacy Act to them.
(n) SORNs and notices of proposed or final rulemaking are published in the Federal Register (FR), and reports are submitted to Congress and OMB, in accordance with 5 U.S.C. 552a, OMB Circular No. A-130, and this part, Volume 1 of DoD Manual 8910.01, "DoD Information Collections Manual: Procedures for DoD Internal Information Collections" (available at http://www.dtic.mil/whs/directives/corres/pdf/891001m_vol1.pdf), and DoD Instruction 5545.02, "DoD Policy for Congressional Authorization and Appropriations Reporting Requirements" (available at http://www.dtic.mil/whs/directives/corres/pdf/554502p.pdf). Information about an individual maintained in a new system of records will not be collected until the required SORN publication and review requirements are satisfied.
(o) All DoD personnel must make reasonable efforts to inform an individual, at their last known address, when any record about him or her is disclosed:
(1) Due to a compulsory legal process.
(2) In a manner that will become a matter of public record.
(p) Individuals must be notified in a timely manner, consistent with the requirements of this part, if there is a breach of their PII.
(q) At least 30 days prior to disclosure of information pursuant to subparagraph (e)(4)(D) (routine uses) of The Privacy Act, the DoD will publish an FR notice of any new use or intended use of the information in the system, and provide an opportunity for interested people to submit written data, views, or arguments to the agency.
(r) Computer matching programs between the DoD Components and federal, state, or local governmental agencies are conducted in accordance with the requirements of 5 U.S.C. 552a, OMB Circular No. A-130, and this part.
(s) The DoD will publish in the FR notice any establishment or revision of a matching program at least 30 days prior to conducting such program of such establishment or revision if any DoD Component is a recipient agency or a source agency in a matching program with a non-federal agency.

[80 FR 4208, Jan. 27, 2015]