(a) The Counsel, DISA, is hereby designated the Privacy Act Officer for DISA and is responsible for insuring that an internal DISA Privacy Program is established and maintained. He will also insure that all echelons of DISA effectively comply with and implement 32 CFR part 310.
(b) The Civilian Assistant to the Chief of Staff will be responsible for the annual reporting requirements contained in 32 CFR 310.5.
(c) DISA System Managers and other appropriate DISA officials will:
(1) Insure compliance with the provisions of 32 CFR 310.9.
(2) Comply with the provisions of 32 CFR 286a.11. In this area the Assistant to the Director for Administration will provide assistance.
(3) Adhere to the following:
(i) Within DISA, the System Manager of any record system will assure that records pertaining to an individual will be disclosed, upon request, to the individual to whom the record pertains. The individual need not state a reason or otherwise justify the need to gain access. A person of the individual's choosing may accompany the individual when the record is disclosed. The System Manager may require the individual to furnish a written statement authorizing discussion of the individual's records in the presence of the accompanying person. If requested, the System Manager will have a copy made of all or any portion of the record pertaining to the individual in a form comprehensible to the requester.
(ii) The System Manager may release records to the individual's representative who has the written consent of the individual. The System Manager will require reasonable identification of individuals to assure that records are disclosed to the proper person. No verification of identity will be required of an individual seeking access to records which are otherwise available to any member of the public under the Freedom of Information Act. Identification requirements should be consistent with the nature of the records being disclosed. For disclosure of records to an individual in person, the System Manager will require that the individual show some form of identification. For records disclosed to an individual in person or by mail, the System Manager may require whatever identifying information is needed to locate the record; i.e., name, social security number, date of birth. If the sensitivity of the data warrants, the System Manager may require a signed notarized statement of identity. The System Manager may compare the signatures of the requester with those in the records to verify identity. An individual will not be denied access to his record for refusing to disclose his social security number unless disclosure is required by statute or by regulation adopted before 1 January 1975. An individual will not be denied access to records pertaining to him because the records are exempted from disclosure under the provisions of the Freedom of Information Act.
(iii) The System Manager will not deny access to a record or a copy thereof to an individual solely because its physical presence is not readily available (i.e. on magnetic tape) or because the context of the record may disclose sensitive information about another individual. To protect the personal privacy of other individuals who may be identified in a record, the System Manager shall prepare an extract to delete only that information which would not be releasable to the requesting individual under the Freedom of Information Act.
(iv) When the System Manager is of the opinion that the disclosure of medical information could have an adverse effect upon the individual to whom it pertains, the System Manager will promptly request the individual to submit the name and address of a doctor who will determine whether the medical record may be disclosed directly to the individual. The System Manager will then request the opinion of the doctor named by the individual on whether a medical record may be disclosed to the individual. The System Manager shall disclose the medical record to the individual to whom it pertains unless, in the judgment of the doctor, access to the record could have an adverse effect upon the individual's physical or mental health. In this event the System Manager will transmit the record to the doctor and immediately inform the individual.
(v) The fees to be charged, if any, to an individual for making copies of his record, excluding the cost of any search for and review of the record, will be in accordance with the ``Schedule of Fees'' as set forth in 32 CFR 286.5 and 286.10.
(vi) The System Manager of the record will permit an individual to request amendment of a record pertaining to the individual. Requests to amend records shall be in person or in writing and shall be submitted to the System Manager who maintains the records. Such requests should contain as a minimum, identifying information needed to locate the record, a brief description of the item or items of information to be amended, and the reason for the requested change.
(vii) The System Manager will provide a written acknowledgment of the receipt of a request to amend a record to the individual who requested the amendment within 10 days (excluding Saturdays, Sundays, and legal public holidays) after the date of receipt of such request. Such an acknowledgment may, if necessary, request any additional information needed to make a determination. No acknowledgment is required if the request can be reviewed and processed and the individual notified of compliance or denial within the 10 day period.
(viii) The System Manager will promptly take one of the following actions on requests to amend records:
(A) Refer the request to the agency or office that has control of and maintains the record in those instances where the record requested remains the property of the controlling office or agency.
(B) In accordance with existing statute, regulation, or administrative procedure, make any correction of any portion thereof which the individual believes is not accurate, relevant, timely or complete, or
(C) Inform the individual of the System Manager's refusal to amend the record in accordance with the individual's request, the reason for the refusal, and the individual's right to request a review of the refusal by the Director, DISA, through the DISA Privacy Act Board.
(ix) The DISA Privacy Act Board will be comprised of the DISA Counsel, as Chairman; the Assistant to the Director for Administration, and the Assistant to the Director for Personnel; or in their absence, their authorized representatives. The individual who disagrees with the refusal of the System Manager to amend his record may request a review of this refusal by the DISA Privacy Act Board. The request for the review may be made orally or in writing and shall be made to the System Manager. The System Manager will promptly forward the request for review to the Chairman of the Board to make a proper review. The Board will promptly review the matter. If, after review, the Board is unanimous in its decision that the record be amended in accordance with the request of the individual then the Chairman of the Board shall so notify the System Manager. The System Manager will immediately make the necessary corrections to the record and will promptly notify the individual. The System Manager will, if an accounting of disclosure of the record has been made, advise all previous recipients of the record, which was corrected, of the correction and its substance. This will be done in all instances when a record is amended. If, after review, the Board decides that the request for amendment should be denied, it will promptly forward its recommendation to the Director, DCA. A majority vote of the members of the Board will constitute a recommendation to the Director.
(x) The Director, DISA, upon receipt of the Board's recommendation, will complete the review and make a final determination.
(xi) If the Director, DISA, after his review, agrees with the individual's request to amend the record, he will, through the DISA Counsel, so advise the individual in writing. The System Manager will receive a copy of the Director's decision and will assure that the record is corrected accordingly and that if an accounting of disclosure of the record has been made, advise all previous recipients of the record which was corrected of the correction and its substance.
(xii) If, after his review, the Director refuses to amend the records as the individual requested, he will, through the DISA Counsel, advise the individual of his refusal and the reasons for it; of the individual's right to file a concise statement setting forth the reasons for the individual's disagreement with the decision of the Director, DISA; that the statement which is filed will be made available to anyone to whom the record is subsequently disclosed together with, at the discretion of the Agency, a brief statement by the Agency summarizing its reasons for refusing to amend the record; that prior recipients of the disputed record will be provided a copy of any statement of dispute to the extent that an accounting of disclosures was maintained; and of the individual's right to seek judicial review of the Agency's refusal to amend a record.
(xiii) The Director's final determination on the individual's request for a review of the System Manager's initial refusal to amend the record must be concluded within 30 days (excluding Saturdays, Sundays, and legal public holidays) from the date on which the individual requested such review unless the Director determines that a fair and equitable review cannot be made within that time. If additional time is required, the individual will be informed in writing of reasons for the delay and of the approximate date on which the review is expected to be completed.
(xiv) After the Director, DISA has refused to amend a record and the individual has filed a statement setting forth the reasons for the individual's disagreement with the decision of the Director, the System Manager will clearly note any portion of the record which is disputed. The System Manager's notation should make clear that the record is disputed and this should be apparent to anyone who may subsequently have access to, use, or disclose the record. When the System Manager has previously disclosed or will subsequently disclose that portion of the record which is disputed he will note that that portion of the record is disputed and will provide the recipients of the record with a copy of the individual's statement setting forth the reasons for the individual's disagreement with the decision of the Director not to amend the record. The System Manager will also provide recipients of the disputed record with a brief summary of the Director's reasons for not making the requested amendments to the record.
(xv) Nothing herein shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.
(xvi) Any requests by an individual for access to or copies of his records shall be processed in accordance with this part and 32 CFR part 310.
(d) DISA System Managers will be:
(1) Responsible for complying with the provisions contained in 32 CFR 310.8 relating to the disclosure to others of personal records, obtaining the written consent of individuals to whom the record pertains, and for keeping an accurate accounting of each disclosure of a record.
(2) Responsible for providing to the Civilian Assistant to the Chief of Staff the information requested in 32 CFR 310.5. However, the information will be reported on a quarterly basis with the first report due to the Civilian Assistant to the Chief of Staff by 31 December 1975.
(e) The Assistant to the Director for Administration, Headquarters, DCA will:
(1) Be responsible for furnishing written guidelines to assist System Managers and other DISA officials in evaluating and implementing paperwork management procedures required under the Privacy Act of 1974. In this regard it should be noted that the Act establishes a number of requirements. Among these are the requirements:
(i) To disclose records contained in a system of records only under conditions specified in the law,
(ii) To maintain an accounting of such disclosures,
(iii) To establish procedures for the disclosure to an individual of his record or information pertaining to him,
(iv) For reviewing a request concerning the amendment of such record, and
(v) For permitting individuals to file a statement of disagreement which will be forwarded with subsequent disclosures. The guidelines will cover those portions of the Privacy Act which requires paperwork systems for implementation. In preparing those guidelines the Assistant to the Director for Administration will make use of the ``Records Management System for Implementing the Privacy Act'' as provided by the GSA and National Archives and Records Service, Office of Records Management. The GSA and NARA procedures and guidelines will be adapted and modified as required to meet DISA needs.
(2) Be responsible for providing the ``Forms'' which are required to comply with 32 CFR 310.9(b).
(f) The Assistant to the Director for Personnel, Headquarters, DISA will:
(1) Be responsible for development, within DISA, of an appropriate training program for all DISA personnel whose duties involve responsibilities for systems of records affected by the Privacy Act.
(2) Assure that DISA personnel involved in the design, development, operation, or maintenance of any system of records, as defined in 32 CFR 310.6 are informed of all requirements to protect the privacy of the individuals who are subjects of the records. The criminal penalties and civil suit aspects of the Privacy Act will be emphasized.
(3) Assure that within DISA administrative and physical safeguards are established to protect information from unauthorized or unintentional access, disclosure, modification or destruction and to insure that all persons whose official duties require access to or processing and maintenance of personal information are trained in the proper safeguarding and use of such information. [40 FR 55535, Nov. 28, 1975. Redesignated and amended at 57 FR 6074, Feb. 20, 1992; 62 FR 26389, May 14, 1997]