(a) The Director's Chief of Staff (DC) is responsible for overseeing the administration of the PA. The Director of Policy (DC3), or the Deputy Director of Policy, if so designated, shall carry out this responsibility on behalf of the Chief of Staff and shall:
(1) Provide policy guidance to NSA/CSS on PA issues.
(2) Provide policy guidance to PA coordinators for processing PA requests from NSA/CSS employees who will be using the records within NSA/CSS spaces.
(3) Provide training of NSA/CSS employees and contractors in the requirements of the PA. Specialized training is provided to special investigators and employees who deal with the news media or the public.
(4) Receive, process, and respond to PA requests from individuals and employees who require the information for use outside of NSA/CSS spaces.
(i) Conduct the appropriate search for and review of records.
(ii) Provide the requester with copies of all releasable material.
(iii) Notify the requester of any adverse determination, including his/her right to appeal an adverse determination to the NSA/CSS Appeal Authority.
(iv) Assure the timeliness of responses.
(5) Receive, process and respond to PA amendment requests to include:
(i) Obtain comments and supporting documentation from the organization originating the record.
(ii) Conduct a review of all documentation relevant to the request.
(iii) Advise the requester of the Agency's decision.
(iv) Notify the requester of any adverse determination, including his/her right to appeal the adverse determination to the NSA/CSS Appeal Authority.
(v) Direct the appropriate Agency organization to amend a record and advise other record holders to amend the record when a decision is made in favor of a requester.
(vi) Assure the timeliness of responses.
(6) Ensure that Agency employees (internal requesters) who have access to NSA/CSS spaces are given access to all or part of a PA record to which the employee was denied access by the record holder when, after a review of the circumstances by the Director of Policy, it is determined that access should be granted. For those individuals who do not have access to NSA/CSS spaces, see Sec. 322.6 of this part.
(7) Conduct Agency reviews in accordance with OMB Circular A-130 \1\ and 32 CFR part 310.
\1\ Available from http://www.whitehouse.gov/omb/circulars/index.html.
(8) Deposit in the U.S. Treasury all fees collected as a result of charges levied for the duplication of records provided under the PA and maintain the necessary accounting records for such fees.
(b) The NSA/CSS Privacy Act Appeal Authority is designated as the reviewing authority for requests for review of denials by the Director of Policy to provide access to a record and/or to amend a record. The PA Appeal Authority is the Deputy Director, NSA. In the absence of the Deputy Director, the Director's Chief of Staff serves as the Appeal Authority.
(c) The General Counsel (GC) or his designee shall:
(1) Advise on all legal matters concerning the PA.
(2) Advise the Director of Policy and other NSA/CSS organizations, as appropriate, of legal decisions including rulings by the Justice Department and actions by the DoD Privacy Board involving the PA.
(3) Review proposed responses to PA requests to ensure legal sufficiency, as appropriate.
(4) Provide a legal review of proposed Privacy Act notices and amendments for submission to the Defense Privacy Office.
(5) Assist, as required, in the preparation of PA reports for the Department of Defense and other authorities.
(6) Review proposals to collect PA information for legal sufficiency, assist in the development of PA statements and warning statements when required and approve prior to use.
(7) Represent the Agency in all judicial actions related to the PA by providing support to the Department of Justice and by keeping the DoD Office of General Counsel apprised of pending PA litigation. A litigation status sheet will be provided to the Defense Privacy Office.
(8) Assist in the education of new and current employees, including contractors, to the requirements of the PA.
(9) Review PA and PA Amendment appeals, prepare responses, and submit them to the NSA/CSS Appeal Authority for final decision.
(10) Notify the Director of Policy of the outcome of all appeals.
(d) The Associate Director for Human Resources Services or designee shall:
(1) Establish the physical security requirements for the protection of personal information and ensure that such requirements are maintained.
(2) Establish and ensure compliance with procedures governing the pledging of confidentiality to sources of information interviewed in connection with inquiries to determine suitability, eligibility or qualifications for Federal employment, Federal contracts, or access to classified information.
(3) Retain copies of records processed pursuant to the PA. The retention schedule is six years from the date records were provided to the requester if deletions were made and two years if records were provided in their entirety.
(4) Ensure the prompt delivery of all PA requests to the Director of Policy.
(5) Ensure the prompt delivery of all Privacy Act appeals of an adverse determination to the NSA/CSS PA Appeal Authority staff.
(6) Ensure that forms used to collect PA information meet the requirements of the PA.
(7) Compile, when required, estimates of cost incurred in the preparation or modification of forms requiring PA Statements.
(8) Assist in the development of training courses to educate new and current Agency employees, including contractors, of the provisions of the PA.
(9) Respond to PA requests for access to records, as appropriate.
(10) Establish procedures for the protection of personal information and ensure compliance with the procedures.
(e) The Inspector General (IG) shall:
(1) Be alert to Privacy Act compliance and to managerial, administrative, and operational problems associated with the implementation of this part and document any such problems and remedial actions, if any, in official reports to responsible Agency officials, when appropriate.
(2) Respond, as appropriate, to PA requests.
(3) Establish procedures for the protection of personal records under the control or in the possession of OIG and ensure compliance with the procedures.
(f) Chiefs of Directorates, Associate Directorates, and Field Elements shall:
(1) Ensure that no systems or subsets of Systems of Records other than those published in the Federal Register are maintained within their components or field elements.
(2) Establish rules of conduct for persons who design, use or maintain Systems of Records within their components or field elements and ensure compliance with these rules.
(3) Establish, in consultation with the Associate Director of Human Resources or designee, the physical security requirements for the protection of personal information and ensure that such requirements are maintained.
(4) Ensure that no records are maintained within their components or field elements which describe how any individual exercises rights guaranteed by the First Amendment to the Constitution of the United States unless expressly authorized by statute, or by the individual about whom the record is maintained, or unless pertinent to, and within the scope of, an authorized law enforcement activity.
(5) Ensure that records contained in the Systems of Records within their components or field elements are not disclosed to anyone other than in conformance with the Privacy Act, to include the routine uses for such records published in the Federal Register.
(6) Maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the Agency required to be accomplished by statute and Executive Order.
(7) Maintain all records which are used by the Agency in making any determination about any individual with such accuracy, relevancy, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in any determination.
(8) Establish procedures for protecting the confidentiality of personal records maintained or processed by computer systems and ensure compliance with the procedures.
(9) Designate a primary and alternate PA coordinator to be responsible for PA matters and inform the Office of Policy of the designations. Subordinate PA coordinators may be appointed at office level.
(10) Ensure that the Privacy Act coordinators acquire the necessary training in the theory and administration of the Privacy Act.
(11) Ensure that the Privacy Act coordinators conduct, to the extent practicable, on-the-job PA training of supervisors and records handlers in their organizations.
(12) Respond to PA requests to review records, as appropriate.
(13) Establish procedures for the protection of personal records and ensure compliance with the procedures.
(14) Establish procedures to ensure that requests for copies of PA records needed for external use, outside of NSA/CSS, shall be delivered to the Director of Policy immediately upon receipt once the request is identified as a Privacy Act request or appears to be intended as such a request.
(15) Publish, as necessary, internal PA procedures which are consistent with the Privacy Act and this part.
(16) Maintain an accounting of disclosures of records as described in Sec. 322.5 of this part.
(17) Coordinate with the Office of the General Counsel any proposed new record systems or changes (either alterations or amendments) to existing systems. Notice of new record systems or alterations to existing systems must be published in the Federal Register at least 30 days and Congress and the Office of Management and Budget must be given 40 days to review the new/altered system before implementation.
(18) Collect and forward to the Director of Policy information necessary to prepare reports, as requested.
(19) Respond promptly to the Director of Policy and the PA Appeal Authority decisions concerning the granting of access to records, amending records, or filing statements of disagreements.
(20) Ensure that forms (paper or electronic) used to collect PA information meet the requirements of the PA.
(21) Establish procedures to ensure that requests to conduct computer matching are forwarded to the Director of Policy.
(g) Each field element shall designate a Privacy Act (PA) Coordinator to ensure compliance with this part and to receive and, where appropriate, process PA requests. Section 322.6 of this part describes the procedure for individuals to gain access to records and the responsibilities of the PA Coordinators. Consistent with the provisions of 32 CFR parts 285 and 286 and 32 CFR part 310, special procedures apply to the disclosure of certain medical records and psychological records. Field elements should consult the PA Coordinator of the Office of Occupational Health, Environment and Safety Services before disclosing such information. (See paragraph (d)(9) of this section.)
(h) All NSA/CSS organizations and field elements responsible for electronic/paper forms or other methods used to collect personal information from individuals shall determine, with General Counsel's concurrence, which of those forms or methods require Privacy Act Statements and shall prepare the required statements. The Office of Policy requires that all organizations or elements using such forms or methods ensure that respondents read, understand, and sign the statements before supplying the requested information. In addition, organizations must obtain the approval of the Director of Policy and the Office of General Counsel prior to the collection of personal information in electronic format.