Code of Federal Regulations (alpha)

Title 32, Part 327, Sec. 327.8 Disclosure of personal information to other agencies

(a) Disclosures and nonconsensual disclosures. (1) All requests made by DeCA individuals for personal information about other individuals (third parties) will be processed under DeCA Directive 30-12 \7\ except when the third party personal information is contained in the Privacy record of the individual making the request.

\7\ See footnote 3 to Sec. 327.5.

(2) For the purposes of disclosure and disclosure accounting, the Department of Defense is considered a single agency.

(3) Personal information from DeCA systems of records will not be disclosed outside the DoD unless:

(i) The record has been requested by the individual to whom it pertains,

(ii) Written consent has been given by the individual to whom the record pertains for release to the requesting agency, activity, or individual, or

(iii) The release is pursuant to one of the specific nonconsensual purposes set forth in the Act.

(4) Records may be disclosed without the consent of a DeCA individual to any DoD official who has need for the record in the performance of their assigned duties. Rank, position, or title alone does not authorize this access. An official need for this information must exist.

(5) DeCA records must be disclosed if their release is required by 32 CFR part 285, which is implemented by DeCA Directive 30-12.\8\ 32 CFR part 285 requires that records be made available to the public unless exempt from disclosure under the FOIA.

\8\ See footnote 3 to Sec. 327.5.

(b) Normally releasable information. Personal information that is normally releasable without the consent of a DeCA individual that does not imply a clearly unwarranted invasion of personal privacy:

(1) Civilian employees:

(i) Name,

(ii) Present and past position titles,

(iii) Present and past grades,

(iv) Present and past salaries,

(v) Present and past duty stations,

(vi) Office or duty telephone numbers,

(2) Military members:

(i) Full name,

(ii) Rank,

(iii) Date of rank,

(iv) Gross salary,

(v) Past duty assignments,

(vi) Present duty assignments,

(vii) Future assignments that are officially established,

(viii) Office or duty telephone numbers,

(ix) Source of commission,

(x) Promotion sequence number,

(xi) Awards and decorations,

(xii) Attendance at professional military schools,

(xiii) Duty status at any given time.

(3) All disclosures of personal information on civilian employees shall be made in accordance with the Office of Personnel Management (OPM) and all disclosures of personal information on military members shall be made in accordance with the standards established by 32 CFR part 285.

(4) The release of DeCA employees' home addresses and home telephone numbers is considered a clearly unwarranted invasion of personal privacy and is prohibited; however, these may be released without prior consent of the employee if:

(i) The employee has indicated previously that he or she consents to their release,

(ii) The releasing official was requested to release the information under the provisions of 32 CFR part 285.

(5) Before listing home addresses and home telephone numbers in any DeCA telephone directory, give the individuals the opportunity to refuse such a listing.

(c) Disclosures for established routine uses. (1) Records may be disclosed outside of DeCA without consent of the individual to whom they pertain for an established routine use.

(2) A routine use shall:

(i) Be compatible with the purpose for which the record was collected;

(ii) Indicate to whom the record may be released;

(iii) Indicate the uses to which the information may be put by the receiving agency; and

(iv) Have been published previously in the Federal Register.

(3) A routine use will be established for each user of the information outside DeCA who needs official access to the records. This use may be discontinued or amended without the consent of the individual/s involved. Any routine use that is new or changed is published in the Federal Register 30 days before actually disclosing the record. In addition to routine uses established by DeCA individual system notices, blanket routine uses have been established. See Appendix C to this part.

(d) Disclosure without consent. DeCA records may be disclosed without the consent of the individual to whom they pertain to another agency within or under the control of the U.S. for a civil or criminal law enforcement activity if:

(1) The civil or criminal law enforcement activity is authorized by law (Federal, State, or local); and

(2) The head of the agency or instrumentality (or designee) has made a written request to the Component specifying the particular record or portion desired and the law enforcement activity for which it is sought.

(3) Blanket requests for any and all records pertaining to an individual shall not be honored. The requesting agency or instrumentality must specify each record or portion desired and how each relates to the authorized law enforcement activity.

(4) This disclosure provision applies when the law enforcement agency or instrumentality requests the record. If the DoD Component discloses a record outside the DoD for law enforcement purposes without the individual's consent and without an adequate written request, the disclosure must be pursuant to an established routine use, such as the blanket routine use for law enforcement.

(e) Disclosures to the public from health care records. (1) The following general information may be released to the news media or public concerning a DeCA employee treated or hospitalized in DoD medical facilities and non-Federal facilities for whom the cost of the care is paid by DoD:

(i) Personal information concerning the patient that is provided in Sec. 327.8 and under provisions of 32 CFR part 285.

(ii) The medical condition such as the date of admission or disposition and the present medical assessment of the individual's condition in the following terms if the medical doctor has volunteered the information:

(A) The individual's condition is presently (stable) (good) (fair) (serious) or (critical), and

(B) Whether the patient is conscious, semi-conscious or unconscious.

(2) Detailed medical and other personal information may be released on a DeCA employee only if the employee has given consent to the release. If the employee is not conscious or competent, no personal information, except that required by 32 CFR part 285, will be released until there has been enough improvement in the patient's condition for them to give informed consent.

(3) Any item of personal information may be released on a DeCA patient if the patient has given consent to its release.

(4) This part does not limit the disclosure of personal medical information for other government agencies' use in determining eligibility for special assistance or other benefits provided disclosure is pursuant to a routine use.

Sec. Appendix A to Part 327--Sample DeCA Response Letter

Mrs. Floria Employee
551 Florida Avenue
Oakland, CA 94618

Dear Mrs. Employee: This responds to your Privacy Act request dated (enter date of request), in which you requested (describe requested records).

Your request has been referred to our headquarters for further processing. They will respond directly to you. Any questions concerning your request may be made telephonically (enter Privacy Officer's telephone number) or in writing to the following address:

Defense Commissary Agency, Safety, Security, and Administration, Attention: FOIA/PA Officer, Fort Lee, VA 23801-1800.

I trust this information is responsive to your needs. (Signature block)

Sec. Appendix B to Part 327--Internal Management Control Review Checklist

(a) Task: Personnel and/or Organization Management.

(b) Subtask: Privacy Act (PA) Program.

(c) Organization:

(d) Action officer:

(e) Reviewer:

(f) Date completed:

(g) Assessable unit: The assessable units are HQ, DeCA, Regions, Central Distribution Centers, Field Operating Activities, and commissaries. Each test question is annotated to indicate which organization(s) is (are) responsible for responding to the question(s). Assessable unit managers responsible for completing this checklist are shown in the DeCA, MCP, DeCA Directive 70-2.\1\

\1\ Copies may be obtained: Defense Commissary Agency, ATTN: FOIA/Privacy Officer, 1300 E. Avenue, Fort Lee, VA 23801-1800.

(h) Event cycle 1: Establish and implement a Privacy Act Program.

(1) Risk: If prescribed policies, procedures and responsibilities of the Privacy Act Program are not adhered to, sensitive private information on individuals can be given out to individuals.

(2) Control Objectives: The prescribed policies, procedures and responsibilities contained in 5 U.S.C. 552a are followed to protect individual privacy and information release.

(3) Control Techniques: 32 CFR part 310 and DeCA Directive 30-13,\2\ Privacy Act Program.

\2\ See footnote 1 to this Appendix B.

(i) Ensure that a PA program is established and implemented.

(ii) Appoint an individual with PA responsibilities and ensure the designation of appropriate staff to assist.

(4) Test Questions: Explain rationale for YES responses or provide cross-references where rationale can be found. For NO responses, cross-reference to where corrective action plans can be found. If response is NA, explain rationale.

(i) Is a PA program established and implemented in DeCA to encompass procedures for subordinate activities? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:

(ii) Is an individual appointed PA responsibilities? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:

(iii) Are the current names and office telephone numbers furnished OSD, Private Act Office of the PA Officer and the IDA? (DeCA HQ/SA). Response: Yes / No / NA. Remarks:

(iv) Is the annual PA report prepared and forwarded to OSD, Defense Privacy Office? (DeCA HQ/SA). Response: Yes / No / NA. Remarks:

(v) Is PA awareness training/orientation provided? Is in-depth training provided for personnel involved in the establishment, development, custody, maintenance and use of a system of records? (DeCA HQ/SA, Region). Response: Yes / No / NA. Remarks:

(vi) Is the PA Officer consulted by information systems developers for privacy requirements which need to be included as part of the life cycle management of information consideration in information systems design? (DeCA HQ/SA, Region). Response: Yes / No / NA. Remarks:

(vii) Is each system of records maintained by DeCA supported by a Privacy Act System Notice and has the systems notice been published in the Federal Register? (DeCA HQ/SA). Response: Yes / No / NA. Remarks:

(i) Event cycle 2: Processing PA Requests.

(1) Risk: Failure to process PA requests correctly could result in privacy information being released which subjects the Department of Defense, DeCA or individuals to criminal penalties.

(2) Control Objective: PA requests are processed correctly.

(3) Control Technique:

(i) Ensure PA requests are logged into a formal control system.

(ii) Ensure PA requests are answered promptly and correctly.

(iii) Ensure DeCA records are only withheld when they fall under the general and specific exemptions of 5 U.S.C. 552a and one or more of the nine exemptions under DeCA Directive 30-12,\3\ Freedom of Information Act (FOIA) Program.

\3\ See footnote 1 to this Appendix B.

(iv) Ensure all requests are coordinated through the General Counsel.

(v) Ensure all requests are denied by the DeCA IDA.

(vi) Ensure all appeals are forwarded to the Director DeCA or his designee.

(4) Test Questions:

(i) Are PA requests logged into a formal control system? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:

(ii) Are individual requests for access acknowledged within 10 working days after receipt? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:

(iii) When more than 10 working days are required to respond to a PA request, is the requester informed, explaining the circumstances for the delay and provided an approximate date for completion? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:

(iv) Are DeCA records withheld only when they fall under one or more of the general or specific exemptions of the PA or one or more of the nine exemptions of the FOIA? (DeCA HQ/SA, Region IM). Response: Yes / No / NA. Remarks:

(v) Do denial letters contain the name and title or position of the official who made the determination, cite the exemption(s) on which the denial is based and advise the PA requester of their right to appeal the denial to the Director DeCA or designee? (DeCA HQ/SA). Response: Yes / No / NA. Remarks:

(vi) Are PA requests denied only by the HQ DeCA IDA? (All). Response: Yes / No / NA. Remarks:

(vii) Is coordination met with the General Counsel prior to forwarding a PA request to the IDA? (DeCA HQ/SA). Response: Yes / No / NA. Remarks:

(j) Event cycle 3: Requesting PA Information.

(1) Risk: Obtaining personal information resulting in a violation of the PA.

(2) Control Objective: Establish a system before data collection and storage to ensure no violation of the privacy of individuals.

(3) Control Technique: Ensure Privacy Act Statement to obtain personal information is furnished to individuals before data collection.

(4) Test Questions:

(i) Are all forms used to collect information about individuals which will be part of a system of records staffed with the PA Officer for correctness of the Privacy Act Statement? (DeCA HQ/SA, Region). Response: Yes / No / NA. Remarks:

(ii) Are Privacy Statements prepared and issued for all forms, formats and questionnaires that are subject to the PA, coordinated with the DeCA forms manager? (DeCA HQ/SA, Region). Response: Yes / No / NA. Remarks:

(iii) Do Privacy Act Statements furnished to individuals provide the following:

(A) The authority for the request.

(B) The principal purpose for which the information will be used.

(C) Any routine uses.

(D) The consequences of failing to provide the requested information. Yes / No / NA. Remarks:

(k) Event cycle 4: Records Maintenance.

(1) Risk: Unprotected records allowing individuals without a need to know access to privacy information.

(2) Control Objective: PA records are properly maintained throughout their life cycle.

(3) Control Technique: Ensure the prescribed policies and procedures are followed during the life cycle of information.

(4) Test Questions:

(i) Are file cabinets/containers that house PA records locked at all times to prevent unauthorized access? (All). Response: Yes / No / NA. Remarks:

(ii) Are personnel with job requirement (need to know) only allowed access to PA information? (All). Response: Yes / No / NA. Remarks:

(iii) Are privacy act records treated as unclassified records and designated `For Official Use Only'? (All). Response: Yes / No / NA. Remarks:

(iv) Are computer printouts that contain privacy act information as well as disks, tapes and other media marked `For Official Use Only'? (All). Response: Yes / No / NA. Remarks:

(v) Is a Systems Manager appointed for each automated/manual PA systems of records? (DeCA HQ/SA, Region). Response: Yes / No / NA. Remarks:

(vi) Are PA records maintained and disposed of in accordance with DeCA Directive 30-2, \4\ The Defense Commissary Agency Filing System? (All). Response: Yes / No / NA. Remarks:

\4\ See footnote 2 to this Appendix B.

(l) I attest that the above listed internal controls provide reasonable assurance that DeCA resources are adequately safeguarded. I am satisfied that if the above controls are fully operational, the internal controls for this sub-task throughout DeCA are adequate.

Safety, Security and Administration.

FUNCTIONAL PROPONENT.

I have reviewed this sub-task within my organization and have supplemented the prescribed internal control review checklist when warranted by unique environmental circumstances. The controls prescribed in this checklist, as amended, are in place and operational for my organization (except for the weaknesses described in the attached plan, which includes schedules for correcting the weaknesses).

ASSESSABLE UNIT MANAGER (Signature).

Sec. Appendix C to Part 327--DeCA Blanket Routine Uses

(a) Routine Use--Law Enforcement. If a system of records maintained by a DoD Component, to carry out its functions, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the agency concerned, whether Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto.

(b) Routine Use--Disclosure when Requesting Information. A record from a system of records maintained by a Component may be disclosed as a routine use to a Federal, State, or local agency maintaining civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary to obtain information relevant to a Component decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit.

(c) Routine Use--Disclosure of Requested Information. A record from a system of records maintained by a Component may be disclosed to a Federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter.

(d) Routine Use--Congressional Inquiries. Disclosure from a system of records maintained by a Component may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

(e) Routine Use--Private Relief Legislation. Relevant information contained in all systems of records of the Department of Defense published on or before August 22, 1975, will be disclosed to the OMB in connection with the review of private relief legislation as set forth in OMB Circular A-19 at any stage of the legislative coordination and clearance process as set forth in that Circular.

(f) Routine Use--Disclosures Required by International Agreements. A record from a system of records maintained by a Component may be disclosed to foreign law enforcement, security, investigatory, or administrative authorities to comply with requirements imposed by, or to claim rights conferred in, international agreements and arrangements including those regulating the stationing and status in foreign countries of DoD military and civilian personnel.

(g) Routine Use--Disclosure to State and Local Taxing Authorities. Any information normally contained in Internal Revenue Service (IRS) Form W-2 which is maintained in a record from a system of records maintained by a Component may be disclosed to State and local taxing authorities with which the Secretary of the Treasury has entered into agreements under 5 U.S.C. 5516, 5517, and 5520 and only to those State and local taxing authorities for which an employee or military member is or was subject to tax regardless of whether tax is or was withheld. This routine use is in accordance with Treasury Fiscal Requirements Manual Bulletin No. 76-07.

(h) Routine Use--Disclosure to the Office of Personnel Management. A record from a system of records subject to the Privacy Act and maintained by a Component may be disclosed to the Office of Personnel Management (OPM) concerning information on pay and leave, benefits, retirement deduction, and any other information necessary for the OPM to carry out its legally authorized government-wide personnel management functions and studies.

(i) Routine Use--Disclosure to the Department of Justice for Litigation. A record from a system of records maintained by this component may be disclosed as a routine use to any component of the Department of Justice for the purpose of representing the Department of Defense, or any officer, employee or member of the Department in pending or potential litigation to which the record is pertinent.

(j) Routine Use--Disclosure to Military Banking Facilities Overseas. Information as to current military addresses and assignments may be provided to military banking facilities who provide banking services overseas and who are reimbursed by the Government for certain checking and loan losses. For personnel separated, discharged, or retired from the Armed Forces, information as to last known residential or home of record address may be provided to the military banking facility upon certification by a banking facility officer that the facility has a returned or dishonored check negotiated by the individual or the individual has defaulted on a loan and that if restitution is not made by the individual, the U.S. Government will be liable for the losses the facility may incur.

(k) Routine Use--Disclosure of Information to the General Services Administration (GSA). A record from a system of records maintained by this component may be disclosed as a routine use to the General Services Administration (GSA) for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.

(l) Routine Use--Disclosure of Information to the National Archives and Records Administration (NARA). A record from a system of records maintained by this component may be disclosed as a routine use to the National Archives and Records Administration (NARA) for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.

(m) Routine Use--Disclosure to the Merit Systems Protection Board. A record from a system of records maintained by this component may be disclosed as a routine use to the Merit Systems Protection Board, including the Office of the Special Counsel for the purpose of litigation, including administrative proceedings, appeals, special studies of the civil service and other merit systems, review of OPM or component rules and regulations, investigation of alleged or possible prohibited personnel practices; including administrative proceedings involving any individual subject of a DoD investigation, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as may be authorized by law.

(n) Routine Use--Counterintelligence Purpose. A record from a system of records maintained by this component may be disclosed as a routine use outside the DoD or the U.S. Government for the purpose of counterintelligence activities authorized by U.S. Law or Executive Order or for the purpose of enforcing laws which protect the national security of the United States.