Code of Federal Regulations (alpha)

CFR /  Title 32  /  Part 806b  /  Sec. 806b.29 Sending personal information over electronic mail.

(a) Exercise caution before transmitting personal information over e-mail to ensure it is adequately safeguarded. Some information may be so sensitive and personal that e-mail may not be the proper way to transmit it. When sending personal information over e-mail within DoD, ensure: There is an official need; all addressee(s) (including ``cc'' addressees) are authorized to receive it under the Privacy Act; and it is protected from unauthorized disclosure, loss, or alteration. Protection methods may include encryption or password protecting the information in a separate Word document. When transmitting personal information over e-mail, add ``FOUO'' to the beginning of the subject line, followed by the subject, and apply the following statement at the beginning of the e-mail:

``This e-mail contains For Official Use Only (FOUO) information which must be protected under the Privacy Act and Air Force Instruction 33-332.''

(b) Do not indiscriminately apply this statement to e-mails. Use it only in situations when you are actually transmitting personal information. DoD Regulation 5400.7/Air Force Supp, Chapter 4 \3\, provides additional guidance regarding For Official Use Only information.---------------------------------------------------------------------------

\3\ http://www.dtic.mil/whs/directives/corres/pdf/54007r_0998/p54007r.pdf.---------------------------------------------------------------------------

(c) Do not disclose personal information to anyone outside DoD unless specifically authorized by the Privacy Act (see Sec. 806b.47).

(d) Do not send Privacy Act information to distribution lists or group e-mail addresses unless each member has an official need to know the personal information. When in doubt, send only to individual accounts.

(e) Before forwarding e-mails you have received that contain personal information, verify that your intended recipients are authorized to receive the information under the Privacy Act (see Sec. 806b.47).