Cte Privacy Bridges Module 2


  • 7/29/2019 Cte Privacy Bridges Module 2


    Privacy Act System of Records and Systems Notices


    Module 2

    Explain Privacy Act System of Records and Systems Notices.


    Privacy Act

    Records that are retrieved by name or personal identifier are subject to Privacy Act (PA) requirements and are referred to as PA systems of records. The Air Force must publish notices in the Federal Register, describing the collection of information for new, changed or deleted systems to inform the public and give them an opportunity to comment before implementing or changing the system.


    A System of Records is a group of records that:

    Contains a personal identifier (such as a name, Social Security Number, Employee Number, etc.)

    Contains one other item of personal data (such as home address, performance rating, blood type, etc.)

    Is retrieved by a personal identifier.

    Privacy Act System of Records

    An official system of records must be:

    Authorized by law or Executive Order

    Controlled by an Air Force or lower level directive

    Needed to carry out an Air Force mission or function

    Published in the Federal Register


    The following are NOT Privacy Act systems of records even though they may contain personal information:

    Read files: These are retrieved by date, not personal identifier.

    Folders with employees' names on the label, containing only non-personal information, such as a copy of the employee's position description. These do not contain the required second element of personal data.

    Folders or databases containing commercial and financial data pertaining to contracts. Contractors have no expectation of privacy regarding their operations. They may, however, expect the data to be handled on a proprietary or confidential basis.


    Responsibilities

    AF Chief Information Officer: senior AF Privacy Official w/overall responsibility for the AF PA program

    Office of the General Counsel to the Secretary of the AF (SAF/GCA): makes the final decision on appeals

    PRIVACY ACT OF 1974


    Responsibilities

    Base Privacy Act Officers:

    Provide guidance and training to base personnel.

    Submit reports as required.

    Review publications and forms for compliance with this instruction.

    Review system notices to validate currency.

    Direct investigations of complaints/violations.

    Evaluate the health of the program at regular intervals using this instruction as guidance.


    Responsibilities

    System Managers:

    Manage and safeguard the system.

    Train users on PA requirements.

    Protect records from unauthorized disclosure, alteration, or destruction.

    Prepare system notices and reports.

    Answer PA requests.

    Keep records of disclosures.

    Validate system notices annually.

    Investigate PA complaints.


    Responsibilities

    System owners and developers:

    Decide the need for, and content of, systems.

    Evaluate PA requirements of information systems in early stages of development.

    Complete a Privacy Impact Assessment (PIA), DD FORM 2930 NOV 2008.

    Then submit it to the PA officer.


    System Manager Responsibility

    Manages, safeguards, and evaluates their systems of records

    Provides training resources to assure proper operation and maintenance of their system(s)

    Prepares public notices and reports for new or changed systems

    Local System Managers Responsibility:

    Answers Privacy Act requests

    Keeps accurate records of all reportable disclosures

    Compiles annual report data

    NOTE: Legal offices are responsible for reviewing and coordinating all recommendations for denial/partial denials


    Systems of Records Operated by Contractor

    Contractors who are required to operate or maintain a PA system of records by contract must follow this instruction for collecting, safeguarding, maintaining, using, accessing, amending and disseminating personal information.

    Contract must contain proper PA clauses and provide system number.

    Review annually


    Responsibilities as an Air Force employee

    As an employee, you play a very important role in assuring that the Air Force complies with the provisions of the Privacy Act.

    Do not commingle information about different individuals in the same file.

    Mark privacy records appropriately: For Official Use Only Privacy Act Data

    Do not use interoffice or translucent envelopes to mail Privacy Act protected data. Instead, use sealable opaque solid white or Kraft envelopes. Be sure to mark the envelope to the person's attention.

    Do not place Privacy Act protected data on shared drives, multi-access calendars, the Intranet, or the Internet.

    Do not create Systems of Records on your computer, or in your files, without first contacting your Privacy official.


    PRIVACY IMPACT ASSESSMENT

    What is PIA. Developing or procuring information technology (IT) systems or projects that collect, maintain, or disseminate information in identifiable form from or about members of the public

    Initiating a new electronic collection of information, in identifiable form for 10 or more persons excluding agencies, instrumentalities, or employees of the Federal Government.


    PRIVACY IMPACT ASSESSMENT

    PIA conducted to:

    Ensure the public is aware of the information collected about them

    Any impact these systems have on personal privacy is adequately addressed

    Collect only enough personal information to administer our programs, and no more

    PIAs confirm that information is

    used for the purpose intended

    remains timely and accurate

    protected while maintained and held needed

    NOTE: See AFI 33-332, Attachment 4 or http://www.foia.af.mil/Privacy/PrivImpAssess.shtml


    SYSTEM NOTICE

    Publishing System Notices. The Air Force must publish notices in the Federal Register of new, changed, and deleted systems to inform the public of what records the Air Force keeps and give them an opportunity to comment before the system is implemented or changed.

    Submitting Notices. At least 120 days before implementing a new system, or a major change to an existing system.

    Submit a Notice. System Managers must send a proposed notice through MAJCOM Privacy Act Office to AF-CIO/P.

    NOTE: See AFI 33-332, Attachment 2


    SYSTEM NOTICE

    Systems of records are grouped by series (e.g., Security 31).

    System identification: F031 AF SF A or F051 AFJA C

    The letter 'F' means Air Force.

    The first three digits (031 and 051) show that the records pertain to Security and Law respectively.

    The letters that follow indicate to whom the system applies and/or the Office of Primary Responsibility (OPR). (E.g., in F031 AF SF A, AF indicates that this is an Air Force-wide system, with SF denoting Security Forces as the OPR.)

    The last alpha designation is for internal management control. In the records system F051 AFJA C, AFJA (without a space between the AF and JA) indicates this is a Judge Advocate General System and applies to the office of The Judge Advocate General only.


    Disclosure Accountings

    System managers must keep an accurate record of all disclosures made from any system of records except disclosures to DOD personnel for official use or disclosures under the FOIA.

    System managers may use AF Form 771, Accounting of Disclosures.

    System managers must keep the disclosure form on file for 5 years and give it to the subject on request, send corrected or disputed information to previous record recipients, explain any disclosures, and provide an audit trail for reviews. Include in each accounting:

    Release date.

    Description of information.

    Reason for release.

    Name and address of recipient.


    Disclosure Accountings

    Some exempt systems let you withhold the accounting record from the subject.

    You may withhold information about disclosure accountings for law enforcement purposes at the law enforcement agency's request.

    FOIA


    Disclosing Medical Records of Minors

    AF personnel may disclose the medical records of minors to their parents or legal guardians in conjunction with applicable Federal laws and guidelines. The laws of each state define the age of majority.

    Outside the United States (overseas), the age of majority is 18.


    Special Provision for Medical Records

    If a physician believes that disclosing requested medical records could harm the person's mental or physical health:

    Requester needs a letter from physician to send records

    Offer the services of a military physician other than one who provided treatment if naming the physician poses a hardship on the individual

    NOTE: The PA requires that the PA Manager ultimately ensure that the subject receives the records


    Law Enforcement Records

    Obtaining Law Enforcement Records. The Commander, Air Force Office of Special Investigation (AFOSI); the Commander, Air Force Security Forces Center (HQ AFSFC); MAJCOM, FOA, and base chiefs of security forces; AFOSI detachment commanders; and designees of those offices may ask another agency for records for law enforcement under 5 U.S.C. 552a(b)(7).

    Indicate in writing

    Specify part of record desired

    Identify the law enforcement activity


    Confidentiality Promises

    Confidentiality Promises. Promises of confidentiality must be prominently annotated in the record to protect from disclosure any confidential information under 5 United States Code 552a (k)(2), (k)(5), or (k)(7) of the Privacy Act.


    Exemption Types

    General. Exemption authorizes the exemption of a system of records from most parts of the Privacy Act

    Specific. Exemption authorizes the exemption of a system of records from only a few parts


    Authorizing Exemptions

    Authorizing Exemptions. Denial authorities may withhold records using Privacy Act exemptions only when an exemption for the system of records has been published in the Federal Register as a final rule.


    Requesting an Exemption

    A system manager who believes that a system needs an exemption from some or all of the requirements of the PA will send a request to AF-CIO/P through the MAJCOM or FOA PA Officer.

    The request will detail the reasons for the exemption, the section of the Act that allows the exemption, and the specific


    Exemptions

    (b) Applies to information concerning other individuals which may not be released without their written consent.

    (d)(5) Information compiled in reasonable anticipation of a civil action proceeding.

    (j)(1) Applies to polygraph records; documents or segregable portions of documents, the release of which would disclose intelligence sources and methods, including names of certain agency employees and organizational components; and documents or information provided by foreign governments; (CIA exemption).

    (j)(2) Material reporting investigative efforts pertaining to the enforcement of criminal law including efforts to prevent, control, or reduce crime or apprehend criminals, except records of arrest.

    (k)(1) Applies to information and material properly classified pursuant to an Executive Order in the interest of national defense or foreign policy.


    Exemptions

    (k)(3) Material maintained in connection with providing protective services to the President of the United States or any other individual pursuant to the authority of Title 18, United States Code, Section 3056.

    (k)(4) Required by statute to be maintained and used solely as statistical records.

    (k)(5) Applies to investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, or access to classified information, the release of which would disclose a confidential source.

    (k)(6) Testing or examination material used to determine individual qualifications for appointment or promotion in Federal government service, the release of which would compromise the testing or examination process.

    (k)(7) Material used to determine potential for promotion in the armed services, the disclosure of which would reveal the identity of the person who furnished the material pursuant to a promise that his identity would be held in confidence.


    12 EXCEPTIONS TO CONSENT RULE

    Need to know within the agency

    Required to be released under FOIA

    Routine Use

    Census Bureau

    Statistical Research

    National Archives

    Law Enforcement

    Health or Safety

    Congress

    GAO

    Court Order

    Consumer Reporting Agency


    PRIVACY EXEMPTIONS

    GENERAL

    (j)(1) CIA

    (j)(2) Maintained by agency whose principal function is criminal law enforcement

    Exempts system from most parts of Privacy Act


    PRIVACY EXEMPTIONS

    SPECIFIC

    (k)(1) Classified

    (k)(2) Investigatory material compiled for law enforcement

    (k)(3) Protective services to the President

    (k)(4) Required by statute for use as statistical records only

    (k)(5) Investigatory material for determining suitability for employment

    (k)(6) Testing material

    (k)(7) Evaluation material used for promotion


    QUESTIONS?
