BY ORDER OF THE SECRETARY OF THE AIR FORCE
AIR FORCE INSTRUCTION 33-332 12 JANUARY 2015 Incorporating Change 1, 17 November 2016 Corrective Actions applied on 17 November 2016 Communications and Information AIR FORCE PRIVACY AND CIVIL LIBERTIES PROGRAM
COMPLIANCE WITH THIS PUBLICATION IS MANDATORY ACCESSIBILITY: Publications and forms are available on the e- Publishing website at www.e-Publishing.af.mil for downloading or ordering. RELEASABILITY: There are no releasability restrictions on this publication.
OPR: SAF CIO/A6XA Information Access Policy and Compliance Branch Supersedes:
Certified by: SAF/A6X (Col Suzanne S. Kumashiro) Pages: 80
AFI33-332, 5 June 2013
This Instruction implements Public Law 110-53 (42 U.S.C. § 2000ee-1) Section 803; Air Force Policy Directive (AFPD) 33-3, Information Management; Department of Defense Directive (DoDD) 5400.11, Department of Defense Privacy Program; Department of Defense Regulation (DoDR) 5400.11-R, Department of Defense Privacy Program; Department of Defense Instruction (DoDI) 5400.16, DoD Privacy Impact Assessment (PIA) Guidance; DoDI 1000.30, Reduction of Social Security Number (SSN) Use Within DoD; and DoDI 1000.29, DoD Civil Liberties Program. The Instruction provides direction on the Privacy Act of 1974, 5 U.S.C. § 552a, E-Government Act of 2002, 44 U.S.C. §3601, Safeguarding and Responding to Personally Identifiable Information (PII) breaches, Reduction of Social Security Number (SSN) and Civil Liberties. In addition to this instruction, Air Force medical organizations that meet the definition of a covered entity must also comply with the Health Insurance Portability and Accountability Act (HIPAA), as required by DoD 6025.18-R, DoD Health Information Privacy Regulation; DoD 8580.02-R, DoD Health Information Security Regulation; and Air Force Instruction (AFI) 41-210, TRICARE Operations and Patient Administration Functions, which covers Protected Health Information (PHI) held by them. This Instruction applies to Air Force Active Duty, Air Reserve Command (AFRC) and Air National Guard (ANG) units, government civilians, contractors and Civil Air Patrol when performing functions for the Air Force, and in accordance with (IAW) DoDD 5100.03, Support of the Headquarters of Combatant and Subordinate Joint Commands. Air National Guard personnel not in a federal status are subject to their respective state military code or applicable
AFI33-332 12 JANUARY 2015
administrative actions, as appropriate. Ensure all records created as a result of processes prescribed in this Instruction are maintained in accordance with Air Force Manual (AFI) 33-363, Management of Records, and disposed of in accordance with the Air Force Records Disposition Schedule (RDS) maintained in the Air Force Records Information Management System (AFRIMS). Use of the term “MAJCOM” throughout this AFI includes MAJCOMs, FOAs, DRUs, and the Air Force Installation Mission Support Center (AFIMSC). Refer recommended changes and questions about this Instruction to the Office of Primary Responsibility (OPR) using the AF Form 847, Recommendation for Change of Publication; route through the appropriate functional chain of command. Send supplements and implementing publications of this Instruction to the Chief Information Dominance and Chief Information Officer (SAF/CIO A6XA), 1800 Air Force Pentagon, Washington, DC 20330-1800 for review and coordination prior to publication. SUMMARY OF CORRECIVE ACTIONS Recent changes include correcting currently published IC-1 to include the implementation of SECAF Memorandum, Reducing Ancillary and Computer-Based Training that was not processed in the IC. A margin bar (|) indicates changed material. SUMMARY OF CHANGES This interim change (IC) revises AFI 33-332 by (1) revising PII safeguarding (2) updating PII Breach Reporting (3) updating PII Breach Reporting to US CERT (4) updating privacy statement (5) updating privacy act notices and markings (5) updating the guidance regarding periodic review of published SORNS, (7) providing clarification on deletion of SORNs, (8) updating Privacy Impact Assessment processing procedures, (9) updating approved PIAs submission, (10) updating Privacy managers PIA responsibilities, (11) updating records professionals responsibilities regarding PIAs, and (12) replacing “quarterly” with “semi-annual” for all Privacy and Civil Liberties reports previously referred to as “quarterly”, by(13) updating Attachment 11 and (14) adding Attachment 13, Air Force Biennial System of Records Notice (SORN) Accuracy Review Checklist . A margin bar (|) indicates changed material. Chapter 1— UNDERSTANDING PRIVACY AND HOW IT APPLIES TO THE AIR FORCE
Privacy Overview. ..................................................................................................
Privacy Act Notices. ...............................................................................................
Privacy Act Information. ........................................................................................
Chapter 2— PRIVACY ACT
Overview of the Privacy Act of 1974, 5 U. ............................................................
Privacy Act Responsibilities. ..................................................................................
Privacy Act Complaints and Violations. .................................................................
AFI33-332 12 JANUARY 2015
Maintaining Personal Information. .........................................................................
Privacy Act Statements. ..........................................................................................
Publishing System of Records Notices (SORNs). ..................................................
Privacy Act Records Request..................................................................................
Amending a Privacy Act Record. ...........................................................................
Approving or Denying a Record to be Amended. ..................................................
Contents of Privacy Act Processing Case Files. .....................................................
First Party Appeal Process For Denial to Access or Amendment of a Privacy Act Record. .....................................................................................................................
Disclosing Information. ..........................................................................................
Computer Matching. ...............................................................................................
Privacy Act Exemptions. ........................................................................................
The Federal Records Act, 44 U...............................................................................
Chapter 3— E-GOVERNMENT ACT
Overview of the E-Government Act of 2002, 44 U. ...............................................
The Purposes of the E-Government Act are the Following: ...................................
Privacy Impact Assessments (PIA). ........................................................................
Chapter 4— ROLES AND RESPONSIBILITIES.
The Chief, Information Officer (SAF/CIO A6) shall: ............................................
The CSOP shall:......................................................................................................
The AF Privacy Officer shall: .................................................................................
The Office of The Judge Advocate General, Administrative Law Directorate (AF/JAA), and Judge Advocate legal offices ..........................................................
AF Departmental Forms Management Officer shall: .............................................
MAJCOM/A6s or Responsible Directorate and Wing Commanders shall:............
HAF/MAJCOM/FOA/DRU/Base Privacy Managers/Monitors shall: ...................
Unit Privacy Monitors shall: ...................................................................................
Functional Level ISOs, PMs, and IAMs shall: .......................................................
Records Professionals shall.....................................................................................
AFI33-332 12 JANUARY 2015
Chapter 5— SOCIAL SECURITY NUMBER (SSN) REDUCTION PLAN
The Specific Requirement for Use of the SSN. ......................................................
Alternative Means of Identifying Records: .............................................................
Protection of SSN. ..................................................................................................
Reporting Results of Social Security Number Reduction. ......................................
Chapter 6— PROTECTING RECORDS
Protecting Records. .................................................................................................
Protecting Personal information or PII Maintained in an Electronic System. ........
Risk Based Management.........................................................................................
Disposing of Records. .............................................................................................
Chapter 7— CIVIL LIBERTIES
Basic Guidelines. ....................................................................................................
Civil Liberties Responsibilities. ..............................................................................
Civil Liberties Semi-Annual Report. ......................................................................
Reprisal For Making Complaint: ............................................................................
Civil Liberties Training Tools. ...............................................................................
AFI33-332 12 JANUARY 2015
Attachment 1— GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION
Attachment 2— PREPARING A SYSTEM OF RECORDS NOTICE (SORN)
Attachment 3— DOD BLANKET ROUTINE USE
Attachment 4— EXAMPLES OF PRIVACY ACT STATEMENT/ADVISORY AND PRIVACY STATEMENT
Attachment 5— ALTERING A SYSTEM OF RECORD NOTICE
Attachment 6— RISK ASSESSMENT
Attachment 7— EXAMPLE PRIVACY BREACH NOTIFICATION LETTER OFFICIAL LETTERHEAD
Attachment 8— PREPARING A DOD SSN JUSTIFICATION MEMORANDUM
Attachment 9— APPROVED DOD TRAINING WEBSITES APPROVED DOD PRIVACY TRAINING WEBSITES
Attachment 10— NOTIONAL COMPLAINT VIGNETTES
Attachment 11— CIVIL LIBERTIES COMPLAINT REPORT INSTRUCTIONS
Attachment 12— EXAMPLE CIVIL LIBERTIES REPORT
Attachment 13— EXAMPLE AIR FORCE BIENNIAL SYSTEM OF RECORDS NOTICE (SORN) ACCURACY REVIEW CHECKLIST Bookmark not defined.
AFI33-332 12 JANUARY 2015 Chapter 1 UNDERSTANDING PRIVACY AND HOW IT APPLIES TO THE AIR FORCE
1.1. Privacy Overview. 1.1.1. What is privacy? Although there is not an official government definition of privacy, it generally refers to the notion of individuals maintaining control over information about them. For the Air Force, the framework of privacy requirements includes the Privacy Act of 1974, the E-Government Act of 2002 (specifically section 208), Office of Management and Budget (OMB) policy, DoD policy, and Air Force policy. Failure to protect privacy can bring about risks to the individual, such as identity theft and risks to the Air Force, such as lawsuits for inappropriate disclosure that divert critical resources away from our mission. 1.1.2. What information must be protected? The information protected by the various components of the privacy framework is discussed using multiple terms. For the purposes of this Instruction, there are two key definitions to understand: 188.8.131.52. Personal Information (Personally Identifiable Information (PII)) 184.108.40.206.1. Office of Management and Budget Memorandum 07-16, Safeguarding Against and Responding to PII Breach - Personally Identifiable Information is defined as information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. 220.127.116.11.2. Office of Management and Budget Memorandum10-22, Online Use of Web Measurement and Customization Technologies - The definition of PII is not anchored to any single category of information or technology. Rather, it demands a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available – in any medium and from any source – that, when combined with other available information, could be used to identify an individual. 18.104.22.168. For safeguarding of Personal Information, please refer to DoD 5400.11-R, Department of Defense Privacy Program (C1.4, C4 and Appendix 1). 22.214.171.124.1. DELETED 126.96.36.199.1.1. DELETED 188.8.131.52.1.1.1. DELETED 184.108.40.206.1.1.2. DELETED 220.127.116.11.1.1.3. DELETED 18.104.22.168.1.1.4. DELETED 22.214.171.124.1.1.5. DELETED 126.96.36.199.1.1.6. DELETED
AFI33-332 12 JANUARY 2015
188.8.131.52.1.1.7. DELETED 184.108.40.206.1.1.8. DELETED 220.127.116.11.1.1.9. DELETED 18.104.22.168.1.2. DELETED 22.214.171.124.1.2.1. DELETED 126.96.36.199.1.2.2. DELETED 188.8.131.52.1.2.3. DELETED 184.108.40.206.1.2.4. DELETED 220.127.116.11.1.2.5. DELETED 18.104.22.168.1.2.6. DELETED 22.214.171.124.1.2.7. DELETED 126.96.36.199.1.3. DELETED 188.8.131.52.1.3.1. DELETED 184.108.40.206.2. DELETED 220.127.116.11.3. DELETED 18.104.22.168.3.1. DELETED 22.214.171.124.4. DELETED 126.96.36.199.5. DELETED 188.8.131.52. PII maintained in a SOR accessed or handled by contractors. Contractors required to access or handle PII on behalf of the Air Force, will follow this Instruction. Organizations with contractors that access and handle PII will coordinate with contracting officials to ensure that contracts contain the proper Privacy Act clauses: 52.224-1, Privacy Act Notification; and 52.224-2, Privacy Act as required by the Federal Acquisition Regulation (FAR) (see FAR website at: http://www.acquisition.gov/far/) Contracting Officers should also require non-disclosure agreements for contractors who will have access to sensitive PII. (T-0) 184.108.40.206.1. Contracts will be reviewed annually by the Contracting Office Representative (COR) to ensure compliance with this Instruction. (T-0) 220.127.116.11.2. Disclosure of PII maintained in a SOR to contractors for use in the performance of an Air Force contract is considered an official use disclosure within the agency under exception (b)(1) of the Privacy Act and protected as an inter/intra Agency disclosure per Freedom of Information Act (FOIA) exemption (b)(5). 18.104.22.168. PII Breach Reporting. Refer to Office of the Secretary of Defense Memorandum (OSD 06227-09, dated 5 June 2009), Safeguarding Against and Responding to theictectBreach of Personally Identifiable Information, and Office of the Secretary of Defense Memorandum (2 August 2012), Use of Best Judgement for Individual Personally Identifiable Information (PII) Breach Notification Determinations.(T-0)
AFI33-332 12 JANUARY 2015 22.214.171.124.1. A PII breach is defined as “actual or possible loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to PII, whether physical or electronic.” 126.96.36.199.2. Actual or possible breaches must be reported to the servicing Privacy Manager/Monitor by anyone discovering it. 188.8.131.52.3. The servicing Privacy Manager/Monitor shall assist with the submission of a Preliminary PII Breach Report by unencrypted e-mail according to the timeline below: (T-1) 184.108.40.206.4. PII Breach Reports shall be completed using DD Form 2959, Breach of Personally Identifiable Information (PII) Report provided by Defense Privacy and Civil Liberties Office located on the AF Privacy Website: www.privacy.af.mil.(T-0) 220.127.116.11.5. Use for Preliminary, updates, and Final reports. 18.104.22.168.5.1. Reports shall not include names of individuals involved or affected by the breach. Reports are forwarded by unencrypted e-mail through the MAJCOM/FOA/DRU Privacy Manager who in turn shall notify the AF Privacy Office by official unencrypted e-mail ([email protected]
) attaching the written PII Breach Preliminary Report. 22.214.171.124.5.2. Notify the United States Computer Emergency Readiness Team (US CERT) within one hour of discovering that an electronic breach of personally identifiable information has occurred. 126.96.36.199.5.3. The Wing Commander shall submit an initial Operational Report (OPREP) if it is determined the breach may have an impact on organizational operation and or potential media attention. 188.8.131.52.5.4. Within 24 hours of the PII breach, the Privacy official where the incident occurred shall notify the senior official (O6/GS-15, or higher) in the chain of command and simultaneously notify the MAJCOM/FOA/DRU Privacy Manager by official unencrypted e-mail (NIPR) attaching the PII Breach Preliminary Report. 184.108.40.206.5.5. Within 24 hours of being notified of the PII breach, the appropriate level Privacy Manager shall notify the AF Privacy Office by official unencrypted e-mail ([email protected]
) attaching the written PII Breach Preliminary Report. 220.127.116.11.5.6. Within 48 hours of the PII breach notification the AF Privacy Officer shall upload the report into the DPCLO Reporting Management Tool. 18.104.22.168.5.7. Until resolved, the underlying issues that led to the breach shall continue to be reported to the AF Privacy Office IAW these reporting procedures. 22.214.171.124.5.8. The servicing Privacy Manager shall send the PII Breach Final Report when resolved in the same routing as previous notifications along with a final OPREP (if applicable).
AFI33-332 12 JANUARY 2015
126.96.36.199. Guidelines for conducting an inquiry of a PII Incident. The senior-level individual who is in the chain of command for the organization where the actual or possible loss, theft or compromise of information occurred shall appoint an Investigating Official (IO) to conduct an inquiry (recommend E7/above or civil equivalent) of the incident to determine if it is an actual breach, the cause and if a there was any criminal intent that would warrant a criminal investigation.(T-1) 188.8.131.52.1. The servicing Privacy Manager/Monitor shall provide guidance to the individual appointed to properly complete the PII Breach Final Report and reference AFI and DoD Policies and the Privacy Act for use in completing the inquiry as required. 184.108.40.206.2. The appointed official shall review the initial Preliminary PII Breach Report and independently assess the handling of the breach. They shall make clarifications and additions on the Final PII Breach Report as required, and submit to the appointing senior-level individual who will determine whether notification to affected individuals is required after a risk assessment (see attachment 6) analysis has been completed, along with any corrective actions that should be taken. (T-0) 220.127.116.11.3. Upon concurrence with Final PII Breach Report recommendations, the senior individual in the chain of command for the organization where the loss, theft or compromise occurred shall route the Final PII Breach Report to the appropriate level Privacy Manager within five days. (T-0) 18.104.22.168.4. Commanders/Directors shall ensure notifications are sent to individuals once a decision has been made as to whether there may be any impact towards the individual(s). Once a decision has been made to notify; notification will be sent to affected individuals within 10 working days after a breach is confirmed and the identities of the affected individuals ascertained by a senior official (O6/GS-15 and higher) in the chain of command for the organization where the breach occurred. (T-0) 22.214.171.124.5. Commanders/Directors shall ensure individual(s) responsible for cause of the breach receive the DISA Identifying and Safeguarding Personally Identifiable Information refresher training, http://iase.disa.mil/eta/Pages/index.aspx. (T-0) 126.96.36.199. Air Force Computer Emergency Response Team (AFCERT) Reported PII Incidents. According to CJCSM 6510.01B, Enclosure C, Paragraph 7.b, “when a Computer Network Defense Service Provider (CNDSP) discovers compromised or potentially compromised PII, they must notify the US CERT and their servicing Privacy Office.” (T-0) 188.8.131.52.1. AFCERT shall follow through on CNDSP detections of PII Incidents by notifying the Information Security Officer (ISO) and Program Manager (PM of the web application and/or IT system cited. 184.108.40.206. ISO and PM of web application and/or IT system responsible for the breach must notify the servicing Privacy Manager or Monitor who shall ensure Breach notifications are accomplished as established by AF policy and DoD reporting guidance.
AFI33-332 12 JANUARY 2015 1.1.3. Cover Sheet: AF Form 3227, Privacy Act Cover Sheet or DD Form 2923, Privacy Act Data Cover Sheet. Use is mandatory to protect PII from being viewed by unauthorized personnel when Privacy Act materials are removed from their system of record or approved storage location. (T-0) 1.1.4. Label: AFVA 33-276, Air ForceictectPrivacy Act Label. Use is mandatory to assist in identifying Privacy Act information by placing the label on the covers of removable electronic storage media such as Laptops, Government Hard drives, DVDs, CDs, diskettes, tapes and may be used for deployment folders. The label is not authorized for use on file drawers file cabinets, mailing envelopes, or other stationary equipment or materials IAW with AFI 33-322, Records Management Program. (T-1)
1.2. Privacy Act Notices. (T-0) 1.2.1. Whenever an individual is requested to provide personal information that will not be maintained in a SOR, the individual shall be provided the authority, purpose, routine use(s), whether disclosure of the information is voluntary or not. This is known as a “Privacy Statement.” (T-0) 220.127.116.11. Authority: the legal authority that authorizes the solicitation of the personal information. 18.104.22.168. Purpose: the principal purpose or purposes for which the information is intended to be used. 22.214.171.124. Routine Uses: who or what agency will the personal information be shared with on a routine basis outside the DoD. 126.96.36.199. Disclosure: Voluntary or Mandatory. (Use mandatory only when disclosure is required by law and the individual will be penalized for not providing information. All mandatory disclosure requirements must first be reviewed by the servicing legal office). Include any consequences of nondisclosure in nonthreatening language. 1.3. Privacy Act Information. 1.3.1. Privacy Act Information is PII which is referred to as personal information that is maintained in a System of Records (SOR) as defined by the Privacy Act, which means the information is retrievable by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. 1.3.2. Understanding Which Definition Applies. PII is a very broad definition and generally refers to any type of personal information that is linked or linkable to a person. PII may or may not be maintained in a SOR, which means it may or may not also be Privacy Act Information. When PII is maintained in a SOR, it is also Privacy Act Information. Both the Privacy Act requirements and other privacy requirements that protect PII in the privacy framework apply to Privacy Act Information. When PII is not maintained in a SOR, and therefore is not Privacy Act Information, the E-Government Act and many OMB, DoD, and AF policies that protect PII still apply to the information.
AFI33-332 12 JANUARY 2015
11 Chapter 2 PRIVACY ACT
2.1. Overview of the Privacy Act of 1974, 5 U. S.C. § 552a. 2.1.1. Under the Privacy Act of 1974, 5 U.S.C. § 552a, The Congress finds the following: 188.8.131.52. The privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies; 184.108.40.206. The increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information; 220.127.116.11. The opportunities for an individual to secure employment, insurance, and credit, and his/her right to due process, and other legal protections are endangered by the misuse of certain information systems; 18.104.22.168. The right to privacy is a personal and fundamental right protected by the Constitution of the United States; and 22.214.171.124. In order to protect the privacy of individuals identified in information systems maintained by Federal agencies, it is necessary and proper for the Congress to regulate the collection, maintenance, use, and dissemination of information by such agencies. 2.1.2. The purpose of the Privacy Act is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to: 126.96.36.199. Permit an individual to determine what records pertaining to him/her are collected, maintained, used, or disseminated by such agencies; 188.8.131.52. Permit an individual to prevent records pertaining to him/her obtained by such agencies for a particular purpose from being used or made available for another purpose without his/her consent; 184.108.40.206. Permit an individual to gain access to information pertaining to him/her in Federal agency records, to have a copy made of all or any portion thereof, and to correct or amend such records; 220.127.116.11. Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current for its intended use, and that adequate safeguards are provided to prevent misuse of such information; 18.104.22.168. Permit exemptions from the requirements with respect to records provided in this Act only in those cases where there is an important public policy need for such exemption as has been determined by specific statutory authority; and 22.214.171.124. Criminal Penalties 126.96.36.199.1. Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain
AFI33-332 12 JANUARY 2015 individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. 188.8.131.52.2. Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements shall be guilty of a misdemeanor and fined not more than $5,000. 184.108.40.206.3. Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000. 2.1.3. For the purpose of this chapter the following terms are provided; 220.127.116.11. The term “individual” means a citizen of the United States or an alien lawfully admitted for permanent residence’; 18.104.22.168. The term “record” means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his/her education, financial transactions, medical history, and criminal or employment history and that contains his/her name, or the identifying number, symbol or other identifying particular assigned to the individual, such as a finger or voice print or a photograph; 22.214.171.124. The term “System of Records” (SOR) means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual; 126.96.36.199. The term “maintain” includes maintain, collect, use or disseminate; 188.8.131.52. The term “routine use” means, with respect to the disclosure of a record, the use of such record for a purpose that is compatible with the purpose for which it was collected; 184.108.40.206. The term “System of Records Notice” (SORN), refers to a legal document that describes the kinds of personal data collected and maintained in a SOR, on whom it is maintained, what the records are used for, and how an individual may access or contest the records in the system. (Note:A SORN must be published in the Federal Register to allow the general public a 30 day opportunity to comment before implementing a SOR.); 220.127.116.11. The term “Personal Information” means all information that describes, locates or indexes anything about an individual including his/her education, financial transaction, medical history, criminal or employment record, or that affords a basis for inferring personal characteristics, such as biometric data including finger and voice prints, photographs, or things done by or to such individual; and the record of his/her presence, registration, or membership in an organization or activity, or admission to an institution; 18.104.22.168. The term “data subject” means an individual about whom personal information is indexed or may be located under his/her names, personal number, or other identifiable data, in an information system.
AFI33-332 12 JANUARY 2015
22.214.171.124. The term “Privacy Act Violation” means an agency has failed to notify an individual of a system of record(s) being maintained on them; allow an individual access to their record (unless an exemption applies); failure to have a system of record notice published to the federal register; unauthorized access; and obtain access to records under false pretenses. 126.96.36.199. The term “Privacy Act Request” means an individual has requested access to a specific record being maintained on them by an agency. 2.2. Privacy Act Responsibilities. 2.2.1. Air Force personnel or supporting contractors shall: (T-0) 188.8.131.52. Maintain a paper or electronic SOR only under the authority of an approved SORN published in the Federal Register. 184.108.40.206. Collect, maintain, and use information only for purposes described in the published SORN to support programs authorized by law or executive order and as implemented by DoD and AF prescribing directives. 220.127.116.11. Adequately safeguard records 18.104.22.168. Maintain records in accordance with (IAW) an approved Records Disposition Schedule (RDS), which defines the time period records should be maintained and how to properly disposition records, including destruction. 22.214.171.124. Ensure records are timely, accurate, relevant, and complete. 126.96.36.199. Amend and correct information in a SOR upon request, as appropriate by the owner of the SOR. 188.8.131.52. Allow individuals to review and receive copies of record(s) that contain their personal information unless a statutory exemption applies. (http://dpclo.defense.gov/Privacy/SORNs.aspx) 184.108.40.206. Ensure personal information which is accessible or viewable through SharePoint or similar web base applications are properly safeguarded to where only individuals who have an official need-to-know to conduct daily operations may gain access or view. 220.127.116.11. Remove personal information which is accessible through the use of SharePoint or similar web base applications, when no longer needed for daily operations and properly file IAW AF RDS. 18.104.22.168. Ensure personal information stored on shared drives, folders, and directories are accessible only to individuals whose official duties provide them a valid need-to-know. 22.214.171.124. Use Army Missile Research Development and Engineering Center Safe Access File Exchange (AMRDEC SAFE) http://safe.amrdec.army.mil/safe/ or DoD Encryption Wizard as alternate means of safeguarding personal information. (see AFI 41210, TRICARE Operations and Patient Administration Functions, for protecting HIPAA information) 126.96.36.199. Digitally sign and encrypt e-mail messages, or password protect any attachments containing personal information.
AFI33-332 12 JANUARY 2015 188.8.131.52. Provide personal information requested thru the Privacy Act at the requesters discretion. (e.g. personal e-mail (unencrypted), facsimile, first class mail, etc.) 184.108.40.206. Use official forms and similar tools that have been approved and published IAW AFI 33-360, Publications and Forms Management, when collecting PII. 220.127.116.11. In Accordance With the Paper Reduction Act, an Office of Management and Budget (OMB) control number shall be requested whenever information is being collected from ten or more members of the general public. This requirement may apply to Military or Government civilians whenever information is being collected outside their scope of their duty. (see AFI 33-324, The Air Force Information Collections And Reports Management Program) 18.104.22.168. Ensure individuals are provided a Privacy Act Statement (PAS) whenever collected information is to be maintained in a System of Records. (see para 2.5., of this Instruction) 2.2.2. Air Force personnel or supporting contractors shall not: (T-0) 22.214.171.124. Maintain a System of Records on individuals without their knowledge and/or without a SORN published to the Federal Register. Doing so is known as maintaining a “Secret File” on an individual which is a violation of the Privacy Act. Personnel who fail to adhere to this paragraph may be punished under UCMJ Article 92(1) or a civil equivalent. 126.96.36.199. Keep records on how a person exercises First Amendment rights. First Amendment rights include, but are not limited to, freedom of religion, freedom of political beliefs, freedom of speech, freedom of the press, the right to assemble, and the right to petition. EXCEPTIONS are when: the AF has the permission of that individual, the individual posts/sends the record directly to the AF, or is authorized by Federal statute; or the information pertains to and is within the scope of an authorized law enforcement activity. 188.8.131.52. Penalize or harass an individual for exercising rights guaranteed under the Privacy Act. 184.108.40.206. Transmit informational materials or communications that contain personal information to or from personal or commercial e-mail accounts unless a written consent has been submitted by the individual who has requested their personal information to be sent to a personal or commercial e-mail account. In addition, the transmission of PHI is restricted, pursuant to guidance in AFI 41-210, Tricare Operations and Patient Administration Functions, paragraph 6.16. Personnel who fail to adhere to this paragraph may be punished under UCMJ Article 92(1) or a civil equivalent. 220.127.116.11. Use auto-forwarding through multiple user accounts to circumvent CAC-based authentication and DoD encryption requirements. 18.104.22.168. Mail or courier sensitive electronic personal information on any removable media (i.e. CDs, DVDs, hard drives, flash drives, or floppy disks) unless the data is encrypted (see AFI 33-200, Information Assurance (IA) Management). (see para 22.214.171.124.2., 126.96.36.199. or 188.8.131.52., of this publication)
AFI33-332 12 JANUARY 2015
184.108.40.206. Return failed hard drives to include copiers with internal hard drives, to a vendor for service if the device was ever used to store Personal Information, without ensuring all data has been permanently removed. 220.127.116.11. Leave personal information in unsecured vehicles, unattended workspaces, unsecured file drawers, or in checked baggage. 18.104.22.168. File personal notes in a SOR, as personal notes will be considered part of the SOR. 22.214.171.124. Use personal information for any other reason not stated under the purpose within the published SORN. 126.96.36.199. Pull data or information from an approved system of records to be added to an unapproved source for convenience or any other means. (Note: Doing so, the data is no longer in the location as prescribed in the SORN published in the federal register) 2.3. Privacy Act Complaints and Violations. 2.3.1. A privacy complaint is an allegation that an agency or its employees violated a specific provision of the Privacy Act of 1974, as amended regarding to the maintenance, amendment, or dissemination of personal information in a SOR. A privacy violation occurs when an agency or individual knowingly or willfully fails to comply with provisions of the Privacy Act. 2.3.2. Privacy Act complaints and violations must be submitted in written form to the servicing privacy manager. 2.3.3. Alleged Privacy Act complaints or violations are processed through the supporting Privacy Manager. The Privacy Manager directs the process and provides guidance to the SOR owner. Issues that cannot be resolved at the local level shall be elevated to the HAF/MAJCOM/FOA/DRU Privacy Manager, as appropriate. 2.3.4. Penalties for Violation. An individual may file a civil law suit against the AF for failing to comply with the Privacy Act. In addition to specific remedial actions, civil remedies include payment of damages, court costs, attorney fees in some cases against an AF employee. In addition to potential UCMJ actions, an AF employee may be subject misdemeanor criminal charges and a fine of up to $5,000 may be imposed if he/she; 188.8.131.52. Maintains a SOR without publishing the required SORN in the Federal Register or; 184.108.40.206. Willfully discloses personal information from a SOR, knowing that dissemination is prohibited, to anyone not entitled to receive the information. 2.3.5. Privacy Acts and Complaints Reporting Process: 220.127.116.11. The local Privacy Manager or SOR owner shall: (T-0) 18.104.22.168.1. Conduct an inquiry to determine if a formal investigation of the complaint or allegation of a Privacy Act violation is warranted. 22.214.171.124.2. Ensure a response is sent to the complainant through the Privacy Official. (Note: for Privacy Act complaints filed in a U.S. District Court against the AF, an AF activity, or an AF employee, the Office of The Judge Advocate’s General Litigation Division (AFLOA/JACL) shall provide SAF/A6XA a litigation summary in accordance with the format in Appendix 8 of DoD 5400.11-R, Department of Defense
AFI33-332 12 JANUARY 2015 Privacy Program.) When the court renders a formal opinion or judgment, AFLOA/JACL will send SAF/A6XA a copy of the judgment and opinion.
2.4. Maintaining Personal Information. 2.4.1. Each agency that maintains a SOR shall: (T-0) 2.4.2. Maintain in its records only information about an individual that is relevant and necessary to accomplish a purpose of the agency as required by a statute or executive order or their implementing regulations. 2.4.3. To the greatest extent practicable, collect personal information only directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs. 126.96.36.199. Examples of when it is more practical to collect information from a third party instead of the subject individual include but are not limited to, the following: 188.8.131.52.1. Verification of information through third-party sources for security or employment suitability determinations. 184.108.40.206.2. Seeking third-party opinions such as supervisor comments as to job knowledge, duty performance, or other opinion-type evaluations. 220.127.116.11.3. Obtaining information first from the individual may impede rather than advance an investigative inquiry into the actions of the individual. 18.104.22.168.4. Contacting a third party at the request of the individual to furnish certain information, such as exact periods of employment, termination dates, copies of records, or similar information. 22.214.171.124.5. Implementing and enforcing safeguards to ensure protection of personal information. 2.4.4. Ensuring required Privacy Act Statement is provided to individuals when personal information is collected. 2.4.5. In Accordance With the Paper Reduction Act, an Office of Management and Budget (OMB) control number shall be requested whenever information is being collected from ten or more members of the general public. This requirement may apply to Military or Government civilians whenever information is being collected outside their scope of their duty. (see AFI 33-324, The Information Collections and Reports Management Program: Controlling Internal, Public, and Interagency Air Force Information Collections) 2.5. Privacy Act Statements. (T-0) 2.5.1. Whenever an individual is requested to provide personal information that will be maintained in a SOR or collected on an official AF Form, the individual shall be provided the authority, purpose, routine use(s), whether disclosure of the information is voluntary or not; and the applicable SORN. This is known as a Privacy Act Statement (PAS). 126.96.36.199. Authority: the legal authority that authorizes the solicitation of the personal information.
AFI33-332 12 JANUARY 2015
188.8.131.52. Purpose: the principal purpose or purposes for which the information is intended to be used. 184.108.40.206. Routine Uses: who will the personal information be shared with on a routine basis outside the DoD. 220.127.116.11. Disclosure: Voluntary or Mandatory. (Use mandatory only when disclosure is required by law and the individual will be penalized for not providing information. All mandatory disclosure requirements must first be reviewed by the servicing legal office). Include any consequences of nondisclosure in nonthreatening language. 18.104.22.168. AF SORN(s), are searchable by number and title, and are available at: http://dpclo.defense.gov/Privacy/SORNs.aspx (If applicable) 2.5.2. Privacy Act Advisory Statements in Publications. Include a Privacy Act Advisory Statement in each AF publication that requires collecting or keeping personal information in a SOR. Also include a statement when publications direct collection from the individual of any part or form of the Social Security Number (SSN). The statement shall refer to the legal authority for collecting the information and SORN number and title as follows: “This Instruction requires the collection and or maintenance of information protected by the Privacy Act of 1974 authorized by [set forth the legal authority such as the federal statute, executive order, and regulation]. The applicable SORN(s) [number and title] is (are) available at: http://dpclo.defense.gov/Privacy/SORNs.aspx 2.5.3. Paper or electronic documents and/or materials that contain personal information such as a recall rosters, personnel rosters, lists or spreadsheets shall be marked “FOR OFFICIAL USE ONLY” (see DoDM 5200.01, Volume 4, DoD Information Security Program: Controlled Unclassified Information (CUI)) as follows: 22.214.171.124. “The information herein is FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Freedom of Information Act (5 U.S.C 552) and/or the Privacy Act of 1974 (5 U.S.C. 552a). Unauthorized disclosure or misuse of this PERSONAL INFORMATION may result in disciplinary action, criminal and/or civil penalties.” 2.5.4. All paper documents and printed materials that contain personal information shall be covered with the AF Form 3227, Privacy Act Cover Sheet or DD Form 2923, Privacy Act Data Cover Sheet when removed from its approved storage area. 2.5.5. The Privacy Act requires agencies to provide safeguards to ensure the security and confidentiality of SOR and to protect individuals against an invasion of personal privacy. 2.5.6. Exercise caution before transmitting personal information via e-mail to ensure the message is adequately safeguarded. Some information may be so sensitive and personal that e-mail may not be the appropriate means of transmitting. (see DoDI 8500.01, Cybersecurity, ECCT-1 (Encryption for Confidentiality (Data at Transmit)). 2.5.7. When transmitting personal information over e-mail, encrypt and add “For Official Use Only” (“FOUO”) to the beginning of the subject line and apply the following statement at the beginning of the e-mail: "This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Freedom of Information Act (5 U.S.C 552) and/or the Privacy Act of 1974 (5 U.S.C. 552a). Unauthorized disclosure or misuse of this
AFI33-332 12 JANUARY 2015 PERSONAL INFORMATION may result in disciplinary action, criminal and/or civil penalties. Further distribution is prohibited without the approval of the author of this message unless the recipient has a need-to-know in the performance of official duties. If you have received this message in error, please notify the sender and delete all copies of this message.”
(Note: Do not indiscriminately apply this statement to all e-mails. Use it only in situations when you are actually transmitting personal information required to be protected For Official Use Only purposes. (see DoDM 5200.01, Volume 4 DoD Information Security Program: Controlled Unclassified Information (CUI)) . The guidance in this paragraph does not apply to appropriate releases of personal information to members of the public via e-mail, such as pursuant to the Freedom of Information Act, or with the consent of the subject of the personal information.) 2.6. Publishing System of Records Notices (SORNs). Records that are retrieved by a personal and/or a unique identifier are subject to the Privacy Act of 1974 requirements and are referred to as a system of records (SOR). The AF Privacy Officer will submit SORNs to the Defense Privacy and Civil Liberties Office (DPCLO) to be published in the Federal Register for new, changed or deleted SOR. When published, the public will be allowed 30 days to comment. Collection of this information is not authorized until the SORN is final, including during this 30 day review period. If comments are received that result in a contrary determination, this could further delay the time until a final SORN is published and collection may occur. Any collection conducted prior to finalizing the SORN is an illegal collection and can result in civil penalties under the Privacy Act Of 1974 5 U.S.C. § 552a as amended, (i)(1) Criminal Penalties. 2.6.1. When is a SORN required? A SORN is required when personal information is maintained on an individual and is regularly retrieved by a name, number, symbol, or other identifying particular (i.e. data) assigned to the individual. The Privacy Act requires submission of new or significantly changed SORNs to the Office of Management and Budget (OMB) and both houses of Congress before publication in the Federal Register. This applies when: 126.96.36.199. Starting a new system. (Add). 188.8.131.52.1. Preamble. 184.108.40.206.2. Narrative. 220.127.116.11.3. Final SORN write up. 18.104.22.168. Instituting significant changes to an existing system. (Alter). 22.214.171.124.1. Preamble. 126.96.36.199.2. Narrative. 188.8.131.52.3. Changes. 184.108.40.206.4. Final write-up with changes. 220.127.116.11. Minor changes to an existing system. (Admin). 18.104.22.168.1. Changes. 22.214.171.124.2. Final write-up with changes.
AFI33-332 12 JANUARY 2015
2.6.2. Other Systems. National Security SORs require a SORN. While some or many of these systems may be classified, the SORN is written in an unclassified manner describing the nature of the collection of PII. (see DoD 5400.11-R, for the use and establishment of exemptions that may apply to these systems). 2.6.3. Adopting Existing SORN. A new or existing SOR may be incorporated into an existing SORN published in the Federal Register: 126.96.36.199. First, research current SORNs, including those that cover systems of records government-wide and DoD-wide on the Defense Privacy Notices website at http://dpclo.defense.gov/Privacy/SORNs.aspx for one that matches well with the new SOR at all points, i.e., Category of Individuals Covered, Category of Records, Authority, Purposes, Routine Uses, Policies, etc. 188.8.131.52. Second, if necessary, contact the current SORN owner through the POC information on the SORN to discuss altering or amending their SORN to include the new AF SOR and POC information. 184.108.40.206. Provide the system owner the altered or amended SORN for their review and processing. 2.6.4. Updating SORNs. Examples for Adding, Altering, Amending, and Deleting a SORN are available on the AF Information Access SharePoint and the AF Privacy Website. 2.6.5. Submitting SORNs for Publication in the Federal Register. The PM must submit the proposed SORN through their MAJCOM/FOA/DRU Privacy Manager at a minimum of 120 days before the planned implementation date of a new SOR or a change to an existing SOR subject to this Instruction. The Privacy Manager shall review for accuracy and completeness and send electronically to the AF Privacy Office [email protected]
The AF Privacy Office shall review and forward to DPCLO for review and publishing in the Federal Register, as appropriate. (T-1) 2.6.6. Requirement for periodic review of published SORNs. PMs use the Air Force Biennial SORN Accuracy Review Checklist (Attachment 13) to document the validity, accuracy, relevance, timeliness and necessity of their published SORNs, coinciding with Appendix I to OMB Circular A-130, (Federal Agency Responsibilities for Maintaining Records about Individuals). PMs review and submit any changes through the process described in this chapter and promptly update appropriate answers to EITDR questions. 2.6.7. Deletion of SORNs. If your IT system is being decommissioned or closed and has a published SORN that is no longer required, comply with DoD 5400.11-R, Department of Defense Privacy Program, subpar C6.5.3., Deletion of System of Records Notices and submit appropriate amendment or deletion request to the AF Privacy Office, [email protected]
to be forwarded to DPCLO to have the SORN deleted from the Federal Register. 2.7. Privacy Act Records Request. Persons or their designated representatives may ask for a copy of their records maintained in a SOR. Requesters need not state why they want access to their records. Personnel that receive requests must verify the identity of the requester to avoid unauthorized disclosures. How their identity is verified will depend on the sensitivity of the requested records. Identity can be verified in a number of ways, to include visually, personal
AFI33-332 12 JANUARY 2015
knowledge of the requester, a signed letter, or a request via telephone as appropriate or e-mail, a notarized statement, or an unsworn statement. An unsworn declaration or notarized statement should be obtained in the following format: 2.7.1. Requesting Access to Records in a SOR. 220.127.116.11. Contents of Request. “I declare under penalty of perjury (if outside the United States, add “under the laws of the United States of America”) that the foregoing is true and correct. Executed on (date)(Signature).” 18.104.22.168.1. Description of Records. The requester must adequately describe the records they want. The requester is not required to name a SOR, but they should at least name a type of record or functional area. For requests that ask for “all records about me,” the requester should be asked for more information about the types of records they are seeking and informed as to how their input can help the AF respond as quickly as possible. If the requester needs help identifying types of systems or records, provide them information to review the government-wide systems of records published in the Federal Register and AF specific SORNs published at http://dpclo.defense.gov/Privacy/SORNs.aspx. Ensure they understand that identifying the relevant SORN(s) will make the AF review more efficient. If the requester is truly requesting all records pertaining to themselves or an individual, inform the requester they must make a FOIA request. 22.214.171.124.2. Provide Verification of Identity. 126.96.36.199. Use of a Government Resource to Make a Request is prohibited. 2.7.2. Processing a Request for Access to Records in a SOR. Immediately consult the local Privacy Manager, if necessary, to ensure timely response to the request. When individuals request information about themselves, they are not required to cite either the Privacy Act or Freedom of Information Act (FOIA). The individual who processes the request will apply the Privacy Act when records are contained in a SOR and will apply the FOIA to all other records. 188.8.131.52. Acknowledge Request. As a good practice SOR owner should send the requester an acknowledgement letter within 10 workdays informing them of an approximate completion date. 184.108.40.206. Required Response. As a good practice SOR owner should provide a copy of the record(s) to the requester within 20 workdays of receiving the request. If the SOR has an exemption, inform the requestor of those exemptions in a format the requester can understand. If the system is exempt from disclosure under the Privacy Act, follow the procedures addressed in paragraph 2.11. 2.7.3. Denying or Limiting Access. When information protected under the Privacy Act may not be released under the Privacy Act, the request must be processed under the FOIA. If any part of the record is denied under the FOIA, the procedures in DoD 5400.7-R_AFMAN 33302, Freedom of Information Act Program, are followed. For Privacy Act denials also processed under the FOIA (Note: This should be an extremely rare circumstance), send a copy of the request, the record copy, and why access has been denied (include the applicable exemption) to the denial authority through the legal office and the Privacy Office. Judge Advocate (JA) office shall include a written legal opinion. The legal opinion shall not merely
AFI33-332 12 JANUARY 2015
state that the decision is “legally sufficient,” but shall provide factual details and an analysis of the law and applicable regulations. The Privacy Manager reviews the file, and makes a recommendation to the denial authority. The denial authority sends the requester a letter with the decision. If the denial authority grants access, release the record copy. If the denial authority refuses access, tell the requester why and explain pertinent appeal rights. 220.127.116.11. Before a request for access to a Privacy Act system of record from the subject is denied that was not processed under the FOIA, the SOR owner shall ensure that: 18.104.22.168.1. The system has an exemption published in the Federal Register as a final rule. 22.214.171.124.2. The exemption covers each document. All parts of a system are not automatically exempt. 126.96.36.199.3. The FOIA does not require release of any part of the record. 188.8.131.52.4. Nonexempt parts are segregated. 2.7.4. Third Party Information in a SOR. A first party requester is not entitled to receive information that does not directly pertain to him or her that is contained in their record; for example, the home address or SSN of a third party that is contained in their system of record solely for ease of identification of the third party. Servicing legal offices should be consulted prior to the release of a third party’s sensitive personal information to a first party requester that is contained in the first party requester’s SOR. 2.8. Amending a Privacy Act Record. 2.8.1. Amendment Reasons. Individuals may ask to have their personal information in a SOR amended to make such information accurate, timely, relevant, and complete. System managers shall routinely correct a record if the requester can show that it is factually incorrect (e.g., date of birth is wrong). 2.8.2. Responding to Amendment Requests. 184.108.40.206. The individual may request simple corrections orally. Requests for complicated and detailed corrections must be in writing to ensure clarity. 220.127.116.11. After verifying the identity of the requester, the receiving agency shall make the change if appropriate, notify all known recipients of the record, and inform the affected individual. 18.104.22.168. Acknowledge requests within 10 workdays of receipt. Give an expected completion date unless the change is completed within that time. Final decisions must, unless extended by the appropriate authority, take no longer than 30 workdays after the date of receipt. 2.9. Approving or Denying a Record to be Amended. The AF does not usually amend a record when the change is based on opinion, interpretation, or subjective official judgment. Determination not to amend such records constitutes a denial, and the requester may: 2.9.1. If the SOR owner decides not to amend the record then a copy of the request, the record, and the recommended denial reasons shall be sent to their legal and the Privacy Office. Legal office shall include a written legal opinion. The legal opinion shall not merely state that the
AFI33-332 12 JANUARY 2015 decision is “legally sufficient,” but will provide factual details and an analysis of the law and applicable regulations. 2.9.2. The SOR owner shall send the requester a letter with the decision. 2.9.3. If the SOR owner denies to amend the records, the requester may file a concise statement of disagreement with the Air Force Privacy Officer.
2.10. Contents of Privacy Act Processing Case Files. Copies of disputed records shall not be kept in Privacy Act Processing Case files. Disputed records shall be filed under their appropriate series. Use the Privacy Act Processing Case Files solely for statistics and to process requests. Such case files shall not be used to make any kind of determination about an individual. The reasons for untimely responses shall be documented in the Privacy Act Processing Case Files and may include the following: 2.10.1. Requests from and replies to individuals on whether a SOR contains records about them. 2.10.2. Requests for access or amendment. 2.10.3. Approvals, denials, appeals, and final review actions. 2.11. First Party Appeal Process For Denial to Access or Amendment of a Privacy Act Record. 2.11.1. Appeals Procedures. Individuals who receive a denial to their access or amendment request may request a denial review (appeal) within 60 calendar days of the date of the denial letter. 2.11.2. The SOR owner shall promptly send a complete appeal package to the Air Force Privacy Officer. The package must include the following: (T-0) 22.214.171.124. The original appeal letter; 126.96.36.199. The initial request; 188.8.131.52. The initial denial; 184.108.40.206. A copy of the record; 220.127.116.11. Any internal records or coordination actions relating to the denial and the denial authority’s comments on the appellant’s arguments and the legal reviews. 2.11.3. If the SOR owner reverses their decision on an earlier denial and grants access or amendment, notify the requester immediately. 2.11.4. The SOR owner may include a brief summary of the reasons for not amending the record. 2.11.5. The Air Force Privacy Officer will review the denial and provide a final recommendation to the SOR owner along with providing the requester with the final AF decision and explanation of judicial review rights. 2.11.6. The records will clearly show that a statement of disagreement is filed with the record or separately, if applicable.
AFI33-332 12 JANUARY 2015
2.11.7. The disputed part of the record must show that the requester filed a statement of disagreement. 2.11.8. Give copies of the statement of disagreement to the record’s previous recipients. Inform subsequent record users about the dispute and give them a copy of the statement with the record. 2.12. Disclosing Information. 2.12.1. In all cases, use the following guidelines to decide whether to release information without consent: 18.104.22.168. Would the subject have a reasonable expectation of privacy in the information requested? 22.214.171.124. Is disclosing the information in the public interest? The public interest relates to how the AF carries out its statutory and regulatory duties. 126.96.36.199. Balance the public interest against the individual’s privacy interest. Do not consider the requester’s purpose, circumstances, or proposed use. 2.12.2. Rules for Releasing personal information without Consent of the Subject. The Privacy Act prohibits disclosure of personal information within a SOR without the prior written consent of the individual to whom the record pertains. There are twelve exceptions to the “no disclosure without consent” rule. (see http://www.privacy.af.mil/exceptions/index.asp) 2.12.3. Disclosing the Medical Records of Minors. AF personnel may disclose the medical records of minors to their parents or legal guardians in conjunction with applicable Federal laws and guidelines. The laws of each state define the age of majority and/or circumstances under which minors are consider emancipated. Consult with the servicing legal office’s medical liaison and Military Treatment Facility (MTF) for guidance in regard to the age of majority, especially in overseas locations. 2.12.4. Disclosure Accountings. System managers must keep an accurate record of all disclosures made from any SOR except disclosures to DoD personnel for a valid official use or disclosures under the FOIA. System managers may use AF Form 771, Accounting of Disclosures. Retain disclosure accountings for 5 years after the disclosure, or for the life of the record, whichever is longer. 188.8.131.52. System managers shall file the Accounting of Disclosure record and give it to the data subject on request, send corrected or disputed information to previous record recipients, explain any disclosures, and provide an audit trail for reviews. Include in each accounting: (T-0) 184.108.40.206.1. Release date. 220.127.116.11.2. Description of information. 18.104.22.168.3. Reason for release. 22.214.171.124.4. Name and address of recipient. 126.96.36.199.5. Some exempt systems let you withhold the accounting record from the subject.
AFI33-332 12 JANUARY 2015 188.8.131.52.6. Withhold information about disclosure accountings for law enforcement purposes at the law enforcement agency’s request.
2.13. Computer Matching. Computer matching programs electronically compare records from two or more automated systems, one from the DoD and the other from a Federal agency, or a state or local government in other to make a decision that affects an individual’s rights, benefits and/or privileges. 2.13.1. A system manager proposing a match that could result in an adverse action against a Federal employee must meet the following requirements of the Privacy Act: 184.108.40.206. Prepare a written agreement between participants; 220.127.116.11. Secure approval of the Defense Data Integrity Board; 18.104.22.168. Publish a matching notice in the Federal Register before matching begins; 22.214.171.124. Ensure full investigation and due process; and 126.96.36.199. Act on the information, as necessary. 2.13.2. The Privacy Act applies to matching programs that use records from Federal personnel or payroll systems and Federal benefit programs where matching: 188.8.131.52. Determines Federal benefit eligibility; 184.108.40.206. Checks on compliance with benefit program requirements; or 220.127.116.11. Recovers improper payments or delinquent debts from current or former beneficiaries. 2.13.3. Matches used for statistics, pilot programs, law enforcement, tax administration, routine administration, background checks and foreign counterintelligence, and internal matching that will not cause any adverse action are exempt from Privacy Act matching requirements. 2.13.4. Any activity that expects to participate in a matching program must contact the AF Privacy Officer immediately. System managers must prepare a Computer System Matching Agreement notice for publication in the Federal Register, which explains the routine uses that permit the processing of personal information to the AF Privacy Officer. Allow 180 days for processing requests for a new matching program. 2.13.5. Individuals must receive notice when they are asked to provide personal information that will be used in a matching program as a routine use. The most appropriate method of providing notice is to include the PAS on the form used when an individual applies for benefits. When the individual completes and submits the form and has been provided adequate notice, they are consenting to the routine uses associated with the notice. Coordinate appropriate statements with the MAJCOM/FOA/DRU Privacy Manager and AF Privacy Officer. 2.14. Privacy Act Exemptions. 2.14.1. Exemption Types. This section contains the most current exemptions that have been published as final rules for the listed SOR as of the date of this Instruction. The ISO should ensure that a more recent final rule has not been published. There are two types of exemptions from release or disclosure permitted by Title 5, USC 552a:
AFI33-332 12 JANUARY 2015
18.104.22.168. A General exemption authorizes the exemption of a SOR from most parts of the Privacy Act. 22.214.171.124. A Specific exemption authorizes the exemption of a SOR from only a few parts of the Privacy Act. 2.14.2. Authorizing Exemptions. Denial authorities may withhold release or disclosure of records to the first party requesters using Privacy Act exemptions only when an exemption for the SOR has been published in the Federal Register as a final rule. (see http://dpclo.defense.gov/Privacy/SORNs.aspx ; exemptions are noted in the right column.) 2.14.3. Requesting an Exemption. An ISO who believes that a system requires an exemption from some or all of the requirements of the Privacy Act shall send a request through the Wing Privacy Office, the HAF/MAJCOM/FOA/DRU Privacy Office, and to AF Privacy Office. Final approval is granted by DPCLO. The request will detail the reasons why the exemption applies, the section of the Act that allows the exemption, and the specific subsections of the Privacy Act from which the system is to be exempted, with justification for each subsection. 2.14.4. Exemptions. Exemptions permissible under Title 5 Privacy Act are searchable at http://www.gpo.gov/fdsys/pkg/USCODE-2012-title5/pdf/USCODE-2012-title5-partIchap5-subchapII-sec552a.pdf 126.96.36.199. The (j)(2) exemption. Applies to investigative records created and maintained by law-enforcement activities whose principal function is criminal law enforcement. 188.8.131.52. The (k)(1) exemption. Applies to information specifically authorized to be classified according to DoDM 5200.01, Volume 4, DoD Information Security Program: Controlled Unclassified Information (CUI)). 184.108.40.206. The (k)(2) exemption. Applies to investigatory information compiled for lawenforcement purposes by non-law enforcement activities and which is not within the scope of the (j)(2) exemption. However, the AF must allow an individual access to any record that is used to deny rights, privileges or benefits to which he or she would otherwise be entitled by Federal law or for which he or she would otherwise be eligible as a result of the maintenance of the information (unless doing so would reveal a confidential source). 220.127.116.11. The (k)(3) exemption. Applies to records maintained in connection with providing protective services to the President and other individuals under Title 18; Crimes and Criminal Procedure, USC, section 3056; Powers, authorities, and duties of United States Secret Service. 18.104.22.168. The (k)(4) exemption. Applies to records maintained solely for statistical research or program evaluation purposes and which are not used to make decisions on the rights, benefits, or entitlement of an individual except for census records which may be disclosed under Title 13, CENSUS, U.S.C., Section 8; Authenticated transcripts or copies of certain returns; other data; restriction on use; disposition of fees received. 22.214.171.124. The (k)(5) exemption. Applies to investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for U.S. civilian employment, military service, U.S. contracts, or access to classified information, but only to the extent such material would reveal the identity of a confidential source. This provision allows protection of confidential sources used in background investigations, employment
AFI33-332 12 JANUARY 2015 inquiries, and similar inquiries that are for personnel screening to determine suitability, eligibility, or qualifications. 126.96.36.199. The (k)(6) exemption. Applies to testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal or military service, if the disclosure would compromise the objectivity or fairness of the test or examination process. 188.8.131.52. The (k)(7) exemption. Applies to evaluation material used to determine potential for promotion in the Military Services, but only to the extent that the disclosure of such material would reveal the identity of a confidential source.
2.15. The Federal Records Act, 44 U. S.C. § 3301. Defines a federal government record as “all books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, guidance, decisions, procedures, operations, or other activities of the Government or because of the informational value of data in them.”
AFI33-332 12 JANUARY 2015
27 Chapter 3 E-GOVERNMENT ACT
3.1. Overview of the E-Government Act of 2002, 44 U. S.C. 3601. Congress finds the following: 184.108.40.206. The use of computers and the Internet is rapidly transforming societal interactions and the relationships among citizens, private businesses, and the Government. 220.127.116.11. The Federal Government has had uneven success in applying advances in information technology to enhance governmental functions and services, achieve more efficient performance, increase access to Government information, and increase citizen participation in Government. 18.104.22.168. Most Internet-based services of the Federal Government are developed and presented separately, according to the jurisdictional boundaries of an individual department or agency, rather than being integrated cooperatively according to function or topic. 22.214.171.124. Internet-based Government services involving interagency cooperation are especially difficult to develop and promote, in part because of a lack of sufficient funding mechanisms to support such interagency cooperation. 126.96.36.199. Electronic Government has its impact through improved Government performance and outcomes within and across agencies. 188.8.131.52. Electronic Government is a critical element in the management of Government, to be implemented as part of a management framework that also addresses finance, procurement, human capital, and other challenges to improve the performance of Government. 184.108.40.206. To take full advantage of the improved Government performance that can be achieved through the use of Internet based technology requires strong leadership, better organization, improved interagency collaboration, and more focused oversight of agency compliance with statutes related to information resource management. 3.2. The Purposes of the E-Government Act are the Following: 3.2.1. To provide effective leadership of Federal Government efforts to develop and promote electronic Government services and processes by establishing an Administrator of a new Office of Electronic Government within the Office of Management and Budget. 3.2.2. To promote use of the Internet and other information technologies to provide increased opportunities for citizen participation in Government. 3.2.3. To promote interagency collaboration in providing electronic Government services, where this collaboration would improve the service to citizens by integrating related functions, and in the use of internal electronic Government processes, where this collaboration would improve the efficiency and effectiveness of the processes. 3.2.4. To improve the ability of the Government to achieve agency missions and program performance goals.
AFI33-332 12 JANUARY 2015 3.2.5. To promote the use of the Internet and emerging technologies within and across Government agencies to provide citizen-centric Government information and services. 3.2.6. To reduce costs and burdens for businesses and other Government entities. 3.2.7. To promote better informed decision-making by policy makers. 3.2.8. To promote access to high-quality Government information and services across multiple channels. 3.2.9. To make the Federal Government more transparent and accountable. 3.2.10. To transform agency operations by utilizing, where appropriate, best practices from public and private sector organizations. 3.2.11. To provide enhanced access to Government information and services in a manner consistent with laws regarding protection of personal privacy, national security, records retention, access for persons with disabilities, and other relevant laws.
3.3. Privacy Impact Assessments (PIA). 3.3.1. Evaluate Information Systems Risk Management Framework. Information System Owners (ISO), Portfolio Managers (PfMs), Program Managers (PM), and Information Assurance Managers (IAM) shall address risks assessment on Personally Identifiable Information (PII) in an IT system and plan the integration of privacy protections with appropriate Information Assurance (IA) controls into the development life cycle of an information system. A Privacy Impact Assessment (PIA) shall be completed in accordance with DoDI 5400.16, DoD Privacy Impact Assessment (PIA) Guidance. (T-0) 3.3.2. What is a PIA? The PIA is an analysis of how PII (which is personal information when stored in a SOR) is collected and handled in an IT system: 220.127.116.11. To ensure PII handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 18.104.22.168. To determine the risks to an individual and the effects of collecting, maintaining and disseminating PII in an electronic information system, and; 22.214.171.124. To examine and evaluate protections and alternative processes for handling PII information to mitigate potential privacy risks. 126.96.36.199. The depth and content of the PIA should be thorough and appropriate for the nature of the information to be collected and the size and complexity of the information technology system. 188.8.131.52. The PIA identifies the physical, technical, and administrative controls that are needed to protect PII. Information Assurance controls are identified in DoDI 8500.01, Cybersecurity. Information Assurance controls will be implemented and tested before deployment or release of a system to mitigate specific risks. Additionally, system owners will determine whether a SORN exists, needs to be created, and/or needs to be amended.
AFI33-332 12 JANUARY 2015
3.3.3. When must a PIA be conducted? 184.108.40.206. The E-Government Act of 2002 and DoDI 5400.16 require PIAs to be conducted before developing or procuring IT systems or projects that collect, maintain, or disseminate information in identifiable form from or about individuals as defined in DoD 5400.11-R. 220.127.116.11. PIAs are required to be performed, approved and/or updated as necessary when a system change exposes a new privacy risk for which an Information Assurance control must be identified and tested before re-deployment or re-release of the system. 18.104.22.168. At the discretion of the commander. 3.3.4. When a PIA must be submitted. PIAs are submitted 120 days from the scheduled operational or expiration date of the Authorization to Operate (ATO) or Interim Authorization to Operate (IATO) on all new and existing systems. This applies to IT systems whenever PII is collected, maintained, used or disseminated for the purpose, other than the user table, in electronic form about members of the public, Federal personnel, contractors or foreign nationals employed at U.S. military facilities internationally. 3.3.5. When a PIA is not required. 22.214.171.124. When Personally Identifiable Information (PII) is not being maintained, collected, stored, used, or disseminated; 126.96.36.199. An IT system is an approved National Security System (NSS). Administrative and personnel systems that do not meet one or more of the NSS conditions are not exempt from the PIA requirement. 3.3.6. Who conducts the PIA? The ISO shall conduct a PIA in conjunction with the system PM, IAM and Privacy Manager/Monitor. (T-0) 3.3.7. Medical IT systems that are Defense Health Agency (DHA) funded or in the AF linefunded portfolio and managed by Air Force Medical Service (AFMS) assets, shall route PIAs through the DHA CIO office for appropriate management, signatures, and oversight. 3.3.8. All DoD Medical Department IT systems purchased with DHA funds must ONLY be reported to the DoD Information Technology Portfolio Repository (DITPR) via the component Defense Health Agency (DHA). 3.3.9. Format and Digital Signatures. PIAs shall be completed on DD Form 2930, Privacy Impact Assessment (PIA), as an unsecured fillable PDF which requires digital signatures as follows, except for medical DHP funded systems.(T-0) 188.8.131.52. Privacy Impact Assessments processing procedure. 184.108.40.206.1. The system Program Manager will digitally sign and forward the signed PIA to their perspective Information System Security Manager (ISSM); 220.127.116.11.2. ISSMs digitally sign and forward the signed PIA to their Base Privacy Manager. Base Privacy Managers digitally sign and coordinate with the applicable records management office to ensure appropriate lifecycle management of any records created are maintained, used, preserved, and disposed of in accordance with DoD Instruction 5015.02 (Reference (i)) and National Archives and Records Administration approved records schedules. Records managers annotate in section 3 part f of the DD
AFI33-332 12 JANUARY 2015 2930, “Records maintenance is consistent with NARA records schedule”. Records managers return the PIA to the PM. PMs forward the signed PIA for review to their respective MAJCOM Privacy Office. After MAJCOM review, forward the PIA to the Senior Information Security Officer (SISO) workflow e-mail [email protected]
18.104.22.168.3. The Senior Information Security Officer (SISO) or designee shall digitally sign and return the signed PIA to the AF Privacy Officer workflow e-mail [email protected]
22.214.171.124.4. The AF Privacy Officer shall digitally sign and forward the signed PIA to the AF CIO or representative. 126.96.36.199.5. The AF CIO or representative shall digitally sign and return PIA to the AF Privacy Officer. 3.3.10. Submitting Approved PIAs. AF Privacy maintains a copy of all approved PIAs on the AF Privacy public access website http://www.privacy.af.mil/pia/index.asp. An electronic copy will be forwarded by the AF Privacy Officer to the Department of Defense, Chief Information Officer (DOD CIO). 3.3.11. Periodic Reviews and Updates Cycle of PIAs. PMs review and update PIAs IAW DoDI 5400.16, 14 July 2015, DoD Privacy Impact Assessment (PIA) Guidance.
AFI33-332 12 JANUARY 2015
31 Chapter 4
ROLES AND RESPONSIBILITIES. 4.1. The Chief, Information Officer (SAF/CIO A6) shall: (T-0) 4.1.1. Establish procedures to ensure compliance with the Privacy Act and the DoD privacy program. 4.1.2. Appoint a Component Senior Official for Privacy (CSOP) with overall responsibility for the AF privacy program. 4.1.3. Appoint an AF Privacy Officer with responsibility for implementing the AF privacy program. 4.2. The CSOP shall: (T-0) 4.2.1. Ensure DoD and AF proposals, policies, or programs having privacy implications are evaluated to ensure consistency with privacy principles. 4.2.2. Ensure the AF privacy program is periodically reviewed by the Inspector General (IG) or other officials, who have specialized knowledge of the privacy policies. 4.2.3. Supervise and oversee management of the AF Privacy Program as administered by the AF Privacy Officer. 4.2.4. The CSOP or the AF Privacy Officer will serve as the AF representative on the Defense Privacy Board and the Defense Data Integrity Board, which are administered through the Defense Privacy and Civil Liberties Office (DPCLO). 4.3. The AF Privacy Officer shall: (T-0) 4.3.1. Administer guidance and procedures prescribed in this Instruction and DoD policies. 4.3.2. Develop AF policy to ensure protection of PII. 4.3.3. Provide guidance and assistance to Privacy Managers. 4.3.4. Conduct mandatory reviews of publications and forms for compliance with this Instruction. 4.3.5. Review Privacy Impact Assessments (PIA) for submission to SAF/CIO A6 for approval (see Chapter 3). 4.3.6. Review and submit proposed new, altered, amended, and deleted SORNs to DPCLO. 4.3.7. Review and approved SSN justification memos for continued use of SSN. 4.3.8. Report Privacy Breaches to the DPCLO within the prescribed timelines. Track and monitor breach trends to improve guidance and procedures. 4.3.9. Prepare and submit reports as required to DPCLO. 4.3.10. Provide guidance and support to the field to ensure information systems which are developed to collect, maintain, process, or disseminate personal information conform to the Privacy Act, OMB, DoD, and AF requirements.
AFI33-332 12 JANUARY 2015 4.3.11. Coordinate with SAF/A6OI, Information Assurance Division, to ensure appropriate Information Assurance Control procedures are applied by Information System Owners (ISO), Program Managers (PM), Information Assurance Managers (IAM), and Portfolio Managers during the Certification and Accreditation (C&A) process to protect Privacy Act information throughout the IT system life cycle. 4.3.12. Serve as the AF representative on the Defense Privacy Board and the Defense Data Integrity Board, which are administered through the Defense Privacy and Civil Liberties Office (DPCLO).
4.4. The Office of The Judge Advocate General, Administrative Law Directorate (AF/JAA), and Judge Advocate legal offices shall; provide advice to the Privacy Officer/Manager/Monitor, commanders, and supervisors on requests made under the Privacy Act, and the Freedom of Information Act, PII breaches, and other aspects of the AF Privacy and Civil Liberties program. (T-0) 4.5. AF Departmental Forms Management Officer shall: (T-0) 4.5.1. Maintain a database of both new and existing forms reviewed to produce an annual report every July 1. This report shall be submitted to the AF Privacy Officer as input into the Privacy section of the annual Federal Information Security Management Act (FISMA) report as required by Subchapter III, Chapter 35 of Title 44, United States Code. 4.5.2. Ensure OPRs for new and revised forms that collect personal information have the appropriate notice as required in this instruction. Coordination is made with the supporting Privacy Manager/Monitor before publishing. Final publishing packages must contain a completed AF Form 673, Air Force Publication/Form Action Request, IAW AFI 33-360, Publications and Forms Management; and if applicable, the associated SORN and AF Privacy Officer approved SSN justification memo. 4.6. MAJCOM/A6s or Responsible Directorate and Wing Commanders shall: (T-0) 4.6.1. Establish a Privacy Office within the A6 or responsible Directorate and appoint in writing a Privacy Manager/Monitor to execute command and base-level responsibilities as outlined in this Instruction. 4.6.2. Establish policies to notify Wing Commanders of Privacy Act Violations, complaints and breaches. 4.6.3. Establish policies necessary to implement and enforce the AF Privacy Program. 4.6.4. Ensure all assigned AF personnel are aware of and understand the requirements within this Instruction. 4.6.5. Ensure all privacy related issues or concerns are brought to the attention of servicing privacy manager or the AF Privacy Officer. 4.6.6. Ensure all assigned personnel have completed required mandatory annual privacy training; 188.8.131.52. DELETED. 184.108.40.206. Specialized Training. Training that focuses on the requirements IAW the Privacy Act of 1974 for individuals who will maintain a System of Record (SOR).(T-0)
AFI33-332 12 JANUARY 2015
220.127.116.11. Newcomers Orientation Training is provided to newly assigned personnel which places focus on the basic requirements of the Privacy Act and Safeguarding Personally Identifiable Information.(T-0) 18.104.22.168. Management Training. Training that provides managers and decision makers considerations that they should take into account when making management decisions regarding actions under this chapter. 22.214.171.124. Remedial Training (for individuals who committed a breach). 4.6.7. Privacy Act Training Tools. Helpful resources include: 126.96.36.199. The Privacy Act web page includes a Privacy Overview, Privacy Act training slides, the AF SORNs, and links to the Defense Privacy Board Advisory Opinions, the DoD and Department of Justice Privacy web pages. Go to http://www.privacy.af.mil/index.asp. “Resources” and “Training.” http://www.privacy.af.mil/training/index.asp 188.8.131.52. “The Privacy Act of 1974,” a 32-minute film developed by the Defense Privacy Office. Contact the Joint Visual Information Services Distribution Activity at DSN 7956543 or commercial (570) 895-6543, and ask for #504432 “The Privacy Act of 1974.” 184.108.40.206. Training slides for use by Privacy Managers/Monitors are available in the “Information Access SharePoint Site.” http://cs.eis.af.mil/afciorcs/InfoAcc/default.aspx 220.127.116.11. DISA web based training, http://iase.disa.mil/eta/index.html#onlinetraining. 4.6.8. Ensure organizational Commanders and Equivalents have: (Examples of commander equivalents include MAJCOM Director, Director of Staff, Civilian Director of an organization, or a Commandant of a school).(T-1) 18.104.22.168. Appointed a Unit Privacy Monitor in writing and submit to the base Privacy Manager. 22.214.171.124. Reinforced the importance of safeguarding PII and ensure personnel who fail to safeguard PII are counseled or disciplined as appropriate. 126.96.36.199. Directed an inquiry to determine the circumstances and impact of privacy breaches IAW Chapter 1 of this Instruction. 188.8.131.52. Ensured coordination and teamwork is accomplished between ISO, PM, IAMs and Privacy Managers. 184.108.40.206. Ensured assigned personnel are aware of and understand the requirements within this Instruction. 220.127.116.11. Ensured additional privacy training is incorporated into in-house training, as needed.
AFI33-332 12 JANUARY 2015
4.7. HAF/MAJCOM/FOA/DRU/Base Privacy Managers/Monitors shall: (T-1) 4.7.1. Provide direction and training to commanders and personnel implementing this Instruction. 18.104.22.168. Track assigned personnel privacy training. 22.214.171.124. Provide specialized training to individuals who handle privacy information on a daily or routine basis. 4.7.2. Promote privacy awareness throughout the organization and assist commanders with establishing procedures to reinforce the protection of personal information or PII. 4.7.3. Report privacy breaches and provide direction to organizations where the breach occurred. 4.7.4. Provide direction to assist with resolution of Privacy Act complaints or violations. 4.7.5. Review and process Privacy Act Request denial recommendations. 4.7.6. Review all publications and forms drafted by staff OPRs for compliance with this instruction. (Note:Publications drafted for a higher level should be reviewed by the Privacy Manager at the level of the OPR. Review organizational publications and forms for compliance with this Instruction.) 4.7.7. Provide updates as needed of Privacy Managers name, office symbol, voice number, FAX number, unclassified e-mail address to the Privacy Manager in their chain of command who in turn shall forward a copy to the AF Privacy Officer (SAF/A6XA) for continuity. 4.7.8. Submit Semi-Annual reports and/or other required reports as directed by the AF Privacy Officer. Semi-annual reports may consist of the number of SORNs reviewed, privacy complaints, and training provided; complaints will be categorized as follows: 126.96.36.199. Process and Procedural: For actions concerning consent, collection, and appropriate notice. 188.8.131.52. Redress: Privacy Act inquiries seeking resolution of difficulties or concerns about Privacy matters. 184.108.40.206. Operational: Inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or correction. 220.127.116.11. Referrals: Complaints received but referred to another office with jurisdiction over the complaint. 4.7.9. Conduct Staff Assistance Visits (SAVs)/Command Unit Inspections if budget permits to ensure compliance and health of privacy programs. 4.7.10. Base Privacy Managers provide direction to ISO, PM and IAM for properly completing a SORN or PIA (to include signing off on the DD 2930). 4.7.11. Base Privacy Managers assist ISO/PM with reviewing SORNs and PIAs to coincide with their IT system review cycles. Coordination and teamwork are required between ISO, PM, IAM and Privacy Managers. 4.7.12. Maintain copies of approved file plans with System of Records (SOR) for the purpose of identifying records protected under the Privacy Act of 1974 to assist with inspections.
AFI33-332 12 JANUARY 2015
4.7.13. Address all privacy issues or concerns with leadership and the Air Force Privacy Officer. 4.7.14. Monitor/Track Annual SORNs Review. 4.7.15. Monitor/Track Annual PIA Review. 4.8. Unit Privacy Monitors shall: (T-1) 4.8.1. Provide direction and training to commanders and personnel implementing this Instruction. 4.8.2. Promote privacy awareness throughout the organization and assist commanders/equivalent with implementing procedures to reinforce the protection of PII. 4.8.3. Track assigned personnel privacy training. 4.8.4. Provide specialized training to individuals who handle personal information or PII on a daily or routine basis. 4.8.5. Review organizational publications and forms for privacy compliance with this Instruction. 4.8.6. Provide direction to the commander/equivalent to assist with resolution of privacy breaches, complaints, and violations. 4.8.7. Submit Semi-Annual reports and/or other required reports as directed by their prospective privacy manager. Semi-annual reports will consist of the number of SORNs reviewed, privacy complaints, and training provided; complaints will be categorized as follows: 18.104.22.168. Process and Procedural: appropriate notice.
For actions concerning consent, collection, and
22.214.171.124. Redress: Privacy Act inquiries seeking resolution of difficulties or concerns about Privacy matters. 126.96.36.199. Operational: Inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or correction. 188.8.131.52. Referrals: Complaints received but referred to another office with jurisdiction over the complaint. 4.8.8. Maintain copies of approved file plans with SOR for the purpose of identifying records protected under the Privacy Act of 1974 to assist with conducting inspections or privacy act request. 4.9. Functional Level ISOs, PMs, and IAMs shall: (T-0) 4.9.1. Implement privacy safeguards, complete PIAs and SORNs. Direction will be provided by supporting Privacy Manager (see Chapter 2 & 3 and DoDI 5400.16, DoD Privacy Impact Assessment (PIA) Guidance). 4.9.2. Determine early in the design phase of IT systems what personal information will be collected, used, processed, stored, or disseminated in the electronic systems of records.
AFI33-332 12 JANUARY 2015 4.9.3. Formulate Privacy Act requirements in early stages of IT systems design, development, and data management to plan for and implement Information Assurance (IA) controls to safeguard PII. 4.9.4. Ensure records containing PII are safeguarded or removed as required from all IT systems prior to disposal, replacement, or reuse of IT hardware storage components (hard drives) IAW IA directives. 4.9.5. Review applicable SORN(s) for information systems concurrently with the FISMA annual review to validate whether changes to an existing SORN is required. 4.9.6. Review IT systems registered in the Enterprise Information Technology Data Repository (EITDR) addresses and updates responses to privacy questions. Failure to do so may risk system non-concurrence by the AF Privacy Officer during annual compliance review, certification, decertification, or request for funding.
4.10. Records Professionals shall. (T-0). 4.10.1. Coordinate with privacy monitors/managers to ensure records identified on files plan as a System of Record have an approved SORN. 4.10.2. DELETED.
AFI33-332 12 JANUARY 2015
37 Chapter 5
SOCIAL SECURITY NUMBER (SSN) REDUCTION PLAN 5.1. Overview. The stated intention of the Social Security Reduction Plan is to reduce or eliminate the use of SSN in DoD and AF systems of records, IT systems and forms IAW DoDI 1000.30, Reduction of Social Security Number (SSN) Use Within DoD. The Functional office that owns the record for which SSNs are required to be collected is the Office of Primary Responsibility (OPR) for submitting a SSN Justification memorandum with respect to the collection of SSNs for those records. Records Professional, Privacy Manager, and Forms manager will assist to ensure compliance with the SSN reduction plan requirements. The use of the SSN shall be limited to transactions that specifically require the presentation of the SSN to meet a statutory or regulatory requirement. Most applications that require the SSN for specific transactions do not require its use for every transaction. For example, systems that link to financial institutions may need the SSN for initial interactions, but thereafter use an account number or some other form of identification or authentication. As such there is no need to use the SSN for individuals to authenticate themselves as part of every transaction. DoDI 1000.30, Reduction of Social Security Number (SSN) Use Within DoD, is in effect and establishes the following: 5.1.1. Acceptable Uses. Use of the SSN includes the SSN in any form, including, but not limited to truncated, masked, partially masked, encrypted, or disguised SSN. The acceptable uses of the SSN are those that are provided for by law, require interoperability with organizations beyond the DoD, or are required by operational necessities. Such operational necessities may be the result of the inability to alter systems, processes, or forms due to cost or unacceptable levels of risk. Those systems, processes, or forms that claim “operational necessity” shall be closely scrutinized. Ease of use and unwillingness to change are not acceptable justifications for continuing to collect SSNs. 5.1.2. Documenting Acceptable Uses of SSN and other PII specifically. The authorization for use of PII is governed through DoD 5400.11-R. The method by which SSN use is documented shall be consistent with existing Privacy Program requirements for forms, processes, IT systems, and systems of records, to include any locally created applications. 5.1.3. In addition to the documentation required for the use of PII in the PIA and/or SORN, the use of the SSN in any form as part of any collection, transfer, or retention, including locally created user applications, must be specifically documented and justified. Documentation of the SSN justification shall be retained and available upon request. 5.2. The Specific Requirement for Use of the SSN. 5.2.1. Forms that collect SSN must have a completed AF Form 673 and a justification memorandum stating the justification for use of the SSN that is addressed to and approved by AF Privacy Officer. Submit items to appropriate Forms Manager IAW AFI 33-360, Publications and Forms Management. 5.2.2. A senior official (flag officer or SES equivalent) shall sign the SSN Justification Memorandum stating the justification for use of the SSN. It is unacceptable to collect, retain, use or transfer SSN without an approved justification.
AFI33-332 12 JANUARY 2015 5.2.3. The SSN Justification Memo that approves collection of SSN in an IT System shall be forwarded with the PIA and/or SORN to the AF Privacy Officer. The justification memo will be addressed to Defense Privacy Officer for approval/disapproval. (see Attachment 8). 5.2.4. The DPCLO reviews SSN justifications for IT systems as an adjunct to the biennial PII review process. When justification for SSN use is rejected, the action officer will prepare a plan, to include milestones and a timeline, for the elimination of SSN usage. 5.2.5. Periodic Review of SSN Use and Justification. SSN use and justification memo review is a responsibility under the biennial review process for all forms. IT systems Justification memos shall be reviewed in conjunction with the FISMA Annual review. 5.2.6. Requesting the Social Security Number (SSN). When requesting an individual’s SSN always provide a Privacy Act Statement, Privacy Statement or Privacy Advisory, as applicable.
5.3. Alternative Means of Identifying Records: When law, executive order, or regulation does not require disclosing the SSN or if the SOR was created after January 1, 1975, a SSN may be requested, but the individual is not required to disclose it. If the individual refuses to provide their information, use alternative means of identifying records. Executive Order (E.O.) 9397, Numbering System for Federal Accounts Relating to Individual Persons, November 22, 1943, was amended by E.O. 13478, Amendments to Executive Order 9397 Relating to Federal Agency Use of Social Security Numbers, November 18, 2008, which emphasizes the need to protect PII and deletes the mandatory requirement to collecting SSNs. E.O. 9397 (SSN), as amended (E.O. 13478) shall be referenced when cited in a PAS, Privacy Statement, Privacy Advisory, PIA and SORN whenever a SSN is collected, used, stored, or disseminated for acceptable uses within AF IT systems, on AF Forms, or in other physical media systems of records. IT systems, AF Forms, and AF records OPRs should also consult DoDI 1000.30, Reduction of Social Security Number (SSN) Use Within DoD, DoD enclosure 2, paragraph 2, Acceptable Uses. Contact the OPR’s organizational Privacy Office for assistance. 5.4. Protection of SSN. SSNs are personal and unique to each individual. The SSN in any form, including, but not limited to truncated (last 4 or 5), masked, partially masked, encrypted, or disguised SSN will be Protected as High Impact PII and marked FOR OFFICIAL USE ONLY (FOUO). Within DoD, do not disclose a person’s SSN to another person without an official need to know or consent of the individual. Release of SSNs outside of the DoD are not releasable without the person’s consent or unless authorized under one of the twelve exceptions to the Privacy Act (see paragraph 1.16.4.). 5.5. Reporting Results of Social Security Number Reduction. 5.5.1. New Departmental Forms. The AF Departmental Forms Management Officer shall maintain a database to produce an annual report every July 1st. This report shall be an input into the Privacy Act section of the annual FISMA Report as required by subchapter III, chapter 35 of title 44, United States Code. The annual report shall contain the following elements: 184.108.40.206. Number of forms reviewed. 220.127.116.11. Number of forms requesting SSNs. 18.104.22.168. Number of SSN justifications accepted and rejected. 22.214.171.124. Examples of forms where SSNs were not allowed.
AFI33-332 12 JANUARY 2015
126.96.36.199. Examples of SSN masking or truncation. 188.8.131.52. For new forms issued below the departmental level (HAF/MAJCOM/FOA/DRU, Wing, etc), no database shall be required as set forth in paragraph 4.5.1. 184.108.40.206. Existing Departmental Forms. The AF Departmental Forms Management Officer shall report annually on July 1st the results of the AF Forms reviews and submit a report to the AF Privacy Officer. This report shall include the following elements: (T1) 220.127.116.11.1. Total number of forms in the database. 18.104.22.168.2. Number of forms reviewed. 22.214.171.124.3. Number of forms containing SSNs. 126.96.36.199.4. Number of forms where justifications were questioned. 188.8.131.52.5. Number of SSN justifications accepted and rejected. 184.108.40.206.6. Examples of forms where SSNs were not allowed. 220.127.116.11.7. Examples of SSN masking or truncation. 18.104.22.168. For existing forms issued yellow departmental level (HAF/MAJCOM/FOA/DRU, Wing, etc.), no reports are required at command and or base levels, with the exception of sharing best practices of specific examples where SSNs were eliminated or better masked, or for metrics collection at the AF level.
AFI33-332 12 JANUARY 2015 Chapter 6 PROTECTING RECORDS
6.1. Protecting Records. Protecting privacy information is the responsibility of every federal employee, military member, and contractor who handles SOR or PII contained in AF records. 6.2. Protecting Personal information or PII Maintained in an Electronic System. It is AF policy that personal information or PII collected, maintained, and stored in an electronic system shall be evaluated by the ISO for impact of loss or unauthorized disclosure and protected accordingly. Ensure coordination is accomplished between IT system PMs, IAMs and Privacy Manager. (IAW AFI 33-200, Information Assurance (IA) Management and DoDI 5400.16, DoD Privacy Impact Assessment (PIA) Guidance). 6.2.1. Assigning PII High, Moderate or Low Impact Security Category (SC). All electronic systems of records shall be assigned a High or Moderate PII impact security category according to the definitions established in this Instruction. 6.2.2. Protect PII of High or Moderate impact security category at a Confidentiality Level of Sensitive or higher as established in DoDI 8500.01, Cybersecurity, unless specifically cleared for public release (e.g., the name and contact information for selected senior officials or personnel whose duties require regular contact with the public). 22.214.171.124. As early as possible in the life cycle of IT-dependent programs, information owners shall establish the mission assurance category, security classification, sensitivity, and need-to-know of the information. 126.96.36.199. Information system owners shall establish the permissible uses of information and associated mission or business rules of use, and ensure that the distinction is clear to all personnel between information that is operationally sensitive and information that can be made available to the public. 188.8.131.52. Mission assurance category establish the requirements for availability and integrity, and security classification, sensitivity, and need-to-know establish confidentiality requirements. 184.108.40.206. Enclosure 4 of DoDI 8500.01, Cybersecurity, provides detailed lists of the IA Controls necessary to achieve the baseline levels of availability, integrity, and confidentiality for mission assurance category and classification. Any Mission Assurance Category is acceptable for DoD and AF information systems processing PII. 220.127.116.11. Electronic PII records that are assigned a Moderate or High Impact Category shall be protected as follows: 18.104.22.168.1. Such records shall not be routinely processed or stored on portable computing devices or removable electronic media without written approval of the Information Assurance Manager (IAM). (Note: IAM approval is not required in order to remove such records contained on a government laptop computer that is removed from the primary workspace in order to telecommute or travel TDY.)
AFI33-332 12 JANUARY 2015
22.214.171.124.2. Except for compelling operational needs, any portable computing device or removable electronic media that processes or stores High Impact PII electronic records (e.g., containing SSN) shall be restricted to workplaces that minimally satisfy Physical and Environmental Controls for Confidentiality Level Sensitive as established in DoDI 8500.01, Cybersecurity, (hereinafter referred to as "protected workplaces"). (Note: Removal of government laptop computers from primary purposes for telecommuting and TDYs is considered a compelling operational need.) 6.2.3. Electronic Storage Media. Any electronic devices which contain personal information which is removed from its’ protected workplaces, including those approved for routine processing, shall: 126.96.36.199. Use an AFVA 33-276, Air Force Privacy Act Label, to assist in identifying information which may be protected under the Privacy Act by placing the label on the covers of removable electronic storage media. (Note: Creation of a Privacy Act label is authorized when approved by functional managers.) AF Form 3227 Privacy Act Cover Sheet or DD Form 2923 Privacy Act Cover Sheet shall be used whenever documents containing personal information are removed from the approved storage area. 188.8.131.52. Require certificate based authentication using a DoD or DoD-approved Public Key Infrastructure (PKI) certificate on approved hardware token to access devices. 184.108.40.206. Implement IA Control PESL-1 (screen lock), with a specified period of inactivity not to exceed 30 minutes (15 minutes or less recommended). 220.127.116.11. PII Data at Rest on Portable Devices. Encrypt all data at rest, i.e., data that is contained on hard drives or other storage media within portable devices as well as all removable media created by or written from the device while outside a protected workplace. If a portable device is incapable of encryption, it cannot be used to store PII. Minimally, the cryptography shall be NIST-certified (i.e., FIPS 140-2 http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf). (see DoDI 8500.01, Cybersecurity, ECCR-1 (Encryption for Confidentiality (Data at Rest)) 18.104.22.168. Follow direction for transmitting PII or other sensitive information via e-mail IAW paragraph 2.5.6. of this Instruction. (see also DoDI 8500.01, Cybersecurity, ECCT-1 (Encryption for Confidentiality (Data at Transmit)). 6.2.4. PII and Remote Access. Only DoD authorized devices shall be used for remote access. Any remote access, whether for user or privileged system administrator functions, must conform to IA Control EBRU-1 (Remote Access for User Functions), EBRP-1 (Remote Access for Privileged Functions), and ECCT-1 (Enclave and Computing Environment) as established in DoDI 8500.01, Cybersecurity and DoD Memorandum, Department of Defense Guidance on Protecting Personally Identifiable Information (PII): 22.214.171.124. Shall employ certificate based authentication using a DoD or DoD-approved PKI certificate on an approved hardware token.(T-0) 126.96.36.199. The remote device gaining access shall conform to IA Control Physical and Environmental (PESL- 1 screen lock), with a specified period of inactivity not to exceed 30 minutes (15 minutes or less recommended). (see DoDI 8500.01, Cybersecurity). (T-0)
AFI33-332 12 JANUARY 2015 188.8.131.52. The remote device gaining access shall conform to IA Control Enclave and Computing Environment (ECRC-1, Resource Control). (see DoDI 8500.01, Cybersecurity) 184.108.40.206. Download and local/remote storage of records containing PII is prohibited unless expressly approved by the ISO.
6.3. Risk Based Management. Apply a risk based management approach. Evaluate the effectiveness of additional protections against sensitivity, probability of exposure, risk and cost. 6.3.1. Consider the sensitivity category (Low, Moderate, or High) of the PII and the probability of exposure, risk of disclosure, loss or alteration, when providing physical security measures. (see Attachment 6.) 6.3.2. Information marked For Official Use Only (FOUO) or Controlled Unclassified Information (CUI) must be protected from unauthorized disclosure. Reasonable steps shall be taken both during and after working hours to minimize risk of access by unauthorized personnel. Guidance on marking and physical security requirements for CUI and FOUO are addressed in AFI 31-401, Information Security Program Management and DoDM 5200.01, Volume 4, DoD Information Security Program: Controlled Unclassified Information (CUI)). 6.4. Disposing of Records. Consult a Records Professional before disposing of any records. You may use the following methods to dispose of records protected by the Privacy Act for authorized destruction according to RDS maintained in the AF Records Information Management System (AFRIMS). 6.4.1. Destroy by any reasonable method that prevents loss, theft or compromise during and after destruction such as pulping, macerating, tearing, burning, shredding or otherwise completely destroying the media so that PII is both not readable and is beyond reconstruction. Refer to NIST SP800-88, http://csrc.nist.gov/publications/PubsSPs.html 6.4.2. Degauss or overwrite magnetic media according to established guidelines. DoDM5200.01, Volume 4, Department of Defense Information Security Program: ControlledictectUnclassified Information (CUI), and AFI 31-401, Information Security Program Management also governs destruction of FOUO and CUI. 6.4.3. Recycling of material protected under the Privacy Act. 220.127.116.11. When safeguarding information protected under the Privacy Act that can be assured; disposal of such products may be accomplished through the Defense Reutilization and Marketing Office (DRMO) or through contracted recycling providers that manage a base-wide recycling program. 18.104.22.168. Originators of material containing PII must safeguard it until it is transferred to the recycling provider. This transfer does not require a disclosure accounting. (Note: Information protected under the Privacy Act shall not be placed in unattended recycle or trash bins.)
AFI33-332 12 JANUARY 2015
43 Chapter 7 CIVIL LIBERTIES
7.1. Overview. Civil liberties are fundamental rights and freedoms protected by the Constitution of the United States. These freedoms, which include the right to privacy, are concentrated primarily in the Bill of Rights. Individuals who feel any of the following provided examples (the list is not exhaustive) has been violated shall seek direction through their servicing Inspector General (IG) office; (see AFI 90-301, Inspector General Complaints Resolution). 7.1.1. First Amendment: Freedom of Religion; Freedom of Speech or of the Press; Right to Peaceably Assemble and to Petition the Government for a redress of grievances. 7.1.2. Second Amendment: Right to Keep and Bear Arms. 7.1.3. Fourth Amendment: Right Against Unreasonable Searches and Seizures. 7.1.4. Fifth Amendment: Prohibition Against Deprivation of Life, Liberties, or Property, without due process of law. 7.1.5. Fourteenth Amendment: Due Process and equal protection of the laws. 7.1.6. Fifteenth, Nineteenth and Twenty Sixth Amendments: Right to Vote. 7.2. Basic Guidelines. DODI 1000.29, DoD Civil Liberties program requires at least one senior official designated to advise the Secretary of Air Force (SECAF) on Civil Liberties matters and to meet the following statutory requirements: 7.2.1. Assist the SECAF in appropriately considering Civil Liberties concerns when the AF is proposing, developing, or implementing laws, regulations, policies, procedures, or guidelines related to efforts to protect the Nation against terrorism; 7.2.2. Periodically investigate and review AF actions, policies, procedures, guidelines and related laws and their implementation to ensure that the AF is adequately considering Civil Liberties in its actions; 7.2.3. Ensure that the AF has adequate procedures to receive, investigate, respond to, and provide redress for complaints from individuals who allege that the AF has violated their Civil Liberties; 7.2.4. In providing advice on proposals to retain or enhance a particular governmental power, the DoD Civil Liberties Officer shall consider whether the AF has established the following; 22.214.171.124. Whether the need for the power is balanced with the need to protect Civil Liberties; 126.96.36.199. Whether the AF provides adequate supervision to ensure that Civil Liberties are protected during the execution of the governmental power, and 188.8.131.52. Whether there are adequate guidelines and oversight to properly confine its use. 7.3. Civil Liberties Responsibilities. 7.3.1. The Component Senior Official for Privacy is designated as the AF Civil Liberties Officer. The AF Civil Liberties Officer shall: (T0)
AFI33-332 12 JANUARY 2015 184.108.40.206. Oversee the AF Civil Liberties program with execution by the AF Civil Liberties point of contact (POC). 220.127.116.11. Review and approve AF Civil Liberties reports prior to submission to DPCLO. 7.3.2. The AF Privacy Officer is designated as the AF Civil Liberties POC. The AF Privacy Officer shall: 18.104.22.168. Serve as the AF member on the Defense Civil Liberties board. 22.214.171.124. Provide policy and direction for the AF Civil Liberties program. 126.96.36.199. Review AF publications and policies to support the proper protection of Civil Liberties. 188.8.131.52. Compile and submit the AF Semi-Annual Civil Liberties report to the Defense Privacy and Civil Liberties Office. 184.108.40.206. Provide Secretary of the Air Force (SAF)/General Counsel (GC) and JA with copies of the AF Semi-annual Civil Liberties report for situational awareness. 220.127.116.11. Maintain the AF Civil Liberties website to ensure POCs, training materials, and Civil Liberties directions are current. 18.104.22.168. Provide training and training materials to HAF, MAJCOM, DRU, FOA and base Civil Liberties points of contact. Create and maintain the Annual Civil Liberties ADLS training. 7.3.3. SAF/IG and AF/A1 shall: (T-0) 22.214.171.124. Coordinate with SAF/GC on any Civil Liberty matters, reviews, or investigations, that involve the following: represent a significant litigation risk; impact major AF programs; materially impact the rights or benefits of an AF organization; affect ownership or use of AF property; attract Congressional interest; attract widespread media interest; raise a matter of first impression for the legal community; or otherwise affect the legal basis for an AF program or activity. 126.96.36.199. Identify and report Civil Liberties complaint allegations received and processed by IG or EEO/ MEO offices on a semi-annual basis. 188.8.131.52. Submit complaint(s) with Civil Liberties implications to the AF Civil Liberties POC using the semi-annual report template. (see Attachment 12). Reports are forwarded directly by unencrypted e-mail without identifying PII to the AF Privacy and Civil Liberties workflow e-mail at [email protected]
184.108.40.206. Provide Civil Liberties reporting requirements to the MAJCOMS, DRU, and FOA IG offices. 7.3.4. AF/JAA shall: (T-0) 220.127.116.11. Provide legal advice on Civil Liberties matters to the AF Civil Liberties Officer and Civil Liberties POC. 18.104.22.168. Review Civil Liberties Semi-Annual Reports for legal sufficiency. 22.214.171.124. Provide Civil Liberties reporting requirements to HAF/MAJCOM/FOA/DRU EO offices.
AFI33-332 12 JANUARY 2015
7.3.5. SAF/GC shall provide coordination on any civil liberty matters, reviews, or investigations, or legal opinions that represent a significant litigation risk, impact major AF programs, materially impact the rights or benefits of an AF organization, effect ownership or use of AF property, engender Congressional interest, attract widespread media interest, raise a matter of first impression for the legal community, or otherwise affect the legal basis for an AF program or activity. 7.3.6. MAJCOM, DRU, FOA and base legal offices shall: (T-0) 126.96.36.199. On a semi-annual basis, identify and report Civil Liberties complaint allegations addressed in Commander Directed Investigation (CDI) reports and Article 138 complaints that have been reviewed for legal sufficiency. 188.8.131.52. Submit civil Liberties complaints contained in CDIs and Article 138 complaints to the Civil Liberties POC, through AF/JAA, using the semi-annual reporting template. (see Attachment 12). Reports are forwarded by unencrypted e-mail without identifying PII. 184.108.40.206. Provide advice to the Civil Liberties POCs. 7.3.7. MAJCOM/A6s and Wing Commanders shall: (T-1) 220.127.116.11. Implement the AF Civil Liberties Program for personnel under their command/supervision. 18.104.22.168. Appoint a Privacy Manager to be the Civil Liberties POC for their organization, with commensurate duties and responsibilities. 7.3.8. The Civil Liberties POCs shall: (T-0) 22.214.171.124. Administer direction and procedures prescribed in this Instruction. 126.96.36.199. Ensure training is available for their organizations. 188.8.131.52. As needed, provide updates regarding the Civil Liberties POCs’ names, office symbols, voice number, and unclassified e-mail addresses to the AF Civil Liberties POC. 184.108.40.206. Promote Civil Liberties awareness throughout their organizations. 220.127.116.11. Direct complaints that may have Civil Liberties implications to the appropriate investigative office, such as the IG, EO, or the appropriate commanding officer for commander directed investigations. 7.4. Civil Liberties Semi-Annual Report. 7.4.1. The AF Civil Liberties Officer will submit a semi-annual report to DPCLO IAW DoDI1000.29, DoD Civil Liberties Program. (see attachment 12). Semi-annual reports are on a fiscal year schedule and are due on the 15th of January, April, July and October to the DoD Civil Liberties office. 7.4.2. AF/A1, SAF/IG, and AF/JAA will submit Civil Liberties reports to SAF/A6X on the 8th of the month following the end of the quarter in order to meet the DoD suspense date. Civil Liberties reports will not report Civil Liberties complaints in the following circumstances: during the Uniform Code of Military Justice process (Courts-Martial/Non-Judicial Punishment); administrative discharge process, or situations whereby an Inspector General reprisal and restriction complaint may be duplicated. (T-0)
AFI33-332 12 JANUARY 2015
7.5. Reprisal For Making Complaint: No AF member, employee, or contractor shall take any action constituting a reprisal, or threat of reprisal, in response to a Civil Liberties complaint or a disclosure of information to a Privacy or Civil Liberties Officer; provided, however, that disciplinary action may be taken if the Civil Liberties compliant or disclosure of information was made with the knowledge that such complaint or disclosure was false, or made with a willful disregard for its truth or falsity. 7.6. Civil Liberties Training Tools. 7.6.1. The AF Civil Liberties web page includes an overview, and will include Civil Liberties training slides and links to other DoD training on Civil Liberties. “Resources” and “Training.” http://www.privacy.af.mil/civilliberties/index.asp. 7.6.2. “The Asylum Seekers Overview.” This online training provided by the Department of Homeland Security (DHS) provides law enforcement personnel with essential information related to asylum seekers. The course serves as a resource to support the DHS’s commitment to securing America while providing established protections for asylum seekers. http://www.dhs.gov/xlibrary/assets/training/xus/crcl/asylumseekers/index.htm. 7.6.3. The Common Muslim American Head Coverings and Common Sikh American Head Coverings Posters. These posters provide direction to DoD personnel on the appropriate ways in which to screen and, if necessary, search Muslim or Sikh individuals wearing various types of religious head coverings. 7.6.4. “The First Three to Five Seconds.” This training introduces law enforcement officers to basic principles of the Arab American and Muslim American cultures. http://www.dhs.gov/xlibrary/assets/training/xus/crcl/three-fiveseconds/index.html.
WILLIAM J. BENDER, Lt Gen, USAF Chief, Information Dominance and Chief Information Officer
AFI33-332 12 JANUARY 2015
47 Attachment 1
GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION References Title 5 United States Code, Section 552a, as amended, The Privacy Act of 1974 Title 5 United States Code Section 552b, as amended, The Freedom of Information Act of 1966 Executive Order 9397, Numbering System for Federal Accounts Relating to Individual Persons, 30 November 1943 Executive Order 13478, Amendments to Executive Order 9397 Relating to Federal Agency Use of Social Security Numbers, 18 November 2008 Public Law 100-235, The Computer Security Act of 1987, 8 January 1988 Public Law 107-347, Section 208, E-Government Act of 2002, Federal Information Security Management Act (FISMA), 17 December 2002 Public Law 110-53, Section 803, Privacy and Civil Liberties Officers, Implementing Recommendations of the 9/11 Commission Act of 2007, 3 August 2007 DoDD 5400.11, DoD Privacy Program, 8 May 2007, Incorporating Change 1, 1 September 2011 DoDD 5100.3, Support of the Headquarters of Combatant and Subordinate Unified Commands, 9 February 2011 DoDI 1000.29, DoD Civil Liberties Program, 17 May 2012 DoDI 1000.30, Reduction of Social Security Number (SSN) Use Within DoD, 1 August 2012 DoDI 5400.16, DoD Privacy Impact Assessment (PIA) Guidance, 12 February 2009 DoDI 8500.01, Cybersecurity, 7 March 2014 DoD 5200.01-M, Volume 4, DoD Information Security Program: Controlled Unclassified Information (CUI), 24 February 2012 DoD 5400.7-R_AFMAN 33-302, Freedom of Information Act Program, 21 October 2010 DoD 5400.11-R, Department of Defense Privacy Program, 14 May 2007 DoD 6025.18-R, DoD Health Information Privacy Regulation, 24 January 2003 AFPD 33-3, Information Management, 8 September 2011 AFI 31-401, Information Security Program Management, 1 November 2005 AFI 33-200, Information Assurance (IA) Management, 23 December 2008 AFI 33-320, Federal Register, 15 May 2002 AFI 33-322, Records Management Program, 4 June 2012 AFI 33-324, The Air Force Information Collections And Reports Management Program, 6 March 2013
AFI33-332 12 JANUARY 2015
AFI 33-360, Publications and Forms Management, 25 September 2013 AFI 41-210, TRICARE Operations and Patient Administration Functions, 6 June 2012 AFI 90-301, Inspector General Complaints Resolution, 23 August 2011 AFMAN 33-363, Management of Records, 1 March 2008 Air Force Records Information Management System (AFRIMS) AFVA 33-276, Privacy Act Label, 1 August 2000 Federal Information Processing Standard (FIPS) 140-2, Security Requirements For Cryptographic Modules, 25 May 2001 Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004 Federal Acquisition Regulation (FAR), current edition Prescribed Forms AF Form 3227, Privacy Act Cover Sheet Adopted Forms DD Form 2923, Privacy Act Data Cover Sheet DD Form 2930, Privacy Impact Assessment (PIA) DD Form 2959, Breach of Personally Identifiable Information (PII) Report AF Form 771, Accounting of Disclosures AF Form 847, Recommendation for Change of Publication Abbreviations and Acronyms AFCERT—Air Force Computer Emergency Response Team AF CIO—Air Force Chief Information Officer AFBCMR—Air Force Board for Correction of Military Records AFI—Air Force Instruction AFLOA—Air Force Legal Operations Agency AFMAN—Air Force Manual AFMS—Air Force Medical Service AFPD—Air Force Policy Directive AFRIMS—Air Force Records Information Management System ATO—Authorization to Operate CIO—Chief Information Officer CDI—Commander Directed Investigation
AFI33-332 12 JANUARY 2015 CFR—Code of Federal Regulations CSOP—Component Senior Official for privacy CUI—Controlled Unclassified Information DCS—Deputy Chief of Staff DHP—Defense Health Program DHS—Department of Homeland Security DITPR—DoD Information Technology Portfolio Repository DoD—Department of Defense DPCLO—Defense Privacy and Civil Liberties office DRMO—Defense Reutilization and Marketing office DRU—Direct Reporting Unit EITDR—Enterprise Information Technology Data Repository EO—Equal Opportunity FIPS—Federal Information Processing Standard FISMA—Federal Information Security Management Act FOA—Field Operating Agency FOIA—Freedom of Information Act FOUO—For Official Use Only FRN—Federal Register Notice GOCO—Government-Owned Contractor-Operated GSA—General Services Administration HAF—Headquarters Air Force IA—Information Assurance ISSM—Information System Security Manager IATO—Interim Authorization to Operate IG—Inspector General ISO—Information System Owner IT—Information Technology MAJCOM—Major Command NIST—National Institute of Standards and Technology NSS—National Security System OMB—Office of Management and Budget
AFI33-332 12 JANUARY 2015
OPR—Office of Primary Responsibility OPREP—Operational Report PA—Stands for Public Affairs or Privacy Act, depending on context used. PAS—Privacy Act Statement PIA—Privacy Impact Assessment PII—Personally Identifiable Information PKI—Public Key Infrastructure PL—Public Law PM—Program Manager SAF—Secretary of the Air Force SISO—Senior Information Security Officer SJA—Staff Judge Advocate SOR—System of Records SORN—System of Records Notice SSN—Social Security Number US—United States USC—United States Code USCERT—United States Computer Emergency Response Team WHS—Washington Headquarters Services WWW—World Wide Web Terms Access—Allowing individuals to review or receive copies of government records that contain personally identifiable information about them. Amendment—The process of adding, deleting, or changing information in a SOR to make the data accurate, relevant, timely, or complete. Alteration—A significant increase or change in the number or type of individuals about whom records are maintained. Increases in numbers of individuals due to normal growth are not considered alterations unless they truly alter the character and purpose of the system. Increases that change significantly the scope of population covered (for example, expansion of a SOR covering a single command’s enlisted personnel to include all of the Component’s enlisted personnel would be considered an alteration). A reduction in the number of individuals covered is not an alteration, but only an amendment. Changes that add new categories of individuals to system coverage require a change to the “Categories of individuals covered by the system” caption of the notice and may require changes to the “Purpose(s)” caption. Biometric—Physiological and/or behavioral characteristics that are measurable and can be used to verify the identity of an individual.
AFI33-332 12 JANUARY 2015
Breach—A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to PII, whether physical or electronic. Civil Liberties—Fundamental rights and freedoms protected by the Constitution of the United States. Computer Matching—A computerized comparison of two or more automated systems of records or a SOR with non-Federal records to establish or verify eligibility for payments under Federal benefit programs or to recover delinquent debts for these programs. Confidentiality—An expressed and recorded promise to withhold the identity of a source or the information provided by a source. Controlled Unclassified Information (CUI)—Types of information that require application of controls and protective measures for a variety of reasons. This information is also known as "unclassified controlled information." Cookie—Data created by a Web server that is stored on a user's computer either temporarily for that session only or permanently on the hard disk (persistent cookie). It provides a way for the Website to identify users and keep track of their preferences. It is commonly used to "maintain the state" of the session. A third-party cookie either originates on or is sent to a Web site different from the one you are currently viewing. Defense Data Integrity Board—Composed of representatives from DoD components and services who oversee, coordinate, and approves DoD computer matching programs covered by the Act. Denial Authority—The individuals with authority to deny requests for access or amendment of records under the Privacy Act. Disclosure—The transfer of any personally identifiable information from a SOR by any means of communication (such as oral, written, electronic, mechanical, or actual review) to any person, private entity, or Government Agency, other than the subject of the record, the subject’s designated agent, or the subject’s legal guardian. Federal Agency—A department, independent agency, commission, or establishment of the Executive Branch. For Official Use Only (FOUO)—Is a designation that is applied to unclassified information that may be exempt from mandatory release to the public under the Freedom of Information Act (FOIA). Federal Benefit Program—A federally funded or administered program for individuals that provides cash or in-kind assistance (payments, grants, loans, or loan guarantees). Federal Personnel—Officers and employees of the Government of the United States, members of the uniformed services (including members of the Reserve Components), and individuals entitled to receive immediate or deferred retirement benefits under any retirement program of the United States (including survivor benefits).
AFI33-332 12 JANUARY 2015
First Party Requester—A subject or designated representative asking for access to his/her SOR. The identity of the subject requester must be verified. A notarized signature or a sworn declaration under penalty from the record subject is one method to determine identification. Individual—Under the Privacy Act, a citizen of the United States or an alien lawfully admitted for permanent residence. Member of the Public—An individual or party acting in their private life capacity which may include Federal employees or military personnel. Minor—Under the established age an adult according to local state law. The legal age of majority may be different in overseas locations. If there is no applicable state law, a minor is anyone under the age of 18 years. Military members and married persons are not minors, no matter what their chronological age. Need—to-Know Need-to-know is the authorized, official need based on assigned duties and responsibilities, to access information that is protected under the Privacy Act. There are three cases when a need-to-know may be established: Official business; Statutory; and Information sharing. PII—Personally Identifiable Information; see Personal Identifier and Personal Information. Personal Identifier—A name, number, or symbol that is unique to an individual in which can be used to trace an individual’s identity, usually the person's name or SSN. Personal Information—Information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., SSN; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (PII) (i.e., information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date of birth, place of birth, mother’s maiden name, or biometric records, including any other PII which is linked or linkable to a specified individual). Privacy Statement—Whenever an individual is requested to provide personally identifiable information that will not be maintained in a SOR, the individual shall be provided the authority, purpose, routine use(s), whether disclosure of the information is voluntary or not. Privacy Act Request—A request from an individual for notification as to the existence of, access to, or amendment to records pertaining to them. These records must be maintained in a SOR. Privacy Act Statement—A statement required when soliciting personally identifiable information that is maintained in a SOR (known as Personal Information). The Privacy Act Statement informs the individual why the information is being solicited and how it will be used. Privacy Act System Notice—See System of Records Notice (SORN). Privacy Act System of Records—See SOR Privacy Act Complaint—An allegation that the Agency did not comply with specific provisions of the Privacy Act, 5 USC section 552a, with respect to the maintenance, amendment, or dissemination of SOR. Privacy Act Violations—a. When an individual or agency who knowingly and/or willingly makes a determination under the Privacy Act of 1974 paragraph (d)(3) not to amend an individual's records in accordance with his/her request, or fails to make such review in conformity with that
AFI33-332 12 JANUARY 2015
subsection; refuses to comply with an individual request under (d)(1); fails to maintain any records concerning: any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness in any determination to the qualifications, character, rights, or opportunities of, or benefits to the individual that may be made on the basis of such record, and consequently a 3 determination is made which is adverse to the individual; or fails to comply with any other provision or rule promulgated there under, in such a way as to have an adverse effect on an individual, the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection. b. When an individual or agency who knowingly and/or willingly maintains a SOR without a relevant and necessary need to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President; fails to inform each individual whom it asks to supply information, on a form which it uses to collect the information or on a separate form that can be retained by the individual: the authority (whether granted by statute, or by executive order of the President) which authorizes the solicitation of the information and whether the disclosure of such information is mandatory or voluntary; the principal purpose or purposes for which the information is intended to be used; the routine uses which may be made of the information, as published pursuant to paragraph (4)(D) of the Privacy Act; the effects on him/her, if any, of not providing all or any part of the requested information. Privacy Advisory—A statement required when soliciting individual’s Social Security Number for the authentication purpose only and will not be maintained in a System of Record. The Privacy Advisory informs the individual why the information is being solicited and how it will be used. Privacy Advisory—A statement required when soliciting individual’s Social Security Number for the authentication purpose only and will not be maintained in a System of Record. The Privacy Advisory informs the individual why the information is being solicited and how it will be used. Privacy Impact Assessment—A written assessment of an information system that addresses the information to be collected, the purpose and intended use; with whom the information will be shared; notice or opportunities for consent to individuals; how the information will be secured; and whether a new SOR is being created under the Privacy Act. Program Manager (PM)—The individual specifically designated to be responsible for the life cycle management of a system or end item. The PM is vested with full authority, responsibility, and resources to execute and support an approved AF program. The PM is accountable for credible cost, schedule, and performance reporting to the Milestone Decision Authority (DoD 5000.01). Throughout this document the term “Program Manager” is used for consistency with DoD policy and documentation. Public or Person—(as defined in 5 CFR 1320) Members of the public, or the term “person,” include individuals, partnerships, associations, corporations (including government-owned contractor-operated [GOCO] facilities), business trusts, legal representatives, organized group of individuals, state, territory, or local government. Routine Use—A disclosure of records to individuals or agencies outside DoD for a use that is compatible with the purpose for which the AF created the records.
AFI33-332 12 JANUARY 2015
Sensitive Information—Public Law 100-235, The Computer Security Act of 1987 established requirements for protection of certain information in U.S. Government automated information systems (AIS). This information is referred to as "sensitive" information, defined in the Act as: "Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.” System Manager—The official who is responsible for managing a SOR including direction and procedures to operate and safeguard it. Local system managers operate record systems or are responsible for part of a decentralized system whether paper or electronic. System Notice—See System of Records Notice (SORN). System of Records—A group of records under the control of a DoD Component from which an individual’s record is retrieved by the name or personal identifier. System of Records Owner—An individual who maintains a record protected under the Privacy Act. System of Records Notice (SORN) /or/ Privacy Act System Notice—The official public notice published in the Federal Register of the existence, content, and Points of Contact for the SOR containing Privacy Act data. Third Party Requester—A request from any person for access to another individual’s Privacy Act record without that individual’s written consent.
AFI33-332 12 JANUARY 2015
55 Attachment 2
PREPARING A SYSTEM OF RECORDS NOTICE (SORN) A2.1. Publishing. The following elements comprise a SORN for publication in the Federal Register: (For examples see Privacy website Helpful Resources, http://www.privacy.af.mil/helpfulresources/index.asp). A2.2. System Identifier. AF Privacy Office, SAF/A6XA assigns the notice number, for example, F033 AF PC A, where “F” indicates “Air Force,” the next number represents the publication series number related to the subject matter, and the final letter group shows the system manager’s command or Deputy Chief of Staff (DCS). The last character “A” indicates that this is the first notice for this series and system manager. A2.3. System Name. Use a short, specific, plain-language title that identifies the system’s general purpose (limited to 55 characters). A2.4. System Location. Specify the address of the primary system and any decentralized elements, including automated data systems with a central computer facility and input or output terminals at separate locations. Use street address, 2-letter state abbreviations and 9-digit ZIP Codes. Spell out office names. Do not use office symbols. A2.5. Categories of Individuals Covered by the System. Use nontechnical, specific categories of individuals about whom the AF keeps records. Do not use categories like “all AF personnel” unless they are actually true. A2.6. Categories of Records in the System. Describe in clear, plain language, all categories of records in the system. List only documents actually kept in the system. Do not show source documents that are used to collect data and then destroyed. Do not list form numbers. A2.7. Authority for Maintenance of the System. Cite the specific law or executive order that authorizes the program the record supports. Note: EO 9397 (SSN), as amended, authorizes, but does require the use of the SSN as a personal identifier. It has been amended by EO 13478. Include both executive orders as authority whenever the SSN is collected and/or used to retrieve records. A2.8. Purpose. Describe briefly and specifically what the AF does with the information collected. A2.9. Routine Uses of Records Maintained in the System Including Categories of Users and the Purpose of Such Uses. List each specific agency or activity outside DoD to whom the records may be released and the purpose for such release. The DoD ‘Blanket Routine Uses’ published in the AF Directory of System Notices apply to all system notices. A2.10. Direction for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System: A2.10.1. Storage. State the medium in which the AF keeps the records; for example, in file folders, card files, microfiche, computer, or a combination of those methods. Storage does not refer to the storage container. A2.10.2. Retrievability. State how the AF retrieves the records; for example, by name, SSN, or personal characteristics (such as fingerprints or voiceprints).
AFI33-332 12 JANUARY 2015 A2.10.3. Safeguards. List the kinds of officials who have immediate access to the system. List those responsible for safeguarding the records. Identify the system safeguards; for example, storage in safes, vaults, locked cabinets or rooms, use of guards, visitor controls, personnel screening, computer systems software, and so on. Describe safeguards fully without compromising system security. A2.10.4. Retention and Disposal. State how long the activity must maintain the record IAW its approved Records Disposition. Indicate if or when the records may be transferred to a Federal Records Center and how long the record stays there. Specify when the Records Center transfers legal ownership of (accession) the record to the National Archives or when the Records center destroys the record. Indicate how the records may be destroyed. Consult with your Records Professional on finding an appropriate disposition in the AF Records Disposition Schedule in AFRIMS.
A2.11. System Manager and Address. List the position title and duty address of the system manager. For decentralized systems, show the locations and the position or duty title of each category of officials responsible for any segment of the system. A2.12. Notification Procedure. List the title and duty address of the official authorized to tell requesters if their records are in the system. Specify the information a requester must submit; for example, full name, military status, SSN, date of birth, or proof of identity, and so on. A2.13. Record Access Procedures. Explain how individuals may arrange to access their records. Include the titles or categories of officials who may assist; for example, the system manager. A2.14. Contesting Records Procedures. SAF/A6XA provides this standard caption. A2.15. Record Source Categories. Show categories of individuals or other information sources for the system. A2.16. Exemptions Claimed for the System. When a system has no approved exemption, write “None” under this heading. Specifically list any approved exemption including the subsection in the Act.
AFI33-332 12 JANUARY 2015
57 Attachment 3
DOD BLANKET ROUTINE USE The DoD ‘BLANKET ROUTINE USES’ are at http://dpclo.defense.gov/Privacy/SORNsIndex/BlanketRoutineUses.aspx. A3.1. DoD Blanket Routine Uses. Certain DoD ‘blanket routine uses’ have been established that are applicable to every record system maintained by the Department of the Air Force, unless specifically stated otherwise within the particular record system notice. These additional routine uses of the records are published only once in the Air Force’s Preamble to its compilation of records systems in the interest of simplicity, economy and to avoid redundancy. Updates and current versions of the DoD Blanket Routine uses are maintained on the DPCLO website. A3.2. Law Enforcement Routine Use. If a system of records maintained by a DoD Component to carry out its functions indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the agency concerned, whether federal, state, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto. A3.3. Disclosure when Requesting Information Routine Use. A record from a system of records maintained by a Component may be disclosed as a routine use to a federal, state, or local agency maintaining civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary to obtain information relevant to a Component decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit. A3.4. Disclosure of Requested Information Routine Use. A record from a system of records maintained by a Component may be disclosed to a federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter. A3.5. Congressional Inquiries Routine Use. Disclosure from a system of records maintained by a Component may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual. A3.6. Private Relief Legislation Routine Use. Relevant information contained in systems of records of the Department of Defense published on or before August 22, 1975, will be disclosed to the Office of Management and Budget in connection with the review of private relief legislation as set forth in Office of Management and Budget Circular A-19 at any stage of the legislative coordination and clearance process as set forth in that Circular. A3.7. Disclosures Required by International Agreements Routine Use. A record from a system of records maintained by a Component may be disclosed to foreign law enforcement, security, investigatory, or administrative authorities to comply with requirements imposed by, or to claim rights conferred in, international agreements and arrangements including those regulating the stationing and status in foreign countries of DOD military and civilian personnel.
AFI33-332 12 JANUARY 2015
A3.8. Disclosure to State and Local Taxing Authorities Routine Use. Any information normally contained in Internal Revenue Service (IRS) Form W-2 which is maintained in a record from a system of records maintained by a Component may be disclosed to state and local taxing authorities with which the Secretary of the Treasury has entered into agreements under 5 U.S.C., sections 5516, 5517, and 5520 and only to those state and local taxing authorities for which an employee or military member is or was subject to tax regardless of whether tax is or was withheld. This routine use is in accordance with Treasury Fiscal Requirements Manual Bulletin No. 76-07. A3.9. Disclosure to the Office of Personnel Management Routine Use. A record from a system of records subject to the Privacy Act and maintained by a Component may be disclosed to the Office of Personnel Management (OPM) concerning information on pay and leave, benefits, retirement deduction, and any other information necessary for the OPM to carry out its legally authorized government-wide personnel management functions and studies. A3.10. Disclosure to the Department of Justice for Litigation Routine Use. A record from a system of records maintained by this component may be disclosed as a routine use to any component of the Department of Justice for the purpose of representing the Department of Defense, or any officer, employee or member of the Department in pending or potential litigation to which the record is pertinent. A3.11. Disclosure to Military Banking Facilities Overseas Routine Use. Information as to current military addresses and assignments may be provided to military banking facilities who provide banking services overseas and who are reimbursed by the Government for certain checking and loan losses. For personnel separated, discharged, or retired from the Armed Forces, information as to last known residential or home of record address may be provided to the military banking facility upon certification by a banking facility officer that the facility has a returned or dishonored check negotiated by the individual or the individual has defaulted on a loan and that if restitution is not made by the individual, the U.S. Government will be liable for the losses the facility may incur. A3.12. Disclosure of Information to the General Services Administration (GSA) Routine Use. A record from a system of records maintained by this component may be disclosed as a routine use to the General Services Administration (GSA) for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906. A3.13. Disclosure of Information to the National Archives and Records Administration (NARA) Routine Use. A record from a system of records maintained by this component may be disclosed as a routine use to the National Archives and Records Administration (NARA) for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906. A3.14. Disclosure to the Merit Systems Protection Board Routine Use. A record from a system of records maintained by this component may be disclosed as a routine use to the Merit Systems Protection Board, including the Office of the Special Counsel for the purpose of litigation, including administrative proceedings, appeals, special studies of the civil service and other merit systems, review of OPM or component rules and regulations, investigation of alleged or possible prohibited personnel practices; including administrative proceedings involving any individual subject of a DoD investigation, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as may be authorized by law.
AFI33-332 12 JANUARY 2015
A3.15. Counterintelligence Purpose Routine Use. A record from a system of records maintained by this component may be disclosed as a routine use outside the DoD or the U.S. Government for the purpose of counterintelligence activities authorized by U.S. Law or Executive Order or for the purpose of enforcing laws, which protect the national security of the United States.
AFI33-332 12 JANUARY 2015 Attachment 4 EXAMPLES OF PRIVACY ACT STATEMENT/ADVISORY AND PRIVACY STATEMENT
A4.1. Sample Privacy Act Statement. Authority: 10 U.S.C. 8013, Secretary of the Air Force; DoD 4500.36-R, Management, Acquisitions, and Use of Motor Vehicles; Air Force Policy Directive 24-3, Management, Operations and Use of Transportation Vehicles; Air Force Instruction 24-301, Transportation and Vehicle Operations; EO 9397 (SSN), as amended. Purpose: Information is collected to verify your eligibility to drive government owned or leased vehicles exceeding 10,000; emergency response equipped with four-wheel-drive. Routine Use: Information may be disclosed for any of the DoD “Blanket Routine Uses. Disclosures: Voluntary; however, failure to provide the information may result in our inability to provide you with a government vehicle operator identification card. System of Records Notice: F024 AF IL C Motor Vehicle Operator’s Records. A4.2. Sample Privacy Advisory. Authority: 18 U.S.C. 1029, Access Devices; E.O 9397 (SSN), as amended. Disclosure of your SSN is Voluntary: However, if you fail to provide your SSN, we will be unable to grant you access to the XYZ database. Uses to be made of your SSN: Your SSN will be compared against the mater list of employees for the sole purpose of positively identifying you. It will not be shared with anyone outside DoD. Once we have confirmed your identity, we will destroy this form. This data collection will not become part of any Privacy Act System of Record. A4.3. Sample Privacy Statement. Authority: 10 U.S.C. 10 8013, Secretary of the Air Force; DoD 4500.36-R, Management, Acquisitions, and Use of Motor Vehicles; Air Force Policy Directive 24-3, Management, Operations and Use of Transportation Vehicles; Air Force Instruction 24-301, Transportation and Vehicle Operations; EO 9397* (SSN), as amended. Purpose: Information is collected to verify your eligibility to drive government owned or leased vehicles exceeding 10,000; emergency response equipped with four-wheel-drive. Routine Use: Information may be disclosed for any of the DoD “Blanket Routine Uses. Disclosures: Voluntary; however, failure to provide the information may result in our inability to provide you with a government vehicle operator identification card. This data collection will not become part of any Privacy Act System of Record.
AFI33-332 12 JANUARY 2015
61 Attachment 5
ALTERING A SYSTEM OF RECORD NOTICE A5.1. A system is considered altered. Table A5.1. Criteria for altering a System of Records Notice. Alterations Categories of Individuals: C18.104.22.168. A significant increase or change in the number or type of individuals about whom records are maintained.
DoD 5400.11-R Citation C22.214.171.124.1. Only changes that alter significantly the character and purpose of the record system are considered alterations.
DoD 5400.11-R Exclusions C126.96.36.199.2. Increases in numbers of individuals due to normal growth are not considered alterations unless they truly alter the character and purpose C188.8.131.52.3. Increases that C184.108.40.206.4. A reduction in the of the system. change significantly the scope of number of individuals covered population covered. is not an alteration, but only an amendment. C220.127.116.11.5. All changes that add new categories of individuals to system coverage require a change to the “Categories of individuals covered by the system” caption of the notice
Categories of Records: C18.104.22.168. An expansion in the types or categories of information maintained.
C22.214.171.124.3. All changes under this criterion require a change to the “Categories of Records in the System” caption of the notice. Retrievability: C126.96.36.199.2. Any change under C188.8.131.52. An alteration of how this criterion requires a change in the records are organized or the the “Retrievability” caption of the manner in which the records are system notice. indexed and retrieved. C184.108.40.206.3. If the records are no longer retrieved by name or personal identifier, cancel the system notice. Purpose: C220.127.116.11. A change in the purpose for which the information in the system is used.
C18.104.22.168.1. The new purpose must not be compatible with the existing purposes for which the system is maintained. C22.214.171.124.3. Any change under this criterion requires a change in the
C126.96.36.199.2. If the use is compatible and reasonably expected, there is no change in purpose and no alteration occurs.
AFI33-332 12 JANUARY 2015
DoD 5400.11-R Citation
“Purpose(s)” caption (see paragraph C6.3.8. of this Chapter) and may require a change in the “Authority for maintenance of the system” caption (see paragraph C6.3.7. of this Chapter). C188.8.131.52.1. Increasing the number of offices with direct access is an alteration. C184.108.40.206.1. The change must alter the nature of use or scope of the records involved (for example, combining records systems in reorganization).
Combining system of records:
Computer Environment: C220.127.116.11.2. Software C.18.104.22.168. Changes that alter the applications, computer environment (such as, such as operating systems and system utilities, which provide changes to equipment for configuration, software, or procedures) so as to create the easier access, are considered alterations. potential for greater or easier access C22.214.171.124.3. The addition of an online capability to a previously batch-oriented system is an C126.96.36.199.4. The addition of alteration. peripheral devices such as, tape devices, disk devices, card readers, printers, and similar devices to an existing IT system constitute an amendment if system security is preserved.
C188.8.131.52.6. The connecting of two or more formerly independent automated systems or networks together creating a potential for greater access is an alteration.
DoD 5400.11-R Exclusions
AFI33-332 12 JANUARY 2015 Alterations
63 DoD 5400.11-R Citation C184.108.40.206.7. Any change under this caption requires a change to the “Storage” caption element of the systems notice.
DoD 5400.11-R Exclusions
AFI33-332 12 JANUARY 2015 Attachment 6 RISK ASSESSMENT
A6.1. Risk Notification. Five factors are used when determining if an agency is required to notify those who may have been affected by a PII breach. Agencies should take the time to determine the risk of harm, embarrassment, inconvenience or unfairness surrounding the breach. The factors used in assessing the likely risk of harm are: A6.1.1. Nature of Data Elements Breached. Consider context of the data involved and the potential harm, embarrassment, inconvenience or unfairness that might be generated by its exposure to unauthorized individuals. A6.1.2. Likelihood the Information is Accessible and Useable. Upon discovery of a breach, agencies should assess the likelihood the personally identifiable information has been or will be used by unauthorized individuals. The greater the risk that the information may be used unlawfully should influence an agency’s decision to provide notification to the individual(s). A6.1.3. Likelihood the breach may lead to harm, embarrassment, inconvenience or unfairness to an individual. A220.127.116.11. Broad Reach of Potential Harm, Embarrassment, Inconvenience or Unfairness. Consider the possible harm associated with the loss or compromise of the PII, i.e., loss of self- esteem, mental pain or emotional stress. A18.104.22.168. Likelihood Harm, Embarrassment, Inconvenience or Unfairness Will Occur. Agencies must determine the type of data has been compromised and the manner the breach occurred. A6.1.4. Ability of the Agencies to Mitigate the Risk of Harm, Embarrassment, Inconvenience or Unfairness. In addition to containing the breach, agencies must determine what countermeasures will be used to prevent further compromise of the system’s PII.
AFI33-332 12 JANUARY 2015
65 Attachment 7
EXAMPLE PRIVACY BREACH NOTIFICATION LETTER OFFICIAL LETTERHEAD Dear Mr. John Miller: On 3 January 2013, an individual assigned to XXX unit, sent an e-mail with an attachment (alpha roster, recall roster, and information document) containing your Personal Information which may be protected under the Privacy Act of 1974 from their government e-mail to their personal e-mail account. i.e. Yahoo, Gmail, or Hotmail. The e-mail contained your name, social security number, residential address, date of birth, personal e-mail address, and home telephone numbers. Based on the preliminary investigation, we have determined there was no malicious intent. We recommend you visit the Federal Trade Commission (FTC) on its Web site at http://www.consumer.ftc.gov/articles/0275-place-fraud-alert. The FTC urges that you immediately place an initial fraud alert on your credit file. The fraud alert is for a period of 90 days, during which, creditors are required to contact you before a new credit card is issued or an existing card changed. The site also provides other valuable information that can be taken now or in the future if problems should develop. The Air Force does not endorse this site or provide fraud credit protection. As the commander of xxxxxx, I take this loss very seriously and I am reviewing our current policies and practices to determine what must be changed to preclude a similar occurrence in the future. At a minimum, I will be providing additional training to personnel to ensure that they understand the importance of safeguarding individual’s Personal Information at all times and must be treated in a manner that preserves and protects the confidentiality of the individual. I deeply regret and apologize for any inconvenience and concern this may cause you. Should you have any questions, please call . Sincerely, Signature Block (Directorate level or higher)
AFI33-332 12 JANUARY 2015 Attachment 8 PREPARING A DOD SSN JUSTIFICATION MEMORANDUM
MEMORANDUM FOR AIR FORCE PRIVACY OFFICE, SAF/A6XA SUBJECT: Justification for the Use of the Social Security Number (SSN) The memorandum should begin by naming the DITPR number of the IT system and/or form that is the subject of the justification. The description must be sufficiently detailed so that someone unfamiliar with the system can grasp the general understanding of its intent. The justification for the use of the SSN must include a reference to the SSN Instruction Use Case that is being used to justify the use of the SSN. If the justification does not fall under either the operational necessity use case or the legacy system interface use case, then the justification shall also include the specific reference to the law that requires the use of the SSN and why it is applicable to the use being justified. Reference is made to the system or form supporting documentation, including but not limited to, System of Records Notice (SORN), Privacy Impact Assessment (PIA), Paperwork Reduction Act (PRA) notice, or any other documentation that may be appropriate. If the substance of the documentation is not attached, reference is made to how the reader may gain access to this documentation. Justification for the use of the SSN does not constitute blanket permission to use the SSN. Specific reference shall be made to indicate actions being taken to reduce the vulnerability of SSNs, which may include indicating where SSNs are being removed from transactions, where SSNs are no longer displayed, or any other protections that have been included. It should be obvious to the reader that a thorough effort has been made to evaluate the risk associated with the system or form and that every reasonable step has been or is being taken to reduce the use of the SSN and protect it where the use is still required. Justification for the use of the SSN does not constitute blanket permission to use the SSN. Specific reference shall be made to indicate actions being taken to reduce the vulnerability of SSNs, which may include indicating where SSNs are being removed from transactions, where SSNs are no longer displayed, or any other protections that have been included. It should be obvious to the reader that a thorough effort has been made to evaluate the risk associated with the system or form and that every reasonable step has been or is being taken to reduce the use of the SSN and protect it where the use is still required. If the justification for the use of the SSN falls under the “legacy use” authorization and is not specifically required by the law, reference shall be made to the Plan of Actions and Milestones for the elimination of the use of the SSN. Official’s Name GENERAL/SES
AFI33-332 12 JANUARY 2015
67 Attachment 9
APPROVED DOD TRAINING WEBSITES APPROVED DOD PRIVACY TRAINING WEBSITES Smartphones and Tablets version 2.0 training is now available online: http://iatraining.disa.mil/eta/smartphone tablet_v2/launchpage.htm The new Social Networking training is now available online: http://iase.disa.mil/eta/sns v1/sn/launchPage.htm DoD Social Media Hub Education and Training website: http://www.defense.gov/socialmedia/education-and-training.aspx/
AFI33-332 12 JANUARY 2015 Attachment 10 NOTIONAL COMPLAINT VIGNETTES
Disclaimer: Vignettes are provided for the instructional purpose of teaching how to identify Civil Liberties related issues only. They do not reflect official policies or positions of the Department of Defense.
1. Religion. a. Scenario: During the work day, a military unit attended a religious themed movie at the base theater. Members were given the choice of watching the movie or cleaning the barracks while the unit watched the movie. A week later a member of the unit submitted a complaint. In his complaint, he said he chose to watch the movie because he viewed cleaning the barracks as punishment, but now he feels like his religious freedom was violated. He does not think a punishment, like cleaning the barracks, should be an alternative to watching a religious themed movie. b. Civil Liberties Issue: First Amendment; Freedom of Religion. A service member should not be punished for participating or not participating in a religious activity. If the service member's belief that he faced a punishment for not attending the movie is accurate, his unit leadership should be counseled about the necessity of allowing for unit member religious freedom without the threat of punishment. 2. Social Media Use & Operational Security. a. Scenario: A deployed service member posted a photograph on Facebook. The caption indicated that his team had just returned from a patrol, and the date/time stamp on the photo showed exactly when it was taken. The service member’s chain of command told him to take down the photograph, to protect operational security. However, the service member stated that he was using his personal Facebook account, during his personal time (not while on duty), and not claiming to represent or speak for the military. b. Civil Liberties Issue: Freedom of Speech/Expression. While individuals have a right to express themselves through online social media outlets, such expression must not compromise operational security. DTM 09-026, “Responsible and Effective Use of Internet-based Capabilities,” Attachment 2, section 5, states that “when accessing Internet-based capabilities using Federal Government resources in an authorized personal or unofficial capacity, individuals shall employ sound operations security (OPSEC) measures.” Other regulations, like the “Joint Ethics Regulation and the Standards of Ethical Conduct for Employees of the Executive Branch,” prohibit the release of non-public information, require appropriate disclaimers of opinions being expressed, and restrict the use of government computers to access and to manage personal sites during official duty time. 3. Service Members’ Political Involvement. a. Scenario: An active-duty service member placed a bumper sticker on his privately owned vehicle. The chain of command told the service member to remove the sticker, but the service member refused, citing his Constitutional right to freedom of speech and freedom of expression. b. Civil Liberties Issue: Freedom of Speech/Expression/Assembly (to the extent that showcasing one’s political affiliation constitutes assembly). In keeping with the traditional concept that service members on active duty should not engage in partisan political activity, and that service members not on active duty should avoid inferences that their political activities imply or appear to imply official sponsorship, approval, or endorsement, the military may regulate service members’ participation in political activities. According to DoDD1344.10, Sec 22.214.171.124. “A member of the Armed Forces on active duty may: display a political bumper
AFI33-332 12 JANUARY 2015
sticker on the member’s private vehicle.” In this case, the Directive regulating such participation allows the service member to display the bumper sticker. Unit leadership should be counseled about DoD policies regulating service members’ participation in political activities. 4. Search and Seizure. a. Scenario: A DoD civilian, employed at a CONUS Air Force base, was randomly selected to have his vehicle searched at the gate. The gate guard inspected the engine compartment, exterior and undercarriage of the vehicle, and the interior of the vehicle, including the glove box and consoles. The employee submitted a complaint to the base Civil Liberties Officer, alleging that a search of the glove box and consoles was excessive and unreasonable. b. Civil Liberties Issue: Right to be Secure against Unreasonable Searches and Seizures. Installation commanders issue regulations for the protection and security of property or places under their command. The search followed established procedures for vehicle searches, per direction provided in Air Force Instruction 31-204 “Air Force Motor Vehicle Traffic Supervision.” In evaluating this type of case, consider whether a command authorizes the search of glove boxes and consoles. For example, the AFI instructs officials conducting searches of vehicles entering a military installation to “look under all seats, under/behind dash, glove box, consoles, visors, ashtrays and any packages and briefcases.” 5. Don’t Ask, Don’t Tell – With Speech/Religion Implications. a. Scenario: A service member speaks with a friend, informally on base, about the repeal of Don’t Ask, Don’t Tell. The service member, consistent with her religion, expressed opposition to homosexuality. The service member’s senior overheard comments and told her to stop expressing these views on base. The service member filed a Civil Liberties complaint, alleging that her freedom of speech/religion was violated when she was told to stop expressing her religious views on base. b. Civil Liberties Issue: Freedom of Speech/Religion. Service members may express moral or religious beliefs, so long as service members do NOT make statements detrimental to good order and discipline, and so long as service members obey lawful orders. Whether or not the service member’s Civil Liberties were, in fact, violated is dependent upon whether or not her comments fall within the constraints articulated in the direction above. 6. Carrying Privately Owned Weapons on Military Installations. a. Scenario: Service member living in family housing aboard a Marine Corps base is required to report to the Provost Marshall that she possesses a firearm and stores it at her home. The service member filed a complaint with the Civil Liberties POC arguing that the Provost Marshall should not be keeping records on how she exercises her right to keep and bear arms. b. Civil Liberties Issue: Right to Keep and Bear Arms. In reviewing the service member's complaint, consider whether the PM's requirement to report the firearm is authorized by a base order or other regulation. 7. Civilian Employment Complaint. a. Scenario: A DoD civilian supervisor typically allows overtime for all employees who volunteer. However, a civilian employee in that office submitted a complaint, alleging that he has not been allowed to work overtime because the supervisor saw him at an anti-war protest on a Saturday last year. His complaint letter alleged that because his supervisor will not allow him to work overtime, his Civil Liberties are being violated. b. Civil Liberties Issue: Right to Due Process. His complaint about not being allowed to work overtime, when other workers are encouraged to work overtime, could be a recognized employee grievance. Direct him to consider the use of his agency's existing employee grievance process.
AFI33-332 12 JANUARY 2015
8. Member of Public, Pentagon Protests, and Suspicious Activity Reporting. a. Scenario: A member of the public attended a protest at the Pentagon. He followed all rules and procedures governing the protest, including not making threatening statements or displaying threatening behavior, and complied with instructions from Pentagon Police Officers. The individual submitted a complaint alleging that a civilian employee, employed at the Pentagon, asked each of the protestors to identify themselves and subsequently stated that he was going to identify them in a suspicious activity report, due to their participation in the protest. b. Civil Liberties Issue: Freedom of Speech, Peaceable Assembly. Consider whether the Privacy Act of 1974 is implicated by the Pentagon employee’s actions. According to the Privacy Act (5 U.S.C. § 552a(e)(7)), “no information shall be maintained on how an individual exercises rights protected by the First Amendment to the Constitution of the United States, including the freedoms of speech, assembly, press and religion, except as follows: i. When specifically authorized by statute. ii. When expressly authorized by the individual, group of individuals, or association on whom the record is maintained. iii. When the record is pertinent to and within the scope of an authorized law enforcement activity.
AFI33-332 12 JANUARY 2015
71 Attachment 11
CIVIL LIBERTIES COMPLAINT REPORT INSTRUCTIONS Introduction Section 803 of Public Law 110-53 requires the Department to report its Civil Liberties activities to Congress. In order to comply with that requirement, each DoD Component must submit a semi-annual report to the Defense Privacy and Civil Liberties Office (DPCLO). DPCLO will consolidate Component data and submit the Department's reports to Congress. Component reports must include the following: (1) The number and nature of Civil Liberties complaints received; and (2) A summary of the disposition of such complaints. Semi-Annual reports are due by the 10th day of the month following the closing of each fiscal year quarter to the AF Civil Liberties POC: [email protected]
Component Points of Contact (POCs) Reporting Responsibilities POCs are responsible for establishing procedures to report Civil Liberties complaints for their entire Component. To ensure the Department is accurately accounting for and addressing Civil Liberties complaints, Component reporting procedures should capture Civil Liberties complaints that may be received by offices such as the Inspector General (IG), Equal Employment Opportunity (EEO), and Labor Management Employee Relations (LMER). Component reporting procedures should also ensure that there is no duplicate reporting within the Component. Report Direction Definitions Civil Liberties Complaint: For purposes of reporting, a complaint is an allegation of one or more Civil Liberties violations. Received: The Component has received the complaint and is evaluating it for a Civil Liberties implication. Pending: The complaint has not been fully adjudicated or resolved. Resolved: The complaint has been fully adjudicated or resolved. Provide a summary of complaints on a separate sheet of paper. Include the following information for each complaint: 1. Description of complaint. Please identify the constitutional amendment, law, regulation, or other authority alleged to be violated in the complaint, if possible. Do not include any personally identifiable information (PII) about the complainant or any other persons involved in complaint (examples of PII include names, addresses, phone numbers, and Social Security Numbers). 2. Findings; and 3. Disposition. Examples of Potential Complaints Implicating Civil Liberties (not an exhaustive list): A military service member claims he was punished by his commanding officer for refusing to attend a religious activity; or by not being allowed to attend a religious function in accordance with his religious beliefs. A civilian employee made disparaging comments about the Department via his personal social networking page and was instructed by his supervisor to remove the posts, or be reprimanded.
AFI33-332 12 JANUARY 2015 Attachment 12 EXAMPLE CIVIL LIBERTIES REPORT
SUMMARY OF CIVIL LIBERTIES COMPLAINTS 3RD QTR FY11 – APRIL TO JUNE 2011 DEPARTMENT OF THE AIR FORCE TOTAL NUMBER OF COMPLAINTS: 2 Complaint #1: Description of Complaint: Complainant alleges his new supervisor sent an e-mail to all-hands announcing that the pre-existing practice of allowing employees to take time away from their desks for religious prayer is being discontinued. Possible First Amendment, Freedom of Religion implication. Findings: The Department of the Air Force has received and evaluated the complaint, and the complaint is being investigated. Disposition: Pending. Complaint #2: Description of Complaint: Complainant alleges he was reprimanded for attending a political rally during his lunch break. Possible First Amendment, Freedom of Association implication. Findings: The Department of the Army has received and evaluated the complaint, and the complaint is being investigated. Disposition: Pending.
AFI33-332 12 JANUARY 2015
73 *Attachment 13
Example Air Force Biennial System of Records Notice (SORN) Accuracy Review Checklist If you are the Air Force official who is responsible for the operation and management of an Air Force Privacy Act system of recordsi, specifically: (Example: F011 AF AFMC A (Contractor Flight Operations)) This checklist will assist you in the biennial accuracy review of the Air Force System of Records Notice (SORN) and will ensure that all Air Force SORNs comply with the DoD Privacy Program (DoD Directive 5400.11 and DoD 5400.11-R) and Appendix I to OMB Circular A-130, entitled “Federal Agency Responsibilities for Maintaining Records about Individuals” (http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html). Once the checklist is completed and any updates and/or revisions to the SORN are identified, return both to the Air Force Privacy Act Office for further processing. Please provide the following information about the System Managerii: 1. System manager’s name: 2. System manager’s title: 3. System manager’s telephone # 4. Person completing checklist (if other than system manager): 5. Date review completed: 6. Overall comments: 1. System identifier. The Air Force Privacy Act Office assigns the system identifier based on
the Air Force Records Schedule. 2. System name. The system name must reasonably identify the general purpose of the system
and, if possible, the general category of individuals covered. Yes a. System name adequately describes the system of records. b. System name has been updated on the attached notice and/or below. c. Comments / Updates/ Clarifications:
AFI33-332 12 JANUARY 2015
3. System location. List each location where the records reside using complete mailing
addresses including the U.S. Postal Service two-letter State abbreviation and 9-digit zip code. P.O. boxes are not system locations. When Air Force contracts for the operation or maintenance of a Privacy Act system of records, the solicitation and resulting contract must contain the required FAR clauses. Yes No a. System location(s) is/are accurate as stated. b. Does a contractor collect, maintain, use or disseminate records on behalf of Air Force for this system of records? c. If 3.b. above is yes, do all contracts contain the required FAR clauses? d. Information has been updated on the attached notice and/or below. e. Comments / Updates / Clarifications: 4. Categories of individuals covered by the system. Identify the categories of individualsiii
about whom records are maintained. Once the notice is published, you may only collect records on the individuals identified and no others. If you wish to add a new category of individuals covered, the SORN must first be altered and republished. If you are collecting information from 10 or more “members of the publiciv” in a 12 month period, your collection may require Office of Management and Budget (OMB) approval under the Paperwork Reduction Act (PRA). For more information on this requirement, contact Air Force’s Information Management Control Officer (IMCO) (email: usaf.pentagon.saf-cio-a6.mbx.af-infocollection) for more information. Yes No a. All categories of individuals covered are described. b. Do categories of individuals covered include “members of the public”? If 4.b. is yes, contact the AF IMCO, regarding the applicability of the PRA and your information collection. c. Information has been updated on the attached notice and/or below. d. Comments / Updates / Clarifications: 5. Categories of records in the system. Identify all recordsv being collected, maintained, used,
and/or disseminated. The Privacy Act requires an agency “maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required by a Federal statute or an Executive Order.” Once the notice is published, you may only collect the records identified and no others. If you wish to add new records, the SORN must first be altered and republished. The collection of the Social Security Number (SSN) must be in accordance with DoD Instruction 1000.30, entitled “Reduction of Social Security Number (SSN) Use Within DoD.” Contact the Air Force Privacy Office (email: usaf.pentagon.saf-cio-a6.mbx.af-privacy), for more information on this requirement.
AFI33-332 12 JANUARY 2015
a. Records are accurate as described. b. All records maintained are relevant and necessary to accomplish a purpose of Air Force required by a Federal statute or an Executive Order. c. Are Social Security Numbers (SSNs) being maintained? If 5.b. is yes, contact the Air Force Privacy office or refer to Attachment 8 of AFI 33332 for instructions to complete a SSN Justification Memo. d. Information has been updated on the attached notice and/or below. e. Comments / Updates / Clarifications: 6.Authority for maintenance of the system. Cite the specific Federal statute or Executive Order (citation and descriptive title) authorizing the maintenancevi of the system of records. DOD/Air Force regulations may be listed as implementing documentation. Yes No a. All authorities are accurate as listed. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications: 7. Purpose(s). List the uses made of the records within Air Force / DoD. Once the notice is published, records may only be used for those purposes identified and no others. If you wish to add a new purpose, the SORN must first be altered and republished. Yes No a. Purposes are accurate as listed. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications: 8. Routine uses of records maintained in the system, including categories of users and the purposes of such uses. Identify each routine use.vii List each authorized specific routine use of the information outside the DoD for records in the system. Each specific routine use should identify the third party, to whom disclosure is authorized, the type of information to be disclosed, and the purpose for the disclosure.
Avoid general statements such as “to other Federal agencies as required,” or “to any other appropriate Federal agency”.
List in full the applicable Blanket Routine Uses (Law Enforcement, NARA, and Data Breach Remediation usually apply to ALL SORNs) (see DoD Routine Uses at dpcld.defense.gov)
AFI33-332 12 JANUARY 2015 NOTE: Boilerplate language used at the end of the Routine Uses is no longer required if when specific routine uses are selected and blanket routine uses are selected and incorporated in the SORN.
Reference: DoD 5400.11-R (pp. 59-60, C6.3.9)
Sample Format: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, as amended, the records contained herein may specifically be disclosed outside the DoD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows: [Note: Highlighted text is boiler plate language required in this section.]
[To a domestic or foreign entity that has entered into a public-private partnership with the Defense POW/MIA Accounting Agency (DPAA) as authorized by 10 U.S.C. 1501a, when DPAA determines that such disclosure is necessary to the performance of services DPAA has agreed shall be performed by the partner. Yes
a. Each routine use is accurate as written. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications: 9.Disclosure to consumer reporting agencies: Element is optional. Include it within your SORN if you will be releasing records to a consumer reporting agency for the purpose of collecting debts. Entry will read: "Disclosures pursuant to 5 U.S.C. 552a(b)(12) may be made from this system to `consumer reporting agencies' as defined in the Fair Credit Reporting Act (14 U.S.C. 1681a(f)) or the Federal Claims Collection Act of 1966 (31 U.S.C. 3701(a)(3)). The purpose of this disclosure is to aid in the collection of outstanding debts owed to the Federal government, typically to provide an incentive for debtors to repay delinquent Federal government debts by making these debts part of their credit records. The disclosure is limited to information necessary to establish the identity of the individual, including name, address, and taxpayer identification number (Social Security Number); the amount, status, and history of the claim; and the agency or program under which the claim arose for the sole purpose of allowing the consumer reporting agency to prepare a commercial credit report." Yes No a. Are records disclosed to a consumer reporting agency?
AFI33-332 12 JANUARY 2015
10. Policies and practices for storing, retiring, accessing, retaining, and disposing of records.
This caption is subdivided into four parts: 11. Storage. Describes the media in which records are stored, e.g, paper records, electronic records, or a hybrid (paper and electronic records). Personal information / Personally Identifiable Information viii(PII) maintained electronically may require the development of a Privacy Impact Assessment (PIA) in accordance with the EGovernment Act and DoD Instruction 5400.16, DoD Privacy Impact Assessment Guidance. Yes No a. Storage is accurate as stated. b. Comments / Updates / Clarifications: 12. Retrievability. Identify the personal / unique identifier(s) used to retrieve records.
a. Retrievability is correct as stated. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications: 13. Safeguards. Describe the physical, administrative, and technical safeguards in place to
prevent the risk of unauthorized access to or unauthorized disclosure of records. Yes a. The physical, administrative, and technical safeguards listed are accurate. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications:
14. Retention and disposal. Cite the approved National Archives and Records Administration
(NARA) retention period for records being maintained. Retention must be part of the Air Force Records Schedule. Contact your local Records Manager for further assistance. Yes No a. Retention and disposal is accurate as stated. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications: 15. System manager(s) and address. List the title (no names and no phone numbers) and
current mailing address of the Air Force official who is responsible for the operation and management (includes the policies and practices) of the system of records. Umbrella systems with multiple system managers must also list a policy-coordinating official. Yes No a. System manager and address is correct as currently indicated. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications: 17. Notification Procedure. Element describes how an individual may request notification that he/she is part of the system of records. The default wording is below:
AFI33-332 12 JANUARY 2015
"Individuals seeking to determine whether this system of records contains information about them should address written inquiries to the organization responsible for the system: (Complete address of where inquiry can verify if a record exists) Inquiry should contain the record subject’s full name, [identify the data elements needed from the record subject to retrieve the information, and the information needed to respond to their request]." When records being maintained warrant, Air Force may ask the record subject to provide a notarized statement or an unsworn statement verifying their identity as follows: If executed without the United States: `I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).' If executed within the United States, its territories, possessions, or commonwealths: `I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).' Yes No a. Element provides complete instructions and the address is current. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications: 18. Record access procedures. Element describes how an individual may request access to the records pertaining to him or her in the system of records. The default wording is below: "Individuals seeking to access information about themselves contained in this system of records should address written inquiries to: (Complete address of where Inquiry should contain the record subject’s full name, [identify the data elements needed from the record subject to retrieve the information, and the information needed to respond to their request]." When records being maintained warrant, Air Force may ask the record subject to provide a notarized statement or an unsworn statement verifying their identity as follows: If executed without the United States: `I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).' If executed within the United States, its territories, possessions, or commonwealths: `I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).' Yes No a. Element provides complete instructions and the address is current. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications: 16. Contesting record procedures. For Air Force entry will read: “The Air Force rules for
accessing records and for contesting contents and appealing initial agency determinations are published in Air Force Instruction 33-332, 32 CFR part 806b, or may be obtained from the system manager.” Contesting records is limited to information which is incomplete, irrelevant, incorrect, or untimely (obsolete).
AFI33-332 12 JANUARY 2015
17. Record source categories. Identify all sources of records, internal as well as external, e.g.,
from State and local government agencies, from the record subject, from third-party individuals, and from other Federal systems of records (identify the specific systems). Yes a. Sources are correct as listed. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications:
18. Exemptions claimed for the system. Identify the specific Privacy Act exemptions and
subsections from which records may be exempt, if applicable. Yes
a. Information is correct as stated. b. Information has been updated on the attached notice and/or below. c. Comments / Updates / Clarifications:
System of records - A group of records (paper or electronic) under the control of the Air Force from which personal information about an individual is retrieved by the name of the individual, or by some other identifying number, symbol, or other identifying particular assigned, that is unique to the individual.
System manager - The Air Force official responsible for the operation and management of a system of records.
Individual - A living person who is a citizen of the United States or an alien lawfully admitted for permanent residence. The parent of a minor or the legal guardian of any individual may also act on behalf of an individual. Members of the U.S. Armed Forces are “individuals.” Corporations, partnerships, sole proprietorships, professional groups, businesses, whether incorporated or unincorporated, and other commercial entities are not “individuals” when acting in an entrepreneurial capacity with the Department of Defense, but are “individuals” when acting in a personal capacity (e.g., security clearances, entitlement to DoD privileges or benefits, etc.).
Members of the Public -- Members of the public are individuals, partnerships, associations, corporations (including operations of Government-owned, contractor-operated facilities), business trusts or legal representatives, organized groups of individuals, and State, territorial, tribal, or local governments, or components thereof. -- Current Federal employees and military personnel are considered members of the public if the collection of information is addressed to them in their capacity as private citizens. They are not considered members of the public if they are providing information regarding their duty status as Federal employees or to determine the effectiveness of Federal programs relating to military families and the need for new programs (10 USC 1782). -- Contractors providing information are considered members of the public. -- Foreign nationals are considered members of the public. -- If information is being collected from all or a substantial majority of an industry,
AFI33-332 12 JANUARY 2015
approval under the PRA is still required. For example, there may only be three companies that produce the same product. If a Federal agency collects information from one of these companies, approval under the PRA is required. v
Record - any item, collection, or grouping of information, whatever the storage media (e.g., paper, electronic), about an individual that is maintained by the Air Force, including, but not limited to, his or her education, financial transactions, medical history, criminal or employment history, and that contains his or her name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint, a voice print, or a photograph.
Maintain - To maintain, collect, use, or disseminate records contained in a system of records.
Routine Use - The disclosure of a record outside DoD for a use that is compatible with the purpose for which the information was collected and maintained.
Personal Information - Information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a social security number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, and biometric records, including any other personal information which is linked or linkable to a specified individual).