SubPart G - Publication Requirements


§310.31   Federal Register publication.

(a) What must be published in the Federal Register.

(1) Four types of documents relating to the Privacy Program must be published in the Federal Register:

(i) DoD Component Privacy Procedural rules;

(ii) DoD Component exemption rules; and

(iii) System notices.

(iv) Match notices (See subpart L to this part).

(2) See DoD 5025.1-M,9 “Directive Systems Procedures” and Administrative Instruction (AI) No. 102,10 “Office of the Secretary of Defense Federal Register System” for information pertaining to the preparation of documents for publication in the Federal Register.

(b) The effect of publication in the Federal Register. Publication of a document in the Federal Register constitutes official public notice of the existence and content of the document.

(c) DoD Component rules. (1) Component Privacy Program procedures and Component exemption rules are subject to the rulemaking procedures prescribed in AI 102.

(2) System notices are not subject to formal rulemaking and are published in the Federal Register as “Notices,” not rules.

(3) Privacy procedural and exemption rules are incorporated automatically into the CFR. System notices are not published in the CFR.

(d) Submission of rules for publication. (1) Submit to the DPO, ODA&M, all proposed rules implementing this part in proper format (see DoD 5025.1-M and AI 102) for publication in the Federal Register.

(2) This part has been published as a final rule in the Federal Register. Therefore, incorporate it into your Component rules rather than by republication (see AI 102).

(3) DoD Component procedural rules that simply implement this Regulation need only be published as final rules in the Federal Register (see DoD 5025.1-M and AI 102). If the Component procedural rule supplements this part in any manner, they must be published as a proposed rule before being published as a final rule.

(4) Amendments to Component rules are submitted like the basic rules.

(5) The DPO submits the rules and amendments thereto to the Federal Register for publication.

(e) Submission of exemption rules for publication. (1) No system of records within the Department of Defense shall be considered exempt from any provision of this part until the exemption and the exemption rule for the system has been published as a final rule in the Federal Register.

(2) Submit exemption rules in proper format to the DPO. All exemption rules are coordinated with the DoD Office of General Counsel. After coordination, the DPO shall submit the rules to the Federal Register for publication.

(3) Exemption rules require publication both as proposed rules and final rules (see AI 102).

(4) §310.31(b) discusses the content of an exemption rule.

(5) Submit amendments to exemption rules in the same manner used for establishing these rules.

(f) Submission of system notices for publication. (1) System notices are not subject to formal rulemaking procedures. However, the Privacy Act (5 U.S.C. 552a) requires a system notice be published in the Federal Register of the existence and character of a new or altered system of records. Until publication of the notice, DoD Components shall not begin to operate the system of records (i.e., collect and use the information). The notice procedures require:

(i) The system notice describes what kinds of records are in the system, on whom they are maintained, what uses are made of the records, and how an individual may access, or contest, the records contained in the system.

(ii) The public be given 30 days to comment on any proposed routine uses before any disclosures are made pursuant to the routine use; and

(iii) The notice contain the date on which the system shall become effective.

(2) Submit system notices to the DPO in the Federal Register format (see AI 102 and appendix E to this part). The DPO transmits the notices to the Federal Register for publication.

(3) §310.32 discusses the specific elements required in a system notice.

[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]

Back to Top

§310.32   Exemption rules.

(a) General procedures. Subpart F of this part provides the general guidance for establishing exemptions for systems of records.

(b) Contents of exemption rules. (1) Each exemption rule submitted for publication must contain the following:

(i) The record system identifier and title of the system for which the exemption is claimed. (See §310.32(b) and (c));

(ii) The specific sections of the Privacy Act under which the exemption for the system is claimed (for example, 5 U.S.C. 552a(j)(2), 5 U.S.C. 552a(k)(3); or 5 U.S.C. 552a(k)(7);

(iii) The specific sections of the Privacy Act from which the system is to be exempted (for example, 5 U.S.C. 552a(c)(3), or 5 U.S.C. 552a(d)(l)-(5)) (see appendix D)); and

(iv) The specific reasons why an exemption is being claimed from each section of the Act identified.

(2) Do not claim an exemption for classified material for individual systems of records. The blanket exemption applies. (See paragraph (c) of §310.26.)

[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]

Back to Top

§310.33   System notices.

(a) Contents of the system notices.

(1) The following data captions are included in each system notice:

(i) Systems identifier. (see paragraph (b) of this section).

(ii) System name. (see paragraph (c) of this section).

(iii) System location. (see paragraph (d) of this section).

(iv) Categories of individuals covered by the system. (see paragraph (e) of this section).

(v) Categories of records in the system. (see paragraph (f) of this section).

(vi) Authority for maintenance of the system. (see paragraph (g) of this section).

(vii) Purpose(s). (see paragraph (h) of this section).

(viii) Routine uses of records maintained in the system, including categories of users and the purposes of such uses. (see paragraph (i) of this section).

(ix) Disclosure to Consumer Reporting Agencies. This element is optional but required when disclosing to consumer reporting agencies (See paragraph (l) of §310.22.)

(x) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system. (see paragraph (j) of this section).

(xi) Systems manager(s) and address. (see paragraph (k) of this section).

(xii) Notification procedure. (see paragraph (l) of this section).

(xiii) Record access procedures. (see paragraph (m) of this section).

(xiv) Contesting records procedures. (see paragraph (n) of this section).

(xv) Record source categories. (see paragraph (o) of this section).

(xvi) Exemptions claimed for the system. (see paragraph (p) of this section).

(2) The captions listed in paragraph (a)(1) of this Section have been mandated by the Office of Federal Register and must be used exactly as presented.

(3) A sample system notice is shown in appendix E of this part.

(b) System identifier. The system identifier must appear on all system notices and is limited to 21 positions, unless an exception is granted by the DPO, including Component code, file number and symbols, punctuation, and spacing.

(c) System name.

(1) The name of the system reasonably identifies the general purpose of the system and, if possible, the general categories of individuals involved.

(2) Use acronyms only parenthetically following the title or any portion thereof, such as, “Joint Uniform Military Pay System (JUMPS).” Do not use acronyms not commonly known unless they are preceded by an explanation.

(3) The system name may not exceed 55 character positions, unless an exception is granted by the DPO, including punctuation and spacing.

(4) The system name should not be the name of the database or the IT system if the name does not meet the criteria in paragraph (c)(1) of this section.

(d) System location.

(1) For systems maintained in a single location provide the exact office name, organizational identity, and address.

(2) For geographically or organizationally decentralized systems, specify each level of organization or element that maintains a segment of the system, to include their mailing address, or indicate the official mailing addresses are published as an Appendix to the Component's compilation of system of records notices, or provide an address where a complete listing of locations can be obtained.

(3) Use the standard U.S. Postal Service two-letter State abbreviation symbols and 9-digit Zip Codes for all domestic addresses.

(e) Categories of individuals covered by the system.

(1) Set forth the specific categories of individuals to whom records in the system pertain in clear, easily understood, non-technical terms.

(2) Avoid the use of broad over-general descriptions, such as “all Army personnel” or “all military personnel” unless this actually reflects the category of individuals involved.

(f) Categories of records in the system.

(1) Describe in clear, non-technical terms the types of records maintained in the system.

(2) Only documents actually maintained in the system of records shall be described, not source documents that are used only to collect data and then destroyed.

(g) Authority for maintenance of system.

(1) Cite the specific provision of the Federal statute or E.O. that authorizes the maintenance of the system.

(2) Include with citations for statutes the popular names, when appropriate (for example, Section 2103 of title 51, United States Code, “Tea-Tasters Licensing Act”), and for E.O.s, the official title (for example, E.O. No. 9397, “Numbering System for Federal Accounts Relating to Individual Persons”).

(3) If direct statutory authority or an Executive Order does not exist, indirect statutory authority may be cited if the authority requires the operation or administration of a program, the execution of which will require the collection and maintenance of a system of records.

(4) If direct or indirect authority does not exist, the Department of Defense, as well as the Army, Navy, and Air Force general “housekeeping” statutes (i.e., 5 U.S.C. 301 (“Departmental Regulations”), 10 U.S.C. 3013 (“Secretary of the Army”), 5013 (“Secretary of the Navy”), and 8013 (“Secretary of the Air Force”) may be cited if the Secretary, or those offices to which responsibility has been delegated, are required to collect and maintain systems of records in order to discharge assigned responsibilities. If the housekeeping statute is cited, the regulatory authority implementing the statute within the Department or Component also shall be identified.

(5) If the social security number is being collected and maintained, E.O. 9397 (“Numbering Systems for Federal Accounts Relating to Indivdiual Persons”) shall be cited.

(h) Purpose or Purposes.

(1) List the specific purposes for maintaining the system of records by the Component.

(2) All internal uses of the information within the Department or Component shall be identified. Such uses are the so-called “internal routine uses.”

(i) Routine uses.

(1) Except as otherwise authorized by subpart E of this part, disclosure of information from a system of records to any person or entity outside the Department of Defense (see §310.21(b)) may only be made pursuant to a routine use that has been established for the specific system of records. Such uses are the so-called “external routine uses.”

(2) Each routine use shall include to whom the information is being disclosed and what use and purpose the information will be used. Routine uses shall be written as follows:

(i) “To* * *.[person or entity outside of DoD that will receive the information] to* * *.[what will be done with the information] for the purpose(s) of * * *[what objective is sought to be achieved].”

(ii) To the extent practicable, general statements, such as “to other Federal agencies as required” or “to any other appropriate Federal agency” shall be avoided.

(3) Blanket routine uses (appendix C to this part) have been adopted that apply to all Component system notices. The blanket routine uses appear at the beginning of each Component's compilation of its system notices.

(i) Each system notice shall contain a statement whether or not the blanket routine uses apply to the system.

(ii) Each notice may state that none of the blanket routine uses apply or that one or more do not apply.

(j) Policies and practices for storing, retiring, accessing, retaining, and disposing of records. This caption is subdivided into four parts:

(1) Storage. Indicate the medium in which the records are maintained. (For example, a system may be “automated, maintained on compact disks, diskettes,” “manual, maintained in paper files,” or “hybrid, maintained in a combination of paper and automated form.”) Storage does not refer to the container or facility in which the records are kept.

(2) Retrievability. Specify how the records are retrieved (for example, name, SSN, or some other unique personal identifier assigned the individual).

(3) Safeguards. Identify the system safeguards (such as storage in safes, vaults, locked cabinets or rooms, use of guards, visitor registers, personnel screening, or password protected IT systems). Also identify personnel who have access to the systems. Do not describe safeguards in such detail as to compromise system security.

(4) Retention and disposal. Indicate how long the record is retained. When appropriate, also state the length of time the records are maintained by the Component, when they are transferred to a FRC, time of retention at the Records Center and when they are transferred to the National Archivist or are destroyed. A reference to a Component regulation without further detailed information is insufficient. If records are eventually destroyed as opposed to being retired, identify the method of destruction (e.g., shredding, burning, pulping, etc).

(k) System manager or managers and address. (1) List the title and address of the official responsible for the management of the system.

(2) If the title of the specific official is unknown, such as for a local system, specify the local commander or office head as the systems manager.

(3) For geographically separated or organizationally decentralized activities for which individuals may deal directly with officials at each location in exercising their rights, list the position or duty title of each category of officials responsible for the system or a segment thereof.

(4) Do not include business or duty addresses if they are listed in the Component address directory.

(l) Notification procedures.

(1) Describe how an individual may determine if there are records pertaining to him or her in the system. The procedural rules may be cited, but include a brief procedural description of the needed data. Provide sufficient information in the notice to allow an individual to exercise his or her rights without referral to the formal rules.

(2) As a minimum, the caption shall include:

(i) The official title (normally the system manager) and official address to which the request is to be directed.

(ii) The specific information required to determine if there is a record of the individual in the system.

(iii) Identification of the offices through which the individual may obtain notification; and

(iv) A description of any proof of identity required. (see §310.17(c)).

(3) When appropriate, the individual may be referred to a Component official who shall provide this information to him or her.

(m) Record access procedures. (1) Describe how an individual can gain access to the records pertaining to him or her in the system. The procedural rules may be cited, but include a brief procedural description of the needed data. Provide sufficient information in the notice to allow an individual to exercise his or her rights without referral to the formal rules.

(2) As a minimum, the caption shall include:

(i) The official title (normally the system manager) and official address to which the request is to be directed.

(ii) A description of any proof of identity required. (see §310.17(c)).

(iii) When appropriate, the individual may be referred to a Component official who shall provide the records to him or her.

(n) Contesting record procedures. (1) Describe how an individual may contest the content of a record pertaining to him or her in the system.

(2) The detailed procedures for contesting a record need not be identified if the Component procedural rules are readily available to the public. (For example, “The Office of the Secretary of Defense” rules for contesting contents are contained in 32 CFR 311.) All Component procedural rules are set forth at a Departmental public Web site (http://www.defenselink.mil/privacy/cfr-rules.html).

(3) The individual may also be referred to the system manager to determine these procedures.

(o) Record source categories. (1) Describe where (the individual, other Component documentation, other Federal agencies, etc) the information contained in the system was obtained.

(2) Specific individuals or institutions need not be identified by name, particularly if these sources have been granted confidentiality. (see §310.29(b)).

(p) Exemptions claimed for the System. (1) If no exemption has been claimed for the system, indicate “None.”

(2) If an exemption is claimed, cite the exemption as well as identifying the CFR section containing the exemption rule for the system.

(q) Maintaining the Master DoD System Notice Registry. (1) The DPO maintains a master registry of all DoD record systems notices.

(2) The DPO also posts all DoD system notices to a public Web site (see http://www.defenselink.mil/privacy/notices).

[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]

Back to Top

§310.34   New and altered record systems.

(a) Criteria for a new record system.

(1) If a Component is maintaining a system of records as contemplated by §310.10(a), and a system notice has not been published for it in the Federal Register, the Component shall establish a system notice consistent with the requirements of this subpart.

(2) If a notice for a system of records has been canceled or deleted but a determination is subsequently made that the system will be reinstated or reused, the system may not be operated (i.e., information collected or used) until a new notice is published in the Federal Register.

(b) Criteria for an altered record system. A system is considered altered whenever one of the following actions occurs or is proposed:

(1) A significant increase or change in the number or type of individuals about whom records are maintained.

(i) Only changes that alter significantly the character and purpose of the record system are considered alterations.

(ii) Increases in numbers of individuals due to normal growth are not considered alterations unless they truly alter the character and purpose of the system.

(iii) Increases that change significantly the scope of population covered (for example, expansion of a system of records covering a single command's enlisted personnel to include all of the Component's enlisted personnel would be considered an alteration).

(iv) A reduction in the number of individuals covered is not an alteration, but only an amendment. (see §310.34(a).)

(v) All changes that add new categories of individuals to system coverage require a change to the “Categories of individuals covered by the system” caption of the notice (see §310.32(e)) and may require changes to the “Purpose(s)” caption (see §310.32(h)).

(2) An expansion in the types or categories of information maintained.

(i) The addition of any new category of records not described under the “Categories of Records in the System” caption is considered an alteration.

(ii) Adding a new data element that is clearly within the scope of the categories of records described in the existing notice is an amendment. (see §310.34(a)). An amended notice may not be required if the data element is clearly covered by the record category identified in the existing system notice.

(iii) All changes under this criterion require a change to the “Categories of Records in the System” caption of the notice. (see §310.32(f)).

(3) An alteration of how the records are organized or the manner in which the records are indexed and retrieved.

(i) The change must alter the nature of use or scope of the records involved (for example, combining records systems in a reorganization).

(ii) Any change under this criteria requires a change in the “Retrievability” caption of the system notice. (see §310.32(j)(2)).

(iii) If the records are no longer retrieved by name or personal identifier cancel the system notice. (see §310.10(b)).

(4) A change in the purpose for which the information in the system is used.

(i) The new purpose must not be compatible with the existing purposes for which the system is maintained.

(ii) If the use is compatible and reasonably expected, there is no change in purpose and no alteration occurs.

(iii) Any change under this criterion requires a change in the “Purpose(s)” caption (see §310.32(h)) and may require a change in the “Authority for maintenance of the system” caption (see §310.32).

(5) Changes that alter the computer environment (such as changes to equipment configuration, software, or procedures) so as to create the potential for greater or easier access.

(i) Increasing the number of offices with direct access is an alteration.

(ii) Software applications, such as operating systems and system utilities, that provide for easier access are considered alterations.

(iii) The addition of an on-line capability to a previously batch-oriented system is an alteration.

(iv) The addition of peripheral devices such as tape devices, disk devices, card readers, printers, and similar devices to an existing IT system constitute an amendment if system security is preserved. (see §310.34).

(v) Changes to existing equipment configuration with on-line capability need not be considered alterations to the system if:

(A) The change does not alter the present security posture; or

(B) The addition of terminals does not extend the capacity of the current operating system and existing security is preserved.

(vi) The connecting of two or more formerly independent automated systems or networks together creating a potential for greater access is an alteration.

(vii) Any change under this caption requires a change to the “Storage” caption element of the systems notice. (see §310.32(j)(i)).

(c) Reports of new and altered systems.

(1) Components shall submit a report for all new or altered systems to the DPO consistent with the requirements of this subpart and in the format prescribed at appendix F of this part.

(i) Components shall include the following when submitting an alteration for a system notice for publication in the Federal Register:

(A) The system identifier and name. (see §310.32(b) and (c)).

(B) A description of the nature and specific changes proposed.

(ii) The full text of the system notice need not be submitted if the master registry contains a current system notice for the system. (see §310.32(q)).

(2) The DPO coordinates all reports of new and altered systems with the Office of the Assistant Secretary of Defense (Legislative Affairs), Department of Defense.

(3) The DPO prepares and sends a transmittal letter that forwards the report, as well as the new or altered system notice, to OMB and Congress.

(4) The DPO shall publish in the Federal Register a system notice for new or altered systems.

(d) Time restrictions on the operation of a new or altered system. (1) The reports, and the new or altered system notice, must be provided OMB and Congress at least 40 days prior to the operation of the new or altered system. The 40 day review period begins on the date the transmittal letters are signed and dated.

(2) The system notice must be published in the Federal Register before a Component begins to operate the system (i.e., collect and use the information). If the new system has routine uses or the altered system adds a new routine use, no records may be disclosed pursuant to the routine use until the public has had 30 days to comment on the proposed use.

(3) The time periods run concurrently.

(e) Exemptions for new systems. See §310.30(e) for the procedures to follow in submitting exemption rules for a new system of records or for submitting an exemption rule for an existing system of records.

[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]

Back to Top

§310.35   Amendment and deletion of system notices.

(a) Criteria for an amended system notice.

(1) Certain minor changes to published systems notices are considered amendments and not alterations. (see §310.33(b)).

(2) Amendments do not require a report of an altered system (see §310.33(c)), but must be published in the Federal Register.

(b) System notices for amended systems. Components shall include the following when submitting an amendment for a system notice for publication in the Federal Register:

(1) The system identifier and name. (see §310.32 (b) and (c)).

(2) A description of the nature and specific changes proposed.

(3) The full text of the system notice need not be submitted if the master registry contains a current system notice for the system. (see §310.32(q)).

(c) Deletion of system notices.

(1) Whenever a system is discontinued, combined into another system, or determined no longer to be subject to this part, a deletion notice is required.

(2) The notice of deletion shall include:

(i) The system identification and name.

(ii) The reason for the deletion.

(3) When the system is eliminated through combination or merger, identify the successor system or systems in the deletion notice.

(d) Submission of amendments and deletions for publication. (1) Submit amendments and deletions to the DPO for transmittal to the Federal Register for publication.

(2) Multiple deletions and amendments may be combined into a single submission.

[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]

Back to Top