Subpart K - Privacy Act Violations


§310.46   Administrative remedies.

Any individual who believes he or she has a legitimate complaint or grievance against the Department of Defense or any DoD employee concerning any right granted by this part shall be permitted to seek relief through appropriate administrative channels.

[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]


§310.47   Civil actions.

An individual may file a civil suit against a DoD Component if the individual believes his or her rights under the Act have been violated. (See 5 U.S.C. 552a(g).)

[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]


§310.48   Civil remedies.

(a) This part applies to the Office of the Secretary of Defense (OSD), the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the DoD (referred to collectively in this part as the “DoD Components”).

(b) For the purposes of subsection (i), “Criminal penalties,” of The Privacy Act, any DoD contractor and any employee of such a contractor will be considered to be an employee of DoD when DoD provides by a contract for the operation by or on behalf of DoD of a system of records to accomplish a DoD function. DoD will, consistent with its authority, cause the requirements of section (m) of The Privacy Act to be applied to such systems.

[80 FR 4207, Jan. 27, 2015]


§310.49   Criminal penalties.

(a) The Act also provides for criminal penalties. (See 5 U.S.C. 552a(i).) Any official or employee may be found guilty of a misdemeanor and fined not more than $5,000 if he or she willfully:

(1) Discloses information from a system of records, knowing dissemination is prohibited to anyone not entitled to receive the information (see subpart E of this part); or

(2) Maintains a system of records without publishing the required public notice in the Federal Register. (See subpart G of this part.)

(b) Any person who knowingly and willfully requests or obtains access to any record concerning another individual under false pretenses may be found guilty of a misdemeanor and fined up to $5,000.

[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]


§310.50   Litigation status sheet.

Whenever a complaint citing the Privacy Act is filed in a U.S. District Court against the Department of Defense, a DoD Component, or any DoD employee, the responsible system manager shall notify the DPO. The litigation status sheet at appendix H to this part provides a standard format for this notification. The initial litigation status sheet forwarded shall, as a minimum, provide the information required by items 1 through 6 of the status sheet. A revised litigation status sheet shall be provided at each stage of the litigation. When a court renders a formal opinion or judgment, copies of the judgment and opinion shall be provided to the DPO with the litigation status sheet reporting that judgment or opinion.

[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]


§310.51   Lost, stolen, or compromised information.

(a) When a loss, theft, or compromise of information occurs (see §310.14), the breach shall be reported to:

(1) The United States Computer Emergency Readiness Team (US CERT) within one hour of discovering that a breach of personally identifiable information has occurred. Components shall establish procedures to ensure that US CERT reporting is accomplished in accordance with the guidance set forth at http://www.us-cert.gov.

(i) The underlying incident that led to the loss or suspected loss of PII (e.g., computer incident, theft, loss of material, etc.) shall continue to be reported in accordance with established procedures (e.g., to designated Computer Network Defense (CND) Service Providers (reference (z)), law enforcement authorities, the chain of command, etc.).

(ii) [Reserved]

(2) The Senior Component Official for Privacy within 24 hours of discovering that a breach of personally identifiable information has occurred. The Senior Component Official for Privacy, or their designee, shall notify the Defense Privacy Office of the breach within 48 hours upon being notified that a loss, theft, or compromise has occurred. The notification shall include the following information:

(i) Identify the Component/organization involved.

(ii) Specify the date of the breach and the number of individuals impacted, to include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military retirees; family members; other Federal personnel or members of the public, etc.

(iii) Briefly describe the facts and circumstances surrounding the loss, theft, or compromise.

(iv) Briefly describe actions taken in response to the breach, to include whether the incident was investigated and by whom; the preliminary results of the inquiry if then known; actions taken to mitigate any harm that could result from the breach; whether the affected individuals are being notified, and if this will not be accomplished within 10 working days, that action will be initiated to notify the Deputy Secretary (see §310.14); what remedial actions have been, or will be, taken to prevent a similar such incident in the future, e.g., refresher training conducted, new or revised guidance issued; and any other information considered pertinent as to actions to be taken to ensure that information is properly safeguarded.

(2) The Component shall determine whether administrative or disciplinary action is warranted and appropriate for those individuals determined to be responsible for the loss, theft, or compromise.

[72 FR 18758, Apr. 13, 2007. Redesignated at 81 FR 71830, Oct. 17, 2016]
