Department of Defense
DIRECTIVE

NUMBER 5400.11
December 13, 1999
DA&M

SUBJECT: DoD Privacy Program

References:
(a) DoD Directive 5400.11, “Department of Defense Privacy Program,” June 9, 1982 (hereby canceled)
(b) Section 552a and Chapter 8 of title 5, United States Code
(c) Office of Management and Budget Circular No. A-130, “Management of Federal Information Resources,” February 8, 1996
(d) DoD 5400.11-R, “Department of Defense Privacy Program,” August 1983, authorized by this Directive
(e) through (i), see enclosure 1

1. REISSUANCE AND PURPOSE

This Directive:

1.1. Reissues reference (a) to update policies and responsibilities of the DoD Privacy Program under Section 552a of reference (b), and under reference (c).

1.2. Authorizes the Defense Privacy Board, the Defense Privacy Board Legal Committee and the Defense Data Integrity Board.

1.3. Continues to authorize the publication of reference (d).

1.4. Continues to delegate authorities and responsibilities for the effective administration of the DoD Privacy Program.

2. APPLICABILITY

This Directive:

2.1. Applies to the Office of the Secretary of Defense (OSD), the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Inspector General of the Department of Defense (IG, DoD), the Uniformed Services University of the Health Sciences, the Defense Agencies, and the DoD Field Activities (hereafter referred to collectively as “the DoD Components”).

2.2. Shall be made applicable to DoD contractors who are operating a system of records on behalf of a DoD Component, to include any of the activities, such as collecting and disseminating records, associated with maintaining a system of records.

3. DEFINITIONS

Terms used in this Directive are defined in enclosure 2.

4. POLICY

It is DoD policy that:

4.1. The personal privacy of an individual shall be respected and protected.

4.2. Personal information shall be collected, maintained, used or disclosed to ensure that:

4.2.1. It shall be relevant and necessary to accomplish a lawful DoD purpose required to be accomplished by statute or Executive order;

4.2.2. It shall be collected to the greatest extent practicable directly from the individual;

4.2.3. The individual shall be informed as to why the information is being collected, the authority for collection, what uses will be made of it, whether disclosure is mandatory or voluntary, and the consequences of not providing that information;

4.2.4. It shall be relevant, timely, complete and accurate for its intended use; and

4.2.5. Appropriate administrative, technical, and physical safeguards shall be established, based on the media (e.g., paper, electronic, etc.) involved, to ensure the security of the records and to prevent compromise or misuse during storage or transfer.

4.3. No record shall be maintained on how an individual exercises rights guaranteed by the First Amendment to the Constitution, except as follows:

4.3.1. Specifically authorized by statute;

4.3.2. Expressly authorized by the individual on whom the record is maintained; or

4.3.3. When the record is pertinent to and within the scope of an authorized law enforcement activity.

4.4. Notices shall be published in the “Federal Register” and reports shall be submitted to Congress and the Office of Management and Budget, in accordance with, and as required by, Section 552a of 5 U.S.C., OMB Circular A-130, and DoD 5400.11-R (references (b) through (d)), as to the existence and character of any system of records being established or revised by the DoD Components. Information shall not be collected, maintained, used, or disseminated until the required publication and review requirements, as set forth in Section 552a of 5 U.S.C., OMB Circular A-130, and DoD 5400.11-R (references (b) through (d)), are satisfied.

4.5. Individuals shall be permitted, to the extent authorized by Section 552a of reference (b) and reference (d), to:

4.5.1. Determine what records pertaining to them are contained in a system of records;

4.5.2. Gain access to such records and obtain a copy of those records or a part thereof;

4.5.3. Correct or amend such records on a showing that the records are not accurate, relevant, timely or complete; and

4.5.4. Appeal a denial of access or of a request for amendment.

4.6. Disclosure of records pertaining to an individual from a system of records shall be prohibited except with the consent of the individual or as otherwise authorized by Section 552a of reference (b), reference (d), and DoD 5400.7-R (reference (e)). When disclosures are made, the individual shall be permitted, to the extent authorized by Section 552a of reference (b) and reference (d), to seek an accounting of such disclosures from the DoD Component making the release.

4.7. Disclosure of records pertaining to personnel of the National Security Agency, the Defense Intelligence Agency, the National Reconnaissance Office, and the National Imagery and Mapping Agency shall be prohibited to the extent authorized by Pub. L. No. 86-36 (1959) and 10 U.S.C. 424 (references (f) and (g)).

4.8. Computer matching programs between the DoD Components and Federal, State, or local governmental agencies shall be conducted in accordance with the requirements of Section 552a of 5 U.S.C., OMB Circular A-130, and DoD 5400.11-R (references (b) through (d)).

4.9. DoD personnel and system managers shall conduct themselves, consistent with the established rules of conduct (enclosure 3), so that personal information to be stored in a system of records is collected, maintained, used, and disseminated only as authorized by this Directive, Section 552a of reference (b), and reference (d).

5. RESPONSIBILITIES

5.1. The Director of Administration and Management, Office of the Secretary of Defense, shall:

5.1.1. Serve as the Senior Privacy Official for the Department of Defense.

5.1.2. Provide policy guidance for, and coordinate and oversee administration of, the DoD Privacy Program to ensure compliance with the policies and procedures in Section 552a of reference (b) and reference (c).

5.1.3. Publish reference (d) and other guidance, to include Defense Privacy Board Advisory Opinions, to ensure timely and uniform implementation of the DoD Privacy Program.

5.1.4. Serve as the Chair of the Defense Privacy Board and the Defense Data Integrity Board (enclosure 4).

5.2. The Director of Washington Headquarters Services shall supervise and oversee the activities of the Defense Privacy Office (enclosure 4).

5.3. The General Counsel of the Department of Defense shall:

5.3.1. Provide advice and assistance on all legal matters arising out of, or incident to, the administration of the DoD Privacy Program.

5.3.2. Review and be the final approval authority on all advisory opinions issued by the Defense Privacy Board or the Defense Privacy Board Legal Committee.

5.3.3. Serve as a member of the Defense Privacy Board, the Defense Data Integrity Board, and the Defense Privacy Board Legal Committee (enclosure 4).

5.4. The Secretaries of the Military Departments and the Heads of the Other DoD Components shall:

5.4.1. Provide adequate funding and personnel to establish and support an effective DoD Privacy Program, to include the appointment of a senior official to serve as the principal point of contact (POC) for DoD Privacy Program matters.

5.4.2. Establish procedures, as well as rules of conduct, necessary to implement this Directive and DoD 5400.11-R (reference (d)) so as to ensure compliance with the requirements of Section 552a of 5 U.S.C. and OMB Circular A-130 (references (b) and (c)).

5.4.3. Conduct training, consistent with the requirements of reference (d), on the provisions of this Directive, Section 552a of reference (b), and references (c) and (d), for assigned and employed personnel and for those individuals having primary responsibility for implementing the DoD Privacy Program.

5.4.4. Ensure that the DoD Privacy Program is periodically reviewed by the Inspectors General or other officials who have specialized knowledge of the DoD Privacy Program.

5.4.5. Submit reports, consistent with the requirements of DoD 5400.11-R (reference (d)), as mandated by Section 552a and Chapter 8 of 5 U.S.C. (reference (b)), OMB Circular A-130 (reference (c)), and DoD Directive 5400.12 (reference (h)), and as otherwise directed by the Defense Privacy Office.

5.5. The Secretaries of the Military Departments shall provide support to the Combatant Commands, as identified in DoD Directive 5100.3 (reference (i)), in the administration of the DoD Privacy Program.

6. INFORMATION REQUIREMENTS

The reporting requirements in paragraph 5.4.5., above, are assigned Report Control Symbol DD-DA&M(A)1379.

7. EFFECTIVE DATE

This Directive is effective immediately.

Enclosures - 4
E1. References, continued
E2. Definitions
E3. Rules of Conduct
E4. Privacy Boards and Office

E1. ENCLOSURE 1
REFERENCES, continued

(e) DoD 5400.7-R, “DoD Freedom of Information Act Program,” September 4, 1998, authorized by DoD Directive 5400.7, September 29, 1997
(f) Public Law 86-36, “National Security Agency-Officers and Employees,” May 29, 1959
(g) Section 424 of title 10, United States Code
(h) DoD Directive 5400.12, “Obtaining Information from Financial Institutions,” February 6, 1980
(i) DoD Directive 5100.3, “Support of Headquarters of the Unified, Specified, and Subordinate Joint Commands,” November 1, 1988

E2. ENCLOSURE 2
DEFINITIONS

The following terms are used in this Directive:

E2.1.1. Individual. A living person who is a citizen of the United States or an alien lawfully admitted for permanent residence. The parent of a minor or the legal guardian of any individual also may act on behalf of an individual. Corporations, partnerships, sole proprietorships, professional groups, businesses, whether incorporated or unincorporated, and other commercial entities are not “individuals.”

E2.1.2. Personal Information. Information about an individual that identifies, relates or is unique to, or describes him or her; e.g., a social security number, age, military rank, civilian grade, marital status, race, salary, home/office phone numbers, etc.

E2.1.3. Record. Any item, collection, or grouping of information, whatever the storage media (e.g., paper, electronic, etc.), about an individual that is maintained by a DoD Component, including but not limited to his or her education, financial transactions, medical history, criminal or employment history, and that contains his or her name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

E2.1.4. System Manager. The DoD Component official who is responsible for the operation and management of a system of records.

E2.1.5. System of Records. A group of records under the control of a DoD Component from which personal information is retrieved by the individual’s name or by some identifying number, symbol, or other identifying particular assigned to an individual.

E3. ENCLOSURE 3
RULES OF CONDUCT

E3.1. DoD PERSONNEL SHALL:

E3.1.1. Take such actions as considered appropriate to ensure that personal information contained in a system of records, to which they have access or which they are using incident to the conduct of official business, is protected so that the security and confidentiality of the information are preserved.

E3.1.2. Not disclose any personal information contained in any system of records except as authorized by DoD 5400.11-R (reference (d)) or other applicable law or regulation. Personnel willfully making such a disclosure when knowing that disclosure is prohibited are subject to possible criminal penalties and/or administrative sanctions.

E3.1.3. Report any unauthorized disclosures of personal information from a system of records, or the maintenance of any system of records that is not authorized by this Directive, to the applicable Privacy POC for his or her DoD Component.

E3.2. DoD SYSTEM MANAGERS FOR EACH SYSTEM OF RECORDS SHALL:

E3.2.1. Ensure that all personnel who have access to the system of records, or who develop or supervise procedures for handling records in the system of records, are aware of their responsibilities for protecting personal information being collected and maintained under the DoD Privacy Program.

E3.2.2. Prepare promptly any required new, amended, or altered system notices for the system of records and submit them through their DoD Component Privacy POC to the Defense Privacy Office for publication in the “Federal Register.”

E3.2.3. Not maintain any official files on individuals that are retrieved by name or other personal identifier without first ensuring that a notice for the system of records has been published in the “Federal Register.” Any official who willfully maintains a system of records without meeting the publication requirements, as prescribed by Section 552a of 5 U.S.C., OMB Circular A-130, and DoD 5400.11-R (references (b) through (d)), is subject to possible criminal penalties and/or administrative sanctions.

E4. ENCLOSURE 4
PRIVACY BOARDS AND OFFICE
COMPOSITION AND RESPONSIBILITIES

E4.1. THE DEFENSE PRIVACY BOARD

E4.1.1. Membership. The Board shall consist of the Director of Administration and Management, OSD (DA&M), who shall serve as the Chair; the Director of the Defense Privacy Office, Washington Headquarters Services (WHS), who shall serve as the Executive Secretary and as a member; the representatives designated by the Secretaries of the Military Departments; and the following officials or their designees: the Deputy Under Secretary of Defense for Program Integration (DUSD(PI)); the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD(C3I)); the Director, Freedom of Information and Security Review, WHS; the General Counsel of the Department of Defense (GC, DoD); and the Director for Information Operations and Reports, WHS (DIO&R). The designees also may be the principal POC for the DoD Component for privacy matters.

E4.1.2. Responsibilities

E4.1.2.1. The Board shall have oversight responsibility for implementation of the DoD Privacy Program. It shall ensure that the policies, practices, and procedures of that Program are premised on the requirements of Section 552a of 5 U.S.C. and OMB Circular A-130 (references (b) and (c)), as well as other pertinent authority, and that the Privacy Programs of the DoD Components are consistent with, and in furtherance of, the DoD Privacy Program.

E4.1.2.2. The Board shall serve as the primary DoD policy forum for matters involving the DoD Privacy Program, meeting as necessary to address issues of common concern so as to ensure that uniform and consistent policy is adopted and followed by the DoD Components. The Board shall issue advisory opinions as necessary on the DoD Privacy Program so as to promote uniform and consistent application of Section 552a of 5 U.S.C., OMB Circular A-130, and DoD 5400.11-R (references (b) through (d)).

E4.1.2.3. The Board shall perform such other duties as determined by the Chair or the Board.

E4.2. THE DEFENSE DATA INTEGRITY BOARD

E4.2.1. Membership. The Board shall consist of the DA&M, OSD, who shall serve as the Chair; the Director of the Defense Privacy Office, WHS, who shall serve as the Executive Secretary; and the following officials or their designees: the representatives designated by the Secretaries of the Military Departments; the DUSD(PI); the ASD(C3I); the GC, DoD; the IG, DoD; the DIO&R (WHS); and the Director, Defense Manpower Data Center. The designees also may be the principal POC for the DoD Component for privacy matters.

E4.2.2. Responsibilities

E4.2.2.1. The Board shall oversee and coordinate, consistent with the requirements of Section 552a of 5 U.S.C., OMB Circular A-130, and DoD 5400.11-R (references (b) through (d)), all computer matching programs involving personal records contained in systems of records maintained by the DoD Components.

E4.2.2.2. The Board shall review and approve all computer matching agreements between the Department of Defense and other Federal, State or local governmental agencies, as well as memoranda of understanding when the match is internal to the Department of Defense, to ensure that, under Section 552a of reference (b) and references (c) and (d), appropriate procedural and due process requirements have been established before engaging in computer matching activities.

E4.3. THE DEFENSE PRIVACY BOARD LEGAL COMMITTEE

E4.3.1. Membership. The Committee shall consist of the Director, Defense Privacy Office, WHS, who shall serve as the Chair and the Executive Secretary; the GC, DoD, or designee; and civilian and/or military counsel from each of the DoD Components. The General Counsels (GCs) and The Judge Advocates General of the Military Departments shall determine who shall provide representation for their respective Department to the Committee. That does not preclude representation from each office. The GCs of the other DoD Components shall provide legal representation to the Committee. Other DoD civilian or military counsel may be appointed by the Executive Secretary, after coordination with the DoD Component concerned, to serve on the Committee on those occasions when specialized knowledge or expertise is required.

E4.3.2. Responsibilities

E4.3.2.1. The Committee shall serve as the primary legal forum for addressing and resolving all legal issues arising out of or incident to the operation of the DoD Privacy Program.

E4.3.2.2. The Committee shall consider legal questions regarding the applicability of Section 552a of 5 U.S.C., OMB Circular A-130, and DoD 5400.11-R (references (b) through (d)) and questions arising out of or as a result of other statutory and regulatory authority, to include the impact of judicial decisions on the DoD Privacy Program. The Committee shall provide advisory opinions to the Defense Privacy Board and, on request, to the DoD Components.

E4.4. THE DEFENSE PRIVACY OFFICE

E4.4.1. Membership. It shall consist of a Director and a staff. The Director also shall serve as the Executive Secretary and a member of the Defense Privacy Board; as the Executive Secretary to the Defense Data Integrity Board; and as the Chair and the Executive Secretary to the Defense Privacy Board Legal Committee.

E4.4.2. Responsibilities

E4.4.2.1. Manage activities in support of the Privacy Program oversight responsibilities of the DA&M.

E4.4.2.2. Provide operational and administrative support to the Defense Privacy Board, the Defense Data Integrity Board, and the Defense Privacy Board Legal Committee.

E4.4.2.3. Direct the day-to-day activities of the DoD Privacy Program.

E4.4.2.4. Provide guidance and assistance to the DoD Components in their implementation and execution of the DoD Privacy Program.

E4.4.2.5. Review proposed new, altered, and amended systems of records, to include submission of required notices for publication in the “Federal Register” and, when required, providing advance notification to the Office of Management and Budget (OMB) and the Congress, consistent with Section 552a of 5 U.S.C., OMB Circular A-130, and DoD 5400.11-R (references (b) through (d)).

E4.4.2.6. Review proposed DoD Component privacy rulemaking, to include submission of the rule to the Office of the Federal Register for publication and providing reports to the OMB and the Congress, consistent with Section 552a of reference (b) and references (c) and (d), and to the Office of the Comptroller General of the United States, consistent with Chapter 8 of reference (b).

E4.4.2.7. Develop, coordinate, and maintain all DoD computer matching agreements, to include submission of required match notices for publication in the “Federal Register” and advance notification to the OMB and the Congress of the proposed matches, consistent with Section 552a of reference (b) and references (c) and (d).

E4.4.2.8. Provide advice and support to the DoD Components to ensure that:

E4.4.2.8.1. All information requirements developed to collect or maintain personal data conform to DoD Privacy Program standards;

E4.4.2.8.2. Appropriate procedures and safeguards are developed, implemented, and maintained to protect personal information when it is stored in either a manual or an automated system of records or transferred by electronic or non-electronic means; and

E4.4.2.8.3. Specific procedures and safeguards are developed and implemented when personal data is collected and maintained for research purposes.

E4.4.2.9. Serve as the principal POC for coordination of privacy and related matters with the OMB and other Federal, State, and local governmental agencies.

E4.4.2.10. Compile and submit the “Biennial ‘Privacy Act’ Report” and the “Biennial Matching Activity Report” to the OMB as required by OMB Circular A-130 and DoD 5400.11-R (references (c) and (d)).

E4.4.2.11. Update and maintain this Directive and reference (d).