ADA271948 : Department of Defense Privacy Program. DODD-5400.11


Department of Defense

DIRECTIVE

NUMBER 5400.11

December 13, 1999

DA&M

SUBJECT:  DoD Privacy Program 

References:  (a)  DoD Directive 5400.11, “Department
of Defense Privacy Program,” June 9, 1982 (hereby canceled)

(b)  Section 552a and Chapter 8 of title 5, United States
Code

(c)  Office of Management and Budget Circular No. A-130,
“Management of Federal Information Resources,” February
8, 1996

(d)  DoD 5400.11-R, “Department of Defense Privacy Program,”
August 1983, authorized by this Directive

(e)  through (i), see enclosure 1

1.  REISSUANCE AND PURPOSE 

This Directive:

1.1.  Reissues reference (a) to update policies and
responsibilities of the DoD Privacy Program under Section
552a of reference (b), and under reference (c).

1.2.  Authorizes the Defense Privacy Board, the Defense
Privacy Board Legal Committee and the Defense Data Integrity
Board.

1.3.  Continues to authorize the publication of reference
(d).

1.4.  Continues to delegate authorities and responsibilities
for the effective administration of the DoD Privacy
Program.

2.  APPLICABILITY 

This Directive:

2.1.  Applies to the Office of the Secretary of Defense
(OSD), the Military Departments, the Chairman of the
Joint Chiefs of Staff, the Combatant Commands, the Inspector
General of the Department of Defense (IG, DoD), the
Uniformed Services University of the Health Sciences,
the Defense Agencies, and the DoD Field Activities (hereafter
referred to collectively as "the DoD Components").

2.2.  Shall be made applicable to DoD contractors who
are operating a system of records on behalf of a DoD
Component, to include any of the activities, such as
collecting and disseminating records, associated with
maintaining a system of records.

3.  DEFINITIONS 

Terms used in this Directive are defined in enclosure
2.

4.  POLICY 

It is DoD policy that:

4.1.  The personal privacy of an individual shall be
respected and protected.

4.2.  Personal information shall be collected, maintained,
used or disclosed to ensure that:

4.2.1.  It shall be relevant and necessary to accomplish
a lawful DoD purpose required to be accomplished by
statute or Executive order;

4.2.2.  It shall be collected to the greatest extent
practicable directly from the individual;

4.2.3.  The individual shall be informed as to why the
information is being collected, the authority for collection,
what uses will be made of it, whether disclosure is
mandatory or voluntary, and the consequences of not
providing that information;

4.2.4.  It shall be relevant, timely, complete and accurate
for its intended use; and

4.2.5.  Appropriate administrative, technical, and physical
safeguards shall be established, based on the media
(e.g., paper, electronic, etc.) involved, to ensure
the security of the records and to prevent compromise
or misuse during storage or transfer.

4.3.  No record shall be maintained on how an individual
exercises rights guaranteed by the First Amendment to
the Constitution, except as follows:

4.3.1.  Specifically authorized by statute;

4.3.2.  Expressly authorized by the individual on whom
the record is maintained; or

4.3.3.  When the record is pertinent to and within the
scope of an authorized law enforcement activity.

4.4.  Notices shall be published in the “Federal Register”
and reports shall be submitted to Congress and the Office
of Management and Budget, in accordance with, and as
required by, Section 552a of 5 U.S.C., OMB Circular
A-130, and DoD 5400.11-R (references (c) through (d)),
as to the existence and character of any system of records
being established or revised by the DoD Components.
  Information shall not be collected, maintained, used,
or disseminated until the required publication/review
requirements, as set forth in Section 552a of 5 U.S.C.,
OMB Circular A-130, and DoD 5400.11-R (references (c)
through (d)), are satisfied.

4.5.  Individuals shall be permitted, to the extent
authorized by Section 552a of reference (b) and reference
(d), to:

4.5.1.  Determine what records pertaining to them are
contained in a system of records;

4.5.2.  Gain access to such records and to obtain a
copy of those records or a part thereof;

4.5.3.  Correct or amend such records on a showing that
the records are not accurate, relevant, timely or complete;

4.5.4.  Appeal a denial of access or a request for amendment.

4.6.  Disclosure of records pertaining to an individual
from a system of records shall be prohibited except
with the consent of the individual or as otherwise authorized
by Section 552a of reference (b), reference (d), and
DoD 5400.7-R (reference (e)).   When disclosures are
made, the individual shall be permitted, to the extent
authorized by Section 552a of reference (b) and reference
(d), to seek an accounting of such disclosures from
the DoD Component making the release.

4.7.  Disclosure of records pertaining to personnel
of the National Security Agency, the Defense Intelligence
Agency, the National Reconnaissance Office, and the
National Imagery and Mapping Agency shall be prohibited
to the extent authorized by Pub. L. No. 86-36 (1959)
and 10 U.S.C. 424 (references (f) and (g)).

4.8.  Computer matching programs between the DoD Components
and the Federal, State, or local governmental agencies
shall be conducted in accordance with the requirements
of Section 552a of 5 U.S.C., OMB Circular A-130, and
DoD 5400.11-R (references (b) through (d)).

4.9.  DoD personnel and system managers shall conduct
themselves, consistent with established rules of conduct
(enclosure 3), so that personal information to be stored
in a system of records only shall be collected, maintained,
used, and disseminated as is authorized by this Directive,
Section 552a of reference (b), and reference (d).

5.  RESPONSIBILITIES 

5.1.  The Director of Administration and Management,
Office of the Secretary of Defense, shall:

5.1.1.  Serve as the Senior Privacy Official for the
Department of Defense.

5.1.2.  Provide policy guidance for, and coordinate
and oversee administration of, the DoD Privacy Program
to ensure compliance with policies and procedures in
Section 552a of reference (b) and reference (c).

5.1.3.  Publish reference (d) and other guidance, to
include Defense Privacy Board Advisory Opinions, to
ensure timely and uniform implementation of the DoD
Privacy Program.

5.1.4.  Serve as the Chair to the Defense Privacy Board
and the Defense Data Integrity Board (enclosure 4).

5.2.  The Director of Washington Headquarters Services
shall supervise and oversee the activities of the Defense
Privacy Office (enclosure 4).

5.3.  The General Counsel of the Department of Defense
shall:

5.3.1.  Provide advice and assistance on all legal matters
arising out of, or incident to, the administration of
the DoD Privacy Program.

5.3.2.  Review and be the final approval authority on
all advisory opinions issued by the Defense Privacy
Board or the Defense Privacy Board Legal Committee.

5.3.3.  Serve as a member of the Defense Privacy Board,
the Defense Data Integrity Board, and the Defense Privacy
Board Legal Committee (enclosure 4).

5.4.  The Secretaries of the Military Departments and
the Heads of the Other DoD Components shall:

5.4.1.  Provide adequate funding and personnel to establish
and support an effective DoD Privacy Program, to include
the appointment of a senior official to serve as the
principal point of contact (POC) for DoD Privacy Program
matters.

5.4.2.  Establish procedures, as well as rules of conduct,
necessary to implement this Directive and DoD 5400.11-R
(reference (d)) so as to ensure compliance with the
requirements of Section 552a of 5 U.S.C. and OMB Circular
A-130 (references (b) and (c)).

5.4.3.  Conduct training, consistent with the requirements
of reference (d), on the provisions of this Directive,
Section 552a of reference (b), and references (c) and
(d), for assigned and employed personnel and for those
individuals having primary responsibility for implementing
the DoD Privacy Program.

5.4.4.  Ensure that the DoD Privacy Program periodically
shall be reviewed by the Inspectors General or other
officials, who shall have specialized knowledge of the
DoD Privacy Program.

5.4.5.  Submit reports, consistent with the requirements
of DoD 5400.11-R (reference (d)), as mandated by Section
552a and Chapter 8 of 5 U.S.C. (reference (b)), OMB
Circular A-130 (reference (c)), and DoD Directive 5400.12
(reference (h)), and as otherwise directed by the Defense
Privacy Office.

5.5.  The Secretaries of the Military Departments shall
provide support to the Combatant Commands, as identified
in DoD Directive 5100.3 (reference (i)), in the administration
of the DoD Privacy Program.

6.  INFORMATION REQUIREMENTS 

The reporting requirements in paragraph 5.4.5., above,
are assigned Report Control Symbol DD-DA&M(A)1379.

7.  EFFECTIVE DATE 

This Directive is effective immediately.

Enclosures - 4 

E1.  References, continued

E2.  Definitions

E3.  Rules of Conduct

E4.  Privacy Boards and Office

E1.  ENCLOSURE 1

REFERENCES, continued

(e)  DoD 5400.7-R, “DoD Freedom of Information Act Program,”
September 4, 1998, authorized by DoD Directive 5400.7,
September 29, 1997

(f)  Public Law 86-36, “National Security Agency-Officers
and Employees,” May 29, 1959

(g)  Section 424 of title 10, United States Code

(h)  DoD Directive 5400.12, “Obtaining Information from
Financial Institutions,” February 6, 1980

(i)  DoD Directive 5100.3, “Support of Headquarters
of the Unified, Specified, and Subordinate Joint Commands,
“ November 1, 1988

E2.  ENCLOSURE 2

DEFINITIONS

 The Following terms are used in the Directive:

E2.1.1.  Individual.   A living person who is a citizen
of the United States or an alien lawfully admitted for
permanent residence.   The parent of a minor or the
legal guardian of any individual also may act on behalf
of an individual.   Corporations, partnerships, sole
proprietorships, professional groups, businesses, whether
incorporated or unincorporated, and other commercial
entities are not “individuals.”

E2.1.2.  Personal Information.   Information about an
individual that identifies, relates or is unique to,
or describes him or her; e.g., a social security number,
age, military rank, civilian grade, marital status,
race, salary, home/office phone numbers, etc.

E2.1.3.  Record.   Any item, collection, or grouping
of information, whatever the storage media (e.g., paper,
electronic, etc.), about an individual that is maintained
by a DoD Component, including but not limited to, his
or her education, financial transactions, medical history,
criminal or employment history and that contains his
or her name, or the identifying number, symbol, or other
identifying particular assigned to the individual, such
as a finger or voice print or a photograph.

E2.1.4.  System Manager.   The DoD Component official
who is responsible for the operation and management
of a system of records.

E2.1.5.  System of Records.   A group of records under
the control of a DoD Component from which personal information
is retrieved by the individual’s name or by some identifying
number, symbol, or other identifying particular assigned
to an individual.

E3.   ENCLOSURE 3

RULES OF CONDUCT

E3.1.  DoD PERSONNEL SHALL: 

E3.1.1.  Take such actions, as considered appropriate,
to ensure that personal information contained in a system
of records, to which they have access to or are using
incident to the conduct of official business, shall
be protected so that the security and confidentiality
of the information shall be preserved.

E3.1.2.  Not disclose any personal information contained
in any system of records except as authorized by DoD
5400.11-R (reference (d)) or other applicable law or
regulation.   Personnel willfully making such a disclosure
when knowing that disclosure is prohibited are subject
to possible criminal penalties and/or administrative
sanctions.

E3.1.3.  Report any unauthorized disclosures of personal
information from a system of records or the maintenance
of any system of records that are not authorized by
this Directive to the applicable Privacy POC for his
or her DoD Component.

E3.2.  DoD SYSTEM MANAGERS FOR EACH SYSTEM OF RECORDS
SHALL: 

E3.2.1.  Ensure that all personnel who either shall
have access to the system of records or who shall develop
or supervise procedures for handling records in the
system of records shall be aware of their responsibilities
for protecting personal information being collected
and maintained under the DoD Privacy Program.

E3.2.2.  Prepare promptly any required new, amended,
or altered system notices for the system of records
and submit them through their DoD Component Privacy
POC to the Defense Privacy Office for publication in
the “Federal Register.”

E3.2.3.  Not maintain any official files on individuals
which are retrieved by name or other personal identifier
without first ensuring that a notice for the system
of records shall have been published in the "Federal
Register."   Any official who willfully maintains a
system of records without meeting the publication requirements,
as prescribed by Section 552a of 5 U.S.C., OMB Circular
A-130, and DoD 5400.11-R (references (b) through (d)),
is subject to possible criminal penalties and/or administrative
sanctions.

E4.  ENCLOSURE 4

PRIVACY BOARDS AND OFFICE

COMPOSITION AND RESPONSIBILITIES

E4.1.  THE DEFENSE PRIVACY BOARD 

E4.1.1.  Membership.   The Board shall consist of the
Director of Administration and Management, OSD(DA&M),
who shall serve as the Chair; the Director of the Defense
Privacy Office, Washington Headquarters Services (WHS),
who shall serve as the Executive Secretary and as a
member; the representatives designated by the Secretaries
of the Military Departments; and the following officials
or their designees:   the Deputy Under Secretary of
Defense for Program Integration (DUSD(PI)); the Assistant
Secretary of Defense for Command, Control, Communications,
and Intelligence (ASD(C3I)); the Director, Freedom of
Information and Security Review, WHS; the General Counsel
of the Department of Defense (GC, DoD); and the Director
for Information Operations and Reports, WHS (DIO&R).
  The designees also may be the principal POC for the
DoD Component for privacy matters.

E4.1.2.  Responsibilities 

E4.1.2.1.  The Board shall have oversight responsibility
for implementation of the DoD Privacy Program.   It
shall ensure that the policies, practices, and procedures
of that Program are premised on the requirements of
Section 552a of 5 U.S.C. and OMB Circular A-130 (references
(b) and (c)), as well as other pertinent authority,
and that the Privacy Programs of the DoD Component are
consistent with, and in furtherance of, the DoD Privacy
Program.

E4.1.2.2.  The Board shall serve as the primary DoD
policy forum for matters involving the DoD Privacy Program,
meeting as necessary, to address issues of common concern
so as to ensure that uniform and consistent policy shall
be adopted and followed by the DoD Components.   The
Board shall issue advisory opinions as necessary on
the DoD Privacy Program so as to promote uniform and
consistent application of Section 552a of 5 U.S.C.,
OMB Circular A-130, and DoD 5400.11-R (references (b)
through (d)).

E4.1.2.3.  Perform such other duties as determined by
the Chair or the Board.

E4.2.  THE DEFENSE DATA INTEGRITY BOARD 

E4.2.1.  Membership.   The Board shall consist of the
DA&M, OSD, who shall serve as the Chair; the Director
of the Defense Privacy Office, WHS, who shall serve
as the Executive Secretary; and the following officials
or their designees:   the representatives designated
by the Secretaries of the Military Departments; the
DUSD(PI); the ASD(C3I); the GC, DoD; the IG, DoD; the
DIO&R(WHS); and the Director, Defense Manpower Data
Center.   The designees also may be the principal POC
for the DoD Component for privacy matters.

E4.2.2.  Responsibilities 

E4.2.2.1.  The Board shall oversee and coordinate, consistent
with the requirements of Section 552a of 5 U.S.C., OMB
Circular A-130, and DoD 5400.11-R (references (b) through(d)),
all computer matching programs involving personal records
contained in system of records maintained by the DoD
Components.

E4.2.2.2.  The Board shall review and approve all computer
matching agreements between the Department of Defense
and the other Federal, State or local governmental agencies,
as well as memoranda of understanding when the match
is internal to the Department of Defense, to ensure
that, under Section 552a of reference (b) and references
(c) and (d), appropriate procedural and due process
requirements shall have been established before engaging
in computer matching activities.

E4.3.  THE DEFENSE PRIVACY BOARD LEGAL COMMITTEE 

E4.3.1.  Membership.   The Committee shall consist of
the Director, Defense Privacy Office, WHS, who shall
serve as the Chair and the Executive Secretary; the
GC, DoD, or designee; and civilian and/or military counsel
from each of the DoD Components.   The General Counsels
(GCs) and The Judge Advocates General of the Military
Departments shall determine who shall provide representation
for their respective Department to the Committee.  
That does not preclude representation from each office.
  The GCs of the other DoD Components shall provide
legal representation to the Committee.   Other DoD civilian
or military counsel may be appointed by the Executive
Secretary, after coordination with the DoD Component
concerned, to serve on the Committee on those occasions
when specialized knowledge or expertise shall be required.

E4.3.2.  Responsibilities 

E4.3.2.1.  The Committee shall serve as the primary
legal forum for addressing and resolving all legal issues
arising out of or incident to the operation of the DoD
Privacy Program.

E4.3.2.2.  The Committee shall consider legal questions
regarding the applicability of Section 552a of 5 U.S.C.,
OMB Circular A-130, and DoD 5400.11-R (references (b)
 through (d)) and questions arising out of or as a result
of other statutory and regulatory authority, to include
the impact of judicial decisions, on the DoD Privacy
Program.   The Committee shall provide advisory opinions
to the Defense Privacy Board and, on request, to the
DoD Components.

E4.4.  THE DEFENSE PRIVACY OFFICE 

E4.4.1.  Membership.   It shall consist of a Director
and a staff.   The Director also shall serve as the
Executive Secretary and a member of the Defense Privacy
Board; as the Executive Secretary to the Defense Data
Integrity Board; and as the Chair and the Executive
Secretary to the Defense Privacy Board Legal Committee.

E4.4.2.  Responsibilities 

E4.4.2.1.  Manage activities in support of the Privacy
Program oversight responsibilities of the DA&M.

E4.4.2.2.  Provide operational and administrative support
to the Defense Privacy Board, the Defense Data Integrity
Board, and the Defense Privacy Board Legal Committee.

E4.4.2.3.  Direct the day-to-day activities of the DoD
Privacy Program.

E4.4.2.4.  Provide guidance and assistance to the DoD
Components in their implementation and execution of
the DoD Privacy Program.

E4.4.2.5.  Review proposed new, altered, and amended
systems of records, to include submission of required
notices for publication in the “Federal Register” and,
when required, providing advance notification to the
Office of Management and Budget (OMB) and the Congress,
consistent with Section 552a of 5 U.S.C., OMB Circular
A-130, and DoD 5400.11-R (references (b) through (d)).

E4.4.2.6.  Review proposed DoD Component privacy rulemaking,
to include submission of the rule to the Office of the
Federal Register for publication and providing to the
OMB and the Congress reports, consistent with Section
552a of reference (b) and references (c) and (d), and
to the Office of the Comptroller General of the United
States, consistent with Chapter 8 of reference (b).

E4.4.2.7.  Develop, coordinate, and maintain all DoD
computer matching agreements, to include submission
of required match notices for publication in the “Federal
Register” and advance notification to the OMB and the
Congress of the proposed matches, consistent with Section
552a of reference (b) and references (c) and (d).

E4.4.2.8.  Provide advice and support to the DoD Components
to ensure that:

E4.4.2.8.1.  All information requirements developed
to collect or maintain personal data conform to DoD
Privacy Program standards;

E4.4.2.8.2.  Appropriate procedures and safeguards shall
be developed, implemented, and maintained to protect
personal information when it is stored in either a manual
and/or automated system of records or transferred by
electronic on non-electronic means; and

E4.4.2.8.3.  Specific procedures and safeguards shall
be developed and implemented when personal data is collected
and maintained for research purposes.

E4.4.2.9.  Serve as the principal POC for coordination
of privacy and related matters with the OMB and other
Federal, State, and local governmental agencies.

E4.4.2.10.  Compile and submit the “Biennial ‘Privacy
Act’ Report” and the “Biennial Matching Activity Report”
to the OMB as required by OMB Circular A-130 and DoD
5400.11-R (references (c) and (d)).

E4.4.2.11.  Update and maintain this Directive and reference
(d).