The Privacy Act (PA) of 1974, 5 U.S.C. 552a, is a federal statute that establishes safeguards for the protection of records that the Federal Government (Executive Branch only) collects and maintains on U.S. citizens and aliens lawfully admitted for permanent residence. Specifically, it mandates that the Government:
- Disclose why information is being collected and how it will be used;
- Maintain only what is needed to accomplish agency business;
- Publish any new, revised, or deleted system of records notices in the Federal Register;
- Ensure that information is accurate, relevant, timely, and complete; and
- Provide individuals with the opportunity to correct inaccuracies in their record.
The Privacy Act only covers information filed within a "system of records." A system of records is a group of files that:
- Contain an individual's name, Social Security Number (SSN), or some other unique personal identifier (such as employee number) and one other element of personal information about the individual (such as date of birth); AND
- Are retrieved by an individual's name, SSN, or personal identifier.
An individual may be charged only for the direct cost of copying and reproduction, computed using the appropriate portions of the fee schedule in 32 CFR part 310. Normally, fees are waived automatically if the direct costs of a given request are less than $30. This fee waiver provision does not apply when a waiver has been granted to the individual before, and later requests appear to be an extension or duplication of that original request. DLA activities may, however, set aside this automatic fee waiver provision when, on the basis of good evidence, they determine that the waiver of fees is not in the public interest. Decisions to waive or reduce fees that exceed the automatic waiver threshold will be made on a case-by-case basis.
Systems of Records Notices
DLA Privacy Act systems of records are decentralized, located at the HQ DLA facility and at the DLA Field Activities, and established based on the type of information they contain. For example, separate Privacy Act systems exist for employee training records, firefighter/EMT records, vehicle/traffic incidents, firearms registration records, and so on. Thus, there is no one file that contains "all" information about an individual. Records are normally located in the geographic area where the individual developed a relationship with DLA. DLA's published Privacy Act systems of records notices may be found at Defense Privacy, Civil Liberties, and Transparency Division DoD Component Notices.
You are encouraged to scan other DoD Component Privacy Act systems of records notices because a handful of DoD Components have been given DoD-wide responsibility for certain programs/information collections. For example, DoD consolidated certain finance and accounting activities under the Defense Finance and Accounting Service (DFAS). DFAS is responsible for maintaining the Privacy Act systems of records for DoD civilian and military pay (active and reserve); military retiree and annuity pay; and travel pay. Other DoD Components' published Privacy system of records notices may be found at Defense Privacy, Civil Liberties, and Transparency Privacy SORNs.
Some Federal agencies have responsibility for one or more Privacy Act systems of records which are applicable Government-wide. This negates the need for DLA to publish a system notice if it maintains records under any one of the Government-wide Privacy Act systems of records notices. All Federal Privacy Act systems of records notices may be found on the Government Printing Office webpage Systems of Records Notices (SORNs).
Not all records about an individual must be disclosed under the Privacy Act. Some records may be withheld to protect important government interests such as national security or law enforcement. The Privacy Act exemptions are different than the exemptions of the FOIA. Under the FOIA, any record may be withheld from disclosure if it contains exempt information when a request is received. The decision to apply a FOIA exemption is made only after a request has been made. In contrast, Privacy Act exemptions apply not to a record but to a "system of records." Before an agency can apply a Privacy Act exemption, the agency must first publish a rule stating that there may be exempt records in that "system of records." Since most record systems are not exempt, the exemptions are not relevant to most requests. Because Privacy Act exemptions are complex and used infrequently, most requesters need not worry about them. The exemptions are set out in the law. Privacy Act exemption rules are published in the Federal Register. DLA has created a COMPILATION of our applicable exemption rules for ease of reference.
Verification of Identity
Depending on the type of records being sought, you may need to verify your identity before any action will be taken on any request. This can be done by providing DLA with a notarized statement or an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following format:
- If executed within the United States, its territories, possessions, or commonwealths: "I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature)".
- If executed without the United States: "I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature)".
Amending a Record
Under the Privacy Act, you may ask that information in your file be amended if it is not accurate, relevant, timely, or complete.
Amendment requests must be in writing; however, most routine corrections or updates (such as a change of home address or telephone number) may be made verbally to the System manager identified within the DLA Privacy Act system of records notice.
- You may only request correction of factual information, not matters of opinion.
- Your request must include a description of the information to be amended and the reason for amendment. If you believe that information is inaccurate or incomplete, you will need to provide documented evidence supporting your position. Likewise, for amendments involving relevance or timeliness, you will need to provide a detailed rationale to support your position. The burden of proof is on the individual to show that information is not accurate, relevant, timely, or complete.
DoD Privacy Rules of Conduct
The Privacy Act requires each Agency to establish rules of conduct for all persons involved in the design, development, operation, and maintenance of any system of record and to train these persons with respect to these rules. These rules of conduct are set forth in DOD Directive 5400.11, Department of Defense Privacy Program and codified at 32 CFR part 310.
DoD personnel shall:
- Take such actions, as considered appropriate, to ensure that any personal information contained in a system of records to which they have access and which they are using to conduct official business shall be protected so that the security and confidentiality of the information shall be preserved.
- Not disclose any personal information contained in any system of records, except as authorized. Personnel willfully making such disclosure when knowing that disclosure is prohibited are subject to possible criminal penalties and/or administrative sanctions.
- Report any unauthorized disclosures of personal information from a system of records or the maintenance of any system of records that are not authorized by this Directive to the applicable Privacy POC for his or her DoD Component.
DoD system managers for each system of records shall:
- Ensure that all personnel who either shall have access to the system of records or who shall develop or supervise procedures for handling records in the system of records shall be aware of their responsibilities and are properly trained to safeguard personal information being collected and maintained under the DoD Privacy Program.
- Prepare promptly any required new, amended, or altered system notices for the system of records and submit them through their DoD Component Privacy POC to the Defense Privacy Office for publication in the Federal Register.
- Not maintain any official files on individuals, which are retrieved by name or other personal identifier, without first ensuring that a notice for the system of records shall have been published in the Federal Register. Any official who willfully maintains a system of records without meeting the publication requirements is subject to possible criminal penalties and/or administrative sanctions.
Privacy Act Reports
The Biennial Privacy Act report was repealed by the Federal Reports Elimination and Sunset Act of 1995, Pub. L. No. 104-66, § 3003, 109 Stat. 707, 734-36 (1995), amended by Pub. L. No. 106-113, § 236, 113 Stat. 1501, 1501A-302 (1999) (changing effective date to May 15, 2000).