80 FR 12558 - DCAA Privacy Act Program

DEPARTMENT OF DEFENSE
Office of the Secretary

Federal Register Volume 80, Issue 46 (March 10, 2015)

Page Range: 12558-12561
FR Document: 2015-05374

[Rules and Regulations]


=======================================================================
-----------------------------------------------------------------------

32 CFR Part 317

[DOD-2008-OS-0068]
RIN 0790-AJ23


DCAA Privacy Act Program

AGENCY: Department of Defense.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Defense Contract Audit Agency (DCAA) is amending the DCAA 
Privacy Act Program Regulation. Specifically, DCAA is adding an 
exemption section to include an exemption for RDCAA 900.1, DCAA 
Internal Review Case Files. This rule provides policies and procedures 
for the DCAA's implementation of the Privacy Act of 1974, as amended.

DATES: This rule is effective on April 9, 2015.

FOR FURTHER INFORMATION CONTACT: Mr. Keith Mastromichalis, FOIA/PA 
Management Analyst, DCAA HQ, 703-767-1022.

SUPPLEMENTARY INFORMATION: The revisions to this rule are part of DoD's 
retrospective plan under EO 13563 completed in August 2011. DoD's full 
plan can be accessed at http://www.regulations.gov/#!docketBrowser;rpp=25;po=0;dct=N%252BFR%252BPR%252BO;D=DOD-2011-OS-0036.

Executive Summary

I. Purpose of This Regulatory Action

    a. This rule provides policies and procedures for DCAA's 
implementation of the Privacy Act of 1974, as amended.
    b. Authority: Privacy Act of 1974, Pub. L. 93-579, 88 Stat. 1896 (5 
U.S.C. 552a).

II. Summary of the Major Provisions of This Regulatory Action

    DCAA is adding an exemption section to include an exemption for 
RDCAA 900.1, DCAA Internal Review Case Files.

III. Costs and Benefits of This Regulatory Action

    This regulatory action imposes no monetary costs to the Agency or 
public. The benefit to the public is the accurate reflection of the 
Agency's Privacy Program to ensure that policies and procedures are 
known to the public.

Public Comments

    On Thursday, February 6, 2014 (79 FR 7114-7117), the Department of 
Defense published a proposed rule requesting public comment. No 
comments were received on the proposed rule, and no changes have been 
made in the final rule.

Regulatory Procedures

Executive Order 12866, ``Regulatory Planning and Review'' and Executive 
Order 13563, ``Improving Regulation and Regulatory Review''

    It has been determined that this rule is not a significant 
regulatory action under these Executive Orders. This rule does not (1) 
Have an annual effect on the economy of $100 million or more or 
adversely affect in a material way the economy; a sector of the 
economy; productivity; competition; jobs; the environment; public 
health or safety; or State, local, or tribal governments or 
communities; (2) Create a serious inconsistency or otherwise interfere 
with an action taken or planned by another Agency; (3) Materially alter 
the budgetary impact of entitlements, grants, user fees, or loan 
programs, or the rights and obligations of recipients thereof; or (4) 
Raise novel legal or policy issues arising out of legal mandates, the 
President's priorities, or the principles set forth in these Executive 
Orders.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. Chapter 6)

    It has been certified that this rule does not have significant 
economic impact on a substantial number of small entities because it is 
concerned only with the administration of the Privacy Act within the 
Department of Defense.

Public Law 95-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

    It has been determined that this rule imposes no information 
collection requirements on the public under the Paperwork Reduction Act 
of 1995.

Section 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    It has been determined that this rule does not involve a Federal 
mandate that may result in the expenditure by State, local and tribal 
governments, in the aggregate, or by the private sector, of $100 
million or more and that such rulemaking will not significantly or 
uniquely affect small governments.

Executive Order 13132, ``Federalism''

    It has been determined that this rule does not have federalism 
implications. This rule does not have substantial direct effects on the 
States, on the relationship between the National Government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government.

List of Subjects in 32 CFR Part 317

    Privacy.

    Accordingly 32 CFR part 317 is revised to read as follows:

PART 317--DCAA PRIVACY ACT PROGRAM

Sec.
317.1 Purpose.
317.2 Applicability and scope.
317.3 Policy.
317.4 Responsibilities.
317.5 Procedures.
317.6 Procedures for exemptions.

    Authority:  Pub. L. 93-579, 88 Stat. 1896 (5 U.S.C. 552a).


Sec.  317.1  Purpose.

    This part provides policies and procedures for the Defense Contract 
Audit Agency's (DCAA) implementation of the Privacy Act of 1974 (5 
U.S.C. 552a) and 32 CFR part 310, and is intended to promote uniformity 
within DCAA.


Sec.  317.2  Applicability and scope.

    (a) This part applies to all DCAA organizational elements and takes 
precedence over all regional regulatory issuances that supplement the 
DCAA Privacy Program.
    (b) This part shall be made applicable by contract or other legally 
binding action to contractors whenever a DCAA contract provides for the 
operation of a system of records or portion of a system of records to 
accomplish an Agency function.


Sec.  317.3  Policy.

    (a) It is DCAA policy that personnel will comply with the DCAA 
Privacy Program; the Privacy Act of 1974; and the DoD Privacy Program 
(32 CFR part 310). Strict adherence is necessary to ensure uniformity 
in the implementation of the DCAA Privacy Program and create conditions 
that will foster public trust. It is also Agency policy to safeguard 
personal information contained in any system of records maintained by 
DCAA organizational elements and to make that information available to 
the individual to whom it pertains to the maximum extent practicable.
    (b) DCAA policy specifically requires that DCAA organizational 
elements:
    (1) Collect, maintain, use, and disseminate personal information 
only when it is relevant and necessary to achieve a purpose required by 
statute or Executive Order.
    (2) Collect personal information directly from the individuals to 
whom it pertains to the greatest extent practical.
    (3) Inform individuals who are asked to supply personal information 
for inclusion in any system of records:
    (i) The authority for the solicitation.
    (ii) Whether furnishing the information is mandatory or voluntary.
    (iii) The intended uses of the information.
    (iv) The routine disclosures of the information that may be made 
outside of DoD.
    (v) The effect on the individual of not providing all or any part 
of the requested information.
    (4) Ensure that records used in making determinations about 
individuals and those containing personal information are accurate, 
relevant, timely, and complete for the purposes for which they are 
being maintained before making them available to any recipients outside 
of DoD, other than a Federal agency, unless the disclosure is made 
under DCAA Regulation 5410.8, DCAA Freedom of Information Act Program.
    (5) Keep no record that describes how individuals exercise their 
rights guaranteed by the First Amendment to the U.S. Constitution, 
unless expressly authorized by statute or by the individual to whom the 
records pertain or is pertinent to and within the scope of an 
authorized law enforcement activity.
    (6) Notify individuals whenever records pertaining to them are made 
available under compulsory legal processes, if such process is a matter 
of public record.
    (7) Establish safeguards to ensure the security of personal 
information and to protect this information from threats or hazards 
that might result in substantial harm, embarrassment, inconvenience, or 
unfairness to the individual.
    (8) Establish rules of conduct for DCAA personnel involved in the 
design, development, operation, or maintenance of any system of records 
and train them in these rules of conduct.
    (9) Assist individuals in determining what records pertaining to 
them are being collected, maintained, used, or disseminated.
    (10) Permit individual access to the information pertaining to them 
maintained in any system of records, and to correct or amend that 
information, unless an exemption for the system has been properly 
established for an important public purpose.
    (11) Provide, on request, an accounting of all disclosures of the 
information pertaining to them except when disclosures are made:
    (i) To DoD personnel in the course of their official duties.
    (ii) Under DCAA Regulation 5410.8, DCAA Freedom of Information Act 
Program.
    (iii) To another agency or to an instrumentality of any 
governmental jurisdiction within or under control of the United States 
conducting law enforcement activities authorized by law.
    (12) Advise individuals on their rights to appeal any refusal to 
grant access to or amend any record pertaining to them, and file a 
statement of disagreement with the record in the event amendment is 
refused.


Sec.  317.4  Responsibilities.

    (a) The Assistant Director, Resources has overall responsibility 
for the DCAA Privacy Act Program and will serve as the sole appellate 
authority for appeals to decisions of respective initial denial 
authorities.
    (b) The Chief, Administrative Management Division under the 
direction of the Assistant Director, Resources, shall:
    (1) Establish, issue, and update policies for the DCAA Privacy Act 
Program; monitor compliance with this part; and provide policy guidance 
for the DCAA Privacy Act Program.
    (2) Resolve conflicts that may arise regarding implementation of 
DCAA Privacy Act policy.
    (3) Designate an Agency Privacy Act Advisor, as a single point of 
contact, to coordinate on matters concerning Privacy Act policy.
    (4) Make the initial determination to deny an individual's written 
Privacy Act request for access to or amendment of documents filed in 
Privacy Act systems of records. This authority cannot be delegated.
    (c) The DCAA Privacy Act Advisor under the supervision of the 
Chief, Administrative Management Division shall:
    (1) Manage the DCAA Privacy Act Program in accordance with this 
part and applicable DCAA policies, as well as DoD and Federal 
regulations.
    (2) Provide guidelines for managing, administering, and 
implementing the DCAA Privacy Act Program.
    (3) Implement and administer the Privacy Act program at the 
Headquarters.
    (4) Ensure that the collection, maintenance, use, or dissemination 
of records of identifiable personal information is in a manner that 
assures that such action is for a necessary and lawful purpose; that 
the information is timely and accurate for its intended use; and that 
adequate safeguards are provided to prevent misuse of such information.
    (5) Prepare promptly any required new, amended, or altered system 
notices for systems of records subject to the Privacy Act and submit 
them to the Defense Privacy Office for subsequent publication in the 
Federal Register.
    (6) Conduct training on the Privacy Act program for Agency 
personnel.
    (d) Heads of Principal Staff Elements are responsible for:
    (1) Reviewing all regulations or other policy and guidance 
issuances for which they are the proponent to ensure consistency with 
the provisions of this part.
    (2) Ensuring that the provisions of this part are followed in 
processing requests for records.
    (3) Forwarding to the DCAA Privacy Act Advisor, any Privacy Act 
requests received directly from a member of the public, so that the 
request may be administratively controlled and processed.
    (4) Ensuring the prompt review of all Privacy Act requests, and 
when required, coordinating those requests with other organizational 
elements.
    (5) Providing recommendations to the DCAA Privacy Act Advisor 
regarding the releasability of DCAA records to members of the public, 
along with the responsive documents.
    (6) Providing the appropriate documents, along with a written 
justification for any denial, in whole or in part, of a request for 
records to the DCAA Privacy Act Advisor. Those portions to be excised 
should be bracketed in red pencil, and the specific exemption or 
exemptions cited which provide the basis for denying the requested 
records.
    (e) The General Counsel is responsible for:
    (1) Ensuring uniformity is maintained in the legal position, and 
the interpretation of the Privacy Act; 32 CFR part 310; and this part.
    (2) Consulting with DoD General Counsel on final denials that are 
inconsistent with decisions of other DoD components, involve issues not 
previously resolved, or raise new or significant legal issues of 
potential significance to other Government agencies.
    (3) Providing advice and assistance to the Assistant Director, 
Resources; Regional Directors; and the Regional Privacy Act Officer, 
through the DCAA Privacy Act Advisor, as required, in the discharge of 
their responsibilities.
    (4) Coordinating Privacy Act litigation with the Department of 
Justice.
    (5) Coordinating on Headquarters denials of initial requests.
    (f) Each Regional Director is responsible for the overall 
management of the Privacy Act program within their respective regions. 
Under his/her direction, the Regional Resources Manager is responsible 
for the management and staff supervision of the program and for 
designating a Regional Privacy Act Officer. Regional Directors will, as 
designee of the Director, make the initial determination to deny an 
individual's written Privacy Act request for access to or amendment of 
documents filed in Privacy Act systems of records. This authority 
cannot be delegated.
    (g) Regional Privacy Act Officers will:
    (1) Implement and administer the Privacy Act program throughout the 
region.
    (2) Ensure that the collection, maintenance, use, or dissemination 
of records of identifiable personal information is in compliance with 
this part to assure that such action is for a necessary and lawful 
purpose; that the information is timely and accurate for its intended 
use; and that adequate safeguards are provided to prevent misuse of 
such information.
    (3) Prepare input for the annual Privacy Act Report when requested 
by the DCAA Information and Privacy Advisor.
    (4) Conduct training on the Privacy Act program for regional and 
FAO personnel.
    (5) Provide recommendations to the Regional Director through the 
Regional Resources Manager regarding the releasability of DCAA records 
to members of the public.
    (h) Managers, Field Audit Offices (FAOs) will:
    (1) Ensure that the provisions of this part are followed in 
processing requests for records.
    (2) Forward to the Regional Privacy Act Officer, any Privacy Act 
requests received directly from a member of the public, so that the 
request may be administratively controlled and processed.
    (3) Ensure the prompt review of all Privacy Act requests, and when 
required, coordinate those requests with other organizational 
elements.
    (4) Provide recommendations to the Regional Privacy Act Officer 
regarding the releasability of DCAA records to members of the public, 
along with the responsive documents.
    (5) Provide the appropriate documents, along with a written 
justification for any denial, in whole or in part, of a request for 
records to the Regional Privacy Act Officer. Those portions to be 
excised should be bracketed in red pencil, and the specific exemption 
or exemptions cited which provide the basis for denying the requested 
records.
    (i) DCAA Employees will:
    (1) Not disclose any personal information contained in any system 
of records, except as authorized by this part.
    (2) Not maintain any official files which are retrieved by name or 
other personal identifier without first ensuring that a notice for the 
system has been published in the Federal Register.
    (3) Report any disclosures of personal information from a system of 
records or the maintenance of any system of records that are not 
authorized by this part to the appropriate Privacy Act officials for 
their action.


Sec.  317.5  Procedures.

    Procedures for processing material in accordance with the Privacy 
Act of 1974 are outlined in DoD 5400.11-R, DoD Privacy Program (32 CFR 
part 310).


Sec.  317.6  Procedures for exemptions.

    (a) General information. There are two types of exemptions, general 
and specific. The general exemption authorizes the exemption of a 
system of records from all but a few requirements of the Privacy Act. 
The specific exemption authorizes exemption of a system of records or 
portion thereof, from only a few specific requirements. If a new system 
of records originates for which an exemption is proposed, or an 
additional or new exemption for an existing system of records is 
proposed, the exemption shall be submitted with the system of records 
notice. No exemption of a system of records shall be considered 
automatic for all records in the system. The systems manager shall 
review each requested record and apply the exemptions only when this 
will serve significant and legitimate Government purposes.
    (b) Specific exemptions. (1) System identifier and name: RDCAA 
900.1, DCAA Internal Review Case Files
    (i) Exemption: Any portions of this system of records which fall 
under the provisions of 5 U.S.C. 552a(k)(2) and (k)(5) may be exempt 
from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), 
(e)(4)(G), (H), and (f).
    (ii) Authority: 5 U.S.C. 552a(k)(2) and (k)(5)
    (iii) Reason: (A) From subsection (c)(3) because disclosures from 
this system could interfere with the just, thorough and timely 
resolution of the complaint or inquiry, and possibly enable individuals 
to conceal their wrongdoing or mislead the course of the investigation 
by concealing, destroying or fabricating evidence or documents.
    (B) From subsection (d) because disclosures from this system could 
interfere with the just, thorough and timely resolution of the 
complaint or inquiry, and possibly enable individuals to conceal their 
wrongdoing or mislead the course of the investigation by concealing, 
destroying or fabricating evidence or documents. Disclosures could also 
subject sources and witnesses to harassment or intimidation which 
jeopardize the safety and well-being of themselves and their families.
    (C) From subsection (e)(1) because the nature of the investigation 
functions creates unique problems in prescribing specific parameters in 
a particular case as to what information is relevant or necessary. Due 
to close liaison and working relationships with other Federal, state, 
local, foreign country law enforcement agencies, and other governmental 
agencies, information may be received which may relate to a case under 
the investigative jurisdiction of another government agency. It is 
necessary to maintain this information in order to provide leads for 
appropriate law enforcement purposes and to establish patterns of 
activity which may relate to the jurisdiction of other cooperating 
agencies.
    (D) From subsection (e)(4)(G) through (H) because this system of 
records is exempt from the access provisions of subsection (d).
    (E) From subsection (f) because the agency's rules are inapplicable 
to those portions of the system that are exempt and would place the 
burden on the agency of either confirming or denying the existence of a 
record pertaining to a requesting individual might in itself provide an 
answer to that individual relating to an on-going investigation. The 
conduct of a successful investigation leading to the indictment of a 
criminal offender precludes the applicability of established agency 
rules relating to verification of record, disclosure of the record to 
that individual, and record amendment procedures for this record 
system.
    (2) [Reserved]

    Dated: March 4, 2015.
Aaron Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2015-05374 Filed 3-9-15; 8:45 am]
 BILLING CODE 5001-06-P



                                                                                                            Management Rule, 77 FR at 20177 n.104 (relying on       Privacy Act Program Regulation.
                                                  46 Id.
                                                                                                            UK FSA study); Swaps Entity Registration Rule, 77       Specifically, DCAA is adding an
                                                                                                            FR at 2624–25 (stating in response to comments that     exemption section to include an
                                                  47 Op.   at *41.                                          Commission ‘‘does not believe that foreign-based
mstockstill on DSK4VPTVN1PROD with RULES




                                                  48 Op.   at *41.                                          Swaps Entities will bear higher costs associated        exemption for RDCAA 900.1, DCAA
                                                  49 Id.                                                    with the registration process’’ and giving              Internal Review Case Files. This rule
                                                  50 The statement in the text reflects the                 explanation); SDR Reporting Rule, 77 FR at 2192
                                                Commission’s approach in its consideration of costs         (considering costs and benefits of swap identifiers,      56 Op. at *36–*37.
                                                and benefits for all of its Dodd-Frank rules, unless        including in cross-border activities).                    57 However,  as it has done in the past, the
                                                                                                               53 Op. at *39.
                                                otherwise specified for a particular issue or issues                                                                Commission will continue to consider the proper
                                                in a particular rulemaking.                                    54 Op. at *39.
                                                                                                                                                                    interpretation and application of section 2(i) in
                                                  51 Op. at *40.                                               55 Op. at *41.                                       particular circumstances.





                                                                   Federal Register / Vol. 80, No. 46 / Tuesday, March 10, 2015 / Rules and Regulations                                             12559

provides policies and procedures for the DCAA's implementation of the Privacy Act of 1974, as amended.

DATES: This rule is effective on April 9, 2015.

FOR FURTHER INFORMATION CONTACT: Mr. Keith Mastromichalis, FOIA/PA Management Analyst, DCAA HQ, 703–767–1022.

SUPPLEMENTARY INFORMATION: The revisions to this rule are part of DoD's retrospective plan under EO 13563 completed in August 2011. DoD's full plan can be accessed at http://www.regulations.gov/#!docketBrowser;rpp=25;po=0;dct=N%252BFR%252BPR%252BO;D=DOD-2011-OS-0036.

Executive Summary

I. Purpose of This Regulatory Action

a. This rule provides policies and procedures for DCAA's implementation of the Privacy Act of 1974, as amended.

b. Authority: Privacy Act of 1974, Pub. L. 93–579, Stat. 1896 (5 U.S.C. 552a).

II. Summary of the Major Provisions of This Regulatory Action

DCAA is adding an exemption section to include an exemption for RDCAA 900.1, DCAA Internal Review Case Files.

III. Costs and Benefits of This Regulatory Action

This regulatory action imposes no monetary costs to the Agency or public. The benefit to the public is the accurate reflection of the Agency's Privacy Program to ensure that policies and procedures are known to the public.

Public Comments

On Thursday, February 6, 2014 (79 FR 7114–7117), the Department of Defense published a proposed rule requesting public comment. No comments were received on the proposed rule, and no changes have been made in the final rule.

Regulatory Procedures

Executive Order 12866, "Regulatory Planning and Review" and Executive Order 13563, "Improving Regulation and Regulatory Review"

It has been determined that this rule is not a significant regulatory action under these Executive Orders. This rule does not (1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy; a sector of the economy; productivity; competition; jobs; the environment; public health or safety; or State, local, or tribal governments or communities; (2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another Agency; (3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs, or the rights and obligations of recipients thereof; or (4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in these Executive Orders.

Public Law 96–354, "Regulatory Flexibility Act" (5 U.S.C Chapter 6)

It has been certified that this rule does not have significant economic impact on a substantial number of small entities because it is concerned only with the administration of Privacy Act within the Department of Defense.

Public Law 95–511, "Paperwork Reduction Act" (44 U.S.C. Chapter 35)

It has been determined that this rule imposes no information collection requirements on the public under the Paperwork Reduction Act of 1995.

Section 202, Public Law 104–4, "Unfunded Mandates Reform Act"

It has been determined that this rule does not involve a Federal mandate that may result in the expenditure by State, local and tribal governments, in the aggregate, or by the private sector, of $100 million or more and that such rulemaking will not significantly or uniquely affect small governments.

Executive Order 13132, "Federalism"

It has been determined that this rule does not have federalism implications. This rule does not have substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government.

List of Subjects in 32 CFR Part 317

Privacy.

Accordingly 32 CFR part 317 is revised to read as follows:

PART 317—DCAA PRIVACY ACT PROGRAM

Sec.
317.1 Purpose.
317.2 Applicability and scope.
317.3 Policy.
317.4 Responsibilities.
317.5 Procedures.
317.6 Procedures for exemptions.

Authority: Pub. L. 93–579, 88 Stat. 1896 (5 U.S.C. 552a).

§ 317.1 Purpose.

This part provides policies and procedures for the Defense Contract Audit Agency's (DCAA) implementation of the Privacy Act of 1974 (5 U.S.C. 552a) and 32 CFR part 310, and is intended to promote uniformity within DCAA.

§ 317.2 Applicability and scope.

(a) This part applies to all DCAA organizational elements and takes precedence over all regional regulatory issuances that supplement the DCAA Privacy Program.

(b) This part shall be made applicable by contract or other legally binding action to contractors whenever a DCAA contract provides for the operation of a system of records or portion of a system of records to accomplish an Agency function.

§ 317.3 Policy.

(a) It is DCAA policy that personnel will comply with the DCAA Privacy Program; the Privacy Act of 1974; and the DoD Privacy Program (32 CFR part 310). Strict adherence is necessary to ensure uniformity in the implementation of the DCAA Privacy Program and create conditions that will foster public trust. It is also Agency policy to safeguard personal information contained in any system of records maintained by DCAA organizational elements and to make that information available to the individual to whom it pertains to the maximum extent practicable.

(b) DCAA policy specifically requires that DCAA organizational elements:

(1) Collect, maintain, use, and disseminate personal information only when it is relevant and necessary to achieve a purpose required by statute or Executive Order.

(2) Collect personal information directly from the individuals to whom it pertains to the greatest extent practical.

(3) Inform individuals who are asked to supply personal information for inclusion in any system of records:

(i) The authority for the solicitation.

(ii) Whether furnishing the information is mandatory or voluntary.

(iii) The intended uses of the information.

(iv) The routine disclosures of the information that may be made outside of DoD.

(v) The effect on the individual of not providing all or any part of the requested information.

(4) Ensure that records used in making determinations about individuals and those containing personal information are accurate,



relevant, timely, and complete for the purposes for which they are being maintained before making them available to any recipients outside of DoD, other than a Federal agency, unless the disclosure is made under DCAA Regulation 5410.8, DCAA Freedom of Information Act Program.

(5) Keep no record that describes how individuals exercise their rights guaranteed by the First Amendment to the U.S. Constitution, unless expressly authorized by statute or by the individual to whom the records pertain or is pertinent to and within the scope of an authorized law enforcement activity.

(6) Notify individuals whenever records pertaining to them are made available under compulsory legal processes, if such process is a matter of public record.

(7) Establish safeguards to ensure the security of personal information and to protect this information from threats or hazards that might result in substantial harm, embarrassment, inconvenience, or unfairness to the individual.

(8) Establish rules of conduct for DCAA personnel involved in the design, development, operation, or maintenance of any system of records and train them in these rules of conduct.

(9) Assist individuals in determining what records pertaining to them are being collected, maintained, used, or disseminated.

(10) Permit individual access to the information pertaining to them maintained in any system of records, and to correct or amend that information, unless an exemption for the system has been properly established for an important public purpose.

(11) Provide, on request, an accounting of all disclosures of the information pertaining to them except when disclosures are made:

(i) To DoD personnel in the course of their official duties.

(ii) Under DCAA Regulation 5410.8, DCAA Freedom of Information Act Program.

(iii) To another agency or to an instrumentality of any governmental jurisdiction within or under control of

§ 317.4 Responsibilities.

(a) The Assistant Director, Resources has overall responsibility for the DCAA Privacy Act Program and will serve as the sole appellate authority for appeals to decisions of respective initial denial authorities.

(b) The Chief, Administrative Management Division under the direction of the Assistant Director, Resources, shall:

(1) Establish, issue, and update policies for the DCAA Privacy Act Program; monitor compliance with this part; and provide policy guidance for the DCAA Privacy Act Program.

(2) Resolve conflicts that may arise regarding implementation of DCAA Privacy Act policy.

(3) Designate an Agency Privacy Act Advisor, as a single point of contact, to coordinate on matters concerning Privacy Act policy.

(4) Make the initial determination to deny an individual's written Privacy Act request for access to or amendment of documents filed in Privacy Act systems of records. This authority cannot be delegated.

(c) The DCAA Privacy Act Advisor under the supervision of the Chief, Administrative Management Division shall:

(1) Manage the DCAA Privacy Act Program in accordance with this part and applicable DCAA policies, as well as DoD and Federal regulations.

(2) Provide guidelines for managing, administering, and implementing the DCAA Privacy Act Program.

(3) Implement and administer the Privacy Act program at the Headquarters.

(4) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.

(5) Prepare promptly any required new, amended, or altered system notices for systems of records subject to the Privacy Act and submit them to the Defense Privacy Office for subsequent publication in the Federal Register.

(2) Ensuring that the provisions of this part are followed in processing requests for records.

(3) Forwarding to the DCAA Privacy Act Advisor, any Privacy Act requests received directly from a member of the public, so that the request may be administratively controlled and processed.

(4) Ensuring the prompt review of all Privacy Act requests, and when required, coordinating those requests with other organizational elements.

(5) Providing recommendations to the DCAA Privacy Act Advisor regarding the releasability of DCAA records to members of the public, along with the responsive documents.

(6) Providing the appropriate documents, along with a written justification for any denial, in whole or in part, of a request for records to the DCAA Privacy Act Advisor. Those portions to be excised should be bracketed in red pencil, and the specific exemption or exemptions cites which provide the basis for denying the requested records.

(e) The General Counsel is responsible for:

(1) Ensuring uniformity is maintained in the legal position, and the interpretation of the Privacy Act; 32 CFR part 310; and this part.

(2) Consulting with DoD General Counsel on final denials that are inconsistent with decisions of other DoD components, involve issues not previously resolved, or raise new or significant legal issues of potential significance to other Government agencies.

(3) Providing advice and assistance to the Assistant Director, Resources; Regional Directors; and the Regional Privacy Act Officer, through the DCAA Privacy Act Advisor, as required, in the discharge of their responsibilities.

(4) Coordinating Privacy Act litigation with the Department of Justice.

(5) Coordinating on Headquarters denials of initial requests.

(f) Each Regional Director is responsible for the overall management of the Privacy Act program within their respective regions. Under his/her direction, the Regional Resources Manager is responsible for the management and staff supervision of the program and for designating a Regional
                                                the United States conducting law                          (6) Conduct training on the Privacy                 Privacy Act Officer. Regional Directors
                                                enforcement activities authorized by                    Act program for Agency personnel.                     will, as designee of the Director, make
mstockstill on DSK4VPTVN1PROD with RULES




                                                law.                                                      (d) Heads of Principal Staff Elements               the initial determination to deny an
                                                   (12) Advise individuals on their rights              are responsible for:                                  individual’s written Privacy Act request
                                                to appeal any refusal to grant access to                  (1) Reviewing all regulations or other              for access to or amendment of
                                                or amend any record pertaining to them,                 policy and guidance issuances for                     documents filed in Privacy Act systems
                                                and file a statement of disagreement                    which they are the proponent to ensure                of records. This authority cannot be
                                                with the record in the event amendment                  consistency with the provisions of this               delegated.
                                                is refused.                                             part.                                                   (g) Regional Privacy Act Officers will:



(1) Implement and administer the Privacy Act program throughout the region.
(2) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in compliance with this part to assure that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.
(3) Prepare input for the annual Privacy Act Report when requested by the DCAA Information and Privacy Advisor.
(4) Conduct training on the Privacy Act program for regional and FAO personnel.
(5) Provide recommendations to the Regional Director through the Regional Resources Manager regarding the releasability of DCAA records to members of the public.
(h) Managers, Field Audit Offices (FAOs) will:
(1) Ensure that the provisions of this part are followed in processing requests for records.
(2) Forward to the Regional Privacy Act Officer, any Privacy Act requests received directly from a member of the public, so that the request may be administratively controlled and processed.
(3) Ensure the prompt review of all Privacy Act requests, and when required, coordinating those requests with other organizational elements.
(4) Provide recommendation to the Regional Privacy Act Officer regarding the releasability of DCAA records to members of the public, along with the responsive documents.
(5) Provide the appropriate documents, along with a written justification for any denial, in whole or in part, of a request for records to the Regional Privacy Act Officer. Those portions to be excised should be bracketed in red pencil, and the specific exemption or exemptions cited which provide the basis for denying the requested records.
(i) DCAA Employees will:
(1) Not disclose any personal information contained in any system of records, except as authorized by this part.
(2) Not maintain any official files which are retrieved by name or other personal identifier without first ensuring that a notice for the system has been published in the Federal Register.
(3) Report any disclosures of personal information from a system of records or the maintenance of any system of records that are not authorized by this part to the appropriate Privacy Act officials for their action.

§ 317.5   Procedures.

Procedures for processing material in accordance with the Privacy Act of 1974 are outlined in DoD 5400.11–R, DoD Privacy Program (32 CFR part 310).

§ 317.6   Procedures for exemptions.

(a) General information. There are two types of exemptions, general and specific. The general exemption authorizes the exemption of a system of records from all but a few requirements of the Privacy Act. The specific exemption authorizes exemption of a system of records or portion thereof, from only a few specific requirements. If a new system of records originates for which an exemption is proposed, or an additional or new exemption for an existing system of records is proposed, the exemption shall be submitted with the system of records notice. No exemption of a system of records shall be considered automatic for all records in the system. The systems manager shall review each requested record and apply the exemptions only when this will serve significant and legitimate Government purposes.
(b) Specific exemptions. (1) System identifier and name: RDCAA 900.1, DCAA Internal Review Case Files
(i) Exemption: Any portions of this system of records which fall under the provisions of 5 U.S.C. 552a(k)(2) and (k)(5) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), (e)(4)(G), (H), and (f).
(ii) Authority: 5 U.S.C. 552a(k)(2) and (k)(5)
(iii) Reason: (A) From subsection (c)(3) because disclosures from this system could interfere with the just, thorough and timely resolution of the complaint or inquiry, and possibly enable individuals to conceal their wrongdoing or mislead the course of the investigation by concealing, destroying or fabricating evidence or documents.
(B) From subsection (d) because disclosures from this system could interfere with the just, thorough and timely resolution of the complaint or inquiry, and possibly enable individuals to conceal their wrongdoing or mislead the course of the investigation by concealing, destroying or fabricating evidence or documents. Disclosures could also subject sources and witnesses to harassment or intimidation which jeopardize the safety and well-being of themselves and their families.
(C) From subsection (e)(1) because the nature of the investigation functions creates unique problems in prescribing specific parameters in a particular case as to what information is relevant or necessary. Due to close liaison and working relationships with other Federal, state, local, foreign country law enforcement agencies, and other governmental agencies, information may be received which may relate to a case under the investigative jurisdiction of another government agency. It is necessary to maintain this information in order to provide leads for appropriate law enforcement purposes and to establish patterns of activity which may relate to the jurisdiction of other cooperating agencies.
(D) From subsection (e)(4)(G) through (H) because this system of records is exempt from the access provisions of subsection (d).
(E) From subsection (f) because the agency’s rules are inapplicable to those portions of the system that are exempt and would place the burden on the agency of either confirming or denying the existence of a record pertaining to a requesting individual might in itself provide an answer to that individual relating to an on-going investigation. The conduct of a successful investigation leading to the indictment of a criminal offender precludes the applicability of established agency rules relating to verification of record, disclosure of the record to that individual, and record amendment procedures for this record system.
(2) [Reserved]

Dated: March 4, 2015.
Aaron Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2015–05374 Filed 3–9–15; 8:45 am]
BILLING CODE 5001–06–P





Document Created: 2018-02-21 09:34:54
Document Modified: 2018-02-21 09:34:54
Category: Regulatory Information
Collection: Federal Register
sudoc Class: AE 2.7:, GS 4.107:, AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Final rule.
Dates: This rule is effective on April 9, 2015.
Contact: Mr. Keith Mastromichalis, FOIA/PA Management Analyst, DCAA HQ, 703-767-1022.
FR Citation: 80 FR 12558
RIN Number: 0790-AJ23
