The Code of Federal Regulations (CFR) annual edition is the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the Federal Government produced by the Office of the Federal Register (OFR) and the Government Publishing Office.
Download the Code of Federal Regulations in XML.
Parallel Table of Authorities and Rules for the Code of Federal Regulations and the United States Code
Text | PDF
Find, review, and submit comments on Federal rules that are open for comment and published in the Federal Register using Regulations.gov.
Purchase individual CFR titles from the U.S. Government Online Bookstore.
Find issues of the CFR (including issues prior to 1996) at a local Federal depository library.
Electronic Code of Federal Regulations
Title 32: National Defense
PART 317—DCAA PRIVACY ACT PROGRAM
§317.2 Applicability and scope.
§317.6 Procedures for exemptions.
Authority: Pub. L. 93-579, 88 Stat. 1896 (5 U.S.C. 552a).
Source: 80 FR 12559, Mar. 10, 2015, unless otherwise noted.
This part provides policies and procedures for the Defense Contract Audit Agency's (DCAA) implementation of the Privacy Act of 1974 (5 U.S.C. 552a) and 32 CFR part 310, and is intended to promote uniformity within DCAA.
§317.2 Applicability and scope.
(a) This part applies to all DCAA organizational elements and takes precedence over all regional regulatory issuances that supplement the DCAA Privacy Program.
(b) This part shall be made applicable by contract or other legally binding action to contractors whenever a DCAA contract provides for the operation of a system of records or portion of a system of records to accomplish an Agency function.
(a) It is DCAA policy that personnel will comply with the DCAA Privacy Program; the Privacy Act of 1974; and the DoD Privacy Program (32 CFR part 310). Strict adherence is necessary to ensure uniformity in the implementation of the DCAA Privacy Program and create conditions that will foster public trust. It is also Agency policy to safeguard personal information contained in any system of records maintained by DCAA organizational elements and to make that information available to the individual to whom it pertains to the maximum extent practicable.
(b) DCAA policy specifically requires that DCAA organizational elements:
(1) Collect, maintain, use, and disseminate personal information only when it is relevant and necessary to achieve a purpose required by statute or Executive Order.
(2) Collect personal information directly from the individuals to whom it pertains to the greatest extent practical.
(3) Inform individuals who are asked to supply personal information for inclusion in any system of records:
(i) The authority for the solicitation.
(ii) Whether furnishing the information is mandatory or voluntary.
(iii) The intended uses of the information.
(iv) The routine disclosures of the information that may be made outside of DoD.
(v) The effect on the individual of not providing all or any part of the requested information.
(4) Ensure that records used in making determinations about individuals and those containing personal information are accurate, relevant, timely, and complete for the purposes for which they are being maintained before making them available to any recipients outside of DoD, other than a Federal agency, unless the disclosure is made under DCAA Regulation 5410.8, DCAA Freedom of Information Act Program.
(5) Keep no record that describes how individuals exercise their rights guaranteed by the First Amendment to the U.S. Constitution, unless expressly authorized by statute or by the individual to whom the records pertain or is pertinent to and within the scope of an authorized law enforcement activity.
(6) Notify individuals whenever records pertaining to them are made available under compulsory legal processes, if such process is a matter of public record.
(7) Establish safeguards to ensure the security of personal information and to protect this information from threats or hazards that might result in substantial harm, embarrassment, inconvenience, or unfairness to the individual.
(8) Establish rules of conduct for DCAA personnel involved in the design, development, operation, or maintenance of any system of records and train them in these rules of conduct.
(9) Assist individuals in determining what records pertaining to them are being collected, maintained, used, or disseminated.
(10) Permit individual access to the information pertaining to them maintained in any system of records, and to correct or amend that information, unless an exemption for the system has been properly established for an important public purpose.
(11) Provide, on request, an accounting of all disclosures of the information pertaining to them except when disclosures are made:
(i) To DoD personnel in the course of their official duties.
(ii) Under DCAA Regulation 5410.8, DCAA Freedom of Information Act Program.
(iii) To another agency or to an instrumentality of any governmental jurisdiction within or under control of the United States conducting law enforcement activities authorized by law.
(12) Advise individuals on their rights to appeal any refusal to grant access to or amend any record pertaining to them, and file a statement of disagreement with the record in the event amendment is refused.
(a) The Assistant Director, Resources has overall responsibility for the DCAA Privacy Act Program and will serve as the sole appellate authority for appeals to decisions of respective initial denial authorities.
(b) The Chief, Administrative Management Division under the direction of the Assistant Director, Resources, shall:
(1) Establish, issue, and update policies for the DCAA Privacy Act Program; monitor compliance with this part; and provide policy guidance for the DCAA Privacy Act Program.
(2) Resolve conflicts that may arise regarding implementation of DCAA Privacy Act policy.
(3) Designate an Agency Privacy Act Advisor, as a single point of contact, to coordinate on matters concerning Privacy Act policy.
(4) Make the initial determination to deny an individual's written Privacy Act request for access to or amendment of documents filed in Privacy Act systems of records. This authority cannot be delegated.
(c) The DCAA Privacy Act Advisor under the supervision of the Chief, Administrative Management Division shall:
(1) Manage the DCAA Privacy Act Program in accordance with this part and applicable DCAA policies, as well as DoD and Federal regulations.
(2) Provide guidelines for managing, administering, and implementing the DCAA Privacy Act Program.
(3) Implement and administer the Privacy Act program at the Headquarters.
(4) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.
(5) Prepare promptly any required new, amended, or altered system notices for systems of records subject to the Privacy Act and submit them to the Defense Privacy Office for subsequent publication in the Federal Register.
(6) Conduct training on the Privacy Act program for Agency personnel.
(d) Heads of Principal Staff Elements are responsible for:
(1) Reviewing all regulations or other policy and guidance issuances for which they are the proponent to ensure consistency with the provisions of this part.
(2) Ensuring that the provisions of this part are followed in processing requests for records.
(3) Forwarding to the DCAA Privacy Act Advisor, any Privacy Act requests received directly from a member of the public, so that the request may be administratively controlled and processed.
(4) Ensuring the prompt review of all Privacy Act requests, and when required, coordinating those requests with other organizational elements.
(5) Providing recommendations to the DCAA Privacy Act Advisor regarding the releasability of DCAA records to members of the public, along with the responsive documents.
(6) Providing the appropriate documents, along with a written justification for any denial, in whole or in part, of a request for records to the DCAA Privacy Act Advisor. Those portions to be excised should be bracketed in red pencil, and the specific exemption or exemptions cites which provide the basis for denying the requested records.
(e) The General Counsel is responsible for:
(1) Ensuring uniformity is maintained in the legal position, and the interpretation of the Privacy Act; 32 CFR part 310; and this part.
(2) Consulting with DoD General Counsel on final denials that are inconsistent with decisions of other DoD components, involve issues not previously resolved, or raise new or significant legal issues of potential significance to other Government agencies.
(3) Providing advice and assistance to the Assistant Director, Resources; Regional Directors; and the Regional Privacy Act Officer, through the DCAA Privacy Act Advisor, as required, in the discharge of their responsibilities.
(4) Coordinating Privacy Act litigation with the Department of Justice.
(5) Coordinating on Headquarters denials of initial requests.
(f) Each Regional Director is responsible for the overall management of the Privacy Act program within their respective regions. Under his/her direction, the Regional Resources Manager is responsible for the management and staff supervision of the program and for designating a Regional Privacy Act Officer. Regional Directors will, as designee of the Director, make the initial determination to deny an individual's written Privacy Act request for access to or amendment of documents filed in Privacy Act systems of records. This authority cannot be delegated.
(g) Regional Privacy Act Officers will:
(1) Implement and administer the Privacy Act program throughout the region.
(2) Ensure that the collection, maintenance, use, or dissemination of records of identifiable personal information is in compliance with this part to assure that such action is for a necessary and lawful purpose; that the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information.
(3) Prepare input for the annual Privacy Act Report when requested by the DCAA Information and Privacy Advisor.
(4) Conduct training on the Privacy Act program for regional and FAO personnel.
(5) Provide recommendations to the Regional Director through the Regional Resources Manager regarding the releasability of DCAA records to members of the public.
(h) Managers, Field Audit Offices (FAOs) will:
(1) Ensure that the provisions of this part are followed in processing requests for records.
(2) Forward to the Regional Privacy Act Officer, any Privacy Act requests received directly from a member of the public, so that the request may be administratively controlled and processed.
(3) Ensure the prompt review of all Privacy Act requests, and when required, coordinating those requests with other organizational elements.
(4) Provide recommendation to the Regional Privacy Act Officer regarding the releasability of DCAA records to members of the public, along with the responsive documents.
(5) Provide the appropriate documents, along with a written justification for any denial, in whole or in part, of a request for records to the Regional Privacy Act Officer. Those portions to be excised should be bracketed in red pencil, and the specific exemption or exemptions cited which provide the basis for denying the requested records.
(i) DCAA Employees will:
(1) Not disclose any personal information contained in any system of records, except as authorized by this part.
(2) Not maintain any official files which are retrieved by name or other personal identifier without first ensuring that a notice for the system has been published in the Federal Register.
(3) Report any disclosures of personal information from a system of records or the maintenance of any system of records that are not authorized by this part to the appropriate Privacy Act officials for their action.
Procedures for processing material in accordance with the Privacy Act of 1974 are outlined in DoD 5400.11-R, DoD Privacy Program (32 CFR part 310).
§317.6 Procedures for exemptions.
(a) General information. There are two types of exemptions, general and specific. The general exemption authorizes the exemption of a system of records from all but a few requirements of the Privacy Act. The specific exemption authorizes exemption of a system of records or portion thereof, from only a few specific requirements. If a new system of records originates for which an exemption is proposed, or an additional or new exemption for an existing system of records is proposed, the exemption shall be submitted with the system of records notice. No exemption of a system of records shall be considered automatic for all records in the system. The systems manager shall review each requested record and apply the exemptions only when this will serve significant and legitimate Government purposes.
(b) Specific exemptions. (1) System identifier and name: RDCAA 900.1, DCAA Internal Review Case Files
(i) Exemption: Any portions of this system of records which fall under the provisions of 5 U.S.C. 552a(k)(2) and (k)(5) may be exempt from the following subsections of 5 U.S.C. 552a: (c)(3), (d), (e)(1), (e)(4)(G), (H), and (f).
(ii) Authority: 5 U.S.C. 552a(k)(2) and (k)(5)
(iii) Reason: (A) From subsection (c)(3) because disclosures from this system could interfere with the just, thorough and timely resolution of the complaint or inquiry, and possibly enable individuals to conceal their wrongdoing or mislead the course of the investigation by concealing, destroying or fabricating evidence or documents.
(B) From subsection (d) because disclosures from this system could interfere with the just, thorough and timely resolution of the complaint or inquiry, and possibly enable individuals to conceal their wrongdoing or mislead the course of the investigation by concealing, destroying or fabricating evidence or documents. Disclosures could also subject sources and witnesses to harassment or intimidation which jeopardize the safety and well-being of themselves and their families.
(C) From subsection (e)(1) because the nature of the investigation functions creates unique problems in prescribing specific parameters in a particular case as to what information is relevant or necessary. Due to close liaison and working relationships with other Federal, state, local, foreign country law enforcement agencies, and other governmental agencies, information may be received which may relate to a case under the investigative jurisdiction of another government agency. It is necessary to maintain this information in order to provide leads for appropriate law enforcement purposes and to establish patterns of activity which may relate to the jurisdiction of other cooperating agencies.
(D) From subsection (e)(4)(G) through (H) because this system of records is exempt from the access provisions of subsection (d).
(E) From subsection (f) because the agency's rules are inapplicable to those portions of the system that are exempt and would place the burden on the agency of either confirming or denying the existence of a record pertaining to a requesting individual might in itself provide an answer to that individual relating to an on-going investigation. The conduct of a successful investigation leading to the indictment of a criminal offender precludes the applicability of established agency rules relating to verification of record, disclosure of the record to that individual, and record amendment procedures for this record system.