privacy act violations by MaryJeanMenintigar

Office of the Secretary of Defense    § 310.50

Components or the Component Inspector General.

§ 310.44 Inspection reporting.

(a) Document the findings of the inspectors in official reports that are furnished the responsible Component officials. These reports, when appropriate, shall reflect overall assets of the Component Privacy Program inspected, or portion thereof, identify deficiencies, irregularities, and significant problems. Also document remedial actions taken to correct problems identified.

(b) Retain inspections reports and later follow-up reports in accordance with established records disposition standards. These reports shall be made available to the Privacy Program officials concerned upon request.

Subpart K—Privacy Act Violations

§ 310.45 Administrative remedies.

Any individual who believes he or she has a legitimate complaint or grievance against the Department of Defense or any DoD employee concerning any right granted by this part shall be permitted to seek relief through appropriate administrative channels.

§ 310.46 Civil actions.

An individual may file a civil suit against a DoD Component if the individual believes his or her rights under the Act have been violated. (See 5 U.S.C. 552a(g).)

§ 310.47 Civil remedies.

In addition to specific remedial actions, the Privacy Act provides for the payment of damages, court costs, and attorney fees in some cases.

§ 310.48 Criminal penalties.

(a) The Act also provides for criminal penalties. (See 5 U.S.C. 552a(i).) Any official or employee may be found guilty of a misdemeanor and fined not more than $5,000 if he or she willfully:

(1) Discloses information from a system of records, knowing dissemination is prohibited to anyone not entitled to receive the information (see subpart E of this part); or

(2) Maintains a system of records without publishing the required public notice in the FEDERAL REGISTER. (See subpart G of this part.)

(b) Any person who knowingly and willfully requests or obtains access to any record concerning another individual under false pretenses may be found guilty of misdemeanor and fined up to $5,000.

§ 310.49 Litigation status sheet.

Whenever a complaint citing the Privacy Act is filed in a U.S. District Court against the Department of Defense, a DoD Component, or any DoD employee, the responsible system manager shall notify the DPO. The litigation status sheet at appendix H to this part provides a standard format for this notification. The initial litigation status sheet forwarded shall, as a minimum, provide the information required by items 1 through 6 of the status sheet. A revised litigation status sheet shall be provided at each stage of the litigation. When a court renders a formal opinion or judgment, copies of the judgment and opinion shall be provided to the DPO with the litigation status sheet reporting that judgment or opinion.

§ 310.50 Lost, stolen, or compromised

(a) When a loss, theft, or compromise of information occurs (see § 310.14), the breach shall be reported to:

(1) The United States Computer Emergency Readiness Team (US CERT) within one hour of discovering that a breach of personally identifiable information has occurred. Components shall establish procedures to ensure that US CERT reporting is accomplished in accordance with the guidance set forth at

(i) The underlying incident that led to the loss or suspected loss of PII (e.g., computer incident, theft, loss of material, etc.) shall continue to be reported in accordance with established procedures (e.g., to designated Computer Network Defense (CND) Service Providers (reference (z)), law enforcement authorities, the chain of command, etc.).

(ii) [Reserved]

(2) The Senior Component Official for Privacy within 24 hours of discovering that a breach of personally identifiable


§ 310.51    32 CFR Ch. I (7–1–07 Edition)

information has occurred. The Senior Component Official for Privacy, or their designee, shall notify the Defense Privacy Office of the breach within 48 hours upon being notified that a loss, theft, or compromise has occurred. The notification shall include the following information:

(i) Identify the Component/organization involved.

(ii) Specify the date of the breach and the number of individuals impacted, to include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military retirees; family members; other Federal personnel or members of the public, etc.

(iii) Briefly describe the facts and circumstances surrounding the loss, theft, or compromise.

(iv) Briefly describe actions taken in response to the breach, to include whether the incident was investigated and by whom; the preliminary results of the inquiry if then known; actions taken to mitigate any harm that could result from the breach; whether the affected individuals are being notified, and if this will not be accomplished within 10 working days, that action will be initiated to notify the Deputy Secretary (see § 310.14); what remedial actions have been, or will be, taken to prevent a similar such incident in the future, e.g., refresher training conducted, new or revised guidance issued; and any other information considered pertinent as to actions to be taken to ensure that information is properly safeguarded.

(2) The Component shall determine whether administrative or disciplinary action is warranted and appropriate for those individuals determined to be responsible for the loss, theft, or compromise.

Subpart L—Computer Matching Program Procedures

§ 310.51 General.

(a) A computer matching program covers two kinds of matching programs (see OMB Matching Guidelines, 54 FR 25818 (June 19, 1989)). If covered, the matches are subject to the requirements of this subpart. The covered programs are:

(1) Matches using records from Federal personnel or payroll systems of records, or

(2) Matches involving Federal benefits program if:

(i) To determine eligibility for a Federal benefit,

(ii) To determine compliance with benefit program requirements, or

(iii) To effect recovery of improper payments or delinquent debts under a Federal benefit program.

(b) The requirements of this part do not apply if matches are:

(1) Performed solely to produce aggregated statistical data without any personal identifiers. Personally identifying data can be used for purposes of conducting the match. However, the results of the match shall be stripped of any data that would identify an individual. Under no circumstances shall match results be used to take action against specific individuals.

(2) Performed to support research or statistical projects. Personally identifying data can be used for purposes of conducting the match and the match results may contain identifying data about individuals. However, the match results shall not be used to make a decision that affects the rights, benefits, or privileges of specific individuals.

(3) Performed by an agency, or a component thereof, whose principal function is the enforcement of criminal laws, subsequent to the initiation of a specific criminal or civil law enforcement investigation of a named individual or individuals.

(i) The match must flow from an investigation already underway which focuses on a named person or persons. “Fishing expeditions” in which the subjects are generically identified, such as “program beneficiaries” are not covered.

(ii) The match must be for the purpose of gathering evidence against the named individual or individuals.

(4) Performed for tax information-related purposes.

(5) Performed for routine administrative purposes using records relating to Federal personnel.

(i) The records to be used in the match must predominantly relate to Federal personnel (i.e., the percentage of records in the system of records that

