324.4—Responsibilities.
(2)
The Director, DFAS, will be the Final Denial Appellate Authority. This authority may be delegated to the Director for Resource Management.
(3)
Appoints the Director for External Affairs and Administrative Support, or a designated replacement, as the DFAS Headquarters Privacy Act Officer.
(b) DFAS Headquarters General Counsel.
(1)
Ensures uniformity is maintained in legal rulings and interpretation of the Privacy Act.
(2)
Consults with DoD General Counsel on final denials that are inconsistent with other final decisions within DoD. Responsible to raise new legal issues of potential significance to other Government agencies.
(3)
Provides advice and assistance to the DFAS Director, Center Directors, and the FSO as required, in the discharge of their responsibilities pertaining to the Privacy Act.
(c) DFAS Center Directors.
(1)
Ensures that all DFAS Center personnel, all personnel at subordinate levels, and contractor personnel working with personal data comply with the DFAS Privacy Act Program.
(2)
Serves as the DFAS Center Initial Denial Authority for requests made as a result of denying release of requested information at locations within DFAS Center authority. Initial denial authority may not be redelegated. Initial denial appeals will be forwarded to the appropriate DFAS Center marked to the attention of the DFAS Center Initial Denial Authority.
(d) Director, FSO.
(1)
Ensures that FSO and subordinate personnel and contractors working with personal data comply with the Privacy Act Program.
(2)
Serves as the FSO Initial Denial Authority for requests made as a result of denying release of requested information at locations within FSO authority. FSO Initial denial authority may not be redelegated.
(e) DFAS Headquarters Privacy Act Officer.
(1)
Establishes, issues and updates policy for the DFAS Privacy Act Program and monitors compliance. Serves as the DFAS single point of contact on all matters concerning Privacy Act policy. Resolves any conflicts resulting from implementation of the DFAS Privacy Act Program policy.
(2)
Serves as the DFAS single point of contact with the Department of Defense Privacy Office. This duty may be delegated.
(3)
Ensures that the collection, maintenance, use and/or dissemination of records of identifiable personal information is for a necessary and lawful purpose, that the information is current and accurate for the intended use and that adequate security safeguards are provided.
(4)
Monitors system notices for agency systems of records. Ensures that new, amended, or altered notices are promptly prepared and published. Reviews all notices submitted by the DFAS Privacy Act Officers for correctness and submits same to the Department of Defense Privacy Office for publication in the Federal Register. Maintains and publishes a listing of DFAS Privacy Act system notices.
(5)
Establishes DFAS Privacy Act reporting requirement due dates. Compiles all Agency reports and submits the completed annual report to the Defense Privacy Office. DFAS reporting requirements are provided in appendix A to this part.
(6)
Conducts annual Privacy Act Program training for DFAS Headquarters (HQ) personnel. Ensures that subordinate DFAS Center and FSO Privacy Act Officers fulfill annual training requirements.
(f) FSO and Financial System Activities (FSAs) Legal Support.
The FSO and subordinate FSA organizational elements will be supported by the appropriate DFAS-HQ or DFAS Center General Counsel office.
(g) DFAS Center(s) Assistant General Counsel.
(1)
Ensures uniformity is maintained in legal rulings and interpretation of the Privacy Act and this regulation. Consults with the DFAS-HQ General Counsel as required.
(2)
Provides advice and assistance to the DFAS Center Director and the FSA in the discharge of his/her responsibilities pertaining to the Privacy Act.
(h) DFAS Center Privacy Act Officer.
(1)
Implements and administers the DFAS Privacy Act Program for all personnel, to include contractor personnel, within the Center, Operating Locations (OpLocs) and Defense Accounting Offices (DAOs).
(2)
Ensures that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information. Advises the Program Manager that systems notices must be published in the Federal Register prior to collecting or maintenance of the information. Submits system notices to the DFAS-HQ Privacy Act Officer for review and subsequent submission to the Department of Defense Privacy Office.
(3)
Administratively controls and processes Privacy Act requests. Ensures that the provisions of this regulation and the DoD Privacy Act Program are followed in processing requests for records. Ensures all Privacy Act requests are promptly reviewed. Coordinates the reply with other organizational elements as required.
(4)
Prepares denials and partial denials for the Center Director's signature and obtain required coordination with the assistant General Counsel. Responses will include written justification citing a specific exemption or exemptions.
(5)
Prepares input for the annual Privacy Act Report as required using the guidelines provided in appendix A to this part.
(i) FSO Privacy Act Officer.
(1)
Implements and administers the DFAS Privacy Act Program for all personnel, to include contractor personnel, within the FSO.
(2)
Ensures that the collection, maintenance, use, or dissemination of records of identifiable personal information is in a manner that assures that such action is for a necessary and lawful purpose; the information is timely and accurate for its intended use; and that adequate safeguards are provided to prevent misuse of such information. Advises the Program Manager that systems notices must be published in the Federal Register prior to collecting or maintenance of the information. Submits system notices to the DFAS-HQ Privacy Act Officer for review and subsequent submission to the Department of Defense Privacy Office.
(3)
Administratively controls and processes Privacy Act requests. Ensures that the provisions of this regulation and the DoD Privacy Act Program are followed in processing requests for records. Ensure all Privacy Act requests are promptly reviewed. Coordinate the reply with other organizational elements as required.
(4)
Prepares denials and partial denials for signature by the Director, FSO and obtains required coordination with the assistant General Counsel. Responses will include written justification citing a specific exemption or exemptions.
(5)
Prepares input for the annual Privacy Act Report (RCS: DD DA&M(A)1379) as required using the guidelines provided in appendix A to this part.
(j) DFAS employees.
(1)
Will not disclose any personal information contained in any system of records, except as authorized by this regulation.
(2)
Will not maintain any official files which are retrieved by name or other personal identifier without first ensuring that a system notice has been published in the Federal Register.
(3)
Reports any disclosures of personal information from a system of records or the maintenance of any system of records not authorized by this regulation to the appropriate Privacy Act Officer for action.
(k) DFAS system managers (SM).
(1)
Ensures adequate safeguards have been established and are enforced to prevent the misuse, unauthorized disclosure, alteration, or destruction of personal information contained in system records.
(2)
Ensures that all personnel who have access to the system of records or are engaged in developing or supervising procedures for handling records are totally aware of their responsibilities to protect personal information established by the DFAS Privacy Act Program.
(3)
Evaluates each new proposed system of records during the planning stage. The following factors should be considered:
(i)
Relationship of data to be collected and retained to the purpose for which the system is maintained. All information must be relevant to the purpose.
(ii)
The impact on the purpose or mission if categories of information are not collected. All data fields must be necessary to accomplish a lawful purpose or mission.
(4)
Complies with the publication requirements of DoD 5400.11-R, ‘Department of Defense Privacy Program’ (see 32 CFR part 310 ). Submits final publication requirements to the appropriate DFAS Privacy Act Officer.
(l) DFAS program manager(s).
Reviews system alterations or amendments to evaluate for relevancy and necessity. Reviews will be conducted annually and reports prepared outlining the results and corrective actions taken to resolve problems. Reports will be forwarded to the appropriate Privacy Act Officer.
(m) Federal government contractors.
When a DFAS organizational element contracts to accomplish an agency function and performance of the contract requires the operation of a system of records or a portion thereof, DoD 5400.11-R, ‘Department of Defense Privacy Program’ (see 32 CFR part 310) and this part apply. For purposes of criminal penalties, the contractor and its employees shall be considered employees of DFAS during the performance of the contract.
(1) Contracting involving operation of systems of records.
Consistent with Federal Acquisition Regulation (FAR) 2 and the DoD Supplement to the Federal Acquisition Regulation (DFAR) 3, Part 224.1, contracts involving the operation of a system of records or portion thereof shall specifically identify the record system, the work to be performed and shall include in the solicitations and resulting contract such terms specifically prescribed by the FAR and DFAR.
Code of Federal Regulations
Footnote(s): 2 Copies may be obtained at cost from the Superintendent of Documents, P.O. Box 37195, Pittsburgh, PA 15250-7954.
Code of Federal Regulations
Footnote(s): 3 See footnote 2 to § 324.4(m)(1)
(ii)
Establishes an internal system for reviewing contractor performance to ensure compliance with the DFAS Privacy Act Program.
(i)
Established and maintained solely to assist the contractor in making internal contractor management decisions, such as records maintained by the contractor for use in managing the contract.
(ii)
Maintained as internal contractor employee records, even when used in conjunction with providing goods or services to the agency.
(4) Contracting procedures.
The Defense Acquisition Regulatory Council is responsible for developing the specific policies and procedures for soliciting, awarding, and administering contracts.
(5) Disclosing records to contractors.
Disclosing records to a contractor for use in performing a DFAS contract is considered a disclosure within DFAS. The contractor is considered the agent of DFAS when receiving and maintaining the records for the agency.