As employees of the Department of Defense Education Activity (DoDEA), many of you work with information about other people–principals, teachers, students, fellow employees, and others. You could not review activities, conduct audits, or perform other services, without knowing some personal information about these individuals. Likewise, DoDEA, and other Federal agencies need to know and maintain some personal information about you as an employee in order to hire, promote, pay you, and assure that personnel practices in keeping with Federal laws and regulations. This pamphlet describes your responsibilities as a DoDEA employee for safeguarding this information, and explains rights as a person who is also the subject of Government records.
The Privacy Act establishes safeguards for the protection of records the Government collects and keeps on individuals. The Privacy Act provides the Government with a framework in which to conduct its day-to-day business when that business requires the collection or use of information about individuals. Specifically, it requires that the Government:
The Privacy Act binds Federal agencies to a "code of fair information practices." The code sets standards which each Federal agency must meet as it collects, maintains, and uses information. As an employee who works with Federal records, you see effects of these standards.
For example, the last Government form for personal information you were asked to complete should have contained a Privacy Act Statement that indicated the authority for collecting this information, why the information is needed, who would use the information, and what the consequences would be for not providing the information.
The Privacy Act applies to Federal agencies. Federal agencies are defined in the law as all agencies, offices and departments of the Executive Branch, independent regulatory agencies such as the Securities and Exchange Commission, and Government-controlled corporations such as the Postal Service.
The Privacy Act does not apply to records held by the Legislative and Judicial Branches of the Federal Government, state and local governments or private organizations, except in isolated instances where these organizations hold special types of contracts with a Federal agency.
Specifically, the Privacy Act applies to Agency records that:
The Privacy Act defines an individual as a U.S. citizen or alien lawfully admitted for permanent residence. Excluded, then, from Privacy Act coverage are the records that Federal agencies maintain on organizations and businesses, including small businesses, even where the company's trade name could be the same as that of the owner. Also excluded are records that Federal agencies may maintain on deceased persons.
Privacy legislation had its origins in the late 1960's when people became concerned about abuses that could occur with computer data banks. The Privacy Act applies to personal information stored on computers as well as in manual files. Easy access to and quick transfer of information are features that make the computer a valuable tool. However, these very same features make the confidentiality of information difficult to protect. Since the Privacy Act became law, the Federal Government has been developing and establishing safeguards for the protection of personal information held in computer data banks.
DoDEA has published in the Federal Register a description of its record systems that are covered by the Privacy Act. Included among these are personnel, security, other administrative, and school student record files. In addition, the Office of Personnel Management and other Federal agencies have also published notices of record systems that may be of interest to you, such as official personnel folders, discrimination complaint records, and other personnel-related records.
For each one of these record systems, a specified person, known as a system manager, is responsible for answering questions you may have about seeing your records, and amending or correcting information contained in them. This person, along with his or her mailing address, is listed in the Federal Register notice. Summary information about all record system notices in the Federal Government is published in the Federal Register bi-annually and is periodically updated.
As a DoDEA employee you "wear two hats" one as a citizen entitled to the full protection and rights established by the Privacy Act, and the other as a Federal employee working with records containing personal information and sharing some responsibility in carrying out the requirements of the law. The seriousness of this responsibility is evident from the penalties the Privacy Act imposes upon Federal employees who willfully violate key sections of the law. Fines up to $5,000 can be imposed for willfully disclosing personal information that should not be released under the Privacy Act, or for maintaining secret records on individuals. The following presents a summary of your rights and responsibilities under the Privacy Act.
When you are requested to provide personal information to a Federal agency, you are entitled to know: the legal authority for requesting the information, the purpose for collecting it, what routine uses (disclosures) might be made of this mandatory or voluntary disclosure, and what effect your refusal to provide the information would have.
You must collect only personal information that is relevant and necessary, not simply useful to accomplish a specific objective. Whenever you request personal information from someone, you must inform him or her in writing of the legal authority for requesting the information, the purpose for collecting it, what routine uses will be made of this information, whether a response is mandatory or voluntary, and what will be the effect if he or she refuses to respond. Also, whenever you ask a person for his or her social security number, you must state the legal authority and purpose for requesting it, and whether a response is mandatory or voluntary. You should always attempt to collect personal information directly from the individual rather than from other sources wherever practicable.
You can request to see your records in writing, in person, or by telephone. You should describe the information you wish to see. Blanket requests for "all the information the agency has on me" cannot be honored. If you appear in person, identification will be required to verify you are the person whose record you are requesting.
If you have no suitable identification, you will be asked to certify your identity in writing.
Another person of your choice may accompany you when you check your records.
You are not required to receive a copy of your record or an acknowledgment of your request within a reasonable period.
You are not required to give a reason for your request; however, the more specific your request, the faster you can expect a response.
When a person requests to see his or her record, you must verify the identity (a driver's license, passport, alien or voter registration card) or require the person to certify in writing that he or she is the subject of the record requested and that the person understands that any knowing and willful request for a record under false pretense is a criminal offense subject to a $5,000 fine. If the request is by telephone, you should verify the person's identity, if possible, or require that a request be made in writing.
You must have the requester of a record authorize in writing the presence of another person if he or she desires someone to be present for the inspection and discussion of the record.
When a request for a record is received, you should check to see whether a record on the person exists in a system of records that is subject to the Privacy Act. The system manager or another designated official must either present the record or a copy of it, or acknowledge the request within ten working days or as soon as possible.
You should not ask the person to give a reason or justify a need to see his or her own record.
If the Privacy Act is to achieve its objectives, there must be cooperation by every Federal employee who works with records containing personal information. You are more than a program analyst, personnel management specialist, secretary, computer programmer, file clerk, auditor, and so on. In the course of your work you become a steward or custodian of the information entrusted to you. In order to meet the responsibilities of this stewardship, there are certain steps you should take:
In conclusion, it should be noted that this pamphlet has only tried to touch on the main points concerning your rights and responsibilities as a Federal employee under the Privacy Act. You are urged to become more familiar with DoDEA's policies on the Privacy Act and to consult your supervisor when you have any questions.
This document is adapted from an existing document written by Defense Contract Audit Agency, Fort Belvior, Virginia, http://www.dcaa.mil/privacy.htm.
This is a DoD mandated policy taken from the DoD Privacy Impact Assessment (PIA) Guidance - DoDI 5400.16, dated February 12, 2009.
a. Privacy Impact Assessments (PIA)s are completed on DoD information systems and electronic collections that collect, maintain, use, or disseminate Personal Identifiable Information (PII) in order to:
b. PIAs are performed when PII about members of the public, Federal personnel, contractors or foreign nationals employed at U.S. military facilities internationally, is collected, maintained, used, or disseminated in electronic form.
The Systems of Records notices are published in the Federal Register.