
The Federal Register

DEPARTMENT OF DEFENSE

Western Area Power Administration

CFR Citation: 32 CFR Part 505

RIN ID: RIN 0702-AA53

Docket ID: [Docket No. USA-2006-0011]

NOTICE: Part VI

DOCUMENT ACTION: Final rule.

SUBJECT CATEGORY: The Army Privacy Program

DATES: Effective Date: September 11, 2006.

DOCUMENT SUMMARY: The Department of the Army is updating policies and responsibilities for the Army Privacy Program, which implements the Privacy Act of 1974, by showing organizational realignments and by revising referenced statutory and regulatory authority, such as the Health Insurance Portability and Accountability Act and E-Government Act of 2002. This rule finalizes the proposed rule that was published in the Federal Register on April 25, 2006.

SUMMARY: Defense Department, Army Department,


SUPPLEMENTAL INFORMATION

A. Background

In the April 25, 2006, issue of the Federal Register (71 FR 24494), the Department of the Army issued a proposed rule to revise 32 CFR part 505. It incorporates Privacy Act policy objectives, including (1) restricting disclosure of personally identifiable records maintained; (2) granting individuals rights of access to agency records maintained on themselves; (3) granting individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete; and (4) establishing practices ensuring the Army is complying with statutory norms for collection, maintenance, and dissemination of records. The Department of the Army received two comments from one commenter. No substantive changes were requested or made; however, the proposed changes were accepted and made to the final rule. The commenter expressed concern on Sec. 505.2(e) titled ``Nomination of individuals when personal information * * *'' It was changed to read ``Notification of individuals when personal information * * *'' The other concern was in Sec. 505.2(a)(2); a suggestion was made to clarify the section by incorporating the DoD 6025.18-R, Privacy of Individually Identifiable Health Information in DoD Health Care Programs, language. The proposed Sec. 505.2(a)(3) through Sec. 505.2(a)(13) was redesignated as Sec. 505.2(a)(4) through Sec. 505.2(a)(14) and a new Sec. 505.2(a)(3) was added.

B. Executive Order 12866 (Regulatory Planning and Review)

It has been determined that Privacy Act rules for the Department of Defense are not significant rules. The rules do not (1) have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy; a sector of the economy; productivity; competition; jobs; the environment; public health or safety; or State, local, or tribal governments or communities; (2) create a serious inconsistency or otherwise interfere with an action taken or planned by another Agency; (3) materially alter the budgetary impact of entitlements, grants, user fees, or loan programs, or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in this Executive order.

C. Regulatory Flexibility

It has been certified that Privacy Act rules for the Department of Defense do not have significant economic impact on a substantial number of small entities because they are concerned only with the administration of Privacy Act systems of records within the Department of Defense.

D. Paperwork Reduction Act

It has been certified that Privacy Act rules for the Department of Defense impose no information requirements beyond the Department of Defense and that the information collected within the Department of Defense is necessary and consistent with 5 U.S.C. 552a, known as the Privacy Act of 1974.

E. Unfunded Mandates Reform Act

It has been certified that the Privacy Act rulemaking for the Department of Defense does not involve a Federal mandate that may result in the expenditure by State, local and tribal governments, in the aggregate, or by the private sector, of $100 million or more and that such rulemaking will not significantly or uniquely affect small governments.

F. Executive Order 13132 (Federalism)

It has been certified that the Privacy Act rules for the Department of Defense do not have federalism implications. The rules do not have substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government.

Robert Dickerson,
Chief, U.S. Army Freedom of Information Act and Privacy Office.

List of Subjects in 32 CFR Part 505

Privacy.

For reasons stated in the preamble the Department of the Army revises 32 CFR part 505 to read as follows:

PART 505--ARMY PRIVACY ACT PROGRAM
Sec.
505.1 General information.
505.2 General provisions.
505.3 Privacy Act systems of records.
505.4 Collecting personal information.
505.5 Individual access to personal information.
505.6 Amendment of records.
505.7 Disclosure of personal information to other agencies and third parties.
505.8 Training requirements.
505.9 Reporting requirements.
505.10 Use and establishment of exemptions.
505.11 Federal Register publishing requirements.
505.12 Privacy Act enforcement actions.
505.13 Computer Matching Agreement Program.
505.14 Recordkeeping requirements under the Privacy Act.
Appendix A to Part 505--References
Appendix B to Part 505--Denial Authorities for Records Under Their Authority (Formerly Access and Amendment Refusal Authorities)
Appendix C to Part 505--Privacy Act Statement Format
Appendix D to Part 505--Exemptions; Exceptions; and DoD Blanket Routine Uses
Appendix E to Part 505--Litigation Status Sheet
Appendix F to Part 505--Example of a System of Records Notice
Appendix G to Part 505--Management Control Evaluation Checklist
Appendix H to Part 505--Definitions

Authority: Pub. L. 93-579, 88 Stat. 1896 (5 U.S.C. 552a).

Sec. 505.1 General information.
(a) Purpose. This part sets forth policies and procedures that govern personal information maintained by the Department of the Army (DA) in Privacy Act systems of records. This part also provides guidance on collecting and disseminating personal information in general. The purpose of the Army Privacy Act Program is to balance the government's need to maintain information about individuals with the right of individuals to be protected against unwarranted invasions of their privacy stemming from Federal agencies' collection, maintenance, use and disclosure of personal information about them. Additionally, this part promotes uniformity within the Army's Privacy Act Program.
[[Page 46053]]
(b) References: (1) Referenced publications are listed in Appendix A of this part.
(2) DOD Computer Matching Program and other Defense Privacy Guidelines may be accessed at the Defense Privacy Office Web site http://www.defenselink.mil/privacy.
(c) Definitions are provided at Appendix H of this part.
(d) Responsibilities. (1) The Office of the Administrative Assistant to the Secretary of the Army will
(i) Act as the senior Army Privacy Official with overall responsibility for the execution of the Department of the Army Privacy Act Program;
(ii) Develop and issue policy guidance for the program in consultation with the Army General Counsel; and
(iii) Ensure the DA Privacy Act Program complies with Federal statutes, Executive Orders, Office of Management and Budget guidelines, and 32 CFR part 310.
(2) The Chief Attorney, Office of the Administrative Assistant to the Secretary of the Army (OAASA) will
(i) Provide advice and assistance on legal matters arising out of, or incident to, the administration of the DA Privacy Act Program;
(ii) Serve as the legal advisor to the DA Privacy Act Review Board. This duty may be fulfilled by a designee in the Chief Attorney and Legal Services Directorate, OAASA;
(iii) Provide legal advice relating to interpretation and application of the Privacy Act of 1974; and
(iv) Serve as a member on the Defense Privacy Board Legal Committee. This duty may be fulfilled by a designee in the Chief Attorney and Legal Services Directorate, OAASA.
(3) The Judge Advocate General will serve as the Denial Authority on requests made pursuant to the Privacy Act of 1974 for access to or amendment of Army records, regardless of functional category, concerning actual or potential litigation in which the United States has an interest.
(4) The Chief, DA Freedom of Information Act and Privacy Office (FOIA/P), U.S. Army Records Management and Declassification Agency will
(i) Develop and recommend policy;
(ii) Execute duties as the Army's Privacy Act Officer;
(iii) Promote Privacy Act awareness throughout the DA;
(iv) Serve as a voting member on the Defense Data Integrity Board and the Defense Privacy Board;
(v) Represent the Department of the Army in DOD policy meetings; and
(vi) Appoint a Privacy Act Manager who will
(A) Administer procedures outlined in this part;
(B) Review and approve proposed new, altered, or amended Privacy Act systems of records notices and subsequently submit them to the Defense Privacy Office for coordination;
(C) Review Department of the Army Forms for compliance with the Privacy Act and this part;
(D) Ensure that reports required by the Privacy Act are provided upon request from the Defense Privacy Office;
(E) Review Computer Matching Agreements and recommend approval or denial to the Chief, DA FOIA/P Office;
(F) Provide Privacy Act training;
(G) Provide privacy guidance and assistance to DA activities and combatant commands where the Army is the Executive Agent;
(H) Ensure information collections are developed in compliance with the Privacy Act provisions;
(I) Ensure Office of Management and Budget reporting requirements, guidance, and policy are accomplished; and
(J) Immediately review privacy violations of personnel to locate the problem and develop a means to prevent recurrence of the problem.
(5) Heads of Department of the Army activities, field operating agencies, direct reporting units, Major Army commands, subordinate commands down to the battalion level, and installations will
(i) Supervise and execute the privacy program in functional areas and activities under their responsibility; and
(ii) Appoint a Privacy Act Official who will
(A) Serve as the staff advisor on privacy matters;
(B) Ensure that Privacy Act records collected and maintained within the Command or agency are properly described in a Privacy Act system of records notice published in the Federal Register;
(C) Ensure no undeclared systems of records are being maintained;
(D) Ensure Privacy Act requests are processed promptly and responsively;
(E) Ensure a Privacy Act Statement is provided to individuals when information is collected that will be maintained in a Privacy Act system of records, regardless of the medium used to collect the personal information (i.e., forms, personal interviews, stylized formats, telephonic interviews, or other methods);
(F) Review, biennially, recordkeeping practices to ensure compliance with the Act, paying particular attention to the maintenance of automated records. In addition, ensure cooperation with records management officials on such matters as maintenance and disposal procedures, statutory requirements, forms, and reports; and
(G) Review, biennially, Privacy Act training practices. This is to ensure all personnel are familiar with the requirements of the Act.
(6) DA Privacy Act System Managers and Developers will
(i) Ensure that appropriate procedures and safeguards are developed, implemented, and maintained to protect an individual's personal information;
(ii) Ensure that all personnel are aware of their responsibilities for protecting personal information being collected and maintained under the Privacy Act Program;
(iii) Ensure official filing systems that retrieve records by name or other personal identifier and are maintained in a Privacy Act system of records have been published in the Federal Register as a Privacy Act system of records notice. Any official who willfully maintains a system of records without meeting the publication requirements, as prescribed by 5 U.S.C. 552a, as amended, OMB Circular A-130, 32 CFR part 310 and this part, will be subject to possible criminal penalties and/or administrative sanctions;
(iv) Prepare new, amended, or altered Privacy Act system of records notices and submit them to the DA Freedom of Information and Privacy Office for review. After appropriate coordination, the system of records notices will be submitted to the Defense Privacy Office for their review and coordination;
(v) Review, biennially, each Privacy Act system of records notice under their purview to ensure that it accurately describes the system of records;
(vi) Review, every four years, the routine use disclosures associated with each Privacy Act system of records notice in order to determine if such routine use continues to be compatible with the purpose for which the activity collected the information;
(vii) Review, every four years, each Privacy Act system of records notice for which the Secretary of the Army has promulgated exemption rules pursuant to Sections (j) or (k) of the Act. This is to ensure such exemptions are still appropriate;
[[Page 46054]]
(viii) Review, every year, contracts that provide for the maintenance of a Privacy Act system of records to accomplish an activity's mission. This requirement is to ensure each contract contains provisions that bind the contractor, and its employees, to the requirements of 5 U.S.C. 552a(m)(1); and
(ix) Review, if applicable, ongoing Computer Matching Agreements. The Defense Data Integrity Board approves Computer Matching Agreements for 18 months, with an option to renew for an additional year. This additional review will ensure that the requirements of the Privacy Act, Office of Management and Budget guidance, local regulations, and the requirements contained in the Matching Agreements themselves have been met.
(7) All DA personnel will
(i) Take appropriate actions to ensure personal information contained in a Privacy Act system of records is protected so that the security and confidentiality of the information is preserved;
(ii) Not disclose any personal information contained in a Privacy Act system of records except as authorized by 5 U.S.C. 552a, DOD 5400.11-R, or other applicable laws. Personnel willfully making a prohibited disclosure are subject to possible criminal penalties and/or administrative sanctions; and
(iii) Report any unauthorized disclosures or unauthorized maintenance of new Privacy Act systems of records to the applicable activity's Privacy Act Official.
(8) Heads of Joint Service agencies or commands for which the Army is the Executive Agent or the Army otherwise provides fiscal, logistical, or administrative support, will adhere to the policies and procedures in this part.
(9) Commander, Army and Air Force Exchange Service, will supervise and execute the Privacy Program within that command pursuant to this part.
(10) Overall Governmentwide responsibility for implementation of the Privacy Act is the Office of Management and Budget. The Department of Defense is responsible for implementation of the Act within the armed services. The Privacy Act also assigns specific Governmentwide responsibilities to the Office of Personnel Management and the General Services Administration.
(11) Governmentwide Privacy Act systems of records notices are available at http://www.defenselink.mil/privacy.
(e) Legal Authority. (1) Title 5, United States Code, Section 552a, as amended, The Privacy Act of 1974.
(2) Title 5, United States Code, Section 552, The Freedom of Information Act (FOIA).
(3) Office of Personnel Management, Federal Personnel Manual (5 CFR parts 293, 294, 297, and 7351).
(4) OMB Circular No. A-130, Management of Federal Information Resources, Revised, August 2003.
(5) DOD Directive 5400.11, Department of Defense Privacy Program, November 16, 2004.
(6) DOD Regulation 5400.11-R, Department of Defense Privacy Program, August 1983.
(7) Title 10, United States Code, Section 3013, Secretary of the Army.
(8) Executive Order No. 9397, Numbering System for Federal Accounts Relating to Individual Persons, November 30, 1943.
(9) Public Law 100-503, the Computer Matching and Privacy Act of 1974.
(10) Public Law 107-347, Section 208, Electronic Government (E-Gov) Act of 2002.
(11) DOD Regulation 6025.18-R, DOD Health Information Privacy Regulation, January 24, 2003.
Sec. 505.2 General provisions.
(a) Individual privacy rights policy. Army policy concerning the privacy rights of individuals and the Army's responsibilities for compliance with the Privacy Act are as follows
(1) Protect the privacy of United States living citizens and aliens lawfully admitted for permanent residence from unwarranted intrusion.
(2) Deceased individuals do not have Privacy Act rights, nor do executors or next-of-kin in general. However, immediate family members may have limited privacy rights in the manner of death details and funeral arrangements of the deceased individual. Family members often use the deceased individual's Social Security Number (SSN) for federal entitlements; appropriate safeguards must be implemented to protect the deceased individual's SSN from release. Also, the Health Insurance Portability and Accountability Act extends protection to certain medical information contained in a deceased individual's medical records.
(3) Personally identifiable health information of individuals, both living and deceased, shall not be used or disclosed except for specifically permitted purposes.
(4) Maintain only such information about an individual that is necessary to accomplish the Army's mission.
(5) Maintain only personal information that is timely, accurate, complete, and relevant to the collection purpose.
(6) Safeguard personal information to prevent unauthorized use, access, disclosure, alteration, or destruction.
(7) Maintain records for the minimum time required in accordance with an approved National Archives and Records Administration record disposition.
(8) Let individuals know what Privacy Act records the Army maintains by publishing Privacy Act system of records notices in the Federal Register. This will enable individuals to review and make copies of these records, subject to the exemptions authorized by law and approved by the Secretary of the Army. Department of the Army Privacy Act systems of records notices are available at http://www.defenselink.mil/privacy .
(9) Permit individuals to correct and amend records about themselves which they can prove are factually in error, not timely, not complete, not accurate, or not relevant.
(10) Allow individuals to request an administrative review of decisions that deny them access to or the right to amend their records.
(11) Act on all requests promptly, accurately, and fairly.
(12) Keep paper and electronic records that are retrieved by name or personal identifier only in approved Privacy Act systems of records.
(13) Maintain no records describing how an individual exercises his or her rights guaranteed by the First Amendment (freedom of religion, freedom of political beliefs, freedom of speech and press, freedom of peaceful assemblage, and petition) unless expressly authorized by statute, pertinent to and within the scope of an authorized law enforcement activity, or otherwise authorized by law or regulation.
(14) Maintain appropriate administrative, technical and physical safeguards to ensure records are protected from unauthorized alteration or disclosure.
(b) Safeguard personal information. (1) Privacy Act data will be afforded reasonable safeguards to prevent inadvertent or unauthorized disclosure of records during processing, storage, transmission, and disposal.
(2) Personal information should never be placed on shared drives that are accessed by groups of individuals unless each person has an ``official need to know'' the information in the performance of official duties.
[[Page 46055]]
(3) Safeguarding methods must strike a balance between the sensitivity of the data, need for accuracy and reliability for operations, general security of the area, and cost of the safeguards. In some situations, a password may be enough protection for an automated system with a logon protocol. For additional guidance on safeguarding personal information in automated records see AR 380-67, The Department of the Army Personnel Security Program.
(c) Conveying privacy protected data electronically via email and the World Wide Web. (1) Unencrypted electronic transmission of privacy protected data makes the Army vulnerable to information interception which can cause serious harm to the individual and the accomplishment of the Army's mission.
(2) The Privacy Act requires that appropriate technical safeguards be established, based on the media (e.g., paper, electronic) involved, to ensure the security of the records and to prevent compromise or misuse during transfer.
(3) Privacy Web sites and hosted systems with privacy-protected data will employ secure sockets layers (SSL) and Public Key Infrastructure (PKI) encryption certificates or other DoD-approved commercially available certificates for server authentication and client/server authentication. Individuals who transmit data containing personally identifiable information over email will employ PKI or other DoD-approved certificates.
(4) When sending Privacy Act protected information within the Army using encrypted or dedicated lines, ensure that
(i) There is an ``official need to know'' for each addressee (including ``cc'' addressees); and
(ii) The Privacy Act protected information is marked For Official Use Only (FOUO) to inform the recipient of limitations on further dissemination. For example, add FOUO to the beginning of an email message, along with the following language: ``This contains FOR OFFICIAL USE ONLY (FOUO) information which is protected under the Privacy Act of 1974 and AR 340-21, The Army Privacy Program. Do not further disseminate this information without the permission of the sender.''
(iii) Do not indiscriminately apply this statement. Use it only in situations when actually transmitting protected Privacy Act information.
(iv) For additional information about marking documents ``FOUO'' review AR 25-55, Chapter IV.
(5) Add appropriate ``Privacy and Security Notices'' at major Web site entry points. Refer to AR 25-1, para 6-4n for requirements for posting ``Privacy and Security Notices'' on public Web sites. Procedures related to the establishing, operating, and maintaining of unclassified DA Web sites can be accessed at http://www.defenselink.mil/webmasters/policy/DOD_web_policy.
(6) Ensure public Web sites comply with policies regarding restrictions on persistent and third-party cookies. The Army prohibits both persistent and third-party cookies (see AR 25-1, para 6-4n).
(7) A Privacy Advisory is required on Web sites which host information systems soliciting personally identifying information, even when not maintained in a Privacy Act system of records. The Privacy Advisory informs the individual why the information is solicited and how it will be used. Post the Privacy Advisory to the Web site page where the information is being solicited, or to a well marked hyperlink stating ``Privacy Advisory--Please refer to the Privacy and Security Notice that describes why this information is collected and how it will be used.''
(d) Protecting records containing personal identifiers such as names and Social Security Numbers. (1) Only those records covered by a Privacy Act system of records notice may be arranged to permit retrieval by a personal identifier (e.g., an individual's name or Social Security Number). AR 25-400-2, paragraph 6-2 requires all records covered by a Privacy Act system of records notice to include the system of record identification number on the record label to serve as a reminder that the information contained within must be safeguarded.
(2) Use a coversheet or DA Label 87 (For Official Use Only) for individual records not contained in properly labeled file folders or cabinets.
(3) When developing a coversheet, the following is an example of a statement that you may use: ``The information contained within is FOR OFFICIAL USE ONLY (FOUO) and protected by the Privacy Act of 1974.''
(e) Notification of Individuals when personal information is lost, stolen, or compromised. (1) Whenever an Army organization becomes aware that protected personal information pertaining to a Service member, civilian employee (appropriated or non-appropriated fund), military retiree, family member, or another individual affiliated with an Army organization (e.g., volunteer) has been lost, stolen, or compromised, the organization shall inform the affected individuals as soon as possible, but not later than ten days after the loss or compromise of protected personal information is discovered.
(2) At a minimum, the organization shall advise individuals of what specific data was involved; the circumstances surrounding the loss, theft, or compromise; and what protective actions the individual can take.
(3) If Army organizations are unable to comply with policy, they will immediately notify their superiors, who will submit a memorandum through the chain of command to the Administrative Assistant of the Secretary of the Army to explain why the affected individuals or population's personal information has been lost, stolen, or compromised.
(4) This policy is also applicable to Army contractors who collect, maintain, use, or disseminate protected personal information on behalf of the organization.
(f) Federal government contractors' compliance. (1) When a DA activity contracts for the design, development, or operation of a Privacy Act system of records in order to accomplish a DA mission, the agency must apply the requirements of the Privacy Act to the contractor and its employees working on the contract (See 48 CFR part 24 and other applicable supplements to the FAR; 32 CFR part 310).
(2) System Managers will review annually, contracts contained within the system(s) of records under their responsibility, to determine which ones contain provisions relating to the design, development, or operation of a Privacy Act system of records.
(3) Contractors are considered employees of the Army for the purpose of the sanction provisions of the Privacy Act during the performance of the contract requirements.
(4) Disclosing records to a contractor for use in performing the requirements of an authorized DA contract is considered a disclosure within the agency under exception (b)(1), ``Official Need to Know'', of the Act.
Sec. 505.3 Privacy Act systems of records.
(a) Systems of records. (1) A system of records is a group of records under the control of a DA activity that are retrieved by an individual's name or by some identifying number, symbol, or other identifying particular assigned to an individual.
(2) Privacy Act systems of records must be
(i) Authorized by Federal statute or an Executive Order;
(ii) Needed to carry out DA's mission; and
(iii) Published in the Federal Register in a system of records notice, which will provide the public an opportunity to comment before DA implements or changes the system.
[[Page 46056]]
(3) The mere fact that records are retrievable by a name or personal identifier is not enough. Records must actually be retrieved by a name or personal identifier. Records in a group of records that may be retrieved by a name or personal identifier but are not normally retrieved by this method are not covered by this part. However, they are covered by AR 25-55, the Department of the Army Freedom of Information Act Program.
(4) The existence of a statute or Executive Order mandating the maintenance of a system of records to perform an authorized activity does not abolish the responsibility to ensure the information in the system of records is relevant and necessary to perform the authorized activity.
(b) Privacy Act system of records notices. (1) DA must publish notices in the Federal Register on new, amended, altered, or deleted systems of records to inform the public of the Privacy Act systems of records that it maintains. The Privacy Act requires submission of new or significantly changed systems of records to OMB and both houses of Congress before publication in the Federal Register (See Appendix E of this part).
(2) Systems managers must send a proposed notice at least 120 days before implementing a new, amended or altered system to the DA Freedom of Information and Privacy Office. The proposed or altered notice must include a narrative statement and supporting documentation. A narrative statement must contain the following items:
(i) System identifier and name;
(ii) Responsible Official, title, and phone number;
(iii) If a new system, the purpose of establishing the system or if an altered system, nature of changes proposed;
(iv) Authority for maintenance of the system;
(v) Probable or potential effects of the system on the privacy of individuals;
(vi) Whether the system is being maintained, in whole or in part, by a contractor;
(vii) Steps taken to minimize risk of unauthorized access;
(viii) Routine use compatibility;
(ix) Office of Management and Budget information collection requirements; and
(x) Supporting documentation as an attachment. Also as an attachment should be the proposed new or altered system notice for publication in the Federal Register.
(3) An amended or altered system of records is one that has one or more of the following:
(i) A significant increase in the number, type, or category of individuals about whom records are maintained;
(ii) A change that expands the types of categories of information maintained;
(iii) A change that alters the purpose for which the information is used;
(iv) A change to equipment configuration (either hardware or software) that creates substantially greater access to the records in the system of records;
(v) An addition of an exemption pursuant to Section (j) or (k) of the Act; or
(vi) An addition of a routine use pursuant to 5 U.S.C. 552a(b)(3).
(4) For additional guidance contact the DA FOIA/P Office.
(5) On behalf of DA, the Defense Privacy Office maintains a list of DOD Components' Privacy Act system of records notices at the Defense Privacy Office's Web site http://www.defenselink.mil/privacy.
(6) DA PAM 25-51 sets forth procedures pertaining to Privacy Act system of records notices.
(7) For new systems, system managers must establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records. This applies to all new systems of records whether maintained manually or automated.
(i) One safeguard plan is the development and use of a Privacy Impact Assessment (PIA) mandated by the E-Gov Act of 2002, Section 208. The Office of Management and Budget specifically directs that a PIA be conducted, reviewed, and published for all new or significantly altered information in identifiable form collected from or about the members of the public. The PIA describes the appropriate administrative, technical, and physical safeguards for new automated systems. This will assist in the protection against any anticipated threats or hazards to the security or integrity of data, which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. Contact your local Information Officer for guidance on conducting a PIA.
(ii) The development of appropriate safeguards must be tailored to the requirements of the system as well as other factors, such as the system environment, location, and accessibility.
Sec. 505.4 Collecting personal information.
(a) General provisions. (1) Employees will collect personal information to the greatest extent practicable directly from the subject of the record. This is especially critical, if the information may result in adverse determinations about an individual's rights, benefits, and privileges under federal programs (See 5 U.S.C. 552a(e)(2)).
(2) It is unlawful for any Federal, State, or local government agency to deny anyone a legal right, benefit, or privilege provided by law for refusing to give their SSN unless the law requires disclosure, or a law or regulation adopted before January 1, 1975, required the SSN or if DA uses the SSN to verify a person's identity in a system of records established and in use before that date. Executive Order 9397 (issued prior to January 1, 1975) authorizes the Army to solicit and use the SSN as a numerical identifier for individuals in most federal records systems. However, the SSN should only be collected as needed to perform official duties. Executive Order 9397 does not mandate the solicitation of SSNs from Army personnel as a means of identification.
(3) Upon entrance into military service or civilian employment with DA, individuals are asked to provide their SSN. The SSN becomes the service or employment number for the individual and is used to establish personnel, financial, medical, and other official records. After an individual has provided his or her SSN for the purpose of establishing a record, the Privacy Act Statement is not required if the individual is only requested to furnish or verify the SSN for identification purposes in connection with the normal use of his or her records. If the SSN is to be used for a purpose other than identification, the individual must be informed whether disclosure of the SSN is mandatory or voluntary; by what statutory authority the SSN is solicited; and what uses will be made of the SSN. This notification is required even if the SSN is not to be maintained in a Privacy Act system of records.
(4) When asking an individual for his or her SSN or other personal information that will be maintained in a system of records, the individual must be provided with a Privacy Act Statement.
(b) Privacy Act Statement (PAS). (1) A Privacy Act Statement is required whenever personal information is requested from an individual and will become part of a Privacy Act system of records. The information will be retrieved by the individual's name or other personal identifier (See 5 U.S.C. 552a(e)(3)).
[[Page 46057]]
(2) The PAS will ensure that individuals know why the information is being collected so they can make an informed decision as to providing the personal information.
(3) In addition, the PAS will include language that is explicit, easily understood, and not so lengthy as to deter an individual from reading it.
(4) A sign can be displayed in areas where people routinely furnish this kind of information, and a copy of the PAS will be made available upon request by the individual.
(5) Do not ask the person to sign the PAS.
(6) A Privacy Act Statement must include the following four items:
(i) Authority: Cite the specific statute or Executive Order, including a brief title or subject that authorizes the DA to collect the personal information requested.
(ii) Principal Purpose(s): Cite the principal purposes for which the information will be used.
(iii) Routine Uses: A list of where and why the information will be disclosed OUTSIDE of DOD. Applicable routine uses are published in the applicable Privacy Act system of records notice(s). If none, the language to be used is: ``Routine Use(s): None. However, the `Blanket Routine Uses' set forth at the beginning of the Army's compilation of systems of records notices apply.''
(iv) Disclosure: Voluntary or Mandatory. Include in the Privacy Act Statement specifically whether furnishing the requested personal data is mandatory or voluntary. A requirement to furnish personal data is mandatory ONLY when a federal statute, Executive Order, regulation, or other law specifically imposes a duty on the individual to provide the information sought, and when the individual is subject to a penalty if he or she fails to provide the requested information. If providing the information is only a condition of or prerequisite to granting a benefit or privilege and the individual has the option of receiving the benefit or privilege, providing the information is always voluntary. However, the loss or denial of the privilege, benefit, or entitlement sought must be listed as a consequence of not furnishing the requested information.
(7) Some acceptable means of administering the PAS are as follows, in the order of preference:
(i) Below the title of the media used to collect the personal information. The PAS should be positioned so that the individual will be advised of the PAS before he or she provides the requested information;
(ii) Within the body with a notation of its location below the title;
(iii) On the reverse side with a notation of its location below the title;
(iv) Attached as a tear-off sheet; or
(v) Issued as a separate supplement.
(8) An example of a PAS is at appendix B of this part.
(9) Include a PAS on a Web site page if it collects information directly from an individual and is retrieved by his or her name or personal identifier (See Office of Management and Budget Privacy Act Guidelines, 40 FR 28949, 28961 (July 9, 1975)).
(10) Army policy prohibits the collection of personally identifying information on public Web sites without the express permission of the user. Requests for exceptions must be forwarded to the Army CIO/G-6. (See AR 25-1, para 6-4n.)
(c) Collecting personal information from third parties. (1) It may not be practical to collect personal information directly from the individual in all cases. Some examples of when collection from third parties may be necessary are when:
(i) Verifying information;
(ii) Opinions or evaluations are needed;
(iii) The subject cannot be contacted; or
(iv) At the request of the subject individual.
(2) When asking third parties to provide information about other individuals, they will be advised of:
(i) The purpose of the request; and
(ii) Their rights to confidentiality as defined by the Privacy Act of 1974 (Consult with your servicing Staff Judge Advocate for potential limitations to the confidentiality that may be offered pursuant to the Privacy Act).
(d) Confidentiality promises. Promises of confidentiality must be prominently annotated in the record to protect from disclosure any information provided in confidence pursuant to 5 U.S.C. 552a(k)(2), (k)(5), or (k)(7).
Sec. 505.5 Individual access to personal information.
(a) Individual access. (1) The access provisions of this part are intended for use by individuals whose records are maintained in a Privacy Act system of records. If a representative acts on their behalf, a written authorization must be provided, with the exception of members of Congress acting on behalf of a constituent.
(2) A Department of the Army ``Blanket Routine Use'' allows the release of Privacy Act protected information to members of Congress when they are acting on behalf of the constituent and the information is filed and retrieved by the constituent's name or personal identifier. The said ``Blanket Routine Use'' is listed below. ``Congressional Inquiries Disclosure Routine Use: Disclosure from a system of records maintained by a DOD Component may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.''
(3) Upon a written request, an individual will be granted access to information pertaining to him or her that is maintained in a Privacy Act system of records, unless:
(i) The information is subject to an exemption, the system manager has invoked the exemption, and the exemption is published in the Federal Register; or
(ii) The information was compiled in reasonable anticipation of a civil action or proceeding.
(4) Legal guardians or parents acting on behalf of a minor child have the minor child's rights of access under this part, unless the records were created or maintained pursuant to circumstances where the interests of the minor child were adverse to the interests of the legal guardian or parent.
(5) These provisions should allow for the maximum release of information consistent with Army and DOD's statutory responsibilities.
(b) Individual requests for access. (1) Individuals will address requests for access to records in a Privacy Act system of records to the system manager or the custodian of the record designated in DA systems of records notices (See DA PAM 25-51 or the Defense Privacy Office's Web site http://www.defenselink.mil/privacy).
(2) Individuals do not have to state a reason or justify the need to gain access to records under the Act.
(3) Release of personal information to individuals under this section is not considered a ``public release'' of information.
(c) Verification of identity for first party requesters. (1) Before granting access to personal data, an individual will provide reasonable verification of identity.
(2) When requesting records in writing, the preferred method of verifying identity is the submission of a notarized signature. An alternative method of verifying identity for individuals who do not have access to notary services is the submission of an unsworn declaration in accordance with 28 U.S.C. 1746 in the following format:
(i) If executed within the United States, its territories, possessions, or commonwealths: ``I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature)''.
(ii) If executed outside of the United States: ``I declare under perjury or penalty under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).''
(3) When an individual seeks access in person, identification can be verified by documents normally carried by the individual (such as identification card, driver's license, or other license, permit or pass normally used for identification purposes). However, the level of proof of identity is commensurate with the sensitivity of the records sought. For example, more proof is required to access medical records than is required to access parking records.
(4) Telephonic requests will not be honored.
(5) An individual cannot be denied access solely for refusal to provide his or her Social Security Number (SSN) unless the SSN was required for access by statute or regulation adopted prior to January 1, 1975.
(6) If an individual wishes to have his or her records released directly to a third party or to be accompanied by a third party when seeking access to his or her records, reasonable proof of authorization must be obtained. The individual may be required to furnish a signed access authorization with a notarized signature or other proof of authenticity (e.g., telephonic confirmation) before granting the third party access.
(d) Individual access to medical records. (1) An individual must be given access to his or her medical and psychological records unless a judgment is made that access to such records could have an adverse effect on the mental or physical health of the individual. This determination normally should be made in consultation with a medical doctor. Additional guidance is provided in DOD 5400.11-R, Department of Defense Privacy Program. In this instance, the individual will be asked to provide the name of a personal health care provider, and the records will be provided to that health care provider, along with an explanation of why access without medical supervision could be harmful to the individual.
(2) Information that may be harmful to the record subject should not be released to a designated individual unless the designee is qualified to make psychiatric or medical determinations.
(3) DA activities may offer the services of a military physician, other than the one who provided the treatment.
(4) Do not require the named health care provider to request the records for the individual.
(5) The agency's decision to furnish the records to a medical designee and not directly to the individual is not considered a denial for reporting purposes under the Act and cannot be appealed.
(6) However, no matter what the special procedures are, DA has a statutory obligation to ensure that access is provided to the individual.
(7) Regardless of age, all DA military personnel and all married persons are considered adults. The parents of these individuals do not have access to their medical records without written consent of the individual.
(8) DOD 6025.18-R, DOD Health Information Privacy Regulation, issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, has placed additional procedural requirements on the uses and disclosure of individually identifiable health information beyond those found in the Privacy Act of 1974 and this part. In order to be in compliance with HIPAA, the additional guidelines and procedures will be reviewed before release of an individual's identifiable health information.
(e) Personal notes. (1) The Privacy Act does not apply to personal notes of individuals used as memory aids. These documents are not Privacy Act records and are not subject to this part.
(2) The five conditions for documents to be considered personal notes are as follows:
(i) Maintained and discarded solely at the discretion of the author;
(ii) Created only for the author's personal convenience and the notes are restricted to that of memory aids;
(iii) Not the result of official direction or encouragement, whether oral or written;
(iv) Not shown to others for any reason; and
(v) Not filed in agency files.
(3) Any disclosure from personal notes, either intentional or through carelessness, removes the information from the category of memory aids and the personal notes then become subject to provisions of the Act.
(f) Denial or limitation of individual's right to access. (1) Even if the information is filed and retrieved by an individual's name or personal identifier, his or her right to access may be denied if:
(i) The records were compiled in reasonable anticipation of a civil action or proceeding including any action where DA expects judicial or administrative adjudicatory proceedings. The term ``civil action or proceeding'' includes quasi-judicial, pretrial judicial, and administrative proceedings, as well as formal litigation;
(ii) The information is about a third party and does not pertain to the requester. A third party's SSN and home address will be withheld. However, information about the relationship between the individual and the third party would normally be disclosed as it pertains to the individual;
(iii) The records are in a system of records that has been properly exempted by the Secretary of the Army from the access provisions of this part and the information is exempt from release under a provision of the Freedom of Information Act (See appendix C of this part for a list of applicable Privacy Act exemptions, exceptions, and ``Blanket'' routine uses);
(iv) The records contain properly classified information that has been exempted from the access provision of this part;
(v) The records are not described well enough to enable them to be located with a reasonable amount of effort on the part of an employee familiar with the file. Requesters should reasonably describe the records they are requesting. They do not have to designate a Privacy Act system of records notice identification number, but they should at least identify a type of record or functional area. For requests that ask for ``all records about me,'' DA personnel should ask the requester for more information to narrow the scope of his or her request; and
(vi) Access is sought by an individual who fails or refuses to comply with Privacy Act established procedural requirements, including refusing to pay fees.
(2) Requesters will not use government equipment, supplies, stationery, postage, telephones, or official mail channels for making Privacy Act requests. System managers will process such requests but inform requesters that using government resources to make Privacy Act requests is not authorized.
(3) When a request for information contained in a Privacy Act system of records is denied in whole or in part, the Denial Authority or designee shall inform the requester in writing and explain why the request for access has been refused.
(4) A request for access, notification, or amendment of a record shall be acknowledged in writing within 10 working days of receipt by the proper system manager or record custodian.
(g) Relationship between the Privacy Act and the Freedom of Information Act. (1) Not all requesters know the appropriate statutory authority to cite when requesting information. In some instances, they may cite neither the PA nor the Freedom of Information Act in their request. In some instances they may cite one Act but not the other. The Freedom of Information Act and the PA work together to ensure that requesters receive the greatest amount of information possible.
(2) Do not deny the individual access to his or her records simply because he or she failed to cite the appropriate statute or regulation.
(3) If the records are required to be released under the Freedom of Information Act, the PA will never block disclosure to the requester. If the PA allows the DA activity to deny access to an individual, the Freedom of Information Act must still be applied, and the information released if required by the Freedom of Information Act.
(4) Unlike the Freedom of Information Act, the Privacy Act applies only to U.S. citizens and aliens lawfully admitted for permanent residence.
(5) Requesters who seek records about themselves contained in a Privacy Act system of records (1st party requesters) and who cite or imply only the Privacy Act, will have their request processed under the provisions of both the PA and the Freedom of Information Act. If the information requested is not contained in a Privacy Act system of records or is not about the requester, the individual's request will be processed under the provisions of the Freedom of Information Act only, and the Freedom of Information Act processing requirements/time lines will apply.
(6) Third party information. (i) Third party information contained in a Privacy Act system of records that does not pertain to the requester, such as SSN, home addresses, and other purely personal information that is not about the requester, will be processed under the provisions of the Freedom of Information Act only. Third party information that is not about the requester is not subject to the Privacy Act's first party access provision.
(ii) Information about the relationship between the first party requester and a third party is normally disclosed as pertaining to the first party requester. Consult your servicing Staff Judge Advocate if there is a question about the release of third party information to a first party requester.
(7) If an individual requests information about them contained in a Privacy Act system of records, the individual may be denied the information only if the information is exempt under both the PA and the Freedom of Information Act. Both PA and Freedom of Information Act exemptions will be cited in the denial letter and appeals will be processed in accordance with both Acts.
(8) Each time a first party requester cites or implies the PA, perform this analysis:
(i) Is the request from a living United States citizen or an alien lawfully admitted for permanent residence?
(ii) Is the individual requesting an agency record?
(iii) Are the records within a PA system of records that are filed and retrieved by an individual's name or other personal identifier? (If the answer is ``yes'' to all of these questions, then the records should be processed under the ``Privacy Act'') and
(iv) Does the information requested pertain exclusively to the requester?
(A) If yes, no further consideration of Freedom of Information Act exemptions is required. Release all information unless a PA exemption authorizes withholding.
(B) If no, process the information that is not about the requester under the Freedom of Information Act and withhold only if a proper Freedom of Information Act exemption applies.
(h) Functional requests. If an individual asks for his or her records and does not cite or reasonably imply either the Privacy Act or the Freedom of Information Act, and another prescribing directive or regulation authorizes the release, the records should be released under that other directive or regulation and not the PA or the FOIA. Examples of functional requests are military members asking to see their Official Military Personnel Records or civilian employees asking to see their Official Personnel Folder.
(i) Procedures for denying or limiting an individual's right to access or amendment and the role of the Denial Authority. (1) The only officials authorized to deny a request for records or a request to amend records in a PA system of records pertaining to the requesting individual, are the appropriate Denial Authorities, their designees, or the Secretary of the Army who will be acting through the General Counsel.
(2) Denial Authorities are authorized to deny requests, either in whole or in part, for notification, access and amendment of Privacy Act records contained in their respective areas of responsibility.
(i) The Denial Authority may delegate all or part of their authority to a division chief under his or her supervision within the Agency in the grade of O-5/GS-14 or higher. All delegations must be in writing.
(ii) The Denial Authority will send the names, office names, and telephone numbers of their delegates to the DA Freedom of Information and Privacy Office.
(iii) If a Denial Authority delegate denies access or amendment, the delegate must clearly state that he or she is acting on behalf of the Denial Authority, who must be identified by name and position in the written response to the requester. Denial Authority designation will not delay processing privacy requests/actions.
(iv) The official Denial Authorities, for records under their authority, are listed in appendix B of this part. The individuals designated as Denial Authorities under this part are the same individuals designated as Initial Denial Authorities under AR 25-55, the Department of the Army Freedom of Information Act Program. However, delegation of Denial Authority pursuant to this part does not automatically encompass delegation of Initial Denial Authority under AR 25-55. Initial Denial Authority must be expressly delegated pursuant to AR 25-55 for an individual to take action on behalf of an Initial Denial Authority under AR 25-55.
(3) The custodian of the record will acknowledge requests for access made under the provisions of the Privacy Act within 10 working days of receipt.
(4) Requests for information recommended for denial will be forwarded to the appropriate Denial Authority, along with a copy of the records and justification for withholding the record. At the same time, notify the requester of the referral to the Denial Authority for action. All documents or portions thereof determined to be releasable to the requester will be released to the requester before forwarding the case to the Denial Authority.
(5) Within 30 working days, the Denial Authority will provide the following notification to the requester in writing if the decision is to deny the requester access to the information.
(6) Included in the notification will be:
(i) Denying Official's name, position title, and business address;
(ii) Date of the denial;
(iii) The specific reason for the denial, citing the appropriate subsections of the Privacy Act, the Freedom of Information Act, AR 25-55, The Department of the Army Freedom of Information Act Program and this part; and
(iv) The individual's right to administratively appeal the denial within 60 calendar days of the mailing date of the notice, through the Denial Authority, to the Office of the General Counsel, Secretary of the Army, 104 Army Pentagon, Washington, DC 20310-0104.
(7) The appeal must be in writing and the requester should provide a copy of the denial letter and a statement of their reasons for seeking review.
(8) For denials made by the DA when the record is maintained in a Government-wide system of records, an individual's request for further review must be addressed to each of the appropriate government Privacy Act offices listed in the Privacy Act system of records notices. For a current listing of Government-wide Privacy Act system of records notices see the Defense Privacy Office's Web site http://www.defenselink.mil/privacy or DA PAM 25-51.
(j) No records determinations. (1) Since a no records response may be considered an ``adverse'' determination, the Denial Authority must make the final determination that no records exist. The originating agency shall notify the requester that an initial determination has been made that there are no responsive records; however, the final determination will be made by the Denial Authority. A no records certificate must accompany a no records determination that is forwarded to the Denial Authority.
(2) The Denial Authority must provide the requester with appeal rights.
(k) Referral of requests. (1) A request received by a DA activity having no records responsive to a request shall be referred to another DOD Component or DA activity, if the other Component or activity confirms that they have the requested records, or verifies that they are the proper custodian for that type of record. The requester will be notified of the referral. In cases where the DA activity receiving the request has reason to believe that the existence or nonexistence of the record may in itself be classified, that activity will consult the Component or activity having cognizance over the records in question before referring the request. If the Component or activity that is consulted determines that the existence or nonexistence of the records is in itself classified, the requester shall be so notified by the DA activity originally receiving the request that it can neither confirm nor deny the existence of the record, and no referral shall take place.
(2) A DA activity shall refer a Privacy Act request for a classified record that it holds to another DOD Component, DA activity, or agency outside the Department of Defense, if the record originated in the other DOD Component, DA activity, or outside agency, or if the classification is derivative. The referring DA activity will provide the records and a release recommendation with the referral action.
(3) Any DA activity receiving a request that has been misaddressed will refer the request to the proper address and advise the requester.
(4) Within DA, referrals will be made directly to offices having custody of the requested records (unless the Denial Authority is the custodian of the requested records). If the office receiving the Privacy Act request does not know where the requested records are located, the office will contact the DA FOIA/P Office, to determine the appropriate office for referral.
(5) The requester will be informed of the referral whenever records or a portion of records are, after prior consultation, referred to another activity for a release determination and direct response. Additionally, the DA activity referral letter will accomplish the following:
(i) Fully describe the Privacy Act system of records from which the document was retrieved; and
(ii) Indicate whether the referring activity claims any exemptions in the Privacy Act system of records notice.
(6) Within the DA, an activity will refer a Privacy Act request for records that it holds but was originated by another activity, to the originating activity for direct response. An activity will not, in any case, release or deny such records without prior consultation with the originating activity. The requester will be notified of such referral.
(7) A DA activity may refer a Privacy Act request for records that originated in an agency outside of DOD, or that is based on information obtained from an agency outside the DOD, to that agency for direct response to the requester, only if that agency is subject to the Privacy Act. Otherwise, the DA activity must respond to the request.
(8) DA activities will not honor any Privacy Act requests for investigative, intelligence, or any other type of records that are on loan to the Department of Defense for a specific purpose, if the records are restricted from further release in writing. Such requests will be referred to the agency that provided the records.
(9) A DA activity will notify requesters seeking National Security Council (NSC) or White House documents that they should write directly to the NSC or White House for such documents. DA documents in which the NSC or White House have a concurrent reviewing interest will be forwarded to the Department of Defense, Office of Freedom of Information and Security Review, which will coordinate with the NSC or White House, and return the documents to the originating DA activity after NSC or White House review. NSC or White House documents discovered in DA activity files which are responsive to a Privacy Act request will be forwarded to DOD for coordination and return with a release determination.
(10) To the extent referrals are consistent with the policies expressed above, referrals between offices of the same DA activity are authorized.
(l) Reproduction fees. (1) Use fees only to recoup direct reproduction costs associated with granting access.
(2) DA activities may use discretion in their decision to charge for the first copy of records provided to an individual to whom the records pertain. Thereafter, fees will be computed pursuant to the fee schedule set forth in AR 25-55, including the fee waiver provisions.
(3) Checks or money orders for fees should be made payable to the Treasurer of the United States and will be deposited in the miscellaneous receipts of the treasury account maintained at the activity's finance office.
(4) Reproduction costs shall only include the direct costs of reproduction and shall not include costs of:
(i) Time or effort devoted to searching for or reviewing the records by personnel;
(ii) Fees not associated with the actual cost of reproduction;
(iii) Producing a copy when it must be provided to the individual without cost under another regulation, directive, or law;
(iv) Normal postage;
(v) Transportation of records or personnel; or
(vi) Producing a copy when the individual has requested only to review the records and has not requested a copy, and the only means of allowing review is to make a copy (e.g., the records are stored in a computer and a copy must be printed to provide individual access, or the activity does not wish to surrender temporarily the original records for the individual to review).
(m) Privacy Act case files. (1) Whenever an individual submits a Privacy Act request, a case file will be established. This Privacy Act case file is a specific type of file that is governed by a specific Privacy Act system of records notice. In no instance will the individual's Privacy Act request and corresponding Army actions be included in the individual's military personnel file or other military filing systems, such as adverse action files or general legal files, and in no instance will the Privacy Act case file be

FOR FURTHER INFORMATION CONTACT: Ms. Janice Thornton at (703) 428-6503.