Knowledge Management Block 2
DPCLO
Defense Privacy and Civil Liberties Office
Compliance
Department of Defense (DoD) personnel are expected to comply with the FOIA, Instructions and FOIA policy in both letter and spirit. This strict adherence is necessary to provide uniformity in the implementation of the DoD FOIA Program and create conditions that will promote public trust.
Information designated as FOUO may be disseminated within
DoD Components and between official DoD offices to conduct official business provided dissemination is consistent with controls imposed by a distribution statement.
Avoidance of Procedural Obstacles
DoD components shall ensure that procedural matters do not unnecessarily impede a requester from obtaining DoD records promptly. Components shall provide assistance to requesters to help them understand and comply with procedures established by DoD/Air Force policy.
ERR
Electronic Reading Room
EITDR
Enterprise Information Technology Data Repository
Information maintained in Information Technology (IT) systems is stored in the ___________________________________.
Enterprise Information Technology Data Repository (EITDR)
FR
Federal Register
CONSTITUTIONAL AND AMENDMENT RIGHTS
First Amendment - Freedom of Religion; Freedom of Speech or Press, Right to Assemble and to Petition the Government for redress of grievances. Second Amendment - Right to Keep and Bear Arms. Fourth Amendment - Right Against Unreasonable Searches and Seizures. Fifth Amendment - Prohibition Against Deprivation of Life, Liberties, or Property, without due process of law. Fourteenth Amendment - Due Process and Equal Protection. Fifteenth, Nineteenth and Twenty-Sixth Amendments: Right to Vote
FOUO
For Official Use Only
FOIA
Freedom of Information Act
DoD 5400.7-R_AFMAN 33-302
Freedom of Information Act Program, includes statute 5 U.S.C. § 552
PAS Purpose
Identifies the principal purpose or purposes for which the information is intended to be used.
PAS Disclosure
Identifies whether disclosure of information is voluntary or mandatory. (Mandatory is used when disclosure is required by law and the individual will be penalized for not providing information. All mandatory disclosure requirements must first be reviewed by the servicing legal office). Include any consequences of nondisclosure in non-threatening language.
Sensitive PII
If lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual when grouped with a name or unique identifier.
Non-Sensitive PII
If lost, compromised, or disclosed without authorization, Non-sensitive PII would NOT result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
MAJCOM/A6s and Wing Commanders Civil Liberties responsibilities
Implement the AF Civil Liberties program for personnel under their command/supervision. Appoint a Civil Liberties Point of Contact (POC) for their organization with commensurate duties and responsibilities. This individual is normally the Privacy Manager.
PAS AF SORN(s)
Lists applicable SORN by number and title
PAS Authority
Lists the legal authority that authorizes the solicitation of the personal information.
PAS Routine Uses
Lists who the personal information will be shared with on a routine basis outside the DoD.
Review end of year report
Mandated by law and reported on a fiscal year basis to the Directorate for Freedom of Information and Security Review office.
Step 2 - Determine Sufficiency of Request
Before disclosing any records, including whether records exist, the privacy manager should review the sufficiency of the request. The manager must seek clarification from the requester if the information supplied to locate and identify the records is insufficient. Misdirected requests must be forwarded to the appropriate location with a copy of the referral to the requestor.
Individuals can be granted access to FOUO information
When a valid need in connection with the accomplishment of a lawful and authorized Government purpose has been determined. Granted by the individual who has authorized possession, knowledge, or control of the information and not on the prospective recipient.
United States Postal Service
When transmitting via USPS, FOUO information is sent using first class, parcel post or fourth class.
Privacy Act Statement (PAS)
Personal information is maintained in a SOR or collected on an official AF Form.
PII
Personally Identifiable Information
What is Privacy Act Information?
Personally Identifiable Information (PII) which is personal information that is maintained in a System of Record (SOR). All agencies are required to give public notice of their SOR by publication in the Federal Register.
PA
Privacy Act
Warning Banner
Privacy Act Notices and Markings that are made available to individuals when their personal information is requested.
PA OPR
Privacy Act Office of Primary Responsibility
What is designated at each organization level to manage and implement the Air Force Privacy Act Program?
Privacy Act Office of Primary Responsibility (PA OPR)
PAS
Privacy Act Statement
PIA
Privacy Impact Assessments
Step 3 - Respond to the Requester
Privacy Managers must acknowledge requests for PA records within 10 days (excluding weekends and federal holidays) of receipt. Managers should date stamp the request upon receipt. If requested records are not immediately available, the manager must give the requester a date of availability. If records cannot be found or have been destroyed, the custodian must inform the requester.
Step 5 - Record Disclosures
Privacy managers must keep an accurate record of all disclosures made from any SOR except disclosures to DoD personnel for a valid official use. Use AF Form 771, Accounting of Disclosures. Retain disclosure accountings for 5 years after the disclosure, or for the life of the record, whichever is longer.
Findings that led to the citing of Public Law 93-579 were:
Privacy of an individual was directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies. The increasing use of computers and technology to perform essential operations magnified the harm to individual privacy. Opportunities to secure credit, employment, insurance, and other legal protections are endangered by the misuse of certain information systems.
What public law became the Privacy Act of 1974?
Public Law 93-579
Protection During Work Hours
Reasonable steps shall be taken to minimize risk of access by unauthorized personnel. FOUO information should be covered and placed out of sight. If available, use a privacy screen for monitors when working on electronic FOUO information.
RDS
Records Disposition Schedule
Base Records Managers are consulted prior to the deletion of any records to ensure records are authorized for destruction according to the ____________________.
Records Disposition Schedule (RDS)
RSC
Requester Service Center
US-CERT
United States Computer Emergency Readiness Team
Methods of Transmission
United States Postal Service (USPS), hand carry, or electronic transmission.
Labeling the removable device
Use the Standard Form (SF) 706 - Top Secret, 707 - Secret, 708 - Confidential, or 710 - Unclassified. Identifies the highest classification level of the information stored on the device.
PIA Content
What information is to be collected; why the information is being collected; intended use of the information; who the information will be shared with; what opportunities individuals have to decline to provide information or to consent to particular uses of the information and how individuals can grant consent; how the information will be secured
Openness with the Public
The DoD shall conduct its activities in an open manner consistent with the need for security and adherence to other requirements of law and regulation. Records not exempt from disclosure under the FOIA shall, upon request, be made readily accessible to the public in accordance with rules of the FOIA Program.
Hardware/removable media used to store FOUO information
must be labeled to notify users. Protection is applied to hardware/removable media by physically placing a label on the device.
OMB 10-22 PII Definition
not anchored to any single category of information or technology. It demands a case-by-case assessment of the specific risk that an individual can be identified. In this evaluation, agencies must understand that non-PII can become PII whenever additional information is made publicly available when combined with other available information.
United States Computer Emergency Readiness Team (US-CERT)
part of the Department of Homeland Security's National Cybersecurity and Communications Integration Center. This team leads efforts to improve the Nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation.
DoD policy
protect the privacy and civil liberties of its employees, members of the military services, and the public to the greatest extent possible, consistent with its operational requirements.
Public Law 93-579
provide safeguards for the protection of individual information such as an individual's name, address, and Social Security Number.
Privacy Act Program Objectives
restrict disclosure; increased rights of access to agency records; amendment of agency records; establish basic requirements
What are the four objectives of the Privacy Act?
restrict disclosure; increased rights of access to agency records; amendment of agency records; establish basic requirements
Civil liberties
revolve around the right to be free from unequal treatment based on protected characteristics (ex: race, gender, disability).
Electronic Transmission
shall be by approved, secure communications systems or systems utilizing access controls such as Public Key Infrastructure (PKI)
two types of FOIA requests
simple and complex
OMB 10-22
states that "PII is not anchored to any single category of information or technology" and "demands a case-by-case assessment of the specific risk that an individual can be identified."
Disclosure
the act of releasing all relevant information that may influence a decision.
What must individuals receive when required to provide personal information that will not be maintained in a SOR?
they must receive a Privacy Act Statement (PAS) from the collector of the information.
FOUO dissemination control was established
to ensure routine official unclassified information is protected according to its sensitivity level. This standardization facilitates control, distribution, and release of such documents to prevent unauthorized disclosure.
Why was FOIA established?
to inform the general public of government activities. Provides the public with the maximum amount of accurate and timely information concerning its activities.
Purpose of PA
to protect individuals from unwarranted invasion of their privacy.
What is the sole purpose of PA programs?
to protect individuals from unwarranted invasion of their privacy.
AFI 33-332, Air Force Privacy and Civil Liberties Program
transmitting personal information via e-mail, "FOUO" is added to the beginning of the subject line followed by the Privacy Act Statement at the beginning of the body of the message. If an attachment containing personal information is included, the e-mail must be digitally signed and encrypted. Note: This is also a requirement for PA and PII therefore you will see this throughout the text.
Hand Carry
use cover sheets with clear classification or protective markings.
PII Transmission
via e-mail, United States Postal Service (USPS), or hand carried
FOIA requests for records are submitted in
writing via hand-delivery, mail, fax, or online at www.efoia.af.mil to the applicable Requester Service Center (RSC)
Who are PII breaches reported to?
installation Privacy Official
Enterprise Information Technology Data Repository (EITDR)
is an AF system of record for Information Technology Compliance management data
The Privacy Act requires that each federal agency ______________
maintain a Privacy Act Program
The DoD shall conduct its activities in an open manner consistent with the need for security and adherence to other requirements of __________________________.
law and regulation
Office of Management and Budget (OMB)
07-16, Safeguarding Against and Responding to PII Breach and OMB 10-22, Online Use of Web Measurement and Customization.
Requests are processed within
20 working days unless a request for expeditious processing is approved. The 20 working day processing time begins the day the request is first received by the RSC.
Unit Privacy Monitor
Acts as the liaison between the unit and the Base Privacy Manager. They must provide direction and training to their commander and unit personnel. Unit Privacy Monitors will assist Commanders (equivalent) with implementing procedures to reinforce the protection of Privacy Act information
Civil Liberties Point of Contact (POC)
Administering direction and procedures prescribed in AFI 33-332 within their organization. Ensuring training is available for their organizations. POCs will promote civil liberties awareness throughout their organizations. Direct complaints that may have civil liberties implications to the appropriate investigative office, such as the Inspector General (IG), Equal Opportunity (EO), or the appropriate commanding officer for commander directed investigations.
Initial Denial Authority (IDA)
After the OPR and Legal Office concur on the request denial, all contents are forwarded to them. The ____________ is an official who has been granted authority to withhold records requested under the FOIA for one or more of the nine exemptions. Typically, Commanders and Vice Commanders are appointed; however, they may delegate authority within their organization.
Protection After Work Hours
After working hours, store FOUO information in unlocked containers, desks or cabinets if Government or Government-contract building security is provided. If building security is not provided, store the information in locked desks, file cabinets, bookcases, locked rooms, etc.
List the requirements for using e-mail to transmit PII.
All e-mails containing PA, PII or other sensitive information must be encrypted prior to sending. Alternate means to transmit sensitive information when e-mail is not possible include using the Safe Access File Exchange (SAFE).
FOIA Request for Records
Any person (excluding fugitives and Federal Agencies) can submit a FOIA request for records. The request for records must state a willingness to pay any/all fees, and must have a valid postal mailing address. Requests are submitted in writing and fees are collected after the request is processed.
PIA Review
At a minimum PIAs must be reviewed annually by the Information System Owner (ISO) and Privacy Manager. Also, PIAs are required to be performed, approved and/or updated when a system change exposes a new privacy risk for which an Information Assurance control must be identified and tested. The PIA must be performed before re-deployment or re-release of the system.
Privacy Act Statement (PAS) includes:
Authority; Purpose; Routine Uses; Disclosure; AF SORN(s)
Authorized Disclosure
Authorized disclosure is granted from the owner of the information to those with a need to know.
ACTS
Automated Case Tracking System
Step 1 - Verify Identity of the Requester
Avoid an unauthorized disclosure. Verification can be accomplished visually, by having personal knowledge of the requester, by signed letter, notarized statement, or unsworn statement.
Simple
Can be processed quickly with limited impact on responding units. Clearly identifies the records with no (few) complicating factors involved. Only one installation is involved and there is no outside Office of Primary Responsibility (OPR).
Under the FOIA, _________________ have the right to request records in writing from the Federal Government.
Citizens
Responsibilities
Commanders at each level maintain authority of the FOIA Program and will appoint a FOIA Manager at each level in writing. 3D0X1 Knowledge Managers may be appointed as FOIA Managers or be assigned to assist base FOIA Managers.
The three objectives of the FOIA
Compliance, Openness with the Public, and Avoidance of Obstacles
Who may request a copy of their records maintained in a SOR?
Individuals or their designated representatives may request a copy of their records maintained in a SOR. Requesters need not state why they want access to their records.
Compilation Effect
Information that is not otherwise attributed to one individual can become PII if it is associated with an identifier or other information which relates the information to a specific individual.
OMB 07-16 PII Definition
Information which can be used to distinguish or trace an individual's identity. This information includes but is not limited to their name, social security number, biometric records alone or when combined with other personal, or identifying information which is linked to a specific individual such as date and place of birth or mother's maiden name.
Privacy Act Mandates
Informs individuals of why information is being collected and how it is going to be used. Assures information is accurate, relevant, complete, and up-to-date before disclosing to others. Allows you to find out about disclosures of your records to other agencies or persons. Provides you with the opportunity to correct inaccuracies in your records.
IDA
Initial Denial Authority
IG
Inspector General
FOIA Manager
Appointed by Installation Commanders, in writing, to comply with FOIA requirements. They receive, track, and coordinate all FOIA requests for their base using eFOIA software. Required to review all requested records and assist with redaction in consultation with the responsible office of primary responsibility (OPR). Ensures their program complies with FOIA.
Office of Primary Responsibility (OPR)
Is the organization that prepared or is responsible for the records requested in the FOIA request for records. Provide requested records and indicate withheld parts of records annotated with FOIA exemptions. Provide written recommendations to the disclosure authority to determine whether or not to release records, and act as the declassification authority when appropriate.
FOIA Monitor
Is the point of contact within an OPR. Once the OPR receives the request, they are tasked to locate the records. Upon review, they will assist OPRs in reviewing all requested records to determine whether records are responsive to the request. If portions of the information are not releasable, they will assist with redactions. Finally, they will ensure a thorough search for records has been conducted by the OPR and ensure the OPR completes the no records certification when records are not located in response to the request.
Air Force Privacy Officer
Member of the HQ USAF (HAF) Air Staff and resides at the Pentagon. Administering guidance and procedures prescribed in AFI 33-332 and DoD policies. Developing AF policy to ensure protection of PA, PII, and Civil Liberties. Providing guidance and assistance to Privacy Managers.
Marking E-mails Containing FOUO
Needs to be marked in the subject line and body. Must only go to people with a need to know.
Step 4 - Provide Records in Person
Notify the requester when and where records will be available for inspection or copying, and comply with the requester's instructions if feasible. When a requester reviews records in person, the manager or designee must be present and observe the requester's handling of the records.
A Privacy Act complaint and violations
Occur when responsibilities aren't maintained and when an agency or individual knowingly or willfully fails to comply. An allegation that an agency or its employees violated a specific provision.
OMB
Office of Management and Budget
OPR
Office of Primary Responsibility
Federal Register (FR)
Official journal of the federal government of the United States that contains government agency rules, proposed rules, and public notices. It is published daily to the internet, except on federal holidays. It is a way for the government to announce changes to government requirements, policies and guidance to the public. The FR is compiled by the Office of the Federal Register.
Step 4 - Provide Records
Once records are located, provide them to the requester as soon as practical, unless they should be withheld (refer to exemptions).
OPREP
Operational Report
___________________ must promptly notify individuals in the event their personal information is lost, stolen or compromised.
Organizations
Air Force Civil Liberties Officer
Oversee the AF Civil Liberties program with execution by the AF Civil Liberties Point of Contact (POC). Review and approve AF Civil Liberties reports prior to submission to Defense Privacy and Civil Liberties Office (DPCLO).
What action(s) must be taken in the event of an unauthorized disclosure?
PII breaches must be reported to installation Privacy Official by anyone discovering it. In return, the Privacy Manager/Monitor will submit a Preliminary PII Incident Report by unencrypted email according to the timeline to create the PII Incident Final Report. PII Breach Reports shall be completed using DD Form 2959, Breach of Personally Identifiable Information (PII) Report.
Misdirected FOIA requests are
forwarded to the applicable RSC. The response period for those is 10 days from the date the request is first received by any RSC or the date the correct RSC received the request, whichever is earlier.
SAFE
Safe Access File Exchange
Step 4 - Provide Records in writing
Send the requested information or copies of records to the requester via certified mail, return receipt service requested, as soon as any required fees or statement of release are received.
Air Force Civil Liberties POC
Serve as the AF member of the DoD Defense Civil Liberties board. Review AF publications and policies to support the proper protection of civil liberties. Maintain the AF Civil Liberties website to ensure training materials, and civil liberties directions are current. Create and maintain the Annual Civil Liberties ADLS training.
Military Limitations
Service members must exercise their civil liberties in a manner consistent with good order and discipline.
What plan is intended to reduce or eliminate the use of SSN in DoD and AF systems of records?
Social Security Number Removal Plan
How to Access a PIA for Review
Step 1 - Access the Air Force Privacy Act Home Page at http://www.privacy.af.mil. Step 2 - Locate Quick Links (top right) and select "Privacy Impact Assessments". Step 3 - Select the Privacy Impact Assessment for the system you wish to review.
Process a request for PA information:
Step 1 - Verify Identity of the Requester; Step 2 - Determine Sufficiency of Request; Step 3 - Respond to the Requester; Step 4 - Provide Records; Step 5 - Record Disclosures
Steps for Accessing the Air Force FOIA Library and Locating Records
Step 1. Access http://www.foia.af.mil. Step 2. Select FOIA Library (third tab). Step 3. Select AF FOIA Library (Frequently Requested FOIA Documents/Proactive Disclosures). Step 4. Select AF FOIA Library (on the left). Step 5. Enter search information.
Steps for Reviewing End of Year Reports
Step 1. Access http://www.foia.af.mil. Step 2. Select _______ _______ (tab at top of page). Step 3. Select the applicable report.
SOR
System of Record
SORN
System of Record Notice
Complex
Take time and cause significant impact on units. May include records sought maximum in volume. Multiple organizations must review/coordinate on requested records. Records may be classified, originated with a non-government source, are part of the Air Force's decision-making process, or are privileged.
Step 11
The FOIA Manager conducts a FOIA and PA exemption review.
Step 4
The FOIA Manager determines the Office of Primary Responsibility (OPR).
Step 5
The FOIA Manager forwards request to the OPR with a suspense for completion.
Step 8
The FOIA Manager forwards the request to the Legal Office.
Step 2
The FOIA Manager inputs the request information into eFOIA.
Step 3
The FOIA Manager prepares and sends a letter of acknowledgment to the requestor along with a tracking number.
Step 12
The FOIA Manager provides information to requester.
Step 1
The FOIA Manager receives the FOIA request.
Step 9
The Legal Office conducts a review of the request to ensure the release or denial of information is in compliance with law.
Step 10
The Legal Office returns the request to the FOIA Manager.
Step 6
The OPR conducts a review and determines what info can be released or denied.
Step 7
The OPR returns the request to the FOIA Manager.
Who is responsible for ensuring the FOIA Request for Records "reasonably" describes the records sought?
The Requester is.
Methods of Disposal
The methods include pulping, macerating, tearing, burning, shredding or via recycling through the Defense Reutilization and Marketing Office (DRMO). Records stored on magnetic media are destroyed by degaussing or overwriting according to established guidelines.
Requester
The person who submits a request for records in writing to the agency. He/she is responsible for ensuring the request "reasonably" describes the records sought.
Social Security Number Removal Plan
The plan is intended to reduce or eliminate the use of SSN in DoD and AF systems of records, IT systems, and forms.
FOIA Exemptions
The releasing and denying of records is based on the statutes that govern the request. Congress established categories called FOIA Exemptions to prevent the release of information that would be harmful to the government or private interest. There are nine exemptions.
Within how many workdays should the SOR owner provide requested records?
They will get a copy of the requested record within 20 workdays of receiving the request.
Legal Office
They will perform a review of all FOIA requests for records to ensure the FOIA representatives are following applicable laws and instructions. They will also determine whether one or more statutory exemptions permit withholding of information.
Protecting privacy information is the responsibility of
every federal employee, military member, and contractor who handles PII contained in any record.
The purpose of a PIA
To ensure there is no collection, storage, access, use or dissemination of PII that is not both needed and permitted.
Unit Privacy Monitor will:
Track assigned personnel privacy training and forward information to the Base PA OPR. Provide specialized training to individuals who handle personal information or PII on a daily or routine basis. Provide direction to the commander/equivalent to assist with resolution of privacy breaches, complaints, and violations. Submit quarterly reports and/or other required reports as directed by their privacy manager. Maintain copies of approved file plans with SOR for the purpose of identifying records protected under the PA of 1974 to assist with conducting inspections or PA requests. Process PA Requests as directed by the Base Privacy Manager.
Unauthorized Disclosure
Unauthorized disclosure occurs when an individual or individuals gain access to any information without permission.
determines whether the information
information owner
FOUO is defined as
a dissemination control applied by the Department of Defense (DoD) to unclassified information when disclosure to the public of that particular record, or portion of the record, would reasonably be expected to cause harm to an interest protected by one or more exemptions
System of Record Notice (SORN)
a legal document that describes the kinds of personal data collected and maintained in a SOR. It also describes what the records are used for, and how an individual may access or contest the records in the system. They're published in the Federal Register to provide the public an opportunity to comment before implementing the SOR. The records may be in paper format or in a database.
Upon receipt of the request,
a letter of acknowledgement is sent to the requester along with a tracking number.
PII breach
an actual or possible loss of control, compromise or any unauthorized disclosure of PII whether electronic or physical
Safe Access File Exchange (SAFE)
an application used to securely exchange files.
Official Records
any information in any format, including email, reports and presentations (electronic or printed), handwritten notes, databases, spreadsheets, maps, and photos.
System of Record (SOR)
defined as a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Records kept in a __________ must be identified on a file plan.
According to the provisions of chapter 33 of title 44, U.S.C. and Air Force records management directives
disposing of record copies of FOUO documents, consult with a Records Professional. Record copies are official and shall be disposed
Only officially approved System of Record
eFOIA
DoD Civil Liberties Program
ensures the Air Force has adequate procedures to receive, investigate, respond to, and provide redress for complaints from individuals who allege the AF has violated their civil liberties.
Privacy Act (PA)
established a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. Requires that each federal agency maintains it.