Points of Contact

Air Force Privacy, Civil Liberties, Information Collection and AF Section 508 Compliance Offices
1800 Air Force Pentagon
Washington, DC 20330-1800

Point of Contact:

AF Privacy, Civil Liberties, and Information Collections Offices
Phone: (571) 256-2515 (DSN: 260)

Section 508 Compliance Offices
Phone: (703) 697-4593 (DSN: 225)

Questions

This page is a general Privacy Act questions and answers section.  If you encounter a problem or have any suggestions, please send comments via the comments and feedback page, and use the word "FAQ" in your comment.

Topics

How do I report a PII breach?

It is the responsibility of all Air Force employees to report any known PII breach to their Privacy Office within 1 hour of discovery. Privacy Officers will report to the Air Force Privacy Office within 24 hours.

Taking a few simple steps daily to safeguard PII should become a habit. If you have questions or need further information, please contact the Privacy Office at the link above.

 

Does the Privacy Act apply to all records maintained about individuals?

No. The Privacy Act only applies to U.S. citizens or lawful permanent resident aliens and only to Government records that meet select requirements. The Privacy Act does not apply to deceased persons.

 

Does the Privacy Act apply to all records?

No. The Privacy Act only applies to records that: 

  • contain information on individuals;

  • are maintained by a Government agency or its contractors in a system of records; and

  • are retrieved by a personal identifier, such as a person's name, Social Security Number, medical record number or other unique identifier.
     

 

Does the Privacy Act apply to contractors?

Yes, whenever a contractor establishes or maintains a system of records to carry out a function of the Air Force.

 

How are recall/alert rosters handled?

When Personally Identifiable Information (PII) is collected from an individual to create a record that will be part of a Privacy Act (PA) system of records, the individual must be provided a Privacy Act Statement (PAS). As part of the PAS, the individual must be advised whether disclosure of their PII is voluntary or mandatory. Disclosure of PII is mandatory only when the Component is authorized to impose a penalty on the individual for failure to disclose. Otherwise, disclosure of PII is voluntary (see PAS example below).

PII on a roster should be appropriately handled; be mindful of privacy concerns. For example: PII about individuals listed on a roster should only be shared with individuals who have a "need to know" in order to fulfill the responsibilities of their duties; rosters of any type should never be posted, displayed, or shared where they might be viewed by someone without a need to know; the roster manager should password protect the roster file or otherwise secure it. Limit information on alert rosters to what is essential to perform the purpose for which it was collected. Dates of birth, Social Security Numbers, and other information not used to alert individuals are prohibited from being listed on such rosters.

 

How do I decide which Act, the Freedom of Information Act or the Privacy Act, pertains to the records I want?

You do not have to make that decision. When a request is received the FOIA Specialist will process your request according to the Act that allows the greatest access permitted by law.

 

How do I decide which Act pertains to the records I want?

You do not have to make that decision. When a request is received, our office will process your request according to the Act -- Freedom of Information or Privacy -- that assures the greatest access permitted by law.

 

How do I request my own records?

You do not need a special form. Just make your request in writing -- not electronically, since all Privacy Act requests must be signed -- and include your full name, date and place of birth, and as much detail as possible to identify the information requested or amended.

Send your request to:

Department of the Air Force
Freedom of Information and Privacy Act Office

1000 Air Force Pentagon
Washington, DC 20330-1000

Requests can also be faxed to (703) 696-7273. Privacy Act requests submitted by fax should be marked to the attention of the FOIA/Privacy Act Office.

 

May I request records pertaining to someone else?

Yes, you may request records concerning another individual, with their written permission. This kind of request is called a "third-party request." A third-party request that is accompanied by proper written consent will be processed as if it were made by the first party. Requests not accompanied by written consent may result in a denial of access pursuant to subsection (b)(6) of the FOIA. The person's written consent requires an original signature that must be notarized.

-- or --

If you are unable to visit a notary, you may instead have the individual attest to the truth and correctness of the authorization by adding the following statement to the consent form:

"I certify under penalty of perjury under the laws of the United States of America, that the foregoing is true and correct." 

This statement is then signed by the individual to whom the records pertain, and must be an original, not a copy or fax. The request must contain the individual's date and place of birth, full name and any aliases, the type of records being requested and an approximate timeframe for search.

 

What are an individual's basic rights and the agency employees' responsibilities under the Privacy Act?

An individual's basic rights are covered under the topics below. For more detailed explanations, click here. Each group is covered by individual and employee rights.


A. Collection of Personal Information 

B. Access to Records 

C. Access to Health and Medical Records 

D. Amendment of Records 

 

What can I do to meet my Privacy Act responsibilities?

If the Privacy Act is to achieve its objectives, there must be cooperation by every employee and contractor who works with records containing individually identifiable information. In the course of your work you become a steward of the information entrusted to you. In order to meet the responsibilities of this stewardship, there are certain steps you should take:

a. Learn the requirements of the Privacy Act and how they relate to your particular job. This can be accomplished through formal training, on-the-job training, discussions with your supervisor, and reading. Acquaint yourself as much as possible with the Privacy Act policies and procedures that apply to the information that you work with day-to-day. 

b. Consider how you handle the information you work with, and what measures, if any, you need to take to safeguard the personal information that you have about others in your possession. 

c. Certain Air Force staff have been specially trained in the requirements of this law and they are available to assist you. Your supervisor can give the name of your nearest Privacy Act official. 

d. Respond promptly to requests for information by quickly referring such requests to the responsible Air Force Privacy Act official. Learn the procedures used for Privacy Act requests and follow them when requests for information are received. 

e. Be careful that personal information is not disclosed to anyone unless that individual has received prior permission to see the information from the subject of the record, or disclosures of the record are authorized by law. The Privacy Act authorizes disclosure of an Air Force Privacy Act record to Air Force employees who have a legitimate need for the record

 

What if I am not a U.S. citizen or permanent resident alien?

You may request records concerning yourself, even if you are not a U.S. citizen, but your request will be processed under the Freedom of Information Act -- not the Privacy Act.

 

What if I want the records of a deceased person?

You may request the records of a deceased person if you can provide proof of death. You should provide the person's date and place of birth, and a copy of the death certificate or a newspaper obituary. You should explain the type of material you seek and why you think the Air Force would have such records. Your request will be processed under provisions of the Freedom of Information Act.

 

What is the Privacy Act?

The Privacy Act is a Records Management act that provides safeguards against invasion of personal privacy through the misuse of records by Federal agencies. Congress passed the Act in 1974 to establish controls over what personal information is collected, maintained, used and disseminated by the Federal government. The Act applies to records about individuals maintained by agencies in the executive branch of the Federal government.

The Privacy Act guarantees three primary rights:

(1) the right to see records about oneself, subject to Privacy Act exemption
(2) the right to request the amendment of records that are not accurate, relevant, timely or complete
(3) the right to bring civil action against the Department for violations of the statute -- including permitting others to see another person's records, unless specifically permitted by the act

 

What is the purpose of the Privacy Act?

The Privacy Act provides safeguards against invasion of personal privacy through the misuse of records by Federal agencies. Records may be protected from release pursuant to one or more of the Privacy Act exemptions. In accordance with the Privacy Act, these records may be withheld, even from the person to whom the records pertain, unless release is required under the Freedom of Information Act.

 

What records are available through the Act?

The Privacy Act applies only to records about individuals maintained by agencies in the executive branch of the federal government. It applies to these records only if they are in a "system of records," which means they are retrieved by an individual's name, Social Security number, or some other personal identifier. In other words, the Privacy Act does not apply to information about individuals in records that are filed under other subjects, such as organizations or events, unless the agency also indexes and retrieves them by individual names or other personal identifiers.

 

When can I expect a reply to my request?

The Privacy Act does not impose any response times for agency responses to requests. Normally, you can expect a response to your request within 10 days from the date it is received. If special situations exist, we will contact you with an estimated completion date and explain the reason for delay. The Air Force works requests on a first-in, first-out basis.

 

Who can request records under the Act?

You must be a United States citizen or an alien lawfully admitted for permanent residence to the U.S. to make a request for Privacy Act records.

 

Will I be charged any fees for my request?

No. The Air Force does not charge for initial release of documents under the Privacy Act.

What can I do to protect PII?

There are a number of steps that can be taken to make PII and sensitive information more secure. Some steps are:

  • Never leave PII unattended

  • Always safeguard your computer when away from it any length of time

  • Store all sensitive information, which includes PII, in lockable offices and/or cabinets

  • Protect PII when transporting--use simple coversheets and/or sealed envelopes, and deliver documents directly to the intended recipient that is authorized to handle PII

  • Shred documents containing PII when no longer needed

     

 

Can I participate in my Agency’s telework program if I use PII data?

Yes. However, you should not handle PII information in a telework situation unless you are using 'thin client' technology such as Citrix. PII information should not be processed or stored on a non-government system. Always check with your agency security staff and privacy officer if you have questions about the telework program and the information you are working with on a daily basis.

 

What is considered Personally Identifiable Information (PII)?

Information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a social security number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual).

 

What is defined as a “breach” of PII?

A "breach" is defined as loss of control, compromise, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.

 

Where can PII be found?

Many of us either handle or have access to PII on a daily basis. We use PII stored in databases in our network, on internal databases within our offices, and on our laptops, and we also handle and transport many documents that contain PII in order to get our work done. It is our responsibility to become aware of how we operate and the many ways in which PII can be at risk.

 

Why should I protect PII?

We must protect PII for both our employees and our customers. It has a direct and critical impact on everyone's lives. The loss of PII can result in substantial harm, embarrassment, and inconvenience to individuals and may lead to identity theft or other fraudulent use of personal information. 

Today, we can electronically move vast quantities of information quickly. The rise of identity theft makes protecting this data imperative. As custodians of this information, we must protect it like we protect our own information. Finally, the Privacy Act of 1974, as amended, allows for personal remedies against individuals who knowingly misuse social security numbers.

What is a PAS?

A Privacy Act Statement (PAS) is used to inform individuals of the purpose, routine uses, and authority for collecting personal information.

 

What is an example of a PAS?

AUTHORITY: DoD Directive 3020.26, The Defense Continuity Program.

PURPOSE: To document names and phone numbers of persons to be notified in emergency situations.

ROUTINE USE: The DoD 'Blanket Routine Uses' apply. (http://dpclo.defense.gov/privacy/SORNs/blanket_routine_uses.html)

DISCLOSURE: Voluntary. Failure to supply this information may result in not being notified of a potential emergency to include acts of nature, accidents and technological and/or attack-related emergencies.

 

What is included in a PAS?

Per AFI 33-332, Privacy Act Program, Para 3.2.1, a Privacy Act Statement must include four items:

  • Authority: The legal authority, that is, the U.S.C. or Executive Order authorizing the program the system supports.

  • Purpose: The reason you are collecting the information and what you intend to do with it.

  • Routine Uses: A list of where and why the information will be disclosed outside DOD.

  • Disclosure: Voluntary or Mandatory. (Use Mandatory only when disclosure is required by law and the individual will be penalized for not providing information.) Include any consequences of nondisclosure in nonthreatening language.
     

 

When do you give a PAS?

Give a PAS orally or in writing to the subject of the record when you are collecting information from them that will go in a system of records. NOTE: Do this regardless of how you collect or record the answers. You may display a sign in areas where people routinely furnish this kind of information. Give a copy of the Privacy Act Statement if asked. Do not ask the person to sign the Privacy Act Statement. (Ref AFI 33-332 Para 3.3).

Where is the Air Force Privacy Act policy?

The Air Force's Privacy Act policy can be found in Air Force Instruction 33-332, Privacy Act Program (PDF, 720 KB). It sets mandatory guidelines for collecting, safeguarding, maintaining, using, accessing, amending and disseminating personal information kept in systems of records to comply with the Privacy Act, Title 5, United States Code (U.S.C.), Section 552a.

Other policy information can be found on our Policy & Guidelines page.

What are the blanket Routine Uses?

1. Law Enforcement

2. Disclosure When Requesting Information 

3. Disclosure of Requested Information 

4. Congressional Inquiries Disclosure

5. Private Relief Legislation

6. Disclosures Required by International Agreements 

7. Disclosure to State and Local Taxing Authorities 

8. Disclosure to the Office of Personnel Management

9. Disclosure to the Department of Justice for Litigation 

10. Disclosure to Military Banking Facilities Overseas

11. Disclosure of Information to the General Services Administration

12. Disclosure of Information to the National Archives and Records Administration

13. Disclosure to the Merit Systems Protection Board

14. Counterintelligence Purpose

15. Data Breach Remediation Purposes

16. Information Sharing Environment

For more detailed information regarding the above Routine Uses, click here.

 

What is a Routine Use?

The disclosure of a record outside the Department of Defense for a use that is compatible with the purpose for which the information was collected and maintained by the Department of Defense. The routine use must be included in the published system notice for the system of records involved.

Are there government-wide SORNs?

For a listing of government-wide notices click here.

 

How does the Government inform the public about the record systems that are covered by the Privacy Act?

The Government informs the public about record systems covered by the Privacy Act by publishing notices in the Federal Register. The record systems are referred to as Privacy Act systems of records and the notices provide a description of particular systems of records.

 

What is a System of Records Notice (SORN)?

A SORN is a legally binding public notification identifying and documenting the purpose for a system of records, the individuals covered by the system, the types of records in the system, and how the information is shared. SORNs are required by the Privacy Act of 1974 and are published in the Federal Register to provide the public an opportunity for comment. A SORN is only required if the information in a system of records is actually retrieved by a personal identifier. For a list of published Air Force SORNs, please click here.

 

What is a System of Records?

A group of records under the control of a DoD Component from which personal information about an individual is retrieved by the name of the individual, or by some other identifying number, symbol, or other identifying particular assigned, that is unique to the individual.

 

When is a SORN required?

A SORN is required when all of the following apply:

  • Records are maintained by a Federal agency.

  • The records contain information about an individual.

  • The records are retrieved by a personal identifier.

  • Maintain as defined by the Privacy Act of 1974 includes maintain, collect, use or disseminate.

  • Individual as defined by the Privacy Act of 1974 means a citizen of the United States or an alien lawfully admitted for permanent residence.
     


A SORN is not required when one or more of the following applies:

  • The information collected is not considered a record as defined by the Privacy Act.

  • The records are not retrieved using a personal identifier.