Steps people should take to protect Privacy Act information Published Jan. 13, 2011 By Robert Hughes 90th Missile Wing FOIA/PA manager F. E. WARREN AIR FORCE BASE, WYO -- The Privacy Act of 1974, 5 U.S.C. 552a, establishes safeguards for the protection of records the government collects and maintains on U.S. citizens and lawfully admitted permanent residents. It is a "confidentiality and records management" statute, which protects information about people from public scrutiny. It specifically mandates that the government protects this information and notifies individuals of any requests for personal information and why, as well as its responsibility to notify them if their information is lost or compromised. On military installations to include those within Air Force Global Strike Command, commanders are responsible for appointing Privacy Act monitors for each major functional area. Privacy Act monitors are required to brief all newly assigned personnel on Privacy Act provisions and to forward any Privacy Act requests to the Privacy Act manager for processing. Any request must be made in writing. No agency will disclose a record, which is contained in a system of records by any means of communication to any person or agency, except with the written consent of the individual to whom the record pertains. There are however, exceptions to this rule where a person's information may be disclosed without consent: - DoD officials and employees who need the record to perform their duties and who use it for the purpose for which it was collected (apply the need to know principle); - The public, as required by the Freedom of Information Act (FOIA) and agencies outside the DoD for a routine use. Any of the above instances must be documented and accounted for to include the date, nature and purpose of the disclosure and name and address of the recipient. If the Air Force or DoD fail to comply with the Privacy Act, an individual may file a civil suit in court and the offender may be found guilty of a misdemeanor and fined up to $5,000. 'FOUO' when sending e-mail E-mail has become a significant tool to help Airmen accomplish the mission and one of the easiest ways to transmit information and communicate in general. Unfortunately, sensitive and personal information is often sent via e-mail and not properly protected when doing so. When sending information that is for official business, the following should be placed at the beginning of the message, "FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Privacy Act and AFI 33-332." Do not use this statement indiscriminately. It is only for situations where personal or sensitive information is actually transmitted. Do not attach this statement to e-mails that discuss anything that doesn't contain Privacy Act information. Additionally, members of the military and civil service employees use the social security number and other personally identifiable information as part of their duties. If someone must send any personal information, digitally sign and encrypt the messages. AFI 33-119, Electronic Mail (E-mail) Management and Use can provide further guidance on this matter. Protecting Privacy Act information When hand-carrying Privacy Act information, never leave the documents unattended and ensure contents are properly covered and placed in an envelope to shield the contents. Consider using an AF IMT 3227, Privacy Act Cover Sheet as well. Never use "holey joes" to transport personally identifiable information. Recall and social rosters Documents should also be properly marked FOUO or Privacy Act as required. This includes documents such as recall rosters. Many units also have social rosters that list names, addresses and phone numbers of their members' spouses. This is a Privacy Act violation unless the spouse signs a consent form authorizing their information to be posted. The social roster is not for official use and should not be marked as such. However, the social roster should be marked with the Privacy Act statement. Destruction and disposing of material When it comes to disposing of Privacy Act information, one can never be too careful. Disposing of Privacy Act information when no longer needed is critical and any reasonable means can be used to prevent inadvertent compromise. Any disposal method is considered adequate if it renders the information unrecognizable or beyond reconstruction; this includes: tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding and mutilation. These methods are necessary when disposing of Privacy Act information. However, Warren has a 100 percent shred policy. Contacting Privacy Act monitors The Privacy Act is intended to balance the government's need for information against an individual's right to privacy, and it is everyone's responsibility to properly safeguard Privacy Act information. For further guidance or should someone discover a potential Privacy Act violation, contact your Privacy Act monitor and follow the correct reporting procedures immediately If unable to contact the unit's Privacy Act monitor, call the 90th Missile Wing FOIA/PA office directly at 773-2149. Editor's note: Additional guidance can be found in AFI 33-332 Privacy Act Program and DoDR 5400-11. The following are examples (not all inclusive) of information that is releasable without the written consent of an individual: Name Rank AFSC Pay Past duty assignments (unless sensitive or classified) Position Current assignment (stateside only) to include: Office Unit address & duty phone Date of rank Duty status Military awards and decorations The following are examples (not all inclusive) of information that is not releasable without the written consent of an individual: Social security number Marital status Dependent information Civilian educational degrees (unless the request for information relates to the professional qualifications for Federal employment) Home of record Home address & telephone number Date of birth Present or future overseas assignments or for routinely deployable or sensitive units Race or ethnic origin