Privacy; Privacy Act; DoD; Department of Defense; Privacy Program; PII; Personally Identifiable Information; SORN; System of Records

By final rule issued January 27, the Department of Defense (DoD) updated its Privacy Program, meaning that effective February 26, 2015, certain DoD contractors will be required to comply with additional “rules of conduct.”  These rules of conduct are consistent with the types of requirements imposed on federal agencies by the Privacy Act.

The final rule applies to all DoD components and to all DoD contractors (and any employee of such a contractor) involved in the “design, development, operation, or maintenance of any system of records.”[1]  Such contractors will be required to comply with expanded rules of conduct.  Specifically contractors must (new requirements are in bold):

  • preserve the security and confidentiality of Personally Identifiable Information (PII) on its systems;
  • refrain from disclosing any PII, except as authorized by applicable statutes, or be subject to criminal penalties and/or administrative sanctions;
  • report unauthorized disclosures of PII or any maintenance of a system of records not authorized by the DoD Privacy Program to the relevant privacy point of contact;
  • ensure anyone with access to a system of records is properly trained under the DoD Privacy Program;
  • prepare any required system of records notices (SORNs) for publication in the Federal Register;
  • refrain from maintaining a system of records without first ensuring a SORN was published in the Federal Register, or face criminal penalties and/or administrative sanctions;
  • minimize the collection of PII to that which is relevant and necessary to accomplish a DoD purpose;
  • refrain from maintaining records describing how any individual exercises his/her First Amendment rights, except when (1) authorized by statute; (2) authorized by the individual the record is about; (3) the record is pertinent and within the scope of an authorized law enforcement activity (including intelligence or administrative activities);
  • safeguard the privacy of all individuals and the confidentiality of all PII;
  • limit the availability of records containing PII to DoD personnel and contractors with a need to know;
  • prohibit unlawful possession, collection, or disclosure of PII whether or not within a system of records; and
  • maintain all records in a mixed system of records (a system that comingles the data of U.S. citizens and non-citizens) as if all records are subject to the Privacy Act.


Continue Reading DoD’s Updated Privacy Program Imposes Stringent Rules for Protection of PII