Privacy Act of 1974; Implementation

AGENCY:

Office of the Secretary of Defense (OSD), Department of Defense (DoD).

ACTION:

Final rule.

SUMMARY:

The DoD is issuing a final rule to amend its regulations to exempt portions of the DoD-0004, “Defense Repository for Common Enterprise Data (DRCED),” system of records from certain provisions of the Privacy Act of 1974.

DATES:

This rule is effective on January 21, 2022.

FOR FURTHER INFORMATION CONTACT:

Ms. Lyn Kirby, OSD.DPCLTD@mail.mil, (703) 571-0070.

SUPPLEMENTARY INFORMATION:

Discussion of Comments and Changes

The proposed rule published in the Federal Register (86 FR 498-499) on January 6, 2021. Comments were accepted for 60 days until March 8, 2021. A total of four comments were received. Please see the summarized comments and the Department's response as follows:

Commentators generally agreed that exempting national security and classified data is appropriate under this exemption rule and that exempting national security and classified information is in the best interests of the Department and the Nation. Notwithstanding that, a majority of the comments voiced a desire for more transparency about the classification process itself within the DoD. Although these comments do not directly pertain to the Privacy Act and the exemption claimed for this system of records notice (SORN), to promote public understanding in this area a description of the classification process at DoD is provided below.

Executive Order 13526 prescribes the framework for the Federal Government (to include DoD) to classify national security information. Only DoD personnel who hold positions of trust and are delegated original classification authority in writing are authorized to review the Department's information and determine whether damage would result to national security if that information were disclosed to the public. Several oversight and compliance mechanisms exist to ensure the classification of information process is appropriate.

These safeguards include the following: Personnel authorized to make classification determinations are required to receive training in proper classification, including the avoidance of over-classification, and declassification at least once a calendar year; information may only be classified if it pertains to specific categories or subjects, including military plans, weapons systems, or operations and intelligence activities; and agency heads must (on a periodic basis) complete a comprehensive review of the agency's classification guidance, to include reviewing information that is classified within the agency, provide the results of such review to appropriate officials outside the agency at the National Archives, and release an unclassified version of the review to the public. Authorized holders of classified information are also encouraged and expected to “challenge” classification determinations if they believe the classification status is improper, and any individual or entity can request any Federal agency to review classified information for declassification, regardless of its age or origin, in accordance with the Mandatory Declassification Review (MDR) process. Additional information about the MDR process can be found on the National Archives and Records Administration's MDR program page at https://www.archives.gov/isoo/training/mdr. In the interests of protecting information critical to the Nation's defense, it is appropriate for the DoD to properly classify and exempt such information from public release under the Privacy Act so as to protect U.S. national security. Having considered the public comments, the Department will implement the rulemaking as proposed.

Additionally, DoD received one supportive, but non-substantive, comment on the system of records notice (SORN) that published in the Federal Register on January 6, 2021 (86 FR 526-529). The public comment period for the SORN ended on February 5, 2021.

Background

In finalizing this rule, DoD exempts portions of the updated and reissued DoD-0004 DRCED system of records from certain provisions of the Privacy Act. DoD uses this system of records to automate financial and business transactions, perform cost-management analysis, produce oversight and audit reports, and provide critical data linking to improve performance of mission objectives. This system of records supports DoD in creating predictive analytic models based upon specific data streams to equip decision makers with critical data necessary for execution of fiscal and operational requirements. Some of the records that are part of the DoD-0004 DRCED system of records may contain classified national security information and disclosure of those records to an individual may cause damage to national security. The Privacy Act, pursuant to 5 U.S.C. 552a(k)(1), authorizes agencies to claim an exemption for systems of records that contain information properly classified pursuant to executive order. For this reason, DoD has exempted portions of the DoD-0004 DRCED system of records from the access and amendment requirements of the Privacy Act, pursuant to 5 U.S.C. 552a(k)(1), to prevent disclosure of any information properly classified pursuant to executive order, including Executive Order 13526, as implemented by DoD Instruction 5200.01, “DoD Information Security Program and Protection of Sensitive Compartmented Information (SCI)” (available at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520001p.PDF?ver=cF1II-jcFGP6jfNrnTr8lQ%3d%3d ); DoD Manual (DoDM) 5200.01, Volume 1, “DoD Information Security Program: Overview, Classification, and Declassification” (available at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/520001m_vol1.pdf?ver=2020-08-04-092500-203 ); and DoDM 5200.01, Volume 3, “DoD Information Security Program: Protection of Classified Information” (available at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/520001m_vol3.pdf?ver=MJfVD-nRd2HTyLSzDse9VQ%3d%3d ).

This rule will deny an individual access under the Privacy Act to only those portions of records for which the claimed exemption applies. In addition, records in the DoD-0004 DRCED system of records are only exempt from the Privacy Act to the extent the purposes underlying the exemption pertain to the record.

Regulatory Analysis

Executive Order 12866, “Regulatory Planning and Review” and Executive Order 13563, “Improving Regulation and Regulatory Review”

Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distribute impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. It has been determined that this rule is not a significant regulatory action.

Congressional Review Act

This rule is not a “major rule” as defined by 5 U.S.C. 804(2).

Public Law 96-354, “Regulatory Flexibility Act” (5 U.S.C. Chapter 6)

The Assistant to the Secretary of Defense for Privacy, Civil Liberties, and Transparency has certified that this Privacy Act rule does not have significant economic impact on a substantial number of small entities because they are concerned only with the administration of Privacy Act systems of records within the DoD.

Public Law 96-511, “Paperwork Reduction Act” (44 U.S.C. Chapter 35)

It has been determined that this rule does not impose additional information collection requirements on the public under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq. ).

Section 202, Public Law 104-4, “Unfunded Mandates Reform Act”

It has been determined that this rule does not involve a Federal mandate that may result in the expenditure by State, local and tribal governments, in the aggregate, or by the private sector, of $100 million or more and that it will not significantly or uniquely affect small governments.

Executive Order 13132, “Federalism”

It has been determined that this rule does not have federalism implications. This rule does not have substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government.

Executive Order 13175, “Consultation and Coordination With Indian Tribal Governments”

Executive Order 13175 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct compliance costs on one or more Indian tribes, preempts tribal law, or effects the distribution of power and responsibilities between the federal government and Indian tribes. This rule will not have a substantial effect on Indian tribal governments.

List of Subjects in 32 CFR Part 310

• Privacy

Accordingly, 32 CFR part 310 is amended as follows:

PART 310—[AMENDED]

1. The authority citation for 32 CFR part 310 continues to read as follows:

Authority: 5 U.S.C. 552a.

2. Section 310.13 is amended by adding paragraph (e)(3) to read as follows: