APPENDIX B-CUSTOMER CONSENT AND AUTHORIZATION FOR ACCESS-SAMPLE FORMAT Pursuant to section 3404(a) of the Right to Financial Privacy Act of 1978, I, (name of customer), having read the explanation of my rights on the reverse side, hereby authorize the (name and address of financial institution) to disclose these financial records: (list of particular financial records) to (Army law enforcement office) for the following purpose(s): (specify the purpose(s)). I understand that this authorization may be revoked by me in writing at any time before my records, as described above, are disclosed, and that this authorization is valid for no more than 3 months from the date of my signature. Date: Signature: (Typed name) (Mailing address of customer) STATEMENT OF CUSTOMER RIGHTS UNDER THE RIGHT TO FINANCIAL PRIVACY ACT OF 1978 Federal law protects the privacy of your financial records. Before banks, savings and loan associations, credit unions, credit card issuers, or other financial institutions may give financial information about you to a Federal agency, certain procedures must be followed. Consent to Financial Records You may be asked to consent to the financial institution making your financial records available to the Government. You may withhold your consent, and your consent is not required as a condition of doing business with any financial institution. If you give your consent, it can be revoked in writing at any time before your records are disclosed. Futhermore, any consent you give is effective for only 3 months and your financial institution must keep a record of the instances in which it discloses your financial information. Without Your Consent Without your consent, a Federal agency that wants to see your financial records may do so ordinarily only by means of a lawful subpoena, summons, formal written request, or search warrant for that purpose. Generally, the Federal agency must give you advance notice of its request for your records explaining why the information is being sought and telling you how to object in court. The Federal agency must also send you copies of court documents to be prepared by you with instructions for filling them out. While these procedures will be kept as simple as possible, you may want to consult an attorney before making a challenge to a Federal agency's request. Exceptions In some circumstances, a Federal agency may obtain financial information about you without advance notice or your consent. In most of these cases, the Federal agency will be required to go to court for permission to obtain your records without giving you notice beforehand. In these instances, the court will make the Government show that its investigation and request for your records are proper. When the reason for the delay of notice no longer exists, you will usually be notified that your records were obtained. Transfer of Information Generally, a Federal agency that obtains your financial records is prohibited from transferring them to another Federal agency unless it certifies in writing the transfer is proper and sends a notice to you that your records have been sent to another agency. Penalties If the Federal agency or financial institution violates the Right to Financial Privacy Act, you may sue for damages or seek compliance with the law. If you win, you may be repaid your attorney's fee and costs. Additional Information If you have any questions about your rights under this law, or about how to consent to release your financial records, please call the official whose name and telephone number appears below: (Last Name, First Name, Middle Initial) Title (Area Code) (Telephone Number) (Component activity, address) APPENDIX C-CERTIFICATE OF COMPLIANCE WITH THE RIGHT TO FINANCIAL PRIVACY Аст OF 1978-SAMPLE FORMAT (Official Letterhead) Mr./Mrs. XXXXXXXXXX, Manager, Army Federal Credit Union, Fort Ord, CA 93941. Dear Mr./Mrs. XXXXXXXXXX: I certify, pursuant to section 3403(b) of the Right to Financial Privacy Act of 1978, section 3401 et seq., Title 12, United States Code, that the applicable provisions of that statute have been complied with as to the (customer's consent, search warrant or judicial subpoena, formal written request, emergency access, as applicable) presented on (date), for the following financial records of (customer's name): (Describe the specific records) (Official Signature Block) Pursuant to section 3417(c) of the Right to Financial Privacy Act of 1978, good faith reliance upon this certificate relieves your institution and its employees and agents of any possible liability to the customer in connection with the disclosure of these financial records. APPENDIX D-FORMAL WRITTEN REQUEST FOR ACCESS-SAMPLE FORMAT (Official Letterhead) (Date) Mr./Mrs. XXXXXXXXXX, Dear Mr./Mrs. XXXXXXXXXX: In connection with a legitimate law enforcement inquiry and pursuant to section 3402(5) and section 3408 of the Right to Financial Privacy Act of 1978, section 3401 et seq., Title 12, United States Code, and Army Regulation 190-6, you are requested to provide the following account information pertaining to (identify customer); (Describe the specific records to be examined) The Army has no authority to issue an administrative summons or subpoena for access to these financial records which are required for (describe the nature or purpose of the inquiry). A copy of this request was (personally served upon or mailed to) the subject on (date) who has (10 or 14) days in which to challenge this request by filing an application in an appropriate United States district court if the subject desires to do so. Upon expiration of the above mentioned time period and in the absence of any filing or challenge by the subject, you will be furnished a certification certifying in writing that the applicable provisions of the Act have been complied with prior to obtaining the requested records. Upon your receipt of a Certificate of Compliance with the Right to Financial Privacy Act of 1978, you will be relieved of any possible liability to the subject in connection with the disclosure of the requested financial records. (Official Signature Block). Mr./Ms. XXXXX X. XXXXX, 1500 N. Main Street, Washington, DC 20314. Dear Mr./Ms. XXXXX: Information or records concerning your transactions held by the financial institution named in the attached request are being sought by the (agency/department) in accordance with the Right to Financial Privacy Act of 1978, section 3401 et seq., Title 12, United States Code, and Army Regulation 190-6, for the following purpose(s): (List the purpose(s)) If you desire that such records or information not be made available, you must do the following: a. Fill out the accompanying motion paper and sworn statement or write one of your own (1) Stating that you are the customer whose records are being requested by the Government. (2) Giving the reasons you believe that the records are not relevant or any other legal basis for objecting to the release of the records. b. File the motion and statement by mailing or delivering them to the clerk of any one of the following United States District Courts: (List applicable courts) c. Mail or deliver a copy of your motion and statement to the requesting authority: (give title and address). d. Be prepared to come to court and present your position in further detail. You do not need to have a lawyer, although you may wish to employ one to represent you and protect your rights. If you do not follow the above procedures, upon the expiration of (10 days from the date of personal service) (14 days from the date of mailing) of this notice, the records or information requested therein may be made available. These records may be transferred to other Government authorities for legitimate law enforcement inquiries, in which event you will be notified after the transfer if such transfer is made. 3 Inclosures (see para- -) (Signature) Sec. PART 505-THE ARMY PRIVACY PROGRAM 505.1 General information. 505.2 Individual rights of access and amendment. 505.3 Disclosure of personal information to other agencies and third parties. 505.4 Record-keeping requirements under the Privacy Act. § 505.1 General information. (a) Purpose. This regulation sets forth policies and procedures that govern personal information kept by the Department of the Army in systems of records. (b) References—(1) Required publications. (i) AR 195-2, Criminal Investigation Activities. (Cited in § 505.2(j)) (ii) AR 340-17, Release of Information and Records from Army Files. (Cited in §§ 505.2(h) and 505.4(d)) (iii) AR 430-21-8, The Army Privacy Program; System Notices and Exemption Rules for Civilian Personnel Functions. (Cited in § 505.2(i)) (iv) AR 380-380, Automated System Security. (Cited in § 505.4(d) and (f)) (2) Related publications. (A related publication is merely a source of additional information. The user does not have to read it to understand this regulation.) (i) DOD Directive 5400.11, DOD Privacy Program. (ii) DOD Regulation DOD Privacy Program. 5400.11-R, (iii) Treasury Fiscal Requirements Manual. This publication can be obtained from The Treasury Department, 15th and Pennsylvania Ave., NW, Washington, DC 20220 (c) Explanation of abbreviations and terms. Abbreviations and special terms used in this regulation are explained in the glossary. (d) Responsibilities. (1) The Assistant Chief of Staff for Information Management (ACISM) is responsible for issuing policy and guidance for the Army Privacy Program in consultation with the Army General Counsel. (2) Heads of Army Staff agencies, field operating agencies, major Army commands (MACOMS), and subordinate commands are responsible for supervision and execution of the privacy program in functional areas and activities under their command. (3) Heads of Joint Service agencies or commands for which the Army is the Executive Agent, or otherwise has responsibility for providing fiscal, logistical, or administrative support, will adhere to the policies and procedures in this regulation. (4) Commander, Army and Air Force Exchange Service (AAFES), is responsible for the supervision and execution of the privacy program within that command pursuant to this regulation. (e) Policy. Army Policy concerning the privacy rights of individuals and the Army's responsibilities for compliance with operational requirements established by the Privacy Act are as follows: (1) Protect, as required by the Privacy Act of 1974 (5 U.S.C. 552a), as amended, the privacy of individuals from unwarranted intrusion. Individuals covered by this protection are living citizens of the United States and aliens lawfully admitted for permanent residence. (2) Collect only the personal information about an individual that is legally authorized and necessary to support Army operations. Disclose this information only as authorized by the Privacy Act and this regulation. (3) Keep only personal information that is timely, accurate, complete, and relevant to the purpose for which it was collected. (4) Safeguard personal information to prevent unauthorized use, access, disclosure, alteration, or destruction. (5) Let individuals know what records the Army keeps on them and let them review or get copies of these records, subject to exemptions authorized by law and approved by the Secretary of the Army. (See § 505.5.) (6) Permit individuals to amend records about themselves contained in Army systems of records, which they can prove are factually in error, not up-to-date, not complete, or not relevant. (7) Allow individuals to ask for an administrative review or decisions that deny them access to or the right to amend their records. (8) Maintain only information about an individual that is relevant and necessary for Army purposes required to be accomplished by statute or Executive Order. (9) Act on all requests promptly, accurately, and fairly. (f) Authority. The Privacy Act of 1974 (5 U.S.C. 552a), as amended, is the statutory basis for the Army Privacy Program. With in the Department of Defense, the Act is implemented by DOD Directive 5400.11 and DOD 5400.11-R. The Act Assigns— (1) Overall Government-wide responsibilities for implementation to the Office of Management and Budget. (2) Specific responsibilities to the Office of Personnel Management and the General Services Administration. (g) Access and Amendment Refusal Authority (AARA). Each Access and Amendment Refusal Authority is responsible for action on requests for access to or amendment of, records referred to them under this regulation. The officials listed below are the sole Access and Amendment Refusal Authorities for records in their functional areas: (1) The Assistant Chief of Staff for Information Management: For DOD Dependent School student transcripts; and records not within the jurisdiction of another AARA. (2) The Administrative Assistant to the Secretary of the Army: For records of the Secretariat and its serviced activities, as well as those records requiring the personal attention of the Secretary of the Army. (3) The President or Executive Secretary of Boards, councils, and similar bodies established by the Department of the Army to consider personnel matters, excluding the Army Board of Correction of Military Records. (4) Chief of Chaplains: For ecclesiastical records. (5) Chief of Engineers: For records pertaining to civil works, including litigation; military construction; engineer procurement; other engineering matters not under the purview of another AARA; ecology; and contractor qualifications. (6) Comptroller of the Army: For financial records. (7) Deputy Chief of Staff for Personnel: For personnel records of current Federal civilian employees and active and former non-appropriated fund employees (except those in the Army and Air Force Exchange Service); military police records; prisoner confinement and correctional records; safety records; and alcohol and drug abuse treatment records. (Requests from former civilian employees to amend a record in an OPM system of records such as the Official Personnel Folder should be sent to the Office Personnel Management, Assistant Director for Workforce Information, Compliance and Investigations Group, 1900 E Street, NW., Washington, DC 204150001.) (8) The Inspector General: For IG investigative records. (9) The Judge Advocate General: For legal records for which responsible. (10) The Surgeon General: For medical records, except those properly part of the Official Personnel Folder (OPM/GOVT-1 system of records). (11) Commander, Army and Air Force Exchange Service: For records pertaining to employees, patrons, and other matters which are the responsibility of the Exchange Service. (12) Commander, US Army Criminal Investigation Command: For criminal investigation reports and military police reports included therein. (13) Commander, US Army Intelligence and Security Command: For intelligence and security investigative records. (14) Commander, US Army Materiel Command: For records of Army contractor personnel, exclusive of those in paragraph (f)(5) of this section. (15) Commander, US Army Military Personnel Center: For personnel and personnel related records of active duty Army members. (16) Commander, Military Traffic Management Command: For transportation records. (17) Chief, National Guard Bureau: For personnel records of the Army National Guard. (18) Chief, Army Reserve: For personnel records of Army retired, separated and reserve military members. (h) DA Privacy Review Board. The DA Privacy Review Board acts on behalf of the Secretary of the Army in deciding appeals from refusal of the appropriate Access and Amendment Refusal Authority to amend records. Board membership is comprised of the Administrative Assistant to the Secretary of the Army, The Assistant Chief of Staff for Information Management, and The Judge Advocate General or their representatives. The AARA may serve as a non-voting member when the Board considers matters in the AARA's area of functional specialization. The Assistant Chief of Staff for Information Management chairs the Board and provides the Recording Secretary. (i) Privacy Official. (1) Heads of Army Staff agencies and commanders of major Army commands and subordinate commands and activities will designate a privacy official who will serve as a staff adviser on privacy matters. This function will not be assigned below battalion level. (2) The privacy official will ensure that (i) requests are processed promptly and responsively, (ii) records subject to the Privacy Act in his/her command/agency are described properly by a published system notice, (iii) privacy statements are included on forms and questionnaires that seek personnel information from an individual, and (iv) procedures are in place to meet reporting requirements. § 505.2 Individual rights of access and amendment. (a) Access under the Privacy Act. Upon a written or oral request, an individual or his/her designated agent or legal guardian will be granted access to a record pertaining to that individual, maintained in a system of records, unless the record is subject to an exemption and the system manager has invoked the exemption (see § 505.5), or the record is information compiled in reasonable anticipation of a civil action or proceeding. The requester does not have to state a reason or otherwise justify the need to gain access. Nor can an individual be denied access solely because he/she refused to provide his/her Social Security Number unless the Social Security Number was required for access by statute or regulation adopted prior to January 1, 1975. The request should be submitted to the custodian of the record. (b) Notifying the individual. The custodian of the record will acknowledge requests for access within 10 work days of receipt. Records will be provided within 30 days, excluding Saturdays, Sundays, and legal public holidays. (c) Relationship between the Privacy Act and the Freedom of Information Act. A Privacy Act request for access to records should be processed also as a Freedom of Information Act request. If all or any portion of the requested material is to be denied, it must be considered under the substantive provisions of both the Privacy Act and the Freedom of Information Act. Any withholding of information must be justified by asserting a legally applica ble exemption in each Act. (d) Functional requests. If an individual asks for his/her record and does not cite, or reasonably imply, either the Privacy Act or the Freedom of Information Act, and another prescribing directive authorizes release, the records should be released under that directive. Examples of functional requests are military members asking to see their Military Personnel Records Jacket, or civilian employees asking to see their Official Personnel Folder. (e) Medical records. If it is determined that releasing medical information to the data subject could have an adverse affect on the mental or physical health of that individual, the requester should be asked to name a physician to receive the record. The data subject's failure to designate a physician is not a denial under the Privacy Act and cannot be appealed. (f) Third party information. Third party information pertaining to the data subject may not be deleted from a record when the data subject requests access to the record unless there is an established exemption (see § 505.5(d)). However, personal data such as SSN and home address of third parties in the data subject's |