BY ORDER OF THE COMMANDER OFFUTT AIR FORCE BASE AIR FORCE INSTRUCTION 33-332 OFFUTT AIR FORCE BASE SUPPLEMENT 1 NOVEMBER 2018 Communications and Information AIR FORCE PRIVACY AND CIVIL LIBERTIES PROGRAM COMPLIANCE WITH THIS PUBLICATION IS MANDATORY ACCESSIBILITY: Publications and forms are available on the e-publishing website at www.e-publishing.af.mil for downloading or ordering. RELEASABILITY: There are no reliability restrictions on this publication. OPR: 55 CS/SCXK Supersedes: AFI 33-332_OAFBSUP, 19 October 2007 Certified by: 55 CS/CC (Lt Col Scott R. Papineau) Pages: 6 This supplement implements and extends the guidance of Air Force Instruction (AFI) 33-332, Air Force Privacy and Civil Liberties Program. This supplement implements Public Law 110-53 (42 U.S.C. 2000ee-1) Section 803; Air Force Policy Directive (AFPD) 33-3, Information Management; Department of Defense Directive (DoDD) 5400.11, Department of Defense Privacy Program; Department of Defense Instruction (DoDI) 5400.16, DoD Privacy Impact Assessment (PIA) Guidance; DoDI 1000.30, Reduction of Social Security Number (SSN) Use Within DoD; and DoDI 1000.29, DoD Civil Liberties Program. The Instruction provides direction on the Privacy Act of 1974, 5 U.S.C. 552a, E-Government Act of 2002, 44 U.S.C. 3601, Safeguarding and Responding to Personally Identifiable Information (PII) breaches, Reduction of Social Security Number (SSN) and Civil Liberties. This supplement applies to Air Force Active Duty, Air Reserve Command (AFRC) and Air National Guard (ANG) units, government civilians, contractors and Civil Air Patrol when performing functions for the Air Force, and in accordance with (IAW) DoDD 5100.03, Support of the Headquarters of Combatant and Subordinate Joint Commands. Air National Guard personnel not in a federal status are subject to their respective state military code or applicable administrative actions, as appropriate. Refer recommended changes and questions about this supplement to the OPR listed above using the AF Form 847, Recommendation for Change of Publication; route AF Forms 847 through the appropriate chain of command. Ensure that all records created as a result of processes prescribed in this supplement are maintained in accordance with Air Force Manual (AFMAN) 33-363, Management of Records, and disposed of in accordance with the Air Force
2 AFI33-332_OFFUTTAFBSUP 1 NOVEMBER 2018 Records Information Management System (AFRIMS) Records Disposition Schedule (RDS) located at: https://www.my.af.mil/afrims/afrims/afrims/rds/rds_series.cfm. This Instruction requires collecting and maintaining information protected by the Privacy Act of 1974, System of Records Notices (SORN) F033 AF B, Privacy Act Request File, and F036 AF PC Q, Personnel Data Systems (PDS), apply and are available at: http://dpclo.defense.gov/privacy/sorns.aspx. Refer recommended changes and questions about this publication to the Offutt AFB Privacy Act Office (55 CS/SCXK), 201 Lincoln Highway, Suite 328A, Offutt AFB NE 68113-2040. The subject publication has been reviewed for Information Collection and OMB Reporting requirements and have found data collection and reporting requirements that may need to be approved and licensed prior to collecting or gathering information from one or more DoD component, other federal agencies, or the general public (to include contractors). The statement regarding the applicability of this supplement to former Air Force employees with respect to matters arising during previous employment may trigger the Paperwork Reduction Act (PRA) of 1995. Former Air Force employees are considered members of the general public. In accordance with the PRA and DoD policy, ensure that reports of information collections that are collected and/or is compiled and transmitted from the general public are cleared and licensed by OMB prior to collection. SUMMARY OF CHANGES This document is substantially revised and must be completely reviewed. This revision updates PII safeguarding, PII Breach Reporting, privacy statements, privacy notices and markings, Information Preservation Monitors (IPMs) and their roles, semi-annual Privacy and Civil Liberties reports, and System of Records (SORN) accuracy reviews. 1.1. Privacy Overview. 1.1.2.3.2.3. (Added) The following statement is placed in the contract file documenting the Contacting Officer s verification of compliance with PII: The COR verified the contractor is in compliance with AFI 33-332 and verified there are signed non-disclosure agreements for all contractors with access to sensitive PII on XXX date. 1.1.2.5.4.1. (Added) Within 48 hours of being notified by the Privacy Manager, the senior official (O-6/GS-15, or higher) will appoint an Investigating Officer (IO). 1.1.2.5.2.1. (Added) The Investigating Officer will conduct the investigation and update the PII Breach Report within 10 working days of being appointed. The report will summarize the facts of the case, discuss various forms of evidence evaluated, and show their independent analysis of the case. 1.1.2.5.3.1. (Added) A package containing the following shall be submitted to the Privacy Manager: 1) The Final PII Breach Report 2) Proof of Remedial Training 3) Copy/Draft of the Notification Letter or Memorandum Showing Intent to Notify Individual of Potential Breach (if needed) 4) OPREP (if needed). 2.2. Privacy Act Responsibilities. 2.2.1.13.1. (Added) Personal information that is being requested under the Freedom of Information Act can be transmitted to the requestor at their discretion.
AFI33-332_OFFUTTAFBSUP 1 NOVEMBER 2018 3 2.3. Privacy Act Complaints and Violations. 2.3.2.1. (Added) Individuals submitting a Privacy Act complaint or request for investigation must do so in writing and provide any evidential documents that support the complaint or request for investigation. The Privacy Act Manager will review and investigate the circumstances for which the complaint/investigation is based and will prepare a written report of validated violations or summary of policy adherence. Complaints or investigations warranting further action will be referred to the Wing Staff Judge Advocate, Civilian Personnel or other applicable office for action. 2.7. Privacy Act Records Request. 2.7.5. (Added) Obtaining Law Enforcement Records. The 55th Security Forces Squadron provides direct response to Privacy Act requests for incident reports, accidents, traffic tickets, and blotter entries using the provisions of AFI 33-332, Air Force Privacy and Civil Liberties Program. 2.7.6. (Added) Processing Insurance Company Requests for Law Enforcement, Vehicle Accident and Related Traffic Documents and Records. 2.7.6.1. (Added) Individuals making requests for vehicle accident records can have all pertinent information recorded on the documents as it relates to the claims process. Individual social security numbers and other personally identifying information are not authorized for release. Treat photographs and blotter entries in the same manner as other vehicle accident records. 2.7.6.2. (Added) Insurance companies representing an individual for the claims process must include a written release consent document from the individual they represent. 2.7.6.3. (Added) Insurance companies employing the use of insurance clearing house activities to obtain copies of accident reports will only receive the synopsis of the accident, patrolmen worksheet and AF Forms 1168, Statement of Suspect/Witness/Complainant, excluding all personally identifying information pertaining to individuals and their vehicles. The blotter entry provides the necessary information when available in the majority of cases. 2.7.7. (Added) Other Medical Requests. Individuals requesting medical records for the purpose of third party liability claims or other litigation will follow the procedures outlined in Title 28 of the Code Federal Regulations, AFI 51-502, Personnel and Carrier Recovery Claims, and local policy set forth by the servicing medical facility. 2.12. Disclosing Information. 2.12.3.1. (Added) The age of majority in Nebraska is 19. 2.12.4.2. (Added) System Managers should ensure that T33-30, R08.00, Accounting of Disclosure, is annotated on their file plans. 4.6. MAJCOM/A6s or Responsible Directorate and Wing Commanders shall: 4.6.8.1.1. (Added) Units will appoint a primary and an alternate Information Preservation Monitor (IPM) who will manage all Knowledge Management functions within the unit. Appointment letters should be update when there is a personnel change or a new commander is appointed.
4 AFI33-332_OFFUTTAFBSUP 1 NOVEMBER 2018 4.7. HAF/MAJCOM/FOA/DRU/Base Privacy Managers shall: 4.7.2.1. (Added) Privacy Act promotional devices will be emailed out to unit Information Preservation Monitors for dissemination. These promotional tools are also available on the Wing Privacy Act Share Point site. 4.7.6.1. (Added) All Offutt AFB publications, forms will be reviewed by the Privacy Act Manager. The Privacy Act Manager will also conduct random reviews of web pages and Share Point pages to ensure information posted meets the requirements of the Privacy Act. The Base Privacy Act Manager will review all new and renewed HTS agreements to determine specific Privacy Act support and services to be provided. 4.7.9.1. (Added) Privacy Act program compliance reviews will be accomplished on 55th Wing units in conjunction with the Records Management audits. 4.7.16. (Added) Shared Electronic Environment Reviews. 4.7.16.1. (Added) The Privacy Manager will work closely with the Cyber Security Liaisons (CSLs) to ensure access restrictions are sufficient within the Electronic Records Management (ERM) and Working Share (WS) drives. CSLs will be tasked on a bi-annual basis to conduct a scan of the drives to ensure their unit is compliant. 4.7.16.2. (Added) The Privacy Manager will coordinate the Content Management Office to ensure that a bi-annual review of Share Point is conducted. 4.7.16.3. (Added) The Privacy Manager conduct a bi-annual review of Offutt AFB Web Pages. These will be documented and filed in the ERM files. 4.8. (Added) Information Preservation Monitors (IPMs) shall: 4.8.1.1. (Added) IPMs will be responsible for ensuring that personnel obtain annual Privacy Act Training. Training curriculum will be provided by the Knowledge Management Section. It is up to the unit commander and IPM s discretion on how they want to provide the training material. It is recommended that the units perform the training in a mandatory Commander Call setting with additional make up sessions to be provided by the IPMs. Training is to be documented and provided to the Base Records Management office once completed. 4.8.2.1. (Added) The Wing Privacy Manager will email promotional devices to IPMs. It is their duty to disseminate this information to their prospective units. 4.8.2.2. (Added) Display OAFBVA 33-5, Recognize and Protect Personally Identifying Information in visible locations such as organizational bulletin boards. This provides a central point of contact and provides important information regarding Privacy Act matters. 4.11. (Added) Local System Managers shall: 4.11.1. (Added) A local system manager is defined as an individual with authorized access to a Privacy Act System of Record who has the ability to input, maintain, output and alter information within the system. Their responsibilities include: 4.11.1.1. (Added) Ensure locally developed databases that collect Privacy Act information are necessary and are approved through Federal Register channels or fall under the spectrum of an approved System of Record when required before being implemented. Develop applicable warning screens to alert users prior to accessing Privacy Act data.
AFI33-332_OFFUTTAFBSUP 1 NOVEMBER 2018 5 4.11.1.2. (Added) Ensure that locally create forms collecting PII for an approved System of Record have appropriate Privacy Act Statements annotated on the form. If collecting the social security number (SSN), ensure there is an operational necessity to collect the SSN to perform official duties. If the form is being used outside the internal component, the form must be prescribed within an Offutt Supplement and authorized/numbered by the Offutt Publishing Manager. 4.11.1.3. (Added) System Managers will assist the Privacy Act Manager and the Investigating Officer with Privacy Act Breach Investigations. 4.11.1.4. (Added) Continuously review information collection practices to ensure collection of any portion of the social security number (SSN) is only collected when required by written law or policy. 4.11.1.5. (Added) Systems Managers will refer any recommended Privacy Act denial recommendation to the Offutt AFB Privacy Act Manager for response to the person(s) making request or inquiry. 4.11.1.6. (Added) System Managers should ensure that T33-30, R08.00, Accounting of Disclosure, is annotated on their file plan. 6.4. Disposing of Records. 6.4.1.1. (Added) Offutt AFB organizations and supported tenant units may dispose of Privacy Act information in several ways. Material can be hand torn beyond reconstruction and recognition, shredded using an approved office shredder or entering into a fee for service agreement with an authorized commercial vender who is bonded to destroy Privacy Act and/or For Official Use Only material. Organizations are responsible to ensure that commercial venders meet the requirements to receive and destroy Privacy Act material. 6.4.3.1.1. (Added) Organizations may only present material residue (already shredded material) for recycling pickup and disposal. 7.3. Civil Liberties Responsibilities. 7.3.8.2.1. (Added) Civil Liberties Training can be found on the Wing Privacy Act SharePoint page. 7.3.8.4.1. (Added) Civil Liberties Promotional Tools can be found on the Wing Privacy Act SharePoint page. MICHAEL H. MANION, Colonel, USAF Commander, 55th Wing
6 AFI33-332_OFFUTTAFBSUP 1 NOVEMBER 2018 Attachment 1 GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION References AFI 33-322, Air Force Privacy Act and Civil Liberties Program, 12 Jan 2015 Title 5 United States Code, Section 552a, as amended, The Privacy Act of 1974 AFI 31-116, OAFB Instruction, Motor Vehicle Supervision, 30 Jan 2017 Title 28 United States Code, Code Federal Regulations AFI 51-502, Personnel and Carrier Recovery Claims, 05 Aug 2015 Prescribed Forms AF Form 3227, Privacy Act Cover Sheet OAFBVA 33-5, Recognize and Protect Personally Identifying Information Adopted Forms DD Form 2923, Privacy Act Data Coversheet. AF Forms 1168, Statement of Suspect/Witness/Complainant Abbreviations and Acronyms CSL Cyber Security Liaison ERM Electronic Records Management FAR Federal Acquisitions Regulations IPM Information Preservation Monitor WS Working Share