[Federal Register: January 9, 2007 (Volume 72, Number 5)]
[Notices]
[Page 952-956]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr09ja07-31]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary of Defense
[DOD-2006-OS-0221]
Privacy Act of 1974; System of Records
AGENCY: Office of the Secretary, OSD.
ACTION: Notice to amend systems of records.
-----------------------------------------------------------------------
SUMMARY: The Office of the Secretary of Defense is amending a system of
records notice in its existing inventory of record systems subject to
the Privacy Act of 1974 (5 U.S.C. 552a), as amended.
DATES: Effective Date: January 9, 2007.
FOR FURTHER INFORMATION CONTACT: Ms. Juanita Irvin at (703) 696-4940.
SUPPLEMENTARY INFORMATION: The Notice was published on May 23, 2005, in
the Federal Register (70 FR 29486). During the comment period, two
public comments were received, which were virtually identical in format
and content. The commenters assert that the collection and maintenance
of data in the Joint Advertising, Market Research & Studies (JAMRS)
Recruiting Database violates the Privacy Act of 1974. The commenters
also remarked that the Department of Defense (``DoD'') should not be
engaged in direct marketing activities; that the collection and use of
Social Security Numbers (SSNs) is unauthorized and poses significant
risks to an individual's privacy; that the transfer of information from
the DoD to a private contractor is inappropriate and that adequate
security for the database is lacking; and, that the Department does not
provide a means by which an individual may elect to have his or her
data deleted from the database. The JAMRS Database is maintained in a
manner that is consistent with the Privacy Act and other statutes and
regulations relating to the Department's recruiting authority. In its
discretion, however, the Department has determined that the publication
of a revised Systems Notice, providing further explanation and
clarification of the manner in which the JAMRS Database is maintained,
is appropriate at this time.
The Department received a comment asserting that the maintenance of
the JAMRS Database violates the Privacy Act. Commenters assert that
Congress, in enacting the Privacy Act, sought to restrict the amount of
personal information that Federal agencies could collect and maintain
on individuals; that direct marketing by the DoD does not constitute an
authorized purpose or use of the information; and that agencies
[[Page 953]]
should be transparent in their information practices.
The Department's use of the JAMRS Database is consistent with the
Privacy Act and its underlying purposes. The Department only collects
such information on individuals as is relevant and necessary to
accomplish a Departmental purpose prescribed by statute or Executive
Order of the President. Consistent with this mandate, and in
recognition of the importance of attracting qualified individuals to
serve in the nation's all-volunteer force, Congress has directed the
armed services to ``conduct intensive recruiting campaigns to obtain
enlistments'' in the military (10 U.S.C. 503(a)(1) (emphasis
supplied)). To this end, the Secretary of Defense has been provided
with a broad mandate to ``act on a continuing basis to enhance the
effectiveness of recruitment programs of the Department of Defense
(including programs conducted jointly and programs conducted by the
separate armed forces) through an aggressive program of advertising and
market research targeted at prospective recruits for the armed forces
and those who may influence prospective recruits'' (10 U.S.C. 502(a)(2)
(emphasis supplied)). In addition to these congressional directives to
the Secretary of Defense to conduct intensive recruiting campaigns,
Congress also has conferred broad grants of authority to recruit upon
the Under Secretary of Defense for Personnel and Readiness and the
Secretaries of the Army, Navy and Air Force. See 10 U.S.C. 136 (Under
Secretary); 3013 (Secretary of the Army); 5013 (Secretary of the Navy);
8013 (Secretary of the Air Force).
The Department disagrees with the commenters' assertion that direct
marketing is not an authorized agency purpose. Indeed, in
acknowledgment of the critical role of recruitment efforts in the
maintenance of the nation's all-volunteer military, Congress has
appropriated funds dedicated for this purpose. In particular, Congress
continues to provide for the appropriation of funds to carry out
advertising and market research programs to enhance the military's
recruiting efforts. This is neither a new effort nor a new system of
records, but rather a continuation of an ongoing activity supporting
the All-Volunteer Force. In the past, direct marketing data were
compiled by each of the Services independently. In order to achieve
significant costs savings, information is now purchased or obtained by
the Department through a variety of sources (including but not limited
to state motor vehicle departments, the Selective Service System
registry, and commercially-purchased lists). It is then provided to and
maintained by a contractor, and then, sent to the military Services for
use incident to their respective recruiting programs. In effect, the
success of the All-Volunteer Force is contingent on the Secretary's
continuing ability to be able to contact young Americans for purposes
of making them aware of their option to serve in the United States
military and to perform a vital service on behalf of their nation.
Although the Department did not initiate a new data collection effort,
after an internal organizational realignment, the Department published
the May 23, 2005 Systems Notice.
The commenters further remarked that data should be collected
directly from the individual as much as possible, that access and
correction rights should be provided, and that the adoption of the
Blanket Routine Uses for this database is inappropriate. These comments
reflect a lack of understanding of the requirements of the Privacy Act,
as well as the practical realities of collecting and maintaining data
for use in military recruiting. First, the Privacy Act requires that
information be collected to the ``greatest extent practicable''
directly from the subject individual when the information may result in
adverse determinations about an individual's rights, benefits, and
privileges under Federal programs (5 U.S.C. 552a(e)(2)). The only
practical cost-effective means of identifying the entire targeted
population for recruiting efforts, as contemplated by 10 U.S.C. 503(a),
is to obtain the information from a variety of third-party sources as
is now being done. Moreover, the collection does not adversely impact
an individual, in that it will not result in the denial of any Federal
benefits nor will it result in any other unfavorable action impacting
the individual. Second, access and amendment procedures are currently
set out in the notice as is required by the Privacy Act (5 U.S.C.
552a(e)(4)). These provisions--specifically the notification, access,
and contesting sections--advise individuals how they can determine if
the database contains information about themselves, how they may access
such information, and how they may contest the accuracy of the
information in the database. And third, the Blanket Routine Uses, which
are permissive in nature, generally are incorporated in all DoD system
notices for record systems covered by the Privacy Act, unless there is
a statutory or regulatory basis for not doing so. Since the information
in the JAMRS database is used within DoD for recruiting purposes only
and is not disclosed to non-DoD agencies, the Department has revised
the notice to make clear that the Blanket Routine Uses do not apply
except for those specific uses relating to disclosures to the
Department of Justice for litigation purposes and to the General
Services Administration and the National Archives and Records
Administration for records management purposes.
The commenters also remarked that the Department lacks authority
for collecting Social Security Numbers (SSNs) and that their use for
purposes of identifying individuals in the database is unnecessary.
These contentions are mistaken. Executive Order 9397 permits the use of
the SSN where Federal agencies require a system of numerical
identification for individual persons incident to administering an
agency activity. A unique identification system is essential in order
to accomplish the limited purposes for which the number is used. The
principal purpose for collecting the number is to identify individuals
who are presently members of the Armed Forces. The SSN is matched
against a DoD database containing the SSNs of new recruits. Where there
is a match, the information in the JAMRS Database is not released to
the Services for the recruitment mailings. Other unique identifiers,
such as a residential address or home telephone numbers, may not always
suffice, especially in a highly mobile society where individuals
frequently move. SSNs are only collected from the Selective Service
System (SSS) and are not collected from any other governmental or
private database. The Department has revised the notice to make clear
that SSNs are not collected from all data sources. Further, the SSNs
are used solely for internal database purposes and are not shared with
the military Services. The commenters also expressed the concern that
the use of SSNs heightens the risk of identity theft. DoD acknowledges
that identity theft is an important concern for the Department and that
the compromise of the SSN would constitute a significant invasion of
privacy. In order to minimize potential exposure, the Department
scrambles--a form of encryption--the SSN upon receipt and maintains the
SSN in a scrambled format during the time it is stored in the database.
These actions, along with other security features for the database,
constitute reasonable and appropriate safeguards to protect and
preserve the integrity of the number.
The commenters observed that use of a private contractor to
maintain the data is an ``aberration'' of normal practice, and also
expressed concern with regard
[[Page 954]]
to a perceived lack of security procedures by the contractor to prevent
abuse. Contractors or subcontractors are used to perform many
activities on behalf of the Department, principally because of the
unique expertise they possess and because the activity can be
accomplished in a more cost-effective manner. The JAMRS contract was
awarded based on the unique ability of the contractor to maintain and
store large amounts of data in a secure manner; the contract does not
permit the contractor to use the information for any non-Department of
Defense marketing efforts. The Department recognizes the importance of
ensuring that all data it collects are safely compiled, handled,
stored, and transferred. The subcontractor has established a highly
secure and restrictive environment by putting in place appropriate
administrative, technical, and physical safeguards to ensure the
security and confidentiality of the database. Vulnerability and risk
assessment reviews are conducted on a regular basis to ensure maximum
safeguarding of the information.
The commenters also expressed concern about whether the company
will be subject to the constraints imposed by the Privacy Act, or
specifically whether the contractor is subject to 5 U.S.C. 552a(m). The
contract includes the Privacy Act clause of the Federal Acquisition
Regulation (FAR), specifically FAR 52.224-2, under which the contractor
agrees to comply with the requirements of the Privacy Act and DoD rules
and regulations issued under the Act. This contract provision also
treats the contractor as an employee of DoD for purposes of the Privacy
Act, and it is thus subject to possible criminal penalties if the Act
is violated. The contract also was recently amended to incorporate the
contract clause at FAR 52.239-1, Privacy and Security Safeguards, which
includes a notification requirement if new or unanticipated threats or
hazards are discovered, or if existing safeguards cease to function.
Finally, the commenters asserted that individuals should be able to
opt-out from the database. The Department agrees that such an option
should be available. The Department currently permits any individual
who is 15\1/2\ years or older, or a parent or guardian acting on the
behalf of any minor who is between 15\1/2\ and 18 years old, to have
his or her name removed from the JAMRS list provided to the Services
for recruiting purposes. Individuals may accomplish this by sending a
written request to JAMRS, Attn: Opt-Out, 4040 N. Fairfax Drive, Suite
200, Arlington, VA 22203. In order to process such requests, the
individual's name, address, city, State, zip, and date of birth must be
provided. The ``Record Access Procedures'' section of the System Notice
has been expanded to set forth the above-prescribed procedures.
The specific changes to the record system being amended are set
forth below followed by the notice, as amended, published in its
entirety. The proposed amendments are not within the purview of
subsection (r) of the Privacy Act of 1974 (5 U.S.C. 552a), as amended,
which requires the submission of a new or altered system report.
Dated: December 18, 2006.
C.R. Choate,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
DHRA 04
System name:
Joint Advertising and Market Research Recruiting Database (May 23,
2005, 70 FR 29486).
Changes:
System name:
Delete entry and replace with ``Joint Advertising, Market Research
& Studies Recruiting Database.''
System location:
Delete entry and replace with ``Equifax Database Services, Inc.,
500 Edgewater Drive, Suite 525, Wakefield, MA 01880-3030.''
Categories of individuals covered by the system:
Delete entry and replace with ``Young adults aged 16 to 18; college
students; Selective Service System registrants; individuals who have
taken the Armed Services Vocational Aptitude Battery (ASVAB) test;
individuals who have responded to various paid/non-paid advertising
campaigns seeking enlistment information; current military personnel
who are on Active Duty or in the Reserves and prior service individuals
who still have remaining Military Service Obligation; individuals who
are in the process of enlisting; and individuals who have asked to be
removed from any future recruitment lists.''
Categories of records in the system:
Delete entry and replace with ``All Records: Full name, gender,
address, city, State, zip code, source code. For Young Adults aged 16
to 18: Date of birth, telephone number, high school name, graduation
date, grade point average, education level, military interest, college
intent, ethnicity, ASVAB test date, ASVAB Armed Forces Qualifying Test
Category Score. For College Students: Telephone number, college name,
college location, college type, college competitive ranking, class
year, ethnicity, field of study. For Selective Service System: Date of
birth, scrambled Social Security Number, Selective Service registration
method. Individuals who have responded to various paid/non-paid
advertising campaigns seeking enlistment information: Date of birth,
telephone number, Service Code, last grade completed, e-mail address,
contact immediately flag. For Military Personnel: Date of birth,
scrambled Social Security Number, ethnicity, education level,
application date, military service and occupation information. For
Individuals who have asked to be removed from future recruitment list:
Date of birth, reason code.''
Authority for maintenance of the system:
Delete entry and replace with ``10 U.S.C. 503(a), Enlistments:
Recruiting campaigns; 10 U.S.C. 136, Under Secretary of Defense for
Personnel and Readiness; 10 U.S.C. 3013 (Secretary of the Army); 10
U.S.C. 5013 (Secretary of the Navy); 10 U.S.C. 8013 (Secretary of the
Air Force); and E.O.9397 (SSN).''
Purpose(s):
Delete entry and replace with ``The purpose of the system of
records maintained by the Joint Advertising, Market Research and
Studies (JAMRS) is to compile, process and distribute files of
individuals to the Services to assist them in their direct marketing
recruiting efforts. The system also provides JAMRS with the ability to
measure effectiveness of list purchases through ongoing analysis and to
remove the names of individuals who are currently members of, or are
enlisting in, the Armed Forces or who have asked that their names be
removed from future recruitment lists.''
Routine uses of records maintained in the system, including categories
of users and the purposes of such uses:
Delete entry and replace with ``In addition to those disclosures
generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these
records or information contained therein may specifically be disclosed
outside the DoD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as
follows:
The DoD ``Blanket Routine Uses set forth at the beginning of OSD's
compilation of systems of records notices do not apply to this system
except:
[[Page 955]]
To any component of the Department of Justice for the purpose of
representing the Department of Defense, or any officer, employee or
member of the Department, in pending or potential litigation to which
the record is pertinent.
To the General Services Administration and the National Archives
and Records Administration for the purpose of records management
inspections conducted under authority of 44 U.S.C. 2904 and 2906.''
* * * * *
Retrievability:
Delete entry and replace with ``Records may be retrieved by an
individual's full name, address, and date of birth.''
Safeguards:
Delete entry and replace with ``Access to information in the
database is highly restricted and limited to those that require the
records in the performance of their official duties. The database
utilizes a layered approach of overlapping controls, monitoring and
authentication to ensure overall security of the data, network and
system resources. Sophisticated physical security, perimeter security
(firewall, intrusion prevention), access control, authentication,
encryption, data transfer, and monitoring solutions prevent
unauthorized access from internal and external sources.''
Retention and disposal:
Delete entry and replace with ``Destroy three years from the date
the information pertaining to the individual is first distributed to
the Services or, where data are subsequently collected from a different
data source, from the date that subsequent data are subsequently
distributed to the Services. Records for individuals who have responded
to various paid/nonpaid advertising campaigns seeking enlistment are
kept, for analytical purposes, until they are no longer needed. Records
for individuals who wish to be removed from future recruitment lists
(opted-out) are retained for ten years.''
System manager(s) and address:
Delete entry and replace with ``Program Manager, Joint Advertising,
Market Research & Studies (JAMRS), 4040 N. Fairfax Drive, Suite
200, Arlington, VA 22203-1613.''
Notification procedure:
Delete entry and replace with ``Individuals seeking to determine
whether information about them is contained in this system should
address written inquiries to the Joint Advertising, Market Research &
Studies (JAMRS), Direct Marketing Program Officer, 4040 N. Fairfax
Drive, Suite 200, Arlington, Virginia 22203-1613.
Requests should contain the full name, date of birth, and current
address of the individual.''
Record access procedures:
Delete entry and replace with ``Individuals seeking access to
records about themselves contained in this system of records should
address written inquiries to the Joint Advertising, Market Research &
Studies (JAMRS), Direct Marketing Program Officer, 4040 N. Fairfax
Drive, Suite 200, Arlington, Virginia 22203-1613.
Requests should contain the full name, date of birth, and current
address of the individual.
Note 1: Individuals, who are 15\1/2\ years old or older, or
parents or legal guardians acting on behalf of individuals who are
between the ages of 15\1/2\ and 18 years old, seeking to have their
name or the name of their child or ward, as well as other
identifying data, removed from this system of records (or removed in
the future when such information is obtained) should address written
Opt-Out requests to the Joint Advertising, Marketing Research &
Studies (JAMRS), ATTN: Opt-Out, 4040 N. Fairfax Drive, Suite
200, Arlington, Virginia 22203-1613. Such requests must
contain the full name, date of birth, and current address of the
individual.
Note 2: Opt-Out requests will be honored for ten years. However,
because opt-out screening is based, in part, on the current address
of the individual, any change in address will require the submission
of a new opt-out request with the new address.''
* * * * *
DHRA 04
System name:
Joint Advertising, Market Research & Studies Recruiting Database.
System location:
Equifax Database Services, Inc., 500 Edgewater Drive, Suite 525,
Wakefield, MA 01880-3030.
Categories of individuals covered by the system:
Young adults aged 16 to 18; college students; Selective Service
System registrants; individuals who have taken the Armed Services
Vocational Aptitude Battery (ASVAB) test; individuals who have
responded to various paid/non-paid advertising campaigns seeking
enlistment information; current military personnel who are on Active
Duty or in the Reserves and prior service individuals who still have
remaining Military Service Obligation; individuals who are in the
process of enlisting; and individuals who have asked to be removed from
any future recruitment lists.
Categories of records in the system:
All Records: Full name, gender, address, city, State, zip code,
source code. For Young Adults aged 16 to 18: Date of birth, telephone
number, high school name, graduation date, grade point average,
education level, military interest, college intent, ethnicity, ASVAB
test date, ASVAB Armed Forces Qualifying Test Category Score. For
College Students: Telephone number, college name, college location,
college type, college competitive ranking, class year, ethnicity, field
of study. For Selective Service System: Date of birth, scrambled Social
Security Number, Selective Service registration method. Individuals who
have responded to various paid/non-paid advertising campaigns seeking
enlistment information: Date of birth, telephone number, Service Code,
last grade completed, e-mail address, contact immediately flag. For
Military Personnel: Date of birth, scrambled Social Security Number,
ethnicity, education level, application date, military service and
occupation information. For Individuals who have asked to be removed
from future recruitment list: Date of birth, reason code.
Authority for maintenance of the system:
10 U.S.C. 503(a), Enlistments: recruiting campaigns; 10 U.S.C. 136,
Under Secretary of Defense for Personnel and Readiness; 10 U.S.C. 3013
(Secretary of the Army); 10 U.S.C. 5013 (Secretary of the Navy); 10
U.S.C. 8013 (Secretary of the Air Force); and E.O. 9397 (SSN).
Purpose(s):
The purpose of the system of records maintained by the Joint
Advertising, Market Research and Studies (JAMRS) is to compile, process
and distribute files of individuals to the Services to assist them in
their direct marketing recruiting efforts. The system also provides
JAMRS with the ability to measure effectiveness of list purchases
through ongoing analysis and to remove the names of individuals who are
currently members of, or are enlisting in, the Armed Forces or who have
asked that their names be removed from future recruitment lists.
Routine uses of records maintained in the system, including categories
of users and the purposes of such uses:
In addition to those disclosures generally permitted under 5 U.S.C.
[[Page 956]]
552a(b) of the Privacy Act, these records or information contained
therein may specifically be disclosed outside the DoD as a routine use
pursuant to 5 U.S.C. 552a(b)(3) as follows: The DoD Blanket Routine
Uses set forth at the beginning of OSD's compilation of systems of
records notices do not apply to this system except:
To any component of the Department of Justice for the purpose of
representing the Department of Defense, or any officer, employee or
member of the Department, in pending or potential litigation to which
the record is pertinent.
To the General Services Administration and the National Archives
and Records Administration for the purpose of records management
inspections conducted under authority of 44 U.S.C. 2904 and 2906.
Policies and practices for storing, retrieving, accessing, retaining,
and disposing of records in the system:
Storage:
Records are maintained on electronic storage media.
Retrievability:
Records may be retrieved by an individual's full name, address, and
date of birth.
Safeguards:
Access to information in the database is highly restricted and
limited to those that require the records in the performance of their
official duties. The database utilizes a layered approach of
overlapping controls, monitoring and authentication to ensure overall
security of the data, network and system resources. Sophisticated
physical security, perimeter security (firewall, intrusion prevention),
access control, authentication, encryption, data transfer, and
monitoring solutions prevent unauthorized access from internal and
external sources.
Retention and disposal:
Destroy three years from the date the information pertaining to the
individual is first distributed to the Services or, where data are
subsequently collected from a different data source, from the date that
subsequent data are subsequently distributed to the Services. Records
for individuals who have responded to various paid/nonpaid advertising
campaigns seeking enlistment are kept, for analytical purposes, until
they are no longer needed. Records for individuals who wish to be
removed from future recruitment lists (opted-out) are retained for ten
years.
System manager(s) and address:
Program Manager, Joint Advertising, Market Research & Studies
(JAMRS), 4040 N. Fairfax Drive, Suite 200, Arlington, VA
22203-1613.
Notification procedure:
Individuals seeking to determine whether information about them is
contained in this system should address written inquiries to the Joint
Advertising, Market Research & Studies (JAMRS), Direct Marketing
Program Officer, 4040 N. Fairfax Drive, Suite 200, Arlington,
Virginia 22203-1613.
Requests should contain the full name, date of birth, and current
address of the individual.
Record access procedures:
Individuals seeking access to records about themselves contained in
this system of records should address written inquiries to the Joint
Advertising, Market Research & Studies (JAMRS), Direct Marketing
Program Officer, 4040 N. Fairfax Drive, Suite 200, Arlington,
Virginia 22203-1613.
Requests should contain the full name, date of birth, and current
address of the individual.
Note 1: Individuals, who are 15\1/2\ years old or older, or
parents or legal guardians acting on behalf of individuals who are
between the ages of 15\1/2\ and 18 years old, seeking to have their
name or the name of their child or ward, as well as other
identifying data, removed from this system of records (or removed in
the future when such information is obtained) should address written
Opt-Out requests to the Joint Advertising, Marketing Research &
Studies (JAMRS), ATTN: Opt-Out, 4040 N. Fairfax Drive, Suite
200, Arlington, Virginia 22203-1613. Such requests must
contain the full name, date of birth, and current address of the
individual.
Note 2: Opt-Out requests will be honored for ten years. However,
because opt-out screening is based, in part, on the current address
of the individual, any change in address will require the submission
of a new opt-out request with the new address.
Contesting record procedures:
The OSD rules for accessing records, for contesting contents and
appealing initial agency determinations are contained in OSD
Administrative Instruction 81; 32 CFR part 311; or may be obtained from
the system manager.
Record source categories:
Individuals; state Department of Motor Vehicle offices; commercial
information brokers/vendors; Selective Service System; Defense Manpower
Data Center (DMDC); United States Military Entrance Processing Command
for individuals who have taken the ASVAB test; and the Military
services and Congressional offices for individuals who have asked to be
removed from any future recruitment lists.
Exemptions claimed for the system:
None.
[FR Doc. E6-21942 Filed 1-8-07; 8:45 am]
BILLING CODE 5001-06-P