Congress passed the Privacy Act of 1974, as amended (Privacy Act), to direct how an individual’s personally identifiable information (PII) may be collected, maintained, and used by a Federal agency. The Department of Defense (DoD), including all DoD Components, is subject to the Privacy Act. It provides individuals the right to access records about themselves and allows them to amend or correct information that is inaccurate, irrelevant, untimely, or incomplete. By passing the Privacy Act, Congress intended to balance the privacy rights of individuals with the Government’s need to collect and maintain information about them. The Privacy Act also provides both civil and criminal remedies for violations of the Privacy Act by a Federal agency or component.
The Privacy Act is codified at 5 U.S.C. 552a, and implemented within DoD and the Military Health System through DoD Privacy Program, May 8, 2007, incorporating Change 1, September 1, 2011, and DoD 5400.11-R, Department of Defense Privacy Program, May 14, 2007.
The Privacy Act regulates how DoD Components solicit and collect PII from individuals,
and also sets forth requirements for the maintenance, use, and disclosure of
The Privacy Act applies when a group of records maintained by a DoD Component
contains PII, and that PII is retrieved by information unique to the individual whose PII is being
retrieved. That same group of records, when maintained by a contractor on behalf of a DoD
Component, is also subject to the Privacy Act.
Key Definitions (as found in DoD 5400.11-R, DL1., Definitions):
- Record: One or more items of information maintained by a DoD Component that is
about an individual and contains some identifying particular assigned to that individual, such as
a name or photograph.
- Personally identifiable information (PII): Information that can be linked to a specific
individual and may include the following:
  - Social Security Number;
  - DoD Identification Number;
  - Home address;
  - Home telephone;
  - Date of birth (year included);
  - Personal medical information;
  - Personal/Private information (e.g., an individual’s financial data); or
  - Family information.
- System of records: A group of records, under the control of a DoD Component and
containing PII, which is retrieved by information unique to that individual, such as a name or
The Defense Health Agency (DHA) Privacy Act Program:
- Provides guidance on the development of procedures that support
DHA compliance with the Privacy Act, DoD 5400.11-R, and other guidelines.
- Implements Privacy Act requirements throughout DHA, including the oversight of the
development and use of the Privacy Act Statement required on forms (both paper and
electronic) when PII is solicited and collected for a system of records.
- Reviews DHA systems of records and coordinates the review and publication of required
systems of records notices (SORNs) and SORN updates in the