BY ORDER OF THE

SECRETARY OF THE AIR FORCE

HEADQUARTERS OPERATING

INSTRUCTION 33-19

29 JUNE 2018

Communications and Information

PRIVACY PROGRAM ROLES AND

RESPONSIBILITIES

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

ACCESSIBILITY: Headquarters Air Force Publications and forms are available on Air Force

e-Publishing (http://www.e-publishing.af.mil/) under Departmental:

Special Publications: HOI.

RELEASABILITY: There are no releasability restrictions on this publication.

OPR: SAF/AAII

Supersedes: HOI 33-19, 25 Sep 2015

Certified by: SAF/AAI

(Mr. Kent Chadrick)

Pages: 22

This Headquarters Operating Instruction (HOI) implements the Department of Defense (DoD)

5400.11R, Privacy Act, Air Force Policy Directive (AFPD) 33-3, Information Management, Air

Force Instruction (AFI) 33-332, Air Force Privacy and Civil Liberties Program, AFI 33-324, The

Air Force Information Collections and Reports Management Program, AFI 17-130, Cyber

Security Program Management, AFI 17-110, Air Force IT Portfolio Management and IT

Investment Review, and Air Force Manual (AFMAN) 17-1301, Computer Security

(COMPUSEC). The purpose of this instruction is to establish and describe the duties and

responsibilities of the SAF/AAI appointed Privacy Manager and organizational/unit Privacy

Managers/Monitors under the oversight of the Director, Information Management, and the two-

letter (2-ltr) Offices of Primary Responsibility (OPR) in regards to the Headquarters Air Force

(HAF) Privacy Program. It applies to personnel at the HAF, including contractor personnel.

Ensure all records created as a result of processes prescribed in this publication are maintained in

accordance with Air Force Manual 33-363, Management of Records, and disposed of in

accordance the Air Force Records Disposition Schedule located in the Air Force Records

Information Management System (AFRIMS). Send recommended changes and questions about

this publication to the Office of Primary Responsibility (OPR) at usaf.pentagon.saf-

aa.mbx.haf-privacy-office@mail.mil, using the AF Form 847, Recommendation for Change of

Publication.

2 HOI33-19 29 JUNE 2018

SUMMARY OF CHANGES

This revision changes the level of support to HAF organizations (para 2.3 and 2.4), differentiates

SAF/AAI Privacy Manager, Organizational Privacy Manager, and Unit Privacy Monitor

responsibilities (para 2.5 and 2.6), specifies requirements and reporting templates for privacy

inquiry (para 3.2.2), adds guidance relating to compliance of information technology (para 3.3)

and modifies training requirements (para 4).

1. Overview.

1.1. The HAF Privacy Program ensures the collection, maintenance, use, and dissemination

of Personally Identifying Information (PII) about individuals and the protection of individual

rights against an invasion of personal privacy is conducted in accordance with (IAW) the

Privacy Act of 1974 and DoD policies. The Privacy Act focuses on four policy objectives:

1.1.1. To restrict disclosure of personally identifiable records maintained by agencies.

1.1.2. To grant individuals increased rights of access to agency records maintained on

themselves.

1.1.3. To grant individuals the right to seek amendments of agency records maintained

on themselves upon a showing that the records are not accurate, relevant, timely, or

complete.

1.1.4. To implement the code of “Fair Information Practices” which requires agencies to

comply with statutory norms for collection, maintenance, use, and dissemination of

records.

1.2. All Air Force military, civilian, and contractor personnel are to comply with the

requirements and practices governing the collection, maintenance, use, and dissemination of

PII maintained by Federal agencies IAW the E-Government Act of 2002 and Privacy Act of

1974, as appropriate.

2. Responsibilities.

2.1. IAW AFPD 33-3 and AFI 33-332, the Chief, Information Dominance and Chief

Information Officer (SAF/CIO A6) implements the Privacy Act and DoD Privacy Program

for the Air Force. In addition, SAF/CIO appoints the Component Senior Official for Privacy

and the Air Force Privacy Officer.

2.1.1. The Air Force Privacy Officer administers the program for the Air Force and

performs the duties and functions outlined in AFI 33-332.

2.2. Individual HAF 2-ltr organizations are responsible for the implementation, oversight

and management of the Privacy Program within HAF and will:

2.2.1. Appoint Privacy Managers as outlined in this HOI and in compliance with AFI 33-

332.

2.2.2. Appoint Organizational Privacy Manager (OPMs)/Unit Privacy Monitors (UPMs)

as necessary to comply with AFI 33-332.

2.3. Consistent with responsibilities for Air Force Information Technology (see AFI 17-110)

and HAF Mission Directive 1-6, Administrative Assistant to the Secretary of the Air Force,

HOI33-19 29 JUNE 2018 3

SAF/AAI has delegated CIO responsibilities and is responsible for the implementation,

oversight, and management of the privacy program and IT compliance for privacy for

serviced organizations (see Figure 2.1). SAF/AAII will function as the SAF/AAI Privacy

Manager for the following 2-ltr organizations that are part of the “HAF Portfolio” (Figure

2.1) under the oversight of SAF/AAI:

2.3.1. Auditor General (SAF/AG)

2.3.2. General Counsel (SAF/GC)

2.3.3. International Affairs (SAF/IA)

2.3.4. Inspector General (SAF/IG)

2.3.5. Legislative Liaison (SAF/LL)

2.3.6. Public Affairs (SAF/PA)

2.3.7. Manpower & Reserve Affairs (SAF/MR)

2.3.8. Small Business (SAF/SB)

2.3.9. Judge Advocate General (AF/JA)

2.3.10. Chief of Chaplains (AF/HC)

2.3.11. History and Museums Policies and Programs (AF/HO)

2.3.12. Chief of Air Force Reserve (AF/RE)

2.3.13. Chief of Safety (AF/SE)

2.3.14. Test and Evaluation (AF/TE)

2.3.15. Chief Scientist (AF/ST)

2.3.16. Space (SAF/SP)

2.3.17. Executive Services (HAF/ES) to include Office of the Secretary of the Air Force

(SECAF), Under Secretary of the Air Force (SAF/US), Chief of Staff of the Air Force

(CSAF), Vice Chief of Staff, Assistant Vice Chief of Staff/Director of Staff (AF/CVA),

and Chief Master Sergeant of the Air Force (CCC)

2.3.18. Installation Environment and Energy (SAF/IE)

2.3.19. Management (SAF/MG)

2.3.20. Administrative Assistant (SAF/AA)

2.3.21. Air Force Integration Office (AF/IO)

2.3.22. Strategic Deterrence & Nuclear Integration (AF/A10)

2.4. The following HAF organizations with delegated CIO responsibilities (Figure 2.1) will

appoint Organizational Privacy Managers (OPM) for their organization.

2.4.1. Manpower, Personnel & Services (AF/A1)

2.4.2. Intelligence, Surveillance & Reconnaissance (AF/A2)

2.4.3. Operations (AF/A3)

4 HOI33-19 29 JUNE 2018

2.4.4. Logistics, Engineering and Force Protection (AF/A4)

2.4.5. Strategic Plans & Requirements (AF/A5/8)

2.4.6. Chief, Information Dominance & Chief Information Office (SAF/CIO A6)

2.4.7. Studies, Analyses & Assessments (AF/A9)

2.4.8. Acquisition, Technology, and Logistics (SAF/AQ)

2.4.9. Financial Management & Comptroller (SAF/FM)

2.4.10. Surgeon General (AF/SG) and connected organization, Air Force Medical

Services Agency (AFMSA)

Figure 2.1. CIO Area of Responsibility Coverage for HAF.

2.5. The SAF/AAI appointed Privacy Manager will:

2.5.1. Provide direct support for organizations within the HAF Portfolio.

2.5.2. Provide direction and training regarding implementing the AFI 33-332 to

commanders and personnel who are not in the HAF Portfolio.

2.5.3. Conduct inquiries (as necessary) and report findings of PII breaches to the Air

Force Privacy Officer (usaf.pentagon.saf-cio-a6.mbx.af-privacy@mail.mil).

2.5.4. Provide guidance to organization privacy monitors and employees implementing a

Privacy program.

2.5.5. Review and process System of Records Notice (SORNs) for supported

organizations.

HOI33-19 29 JUNE 2018 5

2.5.6. Provide guidance to supported organizations to ensure information systems, which

are developed to collect, maintain, process, or disseminate personal information, are

compliant and conform to the Privacy Act, Office of Management and Budget, DoD, and

AF requirements.

2.5.7. Ensure self-assessments are conducted by supported HAF organizations on a

biennial basis. Evaluations of Privacy Act program compliance in applicable 2-ltr

organizations may be conducted utilizing the HAF Privacy self-assessment checklist

located in https://cs2.eis.af.mil/sites/11841/privacy/default.aspx.

2.5.8. Serve as the Privacy subject matter expert (SME) and work with the HAF IT

portfolio management team to ensure information systems are in compliance with

Privacy Act, E-Government Act and Paperwork Reduction Act (PRA) as annotated in

Information Technology Investment Portfolio Suite (ITIPS). For more information,

please refer to AFI 17-110.

2.5.9. Assist and/or advise the organization’s IT investment Program Managers and

Information System Owners (ISO) during development, implementation, revision, or

submission of: SORNs; Paperwork Reduction Act submission packages for public

information collections; DD Form 2936, Request for Approval of Department of Defense

Internal Information Collections; DD Form 2930, Privacy Impact Assessment (PIA);

Privacy Act Statement (PAS), Privacy Statement, Privacy Act Advisory (PAA), or

Privacy Act System Notice and Social Security Number use reduction/elimination IAW

AFI 33-332.

2.5.10. Participate in regular system reviews with HAF IT portfolio management team.

Note: The periodic review of IT systems registered in the Air Force's Information

Technology Investment Portfolio Suite must involve organization privacy monitors to

ensure responses to privacy questions are validated. Failure to do so may risk system

non-concurrence by the AF Privacy Officer during annual compliance review,

certification, decertification, or request for funding.

2.5.11. In addition to the organizations listed in 2.3., the SAF/AAI appointed Privacy

Manager by agreement will provide support to the following organizations within the

National Capital Region (NCR):

2.5.11.1. The AF Audit Agency (AFAA), Air Force Legal Operations Agency

(AFLOA), and Air Force Review Board Agency (AFRBA). Support provided

consists of direct support parallel to their parent organization, SAF/AG, AF/JA, and

SAF/MR, respectively.

2.5.11.2. The Air Force Office of Special Investigations (AFOSI), Air Force

Inspection Agency (AFIA), Air Force Safety Center (AFSEC), Air Force Public

Affairs Agency (AFPAA) and Air Force Historical Research Agency (AFHRA).

Support provided consists of IT compliance oversight. The SAF/AAI appointed

Privacy Manager serves as the subject matter expert on Privacy Act, Federal Records

Act, Rehabilitation Act, PRA, and E-Government Act.

6 HOI33-19 29 JUNE 2018

2.6. The Organizational Privacy Manager/Unit Privacy Monitors shall:

2.6.1. Be appointed in writing by commander or director (GS-15/O-6 and above).

Organizations shall appoint a primary and alternate privacy monitor (see Attachment 2

for a sample appointment letter).

2.6.2. Complete privacy monitor training within 60 days of appointment.

2.6.3. Report PII breach and violations to the appointed Privacy Manager at the

appropriate level.

2.6.4. Administer appropriate Privacy training to members of the organization and track

training completed.

2.6.5. Assist and advise the records professionals on proper Privacy Act protection

methods for records and to ensure the “retention and disposal” section on a SORN is

consistent with the corresponding tables and rules in the AF Records Disposition

Schedule (RDS).

2.6.6. Provide guidance on proper safeguards for PII stored in shared drives or Electronic

Records Management (ERM), to include correct marking of ERM folders.

2.6.7. Conduct annual Privacy program assessment based on the current self-assessment

checklist to ensure privacy program compliance.”

2.6.8. Serve as the unit’s Privacy SME and work with the organization’s IT portfolio

management team to ensure information systems are in compliance with Privacy Act, E-

Government Act and PRA as annotated in Information Technology Investment Portfolio

Suite (ITIPS). For more information, please refer to AFI 17-110.

2.6.9. Participate in regular system reviews with organization’s IT portfolio management

team.

2.6.10. Work with the organization’s IT investment Program Managers and Information

System Owners (ISO) during development, implementation, revision, or submission of:

SORNs; PRA submission packages for public information collections; DD Form 2936,

Request for Approval of DoD Internal Information Collections; DD Form 2930, PIA;

PAS, Privacy Statement, PAA, or Privacy Act System Notice, and Social Security

Number use reduction/elimination IAW AFI 33-332.

3. Procedures.

3.1. Protection of Personal Information and PII.

3.1.1. E-mail and Electronic Records Containing Moderate and High Impact PII shall be:

3.1.1.1. Digitally signed and encrypted when transmitted using Simple Mail Transfer

Protocol (SMTP) by applying Digital Signature Enforcement Tool (DSET), which are

measures used to secure PII for e-mail. Other transmission methods that provide

encryption include Army Missile Research Development and Engineering Center

Safe Access File Exchange (AMRDEC SAFE – see Attachment 3).

3.1.1.2. Encrypted in transit and at rest when stored in federal systems. Federal

information must be encrypted at rest and in transit when applicable. For more

HOI33-19 29 JUNE 2018 7

information, please refer to OMB Circular A-130, Managing Information as a

Strategic Resource.

3.1.1.3. Properly safeguarded, accessible, or viewable only by individuals who have

an official need-to-know to conduct daily operations. Personal Information in shared

drives, and ERM drives must be safeguarded and appropriate permission must be in

place to ensure access is controlled. Note: Medium or High Impact PII cannot be

stored in SharePoint or other federal systems unless a data at rest encryption is

enabled.

3.1.2. Privacy Act records shall be:

3.1.2.1. Marked in AFRIMS inventory of records.

3.1.2.2. Labeled with appropriate markings when stored in ERM drives IAW AFI 33-

322.

3.1.2.3. Marked “FOR OFFICIAL USE ONLY” and must be protected and

accessible only by those with the official need to know.

3.2. PII Breach Reporting Procedures for organizations within HAF Portfolio. Note:

Organizational Privacy Managers assigned to Non-HAF Portfolio organizations report PII

breaches directly to the AF Privacy Officer, usaf.pentagon.saf-cio-a6.mbx.af-

privacy@mail.mil, IAW AFI 33-332.

3.2.1. Unit Privacy Monitors assigned to HAF Portfolio supported organizations report

Privacy Act violations, breaches, and complaints to the SAF/AAI Privacy Manager.

Privacy Monitors shall:

3.2.1.1. Report actual or suspected violations within 1 hour of discovery of the actual

or suspected PII breach to the United States Computer Emergency Readiness Team

(US-CERT) at www.us-cert.gov (if suspected breach involves government systems)

and to the SAF/AAI Privacy Manager, usaf.pentagon.saf-aa.mbx.haf-privacy-

office@mail.mil.

3.2.1.2. Provide incident report, DD Form 2959, to the SAF/AAI Privacy Manager or

within 24 hours of discovery of the breach using the DoD Breach reporting template.

3.2.1.3. Conduct a risk based management assessment on the potential impact of

each PII breach, present findings within 24 hours of breach discovery to senior-level

official (Directorate or higher or military commander, O-6 or higher) and the

SAF/AAI Privacy Manager. Findings will be used to validate decision to notify or

not to notify affected individuals. Complete notification of affected individuals, if

required, within 10 work days after a PII breach is discovered.

3.2.1.4. Submit a midway report to SAF/AAI Privacy Manager by updating the DD

Form 2959.

3.2.1.5. Submit a final report to the SAF/AAI Privacy Manager within 10 working

days.

3.2.2. Senior leaders may appoint an inquiry officer for unique or major PII incidents.

Inquiry Officers shall:

8 HOI33-19 29 JUNE 2018

3.2.2.1. Be appointed in writing by the senior-level individual in the chain of

command for the organization where the actual or possible loss, theft or compromise

of information occurred. Inquiry Officer Appointment letter (see Attachment 4 for a

sample letter) will be submitted to the SAF/AAI Privacy Manager through the Unit

Privacy Monitor.

3.2.2.2. Be an E-7 or above (or civilian equivalent) to conduct an inquiry of the

incident to determine whether it is an actual breach, the cause, and whether there was

criminal intent to warrant a criminal investigation.

3.2.2.3. Submit the Inquiry Officer report (see Attachment 5 for a report template) to

the senior official (GS-15, O-6 or higher) who is in the chain of command for

approval after the inquiry. For reports on Privacy Act Complaints, use the sample

format in Attachment 6 of this instruction.

3.2.2.4. Submit approved Inquiry Officer reports to the SAF/AAI Privacy Manager

through the Unit Privacy Monitor.

3.2.3. Loss of Account Access as a Result of PII Breach Incidents.

3.2.3.1. Privacy Act protected information and PII (moderate and high) must be

protected in transit and at rest with strong encryption IAW AFI 33-332, AFI AFI17-

130, and AFMAN17-1301. Violation will be processed as a PII breach.

3.2.3.2. Users may immediately and temporarily lose account access when user’s

conduct results in failure to protect high impact PII.

3.2.3.3. For repeat PII breach incidents, the violator’s account may be disabled.

Account lockouts resulting from three breach incidents within six months period may

be directed by commander or director with the advice of the SAF/AAI Privacy

Manager in the event of a high visibility breach.

3.2.3.4. The SAF/AAI Privacy Manager may notify HAF 2-ltr director/general

officer/civilian equivalent (GO/SES) or designated representative (GS-15/O-6)

assigned to HAF Portfolio organizations of any repeated user-involved incidents.

3.2.3.5. To restore account access, the following actions must be accomplished:

3.2.3.5.1. The user responsible for the PII breach must complete remedial Privacy

training.

3.2.3.5.2. The user’s HAF 2-ltr Director/General Officer/Civilian Equivalent

(GO/SES) or designated representative (GS-15/O-6) shall verify the user’s

completion of remedial training and Privacy Act certification statement before

signing reinstatement memo addressed to the appropriate organization handling

the user account through the SAF/AAI Privacy Manager. See attachment 7 for a

sample reinstatement memo.

3.2.3.5.3. Upon receipt of the reinstatement memo, the account can be reactivated

by the appropriate organization.

3.3. Compliance in IT Systems.

HOI33-19 29 JUNE 2018 9

3.3.1. To ensure compliance in PA, PRA, and E-Government Act, Program Managers

and Information System Owners or IT Asset Owners within the HAF Portfolio shall:

3.3.1.1. Coordinate with Unit Privacy Monitors and ensure applicable SORN (new,

modification, and rescindment), DD Form 2930, PIA and PRA packages are

submitted to SAF/AAI Privacy Manager and HAF Portfolio Records Manager before

final submission to the AF Privacy Office. Submit required documentation that

supports the PII Confidentiality Impact Level (PCIL) determination addressed in the

PIA.

3.3.1.2. To ensure compliance in PA, PRA, and E-Government Act, Program

Managers and Information System Owners for non- HAF Portfolio organizations will

coordinate with their organization privacy monitor as their SME and ensure

applicable SORN (new, modification, and rescindment), PIA, DD Form 2930, and

PRA packages are submitted directly to the AF Privacy Officer.

4. Training.

4.1. Users Privacy Training Requirements. Personnel must complete all required Privacy

training within 60 days of assuming duties and thereafter annually as necessary.

4.1.1. User Initial/Orientation and Annual Refresher Training includes:

4.1.1.1. Familiarization with Privacy practices and statutes presented through review

of visual aids and PII tri-fold.

4.1.1.2. Completion of AF and/or DoD required training, such as locally devised

training or any other means, as applicable.

4.1.1.3. The annual all users’ Privacy training completed by supported organizations

should be tracked using the HAF SharePoint training tracker at

https://cs2.eis.af.mil/sites/11841/privacy/trgtracker/_layouts/15/start.aspx#/SiteP

ages/Home.aspx.

4.2. Specialized Training. Specialized training is role-based training required for personnel

responsible for handling PII on a routine basis. Specialized training is required on an initial

and annual basis.

4.2.1. Role-Based. At a minimum, the following employees are required to complete

specialized training that must be job specific and commensurate with an individual's

responsibilities: knowledge operations managers, human resource specialists or other

employees who perform military or civilian personnel management functions or duties,

security managers, law enforcement, IT personnel (programmers/developers, system

administrators, SharePoint site owners, etc.), information system owners and program

managers of a system of records (SOR) and/or IT investment, FOIA analysts, personnel

who may be expected to deal with the news media or the public, supervisors or other

personnel who handle performance reviews or appraisals of military and civilian

employees (to include branch chiefs, division chiefs, directors), individuals working with

medical, personnel, financial, and security records, and organization privacy monitors

and other personnel responsible for carrying out functions under this instruction.

4.2.1.1. As a minimum, personnel must complete all users’ training and:

10 HOI33-19 29 JUNE 2018

4.2.1.1.1. Complete the Privacy course offered by DISA via CBT titled,

“Identifying and Safeguarding PII” (http://iase.disa.mil/eta/online-

catalog.html).

4.2.1.1.2. Read the AFI 33-332, AF Privacy Program, this HOI, AF Privacy

Specialized Briefing, and other AF and DoD guidance.

4.2.1.1.3. When available, all users who are required to complete the specialized

training should attend the face-to-face and/or classroom instruction.

4.2.1.1.4. Use the HAF SharePoint Specialized training tracker to document

training completed annually by supported organizations.

4.2.2. Training for Privacy Monitors.

4.2.2.1. Complete the Privacy course offered by DISA via CBT titled, “Identifying

and Safeguarding Personally Identifiable Information”

(http://iase.disa.mil/eta/online-catalog.html).

4.2.2.2. Complete Intro to Privacy Training (typically classroom training is offered

quarterly, contact the SAF/AAI Privacy Manager for more information).

4.2.2.3. Complete SORN and PIA Training (typically classroom training is offered

quarterly, contact the SAF/AAI Privacy Manager for more information).

4.2.2.4. Read the AFI 33-332, AF Privacy Program, this HOI, DoD guidance, and

other guidance as specified by the SAF/AAI Privacy Manager.

4.2.3. Remedial Training. Users who commit a PII breach or privacy violation, will

complete the remedial training within 24 hours of breach reporting.

4.2.3.1. Complete the Privacy course offered by DISA via CBT titled, “Identifying

and Safeguarding Personally Identifiable Information”

(http://iase.disa.mil/eta/online-catalog.html).

4.2.3.2. Re-familiarize themselves with Privacy practices and statutes presented

through visual aids, PII tri-fold, and other AF and DoD guidance, as applicable

(specific to type of breech).

4.2.3.3. Document training completed by supported organizations using the HAF

SharePoint Remedial training tracker.

4.2.3.4. Additional training may be directed and/or administered by the SAF/AAI

Privacy Manager as needed on a case-by-case basis.

PATRICIA ZARODKIEWICZ, SES

Administrative Assistant to the Secretary of the Air

Force

HOI33-19 29 JUNE 2018 11

Attachment 1

GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION

References

Title 5 United States Code, Section 552a, Privacy Act of 1974

Public Law 104-13, Paperwork Reduction Act of 1995

Public Law 107-347, Section 208, E-Government Act of 2002, Federal Information Security

Management Act (FISMA), 17 Dec 2002

OMB Circular A-130, Managing Information as a Strategic Resource, 28 Jul 2016

OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable

Information, 3 Jan 2017

DoD Directive 5400.11, Department of Defense Privacy Program, 29 Oct 2014

DoD 5400.11R, Department of Defense Privacy Program, 14 May 2007

AFI 17-110, Air Force IT Portfolio Management and IT Investment Review, 28 Oct 2016

(Renumbered from AFI 33-141) AFI 17-130, Air Force Cybersecurity Program Management,

30 Nov 2017

(Renumbered from 33-200 by AFI 17-130_AFGM2017-01) AFI 17-100, Air Force IT Service

Management, 16 Sep 2014

(Renumbered from 33-115) AFMAN 17-1301, Computer Security (COMPUSEC), 10 Feb

2017

AFI 33-322, Records Management Program, 4 Jun 2012

AFI 33-324, The Air Force Information Collections and Reports Management Program, 6 Mar

2013

AFI 33-332, Air Force Privacy and Civil Liberties Program, 12 Jan 2015

AFMAN 33-363, Management of Records, 1 Mar 2008

HAF MD 1-6, Administrative Assistant to the Secretary of the Air Force, 22 Dec 2014

Adopted Forms

AF Form 847, Recommendation for Change of Publication

DD Form 2930, Privacy Impact Assessment (PIA)

DD Form 2936, Request for Approval of Department of Defense Internal Information

Collections

DD Form 2959, Breach of Personally Identifiable Information Report

Abbreviations and Acronyms

AFI—Air Force Instruction

AFMAN—Air Force Manual

12 HOI33-19 29 JUNE 2018

AFRIMS—Air Force Records Information Management System

AMRDEC SAFE—Army Missile Research Development and Engineering Center Safe Access

File Exchange

CAC—Common Access Card

DSET—Digital Signature Enforcement Tool

FOUO—For Official Use Only

GO/SES—General Officer/Senior Executive Service

HAF—Headquarters Air Force

IAW—In Accordance With

OMB—Office of Management and Budget

OPM—Organizational Privacy Managers

OPR—Office of Primary Responsibility

PA—Privacy Act

PAA—Privacy Act Advisory

PAS—Privacy Act Statement

PIA—Privacy Impact Assessments

PII—Personally Identifiable Information

RDS—Records Disposition Schedule

SME—Subject Matter Expert

SOR—System of Records

SORN—System of Records Notice

IT—Information Technology

UPM—Unit Privacy Monitor

US-CERT—United States Computer Emergency Readiness Team

Terms

BitLocker—A full disk encryption feature included with Windows Vista and later. It is

designed to protect data by providing encryption for entire volumes.

Common Access Card—The CAC, a "smart" card about the size of a credit card, is the standard

identification for active duty uniformed Service personnel, Selected Reserve, DoD civilian

employees, and eligible contractor personnel. It is also the principal card used to enable physical

access to buildings and controlled spaces, and it provides access to DoD computer network and

systems.

DSET—Tool prompts users to provide a digital signature when an email contains an active

hyperlink or attachment or possible personally identifiable information found in a scan.

HOI33-19 29 JUNE 2018 13

Disclosure—To give information from a system, by any means, to anyone other than the record

subject.

Individual—A living US citizen or a permanent resident alien.

IT Portfolio—A grouping of IT investments by capability to accomplish a specific functional

goal, objective, or mission outcome.

National Capital Region (NCR)—Cities and other units of government within the geographic

boundaries of the District of Columbia; Montgomery and Prince Georges Counties in the State of

Maryland; and the City of Alexandria, Arlington, Fairfax, Loudoun, and Prince William

Counties in the Commonwealth of Virginia (from 10 U.S.C. Section 2674(f) (2)).

Personal Identifier—A name, number, or symbol that is unique to an individual, usually the

person’s name or social security number.

Personal Information—Information about an individual other than items of public record.

Personally Identifiable Information—Information that can be used to distinguish or trace an

individual's identity, either alone or when combined with other information that is linked or

linkable to a specific individual. The personally identifiable information may range from

common data elements such as names, addresses, dates of birth, and places of employment, to

identity documents, Social Security numbers (SSNs) or other government-issued identifiers,

precise location information, medical history, and biometrics.

Personally Identifiable Information Breach—Loss of control, compromise, unauthorized

disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an

authorized user accesses or potentially accesses personally identifiable information or (2) an

authorized user accesses or potentially accesses personally identifiable information for an other

than authorized purpose.

Portfolio Management—Management of selected groupings of IT investments using strategic

planning, architectures, and outcome-based performance measures to achieve a mission

capability.

Privacy Act Advisory—Text that informs an individual of the reasons the Privacy Act protected

information is being solicited and how it will be used.

Privacy Act Statement—Text that informs an individual of the authority, purpose, routine use,

if disclosure is voluntary or mandatory, and any consequences of nondisclosure; required when

soliciting personally-identifying information by an Air Force web site or form.

Privacy Impact Assessment—A written assessment of an information system that addresses the

information to be collected, the purpose and intended use; with whom the information will be

shared; notice or opportunities for consent to individuals; how the information will be secured;

and whether a new system of records is being created under the Privacy Act.

System of Records—A group of records under the control of a DoD Component from which an

individual’s record is retrieved by the name or personal identifier.

System of Records Owner—Individual who maintains a record protected under the Privacy

Act.

14 HOI33-19 29 JUNE 2018

System of Records Notice (SORN) /or/ Privacy Act System Notice—Official public notice

published in the Federal Register of the existence, content, and Points of Contact for the SOR

containing Privacy Act data.

Simple Mail Transfer Protocol (SMTP)—Most widely used protocol to send messages by

Message Transfer Agents on the Internet. SMTP was designed to transfer mail independently of

any specific transmission subsystem.

System Manager—Official responsible for managing a system of records, including policies

and procedures to operate and safeguard it. Local system managers operate record systems or

are responsible for part of a decentralized system.

HOI33-19 29 JUNE 2018 15

Attachment 2

SAMPLE APPOINTMENT OF ORGANIZATION / UNIT PRIVACY MONITORS

(Date)

MEMORANDUM FOR SAF/AAII (Privacy Manager)

FROM: (Sender Two-Letter Organization supported by HAF/CIO)

SUBJECT: Appointment of Organization / Unit Privacy Monitor

The following individuals are appointed as privacy monitor for this organization. Organization

privacy monitors will monitor the Privacy Act Programs for all assigned offices and perform

duties in accordance with HOI 33-19.

PRIMARY/NAME:

RANK/GRADE:

OFFICE SYMBOL:

DUTY PHONE:

E-MAIL:

ALTERNATE/NAME:

RANK/GRADE:

OFFICE SYMBOL:

DUTY PHONE:

E-MAIL:

Appointed monitors will complete training within 60 days from the date of this letter and will

contact SAF/AAII 90 days prior to any OPR changes (ex. Permanent Change of Station or

Assignment (PCS, PCA), retirement, etc.).

This letter supersedes previous letter, same subject.

Signature Block

16 HOI33-19 29 JUNE 2018

Attachment 3

INSTRUCTIONS FOR USING AMRDEC SAFE AND ENCRYPTION WIZARD

A3.1. AMRDEC SAFE Protection: The AMRDEC SAFE application is used to send large

files to individuals, which would normally be too large to send via email. The AMRDEC SAFE

application can be accessed via https://safe.amrdec.army.mil/safe/Welcome.aspx. There are

no user accounts for SAFE. Authentication is handled via email and Common Access Card

(CAC). Everyone has access to SAFE, and the application is available for use by anyone. There

are only a few differences between sending SAFE packages as a CAC user and sending them as

a guest:

A3.1.1. Guests are required to verify their email address after uploading each package.

A3.1.2. Guests cannot send packages to recipients that do not have a .mil or .gov email

address.

A3.1.3. CAC users can add recipients in bulk using a semicolon-delimited list.

A3.2. Sending Files: SAFE is designed to provide AMRDEC and its customers an alternative

way to send files other than email. SAFE supports file sizes up to 2GB. SAFE has received its

Privacy Impact Assessment (PIA) and is authorized for UNCLASSIFIED USE ONLY, TO

INCLUDE PRIVACY ACT DATA.

Step 1: There are two options to proceed from the SAFE homepage:

Proceed as CAC User - Select this option if you have a valid US Department of Defense issued

CAC.

Proceed as Guest - Select this option if you do not have a CAC.

Step 2: After selecting one of the options above, the page will be redirected to the package

upload form. Fill in all the required input fields: Name, Email address (confirm email address,

re-enter email address), Description of File(s), File(s), (Click the "Browse" button to select your

file(s)). You may add up to 25 files per package, so long as the total file size does not exceed

2GB), and Deletion Date (select a date for the package to be deleted from SAFE). The

maximum (which is also the default) is two weeks (14 days) from date of transmission. Provide

an email address to give access to “Enter your recipient here and click Add.” CAC users may

enter a semicolon-delimited list of emails in bulk so each recipient does not need to be added

individually. Grant access to these people (This is the list of people you have granted access to

the package). To remove a recipient, highlight their name and click the "Remove" button.

Caveats (Default is "None") and Encrypt email message when possible (Attempt to encrypt the

package's notification email to each recipient). Notify me when files are downloaded. You, the

sender, will receive a notification via email when a recipient downloads the package. Require

CAC for pickup. Require the recipient to be logged in with a valid US DoD issued CAC to

download the file(s). Recipients without a CAC will not be able to download the package.

Step 3: Clicking the "Submit" button will upload the files and submit the package. Guest users

will need to check their email to verify their email address before the recipients will be notified.

No additional action is required by CAC users.

Step 4: After the package has been uploaded (and verified, if proceeding as a guest), each

recipient will receive a link to the package download page as well as a password. These

passwords are unique for each recipient (not the package), and will be disabled once SAFE

HOI33-19 29 JUNE 2018 17

detects that the user successfully downloaded each file within the package. Forwarding recipient

and sender notification emails to anyone except the AMRDEC SAFE Team is strictly forbidden.

A3.3. Receiving Files:

Step 1: Recipients will automatically be notified via email when they have been added as a

recipient to a package. The email they receive will contain a link and a password. Clicking on

the link will take the recipient to a page where they will be asked for the password. The best

way to enter the password is to copy it from the email and then paste it into the password box.

Step 2: After logging in, the recipient will be able to download all the files within the package.

We recommend right-clicking on each file and selecting the "Save Target As" option to select the

location to save the file.

Step 3: After downloading every file within the package, the recipient will not be able to log

back in to download the files again. Simply logging in or starting a download will not lock the

user out. In order to be locked out, the recipient must successfully download every file within

the package.

A3.4. Managing Files: After uploading a package, the sender will receive a notification email

with a link and a password. After accessing the link and entering the password, the sender will

be able to manage their package.

A3.4.1. Adding Files: The sender can upload additional files to the package. Recipients will

receive an additional notice email informing them that the package has been updated.

Recipients who have already downloaded the package will be allowed back in to get the

additional files.

A3.4.2. Adding Recipients: The sender can grant access to additional recipients to the

package.

A3.4.3. Resending Recipient Notifications: If a recipient lost or never received their

notification to pick up the files, the notification can be resent.

A3.4.4. Checking Recipient Status: The list at the bottom of the status page will show each

recipient and whether or not they have downloaded the package. A download status of

"False" means that they have not downloaded the package, whereas a download status of

"True" means that they have. This feature is available regardless of whether or not the sender

selected the "Notify me" on the upload page.

A3.5. DSET: Encrypt all email by adding a plug-in called Digital Signature Enforcement Tool

(DS) which is configured to scan all outgoing emails for potential PII. It will prompt the user to

use encryption or declare the email as FOUO. This tool makes the user become more aware by

checking their email before sending sensitive PII.

18 HOI33-19 29 JUNE 2018

Attachment 4

SAMPLE APPOINTMENT OF PRIVACY INQUIRY OFFICER

DEPARTMENT OF THE AIR FORCE AIR FORCE UNIT HEADING

MEMORANDUM FOR

FROM: [Senior-level individual who is in the chain of command for the organization where the

breach took place]

SUBJECT: Appointment of Privacy Inquiry Official—[Unit] Personally Identifiable

Information Breach

This is to inform you that you are hereby appointed to conduct an inquiry into a possible breach

of personally identifiable information. You task is to determine if there was a breach. If there

was a breach, you need to determine the cause of the breach.

Explain the incident. “On xx May 2014, it was discovered that an email with a squadron rack

and stack roster, as well as a document titled “Work Stuff & Bio” was sent from the XXX office

to a personal dot-com email. The email was sent unencrypted and was detected by Privacy Act

Monitor at AF/XX at the Pentagon. These individuals were identified and need to be notified of

the breach by the Inquiry Official.”

You are directed to meet with the Privacy Manager………., who will provide you with guidance

on how to complete the PII Incident Final Report and with the AF Instructions, DoD policies and

a copy of the Privacy Act to be used in completing your inquiry. You are authorized to interview

personnel, take sworn statements or testimony, examine and copy any and all relevant Air Force

records, files and correspondence germane to this inquiry.

Please submit a complete report to me NLT xx June 2017. You may not release any information

related to this investigation without prior approval.

[Senior-level individual’s signature block who is in the chain of command for the organization

where the breach took place]

HOI33-19 29 JUNE 2018 19

Attachment 5

TEMPLATE FOR PERSONALLY INDENTIFIABLE INFORMATION INCIDENT

REPORT

DEPARTMENT OF THE AIR FORCE

AIR FORCE UNIT HEADING

MEMORANDUM FOR

FROM: [Senior-level individual in the chain of command for the organization where the breach

took place]

SUBJECT: Preliminary Inquiry of Possible Personally Identifiable Information Breach at (unit)

Authority: A preliminary inquiry was conducted (date) under the authority of the attached

memorandum

Matters investigated: The basis for this inquiry is to determine if there was a breach at the (unit

in question) (breach is defined as “possible loss of control, compromise, unauthorized disclosure,

unauthorized access, or any similar term referring to situations where persons other than

authorized users and for an other than authorized purpose have access or potential access to

personally identifiable information, whether physical or electronic”). Provide a short summary

of the personally identifiable information incident including the date it occurred.

Personnel Interviewed: (list all personnel interviewed, title, office symbol, and security

clearance).

Facts: (list specific details answering who, what, why, where, and when questions concerning

the personally identifiable information incident).

Conclusions: As a result of the investigation into the circumstances surrounding the personally

identifiable information incident, interviews, and personal observations, it is concluded that: (list

specific conclusions reached based on the facts and if a breach or potential compromise did or

did not occur). If a damage assessment is or has been done, provide the point of contact along

with: the status of the assessment if it hasn’t been completed; or, describe the outcome if it has

been completed; or, provide a copy of the completed assessment report.

Recommendations: (Discuss risk assessment factors; list corrective actions needed to preclude a

similar incident; the category of the incident; damage assessment; if the incident is a breach,

compromise, potential compromise or no compromise; and, if this inquiry should be closed

without further investigation or with a recommendation for a formal investigation).

(Signature block of inquiry official)

Appointment of Inquiry Official Memo, (date)

20 HOI33-19 29 JUNE 2018

1st Ind, XXXXX/CC Concur/NonConcur

FOR OFFICIAL USE ONLY (FOUO) When Filled In

HOI33-19 29 JUNE 2018 21

Attachment 6

SAMPLE PRIVACY COMPLAINT REPORT

1. Name of Official (IO) conducting the Inquiry: Rank and/or Grade:

Organization of Official: Fully identify the title of the organization and location without

abbreviations. (You may include authorized abbreviations or symbols in parentheses.)

Duty Position and Contact Telephone Number:

2. Headquarters Air Force (HAF) Portfolio Privacy Complaint #:

3. Summary: Identify the allegations, applicable organization and location, the person(s) or

organization(s) against whom the allegation is made, scope of the investigation conducted,

documents reviewed, witnesses interviewed and whether the interviews were conducted

telephonically or in person. The identity of interviewees need not be reflected in the report but

should be documented in the official file of the agency conducting the investigation.

4. Findings: For each allegation, state the analysis of the findings as they relate to each

allegation and a brief explanation of what led to the findings. Provide a list of relevant

documents and/or evidence, and witness testimony in support of the findings. If they are not

filed with the field working papers, list the location of relevant documents.

5. Cite any Criminal or Regulatory Violation(s) Substantiated:

6. Disposition: For investigations involving economies and efficiencies, include any

management actions taken as part of the final report. For examinations involving criminal or

other unlawful acts, include the results of criminal prosecutions, providing details of all charges

and sentences imposed. Include the results of administrative sanctions, reprimands, value of

property or money recovered or other such actions taken to preclude recurrence. Identify what

corrective action was taken based on the recommendations identified above.

7. Specify Security Classification of Information: Determine and state, when applicable, any

security classification of information included in the report that may jeopardize national defense

or otherwise compromise security if the contents were disclosed to unauthorized sources.

8. Location of Field Working Papers and files: (Identify where CDIs, OSI reports, etc. are stored

and who the release authority is.)

9. Conclusions and Corrective Action: For each allegation, state the conclusions made by the IO.

This section should also include comments as to the adequacy of existing policy or regulations,

noted weaknesses in systems of internal controls, and any recommended corrective actions.

10. Statement of Impartiality: Short statement demonstrating appointed Official is independent

(in both fact and appearance) from all subjects/complainants (whether persons or organizations).

Add the statement: “I certify that I do not have any personal impairment to independence

regarding this case.”

IO SIGNATURE BLOCK

FOR OFFICIAL USE ONLY (FOUO) When Filled In

22 HOI33-19 29 JUNE 2018

Attachment 7

SAMPLE ACCOUNT REINSTATEMENT MEMORANDUM

MEMORANDUM FOR (624 OC NETOPS)

FROM: (Insert originating org office symbol)

SUBJECT: Request to Reinstate Account Access

1. Please release the (S)AF/XX network account of _________ from quarantine.

2. I have ensured that ______ has completed the required remedial Privacy Act training,

including the DISA CBT - Identifying and Safeguarding Personally Identifiable Information, the

review of the following local guidance: OMB M-17-12, dated Jan 2017, Department of Defense

5400.11R, AFI 33-332, HQ Air Force Visual Aids, and SAF/AA personally identifiable

information Tri-Fold. Member has completed and signed a certification statement of

initial/annual/remedial refresher training for Privacy Act Information.

3. Member has scanned and sent a copy of DISA CBT certificate and signed certification

statement to the SAF/AAI Privacy Manager and (S)AF/XX Organization Privacy Monitor.

SIGNATURE BLOCK

(GS-15 OR O-6 AND ABOVE)

2 Attachments:

1. Identifying and Safeguarding Personally Identifiable Information CBT Certificate

2. Certification of Initial/Annual/Remedial Refresher Training