by order of the headquarters operating...
TRANSCRIPT
BY ORDER OF THE
SECRETARY OF THE AIR FORCE
HEADQUARTERS OPERATING
INSTRUCTION 33-19
29 JUNE 2018
Communications and Information
PRIVACY PROGRAM ROLES AND
RESPONSIBILITIES
COMPLIANCE WITH THIS PUBLICATION IS MANDATORY
ACCESSIBILITY: Headquarters Air Force Publications and forms are available on Air Force
e-Publishing (http://www.e-publishing.af.mil/) under Departmental:
Special Publications: HOI.
RELEASABILITY: There are no releasability restrictions on this publication.
OPR: SAF/AAII
Supersedes: HOI 33-19, 25 Sep 2015
Certified by: SAF/AAI
(Mr. Kent Chadrick)
Pages: 22
This Headquarters Operating Instruction (HOI) implements the Department of Defense (DoD)
5400.11R, Privacy Act, Air Force Policy Directive (AFPD) 33-3, Information Management, Air
Force Instruction (AFI) 33-332, Air Force Privacy and Civil Liberties Program, AFI 33-324, The
Air Force Information Collections and Reports Management Program, AFI 17-130, Cyber
Security Program Management, AFI 17-110, Air Force IT Portfolio Management and IT
Investment Review, and Air Force Manual (AFMAN) 17-1301, Computer Security
(COMPUSEC). The purpose of this instruction is to establish and describe the duties and
responsibilities of the SAF/AAI appointed Privacy Manager and organizational/unit Privacy
Managers/Monitors under the oversight of the Director, Information Management, and the two-
letter (2-ltr) Offices of Primary Responsibility (OPR) in regards to the Headquarters Air Force
(HAF) Privacy Program. It applies to personnel at the HAF, including contractor personnel.
Ensure all records created as a result of processes prescribed in this publication are maintained in
accordance with Air Force Manual 33-363, Management of Records, and disposed of in
accordance the Air Force Records Disposition Schedule located in the Air Force Records
Information Management System (AFRIMS). Send recommended changes and questions about
this publication to the Office of Primary Responsibility (OPR) at usaf.pentagon.saf-
[email protected], using the AF Form 847, Recommendation for Change of
Publication.
2 HOI33-19 29 JUNE 2018
SUMMARY OF CHANGES
This revision changes the level of support to HAF organizations (para 2.3 and 2.4), differentiates
SAF/AAI Privacy Manager, Organizational Privacy Manager, and Unit Privacy Monitor
responsibilities (para 2.5 and 2.6), specifies requirements and reporting templates for privacy
inquiry (para 3.2.2), adds guidance relating to compliance of information technology (para 3.3)
and modifies training requirements (para 4).
1. Overview.
1.1. The HAF Privacy Program ensures the collection, maintenance, use, and dissemination
of Personally Identifying Information (PII) about individuals and the protection of individual
rights against an invasion of personal privacy is conducted in accordance with (IAW) the
Privacy Act of 1974 and DoD policies. The Privacy Act focuses on four policy objectives:
1.1.1. To restrict disclosure of personally identifiable records maintained by agencies.
1.1.2. To grant individuals increased rights of access to agency records maintained on
themselves.
1.1.3. To grant individuals the right to seek amendments of agency records maintained
on themselves upon a showing that the records are not accurate, relevant, timely, or
complete.
1.1.4. To implement the code of “Fair Information Practices” which requires agencies to
comply with statutory norms for collection, maintenance, use, and dissemination of
records.
1.2. All Air Force military, civilian, and contractor personnel are to comply with the
requirements and practices governing the collection, maintenance, use, and dissemination of
PII maintained by Federal agencies IAW the E-Government Act of 2002 and Privacy Act of
1974, as appropriate.
2. Responsibilities.
2.1. IAW AFPD 33-3 and AFI 33-332, the Chief, Information Dominance and Chief
Information Officer (SAF/CIO A6) implements the Privacy Act and DoD Privacy Program
for the Air Force. In addition, SAF/CIO appoints the Component Senior Official for Privacy
and the Air Force Privacy Officer.
2.1.1. The Air Force Privacy Officer administers the program for the Air Force and
performs the duties and functions outlined in AFI 33-332.
2.2. Individual HAF 2-ltr organizations are responsible for the implementation, oversight
and management of the Privacy Program within HAF and will:
2.2.1. Appoint Privacy Managers as outlined in this HOI and in compliance with AFI 33-
332.
2.2.2. Appoint Organizational Privacy Manager (OPMs)/Unit Privacy Monitors (UPMs)
as necessary to comply with AFI 33-332.
2.3. Consistent with responsibilities for Air Force Information Technology (see AFI 17-110)
and HAF Mission Directive 1-6, Administrative Assistant to the Secretary of the Air Force,
HOI33-19 29 JUNE 2018 3
SAF/AAI has delegated CIO responsibilities and is responsible for the implementation,
oversight, and management of the privacy program and IT compliance for privacy for
serviced organizations (see Figure 2.1). SAF/AAII will function as the SAF/AAI Privacy
Manager for the following 2-ltr organizations that are part of the “HAF Portfolio” (Figure
2.1) under the oversight of SAF/AAI:
2.3.1. Auditor General (SAF/AG)
2.3.2. General Counsel (SAF/GC)
2.3.3. International Affairs (SAF/IA)
2.3.4. Inspector General (SAF/IG)
2.3.5. Legislative Liaison (SAF/LL)
2.3.6. Public Affairs (SAF/PA)
2.3.7. Manpower & Reserve Affairs (SAF/MR)
2.3.8. Small Business (SAF/SB)
2.3.9. Judge Advocate General (AF/JA)
2.3.10. Chief of Chaplains (AF/HC)
2.3.11. History and Museums Policies and Programs (AF/HO)
2.3.12. Chief of Air Force Reserve (AF/RE)
2.3.13. Chief of Safety (AF/SE)
2.3.14. Test and Evaluation (AF/TE)
2.3.15. Chief Scientist (AF/ST)
2.3.16. Space (SAF/SP)
2.3.17. Executive Services (HAF/ES) to include Office of the Secretary of the Air Force
(SECAF), Under Secretary of the Air Force (SAF/US), Chief of Staff of the Air Force
(CSAF), Vice Chief of Staff, Assistant Vice Chief of Staff/Director of Staff (AF/CVA),
and Chief Master Sergeant of the Air Force (CCC)
2.3.18. Installation Environment and Energy (SAF/IE)
2.3.19. Management (SAF/MG)
2.3.20. Administrative Assistant (SAF/AA)
2.3.21. Air Force Integration Office (AF/IO)
2.3.22. Strategic Deterrence & Nuclear Integration (AF/A10)
2.4. The following HAF organizations with delegated CIO responsibilities (Figure 2.1) will
appoint Organizational Privacy Managers (OPM) for their organization.
2.4.1. Manpower, Personnel & Services (AF/A1)
2.4.2. Intelligence, Surveillance & Reconnaissance (AF/A2)
2.4.3. Operations (AF/A3)
4 HOI33-19 29 JUNE 2018
2.4.4. Logistics, Engineering and Force Protection (AF/A4)
2.4.5. Strategic Plans & Requirements (AF/A5/8)
2.4.6. Chief, Information Dominance & Chief Information Office (SAF/CIO A6)
2.4.7. Studies, Analyses & Assessments (AF/A9)
2.4.8. Acquisition, Technology, and Logistics (SAF/AQ)
2.4.9. Financial Management & Comptroller (SAF/FM)
2.4.10. Surgeon General (AF/SG) and connected organization, Air Force Medical
Services Agency (AFMSA)
Figure 2.1. CIO Area of Responsibility Coverage for HAF.
2.5. The SAF/AAI appointed Privacy Manager will:
2.5.1. Provide direct support for organizations within the HAF Portfolio.
2.5.2. Provide direction and training regarding implementing the AFI 33-332 to
commanders and personnel who are not in the HAF Portfolio.
2.5.3. Conduct inquiries (as necessary) and report findings of PII breaches to the Air
Force Privacy Officer ([email protected]).
2.5.4. Provide guidance to organization privacy monitors and employees implementing a
Privacy program.
2.5.5. Review and process System of Records Notice (SORNs) for supported
organizations.
HOI33-19 29 JUNE 2018 5
2.5.6. Provide guidance to supported organizations to ensure information systems, which
are developed to collect, maintain, process, or disseminate personal information, are
compliant and conform to the Privacy Act, Office of Management and Budget, DoD, and
AF requirements.
2.5.7. Ensure self-assessments are conducted by supported HAF organizations on a
biennial basis. Evaluations of Privacy Act program compliance in applicable 2-ltr
organizations may be conducted utilizing the HAF Privacy self-assessment checklist
located in https://cs2.eis.af.mil/sites/11841/privacy/default.aspx.
2.5.8. Serve as the Privacy subject matter expert (SME) and work with the HAF IT
portfolio management team to ensure information systems are in compliance with
Privacy Act, E-Government Act and Paperwork Reduction Act (PRA) as annotated in
Information Technology Investment Portfolio Suite (ITIPS). For more information,
please refer to AFI 17-110.
2.5.9. Assist and/or advise the organization’s IT investment Program Managers and
Information System Owners (ISO) during development, implementation, revision, or
submission of: SORNs; Paperwork Reduction Act submission packages for public
information collections; DD Form 2936, Request for Approval of Department of Defense
Internal Information Collections; DD Form 2930, Privacy Impact Assessment (PIA);
Privacy Act Statement (PAS), Privacy Statement, Privacy Act Advisory (PAA), or
Privacy Act System Notice and Social Security Number use reduction/elimination IAW
AFI 33-332.
2.5.10. Participate in regular system reviews with HAF IT portfolio management team.
Note: The periodic review of IT systems registered in the Air Force's Information
Technology Investment Portfolio Suite must involve organization privacy monitors to
ensure responses to privacy questions are validated. Failure to do so may risk system
non-concurrence by the AF Privacy Officer during annual compliance review,
certification, decertification, or request for funding.
2.5.11. In addition to the organizations listed in 2.3., the SAF/AAI appointed Privacy
Manager by agreement will provide support to the following organizations within the
National Capital Region (NCR):
2.5.11.1. The AF Audit Agency (AFAA), Air Force Legal Operations Agency
(AFLOA), and Air Force Review Board Agency (AFRBA). Support provided
consists of direct support parallel to their parent organization, SAF/AG, AF/JA, and
SAF/MR, respectively.
2.5.11.2. The Air Force Office of Special Investigations (AFOSI), Air Force
Inspection Agency (AFIA), Air Force Safety Center (AFSEC), Air Force Public
Affairs Agency (AFPAA) and Air Force Historical Research Agency (AFHRA).
Support provided consists of IT compliance oversight. The SAF/AAI appointed
Privacy Manager serves as the subject matter expert on Privacy Act, Federal Records
Act, Rehabilitation Act, PRA, and E-Government Act.
6 HOI33-19 29 JUNE 2018
2.6. The Organizational Privacy Manager/Unit Privacy Monitors shall:
2.6.1. Be appointed in writing by commander or director (GS-15/O-6 and above).
Organizations shall appoint a primary and alternate privacy monitor (see Attachment 2
for a sample appointment letter).
2.6.2. Complete privacy monitor training within 60 days of appointment.
2.6.3. Report PII breach and violations to the appointed Privacy Manager at the
appropriate level.
2.6.4. Administer appropriate Privacy training to members of the organization and track
training completed.
2.6.5. Assist and advise the records professionals on proper Privacy Act protection
methods for records and to ensure the “retention and disposal” section on a SORN is
consistent with the corresponding tables and rules in the AF Records Disposition
Schedule (RDS).
2.6.6. Provide guidance on proper safeguards for PII stored in shared drives or Electronic
Records Management (ERM), to include correct marking of ERM folders.
2.6.7. Conduct annual Privacy program assessment based on the current self-assessment
checklist to ensure privacy program compliance.”
2.6.8. Serve as the unit’s Privacy SME and work with the organization’s IT portfolio
management team to ensure information systems are in compliance with Privacy Act, E-
Government Act and PRA as annotated in Information Technology Investment Portfolio
Suite (ITIPS). For more information, please refer to AFI 17-110.
2.6.9. Participate in regular system reviews with organization’s IT portfolio management
team.
2.6.10. Work with the organization’s IT investment Program Managers and Information
System Owners (ISO) during development, implementation, revision, or submission of:
SORNs; PRA submission packages for public information collections; DD Form 2936,
Request for Approval of DoD Internal Information Collections; DD Form 2930, PIA;
PAS, Privacy Statement, PAA, or Privacy Act System Notice, and Social Security
Number use reduction/elimination IAW AFI 33-332.
3. Procedures.
3.1. Protection of Personal Information and PII.
3.1.1. E-mail and Electronic Records Containing Moderate and High Impact PII shall be:
3.1.1.1. Digitally signed and encrypted when transmitted using Simple Mail Transfer
Protocol (SMTP) by applying Digital Signature Enforcement Tool (DSET), which are
measures used to secure PII for e-mail. Other transmission methods that provide
encryption include Army Missile Research Development and Engineering Center
Safe Access File Exchange (AMRDEC SAFE – see Attachment 3).
3.1.1.2. Encrypted in transit and at rest when stored in federal systems. Federal
information must be encrypted at rest and in transit when applicable. For more
HOI33-19 29 JUNE 2018 7
information, please refer to OMB Circular A-130, Managing Information as a
Strategic Resource.
3.1.1.3. Properly safeguarded, accessible, or viewable only by individuals who have
an official need-to-know to conduct daily operations. Personal Information in shared
drives, and ERM drives must be safeguarded and appropriate permission must be in
place to ensure access is controlled. Note: Medium or High Impact PII cannot be
stored in SharePoint or other federal systems unless a data at rest encryption is
enabled.
3.1.2. Privacy Act records shall be:
3.1.2.1. Marked in AFRIMS inventory of records.
3.1.2.2. Labeled with appropriate markings when stored in ERM drives IAW AFI 33-
322.
3.1.2.3. Marked “FOR OFFICIAL USE ONLY” and must be protected and
accessible only by those with the official need to know.
3.2. PII Breach Reporting Procedures for organizations within HAF Portfolio. Note:
Organizational Privacy Managers assigned to Non-HAF Portfolio organizations report PII
breaches directly to the AF Privacy Officer, usaf.pentagon.saf-cio-a6.mbx.af-
[email protected], IAW AFI 33-332.
3.2.1. Unit Privacy Monitors assigned to HAF Portfolio supported organizations report
Privacy Act violations, breaches, and complaints to the SAF/AAI Privacy Manager.
Privacy Monitors shall:
3.2.1.1. Report actual or suspected violations within 1 hour of discovery of the actual
or suspected PII breach to the United States Computer Emergency Readiness Team
(US-CERT) at www.us-cert.gov (if suspected breach involves government systems)
and to the SAF/AAI Privacy Manager, usaf.pentagon.saf-aa.mbx.haf-privacy-
3.2.1.2. Provide incident report, DD Form 2959, to the SAF/AAI Privacy Manager or
within 24 hours of discovery of the breach using the DoD Breach reporting template.
3.2.1.3. Conduct a risk based management assessment on the potential impact of
each PII breach, present findings within 24 hours of breach discovery to senior-level
official (Directorate or higher or military commander, O-6 or higher) and the
SAF/AAI Privacy Manager. Findings will be used to validate decision to notify or
not to notify affected individuals. Complete notification of affected individuals, if
required, within 10 work days after a PII breach is discovered.
3.2.1.4. Submit a midway report to SAF/AAI Privacy Manager by updating the DD
Form 2959.
3.2.1.5. Submit a final report to the SAF/AAI Privacy Manager within 10 working
days.
3.2.2. Senior leaders may appoint an inquiry officer for unique or major PII incidents.
Inquiry Officers shall:
8 HOI33-19 29 JUNE 2018
3.2.2.1. Be appointed in writing by the senior-level individual in the chain of
command for the organization where the actual or possible loss, theft or compromise
of information occurred. Inquiry Officer Appointment letter (see Attachment 4 for a
sample letter) will be submitted to the SAF/AAI Privacy Manager through the Unit
Privacy Monitor.
3.2.2.2. Be an E-7 or above (or civilian equivalent) to conduct an inquiry of the
incident to determine whether it is an actual breach, the cause, and whether there was
criminal intent to warrant a criminal investigation.
3.2.2.3. Submit the Inquiry Officer report (see Attachment 5 for a report template) to
the senior official (GS-15, O-6 or higher) who is in the chain of command for
approval after the inquiry. For reports on Privacy Act Complaints, use the sample
format in Attachment 6 of this instruction.
3.2.2.4. Submit approved Inquiry Officer reports to the SAF/AAI Privacy Manager
through the Unit Privacy Monitor.
3.2.3. Loss of Account Access as a Result of PII Breach Incidents.
3.2.3.1. Privacy Act protected information and PII (moderate and high) must be
protected in transit and at rest with strong encryption IAW AFI 33-332, AFI AFI17-
130, and AFMAN17-1301. Violation will be processed as a PII breach.
3.2.3.2. Users may immediately and temporarily lose account access when user’s
conduct results in failure to protect high impact PII.
3.2.3.3. For repeat PII breach incidents, the violator’s account may be disabled.
Account lockouts resulting from three breach incidents within six months period may
be directed by commander or director with the advice of the SAF/AAI Privacy
Manager in the event of a high visibility breach.
3.2.3.4. The SAF/AAI Privacy Manager may notify HAF 2-ltr director/general
officer/civilian equivalent (GO/SES) or designated representative (GS-15/O-6)
assigned to HAF Portfolio organizations of any repeated user-involved incidents.
3.2.3.5. To restore account access, the following actions must be accomplished:
3.2.3.5.1. The user responsible for the PII breach must complete remedial Privacy
training.
3.2.3.5.2. The user’s HAF 2-ltr Director/General Officer/Civilian Equivalent
(GO/SES) or designated representative (GS-15/O-6) shall verify the user’s
completion of remedial training and Privacy Act certification statement before
signing reinstatement memo addressed to the appropriate organization handling
the user account through the SAF/AAI Privacy Manager. See attachment 7 for a
sample reinstatement memo.
3.2.3.5.3. Upon receipt of the reinstatement memo, the account can be reactivated
by the appropriate organization.
3.3. Compliance in IT Systems.
HOI33-19 29 JUNE 2018 9
3.3.1. To ensure compliance in PA, PRA, and E-Government Act, Program Managers
and Information System Owners or IT Asset Owners within the HAF Portfolio shall:
3.3.1.1. Coordinate with Unit Privacy Monitors and ensure applicable SORN (new,
modification, and rescindment), DD Form 2930, PIA and PRA packages are
submitted to SAF/AAI Privacy Manager and HAF Portfolio Records Manager before
final submission to the AF Privacy Office. Submit required documentation that
supports the PII Confidentiality Impact Level (PCIL) determination addressed in the
PIA.
3.3.1.2. To ensure compliance in PA, PRA, and E-Government Act, Program
Managers and Information System Owners for non- HAF Portfolio organizations will
coordinate with their organization privacy monitor as their SME and ensure
applicable SORN (new, modification, and rescindment), PIA, DD Form 2930, and
PRA packages are submitted directly to the AF Privacy Officer.
4. Training.
4.1. Users Privacy Training Requirements. Personnel must complete all required Privacy
training within 60 days of assuming duties and thereafter annually as necessary.
4.1.1. User Initial/Orientation and Annual Refresher Training includes:
4.1.1.1. Familiarization with Privacy practices and statutes presented through review
of visual aids and PII tri-fold.
4.1.1.2. Completion of AF and/or DoD required training, such as locally devised
training or any other means, as applicable.
4.1.1.3. The annual all users’ Privacy training completed by supported organizations
should be tracked using the HAF SharePoint training tracker at
https://cs2.eis.af.mil/sites/11841/privacy/trgtracker/_layouts/15/start.aspx#/SiteP
ages/Home.aspx.
4.2. Specialized Training. Specialized training is role-based training required for personnel
responsible for handling PII on a routine basis. Specialized training is required on an initial
and annual basis.
4.2.1. Role-Based. At a minimum, the following employees are required to complete
specialized training that must be job specific and commensurate with an individual's
responsibilities: knowledge operations managers, human resource specialists or other
employees who perform military or civilian personnel management functions or duties,
security managers, law enforcement, IT personnel (programmers/developers, system
administrators, SharePoint site owners, etc.), information system owners and program
managers of a system of records (SOR) and/or IT investment, FOIA analysts, personnel
who may be expected to deal with the news media or the public, supervisors or other
personnel who handle performance reviews or appraisals of military and civilian
employees (to include branch chiefs, division chiefs, directors), individuals working with
medical, personnel, financial, and security records, and organization privacy monitors
and other personnel responsible for carrying out functions under this instruction.
4.2.1.1. As a minimum, personnel must complete all users’ training and:
10 HOI33-19 29 JUNE 2018
4.2.1.1.1. Complete the Privacy course offered by DISA via CBT titled,
“Identifying and Safeguarding PII” (http://iase.disa.mil/eta/online-
catalog.html).
4.2.1.1.2. Read the AFI 33-332, AF Privacy Program, this HOI, AF Privacy
Specialized Briefing, and other AF and DoD guidance.
4.2.1.1.3. When available, all users who are required to complete the specialized
training should attend the face-to-face and/or classroom instruction.
4.2.1.1.4. Use the HAF SharePoint Specialized training tracker to document
training completed annually by supported organizations.
4.2.2. Training for Privacy Monitors.
4.2.2.1. Complete the Privacy course offered by DISA via CBT titled, “Identifying
and Safeguarding Personally Identifiable Information”
(http://iase.disa.mil/eta/online-catalog.html).
4.2.2.2. Complete Intro to Privacy Training (typically classroom training is offered
quarterly, contact the SAF/AAI Privacy Manager for more information).
4.2.2.3. Complete SORN and PIA Training (typically classroom training is offered
quarterly, contact the SAF/AAI Privacy Manager for more information).
4.2.2.4. Read the AFI 33-332, AF Privacy Program, this HOI, DoD guidance, and
other guidance as specified by the SAF/AAI Privacy Manager.
4.2.3. Remedial Training. Users who commit a PII breach or privacy violation, will
complete the remedial training within 24 hours of breach reporting.
4.2.3.1. Complete the Privacy course offered by DISA via CBT titled, “Identifying
and Safeguarding Personally Identifiable Information”
(http://iase.disa.mil/eta/online-catalog.html).
4.2.3.2. Re-familiarize themselves with Privacy practices and statutes presented
through visual aids, PII tri-fold, and other AF and DoD guidance, as applicable
(specific to type of breech).
4.2.3.3. Document training completed by supported organizations using the HAF
SharePoint Remedial training tracker.
4.2.3.4. Additional training may be directed and/or administered by the SAF/AAI
Privacy Manager as needed on a case-by-case basis.
PATRICIA ZARODKIEWICZ, SES
Administrative Assistant to the Secretary of the Air
Force
HOI33-19 29 JUNE 2018 11
Attachment 1
GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION
References
Title 5 United States Code, Section 552a, Privacy Act of 1974
Public Law 104-13, Paperwork Reduction Act of 1995
Public Law 107-347, Section 208, E-Government Act of 2002, Federal Information Security
Management Act (FISMA), 17 Dec 2002
OMB Circular A-130, Managing Information as a Strategic Resource, 28 Jul 2016
OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable
Information, 3 Jan 2017
DoD Directive 5400.11, Department of Defense Privacy Program, 29 Oct 2014
DoD 5400.11R, Department of Defense Privacy Program, 14 May 2007
AFI 17-110, Air Force IT Portfolio Management and IT Investment Review, 28 Oct 2016
(Renumbered from AFI 33-141) AFI 17-130, Air Force Cybersecurity Program Management,
30 Nov 2017
(Renumbered from 33-200 by AFI 17-130_AFGM2017-01) AFI 17-100, Air Force IT Service
Management, 16 Sep 2014
(Renumbered from 33-115) AFMAN 17-1301, Computer Security (COMPUSEC), 10 Feb
2017
AFI 33-322, Records Management Program, 4 Jun 2012
AFI 33-324, The Air Force Information Collections and Reports Management Program, 6 Mar
2013
AFI 33-332, Air Force Privacy and Civil Liberties Program, 12 Jan 2015
AFMAN 33-363, Management of Records, 1 Mar 2008
HAF MD 1-6, Administrative Assistant to the Secretary of the Air Force, 22 Dec 2014
Adopted Forms
AF Form 847, Recommendation for Change of Publication
DD Form 2930, Privacy Impact Assessment (PIA)
DD Form 2936, Request for Approval of Department of Defense Internal Information
Collections
DD Form 2959, Breach of Personally Identifiable Information Report
Abbreviations and Acronyms
AFI—Air Force Instruction
AFMAN—Air Force Manual
12 HOI33-19 29 JUNE 2018
AFRIMS—Air Force Records Information Management System
AMRDEC SAFE—Army Missile Research Development and Engineering Center Safe Access
File Exchange
CAC—Common Access Card
DSET—Digital Signature Enforcement Tool
FOUO—For Official Use Only
GO/SES—General Officer/Senior Executive Service
HAF—Headquarters Air Force
IAW—In Accordance With
OMB—Office of Management and Budget
OPM—Organizational Privacy Managers
OPR—Office of Primary Responsibility
PA—Privacy Act
PAA—Privacy Act Advisory
PAS—Privacy Act Statement
PIA—Privacy Impact Assessments
PII—Personally Identifiable Information
RDS—Records Disposition Schedule
SME—Subject Matter Expert
SOR—System of Records
SORN—System of Records Notice
IT—Information Technology
UPM—Unit Privacy Monitor
US-CERT—United States Computer Emergency Readiness Team
Terms
BitLocker—A full disk encryption feature included with Windows Vista and later. It is
designed to protect data by providing encryption for entire volumes.
Common Access Card—The CAC, a "smart" card about the size of a credit card, is the standard
identification for active duty uniformed Service personnel, Selected Reserve, DoD civilian
employees, and eligible contractor personnel. It is also the principal card used to enable physical
access to buildings and controlled spaces, and it provides access to DoD computer network and
systems.
DSET—Tool prompts users to provide a digital signature when an email contains an active
hyperlink or attachment or possible personally identifiable information found in a scan.
HOI33-19 29 JUNE 2018 13
Disclosure—To give information from a system, by any means, to anyone other than the record
subject.
Individual—A living US citizen or a permanent resident alien.
IT Portfolio—A grouping of IT investments by capability to accomplish a specific functional
goal, objective, or mission outcome.
National Capital Region (NCR)—Cities and other units of government within the geographic
boundaries of the District of Columbia; Montgomery and Prince Georges Counties in the State of
Maryland; and the City of Alexandria, Arlington, Fairfax, Loudoun, and Prince William
Counties in the Commonwealth of Virginia (from 10 U.S.C. Section 2674(f) (2)).
Personal Identifier—A name, number, or symbol that is unique to an individual, usually the
person’s name or social security number.
Personal Information—Information about an individual other than items of public record.
Personally Identifiable Information—Information that can be used to distinguish or trace an
individual's identity, either alone or when combined with other information that is linked or
linkable to a specific individual. The personally identifiable information may range from
common data elements such as names, addresses, dates of birth, and places of employment, to
identity documents, Social Security numbers (SSNs) or other government-issued identifiers,
precise location information, medical history, and biometrics.
Personally Identifiable Information Breach—Loss of control, compromise, unauthorized
disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an
authorized user accesses or potentially accesses personally identifiable information or (2) an
authorized user accesses or potentially accesses personally identifiable information for an other
than authorized purpose.
Portfolio Management—Management of selected groupings of IT investments using strategic
planning, architectures, and outcome-based performance measures to achieve a mission
capability.
Privacy Act Advisory—Text that informs an individual of the reasons the Privacy Act protected
information is being solicited and how it will be used.
Privacy Act Statement—Text that informs an individual of the authority, purpose, routine use,
if disclosure is voluntary or mandatory, and any consequences of nondisclosure; required when
soliciting personally-identifying information by an Air Force web site or form.
Privacy Impact Assessment—A written assessment of an information system that addresses the
information to be collected, the purpose and intended use; with whom the information will be
shared; notice or opportunities for consent to individuals; how the information will be secured;
and whether a new system of records is being created under the Privacy Act.
System of Records—A group of records under the control of a DoD Component from which an
individual’s record is retrieved by the name or personal identifier.
System of Records Owner—Individual who maintains a record protected under the Privacy
Act.
14 HOI33-19 29 JUNE 2018
System of Records Notice (SORN) /or/ Privacy Act System Notice—Official public notice
published in the Federal Register of the existence, content, and Points of Contact for the SOR
containing Privacy Act data.
Simple Mail Transfer Protocol (SMTP)—Most widely used protocol to send messages by
Message Transfer Agents on the Internet. SMTP was designed to transfer mail independently of
any specific transmission subsystem.
System Manager—Official responsible for managing a system of records, including policies
and procedures to operate and safeguard it. Local system managers operate record systems or
are responsible for part of a decentralized system.
HOI33-19 29 JUNE 2018 15
Attachment 2
SAMPLE APPOINTMENT OF ORGANIZATION / UNIT PRIVACY MONITORS
(Date)
MEMORANDUM FOR SAF/AAII (Privacy Manager)
FROM: (Sender Two-Letter Organization supported by HAF/CIO)
SUBJECT: Appointment of Organization / Unit Privacy Monitor
The following individuals are appointed as privacy monitor for this organization. Organization
privacy monitors will monitor the Privacy Act Programs for all assigned offices and perform
duties in accordance with HOI 33-19.
PRIMARY/NAME:
RANK/GRADE:
OFFICE SYMBOL:
DUTY PHONE:
E-MAIL:
ALTERNATE/NAME:
RANK/GRADE:
OFFICE SYMBOL:
DUTY PHONE:
E-MAIL:
Appointed monitors will complete training within 60 days from the date of this letter and will
contact SAF/AAII 90 days prior to any OPR changes (ex. Permanent Change of Station or
Assignment (PCS, PCA), retirement, etc.).
This letter supersedes previous letter, same subject.
Signature Block
16 HOI33-19 29 JUNE 2018
Attachment 3
INSTRUCTIONS FOR USING AMRDEC SAFE AND ENCRYPTION WIZARD
A3.1. AMRDEC SAFE Protection: The AMRDEC SAFE application is used to send large
files to individuals, which would normally be too large to send via email. The AMRDEC SAFE
application can be accessed via https://safe.amrdec.army.mil/safe/Welcome.aspx. There are
no user accounts for SAFE. Authentication is handled via email and Common Access Card
(CAC). Everyone has access to SAFE, and the application is available for use by anyone. There
are only a few differences between sending SAFE packages as a CAC user and sending them as
a guest:
A3.1.1. Guests are required to verify their email address after uploading each package.
A3.1.2. Guests cannot send packages to recipients that do not have a .mil or .gov email
address.
A3.1.3. CAC users can add recipients in bulk using a semicolon-delimited list.
A3.2. Sending Files: SAFE is designed to provide AMRDEC and its customers an alternative
way to send files other than email. SAFE supports file sizes up to 2GB. SAFE has received its
Privacy Impact Assessment (PIA) and is authorized for UNCLASSIFIED USE ONLY, TO
INCLUDE PRIVACY ACT DATA.
Step 1: There are two options to proceed from the SAFE homepage:
Proceed as CAC User - Select this option if you have a valid US Department of Defense issued
CAC.
Proceed as Guest - Select this option if you do not have a CAC.
Step 2: After selecting one of the options above, the page will be redirected to the package
upload form. Fill in all the required input fields: Name, Email address (confirm email address,
re-enter email address), Description of File(s), File(s), (Click the "Browse" button to select your
file(s)). You may add up to 25 files per package, so long as the total file size does not exceed
2GB), and Deletion Date (select a date for the package to be deleted from SAFE). The
maximum (which is also the default) is two weeks (14 days) from date of transmission. Provide
an email address to give access to “Enter your recipient here and click Add.” CAC users may
enter a semicolon-delimited list of emails in bulk so each recipient does not need to be added
individually. Grant access to these people (This is the list of people you have granted access to
the package). To remove a recipient, highlight their name and click the "Remove" button.
Caveats (Default is "None") and Encrypt email message when possible (Attempt to encrypt the
package's notification email to each recipient). Notify me when files are downloaded. You, the
sender, will receive a notification via email when a recipient downloads the package. Require
CAC for pickup. Require the recipient to be logged in with a valid US DoD issued CAC to
download the file(s). Recipients without a CAC will not be able to download the package.
Step 3: Clicking the "Submit" button will upload the files and submit the package. Guest users
will need to check their email to verify their email address before the recipients will be notified.
No additional action is required by CAC users.
Step 4: After the package has been uploaded (and verified, if proceeding as a guest), each
recipient will receive a link to the package download page as well as a password. These
passwords are unique for each recipient (not the package), and will be disabled once SAFE
HOI33-19 29 JUNE 2018 17
detects that the user successfully downloaded each file within the package. Forwarding recipient
and sender notification emails to anyone except the AMRDEC SAFE Team is strictly forbidden.
A3.3. Receiving Files:
Step 1: Recipients will automatically be notified via email when they have been added as a
recipient to a package. The email they receive will contain a link and a password. Clicking on
the link will take the recipient to a page where they will be asked for the password. The best
way to enter the password is to copy it from the email and then paste it into the password box.
Step 2: After logging in, the recipient will be able to download all the files within the package.
We recommend right-clicking on each file and selecting the "Save Target As" option to select the
location to save the file.
Step 3: After downloading every file within the package, the recipient will not be able to log
back in to download the files again. Simply logging in or starting a download will not lock the
user out. In order to be locked out, the recipient must successfully download every file within
the package.
A3.4. Managing Files: After uploading a package, the sender will receive a notification email
with a link and a password. After accessing the link and entering the password, the sender will
be able to manage their package.
A3.4.1. Adding Files: The sender can upload additional files to the package. Recipients will
receive an additional notice email informing them that the package has been updated.
Recipients who have already downloaded the package will be allowed back in to get the
additional files.
A3.4.2. Adding Recipients: The sender can grant access to additional recipients to the
package.
A3.4.3. Resending Recipient Notifications: If a recipient lost or never received their
notification to pick up the files, the notification can be resent.
A3.4.4. Checking Recipient Status: The list at the bottom of the status page will show each
recipient and whether or not they have downloaded the package. A download status of
"False" means that they have not downloaded the package, whereas a download status of
"True" means that they have. This feature is available regardless of whether or not the sender
selected the "Notify me" on the upload page.
A3.5. DSET: Encrypt all email by adding a plug-in called Digital Signature Enforcement Tool
(DS) which is configured to scan all outgoing emails for potential PII. It will prompt the user to
use encryption or declare the email as FOUO. This tool makes the user become more aware by
checking their email before sending sensitive PII.
18 HOI33-19 29 JUNE 2018
Attachment 4
SAMPLE APPOINTMENT OF PRIVACY INQUIRY OFFICER
DEPARTMENT OF THE AIR FORCE AIR FORCE UNIT HEADING
MEMORANDUM FOR
FROM: [Senior-level individual who is in the chain of command for the organization where the
breach took place]
SUBJECT: Appointment of Privacy Inquiry Official—[Unit] Personally Identifiable
Information Breach
This is to inform you that you are hereby appointed to conduct an inquiry into a possible breach
of personally identifiable information. You task is to determine if there was a breach. If there
was a breach, you need to determine the cause of the breach.
Explain the incident. “On xx May 2014, it was discovered that an email with a squadron rack
and stack roster, as well as a document titled “Work Stuff & Bio” was sent from the XXX office
to a personal dot-com email. The email was sent unencrypted and was detected by Privacy Act
Monitor at AF/XX at the Pentagon. These individuals were identified and need to be notified of
the breach by the Inquiry Official.”
You are directed to meet with the Privacy Manager………., who will provide you with guidance
on how to complete the PII Incident Final Report and with the AF Instructions, DoD policies and
a copy of the Privacy Act to be used in completing your inquiry. You are authorized to interview
personnel, take sworn statements or testimony, examine and copy any and all relevant Air Force
records, files and correspondence germane to this inquiry.
Please submit a complete report to me NLT xx June 2017. You may not release any information
related to this investigation without prior approval.
[Senior-level individual’s signature block who is in the chain of command for the organization
where the breach took place]
HOI33-19 29 JUNE 2018 19
Attachment 5
TEMPLATE FOR PERSONALLY INDENTIFIABLE INFORMATION INCIDENT
REPORT
DEPARTMENT OF THE AIR FORCE
AIR FORCE UNIT HEADING
MEMORANDUM FOR
FROM: [Senior-level individual in the chain of command for the organization where the breach
took place]
SUBJECT: Preliminary Inquiry of Possible Personally Identifiable Information Breach at (unit)
Authority: A preliminary inquiry was conducted (date) under the authority of the attached
memorandum
Matters investigated: The basis for this inquiry is to determine if there was a breach at the (unit
in question) (breach is defined as “possible loss of control, compromise, unauthorized disclosure,
unauthorized access, or any similar term referring to situations where persons other than
authorized users and for an other than authorized purpose have access or potential access to
personally identifiable information, whether physical or electronic”). Provide a short summary
of the personally identifiable information incident including the date it occurred.
Personnel Interviewed: (list all personnel interviewed, title, office symbol, and security
clearance).
Facts: (list specific details answering who, what, why, where, and when questions concerning
the personally identifiable information incident).
Conclusions: As a result of the investigation into the circumstances surrounding the personally
identifiable information incident, interviews, and personal observations, it is concluded that: (list
specific conclusions reached based on the facts and if a breach or potential compromise did or
did not occur). If a damage assessment is or has been done, provide the point of contact along
with: the status of the assessment if it hasn’t been completed; or, describe the outcome if it has
been completed; or, provide a copy of the completed assessment report.
Recommendations: (Discuss risk assessment factors; list corrective actions needed to preclude a
similar incident; the category of the incident; damage assessment; if the incident is a breach,
compromise, potential compromise or no compromise; and, if this inquiry should be closed
without further investigation or with a recommendation for a formal investigation).
(Signature block of inquiry official)
Appointment of Inquiry Official Memo, (date)
20 HOI33-19 29 JUNE 2018
1st Ind, XXXXX/CC Concur/NonConcur
FOR OFFICIAL USE ONLY (FOUO) When Filled In
HOI33-19 29 JUNE 2018 21
Attachment 6
SAMPLE PRIVACY COMPLAINT REPORT
1. Name of Official (IO) conducting the Inquiry: Rank and/or Grade:
Organization of Official: Fully identify the title of the organization and location without
abbreviations. (You may include authorized abbreviations or symbols in parentheses.)
Duty Position and Contact Telephone Number:
2. Headquarters Air Force (HAF) Portfolio Privacy Complaint #:
3. Summary: Identify the allegations, applicable organization and location, the person(s) or
organization(s) against whom the allegation is made, scope of the investigation conducted,
documents reviewed, witnesses interviewed and whether the interviews were conducted
telephonically or in person. The identity of interviewees need not be reflected in the report but
should be documented in the official file of the agency conducting the investigation.
4. Findings: For each allegation, state the analysis of the findings as they relate to each
allegation and a brief explanation of what led to the findings. Provide a list of relevant
documents and/or evidence, and witness testimony in support of the findings. If they are not
filed with the field working papers, list the location of relevant documents.
5. Cite any Criminal or Regulatory Violation(s) Substantiated:
6. Disposition: For investigations involving economies and efficiencies, include any
management actions taken as part of the final report. For examinations involving criminal or
other unlawful acts, include the results of criminal prosecutions, providing details of all charges
and sentences imposed. Include the results of administrative sanctions, reprimands, value of
property or money recovered or other such actions taken to preclude recurrence. Identify what
corrective action was taken based on the recommendations identified above.
7. Specify Security Classification of Information: Determine and state, when applicable, any
security classification of information included in the report that may jeopardize national defense
or otherwise compromise security if the contents were disclosed to unauthorized sources.
8. Location of Field Working Papers and files: (Identify where CDIs, OSI reports, etc. are stored
and who the release authority is.)
9. Conclusions and Corrective Action: For each allegation, state the conclusions made by the IO.
This section should also include comments as to the adequacy of existing policy or regulations,
noted weaknesses in systems of internal controls, and any recommended corrective actions.
10. Statement of Impartiality: Short statement demonstrating appointed Official is independent
(in both fact and appearance) from all subjects/complainants (whether persons or organizations).
Add the statement: “I certify that I do not have any personal impairment to independence
regarding this case.”
IO SIGNATURE BLOCK
FOR OFFICIAL USE ONLY (FOUO) When Filled In
22 HOI33-19 29 JUNE 2018
Attachment 7
SAMPLE ACCOUNT REINSTATEMENT MEMORANDUM
MEMORANDUM FOR (624 OC NETOPS)
FROM: (Insert originating org office symbol)
SUBJECT: Request to Reinstate Account Access
1. Please release the (S)AF/XX network account of _________ from quarantine.
2. I have ensured that ______ has completed the required remedial Privacy Act training,
including the DISA CBT - Identifying and Safeguarding Personally Identifiable Information, the
review of the following local guidance: OMB M-17-12, dated Jan 2017, Department of Defense
5400.11R, AFI 33-332, HQ Air Force Visual Aids, and SAF/AA personally identifiable
information Tri-Fold. Member has completed and signed a certification statement of
initial/annual/remedial refresher training for Privacy Act Information.
3. Member has scanned and sent a copy of DISA CBT certificate and signed certification
statement to the SAF/AAI Privacy Manager and (S)AF/XX Organization Privacy Monitor.
SIGNATURE BLOCK
(GS-15 OR O-6 AND ABOVE)
2 Attachments:
1. Identifying and Safeguarding Personally Identifiable Information CBT Certificate
2. Certification of Initial/Annual/Remedial Refresher Training