The Privacy Act of 1974: An Assessment. APPENDIX 4 TO The Report of The Privacy Protection Study Commission.. The Department of Defense (DOD)


The Department of Defense took a highly structured approach to implementing the Privacy Act. It established the Defense Privacy Board, composed of representatives of each major component of the Department, with a full-time staff and a mandate to develop a comprehensive implemen-tation program. Federal Register notices were published on 2,145 record-keeping systems and Privacy Act Statements were added to 15,290 forms.49 Of the approximately 371,000 forms the Board reviewed, 58,560 were withdrawn on the grounds that they were incompatible with the spirit of the Act.50 The Department's rules for implementing the Act were published as DOD Directive 5400.11. [32 C.F.R. 286a]

A three-level, department-wide training program was also established. Level I was aimed at commanders, managers, and supervisors, and included a 22-minute film and additional briefing material on the Act's main features. Copies of the film were distributed to U.S. military installations around the world, and also made available to other Federal agencies for use in their training programs. Level II was aimed at the thousands of employees who handle records about individuals on a day-to-day basis. It has relied on special courses in the Department's various technical training schools, as well as on continuous on-the-job training. For example, beginning in early 1976, the Department of Defense Computer Institute offered a three-day course on the Privacy Act as it relates to automated data processing. At least one person from every DOD computer installation was required to attend (approximately 2,500 persons in 1976), and they, in turn, trained others at their home installations. Level III training has consisted of distributing films, posters, and memoranda throughout the Department, designed to make DOD personnel aware of what the Privacy Act means to them as individual citizens rather than as agency employees obligated to comply with its requirements.51

The Defense Privacy Board's Legal Committee has first-line responsi-bility for advising the Board on how to interpret the Act. Committee opinions are reviewed by the Board and ratified by the Department's General Counsel before being published or distributed to DOD compo-nents. Compliance monitoring is the responsibility of the inspector general of each major DOD component and has been made a part of the normal inspection and audit program. By and large, DOD contractor compliance is not monitored, although the central CHAMPUS52 office in Denver, Colorado has been made responsible for keeping contractors informed as to the proper treatment of medical records under the Act.