DEPARTMENT OF THE AIR FORCE - static.e-publishing.af.mil

1 AIR FORCE INSTRUCTION 33-332. BY ORDER OF THE. SECRETARY OF THE AIR FORCE 12 JANUARY 2015. Incorporating Change 1, 17 November 2016. Corrective Actions applied on 17 November 2016. Communications and Information AIR FORCE PRIVACY AND CIVIL. LIBERTIES PROGRAM. COMPLIANCE WITH THIS PUBLICATION IS MANDATORY. ACCESSIBILITY: Publications and forms are available on the e- publishing website at for downloading or ordering. RELEASABILITY: There are no releasability restrictions on this publication. OPR: SAF CIO/A6XA Certified by: SAF/A6X. Information Access Policy and Compliance Branch (Col Suzanne S.)

2 Kumashiro). Pages: 80. Supersedes: AFI33-332, 5 June 2013. This Instruction implements Public Law 110-53 (42 2000ee-1) Section 803; Air FORCE Policy Directive (AFPD) 33-3, Information Management; DEPARTMENT of Defense Directive (DoDD) , DEPARTMENT of Defense Privacy Program; DEPARTMENT of Defense Regulation (DoDR) , DEPARTMENT of Defense Privacy Program; DEPARTMENT of Defense Instruction (DoDI) , DoD Privacy Impact Assessment (PIA) Guidance; DoDI , Reduction of Social Security Number (SSN) Use Within DoD; and DoDI , DoD Civil Liberties Program. The Instruction provides direction on the Privacy Act of 1974, 5 552a, E-Government Act of 2002, 44 3601, Safeguarding and Responding to Personally Identifiable Information (PII) breaches, Reduction of Social Security Number (SSN) and Civil Liberties.

3 In addition to this instruction, Air FORCE medical organizations that meet the definition of a covered entity must also comply with the Health Insurance Portability and Accountability Act (HIPAA), as required by DoD , DoD Health Information Privacy Regulation; DoD , DoD Health Information Security Regulation; and Air FORCE Instruction (AFI) 41-210, TRICARE. Operations and Patient Administration Functions, which covers Protected Health Information (PHI) held by them. This Instruction applies to Air FORCE Active Duty, Air Reserve Command (AFRC) and Air National Guard (ANG) units, government civilians, contractors and Civil Air Patrol when performing functions for the Air FORCE , and in accordance with (IAW) DoDD , Support of the Headquarters of Combatant and Subordinate Joint Commands.

4 Air National Guard personnel not in a federal status are subject to their respective state military code or applicable 2 AFI33-332 12 JANUARY 2015. administrative actions, as appropriate. Ensure all records created as a result of processes prescribed in this Instruction are maintained in accordance with Air FORCE Manual (AFI) 33-363, Management of Records, and disposed of in accordance with the Air FORCE Records Disposition Schedule (RDS). maintained in the Air FORCE Records Information Management System (AFRIMS). Use of the term MAJCOM throughout this AFI includes MAJCOMs, FOAs, DRUs, and the Air FORCE Installation Mission Support Center (AFIMSC).

5 Refer recommended changes and questions about this Instruction to the Office of Primary Responsibility (OPR) using the AF Form 847, Recommendation for Change of Publication; route through the appropriate functional chain of command. Send supplements and implementing publications of this Instruction to the Chief Information Dominance and Chief Information Officer (SAF/CIO A6XA), 1800 Air FORCE Pentagon, Washington, DC 20330-1800 for review and coordination prior to publication. SUMMARY OF CORRECIVE ACTIONS. Recent changes include correcting currently published IC-1 to include the implementation of SECAF Memorandum, Reducing Ancillary and Computer-Based Training that was not processed in the IC.

6 A margin bar (|) indicates changed material. SUMMARY OF CHANGES. This interim change (IC) revises AFI 33-332 by (1) revising PII safeguarding (2) updating PII. Breach Reporting (3) updating PII Breach Reporting to US CERT (4) updating privacy statement (5) updating privacy act notices and markings (5) updating the guidance regarding periodic review of published SORNS, (7) providing clarification on deletion of SORNs, (8) updating Privacy Impact Assessment processing procedures, (9) updating approved PIAs submission, (10) updating Privacy managers PIA responsibilities, (11) updating records professionals responsibilities regarding PIAs, and (12)

7 Replacing quarterly with semi-annual for all Privacy and Civil Liberties reports previously referred to as quarterly , by(13) updating Attachment 11 and (14). adding Attachment 13, Air FORCE Biennial System of Records Notice (SORN) Accuracy Review Checklist . A margin bar (|) indicates changed material. Chapter 1 UNDERSTANDING PRIVACY AND HOW IT APPLIES TO THE AIR. FORCE 6. Privacy Overview.. 6. Privacy Act Notices.. 10. Privacy Act Information.. 10. Chapter 2 PRIVACY ACT 11. Overview of the Privacy Act of 1974, 5 U.. 11. Privacy Act Responsibilities.

8 13. Privacy Act Complaints and Violations.. 15. AFI33-332 12 JANUARY 2015 3. Maintaining Personal Information.. 16. Privacy Act Statements.. 16. publishing System of Records Notices (SORNs).. 18. Privacy Act Records 19. Amending a Privacy Act Record.. 21. Approving or Denying a Record to be Amended.. 21. Contents of Privacy Act Processing Case Files.. 22. First Party Appeal Process For Denial to Access or Amendment of a Privacy Act Record.. 22. Disclosing Information.. 23. Computer Matching.. 24. Privacy Act Exemptions.. 24. The Federal Records Act, 44 26.

9 Chapter 3 E-GOVERNMENT ACT 27. Overview of the E-Government Act of 2002, 44 U.. 27. The Purposes of the E-Government Act are the Following: .. 27. Privacy Impact Assessments (PIA).. 28. Chapter 4 ROLES AND RESPONSIBILITIES. 31. The Chief, Information Officer (SAF/CIO A6) shall: .. 31. The CSOP shall:.. 31. The AF Privacy Officer shall: .. 31. The Office of The Judge Advocate General, Administrative Law Directorate (AF/JAA), and Judge Advocate legal offices .. 32. AF Departmental Forms Management Officer shall: .. 32. MAJCOM/A6s or Responsible Directorate and Wing Commanders shall.

10 32. HAF/MAJCOM/FOA/DRU/Base Privacy Managers/Monitors shall: .. 34. Unit Privacy Monitors shall: .. 35. Functional Level ISOs, PMs, and IAMs shall: .. 35. Records Professionals 36. 4 AFI33-332 12 JANUARY 2015. Chapter 5 SOCIAL SECURITY NUMBER (SSN) REDUCTION PLAN 37. Overview.. 37. The Specific Requirement for Use of the SSN.. 37. Alternative Means of Identifying Records: .. 38. Protection of SSN.. 38. Reporting Results of Social Security Number Reduction.. 38. Chapter 6 PROTECTING RECORDS 40. Protecting Records.. 40. Protecting Personal information or PII Maintained in an Electronic System.