The WHS Privacy Program provides guidance and direction to the WHS Directorates, Programs and Personnel, as it relates to the Privacy Act of 1974, as amended.
Basic Privacy Principles
Privacy issues are implicated in a wide range of activities in both our personal and public lives.
Our concept of Privacy includes:
- Control of information concerning our personal life.
- Freedom from intrusion upon one's seclusion.
- Limits on publicity that places one in a false light.
- Prevention of identity theft, and the theft of one's name or likeness.
- Right to keep personal information confidential.
General Privacy Principles for Public and Private Sectors:
- Personal information should be acquired, disclosed, and used only in ways that respect an individual's privacy.
- Personal information should not be improperly altered or destroyed.
- Personal information should be accurate, timely, complete, and relevant to the purpose for which it is provided and used.
Please select a topic below to find further information:
- DOD/JOINT STAFF COMPONENT SORNS
- GOVERNMENT-WIDE NOTICES
- Guidance and Authority
- OSD Transition of the Office of the Secretary of Defense and Joint Staff (OSD/JS) Privacy and Civil Liberties Programs
- OMB A-108 Circular
- Privacy Act Statements
- FAR Clauses
- Privacy Act Coversheet DD 2923
- OSD/JS FOIA Office
- ID Theft
- Learning Management System
- Recall Roster Information Paper
- DoD Identification Number
- DoD PIAs
- DoD Instruction 5400.16
- DD Form 2930, Privacy Impact Assessment (PIA)
1. Report the Breach to US-CERT. Note: Non-cyber related (paper) incidents should not be reported to US-CERT; they should be reported to your agency’s privacy office within one hour of a suspected or confirmed breach. If this is a paper breach, skip to step 2.
Navigate to the link below within one hour after discovery to access the US-CERT Incident Reporting System. Review the instructions provided and complete the on-line questionnaire.
- US-CERT Incident Reporting System
2. Report the Breach to your Senior Component Official for Privacy and OSD/JS Privacy Program.
If there is a suspected or confirmed Privacy breach, report it immediately and fill out the Form DD 2959, Breach of Personally Identifiable Information (PII) Report.
After you complete the form, submit it to the DoD Privacy Office within 24 hours after discovery. NOTE: This form should also be used to report updates to previous submissions.
3. Conduct and document an assessment of the risk of harm to individuals potentially affected. If determined and approved by your senior leadership, notify the affected individuals of the breach.
Notification must be made within 10 days of the discovery of the incident. You will need to have the mailing address for each affected individual and be able to address the unique issue(s) pertaining to each breach. See DoD 5400.11-R, Appendix 2 for a sample notification letter.
For further information, see DoD 5400.11-R, paragraph C10.6, Lost, Stolen or Compromised Information.
4. Notify the appropriate Congressional Committee pursuant to FISMA no later than seven days after the date on which there is reasonable basis to conclude that a breach that constitutes a “major incident” has occurred.
A "major incident" is defined as “any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
The impacted agency is ultimately responsible for determining if an incident should be designated as major and may consult with US-CERT to make this determination. (See OMB Memorandum M-17-05, dated Nov. 4, 2016).
Contact Us With Any Questions, Comments, or Concerns
General Privacy Act Questions
Please send your general privacy question, along with your name, phone number and email address to the DoD Privacy Office at the below email address. NOTE: This email is NOT for privacy act requests.
DoD Privacy Office
Privacy Act Requests
Privacy Act requests (e.g. records about you and retrieved by your name or identifier) must be submitted IN WRITING; must be signed by you; and include the name and number of the system of records notice which can be found at SYSTEM OF RECORDS NOTICES (SORNS). Privacy Act requests cannot be submitted electronically; please use the below mailing address or fax.
Office of the Secretary of Defense/Joint Staff
FOIA Requester Service Center
1155 Defense Pentagon
Washington, DC 20301-1155
Alexandria, VA 22350
DoD Privacy Act Training
If you have privacy related questions or would like to schedule an agency live training session, please email the DoD Privacy Office with your request and we will contact you for additional details and scheduling.