The OSD/JS Privacy Office is a branch of the Executive Services Directorate, Washington Headquarters Services. The office provides guidance and direction to members of the Office of the Secretary of Defense and the Joint Staff as it relates to the Privacy Act of 1974, as amended.
Basic Privacy Principles
Privacy issues are implicated in a wide range of activities in both our personal and public lives.
Our concept of Privacy includes:
- Control of information concerning our personal life.
- Freedom from intrusion upon one's seclusion.
- Limits on publicity that places one in a false light.
- Prevention of identity theft, and the theft of one's name or likeness.
- Right to keep personal information confidential.
General Privacy Principles for Public and Private Sectors:
- Personal information should be acquired, disclosed, and used only in ways that respect an individual's privacy.
- Personal information should not be improperly altered or destroyed.
- Personal information should be accurate, timely, complete, and relevant to the purpose for which it is provided and used.
1. Report the Breach to US-CERT. Note: Non-cyber related (paper) incidents should not be reported to US-CERT; they should be reported to your agency’s privacy office within one hour of a suspected or confirmed breach. If this is a paper breach, skip to step 2.
Navigate to the link below within one hour after discovery to access the US-CERT Incident Reporting System. Review the instructions provided and complete the on-line questionnaire.
US-CERT Incident Reporting System
2. Report the Breach to your Senior Component Official for Privacy and OSD/JS Privacy Program.
If there is a suspected or confirmed Privacy breach, report it immediately and fill out Form DD 2959, Breach of Personally Identifiable Information (PII) Report.
After you complete the form, submit it to the OSD/JS Privacy Program within 24 hours after discovery. NOTE: This form should also be used to report updates to previous submissions.
3. The OSD/JS Privacy Program, in conjunction with the reporting component, will submit the Form DD 2959 to the Defense Privacy, Civil Liberties and Transparency Division within 48 hours.
4. Conduct and document an assessment of the risk of harm to individuals potentially affected. If determined and approved by your senior leadership, notify the affected individuals of the breach.
Notification must be made within 10 days of the discovery of the incident. You will need to have the mailing address for each affected individual and be able to address the unique issue(s) pertaining to each breach. See DoD 5400.11-R, Appendix 2 for a sample notification letter.
For further information, see DoD 5400.11-R, paragraph C10.6, Lost, Stolen or Compromised Information.
5. Notify the appropriate Congressional Committee pursuant to FISMA no later than seven days after the date on which there is reasonable basis to conclude that a breach that constitutes a “major incident” has occurred.
A "major incident" is defined as “any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
The impacted agency is ultimately responsible for determining if an incident should be designated as major and may consult with US-CERT to make this determination. (See OMB Memorandum M-17-05, dated Nov. 4, 2016).
Contact Us With Any Questions, Comments, or Concerns
General Privacy Act Questions
Please send your general privacy question, along with your name, phone number and email address to the OSD/JS Privacy Office at the below email address. NOTE: This email is NOT for privacy act requests.
OSD/JS Privacy Inbox
Privacy Act Requests
Privacy Act requests (e.g. records about you and retrieved by your name or identifier) must be submitted IN ; must be signed by you; and include the name and number of the system of records notice which can be found at SYSTEM OF RECORDS NOTICES (SORNS). Privacy Act requests cannot be submitted electronically; please use the below mailing address or fax.
Office of the Secretary of Defense/Joint Staff
FOIA Requester Service Center
1155 Defense Pentagon
Washington, DC 20301-1155
Alexandria, VA 22350
OSD/JS Privacy Act Training
If you have privacy-related questions or would like to schedule an agency live training session, please email the OSD/JS Privacy Inbox with your request and we will contact you for additional details and scheduling.
Privacy training is also available on