U.S. Africa Command (AFRICOM) oversees and directs the protection of the personal information of military and civilian command staff, their dependents, and the public at large.
Privacy Program information
The command's privacy program serves to advise and make recommendations to command leadership for the establishment of privacy priorities. The Privacy Office is also responsible for the development of privacy policies, procedures, and guidance essential to safeguarding the collection, access, use, dissemination, and storage of personally identifiable information (PII), business identifiable information (BII), and Privacy Act information. The mission of the AFRICOM Privacy Office is to ensure that the personal data of everyone who is assigned to or who interacts with the command is appropriately managed and protected.
The U.S. Africa Command Privacy Office ensures command compliance with regulatory requirements and legislated mandates governing those programs.
- Privacy Act of 1974 (as amended, 5 U.S.C. § 552a)
- Office of Management and Budget (OMB) guidance for information systems
- OMB Circulars A-108 and A-130
- Government Paperwork Reduction Act
- E-Government Act of 2002
- Federal Information Modernization Act of 2014 (FISMA)
- National Institute of Standards and Technology (NIST) Privacy Standards
AFRICOM also ensures that activities within the functional areas of:
- Integrating with leadership, command directorates and staff to understand VA mission critical systems and where PHI/PII resides
- Establishing privacy risk policy and best practices for information management and sharing information within DoD and partners
- Training and educating the command staff on the implementation of privacy best practices
- Integrating with cybersecurity and VA engineering efforts to ensure appropriate privacy protections are identified, acquired, and implemented
- Ensuring that acquisitions instruments adhere to privacy best practices
U.S. Africa Command Staff: to report a privacy incident, call DSN 119
U.S. Africa Command internal documents (link coming soon)
System of Records Notices (link coming soon)
Privacy Impact Assessments:
- U.S. Africa Command public website (africom.mil)
- U.S. Africa Command official Facebook page (coming soon)
- U.S. Africa Command official Twitter account (coming soon)
- U.S. Africa Command official YouTube channel (coming soon)
All linked documents are in PDF.
- The Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501-06) (COPPA) regulates the online collection and use of personal information provided by and relating to children under the age of 13.
- The Clinger-Cohen Act of 1996 (40 U.S.C. 1401, et seq.) (CCA), formerly the Information Technology Management Reform Act of 1996 (ITMRA), is designed to improve the way the federal government acquires, uses and disposes of information technology (IT).
- The E-Government Act of 2002 (44 U.S.C. 3601 et seq.) establishes procedures to ensure the privacy of personal information in electronic records.
- The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA). The CIPSEA protects the confidentiality of identifiable information acquired by federal agencies. It applies to data supplied by individuals and organizations to federal agencies under a pledge of confidentiality for statistical purposes. CIPSEA provides that data or information acquired by an agency under a pledge of confidentiality for exclusively statistical purposes shall not be disclosed by an agency in identifiable form, for any use other than an exclusively statistical purpose, except with the informed consent of the respondent.
- The Federal Information Security Management Act of 2002 (44 U.S.C. § 3541) (FISMA) requires agencies to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of an agency. FISMA requires federal government information systems to have security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction. FISMA requires a mandatory set of IT system security processes that must be followed for all federal information systems. Compliance is monitored through yearly audits. The annual reports must include: (1) by agency, the number of each type of privacy review conducted that year; (2) information about the privacy advice provided by the Senior Agency Official for Privacy; (3) the number of written complaints for each type of privacy issue allegation received; and (4) the number of complaints the agency referred to another agency.
- The Freedom of Information Act (5 U.S.C. 552, as amended) (FOIA) generally allows any person, including a business, to obtain access to federal agency records, except to the extent that such records (or portions of them) are protected from public disclosure by one of nine exemptions or by one of three special law enforcement record exclusions. The FOIA is a disclosure statute and applies to records that are: (1) either created or obtained by an agency, and (2) under agency control at the time of the FOIA request. When an agency receives a proper FOIA request for records, it must make the records "promptly available" unless the records or portions of the records are exempt from mandatory disclosure under subsection (b), or excluded under subsection (c). Subsection (c) permits an agency to respond to a request for excluded records as if the records do not exist.
- The Privacy Act of 1974 (5 U.S.C. § 552a) is a withholding statute that applies when the federal government maintains a “system of records” (a grouping of items or records) in which information about individuals is retrieved by use of the individuals’ personal identifiers (e.g., names, social security numbers, or any other codes or identifiers that are assigned to the individual). The Privacy Act of 1974 and its implementing regulations: (1) Prohibit the disclosure of personally identifiable information maintained by agencies in a system of records without the consent of the subject individual, subject to twelve codified exceptions; (2) Grant individuals increased rights of access to agency records maintained on them; (3) Grant individuals the right to seek amendment of agency records maintained on them upon a showing that the records are not accurate, relevant, timely, or complete; and (4) Establish a code of "fair information practices," requiring agencies to comply with statutory norms for collection, maintenance, and dissemination of records.
- Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501, et seq.) is designed to reduce the public’s burden of answering unnecessary, duplicative, and burdensome government surveys.
- Records Management by Federal Agencies (44 U.S.C. ch. 31), as amended, establishes the framework for records management programs in Federal agencies. As the primary agency for records management oversight, the National Archives and Records Administration (NARA) is responsible for assisting Federal agencies in maintaining adequate and proper documentation of policies and transactions of the Federal government. See General Records Schedule 4.2: Information Access and Protection Records.
Office of Management and Budget (OMB) Guidance
- Privacy Act Implementation (July 9, 1975)
- Privacy Act Responsibilities for Implementing the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (November 3, 1997)
- M-99-05, Instructions on Complying with President’s Memorandum of May 14, 1998, “Privacy and Personal Information in Federal Records” (January 7, 1999)
- Biennial Privacy Act and Computer Matching Reports (June 1998)
- M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999)
- Status of Biennial Reporting Requirements under the Privacy Act and the Computer Matching and Privacy Protection Act (June 21, 2000)
- M-00-13, Privacy Policies and Data Collection on Federal Web Sites (June 22, 2000) (Rescinded by OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010))
- Letter from John Spotila to Roger Baker, Cookies Letter (clarification of OMB Cookies Policy) (September 5, 2000)
- M-01-05, Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy (December 20, 2000). This guidance reminds agencies of several privacy-related legal requirements that apply to computer matching and clarifies how agencies should conduct computer matching activities.
- OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003), requires agencies to conduct reviews of how information about individuals is handled when information technology (IT) is used to collect new information, or when agencies develop or buy new IT systems to handle collections of personally identifiable information (PII), and describes how the agency handles information that individuals provide electronically.
- M-05-04, Policies for Federal Agency Public Websites (December 17, 2004)
- Best Practices: Elements of a Federal Privacy Program (June 2010)
- OMB Memo M-05-08, Designation of Senior Agency Officials for Privacy (SAOP). This memorandum sets forth the requirement that federal agencies designate a senior official who has the overall agency-wide responsibility for information privacy issues.
- OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, establishes new procedures and provides updated guidance and requirements for agency use of web measurement and customization technology.
- OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, requires Federal agencies to take specific steps to protect individual privacy whenever they use third-party websites and applications to engage with the public.
- OMB Memorandum M-11-02, Sharing Data While Protecting Privacy (November 3, 2010), requires agencies to develop and implement solutions that allow data sharing to move forward in a manner that complies with applicable privacy laws, regulations, and policies.
- OMB Memorandum M-14-04, Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, provides agencies with instructions for meeting their agencies’ fiscal year reporting requirements under the Federal Information Security Management Act (FISMA) and includes reporting instructions on agencies’ privacy management program.
- OMB Memorandum M-14-06, Guidance for Providing and Using Administrative Data for Statistical Purposes, provides agencies with guidance for addressing the legal, policy, and operational issues that exist with respect to using administrative data for statistical purposes.
- OMB Memorandum M-15-01, Guidance on Improving Federal Information Security and Privacy Management Practices, identifies current Administration information security priorities, provides agencies with FISMA and Privacy Management reporting guidance and deadlines, and establishes new policy guidelines to improve Federal information security posture.
- OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, identifies and addresses critical cybersecurity gaps and emerging priorities, and makes specific recommendations to address those gaps and priorities. The CSIP was developed to help strengthen Federal civilian cybersecurity through the following five objectives: (1) Prioritized Identification and Protection of high value information and assets; (2) Timely Detection of and Rapid Response to cyber incidents; (3) Rapid Recovery from incidents when they occur and Accelerated Adoption of lessons learned from the Sprint assessment; (4) Recruitment and Retention of the most highly-qualified Cybersecurity Workforce talent the Federal government can bring to bear; and (5) Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology.
- OMB Memorandum M-16-14, Category Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response (July 1, 2016), requires federal agencies, with limited exceptions, to address their requirements, when they need identity protection services, by using the government-wide blanket purchase agreements (BPAs) for Identity Monitoring Data Breach Response and Protection Services (i.e., IPS BPAs) awarded by the General Services Administration (GSA).
- OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy, revises policies on the role and designation of the Senior Agency Official for Privacy (SAOP), as required by Executive Order 13719, Establishment of the Federal Privacy Council.
- OMB Memorandum M-17-05, Fiscal Year 2016 – 2017 Guidance on Federal Information Security and Privacy Management Requirements, establishes current Administration information security priorities and provides agencies with Fiscal Year 2016 – 2017 Federal Information Security Modernization Act (FISMA) and Privacy Management reporting guidance and deadlines. OMB M-17-05 provides Federal agencies with timelines and requirements for quarterly and annual reporting; establishes detailed instructions for preparing the annual agency FISMA reports; and provides updates to the definition of “major incident” and the U.S. Computer Emergency Readiness Team (US-CERT) Incident Notification Guidelines.
- OMB Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services (Nov. 8, 2016), updates policies regarding Federal Agency public websites and digital services and requires that each agency maintain a central resource page dedicated to its privacy program on the agency’s principal website. The agency’s Privacy Program page must serve as a central source for information about the agency’s practices with respect to PII. The agency’s Privacy Program page must be located at www.[agency].gov/privacy and must be accessible through the agency’s “About” page.
- OMB Memorandum M-17-09, Management of Federal High Value Assets, contains general guidance for the planning, identification, categorization, prioritization, reporting, assessment, and remediation of Federal High Value Assets (HVAs), as well as the handling of information related to HVAs by the Federal Government.
- OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017), states: “Each agency’s SAOP is required to update its respective agency’s data breach response plan and submit it to OMB within 180 days following the release of the Memorandum.” This Memorandum rescinds and replaces OMB M-07-16, M-06-19 and M-06-15. The Memorandum is directed at the Senior Agency Officials for Privacy (SAOP), and requires the Agencies (Departments) to update and submit the following action plans to OMB by June 3, 2017:
- Breach Response Planning; Breach Response Team;
- Identified Privacy Compliance Documentation;
- Pertinent Information Sharing; Reporting Requirements;
- Assessing Risk of Harm;
- Mitigating Risk of Harm; and
- Notifying Individuals Potentially Affected.
- OMB Circular A-108 (Dec. 23, 2016). The reissuance of Circular A-108 describes agency responsibilities for implementing the review, reporting, and publication requirements of the Privacy Act of 1974 and related OMB policies. It supplements and clarifies existing OMB guidance, including OMB Circular No. A-130, “Managing Information as a Strategic Resource,” “Privacy Act Implementation: Guidelines and Responsibilities,” “Implementation of the Privacy Act of 1974: Supplementary Guidance,” and “Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988.”
- OMB Circular A-130 (July 28, 2016), Management of Federal Information Resources, provides uniform government-wide information resources management policies as required by the Paperwork Reduction Act of 1980, as amended by the Paperwork Reduction Act of 1995, 44 U.S.C. Chapter 35. This Circular establishes policy for the management of Federal information resources and rescinds OMB Memoranda M-10-28, “Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS).”
Process for Access to and Amendment of Privacy Act Records
Individuals seeking access to information about themselves contained in this system of records should address inquiries to:
Freedom of Information/Privacy Act Office
US Africa Command
APO AE 09751
Signed, written requests should include the individual’s full name, evidence of the requester's identity, such as a copy of a photo ID or passport or similar document bearing the requester's signature, current address, and telephone number and this System of Records Notice number. In addition, the requester must provide either a notarized statement or an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following format:
If executed outside the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”
If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”
The Department of Defense rules for accessing records, contesting contents, and appealing initial agency determinations are contained in 32 CFR Part 310, Subpart D, of the DoD Privacy Program.
To submit a privacy-related question or complaint, reach us by email or phone: +49 (0)711.7081.0066 and +49 (0)711.7081.0339