Brendon SorensonModule 3

The Division Protocol Office must develop an Information Privacy Policy in order to address the collection, transmission and safeguarding of personal information acquired from Senior Leaders within the Division Command and subordinate Commands. It is required, in accordance with Army Regulation 340-21 that information be protected, as required by the Privacy Act of 1974 and that only the information necessary to support required operations for the Protocol Office's mission. The Privacy Act of 1974 also requires that only information that is "timely, accurate, complete, and relevant to the purpose for which it was collected" should be maintained(Army Regulation 340-21). I will put forth a set of procedures and describe issues that must be considered before an established policy can be created. It is also my intent to detail the potential conflicts of disclosure of gathered information and provide possible solutions.The first procedure required for any individual that will have access to the information in question is to fully review both the Army Regulation 340-21 and the related Privacy Act of 1974. The Protocol team members with access should also review any referenced documentation provided in those two documents. Once the team member has developed a firm understanding of the Army's policy, they can begin with the collection of data as required for the mission as directed by the Division Command's requirements. In order to gather information from subordinate commanders and senior staff, the Protocol team should designate an Information Custodian that will oversee the creation of a database that contains only the relevant information to mission accomplishment. After this data set is defined a standard questionnaire should be created to ensure accurate and complete information is collected and verified. This document should include, when applicable, the name of the outgoing or replaced commander or staff member, so that information no longer accurate or timely can be removed. Additionally, based on established mission needs and guidance, a statement allowing or disallowing the release of the collected information should be included and annotated. A Privacy Act Statement will be provided to the individual when they return the questionnaire. It is vital that special care is taken to ensure the entry of gathered information into a database is accurate and human error is minimized. Further, there should be a schedule of regular reviews covering gathered information. I recommend that this review be performed on a quarterly basis to ensure all changes are captured and updated in the absence of notification by outgoing or replaced commanders or senior staff.It is the responsibility of the Protocol Information Custodian to safeguard all personal information, preventing unauthorized use, access, disclosure, alteration or destruction (Army Regulation 340-21). The Information Custodian must also ensure that anyone entered into the database is notified that a record of their information exists and provide the opportunity for individuals to review or retrieve copies of any information collected. If an individual feels there is a need to amend collected information, there should be a standard operation that allows them to make changes if they feel the information is not current, incomplete or that the individual feels is irrelevant to the Protocol mission. The Information Custodian should develop a form that annotates changes to the gathered information, as appropriate, and provides the requesting individual a clear copy of all information contained in the database. All requests should be processed quickly and in an accurate and fair manner, without exception.The largest challenge faced by the Information Custodian will be the rules of disclosure of gathered information. Normal mission required disclosure, or routine use, should be addressed at the time that the questionnaire is collected by the Information Custodian. Additional requests for disclosure outside of the Protocol mission may be requested by other agencies, both within and from outside the 10th Mountain Division, as well as third parties (non-federal). The Army as a whole is not allowed to provide information from a record without written consent of the individual in question, with very few exceptions as detailed in Chapter 3 of the Army Regulation 340-21. The Information Custodian should maintain a log of any disclosures. It is the duty of the Information Custodian to be familiar with all exceptions and seek legal guidance from the Administrative Law team if there is any doubt as the validity of the release. The Information Custodian should make an official request to the subject of the information request and create a standard response with a reasonable response time to the requestor. This will be a period long enough to allow contact with the subject and allow them to respond to the request. Should there be a delay that causes the time provided to the requestor to lapse, it should be the responsibility of the Information Custodian to communicate the delay to the requestor.

Works Cited:Army Regulation 340-21. The Army Privacy Program. Washington, DC: Headquarters Department of the Army, 1985. Print.