Draft PIA

RA
FT
PRIVACY IMPACT ASSESSMENT (PIA)
For the

Asset Protection Information System (APIS)

Army & Air Force Exchange Service (Exchange)

SECTION 1: IS A PIA REQUIRED?

a. Will this Department of Defense (DoD) information system or electronic collection of
information (referred to as an "electronic collection" for the purpose of this form) collect,
maintain, use, and/or disseminate PII about members of the public, Federal personnel,
contractors or foreign nationals employed at U.S. military facilities internationally? Choose
one option from the choices below. (Choose (3) for foreign nationals).
(1) Yes, from members of the general public.

(2) Yes, from Federal personnel* and/or Federal contractors.

(3) Yes, from both members of the general public and Federal personnel and/or Federal contractors.

D

(4) No

* "Federal personnel" are referred to in the DoD IT Portfolio Repository (DITPR) as "Federal employees."

b. If "No," ensure that DITPR or the authoritative database that updates DITPR is annotated
for the reason(s) why a PIA is not required. If the DoD information system or electronic
collection is not in DITPR, ensure that the reason(s) are recorded in appropriate
documentation.
c. If "Yes," then a PIA is required. Proceed to Section 2.

DD FORM 2930 NOV 2008

Page 1 of 16

SECTION 2: PIA SUMMARY INFORMATION
a. Why is this PIA being created or updated? Choose one:
New Electronic Collection

Existing DoD Information System

Existing Electronic Collection

RA
FT

New DoD Information System

Significantly Modified DoD Information
System

b. Is this DoD information system registered in the DITPR or the DoD Secret Internet Protocol
Router Network (SIPRNET) IT Registry?
Yes, DITPR

Enter DITPR System Identification Number

Yes, SIPRNET

Enter SIPRNET Identification Number

No

c. Does this DoD information system have an IT investment Unique Project Identifier (UPI), required
by section 53 of Office of Management and Budget (OMB) Circular A-11?
No

Yes

If "Yes," enter UPI

If unsure, consult the Component IT Budget Point of Contact to obtain the UPI.

d. Does this DoD information system or electronic collection require a Privacy Act System of
Records Notice (SORN)?

A Privacy Act SORN is required if the information system or electronic collection contains information about U.S. citizens
or lawful permanent U.S. residents that is retrieved by name or other unique identifier. PIA and Privacy Act SORN
information should be consistent.

No

D

Yes

If "Yes," enter Privacy Act SORN Identifier

AAFES 0207.02, 0409.01, 0602.04, 0702.34,

DoD Component-assigned designator, not the Federal Register number.
Consult the Component Privacy Office for additional information or
access DoD Privacy Act SORNs at: http://www.defenselink.mil/privacy/notices/

or

Date of submission for approval to Defense Privacy Office
Consult the Component Privacy Office for this date.

DD FORM 2930 NOV 2008

Page 2 of 16

e. Does this DoD information system or electronic collection have an OMB Control Number?
Contact the Component Information Management Control Officer or DoD Clearance Officer for this information.
This number indicates OMB approval to collect data from 10 or more members of the public in a 12-month period
regardless of form or format.

Yes
Enter OMB Control Number

RA
FT

Enter Expiration Date
No

f. Authority to collect information. A Federal law, Executive Order of the President (EO), or DoD
requirement must authorize the collection and maintenance of a system of records.
(1) If this system has a Privacy Act SORN, the authorities in this PIA and the existing Privacy Act
SORN should be the same.

(2) Cite the authority for this DoD information system or electronic collection to collect, use, maintain
and/or disseminate PII. (If multiple authorities are cited, provide all that apply.)
(a) Whenever possible, cite the specific provisions of the statute and/or EO that authorizes
the operation of the system and the collection of PII.
(b) If a specific statute or EO does not exist, determine if an indirect statutory authority can
be cited. An indirect authority may be cited if the authority requires the operation or administration of
a program, the execution of which will require the collection and maintenance of a system of records.
(c) DoD Components can use their general statutory grants of authority (“internal
housekeeping”) as the primary authority. The requirement, directive, or instruction implementing the
statute within the DoD Component should be identified.

D

10 U.S.C. 3013, Secretary of the Army; 10 U.S.C. 8013, Secretary of the Air Force; 10 U.S.C. 2481,
Defense Commissary and Exchange Systems: Existence and Purpose; Army Regulation 215-8/AFI
34-211(I), Army and Air Force Exchange Service Operations; E.O. 12196, Occupational Safety and
Health Programs for Federal Employees; Federal Claims Collection Act of 1966 (Pub.L. 89-508, as
amended); Debt Collection Act of 1982 (Pub.L. 97-365, as amended), as amended by the Debt
Collection Improvement Act of 1996 (Pub.L. 104-134, section 31001); 31 CFR 285.11, Administrative
Wage Garnishment; DoD 7000.14-R, Volume 13 Department of Defense Financial Management
Regulation, “Nonappropriated Funds Policy”; DoD 7000.14-R, Volume 16 Department of the Defense
Financial Management Regulation, “Department of Defense Debt Management”; and E.O. 9397 (SSN),
as amended.

DD FORM 2930 NOV 2008

Page 3 of 16

g. Summary of DoD information system or electronic collection. Answers to these questions
should be consistent with security guidelines for release of information to the public.
(1) Describe the purpose of this DoD information system or electronic collection and briefly
describe the types of personal information about individuals collected in the system.
Purpose: To record and maintain records regarding accidents, incidents, mishaps, fires, theft, etc., involving
Government property; and personal injuries/illnesses in connection therewith, for the purposes of recouping
damages, correcting deficiencies, initiating appropriate disciplinary action and collection methods; filing of
insurance and/or workmen's compensation claims therefore; addressing patron complaints made through
Military Star or the Inspector General Office; logging of customer refunds; and for managerial and statistical
reports.

RA
FT

Categories of Individuals within the System: Individuals involved in accidents, incidents, or mishaps resulting
in theft or reportable damage to Exchange property or facilities; individuals who are injured or become ill as a
result of such accidents, incidents or mishaps; customers, visitors, or employees who are alleged or
confirmed shoplifters, Individuals who have placed complaints with the Exchange and individuals who
receive Exchange refunds.
Types of PII Collected: Name, SSN, date of birth, home residence address, mailing address, telephone
number, Exchange Accident Report, Exchange Incident Report, record of injuries and illnesses, physician's
reports, witness statements and investigatory reports, customer orders and payment methods which may
include credit card or banking information.

(2) Briefly describe the privacy risks associated with the PII collected and how these risks are
addressed to safeguard privacy.

Possible data leakage. Records are maintained in a controlled facility. Physical entry is restricted by the use of locks,
guards, and is accessible only to authorized personnel. Access to records is limited to person(s) with an official
"need to know" who are responsible for servicing the record in performance of their official duties. Persons are
properly screened and cleared for access. Assess to computerized data is role-based and further restricted by
passwords, which are changed periodically. In addition, integrity of automated data is ensured by internal audit
procedures, data base access accounting report and controls to preclude unauthorized disclosure.

h. With whom will the PII be shared through data exchange, both within your DoD Component and
outside your Component (e.g., other DoD Components, Federal Agencies)? Indicate all that apply.
Within the DoD Component.

D

Specify.

Exchange LP Associates, Force Protection, Legal Staff, Inspector General,
HRM, Hearing Examiner, General Managers, Regions VP and SVP, and EEO
associates

Other DoD Components.

Specify.

Department of Army and/or Air Force Inspector General Office; Office of
Special Investigations

Other Federal Agencies.

Specify.

Department of Justice and their legal staff; Department of Labor; OSHA

State and Local Agencies.
DD FORM 2930 NOV 2008

Page 4 of 16

Specify.

State and Local Law Enforcement Agencies and Attorneys

Contractor (Enter name and describe the language in the contract that safeguards PII.)

Specify.
Other (e.g., commercial providers, colleges).

Specify.

RA
FT

i. Do individuals have the opportunity to object to the collection of their PII?
Yes

No

(1) If "Yes," describe method by which individuals can object to the collection of PII.

Individuals who are not employed by the Exchange have the opportunity to object to the collection of
information. However failure to do so may result in lack of benefits or complaints not being addressed.

(2) If "No," state the reason why individuals cannot object.

Individuals who are classified as employees of the Exchange, are required to provide information as a
condition of employment.

j. Do individuals have the opportunity to consent to the specific uses of their PII?
Yes

No

D

(1) If "Yes," describe the method by which individuals can give or withhold their consent.

(2) If "No," state the reason why individuals cannot give or withhold their consent.

Information is required and mandatory in processing benefits, TORT investigations, appeals, accident followup, collection efforts, employee rights and other legal issues.
DD FORM 2930 NOV 2008

Page 5 of 16

k. What information is provided to an individual when asked to provide PII data? Indicate all that
apply.
Privacy Advisory

RA
FT

Privacy Act Statement
Other

None

Describe PRIVACY ACT STATEMENT
each
applicable AUTHORITY: Title 110 U.S.C. 3013, Secretary of the Army; 10 U.S.C. 8013, Secretary of the Air
format.
Force; 10 U.S.C. 2481, Defense Commissary and Exchange Systems: Existence and Purpose; Army
Regulation 215-8/AFI 34-211(I), Army and Air Force Exchange Service Operations; E.O. 12196,
Occupational Safety and Health Programs for Federal Employees; Federal Claims Collection Act of
1966 (Pub.L. 89-508, as amended); Debt Collection Act of 1982 (Pub.L. 97-365, as amended), as
amended by the Debt Collection Improvement Act of 1996 (Pub.L. 104-134, section 31001); 31 CFR
285.11, Administrative Wage Garnishment; DoD 7000.14-R, Volume 13 Department of Defense
Financial Management Regulation, “Nonappropriated Funds Policy”; DoD 7000.14-R, Volume 16
Department of the Defense Financial Management Regulation, “Department of Defense Debt
Management”; and E.O. 9397 (SSN), as amended.
PRINCIPAL PURPOSES(S): To record and maintain records regarding accidents, incidents,
mishaps, fires, theft, etc., involving Government property; and personal injuries/illnesses in
connection therewith, for the purposes of recouping damages, correcting deficiencies, initiating
appropriate disciplinary action and collection methods; filing of insurance and/or workmen's
compensation claims therefore; addressing patron complaints made through Military Star or the
Inspector General Office; logging of customer refunds; and for managerial and statistical reports.

D

ROUTINE USE(S): Your records may be disclosed outside of DoD pursuant to Title 5 U.S.C. §552a
(b)(3) regarding DoD “Blanket Routine Uses” published at http://dpcld.defense.gov/Privacy/
SORNsIndex/BlanketRoutineUses.aspx. Disclosure may occur to the Department of the Treasury
and a debt collection agency who has contracted for collection services to recover debts owed to the
United States of America. Disclosure may be made to Federal agencies, and state, local and
territorial governments. To any employer (person or entity) that employs the services of others and
that pays their wages or salaries, where the employee owes a delinquent nontax debt to the United
States. The term employer includes, but is not limited to, State and local governments, but does not
include any agency of the Federal Government. To consumer reporting agencies pursuant to 5 U.S.
C. 552a(b)(12) as defined in the Fair Credit Reporting Act (14 U.S.C. 1681a(f)) or the Federal Claims
Collection Act of 1966 (31 U.S.C. 3701(a)(3)). The purpose of this disclosure is to aid in the collection
of outstanding debts owed to the Federal government; typically to provide an incentive for debtors to
repay delinquent Federal government debts by making these debts part of their credit report. The
disclosure is limited to information necessary to establish the identity of the individual, including
name, address, and taxpayer identification number (Social Security Number); the amount, status, and
history of the claim; and the agency or program under which the claim arose for the sole purpose of
allowing the consumer reporting agency to prepare a commercial credit report. This disclosure will be
made only after the procedural requirement of 31 U.S.C. 3711(f) has been followed.

This system of records contains individually identifiable health information. The DoD Health
Information Privacy Regulation (DoD 6025.18-R) issued pursuant to the Health Insurance Portability
and Accountability Act of 1996, applies to most such health information. DoD 6025.18-R may place
additional procedural requirements on the uses and disclosures of such information beyond those
found in the Privacy Act of 1974 or mentioned in this system of records notice.
Page 6 of 16
DD FORM 2930 NOV 2008

DISCLOSURE: Voluntary, however, refusal to provide information, concealment, or
misrepresentation of material facts reported or withheld may constitute grounds for employment
separation for cause, disciplinary action, civil or criminal litigation, and lack of benefit payout.
A copy of the Privacy Impact Assessment (PIA) for this collection may be located at www.
shopmyexchange.com.

RA
FT

NOTE:
Sections 1 and 2 above are to be posted to the Component's Web site. Posting of these
Sections indicates that the PIA has been reviewed to ensure that appropriate safeguards are in
place to protect privacy.

D

A Component may restrict the publication of Sections 1 and/or 2 if they contain information that
would reveal sensitive information or raise security concerns.

DD FORM 2930 NOV 2008

Page 7 of 16