Draft Privacy Impact Assessment

PRIVACY IMPACT ASSESSMENT (PIA)
PRESCRIBING AUTHORITY: DoD Instruction 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance". Complete this form for Department of Defense
(DoD) information systems or electronic collections of information (referred to as an "electronic collection" for the purpose of this form) that collect, maintain, use,
and/or disseminate personally identifiable information (PII) about members of the public, Federal employees, contractors, or foreign nationals employed at U.S.
military facilities internationally. In the case where no PII is collected, the PIA will serve as a conclusive determination that privacy requirements do not apply to
system.
1. DOD INFORMATION SYSTEM/ELECTRONIC COLLECTION NAME:

Exchange Personnel Systems
3. PIA APPROVAL DATE:

2. DOD COMPONENT NAME:

If Other, enter the Component name in the box below.
Army and Air Force Exchange Service (the Exchange)
SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
a. The PII is: (Check one. Note: Federal contractors, military family members, and foreign nationals are included in general public.)
From members of the general public

From Federal employees

from both members of the general public and Federal employees

Not Collected (if checked proceed to Section 4)

b. The PII is in a: (Check one.)
New DoD Information System

New Electronic Collection

Existing DoD Information System

Existing Electronic Collection

Significantly Modified DoD Information System
c. Describe the purpose of this DoD information system or electronic collection and describe the types of personal information about individuals
collected in the system.

Purpose: Data is used to maintain a system of records that provides human resource information and system support for the Department of
Defense (DoD) civilian workforce worldwide that manages the human resources processing and reporting, including position, compensation
and benefits, performance management, and in making determinations of qualifications, as well as create efficiencies in Human Capital
Management. Data is also used for analysis in order to meet Congressional and Federal reporting requirements.
For the Exchange clarification the purpose can be identified as
A. To populate and maintain a repository of documentation of the history and status of an individual's employment relationship with the
Exchange.
B. To have a basic source of factual data of a person's Federal employment wile as an active Exchange associate and after his/her separation
to administer, compute, monitor, and report employee personnel actions such as pay entitlements and transactions, grade increases, length of
service and incentive and/or honor awards and recognitions, bonds due and issued, taxes paid, employee debts, leave accrued and usage of
that leave, and employment separation and outsourcing.
C. To determine an applicant's or employee's qualification and eligibility for hiring, promotion, and or transfer.
D. To capture and maintain individual applicant's essential job skills and aptitudes for consideration of hiring.
E. To administer proper health care, medical treatment, and processing of claims for employees who become ill or are injured during
working hours.
F. To process official travel requests for Exchange civilian employees including data to determine eligibility of associate dependents for
travel, obtain necessary clearance where foreign travel is required, assisting employees in applying for passports and visas, and counseling
where proposed travel includes visiting or transitioning to communist countries and danger zones.
G. To provide locator and emergency notification data.
H. To maintain information on participants in the Exchange tuition assistance program.
I. To obtain data to verify employment and wages.
J. To provide data in support of Equal Employment Opportunity Program requirements.
K. To respond and process claims, administer and investigate complaints, grievances, and appeals.
L. To respond and process payments to Court and Regulatory Bodies requests for information or garnishment orders such as Qualifying
Domestic Relations Orders (QDRO) or compliance with Child Support, Alimony obligations, Federal and Commercial (civil) debts, or tax
levies.
M. To produce managerial reporting and statistical analysis of Exchange work force strength trends and composition in support of
established man-hours, projected staffing requirements, and budgetary programs and procedures.

DD FORM 2930, JUN 2017

PREVIOUS EDITION IS OBSOLETE.

Page 1 of 10

d. Why is the PII collected and/or what is the intended use of the PII? (e.g., verification, identification, authentication, data matching, mission-related use,
administrative use)

Verification, identification, authentication, administration, and mission-related use to administer employee services.
e. Do individuals have the opportunity to object to the collection of their PII?

Yes

No

(1) If "Yes," describe the method by which individuals can object to the collection of PII.
(2) If "No," state the reason why individuals cannot object to the collection of PII.

Individuals have the opportunity not to provide PII and are notified of the voluntary collection in the Privacy Act Statement provided at the
time of collection. They are also informed of the need of the PII in order to be hired or take the appropriate action to administer employee
services, such as hiring, paying, providing benefits, etc.
f. Do individuals have the opportunity to consent to the specific uses of their PII?

Yes

No

(1) If "Yes," describe the method by which individuals can give or withhold their consent.
(2) If "No," state the reason why individuals cannot give or withhold their consent.

Information collected is used for proper processing of all employee services, including pay, garnishments, benefits, Workers' Compensation,
appeals, grievances, accident follow-up, employee legal issues, security clearance, and patron rights such as shopping while employed or
retired. Information of use is provided and not used in a means for which it was not collected.
g. When an individual is asked to provide PII, a Privacy Act Statement (PAS) and/or a Privacy Advisory must be provided. (Check as appropriate and
provide the actual wording.)
Privacy Act Statement

Privacy Advisory

Not Applicable

AUTHORITY: Title 10 U.S.C. §7013, “Secretary of the Army; Title 10 U.S.C. §9013, “Secretary of the Air Force”; Army Regulation
215-8/DAFI 34-110(I), “Army and Air Force Service Operations”; Title 421 U.S.C. 659, "Consent by United States to income withholding,
garnishment, and similar proceeding for enforcement of child support and alimony obligations"; 31 CFR 285.11, "Administrative Wage
Garnishment"; DoD Directive 7000.14-R, Volume 13, "Non Appropriated Funds Policy"; DoD Directive 7000.14-R, Volume 16,
"Department of Defense Debt Management"; and E.O. 9397 (SSN), as amended.
PRINCIPAL PURPOSES(S): Information collected is the basic source of factual data about a person's employment (or future employment)
with the Exchange. Data is used to evaluate applicants for hire and once hired used to compute that individual’s pay entitlements including
hourly pay, salary, leave time, annuities and retirement. Information may also be used to process court orders for child support and/or
garnishment of wages and required state and federal taxes.
ROUTINE USE(S): Records may be disclosed outside of DoD pursuant to Title 5 U.S.C. §552a(b)(3) regarding DoD “Blanket Routine
Uses” published at http://dpcld.defense.gov/Privacy/SORNsIndex/BlanketRoutineUses.aspx. This includes disclosure to Federal agencies,
and state, local and territorial governments. Application data may be verified by third-party agencies or organizations approved by the
Exchange to complete an applicant’s background investigation. Information may be disclosed to the U.S. Treasury for regulated taxes and/or
offsets or to court for legal processes. Dependent, beneficiary, survivor information may be disclosed to an outside contractor for processing
benefits such as health, retirement, and annuities.
DISCLOSURE: Voluntary, however, failure to provide all the requested information may result in the denial of your benefits.
A copy of the Privacy Impact Assessment (PIA) for this collection may be located at http://www.aafes.com/about-exchange/public-affairs/
foia.htm/Privacy Impact Assessments.
Privacy notices will vary based on the collective instrument and may include if required an Office of Management and Budget Control
Number and Expiration Date. All on-line collection is controlled for security and individuals have access to the on-line Privacy Statement.
h. With whom will the PII be shared through data/system exchange, both within your DoD Component and outside your Component?
(Check all that apply)
Within the DoD Component

Other DoD Components (i.e. Army, Navy, Air Force)
Other Federal Agencies (i.e. Veteran’s Affairs, Energy, State)

DD FORM 2930, JUN 2017

Human Resources, Loss Prevention, Financial, Benefits,
Office of the General Counsel, Equal Employment
Opportunity and Diversity, Supervisors, Management,
Specify.
Hearing Examiner, Inspector General, and Time Keepers.
All of which is role based per the data needed for official
business operations.
Department of the Army, Department of the Air Force,
Specify.
Office of Special Investigation, Inspector General Offices.
Department of Justice/Federal Bureau of Investigations,
U.S. Office of the Treasury, U.S. Department of Labor,
Department of State, Office of Personnel Management,

PREVIOUS EDITION IS OBSOLETE.

Page 2 of 10

National Archives and Records Administration, U.S. Equal
Employment Opportunity Commission, Social Security
Administration, Department of Transportation, United States
Forces Korea and Japan, U.S. Federal Installation Garrisons.
Law Enforcement Agencies, State Child Support Agencies,
Law Offices, Courts, attache or law enforcement authorities
Specify.
of foreign countries, State Department of Transportation,
Host Country Authorities.
IBM, First Advantage, Kenexa, Aetna, Hartford, Prudential,
and other insurance or benefit providers, AAFES Trust,
Specify. Contract Claims Services, Inc., Willis Tower Watson, Plus
Location, Military Airlift Command (MAC) Transportation,
Transportation Organizations.
Congress, banking and financial institutions, privacy
attorney law offices, Spouse or Ex-spouse, dependents,
Specify.
family members, survivors, medical providers and their
medical facility, educational institutions, ticket services.
Specify.

State and Local Agencies

Contractor (Name of contractor and describe the language in
the contract that safeguards PII. Include whether FAR privacy
clauses, i.e., 52.224-1, Privacy Act Notification, 52.224-2,
Privacy Act, and FAR 39.105 are included in the contract.)
Other (e.g., commercial providers, colleges).

i. Source of the PII collected is: (Check all that apply and list all information systems if applicable)
Individuals

Databases

Existing DoD Information Systems

Commercial Systems

Other Federal Information Systems

As much as possible and feasible, information collected is from the individual it pertains. Data is collected through resumes, applicants
records, employee or supervisor generated, self certified employee documents. Information USA staffing or Kenexa Exchange websites, or
from other federal agencies, an individual's past employer, other Exchange systems or databases, family members or survivors, and from
law enforcement entities or background approved vendors.
j. How will the information be collected? (Check all that apply and list all Official Form Numbers if applicable)
E-mail

Official Form (Enter Form Number(s) in the box below)

In-Person Contact

Paper

Fax

Telephone Interview

Information Sharing - System to System

Website/E-Form

Other (If Other, enter the information in the box below)

The Exchange attempts to collect most data through secured means electronically through website encrypted data. Many collective
documents are also available in Exchange Forms provided to Employees or available from Human Resources or supervisors.
k. Does this DoD Information system or electronic collection require a Privacy Act System of Records Notice (SORN)?
A Privacy Act SORN is required if the information system or electronic collection contains information about U.S. citizens or lawful permanent U.S. residents that
is retrieved by name or other unique identifier. PIA and Privacy Act SORN information must be consistent.
Yes

No

If "Yes," enter SORN System Identifier

DHRA-23 DoD

SORN Identifier, not the Federal Register (FR) Citation. Consult the DoD Component Privacy Office for additional information or http://dpcld.defense.gov/
Privacy/SORNs/
or
If a SORN has not yet been published in the Federal Register, enter date of submission for approval to Defense Privacy, Civil Liberties, and Transparency
Division (DPCLTD). Consult the DoD Component Privacy Office for this date
If "No," explain why the SORN is not required in accordance with DoD Regulation 5400.11-R: Department of Defense Privacy Program.

l. What is the National Archives and Records Administration (NARA) approved, pending or general records schedule (GRS) disposition authority
for the system or for the records maintained in the system?
(1) NARA Job Number or General Records Schedule Authority.

DD FORM 2930, JUN 2017

N1-334-01-1

PREVIOUS EDITION IS OBSOLETE.

Page 3 of 10

(2) If pending, provide the date the SF-115 was submitted to NARA.

(3) Retention Instructions.

e-OPF are maintained in systems for 129 years. N1-334-01-1 clarifies 65 years after the date of the birth of the individual or the date of
termination which ever is the longest retention time. Alternatively, some records are only maintained for a period of 25 years after its closure
defined as when an individual separates from from employment or the last payment to the employee or his/her survivor. Portions of
documents have lesser retention time as illustrated in Exchange Operating Procedure 05-01. OPF files for aliens, foreign nationals, or local
nationals, outside of the U.S. are maintained temporary till the fiscal year end in which the individual is separated then maintained for 5years. As an exception if the host government agreements require longer retention instructions to extend the period are issued and the
Official Personnel Folders that may be used to certify federal employment for admitting refugees into the United States will be offered to the
Department of State at the end of the retention period.
m. What is the authority to collect information? A Federal law or Executive Order must authorize the collection and maintenance of a system of
records. For PII not collected or maintained in a system of records, the collection or maintenance of the PII must be necessary to discharge the
requirements of a statue or Executive Order.
(1) If this system has a Privacy Act SORN, the authorities in this PIA and the existing Privacy Act SORN should be similar.
(2) If a SORN does not apply, cite the authority for this DoD information system or electronic collection to collect, use, maintain and/or disseminate PII.
(If multiple authorities are cited, provide all that apply).
(a) Cite the specific provisions of the statute and/or EO that authorizes the operation of the system and the collection of PII.
(b) If direct statutory authority or an Executive Order does not exist, indirect statutory authority may be cited if the authority requires the
operation or administration of a program, the execution of which will require the collection and maintenance of a system of records.
(c) If direct or indirect authority does not exist, DoD Components can use their general statutory grants of authority (“internal housekeeping”) as
the primary authority. The requirement, directive, or instruction implementing the statute within the DoD Component must be identified.

In addition to the authority provided in the applicable Privacy Act Statement(s), the following authorities or portions of these authorities
apply to the Exchange collection and maintenance of information within our personnel systems. The Exchange is self insured, nonappropriated instrumentality of the Department of Defense. In general, regulations associated with OPM do not apply to the Exchange unless
the regulations specifies applicability with Title 5 U.S.C. 2015(c) definition. Thereby the Exchange collection is authorized in part by the
following regulations.
Title 5 U.S.C. 11, Office of Personnel Management; Title 5 U.S.C. 41 Training; Title 5 U.S.C. Classification; Title 5 U.S.C. 54 Pay
Administration; Title 5 U.S.C. 72, Anti Discrimination; Title 5 U.S.C. 84 Federal Employees' Retirement System, Anti Discrimination
Policy; Title 10 U.S.C. 136 Under the Secretary of Defense for Personnel and Readiness; Title 10 U.S.C. 137 Under Secretary of Defense for
Intelligence and Security; 29 CFR 1614.601 Federal Sector Equal Employment Opportunity.
n. Does this DoD information system or electronic collection have an active and approved Office of Management and Budget (OMB) Control
Number?
Contact the Component Information Management Control Officer or DoD Clearance Officer for this information. This number indicates OMB approval to
collect data from 10 or more members of the public in a 12-month period regardless of form or format.
Yes

No

Pending

(1) If "Yes," list all applicable OMB Control Numbers, collection titles, and expiration dates.
(2) If "No," explain why OMB approval is not required in accordance with DoD Manual 8910.01, Volume 2, " DoD Information Collections Manual:
Procedures for DoD Public Information Collections.”
(3) If "Pending," provide the date for the 60 and/or 30 day notice and the Federal Register citation.

0702-0129, Exchange Identification and Privilege Card Application, January 31, 2025 (pending as of 60 FRN 63417, August 5, 2024.)
0702-0131, Exchange Travel Files, April 30, 2025.
0702-0133, Exchange Employment Applications, June 30, 2025.
0702-0139, Exchange Employee and Retirement Benefit System, December 31, 2025.

DD FORM 2930, JUN 2017

PREVIOUS EDITION IS OBSOLETE.

Page 4 of 10