Draft Privacy Impact Assessment

0702-0137_Draft PIA_12.29.2025.pdf

Exchange Credit Program

OMB: 0702-0137

PRIVACY IMPACT ASSESSMENT (PIA)
PRESCRIBING AUTHORITY: DoD Instruction 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance". Complete this form for Department of Defense
(DoD) information systems or electronic collections of information (referred to as an "electronic collection" for the purpose of this form) that collect, maintain, use,
and/or disseminate personally identifiable information (PII) about members of the public, Federal employees, contractors, or foreign nationals employed at U.S.
military facilities internationally. In the case where no PII is collected, the PIA will serve as a conclusive determination that privacy requirements do not apply to
system.
1. DOD INFORMATION SYSTEM/ELECTRONIC COLLECTION NAME:

Exchange Retail and Sales (E-Commerce, Exchange Credit Program, and Customer Relations)
3. PIA APPROVAL DATE:

2. DOD COMPONENT NAME:

Outside DoD
Army and Air Force Exchange Service (the Exchange)

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)

a. The PII is: (Check one. Note: Federal contractors, military family members, and foreign nationals are included in general public.)
From members of the general public

From Federal employees

From both members of the general public and Federal employees

Not Collected (if checked proceed to Section 4)

b. The PII is in a: (Check one.)

New DoD Information System

New Electronic Collection

Existing DoD Information System

Existing Electronic Collection

Significantly Modified DoD Information System

c. Describe the purpose of this DoD information system or electronic collection and describe the types of personal information about individuals
collected in the system.

To enable the Army and Air Force Exchange Service to carry out its mission to enhance the quality of life for authorized patrons and to
support military readiness, recruitment and retention, by providing a worldwide system of Exchanges with merchandise and household goods
similar to commercial stores and services.

To authorize individuals for Morale, Welfare and Recreation (MWR) services, benefits and privileges administered through intra-agency
agreements between MWR and any military exchange or the Defense Commissary Agency (DeCA).
To authenticate authorized patrons, record purchases and purchase prices, account for and deduct coupons and other promotional discounts,
calculate the total amount owed by the customer, and accept payment by various media, such as cash, credit card, debit/ATM card, smart
card and other chip-based cards, electronic benefits transfer payments, prepaid/preloaded and stored value cards, gift cards/certificates, and
other similar methods of payments initiated through mobile device applications.
To locate order information to reply to customer inquiries, complaints; to create labels for shipment to proper location; to refund
customer remittances or to collect monies due; to provide claim and postal authorities with
confirmation/certification of shipment for customer claims for damage or lost shipments.

To record customer transactions/payment for layaway and special orders; to determine payment status before finalizing transactions; to
identify account delinquencies and prepare customer reminder notices; to mail refunds on canceled layaway or special orders; to process
purchase refunds; to document receipt from customer of merchandise subsequently returned to vendors for repair or replacement, shipping/
delivery information, and initiate follow up actions; to monitor individual customer refunds; to perform data analysis and data research that
helps the Exchange understand the purchasing behavior of customers and better meet the needs, affinities and wants of our customers; to
improve efficiency of marketing system(s); and, to help detect and prevent criminal activity, and identify potential abuse of exchange
privileges.
To collect debts due to the United States in the event a patron's medium of payment is declined or returned unpaid.

To monitor purchases of restricted items outside the United States, its territories and possessions, as necessary to prevent black marketing in
violation of treaties or agreements, and to comply with age restrictions applicable to certain purchases by minors or those under allowable
ages.
To create, maintain and enhance system and mobile device shopping capability allowing authorized patrons to order Exchange retail products
on-line through their home computer, mobile device or other method through which the patron can access the Internet, and to pay for such
purchases electronically either at the time of ordering or at the time of pick up.

DD FORM 2930, FEB 2025

PREVIOUS EDITION IS OBSOLETE.

Page 1 of 11

To create Exchange patron profiles for the purposes of determining aggregate patron demographic data for use in responding to individual
patron inquiries, assessing aggregate patron satisfaction with the delivery of the Exchange benefit, and in determining the appropriate
product availability meeting the Exchange customers' current and future needs and wants.
To aid the Exchange management in determining needs of customers and action required to settle customer complaints and to notify potential
customers who voluntarily provide their e-mail address and other personal information to receive information about special events, sales, and
other information about shopping at the Exchange, and to improve the efficiency and effectiveness of the Exchange's marketing programs.
d. Why is the PII collected and/or what is the intended use of the PII? (e.g., verification, identification, authentication, data matching, mission-related use,
administrative use)

Personally identifiable information (PII) is collected for verification and identification for DoD benefits and to apply for a Military Star
Card. PII may also be used for clarification and matching files with the correct individual to address issues with orders, shipments,
collection of debts, interactions with financial institutions, or provide benefits to the individual from any exchange, MWR, DeCA, or any
other retail and service organization within the Department of War.

e. Do individuals have the opportunity to object to the collection of their PII?

Yes

No

(1) If "Yes," describe the method by which individuals can object to the collection of PII.
(2) If "No," state the reason why individuals cannot object to the collection of PII.

The Exchange Customer Contact Database (CCD) is updated by Defense Manpower Data Center (DMDC) through an automated hourly
asynchronous feed (BBS). When an individual has a valid Exchange, Commissary, or MWR flag—or when DMDC updates a record—those
changes are sent directly to the Exchange. This routine process ensures we maintain accurate, timely data for authenticating Exchange and
MWR privileges. Other times the collection of information is triggered solely by the individual's desire to communicate to the Exchange or
another DoW entity for the purpose of verification and identity as a patron or to gain Government privileges. Collection is done "as needed"
or "on occasion" and to provide feedback or obtain service as an authorized patron of any exchanges, MWR, DeCA, or other federal entity
for whom the Exchange offers authenticating assistance.

f. Do individuals have the opportunity to consent to the specific uses of their PII?

Yes

No

(1) If "Yes," describe the method by which individuals can give or withhold their consent.
(2) If "No," state the reason why individuals cannot give or withhold their consent.

Individuals have some rights in consenting to the use of their PII in areas such as marketing, advertising, third party partners, or use of
cookies when shopping online. More details are available online at https://www.shopmyexchange.com/cp/static-pages/terms-and-conditions.
g. When an individual is asked to provide PII, a Privacy Act Statement (PAS) and/or a Privacy Advisory must be provided. (Check as appropriate and
provide the actual wording.)
Privacy Act Statement

PRIVACY ACT STATEMENT

Privacy Advisory

Not Applicable

Privacy Act Statement
AUTHORITY: Federal Claims Collection Act of 1966 (Pub. L. 89-508, as amended) and Debt Collection Act of 1982 (Pub. L. 97-365, as
amended), as amended by the Debt Collection Improvement Act of 1996 (Pub. L. 104-134, section 31001) as codified in 31 U.S.C. 3711,
Collection and Compromise Activities; 10 U.S.C. 2481, Defense Commissary and Exchange Systems: Existence and Purpose; 10 U.S.C.
1146, Commissary and Exchange Benefits; 10 U.S.C. 2488, Combined Exchange and Commissary Stores; 14 U.S.C. 152, Nonappropriated
Fund Instrumentalities; DoD Instruction (DoDI) 1330.21, Armed Services Exchange Regulation; DoDI 1330.17, DoD Commissary Program;
DoDI 1330.09, Armed Services Exchange Policy; DoDI 1330.21, Armed Services Exchange Regulations; DoD 7000.14-R, Department of
Defense Financial Management Regulation Volume 13: “Nonappropriated Funds Policy” and Volume 16: “Department of Defense Debt
Management”; Army Regulation 215-8 / Department of the Air Force Instruction 34-110(I), Army and Air Force Exchange Service
Operations; and E.O. 9397 (SSN), as amended.
PRINCIPAL PURPOSE(S): Information is collected to authenticate patron eligibility and is used to enable and assist military exchanges,
MWR, and DeCA in their efforts to optimize shopping experiences; support regulatory requirements; record transactions; process payments;
monitor compliance with Federal laws, local laws, and treaties; process credit applications; and authenticate purchases for fraud detection,
abuse of privileges, and loss prevention.
ROUTINE USE(S): Records may be disclosed outside of DoD pursuant to Title 5 U.S.C. §552a(b)(3) regarding DoD “Blanket Routine
Uses” published at dpcld.defense.gov. This includes disclosure to contractors for improvement of service exchange programs, to incentive
programs, and pursuant to 5 U.S.C. 552a (b)(12) to a consumer reporting agency. In addition, records may be disclosed to Federal agencies,
and state, local and territorial governments, to U.S. Postal Service in order to provide claim and postal authorities with confirmation/certification
of shipment for customer claims for damage or lost shipments and to audit firms under contract with the service exchange to
collect delinquency accounts.

DISCLOSURE: Voluntary. However, failure to provide all requested information may result in denial of access to services or to specific
shopping websites.
The Exchange Privacy Policy is available online at https://www.shopmyexchange.com/cp/static-pages/terms-and-conditions.
Each collection of PII may contain additional privacy act notices regarding the specific collection and its purpose.
PRIVACY NOTICE
Protecting your privacy is important to us. We adhere to the Privacy Act, 5 U.S.C. 552 et seq., as well as the Right to Financial Privacy Act,
12 U.S.C. 3401 et seq. We collect nonpublic personal information about you from the following sources:

• Information we receive from you on applications or other forms;
• Information about your transactions with us or others; and
• Information we receive from a consumer reporting agency.

We do not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law. We
restrict access to nonpublic personal information about you to those employees who need to know that information to provide products or
services to you. We maintain physical, electronic, and procedural safeguards that comply with federal standards to guard your nonpublic
personal information.

h. With whom will the PII be shared through data/system exchange, both within your DoD Component and outside your Component?
(Check all that apply)
Within the DoD Component
Specify. Marketing, Information Technology, Customer Service and Relations, e-Commerce, Logistics, Counsel Staff, Human
Resources, Loss Prevention, Exchange Credit Program, Inspector General

Other DoD Components (i.e. Army, Navy, Air Force)
Specify. Department of Defense Manpower Data Center (DMDC); Department of the Navy and Marines including MCX and
NexCom; Department of the Air Force including USAF Space Force; Department of the Army; Morale, Welfare, and
Recreation (MWR); Department of Defense's Inspector General Offices, Department of Defense Offices of Special
Investigators, Defense Commissary Agency (DeCA), and other DoW entities as required by law or for operational needs.

Other Federal Agencies (i.e. Veteran’s Affairs, Energy, State)
Specify. Department of the Coast Guard, Department of Veterans Affairs, U.S. Department of Homeland Security,
Department of Justice, U.S. Attorneys, U.S. Treasury, U.S. Postal Service.

State and Local Agencies
Specify. State and Local Law Enforcement Agencies and Counsels

Contractor (Name of contractor and describe the language in the contract that safeguards PII. Include whether FAR privacy
clauses, i.e., 52.224-1, Privacy Act Notification, 52.224-2, Privacy Act, and FAR 39.105 are included in the contract.)
Specify. TransWorld Services, Inc., other Debt Collection Agencies; Exchange Third-Party Partners, Logistics/Shippers/Carriers

Other (e.g., commercial providers, colleges).
Specify. Vendors and Manufacturers of Merchandise sold, Consumer Credit Bureaus, and delivery services.

i. Source of the PII collected is: (Check all that apply and list all information systems if applicable)
Individuals

Databases

Existing DoD Information Systems

Commercial Systems

Other Federal Information Systems

The majority of information is provided by the individual. Some individuals provide more data than that which is asked. Verification is
made through the Defense Enrollment Eligibility Reporting System (DEERS). Other data is obtained from Federal agencies such as MWR,
DeCA, exchange, etc.
j. How will the information be collected? (Check all that apply and list all Official Form Numbers if applicable)

E-mail

Official Form (Enter Form Number(s) in the box below)

In-Person Contact

Paper

Fax

Telephone Interview

Information Sharing - System to System

Website/E-Form

Other (If Other, enter the information in the box below)

Main source of data is through a secured online Website, ShopmyExchange.com or myECP.com. Individuals may choose to provide data
verbally or through email or paper forms.
k. Does this DoD Information system or electronic collection require a Privacy Act System of Records Notice (SORN)?
A Privacy Act SORN is required if the information system or electronic collection contains information about U.S. citizens or lawful permanent U.S. residents that
is retrieved by name or other unique identifier. PIA and Privacy Act SORN information must be consistent.

Yes

No

If "Yes," enter SORN System Identifier

DoD 0018

SORN Identifier, not the Federal Register (FR) Citation. Consult the DoD Component Privacy Office for additional information or
http://dpcld.defense.gov/Privacy/SORNs/
or
If a SORN has not yet been published in the Federal Register, enter date of submission for approval to Defense Privacy, Civil Liberties, and Transparency
Division (DPCLTD). Consult the DoD Component Privacy Office for this date.
If "No," explain why the SORN is not required in accordance with DoD Regulation 5400.11-R: Department of Defense Privacy Program.

n/a

l. What is the National Archives and Records Administration (NARA) approved, pending or general records schedule (GRS) disposition authority
for the system or for the records maintained in the system?
(1) NARA Job Number or General Records Schedule Authority.
DAA-GRS-2017-0002-0002, DAA-GRS-2013-0003-0001, 0002,
NN-173-119, NN-170-71, NC1-334-80-2

(2) If pending, provide the date the SF-115 was submitted to NARA.
n/a

(3) Retention Instructions.
Varies. Some are temporary. Others range from 1-2 years or 6 years after the final payment is obtained to pay off debt. Records pertaining to
patronage are maintained as long as the individual is authorized as a patron. Information on paper media or microchip is destroyed by cross
shredding at the regulated time of destruction. Electronic information is destroyed by removing it from the database and deleting all
sources of data in electronic format.
m. What is the authority to collect information? A Federal law or Executive Order must authorize the collection and maintenance of a system of
records. For PII not collected or maintained in a system of records, the collection or maintenance of the PII must be necessary to discharge the
requirements of a statute or Executive Order.
(1) If this system has a Privacy Act SORN, the authorities in this PIA and the existing Privacy Act SORN should be similar.
(2) If a SORN does not apply, cite the authority for this DoD information system or electronic collection to collect, use, maintain and/or disseminate PII.
(If multiple authorities are cited, provide all that apply).

(a) Cite the specific provisions of the statute and/or EO that authorizes the operation of the system and the collection of PII.

(b) If direct statutory authority or an Executive Order does not exist, indirect statutory authority may be cited if the authority requires the
operation or administration of a program, the execution of which will require the collection and maintenance of a system of records.

(c) If direct or indirect authority does not exist, DoD Components can use their general statutory grants of authority (“internal housekeeping”) as
the primary authority. The requirement, directive, or instruction implementing the statute within the DoD Component must be identified.

Federal Claims Collection Act of 1966, (Pub. L. 89–508, as amended) and Debt Collection Act of 1982 (Pub. L. 97–365, as amended), as
amended by the Debt Collection Improvement Act of 1996 (Pub. L. 104–134, section 31001) as codified in 31 U.S.C. 3711, Collection and
Compromise Activities; 10 U.S.C. 2481, Defense Commissary and Exchange Systems: Existence and Purpose; 10 U.S.C. 1146, Commissary
and Exchange Benefits; 10 U.S.C. 2488, Combined Exchange and Commissary Stores; 14 U.S.C. 152, Non-appropriated Fund
Instrumentalities; DoD Instruction (DoDI) 1330.21, Armed Services Exchange Regulation; DoDI 1330.17, DoD Commissary Program;
DoDI 1330.09, Armed Services Exchange Policy; DoDI 1330.21, Armed Services Exchange Regulations; DoD 7000.14–R, Department of
Defense Financial Management Regulation Volume 13: “Nonappropriated Funds Policy” and Volume 16: “Department of Defense Debt
Management”; Army Regulation 215-8/Department of the Air Force Regulation 34-110 (I), and E.O. 9397 (SSN), as amended.
n. Does this DoD information system or electronic collection have an active and approved Office of Management and Budget (OMB) Control
Number?
Contact the Component Information Management Control Officer or DoD Clearance Officer for this information. This number indicates OMB approval to
collect data from 10 or more members of the public in a 12-month period regardless of form or format.
Yes

No

Pending

(1) If "Yes," list all applicable OMB Control Numbers, collection titles, and expiration dates.
(2) If "No," explain why OMB approval is not required in accordance with DoD Manual 8910.01, Volume 2, " DoD Information Collections Manual:
Procedures for DoD Public Information Collections.”
(3) If "Pending," provide the date for the 60 and/or 30 day notice and the Federal Register citation.

0702-0137, Exchange Credit Program, OMB Expires 31 OCT 2025 (pending OMB re-approval).


File Type: application/pdf
File Title: DD Form 2930, "Privacy Impact Assessment (PIA)".pdf
Author: Schreurs, Teresa L.
File Modified: 2025-12-04
File Created: 2025-12-04
