Privacy Program information

The command's privacy program serves to advise and make recommendations to command leadership for the establishment of privacy priorities. The Privacy Office is also responsible for the development of privacy policies, procedures, and guidance essential to safeguarding the collection, access, use, dissemination, and storage of personally identifiable information (PII), business identifiable information (BII), and Privacy Act information. The mission of the AFRICOM Privacy Office is to ensure that the personal data of everyone who is assigned to or who interacts with the command is appropriately managed and protected.

 The U.S. Africa Command Privacy Office ensures command compliance with regulatory requirements and legislated mandates governing those programs.

•     Privacy Act of 1974 (as amended 5 U.S.C. § 552a) ;

• Office of Management and Budget (OMB) guidance for information systems
• OMB Circulars A-108 and A-130
• Government Paperwork Reduction Act
• E-Government Act of 2002
• Federal Information Modernization Act of 2014 (FISMA)
• National Institute of Standards and Technology (NIST) Privacy Standards

AFRICOM also ensures that activities within the functional areas of:

• Integrating with leadership, command directorates and staff to understand VA mission critical systems and where PHI/PII resides
• Establishing privacy risk policy and best practices for information management and sharing information within DoD and partners
• Training and educating the command staff on the implementation of privacy best practices
• Integrating with cybersecurity and systems management efforts to ensure appropriate privacy protections are identified, acquired, and implemented
• Ensuring that acquisitions instruments adhere to privacy best practices

U.S. Africa Command Staff: to report a privacy incident, call DSN 119

U.S. Africa Command internal documents (link coming soon)

System of Records Notices (link coming soon)

Privacy Impact Assessments:

• U.S. Africa Command public website (africom.mil)
• U.S. Africa Command official Facebook page
• U.S. Africa Command official Instagram account
• U.S. Africa Command official Twitter account
• U.S. Africa Command official YouTube channel
• U.S. Africa Command COVID-19 Vaccination Tracker
• U.S. BICES-X AC BILATS system
• AFRICOM Enterprise Network NIPR
• AFRICOM Enterprise Network SIPR
• Global Command & Control System JOINT
• Software Defined Data Center OBM
• USBICES-X CSfC
• WICKR Recall Alert and Messaging

Privacy Policies:

• U.S. Africa Command Privacy Program
• U.S. Africa Command Privacy Incident Response

Privacy Resources

Privacy-related Legislation

All linked documents are in PDF.

• The Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501-06) (COPPA) regulates the online collection and use of personal information provided by and relating to children under the age of 13.
• The Clinger-Cohen Act of 1996 (40 U.S.C. 1401, et. seq.) (CCA), formerly the Information Technology Management Reform Act of 1996 (ITMRA), is designed to improve the way the federal government acquires, uses and disposes information technology (IT).
• The E-Government Act of 2002 (44 U.S.C. 3601 et. seq.) establishes procedures to ensure the privacy of personal information in electronic records.
• The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA). The CIPSEA protects the confidentiality of identifiable information acquired by federal agencies. It applies to data supplied by individuals and organizations to federal agencies under a pledge of confidentiality for statistical purposes. CIPSEA provides that data or information acquired by an agency under a pledge of confidentiality for exclusively statistical purposes shall not be disclosed by an agency in identifiable form, for any use other than an exclusively statistical purpose, except with the informed consent of the respondent.
• The Federal Information Security Management Act of 2002, (44 U.S.C. § 3541)(FISMA), requires agencies to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of an agency. FISMA requires federal government information systems to have security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction. FISMA requires a mandatory set of IT system security processes that must be followed for all federal information systems. Compliance is monitored through yearly audits. The annual reports must include: 1) by agency, the number of each type of privacy review conducted that year; 2) information about the privacy advice provided by the Senior Agency Official for Privacy; 3) the number of written complaints for each type of privacy issue allegation received, and 4) the number of complaints the agency referred to another agency.
• Freedom of Information Act (5 U.S.C. 552, as amended) (FOIA) generally provides that any person, including a business, to obtain access to federal agency records, except to the extent that such records (or portions of them) are protected from public disclosure by one of nine exemptions or by one of three special law enforcement record exclusions. The FOIA is a disclosure statute and applies to records that are: (1) either created or obtained by an agency, and (2) under agency control at the time of the FOIA request. When an agency receives a proper FOIA request for records, it must make the records "promptly available" unless the records or portions of the records are exempt from mandatory disclosure under subsection (b), or excluded under subsection (c). Subsection (c) permits an agency to respond to a request for excluded records as if the records do not exist.
• The Privacy Act of 1974, (5 U.S.C. § 552a), is a withholding statute that applies when the federal government maintains a “system of records” (a grouping of items or records) in which information about individuals is retrieved by use of the individuals’ personal identifiers (e.g., names, social security numbers, or any other codes or identifiers that are assigned to the individual). The Privacy Act of 1974 and its implementing regulations: 1) Prohibit the disclosure of personally identifiable information maintained by agencies in a system of records without the consent of the subject individual, subject to twelve codified exceptions; (2) Grant individuals increased rights of access to agency records maintained on them; (3) Grant individuals the right to seek amendment of agency records maintained on them upon a showing that the records are not accurate, relevant, timely, or complete; and (4) Establish a code of "fair information practices," requiring agencies to comply with statutory norms for collection, maintenance, and dissemination of records.
• Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501, et seq.) is designed to reduce the public’s burden of answering unnecessary, duplicative, and burdensome government surveys.
• Records Management by Federal Agencies (44 U.S.C. ch. 31), as amended, establishes the framework for records management programs in Federal agencies. As the primary agency for records management oversight, the National Archives and Records Administration (NARA) is responsible for assisting Federal agencies in maintaining adequate and proper documentation of policies and transactions of the Federal government. See General Records Schedule 4.2: Information Access and Protection Records.

Office of Management and Budget guidance

• Privacy Act Implementation (July 9, 1975)
• Privacy Act Responsibilities for Implementing the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (Nov. 3, 1997)
• M-99-05, Instructions on Complying with President’s Memorandum of May 14, 1998, “Privacy and Personal Information in Federal Records” (Jan. 7, 1999) Biennial Privacy Act and Computer Matching Reports (June 1998)
• M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999)
• Status of Biennial Reporting Requirements under the Privacy Act and the Computer Matching and Privacy Protection Act (June 21, 2000)
• M-00-13, Privacy Policies and Data Collection on Federal Web Sites (June 22, 2000) (Rescinded by OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010))
• Letter from John Spotila to Roger Baker, Cookies Letter (clarification of OMB Cookies Policy) (Sept. 5, 2000).
• M-01-05, Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy (Dec. 20, 2000) reminds agencies of several privacy-related legal requirements that apply to computer matching and to clarify how agencies should conduct computer matching activities.
• OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (Sept. 26, 2003) requires agencies to conduct reviews of how information about individuals is handled when information technology is used to collect new information, or when agencies develop or buy new IT systems to handle collections of personally identifiable information, and describes how the agency handles information that individuals provide electronically.
•  M-05-04, Policies for Federal Agency Public Websites (Dec. 17, 2004) explains that the efficient, effective and appropriately consistent use of federal agency public websites is important to promote a more citizen-centered government. 
• OMB Memo M-05-08, Designation Senior Agency Officials for Privacy sets forth the requirement that federal agencies designate a senior official who has the overall agency-wide responsibility for information privacy issues.
• OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies establishes new procedures and provides updated guidance and requirements for agency use of web measurement and customization technology.
• OMB Memorandum M-10-23, Guidance for Agency use of Third-Party Websites and Applications requires federal agencies to take specific steps to protect the individual privacy whenever they use third-party websites and applications to engage with the public.
• OMB Memorandum M-11-02, Sharing Data While Protecting Privacy (Nov. 3, 2010) requires agencies to develop and implement solutions that allow data sharing to move forward in a manner that complies with applicable privacy laws, regulations and policies.
• OMB Memorandum M-14-04, Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management provides agencies with instructions for meeting their agencies’ fiscal year reporting requirements under the Federal Information Security Management Act and includes reporting instructions on agencies’ privacy management program.
• OMB Memorandum M-14-06, Guidance for Providing and Using Administrative Data for Statistical Purposes provides agencies with guidance for addressing the legal, policy and operational issues that exist with respect to using administrative data for statistical purposes.
• OMB Memorandum M-15-01, Guidance on Improving Federal Information Security and Privacy Management Practices identifies the Obama Administration's information security priorities, provides agencies with FISMA and Privacy Management reporting guidance and deadlines, and establishes new policy guidelines to improve Federal information security posture.
• OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government identifies and addresses critical cybersecurity gaps and emerging priorities, and makes specific recommendations to address those gaps and priorities. The CSIP was developed to assist to strengthen federal civilian cybersecurity through the following five objectives:
  • prioritized identification and protection of high value information and assets
  • timely detection of and rapid response to cyber incidents
  • rapid recovery from incidents when they occur and accelerated adoption of lessons learned from the Sprint assessment
  • recruitment and retention of the most highly-qualified cybersecurity workforce talent the federal government can bring to bear
  • efficient and effective acquisition and deployment of existing and emerging technology
• OMB Memorandum M-16-14 Category Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response (July 1, 2016), which requires federal agencies, with limited exceptions, to address their requirements, when they need to identify protection services, by using the government-wide blanket purchase agreements for Identity Monitoring Data Breach Response and Protection Services awarded by the General Services Administration.
• OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy revises policies on the role and designation of the Senior Agency Official for Privacy, as required by Executive Order 13719, Establishment of the Federal Privacy Council.
• OMB Memorandum 17-05, Fiscal Year 2016 – 2017 Guidance on Federal Information Security and Privacy Management Requirements establishes current administration information security priorities and provides agencies with fiscal year 2016-17 Federal Information Security Modernization Act and privacy management reporting guidance and deadlines. OMB M-17-05 provides federal agencies with timelines and requirements for quarterly and annual reporting, establishes detailed instructions for preparing the annual agency FISMA reports, and provides updates to the definition of “major incident” and the U.S. Computer Emergency Readiness Team Incident Notification Guidelines.
• OMB Memorandum 17-06, Policies for Federal Agency Public Websites and Digital Services (Nov. 8, 2016), updates policies regarding federal agency public websites and digital services and requires that each agency maintain a central resource page dedicated to its privacy program on the agency’s principal website. The agency’s Privacy Program page must serve as a central source for information about the agency’s practices with respect to PII. The agency’s Privacy Program Page must be located at www.[agency].gov/privacy and must be accessible through the agency’s “About” page.
• OMB Memorandum 17-09, Management of Federal High Value Assets contains general guidance for the planning, identification, categorization, prioritization, reporting, assessment, and remediation of federal High Value Assets, as well as the handling of information related to HVAs by the federal government.
• OMB M-17-12 Preparing for and Responding to a Breach of Personally Identifiable Information (Jan. 3, 2017) states: “each agency’s Senior Agency Officials of Privacy is required to update its respective agency’s data breach response plan and submit it to OMB within 180 days following the release of the memorandum.” This memorandum rescinds and replaces OMB M-07-16, M-06-19 and M-06-15. The memorandum is directed at the SAOP, and requires the agencies to update and submit the following action plans to OMB by June 3, 2017:  
  • breach response planning; breach response team
  • identified privacy compliance documentation
  • pertinent information sharing
  • reporting requirements
  • assessing risk of harm
  • mitigating risk of harm
  • notifying individuals potentially affected
• OMB Memorandum 21-04, Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act (Nov. 12, 2020) provides guidance for federal agencies to modernize the processes by which individuals may request access to, and consent to the disclosure of, records protected under the Privacy Act of 1974. As required by the Creating Advanced Streamlined Electronic Services for Constituents Act of 2019 ("CASES Act"), this guidance outlines the responsibilities of agencies for accepting access and consent forms provided in a digital format from individuals who are properly identity-proofed and authenticated.  

OMB Circulars

• OMB Circular A-108 (Dec. 23, 2016) the reissuance of Circular A-108 describes agency responsibilities for implementing the review, reporting and publication requirements of the Privacy Act of 1974 and related OMB policies. It supplements and clarifies existing OMB guidance, including OMB Circular No. A-130, “Managing Information as a Strategic Resource,” “Privacy Act Implementation: Guidelines and Responsibilities,” “Implementation of the Privacy Act of 1974: Supplementary Guidance,” and “Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988.”
• OMB Circular A-130 (July 28, 2016) Management of Federal Information Resources, provides uniform government-wide information resources management policies as required by the Paperwork Reduction Act of 1980, as amended by the Paperwork Reduction Act of 1995, 44 U.S.C. Chapter 35. This Circular establishes policy for the management of Federal information resources and rescinds OMB Memoranda M-10-28, “Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security.”

DoD Privacy Issuances

• DoDI 5400.11 "DoD Privacy and Civil Liberties Programs", Jan. 29, 2019

• DoD 5400.11-R "Department of Defense Privacy Program" May 14, 2007

• DoDI 1000.30 "Reduction of Social Security Number Use Within DoD" Aug. 1, 2012

• DoDD 5400.11 "DoD Privacy Program"

Consent for disclosure of records protected under the Privacy Act

If you are providing consent and authorizing the agency to disclose your records to another person or entity, please provide the information below. A parent seeking access to the records of a minor, or a legal guardian seeking access to the records of a person adjudged by a court of competent jurisdiction to be incompetent due to a physical or mental incapacity may also use this form.

Information required for identity-proving and authentication

This information is required for the agency to verify your identity. 

• Full Name
• Current address
• Copy of Military ID, U.S. state-issued identification card, or country-issued passport

If applicable, information for request by parent or legal guardian

This information is being requested as defined in 5 U.S.C. § 552a(h) and in accordance with Department of Defense policy and regulations implementing 5 § 552a(h).

• Name of record subject 
• Copy of Legal Guardianship Court Order (if applicable)
• Date of Birth (if requesting records for individual below the age of majority)

Information required to locate the record(s)

This information is required for the agency to be able to match the individual's information provided in this request with the records that pertain to that individual. 

• Description of Records Being Requested
  1. Information being sought
  2. Name of office where believed to be maintained
  3. Name of form or document on which the information is found

Other information to identify the record subject

• Electronic Data Interchange Personal Identifier (EDIPI) a.k.a. DOD ID 
• Date of Birth
• The address where you would like to receive the records 

Declaration of identity

All requests for records must be submitted with the following statement or they will not be processed:

“I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct, and that I am the person named above and requesting access to my records or records that I am entitled to request as the parent of a minor or the legal guardian of person adjudged by a court of competent jurisdiction to be incompetent due to a physical or mental incapacity, and I understand that any falsification of this statement is punishable under the provisions of 18 U.S.C. § 1001 by a fine, imprisonment of not more than five years, or both, and that requesting or obtaining any record(s) under false pretenses is punishable under the provisions of 5 U.S.C. § 552a(i)(3) by a fine of not more than $5,000.” 

Privacy Act statement

In accordance with DoD 5400.11-R,Department of Defense Privacy Program, personal information sufficient to identify the individuals requesting access to records under the Privacy Act of  1974, 5 U.S.C. § 552a, is required. The purpose of this solicitation is to ensure that the records of individuals who are the subject of systems of records are not wrongfully disclosed by U.S. Africa Command [Information about published routine uses to which the information is subject.] Requests will not be processed if this information is not furnished. False information on this form may subject the requester to criminal penalties under 18 U.S.C. § 1001 and/or 5 U.S.C. § 552a(i)(3). 

Contact us

To submit a privacy-related question or complaint, reach us by email or phone: +49 (0)711.7081.0066, and +49 (0)711.7081.0339