Please join Jennifer Schaus & Associates every Wednesday in 2021 for a complimentary Wednesday series. See the full recording on our YouTube Channel (https://www.youtube.com/watch?v=51FO9MEvcvs). For more information about our federal contracting services please visit http://www.Jenniferschaus.com or contact us at 202-365-0598. Win more federal government contracts!
Gov Con - DFARS Part 224 - Protection Of Privacy And Freedom Of Information
1. DFARS - 2021 - Defense Federal Acquisition Regulation Supplement
Complimentary Webinar Series
JSchaus & Associates – Washington, DC – hello@JenniferSchaus.com
2. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
About The Series
- Complimentary Webinar Series
- Every Wednesday at 12pm EST
- Recorded and posted on our website and YouTube Channel
- Speakers are attorneys, consultants, subject matter experts in defense contracting
3. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
The National Veteran Small Business Coalition (NVSBC) is the largest non-profit trade association in the country representing veteran and service-disabled veteran-owned small businesses in the federal marketplace as prime and subcontractors. NVSBC provides networking, match-making, coaching, and training opportunities for members.
Please visit: www.nvsbc.org
4. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
Full training calendar: virginiaptac.org & useful links
Register for free counseling: https://virginiaptac.org/services/counseling/
Your “one stop” shop for Government Contracting assistance
Reach us at ptac@gmu.edu or 703-277-7750
This procurement technical assistance center is funded in part through a cooperative agreement with the Defense Logistics Agency.
7. Judy Bradt, CEO
The Art Of Human Connection In The Federal Arena
The right data. For the right conversations. With the right people. At the right time.
Judy.Bradt@GrowFedBiz.com
• Activate your custom sales plan.
• Meet your Federal Humans sooner.
• Grow your Federal Business.
8. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
Title | Date | Registration Link | Partner
GSA In Focus: Requirements, Considerations & Power | June 10, 2021, 12:00pm – 1:30pm | https://info.fedmine.us/en/fedmine-webinar-gsa-in-focus |
Marketing and Messaging for Gov Cons 101 With Live Q&A | July 01, 2021, 4:00pm – 6:00pm | https://catalystcenter.ecenterdirect.com/events/971443 |
GSA Schedule: What’s In It For You? (Virtual) | July 08, 2021, 12:30pm – 2:00pm | https://attendee.gotowebinar.com/rt/1904645922152546572 |
9. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
About Us
- Professional services for federal contractors
- Market Analysis
- Proposal Writing / Pricing
- Contract Compliance & Administration
10. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
Advertise In Our Newsletter:
Reach 23,000+ Subscribers! Includes
Government & Government Contractors
Hello@JenniferSchaus.com
12. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
About Our Speaker
Daniel H. Ramish
Smith Pachter McWhorter PLC
dramish@smithpachter.com
703-847-6306
Disclaimer: The content of this presentation is not intended to serve as legal
advice related to any individual situation. This material is made available for
information purposes only.
13. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DFARS Part 224
Protection of Privacy and Freedom of Information
Wednesday, 02 June 2021
14. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DFARS Part 224: Protection of Privacy and Freedom of Information
Agenda
• DFARS Part 224
• Background
  • What is the Privacy Act of 1974 (Privacy Act)?
  • What is the Freedom of Information Act (FOIA)?
  • FAR Part 24
• DoD Privacy Program
  • DoD Instruction 5400.11 DoD Privacy and Civil Liberties Program
  • DoD 5400.11-R Department of Defense Privacy Program
• DoD FOIA Program
  • DoD Directive 5400.7 DoD Freedom of Information Act Program
  • DoD Manual 5400.7 DoD Freedom of Information Act Program
15. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
SUBPART 224.1—PROTECTION OF INDIVIDUAL PRIVACY
224.103 Procedures.
(b)(2) DoD rules and regulations are contained in DoDD 5400.11, Department of Defense Privacy
Program, and DoD 5400.11-R, Department of Defense Privacy Program.
SUBPART 224.2—FREEDOM OF INFORMATION ACT
224.203 Policy.
(a) DoD implementation is in DoDD 5400.7, DoD Freedom of Information Act Program, and DoD
5400.7-R, DoD Freedom of Information Act Program.
16. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
Background: What is the Privacy Act of 1974?
• The Privacy Act, 5 U.S.C. § 552a, regulates the collection, maintenance, use and dissemination of personal
information by federal executive agencies. Generally prohibits federal agencies from disclosing records
containing an individual’s personal data without their consent, enforced by civil and criminal penalties.
• Grants individuals rights relating to government records, including:
1) Right to access government records relating to yourself, subject to certain exemptions;
2) Right to amend a nonexempt record if it is inaccurate, irrelevant, untimely or incomplete;
3) Right to sue the Government for violations of the statute, e.g. if unauthorized persons gain access to
records with your information (minimum $1,000 civil penalty per unauthorized disclosure).
• Imposes rules and requirements on agencies, e.g.:
• Requires information about individuals be collected directly from the subject individual to the greatest
extent practicable when it may affect their rights, benefits or privileges under federal programs;
• Requires agencies to ensure that their records are accurate, relevant, timely, and complete; and
• Restricts collection of certain types of information, such as information regarding exercise of First
Amendment rights.
17. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
Background: What is the Privacy Act of 1974?
Applicability to Contractors:
• 5 U.S.C. § 552a (m)(1) Government contractors. – When an agency provides by a contract for the operation
by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall,
consistent with its authority, cause the requirements of this section to be applied to such system. For
purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such
contract is agreed to on or after the effective date of this section, shall be considered to be an employee of
an agency.
• Triggered by contract for operation of a system of records.
• Civil penalties do not apply to contractors.
• Criminal penalties may apply to contractors and contractor employees.
18. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
Background: FAR Part 24 – Protection of Privacy and Freedom of Information
Subpart 24.1 – Protection of Individual Privacy
Definitions:
• Operation of a system of records means performance of any of the activities associated with maintaining the system of
records, including the collection, use, and dissemination of records.
• Personally identifiable information means information that can be used to distinguish or trace an individual's identity, either
alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management
and Budget (OMB) Circular No. A-130, Managing Federal Information as a Strategic Resource).
• Record means any item, collection, or grouping of information about an individual that is maintained by an agency, including,
but not limited to, education, financial transactions, medical history, and criminal or employment history, and that contains the
individual’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a
fingerprint or voiceprint or a photograph.
• System of Records means a group of any records under the control of any agency from which information is retrieved by the
name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
19. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
Background: FAR Part 24 – Protection of Privacy and Freedom of Information
Subpart 24.1 – Protection of Individual Privacy
Contracting officer determines whether contract will involve design, development, or operation of system of records on
individuals to accomplish an agency function. If so, the agency must apply the requirements of the Privacy Act to the Contractor
and its employees working on the contract. CO shall:
• Ensure statement of work specifically identifies the system of records on individuals and the design, development or operation
work to be performed.
• Make agency rules and regulations implementing the Privacy Act available to contractor, in accordance with agency
procedures.
• Insert in solicitations and contracts:
• FAR 52.224-1, Privacy Act Notification
• FAR 52.224-2, Privacy Act
See also FAR Subpart 24.3 – Privacy Training; FAR 52.224-3, Privacy Training
20. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
Background: What is the Freedom of Information Act (FOIA)?
• FOIA, 5 U.S.C. § 552, establishes right of access to government information based on principles of
transparency and accountability.
• Any person may request and obtain without explanation or justification, existing, identifiable, and
unpublished agency records on any topic, subject to exemptions and exclusions.
• Presumption of access to agency records unless subject to one of nine exemptions or three
exclusions.
• Applies to federal executive agencies; does not apply to Congress, federal or state courts, state
governments, or members of U.S. intelligence community.
• States have FOIA-equivalent laws and regulations.
21. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
Background: What is the Freedom of Information Act (FOIA)?
FOIA Exemptions:
1. Information classified as secret for national defense or foreign policy purposes.
2. Information solely related to agency internal personnel rules and practices.
3. Information prohibited from disclosure by another federal law.
4. Privileged or confidential trade secrets, commercial, or financial information.
5. Inter- or intra-agency memoranda or letters that would not be available by law except to another agency in
litigation (e.g., protected by deliberative process privilege, attorney-client privilege, or work product protection).
6. Personnel, medical, or similar files.
7. Certain records compiled for law enforcement purposes.
8. Information relating to regulation or supervision of financial institutions.
9. Geological and geophysical information and data concerning wells.
22. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
Background: FAR Part 24 – Protection of Privacy and Freedom of Information
Subpart 24.2 – Freedom of Information Act
• Notes that FOIA provides for making information available to the public by (a) publication in the Federal Register, (b) providing
an opportunity to read and copy documents or (c) upon request, providing a copy of a reasonably described record.
• Prohibits disclosure of: proposals submitted in response to a competitive solicitation unless incorporated in a contract; FOIA-
exempt data obtained pursuant to FAR 15.403-3(b) (data needed despite adequate price competition to determine price
reasonableness (obtained from sources other than the offeror to the maximum extent practicable) or cost realism, or to
evaluate competing approaches); or dispute resolution communications between a neutral and a party to alternative dispute
resolution.
• Contracting officers are cautioned that they may receive requests for records exempt from disclosure under FOIA, with the
exemptions most often applicable: classified information, trade secrets and confidential commercial or financial information,
interagency or intra-agency memoranda, or personal and medical information pertaining to an individual. Other exemptions
are for agency personnel practices and law enforcement. Contracting officers are required to comply with agency
implementing regulations and are advised to consult agency FOIA officers.
23. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD Privacy Program
Sample Complaint #1:
Description of Complaint: Complainant claimed an individual placed an SF 3107
(Application for Immediate Retirement) belonging to one civil service employee in
another civil service employee’s Official Personnel File (OPF).
Findings: Substantiated. The inquiry conducted confirmed the allegation. There
was additional training provided to personnel and department staff. The document
was refiled and the complainant was notified. The issue was referred to the
command for disciplinary action.
Disposition: Responsive Action Taken.
Sample Complaint #2:
Description of Complaint: Complainant claimed an individual accessed an
employee’s Official Personnel File (OPF) without authorization after finding the
OPF on a printer.
Findings: Substantiated. The inquiry conducted confirmed the allegation.
Additional training was provided to personnel and department staff. The
complainant was notified. The issue was referred to the command for disciplinary
action.
Disposition: Responsive Action Taken.
DoD Privacy and Civil Liberties Program
• The Defense Privacy, Civil Liberties, and Transparency
Division (DPCLTD) is charged with implementing the
DoD Privacy and Civil Liberties programs through
advice, monitoring, official reporting and training.
• DoD issues semi-annual Privacy and Civil Liberties
Officer Reports. Reports privacy breach data and
information about privacy complaints. In the second
half of FY 2020 there were:
• 721 privacy breach reviews
• 12 privacy complaints
24. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD Privacy Program
Privacy Act Data Breach Lawsuits Must Allege “Injury in Fact”
• 2011 DoD security breach involving theft of computer tapes from a contractor employee's car potentially exposed medical data for 4.9 million TRICARE participants (members of the United States military and their families) and led to $4.9 billion class action suit against DoD and contractor. Judge dismissed most claims because plaintiffs could not show their data was accessed or abused to establish “injury in fact” for purposes of standing. In re Sci. Applications Int'l Corp. Backup Tape Data Theft Litig., 45 F. Supp. 3d 14 (D.D.C. 2014).
• 2013 and 2014 data breaches involving the VA led to another Privacy Act suit. An unencrypted laptop with PII was stolen from a VA medical center, and then four boxes containing pathology reports with PII of more than 2,000 patients went missing. Fourth Circuit held the plaintiffs had not established injury in fact because they did not show their information was accessed or abused, or even that the data and documents were taken with the intent to steal private information. Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017).
• But: 2019 D.C. Circuit decision held plaintiffs whose personal information was exposed in the 2014 OPM hack sufficiently alleged an “injury in fact” based on their “risk of future identity theft.” In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42 (D.C. Cir. 2019).
25. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD Privacy Program: DoD Instruction 5400.11 DoD Privacy and Civil Liberties Program
• Policy. Requires DoD Components to:
(1) Establish and maintain privacy and civil liberties programs that comply with applicable law and policy requirements, develop and evaluate policies, and manage privacy risks;
(2) Comply with the Privacy Act and all other applicable statutes, regulations and executive orders, including applicable guidance to DoD components conducting intelligence activities;
(3) Limit creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII maintained in systems of records to that which is legally authorized, relevant, and reasonably deemed necessary;
(4) Maintain records with PII per records retention or disposition schedules approved by NARA;
(5) Impose appropriate conditions regarding security and privacy controls when sharing PII with other federal and non-
federal agencies or entities, using written agreements when appropriate;
(6) Maintain procedures to receive, investigate, respond to and redress privacy and civil liberties complaints;
(7) Prohibit reprisals or threats against individuals who make complaints regarding privacy or civil liberties violations.
26. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD Privacy Program: DoD Instruction 5400.11 DoD Privacy and Civil Liberties Program
• Responsibilities.
• Designates responsibilities of key officials, including DoD Chief Management Officer who acts as DoD Privacy and Civil Liberties Officer (PCLO). Other important roles include: Director, Directorate for Oversight and Compliance (DO&C); Chief, Defense Privacy, Civil Liberties and Transparency Division (DPCLTD); General Counsel; DoD CIO; IG.
• Establishes responsibilities of OSD and DoD Component Heads for maintaining their own programs.
• Describes duties of OSD and DoD Component Senior Component Officials for Privacy (SCOPs) and OSD and DoD
Component PCLOs, including: implementing DoD’s Breach Preparedness and Response Plan, ensuring adequate
policies are in place for management and remediation of privacy and civil liberties complaints and alleged
violations; ensuring adequate administrative, physical and technical safeguards and procedures for information
systems containing PII; processing records requests; submitting System of Records Notices (SORNs); and providing
training and employee awareness to employees and contractors.
• Describes Defense Data Integrity Board’s responsibilities to ensure Privacy Act compliance in receiving or disclosing
records in relation to matching programs (automated comparison of computer records with other agencies).
27. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD Privacy Program: DoD Instruction 5400.11 DoD Privacy and Civil Liberties Program
• Rules of Conduct.
• General. Provides overview of rules of conduct for DoD personnel involved in designing, developing, operating or maintaining a system of records containing PII. Requires training for DoD and contractor personnel as applicable. Describes Privacy Act rules for PII.
• Fair Information Practice Principles (FIPPs).
• Access and Amendment
• Accountability
• Authority
• Minimization
• Quality and Integrity
• Individual Participation
• Purpose Specification and Use Limitation
• Security
• Transparency
28. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD Privacy Program: DoD 5400.11-R Department of Defense Privacy Program
Provides guidance and sets forth detailed procedures for DoD Privacy Program.
• Systems of Records.
• Defines “system of records”; establishes retrieval practices; requires relevance, necessity, and authority; prohibits
records regarding exercise of First Amendment rights; initial and ongoing evaluation of systems; discontinuing
collection and deletion of PII that is no longer justified; imposes accuracy requirements.
• States government contractors are subject to Privacy Act when contracts require operation or maintenance of
systems of records (C1.3). Contractors and their employees are considered agency employees for purposes of
Privacy Act criminal penalties. Requires inclusion of FAR Privacy Act provision and clause. Contractor must follow
same rules as agency (including DoD 5400.11-R), subject to instructions and guidance that DoD components must
publish. Privacy Act does not apply to contractor internal employee records, only records managed on behalf of
the agency under a contract.
• Requires DoD Components to establish appropriate safeguards for PII, including safeguards for records disposal.
Further requires DoD Components to promptly (within 10 working days) notify individuals when their PII is lost,
stolen or compromised.
29. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD Privacy Program: DoD 5400.11-R Department of Defense Privacy Program
• Collecting Personal Information. Elaborates on Privacy Act rules, setting forth particular rules for
Social Security Numbers and specifying use of Privacy Act statements and Forms.
• Access by Individuals. Provides for verification of identity, special rules for access to medical records,
and establishes a normal timeframe for granting access of 20 working days after receipt of request.
Also provides detailed rules for denial of access and amendment of records. Describes rules for
assessing fees, typically just direct costs of reproducing records.
• Disclosure of Personal Information to Other Agencies and Third Parties. Describes circumstances
when disclosure of PII among components or external to DoD is authorized.
• Exemptions. Describes exemptions to individual right of access to one’s own PII, and general or
specific exemption of systems of records from coverage by specified parts of the Privacy Act (e.g.
blanket exemption for classified material, general exemption for investigative records of law-
enforcement activities of DoD Component).
30. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD Privacy Program: DoD 5400.11-R Department of Defense Privacy Program
• Publication and Training Requirements. Sets forth rules and procedures for publishing DoD Components' privacy procedural rules; DoD Component exemption rules; system notices; match notices. Describes Privacy Act requirement for training, OMB training guidelines, and requirements for DoD training programs. DoD Components are responsible for developing their own training procedures and methodology.
• Reports and Inspections. Requires Defense Privacy Office to establish reports, to which DoD components
must provide data. Provides for DoD component internal inspection of Privacy Act compliance and
reporting of any findings.
• Privacy Act Violations. Describes administrative remedies and civil and criminal penalties for Privacy Act violations. Requires notice of Privacy Act litigation on a status sheet provided to the Defense Privacy Office. Requires reporting of loss, theft or compromise of PII to U.S. Computer Emergency Readiness Team within one hour, and reporting to the SCOP within 24 hours. Specifies information that must be reported.
• Computer Matching Programs. Provides procedures for “matching programs” including matches using
federal personnel or payroll systems of records and certain matches involving federal benefit programs.
31. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD FOIA Program
• In FY 2020 DoD reported its agencies and
components received 54,023 FOIA requests and
processed 50,006, with 22,413 pending at year end.
Of requests received: 23,881 went to the Army,
10,792 to the Navy, 4,460 to the Air Force; DCMA
received 195 and DCAA received 76.
• In FY 2020, the federal government overall received
a total of 790,688 FOIA requests.
• A 2017 study looked at who was submitting FOIA
requests: businesses (39%), individuals (20%), law
firms (16.7%), media organizations (7.6%), non-
profits (7.5%), universities (4.5%).
Source: DOJ OIP, Summary of Annual FOIA Reports
for FY 2020 (most recent available)
32. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD FOIA Program
FOIA Process
(1) Submission of Request
(2) Government Review
• Intake/Notice
• Search for Records
• Process Records
• Approve Release
• Respond to Requester (20 days)
(3) Administrative Appeals
• Time to file set by agency [DoD=90 days*]
• 20 days for agency response
(4) Judicial Review
Source: DOJ OIP, Summary of Annual FOIA Reports for FY 2020 (most recent available)
*32 C.F.R. § 286.11
33. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD FOIA Program: DoD Directive 5400.7 DoD Freedom of Information Act Program
• Policy. The DoD FOIA Program:
a. While remaining consistent with DoD’s responsibility to protect national security and other sensitive
information, promotes transparency and accountability by:
(1) Adopting a presumption in favor of disclosure in all release decisions involving FOIA.
(2) Responding promptly to FOIA requests in a spirit of cooperation.
b. In accordance with the procedures established by Part 286 of Title 32 Code of Federal Regulations and
DoD Manual 5400.07, provides DoD records requested by members of the public, unless those records are
exempt from disclosure in accordance with Section (b) of FOIA.
c. Works with Office of Government Information Services to resolve disputes between requesters and DoD.
• Responsibilities. The Chief Management Officer (CMO) of DoD serves as DoD Chief FOIA Officer and directs
and oversees the program. The Director, Directorate for Oversight and Compliance (DO&C) assists the CMO,
serves as FOIA appellate authority for OSD, etc., appoints the public liaison for OSD, and provides FOIA
training. Other significant roles: Director, Washington Headquarters Service, General Counsel of DoD, DoD
FOIA Program Component Heads.
34. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD FOIA Program: DoD Manual 5400.7 DoD Freedom of Information Act Program
• Restates public right to access agency records concerning U.S. Government activities, citing the
DoD FOIA regulation at 32 C.F.R. Part 286.
• Cites DoD FOIA Handbook for public reference in submitting FOIA requests to DoD:
http://open.defense.gov/Transparency/FOIA/FOIAHandbook.aspx
• Notes DoD FOIA program is largely decentralized, with most DoD Components having separate
FOIA offices. Lists the DoD Components that have their own FOIA programs with separate FOIA
appellate authority, Components that have their own programs but use the appellate authority for
the OSD/JS, and Components that do not have their own programs but have their FOIA requests
processed by OSD/JS.
35. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD FOIA Program: DoD Manual 5400.7 DoD Freedom of Information Act Program
• FOIA Libraries. Provides for establishment of certain DoD Component records in FOIA
libraries available online for public access.
• Exemptions. Describes the nine FOIA exemptions and DoD’s procedures for applying them.
• FOIA Request Processing. Describes DoD’s procedures for tracking and promptly acting on
FOIA requests; procedures for when exceptional circumstances prevent DoD from making a
final determination within the 20 working day statutory time limit; procedures for initial
determinations, including exemptions and other denials of requests.
• Education and Training. Provides for educational programs and training for DoD personnel
involved in day-to-day processing of FOIA requests and DoD attorneys to ensure compliance
with FOIA and DoD’s regulations and DoD and Component issuances.
36. DFARS – 2021 - Defense Federal Acquisition Regulation Supplement
DoD FOIA Program: DoD Manual 5400.7 DoD Freedom of Information Act Program
5.2(d) Exemption 4. Pursuant to Section (b)(4) of the FOIA, certain non-government financial information is exempt from
disclosure.
(1) This exemption protects: (a) Trade secrets; or (b) Information that is:
1. Commercial or financial;
2. Obtained from a person or entity outside of the U.S. Government; and
3. Privileged or confidential.
(2) Commercial or financial information that is voluntarily submitted to the U.S. Government, absent any exercised authority
prescribing criteria for submission, may be categorically protected, provided it is not customarily disclosed to the public by the
submitter. Examples of exercised authorities prescribing criteria for submission include statutes, Executive orders, regulations,
invitations for bids, requests for proposals, and contracts. DoD Components should analyze submission of information pursuant to
these authorities in accordance with Part 286 of Title 32, CFR.
(3) Commercial or financial information that is not voluntarily provided to the U.S. Government is considered “confidential” for
Exemption 4 if its disclosure is likely to: (a) Impair the U.S. Government’s ability to obtain necessary information in the future
(known as the “impairment prong”); (b) Harm an identifiable private or governmental interest; or (c) Cause substantial harm to
the competitive position of the person providing the information.
*NOTE: DOES NOT REFLECT NEW SCOTUS Ex. 4 TEST FROM FOOD MARKETING V. ARGUS LEADER
5.2(d) Exemption 4, continued:
(5) When the DoD Components receive FOIA requests for information that could be protected by this exemption, they will notify
the submitter of the information in accordance with the procedures in Subpart 286.10 of Title 32, CFR.
32 C.F.R. § 286.10 Confidential Commercial Information:
The DoD Component shall promptly provide written notice to the submitter of confidential commercial information whenever
records containing such information are requested under the FOIA if the DoD Component determines that it may be required to
disclose the records, provided:
(i) The requested information has been designated in good faith by the submitter as information considered protected from
disclosure under Exemption 4; or
(ii) The DoD Component has a reason to believe that the requested information may be protected from disclosure under
Exemption 4, but has not yet determined whether the information is protected from disclosure.
32 C.F.R. § 286.10(c)(1). Regulation requires “DoD Component shall specify a reasonable time period within which the submitter
must respond.” Id. at (e). See also EO 12600, Predisclosure Notification Procedures for Confidential Commercial Information.
DoD FOIA Program: Exemption 4 and Food Marketing v. Argus Leader
“[T]rade secrets and commercial or financial information obtained from a person [that is] privileged or
confidential.” 5 U.S.C. § 552(b)(4).
Old Exemption 4 Test
• National Parks test: Confidential only if disclosure likely to either:
(1) impair government’s ability to obtain necessary information in future (“impairment” prong); or
(2) cause substantial harm to competitive position of submitter. (“competitive harm” prong).
• Critical Mass test (D.C. Circuit) – for “voluntary” submissions:
Confidential if of a kind customarily not released to the public.
In its 2019 decision in Food Marketing v. Argus Leader, the Supreme Court overturned National Parks, rejecting the
“substantial competitive harm” test.
New Exemption 4 Rule (not reflected in DoDM 5400.7):
Two possible prongs for what is now "confidential":
• "[C]ustomarily kept private, or at least closely held, by the person imparting it." [Required]
• "[P]arty receiving it provides some assurance that it will remain secret." [Might Also Be Required]
"At least where commercial or financial information is both customarily and actually treated as private by its owner
and provided to the government under an assurance of privacy, the information is 'confidential' within the meaning
of Exemption 4." Food Mktg. Inst. v. Argus Leader Media, 139 S. Ct. 2356, 2366 (2019) (emphasis added).
*But see FOIA Improvement Act of 2016 (agency may apply a FOIA exemption only when it “reasonably foresees that
disclosure would harm an interest protected by” the exemption applied).
Final Take-Aways
Privacy Act
• The Privacy Act and associated regulations and policies are primarily intended to promote privacy and individual rights.
• The Act affects government procurement when contractors manage systems of records with PII on the Government’s behalf
under a contract. Contractors must look out for FAR 52.224-1 and 52.224-2, and scope of work references to Privacy Act
section m, 5 U.S.C. § 552a(m), indicating the contractor must follow the requirements of the Act and related agency rules.
• Contractor and Government employees alike must exercise great care when dealing with PII and comply with applicable law
and regulations, or they may risk criminal penalties. DoD’s Privacy issuances are a helpful compliance resource.
FOIA
• FOIA and associated regulations and policies are primarily intended to promote government transparency and accountability.
• Contractors use FOIA as a competitive tool to learn about the Government and its programs, or about other contractors.
• Contractors often have to disclose proprietary information to the Government in connection with proposals and performance
of contracts and need to take precautions to protect such information from disclosure. Government employees should be
aware of the rules about what contractor information may be exempt from FOIA, including under Exemption 4.
• Whether defense contractors are submitting FOIA requests or trying to avoid having their information disclosed, DoD’s FOIA
issuances and regulations establish key timeframes, describe the agency’s process, and offer useful organizational information.
THANK YOU To Our Speaker
Daniel H. Ramish
Smith Pachter McWhorter PLC
dramish@smithpachter.com
703-847-6306
Disclaimer: The content of this presentation is not intended to serve as legal
advice related to any individual situation. This material is made available for
information purposes only.
42. Thank You For Attending!