Brendon Sorenson

Module 3
The Division Protocol Office must develop an Information Privacy Policy in order to
address the collection, transmission and safeguarding of personal information acquired from
Senior Leaders within the Division Command and subordinate Commands. It is required, in
accordance with Army Regulation 340-21 that information be protected, as required by the
Privacy Act of 1974 and that only the information necessary to support required operations for
the Protocol Office's mission. The Privacy Act of 1974 also requires that only information that is
"timely, accurate, complete, and relevant to the purpose for which it was collected" should be
maintained(Army Regulation 340-21). I will put forth a set of procedures and describe issues
that must be considered before an established policy can be created. It is also my intent to
detail the potential conflicts of disclosure of gathered information and provide possible solutions.
The first procedure required for any individual that will have access to the information in
question is to fully review both the Army Regulation 340-21 and the related Privacy Act of 1974.
The Protocol team members with access should also review any referenced documentation
provided in those two documents. Once the team member has developed a firm understanding
of the Army's policy, they can begin with the collection of data as required for the mission as
directed by the Division Command's requirements. In order to gather information from
subordinate commanders and senior staff, the Protocol team should designate an Information
Custodian that will oversee the creation of a database that contains only the relevant
information to mission accomplishment. After this data set is defined a standard questionnaire
should be created to ensure accurate and complete information is collected and verified. This
document should include, when applicable, the name of the outgoing or replaced commander or
staff member, so that information no longer accurate or timely can be removed. Additionally,
based on established mission needs and guidance, a statement allowing or disallowing the
release of the collected information should be included and annotated. A Privacy Act Statement
will be provided to the individual when they return the questionnaire. It is vital that special care
is taken to ensure the entry of gathered information into a database is accurate and human error
is minimized. Further, there should be a schedule of regular reviews covering gathered
information. I recommend that this review be performed on a quarterly basis to ensure all
changes are captured and updated in the absence of notification by outgoing or replaced
commanders or senior staff.
It is the responsibility of the Protocol Information Custodian to safeguard all personal
information, preventing unauthorized use, access, disclosure, alteration or destruction (Army
Regulation 340-21). The Information Custodian must also ensure that anyone entered into the
database is notified that a record of their information exists and provide the opportunity for
individuals to review or retrieve copies of any information collected. If an individual feels there is
a need to amend collected information, there should be a standard operation that allows them to
make changes if they feel the information is not current, incomplete or that the individual feels is
irrelevant to the Protocol mission. The Information Custodian should develop a form that
annotates changes to the gathered information, as appropriate, and provides the requesting

individual a clear copy of all information contained in the database. All requests should be
processed quickly and in an accurate and fair manner, without exception.
The largest challenge faced by the Information Custodian will be the rules of disclosure
of gathered information. Normal mission required disclosure, or routine use, should be
addressed at the time that the questionnaire is collected by the Information Custodian.
Additional requests for disclosure outside of the Protocol mission may be requested by other
agencies, both within and from outside the 10th Mountain Division, as well as third parties (nonfederal). The Army as a whole is not allowed to provide information from a record without
written consent of the individual in question, with very few exceptions as detailed in Chapter 3 of
the Army Regulation 340-21. The Information Custodian should maintain a log of any
disclosures. It is the duty of the Information Custodian to be familiar with all exceptions and
seek legal guidance from the Administrative Law team if there is any doubt as the validity of the
release. The Information Custodian should make an official request to the subject of the
information request and create a standard response with a reasonable response time to the
requestor. This will be a period long enough to allow contact with the subject and allow them to
respond to the request. Should there be a delay that causes the time provided to the requestor
to lapse, it should be the responsibility of the Information Custodian to communicate the delay to
the requestor.

Works Cited:
Army Regulation 340-21. The Army Privacy Program. Washington, DC: Headquarters
Department of the Army, 1985. Print.