modification of personal data, whether it is intentional
or results from an accident or carelessness.
Department of the Navy Information Systems
Security (INFOSEC) Program, SECNAVINST 5239.3,
provides guidelines for use by all Navy organizations
in implementing any security safeguards that they must
adopt to implement the Privacy Act. It describes risks
and risk assessment, physical security measures,
appropriate information management practices, and
computer system/network security controls.
Department of the Navy Privacy Act (PA) Program,
SECNAVINST 5211.5, implements the Privacy Act and
personal privacy and rights of individuals regarding
their personal records. It delineates and prescribes
policies, conditions, and procedures for the following:
Any Department of the Navy system of records
possessing a record on an individual must verify
it has the record upon the request of the
The identity of any individual requesting
personal record information maintained on them
must be confirmed before the information is
An individual must be granted access to his/her
personal files on request.
Any request from an individual concerning the
amendment of any record or information
pertaining to the individual for the purpose of
making a determination on the request or
appealing an initial adverse determination must
Personal information is collected, safeguarded,
and maintained, and decisions are made
concerning its use and dissemination.
The disclosure of personal information, and
decisions concerning which systems records are
to be exempted from the Privacy Act.
Rules of conduct are established for the guidance
of Department of the Navy personnel who are
subject to criminal penalties for noncompliance
with the Privacy Act.
The Chief of Naval Operations is responsible for
administering and supervising the execution of the
Privacy Act and SECNAVINST 5211.5 within the
Department of the Navy. Additionally, the Chief of
Naval Operations is designated as the principal Privacy
Act coordinator for the Department of the Navy.
The major provisions of the Privacy Act that most
directly involve computer security are found in the
following parts of title 5, United States Code (U.S.C.),
Subsection (b)limits disclosure of personal
information to authorized persons and
Subsection (e)(5)requires accuracy,
relevance, timeliness, and completeness of
Subsection (e)(10)requires the use of
safeguards to ensure the confidentiality and
security of records.
The following terminology is used in discussing the
treatment of personal data:
Confidentiality. A concept that applies to data.
It is the status accorded to data that requires
protection from unauthorized disclosure.
Data integrity. The state existing when data
agrees with the source from which it is derived,
and when it has not been either accidentally or
maliciously altered, disclosed, or destroyed.
Data Security. The protection of data from
accidental or intentional, but unauthorized,
modification, destruction, or disclosure.
Safeguards that provide data protection are grouped
into three categories: physical security measures,
information management practices, and computer
system/network security controls. Specifically, these
Physical security measures. Measures for
protecting the physical assets of a system and
related facilities against environmental hazards
or deliberate actions as discussed earlier in this
Information management practices.
Procedures for collecting, validating,
processing, controlling, and distributing data.
Computer system/network security controls.
Techniques available in the hardware and
software of a computer system or network for
controlling the processing of and access to data
and other assets.
Technological safeguards for security risks are
presented in figure 4-15. They may be viewed in
relation to the control points within a computer