To collect on an NDAP, a three-step analysis must be followed before any collection activity begins.
The next question is, "Is there is a reasonable basis to believe (rather than merely a "hunch") that the information acquired shows a direct relationship between the NDAP or information collected on and an impact on DA or DoD?
Collection of identifying information on such an NDAP is acceptable as long as the information acquired is limited to the scope of the investigation.
342) Second, DoD personnel may not acquire information about an NDAP solely because that person lawfully advocates measures in opposition to Government policy.
Careful redaction (with the assistance of the supporting SJA office) of any NDAP personally identifying information (PII) would ensure such reports emphasize activities, since NDAP identities would be redacted.
Some misconduct that violates the rights of a USP or NDAP may also violate the Uniform Code of Military Justice (as a violation of a lawful regulation or as dereliction of duty) while not implicating a federal statute.
The second form of information, Non-Defense Personnel Information (NDPI), is information about NDAPs that was not acquired for DoD law enforcement purposes, but was nonetheless developed during the performance of official DoD or military operations.
The true challenge arises in that, just as in the case of domestic intelligence collection activities, DoD collection of domestic information regarding NDAPs in the United States may seem inconsistent with if not counterintuitive to, command responsibilities overseas.
The sensitive information rules apply any time any information is acquired on identified or identifiable NDAPs and their activities, whether inside the United States or anywhere else in the world.
Since virtually any location can be at risk, the NDAP is asking local government representatives to join in this initiative to encourage their constituents to ensure business continuity.
The NDAP will help businesses of all sizes develop a systematic approach to evaluating their current data protection and DR capabilities, look for weak spots in those existing plans and choose the optimal data protection products, technologies and services to minimize or eliminate their exposure to potential data loss.