[Federal Register Volume 72, Number 47 (Monday, March 12, 2007)] [Notices] [Pages 11036-11040] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: E7-4407] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF THE INTERIOR Office of the Secretary Privacy Act of 1974; as Amended; Amendments to an Existing System of Records AGENCY: Office of the Secretary, Department of the Interior. ACTION: Proposed amendment of an existing system of records. ----------------------------------------------------------------------- SUMMARY: In accordance with the Privacy Act of 1974 (5 U.S.C. 552a), the Office of the Secretary of the Department of the Interior is issuing public notice of its intent to amend an existing Privacy Act system of records notice, Interior, OS-45, ``Security Clearance Files and Other Reference Files,'' to implement Homeland Security Presidential Directive 12 (HSPD-12). HSPD-12 requires Federal agencies to use a common identification credential for both logical and physical access to federally controlled facilities and information systems. Accordingly, the National Business Center, within the Office of the Secretary of the Department of the Interior, is implementing an identity management system to automate the process of issuing credentials to all Departmental employees, contractors, volunteers and other individuals who require regular, ongoing access to agency facilities and information systems and networks, based on sound criteria to verify an individual's identity, that are strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation, and that provide for rapid, electronic authentification of personal identity, by a provider whose reliability has been established through an official accreditation process. For this reason, it is renaming and renumbering Interior, OS-45, ``Security Clearance Files and Other Reference Files,'' as Interior, DOI-45: ``HSPD-12: Identity Management System and Personnel Security Files.'' DATES: Effective Date: U.S.C. 552a(e)(11) requires that the public be provided a 30-day period in which to comment on the agency's intended use of the information in the system of records. The Office of Management and Budget, in its Circular A-130, requires an additional 10-day period (for a total of 40 days) in which to make these comments. Any persons interested in commenting on this proposed amendment may do so by submitting comments in writing to the Office of the Secretary Privacy Act Officer, Sue Ellen Sloca, U.S. Department of the Interior, MS-120 SIB, 1951 Constitution Avenue, NW., Washington, DC 20240, or by e-mail to [email protected]. Comments received within 40 days of publication in the Federal Register will be considered. The system will be effective as proposed at the end of the comment period unless comments are received which would require a contrary determination. The Department will publish a revised notice if changes are made based upon a review of comments received. FOR FURTHER INFORMATION CONTACT: David VanderWeele, Security Specialist, NBC Security Services, MS-1229 MIB, 1849 C St., NW., Washington, DC 20240, or by e-mail to [email protected]. SUPPLEMENTARY INFORMATION: In this notice, the Department of the Interior is amending Interior, OS-45, ``Security Clearance Files and Other Reference Files'' to implement HSPD-12, and is renaming and renumbering it as Interior, DOI-45: ``HSPD-12: Identity Management System and Personnel Security Files.'' In the process, it is expanding the categories of individuals covered by the system to include all individuals who require regular, ongoing access to Departmental facilities and information systems and networks, and is expending the categories of records in the system to include additional personal identity verification (PIV) data such as fingerprints and copies of documents used to verify identification. Note: This system notice also does not apply to individuals who require regular, ongoing access to facilities and information systems and networks managed by other Federal agencies on whose behalf the Department issues identification credentials, as a shared-service provider. Although data pertaining to these individuals are stored in the Department's identity management system, their records are covered, respectively, by their individual agency Privacy Act system of records notices. Accordingly, the Department of the Interior proposes to amend the system notice for Interior, OS-45, ``Security Clearance Files and Other Reference Files'' in its entirety to read as follows: Dated: March 7, 2007. Sue Ellen Sloca, Office of the Secretary Privacy Act Officer. INTERIOR/DOI-45 System Name: HSPD-12: Identity Management System and Personnel Security Files-- Interior, DOI-45. System Location: Data covered by this system are maintained at the following locations: (1) U.S. Department of the Interior, Office of the Secretary, National Business Center, 7301 West Mansfield Avenue, Mail Stop D-7200, Denver, CO 80225; U.S. Department of the Interior, Office of the Secretary, National Business Center, 1849 C St., NW., Mail Stop 1224 MIB, Washington, DC 20240. (2) Bureau of Indian Affairs: Bureau of Indian Affairs, Office of Human Capital [[Page 11037]] Management, 1011 Indian School Road, NW., Mail Stop 64, Albuquerque, NM 87104. (3) Bureau of Indian Education: Bureau of Indian Affairs, Office of Human Resources, P.O. Box 769, Albuquerque, NM 87103. (4) Bureau of Land Management: Bureau of Land Management, Office of Law Enforcement and Security, 1620 L Street, NW., Washington, DC 20036. (5) Bureau of Reclamation: Bureau of Reclamation, P.O. Box 25007, Denver, CO 80225. (6) Minerals Management Service: Minerals Management Service, 381 Elden Street, Mail Stop 2050, Herndon, VA 20170. (7) National Park Service: National Park Service, Office of Human Resources, 1201 Eye Street, NW., 12th Floor, Washington, DC 20005-5912. (8) Office of Surface Mining, Reclamation and Enforcement: Office of Surface Mining, Reclamation and Enforcement, 1951 Constitution Avenue, NW., SIB, Washington, DC 20240. (9) Office of the Inspector General: Office of the Inspector General, 12030 Sunrise Valley Drive, Suite 350, Mail Stop 5341, Reston, VA 20191. (10) Office of the Secretary/National Business Center: See (1), above. (11) Office of the Solicitor: Office of the Solicitor, Division of Administration, 1849 C St., NW., Mail Stop 6556 MIB, Washington, DC 20240. (12) U.S. Fish and Wildlife Service: U.S. Fish and Wildlife Service, 4401 N. Fairfax Dr., Arlington, VA 22203. (13) U.S. Geological Survey: U.S. Geological Survey, 250 National Center, 12201 Sunrise Valley Drive, Reston, VA 20192. Categories Of Individuals Covered By The System: (1) Individuals who require regular, ongoing access to Departmental facilities, information systems and networks, and/or information classified in the interest of national security, including applicants for employment or contracts with the Department of the Interior, Departmental employees, contractors, students, interns, volunteers, affiliates, and individuals formerly in any of these positions. The system also covers individuals authorized to perform or use services provided in Departmental facilities (e.g., Credit Union, Fitness Center, etc.) Note: This system notice does not apply to occasional visitors or short-term guests to whom the Department issues temporary identification and credentials. These records are covered by Interior/DOI-46, ``HSPD-12: Physical Security System Files.'' This system notice also does not apply to individuals who require regular, ongoing access to facilities and information systems and networks managed by other Federal agencies on whose behalf the Department issues identification credentials, as a shared-service provider. Although data pertaining to these individuals are stored in the Department's identity management system, their records are covered, respectively, by their individual agency Privacy Act system of records notices. Additionally, this system notice does not apply to individuals accused of security violations or found to be in violation. Records relating to personnel and building security violations will be covered by Interior/OS-18: ``Security Complaints and Investigations Files.'' (2) Employees of independent agencies, councils and commissions (which are provided administrative support by the Department of the Interior), whose duties have been designated ``special sensitive,'' ``critical sensitive,'' ``noncritical sensitive'' or ``clearance for FEMA special access program.'' (3) Individuals who require regular, ongoing access to facilities and information systems and networks managed by other Federal agencies on whose behalf the Department provides enrollment services but not identification credentials. Note: Information on these individuals is maintained for the minimum time required to process it before secure transmission to another agency's identity management system through a third party enrollment broker. Records pertaining to these individuals are covered, respectively, by their individual agency Privacy Act system of records notices. Categories Of Records In The System: (1) Copies of forms SF 85, SF 85P, SF 85P-S, SF 86, SF 86A, SF 86C, and FD 258 as supplied by individuals covered by the system. (2) Name, former names, birth date, birth place, Social Security Number, signature, home address, e-mail address, phone numbers, employment history, residential history, education and degrees earned, names of associates and references and their contact information, citizenship, names of relatives, birthdates and places of relatives, citizenship of relatives, names of relatives who work for the Federal government, criminal history, mental health history, drug use, financial information, fingerprints, summary report of investigation, results of suitability decisions, level of security clearance, date of issuance of security clearance, and requests for appeal. (3) Copies of letters of transmittal between the Department of the Interior and the Office of Personnel Management concerning the covered individual's background investigation, and copies of certification of clearance status and briefings and/or copies of debriefing certificates signed by the individual, as appropriate. Card files contain case file summaries, case numbers and dispositions of case files following review. (4) Copies of personal identity verification (PIV) application forms as supplied by individuals covered by the system. (5) Records maintained on individuals issued credentials by the Department include the following data fields: Full name, Social Security Number; date of birth; signature; image (photograph); fingerprints; hair color; eye color; height; weight; home address; work address; e-mail address; agency affiliation (i.e., employee, contractor, volunteer, etc.); telephone numbers; PIV card issue and expiration dates; personal identification number (PIN); results of background investigation; PIV request form; PIV registrar approval signature; PIV card serial number; emergency responder designation; copies of ``I-9'' documents (e.g., driver's license, passport, birth certificate, etc.) used to verify identification or information derived from those documents such as document title, document issuing authority, document number, or document expiration date; level of national security clearance and expiration date; computer system user name; user access and permission rights, authentication certificates; and digital signature information. Authority For Maintenance Of The System: Executive orders 10450, 10865, 12333, and 12356; sections 3301 and 9101 of title 5, U.S. Code; sections 2165 and 2201 of title 42; U.S. Code; sections 781 to 887 of title 50, U.S. Code; parts 5, 732, and 736 of title 5, Code of Federal Regulations; Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004; 5 U.S.C. 301; Federal Information Security Act (Pub. L. 104-106, sec. 5113); Electronic Government Act (Pub. L. 104-347, section 203); the Paperwork Reduction Act of 1995 (44 U.S.C. 3501); the Government Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C. 3504); and the Federal Property and Administrative Act of 1949, as amended. [[Page 11038]] Routine Uses Of Records Maintained In The System, Including Categories Of Users And The Purposes Of Such Uses. The primary purposes of the system are: (1) To document and support decisions regarding (a) Clearance for access to classified information; (b) Suitability, eligibility, and fitness for service of applicants for Federal employment and contract positions, including students, interns, or volunteers to the extent their duties require regular, ongoing access to Departmental facilities and information systems and networks; and (2) To verify the identity of individuals issued common identification credentials by the Department in compliance with the HSPD-12 directive. (3) To ensure the safety and security of Departmental facilities and information systems and networks, and their occupants and users. Note: This system interfaces with the Department's physical security system, covered by Interior/DOI-46, ``HSPD-12: Physical Security Files,'' and the Department's logical security system, covered by Interior/DOI-47, ``HSPD-12: Logical Security Files (Enterprise Access Control Service / EACS).'' This system will also interface with the Department's Federal Payroll and Personnel System (FPPS), covered by Interior/DOI-85, ``Payroll, Attendance, Retirement, and Leave Records.'' Disclosures outside the Department of the Interior may be made: (1) To the Office of Personnel Management for matters concerned with oversight activities (necessary for the Office of Personnel Management to carry out its legally-authorized Government-wide personnel management programs and functions.) (2)(a) To any of the following entities or individuals, when the circumstances set forth in paragraph (b) are met: (i) The U.S. Department of Justice (DOJ); (ii) A court or an adjudicative or other administrative body; (iii) A party in litigation before a court or an adjudicative or other administrative body; or (iv) Any DOI employee acting in his or her individual capacity if DOI or DOJ has agreed to represent that employee or pay for private representation of the employee; (b) When: (i) One of the following is a party to the proceeding or has an interest in the proceeding: (A) DOI or any component of DOI; (B) Any other Federal agency appearing before the Office of Hearings and Appeals; (C) Any DOI employee acting in his or her official capacity; (D) Any DOI employee acting in his or her individual capacity if DOI or DOJ has agreed to represent that employee or pay for private representation of the employee; (E) The United States, when DOJ determines that DOI is likely to be affected by the proceeding; and (ii) DOI deems the disclosure to be: (A) Relevant and necessary to the proceeding; and (B) Compatible with the purpose for which the records were compiled. (3) To a congressional office in response to a written inquiry that an individual covered by the system, or the heir of such individual if the covered individual is deceased, has made to the congressional office about the individual. (4) To the Federal Protective Service and appropriate Federal, State, local or foreign agencies responsible for investigating emergency response situations or investigating or prosecuting the violation of or for enforcing or implementing a statute, rule, regulation, order or license, when DOI becomes aware of a violation or potential violation of a statute, rule, regulation, order or license. (5) To an official of another Federal agency to provide information needed in the performance of official duties related to reconciling or reconstructing data files, in support of the functions for which the records were collected and maintained. (6) To Federal, State, or local agencies that have requested information relevant or necessary to the hiring, firing or retention of an employee, contractor, etc., or the issuance of a security clearance, license, contract, grant or other benefit. (7) To representatives of the National Archives and Records Administration to conduct records management inspections under the authority of 44 U.S.C. 2903 and 2904. (8) To state and local governments and tribal organizations to provide information needed in response to court order and/or discovery purposes related to litigation. (9) To an expert, consultant, or contractor (including employees of the contractor) of DOI that performs, on DOI's behalf, services requiring access to these records. (10) To the Office of Management and Budget when necessary to the review of private relief legislation pursuant to OMB Circular No. A-19. (11) To other Federal agencies through third party enrollment brokers serving as links in the secure chain of custody for the HSPD-12 process when the Department has entered into agreements with these agencies to provide enrollment services to their employees, contractors, etc. but not identification credentials. Note: In all such instances, the data being disclosed to these agencies through the enrollment brokers is data pertaining to their own employees, contractors, etc., and not data pertaining to Departmental employees, contractors, etc. (12) To the Federal Bureau of Investigation for the National Agency Check with Inquiries (NACI) background investigation. (13) To appropriate agencies, entities, and persons when: (a) It is suspected or confirmed that the security or confidentiality of information in the system of records has been compromised; and (b) The Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interest, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (c) The disclosure is made to such agencies, entities and persons who are reasonably necessary to assist in connection with the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. Disclosure to consumer reporting agencies: Pursuant to 5 U.S.C. 552a(b)(12), records can be disclosed to consumer reporting agencies as they are defined in the Fair Credit Reporting Act. Policies And Practices For Storing, Retrieving, Accessing, Retaining, And Disposing Of Records In The System: Storage: Records are stored in paper files and in electronic media. Retrievability: Records are retrievable by name of employee or covered individual, Social Security Number, other ID number, PIV card serial number, image (photograph), or fingerprint. Safeguards: Access to records covered by the system will be permitted only to authorized personnel in accordance with requirements found in the Departmental Privacy Act regulations (43 CFR 2.51). Persons given roles in the PIV process must complete training [[Page 11039]] specific to their roles to ensure they are knowledgeable about how to protect individually identifiable information regardless of how and where it is stored. Paper records are stored in locked file cabinets in a secure area. Electronic records in the identity management system are maintained with safeguards meeting the requirements of 43 CFR 2.51 for automated records, which conform to Office of Management and Budget and Departmental guidelines reflecting the implementation of the Federal Information Security Management Act. The electronic data are protected through user identification, passwords, database permissions, encryption and software controls. Such security measures establish different degrees of access levels for different types of users. An audit trail is maintained and reviewed periodically to identify unauthorized access. A Privacy Impact Assessment was completed to ensure that Privacy Act requirements and personally identifiable information safeguard requirements are met. Retention And Disposal: Although paper records relating to individuals covered by the system are generally retained and disposed of in accordance with General Records Schedule 18, Item 22, approved by the National Archives and Records Administration, a separate records schedule, identified as item 6600 of the Office of the Secretary Consolidated Subject-Function Code Records Disposition Schedule is under development. This schedule prescribes that records are destroyed upon notification of death or not later than five years after separation or transfer of employee, whichever is applicable. Additionally, in accordance with HSPD-12, PIV Cards are deactivated within 18 hours of notification regarding cardholder separation, loss of card, or expiration. The information on PIV Cards is maintained in accordance with General Records Schedule 11, Item 4. PIV Cards are destroyed by cross-cut shredding no later than 90 days after deactivation. System Manager(S) And Address: (1) HSPD-12 System Manager: Security Manager, U.S. Department of the Interior, Office of the Secretary, National Business Center, 1849 C St., NW., Mail Stop 1229 MIB, Washington, DC 20240. (2) Bureau Personnel Security System Managers: (a) Bureau of Indian Affairs: Security Program Supervisor, Bureau of Indian Affairs, Office of Human Capital Management, 1011 Indian School Road, NW., Mail Stop 64, Albuquerque, NM 87104. (b) Bureau of Indian Education: Personnel Security Specialist, Bureau of Indian Education, Office of Human Resources, P.O. Box 769, Albuquerque, NM 87103. (c) Bureau of Land Management: Chief Security and Intelligence, Bureau of Land Management, Office of Law Enforcement and Security, 1620 L Street, NW., Washington, DC 20036. (d) Bureau of Reclamation: Security Specialist, Bureau of Reclamation, P.O. Box 25007, Denver, CO 80225. (e) Minerals Management Service: Personnel Security Specialist, Minerals Management Service, 381 Elden Street, Mail Stop 2050, Herndon, VA 20170. (f) National Park Service: Security Officer, National Park Service, Office of Human Resources, 1201 Eye Street, NW., 12th Floor, Washington, DC 20005-5912. (g) Office of Surface Mining, Reclamation and Enforcement: Personnel Security Officer, Office of Surface Mining, Reclamation and Enforcement, 1951 Constitution Avenue, NW., SIB, Washington, DC 20240. (h) Office of the Inspector General: Security Specialist, Office of the Inspector General, 12030 Sunrise Valley Drive, Suite 350, Mail Stop 5341, Reston, VA 20191. (i) Office of the Secretary/National Business Center: Security Manager, National Business Center, MS-1224 MIB, 1849 C St., NW., Washington, DC 20240. (j) Office of the Solicitor: Director of Administrative Services, Division of Administration, Office of the Solicitor, 1849 C St., NW., MS-6556, Washington, DC 20240. (k) U.S. Fish and Wildlife Service: Personnel Security Manager, U.S. Fish and Wildlife Service, 4501 N. Fairfax Dr., 3rd Fl., Arlington, VA 22203. (l) U.S. Geological Survey: Bureau Security Manager, U.S. Geological Survey, 250 National Center, 12201 Sunrise Valley Drive, Reston, VA 20192. Notification Procedure: A request for notification of the existence of electronic records pertaining to the HSPD-12 credentialing process shall be addressed to the HSPD-12 System Manager identified in (1) above. A request for notification of the existence of paper records pertaining to the personnel security management process shall be addressed to the appropriate Bureau Personnel Security System Manager identified in (2), above. All such requests for notification must be in writing, signed by the requester, include the requester's bureau and office affiliation and work address, if an employee, or the name and address of the bureau and office with whom the requester is associated for purposes of identity credentialing, and address of the facility or name of the system that the requester needed access to, to facilitate location of applicable paper records, if inquiring about paper records, and comply with the content requirements of 43 CFR 2.60. Note: Individuals who require regular, ongoing access to facilities and information systems and networks managed by other Federal agencies on whose behalf the Department issues identification credentials, as a shared-service provider, requesting notification of the existence of identity management and personnel security records pertaining to themselves, must contact the appropriate party identified in this section of the Privacy Act system of records notice published by the agency with which they are affiliated. Record Access Procedure: A request for access to or copies of electronic records pertaining to the HSPD-12 credentialing process shall be addressed to the HSPD-12 System Manager identified in (1) above. A request for access to or copies of paper records pertaining to the personnel security management process shall be addressed to the appropriate Bureau Personnel Security System Manager identified in (2), above. All such requests must be in writing, signed by the requester, include the requester's bureau and office affiliation and work address, if an employee, or the name and address of the bureau and office with whom the requester is associated for purposes of identity credentialing, and address of the facility or name of the system that the requester needed access to, to facilitate location of applicable paper records, if inquiring about paper records, and comply with the content requirements of 43 CFR 2.63. Note: Individuals who require regular, ongoing access to facilities and information systems and networks managed by other Federal agencies on whose behalf the Department issues identification credentials, as a shared-service provider, requesting access to or copies of identity management and personnel security records pertaining to themselves, must contact the appropriate party identified in this section of the Privacy Act system of records notice published by the agency with which they are affiliated. [[Page 11040]] Contesting Records Procedure: A request for amendment of electronic records pertaining to the HSPD-12 credentialing process shall be addressed to the HSPD-12 System Manager identified in (1) above. A request for amendment of paper records pertaining to the personnel security management process shall be addressed to the appropriate Bureau Personnel Security System Manager identified in (2), above. All such requests must be in writing, signed by the requester, include the requester's bureau and office affiliation and work address, if an employee, or the name and address of the bureau and office with whom the requester is associated for purposes of identity credentialing, and address of the facility or name of the system that the requester needed access to, to facilitate location of applicable paper records, if inquiring about paper records, and comply with the content requirements of 43 CFR 2.71. Note: Individuals who require regular, ongoing access to facilities and information systems and networks managed by other Federal agencies on whose behalf the Department issues identification credentials, as a shared-service provider, requesting amendment of identity management and personnel security records pertaining to themselves, must contact the appropriate party identified in this section of the Privacy Act system of records notice published by the agency with which they are affiliated. Record Source Categories: Information is obtained from a variety of sources including the employee, contractor, or applicant via use of the SF-85, SF-85P, SF-86, SF-87A and FD 258 and personal interviews; employers' and former employers' records; other Federal agencies supplying data on covered individuals; FBI criminal history records and other databases; financial institutions and credit reports; medical records and health care providers; educational institutions. Other Federal agencies providing HSPD-12 enrollment services to Department of the Interior employees, contractors, etc. through third party enrollment brokers. Exemptions Claimed For The System: None. [FR Doc. E7-4407 Filed 3-9-07; 8:45 am] BILLING CODE 4310-RK-P