[Federal Register Volume 72, Number 47 (Monday, March 12, 2007)]
[Notices]
[Pages 11043-11046]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-4414]


-----------------------------------------------------------------------

DEPARTMENT OF THE INTERIOR

Office of the Secretary


Privacy Act of 1974, as Amended; Amendment of an Existing System 
of Records

AGENCY: Office of the Secretary, Department of the Interior.

ACTION: Proposed amendment of an existing system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974 (5 U.S.C. 552a), 
the Office of the Secretary is issuing public notice of its intent to 
amend an existing Privacy Act system of records notice, Interior, OS-
01, ``Computerized ID Security System,'' to implement Homeland Security 
Presidential Directive 12 (HSPD-12) and to clarify its interpretation 
of 5 U.S.C. 6106. HSPD-12 requires federal agencies to use a common 
identification credential for both logical and physical access to 
federally controlled facilities and information systems. Accordingly, 
the National Business Center, within the Office of the Secretary of the 
Department of the Interior, is integrating its computerized smart-card 
physical security system with the identity management system which 
automates the process of issuing credentials to all Departmental 
employees, contractors, volunteers and other individuals who require 
regular, ongoing access to agency facilities, systems and networks 
based on sound criteria to verify an individual's identity, that are 
strongly resistant to fraud, tampering, counterfeiting, and terrorist 
exploitation, and that provide for rapid, electronic authentification 
of personal identity, by a provider whose reliability has been 
established through an official accreditation process. It is also 
expanding the coverage of this system to include all locations, 
Departmentwide, both Federal buildings and Federally-leased space, 
where paper-based physical security logs and registers have been 
established, in addition to or in place of smart-card access control 
systems. For this reason, it is renaming and renumbering this Privacy 
Act system notice as Interior, DOI-46: ``HSPD-12: Physical Security 
Files.''

DATES: Effective Date: 5 U.S.C. 552a(e)(11) requires that the public be 
provided a 30-day period in which to comment on the agency's intended 
use of the information in the system of records. The Office of 
Management and Budget, in its Circular A-130, requires an additional 
10-day period (for a total of 40 days) in which to make these comments. 
Any persons interested in commenting on this proposed amendment may do 
so by submitting comments in writing to the Office of the Secretary 
Privacy Act Officer, Sue Ellen Sloca, U.S. Department of the Interior, 
MS-120 SIB, 1951 Constitution Avenue, NW., Washington, DC 20240, or by 
e-mail to [email protected]. Comments received within 40 days 
of publication in the Federal Register will be considered. The system 
will be effective as proposed at the end of the comment period unless 
comments are received which would require a contrary determination. The 
Department will publish a revised notice if changes are made based upon 
a review of comments received.

FOR FURTHER INFORMATION CONTACT: David VanderWeele, Security 
Specialist, NBC Security Services, MS-1229 MIB, 1849 C St., NW., 
Washington, DC 20240, or by e-mail to [email protected].

SUPPLEMENTARY INFORMATION: In this notice, the Department of the 
Interior (DOI) is amending Interior, OS-01, ``Computerized ID Security 
System'' to implement HSPD-12, and is renaming and renumbering it as 
Interior, DOI-46: ``HSPD-12: Physical Security Files.'' In the process, 
it is expanding the categories of individuals covered by the system to 
include all individuals who have access to DOI facilities, and the 
categories of records covered by the system notice to include 
additional personal identity verification (PIV) data such as 
fingerprints. It is also clarifying its interpretation of 5 U.S.C. 6106 
by deleting the note that follows the list of the routine uses of the 
records maintained in the system. This note concerned disclosures 
within DOI of data pertaining to the date and time of entry and exit of 
an agency employee working in the District of Columbia.
    Accordingly, the Department of the Interior proposes to amend the 
system notice for Interior, OS-01, ``Computerized ID Security System'' 
in its entirety to read as follows:

    Dated: March 7, 2007.
Sue Ellen Sloca,
Office of the Secretary Privacy Act Officer.
INTERIOR/DOI-46

SYSTEM NAME:
    HSPD-12: Physical Security Files--Interior, DOI-46.

SYSTEM LOCATION:
    (1) Data covered by this system are maintained at the following 
main locations:
    (a) U.S. Department of the Interior, Office of the Secretary, 
National Business Center, Computer Center, 1849 C Street, NW., 
Washington, DC 20240; and
    (b) U.S. Department of the Interior, Office of the Secretary, 
National Business Center, 7301 W. Mansfield Ave., MS D-2130, Denver, CO 
80235-2300.
    (2) Portions of the data covered by this system are also maintained 
at other Department of the Interior locations, both Federal buildings 
and Federally-leased space, where staffed guard stations have been 
established in facilities that have installed a smart card ID system, 
and/or paper-based physical security logs and registers, as well as the 
physical security office(s) of those locations. A list of these 
locations (as applicable to each bureau) is maintained by each bureau's 
Security Manager, whose address is provided under item (2) in System 
Manager and Address, below.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    (1) Individuals who require regular, ongoing access to Departmental 
facilities, including Departmental employees, contractors, students, 
interns, volunteers, affiliates, and individuals formerly in any of 
these positions. The system also includes individuals authorized to 
perform or use services provided in Departmental facilities (e.g., 
Credit Union, Fitness Center, etc.) NOTE: All of these individuals are 
required to have HSPD-12 compliant credentials issued from the National 
Business Center, within the Office of the Secretary of the Department 
of the Interior, if they are employed by DOI for more than 180 days.
    (2) Individuals who have been issued HSPD-12 compliant credentials 
from

[[Page 11044]]

other Federal agencies who require access to Departmental facilities.
    (3) Visitors and other individuals who require infrequent access to 
Department facilities including services provided in Departmental 
facilities (e.g., Departmental Museum, Indian Arts and Crafts Shop, 
etc.)

CATEGORIES OF RECORDS IN THE SYSTEM:
    (1) Records maintained on individuals issued HSPD-12 compliant 
credentials by the Department and by other Federal agencies include the 
following data fields: full name, Social Security Number; date of 
birth; signature; image (photograph); fingerprints; hair color; eye 
color; height; weight; home address; work address; e-mail address; 
agency affiliation (i.e., employee, contractor, volunteer, etc.); 
telephone number; personal identity verification (PIV) card issue and 
expiration dates; personal identification number (PIN); results of 
background investigation; PIV request form; PIV registrar approval 
signature; PIV card serial number; emergency responder designation; 
copies of ``I-9'' documents (e.g., driver's license, passport, birth 
certificate, etc.) used to verify identification or information derived 
from those documents such as document title, document issuing 
authority, document number, or document expiration date; level of 
national security clearance and expiration date; computer system user 
name; user access and permission rights, authentication certificates; 
and digital signature information.
    (2) Records maintained on visitors and other individuals who 
require infrequent access to Department facilities include the 
following data fields: Full name, signature; image (photograph), Social 
Security Number (or one of the following: Driver's License number, 
``Green Card'' number, Visa number, or other ID number), images of 
relevant ID document(s), U.S. Citizenship (yes or no/logical data 
field), date of entry, time of entry, location of entry, time of exit, 
location of exit, purpose for entry, agency point of contact, company 
name, security access category, and access status.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301; Federal Information Security Act (Pub. L. 104-106, 
sec. 5113); Electronic Government Act (Pub. L. 104-347, sec. 203); the 
Paperwork Reduction Act of 1995 (44 U.S.C. 3501); the Government 
Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C. 3504); Homeland 
Security Presidential Directive 12, Policy for a Common Identification 
Standard for Federal Employees and Contractors, August 27, 2004; 
Federal Property and Administrative Act of 1949, as amended; 5 U.S.C. 
301; and Presidential Memorandum on Upgrading Security at Federal 
Facilities, June 28, 1995.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    The primary purposes of the system are:
    (1) To ensure the safety and security of DOI facilities and their 
occupants in which the system is installed.
    (2) To verify that all persons entering DOI facilities or other 
Government facilities with smart card systems are authorized to enter 
them.
    (3) To verify that all persons entering DOI facilities or other 
Government facilities without smart cards are authorized to enter them.

    Note: This system interfaces with the Department's identify 
management system and personnel security files, covered by Interior/
DOI-45, ``HSPD-12: Identity Management System and Personnel Security 
Files.''

    Disclosures outside the Department of the Interior may be made:
    (1) To an expert, consultant, or contractor (including employees of 
the contractor) of DOI that performs, on DOI's behalf, services 
requiring access to these records.
    (2) To the Federal Protective Service and appropriate Federal, 
State, local or foreign agencies responsible for investigating 
emergency response situations or investigating or prosecuting the 
violation of or for enforcing or implementing a statute, rule, 
regulation, order or license, when DOI becomes aware of a violation or 
potential violation of a statute, rule, regulation, order or license.
    (3) To another agency with a similar HSPD-12 (PIV/smart card) 
system when a person with identification credentials issued by the 
Department desires access to that agency's facilities.
    (4) (a) To any of the following entities or individuals, when the 
circumstances set forth in paragraph (b) are met:
    (i) The U.S. Department of Justice (DOJ);
    (ii) A court or an adjudicative or other administrative body;
    (iii) A party in litigation before a court or an adjudicative or 
other administrative body; or
    (iv) Any DOI employee acting in his or her individual capacity if 
DOI or DOJ has agreed to represent that employee or pay for private 
representation of the employee;
    (b) When:
    (i) One of the following is a party to the proceeding or has an 
interest in the proceeding:
    (A) DOI or any component of DOI;
    (B) Any other Federal agency appearing before the Office of 
Hearings and Appeals;
    (C) Any DOI employee acting in his or her official capacity;
    (D) Any DOI employee acting in his or her individual capacity if 
DOI or DOJ has agreed to represent that employee or pay for private 
representation of the employee;
    (E) The United States, when DOJ determines that DOI is likely to be 
affected by the proceeding; and
    (ii) DOI deems the disclosure to be:
    (A) Relevant and necessary to the proceeding; and
    (B) Compatible with the purpose for which the records were 
compiled.
    (5) To a congressional office in response to a written inquiry that 
an individual covered by the system, or the heir of such individual if 
the covered individual is deceased, has made to the congressional 
office about the individual.
    (6) To an official of another Federal agency to provide information 
needed in the performance of official duties related to reconciling or 
reconstructing data files, in support of the functions for which the 
records were collected and maintained.
    (7) To representatives of the General Services Administration or 
the National Archives and Records Administration to conduct records 
management inspections under the authority of 44 U.S.C. 2903 and 2904.
    (8) To another agency with a similar HSPD-12 (PIV/smart card) 
system when it controls access to facilities occupied by the agency.
    (9) To appropriate agencies, entities, and persons when:
    (a) It is suspected or confirmed that the security or 
confidentiality of information in the system of records has been 
compromised; and
    (b) The Department has determined that as a result of the suspected 
or confirmed compromise there is a risk of harm to economic or property 
interest, identity theft or fraud, or harm to the security or integrity 
of this system or other systems or programs (whether maintained by the 
Department or another agency or entity) that rely upon the compromised 
information; and
    (c) The disclosure is made to such agencies, entities and persons 
who are reasonably necessary to assist in connection with the 
Department's efforts to respond to the suspected or confirmed 
compromise and prevent, minimize, or remedy such harm.

[[Page 11045]]

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored in electronic media and in paper files.

RETRIEVABILITY:
    Records are retrievable by name, Social Security Number, other ID 
number, image (photograph), fingerprint, organization/office of 
assignment, agency point of contact, company name, security access, 
category, date of entry, time of entry, location of entry, time of 
exit, location of exit, ID security card issue date, ID security card 
expiration date, and ID security card serial number.

SAFEGUARDS:
    Access to records covered by the system will be permitted only to 
authorized personnel in accordance with requirements found in the 
Departmental Privacy Act regulations (43 CFR 2.51). Paper records are 
stored in locked file cabinets in a secure area. Electronic records are 
maintained with safeguards meeting the requirements of 43 CFR 2.51 for 
automated records, which conform to Office of Management and Budget and 
Departmental guidelines reflecting the implementation of the Federal 
Information Security Management Act. The computer servers in which 
records are stored are located in computer facilities that are secured 
by alarm systems and off-master key access. The computer servers 
themselves are password-protected. Access granted to individuals at 
guard stations is password-protected; each person granted access to the 
system at guard stations must be individually authorized to use the 
system. A Privacy Act Warning Notice appears on the monitor screen when 
records containing information on individuals are first displayed. Data 
exchanged between the servers and the client PCs at the guard stations 
and badging office are encrypted. Backup tapes are stored in a locked 
and controlled room in a secure, off-site location. A Privacy Impact 
Assessment was completed to ensure that Privacy Act requirements and 
personally identifiable information safeguard requirements are met.

RETENTION AND DISPOSAL:
    Records relating to persons covered by this system are retained in 
accordance with General Records Schedule 18, Item No. 17. Unless 
retained for specific, ongoing security investigations:
    (1) Records relating to individuals other than employees are 
destroyed two years after ID security card expiration date.
    (2) Records relating to date and time of entry and exit of 
employees are destroyed two years after date of entry and exit.
    (3) All other records relating to employees are destroyed two years 
after ID security card expiration date.

SYSTEM MANAGER(S) AND ADDRESS:
    (1) Security Manager, Physical Security Office, Division of 
Employee and Public Services, National Business Center, MS-1224, 1849 C 
Street, NW, Washington, DC 20240.
    (2) Bureau Physical Security Managers:
    (a) Bureau of Indian Affairs: Indian Affairs Homeland Security 
Coordinator, 1849 C St., NW., Mail Stop 4160 MIB, Washington, DC 20240.
    (b) Bureau of Indian Education: Indian Affairs Homeland Security 
Coordinator, 1849 C St., NW., Mail Stop 4160 MIB, Washington, DC 20240.
    (c) Bureau of Land Management: Chief Security and Intelligence, 
Bureau of Land Management, Office of Law Enforcement and Security, 1620 
L Street, NW., Washington, DC 20036.
    (d) Bureau of Reclamation: Reclamation Security Officer, Bureau of 
Reclamation, P.O. Box 25007, Denver, CO 80225.
    (e) Minerals Management Service: IT Specialist, Minerals Management 
Service, 381 Elden Street, Mail Stop 2050, Herndon, VA 20170.
    (f) National Park Service: Law Enforcement, Security and Emergency 
Service Manager, National Park Service, Security and Intelligence 
Branch, 1201 I (Eye) St., NW., 10th Floor, Washington, DC 20005.
    (g) Office of Surface Mining, Reclamation and Enforcement: Security 
Officer, Office of Surface Mining, Reclamation and Enforcement, 1951 
Constitution Ave., NW., Mail Stop 344 SIB, Washington, DC 20240.
    (h) Office of the Inspector General: Support Services Supervisor, 
Office of the Inspector General, 12030 Sunrise Valley Drive, Suite 350, 
Mail Stop 5341, Reston, VA 20191.
    (i) Office of the Secretary/National Business Center: Office of the 
Secretary/National Business Center: Security Manager, National Business 
Center, Mail Stop 1224 MIB, 1849 C St., NW., Washington, DC 20240.
    (j) Office of the Solicitor: Director of Administrative Services, 
Division of Administration, Office of the Solicitor, 1849 C St., NW., 
Mail Stop 6556 MIB, Washington, DC 20240.
    (k) U.S. Fish and Wildlife Service: Security and Emergency Manager, 
U.S. Fish and Wildlife Service, 4401 N. Fairfax Dr., Arlington, VA 
22203.
    (l) U.S. Geological Survey: Bureau Security Manager, U.S. 
Geological Survey, 250 National Center, 12201 Sunrise Valley Drive, 
Reston, VA 20192.

NOTIFICATION PROCEDURE:
    An individual requesting notification of the existence of records 
on himself or herself maintained at either of the two main system 
locations should address his/her request to the Security Manager 
identified in (1), above. A request for notification of the existence 
of physical security records located at any other location should be 
addressed to the appropriate Bureau Security Manager identified in (2), 
above. The request must be in writing, signed by the requester, and 
include the requester's bureau and office affiliation and the address 
of the facility to which the requester needed access to facilitate 
location of the applicable records. (See 43 CFR 2.60.)

RECORD ACCESS PROCEDURE:
    An individual requesting access to records maintained on himself or 
maintained at either of the two main system locations should address 
his/her request to the Security Manager identified in (1), above. A 
request for access to physical security records located at any other 
location should be addressed to the appropriate Bureau Security Manager 
identified in (2), above. The request must be in writing, signed by the 
requester, and include the requester's bureau and office affiliation 
and the address of the facility to which the requester needed access to 
facilitate location of the applicable records. (See 43 CFR 2.63.)

CONTESTING RECORDS PROCEDURE:
    An individual requesting amendment of a record maintained on 
himself or herself at either of the two main system locations should 
address his/her request to the Security Manager identified in (1), 
above. A request for amendment of physical security records located at 
any other location should be addressed to the appropriate Bureau 
Security Manager identified in (2), above. The request must be in 
writing, signed by the requester, and include the requester's bureau 
and office affiliation and the address of the facility to which the 
requester needed access to facilitate location of the applicable 
records. (See 43 CFR 2.71.)

RECORD SOURCE CATEGORIES:
    Information is obtained from individuals covered by the system,

[[Page 11046]]

supervisors, and designated approving officials, as well as records 
supplied by the National Business Center's identity management system, 
other Federal agencies issuing HSPD-12 compliant cards, and HSPD-12 
compliant cards carried by individuals seeking access to Departmental 
and other Federal facilities occupied by agency employees.

EXEMPTIONS CLAIMED FOR THE SYSTEM:
    None.
 [FR Doc. E7-4414 Filed 3-9-07; 8:45 am]
BILLING CODE 4310-RK-P