[Federal Register Volume 73, Number 95 (Thursday, May 15, 2008)]
[Notices]
[Pages 28139-28142]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-10895]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

[Docket No. DHS-2008-0042 ]


Privacy Act of 1974; General Information Technology Access 
Account Records System

AGENCY: Privacy Office; DHS.

ACTION: Notice of Privacy Act system of records update.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, the Department of 
Homeland Security is giving notice that it proposes to update a system 
of records in its inventory. The Department of Homeland Security is 
updating the General Information Technology Access Account Records 
System system of records notice to include four new routine uses and to 
add to the categories of records covered by the system. The first new 
routine use

[[Page 28140]]

will allow for information sharing with federal agencies such as the 
Office of Personnel Management, the Merit Systems Protection Board, 
Office of Management and Budget, Federal Labor Relations Authority, 
Government Accountability Office, or the Equal Employment Opportunity 
Commission when information is requested in the performance of those 
agencies' official duties. The second routine use will allow for the 
routine sharing of business information outside of the Department for 
official purposes. This includes the sharing of business contact 
information to contacts outside of the Department. The third routine 
use allows for sharing for the purpose of investigating an alleged or 
proven act of identity fraud or theft. The fourth routine use allows 
sharing of information to regulatory and oversight bodies, including 
auditors, who are responsible for ensuring appropriate use of 
government resources.
    The categories of records in the system have been updated to 
clarify that the information used to access DHS networks is logged and 
recorded, specifically user IDs, date and time of access, and the 
internet protocol (IP) address of the computer used to access the 
network. Further added to the categories of records are the names of 
senders and receivers of email on DHS networks.

DATES: Written comments must be submitted on or before June 16, 2008.

ADDRESSES: You may submit comments, identified by Docket Number DHS-
2008-0042 by one of the following methods:
     Federal e-Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Fax: 1-866-466-5370
     Mail: Hugo Teufel III, Chief Privacy Officer, Privacy 
Office, Department of Homeland Security, Washington, DC 20528.
     Instructions: All submissions received must include the 
agency name and docket number for this rulemaking. All comments 
received will be posted without change to http://www.regulations.gov, 
including any personal information provided.
     Docket: For access to the docket to read background 
documents or comments received go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Please identify by Docket Number Dhs-
2008-0042 to request further information by one of the following 
methods:
     Mail: Hugo Teufel III, Chief Privacy Officer, Privacy 
Office, Department of Homeland Security, Washington, DC 20528.
     Facsimile: 1-866-466-5370.
     E-Mail: [email protected].

SUPPLEMENTARY INFORMATION:

I. Background

    As part of its efforts to streamline and consolidate its record 
system, the Department of Homeland Security (DHS) established the 
agency-wide systems of records under the Privacy Act of 1974 (5 U.S.C. 
552a) called the Department of Homeland Security General Information 
Technology Access Account Records System (GITAARS). This system of 
records is part of DHS's ongoing record integration and management 
efforts. This system consists of information collected in order to 
provide authorized individuals with access to DHS information 
technology resources. This information includes user name, business 
affiliation, account information and passwords.
    In order to further streamline Department operations, the GITAARS 
system of records notice is being updated to include four new routine 
uses.
    The first new routine use will allow for sharing with agencies such 
as the Office of Personnel Management (OPM), the Merit Systems 
Protection Board, Federal Labor Relations Authority, the Office of 
Management and Budget (OMB), Government Accountability Office (GAO), 
and the Equal Employment Opportunity Commission in the fulfillment of 
these agencies' official duties. For example, agencies such as OPM 
conduct regular workforce surveys, which involve the need of DHS to 
share employee data such as an employee's name, e-mail address, gender, 
and race/national origin. In some cases DHS must provide, in addition 
or in combination to the aforementioned, other information such as: 
Occupation group/family, organization, supervisory status, grade, work 
role, duty station, series, pay plan, service in government, highest 
level of education, years of professional service, years of service in 
government, projected retirement, position title, work phone number, 
and work address. This new routine use allows for sharing with those 
agencies in furtherance of those agencies' official duties.
    The second routine use added to the system of records notice allows 
for the routine sharing of business contact information amongst 
contacts, which includes but is not limited to private sector companies 
(contractors and non-contractors), private citizens, and other Federal, 
state, and local employees and agencies. This type of sharing includes 
the exchange of contact information through e-mail, business cards, 
phone conversations, and other disclosures of personal information that 
are routine and associated with the daily official business of the 
Department.
    The third routine use added to the system of records notice allows 
for any necessary sharing of information as it relates to the 
investigation or resolution of an alleged or proven incident of 
identity theft. This sharing might include e-mail address or contact 
information, which may help resolve an issue of identity, among other 
related issues related to identity theft.
    The fourth routine use added to the system of records allows for 
sharing with government regulatory and oversight bodies, including 
auditing bodies, who are responsible for ensuring appropriate use of 
government resources. This routine use may overlap with the first 
routine use noted above, but this routine use is specifically related 
to sharing for auditing and oversight purposes.
    The categories of records have been clarified to specifically state 
that e-mail traffic on DHS networks is recorded (sender and recipient 
e-mail addresses), and that all activity on DHS networks is recorded 
and may be used internally at DHS or for the purposes outlined in the 
routine uses of this system of records notices.

II. Privacy Act

    The Privacy Act embodies fair information principles in a statutory 
framework governing the means by which the United States Government 
collects, maintains, uses and disseminates individuals' records. The 
Privacy Act applies to information that is maintained in a ``system of 
records.'' A ``system of records'' is a group of any records under the 
control of an agency from which information is retrieved by the name of 
the individual or by some identifying number such as property address, 
or mailing address symbol, assigned to the individual. The General 
Information Technology Access Account Records System is such a system 
of records.
    The Privacy Act requires each agency to publish in the Federal 
Register a description denoting the type and character of each system 
of records that the agency maintains, and the routine uses that are 
contained in each system in order to make agency record keeping 
practices transparent, to notify individuals regarding the uses to 
which their records are put, and to assist individuals to more easily 
find such files within the agency. Below is the description of the 
``General Information

[[Page 28141]]

Technology Access Account Records System'':
    In accordance with 5 U.S.C. 552a(r), DHS has provided a report of 
this new system of records to the Office of Management and Budget and 
to Congress.
DHS/ALL-004

System name:
    General Information Technology Access Account Records System, DHS/
ALL-004.

Security classification:
    Unclassified but sensitive.

System location:
    Records are maintained by the Department of Homeland Security at 
the DHS Data Center in Washington, DC, and at a limited number of 
remote locations where DHS components or programs maintain secure 
facilities and conducts its mission.

Categories of individuals covered by the system:
    A. All persons who are authorized to access DHS Information 
Technology resources, including employees, contractors, grantees, 
private enterprises and any lawfully designated representative of the 
above and including representatives of Federal, State, territorial, 
tribal, local, international, or foreign government agencies or 
entities, in furtherance of the DHS mission;
    B. Individuals who serve on DHS boards and committees;
    C. Individuals who have business with DHS and who have provided 
personal information in order to facilitate access to DHS Information 
Technology resources; and
    D. Individuals who are points of contact provided for government 
business, operations, or programs, and the individual(s) they list as 
emergency contacts.

Categories of records in the system:
    DHS/ALL-004 contains names, business affiliations, facility 
positions held, business telephone numbers, cellular phone numbers, 
pager numbers, numbers where individuals can be reached while on travel 
or otherwise away from the office, citizenship, home addresses, 
electronic mail addresses of senders and recipients, records on access 
to DHS computers and networks including user ID, date and time of 
access, IP address of access, logs of Internet activity, and records on 
the authentication of the access request; records on the names and 
phone numbers of other contacts, the positions or titles of those 
contacts, their business affiliations and other contact information 
provided to the Department that is derived from other sources to 
facilitate authorized access to DHS Information Technology resources.

Authority for maintenance of the system:
    5 U.S.C. 301; 44 U.S.C. 3101.

Purpose(s):
    This system will collect a discrete set of personal information in 
order to provide authorized individuals access to or interact with DHS 
information technology resources. The information collected by the 
system will include full name, user name, account information, 
citizenship, business affiliation, contact information, and passwords. 
Directly resulting from the use of DHS information technology resources 
is the collection, review, and maintenance of any logs, audits, or 
other such security data regarding the use of such information 
technology resources.
    The system enables DHS to maintain: (a) Account information for 
gaining access to information technology; (b) lists of individuals who 
are appropriate organizational points of contact; and (c) lists of 
individuals who are emergency points of contact. The system will also 
enable DHS to provide individuals access to certain programs and 
meeting attendance and where appropriate allow for sharing of 
information between individuals in the same operational program to 
facilitate collaboration.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside DHS as a 
routine use pursuant to 5 U.S.C. 552a(b)(3), limited by privacy impact 
assessments, data sharing, or other agreements, as follows:
    A. To DHS contractors, consultants or others, when necessary to 
perform a function or service related to this system of records for 
which they have been engaged. Such recipients are required to comply 
with the Privacy Act of 1974, as amended (5 U.S.C. 552a).
    B. To sponsors, employers, contractors, facility operators, 
grantees, experts, and consultants in connection with establishing an 
access account for an individual or maintaining appropriate points of 
contact and when necessary to accomplish a DHS mission function or 
objective related to this system of records.
    C. To other individuals in the same operational program supported 
by an information technology system, where appropriate notice to the 
individual has been made that his or her contact information will be 
shared with other members of the same operational program in order to 
facilitate collaboration.
    D. To a Congressional office from the record of an individual in 
response to an inquiry from that Congressional office made at the 
written or attested to request of the individual to whom the record 
pertains.
    E. To the National Archives and Records Administration or other 
Federal government agencies pursuant to records management inspections 
being conducted under the authority of 44 U.S.C. Sections 2904 and 
2906.
    F. To the Department of Justice (DOJ), or other Federal agency 
conducting litigation or in proceedings before any court, adjudicative 
or administrative body, when: (a) DHS; (b) any employee of DHS in his/
her official capacity; (c) any employee of DHS in his/her individual 
capacity where DOJ or DHS has agreed to represent the employee; or (d) 
the United States or any agency thereof, is a party to the litigation 
or has an interest in such litigation.
    G. To federal agencies such as Office of Personnel Management, the 
Merit Systems Protection Board, the Office of Management and Budget, 
Federal Labor Relations Authority, Government Accountability Office, 
and the Equal Employment Opportunity Commission in the fulfillment of 
these agencies' official duties.
    H. To international, Federal, State and local, tribal, private and/
or corporate entities for the purpose of the regular exchange of 
business contact information in order to facilitate collaboration for 
official business.
    I. To an appropriate Federal, State, territorial, tribal, local, 
international, or foreign law enforcement agency or other appropriate 
authority charged with investigating or prosecuting a violation or 
enforcing or implementing a law, rule, regulation, or order, where a 
record, either on its face or in conjunction with other information, 
indicates a violation or potential violation of law, which includes 
criminal, civil, or regulatory violations and such disclosure is proper 
and consistent with the official duties of the person making the 
disclosure.
    J. To appropriate agencies, entities, and persons when: (1) It is 
suspected or confirmed that the security or confidentiality of 
information in the system of records has been compromised; (2) DHS has 
determined that, as a result of the suspected or confirmed compromise, 
there is a risk of

[[Page 28142]]

harm to economic or property interests, identity theft or fraud, or 
harm to the security or integrity of this system or other systems or 
programs (whether maintained by DHS or another agency or entity) that 
rely upon the compromised information; and (3) the disclosure is made 
to such agencies, entities, and persons who are reasonably necessary to 
assist in DHS's efforts to respond to the suspected or confirmed 
compromise and prevent, minimize, or remedy such harm.
    K. To Federal regulatory bodies, auditors, and any other oversight 
body charged with ensuring the appropriate use of government resources 
which includes but is not limited to financial, information technology, 
physical, and other resources.

Disclosure to consumer reporting agencies:
    None.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    Records in this system are on paper and/or in digital or other 
electronic form. Digital and other electronic images are stored on a 
storage area network in a secured environment. Records, whether paper 
or electronic, may be stored at the DHS Headquarters or at the 
component level. See the ``System Manager'' section below for a 
complete list of component system managers and contact information.

Retrievability:
    Information may be retrieved, sorted, and/or searched by an 
identification number assigned by computer, by facility, by business 
affiliation, e-mail address, or by the name of the individual, or other 
employee data fields previously identified in this SORN.

Safeguards:
    Information in this system is safeguarded in accordance with 
applicable laws, rules and policies, including the DHS Information 
Technology Security Program Handbook. Further, GITAARS security 
protocols will meet multiple NIST Security Standards from 
Authentication to Certification and Accreditation. Records in the 
GITAARS will be maintained in a secure, password protected electronic 
system that will utilize security hardware and software to include: 
multiple firewalls, active intruder detection, and role-based access 
controls. Additional safeguards will vary by component and program. All 
records are protected from unauthorized access through appropriate 
administrative, physical, and technical safeguards. These safeguards 
include: restricting access to authorized personnel who have a ``need 
to know;'' using locks; and password protection identification 
features. Classified information is appropriately stored in accordance 
with applicable requirements. DHS file areas are locked after normal 
duty hours and the facilities are protected from the outside by 
security personnel.

Retention and disposal:
    Records are retained and disposed of in accordance with the 
National Archives and Records Administration's General Records Schedule 
24, section 6, ``User Identification, Profiles, Authorizations, and 
Password Files.'' Inactive records will be destroyed or deleted 6 years 
after the user account is terminated or password is altered, or when no 
longer needed for investigative or security purposes, whichever is 
later.

System manager(s) and address:
    For Headquarters components of the Department of Homeland Security, 
the System Manager is the Director of Departmental Disclosure, U.S. 
Department of Homeland Security, Washington DC 20528.
    For operational components that comprise the U.S. Department of 
Homeland Security, the System Managers are as follows:
     United States Coast Guard, FOIA Officer/PA System Manager, 
Commandant, CG-611, U.S. Coast Guard, 2100 2nd Street, SW., Washington, 
DC 20593-0001.
     United States Secret Service, FOIA/PA System Manager, 
Suite 3000, 950 H Street, NW., Washington, DC 20223.
     Under Secretary for Federal Emergency Management 
Directorate, FOIA/PA System Manager, 500 C Street, SW., Room 840, 
Washington, DC 20472.
     Director, Citizenship and Immigration Services, U.S. 
Citizenship and Immigration Services, ATTN: Records Services Branch 
(FOIA/PA), 111 Massachusetts Ave., NW., 2nd Floor, Washington, DC 
20529.
     Commissioner, Customs and Border Protection, FOIA/PA 
System Manager, Disclosure Law Branch, Office of Regulations & Rulings, 
Ronald Reagan Building, 1300 Pennsylvania Avenue, NW. (Mint Annex), 
Washington, DC 20229.
     Bureau of Immigration and Customs Enforcement, FOIA/PA 
System Manager, Office of Investigation, Chester Arthur Building (CAB), 
425 I Street, NW., Room 4038, Washington, DC 20538.
     Assistant Secretary, Transportation Security 
Administration, FOIA/PA System Manager, Office of Security, West 
Building, 4th Floor, Room 432-N, TSA-20, 601 South 12th Street, 
Arlington, VA 22202-4220.
     Federal Protective Service, FOIA/PA System Manager, 1800 F 
Street, NW., Suite 2341, Washington, DC 20405.
     Federal Law Enforcement Training Center, Disclosure 
Officer, 1131 Chapel Crossing Road, Building 94, Glynco, GA 31524.
     Under Secretary for Science & Technology, FOIA/PA System 
Manager, Washington, DC 20528.
     Under Secretary for Preparedness, Nebraska Avenue Complex, 
Building 81, 1st floor, Washington, DC 20528.
     Director, Operations Coordination, Nebraska Avenue 
Complex, Building 3, Washington, DC 20529.
     Officer of Intelligence and Analysis, Nebraska Avenue 
Complex, Building 19, Washington, DC 20529.

Notification procedure:
    To determine whether this system contains records relating to you, 
write to the appropriate System Manager(s) identified above.

Record access procedures:
    A request for access to records in this system may be made by 
writing to the System Manager, identified above, in conformance with 6 
CFR Part 5, Subpart B, which provides the rules for requesting access 
to Privacy Act records maintained by DHS.

Contesting record procedures:
    Same as ``Records Access Procedures'' above.

Record source categories:
    Information contained in this system is obtained from affected 
individuals/organizations/facilities, public source data, other 
government agencies and/or information already in other DHS records 
systems.

Exemptions claimed for the system:
    None.

Hugo Teufel III,
Chief Privacy Officer, Department of Homeland Security.
 [FR Doc. E8-10895 Filed 5-14-08; 8:45 am]
BILLING CODE 4410-10-P