[Federal Register Volume 73, Number 81 (Friday, April 25, 2008)]
[Notices]
[Pages 22380-22381]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-8886]
-----------------------------------------------------------------------
GENERAL SERVICES ADMINISTRATION
Privacy Act of 1974; Notice of Updated Systems of Records
AGENCY: General Services Administration.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: GSA reviewed its Privacy Act systems to ensure that they are
relevant, necessary, accurate, up-to-date, covered by the appropriate
legal or regulatory authority, and in response to OMB M-07-16. This
notice is a compilation of updated Privacy Act system of record
notices.
DATES: Effective May 27, 2008.
FOR FURTHER INFORMATION CONTACT: Call or e-mail the GSA Privacy Act
Officer: telephone 202-208-1317; e-mail [email protected].
ADDRESSES: GSA Privacy Act Officer (CIB), General Services
Administration, 1800 F Street NW., Washington, DC 20405.
SUPPLEMENTARY INFORMATION: GSA undertook and completed an agency wide
review of its Privacy Act systems of records. As a result of the review
GSA is publishing updated Privacy Act systems of records notices.
Rather than make numerous piecemeal revisions, GSA is republishing
updated notices for one of its systems. Nothing in the revised system
notices indicates a change in authorities or practices regarding the
collection and maintenance of information. Nor do the changes impact
individuals' rights to access or amend their records in the systems of
records. The updated system notices also includes the new requirement
from OMB Memorandum M-07-16 regarding a new routine use that allows
agencies to disclose information in connection with a response and
remedial efforts in the event of a data breach.
Dated: April 16, 2008.
Cheryl M. Paige,
Director, Office ofInformation Management.
GSA/GOVT-5
SYSTEM NAME:
Access Certificates for Electronic Services (ACES).
SYSTEM LOCATION:
System records are maintained for the General Services
Administration (GSA) by contractors at various physical locations. A
complete list of locations is available from: Administrative
Contracting Officer, FEDCAC, Federal Technology Service, General
Services Administration, 7th and D Streets, SW., Room 5060, Washington,
DC 20407; telephone (202) 708-6099.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Individuals covered are persons who have applied for the issuance
of a digital signature certificate under the ACES program; have had
their certificates amended, renewed, replaced, suspended, revoked, or
denied; have used their certificates to electronically make contact
with, retrieve information from, or submit information to an automated
information system of a participating agency; have requested access to
ACES records under the Freedom of Information Act (FOIA) or Privacy
Act; and have corresponded with GSA or its ACES contractors concerning
ACES services.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system contains information needed to establish and verify the
identity of ACES users, to maintain the system, and to establish
accountability and audit controls. System records include:
a. Applications for the issuance, amendment, renewal, replacement,
or revocation of digital signature certificates under the ACES program,
including evidence provided by applicants or proof of identity and
authority, and sources used to verify an applicant's identify and
authority.
b. Certificates issued.
c. Certificates denied, suspended, and revoked, including reasons
for denial, suspension, and revocation.
d. A list of currently valid certificates.
e. A list of currently invalid certificates.
f. A file of individuals requesting access and those granted access
to ACES information under FOIA or the Privacy Act.
g. A file of individuals requesting access and those granted access
for reasons other than FOIA or the Privacy Act.
h. A record of validation transactions attempted on digital
signature certificates issued by the system.
i. A record of validation transactions completed on digital
signature certificates issued by the system.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Section 5124(b) of the Clinger-Cohen Act of 1996, 40 U.S.C. 1424,
which provides authority for GSA to develop and facilitate
governmentwide electronic commerce resources and services, and the
Paperwork Reduction Act, 44 U.S.C. 3501, et. seq., which provides
authority for GSA to manage Federal information resources.
PURPOSE:
To establish and maintain an electronic system to facilitate
secure, on-line communication between Federal automated information
systems and the public, using digital signature technologies to
authenticate and verify identity.
ROUTINE USES OF THE SYSTEM RECORDS, INCLUDING CATEGORIES OF USERS AND
THEIR PURPOSES FOR USING THE SYSTEM:
Information from this system may be disclosed as a routine use:
a. To GSA ACES program contractors to compile and maintain
documentation on applicants for proofing applicants' identity and their
authority to access information system applications of participating
agencies.
b. To GSA ACES program contractors to establish and maintain
documentation on information sources for verifying applicants'
identities.
c. To Federal agencies participating in the ACES program to
determine the validity of applicants' digital signature certificates in
an on-line, near real time environment.
d. To GSA, participating Federal agencies, and ACES contractors,
for ensuring proper management, ensuring data accuracy, and evaluation
of the system.
e. To Federal, State, local or foreign agencies responsible for
investigating,
[[Page 22381]]
prosecuting, enforcing, or carrying out a statute, rule, regulation, or
order when GSA becomes aware of a violation or potential violation of
civil or criminal law or regulation.
f. To a member of Congress or to a congressional staff member in
response to a request from the person who is the subject of the record.
g. To an expert, consultant, or contractor of GSA in the
performance of a Federal duty to which the information is relevant.
h. To appropriate agencies, entities, and persons when (1) the
Agency suspects or has confirmed that the security or confidentiality
of information in the system of records has been compromised; (2) the
Agency has determined that as a result of the suspected or confirmed
compromise there is a risk of harm to economic or property interests,
identity theft or fraud, or harm to the security or integrity of this
system or other systems or programs (whether maintained by GSA or
another agency or entity) that rely upon the compromised information;
and (3) the disclosure made to such agencies, entities, and persons is
reasonably necessary to assist in connection with GSA's efforts to
respond to the suspected or confirmed compromise and prevent, minimize,
or remedy such harm.
i. To a Federal agency in connection with the hiring or retention
of an employee; the issuance of a security clearance; the reporting of
an investigation; the letting of a contract; or the issuance of a
grant, license, or other benefit to the extent that the information is
relevant and necessary to a decision.
j. To the Office of Personnel Management (OPM), the Office of
Management and Budget (OMB), or the Government Accountability Office
(GAO) when the information is required for program evaluation purposes.
k. To an expert, consultant, or contractor of GSA in the
performance of a Federal duty to which the information is relevant.
l. To the National Archives and Records Administration (NARA) for
records management purposes.
Disclosure to consumer reporting agencies: Disclosure of system
records to consumer reporting systems is not permitted.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF SYSTEM RECORDS:
STORAGE:
All records are stored by GSA ACES contractors or by GSA as hard
copy documents and/or on electronic media.
RETRIEVABILITY:
Records are retrievable by a personal identifier or by other
appropriate type of designation approved by GSA and made available to
ACES participants at the time of their application for ACES services.
SAFEGUARDS:
System records are safeguarded in accordance with the requirements
of the Privacy Act, the Computer Security Act, and OMB Circular A-130,
Appendices I and III. Technical, administrative, and personnel security
measures are implemented to ensure confidentiality and integrity of the
system data stored, processed, and transmitted. The ACES System
Security Plan, approved by GSA for each ACES contractor, provides for
inspections, testing, continuity of operations, and technical
certification of security safeguards. GSA accredits and annually re-
accredits each contractor system prior to its operation.
RETENTION AND DISPOSAL:
System records are retained and disposed of according to GSA
records maintenance and disposition schedules and the requirements of
the National Archives and Records Administration.
SYSTEM MANAGER AND ADDRESS:
Administrative Contracting Officer, FEDCAC, Federal Technology
Service, General Services Administration, Room 5060, 7th and D Streets,
SW., Washington, DC 20407.
NOTIFICATION PROCEDURE:
Inquiries from individuals should be addressed to the system
manager. Applicants for digital signature certificates will be notified
by the GSA ACES contractor which facilitates individual access to the
relevant Federal agency database as follows:
a. Each applicant will be provided, on a Government-approved form
that can be retained by the individual applicant, the principal
purposes of the ACES program; the authority for collecting the
information; the fact that participation is voluntary; the fact that
identity and authority information must be provided and verified before
a certificate will be issued; the fact that the information provided is
covered by the Privacy Act and the Computer Security Act; the routine
uses that will be made of the information being provided; the
limitations on the uses of the information being provided; the
procedures to be followed for requesting access to the individual's own
records; and the possible consequences of failing to provide all or
part of the required information or intentionally providing false
information.
b. Written notification in response to an individual's request to
be advised if the system contains a record pertaining to him/her.
c. Written notification to an individual when any record on the
individual is made available to any person under compulsory legal
process when such process becomes a matter of public record.
d. Written notification of the right to appeal to GSA by any
individual on any dispute concerning the accuracy of his/her record.
RECORD ACCESS PROCEDURE:
GSA ACES contractors will provide notification of, access to,
review of, or copies of an individual's record upon his/her request as
required by the Privacy Act.
CONTESTING RECORD PROCEDURE:
GSA ACES contractors will amend an individual's record upon his/her
written request, as required by the Privacy Act and GSA's implementing
regulations, 41 CFR part 105-64. If the ACES contractor determines that
an amendment is inappropriate, the contractor shall submit the request
to the System Manager for a determination by GSA whether to grant or
deny the request for amendment and direct response to the requester.
RECORD SOURCES CATEGORIES:
The sources for information in the system are the individuals who
apply for digital signature certificates, GSA ACES contractors using
independent sources to verify identities, and internal system
transactions designed to gather and maintain data needed to manage and
evaluate the ACES program.
[FR Doc. E8-8886 Filed 4-24-08; 8:45 am]
BILLING CODE 6820-34-P