[Federal Register Volume 59, Number 178 (Thursday, September 15, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-22797]




=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS

 

Privacy Act of 1974; Amendment of System Notice

AGENCY: Department of Veterans Affairs.

ACTION: Notice.

-----------------------------------------------------------------------

    Notice is hereby given that the Department of Veterans Affairs (VA) 
is considering adding two new routine uses to, and is amending other 
parts of, a system of records entitled Current and Former Accredited 
Representative, Claims Agent, and Representative and Claims Agent 
Applicant and Rejected Applicant Records--VA (01VA022) as set forth in 
the Federal Register 40FR38095 (8/26/75) and revised in 47FR1460 (1/13/
82) and 54FR30969 (7/25/89). VA is amending the system by revising the 
System Name and the paragraphs for System Location, Categories of 
Individuals Covered by the System, Categories of Records in the System, 
Authority for Maintenance of the System, Routine Uses of Records 
Maintained in the System, Including Categories of Users and the 
Purposes of Such Uses, and Policies and Practices for Storing, 
Retrieving, Accessing, Retaining, and Disposing of Records in the 
System, including Storage, Retrievability and Safeguards.
    VA has decided, as a matter of policy, to authorize those 
individuals approved by VA to represent claimants for VA benefits under 
38 CFR 14.626-.635 to have remote, on-line access to the automated 
Veterans Benefits Administration (VBA) claim records of those 
individuals whom they represent. In order to implement this policy, VA 
has published a notice of proposed rulemaking (59 FR 37008 (7-20-94)) 
to add sections 38 CFR 14.640 through 14.643.
    In the course of providing expanded remote access to accredited 
representatives of veterans service organizations, claims agents and 
attorneys approved to represent veterans under 38 CFR 14.629 and 
persons recognized pursuant to 38 CFR 14.630, VA will have to maintain 
certain information about these individuals. The following discussion 
explains the various types of information which the Department will 
create as part of the expanded remote access program, where and how it 
will be maintained, and the security for it.
    Each individual approved for expanded read-only remote access to 
automated veterans claim records will receive several access codes from 
the VBA Central Office Security Officer. (Later this responsibility 
will be transferred to the VBA Regional Office of jurisdiction for the 
first claims folder to which access is sought.)
    The VBA Central Office Security Officer will obtain these various 
codes from the following sources and provide them to each person 
granted access. The Security Officer will not retain a copy of this 
information. Each representative, claims agent or attorney will be 
issued a user identification code and personal password for the 
Department's computerized electronic communications system, IDCU 
(Integrated Data Communications Utility), by the security office 
responsible for IDCU in Martinsburg, West Virginia, which will retain 
records of these codes in automated form. Only security personnel at 
Martinsburg may access these codes.
    When the individual uses these codes to access IDCU, he or she will 
be routed automatically to the migration gateway to VBA's automated 
Benefits Delivery Network (BDN); access to any other IDCU activity will 
not be possible. At the migration gateway to the BDN, the individual 
will use a ``login'' identification code, and a personal password to 
obtain access to the BDN.
    Initially, the VBA Central Office Security Officer will issue the 
migration gateway access codes in response to requests for remote 
access. These codes will be stored in automated form in Central Office. 
At some point, the Security Officer for the local VBA Regional Office 
of jurisdiction for the first claim to which access is sought will 
assume these responsibilities to issue and store the migration gateway 
codes. That Regional Office will retain the ``login'' identification 
code in automated form. The security officer of the Regional Office of 
jurisdiction, security personnel at the VBA automated Benefits Delivery 
Center (BDC) in Hines, Illinois, and the VBA Central Office Security 
Officer will be the only agency personnel who may access the ``login'' 
identification codes. An individual's personal password will remain in 
the computer system, but no one, including system security officers or 
system managers, may access it. If a person forgets his or her 
migration gateway personal password, the individual will have to obtain 
a new one.
    After passing through the migration gateway, the individual must 
then use a BDN password, also issued by the Regional Office Security 
Officer, to access the BDN. The BDN password obtains access to records 
concerning individuals in one of five geographical sections of the 
country. One individual will be given access to more than one 
geographical region when clients are located in different areas of the 
United States.
    Each IDCU user identification code and personal password, migration 
gateway ``login'' identification code and personal password, and BDN 
passwords will be unique for each individual.
    To ensure the security of the various systems, Benefits Delivery 
Centers in Hines, Illinois, and Philadelphia, Pennsylvania, will 
monitor daily the use of BDN passwords, and will issue a daily report 
in hard copy to each Regional Office of any apparent security 
violations associated with any BDN password issued for whom it has 
oversight responsibility. The BDCs will retain this daily security log 
in automated form for thirty days; only VBA personnel located at the 
Hines and Philadelphia BDC's who are cleared for access to the daily 
security violation logs may access this automated information.
    The daily security violation log will list the identifying 
assignment code for the individual (not the individual's BDN password), 
and the particular violation code(s) associated with that person's 
password for that day. Each Regional Office is to retain the daily logs 
for six months. Only the Regional Office Security Officer will have 
access to the daily security violation logs until such time as it is 
determined that further investigation may be needed. At that point, the 
appropriate VA employees may receive the logs as necessary to conduct 
any oversight or investigation.
    VA will maintain security profiles on each individual granted 
remote access privileges. The data bases for the security profiles will 
be maintained in Hines, Illinois, and Philadelphia, Pennsylvania. The 
security profile on each individual will contain the following 
information in automated form: the individual's name; the individual's 
BDN passwords; the individual's assignment code; the code identifying 
their status, such as whether they are operating under a power of 
attorney or as a service organization representative; whether they have 
been granted the ability to read a veteran client's diagnostic codes; 
their level of access to sensitive records; if a veteran, their claims 
file number; and a listing of the read-only access commands they may 
utilize. The security profile on an individual may be retrieved only by 
the security personnel at Hines and Philadelphia, the VBA Central 
Office Security Officer and the Regional Office Security Officer for 
the Regional Office of jurisdiction for the first claim for which the 
individual was granted remote access to the veteran's automated 
benefits records.
    If VA determines that an individual's access privileges should be 
suspended or revoked generally, records, including possibly copies of 
the records mentioned above, will be gathered in an evidence file which 
will be retained in the Regional Office and in the Office of General 
Counsel, both in the field and in Central Office.
    As a result of the above actions, we are changing the System name 
to reflect that records in the altered system will be kept on attorneys 
also because of the need to retain records concerning their exercise of 
remote access privileges.
    We are adding to the System Location paragraph of 01VA022 the 
locations at which new records in the system will be maintained. 
Records concerning the authorization of individuals to access automated 
veterans claim records from remote locations will be maintained in the 
locations discussed above.
    We are adding two new categories of individuals to the paragraph 
concerning individuals covered by the system. The first category is 
attorneys who have applied for, currently hold, or previously have held 
the privilege of remote access to VBA automated claim records. We are 
also expanding the existing category of accredited representatives to 
include county veterans' service officers recommended by a recognized 
state organization because VA recently recognized the national 
organization of these officials under 14 CFR Sec. 14.628 for purposes 
of representation of individuals on claims for title 38 benefits.
    We are adding a new category of records to be maintained in the 
system to the paragraph concerning the categories of records in the 
system. This information will include information and correspondence 
relating to the application for, evaluation of and grant or denial of a 
request for remote access privileges, as well as information concerning 
the individual's use of remote access privileges and information 
concerning any determination whether to suspend or revoke an 
individual's remote access privileges.
    Because Congress enacted legislation renumbering the sections of 
title 38, United States Code, we are revising the paragraph containing 
the authority for maintenance of the system to reflect the renumbering.
    We propose to add two new routine uses to the paragraph of 01VA022 
which sets forth the routine uses for records maintained in the system. 
The regulations governing the remote access activity provide that VA 
will release information about individuals who have access privileges 
in two circumstances for which routine uses do not currently exist. 
Consequently, VA is adding the following two new routine uses as part 
of the implementation of the remote access regulations.
    First, if VA is considering whether to deny or suspend or revoke an 
individual's access privileges generally, VA may then notify the 
representative's employer or any recognized service organization with 
which such a representative is affiliated. Second, if the 
representative is licensed by a governmental entity, such as a state 
bar association, VA will report the conduct of the representative to 
that entity after revocation of access privileges if VA concludes that 
the conduct which was the basis for revocation of access privileges 
merits reporting.
    Both routine uses satisfy the compatibility requirement of 
subsection (a)(7) of the Privacy Act. VA will gather this information 
for the purposes of determining whether it should grant, deny, suspend 
or revoke an individual's remote access privileges to claimants' 
automated claim records generally, as well as ensuring the individual's 
continued compliance with the agency's requirements for exercise of the 
remote access privileges. This information concerns the qualifications 
and conduct of the individual, that is, the appropriateness of the 
individual to have remote access privileges to represent beneficiaries 
and claimants.
    State licensing entities, such as bar associations, routinely 
monitor and enforce the individual member's compliance with rules of 
conduct which are intended, at least in part, to protect the public. 
Additionally, under the rules of these organizations, these persons 
normally have a responsibility to protect and preserve the 
confidentiality of information concerning their clients.
    VA's proposed routine use authorizing disclosures to state 
licensing entities would allow VA to provide those state licensing 
entities with information which is relevant to their enforcement 
activities concerning compliance with those rules. VA gathered the 
information, at least in part, to help ensure the confidentiality of 
the VA's information on people who are, in essence, the clients of the 
individuals who are licensed by the state governmental entities. The 
purposes are sufficiently similar that the disclosure satisfies the 
compatibility requirement of subsection (a)(7) of the Privacy Act.
    Veterans service organizations and other entities represent 
veterans on claims matters. To do so effectively, they must have access 
to the confidential claims records of those veterans. Part of their 
acceptance within the community they serve is a confidence on the 
public's part that they and their accredited representatives and 
employees will zealously protect the privacy of their clients. If 
veterans perceive that the confidentiality of their records will not be 
honored, it will limit the effectiveness of these organizations in 
representing their clients. Thus, in order to effectively represent 
veterans, they are concerned about ensuring that individuals whom they 
use to conduct their representational activities act in a manner 
consistent with the organization's goal of preserving the 
confidentiality of their clients' claim records.
    As we stated in regard to the routine use authorizing disclosure of 
records to state licensing entities, VA gathered the information about 
remote access users, at least in part, to help ensure the 
confidentiality of the VA's information on its claimants who are, in 
essence, the clients of the organization which uses the individual 
representatives and claims agents to prosecute the veterans claims. The 
purposes are sufficiently similar that the disclosure satisfies the 
compatibility requirement of subsection (a)(7) of the Privacy Act.
    VA has determined that release of information under the 
circumstances described above is a necessary and proper use of 
information in this system of records and that the specific routine 
uses proposed for the transfer of this information are appropriate.
    An altered system of records report and a copy of the revised 
system notice have been sent to the House of Representatives Committee 
on Government Operations, the Senate Committee on Governmental Affairs, 
and the Office of Management and Budget (OMB) as required by 5 U.S.C. 
552a(r) and guidelines issued by OMB (59 FR 37906, 37916-18 (7-25-94)).
    Interested persons are invited to submit written comments, 
suggestions, or objections regarding the new routine use in this system 
of records to the Secretary, Department of Veterans Affairs (271A), 810 
Vermont Avenue NW., Washington, DC 20420. All relevant material 
received before [date thirty days after date of publication] will be 
considered. All written comments received will be available for public 
inspection at the above address only between the hours of 8 a.m. and 
4:30 p.m., Monday through Friday, except holidays, until October 25, 
1994.
    If no public comment is received during the 30 day review period 
allowed for public comment or unless otherwise published in the Federal 
Register by VA, the routine uses included herein are effective October 
17, 1994 or 40 days after the notice was approved, whichever is latest. 
Other changes to the system of records notice contained herein are 
effective upon publication.

    Approved: September 1, 1994.
Jesse Brown,
Secretary of Veterans Affairs.

Notice of Amendment to System of Records

    The system of records identified as 01VA022, ``Current and Former 
Accredited Representative, Claims Agent, and Representative and Claims 
Agent Applicant and Rejected Applicant Records--VA,'' as set forth in 
Federal Register publication, ``Privacy Act Issuances,'' 1991 
Compilation, Volume II, pages 919-20, is amended by adding the 
information and revising the entries as shown below:

01VA022

System Name

    Current and Former Accredited Representative, Claims Agent, 
Representative and Claims Agent Applicant and Rejected Applicant and 
Attorney Records--VA.

System Location

    Records are maintained in the Office of General Counsel (022), and 
in the Veterans Benefits Administration (213C), Department of Veterans 
Affairs Central Office, Washington, DC 20420. Records will also be 
maintained in the District Counsel Offices, and the security offices of 
the following components of the Veterans Benefits Administration: 
Regional Offices, and the Hines, Illinois and Philadelphia, 
Pennsylvania automated benefits records centers. Records also will be 
maintained in the Computer security office for the Integrated Data 
Communications Utility at the Department of Veterans Affairs Medical 
Center in Martinsburg, West Virginia. Address locations are listed in 
VA Appendix I as set forth in the Federal Register publication, 
``Privacy Act Issuances,'' 1991 Compilation, Volume II, pp. 989-994.

Categories of Individuals Covered by the System

    * * * (1) Individuals recommended by a recognized organization and 
accredited or previously accredited by VA to represent claimants for 
benefits; (2) claims agents (not attorneys) independent of a service 
organization who have applied for, and/or accredited or previously 
accredited by VA to represent claimants for benefits; (3) individuals 
whose names have been submitted to VA by service organizations for 
accreditation or who have applied to VA to become claims agents; and 
(4) attorneys who have applied for, currently hold, or previously held 
the privilege of remote access to Veterans Benefits Administration 
automated claims records.

Categories of Records in the System

    * * * (8) investigative reports, correspondence and other 
information concerning the fitness of a prospective, present, or former 
claims agent, accredited representative or attorney; (9) documents, 
decisions, correspondence and other information relating to or 
including the granting, denial, suspension or termination of 
accreditation of representatives or claims agents; (10) information 
concerning an individual's exercise of remote access privileges to the 
Veterans Benefits Administration automated claim records, including 
identification codes and codes used to access various VA automated 
communications systems and records systems, as well as security 
profiles and possible security violations; and (11) information, 
documents, correspondence, and decisions relating to the application 
for, and the grant, denial, suspension, or revocation of an 
individual's privilege of remote access to Veterans Benefits 
Administration automated claim records.

Authority for Maintenance of the System

    Title 38, United States Code, Sections 501(a), 5902 and 5904.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and the Purpose of Such Uses

* * * * *
    10. The name and address of an accredited representative, claims 
agent or attorney and any information concerning such individual 
relating to a suspension, revocation, or potential suspension or 
revocation of that individual's privilege of remote access to Veterans 
Benefits Administration automated claim records, may be disclosed to 
any recognized service organization with which the accredited 
representative is affiliated, and to any entity employing the 
individual to represent veterans on claims for veterans benefits.
    11. The name and address of a former accredited representative, 
claims agent or attorney, and any information concerning such 
individual, except a veteran's name and home address, which is relevant 
to a revocation of remote access privileges to Veterans Benefits 
Administration automated claim records may be disclosed to an 
appropriate governmental licensing organization where VA determines 
that the individual's conduct which resulted in revocation merits 
reporting.
* * * * *

Policies and Practices for Storing, Retrieving, Accessing, 
Retaining, and Disposing of Records in the System

Storage

    * * * Identification codes and codes used to access various VA 
automated communications systems and records systems, as well as 
security profiles and possible security violations, are maintained on 
magnetic media in a secure environment within VA workspaces. Hard 
copies are maintained in locked containers.
* * * * *

Retrievability

    * * * Information concerning possible security violations 
associated with exercise of remote access privileges is retrieved by 
individual assignment numbers. Information concerning individual 
security profiles and codes assigned to an individual for that person 
to obtain access to various computer systems is retrieved by the 
individual's assignment number.
* * * * *

Safeguards

    3. Access to automated records concerning identification codes and 
codes used to access various VA automated communications systems and 
records systems, as well as security profiles and possible security 
violations is limited to designated automated systems security 
personnel who need to know the information in order to maintain and 
monitor the security of the VA's automated communications and veterans' 
claim records systems. Access to these records in automated form is 
controlled by individually unique passwords/codes. Agency personnel may 
have access to the information on a need to know basis when necessary 
to advise agency security personnel or for use to suspend or revoke 
access privileges or to make disclosures authorized by a routine use.
    4. Access to VA facilities where identification codes, passwords, 
security profiles and possible security violations are maintained is 
controlled at all hours by the Federal Protective Service, VA or other 
security personnel and security access control devices.
* * * * *

[FR Doc. 94-22797 Filed 9-14-94; 8:45 am]
BILLING CODE 8320-01-M