[Federal Register Volume 64, Number 103 (Friday, May 28, 1999)]
[Notices]
[Pages 29032-29034]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-13636]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION


Privacy Act of 1974; System of Records

AGENCY: General Services Administration.

ACTION: Notice of a proposed new system of records subject to the 
Privacy Act of 1974.

-----------------------------------------------------------------------

SUMMARY: The General Services Administration (GSA) proposes to 
establish a new governmentwide system of records, Access Certificates 
for Electronic Services (ACES), GSA/GOVT-5. The system will allow on-
line access to personal information in participating Federal agencies' 
automated systems by individuals who are the subjects of the 
information. Up to now, many Federal information systems containing 
legally safeguarded personal information have been inaccessible to the 
public electronically because of an insufficient proof-of-identity 
capability. The new system will enable more timely and cost-effective 
communication between the public and the Federal Government while 
safeguarding personal information through state-of-the-art digital 
signature technologies.

DATES: Comments on the proposed system must be provided by June 28, 
1999. The proposed system will go into effect after that date without 
further notice unless the comments dictate otherwise.

ADDRESSES: Address comments to Stanley Choffrey, General Services 
Administration, Federal Technology Service, Office of Information 
Security, Room 5060, 7th and D Streets, SW, Washington, DC 20407, or e-
mail [email protected].

FOR FURTHER INFORMATION CONTACT: Stanley Choffrey on (202) 708-6099 or 
at the above address on the technical aspects of the ACES system; or 
Jinaita Kanarchuk concerning the GSA Privacy Program on (202) 501-1452, 
or e-mail [email protected].
GSA/GOVT-5

SYSTEM NAME:
    Access Certificates for Electronic Services (ACES).

SYSTEM LOCATION:
    System records are maintained for the General Services 
Administration (GSA) by contractors at various physical locations. A 
complete list of locations is available from: Administrative 
Contracting Officer, FEDCAC, Federal Technology Service, General 
Services Administration, 7th and D Streets, SW, Room 5060, Washington, 
DC 20407; telephone (202) 708-6099.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered are persons who have applied for the issuance 
of a digital signature certificate under the ACES program; have had 
their certificates amended, renewed, replaced, suspended, revoked, or 
denied; have used their certificates to electronically make contact 
with, retrieve information from, or submit information to an automated 
information system of a participating agency; have requested access to 
ACES records under the Freedom of Information Act (FOIA) or Privacy 
Act; and have corresponded with GSA or its ACES contractors concerning 
ACES services.

[[Page 29033]]

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system contains information needed to establish and verify the 
identity of ACES users, to maintain the system, and to establish 
accountability and audit controls. System records include:
    a. Applications for the issuance, amendment, renewal, replacement, 
or revocation of digital signature certificates under the ACES program, 
including evidence provided by applicants or proof of identity and 
authority, and sources used to verify an applicant's identify and 
authority.
    b. Certificates issued.
    c. Certificates denied, suspended, and revoked, including reasons 
for denial, suspension, and revocation.
    d. A list of currently valid certificates.
    3. A list of currently invalid certificates.
    f. A file of individuals requesting access and those granted access 
to ACES information under FOIA or the Privacy Act.
    g. A file of individuals requesting access and those granted access 
for reasons other than FOIA or the Privacy Act.
    h. A record of validation transactions attempted on digital 
signature certificates issued by the system.
    i. A record of validation transactions completed on digital 
signature certificates issued by the system.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 5124(b) of the Clinger-Cohen Act of 1996, 40 U.S.C. 1424, 
which provides authority for GSA to develop and facilitate 
governmentwide electronic commerce resources and services, and the 
Paperwork Reduction Act, 44 U.S.C. 3501, et seq., which provides 
authority for GSA to manage Federal information resources.

PURPOSE(S):
    To establish and maintain an electronic system to facilitate 
secure, on-line communication between Federal automated information 
systems and the public, using digital signature technologies to 
authenticate and verify identity.

ROUTINE USES OF THE SYSTEM RECORDS, INCLUDING CATEGORIES OF USERS AND 
THEIR PURPOSES FOR USING THE SYSTEM:
    Information from this system may be disclosed as a routine use:
    a. To GSA ACES program contractors to compile and maintain 
documentation on applicants for proofing applicants' identity and their 
authority to access information system applications of participating 
agencies.
    b. To GSA ACES program contractors to establish and maintain 
documentation on information sources for verifying applicants' 
identities.
    c. To Federal agencies participating in the ACES program to 
determine the validity of applicants' digital signature certificates in 
an on-line, near real time environment.
    d. To GSA, participating Federal agencies, and ACES contractors, 
for ensuring proper management, ensuring data accuracy, and evaluation 
of the system.
    e. To Federal, State, local or foreign agencies responsible for 
investigating, prosecuting, enforcing, or carrying out a statute, rule, 
regulation, or order when GSA becomes awares of a violation or 
potential violation of civil or criminal law or regulation.
    f. To a member of Congress or to a congressional staff member in 
response to a request from the person who is the subject of the record.
    g. To an expert, consultant, or contractor of GSA in the 
performance of a Federal duty to which the information is relevant.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    Disclosure of system records to consumer reporting systems is not 
permitted.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF SYSTEM RECORDS:
STORAGE:
    All records are stored by GSA ACES contractors or by GSA as hard 
copy documents and/or on electronic media.

RETRIEVAL:
    Records are retrievable by a personal identifier or by other 
appropriate type of designation approved by GSA and made available to 
ACES participants at the time of their application for ACES services.

Safeguards:
    System records are safeguarded in accordance with the requirements 
of the Privacy Act, the Computer Security Act, and OMB Circular A-130, 
Appendices I and III. Technical, administrative, and personnel security 
measures are implemented to ensure confidentiality and integrity of the 
system data stored, processed, and transmitted. The ACES System 
Security Plan, approved by GSA for each ACES contractor, provides for 
inspections, testing, continuity of operations, and technical 
certification of security safeguards. GSA accredits and annually re-
accredits each contractor system prior to its operation.

Retention and disposal:
    System records are retained and disposed of according to GSA 
records maintenance and disposition schedules and the requirements of 
the National Archives and Records Administration.

SYSTEM MANAGER(S) AND ADDREESS:
    Administrative Contracting Officer, FEDCAC, Federal Technology 
Service, General Services Administration, Room 5060, 7th and D Streets, 
SW, Washington, DC 20407.

Notification procedure:
    Inquiries from individuals should be addressed to the system 
manager. Applicants for digital signature certificates will be notified 
by the GSA ACES contractor which facilitates individual access to the 
relevant Federal agency database as follows:
    a. Each applicant will be provided, on a Government-approved form 
that can be retained by the individual applicant, the principal 
purposes of the ACES program; the authority for collecting the 
information; the fact that participation is voluntary; the fact that 
identity and authority information must be provided and verified before 
a certificate will be issued; the fact that the information provided is 
covered by the Privacy Act and the Computer Security Act; the routine 
uses that will be made of the information being provided; the 
limitations on the uses of the information being provided; the 
procedures to be followed for requesting access to the individual's own 
records; and the possible consequences of failing to provide all or 
part of the required information or intentionally providing false 
information.
    b. Written notification in response to an individual's request to 
be advised if the system contains a record pertaining to him/her.
    c. Written notification to an individual when any record on the 
individual is made available to any person under compulsory legal 
process when such process becomes a matter of public record.
    d. Written notification of the right to appeal to GSA by any 
individual on any dispute concerning the accuracy of his/her record.

Record access procedure:
    GSA ACES contractors will provide notification of, access to, 
review of, or copies of an individual's record upon his/her request as 
required by the Privacy Act.

Contesting record procedure:
    GSA ACES contractors will amend an individual's record upon his/her 
written

[[Page 29034]]

request, as required by the Privacy Act and GSA's implementing 
regulations, 41 CFR part 105-64. If the ACES contractor determines that 
an amendment is inappropriate, the contractor shall submit the request 
to the System Manager for a determination by GSA whether to grant or 
deny the request for amendment and direct response to the requester.

Record sources categories: 
    The sources for information in the system are the individuals who 
apply for digital signature certificates, GSA ACES contractors using 
independent sources to verify identities, and internal system 
transactions designed to gather and maintain data needed to manage and 
evaluate the ACES program.

Privacy Act exemptions claims for the system:
    None.

    Dated: May 21, 1999.
Daniel K. Cooper,
Director, Administrative Services Division.
[FR Doc. 99-13636 Filed 5-27-99; 8:45 am]
BILLING CODE 6820-34-M