[Federal Register Volume 66, Number 62 (Friday, March 30, 2001)]
[Notices]
[Pages 17451-17453]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 01-7929]


=======================================================================
-----------------------------------------------------------------------

POSTAL SERVICE


Privacy Act of 1974, System of Records

AGENCY: Postal Service.

ACTION: Notice of new system of records.

-----------------------------------------------------------------------

SUMMARY: The purpose of this document is to publish notice of a new 
Privacy Act system of records, USPS 400.010, eServices Customer Program 
Records--USPS eServices Registration System (eRS). The new system 
contains records about individuals and companies who register to use 
Postal Service Internet-based services.

DATES: Any interested party may submit written comments on the proposed 
new system of records. This proposal will become effective without 
further notice on May 9, 2001, unless comments received on or before 
that date result in a contrary determination.

ADDRESSES: Written comments on this proposal should be mailed or 
delivered to Finance Administration/FOIA, United States Postal Service, 
475 L'Enfant Plaza SW., Rm 8141, Washington, DC 20260-5202. Copies of 
all written comments will be available at the above address for public 
inspection and photocopying between 8 a.m. and 4 p.m., Monday through 
Friday.

FOR FURTHER INFORMATION CONTACT: Robert J. Faruq at (202) 268-2608.

SUPPLEMENTARY INFORMATION: The United States Postal Service (USPS) is 
developing a variety of services that have an Internet-based customer 
interface and/or service capability. USPS eServices Registration 
provides a centralized infrastructure platform and method for customers 
to register with the USPS in order to use these services. This notice 
establishes a new Privacy Act system of records, USPS 400.010, the USPS 
eServices Registration System, to cover records collected and 
maintained as a result of customers registering for USPS Internet-based 
services.
    To register, a customer is required to fill out an e-Form presented 
via the eServices Registration portion of the USPS Web site (http://www.usps.com).
    The USPS eServices Registration System standardizes a customer's 
registration process for all services that use it as a registration 
interface. It provides a customer the ability to register through one 
interface, making the registration process for various USPS 
applications convenient and efficient. While capturing application-
specific user information for each online service offered by the USPS, 
the

[[Page 17452]]

eServices Registration System will maintain a look and feel that is 
consistent with other USPS Web site interfaces.
    When a customer registers for any of the services supported by 
eServices Registration, a single customer registration information file 
is created for the registering customer. eServices Registration manages 
the customer information that has been provided and cross-references 
common data elements between services from this record as authorized by 
the customer.
    eServices Registration will cross reference data between 
applications so customers are not required to re-enter the same 
information each time they sign up for an additional service. If a user 
attempts to use an application, but has not previously registered for 
the service, the customer information specific to that application will 
be pre-populated with the user's current information, and the user will 
be required to enter only that additional information that is still 
needed by the new application. Once registered, the user will also be 
allowed to edit the information at any time.
    Because the USPS eServices Registration System stores data in a 
central database, when a customer updates the registration information, 
the changes automatically become available for all applications that 
have authorization to access the information. In addition, through 
interconnection with (a) the USPS channel for customers who are moving 
to file an official Change of Address and (b) the Address Management 
System, each customer's address will be automatically standardized 
using approved postal formats and will be updated across applications 
recorded in the eRS.
    General routine-use statements b, e, f, and j, listed in the 
prefatory statement at the beginning of the Postal Service's published 
system notices, apply to this system of records and are applicable to 
most of the Postal Service's systems of records in that they are 
disclosures routinely necessary to conduct business. These include the 
need to disclose information in litigation involving the Postal 
Service; to an agency contractor fulfilling an agency function; to a 
congressional office at the request of the records subject; and to 
outside auditors in connection with an audit of Postal Service 
finances. These general routine uses were last published in the Federal 
Register on October 26, 1989 (54 FR 43654-43655).
    In addition, five routine uses have been added: Routine Use 1 
permits disclosure to the Postal Service technology and/or service 
provider who is acting as an agent on behalf of the Postal Service. 
Routine Use 2 permits disclosure to a payee or financial institution 
for bill payment in conjunction with USPS electronic bill presentment 
and payment services. Routine Use 3 permits disclosure to an authorized 
credit bureau or another government agency for the purpose of identity 
verification. Routine Use 4 permits disclosure for law enforcement 
purposes, but only pursuant to a federal search warrant. Routine Use 5 
permits disclosure pursuant to a federal court order.
    The new system is not expected to have an adverse effect on 
individual privacy rights. Any contractor that maintains information 
collected by this system is made subject to the Privacy Act in 
accordance with subsection (m) of the Act and is required to apply 
appropriate protections subject to audit and inspection by the Postal 
Inspection Service. Procedures are in place to verify identity of 
individuals, the accuracy of information maintained, and the security 
of information maintained and transmitted.
    USPS envisions that certain services will (a) require eServices 
Registration to request construction of a USPS-approved Public Key 
Infrastructure (PKI)-based digital certificate from a Certificate 
Authority and (b) electronically deliver the digital certificate to 
customers in order for them to use the service. As part of this 
process, customers will be required to provide information and complete 
the necessary steps that enable their identity to be adequately 
verified. Customers wishing to use this type of service must agree to 
and comply with the USPS subscriber agreement that applies to the USPS-
approved digital certificate(s) issued to them, as well as any service-
specific terms and conditions that provide for enrollment to the 
requested service, if identity or other information cannot be verified. 
Customers must further accept the responsibility, if issued a USPS-
approved digital certificate, to protect both their system and their 
USPS PKI private key access passwords, not share them with others, and 
report any suspected compromise of their USPS PKI private key as 
directed.
    Security controls have been applied to protect the information 
during transmission and physical maintenance. The system is housed 
within a secure facility in a restricted area. Access is controlled by 
an installed security software package, logon identifications and 
passwords, and operating system controls. Information is transmitted in 
a secure session established by Secure Sockets Layer (SSL) equivalent, 
or better, technology. These technologies encrypt or scramble the 
transmitted information so it is virtually impossible for anyone other 
than the Postal Service or its contracted agent to read it while in 
transit.
    Pursuant to 5 U.S.C. 552a(e)(11), interested persons are invited to 
submit written data, views, or arguments on this proposal. A report of 
the following proposed system has been sent to Congress and to the 
Office of Management and Budget for their evaluation.
USPS 400.010

System Name:
    eServices Customer Program Records--USPS eServices Registration 
System (eRS) Records, USPS 400.010.

System Location:
    Office of Chief Technology Officer; National Customer Support 
Center (Memphis, TN), Postal Headquarters; and contractor site.

Categories of Individuals Covered by the System:
    Customers who register for USPS services via the USPS Web site, 
www.usps.com, which uses the eServices Registration System (eRS) as its 
registration platform.

Categories of Records in the System:
    Depending on the service or product requested by the customer, this 
information is collected in order to provide that service or product 
and, if necessary, to verify the customer's identity. Customer-provided 
registration information captured and stored within eServices 
Registration will include username, password, verification question and 
answer, customer name, home/mailing address, e-mail address(es), and a 
promotional advertising acceptance (opt-in) answer. Depending on the 
service(s) requested by the customer, eRS information may also include 
secondary mailing address(es), employer name and address, date of 
birth, tax identification number, home and work phone number, fax phone 
number, public key data related to the customer, bank account 
information (name, type, account number, routing/transit number), 
credit card information (number, expiration date, type), driver's 
license information or state ID information (number, state, and 
expiration date), military ID information (number, branch, expiration 
date), or passport/visa information (number, expiration date, and 
issuing country).

[[Page 17453]]

    In some cases, depending on the service or product requested by the 
customer, eServices Registration may collect a customer's Social 
Security Number as part of the registration process in order for the 
application to provide the customer the desired product or service.

Authority for Maintenance of the System:
    39 U.S.C. 401, 403, and 404.

Purpose(s):
    Information in this system is used to provide online registration 
capability to postal customers who request an Internet-based eService, 
and to provide that service.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and the Purposes of Such Uses:
    General routine-use statements b, e, f, and j, listed in the 
prefatory statement at the beginning of the Postal Service's published 
system notices apply to this system. Other routine uses of information 
from this system are as follows:
    1. Disclosure to a Postal Service technology and/or service 
provider who is acting as an agent on behalf of the Postal Service, 
such as a Registration Authority or Customer Care/helpdesk operator.
    2. Disclosure to a payee or financial institution for billing 
payment.
    3. Disclosure to an authorized credit bureau or government agency 
maintaining a system of records (Social Security Administration, Health 
Care Finance Administration, etc.) for the purpose of identity 
verification.
    4. Disclosure for law enforcement purposes to a government agency, 
either federal, state, local, or foreign, but only pursuant to a 
federal warrant duly issued under Rule 41 of the Federal Rules of 
Criminal Procedure. See Administrative Support Manual 274.6 for 
procedures relating to search warrants.
    5. Disclosure pursuant to the order of a federal court of competent 
jurisdiction.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records in the System:
Storage:
    Automated database, computer storage media, and paper forms.

Retrievability:
    Information is retrieved by customer identification name or number, 
email address, phone number, customer name, and/or physical address.

Safeguards:
    Paper records and computer storage tapes and disks are maintained 
in controlled-access areas or under general scrutiny of program 
personnel. Computers containing information are located in controlled-
access areas with personnel access controlled by a cypher lock system, 
card key system, or other physical access control method, as 
appropriate. Authorized persons must be identified by a badge. Computer 
systems are protected with an installed security software package, 
computer logon identifications, and operating system controls including 
access controls, terminal and user identifications, and file 
management. Online data transmission is protected by encryption. 
Contractors must provide similar protection subject to operational 
security compliance review by the Postal Inspection Service.

Retention and Disposal:
    Personal enrollment information stored in the eServices 
Registration database is maintained until the customer cancels the 
profile record or the profile information has not been accessed for any 
purpose for a period of 12 months; the information is then archived for 
2 years. If an individual has been issued a USPS digital certificate, 
the maintenance of that person's profile information in the eRS 
database will be extended beyond this 12-month disuse period, to 
coincide with the certificate's expiration date. Thereafter, the 
information is archived on nonportable computer hard disk or magnetic 
tape for seven (7) years. Customers who have requested postal services 
or products requiring in-person identity authentication will have a 
USPS Form 2001, Identity Validation Form, maintained on file as part of 
this record system. The information on this paper record will be 
maintained for seven (7) years. At the end of the retention period, 
data on magnetic tape is destroyed by over-recording, data on hard disk 
is deleted or over-recorded, and, if issued, USPS Form 2001 is 
shredded.

System Manager(s) and Address:
    Chief Technology Officer Senior Vice President, United States 
Postal Service, 475 L'Enfant Plaza SW RM 2100, Washington DC 
20260-4400.

Notification Procedure:
    Individuals wanting to know whether information about them is 
maintained in this system of records must address inquiries in writing 
to the system manager. Inquiries must contain name and address or other 
identifying information.

Record Access Procedures:
    Requests for access must be made in accordance with the 
Notification Procedure above and the Postal Service Privacy Act 
regulations regarding access to records and verification of identity 
under 39 CFR 266.6.

Contesting Record Procedures:
    See Notification Procedure and Record Access Procedures above.

Record Source Categories:
    Customers registering for USPS eServices.

Stanley F. Mires,
Chief Counsel, Legislative.
[FR Doc. 01-7929 Filed 3-29-01; 8:45 am]
BILLING CODE 7710-12-P