[Federal Register Volume 67, Number 242 (Tuesday, December 17, 2002)]
[Notices]
[Pages 77316-77318]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-31261]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY


Departmental Offices; Privacy Act of 1974; System of Records

AGENCY: Departmental Offices, Treasury.

ACTION: Notice of proposed Privacy Act system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the Department of the Treasury (Department) gives 
notice of a proposed system of records entitled ``Treasury/DO .216--
Treasury Security Access Control and Certificates Systems.''

DATES: Comments must be received no later than January 16, 2003. The 
proposed system of records will be effective January 27, 2003, unless 
the Department receives comments that would result in a contrary 
determination.

ADDRESSES: Comments should be sent to Patrick Geary, Director, Physical 
Security, Department of the Treasury, 1500 Pennsylvania Ave., NW., 
Washington, DC. E-mail: [email protected]

FOR FURTHER INFORMATION CONTACT: Patrick Geary, Office of Security, 
(202) 622-1058.

SUPPLEMENTARY INFORMATION: The Department of the Treasury is giving 
notice of a new system of records which is subject to the Privacy Act. 
The proposed system of records will maintain Treasury headquarters, 
Departmental Offices (DO), information on all employees and contractors 
working in DO for the purpose of providing additional physical and 
cyber security for DO assets. The new system of records covers three 
principal areas: (1) Physical access to the Treasury headquarters 
complex, selected spaces in that complex and other DO spaces; (2) 
Access to cyber information assets; and (3) Physical access to off-site 
continuity of operations locations. New identification badges will be 
issued containing the employee's 
photograph, fingerprint minutia, a public key (PKI) certificate and the 
employee's social security number.
    DO plans to implement a new Access Control System for Treasury 
headquarters including the Main Treasury and Annex buildings that will 
utilize new DO identification badges to be issued because of the 
September 11, 2001 incidents. The new badge will be used to gain access 
to cyber assets including the DO desktop PC, the DO LAN, DO laptop and 
notebook computers. Finally, the new badge will be utilized by selected 
DO staff and contractors involved and/or designated as key personnel 
during conditions that require activation of the DO COOP locations. The 
badge, which includes biometrics, will be used as an additional level 
of security authentication during conditions that involve activation of 
COOP sites.
    The new system of records report, as required by 5 U.S.C. 552a(r) 
of the Privacy Act, has been submitted to the Committee on Government 
Reform and Oversight of the House of Representatives, the Committee on 
Governmental Affairs of the Senate and the Office of Management and 
Budget, pursuant to Appendix I to OMB Circular A-130, ``Federal Agency 
Responsibilities for Maintaining Records About Individuals,'' dated 
November 30, 2000. This system of records, ``Treasury/DO .216--Treasury 
Security Access Control and Certificates Systems,'' is published in its 
entirety below.

    Dated: December 3, 2002.
W. Earl Wright, Jr.,
Chief Management and Administrative Programs Officer.
Treasury/DO .216

System name:
    Treasury Security Access Control and Certificates Systems.

System location:
    Department of the Treasury, 1500 Pennsylvania Avenue, NW, 
Washington, DC 20220.

Categories of individuals covered by the system:
    Treasury employees, contractors, media representatives, other 
individuals requiring access to Treasury facilities or to receive 
government property, and those who need to gain access to a Treasury DO 
cyber asset including the network, LAN, desktops and notebooks.

Categories of records in the system:
    Individual's application for security/access badge, individual's 
photograph, fingerprint record, special credentials, allied papers, 
registers, and logs reflecting sequential numbering of security/access 
badges. The system also contains information needed to establish 
accountability and audit control of digital certificates that have been 
assigned to personnel who require access to Treasury DO cyber assets 
including the DO network and LAN as well as those who transmit 
electronic data that requires protection by enabling the use of public 
key cryptography. It also contains records that are needed to authorize 
an individual's access to a Treasury network.
    Records may include the individual's name, organization, work 
telephone number, Social Security Number, date of birth, Electronic 
Identification Number, work e-mail address, username and password, 
country of birth, citizenship, clearance and status, title, home 
address and phone number, biometric data including fingerprint minutia, 
and alias names.
    Records on the creation, renewal, replacement or revocation of 
digital certificates, including evidence provided by applicants for 
proof of identity and authority, sources used to verify an applicant's 
identity and authority, and the certificates issued, denied and 
revoked, including reasons for denial and revocation.

Authority for maintenance of the system:
    5 U.S.C. 301; 31 U.S.C. 321; the Electronic Signatures in Global 
and National Commerce Act, Pub. L. 106-229, and E.O. 9397 (SSN).

Purpose(s):
    The purpose is to: Improve security to both Treasury DO physical 
and cyber assets; maintain records concerning the security/access 
badges issued; restrict entry to installations and activities; ensure 
positive identification of personnel authorized access to restricted 
areas; maintain accountability for issuance and disposition of 
security/access badges; maintain an electronic system to facilitate 
secure, on-line communication between Federal automated systems, 
between Federal employees or contractors, and/or the public, using 
digital signature technologies to authenticate and verify identity; 
provide a means of access to Treasury cyber assets including the DO 
network, LAN, desktop and laptops; and to provide mechanisms for non-
repudiation of personal identification and access to DO sensitive cyber 
systems including but not limited to human resource, financial, 
procurement, travel and property systems as well as tax, econometric 
and other mission critical systems. The system also maintains records 
relating to the issuance of digital certificates utilizing public key 
cryptography to employees and contractors for the purpose of the 
transmission of sensitive electronic material that requires protection.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    These records may be used to disclose information to: (1) 
Appropriate Federal, state, local and foreign agencies for the purpose 
of enforcing and investigating administrative, civil or criminal law 
relating to the hiring or retention of an employee; issuance of a 
security clearance, license, contract, grant or other benefit;
    (2) A court, magistrate, or administrative tribunal in the course 
of presenting evidence, including disclosures to opposing counsel or 
witnesses in the course of or in preparation for civil discovery, 
litigation, or settlement negotiations, in response to a subpoena where 
relevant or potentially relevant to a proceeding, or in connection with 
criminal law proceedings;
    (3) A contractor for the purpose of compiling, organizing, 
analyzing, programming, or otherwise refining records to accomplish an 
agency function subject to the same limitations applicable to U.S. 
Department of the Treasury officers and employees under the Privacy 
Act;
    (4) A Congressional office in response to an inquiry made at the 
request of the individual to whom the record pertains;
    (5) Third parties during the course of an investigation to the 
extent necessary to obtain information pertinent to the investigation;
    (6) The Office of Personnel Management, Merit Systems Protection 
Board, Equal Employment Opportunity Commission, Federal Labor Relations 
Authority, and the Office of Special Counsel for the purpose of 
properly administering Federal personnel systems or other agencies' 
systems in accordance with applicable laws, Executive Orders, and 
regulations;
    (7) Representatives of the National Archives and Records 
Administration (NARA) who are conducting records management inspections 
under authority of 44 U.S.C. 2904 and 2906; and
    (8) Other Federal agencies or entities when the disclosure of the 
existence of the individual's security clearance is needed for the 
conduct of government business.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    Records are stored as electronic media and paper records.

Retrievability:
    Records are retrieved by individual's name, social security number, 
electronic identification number and/or access/security badge number.

Safeguards:
    Entrance to data centers and support organization offices is 
restricted to those employees whose work requires them to be there for 
the system to operate. Identification (ID) cards are verified to ensure 
that only authorized personnel are present. Disclosure of information 
through remote terminals is restricted through the use of passwords and 
sign-on protocols which are periodically changed. Reports produced from 
the remote printers are in the custody of personnel and financial 
management officers and are subject to the same privacy controls as 
other documents of like sensitivity.
    Access is limited to authorized employees. Paper records are 
maintained in locked safes and/or file cabinets. Electronic records are 
password-protected. During non-work hours, records are stored in locked 
safes and/or cabinets in a locked room.
    Protection and control of any sensitive but unclassified (SBU) 
records are in accordance with TD P 71-10, Department of the Treasury 
Security Manual. Access to the records is available only to employees 
responsible for the management of the system and/or employees of 
program offices who have a need for such information.

Retention and disposal:
    The records on government employees and contractor employees are 
retained for the duration of their employment at the Treasury 
Department. The records on separated employees are destroyed or sent to 
the Federal Records Center in accordance with General Records Schedule 
18.

System manager(s) and address:
    Departmental Offices: Director, Office of Physical Security, 1500 
Pennsylvania Ave., NW., Washington, DC 20220.

Notification Procedure:
    Individuals seeking notification and access to any record contained 
in the system of records, or seeking to contest its content, may 
inquire in accordance with instructions pertaining to individual 
Treasury components appearing at 31 CFR part 1, subpart C, appendix A.

Record Access Procedures:
    See ``Notification procedure'' above.

Contesting Record Procedures:
    See ``Notification procedure'' above.

Record source categories:
    The information contained in these records is provided by or 
verified by the subject individual of the record, supervisors, other 
personnel documents, and non-Federal sources such as private employers.

Exemptions claimed for the system:
    None.
[FR Doc. 02-31261 Filed 12-16-02; 8:45 am]