[Federal Register Volume 68, Number 235 (Monday, December 8, 2003)]
[Notices]
[Pages 68384-68387]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-30371]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[OEI-2003-0036; FRL-7595-8]


Amendment to System of Records Notice

AGENCY: Environmental Protection Agency.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, the 
Environmental Protection Agency (EPA) publishes this amendment to EPA's 
notice of a system of records entitled ``Central Data Exchange-Customer 
Registration Subsystem (CDX-CRS)'', published on March 18, 2002 (67 FR 
12010-12013). The original System of Records Notice has been amended 
to: update the ``Location'' section to reflect the recent relocation of 
the CDX-CRS to a new facility; clarify the ``Categories of Records in 
the System'' section to describe information collected to support 
electronic signature functionality on some EPA forms; provide the 
public with a new System of Record number that will be associated with 
this system for the remainder of its operational life; provide a new 
EPA point of contact; and clarify the ``purpose'' section to ensure the 
public recognizes that the use of the CDX-CRS is optional and only 
necessary for those individuals who want to file information 
electronically with EPA. As described in the original notice, this 
system will contain information on individuals who have registered and 
established accounts to access CDX, EPA's electronic compliance filing 
and environmental data exchange system. Individuals with CDX accounts 
may engage in electronic filing of environmental documents as permitted 
under the Government Paperwork Elimination Act (GPEA), and as required 
under appropriate environmental statutes. Information maintained by the 
CDX-CRS includes the individual's name and related identifiers, work 
contact information, supervisor's name and contact information, and 
information about the EPA program under which the individual plans to 
report electronically. The information will be used to protect and 
manage access to the individual's account on CDX.

DATES: This system of records will continue operations.

ADDRESSES: Questions regarding this notice should be referred to the 
Environmental Protection Agency, Office of Environmental Information, 
Collection Services Division, MS-2823T, 1200 Pennsylvania Avenue, 
Washington, DC 20460.

FOR FURTHER INFORMATION CONTACT: Matthew Leopard at 
[email protected], or 202-566-1698. If you use a 
telecommunications device for the deaf (TDD), you may call the Federal 
Information Relay Service (FIRS) at 1-800-877-8339.

SUPPLEMENTARY INFORMATION:

I. General Information

    EPA has established an official public docket for this action under 
Docket ID No. OEI-2003-0036. The official public docket is the 
collection of materials that is available for public viewing at the OEI 
Docket in the EPA Docket Center (EPA/DC), EPA West, Room B102, 1301 
Constitution Ave. NW., Washington, DC. The EPA Docket Center Public 
Reading Room is open from 8:30 a.m. to 4:30 p.m., Monday through 
Friday,

[[Page 68385]]

excluding legal holidays. The telephone number for the Reading Room is 
(202) 566-1744, and the telephone number for the OEI Docket is (202) 
566-1752.
    An electronic version of the public docket is available through 
EPA's electronic public docket and comment system, EPA Dockets. You may 
use EPA Dockets at http://www.epa.gov/edocket/ to view public comments, 
access the index listing of the contents of the official public docket, 
and to access those documents in the public docket that are available 
electronically. Although not all docket materials may be available 
electronically, you may still access any of the publicly available 
docket materials through the docket facility identified above.

    Dated: November 25, 2003.
Kimberly T. Nelson,
Assistant Administrator and Chief Information Officer.
EPA-52

System Name:
    EPA Central Data Exchange--Customer Registration Subsystem (CDX-
CRS)

System Location:
    The system will be operated and maintained by EPA or organizations 
under contract with the EPA (henceforth referred to as ``EPA'') at 
their place of business. The operational CDX CRS, which performs the 
routine functions of registering CDX users, is maintained at U.S. EPA 
National Computer Center, 109 T.W. Alexander Drive, Research Triangle 
Park, NC 27711. A testing facility which includes a test version of the 
CDX-CRS which is used to validate any changes to the CDX-CRS system 
before they become operational, is maintained at Computer Sciences 
Corporation, 8400 Corporate Drive, New Carrollton, MD 20785.

Categories of Individuals Covered by the System:
    This system contains records on all individuals that have either 
attempted to register or have registered to obtain an account to use 
CDX for electronically exchanging data with EPA. Registered users of 
EPA's CDX-CRS may include representatives of industry, government or 
laboratories exchanging information with EPA through CDX.

Categories of Records in the System:
    This system contains records including individual's name, self-
assigned user name and security question, work title, work address and 
related work contact information (e.g., phone and fax numbers, E-mail 
address), supervisor's name and related contact information, and 
information related to the EPA reporting program the individual is 
planning to electronically file or report under (e.g., EPA program ID 
 and EPA program role), and the method of reporting (web 
browser, file exchange). In cases where individuals are asked to 
electronically ``sign'' certain EPA forms, CDX may request additional 
information items from an individual such as date of birth, mother's 
maiden name, high school graduation date, and similar personal 
identifiers. The individual registering for CDX will generate a self-
assigned password that will be stored on the CDX-CRS, but it will only 
be accessible to the registering individual. The system will also store 
other system-generated data such as the registration date and time, 
digital certificate identifier, and other identifiers for internal 
tracking. Upon assignment of the password and ID code, the user may 
subsequently access the CDX system by entering these data and CDX will 
use this information to authenticate the individual's access to CDX.

Authority for Maintenance of System:
    In accordance with the Government Paperwork Elimination Act (44 
U.S.C. 3504), EPA's electronic compliance filing and environmental data 
exchange system will enable the ``acquisition and use of information 
technology, including alternative information technologies that provide 
for electronic submission, maintenance, or disclosure of information as 
a substitute for paper and for the use and acceptance of electronic 
signatures.'' Section 3504(a)(1)(B)(vi) of Title 44, United States 
Code.

Purpose(s):
    Central Data Exchange is EPA's portal for electronically exchanging 
environmental data with our external customers. Individual external 
users with CDX accounts may choose to engage in secure, electronic 
filing of environmental documents as permitted under the Government 
Paperwork Elimination Act (GPEA), and as required under appropriate 
environmental statutes. CDX-CRS was developed to protect the EPA and 
CDX system users from individuals seeking to gain unauthorized access 
to user accounts on CDX. While compliance reporting to EPA may be a 
mandatory requirement, the use of CDX to file information 
electronically to EPA is optional. At any time during the CDX 
registration process the individual may opt out of registering with CDX 
to file information electronically, and may revert back to existing 
paper or diskette filings with EPA.
    The information contained in records maintained in the CDX-CRS 
system is used for the purposes of verifying the identity of the 
individual, informing users of the conditions and terms of using CDX, 
allowing individual users to establish an account on CDX, providing 
individual users access to their CDX account for electronically filing 
compliance data or exchanging other forms of environmental data, 
allowing individual users to customize, update or terminate their 
account with CDX, renewing or revoking an individual user's account on 
CDX, supporting the CDX help desk functions, investigating possible 
fraud and verifying compliance with program regulations, and initiating 
legal action against an individual involved in program fraud, abuse, or 
noncompliance. The information is also used to provide authenticated, 
protected access to the CDX system, thereby protecting CDX and CDX 
users from potential harm caused by individuals with malicious 
intentions gaining unauthorized access to the system.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and the Purposes of Such Uses:
    CDX-CRS records will be used to facilitate registering CDX system 
users, issuing a username and password, and subsequently, verifying an 
individual's identity as he/she seeks to gain routine access to his/her 
account. In some cases, the user verification process will require EPA 
to contact the employer, based on the registration information provided 
by the user. The system has secondary uses that include: using the 
established username to facilitate tracking service calls or e-mails 
from the user in the event that there is a change in registration 
status or a problem the user has with CDX; offering the user new CDX 
service options, and facilitating the retrieval of user actions (e.g., 
historical submissions and help tickets); and events while on the CDX 
system. The records may also be subsequently used for auditing or other 
internal purposes of the EPA, including but not limited to: instances 
where enforcement of the conditions of using CDX are necessary; 
investigation of possible fraud involving a registered user; litigation 
purposes related to information reported to the agency; contacting the 
individual in the event of a system modification; a change to CDX; or 
modification, revocation or termination of user's access privileges to 
CDX.
    EPA may disclose information contained in a record in this system 
of records under the routine uses listed in

[[Page 68386]]

this notice without the consent of the individual if the disclosure is 
compatible with the purposes for which the record was collected. These 
disclosures may be made on a case-by-case basis or under a computer 
matching agreement if the Agency has complied with the computer 
matching requirements of the Act.
    The general routine uses for EPA's CDX are listed as follows: 
A,B,C,E,F,G,H,I, and K apply. A detailed description of these routine 
uses can be found in the Federal Register Notice (at 66 FR 49947 
(2001)) and also on the National Archives and Records Administration 
website, Privacy Act Issuances--1999 Compilation at: http://www.access.gpo.gov/su_docs/aces/PrivacyAct.shtml In addition, the 
following routine uses may also apply:
    Program Disclosures: The Agency may disclose information from this 
system to Federal, State, or local agencies, private parties such as 
relatives, present and former employers and business and personal 
associates, and hearing officials for the following purposes:
    (a) To verify the identity of the individual;
    (b) To enforce the conditions or terms of Agency program 
regulations;
    (c) To investigate possible fraud and verify compliance with Agency 
program regulations;
    (d) To prepare for litigation or to litigate collection service and 
audit;
    (e) To initiate a limitation, suspension and termination (LS&T), 
debarment, or suspension action;
    (f) To investigate complaints, update files, and correct errors.
    Litigation and Alternative Dispute Resolution (ADR) Disclosures:
    (a) In the event that one of the parties listed below is involved 
in litigation or ADR, or has an interest in litigation ADR, the Agency 
may disclose certain records to the parties described in paragraphs 
(b), (c), and (d) of this routine use under the conditions specified in 
those paragraphs:
    (i) The Environmental Protection Agency, or any component of the 
Agency; or
    (ii) Any Agency employee in his or her official capacity; or
    (iii) Any Agency employee in his or her individual capacity if the 
Department of Justice (DOJ) has agreed to provide or arrange for 
representation for the employee;
    (iv) Any Agency employee in his or her individual capacity where 
the agency has agreed to represent the employee; or
    (v) The United States where the Agency determines that the 
litigation is likely to affect the Agency or any of its components.
    (b) Disclosure to the DOJ. If the Agency determines that disclosure 
of certain records to the DOJ is relevant and necessary to litigation 
or ADR, the Agency may disclose those records as a routine use to the 
DOJ.
    (c) Administrative Disclosures. Agencies that may obtain 
information under this routine use include, but are not limited to, the 
Office of Personnel Management, Office of Special Counsel, Merit 
Systems Protection Board, Federal Labor Relations Authority, Equal 
Employment Opportunity Commission, and Office of Government Ethics.
    (d) Parties, counsels, representatives and witnesses. If the Agency 
determines that disclosure of certain records to a party, counsel, 
representative or witness in an administrative proceeding is relevant 
and necessary to the litigation, the Agency may disclose those records 
as a routine use to the party, counsel, representative or witness.
    Research Disclosure: The Agency may disclose records to a 
researcher if an appropriate official of the Agency determines that the 
individual or organization to which the disclosure would be made is 
qualified to carry out specific research related to functions or 
purposes of this system of records. The official may disclose records 
from this system of records to that researcher solely for the purpose 
of carrying out that research related to the functions or purposes of 
this system of records. The researcher shall be required to maintain 
Privacy Act safeguards with respect to the disclosed records.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records in the System:
Storage:
    The CDX is a system for which the Agency is in the process of 
establishing a records schedule. The CDX will be taking e-transactions 
and preserving them in accordance with applicable EPA and other Federal 
policy and regulations. The CDX currently stores records on magnetic 
and/or digital formats. All record storage procedures are in accordance 
with current applicable regulations.

Retrievability:
    Records are retrievable by the CDX user name, program ID number, or 
all or part of the individual's name.

Safeguards:
    EPA has minimized the risk of unauthorized access to the system by 
establishing a secure environment for exchanging electronic 
information. Physical access to the data system housed within the 
facility is controlled by a computerized badge reading system, and the 
entire complex is patrolled by security during non-business hours. The 
computer system offers a high degree of resistance to tampering and 
circumvention. Multiple levels of security are maintained with the 
computer system control program. This system limits data access to EPA 
and contract staff on a need to know basis, and controls individuals 
ability to access and alter records with the system. All users of the 
system of records are given a unique user identification (ID) with 
personal identifiers. All interactions between the system and the 
authorized individual users are recorded.

Retention and Disposal:
    The EPA will retain and dispose of these records in accordance with 
National Archives and Records Administration General Records Schedule 
20, Item 1.c. This schedule provides disposal authorization for 
electronic files and hard copy printouts created to monitor system 
usage, including but not limited to log-in files, audit trail files, 
system usage files, and cost-back files used to access charges for 
system use. Records will be deleted or destroyed when the Agency 
determines they are no longer needed for administrative, legal, audit, 
or other program purposes.

System Managers and Address:
    USEPA, Office of Environmental Information, (MS2823), 1200 
Pennsylvania Ave. NW., Washington, DC 20460, Attn: Chief, Central 
Receiving Branch.

Notification Procedure:
    Requests to determine whether this system of records contains a 
record pertaining to the requesting individual should be sent to the 
USEPA, Office of Environmental Information, (MS2823T), 1200 
Pennsylvania Ave. NW., Washington, D.C. 20460, Attn: Chief, Central 
Receiving Branch. To send a fax request: 202-566-1684. To determine 
whether a record exists regarding you in the system of records, provide 
the system manager with your name and username. Requests must meet the 
requirements of the regulations at 40 CFR part 16.

Record Access Procedures:
    A request for record access shall follow the directions described 
under Notification Procedure and will be addressed to the system 
manager at the address listed above.

[[Page 68387]]

Contesting Records Procedures:
    If you wish to contest a record in the system of records, contact 
the system manager with the information described under Notification 
Procedure, identify the specific items you are contesting, and provide 
a written justification for each item.

Record Source Categories:
    Information is obtained from individuals who have had or seek to 
have their identity authenticated except that a password and a username 
are explicitly self-assigned by the user registering to gain access to 
CDX.

System Exempted from Certain Provisions of the Act:
    None.

[FR Doc. 03-30371 Filed 12-5-03; 8:45 am]
BILLING CODE 6560-50-P