[Federal Register Volume 71, Number 190 (Monday, October 2, 2006)]
[Notices]
[Pages 58039-58041]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E6-15848]


-----------------------------------------------------------------------

SMALL BUSINESS ADMINISTRATION


Privacy Act of 1974; System of Records Notice

AGENCY: U.S. Small Business Administration (SBA).

ACTION: Notice of new system of records.

-----------------------------------------------------------------------

SUMMARY: The Small Business Administration is adding a new system of 
records to the Agency's Privacy Act Systems of Records. The system is 
called the SBA Identity Management System (IDMS). The purpose of this 
System is to automate records that maintain information required to 
comply with Homeland Security Presidential Directive 12 (HSPD-12).

The IDMS provides the workflow process used to enforce roles in 
personalizing and issuing Personal Identity Verification (PIV) cards. 
IDMS automates the current paper-based process and is used to maintain 
the integrity of PIV card issuance.

DATES: Written comments on the System of records must be received 
November 1, 2006.

ADDRESSES: Written comments on the System of Records should be directed 
to Christine H. Liu, Agency Privacy Officer, U.S. Small Business 
Administration, 409 Third Street, SW., Washington, DC 20416 or 
[email protected].

FOR FURTHER INFORMATION CONTACT: Christine Liu, Agency Privacy Officer, 
U.S. Small Business Administration, 409 Third Street, SW., Washington, 
DC 20416; Telephone (202) 205-6708.

SBA 34

SYSTEM NAME:
    IDENTITY MANAGEMENT SYSTEM--SBA 34.

SYSTEM LOCATION:
    The servers and secure data storage are located at Maden 
Technologies; 2110 Washington Boulevard, Suite 200; Arlington, VA 
22204. Enrollment and queries can be performed by authorized 
individuals from any authorized, suitably-equipped SBA workstation.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM INCLUDE:
    Individuals who require regular, ongoing access to SBA facilities, 
information technology systems, or information classified in the 
interest of national security, including:
    a. Applicants for employment or contracts.
    b. Federal employees.
    c. Contractors.
    d. Students.
    e. Interns.
    f. Volunteers.
    The system also includes individuals authorized to perform or use 
services provided in SBA facilities (e.g., Credit Union, Fitness 
Center, etc.).
    The system does not apply to occasional visitors or short-term 
guests to whom SBA will issue temporary identification and credentials.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Full name; social security number; date of birth; signature; image 
(photograph); fingerprint images and minutia templates; hair color; eye 
color; height; weight; organization/office of assignment; company name; 
telephone number; copy of background investigation form; personal 
addresses for past 5 years; high school and college attended (as 
applicable); Card Holder Unique Identification Number; Personal 
Identity Verification (PIV) enrollment package; PIV card issue and 
expiration dates; results of background investigation; PIV request 
form; PIV registrar approval signature; PIV card serial number; 
emergency responder designation; copies of documents used to verify 
identification or information derived from those documents; level of 
national security clearance and expiration date; computer system user 
name; user access and permission rights; public key certificates; 
digital signature information; National Agency Check with Written 
Inquiries investigation; FBI fingerprint check results; FBI National 
Criminal History Name Check results.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    a. 5 U.S.C. 301; Federal Information Security Act (Pub. L. 104-106, 
sec. 5113)
    b. Electronic Government Act (Pub. L. 104-347, sec. 203)
    c. Paperwork Reduction Act of 1995 (44 U.S.C. 3501)
    d. Government Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C. 
3504)
    e. Homeland Security Presidential Directive (HSPD) 12, Policy for a 
Common Identification Standard for Federal Employees and Contractors, 
August 27, 2004
    f. Federal Property and Administrative Act of 1949, as amended.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES. THESE RECORDS MAY BE USED, 
DISCLOSED OR REFERRED:
    a. To a Congressional Office from an individual's record, when the 
office is inquiring on the individual's behalf with waiver; the 
Member's access rights are no greater than the individual's.
    b. To the National Archives and Records Administration or to the 
General Services Administration for records management inspections 
conducted under 44 U.S.C. 2904 and 2906.
    c. To SBA contractors, grantees, or volunteers who have been 
engaged to assist the SBA in the performance of a contract service, 
grant, cooperative agreement, or other activity related to this system 
of records and who need to have access to the records in order to 
perform their activity. Recipients shall be required to comply with the 
requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a.
    d. To a Federal, State, local, foreign, or tribal or other public 
authority of the fact that this system of records contains information 
relevant to the retention of an employee, the retention of a security 
clearance, the letting of a contract, or the issuance or retention of a 
license, grant, or other benefit with appropriate restrictions on 
further disclosure.
    e. To the Office of Management and Budget (OMB) when necessary to 
the review of private relief legislation pursuant to OMB Circular No. 
A-19.
    f. To a Federal, State, or local agency, or other appropriate 
entities or individuals, or through established liaison channels to 
selected foreign governments, in order to enable an intelligence agency 
to carry out its responsibilities under the National Security Act of 
1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 
or any successor order, applicable national security directives, or 
classified implementing procedures approved by the Attorney General and 
promulgated pursuant to such statutes, orders or directives.
    g. To notify another Federal agency when, or verify whether, a PIV 
card is no longer valid.
    h. To a supervisor or manager in order to verify employee time and 
attendance record for personnel actions.

    Note: Disclosures within SBA of data pertaining to date and time 
of entry and exit of an agency employee working in the District of 
Columbia may not be made to supervisors, managers or any other 
persons (other than the individual to whom the information applies) 
to verify employee time and attendance record for personnel actions 
because 5 U.S.C. 6106 prohibits Federal Executive agencies (other 
than the Bureau of Engraving and Printing) from using a recording 
clock within the District of Columbia, unless used as a part of a 
flexible schedule program under 5 U.S.C. 6120 et seq.

    i. To the Department of Justice (DOJ) when any of the following is 
a party to litigation or has an interest in such litigation, and the 
use of such records by the DOJ is deemed by the agency to be relevant 
and necessary to the litigation, provided, however, that in each case, 
the agency determines the disclosure of the records to the DOJ is a use 
of the information contained in the records that is compatible with the 
purpose for which the records were collected:
    (1) The agency, or any component thereof;
    (2) Any employee of the agency in his or her official capacity;
    (3) Any employee of the agency in his or her individual capacity 
where the DOJ has agreed to represent the employee; or
    (4) The United States Government, where the agency determines that 
litigation is likely to affect the agency or any of its components.
    j. In a proceeding before a court, or adjudicative body, or a 
dispute resolution body before which the agency is authorized to appear 
or before which any of the following is a party to litigation or has an 
interest in litigation, provided, however, that the agency determines 
that the use of such records is relevant and necessary to the 
litigation, and that, in each case, the agency determines that 
disclosure of the records to a court or other adjudicative body is a 
use of the information contained in the records that is compatible with 
the purpose for which the records were collected:
    (1) The agency, or any component thereof;
    (2) Any employee of the agency in his or her official capacity;
    (3) Any employee of the agency in his or her individual capacity 
where the DOJ has agreed to represent the employee; or
    (4) The United States Government, where the agency determines that 
litigation is likely to affect the agency or any of its components.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS:
STORAGE:
    Records are stored in electronic media and in paper files and not 
on the card.

RETRIEVABILITY:
    Records are retrievable by name, social security number, PIV card 
serial number, or Card Holder Unique Identification Number.

SAFEGUARDS:
    Paper records are kept in locked cabinets in secure facilities and 
access to them is restricted to individuals whose role requires use of 
the records. Access to facilities will be controlled by the PIV card. 
The System requires a PIV card to log on and to digitally sign 
transactions. The computer servers in which records are stored are 
located in facilities that are secured by alarm systems and off-master 
key access. The computer servers themselves are password-protected. 
Access by individuals working at guard stations is password-protected; 
each person granted access to the system at guard stations must be 
individually authorized to use the system. A Privacy Act Warning Notice 
appears on the monitor screen when records containing information on 
individuals are first displayed. Data exchanged between the servers and 
the client PCs at the guard stations and badging office are encrypted. 
Backup tapes are stored in a locked and controlled room in a secure, 
off-site location.
    An audit trail is maintained and reviewed periodically to identify 
unauthorized access. Persons given roles in the PIV process must 
complete training specific to their roles to ensure they are 
knowledgeable about how to protect individually identifiable 
information. The system uses the high risk confidentiality and 
integrity security controls specified in the National Institute of 
Standards and Technology Special Publication 800-53.

RETENTION AND DISPOSAL:
    Records relating to persons covered by this system are retained in 
accordance with General Records Schedule 18, Item 17. Unless retained 
for specific, ongoing security investigations, for maximum security 
facilities, records of access are maintained for five years and then 
destroyed by wiping hard drives and shredding paper. For other 
facilities, records are maintained for two years and then destroyed by 
wiping hard drives and shredding paper. All other records relating to 
employees are destroyed two years after ID security card expiration 
date.
    In accordance with FIPS 201-1, PIV Cards are deactivated within 18 
hours of cardholder separation, notification of loss of card, or 
expiration. The information on PIV Cards is maintained in accordance 
with General Records Schedule 11, Item 4. PIV Cards that are turned in 
for destruction are shredded within 90 days.

SYSTEM MANAGER(S) AND ADDRESSES:
    Assistant Administrator/Human Capital Management, United States 
Small Business Administration, 409 3rd Street, SW., Washington, DC 
20416. Associate Administrator for Disaster Assistance, United States 
Small Business Administration, 409 3rd Street, SW., Washington, DC 
20416. This responsibility may be delegated.

NOTIFICATION PROCEDURES:
    An individual may submit a record inquiry either in person or in 
writing to the System Manager or the Senior Agency Official for 
Privacy. When requesting notification of or access to records covered 
by this Notice, an individual should provide his/her full name, date of 
birth, and work location. An individual requesting notification of 
records in person must provide identity documents sufficient to satisfy 
the custodian of the records that the requester is entitled to access, 
such as a government-issued photo ID. Individuals requesting 
notification via mail or telephone must furnish, at minimum, name, date 
of birth, social security number, and home address in order to 
establish identity.

ACCESS PROCEDURES:
    The System Manager or Senior Agency Official for Privacy will 
determine the process. Requesters should reasonably specify the record 
contents being sought.

CONTESTING PROCEDURES:
    Same as notification procedures. Requesters should also reasonably 
identify the record, specify the information they are contesting, state 
the corrective action sought and the reasons for the correction along 
with supporting justification showing why the record is not accurate, 
timely, relevant, or complete.

SOURCE CATEGORIES:
    Employee, contractor, or applicant; sponsoring SBA; former 
sponsoring SBA; other Federal agencies; contract employer; former 
employer.

    Dated: September 22, 2006.
Christine Liu,
Departmental Privacy Officer.
 [FR Doc. E6-15848 Filed 9-29-06; 8:45 am]
BILLING CODE 8025-01-P