[Federal Register Volume 71, Number 206 (Wednesday, October 25, 2006)]
[Notices]
[Pages 62469-62472]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E6-17896]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION


Privacy Act of 1974; Privacy Act System of Records

AGENCY:  General Services Administration

ACTION:  Notice of proposed system of records.

-----------------------------------------------------------------------

SUMMARY:  The General Services Administration (GSA) proposes to 
establish a system of records subject to the Privacy Act of 1974, 5 
U.S.C. 552a. This system of records notice is for the GSA Smart Card 
Program (GSA/CIO-1), which covers the Homeland Security Presidential 
Directive 12, Policy for a Common Identification Standard for Federal 
Employees and Contractors (HSPD-12), process after adjudication and 
determines if the individual can receive identification (ID) card. The 
records include both mandatory and optional information necessary to 
the request for an ID card, registration, verification, and issuance 
procedures, the index/database of active and invalid ID cards, and the 
information stored on the ID cards. The system may include records of 
individuals who entered and

[[Page 62470]]

exited Federal facilities or accessed systems.
    The GSA Smart Card Program will ensure the safety and security of 
Federal facilities, information systems, and their occupants and users, 
by verifying that all persons entering Federal facilities, using 
Federal information resources, or accessing classified information are 
authorized to do so. The system also will track and control 
identification ID cards issued to individuals for these purposes.

DATE:  The system of records will become effective on December 4, 2006 
unless comments received on or before that date result in a contrary 
determination.

ADDRESSES: Comments relating to the GSA Smart Card Program should be 
directed to: Director, GSA HSPD-12 Smart Card Program Management 
Office, Office of the Chief Information Officer, General Services 
Administration, 1800 F Street NW., Room G-006, Washington DC 20405-
0002; telephone (202) 501-1500; fax (202) 219-5818.

FOR FURTHER INFORMATION CONTACT: GSA Privacy Act Officer (CIB), General 
Services Administration, 1800 F Street NW, Washington, DC 20405; 
telephone (202) 501-1452.

SUPPLEMENTARY INFORMATION: The GSA notice entitled Credentials, Passes, 
and Licenses (GSA/HRO-8) is cancelled. However, existing GSA forms and 
associated databases covered by that system will continue in effect 
until replaced with those covered by this notice. The existing forms 
include: GSA Form 48, Request and Record of Identification; GSA Form 
277, Employee Identification and Authorization Credential; GSA Form 
277U, Temporary Pass; GSA Form 277V, Visitor Pass; GSA Form 2941 
Parking Application; as well as biometric information including photo, 
fingerprints and signature. The new forms and databases covered by this 
notice will be phased in to ensure a controlled and structured process.

    Dated: October 6, 2006.
Cheryl M. Paige,
Acting Director, Office of Information Management.

GSA/CIO-1

    System name: GSA Smart Card Program
    System location: Data are maintained in GSA Central Office 
databases with access from GSA regional offices. Additionally, some 
access control data may be located in Federal buildings and Federally-
leased facilities where staffed guard stations have been established to 
handle the GSA Smart Card Personal Identity Verification (PIV) process 
as well as the physical security and computer security offices at those 
locations. Contact the System Manager for additional information.
    Security classification: Most identity records are not classified. 
However, in some cases, records of certain individuals or portions of 
some records may be classified in the interest of national security.
    Categories of individuals covered by the system: Individuals who 
require regular, ongoing access to agency facilities, information 
technology systems, or information classified in the interest of 
national security, including:
    a. Applicants for employment or contracts
    b. Federal employees
    c. Contractors
    d. Students
    e. Interns
    f. Volunteers
    g. Individuals formerly in any of these positions
    Also included are individuals authorized to perform or use services 
provided in agency facilities (e.g., Credit Union, Fitness Center, 
Cafeteria, etc.).
    The system does not apply to occasional visitors or short-term 
guests, to whom GSA will issue temporary identification and 
credentials.

Categories of records in the system:

    a. Records maintained on individuals issued credentials by GSA 
include the following data fields:
     Full name,
     Social Security Number (SSN)
     Date of birth
     Signature
     Image (photograph)
     Fingerprints
     Hair color
     Eye color
     Height
     Organization / office of assignment
     Company / agency name
     Telephone number
     ID card issuance and expiration dates
     ID card request form
     Registrar approval signature
     ID card number
     Emergency responder designation
     Copies of documents used to verify identification or 
information derived from those documents such as document title, 
document issuing authority, document number, document expiration date, 
other document information
    b. Records maintained on cardholders entering GSA facilities or 
using GSA systems may include:
     Name
     ID card number
     Date and Time of entry/exit
     Location of entry and exit
     Computer access dates, times, and locations

Authorities for maintenance of the system:

    a. 5 U.S.C. 301;
    b. Federal Information Security Management Act (Pub. L. 107-296);
    c. E-Government Act (Pub. L. 107-347, Sec. 203);
    d. Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et al.)
    e. Government Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C. 
3504);
    f. Homeland Security Presidential Directive 12 (HSPD-12), Policy 
for a Common Identification Standard for Federal Employees and 
Contractors, August 27, 2004; and
    g. Federal Property and Administrative Services Act of 1949, as 
amended.
    Purpose: The primary purposes of the system are:
    a. To ensure the safety and security of GSA facilities, systems or 
information, and our occupants and users;
    b. To verify that all persons entering federal facilities, using 
federal information resources, or accessing classified information are 
authorized to do so; and
    c. To track and control ID cards issued to persons entering and 
exiting the facilities, using systems, or accessing classified 
information.

Routine uses of the system records, including categories of users and 
their purpose for using the system:

    Information about covered individuals may be disclosed without 
consent as permitted by the Privacy Act of 1974, 5 U.S.C. Sec.  
552a(b), and:
    a. To the Department of Justice when: (1) GSA or any component 
thereof; (2) any employee of GSA in his or her official capacity; (3) 
any employee of GSA in his or her individual capacity where GSA or the 
Department of Justice (DOJ) has agreed to represent the employee; or 
(4) the United States Government, is a party to litigation or has an 
interest in such litigation, and by careful review, GSA determines that 
the records are both relevant and necessary to the litigation, and the 
use of such records by DOJ is therefore deemed by GSA to be for a 
purpose compatible with the purpose for which GSA collected the 
records.
    b. To a court or adjudicative body in a proceeding when: (1) GSA or 
any component thereof; (2) any employee of GSA in his or her official 
capacity; (3) any employee of GSA in his or her

[[Page 62471]]

individual capacity where GSA or the Department of Justice has agreed 
to represent the employee; or (4) the United States Government, is a 
party to litigation or has an interest in such litigation, and by 
careful review, GSA determines that the records are both relevant and 
necessary to the litigation, and the use of such records is therefore 
deemed by GSA to be for a purpose that is compatible with the purpose 
for which the agency collected the records.
    c. Except as noted on Forms SF 85, 85-P, and 86, when a record on 
its face, or in conjunction with other records, indicates a violation 
or potential violation of law, whether civil, criminal, or regulatory 
in nature, and whether arising by general statute or particular program 
statute, or by regulation, rule, or order issued pursuant thereto, 
disclosure may be made to the appropriate public authority, whether 
Federal, foreign, State, local, or tribal, or otherwise responsible for 
enforcing, investigating or prosecuting such violation or charged with 
enforcing or implementing the statute, or rule, regulation, or order 
issued pursuant thereto, if the information disclosed is relevant to 
any enforcement, regulatory, investigative or prosecutorial 
responsibility of the receiving entity.
    d. To a Member of Congress or to a Congressional staff member in 
response to an inquiry of the Congressional office made at the written 
request of the constituent whose record is maintained.
    e. To the National Archives and Records Administration for records 
management purposes.
    f. To agency contractors, grantees, or volunteers who have been 
engaged to assist the agency in the performance of a contract service, 
grant, cooperative agreement, or other activity related to this system 
of records and who need to have access to the records in order to 
perform their activity. Recipients shall be required to comply with the 
requirements of the Privacy Act of 1974, as amended, 5 U.S.C. Sec.  
552a.
    g. To a Federal, State, local, foreign, tribal, or other public 
authority the fact that this system of records contains information 
relevant to the retention of an employee, the retention of a security 
clearance, the letting of a contract, or the issuance or retention of a 
license, grant, or other benefit. The other agency or licensing 
organization may then make a request supported by the written consent 
of the individual for the entire record if it so chooses. No disclosure 
will be made unless the information has been determined to be 
sufficiently reliable to support a referral to another office within 
the agency or to another Federal agency for criminal, civil, 
administrative, personnel, or regulatory action.
    h. To the Office of Management and Budget when necessary to the 
review of private relief legislation pursuant to OMB Circular No. A-19.
    i. To a Federal, State, or local agency, or other appropriate 
entities or individuals, or through established liaison channels to 
selected foreign governments, in order to enable an intelligence agency 
to carry out its responsibilities under the National Security Act of 
1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 
or any successor order, applicable national security directives, or 
classified implementing procedures approved by the Attorney General and 
promulgated pursuant to such statutes, orders, or directives.
    j. To notify another federal agency when, or verify whether, an ID 
card is no longer valid.
    Note: Disclosures within GSA of data pertaining to date and time of 
entry and exit of an agency employee working in the District of 
Columbia may not be made to supervisors, managers or any other persons 
(other than the individual to whom the information applies) to verify 
employee time and attendance record for personnel actions because 5 
U.S.C. Sec.  6106 prohibits Federal executive agencies (other than the 
Bureau of Engraving and Printing) from using a recording clock within 
the District of Columbia, unless used as a part of a flexible schedule 
program under 5 U.S.C. Sec.  6120 et seq.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of system records:

    Storage: Information may be collected on paper or electronically 
and may be stored on paper or on electronic media, as appropriate.
    Retrievability: Records are retrievable by name, Social Security 
Number, other ID number, ID card number, image (photograph), and 
fingerprint.
    Safeguards: Paper records are kept in locked cabinets in secure 
facilities and access to them is restricted to individuals whose role 
requires use of the records.
    The computer servers in which records are stored are located in 
facilities that are secured by alarm systems and off-master key access. 
The computer servers themselves are password-protected. Access to 
individuals working at guard stations is password-protected; each 
person granted access by the system at guard stations must be 
individually authorized to use the system. A Privacy Act Warning Notice 
appears on the monitor screen when records containing information on 
individuals are first displayed. Data exchanged between the servers and 
the client PCs at the guard stations and badging office are encrypted. 
Backup tapes are stored in a locked and controlled room in a secure, 
off-site location. Each of the component computer servers at the GSA 
Regions, or at the contract Card Production and Card Management Systems 
has been only authorized to act when it has been Certified and 
Accredited in accord with GSA Information Technology Security Policy 
and HSPD-12 criteria. This Certification is updated periodically on a 3 
year basis, or less if cause to do so has become apparent.
    An audit trail is maintained and reviewed periodically to identify 
unauthorized access. Persons given roles in the personal identity 
verification process must complete training specific to their roles to 
ensure they are knowledgeable about how to protect individually 
identifiable information.
    Retention and disposal: Records relating to persons covered by this 
system are retained in accordance with General Records Schedule 18, 
Item 17. Unless retained for specific, ongoing security investigations 
for maximum security facilities, records of access are maintained for 
five years and then destroyed by degaussing hard drives and shredding 
paper. For other facilities, records are maintained for two years and 
then destroyed by wiping hard drives and shredding paper. All other 
records relating to employees are destroyed two years after the ID card 
expiration date.
    In accordance with HSPD-12, ID cards are deactivated within 18 
hours of cardholder separation, loss of card, or expiration. The 
information on ID cards is maintained in accordance with General 
Records Schedule 11, Item 4. ID cards are destroyed by shredding 90 
days after deactivation. Once notification of deactivation has been 
received, the ID number is placed on a revocation list within no more 
than 2 hours, which immediately invalidates the access privileges for 
that card in accord with GSA policy.
    System manager and address:
    Director, GSA HSPD-12 Smart Card Program Management Office
    Office of the Chief Information Officer
    1800 F Street NW, Room G-006
    Washington DC 20405-0002
    Notification procedure: An individual can determine if this system 
contains a record pertaining to him/her by sending a request in 
writing, signed, to the System Manager at the above address.

[[Page 62472]]

    When requesting notification of or access to records covered by 
this notice, an individual should provide his/her full name, date of 
birth, agency name, and work location. An individual requesting 
notification of records in person must provide identity documents 
sufficient to satisfy the custodian of the records that the requester 
is entitled to access, such as a government-issued photo ID.
    Record access procedures: Same as notification procedures. 
Requesters also should reasonably specify the record contents being 
sought. Rules regarding access to Privacy Act records appear in 41 CFR 
part 105-64. If additional information or assistance is required, 
contact the GSA Privacy Act Officer (CIB), General Services 
Administration, 1800 F Street NW, Washington, DC 20405; telephone (202) 
501-1452.
    Contesting record procedures: Same as notification procedures. 
Requesters also should reasonably identify the record, specify the 
information they are contesting, state the corrective action sought and 
the reasons for the correction, along with supporting justification 
showing why the record is not accurate, timely, relevant, or complete. 
Rules regarding amendment of Privacy Act records appear in 41 CFR part 
105-64. If additional information or assistance is required, contact 
the GSA Privacy Act Officer.
    Record source categories: Employee, contractor, or applicant; 
sponsoring agency; former sponsoring agency; other Federal agencies; 
contract employer; former employer.
    Exemptions claimed for the system: None.
[FR Doc. E6-17896 Filed 10-24-06; 8:45 am]
BILLING CODE 6820-34-S