[Federal Register Volume 73, Number 206 (Thursday, October 23, 2008)]
[Notices]
[Pages 63135-63138]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-25279]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Patent and Trademark Office


Privacy Act of 1974; System of Records

AGENCY: United States Patent and Trademark Office, Commerce.

ACTION: Notice of amendment of Privacy Act system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the United States Patent and Trademark Office (USPTO) 
is amending the system of records currently listed under ``COMMERCE/
PAT-TM-18 USPTO Identification and Security Access Control Systems.'' 
This action is being taken to revise the Privacy Act Notice to include 
the information necessary for identification

[[Page 63136]]

cards that meet the standards set by Homeland Security Presidential 
Directive 12 (HSPD-12) ``Policy for a Common Identification Standard 
for Federal Employees and Contractors'' (August 27, 2004). The system 
of records will also be renamed ``COMMERCE/PAT-TM-18 USPTO Personal 
Identification Verification (PIV) and Security Access Control 
Systems.'' We invite the public to comment on the amended system noted 
in this publication.

DATES: Written comments must be received no later than November 24, 
2008. The proposed amendments will become effective on November 24, 
2008, unless the USPTO receives comments that would result in a 
contrary determination.

ADDRESSES: You may submit written comments by any of the following 
methods:
     E-mail: [email protected].
     Fax: (571) 273-6247, marked to the attention of J.R. 
Garland.
     Mail: Calib P. Garland, Jr., Director of Security and 
Safety, United States Patent and Trademark Office, 551 John Carlyle 
Street 1A21, Alexandria, VA 22314.
     Federal Rulemaking Portal: http://www.regulations.gov.

All comments received will be available for public inspection at the 
Federal rulemaking portal located at www.regulations.gov and on the 
USPTO Web site at www.uspto.gov.

FOR FURTHER INFORMATION CONTACT: Calib P. Garland, Jr., Director, 
Office of Security and Safety, United States Patent and Trademark 
Office, P.O. Box 1450, Alexandria, VA 22313-1450, (571) 272-8000.

SUPPLEMENTARY INFORMATION: The United States Patent and Trademark 
Office (USPTO) proposes to revise an existing system of records that is 
subject to the Privacy Act of 1974. The system is entitled ``COMMERCE/
PAT-TM-18 USPTO Identification and Security Access Control Systems,'' 
and was last published on December 14, 2004 (69 FR 74502). This system 
maintains information to produce photo identification cards for access 
to USPTO facilities as well as for building security, for identifying 
the bearer of the card as a Federal employee or contractor, for 
changing access permissions on cards, and for tracking stolen or lost 
cards. The system of records is being revised to describe the 
additional types of information being collected by the USPTO as 
required by Homeland Security Presidential Directive 12 (HSPD-12) 
``Policy for a Common Identification Standard for Federal Employees and 
Contractors'' (August 27, 2004), which mandates a common identity 
standard for Federal employees and contractors on duty for more than 
six months.
    The revised system of records is being renamed ``COMMERCE/PAT-TM-18 
USPTO Personal Identification Verification (PIV) and Security Access 
Control Systems'' and is published in its entirety below.

COMMERCE/PAT-TM-18

System name:
    USPTO Personal Identification Verification (PIV) and Security 
Access Control Systems.

Security classification:
    Sensitive but unclassified.

System location:
    Office of Corporate Services, Office of Security and Safety, United 
States Patent and Trademark Office, 600 Dulany Street, Alexandria, VA 
22314.

Categories of individuals covered by the system:
    All agency employees, contractors, consultants, and volunteers who 
require routine, long-term access (180 days or more) to USPTO 
facilities, information technology systems, and networks. At its 
discretion, the USPTO may include short-term employees and contractors 
in the PIV ID program and, therefore, inclusion into the USPTO Personal 
Identification Verification and Security Access Control System 
(PIVSACS). The system does not apply to occasional visitors or short-
term guests. The USPTO will issue temporary identification and 
credentials for those purposes.

Categories of records in the system:
    Enrollment records maintained in the PIVSACS and on individuals 
applying for the PIV program and a PIV credential through the USPTO 
HSPD-12 system contained within the PIVSACS include the following data 
fields: Full name; Social Security number; employee ID number; date of 
birth; current address; digital color photograph; fingerprints; 
biometric template (two fingerprints); organization; employee 
affiliation; work e-mail address; work telephone number(s); copies of 
identity source documents; employee status; foreign national status; 
federal emergency response official status; results of background 
check; Government agency code; and PIV card issuance location. Records 
in the PIV ID Management System (IDMS) needed for credential management 
for enrolled individuals in the PIV program include: PIV card serial 
number; digital certificate(s) serial number; PIV card issuance and 
expiration dates; PIV card PIN; Cardholder Unique Identifier (CHUID); 
and card management keys.
    Individuals enrolled in the USPTO PIVSACS will be issued a PIV 
card. The PIV card contains the following mandatory visual personally 
identifiable information: Name, photograph, employee affiliation, PIV 
card issue and expiration date, agency card serial number, and color-
coding for employee affiliation. The card also contains an integrated 
circuit chip which is encoded with the following mandatory data 
elements which comprise the standard data model for PIV logical 
credentials: PIV card PIN, cardholder unique identifier (CHUID), PIV 
authentication digital certificate, and two fingerprint biometric 
templates. The PIV data model may be optionally extended to include the 
following logical credentials: Digital certificate for digital 
signature, digital certificate for key management, card authentication 
keys, and card management system keys. All PIV logical credentials can 
only be read by machine.

Authority for maintenance of the system:
    5 U.S.C. 301; 35 U.S.C. 2; E.O. 9397; Federal Information Security 
Management Act (Pub. L. 107-296, Sec. 3544); E-Government Act (Pub. L. 
107-347, Sec. 203); Government Paperwork Elimination Act (Pub. L. 105-
277, 44 U.S.C. 3504); Homeland Security Presidential Directive 12 
(HSPD-12) ``Policy for a Common Identification Standard for Federal 
Employees and Contractors'' (August 27, 2004).

Purpose(s):
    The primary purposes of the system are to ensure the safety and 
security of USPTO facilities, systems, or information, and of facility 
occupants and users; to provide for interoperability and trust in 
allowing physical access to individuals entering other Federal 
facilities; and to allow logical access to USPTO information systems, 
networks, and resources.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside the USPTO 
as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    a. To the Department of Justice when: (1) The agency or any 
component

[[Page 63137]]

thereof; (2) any employee of the agency in his or her official 
capacity; (3) any employee of the agency in his or her individual 
capacity where the agency or the Department of Justice has agreed to 
represent the employee; or (4) the United States Government is a party 
to litigation or has an interest in such litigation, and by careful 
review, the agency determines that the records are both relevant and 
necessary to the litigation and the use of such records by the 
Department of Justice is therefore deemed by the agency to be for a 
purpose compatible with the purpose for which the agency collected the 
records.
    b. To a court or adjudicative body in a proceeding when: (1) The 
agency or any component thereof; (2) any employee of the agency in his 
or her official capacity; (3) any employee of the agency in his or her 
individual capacity where the agency or the Department of Justice has 
agreed to represent the employee; or (4) the United States Government 
is a party to litigation or has an interest in such litigation, and by 
careful review, the agency determines that the records are both 
relevant and necessary to the litigation and the use of such records is 
therefore deemed by the agency to be for a purpose that is compatible 
with the purpose for which the agency collected the records.
    c. Except as noted on Forms SF 85, SF 85-P, and SF 86, when a 
record on its face, or in conjunction with other records, indicates a 
violation or potential violation of law, whether civil, criminal, or 
regulatory in nature, and whether arising by general statute or 
particular program statute, or by regulation, rule, or order issued 
pursuant thereto, disclosure may be made to the appropriate public 
authority, whether Federal, foreign, State, local, or tribal, or 
otherwise, responsible for enforcing, investigating or prosecuting such 
violation or charged with enforcing or implementing the statute, or 
rule, regulation, or order issued pursuant thereto, if the information 
disclosed is relevant to any enforcement, regulatory, investigative or 
prosecutorial responsibility of the receiving entity.
    d. To a Member of Congress or to a Congressional staff member in 
response to an inquiry of the Congressional office made at the written 
request of the constituent about whom the record is maintained.
    e. To the National Archives and Records Administration or to the 
General Services Administration for records management inspections 
conducted under 44 U.S.C. 2904 and 2906.
    f. To agency contractors, grantees, or volunteers who have been 
engaged to assist the agency in the performance of a contract service, 
grant, cooperative agreement, or other activity related to this system 
of records and who need to have access to the records in order to 
perform their activity. Recipients shall be required to comply with the 
requirements of the Privacy Act of 1974, as amended (5 U.S.C. 552a), 
the Federal Information Security Management Act (Pub. L. 107-296), and 
associated Office of Management and Budget (OMB) policies, standards 
and guidance from the National Institute of Standards and Technology, 
and the General Services Administration.
    g. To a Federal, state, local, or international agency, or tribal 
or other public authority, on request, in connection with the hiring or 
retention of an employee, the issuance or retention of a security 
clearance, the letting of a contract, or the issuance or retention of a 
license, grant, or other benefit, to the extent that the information is 
relevant and necessary to the requesting agency's decision.
    h. To the OMB when necessary to the review of private relief 
legislation pursuant to OMB Circular No. A-19.
    i. To a Federal, State, or local agency, or other appropriate 
entities or individuals, or through established liaison channels to 
selected foreign governments, in order to enable an intelligence agency 
to carry out its responsibilities under the National Security Act of 
1947, as amended; the CIA Act of 1949, as amended; Executive Order 
12333 or any successor order; and applicable national security 
directives, or classified implementing procedures approved by the 
Attorney General and promulgated pursuant to such statutes, orders, or 
directives.
    j. To designated agency personnel for controlled access to specific 
records for the purposes of performing authorized audit or authorized 
oversight and administrative functions. All access is controlled 
systematically through authentication using PIV credentials based on 
access and authorization rules for specific audit and administrative 
functions.
    k. To the Office of Personnel Management in accordance with the 
agency's responsibility for evaluation of Federal personnel management.
    l. To the Federal Bureau of Investigation for the National Criminal 
History check.

Disclosure to consumer reporting agencies:
    Not applicable.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    Records are stored in electronic files.

Retrievability:
    Records may be retrieved by name of the individual, Cardholder 
Unique Identification Number, employee ID, and/or by any other unique 
individual identifier.

Safeguards:
    Consistent with the requirements of the Federal Information 
Security Management Act (Pub. L. 107-296) and associated OMB policies, 
standards and guidance from the National Institute of Standards and 
Technology, and the General Services Administration, the USPTO Office 
of Security and Safety protects all records from unauthorized access 
through appropriate administrative, physical, and technical safeguards. 
Access is restricted on a ``need to know'' basis and through the 
utilization of PIV card access, secure network access, and card readers 
on doors and approved storage containers. The building has security guards and 
secured doors. All entrances are monitored through electronic 
surveillance equipment. The hosting facility is supported by 24/7 
onsite hosting and network monitoring by trained technical staff. 
Physical security controls include indoor and outdoor security 
monitoring and surveillance; badge and picture ID access screening; and 
pincode access screening. Personally identifiable information is 
safeguarded and protected in conformance with all Federal statutory and 
OMB guidance requirements. All access has role-based restrictions, and 
individuals with access privileges have undergone vetting and 
suitability screening. All data is encrypted in transit. The USPTO will 
maintain an audit trail and perform random periodic reviews to identify 
unauthorized access. Persons given roles in the PIV process must be 
approved by the USPTO and complete training specific to their roles to 
ensure they are knowledgeable about how to protect personally 
identifiable information.

Retention and disposal:
    Records retention and disposal is in accordance with the series 
records schedules. The records on government employees and contractor 
employees are retained for the duration of their employment at the 
USPTO. Other individuals' records are kept for the duration of their 
affiliation with the USPTO and then treated as employee

[[Page 63138]]

records. The records on separated employees are destroyed or sent to 
the Federal Records Center in accordance with General Records Schedule 
18.

System manager(s) and address:
    Director, Office of Security and Safety, United States Patent and 
Trademark Office, P.O. Box 1450, Alexandria, VA 22313-1450.

Notification procedure:
    Information about the records contained in this system may be 
obtained by sending a request in writing, signed, to the system manager 
at the address above. When requesting notification of or access to 
records covered by this notice, requesters should provide the 
appropriate information in accordance with the inquiry provisions 
appearing in 37 CFR part 102, subpart B.

Record access procedures:
    Requests from individuals should be addressed to the system manager 
at the address above. Individuals must furnish their full names for 
their records to be located and identified. See ``Notification 
procedure'' above.

Contesting record procedures:
    The general provisions for access, contesting contents, and 
appealing initial determinations by the individual concerned appear in 
37 CFR part 102, subpart B. Requests from individuals should be 
addressed to the system manager at the address above. Individuals must 
furnish their full names for their records to be located and 
identified. See ``Notification procedure'' above.

Record source categories:
    Employees, contractors, and other applicants, and those authorized 
by the subject individuals to furnish information.

Exemptions claimed for the system:
    None.

    Dated: October 16, 2008.
Susan K. Fawcett,
Records Officer, USPTO, Office of the Chief Information Officer, 
Customer Information Services Group, Public Information Services 
Division.
[FR Doc. E8-25279 Filed 10-22-08; 8:45 am]
BILLING CODE 3510-16-P