[Federal Register Volume 73, Number 229 (Wednesday, November 26, 2008)]
[Notices]
[Pages 72123-72127]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-28199]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of establishment of new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552(e) (4)) requires that 
all agencies publish in the Federal Register a notice of the existence 
and character of their systems of records. Notice is hereby given that 
the Department of Veterans Affairs (VA) is establishing a new system of 
records entitled ``Customer Relationship Management System (CRMS)-VA'' 
155VA16.

DATES: Comments on this new system of records must be received no later 
than December 26, 2008. If no public comment is received, the new 
system will become effective December 26, 2008.

ADDRESSES: Written comments concerning the proposed amended system of 
records may be submitted by: mail or hand-delivery to Director, 
Regulations Management (02REG), Department of Veterans Affairs, 810 
Vermont Avenue, NW., Room 1068, Washington, DC 20420; fax to (202) 273-
9026; or e-mail to [email protected]. All comments received 
will be available for public inspection in the Office of Regulation 
Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 
p.m., Monday through Friday (except holidays). Please call (202) 273-
9515 for an appointment.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue, 
NW., Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION:

I. Description of Proposed Systems of Records

    Electronic Service Records are maintained in a database at the 
Health Revenue Center (HRC), in Topeka, Kansas or at another Office of 
Information Technology (OI&T) approved location. These Service Records 
document telephone inquiries received from veterans, veteran's family 
members, members of the general public, VA customers, and VA employees.
    The Service Records may contain such information as identifying 
information including name, address,

[[Page 72124]]

social security number, date of birth, telephone number, VA claims file 
number, etc.; family information including spouse and dependent(s) 
name(s), address(es), telephone number(s), etc.; veteran's financial 
information concerning co-payment billing of medical care and 
prescriptions; veteran's health insurance carrier name and address; 
veteran's health care provider, services provided, amounts claimed and 
paid; facility location(s) where treatment is provided; information 
about military service; e.g., branch, combat service, military 
decorations, POW status, etc; information about veteran's eligibility 
and enrollment status for VA health care benefits; compensation, 
pension or education benefits; general public/job applicants' 
information, e.g., name, address, and telephone number, etc.; and VA 
employee and benefits information, e.g., name, address, social security 
number, date of birth, telephone number, and health insurance, life 
insurance coverage, retirement plan, etc. Overall, Service Records may 
be used to document all types of information resulting from 
communication with veterans, veteran's family members, members of the 
general public, VA customers, and VA employees during the course of 
conducting VA business.
    The Service Records are maintained for historical reference, 
quality assurance and training, and statistical reporting purposes.
    Magnetic media are also stored in a VA Office of Information and 
Technology (OI&T) approved location for contingency back-up purposes.

II. Proposed Routine Use Disclosures of Data in the System

    We are proposing to establish the following Routine Use disclosures 
of information maintained in the system for the potential purpose of 
releasing information on a call handled such as, the caller's name, 
date and time of call, purpose of call, and information obtained and/or 
response provided.
    1. The record of an individual who is covered by this system of 
records may be disclosed to a Member of Congress, or a staff person 
acting for the Member, when the Member or staff person requests the 
record on behalf of and at the written request of the individual.
    VA must be able to provide information about individuals to 
adequately respond to inquiries from Members of Congress at the request 
of constituents who have sought their assistance.
    2. Disclosure may be made to National Archives and Records 
Administration (NARA) and the General Services Administration (GSA) in 
records management inspections conducted under authority of Title 44, 
Chapter 29, of the United States Code (U.S.C.). NARA and GSA are 
responsible for management of old records no longer actively used, but 
which may be appropriate for preservation, and for the physical 
maintenance of the Federal government's records. VA must be able to 
provide the records to NARA and GSA in order to determine the proper 
disposition of such records.
    3. VA may disclose information in this system of records to the 
Department of Justice (DOJ), either on VA's initiative or in response 
to DOJ's request for the information, after either VA or DOJ determines 
that such information is relevant to DOJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DOJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records.
    VA must be able to provide information to DOJ in litigation where 
the United States or any of its components is involved or has an 
interest. A determination would be made in each instance that under the 
circumstances involved, the purpose is compatible with the purpose for 
which VA collected the information. This routine use is distinct from 
the authority to disclose records in response to a court order under 
subsection (b)(11) of the Privacy Act, 5 U.S.C. 552(b)(11), or any 
other provision of subsection (b), in accordance with the court's 
analysis in Doe v. DiGenova, 779 F.2d 74, 78-84 (DC Cir. 1985) and Doe 
v. Stephens, 851 F.2d 1457, 1465-67 (DC Cir. 1988).
    4. Disclosure of relevant information may be made to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement or where there is 
a subcontract to perform such services as VA may deem practicable for 
the purposes of laws administered by VA, in order for the contractor or 
subcontractor to perform the services of the contract or agreement. 
This routine use, which also applies to agreements that do not qualify 
as contracts defined by Federal procurement laws and regulations, is 
consistent with Office of Management and Budget (OMB) guidance in OMB 
Circular A-130, App. I, paragraph 5a(1)(b) that agencies promulgate 
routine uses to address disclosure of Privacy Act-protected information 
to contractors in order to perform the services contracts for the 
agency.
    5. VA may disclose, on its own initiative, any information in this 
system, except the names and home addresses of veterans and their 
dependents, that is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal, or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. VA may also disclose, on its 
own initiative, the names and addresses of veterans and their 
dependents to a Federal agency charged with the responsibility of 
investigating or prosecuting civil, criminal or regulatory violations 
of law, or charged with enforcing or implementing the statute, 
regulation, or order issued pursuant thereto.
    VA must be able to provide on its own initiative information that 
pertains to a violation of laws to law enforcement authorities in order 
for them to investigate and enforce those laws. Under 38 U.S.C. 5701(a) 
and (f), VA may only disclose the names and addresses of veterans and 
their dependents to Federal entities with law enforcement 
responsibilities. This is distinct from the authority to disclose 
records in response to a qualifying request from a law enforcement 
entity, as authorized by Privacy Act subsection 5 U.S.C. 552a(b)(7).
    6. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs. This routine use permits 
disclosures by the Department to report a suspected incident of 
identity theft and provide information and/or documentation related to 
or in support of the reported incident.
    7. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the

[[Page 72125]]

system of records has been compromised; (2) the Department has 
determined that as a result of the suspected or confirmed compromise, 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security, confidentiality, or integrity of 
this system or other systems or programs (whether maintained by the 
Department or another agency or entity) that rely upon the potentially 
compromised information; and (3) the disclosure is to agencies, 
entities, or persons whom VA determines are reasonably necessary to 
assist or carry out the Department's efforts to respond to the 
suspected or confirmed compromise and prevent, minimize, or remedy such 
harm. This routine use permits disclosures by the Department to respond 
to a suspected or confirmed data breach, including the conduct of any 
risk analysis or provision of credit protection services as provided in 
38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.
    8. Disclosure may be made to those officers and employees of the 
agency that maintains the record and who have a need for the record in 
the performance of their duties. This routine use permits disclosures 
by the Department to respond to Freedom of Information (FOIA)/Privacy 
Act requests and inquiries from officers and employees of Veteran 
Affairs organizations to aid in the services provided to veterans, 
veteran's family members, members of the general public, VA customers, 
and VA employees and to conduct general maintenance, trouble shooting 
and/or system upgrades.
    9. To disclose the information listed in 5 U.S.C. 7114(b)(4) to 
officials of labor organizations recognized under 5 U.S.C. Chapter 71 
when relevant and necessary to their duties of exclusive representation 
concerning personnel policies, practices, and matters affecting working 
conditions.
    This routine use permits disclosures by the Department to respond 
to requests made by the American Federation of Government Employees 
(AFGE) Local 906 officials for information and/or documents associated 
with their duties of exclusive representation of covered Health Revenue 
Center (HRC) employees.
    10. To disclose information to officials of the Merit Systems 
Protection Board (MSPB), or the Office of the Special Counsel, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as 
may be authorized by law. VA must be able to provide information to 
MSPB to assist it in fulfilling its duties as required by statute and 
regulation.
    11. To disclose information from this system to the Equal 
Employment Opportunity Commission (EEOC) when requested in connection 
with investigations of alleged or possible discriminatory practices, 
examination of Federal affirmative employment programs, or other 
functions of the Commission as authorized by statute and regulation. VA 
must be able to provide information to EEOC to assist it in fulfilling 
its duties to protect employees' rights, as required by statute 
regulation.
    12. To disclose to the Federal Labor Relations Authority (FLRA), 
including its General Counsel, information related to the establishment 
of jurisdiction, the investigation and resolution of allegations of 
unfair labor practices, or information in connection with the 
resolution of exceptions to arbitration awards when a question of 
material fact is raised; to disclose information in matters properly 
before the Federal Services Impasses Panel, and to investigate 
representation petitions and conduct or supervise representation 
elections. VA must be able to provide information to FLRA to comply 
with the statutory mandate under which it operates.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which we collected the information. In all of the routine 
use disclosures described above, the recipient of the information will 
use the information in connection with a matter relating to one of VA's 
programs, will use the information to provide a benefit to VA, or 
disclosure is required by law.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director of OMB as required by 5 U.S.C. 552a(r) (Privacy Act) 
and guidelines issued by OMB (65 FR 77677), December 12, 2000.

    Approved: November 7, 2008.
 Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
155VA16

SYSTEM NAME:
    Customer Relationship Management System (CRMS)-VA.

SYSTEM LOCATION:
    Records and magnetic media are maintained at the Health Revenue 
Center (HRC), Topeka, Kansas facility or at another OI&T approved 
location. Magnetic media are also stored at an OI&T approved location 
for contingency back-up purposes.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records include information concerning telephone inquiries from 
veterans, veteran's family members, members of the general public, VA 
customers, and VA employees.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information related to:
    1. Veteran health benefits eligibility;
    2. Veteran medical claims processing and payments;
    3. Co-payments charged for medical care and prescriptions;
    4. General human resources management; e.g., employee benefits, 
recruitment/job applicants, etc.; and
    5. Other information related to veterans, veteran's family members, 
members of the general public, VA customers, and VA employees.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, sections 501(a), 1705, 1710, 1722, 
1722(a), 1781 and Title 5, United States Code, section 552(a).

PURPOSE(S):
    The records and information may be used for historical reference, 
quality assurance, training, and statistical reporting.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR Parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR Parts 160 and 164 permitting disclosure.

[[Page 72126]]

    VA may disclose protected information pursuant to the following 
routine uses where required by law, or required or permitted by 45 CFR 
Parts 160 and 164.
    1. The record of an individual who is covered by this system of 
records may be disclosed to a Member of Congress, or a staff person 
acting for the Member, when the Member or staff person requests the 
record on behalf of and at the written request of the individual.
    2. Disclosure may be made to National Archives and Records 
Administration (NARA) and the General Services Administration (GSA) in 
records management inspections conducted under authority of Title, 
Chapter 29, of the United States Code (44 U.S.C.).
    3. VA may disclose information in this system of records to the 
Department of Justice (DOJ), either on VA's initiative or in response 
to DOJ's request for the information, after either VA or DOJ determines 
that such information is relevant to DOJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to DOJ is a 
use of the information contained in the records that is compatible with 
the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records.
    4. Disclosure of relevant information may be made to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement or where there is 
a subcontract to perform such services as VA may deem practicable for 
the purposes of laws administered by VA, in order for the contractor or 
subcontractor to perform the services of the contract or agreement.
    5. VA may disclose, on its own initiative, any information in this 
system, except the names and home addresses of veterans and their 
dependents, that is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. VA may also disclose, on its 
own initiative, the names and addresses of veterans and their 
dependents to a Federal agency charged with the responsibility of 
investigating or prosecuting civil, criminal or regulatory violations 
of law, or charged with enforcing or implementing the statute, 
regulation, or order issued pursuant thereto.
    6. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    7. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise, there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
entity) that rely upon the potentially compromised information; and (3) 
the disclosure is to agencies, entities, or persons whom VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm. This routine use permits 
disclosures by the Department to respond to a suspected or confirmed 
data breach, including the conduct of any risk analysis or provision of 
credit protection services as provided in 38 U.S.C. 5724, as the terms 
are defined in 38 U.S.C. 5727.
    8. Disclosure may be made to those officers and employees of the 
agency that maintains the record and who have a need for the record in 
the performance of their duties.
    9. To disclose the information listed in 5 U.S.C. 7114(b)(4) to 
officials of labor organizations recognized under 5 U.S.C. Chapter 71 
when relevant and necessary to their duties of exclusive representation 
concerning personnel policies, practices, and matters affecting working 
conditions.
    10. To disclose information to officials of the Merit Systems 
Protection Board (MSPB), or the Office of the Special Counsel, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as 
may be authorized by law.
    11. To disclose information from this system to the Equal 
Employment Opportunity Commission (EEOC) when requested in connection 
with investigations of alleged or possible discriminatory practices, 
examination of Federal affirmative employment programs, or other 
functions of the Commission as authorized by law or regulation.
    12. To disclose to the Federal Labor Relations Authority (FLRA), 
including its General Counsel, information related to the establishment 
of jurisdiction, the investigation and resolution of allegations of 
unfair labor practices, or information in connection with the 
resolution of exceptions to arbitration awards when a question of 
material fact is raised; to disclose information in matters properly 
before the Federal Services Impasses Panel, and to investigate 
representation petitions and conduct or supervise representation 
elections.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored on electronic media in a VA OI&T approved 
location.

RETRIEVABILITY:
    Records are retrieved by name, social security number, or other 
assigned identifiers of the individuals on whom they are maintained.

SAFEGUARDS:
    1. All entrance doors to the HRC require an electronic pass card to 
gain entry. Hours of entry to the facility are controlled based on 
position held and special needs. Visitors to the HRC are required to 
sign in at a specified location and are either escorted the entire time 
they are in the building or they are issued a temporary visitors badge. 
At the end of the visit, visitors are required to turn in their badge. 
The building is equipped with an intrusion alarm system which is 
activated when any of the doors are forced open or held ajar for a 
specified length of time. During business hours, the security system is 
monitored by the VA police and HRC staff. After business hours, the 
security system is monitored by the VA telephone operator(s) and VA 
police. The VA police conduct visual security

[[Page 72127]]

checks of the outside perimeter of the building.
    2. Access to the building is generally restricted to HRC staff and 
VA police, specified custodial personnel, engineering personnel, and 
canteen service personnel.
    3. Access to computer rooms is restricted to authorized VA OI-T 
personnel and requires entry of a personal identification number (PIN) 
with the pass card swipe. PINs must be changed periodically. All other 
persons gaining access to computer rooms are escorted. Information 
stored in the computer may be accessed by authorized VA employees at 
remote locations including the Health Eligibility Center in Atlanta, 
GA; Health Administration Center in Denver, CO; Consolidated Patient 
Accounting Center in Ashville, NC; and VA health care facilities.
    4. All new HRC employees receive initial information security and 
privacy policy training and sign a Statement of Commitment and 
Understanding; refresher training is provided to all employees on an 
annual basis. The HRC Information Security Officer performs an annual 
information security audit and periodic reviews to ensure security of 
the system.
    5. For contingency purposes, database backups on magnetic media are 
stored off-site at an approved VA OI&T location.

RETENTION AND DISPOSAL:
    Electronic Service Records are purged when they are no longer 
needed for current operation. Records are maintained and disposed of in 
accordance with records disposition authority approved by the Archivist 
of the United States, National Archives and Records Administration, and 
published in the VHA Records Control Schedule 10-1.

SYSTEM MANAGER(S) AND ADDRESS:
    Official responsible for policies and procedures: Chief Business 
Officer (16), VA Central Office, 1722 I Street, NW., Washington, DC 
20420. Official maintaining the system: Director, Health Revenue 
Center, 3401, SW., 21st Street, Bldg. 9, Topeka, Kansas 66604.

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether this system of records 
contains information about them should contact the VA facility location 
at which they are or were employed or made or have contact. Inquiries 
should include the person's full name, social security number, dates of 
employment, date(s) of contact, and return address.

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of records in this system may write, call, or visit the VA facility 
location where they are or were employed or made contact.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by veterans, 
veteran's family members, members of the general public, VA customers, 
and VA employees.

[FR Doc. E8-28199 Filed 11-25-08; 8:45 am]
BILLING CODE 8320-01-P