[Federal Register Volume 74, Number 142 (Monday, July 27, 2009)]
[Notices]
[Pages 37093-37096]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-17776]



[[Page 37093]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act; Systems of Records

AGENCY: Department of Veteran Affairs.

ACTION: Notice of establishment of new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552a (e)(4)) requires that 
all agencies publish in the Federal Register a notice of the existence 
and character of their systems of records. Notice is hereby given that 
the Department of Veterans Affairs (VA) is establishing a new 
electronic system of records entitled ``Veterans Affairs/Department of 
Defense Identity Repository (VADIR)--VA'' (138VA005Q).

DATES: Comments on this new system of records must be received no later 
than August 26, 2009. If no public comment is received, the new system 
will become effective August 26, 2009.

ADDRESSES: Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (02REG), Department of Veterans Affairs, 810 
Vermont Avenue, NW., Room 1063B, Washington, DC 20420; or by fax to 
(202) 273-9026. Copies of comments received will be available for 
public inspection in the Office of Regulation Policy and Management, 
Room 1063B, between the hours of 8 a.m. and 4:30 p.m., Monday through 
Friday (except holidays). Please call (202) 461-4902 for an 
appointment. In addition, during the comment period, comments may 
viewed online through the Federal Docket Management System (FDMS) at 
http://www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: David Lindsey, Program Manager, VADIR, 
Registration and Eligibility (005Q3), 810 Vermont Ave, NW., Washington, 
DC 20420; telephone (202) 245-1679.

SUPPLEMENTARY INFORMATION:
    a. Description of the Proposed System of Records:
    The Veterans Affairs/Department of Defense Identity Repository 
(VADIR) database is an electronic repository of military personnel's 
military history, payroll information and their dependents' data 
provided to VA by the Department of Defense's Defense Manpower Data 
Center (DMDC). The VADIR database repository is used in conjunction 
with other applications across VA business lines to provide an 
electronic consolidated view of comprehensive eligibility and benefits 
utilization data from across VA and Department of Defense (DoD). VA 
applications use the VADIR database to retrieve profile data, as well 
as address, military history, and information on compensation and 
benefits, disabilities, and dependents.
    b. Proposed Routine Use Disclosures of Data in the System:
    1. The record of an individual included in this system may be 
provided to DoD systems or offices for use in connection with matters 
relating to one of DoD's programs to enable delivery of healthcare or 
other DoD benefits to eligible beneficiaries.
    2. The name, address, VA file number, effective date of 
compensation or pension, current and historical benefit pay amounts for 
compensation or pension, service information, date of birth, competency 
payment status, incarceration status, and social security number of 
veterans and their surviving spouses may be disclosed to the Department 
of Defense Manpower Data Center (DMDC) to reconcile the amount and/or 
waiver of service, department and retired pay. These records may also 
be disclosed as part of a computer matching program to accomplish these 
purposes.
    3. The name, address, VA file number, date of birth, date of death, 
social security number, and service information may be disclosed to 
DoD. DoD will use this information to identify retired veterans and 
dependent members of their families who have entitlement to DoD 
benefits but who are not identified in the Department of Defense 
Enrollment Eligibility Reporting System (DEERS) program and to assist 
in determining eligibility for Civilian Health and Medical Program of 
the Uniformed Services (CHAMPUS) benefits. This purpose is consistent 
with 38 U.S.C. 5701.
    4. The name(s) and address (es) of a veteran may be disclosed to 
another Federal agency or to a contractor of that agency, at the 
written request of the head of that agency or designee of the head of 
that agency for the purpose of conducting government research necessary 
to accomplish a statutory purpose of that agency.
    5. VA may disclose on its own initiative any information in this 
system, except the names and addresses of veterans and their 
dependents, that is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal, or regulatory in nature and 
whether arising by general or program statute or by regulation, rule, 
or order issued pursuant thereto, a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule, or order. VA may also disclose on its 
own initiative the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal, or regulatory violations of law, or 
charged with enforcing or implementing the statute, regulation, rule, 
or order issued pursuant thereto.
    6. VA may disclose information in the system of records to the 
Department of Justice (DOJ), either on VA's initiative or in response 
to DOJ's request for the information, after either VA or DOJ determines 
that such information is relevant to DOJ's representation of the United 
States or any of its components in legal proceeding before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of records to the DOJ is a 
use of information contained in the records that is compatible with the 
purpose for which VA collected the records. VA, on its own initiative, 
may disclose records in this system of records in legal proceedings 
before a court or administrative body after determining that the 
disclosure of the records to the court or administrative body is a use 
of the information contained in the records that is compatible with the 
purpose for which VA collected the records.
    7. Where VA determines that there is good cause to question the 
legality or ethical propriety of the conduct of a person or 
organization representing a person in a matter before VA, a record from 
this system may be disclosed, on VA's initiative, to any or all of the 
following: (1) Applicable civil or criminal law enforcement authorities 
and (2) a person or entity responsible for the licensing, supervision, 
or professional discipline of the person or organization acting as 
representative. Names and home addresses of veterans and their 
dependents will be released on VA's initiative under this routine use 
only to Federal entities when VA believes that the names and addresses 
are required by the Federal department or agency.
    8. Disclosure of relevant information may be made to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to perform such 
services as VA may deem practicable for the purposes of laws 
administered by VA, in order for the contractor, subcontractor or 
entity or individual with whom VA has an agreement or contract to 
perform the services of the contract or agreement.

[[Page 37094]]

    9. VA may disclose any information or records to appropriate 
agencies, entities, and persons when (1) it is suspected or confirmed 
that the integrity or confidentiality of information in the system of 
records has been compromised; (2) VA has determined that as a result of 
the suspected or confirmed compromise there is a risk of embarrassment 
or harm to the reputations of the records subjects, harm to economic or 
property interest, identity theft or fraud, or harm to the security, 
confidentiality or integrity of this system or other systems or 
programs (whether maintained by VA or another agency or entity) that 
rely upon the potentially compromised information; and (3) the 
disclosure is made to such agencies, entities, and persons whom VA 
determines are reasonably necessary to assist or carry out VA's efforts 
to respond to the suspected or confirmed compromise and prevent, 
minimize, or remedy such harm.
    10. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs. This routine use permits 
disclosures by VA to respond to a suspected or confirmed data breach, 
including the conduct of any risk analysis or provision or credit 
protection services as provide in 38 U.S.C. 5724, as the terms are 
defined in 38 U.S.C. 5727.
    11. The record of an individual who is covered by a system of 
records may be disclosed to a Member of Congress, or a staff person 
acting for the member, when the member or staff person requests the 
record on behalf of and at the written request of the individual.
    12. Disclosure may be made to the National Archives and Records 
Administration (NARA) or the General Services Administration (GSA) in 
records management inspections conducted under authority of Chapter 29 
of Title 44 United States Code.
    c. Design Constraints--The VADIR system sits within the Austin 
Automation Center (AAC) in Austin, Texas, and therefore must conform to 
their requirements and standards established for that environment. This 
includes requirements such as access control to the systems, revision/
patch levels for hardware operating systems and database management 
systems, and use of security tools such as antivirus software, 
intrusion detection software and spyware. All data stored by VADIR are 
received from DMDC; therefore any changes requiring additional data or 
data format changes must be coordinated with the DMDC Database 
Administrator.
    d. Certification & Accreditation--The VADIR database repository has 
gone through the Certification & Accreditation (C&A) process. During 
this process, the VADIR database underwent a series of risk and 
security assessments and had extensive documentation developed to 
support the integrity of the system. The VA C&A process is used to 
certify that the VADIR system has adequate, logical, management and 
technical security controls in place that minimize the system's risk to 
unauthorized access and disclosure.
    e. Privacy Impact Assessment--The VADIR database repository system 
has had a comprehensive Privacy Impact Assessment (PIA) conducted on it 
to ensure that the privacy of the information contained within the 
system is adequately protected according to VA and Office of Management 
and Budget (OMB) privacy and security standards.
    f. Internal Communications Architecture--Records are transmitted 
between DMDC and VA over a dedicated telecommunications circuit using 
approved encryption technologies. Records (or information contained in 
records) are maintained in electronic format in the VADIR Oracle 
database. These records cannot be directly accessed by any VA employee 
or other users. Information from VADIR is disseminated in three ways: 
(1) Approved VA systems electronically request and receive data from 
VADIR over the internal VA network, (2) data is provided over the 
dedicated circuit between VADIR and DMDC for reconciliation of records 
or to identify retired veterans and dependents who have entitlements to 
DoD benefits but are not identified in DEERS, and (3) periodic 
electronic data extracts of subsets of information contained in VADIR 
are provided to approved VA offices/systems over the internal VA 
network.
    g. File Extracts--Daily extracts of subsets of data contained in 
VADIR are created to support VA business lines. These extracts are 
transmitted to approved VA office/systems over the internal VA network 
using approved security protocols to protect the data.
    h. External Interfaces--DoD data feed that updates the primary 
VADIR repository is transmitted from DMDC at Auburn Hills, Michigan, to 
the AAC over a dedicated communications circuit; a second data feed 
transmits the same data from DMDC to the VADIR disaster recovery site 
in Hines, Illinois, over another dedicated circuit. All data 
transmissions are encrypted.
    i. Interface Architecture--No users can access VADIR directly. 
Other VA systems request specific information from VADIR and that 
information is displayed to the user by the requesting system. VADIR 
also provides periodic data extracts of subsets of data contained in 
the VADIR database to approved VA offices/systems.
    j. Compatibility of the Proposed Routine Uses--The Privacy Act 
permits VA to disclose information about the individuals contained in a 
system of records without their consent for a routine use, when the 
information will be used for a purpose that is compatible with the 
purpose for which the information was collected. In all of the routine 
use disclosures described above, either the recipient of the 
information will use the information in connection with a matter 
relating to one of VA's programs, to provide a benefit to the veteran, 
or disclosure is required by law.
    The notice of intent to publish an advance copy of the system 
notice has been sent to the appropriate Congressional committees and to 
the Director of the Office of Management and Budget (OMB) as required 
by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 
77677), December 12, 2000.

    Approved: July 8, 2009.
John R. Gingrich,
Chief of Staff, Department of Veterans Affairs.
138VA005Q

SYSTEM NAME:
    ``Veterans Affairs Department of Defense Identity Repository 
(VADIR)--VA'' 138VA005Q.

SYSTEM LOCATION:
    The primary VADIR database containing all records is maintained at 
the Austin Automation Center (AAC) at 1615 East Woodward Street, 
Austin, Texas 78772. A second VADIR database with an identical set of 
records is being established as a disaster recovery site at the Data 
Processing Center at Hines, Illinois. The disaster recovery site will 
be established in CY 2009. All records are maintained electronically.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The category of the individuals covered by the VADIR database 
encompasses veterans, service members, and their dependents. This would 
include current service members, separated service members, and their 
dependents; as well as veterans whose

[[Page 37095]]

VA military service benefits have been sought by others (e.g., burial 
benefits).

CATEGORIES OF RECORDS IN THE SYSTEM:
    The record, or information contained in the record, may include 
identifying information (e.g., name, contact information, Social 
Security number), association to dependents, cross reference to other 
names used, military service participation and status information 
(branch of service, rank, enter on duty date, release from active duty 
date, military occupations, type of duty, character of service, 
awards), reason and nature of active duty separation (completion of 
commitment, disability, hardship, etc.), combat/environmental exposures 
(combat pay, combat awards, theater location), combat deployments 
(period of deployment, location/country), Guard/Reserve activations 
(period of activation, type of activation), military casualty/
disabilities (line of duty death, physical examination board status, 
serious/very serious injury status, DoD rated disabilities), education 
benefit participation, eligibility and usage, healthcare benefit 
periods of eligibility (TRICARE, CHAMPVA), and VA compensation (rating, 
Dependency and Indemnity Compensation (DIC), award amount).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The authority for maintaining this system is Title 38 U.S.C. 
Section 5106.

PURPOSE:
    The purpose of VADIR is to receive electronically military 
personnel and payroll information from the Department of Defense (DoD) 
in a centralized VA system and then distribute the data to other VA 
systems and Lines of Business who require the information for health 
and benefits eligibility determinations. This information is provided 
to VADIR by the Defense Manpower Data Center (DMDC). VADIR will also 
provide veterans information concerning education benefits usage and 
death and disability status, as well as personal and demographic 
information on veterans discharged prior to 1978 to DMDC for 
reconciliation purposes.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    1. The record of an individual included in this system may be 
provided to DoD systems or offices for use in connection with matters 
relating to one of DoD's programs to enable delivery of healthcare or 
other DoD benefits to eligible beneficiaries.
    2. The name, address, VA file number, effective date of 
compensation or pension, current and historical benefit pay amounts for 
compensation or pension, service information, date of birth, competency 
payment status, incarceration status, and social security number of 
veterans and their surviving spouses may be disclosed to the DMDC to 
reconcile the amount and/or waiver of service, department and retired 
pay. These records may also be disclosed as part of a computer matching 
program to accomplish these purposes.
    3. The name, address, VA file number, date of birth, date of death, 
social security number, and service information may be disclosed to 
DoD's Defense Manpower Data Center. DoD will use this information to 
identify retired veterans and dependent members of their families who 
have entitlement to Department of Defense benefits but who are not 
identified in the Department of Defense Enrollment Eligibility 
Reporting System (DEERS) program and to assist in determining 
eligibility for Civilian Health and Medical Program of the Uniformed 
Services (CHAMPUS) benefits. This purpose is consistent with 38 U.S.C. 
5701.
    4. The name(s) and address(es) of a veteran may be disclosed to 
another Federal agency or to a contractor of that agency, at the 
written request of the head of that agency or designee of the head of 
that agency for the purpose of conducting government research necessary 
to accomplish a statutory purpose of that agency.
    5. VA may disclose on its own initiative any information in this 
system, except the names and addresses of veterans and their 
dependents, that is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal, or regulatory in nature and 
whether arising by general or program statute or by regulation, rule, 
or order issued pursuant thereto, a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule, or order. VA may also disclose on its 
own initiative the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal, or regulatory violations of law, or 
charged with enforcing or implementing the statute, regulation, rule, 
or order issued pursuant thereto.
    6. VA may disclose information in the system of records to the 
Department of Justice (DOJ), either VA's initiative or in response to 
DOJ's request for the information, after either VA or DOJ determines 
that such information is relevant to DOJ's representation of the United 
States or any of its components in legal proceeding before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of records to the DOJ is a 
use of information contained in the records that is compatible with the 
purpose for which VA collected the records. VA, on its own initiative, 
may disclose records in this system of records in legal proceedings 
before a court or administrative body after determining that the 
disclosure of the records to the court or administrative body is a use 
of the information contained in the records that is compatible with the 
purpose for which VA collected the records.
    7. Where VA determines that there is good cause to question the 
legality or ethical propriety of the conduct of a person or 
organization representing a person in a matter before VA, a record from 
this system may be disclosed, on VA's initiative, to any or all of the 
following: (1) Applicable civil or criminal law enforcement authorities 
and (2) a person or entity responsible for the licensing, supervision, 
or professional discipline of the person or organization acting as 
representative. Names and home addresses of veterans and their 
dependents will be released on VA's initiative under this routine use 
only to Federal entities when VA believes that the names and addresses 
are required by the Federal department or agency.
    8. Disclosure of relevant information may be made to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to perform such 
services as VA may deem practicable for the purposes of laws 
administered by VA, in order for the contractor, subcontractor or 
entity or individual with whom VA has an agreement or contract to 
perform the services of the contract or agreement.
    9. VA may disclose information or records to appropriate agencies, 
entities, and persons when (1) it is suspected or confirmed that the 
integrity or confidentiality of information in the system of records 
has been compromised; (2) VA has determined that as a result of the 
suspected or confirmed compromise there is a risk of embarrassment or 
harm to the reputations of the records' subjects, harm to economic or 
property interest, identity theft or fraud, or harm to the security, 
confidentiality or integrity of

[[Page 37096]]

this system or other systems or programs (whether maintained by VA or 
another agency or entity) that rely upon the potentially compromised 
information; and (3) the disclosure is made to such agencies, entities, 
and persons whom VA determines are reasonably necessary to assist in or 
carry out VA's efforts to respond to the suspected or confirmed 
compromise and prevent, minimize, or remedy such harm.
    10. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs. This routine use permits 
disclosures by VA to respond to a suspected or confirmed data breach, 
including the conduct of any risk analysis or provision or credit 
protection services as provided in 38 U.S.C. 5724, as the terms are 
defined in 38 U.S.C. 5727.
    11. The record of an individual who is covered by a system of 
records may be disclosed to a Member of Congress, or a staff person 
acting for the member, when the member or staff person requests the 
record on behalf of and at the written request of the individual.
    12. Disclosure may be made to the National Archives and Records 
Administration (NARA) or the General Services Administration (GSA) in 
records management inspections conducted under authority of Chapter 29 
of Title 44 United States Code.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM STORAGE:
STORAGE:
    Records are transmitted between DMDC and VA over a dedicated 
telecommunications circuit using approved encryption technologies. 
Records (or information contained in records) are maintained in 
electronic format in the VADIR Oracle database. These records cannot be 
directly accessed by any VA employee or other users. Information from 
VADIR is disseminated in three ways: (1) Approved VA systems 
electronically request and receive data from VADIR, (2) data is 
provided between VADIR and DMDC for reconciliation of records or to 
identify retired veterans and dependents who have entitlements to DoD 
benefits but are not identified in DEERS, and (3) periodic electronic 
data extracts of subsets of information contained in VADIR are provided 
to approved VA offices/systems. Backups of VADIR data are created 
regularly and stored in a secure off-site facility.

RETRIEVABILITY:
    Electronic files are retrieved using various unique identifiers 
belonging to the individual to whom the information pertains to include 
such identifiers as name, claim file number, social security number and 
date of birth.

SAFEGUARDS:
    1. Physical Security: The primary VADIR system is located in the 
AAC and the backup disaster recovery system is located in the Hines 
Data Processing Center. Access to data processing centers is generally 
restricted to center employees, custodial personnel, Federal Protective 
Service and other security personnel. Access to computer rooms is 
restricted to authorized operational personnel through electronic 
locking devices. All other persons needing access to computer rooms are 
escorted.
    2. System Security: Access to the VA network is protected by the 
usage of ``logon'' identifications and passwords. Once on the VA 
network, separate ID and password credentials are required to gain 
access to the VADIR server and/or database. Access to the server and/or 
database is granted to only a limited number of system administrators 
and database administrators. In addition VADIR has undergone 
certification and accreditation. Based on a risk assessment that 
followed National Institute of Standards and Technology Vulnerability 
and Threat Guidelines, the system is considered stable and operational 
and a final Authority to Operate has been granted. The system was found 
to be operationally secure, with very few exceptions or recommendations 
for change.

RETENTION AND DISPOSAL:
    VA retains selected information for purposes of making eligibility 
determinations for VA benefits. The information retained may be 
included in the VA records that are maintained and disposed of in 
accordance with the appropriate record disposition authority approved 
by the Archivist of the United States.

SYSTEM MANAGER(S) AND ADDRESSES:
    The official responsible for maintaining the VADIR repository: 
David Lindsey, Program Manager, VADIR, Registration and Eligibility, 
Office of Enterprise Development, Interagency Program Executive Office 
(005Q3), ATTN: VADIR System of Records, 810 Vermont Avenue, NW., 
Washington, DC 20420.

NOTIFICATION PROCEDURES:
    Individuals seeking information on the existence and content of a 
record pertaining to them should contact the system manager, in 
writing, at the above address. Requests should contain the full name, 
address and telephone number of the individual making the inquiry.

RECORD ACCESS PROCEDURE:
    (See notification procedure above.)

CONTESTING RECORD PROCEDURES:
    See Notification Procedure above. Additionally, to the extent that 
information contested is identified as data provided by DMDC, which is 
part of the Defense Logistics Agency (DLA), the DLA rules for accessing 
records, for contesting contents, and appealing initial agency 
determinations are contained in 32 CFR Part 323, or may be obtained 
from the Privacy Act Officer, Headquarters, Defense Logistics Agency, 
ATTN: DES-B, 8725 John J. Kingman Road, Stop 6220, Fort Belvoir, VA 
22060-6221.

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by components of 
the Department of Defense.

[FR Doc. E9-17776 Filed 7-24-09; 8:45 am]
BILLING CODE 8320-01-P