[Federal Register Volume 74, Number 156 (Friday, August 14, 2009)]
[Notices]
[Pages 41190-41192]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-19489]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of Amendment of Systems of Records Notice ``Customer 
User Provisioning System (CUPS)-VA'' (87VA005OP).

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 (5 U.S.C. 552a(e)(4)), 
notice is hereby given that the Department of Veterans Affairs (VA), is 
amending the system of records entitled ``Customer User Provisioning 
System (CUPS)-VA'' (87VA005OP) as set forth in 69 FR 18436. VA is 
amending the system of records by revising the system name, category of 
records, and the routine uses in the system. VA is re-publishing the 
system notice in its entirety.

DATES: Comments on this amended system of records must be received no 
later than September 14, 2009. If no public comment is received during 
the period allowed for comment or unless otherwise published in the 
Federal Register by VA, the amended system will become effective 
September 14, 2009.

ADDRESSES: Written comments may be submitted through http://

[[Page 41191]]

www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (02REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays). Please call (202) 461-4902 (this is not a toll free 
number) for an appointment. In addition, during the comment period, 
comments may be viewed online through the Federal Docket Management 
System (FDMS).

FOR FURTHER INFORMATION CONTACT: Alvin J. Donnell, Chief, Systems 
Security Division, Corporate Data Center Operations (CDCO), Department 
of Veterans Affairs, 1615 Woodward Street, Austin, Texas 78772, 
telephone (512) 326-6006.

SUPPLEMENTARY INFORMATION: 
    Background: CDCO is the largest data center in the Department of 
Veterans Affairs. In order to record and track system access to the 
computers operated and maintained by this organization, CDCO must 
maintain a current list of all VA employees, employees of other 
government agencies, and authorized contractor personnel who require 
access to this computer resources, in accordance with Federal computer 
security requirements.
    In this system of record, the name is amended to reflect the name 
of the new system. The new system name is Customer User Provisioning 
System (CUPS). CUPS replaces the Automated Customer Registration System 
(ACRS) effective January 5, 2009.
    The Category of Records in the System is amended to reflect the 
records in this system, in both paper and electronic form, will not 
include the social security numbers of personnel who have requested and 
gained access to the automated resources at CDCO. In addition to 
deleting the Social Security number, the individual's log-on ID for 
their local area network will be included in the record, which is used 
as the unique identifier in lieu of the Social Security number. The 
records will include the name, business address and telephone number, 
job title and information relating to data file and computer system 
access permissions granted to that individual.
    Routine Uses numbers 8-14 have been added per the requirement of 
the Department and for further clarification of disclosures that VA may 
make to individuals, agencies and third party entities.
    The Report of Intent to Amend a System of Records notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of Office of Management 
and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and 
guidelines issued by OMB (65 FR 77677), December 12, 2000.

    Dated: July 28, 2009.

    Approved:
John R. Gingrich,
Chief of Staff, Department of Veterans Affairs.

SYSTEM NUMBER:
87VA005OP

SYSTEM NAME:
    Customer User Provisioning System--VA.

SYSTEM LOCATION:
    The automated records are maintained by the Corporate Data Center 
Operations, 1615 Woodward Street, Austin, TX 78772. The paper records 
will be maintained at each VA field station that has a responsibility 
for CUPS input.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    All Department of Veterans Affairs employees, employees of other 
government agencies, and authorized contractor personnel who have 
requested and have been granted access to the automated resources of 
the VA Corporate Data Center Operations (CDCO).

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records in this system, in both paper and electronic form, will 
include the names and network user-ID of all personnel who have 
requested and been granted access to the automated resources at the 
CDCO. The records will also include business address and telephone 
number, job title, and information relating to data file and computer 
system access permissions granted to that individual.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, Section 501.

PURPOSE(S):
    The purpose of this system of records is to allow the CDCO in 
Austin, Texas, to maintain a current list of all VA employees, 
employees of other government agencies, and authorized contractor 
personnel who require access to the computer resources of the CDCO, in 
accordance with Federal computer security requirements.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    1. At the initiative of VA, pertinent information may be disclosed 
to appropriate Federal, State or local agencies responsible for 
investigating, prosecuting, enforcing or implementing statutes, rules, 
regulations or orders, where VA becomes aware of an indication of a 
violation or potential violation of civil or criminal law or 
regulation.
    2. Disclosure of specific information may be made to a Federal 
agency, in response to its request, to the extent that the information 
requested is relevant and necessary to the requesting agency's decision 
in connection with hiring or retaining an employee, issuing a security 
clearance, conducting a security or suitability investigation on an 
individual, classifying jobs, awarding a contract or issuing a license, 
grant or other benefit.
    3. Disclosure of information may be made to officials of the Merit 
Systems Protection Board, including the Office of the Special Counsel, 
the Federal Labor Relations Authority and its General Counsel or the 
Equal Employment Opportunity Commission, when requested in performance 
of their authorized duties, and the request is not in connection with a 
law enforcement investigation.
    4. The record of an individual who is covered by this system or 
records may be disclosed to a member of Congress, or staff person 
acting for the member when the member or staff person requests the 
record on behalf of and at the written request of that individual.
    5. Disclosure may be made to the National Archives and Records 
Administration and General Services Administration for record 
management inspections conducted under Authority of Title 44 U.S.C.
    6. VA may disclose information from this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records

[[Page 41192]]

in this system of records in legal proceedings before a court or 
administrative body after determining that the disclosure of records to 
the court or administrative body is a use of the information contained 
in the records that is compatible with the purpose for which VA 
collected the records.
    7. Disclosure of relevant information may be made to individuals, 
organizations, private or public agencies, or other entities with whom 
VA has a contract or agreement or where there is a subcontract to 
perform such services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor or subcontractor 
to perform the services of the contract or agreement.
    8. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, that is relevant to a suspected violation or reasonably 
imminent violation of law, whether civil, criminal or regulatory in 
nature and whether arising by general or program statute or by 
regulation, rule or order issued pursuant thereto, to a Federal, State, 
local, tribal, or foreign agency charged with the responsibility of 
investigating or prosecuting such violation, or charged with enforcing 
or implementing the statute, rule, regulation or order. VA may also 
disclose on its own initiative the names and addresses of veterans with 
the responsibility of investigating or prosecuting civil, criminal, or 
regulatory violations if law, or charged with enforcing or implementing 
the statute regulation, or order issued pursuant thereto.
    9. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    10. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) VA has 
determined that as a result of the suspected or confirmed compromise, 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to the economic or property interests, identity 
theft or fraud, or harm to security, confidentially, or integrity of 
this system or other systems or programs (whether maintained by VA or 
another agency or entity) that rely upon the potentially compromised 
information; and (3) the disclosure is to agencies, entities, or 
persons whom VA determines are reasonably necessary to assist or carry 
out the VA's efforts to respond to the suspected or confirmed 
compromise and prevent, minimize, or remedy such harm. This routine use 
permits disclosures by VA to respond to a suspected or confirmed data 
breach, including the conduct of any risk analysis or provision of 
credit protection services as provided in 38 U.S.C. 5724, as the terms 
are defined in 38 U.S.C. 5727.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Each field station responsible for inputting records into the 
system will retain the original signed paper copies of requests for 
system access in locked containers. Data files supporting the automated 
system are stored in a secure area located at the CDCO. Data files are 
stored on magnetic disk and, for archival purposes, on magnetic tape.

RETRIEVABILITY:
    Paper records are maintained in alphabetical order by last name of 
the requester. Automated records are retrieved by individual name or by 
a specific automated resource.

SAFEGUARDS:
    Paper records in progress are maintained in a manned room during 
working hours. Paper records maintained for archival purposes are 
stored in locked containers until needed. During non-working hours, the 
paper records are kept in a locked container in a secured area. Access 
to the records is on a need-to-know basis only. Access to the automated 
system is via computer terminal; standard security procedures, 
including a unique customer identification code and password 
combination, are used to limit access to authorized personnel only. 
Specifically, in order to obtain access to the automated records 
contained in this system of records, an individual must: 1. Have access 
to the automated resources of the CDCO. An individual may not self-
register for this access. Formal documentation of the request for 
access, signed by the employee's supervisor, is required before an 
individual may obtain such access. Authorized customers are issued a 
customer identification code and one-time password.
    2. Be an authorized official of the CUPS system. Only two 
individuals per field station may be designated CUPS officials with 
access to add, modify or delete records from the system. These 
individuals require a specific functional task code in their customer 
profile; this functional task can only be assigned by the CDCO. A 
limited number of supervisory or managerial employees throughout VA 
will have read-only access for the purpose of monitoring CUPS 
activities.

RETENTION AND DISPOSAL:
    Records will be maintained and disposed of in accordance with the 
records disposal authority approved by the Archivist of the United 
States, the National Archives and Records Administration, and published 
in Agency Records Control Schedules. Paper records will be destroyed by 
shredding or other appropriate means for destroying sensitive 
information. Automated storage records are retained and destroyed in 
accordance with a disposition authorization approved by the Archivist 
of the United States.

SYSTEMS AND MANAGER(S) AND ADDRESS:
    Officials responsible for policies and procedures; Executive 
Director, Corporate Data Center Operations, 1615 Woodward Street, 
Austin, Texas 78772. The telephone number is (512) 326-6000.

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether this system of records 
contains information about them should contact the Executive Director, 
Corporate Data Center Operations, 1615 Woodward Street, Austin, Texas 
78772.

RECORD ACCESS PROCEDURE:
    An individual who seeks access or wishes to contest records 
maintained under his or her name or other personal identifier may 
write, call or visit the system manager.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:
    Individuals who have applied for and been granted access permission 
to the resources of the CDCO.

[FR Doc. E9-19489 Filed 8-13-09; 8:45 am]
BILLING CODE 8320-01-P