[Federal Register Volume 78, Number 101 (Friday, May 24, 2013)]
[Notices]
[Pages 31528-31530]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-12414]



[[Page 31528]]

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[Docket ID DoD-2013-OS-0104]


Privacy Act of 1974; System of Records

AGENCY: Defense Commissary Agency, DoD.

ACTION: Notice to alter a System of Records.

-----------------------------------------------------------------------

SUMMARY: The Defense Commissary Agency proposes to alter a system of 
records in its inventory of record systems subject to the Privacy Act 
of 1974 (5 U.S.C. 552a), as amended.

DATES: This proposed action will be effective on June 24, 2013 unless 
comments are received which result in a contrary determination. 
Comments will be accepted on or before June 24, 2013.

ADDRESSES: You may submit comments, identified by docket number and 
title, by any of the following methods:
    * Federal Rulemaking Portal: http://www.regulations.gov. Follow the 
instructions for submitting comments.
    * Mail: Federal Docket Management System Office, 4800 Mark Center 
Drive, East Tower, 2nd Floor, Suite 02G09, Alexandria, VA 22350-3100.
    Instructions: All submissions received must include the agency name 
and docket number for this Federal Register document. The general 
policy for comments and other submissions from members of the public is 
to make these submissions available for public viewing on the Internet 
at http://www.regulations.gov as they are received without change, 
including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Mr. Thomas Rathgeb, Deputy General 
Counsel--Litigation, FOIA and Privacy Act, Office of the General 
Counsel, Defense Commissary Agency, 1300 E. Avenue, Fort Lee, VA 23801-
1800; telephone (804) 734-800, x48116.

SUPPLEMENTARY INFORMATION: The Department of the Navy's notices for 
systems of records subject to the Privacy Act of 1974 (5 U.S.C. 552a), 
as amended, have been published in the Federal Register and are 
available from the address in FOR FURTHER INFORMATION CONTACT or from 
the Defense Privacy and Civil Liberties Office Web site at http://dpclo.defense.gov/privacy/SORNs/component/deca/index.html.
    The proposed system report, as required by 5 U.S.C. 552a(r) of the 
Privacy Act of 1974, as amended, was submitted on May 6, 2013, to the 
House Committee on Oversight and Government Reform, the Senate 
Committee on Governmental Affairs, and the Office of Management and 
Budget (OMB) pursuant to paragraph 4c of Appendix I to OMB Circular No. 
A-130, ``Federal Agency Responsibilities for Maintaining Records About 
Individuals,'' dated February 8, 1996 (February 20, 1996, 61 FR 6427).

    Dated: May 7, 2013.
Aaron Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
Z0035-01

System Name:
    Financial Transaction Data (December 28, 2007, 72 FR 73781)

Changes:
* * * * *

System name:
    Delete entry and replace with ``Commissary Retail Sales Transaction 
Data.''

System location:
    Delete entry and replace with ``Defense Commissary Agency, 1300 E 
Avenue, Fort Lee, VA 23801-1800.
    An official listing of locations can be obtained from the Office of 
the Deputy Director/Chief Operating Office.''

Categories of individuals covered by the system:
    Delete entry and replace with ``Members of the uniformed services 
on active duty, members of the uniformed services entitled to retired 
pay, dependents of such members; persons authorized to use the system 
under chapter 54 of Title 10, U.S.C.; and other personnel listed in 
Department of Defense Instruction 1330.17, Armed Services Commissary 
Operations, such as recipients of the Medal of Honor, selected military 
personnel of foreign nations, and personnel of other organizations and 
activities, to include the American Red Cross, the United Service 
Organizations.''

Categories of records in the system:
    Delete entry and replace with ``Personal Information: Individual's 
name; address(es); zip code; ship-to address(es); email address(es); 
telephone number(s); date of birth; Social Security Number (SSN); 
Department of Defense Identification Number (DoD ID Number) and ID card 
bar code value; internet and mobile ordering web login username and 
password.

Financial Transactions Information:
    Store point-of-sale terminal number, date of transaction, 
transaction number, merchandise purchased, universal product codes 
(UPCs), global trade item numbers (GTINs), quantity, unit price, total 
purchase, on-line orders; method of payment information; account/card 
holder name, check number, financial institution routing number, 
financial institution bank account number, Magnetic Ink Character 
Recognition Number (MICR), credit and debit/ATM card number, expiration 
date, Card Verification Value 2 (CVV2), Card Validation Code (CVC), or 
Card Identifier (CID); smart card and other chip-based card payment 
information; issuer, card holder name, bank, credit or debit account 
and account limits; electronic benefit transfer card (Women, Infants 
and Children Program (WIC) and Supplemental Nutritional Assistance 
Program (SNAP))information; issuer, account/card holder name, account 
number, purchases and refunds, account balance; prepaid/preloaded/
stored value card information, issuer, account number, account limits, 
and account balance; gift card/certificate information; gift card/
certificate number, amount, limits, and balance; coupon information; 
brand, product, and value; loyalty card, rewards card, points card, 
advantage card or club card information; card holder name, card number, 
digital coupons available, buying preferences, and demographic data 
concerning the patron; other similar methods of payment information 
initiated by mobile device applications to include Near Field 
Communications (NFC).
    Commissary Patron Demographic Information: age, military status 
(active, reserve, retired, civilian, officer, enlisted, family member, 
survivor, foreign), military rank, branch of service, household size, 
distance from nearest commissary, frequency of grocery shopping trips, 
and income range; shopper preference information; preferred brand 
names, price, quality, size, availability of discounts, promotions or 
coupons; and commissary patron profile information; social media (e.g. 
Facebook, Twitter, Flickr, YouTube) username; compilation of commissary 
patron comments, inquiries, complaints, and feedback concerning 
commissary merchandise and the patron's commissary shopping experience 
posted by the commissary patron in the social media environment; and 
the commissary patron's publically viewable social media profile 
information.''

[[Page 31529]]

Authority for maintenance of the system:
    Delete entry and replace with ``5 U.S.C. 301, Departmental 
regulations; 10 U.S.C. 136, Under Secretary of Defense for Personnel 
and Readiness; 10 U.S.C. Sec.  2481, Defense Commissary and Exchange 
Systems; Existence and Purpose; 10 U.S.C. Sec.  2484, Commissary 
Stores: Merchandise That May Be Sold; Uniform Surcharges and Pricing; 
10 U.S.C. Sec.  2485, Commissary Stores: Operation; Department of 
Defense Directive 5105.55, Defense Commissary Agency (DeCA); Department 
of Defense Instruction 1330.17, Armed Services Commissary Operations; 
Department of Defense 7000.14-R, Department of Defense Financial 
Management Regulations (FMRs), Volume 4, Chapter 3, Receivables; Volume 
6A, Reporting Policy and Procedures, Volume 11A, Reimbursable 
Operations, Policy and Procedures, Volume 11B, Reimbursable Operations, 
Policy and Procedures--Working Capital Funds.''

Purpose(s):
    Delete entry and replace with ``To enable the Defense Commissary 
Agency to carry out its mission to enhance the quality of life of 
members of the uniformed services, retired members, and dependents of 
such members, and to support military readiness, recruitment and 
retention, by providing a world-wide system of commissaries similar to 
commercial grocery stores and selling merchandise and household goods 
similar to that sold in commercial grocery stores.
    To enable the authentication of authorized patrons, record 
purchases and purchase prices, calculate the total amount owed by the 
customer, and accept payment by various media.
    To enable the collection of debts due the United States in the 
event a patron's medium of payment is declined or returned unpaid.
    To enable the monitoring of purchases of restricted items outside 
the United States, its territories and possessions, as necessary to 
prevent black marketing in violation of treaties or agreements, and to 
comply with age restrictions applicable to certain purchases by minors 
or those under allowable ages.
    To enable authorized patrons to order commissary retail products 
on-line by home computer or mobile device and to pay for such purchases 
electronically either at the time of ordering or at the time of pick 
up.
    To enable authorized patrons to create a commissary patron profile 
for the purposes of determining aggregate patron demographic data, 
patron shopping preference information, the compilation of individual 
patron comments, inquiries, complaints, requests, and feedback posted 
to social media pages.
    For use in responding to individual patron inquiries, assessing 
aggregate patron satisfaction with the delivery of the commissary 
benefit, and in determining appropriate product availability meeting 
the commissary customers' current and future needs and wants.''
    Routine uses of records maintained in the system, including 
categories of users and the purposes of such uses:
    Delete entry and replace with ``In addition to those disclosures 
generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, 
as amended, these records contained therein may specifically be 
disclosed outside the DoD as a routine use pursuant to 5 U.S.C. 
552a(b)(3) as follows:
    To the Department of Treasury and its designated contractors for 
electronic check processing and electronic funds transfers related to 
credit/debit card charges;
    To a loyalty card, rewards card, points card, advantage card or 
club card or digital coupon program coupon contractor that will use the 
information to verify a commissary customer's enrollment in a loyalty, 
rewards, points, advantage, club or digital coupon program, and to 
provide discounts, digital coupons or other incentives to be applied to 
the customers' commissary purchases.
    To the on-line ordering fulfillment contractor to allow for the 
confirmation by email of orders received, fulfilled, and closed.
    To purchasers of commissary sales transaction data pursuant to 10 
U.S.C. Sec.  2485(h), Release of certain commercially valuable 
information to the public.
    The DoD Blanket Routine Uses published at the beginning of the 
Defense Commissary Agency's compilation of systems of records notices 
may apply to this system of records.
    Disclosures pursuant to 5 U.S.C. 552a(b)(12) may be made from this 
system to ``consumer reporting agencies'' as defined in the Fair Credit 
Reporting Act (14 U.S.C. 1681a(f)) or the Federal Claims Collection Act 
of 1966 (31 U.S.C. 3701(a)(3)). The purpose of this disclosure is to 
aid in the collection of outstanding debts owed to the Federal 
government, typically to provide an incentive for debtors to repay 
delinquent Federal government debts by making these debts part of their 
credit records.
    The disclosure is limited to information necessary to establish the 
identity of the individual, including name, address, and SSN, DoD ID 
Number, DoD barcode value, credit card or debit/ATM card number, the 
amount, status, and history of the claim; and the agency or program 
under which the claim arose for the sole purpose of allowing the 
consumer reporting agency to prepare a commercial credit report.''
    Policies and practices for storing, retrieving, accessing, 
retaining, and disposing of records in the system:
* * * * *

Retrievability:
    Delete entry and replace with ``By individual's name, store, point-
of-sale terminal number, transaction date, order date, merchandise 
purchased, transaction number, SSN, Military Card Identification 
Number, DoD ID Number, DoD ID Bar Code value, financial institution 
routing number, financial institution account number, Magnetic Ink 
Character Recognition Number (MICR), loyalty, rewards, points, 
advantage, club or digital coupon card number, credit or debit/ATM card 
number, address(es)/email address(es), telephone number, zip code, 
military status, military rank, family size, income group, and shopping 
preferences.''

Safeguards:
    Delete entry and replace with ``Access to records is limited to the 
custodian of the records or by persons responsible for servicing the 
records in the performance of their official duties. Records are stored 
in locked cabinets or rooms and controlled by personnel screening. 
Computer terminals are located in supervised areas. Access to 
computerized data is controlled by password or other user 
authentication code systems. All electronic data is transmitted using 
approved, secured methods to ensure the data is protected while in 
transit, such as encryption and through the use of Secure File Transfer 
Protocol (FTP) using Secure Sockets Layer (SSL). Credit/debit card 
numbers are masked. Name, SSN, or DoD ID number is not collected for 
credit card purchases. PINs are automatically encrypted when entered by 
a patron at the point of sale using a touch-screen keyboard. Credit 
card information is also subject to the Data Security Standards (DSS) 
promulgated by the Payment Card Industry (PCI) Security Council.''

Retention and disposal:
    Delete entry and replace with ``Records of commissary retail 
transactions are maintained for 6 years and 3 months. Records of 
demographic

[[Page 31530]]

information, shopper preferences and customer profiles are maintained 
for 3 years. Paper records containing Personally Identifiable 
Information (PII) are shredded to a level where the information cannot 
be reconstructed. Electronic records, including metadata, are 
permanently deleted by Records Managers with administrator privileges 
from applicable information systems upon verification of disposal 
status.''

System manager(s) and address:
    Delete entry and replace with ``Deputy Director/Chief Operating 
Officer, Defense Commissary Agency, 1300 E Avenue, Fort Lee, VA 23801-
1800.''

Notification procedure:
    Delete entry and replace with ``Individuals seeking to determine 
whether information about themselves is contained in this system of 
records should address written inquiries to the Defense Commissary 
Agency, ATTN: Privacy Officer, 1300 E Avenue, Fort Lee, VA 23801-1800.
    Requests should contain individual's name and address, telephone 
number, email address, SSN, DoD ID Number, and DoD ID Bar Code value.''

Record access procedures:
    Delete entry and replace with ``Individuals seeking access to 
information about themselves contained in this system of records should 
address written inquiries the Defense Commissary Agency, ATTN: Privacy 
Officer, 1300 E Avenue, Fort Lee, VA 23801-1800.
    Requests should contain individual's name and address, telephone 
number, email address, SSN, DoD ID Number, and DoD ID Bar Code value.''

Contesting record procedures:
    Delete entry and replace with ``The Defense Commissary Agency rules 
for accessing records, for contesting contents, and for appealing 
initial agency determination can be obtained from the Privacy Act 
Officer, 1300 E. Avenue, Fort Lee, VA 23801-1800.''

Record source categories:
    Delete entry and replace with ``Individual, Defense Enrollment 
Eligibility System (DEERS), US Treasury Over the Counter Network 
(OTCNet), Commissary Advanced Retail Transaction System (CARTS), 
Defense Commissary Agency Enterprise Data Warehouse (EDW)''
* * * * *
[FR Doc. 2013-12414 Filed 5-23-13; 8:45 am]
BILLING CODE 5001-06-P