[Federal Register Volume 81, Number 17 (Wednesday, January 27, 2016)]
[Notices]
[Pages 4736-4738]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-01648]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF STATE

[Public Notice: 9425]


Privacy Act; System of Records: Digital Outreach and 
Communications, State-79

SUMMARY: Notice is hereby given that the Department of State proposes 
to amend an existing system of records, Digital Outreach and 
Communications, State-79, pursuant to the provisions of the Privacy Act 
of 1974, as amended (5 U.S.C. 552a) and Office of Management and Budget 
Circular No. A-130, Appendix I.

DATES: This system of records will be effective on March 7, 2016, 
unless we receive comments that will result in a contrary 
determination.

ADDRESSES: Any persons interested in commenting on the amended system 
of records may do so by writing to the Director; Office of Information 
Programs and Services, A/GIS/IPS; Department of State, SA-2; 515 22nd 
Street NW.; Washington, DC 20522-8100.

FOR FURTHER INFORMATION CONTACT: John Hackett, Director; Office of 
Information Programs and Services, A/GIS/IPS; Department of State, 
SA-2; 515 22nd Street NW.; Washington, DC 20522-8100, or at 
[email protected].

SUPPLEMENTARY INFORMATION: The Department of State proposes that the 
current system retain the name ``Digital Outreach and Communications'' 
(previously published at 78 FR 54946). The purpose of the system is to 
extend outreach, engagement, and collaboration efforts with the public, 
and to facilitate transparency and accountability with regard to 
Department activities; to conduct and administer contests, challenges, 
and other competitions; and to track aggregate activity and analytics 
to determine the effectiveness of email campaigns. The proposed system 
will include modifications to the following sections: System location, 
Categories of individuals, Categories of records, Authority for 
maintenance of the system, Purpose, Routine uses, Retrievability, 
Safeguards, and Notification procedure. The modifications will allow 
the contact information to be stored in a FedRAMP-certified cloud 
provider, and will allow the Department to collect aggregate activity 
and analytics of email campaigns.
    The Department's report was filed with the Office of Management and 
Budget. The amended system description, ``Digital Outreach and 
Communications, State-79,'' will read as set forth below.

Joyce A. Barr,
Assistant Secretary for Administration, U.S. Department of State.
STATE-79

SYSTEM NAME:
    Digital Outreach and Communications.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Department of State domestic locations, posts abroad, and within a 
government cloud, implemented by the State Department as a cloud-based 
software as a service (SaaS) provider.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals who interact with the Department through a social media 
outlet or other electronic means, including by submitting feedback, 
subscribing (RSS), sending email, or requesting more information from 
the Department. Individuals participating in a contest, challenge, or 
other competition.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system may contain information passed through a social media 
site or cloud service provider to facilitate interaction with the 
Department such as, but not limited to the following: Name, username, 
email address, home or work address, contact information, phone 
numbers, date of birth, age, security questions, IP addresses, login 
credentials, topical interests, and educational, business, or volunteer 
affiliation. The system will also contain information on the topics 
about which users wish to receive communications, as well as input and 
feedback from the public, such as comments, emails, videos, and images, 
which may include tags, geotags, or geographical metadata. The system 
may also include information that does not meet the definition of a 
``record'' under the Privacy Act, such as aggregate metrics on user 
click rates, open rates, non-read rates, unsubscribes, and link 
activity.
    In addition to the information listed above, individuals who enter 
a contest, challenge, or other competition may be asked to provide 
certain specific information including financial data, passport and 
visa information, and other information necessary to authenticate 
qualifications for participation or for prize issuance.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Presidential Memorandum to the Heads of Executive Departments and 
Agencies on Transparency and Open Government, January 21, 2009. OMB 
M-10-06, Open Government Directive, December 8, 2009. OMB M-10-23, 
Guidance for Agency Use of Third-Party Web sites and Applications, June 
25, 2010. 5 U.S.C. 301, Management of Executive Agencies. 22 U.S.C. 
2651a, Organization of the Department of State.

[[Page 4737]]

PURPOSE:
    To extend outreach, engagement, and collaboration efforts with the 
public, and to facilitate transparency and accountability with regard 
to Department activities. To conduct and administer contests, 
challenges, and other competitions. To track aggregate activity and 
analytics to determine the effectiveness of email campaigns.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Information in this system may be shared with the news media and 
the public, with the approval of the Chief of Mission or Bureau 
Assistant Secretary who supervises the office responsible for the 
outreach effort, except to the extent that release of the information 
would constitute an unwarranted invasion of personal privacy;
    To Government agencies and the White House for purposes of planning 
and coordinating public engagement activities;
    To a contractor of the Department having need for the information 
in the performance of the contract, but not operating a system of 
records within the meaning of 5 U.S.C. 552a(m);
    And to Federal, state, and city governments which are issued tax 
reports, the Internal Revenue Service and the Social Security 
Administration which are sent tax and withholding data.
    The Department of State periodically publishes in the Federal 
Register its standard routine uses which apply to all of its Privacy 
Act systems of records. These notices appear in the form of a Prefatory 
Statement. These standard routine uses apply to Digital Outreach and 
Communications, State-79.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    None.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Electronic media.

RETRIEVABILITY:
    Username; email; name.

SAFEGUARDS:
    All users are given cyber security awareness training which covers 
the procedures for handling Sensitive But Unclassified (SBU) 
information, including personally identifiable information (PII). 
Annual refresher training is mandatory. In addition, all Foreign 
Service and Civil Service employees and those Locally Engaged Staff who 
handle PII are required to take the Foreign Service Institute distance 
learning course, PA 459, instructing employees on privacy and security 
requirements, including the rules of behavior for handling PII and the 
potential consequences if it is handled improperly.
    Access to the Department of State, its annexes and posts abroad is 
controlled by security guards and admission is limited to those 
individuals possessing a valid identification card or individuals under 
proper escort. All paper records containing personal information are 
maintained in secured file cabinets in restricted areas, access to 
which is limited to authorized personnel only. Access to computerized 
files is password-protected and under the direct supervision of the 
system manager. The system manager has the capability of printing audit 
trails of access from the computer media, thereby permitting regular 
and ad hoc monitoring of computer usage. When it is determined that a 
user no longer needs access, the user account is disabled.
    Before being granted access to Protocol Records, a user must first 
be granted access to the Department of State computer system. Remote 
access to the Department of State network from non-Department owned 
systems is authorized only to unclassified systems and only through a 
Department approved access program. Remote access to the network is 
configured with the Office of Management and Budget Memorandum M-07-16 
security requirements which include but are not limited to two-factor 
authentication and time out function. All Department of State employees 
and contractors with authorized access have undergone a thorough 
background security investigation.
    The safeguards in the following paragraphs apply only to records 
that are maintained in cloud systems. All cloud systems that provide IT 
services and process Department of State information must be: (1) 
Provisionally authorized to operate by the Federal Risk and 
Authorization Management Program (FedRAMP), and (2) specifically 
authorized by the Department of State Authorizing Official and Senior 
Agency Official for Privacy. Only information that conforms with 
Department-specific definitions for Federal Information Security 
Management Act (FISMA) low or moderate categorization is permissible 
for cloud usage. Specific security measures and safeguards will depend 
on the FISMA categorization of the information in a given cloud system. 
In accordance with Department policy, systems that process more 
sensitive information will require more stringent controls and review 
by Department cybersecurity experts prior to approval. Prior to 
operation, all Cloud systems must comply with applicable security 
measures that are outlined in FISMA, FedRAMP, OMB regulations, NIST 
Federal Information Processing Standards (FIPS) and Special Publication 
(SP), and Department of State policy and standards.
    All data stored in cloud environments categorized above a low FISMA 
impact risk level must be encrypted at rest and in transit using a 
federally approved encryption mechanism. The encryption keys shall be 
generated, maintained, and controlled in a Department data center by 
the Department key management authority. Deviations from these 
encryption requirements must be approved in writing by the Authorizing 
Official.

RETENTION AND DISPOSAL:
    Records are retired and destroyed in accordance with published 
Department of State Records Disposition Schedules as approved by the 
National Archives and Records Administration (NARA). More specific 
information may be obtained by writing to the Director; Office of 
Information Programs and Services, A/GIS/IPS; SA-2, Department of 
State; 515 22nd Street NW.; Washington, DC 20522-8100.

SYSTEM MANAGER(S) AND ADDRESS:
    The Under Secretary for Public Diplomacy and Public Affairs; 
Department of State; 2201 C Street NW.; Washington, DC 20520.

NOTIFICATION PROCEDURE:
    Individuals who have cause to believe that the Department may have 
outreach records pertaining to them should write to the Director; 
Office of Information Programs and Services, A/GIS/IPS; SA-2, 
Department of State; 515 22nd Street NW.; Washington, DC 20522-8100. 
The individual must specify that he or she wishes the outreach records 
of the Department to be checked. At a minimum, the individual must 
include the following: Name; email address; current mailing address and 
zip code; signature; and other information helpful in identifying the 
record.

RECORD ACCESS PROCEDURES:
    Individuals who wish to gain access to or amend records pertaining 
to themselves should write to the Director; Office of Information 
Programs and Services (address above).

[[Page 4738]]

CONTESTING RECORD PROCEDURES:
    Individuals who wish to contest records pertaining to themselves 
should write to the Director; Office of Information Programs and 
Services (address above).

RECORD SOURCE CATEGORIES:
    These records contain information obtained directly from 
individuals who interact with the Department of State through social 
media sites or who communicate electronically with the Department in 
response to public outreach.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. 2016-01648 Filed 1-26-16; 8:45 am]
BILLING CODE 4710-45-P