[Federal Register Volume 83, Number 139 (Thursday, July 19, 2018)]
[Notices]
[Pages 34123-34126]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-15392]


=======================================================================
-----------------------------------------------------------------------

COMMODITY FUTURES TRADING COMMISSION


Privacy Act of 1974; System of Records

AGENCY: Commodity Futures Trading Commission.

ACTION: Notice of Two Modified Systems of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the Commodity Futures Trading Commission (CFTC or 
Commission) is republishing two existing System of Record Notices 
(SORNs): CFTC-39, Freedom of Information Act Requests and CFTC-40, 
Privacy Act Requests. The modification will add three routine uses, 
clarify existing routine uses, and bring the SORNs in compliance with 
the Office of Management and Budget (OMB) Circular A-108 SORN template. 
Two of the new routine uses pertain to sharing information to mitigate 
a breach and are required by OMB Memorandum 17-12. The third new 
routine use is requested by the Office of Government Information 
Services (OGIS) to allow disclosure of personally identifiable 
information to OGIS for Freedom of Information Act (FOIA) dispute 
resolution and compliance review purposes. Other updates include 
identifying the specific routine uses applicable to each of the systems 
of records rather than relying on CFTC's previously published blanket 
routine uses, and administrative updates to comply with the OMB 
Circular A-108 SORN template format.

DATES: Comments must be received on or before August 20, 2018. This 
action takes effect without further notice on August 20, 2018, unless 
revised pursuant to comments received.

ADDRESSES: You may submit comments identified as pertaining to 
``Freedom of Information Act Requests'' or ``Privacy Act Requests'' by 
any of the following methods:
     Agency website, via its Comments Online process: https://comments.cftc.gov. Follow the instructions for submitting comments 
through the website.
     Mail: Christopher J. Kirkpatrick, Secretary of the 
Commission, Commodity Futures Trading Commission, Three Lafayette 
Centre, 1155 21st Street NW, Washington, DC 20581.
     Hand Delivery/Courier: Same as Mail, above.

Please submit your comments using only one method.
    All comments must be submitted in English, or if not, accompanied 
by an English translation. Comments will be posted as received to 
http://www.cftc.gov. You should submit only information that you wish 
to make available publicly. If you wish the Commission to consider 
information that you believe is exempt from disclosure under the 
Freedom of Information Act (FOIA), a petition for confidential 
treatment of the exempt information may be submitted according to the 
procedures established in Sec.  145.9 of the Commission's regulations, 
17 CFR 145.9.
    The Commission reserves the right, but shall have no obligation, to 
review, pre-screen, filter, redact, refuse, or remove any or all of a 
submission from http://www.cftc.gov that it may deem to be 
inappropriate for publication, such as obscene language. All 
submissions that have been redacted or removed that contain comments on 
the merits of the notice will be retained in the comment file and will 
be considered as required under all applicable laws, and may be 
accessible under the FOIA.

FOR FURTHER INFORMATION CONTACT: Chief Privacy Officer, 
[email protected], Office of the Executive Director, Commodity Futures 
Trading Commission, Three Lafayette Centre, 1155 21st Street NW, 
Washington, DC 20581.

SUPPLEMENTARY INFORMATION:

I. The Privacy Act

    Under the Privacy Act of 1974, 5 U.S.C. 552a, a ``system of 
records'' is defined as any group of records under the control of a 
Federal government agency from which information about individuals is 
retrieved by name or by some identifying number, symbol, or other 
identifying particular assigned to the individual. The Privacy Act 
establishes the means by which government agencies must collect, 
maintain, and use information about an individual in a government 
system of records.
    Each government agency is required to publish a notice in the 
Federal Register in which the agency identifies and describes each 
system of records it maintains, the reasons why the agency uses the 
information therein, the routine uses for which the agency will 
disclose such information outside the agency, and how individuals may 
exercise their rights under the Privacy Act.
    In accordance with 5 U.S.C. 552a(r), CFTC has provided reports of 
these systems of records to the Office of Management and Budget (OMB) 
and to Congress.

II. Background

    The Commodity Futures Trading Commission (CFTC or Commission) is 
republishing two existing SORNs: CFTC-39, Freedom of Information Act 
Requests and CFTC-40, Privacy Act Requests. The SORNs are being 
republished to add three routine uses, clarify existing routine uses, 
and bring the SORN in compliance with OMB Circular A-108 SORN template. 
The records covered under the Freedom of Information Act Requests SORN 
are collected and maintained to process requests made under the 
provisions of the FOIA, and to assist the CFTC in carrying out any 
other responsibilities relating to the FOIA. The records covered under 
the Privacy Act Requests SORN are collected and maintained to process 
requests made under the provisions of the Privacy Act, and to assist 
the CFTC in carrying out any other responsibilities relating to the 
Privacy Act. Two routine uses are being added to both SORNs to permit 
sharing with other Federal agencies or Federal entities as required by 
OMB Memorandum 17-12, ``Preparing for and Responding to a Breach of 
Personally Identifiable Information.'' These routine uses will assist 
the CFTC and/or other Federal agencies or entities in responding to a 
suspected or confirmed breach and/or prevent, minimize, or remedy the 
risk of harm to the requesters, the CFTC, the Federal government, or 
national security. A third routine use is being added to both SORNs to 
permit sharing with the National Archives and Records Administration 
(NARA), Office of Government Information Services (OGIS) so OGIS can 
review administrative policies, procedures, and compliance, and to 
facilitate resolutions to disputes between persons making FOIA requests 
and the CFTC. Additional updates to both SORNs include clarifying the 
specific routine uses applicable to each system of records, and 
administrative updates including section name and organization updates 
to comply with the OMB Circular A-108 SORN template format.

[[Page 34124]]

III. Notice: Freedom of Information Act Requests, CFTC-39.

SYSTEM NAME AND NUMBER
    Freedom of Information Act Requests, CFTC-39.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    This system is located at the Commodity Futures Trading Commission, 
Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581. 
Other offices involved in the processing of requests may also maintain 
copies of the requests and any related internal administrative records.

SYSTEM MANAGER(S):
    General Counsel, Commodity Futures Trading Commission, Three 
Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The collection of this information is authorized under the Freedom 
of Information Act, 5 U.S.C. 552, 5 U.S.C. 301.

PURPOSE(S) OF THE SYSTEM:
    The information in this system is being collected to enable the 
CFTC to carry out its responsibilities under the FOIA. These 
responsibilities include enabling CFTC staff to receive, track, and 
respond to FOIA requests. This requires maintaining documentation 
gathered during the consideration and disposition process and 
administering annual reporting requirements.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals requesting information from the Commission pursuant to 
provisions of FOIA, 5 U.S.C. 552, and individuals who are the subjects 
of FOIA requests.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system of records includes information that may contain: 
requests, responsive documents, internal memoranda, electronic mail, 
response letters, appeals of denials, appeal determinations, electronic 
tracking data, fee schedules, cost calculations, and assessed cost for 
disclosed FOIA records.

RECORD SOURCE CATEGORIES:
    Individuals requesting information from the Commission pursuant to 
the FOIA and CFTC staff processing the requests.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    These records and information in these records may be used:
    (a) To disclose information to the National Archives and Records 
Administration, Office of Government Information Services (OGIS), to 
the extent necessary to fulfill its responsibilities in 5 U.S.C. 
552(h), to review administrative agency policies, procedures, and 
compliance with the Freedom of Information Act, and to facilitate OGIS' 
offering of mediation services to resolve disputes between persons 
making FOIA requests and administrative agencies;
    (b) To disclose in any administrative proceeding before the 
Commission, in any injunctive action authorized under the Commodity 
Exchange Act, or in any other action or proceeding in which the 
Commission or its staff participates as a party or the Commission 
participates as amicus curiae;
    (c) To disclose to Federal, State, local, territorial, Tribal, or 
foreign agencies for use in meeting their statutory or regulatory 
requirements;
    (d) To disclose to contractors, grantees, volunteers, experts, 
students, and others performing or working on a contract, service, 
grant, cooperative agreement, or job for the Federal government when 
necessary to accomplish an agency function;
    (e) To disclose to Congress upon its request, acting within the 
scope of its jurisdiction, pursuant to the Commodity Exchange Act, 7 
U.S.C. 1 et seq., and the rules and regulations promulgated thereunder;
    (f) To disclose to appropriate agencies, entities, and persons when 
(1) the Commission suspects or has confirmed that there has been a 
breach of the system of records; (2) the Commission has determined that 
as a result of the suspected or confirmed breach there is a risk of 
harm to individuals, the Commission (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with the 
Commission's efforts to respond to the suspected or confirmed breach or 
to prevent, minimize, or remedy such harm; or
    (g) To disclose to another Federal agency or Federal entity, when 
the Commission determines that information from this system of records 
is reasonably necessary to assist the recipient agency or entity in (1) 
responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the recipient 
agency or entity (including its information systems, programs, and 
operations), the Federal Government, or national security, resulting 
from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The FOIA system of records stores records in this system 
electronically. The records are stored on the Commission's secure 
network and secure back-up media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information covered by this system of records notice may be 
retrieved by assigned control number, name of requester, or by subject 
of request.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records for this system will be maintained in accordance with 
General Records Schedule 4.2 of the National Archives and Records 
Administration. All approved schedules are available at http://www.cftc.gov.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records are protected from unauthorized access and improper use 
through administrative, technical, and physical security measures. 
Administrative safeguards include written guidelines on handling FOIA 
information including agency-wide procedures for safeguarding 
personally identifiable information. In addition, all CFTC staff are 
required to take annual privacy and security training. Technical 
security measures within CFTC include restrictions on computer access 
to authorized individuals who have a legitimate need to know the 
information; required use of strong passwords that are frequently 
changed; multi-factor authentication for remote access and access to 
many CFTC network components; use of encryption for certain data types 
and transfers; firewalls and intrusion detection applications; and 
regular review of security procedures and best practices to enhance 
security. Physical safeguards include restrictions on building access 
to authorized individuals, 24-hour security guard service, and 
maintenance of records in lockable offices and filing cabinets.

RECORD ACCESS PROCEDURES:
    Individuals seeking to determine whether this system of records 
contains information about themselves or seeking access to records 
about themselves in

[[Page 34125]]

this system of records should address written inquiries to the Office 
of General Counsel, Commodity Futures Trading Commission, Three 
Lafayette Centre, 1155 21st Street NW, Washington, DC 20581. See 17 CFR 
146.3 for full details on what to include in a Privacy Act access 
request.

CONTESTING RECORD PROCEDURES:
    Individuals contesting the content of records about themselves 
contained in this system of records should address written inquiries to 
the Office of General Counsel, Commodity Futures Trading Commission, 
Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581. See 
17 CFR 146.8 for full details on what to include in a Privacy Act 
amendment request.

NOTIFICATION PROCEDURES:
    Individuals seeking notification of any records about themselves 
contained in this system of records should address written inquiries to 
the Office of General Counsel, Commodity Futures Trading Commission, 
Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581. See 
17 CFR 146.3 for full details on what to include in a Privacy Act 
notification request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    A previous version of this SORN was published in the Federal 
Register on February 02, 2011 at 76 FR 5973.
    IV. Notice: Privacy Act Requests, CFTC-40.
SYSTEM NAME AND NUMBER
    Privacy Act Requests, CFTC-40.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    This system is located at the Commodity Futures Trading Commission, 
Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581. 
Other offices involved in the processing of requests may also maintain 
copies of the requests and any related internal administrative records.

SYSTEM MANAGER(S):
    General Counsel, Commodity Futures Trading Commission, Three 
Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The collection of this information is authorized under the Privacy 
Act, 5 U.S.C. 552a, 5 U.S.C. 301.

PURPOSE(S) OF THE SYSTEM:
    The information in this system is being collected to enable the 
CFTC to carry out its responsibilities under the Privacy Act. These 
responsibilities include enabling CFTC staff to receive, track, and 
respond to Privacy Act requests.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals filing requests for access to, correction of, or an 
accounting of disclosures of personal information contained in systems 
of records maintained by the Commission, pursuant to the Privacy Act of 
1974. 5 U.S.C. 552a.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Requests, responsive documents, internal memoranda, response 
letters, appeals of denials, appeal determinations, and electronic 
tracking data.

RECORD SOURCE CATEGORIES:
    Individuals requesting information from the Commission pursuant to 
the Privacy Act and CFTC staff processing the requests.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    These records and information in these records may be used:
    (a) To disclose information to the National Archives and Records 
Administration, Office of Government Information Services (OGIS), to 
the extent necessary to fulfill its responsibilities in 5 U.S.C. 
552(h), to review administrative agency policies, procedures, and 
compliance with the Freedom of Information Act, and to facilitate OGIS' 
offering of mediation services to resolve disputes between persons 
making FOIA requests and administrative agencies;
    (b) To disclose in any administrative proceeding before the 
Commission, in any injunctive action authorized under the Commodity 
Exchange Act, or in any other action or proceeding in which the 
Commission or its staff participates as a party or the Commission 
participates as amicus curiae;
    (c) To disclose to Federal, State, local, territorial, Tribal, or 
foreign agencies for use in meeting their statutory or regulatory 
requirements;
    (d) To disclose to anyone during the course of a Commission 
investigation if Commission staff has reason to believe that the person 
to whom it is disclosed may have further information about matters 
relevant to the subject of the investigation;
    (e) To disclose to contractors, grantees, volunteers, experts, 
students, and others performing or working on a contract, service, 
grant, cooperative agreement, or job for the Federal government when 
necessary to accomplish an agency function;
    (f) To disclose to Congress upon its request, acting within the 
scope of its jurisdiction, pursuant to the Commodity Exchange Act, 7 
U.S.C. 1 et seq., and the rules and regulations promulgated thereunder;
    (g) To disclose to appropriate agencies, entities, and persons when 
(1) the Commission suspects or has confirmed that there has been a 
breach of the system of records; (2) the Commission has determined that 
as a result of the suspected or confirmed breach there is a risk of 
harm to individuals, the Commission (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with the 
Commission's efforts to respond to the suspected or confirmed breach or 
to prevent, minimize, or remedy such harm; or
    (h) To disclose to another Federal agency or Federal entity, when 
the Commission determines that information from this system of records 
is reasonably necessary to assist the recipient agency or entity in (1) 
responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the recipient 
agency or entity (including its information systems, programs, and 
operations), the Federal Government, or national security, resulting 
from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The Privacy Act Requests system of records stores records in this 
system electronically. The records are stored on the Commission's 
secure network, and on secure back-up media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information covered by this system of records notice may be 
retrieved by assigned control number, name of requester, or by subject 
of request.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records for this system will be maintained in accordance with 
General Records Schedule 4.2 of the National Archives and Records 
Administration. All approved schedules are available at http://www.cftc.gov.

[[Page 34126]]

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records are protected from unauthorized access and improper use 
through administrative, technical, and physical security measures. 
Administrative safeguards include agency-wide training and procedures 
for safeguarding personally identifiable information. Technical 
security measures within CFTC include restrictions on computer access 
to authorized individuals who have a legitimate need to know the 
information; required use of strong passwords that are frequently 
changed; multi-factor authentication for remote access and access to 
many CFTC network components; use of encryption for certain data types 
and transfers; firewalls and intrusion detection applications; and 
regular review of security procedures and best practices to enhance 
security. Physical safeguards include restrictions on building access 
to authorized individuals, 24-hour security guard service, and 
maintenance of records in lockable offices and filing cabinets.

RECORD ACCESS PROCEDURES:
    Individuals seeking to determine whether this system of records 
contains information about themselves or seeking access to records 
about themselves in this system of records should address written 
inquiries to the Office of General Counsel, Commodity Futures Trading 
Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 
20581. See 17 CFR 146.3 for full details on what to include in Privacy 
Act access request.

CONTESTING RECORD PROCEDURES:
    Individuals contesting the content of records about themselves 
contained in this system of records should address written inquiries to 
the Office of General Counsel, Commodity Futures Trading Commission, 
Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581. See 
17 CFR 146.8 for full details on what to include in a Privacy Act 
amendment request.

NOTIFICATION PROCEDURES:
    Individuals seeking notification of any records about themselves 
contained in this system of records should address written inquiries to 
the Office of General Counsel, Commodity Futures Trading Commission, 
Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581. See 
17 CFR 146.3 for full details on what to include in a Privacy Act 
notification request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    A previous version of this SORN was published in the Federal 
Register on February 02, 2011 at 76 FR 5973.

    Issued in Washington, DC, on July 13, 2018, by the Commission.
Robert Sidman,
Deputy Secretary of the Commission.
[FR Doc. 2018-15392 Filed 7-18-18; 8:45 am]
 BILLING CODE 6351-01-P