[Federal Register Volume 84, Number 74 (Wednesday, April 17, 2019)]
[Notices]
[Pages 16138-16141]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-07648]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY: Office of Inspector General, Department of Veterans Affairs
(VA).
ACTION: Notice of modified system of records.
-----------------------------------------------------------------------
SUMMARY: As required by the Privacy Act of 1974, notice is hereby given
that the Department of Veterans Affairs (VA) is amending the system of
records known as ``The Office of Inspector General Management
Information System (MIS)--VA'' (71VA53), by amending the Routine Uses
and Policies and Practices for Storing, Retrieving, Accessing,
Retaining, and Disposing of Records within the System.
DATES: Comments on this modified system of records must be received no
later than 30 days after date of publication in the Federal Register.
If no public comment is received during the period allowed for comment
or unless otherwise published in the Federal Register by VA, the
modified system of records will become effective a minimum of 30 days
after date of publication in the Federal Register. If VA receives
public comments, VA shall review the comments to determine whether any
changes to the notice are necessary.
ADDRESSES: Written comments may be submitted through
www.Regulations.gov; by mail or hand-delivery to Director, Regulation
Policy and Management (00REG), Department of Veterans Affairs, 810
Vermont Ave. NW, Room 1064, Washington, DC 20420; or by fax to (202)
273-9026 (not a toll-free number). Comments should indicate that they
are submitted in response to ``The Office of Inspector General
Management Information System (MIS)--VA'' (71VA53). Copies of comments
received will be available for public inspection in the Office of
Regulation Policy and Management, Room 1063B, between the hours of 8:00
a.m. and 4:30 p.m., Monday through Friday (except holidays). Please
call (202) 461-4902 for an appointment. (This is not a toll-free
number.) In addition, comments may be viewed online at
www.Regulations.gov.
[[Page 16139]]
FOR FURTHER INFORMATION CONTACT: Christopher Connor, Chief, Information
Release Office (50CI), Office of Inspector General, Department of
Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420, 202-461-
4269; or fax comments to (202) 495-5859. Amy L. Rose, VA Privacy
Service, Office of Information Security (OIS), Office of Information
and Technology (OIT), Department of Veterans Affairs, 810 Vermont
Avenue NW, Washington, DC 20420, (202) 632-7497.
SUPPLEMENTARY INFORMATION: This publication is in accordance with the
Privacy Act requirement that agencies publish their amended system of
records in the Federal Register when there is revision, change, or
addition. The VA Office of Inspector General (OIG) has reviewed its
system of records notices and has determined its record system, ``The
Office of Inspector General Management Information System (MIS)--VA''
(71VA53), should be amended to reflect evolving technology and
procedures, to conform to current practice, and to reflect current
authorities. The storage practices section will now reflect that data
is stored in VA OIG's new Enterprise Management System (EMS) database
in addition to the legacy Master Case Index (MCI) database. The Routine
Uses are amended to conform to changes recommended by OMB.
The Senior Agency Official for Privacy, or designee, approved this
document and authorized the undersigned to sign and submit the document
to the Office of the Federal Register for publication electronically as
an official document of the Department of Veterans Affairs.
Andr[eacute] Horton, Deputy Chief Information Security Officer,
Department of Veterans Affairs approved this document on January 8,
2019 for publication.
Dated: April 12, 2019.
Amy L. Rose,
Program Analyst, VA Privacy Service, Department of Veterans Affairs.
71VA53
SYSTEM NAME:
The Office of Inspector General Management Information System
(MIS)--VA (71VA53).
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
Department of Veterans Affairs (VA), Office of Inspector General
(OIG), Office of Assistant Inspector General for Management and
Administration (53), 810 Vermont Avenue NW, Washington, DC 20420.
SYSTEM MANAGER:
Assistant Inspector General for Management and Administration (53),
Department of Veterans Affairs, Office of Inspector General, 810
Vermont Avenue NW, Washington, DC 20420, (202) 461-4760,
[email protected].
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Inspector General Act of 1978, Public Law (Pub L.) 95-452, 5 U.S.C.
App., as amended through Public Law 115-254 (IG Act).
PURPOSE(S) OF THE SYSTEM:
The purpose of this system of records is to compile records and
information about individual OIG employees for various management and
human resources objectives. Case tracking data is used to measure
employee productivity. Employee contact information is maintained to
allow employees to be contacted in emergency situations and includes
third-party information provided by the employee as an alternate
emergency contact. Training records are used to make certain the
employees complete required training assignments and to maintain a
record of each employee's training activities for career development
and continuing professional education requirements.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The following category of individuals will be covered by the
system: All personnel assigned to VA Office of Inspector General (OIG)
and any third-party identified by those employees as an emergency
contact.
CATEGORIES OF RECORDS IN THE SYSTEM:
The Management Information System contains the following categories
of records: Time and Attendance, Phone Directory, Awards, Training,
Travel, and Personnel (which may include personnel suitability records
and preemployment inquiry records). Records (or information contained
in records) may include: (1) Individual's and designated third-party's
emergency contact name, address and telephone contact information; (2)
social security number; (3) date of birth; (4) service computation
date; (5) career status; (6) assigned station; (7) job series; (8)
education; (9) grade; (10) type of case; (11) work assignments; (12)
travel; (13) experience; (14) training; and (15) audit, hotline, health
care inspections and investigation case tracking data (e.g., case
number, budgeted and actual staff days, target and completion dates,
findings and results). Personnel suitability records may contain
investigative information about an individual's character, conduct and
behavior in the community where he or she lives or lived; arrests and
convictions for violations of law; reports of interviews with the
subject and with present and former supervisors; coworkers, associates,
neighbors, educators, etc., reports about the qualifications of an
individual for a specific position and correspondence relating to
adjudication matters; reports of inquiries with law enforcement
agencies, employers, educational institutions attended, and credit
reporting agencies; reports of action after Office of Personnel
Management (OPM) or Federal Bureau of Investigation (FBI) full field
investigations: And other information developed from the above.
Pre-Employment Inquiry Records:
These records may contain information relating to an applicant's
qualifications for employment in terms of character, reputation, and
fitness; including letters of reference, responses to preemployment
inquiries, qualifications and character information; reports of
inquiries with law enforcement agencies, employers, educational
institutions attended, and credit reporting agencies; and other
information which may relate to the specific selection factors
associated with the position sought.
RECORD SOURCE CATEGORIES:
Individual employees, supervisors, official personnel folder, other
personnel documents, individual applications, and forms.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
1. Congress: VA may disclose information from the record of an
individual in response to an inquiry from the congressional office made
at the request of that individual.
VA must be able to provide information about individuals to
adequately respond to inquiries from Members of Congress at the request
of constituents who have sought their assistance.
2. Data breach response and remedial efforts: VA may, on its own
initiative, disclose information from this system to appropriate
agencies, entities, and persons when (1) VA suspects or has confirmed
that the integrity or confidentiality of information in the system of
records has been compromised; (2) the Department has
[[Page 16140]]
determined that as a result of the suspected or confirmed compromise
there is a risk of embarrassment or harm to the reputations of the
record subjects, harm to economic or property interests, identity theft
or fraud, or harm to the security, confidentiality, or integrity of
this system or other systems or programs (whether maintained by the
Department or another agency or entity) that rely upon the potentially
compromised information; and (3) the disclosure is to agencies,
entities, or persons whom VA determines are reasonably necessary to
assist or carry out the Department's efforts to respond to the
suspected or confirmed compromise and prevent, minimize, or remedy such
harm.
This routine use permits disclosures by the Department to respond
to a suspected or confirmed data breach, including the conduct of any
risk analysis or provision of credit protection services as provided in
38 U.S.C. 5724.
a. Effective Response. A federal agency's ability to respond
quickly and effectively in the event of a breach of federal data is
critical to its efforts to prevent or minimize any consequent harm. An
effective response necessitates disclosure of information regarding the
breach to those individuals affected by it, as well as to persons and
entities in a position to cooperate, either by assisting in
notification to affected individuals or playing a role in preventing or
minimizing harms from the breach.
b. Disclosure of Information. Often, the information to be
disclosed to such persons and entities is maintained by federal
agencies and is subject to the Privacy Act (5 U.S.C. 552a). The Privacy
Act prohibits the disclosure of any record in a system of records by
any means of communication to any person or agency absent the written
consent of the subject individual, unless the disclosure falls within
one of twelve statutory exceptions. In order to ensure an agency is in
the best position to respond in a timely and effective manner, in
accordance with 5 U.S.C. 552a(b)(3) of the Privacy Act, agencies should
publish a routine use for appropriate systems specifically applying to
the disclosure of information in connection with response and remedial
efforts in the event of a data breach.
c. Data breach response and remedial efforts with another Federal
agency: VA may disclose information from this system to another Federal
agency or Federal entity, when VA determines that information from this
system of records is reasonably necessary to assist the recipient
agency or entity in (1) responding to a suspected or confirmed breach
or (2) preventing, minimizing, or remedying the risk of harm to
individuals, the recipient agency or entity (including its information
systems, programs, and operations), the Federal Government, or national
security, resulting from a suspected or confirmed breach.
3. Law Enforcement: VA may, on its own initiative, disclose
information in this system, except the names and home addresses of
veterans and their dependents, which is relevant to a suspected or
reasonably imminent violation of law, whether civil, criminal or
regulatory in nature and whether arising by general or program statute
or by regulation, rule or order issued pursuant thereto, to a federal,
state, local, tribal, or foreign agency charged with the responsibility
of investigating or prosecuting such violation, or charged with
enforcing or implementing the statute, regulation, rule or order. On
its own initiative, VA may also disclose the names and addresses of
veterans and their dependents to a federal agency charged with the
responsibility of investigating or prosecuting civil, criminal or
regulatory violations of law, or charged with enforcing or implementing
the statute, regulation, rule or order issued pursuant thereto.
VA must be able to provide on its own initiative information that
pertains to a violation of laws to law enforcement authorities in order
for them to investigate and enforce those laws. Under 38 U.S.C. 5701(a)
and (f), VA may disclose the names and addresses of veterans and their
dependents to federal entities with law enforcement responsibilities.
This is distinct from the authority to disclose records in response to
a qualifying request from a law enforcement entity, as authorized by
Privacy Act subsection 5 U.S.C. 552a(b)(7).
4. Litigation: VA may disclose information from this system of
records to the Department of Justice (DoJ), either on VA's initiative
or in response to DoJ's request for the information, after either VA or
DoJ determines that such information is relevant to DoJ's
representation of the United States or any of its components in legal
proceedings before a court or adjudicative body, provided that, in each
case, the agency also determines prior to disclosure that release of
the records to the DoJ is a use of the information contained in the
records that is compatible with the purpose for which VA collected the
records. VA, on its own initiative, may disclose records in this system
of records in legal proceedings before a court or administrative body
after determining that the disclosure of the records to the court or
administrative body is a use of the information contained in the
records that is compatible with the purpose for which VA collected the
records.
To determine whether to disclose records under this routine use, VA
will comply with the guidance promulgated by the Office of Management
and Budget in a May 24, 1985, memorandum entitled ``Privacy Act
Guidance--Update,'' currently posted at http://www.whitehouse.gov/omb/inforeg/guidance1985.pdf.
VA must be able to provide information to DoJ in litigation where
the United States or any of its components is involved or has an
interest. A determination would be made in each instance that under the
circumstances involved, the purpose is compatible with the purpose for
which VA collected the information. This routine use is distinct from
the authority to disclose records in response to a court order under
subsection (b)(11) of the Privacy Act, 5 U.S.C. 552(b)(11), or any
other provision of subsection (b), in accordance with the court's
analysis in Doe v. DiGenova, 779 F.2d 74, 78-85 (DC Cir. 1985) and Doe
v. Stephens, 851 F.2d 1457, 1465-67 (DC Cir. 1988).
5. Contractors: VA may disclose information from this system of
records to individuals, organizations, private or public agencies, or
other entities or individuals with whom VA has a contract or agreement
to perform such services as VA may deem practicable for the purposes of
laws administered by VA, in order for the contractor, subcontractor,
public or private agency, or other entity or individual with whom VA
has a contract or agreement to perform services under the contract or
agreement.
This routine use includes disclosures by an individual or entity
performing services for VA to any secondary entity or individual to
perform an activity that is necessary for individuals, organizations,
private or public agencies, or other entities or individuals with whom
VA has a contract or agreement to provide the service to VA.
This routine use, which also applies to agreements that do not
qualify as contracts defined by federal procurement laws and
regulations, is consistent with OMB guidance in OMB Circular A-130,
App. I, paragraph 5a(1)(b) that agencies promulgate routine uses to
address disclosure of Privacy Act-protected information to contractors
in order to perform the services contracts for the agency.
[[Page 16141]]
6. Equal Employment Opportunity Commission (EEOC): VA may disclose
information from this system to the EEOC when requested in connection
with investigations of alleged or possible discriminatory practices,
examination of federal affirmative employment programs, or other
functions of the Commission as authorized by law or regulation.
VA must be able to provide information to EEOC to assist it in
fulfilling its duties to protect employees' rights, as required by
statute and regulation.
7. Federal Labor Relations Authority (FLRA): VA may disclose
information from this system to the FLRA, including its General
Counsel, information related to the establishment of jurisdiction,
investigation, and resolution of allegations of unfair labor practices,
or in connection with the resolution of exceptions to arbitration
awards when a question of material fact is raised; for it to address
matters properly before the Federal Services Impasses Panel,
investigate representation petitions, and conduct or supervise
representation elections.
VA must be able to provide information to FLRA to comply with the
statutory mandate under which it operates.
8. Merit Systems Protection Board (MSPB): VA may disclose
information from this system to the MSPB, or the Office of the Special
Counsel, when requested in connection with appeals, special studies of
the civil service and other merit systems, review of rules and
regulations, investigation of alleged or possible prohibited personnel
practices, and such other functions promulgated in 5 U.S.C. 1205 and
1206, or as authorized by law.
VA must be able to provide information to MSPB to assist it in
fulfilling its duties as required by statute and regulation.
9. National Archives and Records Administration (NARA) and General
Services Administration (GSA): VA may disclose information from this
system to NARA and GSA in records management inspections conducted
under title 44, U.S.C.
NARA is responsible for archiving old records which are no longer
actively used but may be appropriate for preservation, and for the
physical maintenance of the federal government's records. VA must be
able to provide the records to NARA in order to determine the proper
disposition of such records.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records and information are stored electronically in the VA OIG's
new Enterprise Management System (EMS) and legacy Master Case Index
(MCI) databases and servers at the OIG's office at 801 I Street NW,
Washington, DC, in the office of the Information Technology Division.
Backup records are stored on magnetic disc, tape, and CD-ROM and may
also be retained in hard copy format in secure file folders.
Information can be retrieved based on computer searches of various data
elements, including, but not limited to, MCI or EMS case numbers,
transaction numbers, key words, and names of individual OIG employees.
Electronic data is maintained indefinitely as described above. Policy
for the disposal of records as well as a retention schedule is being
developed by the OIG's Office of Management and Administration,
Information on awards and travel is maintained so that OIG managers
have readily available relevant information about their employees in
these areas.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records are retrieved by Social Security Number, case number, work
assignment, or name.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Information in the system is protected from unauthorized access
through administrative, physical, and technical safeguards. Categories
of records are restricted to those with an official need to know the
information. Only VA OIG supervisors, for example, can access the
Awards data, and only for employees within their supervisory chain.
Access to data is also limited by means of features such as ``read-only
access,'' i.e., where the person with access can read but not enter or
change the information in the system. Safeguards also include password
protection features and cipher locks securing the physical area. Some
information in the system is restricted to employees of the Human
Resources Management Division.
RECORD ACCESS PROCEDURES:
An individual who seeks access to or wishes to contest records
maintained under his or her name in this system must submit a written
request to the Chief, Information Release Office (50CI). However, a
majority of records in this system are exempt from the records access
and contesting requirements under 5 U.S.C. 552a (j) and (k). To the
extent that records in this system of records are not subject to
exemption, they are subject to access and contest. A determination as
to whether an exemption applies shall be made at the time a request for
access or contest is received.
CONTESTING RECORD PROCEDURES:
(See records access procedures above.)
NOTIFICATION PROCEDURES:
An individual who wishes to determine whether a record is being
maintained under his or her name in this system must furnish a written
request to the Chief, Information Release Office (50CI), Department of
Veteran Affairs, Office of Inspector General, 810 Vermont Avenue NW,
Washington, DC 20420.
HISTORY:
[See the last full Federal Register notice, 73 FR 56633, Sep. 29,
2008].
[FR Doc. 2019-07648 Filed 4-16-19; 8:45 am]
BILLING CODE P