[Federal Register Volume 85, Number 46 (Monday, March 9, 2020)]
[Notices]
[Pages 13708-13711]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-04669]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY


Privacy Act of 1974; System of Records

AGENCY: Departmental Offices, Department of the Treasury.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, the Department of 
the Treasury (``Treasury'' or the ``Department''), Departmental Offices 
proposes to modify a current Treasury system of records titled, 
``Department of the Treasury/Departmental Offices--.216 Treasury 
Security Access Control and Certificates Systems System of Records.''

DATES: Submit comments on or before April 8, 2020. The new routine uses 
will be applicable on April 8, 2020 unless Treasury receives comments 
and determines that changes to the system of records notice are 
necessary.

ADDRESSES: Comments may be submitted to the Federal eRulemaking Portal 
electronically at http://www.regulations.gov. Comments can also be sent 
to the Deputy Assistant Secretary for Privacy, Transparency, and 
Records, Department of the Treasury, Departmental Offices, 1500 
Pennsylvania Avenue NW, Washington, DC 20220, Attention: Revisions to 
Privacy Act Systems of Records. All comments received, including 
attachments and other supporting documents, are part of the public 
record and subject to public disclosure. All comments received will be 
posted without change to www.regulations.gov, including any personal 
information provided. You should submit only information that you wish 
to make publicly available.

FOR FURTHER INFORMATION CONTACT: For general questions and privacy 
issues please contact: Deputy Assistant Secretary for Privacy, 
Transparency, and Records (202-622-5710), Department of the Treasury, 
1500 Pennsylvania Avenue NW, Washington, DC 20220.

SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act of 1974, 
the Department of the Treasury (``Treasury'') Departmental Offices (DO) 
proposes to modify a current Treasury system of records titled, 
``Treasury/Departmental Offices .216--Treasury Security Access Control 
and Certificates Systems.'' This action is necessary to meet the 
requirements of the Privacy Act to publish in the Federal Register 
notice of the existence and character of system of records maintained 
by the agency (5 U.S.C. 552a(e)(4)).
    The Treasury Security Access Control and Certificates System 
improves security for both Treasury and DO physical and cyber assets 
by: Maintaining records concerning the security/access badges Treasury 
issues; risk assessments (including background checks) to validate the 
decision to grant access (or not) to Treasury facilities and cyber 
assets; restricting entry to installations and activities; ensuring 
positive identification of personnel and others authorized to access 
restricted areas; maintaining accountability for issuance and 
disposition of security/access badges; maintaining an electronic system 
to facilitate secure on-line communication between federal automated 
systems, federal employees or contractors, and/or the public, using 
digital signature technologies to authenticate and verify identity; 
providing a means of access to Treasury cyber assets including the DO 
network, local area network (LAN), desktop and laptops; and to provide 
mechanisms for non-repudiation of personal identification and access to 
DO sensitive cyber systems; including, but not limited to human 
resource, financial, procurement, travel and property systems as well 
as tax, econometric and other mission critical systems. The system also 
maintains records relating to the issuance of digital certificates 
using public key cryptography to employees and contractors for the 
purpose of transmission of sensitive electronic material that requires 
protection. Treasury is authorized to collect and share this 
information for the above purposes under the following statutes and 
Executive Orders: 5 U.S.C. 301; 31 U.S.C. 321; 18 U.S.C. 3056A(3) and 
E.O. 9397 (SSN).
    The purpose of this report is to give notice of a modified system 
of records notice--Treasury/Departmental Offices .216 Treasury Security 
Access Control and Certificates Systems. Treasury is modifying this 
existing SORN to: (1) Add a new authority; (2) add a new category of 
records (and data elements); (2) clarify and make more explicit 
disclosures that are currently the subject

[[Page 13709]]

of existing routine uses; and (3) add two routine uses to replace an 
existing routine use on the same subject (as required by OMB).

(1) Additional Authority

    Treasury is modifying this existing SORN to add an authority. This 
new authority, 18 U.S.C. 3056A(3), establishes a ``permanent police 
force,'' under the USSS Uniformed Division, and the USSS authority to 
protect the Treasury Buildings and grounds. The EOP requires 
prospective Main Treasury and Freedman's Bank Building visitors 
(including new Treasury employees who have not yet been badged) to 
provide records necessary for the Executive Office of the President 
(EOP) and USSS to conduct risk assessments (including background 
investigations) to determine suitability for access to Main Treasury 
and the Freedman's Bank Building because of the proximity of these 
facilities to the White House. This authority, permits sharing between 
Treasury and USSS for the purposes of protecting the Main Treasury, the 
Freedman's Bank Building, and their occupants.

(2) Adding a New Category of Records/Data Elements

    Treasury is also modifying this SORN to include a new category of 
records the Executive Office of the President (EOP) requires from all 
visitors to the White House Complex to assist the EOP in conducting 
risk assessments before prospective visitors are allowed to enter Main 
Treasury and/or the Freedman's Bank Building. The new category of 
records will allow the collection of the names of countries/locations a 
prospective visitor has visited in the last 30 days before completing 
the form (including the dates reflecting when they entered and left 
each country/location visited). The EOP added these new data elements 
to enhance its risk assessments when considering visitor requests. The 
collection of these new records will improve personnel and visitor 
health and safety in accordance with EOP requirements. These purposes 
are consistent with the overall purpose of this system of records.
    Treasury is also modifying the SORN to add a data element (personal 
email address) to the category of records that is incidentally 
collected via an existing data field. The current SORN identifies 
``work email address'' as a data element collected in this system of 
records. The data field in one of the forms in which data in this 
system is collected requires ``Email.'' Experience has shown that some 
visitors are entering personal email addresses. Treasury is making this 
modification for the purpose of clarifying data collected in this 
field.
    Treasury is also modifying the SORN to make explicit data elements 
collected that are already encompassed in another existing category of 
records in the existing SORN. The existing categories of records 
includes ``home address.'' In some instances, when collecting records 
for inclusion in this system of records, the entire home address is not 
required and only components of the address (City and State of 
Residence) are collected. For purposes of clarification, City of 
Residence and State of Residence are added as separate data elements in 
the Categories of Records to avoid confusion.

(3) Clarifying and Making More Explicit Disclosures That Are Currently 
the Subject of Existing Routine Uses

    This is more of a clarification than a new routine use, but 
Treasury is also adding a new routine use (routine use 11) to make more 
explicit the disclosure of records to EOP and USSS that are pertinent 
to risk assessments (including background investigations). These 
disclosures are already covered under routine uses 1 and 5, but the new 
routine use language will make clear that the EOP and USSS are 
recipients of disclosures of records from this system of records.
    Treasury is also adding two modified routine uses (new routine uses 
9 & 10) to replace existing routine use 9 which covers the same subject 
(breach mitigation). The term ``modified'' is used because these new 
routine uses replace an existing routine use on the same subject. These 
modifications were required by Office of Management and Budget (OMB) 
Memorandum 17-12, ``Preparing for and Responding to a Breach of 
Personally Identifiable Information,'' dated January 3, 2017.
    Other changes throughout the document are editorial in nature and 
consist primarily of correction of citations, updates to addresses, 
authorities, notification procedure, and clarification to the storage 
and safeguards. Other changes throughout the document are editorial in 
nature and consist primarily of correction of citations, updates to 
addresses, and clarification to the storage and safeguards.
    Treasury has evaluated the effect of these modified systems on 
individual privacy and determined that the impact on individual privacy 
is outweighed by the risks associated with securing Treasury's physical 
and cyber assets and the physical safety and health of Treasury 
visitors, personnel, and facilities.
    Treasury will include this modified system in its inventory of 
record systems. Below is the description of the modified Treasury/
Departmental Offices .216--Treasury Security Access Control and 
Certificates Systems System of Records.
    Treasury has provided a report of this system of records to the 
Committee on Oversight and Government Reform of the House of 
Representatives, the Committee on Homeland Security and Governmental 
Affairs of the Senate, and OMB, pursuant to 5 U.S.C. 552a(r) and OMB 
Circular A-108, ``Federal Agency Responsibilities for Review, 
Reporting, and Publication under the Privacy Act,'' dated December 23, 
2016.

Ryan Law,
Deputy Assistant Secretary for Privacy, Transparency, and Records.

SYSTEM NAME AND NUMBER:
    Treasury/DO .216--Treasury Security Access Control and Certificates 
Systems.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    a. Physical records are maintained at Department of the Treasury, 
1500 Pennsylvania Avenue NW, Washington, DC 20220.
    b. Visitor records are maintained at Department of the Treasury, 
Departmental Offices, Chief Information Officer, 1750 Pennsylvania 
Avenue NW, Washington, DC 20220.

SYSTEM MANAGER(S):
    Departmental Offices:
    a. Director, Office of Security Programs, 1500 Pennsylvania Avenue 
NW, Washington, DC 20220.
    b. Chief Information Officer, 1750 Pennsylvania Avenue NW, 
Washington, DC 20220.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301; 31 U.S.C. 321; 18 U.S.C. 3056A(3) and E.O. 9397 
(SSN).

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to: Improve the security of Treasury 
Departmental Offices (DO) physical and cyber assets as well as the 
physical safety of Treasury visitors, personnel and facilities; issue 
security/access badges; restrict entry to installations and activities; 
ensure positive identification of personnel authorized access to 
restricted areas; conduct background checks to validate the decision to 
grant access (or not); maintain accountability for issuance and 
disposition of security/access badges; maintain an electronic system to 
facilitate secure, on-line

[[Page 13710]]

communication between Federal automated systems, and between Federal 
employees or contractors, and the public, using digital signature 
technologies to authenticate and verify identity; provide a means of 
access to Treasury cyber assets including the DO network, local area 
network (LAN), desktop and laptops; and to provide mechanisms for non-
repudiation of personal identification and access to DO sensitive cyber 
systems including but not limited to human resource, financial, 
procurement, travel and property systems as well as tax, econometric 
and other mission critical systems. The system also maintains records 
relating to the issuance of digital certificates utilizing public key 
cryptography to employees and contractors for the purpose of 
transmission of sensitive electronic material that requires protection.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Treasury employees, contractors, media representatives, and other 
individuals requiring access to Treasury facilities or government 
property, and those who need to gain access to a Treasury DO cyber 
asset including the network, LAN, desktops and notebooks.

CATEGORIES OF RECORDS IN THE SYSTEM:
     Individual's application for security/access badge or 
access to Main Treasury or the Freedman's Bank Building;
     Personal device identifier/Serial numbers certificate 
details;
     Individual's photograph;
     Fingerprint records;
     Special credentials;
     Treaty or agreement papers;
     Registers;
     Logs reflecting sequential numbering of security/access 
badges;
     Travel history information.
    The system also contains information needed to establish 
accountability and audit control of digital certificates that have been 
assigned to personnel who require visitor access, access to Treasury DO 
cyber assets including DO network and LAN as well as those who transmit 
electronic data that requires protection by enabling the use of public 
key cryptography. It also contains records that are needed to authorize 
an individual's access to a Treasury network, and Treasury facilities.
    Records may include the individual's:
     Name (first, middle, last);
     Gender;
     Organization;
     Work/personal telephone number;
     Social Security Number;
     Date of birth;
     Electronic Identification Number;
     Work/personal email address;
     Username and password;
     Country of birth;
     Citizenship;
     City of Residence;
     State of Residence;
     Names of countries/locations visited in the past 30 days 
(including travel start and end date(s));
     Clearance and status;
     Title;
     Work/home address and phone number;
     Biometric data including fingerprint minutia;
     Audit logs and security monitoring information such as 
Appointment ID number, Appointment Date and time, Appointment type, 
Location, Room number, salesforce ID;
     Specific aids or services for the disabled;
     Alias names; and
     Records on the creation, renewal, replacement or 
revocation of electronic access, ingress/egress rights, digital 
certificates including evidence provided by applicants for proof of 
identity, sources used to verify an applicant's identity and authority, 
the certificates, and electronic access and ingress/egress rights 
issued, denied, and revoked, including reasons for denial and 
revocation.

RECORD SOURCE CATEGORIES:
    The information contained in these records is provided by or 
verified by the subject individual of the record, supervisors, other 
personnel documents, and non-Federal sources such as private employers.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under the 
Privacy Act of 1974, 5 U.S.C. 552a(b), records and/or information or 
portions thereof maintained as part of this system may be disclosed 
outside Treasury as a routine use pursuant to 5 U.S.C. 552a(b)(3) as 
follows:
    (1) To appropriate federal, state, local, and foreign agencies for 
the purpose of enforcing and investigating administrative, civil or 
criminal law relating to the hiring or retention of an employee; 
issuance of a security clearance, license, contract, grant or other 
benefit;
    (2) To a court, magistrate, or administrative tribunal in the 
course of presenting evidence, including disclosures to opposing 
counsel or witnesses in the course of or in preparation for civil 
discovery, litigation, or settlement negotiations, in response to a 
court order where relevant or potentially relevant to a proceeding, or 
in connection with criminal law proceedings;
    (3) To a contractor for the purpose of compiling, organizing, 
analyzing, programming, or otherwise refining records to accomplish an 
agency function subject to the same limitations applicable to U.S. 
Department of the Treasury officers and employees under the Privacy 
Act;
    (4) To a congressional office from the record of an individual in 
response to an inquiry from that congressional office made pursuant to 
a written Privacy Act waiver at the request of the individual to whom 
the record pertains;
    (5) To third parties during the course of an investigation to the 
extent necessary to obtain information pertinent to the investigation;
    (6) To the Office of Personnel Management, Merit Systems Protection 
Board, Equal Employment Opportunity Commission, Federal Labor Relations 
Authority, and the Office of Special Counsel for the purpose of 
properly administering Federal personnel systems or other agencies' 
systems in accordance with applicable laws, Executive Orders, and 
regulations;
    (7) To the National Archives and Records Administration (NARA) or 
General Services Administration pursuant to records management 
inspections being conducted under the authority of 44 U.S.C. 2904 and 
2906;
    (8) To other Federal agencies or entities when the disclosure of 
the existence of the individual's security clearance is needed for the 
conduct of government business;
    (9) To appropriate agencies, entities, and person when (1) the 
Department of the Treasury and/or Departmental Offices suspects or has 
confirmed that there has been a breach of the system of records; (2) 
the Department of the Treasury and/or Departmental Offices has 
determined that as a result of the suspected or confirmed breach there 
is a risk of harm to individuals, the Department of the Treasury and/or 
Departmental Offices (including its information systems, programs, and 
operations), the Federal Government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with the Department of the Treasury's 
and/or Departmental Offices' efforts to respond to the suspected or 
confirmed breach or to prevent, minimize, or remedy such harm;
    (10) To another Federal agency or Federal entity when the 
Department of

[[Page 13711]]

the Treasury and/or Departmental Offices determines that information 
from this system of records is reasonably necessary to assist the 
recipient agency or entity in (1) responding to a suspected or 
confirmed breach or (2) preventing, minimizing, or remedying the risk 
of harm to individuals, the recipient agency or entity (including its 
information systems, programs, and operations), the Federal Government, 
or national security, resulting from a suspected or confirmed breach; 
and
    (11) To the Executive Office of the President and the United States 
Secret Service to allow risk assessments (including background 
investigations) to determine if prospective visitors to Main Treasury 
and the Freedman's Bank Building should be granted or denied access to 
Department of the Treasury areas secured by USSS, or to areas in 
proximity to persons protected by USSS.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records in this system are stored electronically or on paper in 
secure facilities in a locked drawer behind a locked door.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by an individual's name, social security 
number, email address, electronic identification number and/or access/
security badge number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    In accordance with National Archives and Records Administration 
General Records Schedule 5.2 item 20, records are maintained on 
government employees and contractor employees for the duration of their 
employment at the Treasury Department. Records on separated employees 
are destroyed or sent to the Federal Records Center. Records on members 
of the public seeking access to a Treasury facility protected by USSS 
are temporary records and are destroyed after USSS makes Treasury 
facility access determinations.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records in this system are safeguarded in accordance with 
applicable rules and policies, including all applicable Treasury 
automated systems security and access policies. Strict controls have 
been imposed to minimize the risk of compromising the information that 
is being stored. Access to the computer system containing the records 
in this system is limited to those individuals who have a need to know 
the information for the performance of their official duties and who 
have appropriate clearances.
    Entrance to data centers and support organization offices is 
restricted to those employees whose work requires them to be there for 
the system to operate. Identification (ID) cards are verified to ensure 
that only authorized personnel are present. Disclosure of information 
through remote terminals is restricted through the use of passwords and 
sign-on protocols which are periodically changed. Reports produced from 
the remote printers are in the custody of personnel and financial 
management officers and are subject to the same privacy controls as 
other documents of similar sensitivity. Access is limited to authorized 
employees. Paper records are maintained in locked safes and/or file 
cabinets. Electronic records are password-protected. During non-work 
hours, records are stored in locked safes and/or cabinets in a locked 
room.
    Protection and control of any sensitive but unclassified (SBU) 
records are in accordance with TD P 71-10, Department of the Treasury 
Security Manual. Access to the records is available only to employees 
responsible for the management of the system and/or employees of 
program offices who have a need for such information.
    Temporary records are collected by Treasury on behalf of the USSS 
so they can determine whether members of the public will be granted or 
denied access to Department of the Treasury areas secured by the USSS. 
Those temporary records are only available to Treasury and authorized 
employees, and are maintained in password protected systems or locked 
containers until transmitted to the USSS.

RECORD ACCESS PROCEDURES:
    See ``Notification Procedures'' below.

CONTESTING RECORD PROCEDURES:
    See ``Notification Procedures'' below.

NOTIFICATION PROCEDURES:
    Individuals seeking notification and access to any record contained 
in the system of records, or seeking to contest its content, may 
inquire in accordance with instructions pertaining to individual 
Treasury components appearing at 31 CFR part 1, subpart C, appendix A.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Notice of this system of records was last published in full in the 
Federal Register on November 7, 2016 (81 FR 78298) as the Department of 
the Treasury/Departmental Offices .216--Treasury Security Access 
Control and Certificates Systems.

[FR Doc. 2020-04669 Filed 3-6-20; 8:45 am]
 BILLING CODE 4810-25-P