[Federal Register Volume 85, Number 247 (Wednesday, December 23, 2020)]
[Notices]
[Pages 84123-84126]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-28337]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Debt Management Center, Department of Veterans Affairs (VA).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 522a(e)(4)) requires that 
all agencies publish in the Federal Register a notice of the existence 
and character of their systems of records. Notice is hereby given that 
the Department of Veterans Affairs (VA) is creating a new system of 
records entitled ``PayVA (QCR) Debt Management Center System of Records 
Notice'' (194VA189).

DATES: Comments on this modified system of records must be received no 
later than 30 days after date of publication in the Federal Register. 
If no public comment is received during the period allowed for comment 
or unless otherwise published in the Federal Register by VA, the new 
system of records will become effective a minimum of 30 days after date 
of publication in the Federal Register. If VA receives public comments, 
VA shall review the comments to determine whether any changes to the 
notice are necessary.

ADDRESSES: Written comments may be submitted through 
www.Regulations.gov; by mail or hand-delivery to Director, Regulation 
Policy and Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave. NW, Room 1064, Washington, DC 20420; or by fax to (202) 
273-9026 (not a toll-free number). Comments should indicate that they 
are submitted in response to ``PayVA (QCR) Debt Management Center''. 
Copies of comments received will be available for public inspection in 
the Office of Regulation Policy and Management, Room 1063B, between the 
hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except 
holidays). Please call (202) 461-4902 for an appointment. (This is not 
a toll-free number.) In addition, comments may be viewed online at 
www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Chief, Support Services Division, Debt 
Management Center (189/00), U.S. Department of Veterans Affairs, Bishop 
Henry Whipple Federal Building, 1 Federal Drive, Ft. Snelling, 
Minnesota 55111. The internet email address for Debt Management Center 
is: [email protected].

SUPPLEMENTARY INFORMATION: PayVA is a custom-developed application 
(which is a website; https://www.pay.va.gov) that is used by the Debt 
Management Center (DMC) to verify debts are active at DMC before the 
Veteran makes a payment to pay.gov. PayVA collects basic debt 
information from users, redirects them to pay.gov (Department of 
Treasury) for online payments and collects responses from pay.gov. The 
production site with a secure certificate has already been created.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. James P. 
Gfrerer, Assistant Secretary of Information and Technology and Chief 
Information Officer, approved this document on November 15, 2020 for 
publication.


[[Page 84124]]


     Dated: December 18, 2020.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    PayVA (QCR) Debt Management Center System of Records Notice 
194VA189.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    PayVA is a custom-developed application (which is a website; 
https://www.pay.va.gov) that is used by the Debt Management Center 
(DMC) to verify debts are active at DMC before the Veteran makes a 
payment. PayVA collects basic debt information from users, redirects 
them to pay.gov (Department of Treasury) for online payments and 
collects responses from pay.gov. PayVA prevents DMC from over-
collecting and/or creating more refunds than necessary. The production 
site has a valid secure certificate. PayVA is housed in the WebOps 
server farm at the Capital Region Readiness Center (CRRC) in 
Martinsburg, WV. The system is currently owned by Enterprise Product 
Management Office (EPMO), Corporate Product Support (CPS) and is 
developing the Assessment and Authorization. DMC will take ownership of 
Assessment and Authorization activities once developed and in 
sustainment. The estimated number of Veterans whose financial 
information is stored in the system is 100,000 or more. PayVA receives 
information (a table containing PII) from the Centralized Accounts 
Receivable System/Central Accounts Receivable On-Line System (CARS/
CAROLS) an internal VA system, via a SQL job 3 times a week. PayVA also 
receives information each time a payment is completed via a form 
submission from Pay.Gov which is owned by the Department of Treasury.

SYSTEM MANAGER(S):
    Joseph Schmitt, Executive Director, Debt Management Center (189/
00), U.S. Department of Veterans Affairs, Bishop Henry Whipple Federal 
Building, 1 Federal Drive, Ft. Snelling, MN 55111. Email: 
[email protected]

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 10 United States Code (U.S.C.) Chapters 106a, 510, 1606 and 
1607 and Title 38, U.S.C., section 501(a) and Chapters 11, 13, 15, 18, 
23, 30, 31, 32, 33, 34, 35, 36, 39, 51, 53, and 55. The following 
notice is provided on the PayVA website: The information you furnish on 
this form, including your Social Security Number, is used to associate 
your payment with your accounts receivable record so that we may 
properly credit your account. Disclosure is voluntary. However, without 
disclosure, a credit card transaction or direct debit transaction 
cannot be processed. The responses you submit are confidential and 
protected from unauthorized disclosure by 38 U.S.C. 5701. The 
information may be disclosed outside the Department of Veterans Affairs 
(VA) only when authorized by the Privacy Act of 1974, as amended. The 
routine uses for which VA may disclose the information can be found in 
VA systems of records, including 58VA21/22, Compensation, Pension, 
Education and Rehabilitation Records-VA, and 88VA244.

PURPOSE(S) OF THE SYSTEM:
    The information collected from the PayVA user is needed to verify 
the information entered is applied to the correct debt.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Persons indebted to the United States Government as a result of 
their participation in benefit programs (including health care 
programs) administered by VA under title 38, United States Code, 
chapters 11, 13, 15, 17, 18, 21, 30, 31, 32, 33, 34, 35, 36 and 37, 
including persons indebted to the United States Government by virtue of 
their ownership, contractual obligation or rental of property owned by 
the Government or encumbered by a VA-guaranteed, insured, direct or 
vendee loan. The individuals covered are persons indebted to the United 
States Government as a result of their participation in a benefit 
program administered by VA, but who did not meet the requirements for 
receipt of such benefits or services. Persons indebted to the United 
States, a State or local government whose debts are referred to the 
Department of Veterans Affairs for Government-wide cross-servicing 
under 31 U.S.C. 3711(g)(4) or any valid interagency agreement. Persons 
indebted to the United States as the result of erroneous payment of pay 
or allowances or as the result of erroneous payment of travel, 
transportation or relocation expenses and allowances (previously and 
hereinafter referred to as ``pay administration'') under the provisions 
of title 5, United States Code, part III, subpart D.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The following information is collected from the user: File Number 
(which is sometimes the SSN and sometimes the SSN, reformatted); Payee 
Number; Deduction Code (which can be found in a letter the user 
received from the DMC). PayVA then verifies the information entered by 
the user against a table provided by CARS/CAROLS (an internal VA 
system). If the information entered is correct the user is directed to 
the Department of Treasury's Pay.Gov where payment is made, and then a 
form submission with the user's partial bank account number/credit card 
number and payer name is provided to PayVA and stored in its database.

RECORD SOURCE CATEGORIES:
    PayVA receives the following information from the user, directly, 
First Name, Last Name, Daytime Phone, File Number, Payee Number, Person 
Entitled, Deduction Code, and Payment Amount. PayVA, then checks 
whether the information entered by the user matches what is in the 
CARS/CAROLS table that is received by PayVA, 3 times a week; each time 
the table is refreshed the former table is deleted (no historical data 
from CARS/CAROLS is stored in PayVA). If the information entered by the 
User matches what is in the table received from CARS/CAROLS the user is 
transferred to Pay.Gov (which is managed by the Department of 
Treasury), where the payment is made. The only information PayVA shares 
with Pay.Gov is the first name, last name, and debt amount. The user 
then enters the following information to Pay.Gov, the Payment Amount, 
Account Type, Routing Number, and Account Number (which would be 
covered by the Department of Treasury's accreditation documentation). 
Once the payment is completed Pay.Gov passes payment results including 
partial bank account number, credit card number, and payer name which 
is stored in PayVA's Database.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. Congress: VA may disclose information from the record of an 
individual in response to an inquiry from the congressional office made 
at the request of that individual.
    VA must be able to provide information about individuals to 
adequately respond to inquiries from Members of Congress at the request 
of constituents who have sought their assistance.
    2. Data breach response and remedial efforts: VA may disclose 
information

[[Page 84125]]

from this system to appropriate agencies, entities, and persons when 
(1) VA suspects or has confirmed that there has been a breach of the 
system of records; (2) VA has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
VA (including its information systems, programs, and operations), and 
(3) the Federal Government, or national security; and the disclosure 
made to such agencies, entities, and persons is reasonably necessary to 
assist in connection with VA's efforts to respond to the suspected or 
confirmed breach or to prevent, minimize, or remedy such harm.
    3. Data breach response and remedial efforts with another Federal 
agency: VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    4. Law Enforcement: VA may, disclose information in this system, 
except the names and home addresses of veterans and their dependents, 
which is relevant to a suspected or reasonably imminent violation of 
law, whether civil, criminal or regulatory in nature and whether 
arising by general or program statute or by regulation, rule or order 
issued pursuant thereto, to a Federal, state, local, tribal, or foreign 
agency charged with the responsibility of investigating or prosecuting 
such violation, or charged with enforcing or implementing the statute, 
regulation, rule or order. VA may also disclose the names and addresses 
of veterans and their dependents to a Federal agency charged with the 
responsibility of investigating or prosecuting civil, criminal or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule or order issued pursuant thereto.
    VA must be able to provide information that pertains to a violation 
of laws to law enforcement authorities in order for them to investigate 
and enforce those laws. Under 38 U.S.C. 5701(a) and (f), VA may 
disclose the names and addresses of veterans and their dependents to 
Federal entities with law enforcement responsibilities. This is 
distinct from the authority to disclose records in response to a 
qualifying request from a law enforcement entity, as authorized by 
Privacy Act subsection 5 U.S.C. 552a(b)(7).
    5. Litigation: VA may disclose information from this system of 
records to the Department of Justice (DoJ), either on VA's initiative 
or in response to DoJ's request for the information, after either VA or 
DoJ determines that such information is relevant to DoJ's 
representation of the United States or any of its components in legal 
proceedings before a court or adjudicative body, provided that, in each 
case, the agency also determines prior to disclosure that release of 
the records to the DoJ is limited to circumstances where relevant and 
necessary to the litigation. VA may disclose records in this system of 
records in legal proceedings before a court or administrative body 
after determining that release of the records to the DoJ is limited to 
circumstances where relevant and necessary to the litigation.
    To determine whether to disclose records under this routine use, VA 
will comply with the guidance promulgated by the Office of Management 
and Budget in a May 24, 1985, memorandum entitled ``Privacy Act 
Guidance--Update,'' currently posted at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/guidance1985.pdf.
    VA must be able to provide information to DoJ in litigation where 
the United States or any of its components is involved or has an 
interest. A determination would be made in each instance that under the 
circumstances involved, the purpose is compatible with the purpose for 
which VA collected the information. This routine use is distinct from 
the authority to disclose records in response to a court order under 
subsection (b)(11) of the Privacy Act, 5 U.S.C. 552(b)(11), or any 
other provision of subsection (b), in accordance with the court's 
analysis in Doe v. DiGenova, 779 F.2d 74, 78-85 (D.C. Cir. 1985) and 
Doe v. Stephens, 851 F.2d 1457, 1465-67 (D.C. Cir. 1988).
    6. Contractors: VA may disclose information from this system of 
records to individuals, organizations, private or public agencies, or 
other entities or individuals with whom VA has a contract or agreement 
to perform such services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor, subcontractor, 
public or private agency, or other entity or individual with whom VA 
has a contract or agreement to perform services under the contract or 
agreement.
    This routine use includes disclosures by an individual or entity 
performing services for VA to any secondary entity or individual to 
perform an activity that is necessary for individuals, organizations, 
private or public agencies, or other entities or individuals with whom 
VA has a contract or agreement to provide the service to VA.
    This routine use, which also applies to agreements that do not 
qualify as contracts defined by Federal procurement laws and 
regulations, is consistent with OMB guidance in OMB Circular A-130, 
App. I, paragraph 5a(1)(b) that agencies promulgate routine uses to 
address disclosure of Privacy Act-protected information to contractors 
in order to perform the services contracts for the agency.
    7. Equal Employment Opportunity Commission (EEOC): VA may disclose 
information from this system to the EEOC when requested in connection 
with investigations of alleged or possible discriminatory practices, 
examination of Federal affirmative employment programs, or other 
functions of the Commission as authorized by law or regulation.
    VA must be able to provide information to EEOC to assist it in 
fulfilling its duties to protect employees' rights, as required by 
statute and regulation.
    8. Federal Labor Relations Authority (FLRA): VA may disclose 
information from this system to the FLRA, including its General 
Counsel, information related to the establishment of jurisdiction, 
investigation, and resolution of allegations of unfair labor practices, 
or in connection with the resolution of exceptions to arbitration 
awards when a question of material fact is raised; for it to address 
matters properly before the Federal Service Impasses Panel, investigate 
representation petitions, and conduct or supervise representation 
elections.
    VA must be able to provide information to FLRA to comply with the 
statutory mandate under which it operates.
    9. Merit Systems Protection Board (MSPB): VA may disclose 
information from this system to the MSPB, or the Office of the Special 
Counsel, when requested in connection with appeals, special studies of 
the civil service and other merit systems, review of rules and 
regulations, investigation of alleged or possible prohibited personnel 
practices, and such other functions promulgated in 5 U.S.C. 1205 and 
1206, or as authorized by law.
    VA must be able to provide information to MSPB to assist it in

[[Page 84126]]

fulfilling its duties as required by statute and regulation.
    10. National Archives and Records Administration (NARA) and General 
Services Administration (GSA): VA may disclose information from this 
system to NARA and GSA in records management inspections conducted 
under title 44, U.S.C.
    NARA is responsible for archiving old records which are no longer 
actively used but may be appropriate for preservation, and for the 
physical maintenance of the Federal government's records. VA must be 
able to provide the records to NARA in order to determine the proper 
disposition of such records.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Payment results are provided by Pay.Gov (system owned by the 
Department of Treasury) upon payment completion. The payment results 
contain the following PII which is stored indefinitely in PayVA's 
Database is: Partial bank account number/credit card number, and the 
payer name. PayVA also receives a table from CARS/CAROLS (an internal 
system to VA) 3 times a week via a SQL job that contains the following 
PII, File Number (which is sometimes the SSN), Payee Number and 
Deduction Code.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Automated records of VA claims and debts are indexed by VA claim 
number, Social Security account number, name and loan account number in 
appropriate circumstances. Paper documents, microfilm, microfiche and 
automated records of pay administration debts and debts referred to VA 
for cross servicing are indexed by Social Security account number or 
Taxpayer Identification Number. Records in CAIVRS may only be retrieved 
by Social Security number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    These records are retained and disposed of in accordance with the 
General Records Schedule 3.1 010-020, approved by National Archives and 
Records Administration (NARA) https://www.archives.gov/files/records-mgmt/grs/grs03-1.pdf. A retention policy specific to PayVA is being 
drafted. This PIA will be updated with that information upon 
completion; until that time, PayVA is retaining all records 
indefinitely.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    1. Physical Security:
    (a) Access to working spaces and document storage areas in DMC is 
restricted by cipher locks and to VA employees on a need-to-know basis. 
Generally, document storage areas in VA offices other than DMC are 
restricted to VA employees on a need-to-know basis. VA offices are 
generally protected from outside access by the Federal Protective 
Service or other security personnel. Strict control measures are 
enforced to ensure that access to and disclosure from documents, 
microfilm and microfiche are limited to a need-to-know basis.
    (b) Access to PayVA data telecommunications terminals is by 
authorization controlled by the site security officer. The security 
officer is assigned responsibility for privacy-security measures, 
especially for review of violation logs, information logs and control 
of password distribution.
    (c) Access to data processing centers is generally restricted to 
center employees, custodial personnel, Federal Protective Service and 
other security personnel. Access to computer rooms is restricted to 
authorized operational personnel through electronic locking devices. 
All other personnel gaining access to computer rooms are escorted.
    2. PayVA and Personal Computer Local Area Network (LAN) Security:
    (a) Usage of PayVA and LAN terminal equipment is authenticated by 
Single-Sign-On (SSOI) Two Factor Authentication (2FA). Electronic 
keyboard locks are activated on security errors.
    (b) At the data processing centers, identification of magnetic 
media containing data is rigidly enforced using labeling techniques. 
Automated storage media which are not in use are stored in tape 
libraries which are secured in locked rooms. Access to programs is 
controlled at three levels: Programming, auditing and operations.
    (c) Department of the Treasury Security: Access to the system is on 
a need-to-know basis, only, as authorized by the system manager. 
Procedural and physical safeguards are utilized to include 
accountability, receipt records and specialized communications 
security. The data system has an internal mechanism to restrict access 
to authorized officials. The building is patrolled by uniformed 
security guards.

RECORD ACCESS PROCEDURES:
    Individuals seeking information regarding access to and contesting 
of records maintained by VA may write, call or visit the nearest VA 
regional office. Address locations are listed in VA Appendix 1 of 
58VA21/22/28.

CONTESTING RECORD PROCEDURES:
    See record access procedures above.

NOTIFICATION PROCEDURES:
    A Privacy Notice is available for the user to click on via a link 
entitled, ``Read Important Privacy Information.'' A copy of the Privacy 
Information is included as Appendix A.
    The legal authorities are provided in the first paragraph of the 
PayVA Privacy Information (38.U.S.C.5701; Privacy Act of 1974; A new 
SORN is being drafted and its number is 194VA189. SORNs 58VA21/22 
Compensation, Pension, Education and Rehabilitation Records-VA, and 
88VA244, Accounts Receivable Records-VA (as can be seen below and in 
Appendix A).
    ``Privacy Act Information: The information you furnish on this 
form, including your Social Security Number, is used to associate your 
payment with your accounts receivable record so that we may properly 
credit your account. Disclosure is voluntary. However, without 
disclosure, a credit card transaction or direct debit transaction 
cannot be processed. The responses you submit are confidential and 
protected from unauthorized disclosure by 38 U.S.C. 5701. The 
information may be disclosed outside the Department of Veterans Affairs 
(VA) only when authorized by the Privacy Act of 1974, as amended. The 
routine uses for which VA may disclose the information can be found in 
VA systems of records, including 58VA21/22, Compensation, Pension, 
Education and Rehabilitation Records-VA, and 88VA244, Accounts 
Receivable Records-VA. VA systems of records and alterations to the 
systems are published in the Federal Register. Any information provided 
by you, including your Social Security Number, may be used in computer 
matching programs conducted in connection with any proceeding for the 
collection of an amount owed by virtue of your participation in any 
benefit program administered by VA.''

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

[FR Doc. 2020-28337 Filed 12-22-20; 8:45 am]
BILLING CODE P