[Federal Register Volume 86, Number 89 (Tuesday, May 11, 2021)]
[Notices]
[Pages 25899-25902]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-09754]


-----------------------------------------------------------------------

POSTAL SERVICE


Privacy Act System of Records

AGENCY: Postal Service\TM\.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The United States Postal Service (USPS\TM\) is proposing to 
create a new General Privacy Act System of Records.

DATES: These revisions will become effective without further notice on 
June

[[Page 25900]]

10, 2021, unless comments received on or before that date result in a 
contrary determination.

ADDRESSES: Comments may be submitted via email to the Privacy and 
Records Management Office, United States Postal Service Headquarters 
([email protected]). Arrangements to view copies of any written comments 
received, to facilitate public inspection, will be made upon request.

FOR FURTHER INFORMATION CONTACT: Janine Castorina, Chief Privacy and 
Records Management Officer, Privacy and Records Management Office, 202-
268-3069 or [email protected].

SUPPLEMENTARY INFORMATION:

Background

    The world of commercial information technology resources (``IT'') 
is constantly changing and innovating to improve the daily lives of 
businesses, their employees, and their customers. This pace can often 
result in unanticipated obsolescence, necessitating review of an 
organization's already implemented solutions. For the Postal Service, 
legal processes and notice required by the Privacy Act present 
additional challenges, as new technologies will require further review 
for possible compliance issues to meet statutory and regulatory 
requirements.
    To better meet the changing technology world, the Postal Service 
will consolidate existing Systems of Records (``SOR''s) covering IT 
into three new, comprehensive Systems of Records. These SORs will work 
in tandem, with each individual SOR covering a specific group of 
related functions, and all three SORs working together to support a 
seamless technology experience.
    These SORs, generally, will cover the following three areas:
     Infrastructure, covering records created for use 
throughout the entirety of a particular IT resource in addition to 
covering the records created from the usage of those records by users 
and applications.
     Applications, covering records created through the regular 
use of an application.
     Administrative, covering records created for monitoring 
and administration of users and applications within an IT resource.
    In addition to covering these three areas generally, the Postal 
Service will look ahead in an effort to include possible future 
technology solutions within this System of Records. This will give the 
Postal Service flexibility to more easily adapt to the advancing pace 
of information technology and to better fulfill its service 
obligations. This will also provide transparency into the collection of 
records relating to commercial IT, allowing Postal employees, 
contractors, and the public to more easily identify what we do with 
their information.

Rationale for the Creation of a New USPS System of Records

    Currently, records relating to the implementation of IT resources 
are housed primarily in USPS 500.000, Property Management Records, with 
other IT-related components appearing in 890.000, Sales, Marketing, 
Events, and Publications, and other SORs. SOR 500.000 reflects not only 
IT access records, but also building access and related records. This 
results in a mixture of uses within SOR 500.000, which reduces 
optimization and can result in confusion.
    The creation of a new SOR to encompass commercial IT resources, 
therefore, provides a platform which is easy to understand and allows 
for greater flexibility in use and maintenance. Since the new SOR will 
house only IT resources, the public can more easily understand what 
information is collected and how it is used.
    Further, documenting IT records within one SOR provides for greater 
flexibility in adding new resources as well as maintaining existing 
resources. For example, one application may already collect and store, 
for the same purpose, data elements that a new application will use. 
With a record already documented, the implementation process of the new 
technology will be streamlined while also meeting statutory and 
regulatory mandates.

Description of New or Modified System of Records

    This new System of Records is being developed to support the 
implementation of various commercial IT resources and to provide 
support for future implementations.
    This system specifically will cover categories of records referred 
to collectively as ``Applications.'' Categories of Records in this 
system reference data elements created through normal use and 
interactions in a software application. Applications covered in this 
SOR reference or incorporate data elements otherwise documented in USPS 
550.000 Commercial Information Technology Resources- Infrastructure; 
therefore, they will not be specifically documented here unless this 
system references a transformative use of that element.
    This System of Records may overlap with elements appearing in other 
Systems of Records, as indicated in the Rationale for Changes to USPS 
System of Records section. This new System of Records will encompass 
commercially developed or commercially assisted IT resources. 
Applications developed in-house or by the Postal Service, such as 
Informed Delivery[supreg], will still be represented in their own SOR.

SYSTEM NAME AND NUMBER:
    550.100 Commercial Information Technology Resources--Applications.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    All USPS facilities and contractor sites.

SYSTEM MANAGER(S) AND ADDRESS:
    Chief Information Officer and Executive Vice President, United 
States Postal Service, 475 L'Enfant Plaza SW, Washington, DC 20260.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    39 U.S.C. 401, 403, and 404.

PURPOSE(S) OF THE SYSTEM:
    1. To provide event registration services to USPS customers, 
contractors, and other third parties.
    2. To allow task allocation and tracking among team members.
    3. To allow users to communicate by telephone, instant-messaging, 
and email through local machine and web-based applications on desktop 
and mobile operating systems.
    4. To share your personal image via your device camera during 
meetings and web conferences, if you voluntarily choose to turn the 
camera on, enabling virtual face-to-face conversations.
    5. To provide for the creation and storage of media files, 
including video recordings, audio recordings, desktop recording, and 
web-based meeting recordings.
    6. To provide a collaborative platform for viewing video and audio 
recordings.
    7. To create limited use applications using standard database 
formats.
    8. To review distance driven by approved individuals for accurate 
logging and compensation.
    9. To develop, maintain, and share computer code.
    10. To comply with Security Executive Agent Directive (SEAD) 3 
requirements for self-reporting of unofficial foreign travel pertaining 
to covered individuals who have access to classified information or who 
hold a sensitive position.

[[Page 25901]]

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    1. Individuals with authorized access to USPS computers, 
information resources, and facilities, including employees, 
contractors, business partners, suppliers, and third parties.
    2. Individuals participating in web-based meetings, web-based video 
conferencing, web-based communication applications, and web-based 
collaboration applications.

CATEGORIES OF RECORDS IN THE SYSTEM:
    1. Third-party Information records: Records relating to non-Postal, 
third-party individuals utilizing an information system, application, 
or piece of software, including: Third-Party Name, Third Party Date 
Request, Third Party Free Text, Guest User Information.
    2. Collaboration and Communication records: Records relating to 
web-conferencing, web-collaboration, and web-communication 
applications, including; Email Body Text, Email Metadata, Poll 
Responses, Survey Responses, Message Reactions, Group Names, Group IDs, 
Action Name, Number Of Actions Sent, Number Of Action Responses, 
Employee Phone Number, Group Chat History, Profile Information, Group 
Membership, Contacts, Enterprise Social Network User Name, Enterprise 
Social Network User State, Enterprise Social Network User State Change 
Date, Enterprise Social Network User Last Activity Date, Number Of 
Messages Posted By An Enterprise Social Network User In Specified Time 
Period, Number Of Messages Viewed By An Enterprise Social Network User, 
Number Of Liked Messages By An Enterprise Social Network User, Products 
Assigned To An Enterprise Social Network User, Home Network 
Information, External Network Information, External Network Name, 
External Network Description, External Network Image, Network Creation 
Date, Network Usage Policy, External Network User Name, External 
Network User Email Address, External Group Name, Number Of Users On A 
Network, Network ID, Live Event Video Links, Files Added Or Modified In 
Enterprise Social Network, Message ID, Thread ID, Message Privacy 
Status, Full Body Of Message, Project Owner, Project Creator, Event 
Start Time, Event Status, Event Organizer, Event Presenter, Event 
Producer, Event Production Type, Event Recording Setting, Total Number 
Of Event Media Viewings, Number Of Active Users, Number Of Active Users 
In Groups, Number Of Active Group Communication Channels, Number Of 
Messages Sent, Number Of Calls Participated In, Last Activity Date Of A 
User, Number Of Guest Users In A Group, Event Name, Event Description, 
Event Start Date, Event End Date, Video Platform Group Name, Video 
Platform Group Email Alias, Video Platform Group Description, Video 
Platform Group Classification, Video Platform Group Access Level, Video 
Platform Channel Name, Video Platform Channel Description, Video 
Platform Channel Access, Video Platform Live Event Recording.
    3. Multimedia records: Records relating to media associated with or 
originating from an information system, including; Video Platform User 
ID, Video Name, Videos Uploaded By User, Videos Accessed By User, 
Channels Created By User, User Group Membership, Comments Left By User 
On Videos, Screen Recordings, Video Transcript, Deep Search Captions, 
Video Metadata, Audio Metadata, Phone Number, Time Phone Call Started, 
User Name, Call Type, Phone Number Called To, Phone Number Called From, 
Called To Location, Called From Location, Telephone Minutes Used, 
Telephone Minutes Available, Charges For Use Of Telephone Services, 
Currency Of Charged Telephone Services, Call Duration, Call ID, 
Conference ID, Phone Number Type, Blocked Phone Numbers, Blocking 
Action, Reason For Blocking Action, Blocked Phone Number Display Name, 
Date And Time Of Blocking, Call Start Time, User Display Name, SIP 
Address, Caller Number, Called To Number, Call Type, Call Invite Time, 
Call Failure Time, Call End Time, Call Duration, Number Type, Media 
Bypass, SBC FQDN, Data Center Media Path, Data Center Signaling Path, 
Event Type, Final SIP, Final Vendor Subcode, Final SIP Phrase, Unique 
Customer Support ID.
    4. Limited Use Application records: Records relating to 
applications with a specific, limited use, including; Application 
Authoring Application Name, Application Authoring Application Author, 
Voice Search Text Strings, Miles Driven, Mileage Rates, Country 
Currency, Destination, Destination Classification, Car Make, Car Model, 
Working Hours, Total Number Of Monthly Drives, Total Number Of Monthly 
Miles, Total Number Of Personal Drives, Total Number Of Personal 
Drives.
    5. Development Records: Records relating to applications used for 
the creation, sharing, or modification of software code, including: 
Data Repository User ID, Data Repository Password, Data Repository User 
Address, Data Repository Payment Information, Data Repository User 
First Name, Data Repository User Last Name, Data Repository Profile 
Picture, Data Repository Profile Biography, Data Repository Profile 
Location, Data Repository User Company, Data Repository User 
Preferences, Data Repository User Preference Analytics, Data Repository 
Transaction Date, Data Repository Transaction Time, Data Repository 
Transaction Amount Charged, Data Repository web pages Viewed, Data 
Repository Referring website, Data Repository Date Of web page Request, 
Data Repository Time Of web page Request, Data Repository User Commits, 
Data Repository User Commit Comment Body Text, Data Repository Pull 
Request Comment Body Text, Data Repository Issue Comment Body Text, 
Data Repository User Comment Body Text, Data Repository User 
Authentication, Language Of Device Accessing Data Repository, Operating 
System Of Device Accessing Data Repository, Application Version Of 
Device Accessing Data Repository, Device Type Of Device Accessing Data 
Repository, Device ID Of Device Accessing Data Repository, Device Model 
Of Device Accessing Data Repository, Device Manufacturer Of Device 
Accessing Data Repository, Browser Version Of Device Accessing Data 
Repository, Client Application Information Of Device Accessing Data 
Repository, Data Repository User Usage Information, Data Repository 
Transactional Information, Data Repository API Notification Status, 
Data Repository API Issue Status, Data Repository API Pull Status, Data 
Repository API Commit Status, Data Repository API Review Status, Data 
Repository API Label, Data Repository API User Account Signin Status, 
Data Repository API Schedule Status, Data Repository API Schedule List.
    6. Unofficial Foreign Travel Monitoring: Records relating to 
covered individuals for the administration of the SEAD 3 program, 
including: Title, Name Of Traveler, Information Type: Pre-Travel And 
Post-Travel, Start Date Of Travel, End Date Of Travel, Carrier Of 
Transportation, Countries You Are Visiting, Passport Number, Passport 
Expiration Date, Names And Association Of Foreign National Travel 
Companions, Planned Foreign Contacts, Emergency Contact Name, Emergency 
Contact Phone Number, Emergency Contact Relationship, Post-Travel 
Questions Relating To Activity, Events, And Interactions.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Standard routine uses 1. through 9. apply. In addition:

[[Page 25902]]

    (a) Disclosure of records to appropriate agencies, entities, and 
persons when (1) the Postal Service suspects or has confirmed that 
there has been a breach of the system of records; (2) the Postal 
Service has determined that as a result of the suspected or confirmed 
breach there is a risk of harm to individuals, the Postal Service 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the Postal Service's efforts to respond to 
the suspected or confirmed breach or to prevent, minimize, or remedy 
such harm.

RECORD SOURCE CATEGORIES:
    Employees; contractors; suppliers; customers.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Automated database, computer storage media, and paper.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    1. Records relating to third-parties are retrievable by name and 
email address.
    2. Records relating to communication and collaboration are 
retrievable by name, email address, and user ID.
    3. Records pertaining to multimedia are retrievable by user name 
and media title.
    4. Records relating to application development are retrievable by 
user ID and application name.
    5. Records relating to Unofficial Foreign Travel Monitoring for 
covered individuals are retrievable by name.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    1. Records relating to third-parties are retained for twenty-four 
months.
    2. Records relating to communication and collaboration are retained 
for twenty-four months.
    3. Multimedia recordings are retained for twenty-four months.
    4. Records relating to application development are retained for 
twenty-four months.
    5. Records relating to Unofficial Foreign Travel Monitoring for 
covered individuals are retained for twenty-five years.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Paper records, computers, and computer storage media are located in 
controlled-access areas under supervision of program personnel. 
Computer access is limited to authorized personnel with a current 
security clearance, and physical access is limited to authorized 
personnel who must be identified with a badge.
    Access to records is limited to individuals whose official duties 
require such access. Contractors and licensees are subject to contract 
controls and unannounced on-site audits and inspections.
    Computers are protected by encryption, mechanical locks, card key 
systems, or other physical access control methods. The use of computer 
systems is regulated with installed security software, computer logon 
identifications, and operating system controls including access 
controls, terminal and transaction logging, and file management 
software.

RECORD ACCESS PROCEDURES:
    Requests for access must be made in accordance with the 
Notification Procedure above and USPS Privacy Act regulations regarding 
access to records and verification of identity under 39 CFR 266.5.

CONTESTING RECORD PROCEDURES:
    See Notification Procedure and Record Access Procedures above.

NOTIFICATION PROCEDURE:
    Customers wanting to know if other information about them is 
maintained in this system of records must address inquiries in writing 
to the Chief Information Officer and Executive Vice President and 
include their name and address.

EXEMPTION(S) PROMULGATED FROM THIS SYSTEM:
    None.

HISTORY:
    None.

Joshua J. Hofer,
Attorney, Ethics & Legal Compliance.
[FR Doc. 2021-09754 Filed 5-10-21; 8:45 am]
BILLING CODE P