[Federal Register Volume 86, Number 226 (Monday, November 29, 2021)]
[Notices]
[Pages 67755-67757]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25871]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. PA-57A; File No. S7-14-21]


Privacy Act of 1974; System of Records

AGENCY: Securities and Exchange Commission.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (SEC) proposes to 
establish SEC-34, Public Health and Safety Records under the Privacy 
Act of 1974. This system of records maintains information collected in 
response to a public health emergency. Information will be collected 
from SEC personnel (political appointees, employees, consultants, 
detailees, interns, and volunteers), contractors, visitors, job 
applicants, and others who access or seek to access SEC facilities or 
worksites to assist the SEC with maintaining a safe and healthy 
workplace and to protect its workforce from risks associated with 
communicable diseases.

DATES: The changes will become effective November 29, 2021, to permit 
public comment on the revised routine uses. The Commission will publish 
a new notice if the effective date is delayed to review comments or if 
changes are made based on comments received. To assure consideration, 
comments should be received on or before November 29, 2021.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's internet comment form (http://www.sec.gov/rules/other.shtml); or
     Send an email to [email protected]. Please include 
File Number S7-14-21 on the subject line.

Paper Comments

    Send paper comments to Vanessa A. Countryman, Secretary, U.S. 
Securities and Exchange Commission, 100 F Street NE, Washington, DC 
20549-1090. All submissions should refer to S7-14-21. This file number 
should be included on the subject line if email is used. To help 
process and review your comments more efficiently, please use only one 
method. The Commission will post all comments on the Commission's 
internet website (http://www.sec.gov/rules/other.shtml). Comments are 
also available for website viewing and printing in the Commission's 
Public Reference Room, 100 F Street NE, Washington, DC 20549, on 
official business days between the hours of 10 a.m. and 3 p.m. All 
comments received will be posted without change; we do not edit 
personal identifying information from submissions. You should submit 
only information that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT: For general and privacy related 
questions please contact: Ronnette McDaniel, Privacy and Information 
Assurance Branch Chief, 202-551-7200 or [email protected].

SUPPLEMENTARY INFORMATION: In order to collect and maintain contractor, 
visitor and job applicant disclosures, the SEC established SEC-34, 
Public Health and Safety Records, a system of records under the Privacy 
Act. The SEC is committed to maintaining a safe and healthy workplace 
and to protect its workforce from risks associated with a public health 
emergency. To ensure and maintain the safety of all SEC personnel 
(political appointees, employees, consultants, detailees, interns, and 
volunteers), contractors, visitors, job applicants, and others who 
access or seek to access an SEC facility, space, or worksite during a 
public health emergency, the SEC may develop and institute safety 
measures that require the collection of personal information. Records 
may include information on individuals' vaccination status and 
information to support a request for reasonable accommodation based on 
disability or sincerely held religious belief. Records also may include 
information on individuals who have been suspected or confirmed to have 
contracted a disease or illness, or who have been exposed to an 
individual who had been suspected or confirmed to have contracted a 
disease or illness, related to a declared public health emergency. 
Records may also include information on the individual circumstances 
surrounding the disease or illness such as dates of suspected exposure, 
testing results, symptoms, treatments, and other related health status 
information. Any contact tracing conducted by SEC personnel will 
involve collecting information about SEC personnel, contractors and 
visitors who are exhibiting symptoms or who have tested positive for an 
infectious disease in order to identify and notify other SEC personnel, 
contractors and visitors with whom they may have come into contact and 
who may have been exposed. Records may also include information on 
individuals identified as emergency contacts for SEC personnel. 
Information from this system of records will be collected, maintained, 
and disclosed in accordance with applicable law, regulations, and 
statutes, including, but not limited to, the Americans with 
Disabilities Act of 1990 and regulations and guidance published by the 
U.S. Occupational Safety and Health Administration, the U.S. Equal 
Employment Opportunity Commission, and the U.S. Centers for Disease 
Control and Prevention.

SYSTEM NAME AND NUMBER:
    SEC-34 Public Health and Safety Records.

SECURITY CLASSIFICATION:
    Non-classified.

SYSTEM LOCATION:
    Securities and Exchange Commission (SEC), 100 F Street NE, 
Washington, DC 20549. Files may also be maintained in the following SEC 
Regional Offices: Atlanta Regional Office (ARO), 950 East Paces Ferry 
Road NE, Suite 900, Atlanta, GA 30326-1382; Boston Regional Office 
(BRO), 33 Arch Street, 24th Floor, Boston, MA 02110-1424; Chicago 
Regional Office (CHRO), 175 W Jackson Boulevard, Suite 1450, Chicago, 
IL 60604; Denver Regional Office (DRO), Byron Rogers Federal Office 
Building, 1961 Stout Street, Suite 1700, Denver, CO 80294-1961; Fort 
Worth Regional Office (FWRO), Burnett Plaza, 801 Cherry Street, Suite 
1900, Unit 18, Fort Worth, TX 76102; Los Angeles Regional Office 
(LARO), 444 South Flower Street, Suite 900, Los Angeles, CA 90071; 
Miami Regional Office (MIRO), 801 Brickell Avenue, Suite 1950, Miami, 
FL 33131; New York Regional Office (NYRO), Brookfield Place, 200 Vesey 
Street, Suite 400, New York, NY 10281-1022; Philadelphia Regional 
Office (PLRO), One Penn Center, 1617 John F. Kennedy Boulevard, Suite 
520, Philadelphia, PA 19103-1844; Salt Lake Regional Office (SLRO), 351 
S West Temple St., Suite 6.100, Salt Lake City, UT 84101; and San 
Francisco Regional Office (SFRO), 44 Montgomery Street, Suite 2800, San 
Francisco, CA 94104.

SYSTEM MANAGER(S):
    Chief Operating Officer, Securities and Exchange Commission, 100 F 
Street NE, Washington, DC 20549.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The authority to collect this information derives from General Duty 
Clause, Sections 5(a)(1) and 19(a) of the Occupational Safety and 
Health (OSH) Act of 1970 (29 U.S.C. 654(a)(1), 668(a)); Section 319 of 
the Public Health Service Act (42 U.S.C. 247d); E.O. 12196, 
Occupational Safety and Health Programs for Federal Employees (Feb. 26, 
1980); Section 791 of the Rehabilitation Act of 1973 (Pub. L. 93-112), 
as amended; Section 701(j) of Title VII, Civil Rights Act of 1964, as 
amended (42 U.S.C. 2000e); Executive Order 13164, Requiring Federal 
Agencies To Establish Procedures To Facilitate the Provision of 
Reasonable Accommodation (July 26, 2000); 29 CFR 1605 and 1614; E.O. 
13991, Protecting the Federal Workforce and Requiring Mask-Wearing 
(Jan. 25, 2021); Executive Order on Ensuring Adequate COVID Safety 
Protocols for Federal Contractors (September 9, 2021); Executive Order 
on Requiring Coronavirus Disease 2019 Vaccination for Federal Employees 
(September 9, 2021); OMB Memorandum M-20-23 Aligning Federal Agency 
Operations with the National Guidelines for Opening Up America Again 
(Apr. 20, 2020); and OMB Memorandum M-21-15 COVID-19 Safe Federal 
Workplace: Agency Model Safety Principles (Jan. 24, 2021). Information 
will be collected and maintained in accordance with the Americans with 
Disabilities Act of 1990 (42 U.S.C. 12101 et seq.).

PURPOSE(S) OF THE SYSTEM:
    The information in the system is collected to assist the SEC with 
maintaining a safe and healthy workplace and to protect its workforce 
from risks associated with communicable diseases that the Secretary of 
the Department of Health and Human Services has determined to be a 
public health emergency pursuant to Section 319(a) of the Public Health 
Service Act (42 U.S.C. 247d(a)) (``Public Health Emergency''). Records 
in this system may be collected, maintained, and used to: (1) Determine 
who may be allowed access to SEC facilities or worksites and what 
testing or medical screening is necessary before a person may enter; 
(2) respond to a significant risk of harm to SEC personnel, 
contractors, and visitors, as well as to any others in SEC facilities 
or worksites; (3) document reports that SEC personnel, contractors, or 
any persons who have been in SEC facilities or worksites may have or 
may have been exposed to a communicable disease that is the subject of 
a Public Health Emergency; (4) perform contact tracing investigations 
of and notifications to SEC personnel, contractors, and visitors known 
or suspected of exposure to communicable diseases that are the subject 
of a Public Health Emergency; (5) inform federal, state, or local 
public health authorities so that these authorities may act to protect 
public health as allowed or required by law; (6) implement such actions 
(e.g. quarantine or isolation) as necessary to prevent the 
introduction, transmission, and spread of a communicable disease that 
is the subject of a Public Health Emergency by SEC personnel, 
contractors, and persons who have been in SEC facilities or worksites; 
(7) comply with Occupational Safety and Health Administration Act 
recordkeeping requirements; and (8) process employee requests for 
reasonable accommodation based on disability or sincerely held 
religious belief.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered by this system include all SEC personnel 
(political appointees, employees, consultants, detailees, interns, and 
volunteers), contractors, visitors, job applicants, and others who 
access or seek to access SEC facilities or worksites. The system also 
covers individuals identified as emergency contacts for SEC staff.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Information collected and maintained may include, but is not 
limited to:

    --Biographical information: Name and contact information.
    --Health information: Body temperature, dates of and symptoms 
relating to a potential or actual exposure to a pathogen, or 
immunization and/or vaccination information.
    --Information to support a request for reasonable accommodation 
based on disability or sincerely held religious belief.
    --Contact tracing information: Dates of visits to SEC facilities, 
locations visited within the facility (e.g., office and cubicle 
number), the duration of time spent in the facility, dates the SEC was 
made aware of the exposure, and potential contacts between potentially 
contagious persons and others in SEC facilities.
    --Testing Results: Negative results, confirmed or unconfirmed 
positive test results, and documents related to the reasons for testing 
or other aspects of test results.
    --Subsequent actions taken by the SEC to address an incident: 
Identifying and contact information of individuals who have been 
suspected or confirmed to have contracted a communicable disease that 
is the subject of a Public Health Emergency, or who have been exposed 
to an individual who has been suspected or confirmed to have contracted 
a communicable disease that is the subject of a Public Health 
Emergency; individual circumstances and dates of suspected exposure; 
symptoms; and treatments. The SEC uses this information to maintain a 
safe and healthy workplace and to protect its workforce. Although it is 
not the intent for the SEC to collect family medical information, an 
individual may indicate that they were exposed to specific family 
members who have been diagnosed with, or are suspected to have, the 
disease in question. To the extent this information may be acquired 
inadvertently, such information will be kept as a confidential medical 
record and maintained separately from an employee's SEC personnel file.

RECORD SOURCE CATEGORIES:
    The information in this system is collected directly from the 
individual or from the individual's emergency contact. Information may 
also be collected from security systems that monitor access to SEC 
facilities, such as badging systems, video surveillance, human 
resources systems, emergency notification systems, and federal, state, 
and local agencies assisting with the response to a Public Health 
Emergency. Information may also be collected from SEC contractors or 
from property management companies responsible for managing office 
buildings that house SEC facilities or worksites, including the General 
Services Administration (GSA).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, these records or information contained 
therein may specifically be disclosed outside the Commission as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    1. To appropriate agencies, entities, and persons when (1) SEC 
suspects or has confirmed that there has been a breach of the system of 
records; (2) the SEC has determined that as a result of the suspected 
or confirmed breach there is a risk of harm to individuals, the SEC 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and the SEC's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    2. To a Federal, State, or local agency to the extent necessary to 
comply with laws governing reporting of infectious disease.
    3. To SEC personnel, contractors, visitors, emergency contacts, or 
others to notify an individual (1) who has been exposed or may have 
potentially been exposed to a communicable disease that is the subject 
of a Public Health Emergency of information regarding the exposure or 
potential exposure, or (2) who may have reason to know of circumstances 
that increase the risk of such exposure. To the extent possible, all 
information will be anonymized.
    4. To another Federal agency, to a court, or a party in litigation 
before a court or in an administrative proceeding being conducted by a 
Federal agency when the SEC is a party to the judicial or 
administrative proceeding where the information is relevant and 
necessary to the proceeding.
    5. To employees, grantees, experts, contractors, and others who 
have been engaged by the Commission to assist in the performance of a 
service related to this system of records and who need access to the 
records for the purpose of assisting the Commission in the efficient 
administration of its programs, including by performing clerical, 
stenographic, or data analysis functions, or by reproduction of records 
by electronic or other means. Recipients of these records shall be 
required to comply with the requirements of the Privacy Act of 1974, as 
amended, 5 U.S.C. 552a.
    6. To a Congressional office from the record of an individual in 
response to an inquiry from the Congressional office made at the 
request of that individual.
    7. To another Federal agency or Federal entity, when the SEC 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records in this system of records are stored electronically or on 
paper in secure facilities. Electronic records are stored on the SEC's 
secure network.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information covered by this system of records notice may be 
retrieved by the name of the individual, contact information, or by 
some combination thereof.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The records will be maintained until they become inactive, at which 
time they will be retired or destroyed in accordance with records 
schedules of the United States Securities and Exchange Commission, and 
as approved by the National Archives and Records Administration.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Access to SEC facilities, data centers, and information or 
information systems is limited to authorized personnel with official 
duties requiring access. SEC facilities are equipped with security 
cameras, and, at certain SEC facilities, 24-hour security guard 
service. Computerized records are safeguarded in a secured environment. 
Security protocols meet the promulgating guidance as established by the 
National Institute of Standards and Technology (NIST) Security 
Standards from Access Control to Data Encryption and Security 
Assessment & Authorization (SA&A). Records are maintained in a secure, 
password-protected electronic system that will utilize commensurate 
safeguards that may include: Firewalls, intrusion detection and 
prevention systems, and role-based access controls. Additional 
safeguards will vary by program. All records are protected from 
unauthorized access through appropriate administrative, operational, 
and technical safeguards. These safeguards include: restricting access 
to authorized personnel who have a ``need to know''; using locks; and 
password protection identification features. Contractors and other 
recipients providing services to the Commission shall be required to 
maintain equivalent safeguards.

RECORD ACCESS PROCEDURES:
    Persons seeking to gain access to any record contained in this 
system of records may inquire in writing in accordance with 
instructions in SEC Privacy Act Regulations; 17 CFR 200.301 et seq. 
Address such request to: FOIA/PA Officer, Securities and Exchange 
Commission, 100 F Street NE, Mail Stop 5100, Washington, DC 20549-2736.

CONTESTING RECORD PROCEDURES:
    Persons seeking to contest the content of any record contained in 
this system of records may inquire in writing in accordance with 
instructions in SEC Privacy Act Regulations, 17 CFR 200.301 et seq. 
Address such requests to: FOIA/PA Officer, Securities and Exchange 
Commission, 100 F Street NE, Mail Stop 5100, Washington, DC 20549-2736.

NOTIFICATION PROCEDURES:
    See ``Record Access Procedures'' above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Release No. PA-57; File No. S7-14-21; 86 FR 60496, November 2, 
2021.

    By the Commission.

    Dated: November 22, 2021.
J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2021-25871 Filed 11-26-21; 8:45 am]
BILLING CODE 8011-01-P