[Federal Register Volume 86, Number 243 (Wednesday, December 22, 2021)]
[Rules and Regulations]
[Pages 72523-72525]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-27706]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 310

[Docket ID: DoD-2020-OS-0095]
RIN 0790-AK96


Privacy Act of 1974; Implementation

AGENCY: Office of the Secretary of Defense (OSD), Department of Defense 
(DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The DoD is issuing a final rule to amend its regulations to 
exempt portions of the DoD-0004, ``Defense Repository for Common 
Enterprise Data (DRCED),'' system of records from certain provisions of 
the Privacy Act of 1974.

DATES: This rule is effective on January 21, 2022.

FOR FURTHER INFORMATION CONTACT: Ms. Lyn Kirby, [email protected], 
(703) 571-0070.

SUPPLEMENTARY INFORMATION:

Discussion of Comments and Changes

    The proposed rule published in the Federal Register (86 FR 498-499) 
on January 6, 2021. Comments were accepted for 60 days until March 8, 
2021. A total of four comments were received. Please see the summarized 
comments and the Department's response as follows:
    Commentators generally agreed that exempting national security and 
classified data is appropriate under this exemption rule and that 
exempting national security and classified information is in the best 
interests of the Department and the Nation. Notwithstanding that, a 
majority of the comments voiced a desire for more transparency about 
the classification process itself within the DoD. Although these 
comments do not directly pertain to the Privacy Act and the exemption 
claimed for this system of records notice (SORN), to promote public 
understanding in this area a description of the classification process 
at DoD is provided below.
    Executive Order 13526 prescribes the framework for the Federal 
Government (to include DoD) to classify national security information. 
Only DoD personnel who hold positions of trust and are delegated 
original classification authority in writing are authorized to review 
the Department's information and determine whether damage would result 
to national security if that information were disclosed to the public. 
Several oversight and compliance mechanisms exist to ensure the 
classification of information process is appropriate.
    These safeguards include the following: Personnel authorized to 
make classification determinations are required to receive training in 
proper classification, including the avoidance of over-classification, 
and declassification at least once a calendar year; information may 
only be classified if it pertains to specific categories or subjects, 
including military plans, weapons systems, or operations and 
intelligence activities; and agency heads must (on a periodic basis) 
complete a comprehensive review of the agency's classification 
guidance, to include reviewing information that is classified within 
the agency, provide the results of such review to appropriate officials 
outside the agency at the National Archives, and release an 
unclassified version of the review to the public. Authorized holders of 
classified information are also encouraged and expected to 
``challenge'' classification determinations if they believe the 
classification status is improper, and any individual or entity can 
request any Federal agency to review classified information for 
declassification, regardless of its age or origin, in accordance with 
the Mandatory Declassification Review (MDR) process. Additional 
information about the MDR process can be found on the National Archives 
and Records Administration's MDR program page at https://www.archives.gov/isoo/training/mdr. In the interests of protecting 
information critical to the Nation's defense, it is appropriate for the 
DoD to properly classify and exempt such information from public 
release under the Privacy Act so as to protect U.S. national security. 
Having considered the public comments, the Department will implement 
the rulemaking as proposed.
    Additionally, DoD received one supportive, but non-substantive, 
comment on the system of records notice (SORN) that published in the 
Federal Register on January 6, 2021 (86 FR 526-529). The public comment 
period for the SORN ended on February 5, 2021.

[[Page 72524]]

Background

    In finalizing this rule, DoD exempts portions of the updated and 
reissued DoD-0004 DRCED system of records from certain provisions of 
the Privacy Act. DoD uses this system of records to automate financial 
and business transactions, perform cost-management analysis, produce 
oversight and audit reports, and provide critical data linking to 
improve performance of mission objectives. This system of records 
supports DoD in creating predictive analytic models based upon specific 
data streams to equip decision makers with critical data necessary for 
execution of fiscal and operational requirements. Some of the records 
that are part of the DoD-0004 DRCED system of records may contain 
classified national security information and disclosure of those 
records to an individual may cause damage to national security. The 
Privacy Act, pursuant to 5 U.S.C. 552a(k)(1), authorizes agencies to 
claim an exemption for systems of records that contain information 
properly classified pursuant to executive order. For this reason, DoD 
has exempted portions of the DoD-0004 DRCED system of records from the 
access and amendment requirements of the Privacy Act, pursuant to 5 
U.S.C. 552a(k)(1), to prevent disclosure of any information properly 
classified pursuant to executive order, including Executive Order 
13526, as implemented by DoD Instruction 5200.01, ``DoD Information 
Security Program and Protection of Sensitive Compartmented Information 
(SCI)'' (available at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520001p.PDF?ver=cF1II-jcFGP6jfNrnTr8lQ%3d%3d); DoD 
Manual (DoDM) 5200.01, Volume 1, ``DoD Information Security Program: 
Overview, Classification, and Declassification'' (available at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/520001m_vol1.pdf?ver=2020-08-04-092500-203); and DoDM 5200.01, Volume 
3, ``DoD Information Security Program: Protection of Classified 
Information'' (available at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/520001m_vol3.pdf?ver=MJfVD-nRd2HTyLSzDse9VQ%3d%3d).
    This rule will deny an individual access under the Privacy Act to 
only those portions of records for which the claimed exemption applies. 
In addition, records in the DoD-0004 DRCED system of records are only 
exempt from the Privacy Act to the extent the purposes underlying the 
exemption pertain to the record.

Regulatory Analysis

Executive Order 12866, ``Regulatory Planning and Review'' and Executive 
Order 13563, ``Improving Regulation and Regulatory Review''

    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distribute impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. It has been determined that this rule is not a significant 
regulatory action.

Congressional Review Act

    This rule is not a ``major rule'' as defined by 5 U.S.C. 804(2).

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. Chapter 6)

    The Assistant to the Secretary of Defense for Privacy, Civil 
Liberties, and Transparency has certified that this Privacy Act rule 
does not have significant economic impact on a substantial number of 
small entities because they are concerned only with the administration 
of Privacy Act systems of records within the DoD.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

    It has been determined that this rule does not impose additional 
information collection requirements on the public under the Paperwork 
Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

Section 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    It has been determined that this rule does not involve a Federal 
mandate that may result in the expenditure by State, local and tribal 
governments, in the aggregate, or by the private sector, of $100 
million or more and that it will not significantly or uniquely affect 
small governments.

Executive Order 13132, ``Federalism''

    It has been determined that this rule does not have federalism 
implications. This rule does not have substantial direct effects on the 
States, on the relationship between the National Government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government.

Executive Order 13175, ``Consultation and Coordination With Indian 
Tribal Governments''

    Executive Order 13175 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct compliance costs on one or 
more Indian tribes, preempts tribal law, or effects the distribution of 
power and responsibilities between the federal government and Indian 
tribes. This rule will not have a substantial effect on Indian tribal 
governments.

List of Subjects in 32 CFR Part 310

    Privacy.

    Accordingly, 32 CFR part 310 is amended as follows:

PART 310--[AMENDED]

0
1. The authority citation for 32 CFR part 310 continues to read as 
follows:

    Authority:  5 U.S.C. 552a.


0
2. Section 310.13 is amended by adding paragraph (e)(3) to read as 
follows:


Sec.  310.13  Exemptions for DoD-wide systems.

* * * * *
    (e) * * *
    (3) System identifier and name. DoD-0004, ``Defense Repository for 
Common Enterprise Data (DRCED).''
    (i) Exemptions. This system of records is exempt from subsections 5 
U.S.C. 552a(c)(3), (d)(1), (d)(2), (d)(3), and (d)(4) of the Privacy 
Act.
    (ii) Authority. 5 U.S.C. 552a(k)(1).
    (iii) Exemption from the particular subsections. Exemption from the 
particular subsections is justified for the following reasons:
    (A) Subsection (c)(3) (accounting of disclosures). Because common 
enterprise records may contain information properly classified pursuant 
to executive order, the disclosure accountings of such records may also 
contain information properly classified pursuant to executive order, 
the disclosure of which may cause damage to national security.
    (B) Subsections (d)(1), (2), (3), and (4) (record subject's right 
to access and amend records). Access to and amendment of records by the 
record subject could disclose information properly classified pursuant 
to executive order. Disclosure of classified records to an individual 
may cause damage to national security.

[[Page 72525]]

    (iv) Exempt records from other systems. In addition, in the course 
of carrying out the overall purpose for this system, exempt records 
from other system of records may in turn become part of the records 
maintained in this system. To the extent that copies of exempt records 
from those other systems of records are maintained in this system, the 
DoD claims the same exemptions for the records from those other systems 
that are entered into this system, as claimed for the prior system(s) 
of which they are a part, provided the reason for the exemption remains 
valid and necessary.
* * * * *

    Dated: December 16, 2021.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2021-27706 Filed 12-21-21; 8:45 am]
BILLING CODE 5001-06-P