[Federal Register Volume 87, Number 55 (Tuesday, March 22, 2022)]
[Notices]
[Pages 16244-16245]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-06007]


=======================================================================
-----------------------------------------------------------------------

NATIONAL ARCHIVES AND RECORDS ADMINISTRATION

[NARA-2021-027]


Privacy Act of 1974; System of Records

AGENCY: National Archives and Records Administration (NARA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: We propose revising Appendix A of our existing Privacy Act 
inventory of systems subject to the Privacy Act of 1974, which contains 
the common routine uses that apply to some or all of our systems of 
records. We propose to revise routine use H, which permits sharing 
information when there has been a data breach and it's necessary to 
respond to the breach. And we propose adding a new routine use for 
sharing information with other agencies that experience a data breach. 
Both of these changes are required by an OMB memorandum and these 
routine uses apply to all of our systems of records. Routine use H is 
already included in all of our SORNs, but we are now adding routine use 
I to them as well. In this notice, we publish the revised routine use H 
and the new routine use I for public notice and comment and add routine 
use I to all of our SORNs.

DATES: Submit comments on these routine uses by April 21, 2022. This 
revision to Appendix A is effective on May 2, 2022 unless we receive 
comments that necessitate revising the SORN.

ADDRESSES: You may submit comments, identified by ``SORN Appendix A'' 
by one of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Due to COVID-19 restrictions, we do not have staff at the 
building to receive mail, so we are temporarily suspending the mailing 
option. If you are not able to submit comments using the eRulemaking 
portal and need to make other arrangements, please email us at 
[email protected] and we will work with you on an 
alternative.
    Instructions: All submissions must include SORN Appendix A so we 
can identify what the comment is responding to. We may publish any 
comments we receive without changes, including any personal information 
you include.

FOR FURTHER INFORMATION CONTACT: Kimberly Keravuori, Regulatory and 
External Policy Program Manager, by

[[Page 16245]]

email at [email protected] or by phone at 301.837.3151.

SUPPLEMENTARY INFORMATION: Appendix A is part of our system of records 
notices that cover systems containing information protected by the 
Privacy Act. Appendix A contains the routine uses that apply to all or 
many of our Privacy Act-covered systems and currently consists of uses 
A through H. Appendix A was last republished on December 20, 2013 (78 
FR 77255, 77287). For the most up-to-date information, see the Appendix 
on our website at www.archives.gov/privacy/inventory.
    The existing routine use H already covers disclosure of information 
in the system of records when necessary to facilitate responses to data 
breaches of the system. However, the Office of Management and Budget 
(OMB) issued a memorandum that included provisions relating to data 
breach routine uses that OMB required all agencies to incorporate into 
their SORNs. So we are updating routine use H to incorporate the 
required provisions from OMB M-17-12.
    OMB M-17-12 also required agencies to incorporate provisions for 
another routine use, also related to data breaches, but designed to 
facilitate sharing information between agencies when appropriate so 
that another agency can better respond to its data breach. For example, 
this may include information that would assist the other agency in 
locating or contacting individuals potentially affected by a breach, or 
information that is related to the other agency's programs or 
information. So that we can disclose records in our systems of records 
that may reasonably be needed by another agency in responding to a 
breach, we are adding this routine use to all our systems of records.
    The changes to routine use H will affect and be incorporated into 
all of our SORNs, and the new routine use I will be added to all of our 
SORNs based on this notice. To see the most current versions of our 
SORNs and Appendix A at any time, visit our website at 
www.archives.gov/privacy/inventory.
    The Privacy Act of 1974, as amended (5 U.S.C. 552a) (``Privacy 
Act''), provides certain safeguards for an individual against an 
invasion of personal privacy. It requires Federal agencies that 
disseminate any record of personally identifiable information to do so 
in a manner that assures the action is for a necessary and lawful 
purpose, the information is current and accurate for its intended use, 
and the agency provides adequate safeguards to prevent misuse of such 
information. NARA intends to follow these principles when transferring 
information to another agency or individual as a ``routine use,'' 
including assuring that the information is relevant for the purposes 
for which it is transferred.

David S. Ferriero,
Archivist of the United States.
APPENDIX A
    The following routine use statements apply to National Archives and 
Records Administration notices when indicated in the notice:
* * * * *
    H. Routine Use--Data breach: A record from this system of records 
may be disclosed to appropriate agencies, entities, and people when (1) 
we suspect or confirm that there has been a breach of the system of 
records; (2) we determine that, as a result of the suspected or 
confirmed breach, there is a risk of harm to individuals, NARA 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and people is reasonably necessary to 
assist our efforts to respond to the suspected or confirmed breach or 
to prevent, minimize, or remedy such harm.
    I. Routine Use--Other agency data breach: A record from this system 
of records may be disclosed to another Federal agency or Federal 
entity, when we determine that information from this system of records 
is reasonably necessary to assist the recipient agency or entity to (1) 
respond to a suspected or confirmed breach or (2) prevent, minimize, or 
remedy the risk of harm to individuals, the recipient agency or entity 
(including its information systems, programs, and operations), the 
Federal Government, or national security, resulting from a suspected or 
confirmed breach.

HISTORY:
    Last republished in full on December 20, 2013 (78 FR 77255).
[FR Doc. 2022-06007 Filed 3-21-22; 8:45 am]
BILLING CODE 7515-01-P