[Federal Register Volume 87, Number 216 (Wednesday, November 9, 2022)]
[Notices]
[Pages 67690-67692]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-24423]


-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

[Notice-ID-2022-03; Docket No. 2022-0002; Sequence No. 27]


Privacy Act of 1974; System of Records

AGENCY: General Services Administration (GSA).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The purpose of the system of records is to maintain personal 
contact information of government employees in order to ship home 
office equipment.

DATES: This system of records will go into effect without further 
notice on December 9, 2022 unless otherwise revised pursuant to 
comments received.

ADDRESSES: You may submit comments by any of the following methods:
     By email to the GSA Privacy Act Officer: 
[email protected].
     By mail to: Privacy Office (IDE), GSA, 1800 F Street NW, 
Washington, DC 20405.

FOR FURTHER INFORMATION CONTACT: Richard Speidel, Chief Privacy 
Officer, GSA, by email at [email protected] or by phone at 202-
969-5830.

SUPPLEMENTARY INFORMATION: The General Services Administration seeks to 
establish a new system of records for the GSA Advantage! program. GSA 
Advantage! is an online shopping and ordering system used by government 
agencies to purchase goods and services. GSA seeks to use GSA 
Advantage! As a medium for government employees to order home office 
equipment. This system of records will securely manage users' personal 
contact information to facilitate shipping this equipment directly to 
federal employees' personal mailing addresses.

SYSTEM NAME AND NUMBER:
    GSA Advantage!--GSA/ADV-1.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The General Services Administration (GSA) Federal Acquisition 
Service (FAS) is the owner of the system. The system is hosted, 
operated, and maintained by GSA staff and contractors. Records are 
maintained in an electronic form on servers housed at government 
facilities within the United States. Contact the system manager for 
additional information.

SYSTEM MANAGER(S):
    Director, eCommerce Division GSA IT, Office of Acquisition IT 
Services, 1800 F St. NW, Washington, DC 20405.

[[Page 67691]]

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    E-Government Act of 2002, Public Law 107-347 Sec. 204 (44 U.S.C. 
3501 note); 40 U.S.C. 501; Public Law 104-52 Sec 620; 40 U.S.C. 
587(c)(3).

PURPOSE(S) OF THE SYSTEM:
    GSA Advantage! is the government's online electronic shopping and 
ordering system. The purpose for the GSA Advantage! Program collecting 
Personally Identifiable Information (PII) is to allow the purchase and 
shipment of home office equipment directly to federal employees.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered by the system are federal employees.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system contains information related to the purchase and 
shipment of home office equipment through the GSA Advantage! platform. 
Data elements include the covered individual's:
     full name;
     email address;
     phone number; and
     home address.

RECORD SOURCE CATEGORIES:
    Information is obtained from covered individuals ordering home 
office equipment.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed to authorized 
entities, as is determined to be relevant and necessary, outside GSA as 
a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    a. To the on-line ordering fulfillment contractor to allow for the 
confirmation by email of orders received, fulfilled and closed.
    b. To shipping contractors or government agencies responsible for 
mailing services to ship the equipment to employees.
    c. To an expert, consultant, or other contractor of GSA in the 
performance of a federal duty to which the information is relevant.
    d. To an appropriate federal, state, tribal, local, international, 
or foreign law enforcement agency or other appropriate authority 
charged with investigating or prosecuting a violation or enforcing or 
implementing a law, rule, regulation, or order, where a record, either 
on its face or in conjunction with other information, indicates a 
violation or potential violation of law, which includes criminal, 
civil, or regulatory violations.
    e. To the Department of Justice (DOJ) or other federal agency 
conducting litigation or in proceedings before any court, adjudicative 
or administrative body, when: (a) GSA or any component thereof, or (b) 
any employee of GSA in his/her official capacity, or (c) any employee 
of GSA in his/her individual capacity where DOJ or GSA has agreed to 
represent the employee, or (d) the United States or any agency thereof, 
is a party to the litigation or has an interest in such litigation, and 
GSA determines that the records are both relevant and necessary to the 
litigation.
    f. To a court in connection with any litigation or settlement 
discussions regarding claims by or against GSA, to the extent that GSA 
determines the disclosure of the information is relevant and necessary 
to the litigation or discussions.
    g. To an appeal, grievance, hearing, or complaints examiner; an 
equal employment opportunity investigator, arbitrator, or mediator; and 
an exclusive representative or other person authorized to investigate 
or settle a grievance, complaint, or appeal filed by an individual who 
is the subject of the record.
    h. To the National Archives and Records Administration (NARA) for 
records management purposes.
    i. To the Office of Personnel Management (OPM), the Office of 
Management and Budget (OMB), and the Government Accountability Office 
(GAO) in accordance with their responsibilities for evaluating federal 
programs.
    j. To a Member of Congress or his or her staff on behalf of and at 
the request of the individual who is the subject of the record.
    k. To another federal agency or federal entity, when GSA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the federal 
government, or national security, resulting from a suspected or 
confirmed breach.
    l. To appropriate agencies, entities, and persons when (1) GSA 
suspects or has confirmed that the security or confidentiality of 
information in the system of records has been compromised; (2) GSA has 
determined that as a result of the suspected or confirmed compromise 
there is a risk of harm to economic or property interests, identity 
theft or fraud, or harm to the security or integrity of this system or 
other systems or programs (whether maintained by GSA or another agency 
or entity) that rely upon the compromised information; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with GSA's efforts to respond to the 
suspected or confirmed compromise and prevent, minimize, or remedy such 
harm.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    All records are stored in a secure data center. PII is encrypted in 
transit, encrypted at rest, and not viewable by other users.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Application administrators can retrieve records by any field search 
using their administrative login via Multi-Factor authentication 
(including appropriate background investigation and access approvals). 
All direct data retrievals are logged for tracking.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    System records are retained and disposed of according to GSA 
records maintenance and disposition schedules, the requirements of the 
Recovery Board, and the National Archives and Records Administration 
guidance.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    System records are safeguarded in accordance with the requirements 
of the Privacy Act, the Computer Security Act, and the GSA Advantage! 
System Security Plan. System roles are assigned with specific 
permissions to allow or prevent accessing certain information. Records 
in the system are protected from unauthorized access and misuse through 
a combination of administrative, technical, and physical security 
measures. Administrative measures include, but are not limited to, 
policies that limit system access to individuals within an agency with 
a legitimate business need, and regular review of security procedures 
and best practices to enhance security. Technical measures include but 
are not limited to system design that enforces separation of duties for 
privileged users including role-based access controls; multi-factor 
authentication with strong passwords that are frequently changed; FIPS 
140-2 compliant database encryption, and FIPS 140-2 compliant 
encryption in

[[Page 67692]]

transit. Physical security measures include but are not limited to the 
use of secure data centers which meet government requirements for 
storage of sensitive data.

RECORD ACCESS PROCEDURES:
    Requests for access to records should be directed to the system 
manager. Individuals seeking access to their records in this system of 
records may submit a request by following the instructions provided in 
41 CFR part 105-64.2.

CONTESTING RECORD PROCEDURES:
    Individuals wishing to contest the content of records about 
themselves contained in this system of records should contact the 
system manager at the address above. See 41 CFR part 105-64.4 for full 
details on what to include in a Privacy Act amendment request.

NOTIFICATION PROCEDURES:
    Individuals seeking notification of any records about themselves 
contained in this system of records should contact the system manager 
at the address above. Follow the procedures on accessing records in 41 
CFR part 105-64.2 to request such notification.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    N/A.

Richard Speidel,
Chief Privacy Officer, Enterprise Data & Privacy Management Office, 
General Services Administration.
[FR Doc. 2022-24423 Filed 11-8-22; 8:45 am]
BILLING CODE 6820-34-P