[Federal Register Volume 88, Number 16 (Wednesday, January 25, 2023)]
[Notices]
[Pages 4882-4885]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-01437]
[[Page 4882]]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; System of Records
AGENCY: Department of Veterans Affairs, Veterans Health Administration.
ACTION: Notice of a Modified System of Records.
-----------------------------------------------------------------------
SUMMARY: Pursuant to the Privacy Act of 1974, notice is hereby given
that the Department of Veterans Affairs (VA) is modifying the system of
records entitled ``Voluntary Service Records--VA'' (57VA10B2A). This
system is used for training, compliance, work assignment, tracking the
number of regularly scheduled volunteers and occasional volunteers, to
produce statistical and managerial reports on the number of hours and
visits of all volunteers each month, and to present volunteers with
certificates of appreciation for service.
DATES: Comments on this modified system of records must be received no
later than 30 days after date of publication in the Federal Register.
If no public comment is received during the period allowed for comment
or unless otherwise published in the Federal Register by VA, the
modified system of records will become effective a minimum of 30 days
after date of publication in the Federal Register. If VA receives
public comments, VA shall review the comments to determine whether any
changes to the notice are necessary.
ADDRESSES: Comments may be submitted through www.Regulations.gov or
mailed to VA Privacy Service (005R1A), 810 Vermont Avenue NW,
Washington, DC 20420. Comments should indicate that they are submitted
in response to ``Voluntary Service Records--VA (57VA10B2A)''. Comments
received will be available at regulations.gov for public viewing,
inspection or copies.
FOR FURTHER INFORMATION CONTACT: Stephania Griffin, Veterans Health
Administration Chief Privacy Officer, Department of Veterans Affairs,
810 Vermont Avenue NW, Washington, DC 20420; telephone (704) 245-2492
(Note: this is not a toll-free number).
SUPPLEMENTARY INFORMATION: VA is modifying the system by revising the
System Number; System Location; System Manager; Purpose of the System;
Categories of Records in the System; Record Source Categories; Routine
Uses of Records Maintained in the System; Policies and Practices for
Storage of Records; Policies and Practices for Retrievability of
Records Policies; Practices for Retention and Disposal of Records;
Physical, Procedural, and Administrative Safeguards; Records Access
Procedure; Contesting Record Procedure; and Notification Procedure. VA
is republishing the system notice in its entirety.
The System Number will be changed from 57VA10B2A to 57VA10 to
reflect the current Veterans Health Administration organizational
routing symbol.
The System Location is being updated to remove references to
servers located at the Austin Information Technology Center, 1615
Woodward Street, Austin, Texas 78772. This section will include that
the system is in the Microsoft Government Community Cloud (GCC), a
government-authorized cloud-service provider, with Microsoft Global
Foundation Services (GFS) Datacenters in Boydton, Virginia; Des Moines,
Iowa; Dallas, Texas; and Phoenix, Arizona. For security reasons,
Microsoft does not disclose the physical location of the data centers.
For more information, please refer to the Joint Authorization Board
(JAB) Federal Risk and Authorization Management Program's (FedRAMP)
Authority to Operate (ATO) for Microsoft Dynamics Customer Relationship
Management (CRM).
The System Manager is being updated to replace Director, Voluntary
Service Office, with Director, VA Center for Development and Civic
Engagement. Being removed is Technatomy Contractor, Jay Singh, VHA
Oakland Office of Information Field Office, 1301 Clay Street, Suite
1350N, Oakland, California 94612. This section will include Stefano
Masi, Veteran Relationship Management Product Line Manager, 555 Willard
Ave., Newington, CT 06111.
The Purpose of the System is being modified to include training,
compliance and work assignment.
The Record Source Categories is being modified to change 24VA10P2
to 24VA10A7.
The following routine use is added and will be routine use #10,
Data Breach Response and Remediation, For Another Agency: To another
Federal agency or Federal entity, when VA determines that information
from this system of records is reasonably necessary to assist the
recipient agency or entity in (1) responding to a suspected or
confirmed breach or (2) preventing, minimizing, or remedying the risk
of harm to individuals, the recipient agency or entity (including its
information systems, programs, and operations), the Federal Government,
or national security, resulting from a suspected or confirmed breach.
The following routine use is added and will be routine use #11,
Parent or Guardian of Minor Volunteer: To the parent or legal guardian
of a minor volunteer. This routine use will allow VA to share
information on the work schedule for summer student volunteers with
their parents or legal guardians.
Policies and Practices for Storage of Records and Physical,
Procedural, and Administrative Safeguards are being modified to replace
Austin, Texas with the Microsoft GCC.
Policies and Practices for Retrievability of Records is being
modified to replace VistA patient files, with Occupational Health
Record-Keeping System.
Policies and Practices for Retention and Disposal of Records is
being modified to remove: 1. The individual volunteer's record of
service is maintained by the VA health care facility, as long as he or
she is living and actively participating in the VA Voluntary Service
(VAVS) program. VAVS maintains minimum information on all volunteers
indefinitely. These minimum records include the volunteer's name,
address, date of birth, telephone number, next of kin information,
assignments worked, hours and years of service, and last award
received.
2. Depending on the record medium, records are destroyed by either
shredding or degaussing. Summary reports and other output reports are
destroyed when no longer needed for current operation. Regardless of
record medium, no records will be retired to a Federal records center
reports and other output reports are destroyed when no longer needed
for current operation. Regardless of record medium, no records will be
retired to a Federal records center.
This section will now reflect the following: Records in this system
are retained and disposed of in accordance with the schedule approved
by the Archivist of the United States, VHA RCS 10-1, Item Number
3020.10-3020.11.
The Record Access Procedure, Contesting Record Procedure and
Notification Procedure have been modified to reflect standard language
across VA systems of records.
The Report of Intent to Modify a System of Records Notice and an
advance copy of the system notice have been sent to the appropriate
Congressional committees and to the Director of the Office of
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.
[[Page 4883]]
Signing Authority
The Senior Agency Official for Privacy, or designee, approved this
document and authorized the undersigned to sign and submit the document
to the Office of the Federal Register for publication electronically as
an official document of the Department of Veterans Affairs. Kurt D.
DelBene, Assistant Secretary for Information and Technology and Chief
Information Officer, approved this document on December 13, 2022 for
publication.
Dated: January 20, 2023.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security,
Office of Information and Technology, Department of Veterans Affairs.
SYSTEM NAME AND NUMBER:
``Voluntary Service Records--VA'' (57VA10).
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Records are maintained at each of the VA health care facilities and
in the Center for Development and Civic Engagement Portal (CDCEP).
Active records are retained at the VA health care facility listed in
Appendix 1 where the individual has volunteered to assist the
administrative and professional personnel and in the CDCEP. Basic
information for all inactive records is retained at the facility where
the volunteer worked and in the CDCEP. CDCEP is a web-based volunteer
management system currently located in the Microsoft Government
Community Cloud (GCC), a government-authorized cloud-service provider,
with Microsoft Global Foundation Services (GFS) Datacenters in Boydton,
Virginia; Des Moines, Iowa; Dallas, Texas; and Phoenix, Arizona. For
security reasons, Microsoft does not disclose the physical location of
the data centers. For more information, please refer to the Joint
Authorization Board (JAB) Federal Risk and Authorization Management
Program's (FedRAMP) Authority to Operate (ATO) for Microsoft Dynamics
Customer Relationship Management (CRM).
SYSTEM MANAGER(S):
Official responsible for policies and procedures: Director, VA
Center for Development and Civic Engagement (CDCE), Department of
Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420.
Telephone number 202-461-7300 (this is not a toll-free number).
Official maintaining the system: Veteran Relationship Management
Product Line Manager, 555 Willard Ave., Newington, CT 06111.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
38 U.S.C. 513.
PURPOSE(S) OF THE SYSTEM:
This system of records is used for training, compliance, work
assignment, tracking the number of regularly scheduled volunteers and
occasional volunteers, to produce statistical and managerial reports on
the number of hours and visits of all volunteers each month, and to
present volunteers with certificates of appreciation for service.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
These records include information on all volunteers (i.e.,
regularly scheduled volunteers, occasional volunteers, student
volunteers), including but not limited to, non-affiliated and members
of voluntary service organizations, such as welfare, service, Veterans,
fraternal, religious, civic, industrial, labor, and social groups or
clubs, which voluntarily offer the services of their organizations and/
or individuals to assist with the provision of care to patients, either
directly or indirectly, through VA Voluntary Service under 38 U.S.C.
513.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records may include personal information, such as name,
address, phone number, email address, date of birth, and volunteer date
in a VA health care facility, as provided by the volunteer on VA Form
10-7055, ``Application for Voluntary Service;'' information relating to
the individual membership in service organizations, qualifications,
restrictions and preferences of duty and availability to schedule time
of service; training records pertaining to the volunteer's service will
also be maintained for all active volunteers at the facility where the
volunteer works; medical records of active volunteers will be
maintained in the facility's Employee Health office; fingerprint and
background investigation records will be maintained by the local
facility's office that handles those investigations.
RECORD SOURCE CATEGORIES:
Information in this system of records is provided by the volunteer,
their family, civic and service organization, ``Patient Medical
Records--VA'' (24VA10A7), and CDCE/VA Voluntary Service (VAVS) at the
VA health care facility where the volunteer worked.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
To the extent that records contained in the system include
individually-identifiable patient information protected by 38 U.S.C.
7332, that information cannot be disclosed under a routine use unless
there is also specific disclosure authority in 38 U.S.C. 7332.
1. Law Enforcement: To a Federal, state, local, territorial,
tribal, or foreign law enforcement authority or other appropriate
entity charged with the responsibility of investigating or prosecuting
such violation or charged with enforcing or implementing such law,
provided that the disclosure is limited to information that, either
alone or in conjunction with other information, indicates a violation
or potential violation of law, whether civil, criminal, or regulatory
in nature. The disclosure of the names and addresses of Veterans and
their dependents from VA records under this routine use must also
comply with the provisions of 38 U.S.C. 5701.
2. Nonprofits, for RONA: To a nonprofit organization if the release
is directly connected with the conduct of programs and the utilization
of benefits under Title 38, provided that the disclosure is limited the
names and addresses of present or former members of the armed services
or their beneficiaries, the records will not be used for any purpose
other than that stated in the request and the agency or instrumentality
is aware of the penalty provision of 38 U.S.C. 5701(f).
3. Volunteer Administration: To confirm volunteer service, duty
schedule, and assignments to service organizations, Bureau of
Unemployment, insurance firms, office of personnel of the individual's
fulltime employment; to assist in the development of VA history of the
volunteer and their assignments; and to confirm voluntary hours for on-
the job accidents, and for recognition awards.
4. Congress: To a Member of Congress or staff acting upon the
Member's behalf when the Member or staff requests the information on
behalf of, and at the request of, the individual who is the subject of
the record.
5. NARA: To the National Archives and Records Administration (NARA)
in records management inspections conducted under 44 U.S.C. 2904 and
2906, or other functions authorized by laws and policies governing NARA
operations and VA records management responsibilities.
6. DOJ, Litigation, Administrative Proceeding: To the Department of
Justice (DoJ), or in a proceeding before
[[Page 4884]]
a court, adjudicative body, or other administrative body before which
VA is authorized to appear, when:
(a) VA or any component thereof;
(b) Any VA employee in their official capacity;
(c) Any VA employee in their individual capacity where DoJ has
agreed to represent the employee; or
(d) The United States, where VA determines that litigation is
likely to affect the agency or any of its components, is a party to
such proceedings or has an interest in such proceedings, and VA
determines that use of such records is relevant and necessary to the
proceedings.
7. Contractors: To contractors, grantees, experts, consultants,
students, and others performing or working on a contract, service,
grant, cooperative agreement, or other assignment for VA, when
reasonably necessary to accomplish an agency function related to the
records.
8. Federal Agencies, Fraud and Abuse: To other Federal agencies to
assist such agencies in preventing and detecting possible fraud or
abuse by individuals in their operations and programs.
9. Data Breach Response and Remediation, for VA: To appropriate
agencies, entities, and persons when (1) VA suspects or has confirmed
that there has been a breach of the system of records; (2) VA has
determined that as a result of the suspected or confirmed breach there
is a risk to individuals, VA (including its information systems,
programs, and operations), the Federal Government, or national
security; and (3) the disclosure made to such agencies, entities, or
persons reasonably necessary to assist in connection with VA efforts to
respond to the suspected or confirmed breach or to prevent, minimize,
or remedy such harm.
10. Data Breach Response and Remediation, for Another Federal
Agency: To another Federal agency or Federal entity, when VA determines
that information from this system of records is reasonably necessary to
assist the recipient agency or entity in (1) responding to a suspected
or confirmed breach or (2) preventing, minimizing, or remedying the
risk of harm to individuals, the recipient agency or entity (including
its information systems, programs, and operations), the Federal
Government, or national security, resulting from a suspected or
confirmed breach.
11. Parent or Guardian of Minor Volunteer: VA may disclose
information from this system to the parent or legal guardian of a minor
volunteer.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records are maintained in the Microsoft GCC, a government-
authorized cloud-service provider, with Microsoft GFS Datacenters in
Boydton, Virginia; Des Moines, Iowa; Dallas, Texas; and Phoenix,
Arizona. For security reasons, Microsoft does not disclose the physical
location of the data centers. For more information, please refer to the
JAB FedRAMP ATO for Microsoft Dynamics CRM. Paper records for all
active volunteers are maintained in locked file cabinets at the
individual VA facilities where the volunteer has donated time. Computer
records containing basic information, such as name, address, date of
birth, volunteer assignments, hours/years volunteered, and award
information are retained for all volunteers, either active or inactive,
at the VA facility where the volunteer worked.
POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS:
Records in this system are retrieved by name and unique
identification numbers within the VA's CDCEP and are cross-referenced
under the organization(s) they represent. Health records in this system
are retrieved by name and full Social Security number in the
Occupational Health Record--Keeping System but are not retrievable
through CDCEP.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Records in this system are retained and disposed of in accordance
with the schedule approved by the Archivist of the United States, VHA
RCS 10-1, Item Number 3020.10-3020.11.
PHYSICAL, PROCEDURAL, AND ADMINISTRATIVE SAFEGUARDS:
1. Access to VA working space and medical record storage areas and
the servers and storage in the GCC is restricted to VA employees on a
``need to know'' basis. Generally, VA file areas are locked after
normal duty hours and are protected from outside access by the Federal
Protective Service. Volunteer records containing sensitive medical
record files are stored in separate locked files.
2. Strict control measures are enforced to ensure that access to
and disclosure of all records including electronic files and volunteer
specific data elements stored in the CDCEP are limited to CDCE/VAVS
employees whose official duties warrant access to those files. Access
to the VA network is protected by the usage of the personal identity
verification ``PIV.'' Once on the VA network, separate ID and password
credentials are required to gain access to the CDCEP servers and/or
databases. Access to the servers and/or databases is granted to only a
limited number of system administrators and database administrators.
Employees are required to sign a user access agreement acknowledging
their knowledge of confidentiality requirements, and all employees
receive annual training on information security. Access is deactivated
when no longer required for official duties. Recurring monitors are in
place to ensure compliance with nationally and locally established
security measures.
3. Online data resides on servers and storage in the GCC that are
highly secured.
4. Any sensitive information that may be downloaded or printed to
hard copy format is provided the same level of security as the
electronic records. All paper documents and informal notations
containing sensitive data are shredded prior to disposal.
5. All new CDCE/VAVS employees receive initial information security
training, and refresher training is provided to all employees on an
annual basis.
RECORD ACCESS PROCEDURE:
Individuals seeking information on the existence and content of
records in this system pertaining to them should contact the system
manager in writing as indicated above, or email [email protected],
or inquire in person at the VA health care facility where their
voluntary service was accomplished. A request for access to records
must contain the requester's full name, address, telephone number, be
signed by the requester, and describe the records sought in sufficient
detail to enable VA personnel to locate them with a reasonable amount
of effort.
CONTESTING RECORD PROCEDURE:
Individuals seeking to contest or amend records in this system
pertaining to them should contact the system manager in writing as
indicated above, or email [email protected] or inquire in person at
the VA health care facility where their voluntary service was
accomplished. A request to contest or amend records must state clearly
and concisely what record is being contested, the reasons for
contesting it, and the proposed amendment to the record.
NOTIFICATION PROCEDURE:
Generalized notice is provided by the publication of this notice.
For specific notice, see Record Access Procedure, above.
[[Page 4885]]
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
42 FR 6032 (February 1, 1977); 66 FR 6764 (January 22, 2001); 74 FR
17555 (April 15, 2009); 81 FR 59271 (August 29, 2016).
[FR Doc. 2023-01437 Filed 1-24-23; 8:45 am]
BILLING CODE P