[Federal Register Volume 88, Number 65 (Wednesday, April 5, 2023)]
[Notices]
[Pages 20144-20146]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-07029]


-----------------------------------------------------------------------

COMMODITY FUTURES TRADING COMMISSION


Privacy Act of 1974; System of Records

AGENCY: Commodity Futures Trading Commission.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The Commodity Futures Trading Commission (CFTC or Commission) 
is establishing a new system of records, CFTC-56, Office of the 
Inspector General Audit Files, to account for information maintained 
about individuals that is included in Office of the Inspector General 
(OIG) audit files.

DATES: Comments must be received on or before May 5, 2023. Routine uses 
will go into effect on May 5, 2023.

ADDRESSES: You may submit comments by any of the following methods:
     CFTC Comments Portal: https://comments.cftc.gov. Select 
the ``Submit Comments'' link for this notice and follow the 
instructions on the Public Comment Form.
     Mail: Send to Christopher Kirkpatrick, Secretary of the 
Commission, Commodity Futures Trading Commission, Three Lafayette 
Centre, 1155 21st Street NW, Washington, DC 20581.
     Hand Delivery/Courier: Follow the same instructions as for 
Mail, above. Please submit your comments using only one of these 
methods. Submissions through the CFTC Comments Portal are encouraged.
    All comments must be submitted in English, or if not, be 
accompanied by an English translation. Comments will be posted as 
received to comments.cftc.gov. You should submit only information that 
you wish to make available publicly.
    The Commission reserves the right, but shall have no obligation, to 
review, pre-screen, filter, redact, refuse, or remove any or all of a 
submission from comments.cftc.gov that it may deem to be inappropriate 
for publication, such as obscene language. All submissions that have 
been redacted or removed that contain comments on the merits of this 
notice will be retained in the comment file and will be considered as 
required under all applicable laws, and may be accessible under the 
Freedom of Information Act.

FOR FURTHER INFORMATION CONTACT: Marcela Souaya, (202) 418-5137, 
[email protected], Office of the General Counsel, Commodity Futures 
Trading Commission, Three Lafayette Centre, 1155 21st Street NW, 
Washington, DC 20581.

SUPPLEMENTARY INFORMATION: Background information is not applicable 
since this is a new SORN.

SYSTEM NAME AND NUMBER:
    Office of the Inspector General Audit Files; CFTC-56.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Office of the Inspector General, Commodity Futures Trading 
Commission, Three Lafayette Centre, 1155 21st Street, NW, Washington, 
DC 20581. The system will be hosted on a cloud and data center 
computing infrastructure. Duplicate versions of some or all system 
information may be at satellite locations where the CFTC has granted 
direct access to support CFTC operations, system backup, emergency 
preparedness, and/or continuity of operations.

[[Page 20145]]

SYSTEM MANAGER(S):
    Inspector General, Office of the Inspector General, Commodity 
Futures Trading Commission, Three Lafayette Centre, 1155 21st Street 
NW, Washington, DC 20581. Email is [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Commodity Exchange Act, 7 U.S.C. 1 et seq., and regulations, rules 
or orders issued thereunder; Inspector General Act of 1978, as amended, 
Public Law 95-452, 5 U.S.C. Appx. 3.

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to maintain a management information 
system for CFTC OIG audit projects (such as financial statement audits, 
performance audits, and other audit projects relating to the programs 
and operations of the CFTC); and OIG personnel (such as staff training 
records and conflict of interest certifications necessary for peer 
review purposes); and to assist in the accurate and timely conduct of 
audits and audit projects.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered consist of: (1) CFTC program participants and 
CFTC employees and contractors who are associated with an activity that 
is performed by the CFTC OIG Office of Audit as an audit or audit 
product included under Generally Accepted Government Auditing Standards 
(such as a financial audit, an attestation engagement, a review 
engagement, an agreed-upon procedures engagement, or a review of 
financial statements); (2) requesters of an OIG audit or other activity 
(such as a member of Congress, Congressional staff, or a CFTC 
Chairperson or Commissioner); and (3) persons and entities performing 
some other role of significance to the OIG Office of Audit efforts 
(such as potential witnesses, or persons who represent legal entities 
that are connected to an OIG audit or other activity). The system also 
tracks information pertaining to OIG staff handling the audit or other 
activity, and may contain names of relevant staff in other agencies or 
private sector entities.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records consist of materials compiled and/or generated in 
connection with audits and other activities performed by OIG staff. 
These materials include work papers and information regarding the 
planning, conduct, and resolution of audits and reviews of CFTC 
programs and participants in those programs, internal legal assistance 
requests, information requests, responses to such requests, and reports 
of findings. The information consists of audit work papers and reports.

RECORD SOURCE CATEGORIES:
    Information in the system is obtained from the CFTC, other federal 
agencies and entities, the Government Accountability Office, 
contractors, program participants including individuals and business 
entities, subject individuals, complainants, witnesses, other 
nongovernmental sources and open source intelligence, including web-
based communities, user-generated content, social-networking sites, 
wikis, blogs and news sources maintained on the Surface, Deep, and Dark 
web. The Surface Web is what users access in their regular day-to-day 
activity. It is available to the general public using standard search 
engines and can be accessed using standard web browsers that do not 
require any special configuration. The Deep Web is the portion of the 
web that is not indexed or searchable by ordinary search engines. The 
Dark Web is a less accessible subset of the Deep Web that relies on 
connections made between trusted peers and requires specialized 
software, tools, or equipment to access.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Routine uses for the Office of the Inspector General Audit Files 
record systems are set forth below:
    1. The information may be given or shown to any person or entity 
during the course of an Office of the Inspector General (OIG) audit or 
audit activity (audit) if there is reason to believe that disclosure to 
the person or entity will further the audit.
    2. Information may be disclosed to the Department of Justice or 
other federal entity, the Merit Systems Protection Board, the Office of 
Special Counsel, or in a proceeding before a court, adjudicative body, 
or other administrative body before which the agency is authorized to 
appear, or in the course of civil discovery, litigation, or settlement 
negotiations, in actions authorized under the Commodity Exchange Act 
and otherwise authorized, when:
    a. The agency, or any component thereof; or
    b. Any employee of the agency in their official capacity; or
    c. Any employee of the agency in their personal capacity where the 
Department of Justice or the agency has agreed to represent the 
employee; or
    d. The United States, when the litigation is likely to affect the 
CFTC or any of its components; is a party to litigation or has an 
interest in such litigation, and the use of such records by the 
Department of Justice or the agency is deemed to be relevant and 
necessary to the litigation.
    3. In any case in which records in the system, either alone or in 
conjunction with other information, indicates a violation or potential 
violation of law, whether civil, criminal or regulatory in nature, 
whether arising by general statute or particular program statute, or by 
regulation, rule or order issued pursuant thereto, the relevant records 
may be referred to the appropriate agency, whether Federal, foreign, 
State or local, charged with enforcing or implementing the statute, 
regulation, rule or order. This includes a state or federal bar 
association, state accountancy board, or other federal, state, local, 
or foreign licensing or oversight authority; or professional 
association or self-regulatory authority to the extent that it performs 
similar functions (including the Public Company Accounting Oversight 
Board) for investigations or possible disciplinary action, including 
suspension and debarment.
    4. Information may be disclosed to the National Archives and 
Records Administration to the extent necessary to fulfill its 
responsibilities under the law relating to these records.
    5. Information may be disclosed to private and public entities, 
contractors, grantees, volunteers, experts, students, and others 
performing or working on a contract, service, grant, cooperative 
agreement, or job that facilitate or are necessary to accomplish an OIG 
audit, or to collate, aggregate or otherwise refine or dispose of data 
collected in the system of records. Each private or public entity, 
contractor, grantee, volunteer, expert, student, or other shall be 
required to maintain Privacy Act safeguards with respect to such 
information.
    6. To appropriate agencies, entities, and persons when (1) CFTC's 
OIG suspects or has confirmed that there has been a breach of the 
system of records, (2) CFTC's OIG has determined that as a result of 
the suspected or confirmed breach there is a risk of harm to 
individuals, CFTC's OIG (including its information systems, programs, 
and operations), the Federal Government, or national security; and (3) 
the disclosure made to such agencies, entities, and persons is 
reasonably necessary to assist in connection with CFTC's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.

[[Page 20146]]

    7. To another Federal agency or Federal entity, when CFTC's OIG 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.
    8. A record from the system of records may be disclosed to a grand 
jury agent pursuant either to a Federal or State grand jury subpoena, 
or to a prosecution request that such record be released for the 
purpose of its introduction to a grand jury, provided that the grand 
jury channels its request through the cognizant U.S. Attorney, that the 
U.S. Attorney has been delegated the authority to make such requests by 
the Attorney General, and that the U.S. Attorney actually signs the 
letter specifying both the information sought and the law enforcement 
purpose served. In the case of a State grand jury subpoena, the State 
equivalent of the U.S. Attorney and Attorney General shall be 
substituted.
    9. A record from the system of records may be disclosed in response 
to a subpoena issued by a Federal agency having the power to subpoena 
records of other Federal agencies, provided the subpoena is channeled 
through the head of the issuing agency, if the OIG determines that: (a) 
The head of the issuing agency signed the subpoena; (b) the subpoena 
specifies the information sought and the law enforcement purpose 
served; (c) the records are both relevant and necessary to the 
proceeding; and (d) such release is compatible with the purpose for 
which the records were collected.
    10. A record from the system of records may be disclosed to the 
Department of Justice for the purpose of obtaining its advice on an OIG 
audit, or other related inquiry, including Freedom of Information or 
Privacy Act matters relating to information in this record system.
    11. A record may be disclosed to any official charged with the 
responsibility to conduct investigations, qualitative assessment 
reviews, or peer reviews of audit operations within the Office of the 
Inspector General. This disclosure category includes members of the 
Council of the Inspectors General on Integrity and Efficiency or any 
successor entity and officials, designees, and administrative staff 
within their chain of command, as well as authorized officials of the 
Department of Justice and the Federal Bureau of Investigation.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored electronically or on paper in secure facilities.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information in the system generally can be retrieved by OIG 
personnel in headquarters and working remotely. Information is 
generally retrieved by audit assignment number and can be retrieved by 
using alphanumeric queries and personal identifiers.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The records are retained and disposed of in compliance with CFTC 
record disposition authorities, approved by the National Archives and 
Records Administration. The OIG Audit Files are destroyed 10 years 
after the audit is completed, unless the audit is deemed of 
significance sufficient to justify permanent retention. The OIG staff 
training and related records are destroyed six years after cut off.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Administrative safeguards include restricting access to the OIG 
work area, and restricting relevant audit tasks to only those competent 
or qualified to perform the work. Technical security measures within 
CFTC include restrictions on computer access to authorized individuals 
who have a legitimate need to know the information; use of encryption 
for certain data types and transfers; firewalls and intrusion detection 
applications (set and maintained by the CFTC); and regular review of 
security procedures and best practices to enhance security (performed 
by the CFTC). Physical safeguards include restrictions on building 
access to authorized individuals, 24-hour security guard service, and 
maintenance of records in lockable offices, desks, and filing cabinets.

RECORD ACCESS PROCEDURES:
    Individuals seeking to determine whether this system of records 
contains information about themselves or seeking access to records 
about themselves in this system of records should address written 
inquiries to the Office of the General Counsel, Commodity Futures 
Trading Commission, Three Lafayette Centre, 1155 21st Street NW, 
Washington, DC 20581. See 17 CFR 146.3 for full details on what to 
include in a Privacy Act access request.

CONTESTING RECORD PROCEDURES:
    Individuals contesting the content of records about themselves 
contained in this system of records should address written inquiries to 
the Office of the General Counsel, Commodity Futures Trading 
Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 
20581. See 17 CFR 146.8 for full details on what to include in a 
Privacy Act amendment request.

NOTIFICATION PROCEDURES:
    Individuals seeking notification of any records about themselves 
contained in this system of records should address written inquiries to 
the Office of the General Counsel, Commodity Futures Trading 
Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 
20581. See 17 CFR 146.3 for full details on what to include in a 
Privacy Act notification request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

    Issued in Washington, DC, on March 30, 2023, by the Commission.
Christopher Kirkpatrick,
Secretary of the Commission.
[FR Doc. 2023-07029 Filed 4-4-23; 8:45 am]
BILLING CODE 6351-01-P