[Federal Register Volume 88, Number 77 (Friday, April 21, 2023)]
[Rules and Regulations]
[Pages 24476-24477]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-08475]




=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 310

[Docket ID: DOD-2022-OS-0016]
RIN 0790-AK51


Privacy Act of 1974; Implementation

AGENCY: Office of the Secretary of Defense, Department of Defense 
(DoD).

ACTION: Direct final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Defense (DoD or Department) is amending its 
Privacy Program regulation to add four routine uses to its list of 
blanket routine uses. These new blanket routine uses will support 
necessary information sharing from DoD Privacy Act systems of records 
in the event of a data breach, and support sharing with other 
government agencies for counterterrorism purposes. This rule is being 
published as a direct final rule as the Department does not expect to 
receive any adverse comments. If such comments are received, this 
direct final rule will be withdrawn and a proposed rule for comments 
will be published.

DATES: This rule is effective May 31, 2023 unless comments are received 
that would result in a contrary determination. Comments will be 
accepted on or before May 22, 2023.

ADDRESSES: You may submit comments, identified by docket number and 
title, by any of the following methods.
    * Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
    * Mail: Department of Defense, Office of the Assistant to 
the Secretary of Defense for Privacy, Civil Liberties, and 
Transparency, Regulatory Directorate, 4800 Mark Center Drive, Attn: 
Mailbox 24, Suite 08D09, Alexandria, VA 22350-1700.
    Instructions: All submissions received must include the agency name 
and docket number or Regulatory Identifier Number (RIN) for this 
Federal Register document. The general policy for comments and other 
submissions from members of the public is to make these submissions 
available for public viewing on the internet at https://www.regulations.gov as they are received without change, including any 
personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Ms. Mary Fletcher, 
[email protected], (703) 571-0080.

SUPPLEMENTARY INFORMATION: A ``routine use'' is defined in the Privacy 
Act of 1974 as ``with respect to the disclosure of a record, the use of 
such record for a purpose which is compatible with the purpose for 
which it was collected.'' See 5 U.S.C. 552a(a)(7). Routine uses are 
included in individual agency Privacy Act system of records notices 
(SORNs) to allow the agency to disclose records from a particular 
system of records to individuals or entities in accordance with the 
terms of the routine use. Some agencies have established a set of 
routine uses that apply to a wide array of published agency SORNs, 
sometimes referred to as blanket routine uses. Their purpose is to 
provide consistent information sharing authority across the SORNs for 
common or non-controversial purposes. Examples of typical blanket 
routine uses are ones that allow agencies to share information with 
members of Congress inquiring on behalf of a constituent, with the 
Department of Justice when litigation arises, and with agency 
contractors for purposes outlined in the contract. New or altered 
routine uses, including blanket routine uses, must be published in the 
Federal Register at least 30 days before any records may be disclosed 
pursuant to the terms of the routine use.
    In addition to the specific routine uses established in each DoD 
SORN, DoD has published blanket routine uses that are applicable to a 
wide array of DoD systems of records. In order for the blanket routine 
uses to apply to a specific system of records, the DoD SORN must 
indicate that the blanket routine uses apply to that system. DoD's 
blanket routine uses are located in Appendix A to 32 CFR part 310.
    This rule adds four new blanket routine uses to Appendix A. The 
first two blanket routine uses support information sharing in the event 
of a data breach to respond, remediate, or notify agencies, entities, 
and persons of the breach, or support other agencies in handling the 
breach. These routine uses are recommended for all agencies in guidance 
issued by the Office of Management and Budget (OMB). See OMB Memorandum 
M-17-12, ``Preparing for and Responding to a Breach of Personally 
Identifiable Information,'' January 3, 2017, available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-12_0.pdf. The third blanket routine use supports information sharing of 
terrorism, homeland security, or law enforcement information from a DoD 
system of records to other domestic and international agencies for 
counterterrorism purposes. The fourth blanket routine use supports the 
Inspector General Act of 1978, as amended, to allow disclosures to 
perform the functions of Inspectors General in government.
    This rule is being published as a direct final rule as the 
Department does not expect to receive any significant adverse comments 
concerning the addition of these four blanket routine uses. If such 
comments are received, this direct final rule will be withdrawn and a 
proposed rule for comments will be published. If no such comments are 
received, this direct final rule will become effective ten days after 
the comment period expires.
    For purposes of this rulemaking, a significant adverse comment is 
one that explains (1) why the rule is inappropriate, including 
challenges to the rule's underlying premise or approach; or (2) why the 
direct final rule will be ineffective or unacceptable without a change. 
In determining whether a significant adverse comment necessitates 
withdrawal of this direct final rule, the Department will consider 
whether the comment raises an issue serious enough to warrant a 
substantive response had it been submitted in a standard notice-and-
comment process. A comment recommending an addition to the rule will 
not be considered significant and adverse unless the comment explains 
how this direct final rule would be ineffective without the addition.

Regulatory Analysis

Executive Order 12866, ``Regulatory Planning and Review'' and Executive 
Order 13563, ``Improving Regulation and Regulatory Review''

    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. It has been determined that this rule is not a significant 
regulatory action under these Executive Orders.

Congressional Review Act (5 U.S.C. 804(2))

    The Congressional Review Act, 5 U.S.C. 801 et seq., generally 
provides that before a rule may take effect, the agency promulgating 
the rule must submit a rule report, which includes a copy of the rule, 
to each House of the Congress and to the Comptroller General of the 
United States. DoD will submit a 
report containing this rule and other required information to the U.S. 
Senate, the U.S. House of Representatives, and the Comptroller General 
of the United States. A major rule may take effect no earlier than 60 
calendar days after Congress receives the rule report or the rule is 
published in the Federal Register, whichever is later. This rule is not 
a ``major rule'' as defined by 5 U.S.C. 804(2).

Section 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    Section 202(a) of the Unfunded Mandates Reform Act of 1995 (UMRA) 
(2 U.S.C. 1532(a)) requires agencies to assess anticipated costs and 
benefits before issuing any rule whose mandates may result in the 
expenditure by State, local, and Tribal governments in the aggregate, 
or by the private sector, in any one year of $100 million in 1995 
dollars, updated annually for inflation. This rule will not mandate any 
requirements for State, local, or Tribal governments, nor will it 
affect private sector costs.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601 et 
seq.)

    The Assistant to the Secretary of Defense for Privacy, Civil 
Liberties, and Transparency has certified that this rule is not subject 
to the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) because it 
would not, if promulgated, have a significant economic impact on a 
substantial number of small entities. This rule is concerned only with 
the administration of Privacy Act systems of records within the DoD. 
Therefore, the Regulatory Flexibility Act, as amended, does not require 
DoD to prepare a regulatory flexibility analysis.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. 3501 et seq.)

    The Paperwork Reduction Act (PRA) (44 U.S.C. 3501 et seq.) was 
enacted to minimize the paperwork burden for individuals; small 
businesses; educational and nonprofit institutions; Federal 
contractors; State, local, and Tribal governments; and other persons 
resulting from the collection of information by or for the Federal 
Government. The Act requires agencies to obtain approval from the Office 
of Management and Budget before using identical questions to collect 
information from ten or more persons. This rule does not impose 
reporting or recordkeeping requirements on the public.

Executive Order 13132, ``Federalism''

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a rule that imposes substantial 
direct requirement costs on State and local governments, preempts State 
law, or otherwise has federalism implications. This rule will not have 
a substantial effect on State and local governments.

Executive Order 13175, ``Consultation and Coordination With Indian 
Tribal Governments''

    Executive Order 13175 establishes certain requirements that an 
agency must meet when it promulgates a rule that imposes substantial 
direct compliance costs on one or more Indian Tribes, preempts Tribal 
law, or affects the distribution of power and responsibilities between 
the Federal Government and Indian Tribes. This rule will not have a 
substantial effect on Indian Tribal governments.

List of Subjects in 32 CFR Part 310

    Privacy.

    Accordingly, 32 CFR part 310 is amended as follows:

PART 310--PROTECTION OF PRIVACY AND ACCESS TO AND AMENDMENT OF 
INDIVIDUAL RECORDS UNDER THE PRIVACY ACT OF 1974

1. The authority citation for 32 CFR part 310 continues to read as 
follows:

    Authority:  5 U.S.C. 552a.


2. Appendix A to 32 CFR part 310 is amended by adding blanket routine 
uses O, P, Q, and R to read as follows:

Appendix A to Part 310--DOD Blanket Routine Uses

* * * * *

O. Routine Use--Data Breach Response and Remediation

    A record from a system of records maintained by DoD or a 
Component may be disclosed to appropriate agencies, entities, and 
persons when (1) the Component suspects or has confirmed that there 
has been a breach of the system of records; (2) the Component has 
determined that as a result of the suspected or confirmed breach 
there is a risk of harm to individuals, DoD (including its 
information systems, programs, and operations), the Federal 
Government, or national security; and (3) the disclosure made to 
such agencies, entities, and persons is reasonably necessary to 
assist in connection with the Component's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy 
such harm.

P. Routine Use--Data Breach Inter-Agency Assistance

    A record from a system of records maintained by DoD or a 
Component may be disclosed to another Federal agency or Federal 
entity, when DoD or the Component determines that information from 
this system of records is reasonably necessary to assist the 
recipient agency or entity in (1) responding to a suspected or 
confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity 
(including its information systems, programs, and operations), the 
Federal Government, or national security, resulting from a suspected 
or confirmed breach.

Q. Routine Use--Agency Sharing To Support Counterterrorism

    A record from a system of records maintained by a Component 
consisting of, or relating to, terrorism information (6 U.S.C. 
485(a)(4)), homeland security information (6 U.S.C. 482(f)(1)), or 
law enforcement information (Guideline 2 Report attached to White 
House Memorandum, ``Information Sharing Environment,'' November 22, 
2006) may be disclosed to a Federal, State, local, Tribal, 
territorial, foreign governmental and/or multinational agency, 
either in response to its request or upon the initiative of the 
Component, for purposes of sharing such information as is necessary 
and relevant for the agencies for the detection, prevention, 
disruption, preemption, and mitigation of the effects of terrorist 
activities against the territory, people, and interests of the 
United States of America as contemplated by the Intelligence Reform 
and Terrorism Protection Act of 2004 (Pub. L. 108-458) and Executive 
Order 13388 (October 25, 2005).

R. Routine Use--Office of Inspector General

    A record from a system of records maintained by DoD or a 
Component may be disclosed to another Federal, State, or local 
agency for the purpose of comparing to the agency's system of 
records or to non-Federal records, in coordination with an Office of 
Inspector General, in conducting an audit, investigation, 
inspection, evaluation, or some other review as authorized by the 
Inspector General Act of 1978, as amended.

    Dated: April 18, 2023.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2023-08475 Filed 4-20-23; 8:45 am]