[Federal Register Volume 88, Number 217 (Monday, November 13, 2023)]
[Notices]
[Pages 77572-77574]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-24901]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY


Privacy Act of 1974; System of Records

AGENCY: U.S. Department of Energy.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 and the Office of 
Management and Budget (OMB) Circulars A-108 and A-130, the Department 
of Energy (DOE or the Department) is publishing notice of a 
modification to an existing Privacy Act System of Records. DOE proposes 
to amend System of Records DOE-66 Power Sales to Individuals. This 
System of Records Notice (SORN) is being modified to align with new 
formatting requirements, published by the Office of Management and 
Budget, and to ensure appropriate Privacy Act coverage of business 
processes and Privacy Act information. While there are no substantive 
changes to the ``Categories of Individuals'' or ``Categories of 
Records'' sections covered by this SORN, substantive changes have been 
made to the ``System Locations,'' ``Routine Uses,'' and 
``Administrative, Technical and Physical Safeguards'' sections to 
provide greater transparency. Changes to ``Routine Uses'' include new 
provisions related to responding to breaches of information held under 
a Privacy Act SORN as required by OMB's Memorandum M-17-12, ``Preparing 
for and Responding to a Breach of Personally Identifiable Information'' 
(January 3, 2017). Language throughout the SORN has been updated to 
align with applicable Federal privacy laws, policies, procedures, and 
best practices.

DATES: This modified SORN will become applicable following the end of 
the public comment period on December 13, 2023 unless comments are 
received that result in a contrary determination.

ADDRESSES: Written comments should be sent to the DOE Desk Officer, 
Office of Information and Regulatory Affairs, Office of Management and 
Budget, New Executive Office Building, Room 10102, 735 17th Street NW, 
Washington, DC 20503 and to Ken Hunt, Chief Privacy Officer, U.S. 
Department of Energy, 1000 Independence Avenue SW, Rm. 8H-085, 
Washington, DC 20585 or by facsimile at (202) 586-8151 or by email at 
[email protected].

FOR FURTHER INFORMATION CONTACT: Ken Hunt, Chief Privacy Officer, U.S. 
Department of Energy, 1000 Independence Avenue SW, Rm. 8H-085, 
Washington, DC 20585 or by facsimile at (202) 586-8151 or by email at 
[email protected], telephone: (240) 686-9485.

SUPPLEMENTARY INFORMATION: On January 9, 2009, DOE published a 
Compilation of its Privacy Act systems of records, which included 
system of records DOE-66 Power Sales to Individuals. This notice 
proposes amendments to the ``System Locations'' section of that system 
of records by removing the following system location where DOE-66 is no 
longer applicable: U.S. Department of Energy, Western Area Power 
Administration, Colorado River Storage Project, 257 E200S, Suite 475, 
Salt Lake City, UT 84111. In the ``Routine Uses'' section, this 
modified notice deletes a previous routine use concerning efforts 
responding to a suspected or confirmed loss of confidentiality of 
information as it appears in DOE's compilation of its Privacy Act 
systems of records (January 9, 2009) and replaces it with one to assist 
DOE with responding to a suspected or confirmed breach of its records 
of Personally Identifiable Information (PII), modeled with language 
from OMB's Memorandum M-17-12, ``Preparing for and Responding to a 
Breach of Personally Identifiable Information'' (January 3, 2017). 
Further, this notice adds one new routine use to ensure that DOE may 
assist another agency or entity in responding to the other agency's or 
entity's confirmed or suspected breach of PII, as appropriate, as 
aligned with OMB's Memorandum M-17-12. Additionally, the routine use 
formerly listed as number three has been removed, as it was determined 
to be duplicative. The routine use formerly covered by number three is 
currently covered by number three in the current version. An 
administrative change required by the FOIA Improvement Act of 2016 
extends the length of time a requestor is permitted to file an appeal 
under the Privacy Act from 30 to 90 days. Both the ``System Locations'' 
and ``Administrative, Technical and Physical Safeguards'' sections have 
been modified to reflect the Department's usage of cloud-based services 
for records storage. Language throughout the SORN has been updated to 
align with applicable Federal privacy laws, policies, procedures, and 
best practices.

SYSTEM NAME AND NUMBER:
    DOE-66 Power Sales to Individuals.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Systems leveraging this SORN may exist in multiple locations. All 
systems storing records in a cloud-based server are required to use 
government-approved cloud services and follow National Institute of 
Standards and Technology (NIST) security and privacy standards for 
access and data retention. Records maintained in a government-approved 
cloud server are accessed through secure data centers in the 
continental United States.
    U.S. Department of Energy, Western Area Power Administration, 
Headquarters, P.O. Box 281213, Lakewood, CO 80228-8213.
    U.S. Department of Energy, Western Area Power Administration, 
Colorado River Storage Project, 1800 South Rio Grande Avenue, Montrose, 
CO 81401.
    U.S. Department of Energy, Western Area Power Administration, 
Desert Southwest Region, 615 S 43rd Avenue, Phoenix, AZ 85009.
    U.S. Department of Energy, Western Area Power Administration, Rocky 
Mountain Region, 5555 E Crossroads Boulevard, Loveland, CO 80538-8986.
    U.S. Department of Energy, Western Area Power Administration, 
Sierra Nevada Region, 114 Parkshore Drive, Folsom, CA 95630-4710.
    U.S. Department of Energy, Western Area Power Administration, Upper 
Great Plains Region, 2900 4th Avenue North, Billings, MT 59101-1266.

[[Page 77573]]

SYSTEM MANAGER(S):
    Administrator, Western Area Power Administration (WAPA), U.S. 
Department of Energy, P.O. Box 281213, Lakewood, CO 80228-8213.
    Regional Offices: The Directors of the ``System Locations'' listed 
above are the system managers for their respective locations.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    42 U.S.C. 7101 et seq., and 50 U.S.C. 2401 et seq.

PURPOSE(S) OF THE SYSTEM:
    For those records described in Categories of Records in the System, 
such records are maintained and used by the Department to bill 
customers for the sale of purchase power.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals purchasing power from the Western Area Power 
Administration.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Executed contracts, agreements, amendments, extensions, and related 
correspondence.

RECORD SOURCE CATEGORIES:
    Subject individuals.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. A record from this system may be disclosed as a routine use for 
the purpose of an investigation, settlement of claims, or the 
preparation and conduct of litigation to: (1) persons representing the 
Department in the investigation, settlement or litigation, and to 
individuals assisting in such representation; (2) others involved in 
the investigation, settlement, and litigation, and their 
representatives and individuals assisting those representatives; (3) 
witnesses, potential witnesses, or their representatives and 
assistants; and (4) any other persons who possess information 
pertaining to the matter when it is necessary to obtain information or 
testimony relevant to the matter.
    2. A record from this system may be disclosed as a routine use in 
court or administrative proceedings to the tribunals, counsel, other 
parties, witnesses, and the public (in publicly available pleadings, 
filings or discussion in open court) when such disclosure: (1) Is 
relevant to, and necessary for, the proceeding; (2) is compatible with 
the purpose for which the Department collected the records; and (3) the 
proceedings involve:
    a. The Department, its predecessor agencies, current or former 
contractors of the Department, or other United States Government 
agencies and their components, or
    b. A current or former employee of the Department and its 
predecessor agencies, current or former contractors of the Department, 
or other United States Government agencies and their components, who is 
acting in an official capacity, or in any individual capacity where the 
Department or other United States Government agency has agreed to 
represent the employee.
    3. A record from this system of records may be disclosed as a 
routine use to a Federal, State, Tribal, or local agency to facilitate 
the requesting agency's decision concerning the hiring or retention of 
an employee, the issuance of a security clearance, the reporting of an 
investigation of an employee, the letting of a contract, or the 
issuance of a license, grant, or other benefit, to the extent that the 
information is relevant and necessary to the requesting agency's 
decision on the matter. The Department must deem such disclosure to be 
compatible with the purpose for which the Department collected the 
information.
    4. A record from the system may be disclosed as a routine use to 
the appropriate local, Tribal, State, or Federal agency when records, 
alone or in conjunction with other information, indicate a violation or 
potential violation of law whether civil, criminal, or regulatory in 
nature, and whether arising by general statute or particular program 
pursuant thereto.
    5. A record from this system may be disclosed as a routine use to a 
member of Congress submitting a request involving a constituent when 
the constituent has requested assistance from the member concerning the 
subject matter of the record. The member of Congress must provide a 
copy of the constituent's signed request for assistance.
    6. A record from the system may be disclosed as a routine use to 
DOE contractors in performance of their contracts, and their officers 
and employees who have a need for the record in the performance of 
their duties. Those provided information under this routine use are 
subject to the same limitations applicable to Department officers and 
employees under the Privacy Act.
    7. A record from this system may be disclosed as a routine use to 
appropriate agencies, entities, and persons when: (1) the Department 
suspects or has confirmed that there has been a breach of the System of 
Records; (2) the Department has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
DOE (including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the Department's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    8. A record from this system may be disclosed as a routine use to 
another Federal agency or Federal entity, when the Department 
determines that information from this System of Records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records may be stored as paper files or electronic media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by name.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Retention and disposition of these records is in accordance with 
the National Archives and Records Administration and DOE-approved 
schedule: Power Sales and Marketing Records Disposition Authority 
Number: DAA-0201-2020-0001.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Electronic records may be secured and maintained on a cloud-based 
software server and operating system that resides in Federal Risk and 
Authorization Management Program (FedRAMP) and Federal Information 
Security Modernization Act (FISMA) hosting environment. Data located in 
the cloud-based server is firewalled and encrypted at rest and in 
transit. The security mechanisms for handling data at rest and in 
transit are in accordance with DOE encryption standards. Records are 
protected from unauthorized access through the following appropriate 
safeguards:
     Administrative: Access to all records is limited to lawful 
government purposes only, with access to electronic records based on 
role and either two-factor authentication or password

[[Page 77574]]

protection. The system requires passwords to be complex and to be 
changed frequently. Users accessing system records undergo frequent 
training in Privacy Act and information security requirements. Security 
and privacy controls are reviewed on an ongoing basis.
     Technical: Computerized records systems are safeguarded on 
Departmental networks configured for role-based access based on job 
responsibilities and organizational affiliation. Privacy and security 
controls are in place for this system and are updated in accordance 
with applicable requirements as determined by NIST and DOE directives 
and guidance.
     Physical: Computer servers on which electronic records are 
stored are located in secured Department facilities, which are 
protected by security guards, identification badges, and cameras. Paper 
copies of all records are locked in file cabinets, file rooms, or 
offices and are under the control of authorized personnel. Access to 
these facilities is granted only to authorized personnel and each 
person granted access to the system must be an individual authorized to 
use and/or administer the system.

RECORD ACCESS PROCEDURES:
    The Department follows the procedures outlined in 10 CFR 1008.4. 
Valid identification of the individual making the request is required 
before information will be processed, given, access granted, or a 
correction considered, to ensure that information is given, corrected, 
or records disclosed or corrected only at the request of the proper 
person.

CONTESTING RECORD PROCEDURES:
    Any individual may submit a request to the System Manager and 
request a copy of any records relating to them. In accordance with 10 
CFR 1008.11, any individual may appeal the denial of a request made by 
him or her for information about or for access to or correction or 
amendment of records. An appeal shall be filed within 90 calendar days 
after receipt of the denial. When an appeal is filed by mail, the 
postmark is conclusive as to timeliness. The appeal shall be in writing 
and must be signed by the individual. The words ``PRIVACY ACT APPEAL'' 
should appear in capital letters on the envelope and the letter. 
Appeals of denials relating to records maintained in government-wide 
System of Records reported by Office of Personnel Management (OPM), 
shall be filed, as appropriate, with the Assistant Director for Agency 
Compliance and Evaluation, OPM, 1900 E Street NW, Washington, DC 20415. 
All other appeals relating to DOE records shall be directed to the 
Director, Office of Hearings and Appeals (OHA), 1000 Independence Ave. 
SW, Washington, DC 20585.

NOTIFICATION PROCEDURES:
    In accordance with the DOE regulation implementing the Privacy Act, 
10 CFR part 1008, a request by an individual to determine if a System 
of Records contains information about themselves should be directed to 
the U.S. Department of Energy, Headquarters, Privacy Act Officer. The 
request should include the requester's complete name and the time 
period for which records are sought.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    This SORN was last published in the Federal Register (FR), 74 FR 
1071-1072, on January 9, 2009.

Signing Authority

    This document of the Department of Energy was signed on November 6, 
2023, by Ann Dunkin, Senior Agency Official for Privacy, pursuant to 
delegated authority from the Secretary of Energy. That document with 
the original signature and date is maintained by DOE. For 
administrative purposes only, and in compliance with requirements of 
the Office of the Federal Register, the undersigned DOE Federal 
Register Liaison Officer has been authorized to sign and submit the 
document in electronic format for publication, as an official document 
of the Department of Energy. This administrative process in no way 
alters the legal effect of this document upon publication in the 
Federal Register.

    Signed in Washington, DC, on November 7, 2023.
Treena V. Garrett,
Federal Register Liaison Officer, U.S. Department of Energy.
[FR Doc. 2023-24901 Filed 11-9-23; 8:45 am]
BILLING CODE 6450-01-P