[Federal Register Volume 88, Number 221 (Friday, November 17, 2023)]
[Rules and Regulations]
[Pages 80139-80141]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-24669]
=======================================================================
-----------------------------------------------------------------------
ENVIRONMENTAL PROTECTION AGENCY
40 CFR Part 16
[EPA-HQ-OMS-2019-0371; FRL-10082-04-OMS]
Privacy Act Regulations for EPA-83
AGENCY: Environmental Protection Agency (EPA).
ACTION: Direct final rule.
-----------------------------------------------------------------------
SUMMARY: The Environmental Protection Agency (EPA or Agency) is taking
direct final action to revise the Agency's Privacy Act regulations to
exempt a modified system of records, EPA-83, the Personnel Security
System (PSS) 2.0, from certain requirements of the Privacy Act because
of the data sensitivity contained within an insider threat inquiry. A
lack of protection of these data could jeopardize the insider threat
inquiry or additional investigations if warranted.
DATES: This rule is effective on January 16, 2024, without further
notice unless EPA receives adverse comment by December 18, 2023. If EPA
receives adverse comment, it will publish a timely withdrawal in the
Federal Register informing the public that the rule will not take
effect.
ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OMS-2019-0371, at https://www.regulations.gov/. Follow the online
instructions for submitting comments. Once submitted, comments cannot
be edited or removed from Regulations.gov. The EPA may publish any
comment received to its public docket. Do not submit electronically any
information you consider to be Confidential Business Information (CBI)
or other information whose disclosure is restricted by statute.
Multimedia submissions (audio, video, etc.) must be accompanied by a
written comment. The written comment is considered the official comment
and should include discussion of all points you wish to make. The EPA
will generally not consider comments or comment contents located
outside of the primary submission (i.e., on the web, cloud, or other
file sharing system). For additional submission methods, the full EPA
public comment policy, information about CBI or multimedia submissions,
and general guidance on making effective comments, please visit https://www.epa.gov/dockets/commenting-epa-dockets.
FOR FURTHER INFORMATION CONTACT: John Goldsby, Personnel Security
Branch, Environmental Protection Agency, William Jefferson Clinton
North Building, Mail code 3206A, 1200 Pennsylvania Avenue NW,
Washington, DC 20460; telephone number, (202) 564-1569; email address,
[email protected].
SUPPLEMENTARY INFORMATION:
I. Why is EPA using a direct final rule?
The EPA is publishing this rule without a prior proposed rule
because we view this as a noncontroversial action and anticipate no
adverse comment. However, in the ``Proposed Rules'' section of this
issue of the Federal Register, we are publishing a separate document
that will serve as the proposed rule to exempt a new system of records,
EPA-83, the Personnel Security System (PSS) 2.0, from certain
requirements of the Privacy Act if adverse comments are received on
this direct final rule. We will not institute a second comment period
on this action. Any parties interested in commenting must do so at this
time. For further information about commenting on this rule, see the
ADDRESSES section of this document.
If EPA receives adverse comment, we will publish a timely
withdrawal in the Federal Register informing the public that this
direct final rule will not take effect. We would address all public
comments in any subsequent final rule based on the proposed rule.
II. General Information
The EPA published a Privacy Act system of records notice for PSS
2.0 (85 FR 32380, May 29, 2020) to replace PSS 1.0, which was a module
of the Office of Administrative Services Information System (OASIS,
EPA-41), and create a stand-alone system. The Personnel Security Branch
(PSB) plans to update
PSS with a new module focused on providing the agency with insider
threat inquiry management and coordination capabilities. The PSS 2.0
supports the PSB with tracking the documentation associated with
background investigations for Federal and non-Federal personnel working
for EPA. This includes reporting requirements that meet the Security
Executive Agent Directive (SEAD) 3, which establishes reporting
requirements for all ``covered individuals'' who have access to
classified information or who hold a sensitive position. Access to the
system is restricted to authorized users and PSS is maintained in a
secure, password protected computer system, in secure areas and
buildings with physical access controls and environmental controls. In
the performance of their official duties, EPA federal personnel must
input and manage Sensitive Personally Identifiable Information (such as
social security number) and Personally Identifiable Information (such
as home address and email address). All personnel are required to take
annual Information Technology Security and Privacy Training to ensure
the proper handling and management of Sensitive Personally Identifiable
Information (SPII) and Personally Identifiable Information (PII). The
data is required in the system to start the onboarding process and to
manage personnel through lifecycle activity at EPA (such as background
investigations). PSS 2.0 displays a reminder about the appropriate PII
and SPII handling procedures every time a user begins to enter data for
a new background investigation. Additionally, PSS will include a module
dedicated specifically for insider threat inquiry management and
coordination. This module will contain details of insider threat
inquiries, including the names and identifiers of personnel involved in
such inquiries.
Pursuant to 5 U.S.C. 552a(k)(2) and (k)(5), an individual's request
for access to his or her record may be exempt from specific access and
accounting provisions of the Privacy Act where the ``investigatory
material [was] compiled for law enforcement purposes''. See 40 CFR
16.12. Note that the (k)(5) exemption applies only to access requests
for background investigation records that would identify a confidential
source. Under 5 U.S.C. 552a(k)(1), (k)(2), and (k)(5), EPA is proposing
to exempt the PSS 2.0 from the following provisions of the Privacy Act
of 1974 as amended; 5 U.S.C. 552a; (d); (e)(1); (e)(4) (G), (H), and
(I); and (f)(2) through (5) for the following reasons:
(1) From subsection 552a(c)(3), because making available to a named
individual an accounting of disclosures of records concerning him/her/
them could reveal investigative interest on the part of EPA and/or the
Department of Justice. This could allow record subjects to impede the
investigation, e.g., destroy evidence, intimidate potential witnesses,
or flee the area to avoid inquiries or apprehension by law enforcement
personnel. Further, such a disclosure could reveal the identity of a
confidential source and hamper the Agency's investigation.
(2) From subsection 552a(c)(4), which concerns providing notice to
others regarding corrections or disputed information in accordance with
subsection (d) of the Privacy Act, because no access to these records
is available under subsection (d) of the Act.
(3) From subsection 552a(d), which requires an agency to permit an
individual to access, contest or request amendment of records
pertaining to him/her/them, because the records contained in this
system relate to official Federal investigations. Individual access to
these records could compromise ongoing investigations, reveal
confidential informants and/or sensitive investigative techniques used
in particular investigations, or constitute unwarranted invasions of
the personal privacy of third parties who are involved in a certain
investigation.
(4) From subsections 552a(e)(1) and (e)(5), which require an agency
to collect/maintain only accurate and relevant information about an
individual, because the accuracy or relevance of information obtained
in the course of a law enforcement investigation is not always known
when collected. Material that may seem unrelated, irrelevant, or
incomplete when collected may take on added meaning or significance as
the investigation progresses. Also, in the interest of effective law
enforcement, it is appropriate to retain all information that may aid
in establishing patterns of criminal activity. Therefore, it would
impede the investigative process if it were necessary to assure the
relevance, accuracy, timeliness and completeness of all information
obtained.
(5) From subsections 552a(e)(4)(G) and (H), which require an agency
to publish--in the Federal Register--procedures concerning access to
records, because no access to these records is available under
subsection (d) of the Privacy Act, for the reasons explained above in
the discussion of subsection (d).
(6) From subsections 552a(f)(2), (f)(3), (f)(4), and (f)(5),
concerning agency rules for obtaining access to records under
subsection (d), because this system is exempt from the access and
amendment provisions of subsection (d). Since EPA is claiming that this
system of records is exempt from subsection (d) of the Act, concerning
access to records, the requirements of subsections (f)(2) through (5)
of the Act, concerning agency rules for obtaining access to such
records, are inapplicable and are exempted to the extent that this
system of records is exempted from subsection (d) of the Act.
(7) From subsection 552a(I), concerning agency rules for use of
records from another agency under a matching program. Such documents
are owned by and the responsibility of the source agency, and only that
source agency can share or release the information.
Note that the (k)(5) exemption applies only to access requests for
background investigation records that would identify a confidential
source.
III. Statutory and Executive Order Reviews
Additional information about these statutes and Executive orders
can be found at https://www.epa.gov/laws-regulations/laws-and-executive-orders.
A. Executive Order 12866: Regulatory Planning and Review, and Executive
Order 13563: Improving Regulation and Regulatory Review
This action was submitted to the Office of Management and Budget
(OMB) for review and reviewed without comment.
B. Paperwork Reduction Act (PRA)
This action does not impose an information collection burden under
the PRA. This action contains no provisions constituting a collection
of information under the PRA.
C. Regulatory Flexibility Act (RFA)
I certify that this action will not have a significant economic
impact on a substantial number of small entities under the RFA. This
action will not impose any requirements on small entities.
D. Unfunded Mandates Reform Act (UMRA)
This action does not contain any unfunded mandate as described in
UMRA, 2 U.S.C. 1531-1538, and does not significantly or uniquely affect
small governments.
E. Executive Order 13132 (Federalism)
This action does not have federalism implications. It will not have
substantial direct effects on the states, on the relationship between
the National Government and the states, or on the distribution of power
and responsibilities among the various levels of government.
F. Executive Order 13175: Consultation and Coordination With Indian
Tribal Governments
This action does not have tribal implications as specified in
Executive Order 13175. Thus, Executive Order 13175 does not apply to
this action.
G. Executive Order 13045: Protection of Children From Environmental
Health Risks and Safety Risks
The EPA interprets Executive Order 13045 as applying only to those
regulatory actions that concern environmental health or safety risks
that the EPA has reason to believe may disproportionately affect
children, per the definition of ``covered regulatory action'' in
section 2-202 of the Executive order. This action is not subject to
Executive Order 13045 because it does not concern an environmental
health risk or safety risk.
H. Executive Order 13211: Actions Concerning Regulations That
Significantly Affect Energy Supply, Distribution, or Use
This action is not subject to Executive Order 13211, because it is
not a significant regulatory action under Executive Order 12866.
I. National Technology Transfer and Advancement Act
This rulemaking does not involve technical standards.
J. Executive Order 12898: Federal Actions To Address Environmental
Justice in Minority Populations and Low-Income Populations
The EPA believes that this action does not have disproportionately
high and adverse human health or environmental effects on minority
populations, low-income populations and/or indigenous peoples, as
specified in Executive Order 12898 (59 FR 7629, February 16, 1994).
K. The Congressional Review Act
This rule is exempt from the Congressional Review Act (CRA) because
it is a rule of agency organization, procedure or practice that does
not substantially affect the rights or obligations of non-agency
parties.
List of Subjects in 40 CFR Part 16
Environmental protection, Administrative practice and procedure,
Confidential business information, Government employees, Privacy.
Kimberly Y. Patrick,
Principal Deputy Assistant Administrator, Office of Mission Support.
For the reasons stated in the preamble, title 40, chapter I, part
16 of the Code of Federal Regulations is amended as follows:
PART 16--IMPLEMENTATION OF PRIVACY ACT OF 1974
1. The authority citation for part 16 continues to read as follows:
Authority: 5 U.S.C. 301, 552a (as revised).
2. Amend Sec. 16.12 by:
a. Revising paragraphs (a)(1), (a)(4)(i) and (iii), (a)(5) introductory
text, and (b)(1);
b. Adding paragraph (b)(4)(iii); and
c. Revising paragraph (b)(5) introductory text.
The revisions and additions read as follows:
Sec. 16.12 Specific exemptions.
(a) * * *
(1) Systems of records affected. (i) EPA-17 Online Criminal
Enforcement Activities Network (OCEAN).
(ii) EPA-21 External Compliance Case Tracking System (EXCATS).
(iii) EPA-30 Inspector General Enterprise Management System (IGEMS)
Hotline Module.
(iv) EPA-40 Inspector General Enterprise Management System (IGEMS)
Investigative Module.
(v) EPA-63 eDiscovery Enterprise Tool Suite.
(vi) EPA-79 NEIC Master Tracking System.
(vii) EPA-83 Personnel Security System (PSS) 2.0.
* * * * *
(4) * * *
(i) EPA systems of records 17, 30, 40, 63, and 79 are exempted from
the following provisions of the PA, subject to the limitations set
forth in 5 U.S.C. 552a(k)(2): 5 U.S.C. 552a(c)(3); (d); (e)(1), (4)(G)
and (4)(H); and (f)(2) through (5). EPA system of records 21 is exempt
from the following provisions of the PA, subject to limitations set
forth in 5 U.S.C. 552a(k)(2): 5 U.S.C. 552a(c)(3), (d), and (e)(1). EPA
system of records 83 is exempt from the following provisions of the PA,
subject to the limitations set forth in 5 U.S.C. 552a(k)(2): 5 U.S.C.
552a(d); (e)(1); (e)(4)(G), (4)(H) and (4)(I); and (f)(2) through (5).
* * * * *
(iii) EPA-83 Personnel Security System (PSS) 2.0 is exempted under
5 U.S.C. 552a(k)(2).
(5) Reasons for exemption. EPA systems of records 17, 21, 30, 40,
63, 79, and 83 are exempted from the provisions of the PA in paragraph
(a)(4) of this section for the following reasons:
* * * * *
(b) * * *
(1) Systems of records affected. (i) EPA 36 Research Grant,
Cooperative Agreement, and Fellowship Application Files.
(ii) EPA 40 Inspector General's Operation and Reporting (IGOR)
System Personnel Security Files.
* * * * *
(4) * * *
(iii) EPA 83 is exempted from the following provisions of the PA,
subject to the limitations of 5 U.S.C. 552(a)(k)(5): 5 U.S.C. 552a(d);
(e)(1); (e)(4)(G), (4)(H) and (4)(I); and (f)(2) through (5).
(5) Reasons for exemption. EPA 36, 40, 83, and 100 are exempted
from the above provisions of the PA for the following reasons:
* * * * *
[FR Doc. 2023-24669 Filed 11-16-23; 8:45 am]
BILLING CODE 6560-50-P