[Federal Register Volume 88, Number 235 (Friday, December 8, 2023)]
[Notices]
[Pages 85660-85664]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-27027]


=======================================================================
-----------------------------------------------------------------------

NATIONAL SCIENCE FOUNDATION


Privacy Act of 1974; System of Records

AGENCY: National Science Foundation (NSF).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, NSF proposes to 
establish a new agency system of records, entitled Freedom of 
Information Act and Privacy Act Request and Appeal Records, NSF-81. 
This system comprises records of requests and administrative appeals 
filed by individuals seeking access to agency records under the Freedom 
of Information Act, and requests and appeals by individuals seeking to 
access or amend agency records, if any, that NSF may maintain about 
them under the Privacy Act. System records about individual requesters, 
and their attorneys or representatives, if applicable, include the 
original request for access, amendment, and any administrative appeal, 
and other supporting documentation, which can include memoranda, 
correspondence, notes, copies of records released to the requester, and 
other file materials compiled or generated in the processing and 
disposition of the individual's request or appeal.

DATES: This system of records shall be effective December 8, 2023, 
except for the ``Routine Use'' section of this document, which shall 
not become effective until January 8, 2024. Public comments on such 
Routine Uses or any other aspect of this notice will be accepted until 
January 8, 2024.

ADDRESSES: Submit comments, identified by ``FOIA/PA SORN,'' by any of 
the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Email: Dorothy Aronson, Senior Agency Official for 
Privacy, [email protected]. Include ``FOIA/PA SORN'' in the subject line 
of the message.
     Mail: Dorothy Aronson, Senior Agency Official for Privacy, 
Office of Information and Resource Management, NSF, 2415 Eisenhower 
Ave., Alexandria, VA 22314.
    Instructions: NSF intends to post all comments on the NSF's website 
(https://www.nsf.gov). All comments submitted in response to this 
Notice will become a matter of public record. Therefore, you should 
submit only information that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT: Sandra Evans, FOIA/PA Officer, NSF, 
Office of General Counsel, 2415 Eisenhower Avenue, Alexandria, VA 
22314, [email protected], (703) 292-8060.

SUPPLEMENTARY INFORMATION: As required by the Privacy Act of 1974, 5 
U.S.C. 552a, NSF is publishing this notice of the establishment of an 
agency system of records (i.e., system of records notice or SORN) 
pertaining to access requests and administrative appeals filed with NSF 
under the Freedom of Information Act (FOIA), and access and amendment 
requests and administrative appeals under the Privacy Act. This system 
(Freedom of Information Act and Privacy Act Request and Appeal Records, 
NSF-81) is being established due to NSF's acquisition of third-party 
commercial cloud-based services and software to track and manage 
electronically the receipt and processing

[[Page 85661]]

of FOIA and Privacy Act requests and appeals.
    The system will be used by NSF to maintain records about 
individuals who submit FOIA access requests, Privacy Act access and 
amendment requests, administrative appeals to NSF under either the FOIA 
or Privacy Act, and FOIA and Privacy Act requests referred to NSF by 
other agencies. These records, which may be created or submitted in 
electronic and paper format, include the individual's request for 
access, amendment, or administrative appeal, and other supporting 
documentation to include related internal memoranda, correspondence 
with the requester or third parties about the request, notes of NSF 
personnel or contractors assigned to handle the request or appeal, logs 
or other data automatically generated by the system (e.g., estimated 
deadline for the agency's response), copies of records, if any, 
released to the requester, and other file materials compiled or 
generated in the processing and disposition of the individual's request 
or appeal. The system does not duplicate any other existing NSF or 
Government-wide systems of records under the Privacy Act.
    In accordance with subsection (r) the Privacy Act, at 5 U.S.C. 
552a(r), and Office of Management and Budget (OMB) Circular No. A-108, 
in addition to publication in the Federal Register, NSF has also 
submitted notice of the establishment of this system of records to OMB 
and to the appropriate Congressional committees. All NSF SORNs, 
including this one, may be viewed at www.nsf.gov/privacy.

SYSTEM NAME AND NUMBER:
    Freedom of Information Act and Privacy Act Request and Appeal 
Records, NSF-81.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    NSF, 2415 Eisenhower Avenue, Alexandria, VA 22314. Information may 
also be maintained for NSF by third-party provider(s) in cloud-based 
storage, subject to applicable Federal information security and privacy 
controls.

 SYSTEM MANAGER(S):
    FOIA/PA Officer, NSF, Office of General Counsel, 2415 Eisenhower 
Avenue, Alexandria, VA 22314.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Freedom of Information Act, as amended, 5 U.S.C. 552; Privacy Act 
of 1974, as amended, 5 U.S.C. 552a; 45 CFR parts 612 and 613 (NSF FOIA 
and PA regulations); OMB Circular Nos. A-130 and A-108.

PURPOSE(S) OF THE SYSTEM:
    To report, track, and process access requests and administrative 
appeals under the FOIA, and access and amendment requests and 
administrative appeals under the Privacy Act; to participate in and 
support litigation that may arise from a FOIA and/or Privacy Act access 
request, amendment request, or administrative appeal; and to assist NSF 
in carrying out any other responsibilities under the FOIA or the access 
or amendment provisions of the Privacy Act.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals who submit access requests and appeals to NSF for 
records under the FOIA and/or the Privacy Act; individuals who submit 
access requests to other Federal agencies whose requests have been 
referred to NSF for processing or consultation; individuals who request 
amendment of their records in an NSF system of records under the 
Privacy Act; and attorneys or other representatives of the individuals 
listed above who make an authorized FOIA or PA request on behalf of 
such individuals.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system comprises records created or compiled by NSF in 
response to FOIA access and Privacy Act access and amendment requests, 
and administrative appeals, including initial requests and 
administrative appeals, and related FOIA or Privacy Act litigation, if 
any. System records include:
    1. Identifying data about the requester or the request or appeal, 
including, but not limited to, the requester's name, mailing address, 
telephone numbers, email addresses, tracking number, date and subject 
of the request, and may include other information (e.g., Social 
Security number) voluntarily submitted or on behalf of the individual 
in support of their request or appeal, as well as other system-
generated data pertaining to the processing of the request or appeal 
(e.g., estimated date for agency's response, extensions);
    2. The agency's response to the individual's request or appeal 
(including copies of responsive records, if any, that were released to 
the requester), copies of emails, correspondence, and other 
communications with the requester or others (e.g., third-party 
submitters of responsive records) generated or compiled in the course 
of processing a request or appeal;
    3. Intra- or interagency memoranda, referrals, correspondence, 
notes, fee schedules, assessments, cost calculations, and other 
documentation related to the processing of the FOIA and/or Privacy Act 
request or appeal, including correspondence or data related to fee 
determinations and collection of fees owed under the FOIA or Privacy 
Act;
    4. Memoranda, correspondence, notes, statements of disagreement 
following a denial of an appeal of a Privacy Act record amendment 
request, and other related or supporting Privacy Act documentation, 
which may include a signed certification, SSN, drivers' license ID, or 
other information submitted by the individual or authorized 
representative as proof of the requester's identity (or, in lieu 
thereof, identity verification data from login.gov or other non-NSF 
third-party agent used to establish the individual's identity); and
    5. If a FOIA or PA request or appeal is litigated, information and 
materials relating to such litigation, including, but not limited to, 
affidavits, exhibits, record indexes, certifications, or other 
materials filed by or obtained from the Department of Justice (DOJ) and 
other government attorneys, personnel, and contractors.
    Consistent with para. 2, records responsive to an individual's FOIA 
request, if they have not been released to the individual, are not 
treated as records maintained about that individual, or accessible to 
that individual, in this system under the Privacy Act. Such records may 
be part of one or more other NSF Privacy Act systems of records, see 
NSF SORNs at www.nsf.gov/privacy, and remain protected by applicable 
exemptions if disclosure is requested under the Privacy Act and/or the 
FOIA by the subject individual, or by any other requester under the 
FOIA.

RECORD SOURCE CATEGORIES:
    Individuals who submit initial access requests and administrative 
appeals pursuant to the FOIA, and individuals submitting access or 
amendment requests and administrative appeals under the Privacy Act, 
and attorneys or other authorized representatives acting on behalf of 
such individuals with respect to such requests and appeals.
    1. NSF personnel and contractors who may be assigned to handle or 
assist with such requests and appeals, or related litigation arising 
therefrom.
    2. Other agencies that have referred a FOIA or Privacy Act request 
to NSF or with whom NSF consults or assists in processing a FOIA or 
Privacy Act

[[Page 85662]]

request received by or referred to NSF, or the litigation of such a 
request or appeal (e.g., Department of Justice).
    3. Third-party individuals or entities who have been consulted or 
notified regarding their proprietary or other interest in records 
responsive to a FOIA or Privacy Act request or appeal (e.g., as the 
submitter or source of such records).
    4. Governmental (e.g., shared service) or non-Governmental third-
party providers performing fee collection (e.g., pay.gov), identity 
verification (e.g., login.gov), or other administrative or other 
functions incidental to the processing of FOIA and Privacy Act requests 
and appeals.
    5. Metadata routinely or automatically generated by the system 
software, relating to the tracking and processing of FOIA and Privacy 
Act requests and appeals (e.g., date that the FOIA request was received 
or logged, estimated date for agency response, NSF staff assigned to 
process the request).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to the disclosures expressly permitted under 
subsections (b)(1)-(2) and (b)(4)-(12) of the Privacy Act of 1974, as 
amended, see 5 U.S.C. 552a(b)(1)-(2) and (b)(4)-(12), all or a portion 
of the records or information contained in this system are subject to 
the following NSF standard routine uses, pursuant to 5 U.S.C. 
552a(b)(3):
    1. Members of Congress. Information from a system may be disclosed 
to congressional offices in response to inquiries from the 
congressional offices made at the request of the individual to whom the 
record pertains.
    2. Freedom of Information Act/Privacy Act Compliance. Information 
from a system may be disclosed to the Department of Justice or the 
Office of Management and Budget in order to obtain advice regarding 
NSF's obligations under the Freedom of Information Act and the Privacy 
Act.
    3. Counsel. Information from a system may be disclosed to NSF's 
legal representatives, including the Department of Justice and other 
outside counsel, where the agency is a party in litigation or has an 
interest in litigation and the information is relevant and necessary to 
such litigation, including when any of the following is a party to the 
litigation or has an interest in such litigation: (a) NSF, or any 
component thereof; (b) any NSF employee in his or her official 
capacity; (c) any NSF employee in his or her individual capacity, where 
the Department of Justice has agreed to, or is considering a request 
to, represent the employee; or (d) the United States, where NSF 
determines that litigation is likely to affect the agency or any of its 
components.
    4. National Archives, General Services Administration. Information 
from a system may be disclosed to representatives of the General 
Services Administration and the National Archives and Records 
Administration (NARA) during the course of records management 
inspections conducted under the authority of 44 U.S.C. 2904 and 2906.
    5. Response to an Actual or Suspected Compromise or Breach of 
Personally Identifiable Information. NSF may disclose information from 
the system to appropriate agencies, entities, and persons when: (a) NSF 
suspects or has confirmed that there has been a breach of the system of 
records; (b) NSF has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals; NSF (including 
its information systems, programs, and operations); the Federal 
Government, or national security; and (c) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with NSF efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm. Furthermore, NSF 
may disclose information from the system to another Federal agency or 
Federal entity, when NSF determines that information from this system 
of records is reasonably necessary to assist the recipient agency or 
entity in: responding to a suspected or confirmed breach; or 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    6. Courts. Information from a system may be disclosed to the 
Department of Justice or other agencies in the event of a pending court 
or formal administrative proceeding, when the information is relevant 
and necessary to that proceeding, for the purpose of representing the 
government, or in the course of presenting evidence, or the information 
may be produced to parties or counsel involved in the proceeding in the 
course of pre-trial discovery.
    7. Contractors. Information from a system may be disclosed to 
contractors, agents, experts, consultants, or others performing work on 
a contract, service, cooperative agreement, job, or other activity for 
NSF and who have a need to access the information in the performance of 
their duties or activities for NSF.
    8. Audit. Information from a system may be disclosed to government 
agencies and other entities authorized to perform audits, including 
financial and other audits, of the agency and its activities.
    9. Law Enforcement. Information from a system may be disclosed, 
where the information indicates a violation or potential violation of 
civil or criminal law, including any rule, regulation or order issued 
pursuant thereto, to appropriate Federal, State, or local agencies 
responsible for investigating, prosecuting, enforcing, or implementing 
such statute, rule, regulation, or order.
    10. Disclosure When Requesting Information. Information from a 
system may be disclosed to Federal, State, or local agencies which 
maintain civil, criminal, or other relevant enforcement information or 
other pertinent information, such as current licenses, if necessary, to 
obtain information relevant to an agency decision concerning the hiring 
or retention of an employee, the issuance of a security clearance, the 
letting of a contract, or the issuance of a license, grant, or other 
benefit.
    11. To the news media and the public when: (a) A matter has become 
public knowledge, (b) the NSF Office of the Director determines that 
disclosure is necessary to preserve confidence in the integrity of NSF 
or is necessary to demonstrate the accountability of NSF's officers, 
employees, or individuals covered by this system, or (c) the Office of 
the Director determines that there exists a legitimate public interest 
in the disclosure of the information, except to the extent that the 
Office of the Director determines in any of these situations that 
disclosure of specific information in the context of a particular case 
would constitute an unwarranted invasion of personal privacy.
    Furthermore, records (or portions thereof) in this system may be 
routinely used and disclosed, pursuant to 5 U.S.C. 552a(b)(3), for the 
following purposes relating to FOIA and Privacy Act requests, appeals, 
and litigation, if any:
    12. To NARA, Office of Government Information Services (OGIS), to 
the extent necessary to fulfill its responsibilities in 5 U.S.C. 
552(h), to review administrative agency policies, procedures and 
compliance with the FOIA, and to facilitate OGIS's offering of 
mediation services to resolve disputes between persons making FOIA 
requests and administrative agencies.
    13. To a Federal agency or other Federal entity that furnished the 
record or information for the purpose of

[[Page 85663]]

permitting that agency or entity to make a decision regarding access to 
or correction of the record or information, or to a Federal agency or 
entity for purposes of providing guidance or advice regarding the 
handling of particular requests.
    14. To facilitate, at NSF's discretion, the placement of FOIA 
request and appeal letters, and agency letters responding thereto, on 
the agency's public record (e.g., www.nsf.gov) to be made available to 
the public for routine inspection and copying, including where records 
have been ``frequently requested'' and disclosed under the FOIA within 
the meaning of that Act, as determined by the NSF.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Official copies of system records are accessed electronically 
through secured NSF systems and principally maintained by NSF or on its 
behalf in electronic cloud storage by third-party service provider(s). 
Records may be collected for processing and storage via online portals 
or other electronic platforms or means operated by NSF, by other 
Government shared-service provider(s) (e.g., FOIA.gov), or by other 
(non-Government) third-party service providers on behalf of NSF. Paper 
records, such as copies of FOIA or Privacy Act requests and appeals 
received through postal mail, may be scanned and stored electronically, 
so that the paper copies need not be maintained and may be securely 
destroyed. NSF personnel or contractors may download or print non-
official copies of records or data from electronic system storage for 
temporary use or reference in processing a FOIA request or appeal, 
provided such copies are handled and stored under secure conditions 
(e.g., locked drawers, offices, and facilities).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by full name of requester; FOIA or Privacy 
Act tracking number pertaining to the request or appeal; date and/or 
year of request or appeal; subject matter; or by other searchable or 
indexed data elements pertaining to an individual's request or appeal 
in the electronic system used to manage and stored the records.
    Note: System records may also be electronically retrieved by the 
name or other personally assigned identifier of individual NSF 
personnel or contractors who may be responsible for or otherwise 
involved in the processing of FOIA and PA requests. Because the records 
pertain to the individuals who filed the request, and are not about the 
NSF personnel or contractors handling such requests, these third-party 
individuals are not included in the categories of individuals covered 
by this system for access, amendment, or other Privacy Act purposes.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Retention and disposal of records in this system of records is 
governed by National Archives and Records Administration (NARA) General 
Records Schedule 4.2, Information Access and Protection Records, as 
follows:
    1. Access request files. Case files created in response to requests 
for records under the FOIA and Privacy Act, including administrative 
appeals, are destroyed six years after final agency action (initial 
response or appeal) or three years after final adjudication by the 
courts if applicable, whichever is later. Longer retention is 
authorized if required for business use.
    2. Privacy Act amendment request files. Files relating to an 
individual's request to amend a record subject to the Privacy Act and 
any appeal or civil action that follows are destroyed with the records 
for which amendment was requested or four years after the final 
determination by agency or final adjudication by the courts if 
applicable, whichever is later. Longer retention is authorized if 
required for business use.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    NSF safeguards records in this system of records according to 
applicable Federal and NSF rules, policies, and procedures, including 
all applicable NSF automated systems security and access policies. 
Controls include mandatory information assurance and privacy training 
for individuals who will have access; identification, marking, and 
safeguarding of PII; physical access safeguards including multifactor 
identification physical access controls, detection and electronic alert 
systems for access to servers and other network infrastructure; and 
electronic intrusion detection systems in NSF facilities.
    The third-party provider that provides cloud-based management has 
developed a comprehensive computer security handbook that includes an 
overarching organization-wide information security policy and 
associated procedures for each NIST family of security controls, 
including, for example, awareness and training policies and procedures. 
The third-party provider, to the extent it provides cloud-based storage 
and other services for this system, follows FedRAMP guidance when 
preparing security authorization and security-related assessment 
documentation, and it follows FedRAMP policies to meet all relevant 
associated security assessment and authorization controls. The Security 
Assessment and Authorization policy and procedures are reviewed 
annually.

RECORD ACCESS PROCEDURES:
    You may seek access to records about you in this Privacy Act system 
(i.e., NSF records maintained about your FOIA or PA request(s)) by 
following the procedures in 45 CFR part 613 for making a Privacy Act 
access request. You may submit your request in person, via postal mail, 
via www.FOIA.gov, via the email address listed on the FOIA page at 
www.nsf.gov, or via the public access link (PAL) or other online 
portal, if any, provided by the agency or on its behalf by its 
contractor(s). (You do not need to submit such a request to check the 
status of your FOIA or PA request(s) in the system, which you can do 
online through the PAL portal.)
    To request access to your records under the Privacy Act, your 
request must be in writing, signed, and notarized, as detailed below. 
It should contain the name and number of the relevant Privacy Act 
records system to which you are seeking access--in this case, FOIA/PA 
Request and Appeal Records, NSF-81--along with your full name, current 
address, email address, and telephone number. Also include the assigned 
FOIA/PA tracking number, if any, for your FOIA or PA request(s) or 
appeal(s) maintained in this system, or other means of identifying 
records about you and your requests or appeals in this system.
    Before processing a Privacy Act access request, NSF also requires 
that you verify your identity in an appropriate fashion. Individuals 
appearing in person to submit a Privacy Act request should be prepared 
to show reasonable picture identification, such as driver's license, 
government or other employment identification card, or passport. Your 
Privacy Act request also must be notarized, or submitted by you under 
28 U.S.C. 1746, a law that permits statements to be made under penalty 
of perjury as a substitute for notarization, as provided below:
     If executed outside the United States: ``I declare (or 
certify, verify, or state) under penalty of perjury under the laws of 
the United States of America that the foregoing is true and correct. 
Executed on (date). (Signature).''
     If executed within the United States, its territories, 
possessions, or

[[Page 85664]]

commonwealths: ``I declare (or certify, verify, or state) under penalty 
of perjury that the foregoing is true and correct. Executed on (date). 
(Signature).''
    In addition, your Privacy Act request should include a statement 
that you understand that knowingly or willfully seeking or obtaining 
access to Privacy Act records under false pretenses is punishable by a 
fine of up to $5,000. See 5 U.S.C. 552a(i)(3).

CONTESTING RECORD PROCEDURES:
    Individuals seeking to amend or correct the content of records 
about themselves should follow the procedures in 45 CFR part 613.

NOTIFICATION PROCEDURES:
    Individuals seeking to determine whether information about 
themselves is contained in this system of records should follow the 
instructions for Record Access Procedures above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

    Dated: December 5, 2023.
Suzanne H. Plimpton,
Reports Clearance Officer, National Science Foundation.
[FR Doc. 2023-27027 Filed 12-7-23; 8:45 am]
BILLING CODE 7555-01-P