[Federal Register Volume 89, Number 28 (Friday, February 9, 2024)]
[Notices]
[Pages 9113-9116]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-02670]


-----------------------------------------------------------------------

AGENCY FOR INTERNATIONAL DEVELOPMENT


Privacy Act of 1974; System of Records

AGENCY: Agency for International for Development (USAID).

ACTION: Notice of new privacy act system of records.

-----------------------------------------------------------------------

SUMMARY: The Agency for International Development (USAID) proposes to 
establish a new system of records titled, ``USAID-38: Responsibility, 
Safeguarding, and Compliance Case Management System (RSC CMS)'' subject 
to the Privacy Act of 1974, as amended. The purpose of publishing this 
notice is to meet federal requirements and promote consistent 
maintenance of USAID RSC CMS records. The new system is a dedicated 
incident and case management system which will contain records that 
capture reports of misconduct allegations and issues related to USAID 
programming and supports USAID's ability to monitor and respond to 
misconduct.

DATES: Submit comments on or before March 11, 2024. This new system of 
records will be effective upon publication. The Routine Uses are 
effective at the close of the comment period.

ADDRESSES: You may submit comments:

Electronic

     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions on the website for submitting comments.
     Email: [email protected].

Paper

     Fax: 202-916-4946.
     Mail: Chief Privacy Officer, United States Agency for 
International Development, 1300 Pennsylvania Avenue NW, Washington, DC 
20523.

FOR FURTHER INFORMATION CONTACT: Ms. Celida A. Malone, USAID Privacy 
Program at United States Agency for International Development, Bureau 
for Management, Office of the Chief Information Officer, Information 
Assurance Division: ATTN: USAID Privacy Program, 1300 Pennsylvania 
Avenue, NW, Washington, DC 20523, or by phone number at 202-916-4605.

SUPPLEMENTARY INFORMATION: USAID proposes to establish a new System of 
Records subject to the Privacy Act of 1974, 5 U.S.C. 552a. The new 
system, Responsibility, Safeguarding, and Compliance Case Management 
System (RSC CMS), is a dedicated incident and case management system 
which will contain records that capture reports of misconduct 
allegations and issues from all partner types, including grantees, 
contractors, public international organizations, and sub awardees. This 
collection supports USAID's ability to monitor and respond to 
allegations of any partners engaging in misconduct and prohibited 
activities. RSC CMS will provide a coordinated, streamlined, and 
consistent mechanism for the Agency to receive, track and respond to 
allegations of misconduct consistent with the statutory authorities for 
the collection. This system will assist USAID in documenting, recording 
and responding to safeguarding allegations and managing administrative 
actions, such as suspension and debarment proceedings, related to 
misconduct allegations of all types, including fraud, waste, and abuse. 
The system will also assist USAID in tracking and documenting USAID's 
assistance appeal resolution process that gives implementing partners 
the right to appeal an Agreement Officer's final decision.

Dated: November 9, 2023

Mark Joseph Johnson,

Chief Privacy Officer, United States Agency for International 
Development.

SYSTEM NAME AND NUMBER:
    USAID-38, Responsibility, Safeguarding, and Compliance Case 
Management System (RSC CMS).

SECURITY CLASSIFICATION:
    Sensitive But Unclassified.

[[Page 9114]]

SYSTEM LOCATION:
    USAID AWS East for ServiceNow MID Servers (AWS US-EAST-1): 7600 
Doane Drive, Manassas VA, 20109); and ServiceNow's data centers 
(primary in Culpepper, VA and alternate in Miami, FL) for ServiceNow 
SaaS/PaaS.

SYSTEM MANAGER(S):
    Position: Compliance Division Chief.
    Office: Bureau for Management/Management Policy, Budget, and 
Performance/Compliance (M/MPBP/COMP).
    Email: [email protected].
    Address: 500 D Street SW, Washington DC, 20024.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM
    Foreign Assistance Act of 1961, as amended. Executive Order 12549, 
2 CFR part 180, 2 CFR 200.342 and 700.14, 2 CFR subtitle A, chapter I, 
parts 175, 180, 182, and 183. 2 CFR subtitle A, chapter I, parts 175, 
180, 182, and 183.

PURPOSE(S) OF THE SYSTEM:
    Responsibility, Safeguarding, and Compliance Case Management System 
(RSC CMS) is a comprehensive system which will be used to, record, 
investigate, track, respond to and report on allegations of misconduct 
including sexual exploitation and abuse (SEA), trafficking in persons 
(TIP), and child abuse, exploitation, and neglect (CAEN) allegations 
that USAID (``Agency'') receives. The RSC CMS is a dedicated incident 
and case management module to support a coordinated, streamlined, and 
consistent response to all misconduct allegations and issues from all 
partner types, including grantees, contractors, public international 
organizations, and sub awardees. The RSC CMS will contain information 
needed to track and take administrative actions, such as suspension and 
debarment, in response to misconduct allegations of all types, 
including safeguarding violations and allegations of fraud, waste, and 
abuse. It will also contain information related to USAID's assistance 
appeal resolution process that gives implementing partners the right to 
appeal an Agreement Officer's final decision.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM
    The System of Records covers individuals related to current, former 
and prospective deal participants (individuals and businesses), 
applicants, USAID employees, contractors, contractor employees, 
executives, managers, and personal and professional references 
associated with the deal applicants and participants; USAID's 
implementing partners, portfolio companies, service providers, 
participating United States Government (USG) Agency administrators, and 
certain other individuals associated, affiliated with or involved with 
USAID.

CATEGORIES OF RECORDS IN THE SYSTEM
    This system consists of records created or compiled during 
suspension and debarment and other administrative actions, USAID Office 
of Inspector General referrals, and disclosures of misconduct including 
sexual exploitation and abuse; child exploitation, abuse and neglect; 
and trafficking in persons associated with partners supporting USAID 
programs. These records contain names, position titles, email 
addresses, physical addresses, email address, system account creation 
date and time, last login, IP address, and browser type.

RECORD SOURCE CATEGORIES
    USAID implementing partners, the USAID Office of Inspector General, 
media, civil society organizations, witnesses, survivors, and USAID 
workforce.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the information 
contained in this system may be disclosed to authorized entities, as is 
determined to be relevant and necessary, outside USAID as a routine use 
pursuant to 5 U.S.C. 552a(b)(3) as follows:
    (1) To coordinators of the various USAID business development and 
entrepreneurial events, such as training, outreach, marketing, and 
matchmaking activities.
    (2) To an agency or organization, including the USAID's Office of 
Inspector General, for the purpose of performing audit or oversight 
operations as authorized by law, but only such information as is 
necessary and relevant to such audit or oversight function.
    (3) In the event of an indication of a violation or potential 
violation of law, whether civil, criminal or regulatory in nature, and 
whether arising by statute or particular program pursuant thereto, to 
the appropriate agency, whether federal, state, local, or foreign, 
charged with the responsibility of investigating or prosecuting such 
violation or charged with enforcing or implementing the statute, or 
rule, regulation or order involved.
    (4) To a Federal, State, or local agency maintaining civil, 
criminal, or other relevant enforcement information or other pertinent 
information if necessary to obtain information relevant to an Agency 
decision concerning the hiring or retention of an employee; the 
issuance of a security clearance; the reporting of an investigation of 
an employee; the assignment, detail, or deployment of an employee; the 
letting of a contract; or the approval of a grant or other benefits.
    (5) To provide information to a congressional office from the 
record of an individual in response to an inquiry from that 
congressional office made at the request of that individual.
    (6) To a court, magistrate, or other administrative body in the 
course of presenting evidence, including disclosures to counsel or 
witnesses in the course of civil discovery, litigation, or settlement 
negotiations or in connection with criminal proceedings, when the USAID 
is a party to the proceeding or has a significant interest in the 
proceeding, to the extent that the information is determined to be 
relevant and necessary.
    (7) To disclose information to officials of the Merit Systems 
Protection Board or the Office of the Special Counsel, when requested 
in connection with appeals, special studies of the civil service and 
other merit systems, review of OPM rules and regulations, 
investigations of alleged or possible prohibited personnel practices, 
and such other functions, e.g., as promulgated in 5 U.S.C. 1205 and 
1206, or as may be authorized by law.
    (8) To the National Archives and Records Administration for the 
purposes of records management inspections conducted under the 
authority of 44 U.S.C. 2904 and 2906.
    (9) To disclose information to the Equal Employment Opportunity 
Commission when requested in connection with investigations into 
alleged or possible discrimination practices in the Federal sector, 
compliance by Federal agencies with the Uniform Guidelines on Employee 
Selection Procedures or other functions vested in the Commission and to 
otherwise ensure compliance with the provisions of 5 U.S.C. 7201.
    (10) To appropriate agencies, entities, and persons when (a) USAID 
suspects or has confirmed that there has been a breach of the System of 
Records, (b) USAID has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, USAID 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and (c) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist with

[[Page 9115]]

USAID's efforts to respond to the suspected or confirmed breach and/or 
to prevent, minimize, or remedy such harm.
    (11) To another Federal agency or Federal entity when USAID 
determines information from this System of Records is reasonably 
necessary to assist the recipient agency or entity in: (a) responding 
to a suspected or confirmed breach; or (b) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.
    (12) To another agency or agent of a Government jurisdiction within 
or under the control of the U.S., lawfully engaged in national security 
or homeland defense when disclosure is undertaken for intelligence, 
counterintelligence activities (as defined by 50 U.S.C. 3003(3)), 
counterterrorism, homeland security, or related law enforcement 
purposes, as authorized by U.S. law or Executive Order.
    (13) To either House of Congress, or, to the extent of matter 
within its jurisdiction, any committee or subcommittee thereof, any 
joint committee of Congress or subcommittee of any such joint 
committee.'' 5 U.S.C. 552a(b)(9).
    (14) To the Department of State and its posts abroad for the 
purpose of transmission of information between organizational units of 
the Agency, or for purposes related to the responsibilities of the 
Department of State in conducting United States foreign policy or 
protecting United States citizens, such as the assignment of employees 
to positions abroad, the reporting of accidents abroad, evacuation of 
employees and dependents, and other purposes for which officers and 
employees of the Department of State have a need for the records in the 
performance of their duties.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    All information contained in the System of Record is stored in 
electronic format. The data is encrypted at rest and in transit using 
Agency approved FIPS-compliant encryption solutions.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by case identification number or by the name 
of the individual or organization that is the subject of a disclosure, 
referral, or administrative action. Users must be properly 
authenticated in the system to retrieve the data.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are maintained and dispositioned in accordance with USAID 
Automated Directive System, Chapter 502 Records Management policy and 
the General Records Schedule/USAID Combined Records Disposition 
Schedules on a retention schedule of five years which are consistent 
with guidance established by the National Archives and Records 
Administration.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Technical, administrative, and physical security safeguards are 
implemented in accordance with the requirements of the Privacy Act, the 
Federal Information Security Modernization Act (FISMA), and USAID 
Automated Directive System privacy and security policies and system 
specific operating procedures. Detailed implementation descriptions are 
documented in the RSC CMS Privacy Impact Assessment and System Security 
Plan and include but are not limited to the following security controls 
to ensure the confidentiality and integrity of the data and records 
that are stored, processed, and transmitted: user awareness training, 
rules of behavior, and user agreements; logical and physical access; 
system and communications protections; identification and 
authentication; media protection; and audit and accountability 
controls. User access and roles are explicitly approved and assigned 
specific permissions to prevent, restrict, or allow individuals with 
the appropriate clearances and need to know access to the system and/or 
information only to the degree necessary in the performance of their 
official associated duties. These controls are monitored and assessed 
on a continuous basis to ensure the safeguards remain effective 
throughout the system and data lifecycles.

RECORD ACCESS PROCEDURES:
    Under the Privacy Act, individuals may request access to records 
about themselves. These individuals must be limited to citizens of the 
United States or aliens lawfully admitted for permanent residence. If a 
Federal Department or Agency or a person who is not the individual who 
is the subject of the records, requests access to records about an 
individual, the written consent of the individual who is the subject of 
the records is required.
    Individuals seeking access to information about themselves 
contained in this System of Records should address inquiries to the 
Bureau for Management, Office of Management Services, Information and 
Records Division (M/MS/IRD), USAID Annex--Room 2.4.0C, 1300 
Pennsylvania Avenue NW, Washington, DC 20523. The requester may 
complete and sign a USAID Form 507-1, Certification of Identity Form or 
submit signed, written requests that should include the individual's 
full name, current address, telephone number and this System of Records 
Notice number. In addition, the requester must provide either a 
notarized statement or an unsworn declaration made in accordance with 
28 U.S.C. 1746, in the following format:
    If executed outside the United States: ``I declare (or certify, 
verify, or state) under penalty of perjury under the laws of the United 
States of America that the foregoing is true and correct. Executed on 
(date). (Signature).''
    If executed within the United States, its territories, possessions, 
or commonwealths: ``I declare (or certify, verify, or state) under 
penalty of perjury that the foregoing is true and correct. Executed on 
(date). (Signature).''

CONTESTING RECORD PROCEDURES:
    The USAID rules for accessing records, contesting contents, and 
appealing initial agency determinations are contained in 22 CFR part 
212 or may be obtained from the program manager or system owner.

NOTIFICATION PROCEDURES:
    Individuals seeking to determine if information about themselves is 
contained in this System of Records should address inquiries to the 
Bureau for Management, Office of Management Services, Information and 
Records Division (M/MS/IRD), USAID Annex--Room 2.4.0C, 1300 
Pennsylvania Avenue NW, Washington, DC 20523. Individuals may complete 
and sign a USAID Form 507-1, Certification of Identity Form or submit 
signed, written requests that should include the individual's full 
name, current address, and telephone number. In addition, the requester 
must provide either a notarized statement or an unsworn declaration 
made in accordance with 28 U.S.C. 1746, in the following format:
    If executed outside the United States: ``I declare (or certify, 
verify, or state) under penalty of perjury under the laws of the United 
States of America that the foregoing is true and correct. Executed on 
(date). (Signature).''
    If executed within the United States, its territories, possessions, 
or

[[Page 9116]]

commonwealths: ``I declare (or certify, verify, or state) under penalty 
of perjury that the foregoing is true and correct. Executed on (date). 
(Signature).

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    To the extent permitted under the Privacy Act of 1974, 5 U.S.C. 
552a(k)(2), this system has been exempted from the provisions of the 
Privacy Act of 1974 that permit access and correction. However, USAID 
may, in its discretion, fully grant individual requests for access and 
correction if it determines that the exercise of these rights will not 
interfere with an interest that the exemption is intended to protect. 
The exemption from access is limited in some instances by law to 
information that would reveal the identity of a confidential source.
    Pursuant to 5 U.S.C. 552a(k)(2), this system is exempt from the 
following provisions of the Privacy Act of 1974, subject to the 
limitations set forth in that subsection: 5 U.S.C. 552a (c)(3); (d); 
(e)(1); (e)(4)(G); (e)(4)(H); and (f)(2) through (5). Pursuant to 5 
U.S.C. 552a(k)(5), this system is exempt from the following provisions 
of the Privacy Act, subject to the limitations set forth in that 
subsection: 5 U.S.C. 552a(c)(3) and (d).

HISTORY:
    None.

Celida Ann Malone,
Government Privacy Task Lead.
[FR Doc. 2024-02670 Filed 2-8-24; 8:45 am]
BILLING CODE 6116-01-P