[Federal Register Volume 89, Number 31 (Wednesday, February 14, 2024)]
[Notices]
[Pages 11278-11280]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-03000]


-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

[Notice-IE-2024-01; Docket No. 2024-0002; Sequence No. 2]


Privacy Act of 1974; Notice of a Modified System of Records

AGENCY: Office of the Chief Privacy Officer; General Services 
Administration (GSA).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: GSA proposes to modify an existing System of Records Notice to 
more accurately describe functionality of the system of records and to 
bring the Notice into compliance with the format promulgated in OMB 
Guidance A-108.

DATES: Submit comments on or before March 15, 2024. The new and/or 
significantly modified routine uses will be applicable on March 15, 
2024.

ADDRESSES: Comments may be submitted to the Federal eRulemaking Portal, 
http://www.regulations.gov. Submit comments by searching for ``Notice-
IE-2024-01'', Notice of Revised System of Records. Comments may also be 
submitted by mail at GSA, Regulatory Secretariat Division (MVCB), 1800 
F Street NW, Washington, DC 20405.

FOR FURTHER INFORMATION CONTACT: Call or email Richard Speidel, Chief 
Privacy Officer at 202-969-5830 and [email protected].

SUPPLEMENTARY INFORMATION: GSA proposes to update a system of records 
subject to the Privacy Act of 1974, as amended. GSA is modifying the 
Notice to update the system name to ``Cloud Information Infrastructure 
System,'' which was previously entitled ``GSA's Enterprise Organization 
of Google

[[Page 11279]]

Applications, Moderate Impact Software as a Service Cloud (SaaS) Minor 
Applications & GSA's EEO Org of Salesforce.com.'' This system of 
records is directed to GSA's cloud-based information infrastructure 
systems and services implemented across various vendors as well as GSA 
applications, all of which are part of either the Google Workspace or 
Salesforce environments.
    Substantive updates are being made to the Name of the System, 
System Manager, Authority for Maintenance of the System, Purpose, 
Categories of Individuals Covered by the System, Categories of Records 
in the System, Record Source Categories, Policies and Practices for 
Storage of Records, Policies and Practices for Retrieval of Records, 
Policies and Practices for Retention and Disposal of Records, 
Administrative, Technical, and Physical Safeguards, Record Access 
Procedures, and Notification Procedures. Minor administrative edits are 
being made to the Routine Uses and Contesting Record Procedures.
    GSA is also making technical changes to GSA/CIO-3 consistent with 
OMB Circular No. A-108. Accordingly, GSA has made technical corrections 
to identify the newly-renamed sections: ``Policies and Practices for 
Storage of Records,'' ``Policies and Practices for Retrieval of 
Records,'' ``Policies and Practices for Retention and Disposal of 
Records,'' ``Administrative, Technical and Physical Safeguards,'' 
``Record Access Procedures,'' ``Contesting Record Procedures,'' and 
``Notification Procedures.'' GSA has also created the following new 
sections: ``Security Classification'' and ``History.''

SYSTEM NAME AND NUMBER:
    Cloud Information Infrastructure System, GSA/CIO-3.

SYSTEM CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The Cloud Information Infrastructure System is operated and 
maintained by GSA and on behalf of GSA by its contractor(s). It is 
hosted in secure cloud hosted data centers in the continental United 
States.

SYSTEM MANAGER:
    Associate CIO, Office of Corporate IT Services, Office of GSA IT, 
General Services Administration, 1800 F Street NW, Washington, DC 
20405.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301; 40 U.S.C. 11315; 44 U.S.C. 3506; E.O. 9397, as 
amended; 5 U.S.C. 1001-14; 40 U.S.C. 3306.

PURPOSES:
    To maintain a system of records directed to the use of GSA's cloud 
infrastructure systems, which contain a disparate set of systems and 
records. For example, GSA users maintain a limited set of personal 
information on the Google platform in order to facilitate use and 
management of information in order to carry out the requirements of 
their positions. Members of the public provide contact information to 
voluntarily participate in public outreach programs or to participate 
in the groups founded by the Federal Advisory Committee Act.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The categories of individuals covered by this system include 
members of the public, past and present GSA employees, past and present 
GSA contractors, and past and present employees of other federal 
agencies.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system of records includes, but is not limited to Name, 
Business Contact Information (business phone number, business email 
address, business location, organizational information), Social 
Security Number (SSN), Personal Contact Information (personal physical 
address, personal phone number, personal email address), information 
regarding employee relocations, and/or information regarding an 
individual's appointment to one or more advisory committees (title, 
details of department/committee, occupation, appointment type, funding 
source).

RECORD SOURCE CATEGORIES:
    Information is provided by the individual to whom the record 
pertains.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed to authorized 
entities, as is determined to be relevant and necessary, outside GSA as 
a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    a. To a Member of Congress or his or her staff on behalf of and at 
the request of the individual who is the subject of the record.
    b. To the National Archives and Records Administration (NARA) for 
records management purposes.
    c. To an expert, consultant, or contractor of GSA in the 
performance of a Federal duty to which the information is relevant.
    d. To an appropriate Federal, State, tribal, local, international, 
or foreign law enforcement agency or other appropriate authority 
charged with investigating or prosecuting a violation or enforcing or 
implementing a law, rule, regulation, or order, where a record, either 
on its face or in conjunction with other information, indicates a 
violation or potential violation of law, which includes criminal, 
civil, or regulatory violations.
    e. To the Office of Personnel Management (OPM), the Office of 
Management and Budget (OMB), and the Government Accountability Office 
(GAO) in accordance with their responsibilities for evaluating Federal 
programs.
    f. To appropriate agencies, entities, and persons when
    (1) GSA suspects or has confirmed that the security or 
confidentiality of information in the system of records has been 
compromised;
    (2) GSA has determined that as a result of the suspected or 
confirmed compromise there is a risk of harm to economic or property 
interests, identity theft or fraud, or harm to the security or 
integrity of this system or other systems or programs (whether 
maintained by GSA or another agency or entity) that rely upon the 
compromised information; and (3) the disclosure made to such agencies, 
entities, and persons is reasonably necessary to assist in connection 
with GSA's efforts to respond to the suspected or confirmed compromise 
and prevent, minimize, or remedy such harm.
    g. To another Federal agency or Federal entity, when GSA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in
    (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    h. In connection with any litigation or settlement discussions 
regarding claims by or against the GSA, including public filing with a 
court, to the extent that GSA determines the disclosure of the 
information is relevant and necessary to the litigation or discussions.
    i. To an appeal, grievance, hearing, or complaints examiner; an 
equal employment opportunity investigator, arbitrator, or mediator; and 
an exclusive representative or other person

[[Page 11280]]

authorized to investigate or settle a grievance, complaint, or appeal 
filed by an individual who is the subject of the record.
    j. To compare such records to other agencies' systems of records or 
to non-Federal records, in coordination with an Office of Inspector 
General (OIG) in conducting an audit, investigation, inspection, 
evaluation, or some other review as authorized by the Inspector General 
Act.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic records are stored on a secure server with access 
limited to staff on a need-to-know basis.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by name or another identifier.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are retained and disposed of according to GSA records 
maintenance and disposition schedules, GSA Directive CIO 1820.2--``GSA 
Records Management Program,'' and requirements of the National Archives 
and Records Administration (e.g., NARA General Records Schedule (GRS)).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    The underlying information systems are authorized to operate by the 
GSA CIO. Two-factor authentication is required and used for all 
individuals who access this system.

RECORD ACCESS PROCEDURES:
    The Privacy Act allows individuals the right to access records 
about them in a system of records. A request for access must include: 
1. Full Name and Address; 2. A description of the records sought; the 
title and number of this system of records as published in the Federal 
Register; 3. A brief description of the nature, time, and place of 
association with GSA; and 4. Any other information that will help in 
locating the record.

CONTESTING RECORD PROCEDURES:
    An individual may request amendment to a record by writing to the 
system manager with the proposed amendment, which must bear the 
following marking: ``Privacy Act Request to Amend the Record.'' Certain 
records are unable to be amended.

NOTIFICATION PROCEDURES:
    An individual may determine if this system contains a record 
pertaining to them by sending a request in writing, signed, to the 
System Manager at the above address. The same requirements for Record 
Access Procedures must be followed for Notification Procedures.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    79 FR 47138, September 11, 2014; 78 FR 35033, July 11, 2013; 77 FR 
63316, November 15, 2012.

Richard Speidel,
Chief Privacy Officer, Office of the Deputy Chief Information Officer, 
General Services Administration.
[FR Doc. 2024-03000 Filed 2-13-24; 8:45 am]
BILLING CODE 6820-AB-P