[Federal Register Volume 89, Number 49 (Tuesday, March 12, 2024)]
[Rules and Regulations]
[Pages 17749-17751]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-05142]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 310

[Docket ID: DoD-2023-OS-0060]
RIN 0790-AL64


Privacy Act of 1974; Implementation

AGENCY: Office of the Secretary of Defense (OSD), Department of Defense 
(DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Defense (Department or DoD) is issuing a 
final rule to amend its regulations to exempt portions of the system of 
records titled DoD-0019, ``Information Technology Access and Audit 
Records,'' from certain provisions of the Privacy Act of 1974.

DATES: This rule is effective on March 12, 2024.

FOR FURTHER INFORMATION CONTACT: Ms. Rahwa Keleta, Privacy and Civil 
Liberties Directorate, Office of the Assistant to the Secretary of 
Defense for Privacy, Civil Liberties, and Transparency, Department of 
Defense, 4800 Mark Center Drive, Mailbox #24, Suite 08D09, Alexandria, 
VA 22350-1700; [email protected]; (703) 571-0070.

SUPPLEMENTARY INFORMATION:

Discussion of Comments and Changes

    The proposed rule published in the Federal Register (88 FR 60411-
60413) on September 1, 2023. Comments were accepted for 60 days until 
October 31, 2023. No comments were received.

I. Background

    In finalizing this rule, DoD is exempting portions of this system 
of records titled, DoD-0019, ``Information Technology Access and Audit 
Records,'' from certain provisions of the Privacy Act of 1974. The 
purpose of this system of records is to support information systems 
being established within the DoD using the same categories of data for 
the same purposes. This system of records covers DoD's maintenance of 
records related to requests for user access, attempts to access, 
granting of access, records of user actions for DoD information 
technology (IT) systems, and user agreements. This includes details of 
programs, databases, functions, and sites accessed and/or used, and the 
information products created, received, or altered during the use of IT 
systems. The system consists of both electronic and paper records and 
will be used by DoD components and offices to maintain records about 
individuals who have user agreements, user access to and activity on 
networks, computer systems, applications, databases, or other digital 
technologies.

II. Privacy Act Exemption

    The Privacy Act allows Federal agencies to exempt eligible records 
in a system of records from certain provisions of the Act, including 
those that provide individuals with a right to request access to and 
amendment of their own records. If an agency intends to exempt a 
particular system of records, it must first go through the rulemaking 
process pursuant to 5 U.S.C. 553(b)(1)-(3), (c), and (e). The OSD is 
amending 32 CFR part 310 to add a new Privacy Act exemption rule for 
this system of records. The DoD is adding exemptions for this system of 
records pursuant to 5 U.S.C. 552a(k)(1) and (2) because some of its 
records may contain classified national security information or 
investigatory material compiled for law enforcement purposes. The DoD 
is claiming an exemption from several provisions of the Privacy Act, 
including various access, amendment, disclosure of accounting, and 
certain recordkeeping and notice requirements, to avoid, among other 
harms, frustrating the underlying purposes for which the information 
was gathered.

Regulatory Analysis

Executive Order 12866--Regulatory Planning and Review; Executive Order 
13563--Improving Regulation and Regulatory Review; and Executive Order 
14094--Modernizing Regulatory Review

    Executive Orders 12866 (as amended by Executive Order 14094) and 
13563 direct agencies to assess all costs and benefits of available 
regulatory alternatives and, if regulation is necessary, to select 
regulatory approaches that maximize net benefits (including potential 
economic, environmental, public health and safety effects, distributive 
impacts, and equity). Executive Order 13563 emphasizes the importance 
of quantifying both costs and benefits, of reducing costs, of 
harmonizing rules, and of promoting flexibility. It has been determined 
that this rule is not a significant regulatory action under these 
Executive orders.

[[Page 17750]]

Congressional Review Act

    The Congressional Review Act (5 U.S.C. 801 et seq.) generally 
provides that before a rule may take effect, the agency promulgating 
the rule must submit a rule report, which includes a copy of the rule, 
to each House of the Congress and to the Comptroller General of the 
United States. DoD will submit a report containing this rule and other 
required information to the U.S. Senate, the U.S. House of 
Representatives, and the Comptroller General of the United States. A 
major rule may take effect no earlier than 60 calendar days after 
Congress receives the rule report or the rule is published in the 
Federal Register, whichever is later. This rule is not a ``major rule'' 
as defined by 5 U.S.C. 804(2).

Unfunded Mandates Reform Act

    Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) 
(Pub. L. 104-4; 2 U.S.C. 1532(a)) requires agencies to assess 
anticipated costs and benefits before issuing any rule whose mandates 
may result in the expenditure by State, local and Tribal governments in 
the aggregate, or by the private sector, in any one year of $100 
million in 1995 dollars, updated annually for inflation. This rule will 
not mandate any requirements for State, local, or Tribal governments, 
nor will it affect private sector costs.

Regulatory Flexibility Act

    The Assistant to the Secretary of Defense for Privacy, Civil 
Liberties, and Transparency has certified that this rule is not subject 
to the Regulatory Flexibility Act (Pub. L. 96-354; 5 U.S.C. 601 et 
seq.) because it would not, if promulgated, have a significant economic 
impact on a substantial number of small entities. This rule is 
concerned only with the administration of Privacy Act systems of 
records within the DoD. Therefore, the Regulatory Flexibility Act, as 
amended, does not require DoD to prepare a regulatory flexibility 
analysis.

Paperwork Reduction Act

    The Paperwork Reduction Act (PRA) (Pub. L. 96-511; 44 U.S.C. 3501 
et seq.) was enacted to minimize the paperwork burden for individuals; 
small businesses; educational and nonprofit institutions; Federal 
contractors; State, local and Tribal governments; and other persons 
resulting from the collection of information by or for the Federal 
Government. The Act requires agencies to obtain approval from the 
Office of Management and Budget before using identical questions to 
collect information from ten or more persons. This rule does not impose 
reporting or recordkeeping requirements on the public.

Executive Order 13132--Federalism

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a rule that has federalism 
implications, imposes substantial direct requirement costs on State and 
local governments, and is not required by statute, or has federalism 
implications and preempts State law. This rule will not have a 
substantial effect on State and local governments.

Executive Order 13175--Consultation and Coordination With Indian Tribal 
Governments

    Executive Order 13175 establishes certain requirements that an 
agency must meet when it promulgates a rule that imposes substantial 
direct compliance costs on one or more Indian Tribes, preempts Tribal 
law, or affects the distribution of power and responsibilities between 
the Federal Government and Indian Tribes. This rule will not have a 
substantial effect on Indian Tribal governments.

List of Subjects in 32 CFR Part 310

    Privacy.

    Accordingly, 32 CFR part 310 is amended as follows:

PART 310--PROTECTION OF PRIVACY AND ACCESS TO AND AMENDEMENT OF 
INDIVIDUAL RECORDS UNDER THE PRIVACY ACT OF 1974

0
1. The authority citation for 32 CFR part 310 continues to read as 
follows:

    Authority: 5 U.S.C. 552a.


0
2. Amend Sec.  310.13 by adding paragraph (e)(14) to read as follows:


Sec.  310.13  Exemptions for DoD-wide systems.

* * * * *
    (e) * * *
    (14) System identifier and name. DoD-0019, ``Information Technology 
Access and Audit Records.''
    (i) Exemptions. This system of records is exempt from 5 U.S.C. 552a 
(c)(3); (d)(1), (2), (3), and (4); (e)(1); (e)(4)(G), (H), and(I); and 
(f).
    (ii) Authority. 5 U.S.C. 552a(k)(1) and (2).
    (iii) Exemption from the particular subsections. Exemption from the 
particular subsections is justified for the following reasons:
    (A) Subsections (c)(3), (d)(1), and (d)(2)--(1) Exemption (k)(1). 
Records in this system of records may contain information that is 
properly classified pursuant to executive order. Application of 
exemption (k)(1) may be necessary because access to and amendment of 
the records, or release of the accounting of disclosures for such 
records, could reveal classified information. Disclosure of classified 
records to an individual may cause damage to national security.
    (2) Exemption (k)(2). Records in this system of records may contain 
investigatory material compiled for law enforcement purposes other than 
material within the scope of 5 U.S.C. 552a(j)(2). Application of 
exemption (k)(2) may be necessary because access to, amendment of, or 
release of the accounting of disclosures of such records could: inform 
the record subject of an investigation of the existence, nature, or 
scope of an actual or potential law enforcement or disciplinary 
investigation, and thereby seriously impede law enforcement efforts by 
permitting the record subject and other persons to whom he might 
disclose the records or the accounting of records to avoid criminal 
penalties, civil remedies, or disciplinary measures; interfere with a 
civil or administrative action or investigation by allowing the subject 
to tamper with witnesses or evidence, and to avoid detection or 
apprehension, which may undermine the entire investigatory process; 
reveal confidential sources who might not have otherwise come forward 
to assist in an investigation and thereby hinder DoD's ability to 
obtain information from future confidential sources; and result in an 
unwarranted invasion of the privacy of others. Amendment of such 
records could also impose a highly impracticable administrative burden 
by requiring investigations to be continuously reinvestigated.
    (B) Subsections (d)(3) and (4). These subsections are inapplicable 
to the extent an exemption is claimed from subsections (d)(1) and (2). 
Accordingly, exemptions from subsections (d)(3) and (4) are claimed 
pursuant to (k)(1) and (2).
    (C) Subsection (e)(1). Additionally, records within this system may 
be properly classified pursuant to executive order. The collection of 
information pertaining to the use of government information technology 
and data systems may include classified records, and it is not always 
possible to conclusively determine the relevance and necessity of such 
information in the early stages of a collection. In some instances, it 
will be only after the collected information is evaluated in light of 
other information that its relevance and necessity can be assessed. 
Further, disclosure of classified records

[[Page 17751]]

to an individual may cause damage to national security. Additionally, 
in the collection of information for investigatory or law enforcement 
purposes it is not always possible to conclusively determine the 
relevance and necessity of particular information in the early stages 
of the investigation or adjudication. In some instances, it will be 
only after the collected information is evaluated in light of other 
information that its relevance and necessity for effective 
investigation and adjudication can be assessed. Collection of such 
information permits more informed decision-making by the Department 
when making required investigatory or law enforcement determinations. 
Accordingly, application of exemptions (k)(1) and (2) may be necessary.
    (D) Subsections (e)(4)(G) and (H). These subsections are 
inapplicable to the extent exemption is claimed from subsections (d)(1) 
and (2).
    (E) Subsection (e)(4)(I). To the extent that this provision is 
construed to require more detailed disclosure than the broad, generic 
information currently published in the system notice, an exemption from 
this provision is necessary to protect national security, the 
confidentiality of sources of information and to protect the privacy 
and physical safety of witnesses and informants. Accordingly, 
application of exemptions (k)(1) and (2) may be necessary.
    (F) Subsection (f). The agency's rules are inapplicable to those 
portions of the system that are exempt. Accordingly, application of 
exemptions (k)(1) and (2) may be necessary.
    (iv) Exempt records from other systems. In the course of carrying 
out the overall purpose for this system, exempt records from other 
systems of records may in turn become part of the records maintained in 
this system. To the extent that copies of exempt records from those 
other systems of records are maintained in this system, the DoD claims 
the same exemptions for the records from those other systems that are 
entered into this system, as claimed for the prior system(s) of which 
they are a part, provided the reason for the exemption remains valid 
and necessary.

    Dated: March 6, 2024.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024-05142 Filed 3-11-24; 8:45 am]
BILLING CODE 6001-FR-P