80 FR 68500 - Privacy Act System of Records, New System of Records

DEPARTMENT OF COMMERCE

Federal Register Volume 80, Issue 214 (November 5, 2015)

Page Range: 68500-68503
FR Document: 2015-28056

[Federal Register Volume 80, Number 214 (Thursday, November 5, 2015)]
[Notices]
[Pages 68500-68503]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2015-28056]



[[Page 68500]]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

[Docket No. 150324295-5963-03]


Privacy Act System of Records, New System of Records

AGENCY: Office of the Secretary, U.S. Department of Commerce.

ACTION: Notice of new Privacy Act System of Records: ``COMMERCE/DEPT-
25, Access Control and Identity Management System.''

-----------------------------------------------------------------------

SUMMARY: The Department of Commerce (Department) publishes this notice 
to announce the effective date of a Privacy Act System of Records 
notice entitled: COMMERCE/DEPT-25, Access Control and Identity 
Management System.

DATES: The system of records becomes effective on November 5, 2015.

ADDRESSES: For a copy of the system of records please mail requests to: 
Michael J. Toland, Departmental Freedom of Information and Privacy Act 
Officer, Office of Privacy and Open Government, 1401 Constitution Ave. 
NW., Room 52010, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: Michael J. Toland, Department Freedom 
of Information and Privacy Act Officer, Office of Privacy and Open 
Government, 1401 Constitution Ave. NW., Room 52010, Washington, DC 
20230.

SUPPLEMENTARY INFORMATION: On May 8, 2015, and June 29, 2015, the 
Department published and requested comments on a proposed new Privacy 
Act System of Records notice entitled: COMMERCE/DEPT-25, Access Control 
and Identity Management System. The system serves to provide electronic 
physical access control, intrusion detection and video management 
solutions to ensure the safety and security of DOC assets to include 
people, facilities, information and property. The system controls 
access to only those authorized as well as aids in the monitoring, 
assessment and response to security and emergency related incidents. By 
this notice, the Department is adopting the proposed new system as 
final effective November 5, 2015.

Public Comments and Responses

    Interested parties were afforded the opportunity to participate in 
the rulemaking process through the submission of written comments on 
the proposed new systems of records notice (SORN). The Department 
received five public submissions in response to the proposed SORN. Due 
consideration was given to each comment received and the Department's 
responses to those comments are noted below.
    One commenter recommended adding language under the Safeguards 
section to ``address how the records/system is planned to address 
insider threats.'' The Department disagrees with this commenter's 
suggestion. The addition of such language would potentially impact the 
effectiveness of the Department's Insider Threat Program.
    Several commenters urged the Department to withdraw this proposed 
system of records and to ``refrain from implementing any intrusive 
system that needlessly monitors the movements of its employees.'' In 
support of their suggestion, two commenters said that ``The Department 
has not explained the need for tracking employees' every physical 
movement when on-site, which, in the proposed system of records, would 
go so far as to include monitoring the buttons employees strike on 
their work station keyboards.'' Further, those commenters raised 
concerns about employee morale and the security of the system. In 
addition, several commenters submitted the view that this SORN does not 
adequately describe provisions or processes to ensure the safety and 
integrity of employees' sensitive personally identifiable information.
    The Department disagrees with these comments. The system of records 
covered by this SORN is subject to the Federal Information Security 
Management Act (FISMA), which requires that controls be put in place to 
protect IT systems and the information contained within. Additionally, 
Privacy Impact Assessments have been conducted on these systems to 
further define procedures for protecting Personally Identifiable 
Information (PII) and address the impact on employees' privacy. 
Further, the SAFEGUARDS section of this notice describes methods for 
protecting information maintained in this system. For example, this 
section mentions that ``electronic records are password-protected or 
PKI-protected, consistent with the requirements of [FISMA] (Pub. L. 
107-296), and associated OMB policies, standards and guidance from the 
National Institutes of Standards and Technology, and the General 
Services Administration, all records are protected from unauthorized 
access through appropriate administrative, physical, and technical 
safeguards.'' It should be noted that safeguards should be described in 
general terms and to the extent they would not compromise system 
security, which serves as an added layer of protection for employees' 
data.
    One commenter suggested that it was unclear whether the Department 
is attempting to either (1) create a new database with all the 
information set forth in the SORN, or (2) come into compliance with 
statutes and regulations concerning employee data that the Department 
already has in an existing system. The Department is issuing this new 
SORN to ensure that the Department is in compliance with the Privacy 
Act, as amended, 5 U.S.C. 552a(e)(4) and (11); and OMB Circular A-130, 
Appendix I, Federal Agency Responsibilities for Maintaining Records 
About Individuals for all categories of information covered by DEPT-25. 
This SORN covers some similar categories of information as a 
government-wide SORN, GOVT-7, ``Personal Identity Verification Identity 
Management System (PIV IDMS).'' After a review, the Department decided 
to implement a more specific SORN with respect to this system of 
records.
    The same commenter further suggested that if the SORN is bringing 
the Department into compliance, then certain personnel actions 
involving employee data collected prior to publication of the SORN are 
called into question. This comment goes beyond the scope of the content 
and adequacy of this SORN.
    Another commenter proposed that implementation of the SORN will 
result in a significant staffing increase to administer and monitor the 
program. The Department disagrees. Adequate resources are available 
within the Department's Office of Security and Office of the Chief 
Information Officer to administer and monitor the program as it relates 
to Access Control and Identity Management.
    One commenter suggested that employees will have difficulty 
determining what information the Department is maintaining on them and 
how to obtain the information kept. The Department disagrees with the 
commenter's suggestion. This notice has a section, CATEGORIES OF 
RECORDS IN THE SYSTEM, which enumerates the information collected from 
individuals. Should an employee need additional clarification on 
information collected and maintained on him or her in this system of 
records, the employee can file a Privacy Act request following the 
procedures outlined in the NOTIFICATION PROCEDURE section of this 
notice. With regard to obtaining information kept, another section, 
RECORDS ACCESS PROCEDURES, provides instructions on how an individual 
can request access to records on himself or herself. It should be noted 
that under the SYSTEM EXEMPTIONS FROM CERTAIN PROVISIONS OF THE ACT 
section, all information and material in the record which meets the

[[Page 68501]]

criteria of the subsections listed under parts of General Exemptions 
and Specific Exceptions of the Privacy Act are exempted from the 
notice, access, and contest requirement. Employees should refer to the 
aforementioned SYSTEM EXEMPTIONS FROM CERTAIN PROVISIONS OF THE ACT 
section of this notice for additional information about the 
requirements for exemptions.
    Another commenter asked whether an employee will be monitored more 
closely based on political or religious or other beliefs. There is no 
authority for an agency to monitor its employees based on their 
political or religious beliefs. In fact, Section 552a(e)(7) of the 
Privacy Act prohibits an agency from maintaining a record of how an 
individual exercises rights guaranteed under the First Amendment, and 
there are a number of other statutory and policy protections in place 
that guard against this type of behavior. Therefore, this commenter's 
concern is misplaced.
    Other commenters expressed concerns about how the Department would 
employ the use of key-stroke monitoring. In particular, they wanted to 
know whether the information would be used for all agency employees, 
even those not suspected of committing any violations of Federal law or 
Department policies. One of the commenters stressed that ``It is a 
well-accepted IT Security policy within the Federal workspace (and also 
the private sector) that key-logging programs are insidious, and are 
used by cyber-criminals to mine data surreptitiously in order to gain 
unauthorized access to protected information resources. Their presence 
in the workplace is forbidden for these reasons.'' The Department would 
like to clarify for these commenters that key-stroke monitoring, which 
is included in this system of records, would be used under appropriate 
conditions to evaluate anomalous behavior, including suspected or 
established violations of Federal law or Department policies.
    One commenter asked if the phrase ``agency, entity or persons'' 
referred to in a routine use includes data sharing with private sector 
companies or ``entities.'' The Department notes that two routine uses, 
numbers 12 and 13, found at 80 FR 26356 (May 8, 2015), of the notice 
contain the phrase ``agency, entity or persons.'' Routine use number 12 
deals with sharing information when a breach occurs, while routine use 
13 concerns sharing information ``for the purpose of performing audit 
or oversight operations as authorized by law.'' In both cases, sharing 
of information may occur with private sector companies or ``entities'' 
that have been contracted to provide the support or services described 
in the aforementioned routine uses. Information shared is kept to the 
minimum necessary to accomplish the prescribed tasks. It should be 
noted that pursuant to Federal Acquisition Regulations (FAR) Part 24, 
Privacy Act clauses are required to be included with any contracts for 
which a contractor is required to be involved with the design, 
development, or operation of a system of records on individuals to 
accomplish an agency function. Under one such clause, FAR 24.104, the 
contractor agrees to ``comply with the Privacy Act of 1974 (Act) and 
the agency rules'' when using any system of records on individuals in 
the performance of duties specified in the work statement. The notice 
also contains a routine use, number 9, which allows records from this 
system to ``be disclosed to a contractor of the Department having need 
for the information in the performance of the contract, but not 
operating a system of records with the meaning of 5 U.S.C. 552a(m).''
    The same commenter stated, ``Further, according to this new system, 
Commerce could disclose information to Agencies, entities and persons, 
to prevent, minimize, or remedy `a risk of harm to economic or property 
interests, identity theft or fraud, or harm to the security or 
integrity of the system.''' This commenter went on to ask whether some 
interested party in a civil lawsuit could request and gain access to 
data from this system of records under any of the notice's routine 
uses. The commenter is referring to routine use number 12, which 
concerns providing information for breach mitigation and notification. 
Provision of data from this system of records to an interested party 
engaged in a civil lawsuit is not part of this routine use.
    One commenter suggested that according to the routine use 2 listed 
in the Federal Register, 80 FR 26536 (May 8, 2015), ``protecting the 
interest of the Department is an accepted justification for referring 
relevant records, `as a routine use, to the appropriate agency, whether 
[F]ederal, state, local, or foreign, charged with the responsibility of 
. . . protecting the interest of the Department.' This seems to give 
the Department a lot of leeway to protect itself from having to 
disclose possible breaches, errors, or even somewhat embarrassing 
information. It also seems to give leeway to selectively identify which 
employees might be disciplined for wrongdoing or infractions that hurt 
the Department.'' The Department disagrees with this commenter's 
assertion. The Department has a duty to appropriately safeguard 
personally identifiable information (PII) in its possession and to 
prevent its compromise in order to maintain the public's trust. 
Additionally, the Department, like each Federal agency covered under 
OMB Memorandum M-07-16, ``Safeguarding Against and responding to the 
Breach of Personally Identifiable Information,'' is required to develop 
a breach notification policy and plan, and to establish a core 
management team responsible for responding to the breach of PII. To 
fulfill its commitment to employees, as well as to satisfy OMB 
requirements, the Department has developed and fully expects all staff 
to follow a Personally Identifiable Information (PII) and Business 
Identifiable Information, and Privacy Act (PA) Breach Notification 
Plan. There are no exceptions to following the plan, as well as 
reporting breaches. The Department has also established a Computer 
Incident Response Team (CIRT) and the Department of Commerce PII Breach 
Response Task Force for reporting and managing breaches.
    One commenter asked how the Department would ``ensure that the 
usage of the new system of records will be limited in its scope [.]'' 
For instance, the individual proposed that the new system poses a risk 
of the data being used for purposes not intended in this notice. This 
commenter also suggested that ``the collection of badge in/badge out 
data, time in/time out data, login/logout data, keystroke monitoring 
and logs of internet activity all point to using this dataset to 
monitor, by hours and minutes, employees' schedules and work patterns. 
These paradata are not reliable indicators of the time employees work 
and they should not be used for disciplinary purposes.'' Employees are 
responsible for performing their duties at acceptable levels and for 
conducting themselves in a manner consistent with law, regulations, and 
policies. If an employee is found to have behaved in a way that 
violated these standards, the Department will use evidence to prove 
those failings by the appropriate statutory standard. Most acts of 
misconduct are proved by evidence other than the data at issue here, 
but this data may constitute evidence of misconduct under certain 
circumstances. The Department's usage of badge records will be 
undertaken in accordance with this SORN, and there are policies in 
place that ensure evidence of employee misconduct used in disciplinary 
actions is truthful, reliable, and probative of the misconduct that is 
charged.

[[Page 68502]]

    One commenter proposed that ``to ensure security of this system and 
to protect employees, there should be a system of records of who 
accesses [the] information [maintained in this system of records], 
when, for what purposes, and how that information was authorized.'' The 
Privacy Act of 1974, as amended, 5 U.S.C. 552a, defines conditions 
under which agencies may disclose information from records retrieved by 
a person's name or other personal identifier. As a general rule, the 
Department may not disclose a record about such a person, except upon a 
written request by, or with the prior written consent of, that 
individual. However, it is important to note that to carry out its 
statutory responsibilities the Department at times may need to disclose 
information in Privacy Act records for purposes other than those listed 
in the Act. With this in mind, under certain specific conditions, the 
Privacy Act authorizes disclosure of information in a record, whether 
or not the person to whom the information relates has requested or 
consented to disclosure. For instance, the Act authorizes disclosures 
under, 5 U.S.C. 552a(b), Conditions of Disclosure. The Act also 
authorizes agencies, such as the Department, to make such disclosures, 
once they publish a description of what are called the ``routine uses'' 
of information in their records.
    A level of protection is afforded to individuals because the 
routine use must be published in the Federal Register, and the routine 
use must include categories of users and the purpose of the use. A 
routine use must also be compatible with the purpose for which the 
information was collected. Further, another level of protection may be 
evidenced through the fact that publication of routine uses by the 
Department does not require it to disclose information in a record--it 
merely permits the Department to disclose information when deemed 
appropriate or necessary by the Department. The Department's policy is 
to carefully decide whether a disclosure of information permitted by a 
routine use is appropriate or necessary, based on the totality of the 
circumstances. If the Department believes that disclosure of 
information protected by the Privacy Act is appropriate or necessary in 
a situation not covered by a routine use, or by any other exception to 
the act's general prohibition on disclosure, it will seek written 
consent for the disclosure from the person to whom the record pertains. 
Lastly, a level of protection comes from the Privacy Act requirement 
for agencies to maintain an accurate accounting of certain disclosures, 
except in instances where disclosure is made to the subject of the 
record. This accounting must be maintained for a period of five years 
or the life of the record, whichever is longer, and must be made 
available upon request by the subject of the record, except for 
disclosures related to law enforcement activities. With regard to this 
accounting of disclosures, according to the OMB Privacy Act 
Implementation Guide, published in the Federal Register on July 9, 1975 
(40 FR 28948-28978), ``the intent was to view the accounting of 
disclosures as other than a system of records and to conclude that an 
accounting need not be maintained for the disclosures from the 
accounting of disclosures.''
    Several commenters expressed concerns that this system of records 
could create Privacy Act issues. Along those lines, one commenter 
specifically questioned the protections afforded employees when data is 
released under one or more of the exemptions identified in the notice's 
SYSTEM EXEMPTIONS FROM CERTAIN PROVISIONS OF THE ACT section. While 
system exemptions from certain provisions of the Privacy Act have been 
identified in this notice, those provisions are allowed by and used 
following the Privacy Act; they do not revise the Act. Further, it was 
recognized in the OMB Privacy Act Implementation Guide, published in 
the Federal Register on July 9, 1975 (40 FR 28973), that `` `due 
process' in both civil action and criminal prosecution will assure that 
individuals have a reasonable opportunity to learn of the existence of, 
and to challenge, investigatory records, which are to be used in legal 
proceedings. To the extent that such an investigatory record is used as 
a basis for denying an individual any right, privilege, or benefit 
(including employment) to which the individual would be entitled in the 
absence of that record, the individual must be granted access to that 
record except to the extent that access would reveal the identity of a 
confidential source.''
    Two other commenters stated that the notice does not provide any 
provisions or processes regarding any final disposition of employee 
personal information (PII) once it has been disclosed to other 
agencies, entities, or persons. This comment goes beyond the 
requirements of the Privacy Act.
    More than one commenter submitted the view that the routine uses 
listed in this notice may result in matching programs as described in 5 
U.S.C. 552a(a)(8). Further, commenters added that if the Department 
engages in any matching program, it must follow matching program 
requirements outlined in 5 U.S.C. 552a(o). The Department recognizes 
the concerns commenters may have about matching programs with respect 
to this system of records and would like to assure those commenters 
that should the Department engage in matching programs as defined by 
the Computer Matching and Privacy Protection Act of 1988, Public Law 
100-503 (``Computer Matching Act''), it will follow applicable 
procedural requirements. The Computer Matching Act, which amended the 
Privacy Act, establishes procedural safeguards affecting agencies' use 
of Privacy Act records when conducting certain types of computer 
matching programs. These procedures ensure the integrity, privacy, and 
verification of data used in computerized matching operations, and the 
Department intends to fully comply with these procedures should it 
engage in matching programs covered by the Computer Matching Act.
    Multiple commenters requested that the Department work in 
collaboration with unions to create a more useful and less intrusive 
monitoring system of records. The Department has proposed to the Labor 
Management Forum Members to hold a meeting(s) to discuss the 
appropriate process for access, reviewing and acting upon data 
collected through an electronic process. Those meetings should begin in 
early FY 16. In the view of the same commenters, the Department should 
provide notice and allow bargaining under Federal Services-Labor 
Management Relations Statute, 5 U.S.C. 7101-7135. The issuance of this 
notice by the Department is a matter of compliance with the Privacy Act 
and in no way interferes with labor's right to bargain over matters 
that relate to a change in working conditions.
    In the view of one of the commenters, ``the Department failed to 
make any attempt to notify its labor partners of these proposed 
changes.'' In order to address any concerns with notification, the 
Department extended the comment period for this SORN so that labor 
unions had ample time to submit comments.
    One commenter wondered if the data expected to be obtained through 
COMMERCE/DEPT-25 was worth the enormous investment of time in labor-
management negotiation, Congressional review, and potential negative 
response from Department employees over such a program. Through a 
variety of methods, the Department already collects employee data. This 
SORN ensures employees understand the system of records and the means 
through which

[[Page 68503]]

they can ensure that their data is correct.
    Several commenters conveyed their concerns about data security 
regarding this system of records, especially in light of the recent OPM 
data breaches in which millions of current and former Federal 
employees' records were compromised. One of those commenters put forth 
that while the notice listed safeguards for the system, ``it was 
unclear whether the data would be encrypted.'' Another commenter raised 
concerns about identity theft and the potential use of data for 
unintended purposes that increase risks and reduce privacy 
protections, especially in the context of data aggregated in one 
database. The Department recognizes these concerns and is applying 
lessons learned from recent high-profile cyber events. As with all 
Department IT systems, the appropriate FISMA controls, specifically 
those regarding encryption, will be applied based upon the security 
categorization of the system and the data contained within the system. 
The Department has taken the potential risk related to data aggregation 
into consideration with respect to this system of records. With this in 
mind, the Department has applied and will continue to apply all 
appropriate FISMA controls based upon the security categorization of a 
system.
    More than one commenter suggested that the Department provided 
insufficient [business] justification for this system of records in the 
Purposes section. The Department disagrees with this suggestion. As 
articulated in the PURPOSES section, this notice is intended to ensure 
protection of Department assets.
    One commenter suggested that the system of records should exclude 
home telephone numbers because ``the connection of home telephone to 
the purposes stated in the notice is unexplained and unclear.'' While 
this notice is intended to let employees know what information ``may'' 
be collected and what possible use of that information exists, the 
collection of a ``home'' telephone number for this system of records is 
not a mandatory requirement and as such the individuals have the option 
of not providing their home telephone number. However, having contact 
information, such as home telephone number, serves a number of 
purposes, including but not limited to Continuity of Operations (COOP) 
activities, telework, and notification of family in the event of an 
emergency.
    The same commenter also submitted that ``social security numbers 
[(SSN)] should be excluded and replaced by an employee number.'' The 
commenter said the ``connection of [SSN] to the purposes stated in the 
notice is unexplained and unclear.'' The Department has not adopted 
this suggestion, because the use of SSNs in this system of records is 
essential due to the various categories of individuals in the system. 
For instance, government contractors would not have an employee number. 
SSNs are also necessary for the Department to accurately report 
employees' earnings, so they get the proper credit towards their social 
security benefit. Even with the addition of an employee number, the 
Department would still need to capture the social security number for 
the reasons stated above.
    The Department has considered this comment and to help clarify the 
meaning of cellular numbers, the term ``government and personal'' will 
be added before ``cellular telephone number'' under the CATEGORIES OF 
RECORDS IN THE SYSTEM section. It should be noted that the Department 
collects both personal and government cell numbers, because in many 
cases employees have dropped land line service, so their cell number is 
their personal home number. As previously stated, having contact 
information, such as a telephone number, serves a number of purposes, 
including but not limited to COOP activities, telework, and 
notification of family in the event of an emergency.
    One commenter suggested that ``if a security problem does exist 
within the Commerce Department and its various Agencies that requires 
[the] level of attention [identified in this system], consultation with 
authoritative IT Security professionals on implementing a best-
practices solution would seem to be a simpler, more cost-effective, and 
less intrusive alternative.'' The Department appreciates this 
commenter's view, and it regularly consults with other Government 
agencies and industry regarding best-practices for the identification, 
mitigation, and response to cyber related issues and concerns with a 
view towards improving Departmental capabilities. The Department 
proactively places emphasis on all phases of the NIST Cyber Security 
Framework--Identify, Protect, Detect, Respond, and Recover.
    More than one commenter maintained that the descriptors in this 
notice need to be defined in more detail. For instance, some suggested 
that more information should be provided for the Purposes, 
Retrievability, and Record Sources sections. One of the commenters 
added that more clarity was needed for the RETRIEVABILITY section, 
specifically for the statement ``Information may be retrieved . . . by 
automated search based on extant indices and automated capabilities 
. . .'' While the Department disagrees with the commenters that the 
descriptors in this notice need to be defined in more detail within the 
notice, it does agree that it would be beneficial to create a document 
explaining SORN descriptors. As a way to provide explanations about the 
different sections of a SORN, the Department has produced a fact sheet 
about SORN descriptors, which will be made available on its public Web 
site under the Office of Privacy and Open Government Web page at http://www.osec.doc.gov/opog/.
    One of the same commenters suggested that a plain language document 
should be provided that discusses this notice and its relationship to 
the Privacy Act. The Department agrees with the commenter that it would 
be beneficial to create a document explaining this notice and its 
relationship to the Privacy Act. As a start to providing the type of 
information requested, the Department has produced a fact sheet about 
SORN COMMERCE/DEPT-25, which will be made available on its public Web 
site under the Office of Privacy and Open Government Web page at http://www.osec.doc.gov/opog/.
    In the view of another commenter, this notice did not provide an 
indication of ``how long information is retained and how that duration 
relates to the proposed uses.'' The Department notes that every SORN, 
including this one, contains a RETENTION AND DISPOSAL section, which 
describes the policies and guidelines in place with regard to the 
retention and destruction of records in this system.

    Dated: October 29, 2015.
Michael J. Toland,
Department of Commerce, Freedom of Information and Privacy Act Officer.

    For the reasons stated in the preamble, the Department of Commerce 
amends the Privacy Act System of Records: ``COMMERCE/DEPT-25, Access 
Control and Identity Management System,'' with the minor change as 
follows:
    ■ To help clarify the meaning of cellular numbers under the 
CATEGORIES OF RECORDS IN THE SYSTEM section, the term ``government and 
personal'' will be added before the language ``cellular telephone 
number''.

[FR Doc. 2015-28056 Filed 11-3-15; 11:15 am]
BILLING CODE 3510-BX-P

                                                  announce the effective date of a Privacy                ‘‘The Department has not explained the                government-wide SORN, GOVT–7,
                                                  Act System of Records notice entitled:                  need for tracking employees’ every                    ‘‘Personal Identity Verification Identity
                                                  COMMERCE/DEPT–25, Access Control                        physical movement when on-site,                       Management System (PIV IDMS).’’ After
                                                  and Identity Management System.                         which, in the proposed system of                      a review, the Department decided to
                                                  DATES: The system of records becomes                    records, would go so far as to include                implement a more specific SORN with
                                                  effective on November 5, 2015.                          monitoring the buttons employees strike               respect to this system of records.
                                                  ADDRESSES: For a copy of the system of                  on their work station keyboards.’’                       The same commenter further
                                                  records please mail requests to: Michael                Further, those commenters raised                      suggested that if the SORN is bringing
                                                  J. Toland, Departmental Freedom of                      concerns about employee morale and                    the Department into compliance, then
                                                  Information and Privacy Act Officer,                    the security of the system. In addition,              certain personnel actions involving
                                                  Office of Privacy and Open Government,                  several commenters submitted the view                 employee data collected prior to
                                                  1401 Constitution Ave. NW., Room                        that this SORN does not adequately                    publication of the SORN are called into
                                                  52010, Washington, DC 20230.                            describe provisions or processes to                   question. This comment goes beyond
                                                                                                          insure the safety and integrity of                    the scope of the content and adequacy
                                                  FOR FURTHER INFORMATION CONTACT:
                                                                                                          employees’ sensitive personally                       of this SORN.
                                                  Michael J. Toland, Department Freedom                                                                            Another commenter proposed that
                                                                                                          identifiable information.
                                                  of Information and Privacy Act Officer,                    The Department disagrees with these                implementation of the SORN will result
                                                  Office of Privacy and Open Government,                  comments. The system of records                       in a significant staffing increase to
                                                  1401 Constitution Ave. NW., Room                        covered by this SORN are subject to the               administer and monitor the program.
                                                  52010, Washington, DC 20230.                            Federal Information Security                          The Department disagrees. Adequate
                                                  SUPPLEMENTARY INFORMATION: On May 8,                    Management Act (FISMA), which                         resources are available within the
                                                  2015, and June 29, 2015, the Department                 requires that controls be put in place to             Department’s Office of Security and
                                                  published and requested comments on a                   protect IT systems and the information                Office of the Chief Information Officer
                                                  proposed new Privacy Act System of                      contained within. Additionally, Privacy               to administer and monitor the program
                                                  Records notice entitled: COMMERCE/                      Impact Assessments have been                          as it relates to Access Control and
                                                  DEPT–25, Access Control and Identity                    conducted on these systems to further                 Identity Management.
                                                  Management System. The system serves                    define procedures for protecting                         One commenter suggested that
                                                  to provide electronic physical access                   Personally Identifiable Information (PII)             employees will have difficulty
                                                  control, intrusion detection and video                  and address the impact on employees’                  determining what information the
                                                  management solutions to ensure the                      privacy. Further, the SAFEGUARDS                      Department is maintaining on them and
                                                  safety and security of DOC assets to                    section of this notice describes methods              how to obtain the information kept. The
                                                  include people, facilities, information                 for protecting information maintained in              Department disagrees with the
                                                  and property. The system controls                       this system. For example, this section                commenter’s suggestion. This notice has
                                                  access to only those authorized as well                 mentions that ‘‘electronic records are                a section, CATEGORIES OF RECORDS
                                                  as aids in the monitoring, assessment                   password-protected or PKI-protected,                  IN THE SYSTEM, which enumerates the
                                                  and response to security and emergency                  consistent with the requirements of                   information collected from individuals.
                                                  related incidents. By this notice, the                  [FISMA] (Pub. L. 107–296), and                        Should an employee need additional
                                                  Department is adopting the proposed                     associated OMB policies, standards and                clarification on information collected
                                                  new system as final effective November                  guidance from the National Institutes of              and maintained on him or her in this
                                                  5, 2015.                                                Standards and Technology, and the                     system of records, the employee can file
                                                                                                          General Services Administration, all                  a Privacy Act request following the
                                                  Public Comments and Responses                                                                                 procedures outlined in the
                                                                                                          records are protected from unauthorized
                                                    Interested parties were afforded the                  access through appropriate                            NOTIFICATION PROCEDURE section of
                                                  opportunity to participate in the                       administrative, physical, and technical               this notice. With regard to obtaining
                                                  rulemaking process through the                          safeguards.’’ It should be noted that                 information kept, another section,
                                                  submission of written comments on the                                                                         RECORDS ACCESS PROCEDURES,
jstallworth on DSK7TPTVN1PROD with NOTICES




                                                                                                          safeguards should be described in
                                                  proposed new systems of records notice                  general terms and to the extent they                  provides instructions on how an
                                                  (SORN). The Department received five                    would not compromise system security,                 individual can request access to records
                                                  public submissions in response to the                   which serves as an added layer of                     on himself or herself. It should be noted
                                                  proposed SORN. Due consideration was                    protection for employees’ data.                       that under the SYSTEM EXEMPTIONS
                                                  given to each comment received and the                     One commenter suggested that it was                FROM CERTAIN PROVISION OF THE
                                                  Department’s responses to those                         unclear whether the Department is                     ACT section, all information and
                                                  comments are noted below.                               attempting to either (1) create a new                 material in the record which meets the


                                             VerDate Sep<11>2014   15:06 Nov 04, 2015   Jkt 238001   PO 00000   Frm 00009   Fmt 4703   Sfmt 4703   E:\FR\FM\05NON1.SGM   05NON1


                                                                             Federal Register / Vol. 80, No. 214 / Thursday, November 5, 2015 / Notices                                            68501

                                                  criteria of the subsections listed under                provide the support or services                       identifiable information (PII) in its
                                                  parts of General Exemptions and                         described in the aforementioned routine               possession and to prevent its
                                                  Specific Exceptions of the Privacy Act                  uses. Information shared is kept to the               compromise in order to maintain the
                                                  are exempted from the notice, access,                   minimum necessary to accomplish the                   public’s trust. Additionally, the
                                                  and contest requirement. Employees                      prescribed tasks. It should be noted that             Department, like each Federal agency
                                                  should refer to the aforementioned                      pursuant to Federal Acquisition                       covered under OMB Memorandum M–
                                                  SYSTEM EXEMPTIONS FROM                                  Regulations (FAR) Part 24, Privacy Act                07–16, ‘‘Safeguarding Against and
                                                  CERTAIN PROVISION OF THE ACT                            clauses are required to be included with              responding to the Breach of Personally
                                                  section of this notice for additional                   any contracts for which a contractor is               Identifiable Information,’’ is required to
                                                  information about the requirements for                  required to be involved with the design,              develop a breach notification policy and
                                                  exemptions.                                             development, or operation of a system                 plan, and to establish a core
                                                     Another commenter asked whether an                   of records on individuals to accomplish               management team responsible for
                                                  employee will be monitored more                         an agency function. Under one such                    responding to the breach of PII. To
                                                  closely based on political or religious or              clause, FAR 24.104, the contractor                    fulfill its commitment to employees, as
                                                  other beliefs. There is no authority for                agrees to ‘‘comply with the Privacy Act               well as to satisfy OMB requirements, the
                                                  an agency to monitor its employees                      of 1974 (Act) and the agency rules’’                  Department has developed and fully
                                                  based on their political or religious                   when using any system of records on                   expects all staff to follow a Personally
                                                  beliefs. In fact, Section 552a(e)(7) of the             individuals in the performance of duties              Identifiable Information (PII) and
                                                  Privacy Act, prohibits an agency from                   specified in the work statement. The                  Business Identifiable Information, and
                                                  maintaining a record of how an                          notice also contains a routine use,                   Privacy Act (PA) Breach Notification
                                                  individual exercises rights guaranteed                  number 9, which allows records from                   Plan. There are no exceptions to
                                                  under the First Amendment, and there                    this system to ‘‘be disclosed to a                    following the plan, as well as reporting
                                                  are a number of other statutory and                     contractor of the Department having                   breaches. The Department has also
                                                  policy protections in place that guard                  need for the information in the                       established a Computer Incident
                                                  against this type of behavior. Therefore,               performance of the contract, but not                  Response Team (CIRT) and the
                                                  this commenter’s concern is misplaced.                  operating a system of records with the                Department of Commerce PII Breach
                                                     Other commenters expressed                           meaning of 5 U.S.C. 552a(m).’’                        Response Task Force for reporting and
                                                  concerns about how the Department                          The same commenter stated, ‘‘Further,              managing breaches.
                                                  would employ the use of key-stroke                      according to this new system,
                                                  monitoring. In particular, they wanted                  Commerce could disclose information to                  One commenter asked how the
                                                  to know whether the information would                   Agencies, entities and persons, to                    Department would ‘‘ensure that the
                                                  be used for all agency employees, even                  prevent, minimize, or remedy ‘a risk of               usage of the new system of records will
                                                  those not suspected of committing any                   harm to economic or property interests,               be limited in its scope [.]’’ For instance,
                                                  violations of Federal law or Department                 identity theft or fraud, or harm to the               the individual proposed that the new
                                                  policies. One of the commenters                         security or integrity of the system.’’’               system poses a risk of the data being
                                                  stressed that ‘‘It is a well-accepted IT                This commenter went on to ask whether                 used for purposes not intended in this
                                                  Security policy within the Federal                      some interested party in a civil lawsuit              notice. This commenter also suggested
                                                  workspace (and also the private sector)                 could request and gain access to data                 that ‘‘the collection of badge in/badge
                                                  that key-logging programs are insidious,                from this system of records under any                 out data, time in/time out data, login/
                                                  and are used by cyber-criminals to mine                 of the notice’s routine uses. The                     logout data, keystroke monitoring and
                                                  data surreptitiously in order to gain                   commenter is referring to routine use                 logs of internet activity all point to
                                                  unauthorized access to protected                        number 12, which concerns providing                   using this dataset to monitor, by hours
                                                  information resources. Their presence in                information for breach mitigation and                 and minutes, employees’ schedules and
                                                  the workplace is forbidden for these                    notification. Provision of data from this             work patterns. These paradata are not
                                                  reasons.’’ The Department would like to                 system of records to an interested party              reliable indicators of the time
                                                  clarify for these commenters that key-                  engaged in a civil lawsuit is not part of             employee’s work and they should not be
                                                  stroke monitoring, which is included in                 this routine use.                                     used for disciplinary purposes.’’
                                                  this system of records, would be used                      One commenter suggested that                       Employees are responsible for
                                                  under appropriate conditions to                         according to the routine use 2 listed in              performing their duties at acceptable
                                                  evaluate anomalous behavior, including                  the Federal Register, 80 FR 26536 (May                levels and for conducting themselves in
                                                  suspected or established violations of                  8, 2015), ‘‘protecting the interest of the            a manner consistent with law,
                                                  Federal law or Department policies.                     Department is an accepted justification               regulations, and policies. If an employee
                                                     One commenter asked if the phrase                    for referring relevant records, ‘as a                 would be found to have behaved in a
                                                  ‘‘agency, entity or persons’’ referred to               routine use, to the appropriate agency,               way that violated these standards, the
                                                  in a routine use includes data sharing                  whether [F]ederal, state, local, or                   Department will use evidence to prove
                                                  with private sector companies or                        foreign, charged with the responsibility              those failings by the appropriate
                                                  ‘‘entities.’’ The Department notes that                 of . . . protecting the interest of the               statutory standard. Most acts of
                                                  two routine uses, numbers 12 and 13,                    Department.’ This seems to give the                   misconduct are proved by evidence
                                                  found at 80 FR 26356 (May 8, 2015), of                  Department a lot of leeway to protect                 other than the data at issue here, but
                                                  the notice contain the phrase ‘‘agency,                 itself from having to disclose possible               this data may constitute evidence of
                                                  entity or persons.’’ Routine use number                 breaches, errors, or even somewhat                    misconduct under certain
                                                  12 deals with sharing information when                  embarrassing information. It also seems               circumstances. The Department’s usage
jstallworth on DSK7TPTVN1PROD with NOTICES




                                                  a breach occurs, while routine use 13                   to give leeway to selectively identify                of badge records will be undertaken in
                                                  concerns sharing information ‘‘for the                  which employees might be disciplined                  accordance with this SORN, and there
                                                  purpose of performing audit or oversight                for wrongdoing or infractions that hurt               are policies in place that ensure
                                                  operations as authorized by law.’’ In                   the Department.’’ The Department                      evidence of employee misconduct used
                                                  both cases, sharing of information may                  disagrees with this commenter’s                       in disciplinary actions is truthful,
                                                  occur with private sector companies or                  assertion. The Department has a duty to               reliable, and probative of the
                                                  ‘‘entities’’ that have been contracted to               appropriately safeguard personally                    misconduct that is charged.


                                             VerDate Sep<11>2014   15:06 Nov 04, 2015   Jkt 238001   PO 00000   Frm 00010   Fmt 4703   Sfmt 4703   E:\FR\FM\05NON1.SGM   05NON1


                                                  68502                      Federal Register / Vol. 80, No. 214 / Thursday, November 5, 2015 / Notices

                                                     One commenter proposed that ‘‘to                     accounting of certain disclosures, except             matching program, it must follow
                                                  ensure security of this system and to                   in instances where disclosure is made to              matching program requirements
                                                  protect employees, there should be a                    the subject of the record. This                       outlined in 5 U.S.C. 552a(o). The
                                                  system of records of who accesses [the]                 accounting must be maintained for a                   Department recognizes the concerns
                                                  information [maintained in this system                  period of five years or the life of the               commenters may have about matching
                                                  of records], when, for what purposes,                   record, whichever is longer, and must                 programs with respect to this system of
                                                  and how that information was                            be made available upon request by the                 records and would like to assure those
                                                  authorized.’’ The Privacy Act of 1974, as               subject of the record, except for                     commenters that should the Department
                                                  amended, 5 U.S.C. 552a, defines                         disclosures related to law enforcement                engage in matching programs as defined
                                                  conditions under which agencies may                     activities. With regard to this accounting            by the Computer Matching and Privacy
                                                  disclose information from records                       of disclosures, according to the OMB                  Protection Act of 1988, Public Law 100–
                                                  retrieved by a person’s name or other                   Privacy Act Implementation Guide,                     503 (‘‘Computer Matching Act’’), it will
                                                  personal identifier. As a general rule,                 published in the Federal Register on                  follow applicable procedural
                                                  the Department may not disclose a                       July 9, 1975 (40 FR 28948–28978), ‘‘the               requirements. The Computer Matching
record about such a person, except upon a written request by, or with the prior written consent of, that individual. However, it is important to note that to carry out its statutory responsibilities the Department at times may need to disclose information in Privacy Act records for purposes other than those listed in the Act. With this in mind, under certain specific conditions, the Privacy Act authorizes disclosure of information in a record, whether or not the person to whom the information relates has requested or consented to disclosure. For instance, the Act authorizes disclosures under 5 U.S.C. 552a(b), Conditions of Disclosure. The Act also authorizes agencies, such as the Department, to make such disclosures, once they publish a description of what are called the ‘‘routine uses’’ of information in their records.

A level of protection is afforded to individuals because the routine use must be published in the Federal Register, and the routine use must include categories of users and the purpose of the use. A routine use must also be compatible with the purpose for which the information was collected. Further, another level of protection may be evidenced through the fact that publication of routine uses by the Department does not require it to disclose information in a record; it merely permits the Department to disclose information when deemed appropriate or necessary by the Department. The Department’s policy is to carefully decide whether a disclosure of information permitted by a routine use is appropriate or necessary, based on the totality of the circumstances. If the Department believes that disclosure of information protected by the Privacy Act is appropriate or necessary in a situation not covered by a routine use, or by any other exception to the Act’s general prohibition on disclosure, it will seek written consent for the disclosure from the person to whom the record pertains. Lastly, a level of protection comes from the Privacy Act requirement for agencies to maintain an accurate

intent was to view the accounting of disclosures as other than a system of records and to conclude that an accounting need not be maintained for the disclosures from the accounting of disclosures.’’

Several commenters expressed concerns that this system of records could create Privacy Act issues. Along those lines, one commenter specifically questioned the protections afforded employees when data is released under one or more of the exemptions identified in the notice’s SYSTEM EXEMPTIONS FROM CERTAIN PROVISIONS OF THE ACT section. While system exemptions from certain provisions of the Privacy Act have been identified in this notice, those provisions are allowed by and used following the Privacy Act; they do not revise the Act. Further, it was recognized in the OMB Privacy Act Implementation Guide, published in the Federal Register on July 9, 1975 (40 FR 28973), that ‘‘ ‘due process’ in both civil action and criminal prosecution will assure that individuals have a reasonable opportunity to learn of the existence of, and to challenge, investigatory records, which are to be used in legal proceedings. To the extent that such an investigatory record is used as a basis for denying an individual any right, privilege, or benefit (including employment) to which the individual would be entitled in the absence of that record, the individual must be granted access to that record except to the extent that access would reveal the identity of a confidential source.’’

Two other commenters stated that the notice does not provide any provisions or processes regarding any final disposition of employee personal information (PII) once it has been disclosed to other agencies, entities, or persons. This comment goes beyond the requirements of the Privacy Act.

More than one commenter submitted the view that the routine uses listed in this notice may result in matching programs as described in 5 U.S.C. 552a(a)(8). Further, commenters added that if the Department engages in any

Act, which amended the Privacy Act, establishes procedural safeguards affecting agencies’ use of Privacy Act records when conducting certain types of computer matching programs. These procedures ensure the integrity, privacy, and verification of data used in computerized matching operations, and the Department intends to fully comply with these procedures should it engage in matching programs covered by the Computer Matching Act.

Multiple commenters requested that the Department work in collaboration with unions to create a more useful and less intrusive monitoring system of records. The Department has proposed to the Labor Management Forum Members to hold a meeting(s) to discuss the appropriate process for access, reviewing and acting upon data collected through an electronic process. Those meetings should begin in early FY 16. In the view of the same commenters, the Department should provide notice and allow bargaining under the Federal Service Labor-Management Relations Statute, 5 U.S.C. 7101–7135. The issuance of this notice by the Department is a matter of compliance with the Privacy Act and in no way interferes with labor’s right to bargain over matters that relate to a change in working conditions.

In the view of one of the commenters, ‘‘the Department failed to make any attempt to notify its labor partners of these proposed changes.’’ In order to address any concerns with notification, the Department extended the comment period for this SORN so that labor unions had ample time to submit comments.

One commenter wondered if the data expected to be obtained through COMMERCE/DEPT–25 was worth the enormous investment of time in labor-management negotiation, Congressional review, and potential negative response from Department employees over such a program. Through a variety of methods, the Department already collects employee data. This SORN ensures employees understand the system of records and the means through which they can ensure that their data is correct.

Several commenters conveyed their concerns about data security regarding this system of records, especially in light of the recent OPM data breaches in which millions of current and former Federal employees’ records were compromised. One of those commenters put forth that while the notice listed safeguards for the system, ‘‘it was unclear whether the data would be encrypted.’’ Another commenter raised concerns about identity theft and the potential use of data for unintended purposes that increase risks and reduce privacy protections, especially in the context of data aggregated in one database. The Department recognizes these concerns and is applying lessons learned from recent high-profile cyber events. As with all Department IT systems, the appropriate FISMA controls, specifically those regarding encryption, will be applied based upon the security categorization of the system and the data contained within the system. The Department has taken the potential risk related to data aggregation into consideration with respect to this system of records. With this in mind, the Department has applied and will continue to apply all appropriate FISMA controls based upon the security categorization of a system.

More than one commenter suggested that the Department provided insufficient [business] justification for this system of records in the Purposes section. The Department disagrees with this suggestion. As articulated in the PURPOSES section, this notice is intended to ensure protection of Department assets.

One commenter suggested that the system of records should exclude home telephone numbers because ‘‘the connection of home telephone to the purposes stated in the notice is unexplained and unclear.’’ While this notice is intended to let employees know what information ‘‘may’’ be collected and what possible use of that information exists, the collection of a ‘‘home’’ telephone number for this system of records is not a mandatory requirement and as such the individuals have the option of not providing their home telephone number. However, having contact information, such as home telephone number, serves a number of purposes, including but not limited to Continuity of Operations (COOP) activities, telework, and notification of family in the event of an emergency.

The same commenter also submitted that ‘‘social security numbers [(SSN)] should be excluded and replaced by an employee number.’’ The commenter said the ‘‘connection of [SSN] to the purposes stated in the notice is unexplained and unclear.’’ The Department has not adopted this suggestion, because the use of SSNs in this system of records is essential due to the various categories of individuals in the system. For instance, government contractors would not have an employee number. SSNs are also necessary for the Department to accurately report employees’ earnings, so they get the proper credit towards their social security benefit. Even with the addition of an employee number, the Department would still need to capture the social security number for the reasons stated above.

The Department has considered this comment and, to help clarify the meaning of cellular numbers, the term ‘‘government and personal’’ will be added before ‘‘cellular telephone number’’ under the CATEGORIES OF RECORDS IN THE SYSTEM section. It should be noted that the Department collects both personal and government cell numbers, because in many cases employees have dropped land line service, so their cell number is their personal home number. As previously stated, having contact information, such as a telephone number, serves a number of purposes, including but not limited to COOP activities, telework, and notification of family in the event of an emergency.

One commenter suggested that ‘‘if a security problem does exist within the Commerce Department and its various Agencies that requires [the] level of attention [identified in this system], consultation with authoritative IT Security professionals on implementing a best-practices solution would seem to be a simpler, more cost-effective, and less intrusive alternative.’’ The Department appreciates this commenter’s view, and it regularly consults with other Government agencies and industry regarding best practices for the identification, mitigation, and response to cyber-related issues and concerns with a view towards improving Departmental capabilities. The Department proactively places emphasis on all phases of the NIST Cyber Security Framework: Identify, Protect, Detect, Respond, and Recover.

More than one commenter maintained that the descriptors in this notice need to be defined in more detail. For instance, some suggested that more information should be provided for the Purposes, Retrievability, and Record Sources sections. One of the commenters added that more clarity was needed for the RETRIEVABILITY section, specifically for the statement ‘‘Information may be retrieved . . . by automated search based on extant indices and automated capabilities . . .’’ While the Department disagrees with the commenters that the descriptors in this notice need to be defined in more detail within the notice, it does agree that it would be beneficial to create a document explaining SORN descriptors. As a way to provide explanations about the different sections of a SORN, the Department has produced a fact sheet about SORN descriptors, which will be made available on its public Web site under the Office of Privacy and Open Government Web page at http://www.osec.doc.gov/opog/.

One of the same commenters suggested that a plain language document should be provided that discusses this notice and its relationship to the Privacy Act. The Department agrees with the commenter that it would be beneficial to create a document explaining this notice and its relationship to the Privacy Act. As a start to providing the type of information requested, the Department has produced a fact sheet about SORN COMMERCE/DEPT–25, which will be made available on its public Web site under the Office of Privacy and Open Government Web page at http://www.osec.doc.gov/opog/.

In the view of another commenter, this notice did not provide an indication of ‘‘how long information is retained and how that duration relates to the proposed uses.’’ The Department notes that every SORN, including this one, contains a RETENTION AND DISPOSAL section, which describes the policies and guidelines in place with regard to the retention and destruction of records in this system.

Dated: October 29, 2015.
Michael J. Toland,
Department of Commerce, Freedom of Information and Privacy Act Officer.

For the reasons stated in the preamble, the Department of Commerce amends the Privacy Act System of Records: ‘‘COMMERCE/DEPT–25, Access Control and Identity Management System,’’ with the minor change as follows:

■ To help clarify the meaning of cellular numbers under the CATEGORIES OF RECORDS IN THE SYSTEM section, the term ‘‘government and personal’’ will be added before the language ‘‘cellular telephone number’’.

[FR Doc. 2015–28056 Filed 11–3–15; 11:15 am]
BILLING CODE 3510–BX–P



Document Created: 2015-12-14 15:03:38
Document Modified: 2015-12-14 15:03:38
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
FR Citation: 80 FR 68500