81 FR 64127 - Privacy Act System of Records, Amended System of Records

DEPARTMENT OF COMMERCE

Federal Register Volume 81, Issue 181 (September 19, 2016)

In accordance with the Privacy Act of 1974, as amended, Title 5 United States Code (U.S.C.) 552a(e)(4) and (11); and Office of Management and Budget (OMB) Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals, the Department of Commerce proposes to amend the system of records entitled: ``COMMERCE/DEPT-25, Access Control and Identity Management System.'' Based on a review of the system of records notice, the Department is making necessary administrative updates to the sections entitled ``SYSTEM LOCATION,'' ``SECURITY CLASSIFICATION,'' and ``NOTIFICATION PROCEDURE.''

[Federal Register Volume 81, Number 181 (Monday, September 19, 2016)]
[Notices]
[Pages 64127-64130]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2016-22469]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

[Docket No. 160907830-6830-01]


Privacy Act System of Records, Amended System of Records

AGENCY: U.S. Department of Commerce, Office of the Secretary.

ACTION: Notice of an Amended Privacy Act System of Records: ``COMMERCE/
DEPT-25, Access Control and Identity Management System.''

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, Title 
5 United States Code (U.S.C.) 552a(e)(4) and (11); and Office of 
Management and Budget (OMB) Circular A-130, Appendix I, Federal Agency 
Responsibilities for Maintaining Records About Individuals, the 
Department of Commerce proposes to amend the system of records 
entitled: ``COMMERCE/DEPT-25, Access Control and Identity Management 
System.'' Based on a review of the system of records notice, the 
Department is making necessary administrative updates to the sections 
entitled ``SYSTEM LOCATION,'' ``SECURITY CLASSIFICATION,'' and 
``NOTIFICATION PROCEDURE.''

DATES: The system of records becomes effective on September 19, 2016.

ADDRESSES: For a copy of the system of records please mail requests to: 
Michael J. Toland, Deputy Chief Freedom of Information Act (FOIA) 
Officer and Department Privacy Act Officer, Office of Privacy and Open 
Government, 1401 Constitution Ave. NW., Room 52010, Washington, DC 
20230.

FOR FURTHER INFORMATION CONTACT: Michael J. Toland, Deputy Chief FOIA 
Officer and Department Privacy Act Officer, Office of Privacy and Open 
Government, 1401 Constitution Ave. NW., Room 52010, Washington, DC 
20230.

SUPPLEMENTARY INFORMATION: On May 8, 2015, the Department published a 
proposed new Privacy Act system of records notice in the Federal 
Register (80 FR 26534) entitled: ``COMMERCE/DEPT-25, Access Control and 
Identity Management System.'' The system serves to provide electronic 
physical access control, intrusion detection and video management 
solutions to ensure the safety and security of the Department's assets 
to include people, facilities, information and property. The system 
controls access to only those authorized as well as aids in the 
monitoring, assessment and response to security and emergency related 
incidents.
    As a result of the Department's internal review of the notice 
covering this system of records, we became aware that the National 
Technical Information Service was not included under the ``SYSTEM 
LOCATION'' and ``NOTIFICATION PROCEDURE'' sections. We also became 
aware that incorrect information was provided for the ``SECURITY 
CLASSIFICATION'' section. For the aforementioned reasons, the 
Department publishes a notice of an amended system of records entitled: 
``COMMERCE/DEPT-25, Access Control and Identity Management System,'' as 
published in the Federal Register on May 8, 2015 (80 FR 26534).
    OMB Circular A-130, Appendix I, indicates that minor changes to 
systems of records need not be reported. In this notice, we are making 
minor changes to the ``COMMERCE/DEPT-25, Access Control and Identity 
Management System'' system of records. Therefore, the Department has 
not filed a report describing the altered system of records covered by 
this notice with the Chair of the Senate Committee on Homeland Security 
and Governmental Affairs, the Chair of the House Committee on Oversight 
and Government Reform, or the Administrator of the Office of 
Information and Regulatory Affairs, OMB.
COMMERCE/DEPT-25

SYSTEM NAME:
    Access Control and Identity Management System.

SECURITY CLASSIFICATION:
    Unclassified, sensitive, for official use only, and classified.

SYSTEM LOCATION:
    a. For Office of Security, Office of the Secretary, U.S. Department 
of Commerce, Room 1033, 1401 Constitution Avenue NW., Washington, DC 
20230.
    b. For Office of Security, U.S. Census Bureau, Room 2J438, 4600 
Silver Hill Road, Washington, DC 20233-3700.
    c. For Office of Security, U.S. Census Bureau Indiana, Room 104, 
Building 66, 1201 E. 10th Street, Jeffersonville, IN 47132.
    d. For Office of Security, National Institute of Standards and 
Technology, Room A-105, Building 318, 100 Bureau Drive, Gaithersburg, 
MD 20899.
    e. For Office of Security, National Oceanic and Atmospheric 
Administration, Room G-101, SSMC- OFA543, 1335 East-West Highway, 
Silver Spring, MD 20910.
    f. For Office of Security, National Oceanic and Atmospheric 
Administration, Western Region, Building 1, 7600 Sand Point Way NE., 
Seattle, WA 38115.
    g. For Office of Security, FirstNet, John W. Powell Federal 
Building, 12201 Sunrise Valley, Drive, Reston, VA 22091.
    h. For Office of Security, U.S. Patent and Trademark Office, 600 
Dulany Street, Madison Building, West, Alexandria, VA 22313.
    i. For Office of the Secretary, Minority Business Development 
Agency, Economic and Statistics Administration, and Economic 
Development Administration: Office of the Secretary,

[[Page 64128]]

Chief Information Officer, 1401 Constitution Avenue NW., Washington, DC 
20230.
    j. For U.S. Census Bureau, Chief Information Officer, 4600 Silver 
Hill Road, Suitland, MD 20746.
    k. For Bureau of Industry and Security, Chief Information Officer, 
1401 Constitution Avenue NW., Washington, DC 20230.
    l. For International Trade Administration, Chief Information 
Officer, 1401 Constitution Avenue NW., Washington, DC 20230.
    m. For National Institute of Standards and Technology, Chief 
Information Officer, 100 Bureau Drive, Gaithersburg, MD 20899.
    n. For National Telecommunications and Information Administration, 
Chief Information Officer, 1401 Constitution Avenue NW., Washington, DC 
20230.
    o. For National Oceanic and Atmospheric Administration, Chief 
Information Officer, 1305 East-West Highway, SSMC3, Silver Spring, MD 
20910.
    p. For U.S. Patent and Trademark Office, Chief Information Officer, 
600 Dulany Street, Madison Building, Alexandria, VA 22314.
    q. For Office of Inspector General, Chief Information Officer, 
Chief Information Officer, 1401 Constitution Avenue NW., Washington, DC 
20230.
    r. For National Technical Information Service, Office of the Chief 
Information Officer, Security Division, 5301 Shawnee Road., Alexandria, 
VA 22312.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Employees, contractors, and other affiliates requiring access to 
Department of Commerce electronic (including PKI-authenticated) and 
physical assets.

CATAGORIES OF RECORDS IN THE SYSTEM:
    Records may include the individual's name; organization; work 
telephone number; cellular telephone number; home telephone number, 
work email; Federal agency Smart Card Number (FASC-N); social security 
number; employee number; status as an employee, contractor or other 
affiliation with the Department of Commerce; PIN number (encrypted); 
sign-in/out, badge-in/out, time-in/out, log-in/out data; computer 
transaction data to include, but not limited to, key stroke monitoring; 
IP address of access; logs of internet activity and records on the 
authentication of the access request; key fob identifier; token 
identifier; Personal Identity Verification (PIV) Card identifier; 
computer access login name; and any computer generated identifier 
assigned to a user.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301; 35 U.S.C. 2; the Electronic Signatures in Global and 
National Commerce Act, Public Law 106-229; 28 U.S.C. 533-535; 44 U.S.C. 
1301; Homeland Security Presidential Directive 12 and IRS Publication-
1075.

PURPOSES:
    Records in this system are used by authorized personnel to improve 
security for Department of Commerce physical facilities for purposes 
including: Ensuring process integrity; enabling employees to carry out 
their lawful and authorized responsibilities; verifying individuals' 
authorization to access buildings and facilities; creating a record of 
individuals' access to buildings and facilities; facilitating the 
issuance and retrieval of visitor and temporary badges; and providing 
statistical data on building and facility access patterns including 
electronic and physical sign/badge-in and sign/badge-out data for 
resource planning and emergency management purposes.
    Records may also be used to secure electronic assets; to maintain 
accountability for issuance and disposition of security access; to 
maintain an electronic system to facilitate secure on-line 
communication between Federal automated systems, between Federal 
employees or contractors, and with the public, using digital signature 
technologies to authenticate and verify identity; to provide a means of 
access to electronic assets, desktops, and laptops; and to provide 
mechanisms for non- repudiation of personal identification and access 
to electronic systems, including but not limited to human resource, 
financial, procurement, travel and property systems, as well as systems 
containing information on intellectual property and other mission 
critical systems. The system also maintains records relating to the 
issuance of digital certificates utilizing public key cryptography to 
employees and contractors for the transmission of sensitive electronic 
material that requires protection.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. Records in this system are accessed on a daily basis by 
authorized personnel to verify individuals' authorized access to 
buildings and facilities; electronic systems and computers; facilitate 
the issuance and retrieval of visitor and temporary badges; determine 
whether administrative action (including disciplinary action) should be 
taken regarding any employee, contractor, or visitor; and provide 
statistical data on computer information systems, building and facility 
access patterns including electronic and physical sign/badge-in and 
sign/badge-out data for resource planning, emergency management 
purposes, assuring the security of computer information systems, and 
implementing Executive Order 13587.
    2. In the event that a system of records maintained by the 
Department to carry out its functions indicates or relates to a 
violation or potential violation of law or contract, whether civil, 
criminal or regulatory in nature, and whether arising by general 
statute or particular program statute or contract, or rule, regulation, 
or order issued pursuant thereto, or where necessary to protect an 
interest of the Department, the relevant records in the system of 
records may be referred, as a routine use, to the appropriate agency, 
whether Federal, state, local or foreign, charged with the 
responsibility of investigating or prosecuting such violation or 
charged with enforcing or implementing the statute or contract, or 
rule, regulation or order issued pursuant thereto, or protecting the 
interest of the Department.
    3. A record from this system of records may be disclosed to a 
Federal, state or local agency maintaining civil, criminal or other 
relevant enforcement information or other pertinent information, such 
as current licenses, if necessary to obtain information relevant to a 
Department decision concerning the assignment, hiring or retention of 
an individual, the issuance of a security clearance, the letting of a 
contract, or the issuance of a license, grant or other benefit.
    4. A record from this system of records may be disclosed to a 
Federal, state, local, or international agency, in response to its 
request, in connection with the assignment, hiring or retention of an 
individual, the issuance of a security clearance, the reporting of an 
investigation of an individual, the letting of a contract, or the 
issuance of a license, grant, or other benefit by the requesting 
agency, to the extent that the information is relevant and necessary to 
the requesting agency's decision on the matter.
    5. A record from this system of records may be disclosed in the 
course of presenting evidence to a court, magistrate or administrative 
tribunal, including disclosures to opposing counsel in the course of 
settlement negotiations.
    6. A record in this system of records may be disclosed to a Member 
of Congress submitting a request involving an individual when the 
individual has

[[Page 64129]]

requested assistance from the Member with respect to the subject matter 
of the record.
    7. A record in this system of records may be disclosed to the 
Office of Management and Budget in connection with the review of 
private relief legislation as set forth in OMB Circular No. A-19 at any 
stage of the legislative coordination and clearance process as set 
forth in that Circular.
    8. A record in this system of records may be disclosed to the 
Department of Justice in connection with determining whether disclosure 
thereof is required by the Freedom of Information Act (5 U.S.C. 552).
    9. A record in this system of records may be disclosed to a 
contractor of the Department having need for the information in the 
performance of the contract, but not operating a system of records 
within the meaning of 5 U.S.C. 552a(m).
    10. A record in this system may be transferred to the Office of 
Personnel Management for personnel research purposes; as a data source 
for management information; for the production of summary descriptive 
statistics and analytical studies in support of the function for which 
the records are collected and maintained; or for related manpower 
studies.
    11. A record from this system of records may be disclosed to the 
Administrator, General Services, or his designee, during an inspection 
of records conducted by the General Services Administration as part of 
that agency's responsibility to recommend improvements in records 
management practices and programs, under authority of 44 U.S.C. 2904 
and 2906. Such disclosure shall be made in accordance with the GSA 
regulations governing inspection of records for this purpose, and any 
other relevant (i.e. GSA or Commerce) directive. Such disclosure shall 
not be used to make determinations about individuals.
    12. A record in this system of records may be disclosed to 
appropriate agencies, entities and persons when (1) it is suspected or 
determined that the security or confidentiality of information in the 
system of records has been compromised; (2) the DOC has determined that 
as a result of the suspected or confirmed compromise there is a risk of 
harm to economic or property interests, identity theft or fraud, or 
harm to the security or integrity of this system or whether systems or 
programs (whether maintained by the DOC or another agency or entity) 
that rely upon the compromised information; and (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the DOC's efforts to respond to the suspected 
or confirmed compromise and to prevent, minimize, or remedy such harm.
    13. A record in this system of records may be disclosed to 
appropriate agencies, entities and persons for the purpose of 
performing audit or oversight operations as authorized by law, but only 
such information as is necessary and relevant to such audit or 
oversight function.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    Not applicable.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
Storage:
    Records in this system are on paper and/or in digital or other 
electronic form. Paper records are stored in secure rooms and storage 
cabinets and electronic records are stored as electronic/digital media 
and stored in secure file-servers within controlled environment. Both 
paper and electronic/digital records are accessed only by authorized 
personnel.

RETRIEVABILITY:
    Records are retrieved by individual's name, employment status, 
organization and/or security access badge number, or other Department 
of Commerce identifier. Information may be retrieved from this system 
of records by automated search based on extant indices and automated 
capabilities utilized in the normal course of business.

SAFEGUARDS:
    Entrance to data centers and support organization offices is 
restricted to those employees whose work requires them to be there for 
the system to operate. Identification cards are verified to ensure that 
records are in areas accessible only to authorized personnel who are 
properly screened, cleared, and trained. Disclosure of electronic 
information through remote terminals is restricted through the use of 
passwords and sign-on protocols that are periodically changed. Reports 
produced from the remote printers are subject to the same privacy 
controls as other documents of like sensitivity. Electronic and digital 
certificates ensure secure local and remote access and allow only 
authorized employees, contractor employees, or other affiliated 
individuals to gain access to federal information assets available 
through secured systems access.
    Access to sensitive records is available only to authorized 
employees and contractor employees responsible for the management of 
the system and/or employees of program offices who have a need for such 
information. Electronic records are password-protected or PKI-
protected, consistent with the requirements of the Federal Information 
Security Management Act (Pub. L. 107-296), and associated OMB policies, 
standards and guidance from the National Institute of Standards and 
Technology, and the General Services Administration; all records are 
protected from unauthorized access through appropriate administrative, 
physical, and technical safeguards.
    Access is restricted on a ``need to know'' basis, utilization of 
PIV Card access, secure VPN for Web access, and locks on doors and 
approved storage containers. Buildings have security guards and secured 
doors. Entrances are monitored through electronic surveillance 
equipment.

RETENTION AND DISPOSAL:
    Records are disposed of in accordance with the appropriate records 
disposition schedule approved by the Archivist of the United States.

SYSTEM MANGER(S) AND ADDRESS:
    System managers are the same as stated in the System Location 
section above.

NOTIFICATION PROCEDURE:
    An individual requesting notification of existence of records on 
himself or herself should send a signed, written inquiry to the 
locations listed below. The request letter should be clearly marked, 
``PRIVACY ACT REQUEST.'' The written inquiry must be signed and 
notarized or submitted with certification of identity under penalty of 
perjury. Requesters should reasonably specify the record contents being 
sought.
    For records at locations a., g., and i.: Departmental Freedom of 
Information and Privacy Act Officer, Room 52010, U.S. Department of 
Commerce, 1401 Constitution Avenue NW., Washington, DC 20230.
    For records at locations b., c., and j.: U.S. Census Bureau, 
Freedom of Information and Privacy Act Officer, Room 8H027, 4600 Silver 
Hill Road, Washington, DC 20233-3700.
    For records at locations d. and m.: National Institute of Standards 
and Technology, Freedom of Information and Privacy Act Officer, Room 
1710, 100 Bureau Drive, Gaithersburg, MD 20899.
    For records at locations e., f., and o.: National Oceanic and 
Atmospheric

[[Page 64130]]

Administration, Freedom of Information and Privacy Act Officer, Room 
9719, SSMC3, 1315 East-West Highway, Silver Spring, MD 20910.
    For records at locations h. and p.: U.S. Patent and Trademark 
Office, Freedom of Information and Privacy Act Officer, 600 Dulany 
Street, Madison Building, East, Room 10B20, Alexandria, VA 22313.
    For records at location k.: Bureau of Industry and Security, 
Freedom of Information and Privacy Act Officer, Room 6622, 1401 
Constitution Avenue NW., Washington, DC 20230.
    For records at location l.: International Trade Administration, 
Freedom of Information and Privacy Act Officer, Room 40003, 1401 
Constitution Avenue NW., Washington, DC 20230.
    For records at location n.: National Telecommunications and 
Information Administration, Freedom of Information and Privacy Act 
Officer, Room 4713, 1401 Constitution Avenue NW., Washington, DC 20230.
    For records at location q.: Office of Inspector General, Freedom of 
Information and Privacy Act Officer, Room 7892, 1401 Constitution 
Avenue NW., Washington, DC 20230.
    For records at location r.: National Technical Information Service, 
Freedom of Information Act Officer, 5301 Shawnee Road, Alexandria, VA 
22312.

RECORD ACCESS PROCEDURES:
    An individual requesting access to records on himself or herself 
should send a signed, written inquiry to the same address as stated in 
the Notification Procedure section above. The request letter should be 
clearly marked, ``PRIVACY ACT REQUEST.'' The written inquiry must be 
signed and notarized or submitted with certification of identity under 
penalty of perjury. Requesters should specify the record contents being 
sought.

CONTESTING RECORD PROCEDURES:
    An individual requesting corrections or contesting information 
contained in his or her records must send a signed, written request 
inquiry to the same address as stated in the Notification Procedure 
section above. Requesters should reasonably identify the records, 
specify the information they are contesting and state the corrective 
action sought and the reasons for the correction with supporting 
justification showing how the record is incomplete, untimely, 
inaccurate, or irrelevant. The Department's rules for access, for 
contesting contents, and for appealing initial determination by the 
individual concerned appear in 15 CFR part 4, Appendix B.

RECORD SOURCE CATEGORIES:
    The information contained in these records is provided by or 
verified by: The subject individual of the record, supervisors, other 
personnel documents, other Department systems, access log records and 
sensors and non-Federal sources such as private employers and their 
agents, along with those authorized by the individuals to furnish 
information.

EXEMPTIONS CLAIMED FOR THE SYSTEM:
    Pursuant to 5 U.S.C. 552a(j)(2), (k)(1), (k)(2), and (k)(5), all 
information and material in the record which meets the criteria of 
these subsections are exempted from the notice, access, and contest 
requirements under 5 U.S.C. 552a(c)3, (d), (e)(1), (e)(4)(G), (H), and 
(I), and (f) of the agency regulations because of the necessity to 
exempt this information and material in order to accomplish the law 
enforcement function of the agency, to prevent disclosure of classified 
information as required by Executive Order 12958, as amended by 
Executive Order 13292, to assure the protection of the President, to 
prevent subjects of investigation from frustrating the investigatory 
process, to prevent the disclosure of investigative techniques, to 
fulfill commitments made to protect the confidentiality of information, 
and to avoid endangering these sources and law enforcement personnel.

    Dated: September 14, 2016.
Michael J. Toland,
Department of Commerce, Deputy Chief FOIA Officer, Department Privacy 
Act Officer.
[FR Doc. 2016-22469 Filed 9-16-16; 8:45 am]
 BILLING CODE 3510-BX-P