83 FR 50682 - Privacy Act of 1974; System of Records

DEPARTMENT OF THE INTERIOR
Office of the Secretary

Federal Register Volume 83, Issue 195 (October 9, 2018)

Pursuant to the provisions of the Privacy Act of 1974, as amended, the Department of the Interior proposes to modify the Department of the Interior ``DOI-16, DOI LEARN (Department-wide Learning Management System)'' system of records notice. This system of records helps the Department of the Interior maintain and validate training records, manage class rosters and transcripts, meet Federal mandatory training and statistical reporting requirements, and manage other functions related to training and educational programs. This modified system will be included in the Department of the Interior's inventory of record systems.

[Federal Register Volume 83, Number 195 (Tuesday, October 9, 2018)]
[Notices]
[Pages 50682-50686]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-21796]


-----------------------------------------------------------------------

DEPARTMENT OF THE INTERIOR

Office of the Secretary

[DOI-2018-0008; 18XD4523WS, DS64900000, DWSN00000.000000, DP.64916]


Privacy Act of 1974; System of Records

AGENCY: Office of the Secretary, Interior.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, as 
amended, the Department of the Interior proposes to modify the 
Department of the Interior ``DOI-16, DOI LEARN (Department-wide 
Learning Management System)'' system of records notice. This system of

[[Page 50683]]

records helps the Department of the Interior maintain and validate 
training records, manage class rosters and transcripts, meet Federal 
mandatory training and statistical reporting requirements, and manage 
other functions related to training and educational programs. This 
modified system will be included in the Department of the Interior's 
inventory of record systems.

DATES: This modified system will be effective upon publication. New or 
modified routine uses will be effective November 8, 2018. Submit 
comments on or before November 8, 2018.

ADDRESSES: You may submit comments, identified by docket number DOI-
2018-0008, by any of the following methods:
     Federal e-Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Mail: Teri Barnett, Departmental Privacy Officer, U.S. 
Department of the Interior, 1849 C Street NW, Room 7112, Washington, DC 
20240.
     Hand-delivering comments to Teri Barnett, Departmental 
Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, 
Room 7112, Washington, DC 20240.
     Email: [email protected].
    All submissions received must include the agency name and docket 
number. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided.

FOR FURTHER INFORMATION CONTACT: Teri Barnett, Departmental Privacy 
Officer, U.S. Department of the Interior, 1849 C Street NW, Room 7112, 
Washington, DC 20240, email at [email protected] or by telephone 
at (202) 208-1605.

SUPPLEMENTARY INFORMATION: 

I. Background

    The Department of the Interior (DOI), Office of the Secretary 
maintains the DOI-16, DOI LEARN, system of records to manage 
Department-wide, bureau and office training and learning programs. This 
system of record helps DOI maintain and validate training records, 
manage class rosters and transcripts for course administrators and the 
student or learner, meet Federal mandatory training and statistical 
reporting requirements, and manage other programmatic functions related 
to training and educational programs. DOI collects personal information 
from students in order to communicate training opportunities, manage 
course registration and delivery, validate training records necessary 
for certification or granting of college credit, process billing 
information for training classes, and to meet Federal training 
reporting requirements. Information may also be collected to comply 
with the Americans with Disabilities Act requirements to address 
facilities accommodations. Training and learning records are maintained 
in DOI's web-based learning management system, and bureau and office 
systems and locations where training programs are managed.
    DOI is revising the system of records notice to update the system 
name, system location, system manager and address, categories of 
individuals, categories of records, storage, retrievability, 
safeguards, retention and disposal, notification procedures, records 
access and contesting procedures, and records source categories; 
reorganize the sections and add new sections to describe the purpose of 
the system and history in accordance with Office of Management and 
Budget (OMB) Circular A-108; and provide general and administrative 
updates to the remaining sections. Additionally, DOI is modifying 
existing routine uses to provide clarity and transparency, and 
proposing to add new proposed routine uses to permit sharing of 
information with other agencies to respond to breaches of personally 
identifiable information. Routine uses D, E, H, I, and J have been 
modified to provide additional clarification on external organizations 
and circumstances where disclosures are proper and necessary to 
facilitate training functions or to comply with Federal requirements. 
Routine use G was modified to further clarify disclosures to the 
Department of Justice or other Federal agencies when necessary in 
relation to litigation or judicial proceedings.
    DOI is proposing to add new routine uses K through S to facilitate 
sharing of information with agencies and organizations to ensure the 
efficient and effective management of training for employees, promote 
the integrity of the records in the system, or carry out a statutory 
responsibility of the DOI or the Federal Government. Proposed routine 
use K facilitates sharing of information with the Executive Office of 
the President to resolve issues concerning individual's records. 
Routine use L allows DOI to refer matters to the appropriate Federal, 
state, local, or foreign agencies, or other public authority agencies 
responsible for investigating or prosecuting violations of law. Routine 
use M facilitates sharing with other government and tribal 
organizations pursuant to a court order or discovery request. Modified 
routine use N and proposed routine use O allow DOI to share information 
with appropriate Federal agencies or entities when reasonably necessary 
to respond to a breach of personally identifiable information and to 
prevent, minimize, or remedy the risk of harm to individuals or the 
Federal Government, or assist an agency in locating individuals 
affected by a breach in accordance with OMB Memorandum M-17-12, 
``Preparing for and Responding to a Breach of Personally Identifiable 
Information.'' Routine use P facilitates sharing of privacy information 
with OMB as required under OMB Circular A-19, ``Legislative 
Coordination and Clearance.'' Routine use Q allows DOI to share 
information with the Department of the Treasury to recover debts owed 
to the United States. Routine use R allows DOI to disclose information 
to the news media and the public when there is a legitimate public 
interest in the information, or to demonstrate accountability or ensure 
effective Government functions. Routine use S allows DOI to share 
information with the Office of Personnel Management to maintain 
integrity of employee training records and provide training reports to 
meet Federal training requirements.

II. Privacy Act

    The Privacy Act of 1974, as amended, embodies fair information 
practice principles in a statutory framework governing the means by 
which Federal agencies collect, maintain, use, and disseminate 
individuals' records. The Privacy Act applies to records about 
individuals that are maintained in a ``system of records.'' A ``system 
of records'' is a group of any records under the control of an agency 
from which information is retrieved by the name of an individual or by 
some identifying number, symbol, or other identifying particular 
assigned to the individual. The Privacy Act defines an individual as a 
United States citizen or an alien lawfully admitted for permanent 
residence. Individuals may request access to their own records that are 
maintained in a system of records in the possession or under the 
control of DOI by complying with DOI Privacy Act regulations at 43 CFR 
part 2, subpart K, and following the procedures outlined in the Records 
Access, Contesting Record, and Notification Procedures sections of this 
notice.
    The Privacy Act requires each agency to publish in the Federal 
Register a description denoting the existence and character of each 
system of records that the agency maintains and the routine uses of 
each system. The revised DOI

[[Page 50684]]

learning management system of records notice is published in its 
entirety below. In accordance with 5 U.S.C. 552a(r), DOI has provided a 
report of this system of records to the Office of Management and Budget 
and to Congress.

III. Public Participation

    You should be aware your entire comment including your personal 
identifying information, such as your address, phone number, email 
address, or any other personal identifying information in your comment, 
may be made publicly available at any time. While you may request to 
withhold your personal identifying information from public review, we 
cannot guarantee we will be able to do so.

Teri Barnett,
Departmental Privacy Officer.

SYSTEM NAME AND NUMBER:
INTERIOR/DOI-16, Learning Management System.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    (1) Department-wide training records are centrally managed by the 
Office of Policy, Management and Budget, Chief Human Capital Office, 
and are maintained in the Department's learning management system 
located at a DOI-controlled datacenter at U.S. Department of the 
Interior, 7301 W Mansfield Avenue, Denver, CO 80235.
    (2) Records are also located in DOI bureau and office facilities, 
systems, and portals that manage or sponsor training and educational 
programs.

SYSTEM MANAGER(S):
    (1) Chief Learning Officer, Office of the Secretary, Department of 
the Interior, Main Interior Building, 1849 C Street NW, Washington, DC 
20240.
    (2) Bureau and Office Learning Managers responsible for managing 
training, educational and learning programs. A current list of the 
Learning Managers and their addresses is available on the DOI Learn 
Bureau Contact website at https://www.doi.gov/doilearn/datastewards/.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 4101, et seq., Government Organization and Employee 
Training; 5 U.S.C. 1302, 2951, 4118, 4506, 3101; 43 U.S.C. 1457; Title 
VI of the Civil Rights Act of 1964 as amended (42 U.S.C. 2000d); 
Executive Order 11348, Providing for Further Training of Government 
Employees, as amended by Executive Order 12107, Relating to Civil 
Service Commission and Labor Management in Federal Service; 5 CFR 410, 
Subpart C, Establishing and Implementing Training Programs; Americans 
with Disabilities Act (42 U.S.C. 12101); and the E-Government Act of 
2002 (44 U.S.C. 3501, et seq.).

PURPOSE(S) OF THE SYSTEM:
    The primary purposes of the system are to: (1) Manage training and 
learning programs; (2) plan and facilitate training courses including 
outreach, registration, enrollment and payment; (3) maintain and 
validate training records for certification and mandatory compliance 
reporting; (4) meet Federal training statistical reporting 
requirements; (5) maintain class rosters and transcripts for course 
administrators, students and learners; and (6) generate budget 
estimates for training requirements.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    DOI employees, contractors, interns, emergency workers, volunteers 
and appointees who receive training related to their official duties, 
whether or not sponsored by DOI bureaus and offices. Non-DOI 
individuals who participate in DOI-sponsored training and educational 
programs, or participate in DOI-sponsored meetings and activities 
related to training and educational programs. Non-DOI individuals may 
include individuals from other Federal, state or local agencies, 
private or not-for-profit organizations, universities and other 
schools, and members of the public.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Training, educational and learning management records may include 
course registration, attendance rosters, and course information 
including course title, class name, objectives, description, and who 
should attend; class status information including begin and end dates, 
responsible class instructor, completion status and certification 
requirements; student transcripts (course(s) completed/not completed, 
test scores, acquired skills); and correspondence, reports and 
documentation related to training, education and learning management 
programs. These records may contain: Name, Social Security number, 
employee common identifier generated from the DOI Federal Personnel and 
Payroll System (FPPS), login username, password, agency or organization 
affiliation, work or personal address, work or personal phone and fax 
number, work or personal email address, gender, date of birth, 
organization code, position title, occupational series, pay plan, grade 
level, supervisory status, type of appointment, education level, duty 
station code, agency, bureau, office, organization, supervisor's name 
and phone number, date of Federal service, date of organization or 
position assignment, date of last promotion, occupational category, 
race, national origin, and adjusted basic pay. Records may also include 
billing information such as responsible agency, tax identifier number, 
DUNS number, purchase order numbers, agency location codes and credit 
card information. Records maintained on non-DOI individuals is 
generally limited to name, agency or organization affiliation, address, 
work and personal phone and fax numbers, work and personal email 
addresses, supervisor name and contact information, position title, 
occupational series, and billing information.

RECORD SOURCE CATEGORIES:
    Information on DOI employees is obtained directly from individuals 
on whom the records are maintained, supervisors, or existing DOI 
records. Historical employee training records may be obtained from 
other DOI learning management systems. Information from non-DOI 
individuals who register or participate in DOI-sponsored training 
programs is obtained from individuals through paper and electronic 
forms. Information may also be obtained by another agency, institution 
or organization that sponsored the training event.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside DOI as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. To release statistical information and training reports to other 
organizations who are involved with the training.
    B. To disclose information to other Government training facilities 
(Federal, state, and local) and to non-Government training facilities 
(private vendors of training courses or programs, private schools, 
etc.) for training purposes.
    C. To provide transcript information to education institutions upon 
the student's request in order to facilitate transfer of credit to that 
institution, and to provide college and university officials with 
information about their students working in the Pathways

[[Page 50685]]

Program, Volunteer Service, or other similar programs necessary to a 
student's obtaining credit for the experience.
    D. To Federal, state, territorial, local, tribal, or foreign 
agencies that have requested information relevant or necessary to the 
hiring, firing or retention of an employee or contractor, or the 
issuance of a security clearance, license, contract, grant or other 
benefit, when the disclosure is compatible with the purpose for which 
the records were compiled.
    E. To an expert, consultant, grantee, or contractor (including 
employees of the contractor) of DOI that performs services requiring 
access to these records on DOI's behalf to carry out the purposes of 
the system.
    F. To share logistical or attendance information with partner 
agencies (Government or non-Government) who, based on cooperative 
training agreements, have a need to know.
    G. To the Department of Justice (DOJ), including Offices of the 
U.S. Attorneys, or other Federal agency conducting litigation or in 
proceedings before any court, adjudicative, or administrative body, 
when it is relevant or necessary to the litigation and one of the 
following is a party to the litigation or has an interest in such 
litigation:
    (1) DOI or any component of DOI;
    (2) Any other Federal agency appearing before the Office of 
Hearings and Appeals;
    (3) Any DOI employee or former employee acting in his or her 
official capacity;
    (4) Any DOI employee or former employee acting in his or her 
individual capacity when DOI or DOJ has agreed to represent that 
employee or pay for private representation of the employee; or
    (5) The United States Government or any agency thereof, when DOJ 
determines that DOI is likely to be affected by the proceeding.
    H. To a congressional office when requesting information on behalf 
of, and at the request of, the individual who is the subject of the 
record.
    I. To an official of another Federal, state or local government or 
Tribal organization to provide information needed in the performance of 
official duties related to reconciling or reconstructing data files, in 
support of the functions for which the records were collected and 
maintained, or to enable that agency to respond to an inquiry by the 
individual to whom the record pertains.
    J. To representatives of the National Archives and Records 
Administration (NARA) to conduct records management inspections under 
the authority of 44 U.S.C. 2904 and 2906.
    K. To the Executive Office of the President in response to an 
inquiry from that office made at the request of the subject of a record 
or a third party on that person's behalf, or for a purpose compatible 
with the reason for which the records are collected or maintained.
    L. To any criminal, civil, or regulatory law enforcement authority 
(whether Federal, state, territorial, local, tribal or foreign) when a 
record, either alone or in conjunction with other information, 
indicates a violation or potential violation of law--criminal, civil, 
or regulatory in nature, and the disclosure is compatible with the 
purpose for which the records were compiled.
    M. To state, territorial and local governments and tribal 
organizations to provide information needed in response to court order 
and/or discovery purposes related to litigation, when the disclosure is 
compatible with the purpose for which the records were compiled.
    N. To appropriate agencies, entities, and persons when:
    (1) DOI suspects or has confirmed that there has been a breach of 
the system of records;
    (2) DOI has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, DOI (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and
    (3) the disclosure made to such agencies, entities and persons is 
reasonably necessary to assist in connection with DOI's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.
    O. To another Federal agency or Federal entity, when DOI determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in:
    (1) responding to a suspected or confirmed breach; or
    (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    P. To the Office of Management and Budget (OMB) during the 
coordination and clearance process in connection with legislative 
affairs as mandated by OMB Circular A-19.
    Q. To the Department of the Treasury to recover debts owed to the 
United States.
    R. To the news media and the public, with the approval of the 
Public Affairs Officer in consultation with counsel and the Senior 
Agency Official for Privacy, where there exists a legitimate public 
interest in the disclosure of the information, except to the extent it 
is determined that release of the specific information in the context 
of a particular case would constitute an unwarranted invasion of 
personal privacy.
    S. To the Office of Personnel Management to disclose information on 
employee general training, including recommendations and completion, 
specialized training obtained, participation in government-sponsored 
training, or training history as required to provide workforce 
information for official personnel files.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    Pursuant to 5 U.S.C. 552a(b)(12), records may be disclosed to 
consumer reporting agencies as they are defined in the Fair Credit 
Reporting Act (15 U.S.C. 1681a(f)) or the Federal Claims Collection Act 
of 1966 (31 U.S.C. 3701(a)(3)).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored in systems, databases, electronic media on hard 
disks, magnetic tapes, compact disks and paper media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information from this system is retrieved by either unique 
identifying fields (e.g., student name or email address) or by general 
category (e.g., course code, training location, class start date, 
registration date, affiliation, mandatory training compliance and 
payment status).

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    DOI training records are maintained under Department Records 
Schedule (DRS)--1.2.0004, Short-Term Human Resources Records (DAA-0048-
2013-0001-0004) and DRS -1.2.0005, Long-term Human Resources Records 
(DAA-0048-2013-0001-0005), which were approved by NARA. General 
employee training records and working files have a temporary 
disposition authority and are maintained for three years. Records will 
be cut off at the end of fiscal year in which files are closed, and the 
records will be destroyed 3 years after cut-off. Employee performance 
and competency management records maintained under DRS 1.2.0005 have a 
longer retention period. The records

[[Page 50686]]

disposition is temporary, and records will be cut off at the end of the 
fiscal year in which the record is created. Contractor data will be cut 
off when the contractor separates or is no longer employed by the 
agency. Records must be retained 7 years after cut-off.
    Training records related to specialized program areas may be 
covered under other approved records retention schedules based on the 
program or mission area and agency needs. Retention periods may vary 
based on the training program or subject matter, and longer retention 
is authorized for specific training programs when it is necessary to 
support business use or to meet Federal records requirements. Approved 
destruction methods for temporary records that have met their retention 
period include shredding or pulping paper records, and erasing or 
degaussing electronic records in accordance with 384 Departmental 
Manual 1 and NARA guidelines.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    The records maintained in this system are safeguarded in accordance 
with 43 CFR 2.226 and other applicable security rules and policies. 
During normal hours of operation, paper or micro format records are 
maintained in locked file cabinets in secured rooms under the control 
of authorized personnel. Information technology systems follow the 
National Institute of Standards and Technology privacy and security 
standards developed to comply with the Privacy Act of 1974 as amended, 
5 U.S.C. 552a; the Paperwork Reduction Act of 1995, Public Law 104-13; 
the Federal Information Security Modernization Act of 2014, Public Law 
113-283, as codified at 44 U.S.C. 3551, et seq.; and the Federal 
Information Processing Standard 199, Standards for Security 
Categorization of Federal Information and Information Systems.
    Computer servers on which electronic records are stored are located 
in secured DOI facilities with physical, technical and administrative 
levels of security to prevent unauthorized access to the DOI network 
and information assets. Security controls include encryption, 
firewalls, audit logs, and network system security monitoring. 
Electronic data is protected through user identification, passwords, 
database permissions and software controls. Access to records in the 
system is limited to authorized personnel who have a need to access the 
records in the performance of their official duties, and each person's 
access is restricted to only the functions and data necessary to 
perform that person's job responsibilities. System administrators and 
authorized users for DOI are trained and required to follow established 
internal security protocols and must complete all security, privacy, 
and records management training, and sign DOI Rules of Behavior.
    Computerized records systems follow the National Institute of 
Standards and Technology privacy and security standards as developed to 
comply with the Privacy Act of 1974, 5 U.S.C. 552a; Paperwork Reduction 
Act of 1995, 44 U.S.C. 3501-3521; Federal Information Security 
Modernization Act of 2014, 44 U.S.C. 3551-3558; and the Federal 
Information Processing Standards 199: Standards for Security 
Categorization of Federal Information and Information Systems. Security 
controls include user identification, passwords, database permissions, 
encryption, firewalls, audit logs, and network system security 
monitoring, and software controls. A privacy impact assessment was 
conducted on DOI's learning management system to ensure that Privacy 
Act requirements are met and appropriate privacy controls were 
implemented to safeguard personally identifiable information.

RECORD ACCESS PROCEDURES:
    An individual requesting records on himself or herself should send 
a signed, written inquiry to the System Manager as identified above. 
The request must include the specific bureau or office that maintains 
the record to facilitate location of the applicable records. The 
request envelope and letter should both be clearly marked ``PRIVACY ACT 
REQUEST FOR ACCESS.'' A request for access must meet the requirements 
of 43 CFR 2.238.

CONTESTING RECORD PROCEDURES:
    An individual requesting corrections or the removal of material 
from his or her records should send a signed, written request to the 
System Manager as identified above. The request must include the 
specific bureau or office that maintains the record to facilitate 
location of the applicable records. A request for corrections or 
removal must meet the requirements of 43 CFR 2.246.

NOTIFICATION PROCEDURES:
    An individual requesting notification of the existence of records 
on himself or herself should send a signed, written inquiry to the 
System Manager as identified above. The request must include the 
specific bureau or office that maintains the record to facilitate 
location of the applicable records. The request envelope and letter 
should both be clearly marked ``PRIVACY ACT INQUIRY.'' A request for 
notification must meet the requirements of 43 CFR 2.235.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    70 FR 58230 (October 5, 2005); modification published at 73 FR 8342 
(February 13, 2008).
[FR Doc. 2018-21796 Filed 10-5-18; 8:45 am]
 BILLING CODE 4334-63-P