[Federal Register Volume 85, Number 13 (Tuesday, January 21, 2020)]
[Notices]
[Pages 3406-3410]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-00355]



[[Page 3406]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE INTERIOR

Office of the Secretary

[DOI-2019-0005; DS65100000, DWSN00000.000000, DP.65106, 20XD4523WS]


Privacy Act of 1974; System of Records

AGENCY: Office of the Secretary, Interior.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, as 
amended, the Department of the Interior is issuing a public notice of 
its intent to modify the Department of the Interior Privacy Act system 
of records titled, ``HSPD-12: Physical Security Files--Interior, DOI-
46''. This system of records helps the Department of the Interior 
manage physical security operations and visitor access to Federally-
controlled facilities and information systems. The Department of the 
Interior is updating this system of records notice to add new proposed 
routine uses, modify existing routine uses to provide clarification, 
modify the categories of records and categories of individuals covered 
by the system, and provide updates to remaining sections to accurately 
reflect management of the system of records. This modified system will 
be included in the Department of the Interior's inventory of record 
systems.

DATES: This modified system will be effective upon publication. New or 
modified routine uses will be effective February 20, 2020. Submit 
comments on or before February 20, 2020.

ADDRESSES: You may send comments, identified by docket number [DOI-
2019-0005], by any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for sending comments.
     Email: [email protected]. Include docket number 
[DOI-2019-0005] in the subject line of the message.
     U.S. mail or hand-delivery: Teri Barnett, Departmental 
Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, 
Room 7112, Washington, DC 20240.
    Instructions: All submissions received must include the agency name 
and docket number [DOI-2019-0005]. All comments received will be posted 
without change to http://www.regulations.gov, including any personal 
information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Teri Barnett, Departmental Privacy 
Officer, U.S. Department of the Interior, 1849 C Street NW, Room 7112, 
Washington, DC 20240, [email protected] or (202) 208-1605.

SUPPLEMENTARY INFORMATION: 

I. Background

    The Department of the Interior (DOI), Office of Law Enforcement and 
Security maintains the HSPD-12: Physical Security Files--Interior, DOI-
46 system of records. This system helps DOI manage physical security 
operations and visitor access to DOI-controlled facilities and 
implement Homeland Security Presidential Directive 12 (HSPD-12), which 
requires Federal agencies to use a common identification credential for 
both logical and physical access to Federally-controlled facilities and 
information systems. DOI employees, contractors, consultants, 
volunteers, Federal emergency response officials, Federal employees on 
detail or temporarily assigned to work in DOI facilities, visitors, and 
other individuals require access to agency facilities, systems or 
networks. DOI uses integrated identity management systems to issue 
credentials to verify individuals' identities, manage access controls, 
and ensure the security of DOI controlled facilities. This Department-
wide system notice covers physical security program records and 
activities, including all DOI controlled areas where paper-based 
physical security logs and registers have been established, in addition 
to or in place of smart-card access control systems.
    DOI is publishing this revised notice to describe the purpose of 
the system, propose new and modified routine uses, and provide updates 
to the categories of records, categories of individuals covered by the 
system and the remaining sections to accurately reflect management of 
the system of records in accordance with the Office of Management and 
Budget (OMB) Circular A-108, Federal Agency Responsibilities for 
Review, Reporting, and Publication under the Privacy Act. Additionally, 
DOI is claiming exemptions for certain records maintained in this 
system from some provisions of the Privacy Act pursuant to 5 U.S.C. 
552a(k)(2), (k)(3), and (k)(5).
    DOI is proposing to modify existing routine uses to provide clarity 
and transparency, and reflect updates consistent with standard DOI 
routine uses. Routine uses A, B, E, G, and I have been modified to 
provide additional clarification on external organizations and 
circumstances where disclosures are proper and necessary to facilitate 
physical security operations or to comply with Federal requirements. 
Modified routine use J and new routine use K allow DOI to share 
information with appropriate Federal agencies or entities when 
reasonably necessary to respond to a breach of personally identifiable 
information and to prevent, minimize, or remedy the risk of harm to 
individuals or the Federal Government, or assist an agency in locating 
individuals affected by a breach in accordance with OMB Memorandum M-
17-12, Preparing for and Responding to a Breach of Personally 
Identifiable Information.
    DOI is proposing to add new routine uses to facilitate sharing of 
information with agencies and organizations to ensure the efficient and 
effective management of physical security functions, promote the 
integrity of the records in the system, or carry out a statutory 
responsibility of the DOI or Federal Government. New proposed routine 
use C facilitates sharing of information with the Executive Office of 
the President to resolve issues concerning an individual's records. 
Routine use D allows DOI to share information with other agencies when 
there is an indication of a violation of law. Routine use F facilitates 
sharing of information related to hiring, issuance of a security 
clearance, or a license, contract, grant or benefit. Routine use H 
allows sharing of information with government agencies and 
organizations in response to court orders or for discovery purposes 
related to litigation. Routine use L facilitates sharing with the OMB 
in relation to legislative affairs mandated by OMB Circular A-19. 
Routine use M allows sharing of information with the Department of the 
Treasury to recover debts owed to the United States. Routine use N 
allows sharing with the news media and the public, when it is necessary 
to preserve the confidence in the integrity of DOI, demonstrate the 
accountability of its officers, employees, or individuals covered in 
the system, or where there exists a legitimate public interest in the 
disclosure of the information such as circumstances that support a 
legitimate law enforcement or public safety function, or protects the 
public from imminent threat of life or property.
    Some Personal Identity Verification (PIV) card information in this 
system may also be covered under government-wide system of records 
notice, GSA/GOVT-7, Federal Personal Identity Verification Identity 
Management System (PIV IDMS), which applies to participating Federal 
agency employees, consultants, and volunteers who require long-term 
access to Federal facilities,

[[Page 3407]]

systems and networks, and individuals who are authorized to perform or 
use services in agency facilities. This system notice covers additional 
categories of individuals and records to include occasional and short-
term visitors and guests, temporary credentials, paper-based security 
logs, and other information necessary to ensure the safety and security 
of DOI facilities, systems, occupants, and users.
    In a notice of proposed rulemaking, which is published separately 
in the Federal Register, DOI is proposing to exempt records maintained 
in this system from certain provisions of the Privacy Act pursuant to 5 
U.S.C. 552a(k)(2), (k)(3) and (k)(5).

II. Privacy Act

    The Privacy Act of 1974, as amended, embodies fair information 
practice principles in a statutory framework governing the means by 
which Federal agencies collect, maintain, use, and disseminate 
individuals' personal information. The Privacy Act applies to records 
about individuals that are maintained in a ``system of records.'' A 
``system of records'' is a group of any records under the control of an 
agency for which information is retrieved by the name of an individual 
or by some identifying number, symbol, or other identifying particular 
assigned to the individual. The Privacy Act defines an individual as a 
United States citizen or lawful permanent resident. Individuals may 
request access to their own records that are maintained in a system of 
records in the possession or under the control of DOI by complying with 
DOI Privacy Act regulations at 43 CFR part 2, subpart K, and following 
the procedures outlined in the Records Access, Contesting Record, and 
Notification Procedures sections of this notice.
    The Privacy Act requires each agency to publish in the Federal 
Register a description denoting the existence and character of each 
system of records that the agency maintains and the routine uses of 
each system. The revised INTERIOR/DOI-46, Physical Security Access 
Files, system of records notice is published in its entirety below. In 
accordance with 5 U.S.C. 552a(r), DOI has provided a report of this 
system of records to the Office of Management and Budget and to 
Congress.

III. Public Participation

    You should be aware your entire comment including your personal 
identifying information, such as your address, phone number, email 
address, or any other personal identifying information in your comment, 
may be made publicly available at any time. While you may request to 
withhold your personal identifying information from public review, we 
cannot guarantee we will be able to do so.

SYSTEM NAME AND NUMBER:
    INTERIOR/DOI-46, Physical Security Access Files.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records covered by this system are maintained at the following 
locations:
    (1) U.S. Department of the Interior, Office of Law Enforcement and 
Security, Physical Security Office, 1849 C Street NW, Mail Stop 1324 
MIB, Washington, DC 20240; and
    (2) U.S. Department of the Interior, Office of the Secretary, 
Interior Business Center, 7301 W. Mansfield Avenue, MS D-2130, Denver, 
CO 80235-2300.
     (3) Portions of the data covered by this system are also 
maintained at other Department of the Interior locations, both Federal 
buildings and Federally-leased space, where staffed guard stations have 
been established in facilities that have installed a smart-card ID 
system, and/or paper-based physical security logs and registers, as 
well as the physical security office(s) of those locations. A list of 
these locations (as applicable to each bureau) is maintained by each 
bureau's Physical Security Manager, whose address is provided under 
item (2) in the System Manager(s) section below.

SYSTEM MANAGER(S):
    (1) Security Manager, Physical Security Office, Office of Law 
Enforcement and Security, Mail Stop 1324 MIB, 1849 C Street NW, 
Washington, DC 20240.
    (2) Bureau Physical Security Managers:
    (a) Bureau of Indian Affairs: Indian Affairs Homeland Security 
Coordinator, 1849 C Street NW, Mail Stop 4160 MIB, Washington, DC 
20240.
    (b) Bureau of Indian Education: Indian Affairs Homeland Security 
Coordinator, 1849 C Street NW, Mail Stop 4160 MIB, Washington, DC 
20240.
    (c) Bureau of Land Management: Chief Security and Intelligence, 
Bureau of Land Management, Office of Law Enforcement and Security, 20 M 
Street SE, Washington, DC 20036.
    (d) Bureau of Ocean Energy Management: Bureau of Ocean Energy 
Management physical security is managed by Security Specialist, Bureau 
of Safety and Environmental Enforcement, 45600 Woodland Road, Mail Stop 
VAE-MSD, Sterling, VA 20166.
    (e) Bureau of Reclamation: Reclamation Security Officer, Bureau of 
Reclamation, P.O. Box 25007, Denver, CO 80225.
    (f) Bureau of Safety and Environmental Enforcement: Security 
Specialist, Bureau of Safety and Environmental Enforcement, 45600 
Woodland Road, Mail Stop VAE-MSD, Sterling, VA 20166.
    (g) National Park Service: Law Enforcement, Security and Emergency 
Service Manager, National Park Service, Security and Intelligence 
Branch, 1201 I (Eye) Street NW, 10th Floor, Washington, DC 20005.
    (h) Office of Surface Mining, Reclamation and Enforcement: Security 
Officer, Office of Surface Mining, Reclamation and Enforcement, 1951 
Constitution Avenue NW, Mail Stop 344 SIB, Washington, DC 20240.
    (i) Office of Inspector General: Support Services Supervisor, 
Office of Inspector General, 12030 Sunrise Valley Drive, Suite 350, 
Mail Stop 5341, Reston, VA 20191.
    (j) Office of the Secretary/Interior Business Center Security 
Manager, Interior Business Center, Mail Stop 1224 MIB, 1849 C Street 
NW, Washington, DC 20240.
    (k) Office of the Solicitor: Director of Administrative Services, 
Division of Administration, Office of the Solicitor, 1849 C Street NW, 
Mail Stop 6556 MIB, Washington, DC 20240.
    (l) U.S. Fish and Wildlife Service: Security and Emergency Manager, 
U.S. Fish and Wildlife Service, 5275 Leesburg Pike, Falls Church, VA 
22041.
    (m) U.S. Geological Survey: Bureau Security Manager, U.S. 
Geological Survey, 250 National Center, 12201 Sunrise Valley Drive, 
Reston, VA 20192.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301; Federal Information Security Act (Pub. L. 104-106, 
section 5113); E-Government Act (Pub. L. 104-347, section 203); 
Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3521); Government 
Paperwork Elimination Act (44 U.S.C. 3504); Homeland Security 
Presidential Directive 12, Policy for a Common Identification Standard 
for Federal Employees and Contractors, August 27, 2004; Federal 
Property and Administrative Act of 1949, as amended; Intelligence 
Reform and Terrorism Prevention Act of 2004, Public Law 108-458, 
Section 3001 (50 U.S.C. 3341); Executive Order 9397; Executive Order 
12968; Federal Property Regulations, July 2002; and Presidential 
Memorandum on

[[Page 3408]]

Upgrading Security at Federal Facilities, June 28, 1995.

PURPOSE(S) OF THE SYSTEM:
    The primary purposes of the system are to manage physical security 
and access to DOI-controlled facilities and information systems, verify 
that all persons entering DOI facilities or other Federal Government 
facilities are authorized, and ensure the safety and security of DOI 
facilities and their occupants.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    (1) Individuals who require regular, ongoing access to Departmental 
facilities, including DOI employees, contractors, consultants, 
volunteers, Federal emergency response officials, Federal employees on 
detail or assigned to work at DOI facilities, students, interns, 
affiliates, and individuals formerly in any of these positions. The 
system also includes individuals authorized to perform or use services 
provided in DOI facilities (e.g., Credit Union, Fitness Center, 
Library, Indian Craft Shop, Museum, Child Care Center, etc.). Note: 
These individuals are required to have HSPD-12 compliant credentials 
issued by a certified USAccess credentialing center if they are 
employed by DOI for more than 180 days.
    (2) Individuals who have been issued HSPD-12 compliant credentials 
from other Federal agencies who require access to DOI facilities.
    (3) Federal government officials, visiting dignitaries, visitors, 
guests, and other individuals who require infrequent access to DOI 
facilities, including services provided in DOI facilities (e.g., Credit 
Union, Fitness Center, Library, Indian Craft Shop, Museum, Child Care 
Center, etc.).

CATEGORIES OF RECORDS IN THE SYSTEM:
    (1) Records maintained on individuals requiring regular access to 
DOI-controlled facilities and information systems, or who are issued 
HSPD-12 compliant credentials by DOI and by other Federal agencies, 
include the following data fields: Full name; Social Security number 
(SSN); date of birth; signature; digital image (photograph) and video; 
fingerprints; hair color; eye color; height; weight; home address; work 
address; email address; agency affiliation (e.g., employee, contractor, 
volunteer, etc.); telephone number; vehicle identification, license 
plate and state of issuance; personal identity verification (PIV) card 
issue and expiration dates; personal identification number (PIN); 
results of background investigation; PIV request form; PIV registrar 
approval signature; PIV card serial number; emergency responder 
designation; copies of ``I-9'' documents (e.g., driver's license, 
passport, birth certificate, etc.) used to verify identification or 
information derived from those documents such as document title, 
document issuing authority, document number, or document expiration 
date; level of national security clearance and expiration date; 
computer system user name; user access and permission rights; 
authentication certificates; digital signature information; and date, 
time, and location of entry and exit.
    (2) Records maintained on visitors, guests, and other individuals 
who require infrequent access to DOI facilities include the following 
data fields: Full name; signature; image, including photograph and 
video; SSN or other identification number such as driver's license 
number, ``Green Card'' number, Visa number, etc.; images of relevant ID 
document(s); U.S. Citizenship (yes or no/logical data field); vehicle 
identification and license plate; date, time, and location of entry and 
exit; purpose for entry; agency point of contact; company name; 
security access category; and access status.
    (3) Records related to DOI physical security program management and 
operations include facility access logs; visitor logs; closed circuit 
television (CCTV) recordings; information pertaining to incidents, 
offenses, or suspected security violations; statements, affidavits, and 
correspondence related to potential security violations or incidents; 
reports of investigations, security violations or remedial actions; 
referrals to law enforcement organizations; investigations or records 
related to security details or events involving DOI officials or 
visiting dignitaries; and information obtained from another system or 
agency related to providing protective services to the President of the 
United States or other individuals pursuant to 18 U.S.C. 3056. These 
records may include: Full name; SSN; driver's license number, ``Green 
Card'' number, Visa number, or other documents used to verify 
identification; date of birth; digital image, including photograph or 
video; fingerprints; hair color; eye color; height; weight; home or 
work address; email address; agency affiliation; telephone number; 
vehicle identification, license plate and state of issuance; PIV card 
number and dates; information related to background investigation and 
security clearance; computer system user name; date, time, and location 
of entry and exit; purpose for entry; any other information identified 
above for regular or infrequent access to DOI-controlled facilities and 
information systems; and information related to potential security 
violations and incidents occurring on DOI-controlled facilities.

RECORD SOURCE CATEGORIES:
    Information is obtained from individuals covered by the system, 
supervisors, and designated approving officials, as well as records 
supplied by DOI's identity management system, other Federal agencies 
issuing HSPD-12 compliant cards, and HSPD-12 compliant cards carried by 
individuals seeking access to Departmental and other Federal facilities 
occupied by agency employees.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information maintained in this system may be disclosed to authorized 
entities outside DOI for purposes determined to be relevant and 
necessary as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. To the Department of Justice (DOJ), including Offices of the 
U.S. Attorneys, or other Federal agency conducting litigation, or in 
proceedings before any court, adjudicative, or administrative body, 
when it is relevant or necessary to the litigation and one of the 
following is a party to the litigation or has an interest in such 
litigation:
    (1) DOI or any component of DOI;
    (2) Any other Federal agency appearing before the Office of 
Hearings and Appeals;
    (3) Any DOI employee or former employee acting in his or her 
official capacity;
    (4) Any DOI employee or former employee acting in his or her 
individual capacity when DOI or DOJ has agreed to represent that 
employee or pay for private representation of the employee; or
    (5) The United States Government or any agency thereof, when DOJ 
determines that DOI is likely to be affected by the proceeding.
    B. To a congressional office when requesting information on behalf 
of, and at the request of, the individual who is the subject of the 
record.
    C. To the Executive Office of the President in response to an 
inquiry from that office made at the request of the subject of a record 
or a third party on that person's behalf, or for a purpose

[[Page 3409]]

compatible with the reason for which the records are collected or 
maintained.
    D. To any criminal, civil, or regulatory law enforcement authority 
(whether Federal, state, territorial, local, tribal or foreign) when a 
record, either alone or in conjunction with other information, 
indicates a violation or potential violation of law--criminal, civil, 
or regulatory in nature, and the disclosure is compatible with the 
purpose for which the records were compiled.
    E. To an official of another Federal agency to provide information 
needed in the performance of official duties related to reconciling or 
reconstructing data files or to enable that agency to respond to an 
inquiry by the individual to whom the record pertains.
    F. To Federal, state, territorial, local, tribal, or foreign 
agencies that have requested information relevant or necessary to the 
hiring, firing or retention of an employee or contractor, or the 
issuance of a security clearance, license, contract, grant or other 
benefit, when the disclosure is compatible with the purpose for which 
the records were compiled.
    G. To representatives of the National Archives and Records 
Administration (NARA) to conduct records management inspections under 
the authority of 44 U.S.C. 2904 and 2906.
    H. To state, territorial and local governments and tribal 
organizations to provide information needed in response to court order 
and/or discovery purposes related to litigation, when the disclosure is 
compatible with the purpose for which the records were compiled.
    I. To an expert, consultant, or contractor (including employees of 
the contractor) of DOI that performs services requiring access to these 
records on DOI's behalf to carry out the purposes of the system.
    J. To appropriate agencies, entities, and persons when:
    (1) DOI suspects or has confirmed that there has been a breach of 
the system of records;
    (2) DOI has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, DOI (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and
    (3) the disclosure made to such agencies, entities and persons is 
reasonably necessary to assist in connection with DOI's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.
    K. To another Federal agency or Federal entity, when DOI determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in:
    (1) Responding to a suspected or confirmed breach; or
    (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    L. To the Office of Management and Budget (OMB) during the 
coordination and clearance process in connection with legislative 
affairs as mandated by OMB Circular A-19.
    M. To the Department of the Treasury to recover debts owed to the 
United States.
    N. To the news media and the public, with the approval of the 
Public Affairs Officer in consultation with counsel and the Senior 
Agency Official for Privacy, when a matter has become public knowledge, 
when it is necessary to preserve the confidence in the integrity of DOI 
or is necessary to demonstrate the accountability of its officers, 
employees, or individuals covered in the system, or where there exists 
a legitimate public interest in the disclosure of the information, such 
as circumstances where providing information supports a legitimate law 
enforcement or public safety function, or protects the public from 
imminent threat of life or property, except to the extent it is 
determined that release of the specific information in the context of a 
particular case would constitute an unwarranted invasion of personal 
privacy.
    O. To the Federal Protective Service and appropriate Federal, 
state, local or foreign agencies responsible for investigating 
emergency response situations or investigating or prosecuting the 
violation of or for enforcing or implementing a statute, rule, 
regulation, order or license, when DOI becomes aware of a violation or 
potential violation of a statute, rule, regulation, order or license.
    P. To another agency with a similar HSPD-12 (PIV/smart-card) system 
when a person with identification credentials issued by the Department 
desires access to that agency's facilities.
    Q. To another agency with a similar HSPD-12 (PIV/smart-card) system 
when it controls access to facilities occupied by the agency.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    None.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Paper records are contained in file folders stored within filing 
cabinets in secured rooms. Electronic records are contained in 
computers, compact discs, computer tapes, removable drives, email, 
diskettes, and electronic databases.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by name; SSN; image; organization/office 
of assignment; date, time or location of entry or exit; ID security 
card number or date; or other personal identifier listed in the 
Category of Records section of this notice.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records covered by this system are retained in accordance with 
General Records Schedule (GRS) 5.6, Security Records, which cover 
records about protecting an organization's personnel, assets, and 
facilities. These records generally have a temporary disposition, and 
retention schedules vary on the type of record and needs of the agency. 
Records related to visitor controls files are destroyed two years after 
final entry or ID security card expiration date. Records related to 
physical security and protection of facilities, including 
correspondence relating to administration and operations, and some 
investigative files are destroyed when two years old. See specific 
items under GRS 5.6 for retention periods. Retention periods for 
security violation files relating to investigations referred to 
administrative or law enforcement organizations may vary depending on 
the subject matter, legal requirements and Departmental policy. 
Approved disposition methods for temporary records include shredding or 
pulping paper records, and erasing or degaussing electronic records in 
accordance with 384 Departmental Manual 1 and NARA guidelines.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    The records contained in this system are safeguarded in accordance 
with 43 CFR 2.226 and other applicable security and privacy rules and 
policies. During normal hours of operation, paper records are 
maintained in locked file cabinets under the control of authorized 
personnel. Computer servers on which electronic records are stored are 
located in secured DOI facilities with physical, technical and 
administrative levels of security to prevent unauthorized access to the 
DOI network and information assets. Access granted to authorized

[[Page 3410]]

personnel and individuals at guard stations is password-protected; each 
person granted access to the system at guard stations must be 
individually authorized to use the system. A Privacy Act Warning Notice 
appears on the monitor screen when records containing information on 
individuals are first displayed. Data exchanged between the servers and 
the systems at the guard stations and badging office are encrypted. 
Backup tapes are stored in a locked and controlled room in a secure, 
off-site location.
    Computerized records systems follow the National Institute of 
Standards and Technology privacy and security standards as developed to 
comply with the Privacy Act of 1974, 5 U.S.C. 552a; Paperwork Reduction 
Act of 1995, 44 U.S.C. 3501-3521; Federal Information Security 
Modernization Act of 2014, 44 U.S.C. 3551-3558; and the Federal 
Information Processing Standards 199: Standards for Security 
Categorization of Federal Information and Information Systems. Security 
controls include user identification, passwords, database permissions, 
encryption, firewalls, audit logs, and network system security 
monitoring, and software controls.
    Access to records in the system is limited to authorized personnel 
who have a need to access the records in the performance of their 
official duties, and each user's access is restricted to only the 
functions and data necessary to perform that person's job 
responsibilities. System administrators and authorized users are 
trained and required to follow established internal security protocols 
and must complete all security, privacy, and records management 
training and sign the DOI Rules of Behavior. A Privacy Impact 
Assessment was completed on the PACS system to ensure that Privacy Act 
requirements are met and appropriate privacy controls were implemented 
to safeguard personally identifiable information.

RECORD ACCESS PROCEDURES:
    An individual requesting records on himself or herself should send 
a signed, written inquiry to the applicable System Manager as 
identified above. The request must include the requester's bureau and 
office affiliation and the address of the facility to which the 
requester needed access to facilitate location of the applicable 
records. The request envelope and letter should both be clearly marked 
``PRIVACY ACT REQUEST FOR ACCESS.'' A request for access must meet the 
requirements of 43 CFR 2.238.

CONTESTING RECORD PROCEDURES:
    An individual requesting corrections or the removal of material 
from his or her records should send a signed, written request to the 
applicable System Manager as identified above. The request must include 
the requester's bureau and office affiliation and the address of the 
facility to which the requester needed access to facilitate location of 
the applicable records. A request for corrections or removal must meet 
the requirements of 43 CFR 2.246.

NOTIFICATION PROCEDURE:
    An individual requesting notification of the existence of records 
on himself or herself should send a signed, written inquiry to the 
applicable System Manager as identified above. The request must include 
the requester's bureau and office affiliation and the address of the 
facility to which the requester needed access to facilitate location of 
the applicable records. The request envelope and letter should both be 
clearly marked ``PRIVACY ACT INQUIRY.'' A request for notification must 
meet the requirements of 43 CFR 2.235.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    This system contains investigatory records related to law 
enforcement and counterintelligence activities that are exempt from 
certain provisions of the Privacy Act, 5 U.S.C. 552a(k)(2), (k)(3), and 
(k)(5). Pursuant to the Privacy Act, 5 U.S.C. 552a(k)(2), (k)(3), and 
(k)(5), the Department of the Interior has exempted portions of this 
system from the following subsections of the Privacy Act: (c)(3), (d), 
(e)(1), (e)(4)(G) through (e)(4)(I), and (f). In accordance with 5 
U.S.C. 553(b), (c) and (e), the Department of the Interior has 
promulgated rules at 43 CFR Part 2, Subpart K, and is proposing to 
amend these rules in a Notice of Proposed Rulemaking, which was 
published separately in today's Federal Register.

HISTORY:
    72 FR 11043 (March 12, 2007).

Teri Barnett,
Departmental Privacy Officer, Department of the Interior.
[FR Doc. 2020-00355 Filed 1-17-20; 8:45 am]
 BILLING CODE 4334-63-P