[Federal Register Volume 86, Number 211 (Thursday, November 4, 2021)] [Notices] [Pages 60900-60905] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2021-24024] ----------------------------------------------------------------------- DEPARTMENT OF THE INTERIOR Office of the Secretary [DOI-2021-0011; 22XD4523WS, DWSN00000.000000, DS64800000, DP64803] Privacy Act of 1974; System of Records AGENCY: Office of the Secretary, Interior. ACTION: Notice of a new system of records. ----------------------------------------------------------------------- SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, as amended, the Department of the Interior (DOI) is issuing a public notice of its intent to create a new Privacy Act system of records titled, ``INTERIOR/DOI-92, Public Health Emergency Response Records.'' This system of records notice (SORN) describes DOI's collection, maintenance, and use of records on individuals associated with DOI efforts to respond to the Coronavirus Disease 2019 (COVID-19), a declared public health emergency, and protect the health and safety of its workforce and members of the public. This newly established system will be included in DOI's inventory of record systems. DATES: This new system will be effective upon publication. New routine uses will be effective December 6, 2021. Submit comments on or before December 6, 2021. ADDRESSES: You may send comments identified by docket number [DOI-2021- 0011] by any of the following methods:Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for sending comments. Email: [email protected]. Include docket number [DOI-2021-0011] in the subject line of the message. U.S. mail or hand-delivery: Teri Barnett, Departmental Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, Room 7112, Washington, DC 20240. Instructions: All submissions received must include the agency name and docket number [DOI-2021-0011]. All comments received will be posted without change to https://www.regulations.gov, including any personal information provided. Docket: For access to the docket to read background documents or comments received, go to https://www.regulations.gov. FOR FURTHER INFORMATION CONTACT: Teri Barnett, Departmental Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, Washington, DC 20240, [email protected] or 202-208-1605. SUPPLEMENTARY INFORMATION: I. Background The DOI Office of Occupational Safety and Health (OSH) is establishing a new Department-wide system of records, INTERIOR/DOI-92, Public Health Emergency Response Records. This system will help DOI manage records related to DOI's response to the COVID-19 public health emergency and future high consequence public health threats, support emergency or medically related decisions affecting DOI personnel, and ensure the health and safety of the various categories of personnel, contractors, grantees, detailees, volunteers, interns, long-term trainees, and visitors at DOI owned, operated, leased or managed facilities or properties. This system supports DOI's COVID-19 vaccination and testing program as required by Executive Orders 14043 and 14042; Office of Management and Budget (OMB) Memorandums M-21-15 and M-21-25; COVID-19 Workplace Safety: Agency Model Safety Principles issued by the Federal Safer Federal Workforce Task Force; and other applicable law and policy. Federal labor, employment and workforce health and safety laws that govern the collection, dissemination, and retention of DOI employees' medical information include the Americans with Disability Act (ADA), the Rehabilitation Act of 1973 (Rehab Act), and the Occupational Safety and Health Act of 1970. The Department of Health and Human Services (HHS) Secretary may, under section 319 of the Public Health Service (PHS) Act codified at 42 U.S.C 247d, declare that: (a) A disease or disorder presents a public health emergency; or (b) that a public health emergency, including significant outbreaks of infectious disease or bioterrorist attacks, otherwise exists. The Occupational Safety and Health Act (OSHA) of 1970, Public Law 91-596, 29 U.S.C. 668, Section 19(a) requires the head of each Federal agency to establish and maintain an effective and comprehensive occupational safety and health program and safe and healthful places and conditions of employment, and to keep adequate records of all occupational accidents and illnesses for proper evaluation and necessary corrective action. OSHA also requires that Federal agencies maintain an injury and illness prevention program, which is a proactive process designed to reduce injuries, illnesses, and fatalities. State governors also have the authority to declare public health emergencies by executive order or other declaration. State declared public health emergencies could also involve a significant risk of substantial harm to DOI personnel or visitors at DOI buildings, facilities and events. Executive Order 14043, Requiring Coronavirus Disease 2019 Vaccination for Federal Employees, signed September 9, 2021, establishes mandatory requirements for Federal executive agencies to implement a program to require COVID-19 vaccinations for Federal employees, with some exceptions as required by law. Additionally, Executive Order 14042, Ensuring Adequate COVID Safety Protocols for Federal Contractors, signed September 9, 2021, establishes requirements for Federal executive agencies to implement workplace safety protocols for contractors and subcontractors to protect the health and safety of the Federal workforce and members of the public. DOI is implementing these requirements to ensure the safety of its workforce and visitors to its facilities and sponsored events. DOI will collect and maintain information within the scope of this system of records when it is determined that it is authorized and necessary to meet Federal requirements and respond to a declared public health emergency. To make this determination, DOI will evaluate the privacy risks for the collection of information, who the information pertains to, how the information is used and shared, the actions needed to protect individuals and respond to the public health emergency, and the laws that may apply, including the U.S. Constitution, Executive orders, Federal privacy laws, Federal labor and employment laws, and Federal workforce health and safety laws. DOI will only collect the minimum information necessary to respond to COVID-19, or future high consequence [[Page 60901]] public health threat, and comply with Federal workforce safety requirements, when DOI determines that a significant risk of substantial harm exists to individuals working at or visiting a DOI controlled facility, or attending a DOI sponsored event in a non-DOI controlled facility. These circumstances may include mitigation response activities in response to: (1) An Executive order or mandate or health related declaration of a national emergency by the President; (2) a declared public health emergency by the HHS Secretary; (3) when designated Federal or state officials make a declaration or official determination that a public health emergency exists; or (4) when DOI determines that a significant risk of substantial harm exists to the health of DOI personnel or visitors and it is necessary to ensure their health and safety in accordance with the Centers for Disease Control and Prevention (CDC) and other Federal and local guidance on communicable disease. DOI's responsibilities for ensuring a safe workforce and secure buildings and workspaces depend on the nature and circumstances of the public health emergency. In order to meet requirements for workforce safety and the Federal government-wide COVID-19 response, DOI must collect information on its workforce related to the COVID-19 disease to protect its workforce and customers. DOI will make all efforts to minimize the collection of information to the greatest extent possible to protect individual privacy and will only share information when authorized by the subject individuals or when authorized or required by law. Records may include personally identifiable information of individuals who have: (1) Contracted or may have been exposed to a suspected or confirmed disease or illness that is the subject of a declared public health emergency; (2) attested to their vaccination status or are required to participate in a vaccination program; or (3) are required to participate in a testing program or have undergone testing for a disease or illness that is the subject of a declared public health emergency or a Federal, state, or local public health order. Records on individuals may include circumstances and dates of suspected exposure; symptoms, referrals and results of screening or treatments; health status information; and related medical information such as vaccination records and results of testing for disease or illness. DOI may also collect location and dates of potential exposure, information related to employee requests for reasonable accommodation, and other information that may be relevant or required for DOI to comply with Federal guidelines and prevent or slow the spread of the COVID-19 disease and mitigate health impacts to DOI personnel, visitors, and other individuals at DOI controlled facilities and sponsored events. DOI is establishing a screening testing program for SARS-CoV-2, the virus that causes COVID-19, in limited circumstances to test personnel who work onsite and who are not fully vaccinated and have requested a legal exception under the law for reasonable accommodations due to medical reasons or religious belief. The purpose of the testing is to identify asymptomatic or presymptomatic infected individuals who may have been exposed to the SARS-CoV-2 virus to protect the health and safety of individuals in DOI buildings, facilities, and events. Employees who are fully vaccinated generally do not need to participate in the testing program. An employee's failure to comply with vaccination or testing requirements may result in disciplinary action, including an adverse action. However, records of proposed disciplinary actions are maintained in other employee personnel records under a separate SORN and will not be maintained in this system of records. Federal civilian employee medical records are covered by a government-wide Privacy Act SORN published by the Office of Personnel Management (OPM), OPM/GOVT-10, Employee Medical File System Records (75 FR 35099, June 21, 2010; modification published at 80 FR 74815, November 30, 2015). These Federal employee confidential medical records are managed in accordance with OPM regulations at 5 CFR part 293, the OPM/GOVT-10 SORN, and its published routine uses. The OPM/GOVT-10 SORN covers Federal civilians that are identified under Title 5 U.S.C. chapter 21. The majority of DOI Federal employees fall under Title 5 and their medical records are covered by the OPM/GOVT-10 SORN and must be managed in accordance with that SORN and applicable OPM regulations. This DOI-92 notice covers DOI employees and individuals that do not fall under Title 5 and OPM's personnel recordkeeping authority and thus are not covered by the OPM/GOVT-10 SORN. This includes DOI workers, such as Title 25 Indian education personnel and any other DOI workers, to the extent they are not Federal employees as defined under 5 U.S.C. 2105 or are not subject to OPM regulations. This system may also include information collected or maintained on DOI personnel, contractors, partners, detailees, volunteers, interns, long-term trainees, and visitors at or on facilities, buildings, grounds, and properties that are owned, operated, leased, managed or used by DOI, or DOI sponsored meetings and events. The information collected is required to conduct health screening for COVID-19 or other high consequence public health threat, and will be used to prevent the spread of disease and reduce the risk of individuals with symptoms of a communicable disease entering a DOI building, facility, or DOI hosted event. As part of health screening efforts, DOI may be required to monitor symptoms to identify persons who may have been exposed to communicable disease, or identify and notify personnel or visitors who were present in a DOI building, facility or event that may have had physical contact with or come into close proximity with individuals who were infected or had symptoms of infection with a communicable disease. Information in this system may be shared with other DOI bureaus and offices that have a need to know to carry out their mission-essential functions, when it is determined that the sharing is authorized under applicable laws and DOI policy and it is necessary to allow DOI to manage a vaccination and testing program and respond to a declared public health emergency. To the extent permitted by law, DOI may also share information with appropriate Federal, state, local, tribal, territorial, foreign, or international government agencies when authorized and compatible with the purpose of this system, or when proper and necessary, consistent with the routine uses set forth in this system of records notice. II. Privacy Act The Privacy Act of 1974, as amended, embodies fair information practice principles in a statutory framework governing the means by which Federal agencies collect, maintain, use, and disseminate individuals' records. The Privacy Act applies to records about individuals that are maintained in a ``system of records.'' A ``system of records'' is a group of any records under the control of an agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual. The Privacy Act defines an individual as a United States citizen or lawful permanent resident. Individuals may request access to their own records that are maintained in a system of records in [[Page 60902]] the possession or under the control of DOI by complying with DOI Privacy Act regulations at 43 CFR part 2, subpart K, and following the procedures outlined in the Records Access, Contesting Record, and Notification Procedures sections of this notice. The Privacy Act requires each agency to publish in the Federal Register a description denoting the existence and character of each system of records that the agency maintains and the routine uses of each system. The INTERIOR/DOI-92, Public Health Emergency Response Records, SORN is published in its entirety below. In accordance with 5 U.S.C. 552a(r), DOI has provided a report of this system of records to the Office of Management and Budget and to Congress. III. Public Participation You should be aware your entire comment including your personally identifiable information, such as your address, phone number, email address, or any other personal information in your comment, may be made publicly available at any time. While you may request to withhold your personally identifiable information from public review, we cannot guarantee we will be able to do so. SYSTEM NAME AND NUMBER: INTERIOR/DOI-92, Public Health Emergency Response Records. SECURITY CLASSIFICATION: Unclassified. SYSTEM LOCATION: Records are maintained by the Office of Occupational Safety and Health, U.S. Department of the Interior, 1849 C Street NW, Washington, DC 20240; all DOI bureaus and offices in Washington, DC, and in field locations; and DOI contractor facilities. SYSTEM MANAGER(S): Director, Office of Occupational Safety and Health, U.S. Department of the Interior, 1849 C Street NW, Office 4316, Mail Stop 4310, Washington, DC 20240. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 5 U.S.C. 301; Section 319 of the Public Health Service (PHS) Act (42 U.S.C. 247d); 40 U.S.C. 1315; Coronavirus Aid, Relief, and Economic Security (CARES) Act, Public Law 116-136, Div. B., Title VIII, sec. 18115, 134 Stat. 574 (codified in 42 U.S.C. 274d note); Americans with Disabilities Act, 42 U.S.C. 12112, 29 CFR 1602.14, 1630.14; the Rehabilitation Act of 1973 (Rehab Act), 29 U.S.C. 701 et seq.; Medical Examinations for Fitness for Duty Requirements, including 5 CFR part 339; the Occupational Safety and Health Act of 1970, 29 U.S.C. Chapter 15, 29 CFR part 1904, 29 CFR 1910.1020, and 29 CFR 1960.66; Executive Order 13991; Executive Order 13994; Executive Order 14042; Executive Order 14043; Executive Order 12196; 5 U.S.C. 7902; 25 U.S.C. 2012, Indian Education Personnel; 25 CFR chapter I, subchapter E, Education; Section 2 of the Reorganization Plan No. 3 of 1950 (64 Stat. 1262). PURPOSE(S) OF THE SYSTEM: The purpose of this system is to maintain records related to DOI's response to the COVID-19 public health emergency or other high- consequence public health threat, to mange a workplace health screening and vaccination program, and document results of screening and diagnostic testing to protect the Federal workforce and stop or reduce the spread of infectious disease or illness. This system will be used to: (1) Comply with Executive orders, Federal Government and OSHA requirements; (2) Manage records as part of the COVID-19 vaccination requirement including confirming vaccination status and maintaining proof of vaccination; (3) Manage records related to a testing program including overseeing preventative testing to test personnel working onsite who are not fully vaccinated, and to permit entry to DOI managed or controlled facilities and events to meet Federal requirements and fulfill DOI's responsibilities to the extent permitted by law; (4) Conduct screening and testing for select circumstances such as employees who have a need to physically enter another Federal facility or workspace for official DOI business; (5) Conduct screening and testing for employees on official travel to meet local requirements where testing is a condition for entry, or for employees on official travel returning from an area of high risk of exposure as a condition of entry to a DOI facility; (6) Document reports of illness or communicable disease that are the subject of a declaration of public health emergency by HHS or designated state officials that may pose a significant risk of substantial harm to the health of DOI personnel and visitors; (7) Identify and provide notifications to personnel and visitors who may have been exposed to individuals while working onsite or visiting DOI buildings, facilities or events; (8) Inform Federal, state or local public health authorities as necessary to protect public health as allowed or when required by law; and (9) Take appropriate actions as necessary to prevent the introduction, transmission, and spread of communicable disease by persons who have contracted or were exposed to such a disease and came in close physical proximity to or had physical contact with other persons while working in or visiting a DOI facility or event. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: DOI personnel, including non-Title 5 employees, contractors, detailees, interns, volunteers, long-term trainees; DOI partners and employees and detailees from other Federal agencies; visitors or participants at DOI managed meetings, events and conferences; visitors or individuals who participate in health screening at DOI owned, operated, managed, or leased buildings and facilities; and visitors or individuals who are suspected or confirmed to have a disease or illness that is the subject of a declared public health emergency, or may have been exposed to someone who is suspected or confirmed to have a disease or illness that is the subject of a declared public health emergency. CATEGORIES OF RECORDS IN THE SYSTEM: Information collected for health screening includes contact information, vaccination and testing program related information, medical reports and assessments, and other related information that may be required. This information may include but is not limited to: Full name; Address; Bureau, office, organization, duty location, facility, work site, and specific work space(s) accessed; Official contact information; Work or personal phone number(s); Work or personal email address(es); Employee's supervisor name, address, and contact information; Contractor's supervisor/contracting officer representative name, address, and contact information; Date(s) and time(s) of entrance and exit from DOI buildings, facilities, workspaces, or events; Date(s) and/or circumstances of the individual's suspected or actual exposure to disease or illness including symptoms, as well as locations within DOI workplaces where an individual may have contracted or been exposed to the disease or illness; Names and contact information of other personnel or visitors that the individual interacted with at or on a DOI workspace, facility, or grounds [[Page 60903]] during the time the individual was suspected to or had contracted the disease or illness; Current work status of the individual (e.g., administrative leave, sick leave, teleworking, in the office); Vaccination status, dates of vaccination, type of vaccine, and proof of vaccination including copies of COVID-19 Vaccination Record Card, a copy of medical records documenting vaccination, a copy of immunization records, or other official documentation containing information on vaccination; Medical screening information including name, date of birth, age, medical status medical history, and other information that may be required; Information directly related to screening and testing for disease or illness including but not limited to testing status, date and location of testing, test type, test results, disease type, symptoms, treatments; Dates and source of exposure, and recent dates and DOI locations and workspaces visited; and Other information that may be relevant and necessary to achieve the purpose of health screening or the vaccination and testing program. For other agency Federal employees, detailees, partners, non-DOI contractors, visitors and members of the public at or on DOI owned, operated, leased or managed buildings, facilities, and events, the following information may be collected: Full name; Preferred phone number(s); Preferred email address(es); Name(s) and contact information for DOI personnel sponsoring visitors or participants at meetings or conferences or meetings in or at DOI workspaces, facilities, buildings, parks and grounds; Name(s) of individuals encountered while in or at DOI workspaces, facilities, buildings, parks and grounds; Information directly related to screening and testing for disease or illness including but not limited to date of testing, frequency of testing, test results, symptoms, treatments; Dates and source of exposure, and recent dates and DOI locations and workspaces visited; Vaccination status, including fully vaccinated, not vaccinated, or decline to provide status; and Date(s) and time(s) of entrance and exit from DOI buildings, facilities, or events, or other related information. Information on entry and exit from DOI buildings may be obtained from the INTERIOR/DOI-46, Physical Security Access Files, system when relevant and necessary to achieve the purpose of this SORN. This system may also include records on individuals created, collected or required to be reported to health officials in accordance with the requirements of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which requires laboratories that perform or analyze a test that is intended to detect or to diagnose a possible case of COVID-19 to report the result of that testing to public health officials. This information includes: Full Name; Address; and Test results. RECORD SOURCE CATEGORIES: Records are obtained from DOI personnel, partners, other Federal agency employees, and individuals who provide relevant information on vaccination, testing or exposure to COVID-19 or other high-consequence public health threat; visitors at DOI owned, operated, leased or managed buildings, facilities or events; their family members or other potential source of exposure to COVID-19 or other high-consequence public health threat; DOI, bureau, and office records including other systems of records; contractors or service providers performing testing, screening or related services; other Federal or state agencies, public health organizations, or physicians with consent of the subject individual or when authorized by law; employers and other entities and individuals who may provide relevant information on a suspected or confirmed disease or illness that is the subject of a declared public health emergency. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside DOI as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows: A. To the Department of Justice (DOJ), including Offices of the U.S. Attorneys, or other Federal agency conducting litigation or in proceedings before any court, adjudicative, or administrative body, when it is relevant or necessary to the litigation and one of the following is a party to the litigation or has an interest in such litigation: (1) DOI or any component of DOI; (2) Any other Federal agency appearing before the Office of Hearings and Appeals; (3) Any DOI employee or former employee acting in his or her official capacity; (4) Any DOI employee or former employee acting in his or her individual capacity when DOI or DOJ has agreed to represent that employee or pay for private representation of the employee; or (5) The United States Government or any agency thereof, when DOJ determines that DOI is likely to be affected by the proceeding. B. To a congressional office when requesting information on behalf of, and at the request of, the individual who is the subject of the record. C. To the Executive Office of the President in response to an inquiry from that office made at the request of the subject of a record or a third party on that person's behalf, or for a purpose compatible with the reason for which the records are collected or maintained. D. To any criminal, civil, or regulatory law enforcement authority (whether Federal, state, territorial, local, tribal or foreign) when a record, either alone or in conjunction with other information, indicates a violation or potential violation of law--criminal, civil, or regulatory in nature, and the disclosure is compatible with the purpose for which the records were compiled. E. To an official of another Federal agency to provide information needed in the performance of official duties related to reconciling or reconstructing data files or to enable that agency to respond to an inquiry by the individual to whom the record pertains. F. To Federal, state, territorial, local, tribal, or foreign agencies that have requested information relevant or necessary to the hiring, firing or retention of an employee or contractor, or the issuance of a security clearance, license, contract, grant or other benefit, when the disclosure is compatible with the purpose for which the records were compiled. G. To representatives of the National Archives and Records Administration (NARA) to conduct records management inspections under the authority of 44 U.S.C. 2904 and 2906. H. To state, territorial and local governments and tribal organizations to provide information needed in response to court order and/or discovery purposes related to litigation, when the disclosure is compatible with the purpose for which the records were compiled. I. To an expert, consultant, grantee, or contractor (including employees of the contractor) of DOI that performs services requiring access to these records on [[Page 60904]] DOI's behalf to carry out the purposes of the system. J. To appropriate agencies, entities, and persons when: (1) DOI suspects or has confirmed that there has been a breach of the system of records; (2) DOI has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, DOI (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with DOI's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. K. To another Federal agency or Federal entity, when DOI determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in: (1) Responding to a suspected or confirmed breach; or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. L. To the Office of Management and Budget (OMB) during the coordination and clearance process in connection with legislative affairs as mandated by OMB Circular A-19. M. To the Department of the Treasury to recover debts owed to the United States. N. To the news media and the public, with the approval of the Public Affairs Officer in consultation with counsel and the Senior Agency Official for Privacy, where there exists a legitimate public interest in the disclosure of the information, except to the extent it is determined that release of the specific information in the context of a particular case would constitute an unwarranted invasion of personal privacy. O. To appropriate Federal, state, local, tribal, or foreign governmental agencies or multilateral governmental organizations, to the extent permitted by law, and in consultation with legal counsel, for the purpose of protecting the vital interests of a data subject or other persons, including to assist such agencies or organizations in preventing exposure to or transmission of a communicable or quarantinable disease or to combat other significant public health threats. P. To Federal agencies such as the Health and Human Services (HHS), State and local health departments, and other public health or cooperating medical authorities in connection with program activities and related collaborative efforts to deal more effectively with exposures to communicable diseases, and to satisfy mandatory reporting requirements when applicable. Q. To missing person or location organizations where DOI does not have sufficient contact information to the extent necessary to obtain information to aid in locating persons who were possibly exposed or exposed others to a communicable disease at a DOI facility. R. To a contractor or shared service provider conducting health screening, testing or notification activities on behalf of DOI, to help DOI manage vaccination and testing program records and procedures, and implementation of health screening, testing, and contact tracing. DISCLOSURE TO CONSUMER REPORTING AGENCIES: None. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Electronic records are stored in secure facilities. Confidential employee records are maintained with appropriate administrative, physical and technical controls to protect individual privacy. Paper records are contained in file folders stored in file cabinets in secure office locations. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: Records may be retrieved by any of the categories of records, including name, location, date of exposure, or work status. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: In accordance with the ADA and the Rehabilitation Act, information in this system must be maintained as confidential medical records, on separate forms and in separate medical files (42 U.S.C. 12112(d)(3)(B); 42 U.S.C. sec 2000ff-5(a); 29 CFR 1630.14(b)(1), (c)(1), (d)(4)(i); and 29 CFR 1635.9(a)). Therefore, these records must be stored separately from other personnel records and must be maintained for at least one year from creation date (29 CFR 1602.14). Records in this system are maintained in accordance with the NARA General Records Schedule (GRS) 2.7, Item 060, Occupational individual medical case files, which covers OSHA medical records and medical surveillance records that include personal and occupational health histories. The disposition is temporary. Short-term records are destroyed one year after employee separation or transfer (DAA-GRS-2017- 0010-0010). Long-term records are destroyed 30 years after employee separation or when the employee's Official Personnel Folder is destroyed, whichever is longer (DAA-GRS-2017-0010-0009). Visitor processing records are covered by GRS 5.6, Items 110 and 111, and must be destroyed when either two or five years old, depending on security level, but may be retained longer if required for business use, pursuant to DAA-GRS-2017-0006-0014 and -0015. Approved destruction methods for temporary records that have met their retention period include shredding or pulping paper records, and erasing or degaussing electronic records in accordance with DOI policy and NARA guidelines. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: Records contained in this system are safeguarded in accordance with 43 CFR 2.226 and other applicable security and privacy rules and policies. During normal hours of operation, paper records are maintained in locked file cabinets under the control of authorized personnel. Computer servers on which electronic records are stored are located in secured DOI controlled facilities with physical, technical and administrative levels of security to prevent unauthorized access to the DOI network and information assets. Access is only granted to authorized personnel and each person granted access to the system must be individually authorized to use the system. A Privacy Act Warning Notice appears on computer monitor screens when records containing information on individuals are first displayed. Data exchanged between the servers and the system is encrypted. Backup tapes are encrypted and stored in a locked and controlled room in a secure, off-site location. Computerized records systems follow the National Institute of Standards and Technology privacy and security standards as developed to comply with the Privacy Act of 1974, as amended, 5 U.S.C. 552a; Paperwork Reduction Act of 1995, 44 U.S.C. 3501-3521 et seq.; Federal Information Security Modernization Act of 2014, 44 U.S.C. 3551 et seq.; and the Federal Information Processing Standards 199: Standards for Security Categorization of Federal Information and Information Systems. Security controls include user identification, multi-factor [[Page 60905]] authentication, database permissions, encryption, firewalls, audit logs, and network system security monitoring, and software controls. Access to records in the system is limited to authorized personnel who have a need to access the records in the performance of their official duties, and each user's access is restricted to only the functions and data necessary to perform that person's job responsibilities. System administrators and authorized users are trained and required to follow established internal security protocols and must complete all security, privacy, and records management training and sign the DOI Rules of Behavior. DOI has conducted privacy impact assessments on the collection of information for the vaccination program and the supporting IT system to identify and evaluate potential privacy risks and ensure appropriate safeguards are implemented to protect privacy. RECORD ACCESS PROCEDURES: An individual requesting records on himself or herself should send a signed, written inquiry to the System Manager identified above. The request must include the specific bureau or office that maintains the record to facilitate location of the applicable records. The request envelope and letter should both be clearly marked ``PRIVACY ACT REQUEST FOR ACCESS.'' A request for access must meet the requirements of 43 CFR 2.238. CONTESTING RECORD PROCEDURES: An individual requesting corrections or the removal of material from his or her records should send a signed, written request to the System Manager identified above. The request must include the specific bureau or office that maintains the record to facilitate location of the applicable records. A request for corrections or removal must meet the requirements of 43 CFR 2.246. NOTIFICATION PROCEDURES: An individual requesting notification of the existence of records on himself or herself should send a signed, written inquiry to the System Manager identified above. The request must include the specific bureau or office that maintains the record to facilitate location of the applicable records. The request envelope and letter should both be clearly marked ``PRIVACY ACT INQUIRY.'' A request for notification must meet the requirements of 43 CFR 2.235. EXEMPTIONS PROMULGATED FOR THE SYSTEM: None. HISTORY: None. Teri Barnett, Departmental Privacy Officer, Department of the Interior. [FR Doc. 2021-24024 Filed 11-1-21; 11:15 am] BILLING CODE 4334-63-P