[Federal Register Volume 89, Number 194 (Monday, October 7, 2024)]
[Notices]
[Pages 81102-81106]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-23080]
-----------------------------------------------------------------------
DEPARTMENT OF THE INTERIOR
Office of the Secretary
[DOI-2024-0006; 24XD4523WD DWDFJ0000.000000 DS68664000]
Privacy Act of 1974; System of Records
AGENCY: Office of the Secretary, Interior.
ACTION: Notice of a modified system of records.
-----------------------------------------------------------------------
SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, as
amended, the Department of the Interior (DOI) is issuing a public
notice of its intent to modify the Privacy Act system of records,
INTERIOR/DOI-91, Oracle Federal Financials (OFF). DOI is revising this
notice to update the system manager and system location, authorities,
storage, retrieval, records retention schedule, safeguards, record
source categories, and notification, records access and contesting
procedures; propose new and modified routine uses, and all sections to
accurately reflect changes in management of the system of records. This
modified system will be included in DOI's inventory of record systems.
DATES: This modified system will be effective upon publication. New or
modified routine uses will be effective November 6, 2024. Submit
comments on or before November 6, 2024.
ADDRESSES: You may send comments identified by docket number [DOI-2024-
0006] by any of the following methods:
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for sending comments.
[[Page 81103]]
Email: [email protected]. Include docket number
[DOI-2024-0006] in the subject line of the message.
U.S. mail or hand-delivery: Teri Barnett, Departmental
Privacy Officer, U.S. Department of the Interior, 1849 C Street NW,
Room 7112, Washington, DC 20240.
Instructions: All submissions received must include the agency name
and docket number [DOI-2024-0006]. All comments received will be posted
without change to https://www.regulations.gov, including any personal
information provided.
Docket: For access to the docket to read background documents or
comments received, go to https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Teri Barnett, Departmental Privacy
Officer, U.S. Department of the Interior, 1849 C Street NW, Room 7112,
Washington, DC 20240, [email protected] or (202) 208-1605.
SUPPLEMENTARY INFORMATION:
I. Background
The DOI Interior Business Center (IBC) maintains the INTERIOR/DOI-
91, Oracle Federal Financials (OFF), system of records. The IBC is a
service provider that performs services for Federal government
agencies. The IBC's service offerings include providing and maintaining
various types of business management systems for its clients, including
human resources and financial management applications. The OFF system
provides IBC clients with a web-based application that contains
customizable financial management modules that combine to provide a
comprehensive financial software package to support budgeting,
purchasing, Federal procurement, accounts payable, fixed assets,
general ledger, inventory, accounts receivable, reimbursement,
reporting, and collection functions.
IBC hosts the OFF system and is responsible for system
administration functions and other management functions in accordance
with interagency agreements with internal and external Federal customer
agencies. Each external client agency retains control over its data in
the system and is responsible for maintaining client agency records in
the OFF system and for meeting the requirements of the Privacy Act and
other laws, regulations, and policies. While DOI records generated and
maintained in OFF are covered under this system of records notice
(SORN), each client agency that maintains records within the system has
published system notices that cover their financial management
activities. IBC does not collect personally identifiable information
directly from individuals on behalf of the customer agency for this
system. Therefore, individuals seeking access to or amendment of their
records under the control of an external client agency should follow
the access procedures outlined in the applicable client agency SORN or
send a written inquiry to that Federal agency Chief Privacy Officer.
Additionally, some records maintained within the OFF system may
also be covered by existing government-wide SORNs published by the
General Services Administration, including GSA/GOVT-3, Travel Charge
Card Program, 78 FR 20108 (April 3, 2013); GSA/GOVT-4, Contracted
Travel Services Program 74 FR 26700 (June 3, 2009), modification
published at 74 FR 28048 (June 12, 2009); and GSA/GOVT-6, GSA SmartPay
Purchase Charge Card Program, 73 FR 22376 (April 25, 2008). These
records may be subject to handling and disclosure requirements pursuant
to the routine uses in the government-wide SORNs, as applicable. Client
agencies are responsible for ensuring the handling, use, and sharing of
their records in OFF are in compliance with the Privacy Act of 1974,
including the provisions regarding notice, access, collection, use,
retention, and disclosure of records.
In this notice, DOI is proposing to update the system manager and
system location sections; expand on the record source categories
section; update authorities for maintenance of the system; update the
storage, retrieval, records retention schedule, and safeguards; update
the notification, records access and contesting procedures; and provide
general updates in accordance with the Privacy Act of 1974 and Office
of Management and Budget (OMB) Circular A-108, Federal Agency
Responsibilities for Review, Reporting, and Publication under the
Privacy Act.
DOI is also changing the routine uses from a numeric to alphabetic
list and is proposing to modify existing routine uses to provide
clarity and transparency and reflect updates consistent with standard
DOI routine uses. The notice of disclosure to consumer reporting
agencies section was moved to the end of this section. Routine use A
has been modified to further clarify disclosures to the Department of
Justice or other Federal agencies when necessary in relation to
litigation or judicial proceedings. Routine use B has been modified to
clarify disclosures to a congressional office to respond to or resolve
an individual's request made to that office. Routine use H has been
modified to expand the sharing of information with territorial
organizations in response to court orders or for discovery purposes
related to litigation. Routine use I has been modified to include the
sharing of information with grantees and shared service providers that
perform services requiring access to these records on DOI's behalf to
carry out the purposes of the system. Routine use J was slightly
modified to allow DOI to share information with appropriate Federal
agencies or entities when reasonably necessary to prevent, minimize, or
remedy the risk of harm to individuals or the Federal Government
resulting from a breach in accordance with OMB Memorandum M-17-12,
Preparing for and Responding to a Breach of Personally Identifiable
Information. Routine use R has been modified to reflect the agency name
change for the Government Accountability Office.
DOI is proposing a new routine use to facilitate the sharing of
information with another Federal agency to carry out a statutory
responsibility of the DOI. Proposed routine use S allows DOI to share
information with the Department of the Treasury in support of the Do
Not Pay Program in accordance with the Payment Integrity Information
Act of 2019 to prevent and detect improper payments.
Pursuant to the Privacy Act, 5 U.S.C. 552a(b)(12), DOI may disclose
information from this system to consumer reporting agencies as defined
in the Fair Credit Reporting Act (15 U.S.C. 1681a(f)) or the Federal
Claims Collection Act of 1966 (31 U.S.C. 3701(a)(3)) to aid in the
collection of outstanding debts owed to the Federal Government.
II. Privacy Act
The Privacy Act of 1974, as amended, embodies fair information
practice principles in a statutory framework governing the means by
which Federal agencies collect, maintain, use, and disseminate
individuals' records. The Privacy Act applies to records about
individuals that are maintained in a ``system of records.'' A ``system
of records'' is a group of any records under the control of an agency
from which information is retrieved by the name of an individual or by
some identifying number, symbol, or other identifying particular
assigned to the individual. The Privacy Act defines an individual as a
United States citizen or lawful permanent resident. Individuals may
request access to their own records that are maintained in a system of
records in the possession or under the control of
[[Page 81104]]
DOI by complying with DOI Privacy Act regulations at 43 CFR part 2,
subpart K, and following the procedures outlined in the Records Access,
Contesting Record, and Notification Procedures sections of this notice.
The Privacy Act requires each agency to publish in the Federal
Register a description denoting the existence and character of each
system of records that the agency maintains and the routine uses of
each system. The INTERIOR/DOI-91, Oracle Federal Financials (OFF), SORN
is published in its entirety below. In accordance with 5 U.S.C.
552a(r), DOI has provided a report of this system of records to the
Office of Management and Budget and to Congress.
III. Public Participation
You should be aware your entire comment including your personally
identifiable information, such as your address, phone number, email
address, or any other personal information in your comment, may be made
publicly available at any time. While you may request to withhold your
personally identifiable information from public review, we cannot
guarantee we will be able to do so.
SYSTEM NAME AND NUMBER:
INTERIOR/DOI-91, Oracle Federal Financials (OFF).
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Interior Business Center, U.S. Department of the Interior, One
Denver Federal Center, Building 48, Denver, CO 80225.
SYSTEM MANAGER(S):
Chief, Technical Services and Solutions Division, U.S. Department
of the Interior, Interior Business Center, 381 Elden Street, Suite 200,
Herndon, VA 20170.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Executive agency accounting and other financial management reports
and plans, 31 U.S.C. 3512; Acceptance of contributions, awards, and
other payments, 5 U.S.C. 4111; Installment deduction for indebtedness
to the United States, 5 U.S.C. 5514; Travel and Subsistence Expenses;
Mileage Allowances, 5 U.S.C. chapter 57, subchapter I ; Collection and
compromise, 31 U.S.C. 3711; and the Office of Management and Budget
Circular A-123, appendix D, Compliance with the Federal Financial
Management Improvement Act of 1996.
PURPOSE(S) OF THE SYSTEM:
The primary purpose of the system is to support financial
management for Federal agencies by providing a standardized, automated
capability for performing administrative control of funds, general
accounting, billing and collections, payments, management reporting,
and regulatory reporting.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Individuals covered by the system include employees of various
Federal agencies that are IBC clients using OFF, as well as employees
or agents for third party vendors, contractors and suppliers who
provide OFF clients with related financial services. This system also
contains information about individuals, both employees and non-
employees, who owe debts to the Federal government. Records relating to
corporations and other business entities contained in this system are
not subject to the Privacy Act, however, records relating to
individuals acting on behalf of corporations and other business
entities may reflect personal information that may be maintained in
this system of records.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system contains financial and administrative records that
include but are not limited to:
(1) Accounts receivable records, including individuals and
employees who owe money to OFF clients and are the subject of
collections actions. Records may include first and last names, home
addresses, phone numbers, email addresses, Employee Identification
Numbers (EINs), and Social Security Numbers (SSNs).
(2) Accounts payable records about non-employee individuals and
sole proprietors, including individuals who provide services to OFF
clients. These records may include names, home or business addresses,
phone or fax numbers, email addresses, Tax Identification Numbers,
SSNs, banking account numbers for electronic fund transfer payments,
and invoices and claims for reimbursement.
(3) Records of employees of OFF clients who submit claims for
reimbursable expenses. These records may include names, EINs, SSNs,
work addresses, phone numbers, email addresses, and receipts and claims
for reimbursement.
(4) Records of employees of OFF clients who hold government bank or
debit cards for purchases or travel. These records may include names,
EINs, SSNs, home or work addresses, phone numbers, email addresses,
card numbers and purchase histories.
The system may contain other information collected or created
through correspondence, reports, or during the processing and support
of financial management transactions, administrative controls, and
general accounting. The system may also contain additional business and
financial records for OFF clients that do not include personal
information. Records in this system are subject to the Privacy Act only
if they are about an individual within the meaning of the Privacy Act,
and not if they are about a business, organization, or other non-
individual.
RECORD SOURCE CATEGORIES:
Information sources are Federal customer agencies, contractors,
sole proprietors, service providers, third-party vendors, and suppliers
who provide related financial and other services to clients using the
system.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
In addition to those disclosures generally permitted under 5 U.S.C.
552a(b) of the Privacy Act, all or a portion of the records or
information contained in this system may be disclosed outside DOI as a
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
A. To the Department of Justice (DOJ), including Offices of the
U.S. Attorneys, or other Federal agency conducting litigation or in
proceedings before any court, adjudicative, or administrative body,
when it is relevant or necessary to the litigation and one of the
following is a party to the litigation or has an interest in such
litigation:
(1) DOI or any component of DOI;
(2) Any other Federal agency appearing before the Office of
Hearings and Appeals;
(3) Any DOI employee or former employee acting in his or her
official capacity;
(4) Any DOI employee or former employee acting in his or her
individual capacity when DOI or DOJ has agreed to represent that
employee or pay for private representation of the employee; or
(5) The United States Government or any agency thereof, when DOJ
determines that DOI is likely to be affected by the proceeding.
B. To a congressional office when requesting information on behalf
of, and at the request of, the individual who is the subject of the
record.
C. To the Executive Office of the President in response to an
inquiry from
[[Page 81105]]
that office made at the request of the subject of a record or a third
party on that person's behalf, or for a purpose compatible with the
reason for which the records are collected or maintained.
D. To any criminal, civil, or regulatory law enforcement authority
(whether Federal, State, territorial, local, Tribal or foreign) when a
record, either alone or in conjunction with other information,
indicates a violation or potential violation of law--criminal, civil,
or regulatory in nature, and the disclosure is compatible with the
purpose for which the records were compiled.
E. To an official of another Federal agency to provide information
needed in the performance of official duties related to reconciling or
reconstructing data files or to enable that agency to respond to an
inquiry by the individual to whom the record pertains.
F. To Federal, State, territorial, local, Tribal, or foreign
agencies that have requested information relevant or necessary to the
hiring, firing or retention of an employee or contractor, or the
issuance of a security clearance, license, contract, grant or other
benefit, when the disclosure is compatible with the purpose for which
the records were compiled.
G. To representatives of the National Archives and Records
Administration (NARA) to conduct records management inspections under
the authority of 44 U.S.C. 2904 and 2906.
H. To State, territorial and local governments and Tribal
organizations to provide information needed in response to court order
and/or discovery purposes related to litigation, when the disclosure is
compatible with the purpose for which the records were compiled.
I. To an expert, consultant, grantee, shared service provider, or
contractor (including employees of the contractor) of DOI that performs
services requiring access to these records on DOI's behalf to carry out
the purposes of the system.
J. To appropriate agencies, entities, and persons when:
(1) DOI suspects or has confirmed that there has been a breach of
the system of records;
(2) DOI has determined that as a result of the suspected or
confirmed breach there is a risk of harm to individuals, DOI (including
its information systems, programs, and operations), the Federal
Government, or national security; and
(3) the disclosure made to such agencies, entities, and persons is
reasonably necessary to assist in connection with DOI's efforts to
respond to the suspected or confirmed breach or to prevent, minimize,
or remedy such harm.
K. To another Federal agency or Federal entity, when DOI determines
that information from this system of records is reasonably necessary to
assist the recipient agency or entity in:
(1) responding to a suspected or confirmed breach; or
(2) preventing, minimizing, or remedying the risk of harm to
individuals, the recipient agency or entity (including its information
systems, programs, and operations), the Federal Government, or national
security, resulting from a suspected or confirmed breach.
L. To the Office of Management and Budget (OMB) during the
coordination and clearance process in connection with legislative
affairs as mandated by OMB Circular A-19.
M. To the Department of the Treasury to recover debts owed to the
United States.
N. To the news media and the public, with the approval of the
Public Affairs Officer in consultation with counsel and the Senior
Agency Official for Privacy, where there exists a legitimate public
interest in the disclosure of the information, except to the extent it
is determined that release of the specific information in the context
of a particular case would constitute an unwarranted invasion of
personal privacy.
O. To a commercial credit card contractor(s) for the accounting and
payment of employee obligation for travel, purchasing, and fleet
management credit card usage.
P. To OFF clients for the purpose of processing, using, and
maintaining their agency's data in the OFF system.
Q. To DOJ or other Federal agencies for further collection action
on any delinquent debt when circumstances warrant.
R. To the Government Accountability Office, DOJ, or a United States
Attorney for actions regarding debt and attempts to collect monies
owed.
S. To the Department of the Treasury in order to eliminate waste,
fraud, and abuse in Federal programs and to prevent payment errors
before they occur in accordance with the Do Not Pay Program which is
authorized and governed by the Payment Integrity Information Act of
2019.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Electronic records are maintained on servers located in secure
facilities. Paper records are contained in file folders stored in file
cabinets in accordance with Departmental policy.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
The personal identifiers that can be used to retrieve information
on individuals are name, SSN, EIN, bank account number, government
travel/small purchase bank card number, and supplier number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
DOI financial management records are retained in accordance with
Departmental Records Schedule (DRS) 1--Administrative Records, Long-
term Financial and Acquisition Records (DAA-0048-2013-0001-0011), which
was approved by NARA. The disposition for these records is temporary
with destruction authorized seven years after the cut off of the record
as instructed in the bureau or office records manual or at the end of
fiscal year in which the files are closed, if no unique cut-off is
specified. Approved disposition methods include shredding or pulping
for paper records, and degaussing or erasing electronic records in
accordance with NARA guidelines and Departmental policy.
Each Federal agency client maintains records in the system in
accordance with records retention schedules approved by NARA, and
agency clients are responsible for the retention and disposal of their
own records. While the IBC provides system administration and
management support to agency clients, any records disposal is in
accordance with client agency approved data disposal procedures.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
The records contained in this system are safeguarded in accordance
with 43 CFR 2.226 and other applicable security and privacy rules and
policies. During normal hours of operation, paper records are
maintained in locked file cabinets under the control of authorized
personnel. Computer servers on which electronic records are stored are
located in secured DOI controlled facilities with physical, technical
and administrative levels of security to prevent unauthorized access to
the DOI network and information assets. A Privacy Act Warning Notice
appears on computer monitor screens when records containing information
on individuals are first displayed. Data exchanged between the servers
and the system is encrypted. Backup tapes are encrypted and stored in a
locked and controlled room in a secure, off-site location.
Computerized records systems follow the National Institute of
Standards and Technology privacy and security
[[Page 81106]]
standards as developed to comply with the Privacy Act of 1974, as
amended, 5 U.S.C. 552a; Paperwork Reduction Act of 1995, 44 U.S.C. 3501
et seq.; Federal Information Security Modernization Act of 2014, 44
U.S.C. 3551 et seq.; and the Federal Information Processing Standards
199: Standards for Security Categorization of Federal Information and
Information Systems. Security controls include user identification,
multi-factor authentication, database permissions, encryption,
firewalls, audit logs, and network system security monitoring, and
software controls.
Access to records in the system is limited to authorized personnel
who have a need to access the records in the performance of their
official duties, and each user's access is restricted to only the
functions and data necessary to perform that person's job
responsibilities. System administrators and authorized users are
trained and required to follow established internal security protocols
and must complete all security, privacy, and records management
training and sign the DOI Rules of Behavior. Privacy Impact Assessments
are conducted on use of systems and third-party applications to ensure
that Privacy Act requirements are met and appropriate privacy controls
are implemented to safeguard the personally identifiable information
contained in the system.
RECORD ACCESS PROCEDURES:
An individual requesting access to their records should send a
written inquiry to the System Manager identified above. DOI forms and
instructions for submitting a Privacy Act request may be obtained from
the DOI Privacy Act Requests website at https://www.doi.gov/privacy/privacy-act-requests. The request must include a general description of
the records sought and the requester's full name, current address, and
sufficient identifying information such as date of birth or other
information required for verification of the requester's identity. The
request must be signed and dated and be either notarized or submitted
under penalty of perjury in accordance with 28 U.S.C. 1746. The request
must include the specific bureau or office that maintains the record to
facilitate location of the applicable records. Requests submitted by
mail must be clearly marked ``PRIVACY ACT REQUEST FOR ACCESS'' on both
the envelope and letter. A request for access must meet the
requirements of 43 CFR 2.238.
CONTESTING RECORD PROCEDURES:
An individual requesting amendment of their records should send a
written request to the System Manager as identified above. DOI
instructions for submitting a request for amendment of records are
available on the DOI Privacy Act Requests website at https://www.doi.gov/privacy/privacy-act-requests. The request must clearly
identify the records for which amendment is being sought, the reasons
for requesting the amendment, and the proposed amendment to the record.
The request must include the requester's full name, current address,
and sufficient identifying information such as date of birth or other
information required for verification of the requester's identity. The
request must be signed and dated and be either notarized or submitted
under penalty of perjury in accordance with 28 U.S.C. 1746. Requests
submitted by mail must be clearly marked ``PRIVACY ACT REQUEST FOR
AMENDMENT'' on both the envelope and letter. A request for amendment
must meet the requirements of 43 CFR 2.246.
NOTIFICATION PROCEDURES:
An individual requesting notification of the existence of records
about them should send a written inquiry to the System Manager as
identified above. DOI instructions for submitting a request for
notification are available on the DOI Privacy Act Requests website at
https://www.doi.gov/privacy/privacy-act-requests. The request must
include a general description of the records and the requester's full
name, current address, and sufficient identifying information such as
date of birth or other information required for verification of the
requester's identity. The request must be signed and dated and be
either notarized or submitted under penalty of perjury in accordance
with 28 U.S.C. 1746. Requests submitted by mail must be clearly marked
``PRIVACY ACT INQUIRY'' on both the envelope and letter. A request for
notification must meet the requirements of 43 CFR 2.235.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
80 FR 66551 (October 29, 2015); modification published at 86 FR
50156 (September 7, 2021).
Teri Barnett,
Departmental Privacy Officer, U.S. Department of the Interior.
[FR Doc. 2024-23080 Filed 10-4-24; 8:45 am]
BILLING CODE 4334-63-P