Privacy Act of 1974; System of Records
| Published date | 15 March 2024 |
| Record Number | 2024-05500 |
| Citation | 89 FR 18921 |
| Court | Energy Department |
| Section | Notices |
Federal Register, Volume 89 Issue 52 (Friday, March 15, 2024)
[Federal Register Volume 89, Number 52 (Friday, March 15, 2024)]
[Notices]
[Pages 18921-18924]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-05500]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Privacy Act of 1974; System of Records
AGENCY: U.S. Department of Energy.
ACTION: Notice of a modified system of records.
-----------------------------------------------------------------------
SUMMARY: As required by the Privacy Act of 1974 and the Office of
Management and Budget (OMB) Circulars A-108 and A-130, the Department
of Energy (DOE or the Department) is publishing notice of a
modification to an existing Privacy Act System of Records. DOE proposes
to amend System of Records DOE-7 Whistleblower Investigation, Hearings,
and Appeals Records. This System of Records Notice (SORN) is being
modified to align with new formatting requirements, published by OMB,
and to ensure appropriate Privacy Act coverage of business processes
and Privacy Act information. While there are no substantive changes to
the ``Categories of Individuals'' or ``Categories of Records'' sections
covered by this SORN, substantive changes have been made to the
``System Locations,'' ``Routine Uses,'' and ``Administrative, Technical
and Physical Safeguards'' sections to provide greater transparency.
Changes to ``Routine Uses'' include new provisions related to
responding to breaches of information held under a Privacy Act SORN as
required by OMB's Memorandum M-17-12, ``Preparing for and Responding to
a Breach of
[[Page 18922]]
Personally Identifiable Information'' (January 3, 2017). Language
throughout the SORN has been updated to align with applicable Federal
privacy laws, policies, procedures, and best practices.
DATES: This modified SORN will become applicable following the end of
the public comment period on April 15, 2024 unless comments are
received that result in a contrary determination.
ADDRESSES: Written comments should be sent to the DOE Desk Officer,
Office of Information and Regulatory Affairs, Office of Management and
Budget, New Executive Office Building, Room 10102, 735 17th Street NW,
Washington, DC 20503 and to Ken Hunt, Chief Privacy Officer, U.S.
Department of Energy, 1000 Independence Avenue SW, Rm 8H-085,
Washington, DC 20585 or by facsimile at (202) 586-8151 or by email at
[email protected].
FOR FURTHER INFORMATION CONTACT: Ken Hunt, Chief Privacy Officer, U.S.
Department of Energy, 1000 Independence Avenue SW, Rm 8H-085,
Washington, DC 20585 or by facsimile at (202) 586-8151, by email at
[email protected], or by telephone at (240) 686-9485.
SUPPLEMENTARY INFORMATION: On January 9, 2009, DOE published a
Compilation of its Privacy Act Systems of Records, which included
System of Records DOE-7 Whistleblower Investigation, Hearings, and
Appeals Records. This notice deletes a previous routine use concerning
efforts responding to a suspected or confirmed loss of confidentiality
of information as it appears in DOE's compilation of its Privacy Act
systems of records (January 9, 2009) and replaces it with one to assist
DOE with responding to a suspected or confirmed breach of its records
of PII, modeled with language from OMB's Memorandum M-17-12,
``Preparing for and Responding to a Breach of Personally Identifiable
Information'' (January 3, 2017). Further, this notice adds one new
routine use to ensure that DOE may assist another agency or entity in
responding to the other agency's or entity's confirmed or suspected
breach of PII, as appropriate, in alignment with OMB's Memorandum M-17-
12. Additionally, in the seventh routine use, ``Hearing Officers'' has
been changed to ``Administrative Judges,'' pursuant to recent title
changes. The URL for this routine has also been updated. In the
``Categories of Individuals'' section, the citation for the National
Defense Authorization Act for FY 2000 has been revised from ``42 U.S.C.
7239'' to ``50 U.S.C. 2702.'' An administrative change required by the
FOIA Improvement Act of 2016 extends the length of time a requestor is
permitted to file an appeal under the Privacy Act from 30 to 90 days.
Both the ``System Locations'' and ``Administrative, Technical and
Physical Safeguards'' sections have been modified to reflect the
Department's usage of cloud-based services for records storage.
Language throughout the SORN has been updated to align with applicable
Federal privacy laws, policies, procedures, and best practices.
SYSTEM NAME AND NUMBER:
DOE-7 Whistleblower Investigation, Hearings, and Appeals Records.
SECURITY CLASSIFICATION:
Unclassified and classified.
SYSTEM LOCATION:
Systems leveraging this SORN may exist in multiple locations. All
systems storing records in a cloud-based server are required to use
government-approved cloud services and follow National Institute of
Standards and Technology (NIST) security and privacy standards for
access and data retention. Records maintained in a government-approved
cloud server are accessed through secure data centers in the
continental United States.
U.S. Department of Energy, Office of Hearings and Appeals, 1000
Independence Avenue SW, Washington, DC 20585-1615.
SYSTEM MANAGER(S):
Headquarters: U.S. Department of Energy, Office of Hearings and
Appeals, 1000 Independence Avenue SW, Washington, DC 20585-1615.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
42 U.S.C. 7101 et seq.; 50 U.S.C. 2401 et seq.; 42 U.S.C. 2201(b),
(c), (i), (p), 5814, 5815, 7251, 7254, 7255, 7257; 50 U.S.C. 2702.
PURPOSE(S) OF THE SYSTEM:
Records in this system are maintained and used by the DOE to
document and resolve complaints made by current and former employees,
contractors, and subcontractors of DOE (including National Nuclear
Security Administration (NNSA) contractors and subcontractors), who
allege retaliation by their employer for disclosure of information
concerning danger to public or worker health or safety, substantial
violations of law, or gross mismanagement; for participation in
Congressional proceedings; or for refusal to participate in dangerous
activities.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Current and former employees of DOE, contractors, and
subcontractors (including NNSA contractors and subcontractors), whose
complaints are received at the Office of Hearings and Appeals pursuant
to 10 CFR part 708, and pursuant to Section 3164 of the National
Defense Authorization Act for FY 2000, Public Law 106-65, codified at
50 U.S.C. 2702.
CATEGORIES OF RECORDS IN THE SYSTEM:
Whistleblower reprisal complaints; names, Social Security numbers,
case numbers, work and home addresses and telephone numbers, job
titles, series, grade or pay levels; organization information;
supervisors' names and telephone numbers; copies of employee records
such as personnel actions, performance appraisals, pay and leave
records, and security clearance documents; management reports; witness
statements; affidavits; checklists; notes; reports of investigation;
and relevant correspondence.
RECORD SOURCE CATEGORIES:
The complainant; individuals and organizations that have pertinent
knowledge about the subject of the complaint; those authorized by the
complainant to furnish information; confidential informants; and
Congressional offices.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
1. A record from this system may be disclosed to any source from
which additional information is requested when necessary to obtain
information relevant to the processing of a whistleblower complaint by
the Office of Hearings and Appeals. The source will be provided such
information from the System of Records only to the extent necessary to
identify the individual, inform the source of the purpose(s) of the
request, and to identify the type of information requested, as
appropriate to the necessary information to process the complaint.
2. A record from this system may be disclosed as a routine use to
the appropriate local, Tribal, state, or Federal agency when records,
alone or in conjunction with other information, indicate a violation or
potential violation of law whether civil, criminal, or regulatory in
nature, and whether arising by general statute or particular program
pursuant thereto.
3. A record from this system may be disclosed as a routine use for
the
[[Page 18923]]
purpose of an investigation, settlement of claims, or the preparation
and conduct of litigation to (1) persons representing the Department in
the investigation, settlement or litigation, and to individuals
assisting in such representation; (2) others involved in the
investigation, settlement, and litigation, and their representatives
and individuals assisting those representatives; (3) witnesses,
potential witnesses, or their representatives and assistants; and (4)
any other persons who possess information pertaining to the matter when
it is necessary to obtain information or testimony relevant to the
matter.
4. A record from this system may be disclosed as a routine use in
court or administrative proceedings to the tribunals, counsel, other
parties, witnesses, and the public (in publicly available pleadings,
filings, or discussion in open court) when such disclosure: (1) is
relevant to, and necessary for, the proceeding; (2) is compatible with
the purpose for which the Department collected the records; and (3) the
proceedings involve:
a. The Department, its predecessor agencies, current or former
contractor of the Department, or other United States Government
agencies and their components, or
b. A current or former employee of the Department and its
predecessor agencies, current or former contractors of the Department,
or other United States Government agencies and their components, who is
acting in an official capacity or in any individual capacity where the
Department or other United States Government agency has agreed to
represent the employee.
5. A record from this system may be disclosed as a routine use to
DOE contractors in performance of their contracts, and their officers
and employees who have a need for the record in the performance of
their duties. Those provided information under this routine use are
subject to the same limitations applicable to Department officers and
employees under the Privacy Act.
6. A record from this system may be disclosed as a routine use to a
member of Congress submitting a request involving a constituent when
the constituent has requested assistance from the member concerning the
subject matter of the record. The member of Congress must provide a
copy of the constituent's signed request for assistance.
7. Decisions, opinions, reports of investigation, orders, and other
determinations signed by investigators, Administrative Judges or the
Director of the Office of Hearings and Appeals that are records
contained in this System of Records may be published for the general
public, for precedential or educational purposes, in paper format and
electronically on the Office of Hearings and Appeals' website, the
current address of which is www.energy.gov/oha/office-hearings-and-appeals.
8. A record from this system may be disclosed as a routine use to
appropriate agencies, entities, and persons when (1) the Department
suspects or has confirmed that there has been a breach of the System of
Records; (2) the Department has determined that as a result of the
suspected or confirmed breach there is a risk of harm to individuals,
DOE (including its information systems, programs, and operations), the
Federal Government, or national security; and (3) the disclosure made
to such agencies, entities, and persons is reasonably necessary to
assist in connection with the Department's efforts to respond to the
suspected or confirmed breach or to prevent, minimize, or remedy such
harm.
9. A record from this system may be disclosed as a routine use to
another Federal agency or Federal entity, when the Department
determines that information from this System of Records is reasonably
necessary to assist the recipient agency or entity in (1) responding to
a suspected or confirmed breach or (2) preventing, minimizing, or
remedying the risk of harm to individuals, the recipient agency or
entity (including its information systems, programs, and operations),
the Federal Government, or national security, resulting from a
suspected or confirmed breach.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records may be stored as paper records or electronic media.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records are retrieved by complainant's name or other personal
identifier or case number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Retention and disposition of these records are unscheduled. This
requires the records to be retained as permanent until the National
Archives and Records Administration approves the draft schedule, which
will require the records to be retained 7 years.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Electronic records may be secured and maintained on a cloud-based
software server and operating system that resides in Federal Risk and
Authorization Management Program (FedRAMP) and Federal Information
Security Modernization Act (FISMA) hosting environment. Data located in
the cloud-based server is firewalled and encrypted at rest and in
transit. The security mechanisms for handling data at rest and in
transit are in accordance with DOE encryption standards. Records are
protected from unauthorized access through the following appropriate
safeguards:
Administrative: Access to all records is limited to lawful
government purposes only, with access to electronic records based on
role and either two-factor authentication or password protection. The
system requires passwords to be complex and to be changed frequently.
Users accessing system records undergo frequent training in Privacy Act
and information security requirements. Security and privacy controls
are reviewed on an ongoing basis.
Technical: Computerized records systems are safeguarded on
Departmental networks configured for role-based access based on job
responsibilities and organizational affiliation. Privacy and security
controls are in place for this system and are updated in accordance
with applicable requirements as determined by NIST and DOE directives
and guidance.
Physical: Computer servers on which electronic records are
stored are located in secured Department facilities, which are
protected by security guards, identification badges, and cameras. Paper
copies of all records are locked in file cabinets, file rooms, or
offices and are under the control of authorized personnel. Access to
these facilities is granted only to authorized personnel and each
person granted access to the system must be an individual authorized to
use and/or administer the system.
RECORD ACCESS PROCEDURES:
The Department follows the procedures outlined in 10 CFR 1008.4.
Valid identification of the individual making the request is required
before information will be processed, given, access granted, or a
correction considered, to ensure that information is processed, given,
corrected, or records disclosed or corrected only at the request of the
proper person.
[[Page 18924]]
CONTESTING RECORD PROCEDURES:
Any individual may submit a request to the System Manager and
request a copy of any records relating to them. In accordance with 10
CFR 1008.11, any individual may appeal the denial of a request made by
him or her for information about or for access to or correction or
amendment of records. An appeal shall be filed within 90 calendar days
after receipt of the denial. When an appeal is filed by mail, the
postmark is conclusive as to timeliness. The appeal shall be in writing
and must be signed by the individual. The words ``PRIVACY ACT APPEAL''
should appear in capital letters on the envelope and the letter.
Appeals of denials relating to records maintained in government-wide
System of Records reported by Office of Personnel Management (OPM),
shall be filed, as appropriate, with the Assistant Director for Agency
Compliance and Evaluation, OPM, 1900 E Street NW, Washington, DC 20415.
All other appeals relating to DOE records shall be directed to the
Director, Office of Hearings and Appeals (OHA), 1000 Independence
Avenue SW, Washington, DC 20585.
NOTIFICATION PROCEDURES:
In accordance with the DOE regulation implementing the Privacy Act,
10 CFR part 1008, a request by an individual to determine if a System
of Records contains information about themselves should be directed to
the U.S. Department of Energy, Headquarters, Privacy Act Officer. The
request should include the requester's complete name and the time
period for which records are sought.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
The system is exempt under subsections 552a(k)(1), (2) and (5) of
the Privacy Act to the extent that information within the system meets
the criteria of those subsections of the Act. Such information has been
exempted from the provisions of subsections (c)(3); 5 U.S.C. 552a(d)
and (e)(1) of the Act; see the DOE Privacy Act regulation at 10 CFR
part 1008.
HISTORY:
This SORN was last published in the Federal Register (FR), 74 FR
1005-1006, on January 9, 2009.
Signing Authority
This document of the Department of Energy was signed on January 22,
2024, by Ann Dunkin, Senior Agency Official for Privacy, pursuant to
delegated authority from the Secretary of Energy. That document with
the original signature and date is maintained by DOE. For
administrative purposes only, and in compliance with requirements of
the Office of the Federal Register, the undersigned DOE Federal
Register Liaison Officer has been authorized to sign and submit the
document in electronic format for publication, as an official document
of the Department of Energy. This administrative process in no way
alters the legal effect of this document upon publication in the
Federal Register.
Signed in Washington, DC, on March 11, 2024.
Treena V. Garrett,
Federal Register Liaison Officer, U.S. Department of Energy.
[FR Doc. 2024-05500 Filed 3-14-24; 8:45 am]
BILLING CODE 6450-01-P
