Privacy Act of 1974; System of Records

Published date07 February 2020
Citation85 FR 7389
Record Number2020-02480
SectionNotices
CourtVeterans Affairs Department
Federal Register, Volume 85 Issue 26 (Friday, February 7, 2020)
[Federal Register Volume 85, Number 26 (Friday, February 7, 2020)]
                [Notices]
                [Pages 7389-7395]
                From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
                [FR Doc No: 2020-02480]
                =======================================================================
                -----------------------------------------------------------------------
                DEPARTMENT OF VETERANS AFFAIRS
                Privacy Act of 1974; System of Records
                AGENCY: Department of Veterans Affairs (VA).
                ACTION: Notice of a modified system of records.
                -----------------------------------------------------------------------
                SUMMARY: As required by the Privacy Act of 1974, notice is hereby given
                that the Department of Veterans Affairs (VA) is amending the system of
                records currently entitled, ``Veterans Canteen Service (VCS) Payroll
                Deduction
                [[Page 7390]]
                Program (PDP)--VA'' (117VA103) as set forth in the Federal Register 75
                FR 26851. VA is amending the system of records by revising the System
                Name; System Number; System Location; System Manager; Purpose of the
                System; Categories of Individuals Covered by the System; Categories of
                the Records in the System; Record Source Categories; Routine Uses of
                Records Maintained in the System, Including Categories of Users and the
                Purposes of Such Uses; Policies and Practices for Storage of Records;
                Policies and Practices for Retrievability of Records; Policies and
                Practices For Retention and Disposal of Records; Physical, Procedural,
                and Administrative Safeguards; Record Access Procedure; and
                Notification Procedure. VA is republishing the system notice in its
                entirety.
                DATES: Comments on this amended system of records must be received no
                later than March 9, 2020. If no public comment is received during the
                period allowed for comment or unless otherwise published in the Federal
                Register by the VA, the new system will become effective March 9, 2020.
                ADDRESSES: Written comments may be submitted through
                www.Regulations.gov; by mail or hand-delivery to Director, Regulation
                Policy and Management (00REG), Department of Veterans Affairs, 810
                Vermont Avenue NW, Room 1064, Washington, DC 20420; or by fax to (202)
                273-9026 (Note: Not a toll-free number). Comments should indicate they
                are submitted in response to ``Veterans Canteen Service (VCS) Payroll
                Deduction Program (PDP)--VA'' (117VA103). Copies of comments received
                will be available for public inspection in the Office of Regulation
                Policy and Management, Room 1063B, between the hours of 8:00 a.m. and
                4:30 p.m., Monday through Friday (except holidays). Please call (202)
                461-4902 for an appointment (Note: Not a toll-free number). In
                addition, comments may be viewed online at www.Regulations.gov.
                FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA)
                Privacy Act Officer, Department of Veterans Affairs, 810 Vermont Avenue
                NW, Washington, DC 20420; telephone (704) 245-2492.
                SUPPLEMENTARY INFORMATION: The System Name is being changed from
                ``Veterans Canteen Service (VCS) Payroll Deduction Program (PDP)--VA''
                to ``Veterans Canteen Service (VCS) Payroll Deduction Program (PDP),
                Point of Sale (POS) Help Desk and eCommerce--VA.''
                 The System Number will be changed from 117VA103 to 117VA10NA6 to
                reflect the current organizational alignment.
                 The System Location is being amended to replace Austin Automation
                Center (AAC) with Austin Information Technology Center (AITC). This
                section will add POS Help Desk and VCS eCommerce Site information,
                which is maintained on a contractor-owned data center located in their
                Service Desk Online (SDO) system in Coventry, United Kingdom (UK) and
                Phoenix, Arizona, respectively.
                 The System Manager has been amended to add the POS Help Desk and
                eCommerce Site official responsible for policies and procedures: Office
                of the Business Operations and Support, Veterans Canteen Service (103),
                Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC
                20420. Addresses for VA facilities are listed in VA Appendix 1.
                 Purpose of the System is being amended to add for the POS Help Desk
                and eCommerce Site. The VCS records allow authorized VCS contractors to
                collect relevant data to the end of providing operational support to
                maintain both cash register systems and the eCommerce Site. User data
                will be used for incident reporting and help desk activities, site
                personalization, Email communication, product recommendations, order
                management and payment processing. The VCS system of records allows
                authorized VCS employees and contractors to collect VCS canteen
                addresses, VCS canteen phone numbers, VCS system users first and last
                name and VCS employee's VA Email addresses through an incident
                management system for the purposes of in-taking, troubleshooting and
                triaging VCS call tickets. The operations and maintenance portions must
                be reported by the end user to a VCS contracted designated help desk
                who has been designated to resolve the issue. Records would be used to
                identify issues, conduct follow-up on unresolved issues, perform trend
                analyses on types of call ticket issues, generate reports and analytics
                on call ticket trends and notify VCS management of call ticket volume
                and trends. The additional functions serve to provide a modern system
                as an eCommerce platform that is comparable to commercial eCommerce
                sites.
                 The Categories of Individuals Covered by the System is being
                amended to define the types of user data covered by the POS Help Desk
                and eCommerce Site.
                 The Categories of Records in the System is being amended to include
                the POS Help Desk and eCommerce Site records include the following
                identification information:
                --User First and Last Name, Prefix, Suffix
                --User Email address
                --User Gender
                --User Date of Birth
                --User Address, City, State, and Postal Zip Code
                --User Military Affiliation
                --User Site Behavioral Patterns
                --User Site Purchase History
                --User Phone Number
                --User PDP Account Number
                --User PDP Account Balance
                --User Date of Purchase
                --User Purchase Amount
                --User Identification Control Number (ICN)
                --User Security ID
                --User Assurance Level
                --User Credential Service Identifier
                --User Identifier
                --User Hash
                --User Authentication Time
                --Credit Card Number
                --Credit Card CVV
                --Credit Card Date of Expiration
                --PayPal credentials
                --VCS Canteen location including Address, City, State and Postal Zip
                Code
                --VCS Canteen Phone Number; and
                --Description of System or Application Issue.
                 Record Source Categories is being amended to include the POS Help
                Desk and eCommerce Site information in this system of records is
                provided by authorized VCS employees who call, Email or submit a call
                ticket to the vendor in order to report a system, application or
                operational issue relative to a system application. The updates also
                provide the ability to offer a modern eCommerce platform that is
                comparable to commercial eCommerce sites, to include custom site
                personalization, product recommendations and order management.
                 The Routine Uses of Records Maintained in the System is amending
                the language in Routine Use #11, which states that disclosure of the
                records to the DoJ is a use of the information contained in the records
                that is compatible with the purpose for which VA collected the records.
                VA may disclose records in this system of records in legal proceedings
                before a court or administrative body after determining that the
                disclosure of the records to the court or administrative body is a use
                of the information contained in the records that is compatible with the
                purpose for which VA collected the records. This routine use will now
                state that release of the records to the DoJ is limited to
                circumstances where relevant and
                [[Page 7391]]
                necessary to the litigation. VA may disclose records in this system of
                records in legal proceedings before a court or administrative body
                after determining that release of the records to the court or
                administrative body is limited to circumstances where relevant and
                necessary to the litigation.
                 Routine Use #14 is clarifying the language to state, ``VA may
                disclose any information or records to appropriate agencies, entities,
                and persons when (1) VA suspects or has confirmed that there has been a
                breach of the system of records; (2) VA has determined that as a result
                of the suspected or confirmed breach there is a risk to individuals, VA
                (including its information systems, programs, and operations), the
                Federal Government, or national security; and (3) the disclosure made
                to such agencies, entities, or persons is reasonably necessary to
                assist in connection with VA efforts to respond to the suspected or
                confirmed breach or to prevent, minimize, or remedy such harm.''
                 Routine use #15 is being added to state, ``VA may disclose
                information from this system of records to another Federal agency or
                Federal entity, when VA determines that information from this system of
                records is reasonably necessary to assist the recipient agency or
                entity in (1) responding to a suspected or confirmed breach or (2)
                preventing, minimizing, or remedying the risk of harm to individuals,
                the recipient agency or entity (including its information systems,
                programs, and operations), the Federal Government, or national
                security, resulting from a suspected or confirmed breach.''
                 Routine use #16 is being added to state, ``VA may disclose relevant
                information to VCS contracted vendors, in order to provide a single
                point of contact for all incidents relative to VCS' POS software
                application.'' VA needs this routine use for VCS contracted vendors to
                use the information to intake, troubleshoot and triage call tickets as
                appropriate. In some cases, the incident may need to be escalated to a
                third party vendor or VA Office of Information Technology (OI&T) for
                further review and troubleshooting.
                 Routine use #17 is being added to state, ``VA may disclose relevant
                information to third party vendors for issues outside the scope of VCS
                software application vendor. This includes, but is not limited to
                notification of canteen location, contact information, canteen manager
                first and last name, VA Email address, and description of the issue.''
                VA needs this routine use for vendors to triage and troubleshoot
                customer transactions.
                 Policies and Practices for Storage of Records is being amended to
                include the POS Help Desk records are maintained electronically within
                the managed service database.
                 Policies and Practices for Retrievability of Records is being
                amended to include the POS Help Desk and eCommerce Site records are
                retrieved by Incident Number.
                 Policies and Practices For Retention and Disposal of Records to
                replace ``records for active participants in the Payroll Deduction
                Program are maintained indefinitely. Records for participants who leave
                VA employment voluntarily or involuntarily terminate their
                participation in the Payroll Deduction Program are retained for three
                years following the date the account attains a zero balance; or for
                three years following the date the account balance is written off
                following unsuccessful collection action'' with Payroll System Reports
                which include error reports, ticklers, and system operation reports,
                destroy when related actions are completed or when no longer needed,
                not to exceed 2 years. (N1-GRS-92-4 item 22a). Reports providing fiscal
                information on agency payroll destroy after GAO audit or when 3 years
                old, whichever is sooner. (N1-GRS-92-4 item 22c). Information
                Technology (IT) Customer Service File records related to providing help
                desk information to customers, including pamphlets, responses to
                Frequently Asked Questions, and other documents prepared in advance to
                assist customers, destroy/delete 1 year after record is superseded or
                obsolete. (N1-GRS-03-1 item 10a). Help desk logs and reports and other
                files related to customer query and problem response; query monitoring
                and clearance; and customer feedback records; and related trend
                analysis and reporting, destroy/delete when 1 year old or when no
                longer needed for review and analysis, whichever is later. (N1-GRS-03-1
                item 10b).''
                 Physical, Procedural, and Administrative Safeguards is being
                amended to include:
                POS Help Desk and eCommerce Site--
                 1. Access to VA work and file areas is restricted to VA personnel
                and authorized contractors with a legitimate need for the information
                in the performance of their official duties. Strict control measures
                are enforced to ensure that access by these individuals is
                appropriately limited. Contractor and VCS employees are required to
                complete and adhere to annual VA security and privacy awareness
                training and rules of behavior and are VA cleared. Access is controlled
                by individual unique passwords or codes, which must be changed
                periodically by the users.
                 2. Physical access to the contractor's data processing center is
                generally restricted to contractor employees, custodial personnel,
                Federal Protective Service, and other security personnel. Access to
                computer rooms is restricted to authorized operational personnel
                through electronic locking devices. All other persons gaining access to
                computer rooms are escorted. The only personnel who are able to
                physically access SDO are the Contractor's IT Team and emergency
                responders.
                 3. All data transmissions are encrypted to prevent disclosure of
                protected Privacy Act information. Access to backup copies of data is
                restricted to authorized personnel in the same manner as the data
                processing center.
                 Record Access Procedure is being amended to include for the POS
                Help Desk, individuals seeking information regarding access to and
                contesting of records in this system may write, call, or visit the VCS'
                Chief, Business Operations and Support at the Veterans Canteen Service
                Central Office (VCSCO), St. Louis, Missouri 63125; telephone; (314)
                845-1200.
                 Notification Procedure is being amended to include for the POS Help
                Desk and eCommerce Site, individuals who wish to determine whether the
                system contains records about them should contact the VCS Chief,
                Business Operations and Support at the Veterans Canteen Service Central
                Office (VCSCO), St. Louis, Missouri 63125; telephone; (314) 845-1200.
                Inquiries should contain the person's full name, date(s) of contact,
                and return address.
                 The Report of Intent to Amend a System of Records Notice and an
                advance copy of the system notice have been sent to the appropriate
                Congressional committees and to the Director of the Office of
                Management and Budget (OMB) as required by 5 U.S.C. Sec. 552a(r)
                (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12,
                2000.
                 Signing Authority: The Senior Agency Official for Privacy, or
                designee, approved this document and authorized the undersigned to sign
                and submit the document to the Office of the Federal Register for
                publication electronically as an official document of the Department of
                Veterans Affairs. F. John Buck, Director, Office of Privacy Information
                and Identity Protection, Office of Quality, Privacy and Risk, Office of
                Information and Technology, Department of Veterans Affairs,
                [[Page 7392]]
                approved this document on June 5, 2018 for publication.
                 Dated: February 4, 2020.
                Amy L. Rose,
                Program Analyst, VA Privacy Service, Department of Veterans Affairs.
                SYSTEM NAME:
                 Veterans Canteen Service (VCS) Payroll Deduction Program (PDP),
                Point of Sale (POS) Help Desk and eCommerce--VA (117VA10NA6)
                SECURITY CLASSIFICATION:
                 Unclassified.
                SYSTEM LOCATION:
                 Individual PDP purchase records are maintained in the VCS office at
                each Department of Veterans Affairs (VA) health care facility.
                Addresses for VA facilities are listed in VA Appendix 1. In addition,
                information from these records or copies of records is maintained in a
                centralized electronic database at the Austin Information Technology
                Center (AITC), 1615 East Woodward Street, Austin, TX 78772.
                 For the POS Help Desk, information is maintained on a contractor
                owned-data center located in their Service-Desk Online (SDO) system in
                Coventry, United Kingdom (UK). For the eCommerce Site, data is
                maintained in a contracted data center located at the Phoenix, Arizona
                hosting site.
                SYSTEM MANAGER(S):
                 PDP official responsible for policies and procedures: Office of the
                Chief Financial Officer, Veterans Canteen Service (103), Department of
                Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420.
                Officials maintaining the system: Chief of the Canteen Service at the
                facility where the individuals were associated. Addresses for VA
                facilities are listed in VA Appendix 1.
                 For POS Help Desk and eCommerce Site, official responsible for
                policies and procedures: Office of the Business Operations and Support,
                Veterans Canteen Service (103), Department of Veterans Affairs, 810
                Vermont Avenue NW, Washington, DC 20420. Addresses for VA facilities
                are listed in VA Appendix 1.
                AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
                 Title 38, United States Code, Part V, Chapter 78.
                PURPOSE(S) OF THE SYSTEM:
                 PDP records and information will be used to track customer
                purchases, payments and balances due to VCS. Records and information
                may also be used for the purpose of debt collection. The records and
                information may be used for management and analysis reports of VCS
                programs.
                 For the POS Help Desk and eCommerce Site, the VCS System of Records
                allows authorized VCS contractors to collect data relevant to system
                processing to include addresses, phone numbers, user's first and last
                name, and Email addresses for the purposes of sustaining order
                fulfillment, payment processing, in-take, troubleshooting and triaging
                of VCS call tickets. Issues concerning the operation and maintenance of
                the must be reported by the end user to a VCS contracted designated
                help desk employee who has been designated to resolve the issue.
                Records are used to identify issues, conduct follow-up of unresolved
                issues, generate reports, perform trend analysis and notify VCS
                management of results from treading to include types of call tickets
                and call ticket volume. The VCS system of records allows authorized VCS
                employees and contractors to collect VCS canteen addresses, VCS canteen
                phone numbers, VCS system users first and last name and VCS employee's
                VA Email addresses through an incident management system for the
                purposes of in-taking, troubleshooting and triaging VCS call tickets.
                The records on the eCommerce Site will be further used to deliver a
                commercial grade eCommerce platform that will include the ability to
                provide site customizations and product recommendations based on user
                browsing patterns, and modern order fulfillment and payment processing
                methods.
                CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
                 The individuals covered by the system encompass permanent VA
                employees, also known as customers, who participate in the VCS Payroll
                Deduction System, which permits them to pay for purchases in VCS
                canteens through deduction from their pay. For the POS Help Desk, the
                individuals covered by the system encompass VCS employees. The VCS
                eCommerce site covers the VCS customer base which includes Veterans
                enrolled in VA's health care system, their families, caregivers, VA
                employees, volunteers, and visitors.
                CATEGORIES OF RECORDS IN THE SYSTEM:
                 These records include the following Information for PDP:
                 --Customer identification information such as last name, first
                name, middle initial, social security number;
                 --Customer purchases made under the program;
                 --Timestamps for payments;
                 --Payroll payments, cash payments, refunds for returned
                merchandise, and refunds for overpayments;
                 --Customer account balances and amounts written-off as
                uncollectible;
                 --Customer pay status when customer is in a ``without pay'' status;
                 --Identification of VCS employees creating customer transactions is
                by manual or electronic data capture. Manual transactions can be traced
                by a user ID within the payroll deduction system that identifies the
                individual entering the manual transaction. Electronic transactions can
                be traced by cashier code of the cashier ringing the transaction into
                the cash register; and
                 --Customer station number and canteen of purchase.
                 The POS Help Desk and eCommerce Site records include the following
                identification information:
                 --User First and Last Name, Prefix, Suffix;
                 --User Email address;
                 --User Gender;
                 --User Date of Birth;
                 --User Address, City, State, and Postal Zip Code;
                 --User Military Affiliation;
                 --User Site Behavioral Patterns;
                 --User Site Purchase History;
                 --User Phone Number;
                 --User PDP Account Number;
                 --User PDP Account Balance;
                 --User Date of Purchase;
                 --User Purchase Amount;
                 --User ICN;
                 --User Security ID;
                 --User Assurance Level;
                 --User Credential Service Identifier;
                 --User Identifier;
                 --User Hash;
                 --User Authentication Time;
                 --Credit Card Number;
                 --Credit Card CVV;
                 --Credit Card Date of Expiration;
                 --PayPal credentials;
                 --VCS canteen location including Address, City, State and Postal
                Zip Code;
                 --VCS canteen Phone Number; and
                 --Description of System or Application Issue.
                RECORD SOURCE CATEGORIES:
                 Information in this system of records is provided by the customers
                who participate in the PDP program, users of the VCS eCommerce Site, VA
                employees and various VA systems.
                 The POS Help Desk information in this system of records is provided
                by authorized users who call, Email or submit a call ticket to a VCS
                contracted vendor in order to report a system, application or
                operational issue relative to the system.
                [[Page 7393]]
                ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
                OF USERS AND THE PURPOSES OF SUCH USES:
                 To the extent that records contained in the system include
                information protected by 45 CFR parts 160 and 164, i.e., individually
                identifiable health information, and 38 U.S.C. 7332, i.e., medical
                treatment information related to drug abuse, alcoholism or alcohol
                abuse, sickle cell anemia or infection with the human immunodeficiency
                virus, that information cannot be disclosed under a routine use unless
                there is also specific statutory authority in 38 U.S.C. 7332 and
                regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
                 1. VA may disclose information from this system of records to a
                private debt collection agent for the purpose of collecting unpaid
                balances from customers who have left VA employment without making full
                payment for purchases made under the program.
                 2. VA may disclose information from this system of records to the
                U.S. Treasury Offset Program (TOPS) for the purpose of collecting
                unpaid balances from customers who have left VA employment without
                making full payment for purchases made under the program. VA needs to
                be able to collect unpaid balances from customers who have left VA
                employment without making full payment to VCS for purchases made under
                the program.
                 3. Disclosure may be made to the Federal Labor Relations Authority
                (FLRA), including its General Counsel, when requested in connection
                with investigation and resolution of allegations of unfair labor
                practices, in connection with the resolution of exceptions to
                arbitrator awards when a question of material fact is raised, and in
                connection with matters before the Federal Service Impasses Panel. The
                release of information to FLRA from this Privacy Act system of records
                is necessary to comply with the statutory mandate under which FLRA
                operates.
                 4. Disclosure may be made to officials of labor organizations
                recognized under 5 U.S.C. chapter 71 when relevant and necessary to
                their duties of exclusive representation concerning personnel policies,
                practices, and matters affecting working conditions.
                 5. Disclosure may be made to officials of the Merit Systems
                Protection Board, including the Office of the Special Counsel, when
                requested in connection with appeals, special studies of the civil
                service and other merit systems, review of rules and regulations,
                investigation of alleged or possible prohibited personnel practices,
                and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as
                may be authorized by law.
                 6. Disclosure may be made to the Equal Employment Opportunity
                Commission when requested in connection with investigations of alleged
                or possible discrimination practices, examination of Federal
                affirmative employment programs, compliance with the Uniform Guidelines
                of Employee Selection Procedures, or other functions vested in the
                Commission by the President's Reorganization Plan No. 1 of 1978.
                 7. A record from a system of records maintained by this component
                may be disclosed as a routine use to the National Archives and Records
                Administration (NARA) for the purpose of records management inspections
                conducted under authority of Title 44 United States Code. NARA is
                responsible for archiving old records no longer actively used but which
                may be appropriate for preservation; they are responsible in general
                for the physical maintenance of the Federal government's records. VA
                must be able to turn records over to these agencies in order to
                determine the proper disposition of such records.
                 8. Disclosure of relevant information may be made to individuals,
                organizations, private or public agencies, etc., with whom VA has a
                contract or agreement to perform such services as VA may deem
                practicable for the purposes of laws administered by VA, in order for
                the contractor or subcontractor to perform the services of the contract
                or agreement. VA occasionally contracts out certain functions when this
                would contribute to effective and efficient operations. VA must be able
                to give a contractor whatever information is necessary for the
                contractor to fulfill its duties. In these situations, safeguards are
                provided in the contract prohibiting the contractor from using or
                disclosing the information for any purpose other than that described in
                the contract.
                 9. Disclosure from a system of records maintained by this component
                may be made to a Congressional office from the record of an individual
                in response to an inquiry from the Congressional office made at the
                request of that individual. Individuals sometimes request the help of a
                member of Congress in resolving some issues relating to a matter before
                VA. The member of Congress then writes VA, and VA must be able to give
                sufficient information to be responsive to the inquiry.
                 10. Disclosure may be made to a Federal, State or local agency,
                upon its official request, to the extent that it is relevant and
                necessary to that agency's decision regarding: The hiring, retention or
                transfer of an employee, the issuance of a security clearance, the
                letting of a contract, or the issuance or continuance of a license,
                grant or other benefit given by that agency. However, in accordance
                with an agreement with the U.S. Postal Service, disclosures to the U.S.
                Postal Service for decisions concerning the employment of veterans will
                only be made with the Veteran's prior written consent. VA must be able
                to provide information to agencies conducting background checks on
                applicants for employment or licensure.
                 11. VA may disclose information in this system of records to the
                Department of Justice (DoJ), either on VA's initiative or in response
                to DoJ's request for the information, after either VA or DoJ determines
                that such information is relevant to DoJ's representation of the United
                States or any of its components in legal proceedings before a court or
                adjudicative body, provided that, in each case, the agency also
                determines prior to disclosure that release of the records to the DoJ
                is limited to circumstances where relevant and necessary to the
                litigation. VA may disclose records in this system of records in legal
                proceedings before a court or administrative body after determining
                that release of the records to the court or administrative body is
                limited to circumstances where relevant and necessary to the
                litigation.
                 12. VA may disclose any information in this system, except the
                names and home addresses of Veterans and their dependents, which is
                relevant to a suspected or reasonably imminent violation of law,
                whether civil, criminal or regulatory in nature and whether arising by
                general or program statute or by regulation, rule or order issued
                pursuant thereto, to a Federal, State, local, tribal, or foreign agency
                charged with the responsibility of investigating or prosecuting such
                violation, or charged with enforcing or implementing the statute,
                regulation, rule or order. VA may also disclose the names and addresses
                of Veterans and their dependents to a Federal agency charged with the
                responsibility of investigating or prosecuting civil, criminal or
                regulatory violations of law, or charged with enforcing or implementing
                the statute, regulation, rule or order issued pursuant thereto.
                 13. Disclosure to other Federal agencies may be made to assist such
                agencies in preventing and detecting possible fraud or abuse by
                individuals in their operations and programs.
                 14. VA may disclose any information or records to appropriate
                agencies, entities, and persons when (1) VA
                [[Page 7394]]
                suspects or has confirmed that there has been a breach of the system of
                records; (2) VA has determined that as a result of the suspected or
                confirmed breach there is a risk to individuals, VA (including its
                information systems, programs, and operations), the Federal Government,
                or national security; and (3) the disclosure made to such agencies,
                entities, or persons is reasonably necessary to assist in connection
                with VA efforts to respond to the suspected or confirmed breach or to
                prevent, minimize, or remedy such harm.
                 15. VA may disclose information from this system to another Federal
                agency or Federal entity, when VA determines that information from this
                system of records is reasonably necessary to assist the recipient
                agency or entity in (1) responding to a suspected or confirmed breach
                or (2) preventing, minimizing, or remedying the risk of harm to
                individuals, the recipient agency or entity (including its information
                systems, programs, and operations), the Federal Government, or national
                security, resulting from a suspected or confirmed breach.
                 16. VA may disclose relevant information to VCS contracted POS and
                eCommerce vendor, in order to provide a single point of contact for all
                incidents relative to the VCS system. This routine use permits VCS
                contracted vendors to use the information to process orders and
                payment, call intake, troubleshoot and triage call tickets as
                appropriate. In some cases, the incident may need to be escalated to a
                third-party vendor or VA Office of Information Technology (OI&T) for
                further review and resolution.
                 17. VA may disclose relevant information to third party vendors to
                analyze product recommendations, perform site customizations, process
                payments, and resolve issues outside the scope of the VCS system
                vendors. This information may include canteen location, contact
                information, canteen manager first and last name, VA Email address,
                issues description, site browsing patterns, purchase history, military
                affiliation, gender, and date of birth. This routine use permits third
                party vendors to triage and troubleshoot customer issues when the VCS
                vendor is unable due to the scope of their contract.
                DISCLOSURE TO CONSUMER REPORTING AGENCIES:
                 Pursuant to 5 U.S.C. 552a(b)(12), VA may disclose records from this
                system to consumer reporting agencies as defined in the Fair Credit
                Reporting Act (15 U.S.C. 168la(f)) or the Federal Claims Collection Act
                of 1966 (31 US.C. 3701(a)(3)).
                POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
                 PDP records are maintained primarily on a computer disk in a
                centralized database system. Paper records of program Participation
                Agreements and individual customer records are maintained in canteen
                office files. The POS Help Desk and eCommerce records are maintained
                electronically within the respective vendors managed service databases.
                POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
                 PDP records are retrieved by name and/or Social Security number of
                the participating VA employees or customers. The POS Help Desk records
                are retrieved by Incident Number. There is typically a three-letter
                mnemonic that identifies the customer with an incremented number
                following the mnemonic. eCommerce Site records can be retrieved by
                Email address or User Identifier data element.
                POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
                 Payroll System Reports which include error reports, ticklers, and
                system operation reports, destroy when related actions are completed or
                when no longer needed, not to exceed 2 years. (N1-GRS-92-4 item 22a).
                Reports providing fiscal information on agency payroll destroy after
                GAO audit or when 3 years old, whichever is sooner. (N1-GRS-92-4 item
                22c). Information Technology Customer Service File records related to
                providing help desk information to customers, including pamphlets,
                responses to Frequently Asked Questions, and other documents prepared
                in advance to assist customers, destroy/delete 1 year after record is
                superseded or obsolete. (N1-GRS-03-1 item 10a). Help desk logs and
                reports and other files related to customer query and problem response;
                query monitoring and clearance; and customer feedback records; and
                related trend analysis and reporting, destroy/delete when 1 year old or
                when no longer needed for review and analysis, whichever is later. (N1-
                GRS-03-1 item 10b).
                ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
                 PDP--
                 1. Access to VA work and file areas is restricted to VA personnel
                with a legitimate need for the information in the performance of their
                official duties. Strict control measures are enforced to ensure that
                access by these individuals is appropriately limited. Information
                stored electronically may be accessed by authorized VCS employees at
                remote locations, including VA health care facilities. Access is
                controlled by individually unique passwords or codes, which must be
                changed periodically by the users.
                 2. Physical access to the Austin VA Data Processing Center is
                generally restricted to Center employees, custodial personnel, Federal
                Protective Service, and other security personnel. VA file areas are
                generally locked after normal duty hours, and the facilities are
                protected from outside access by the Federal Protective Service or
                other security personnel. Access to computer rooms is restricted to
                authorized operational personnel through electronic locking devices.
                All other persons gaining access to computer rooms are escorted.
                 3. All data transmissions are encrypted to prevent disclosure of
                protected Privacy Act information. Access to backup copies of data is
                restricted to authorized personnel in the same manner as the Austin VA
                Data Processing Center.
                 POS Help Desk and eCommerce Site--
                 1. Access to VA work and file areas is restricted to VA personnel
                and authorized contractors with a legitimate need for the information
                in the performance of their official duties. Strict control measures
                are enforced to ensure that access by these individuals is
                appropriately limited. Contractors and VCS employees are required to
                annually complete and adhere to VA security and privacy awareness
                training and sign the rules of behavior. Access is controlled by
                individual unique passwords or codes, which must be changed
                periodically by the users.
                 2. Physical access to the contractor's data processing center is
                generally restricted to contractor employees, custodial personnel,
                Federal Protective Service, and other security personnel. Access to
                computer rooms is restricted to authorized personnel through electronic
                locking devices. All other persons gaining access to computer rooms are
                escorted. The only personnel who are provided physical access are the
                Contractor's Information Technology (IT) Team and emergency responders.
                 3. All data transmissions are encrypted to prevent disclosure of
                protected information. Access to backup copies of data is restricted to
                authorized personnel in the same manner as the AITC.
                [[Page 7395]]
                RECORD ACCESS PROCEDURE:
                 Individuals seeking information regarding PDP access to and
                contesting of records in this system may write, call, or visit the VCS
                Payroll Deduction Program Specialist at the Veterans Canteen Service
                Central Office (VCSCO- FC), St. Louis, Missouri 63125; telephone: (314)
                845-1301.
                 For the POS Help Desk or VCS eCommerce Site, individuals seeking
                information regarding access to and contesting of records in this
                system may write, call, or visit the VCS' Chief, Business Operations
                and Support at the Veterans Canteen Service Central Office (VCSCO), St.
                Louis, Missouri 63125; telephone; (314) 845-1200.
                CONTESTING RECORD PROCEDURES:
                 (See Record Access Procedures above.)
                NOTIFICATION PROCEDURE:
                 Individuals who wish to determine whether this system of records
                contains PDP records about them should contact the VCS Payroll
                Deduction Program Specialist at the Veterans Canteen Service Central
                Office (VCSCO-FC), St. Louis, Missouri 63125; telephone: (314) 845-
                1301. Inquiries should include the person's full name, Social Security
                number, date(s) of contact, and return address.
                 For the POS Help Desk and VCS eCommerce Site, individuals who wish
                to determine whether the system contains records about them should
                contact the VCS Chief, Business Operations and Support at the Veterans
                Canteen Service Central Office (VCSCO), St. Louis, Missouri 63125;
                telephone; (314) 845-1200. Inquiries should contain the person's full
                name, date(s) of contact, and return address.
                EXEMPTIONS PROMULGATED FOR THE SYSTEM:
                 None.
                HISTORY:
                 Last full publication provided in 75 FR 26851 dated May 12, 2010.
                [FR Doc. 2020-02480 Filed 2-6-20; 8:45 am]
                BILLING CODE 8320-01-P
                

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT