Privacy Act: Systems of records,
[Federal Register: December 17, 2002 (Volume 67, Number 242)]
[Notices]
[Page 77316-77318]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr17de02-83]
DEPARTMENT OF THE TREASURY
Departmental Offices; Privacy Act of 1974; System of Records
AGENCY: Departmental Offices, Treasury.
ACTION: Notice of proposed Privacy Act system of records.
SUMMARY: In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of the Treasury (Department) gives notice of a proposed system of records entitled ``Treasury/DO .216-- Treasury Security Access Control and Certificates Systems.''
DATES: Comments must be received no later than January 16, 2003. The proposed system of records will be effective January 27, 2003, unless the Department receives comments that would result in a contrary determination.
ADDRESSES: Comments should be sent to Patrick Geary, Director, Physical Security, Department of the Treasury, 1500 Pennsylvania Ave., NW., Washington, DC. E-mail: patrick.geary@do.treas.gov
FOR FURTHER INFORMATION CONTACT: Patrick Geary, Office of Security, (202) 622-1058.
SUPPLEMENTARY INFORMATION: The Department of the Treasury is giving notice of a new system of records which is subject to the Privacy Act. The proposed system of records will maintain Treasury headquarters, Departmental Offices (DO), information on all employees and contractors working in DO for the purpose of providing additional physical and cyber security for DO assets. The new system of records covers three principal areas: (1) Physical access to the Treasury headquarters complex, selected spaces in that complex and other DO spaces; (2) Access to cyber information assets; and (3) Physical access to off-site continuity of operations locations. New
[[Page 77317]]
identification badges will be issued containing the employee's photograph, fingerprint minutia, a public key (PKI) certificate and the employee's social security number.
DO plans to implement a new Access Control System for Treasury headquarters including the Main Treasury and Annex buildings that will utilize new DO identification badges to be issued because of the September 11, 2001 incidents. The new badge will be used to gain access to cyber assets including the DO desktop PC, the DO LAN, DO laptop and notebook computers. Finally, the new badge will be utilized by selected DO staff and contractors involved and/or designated as key personnel during conditions that require activation of the DO COOP locations. The badge, which includes biometrics, will be used as an additional level of security authentication during conditions that involve activation of COOP sites.
The new system of records report, as required by 5 U.S.C. 552a(r) of the Privacy Act, has been submitted to the Committee on Government Reform and Oversight of the House of Representatives, the Committee on Governmental Affairs of the Senate and the Office of Management and Budget, pursuant to Appendix I to OMB Circular A-130, ``Federal Agency Responsibilities for Maintaining Records About Individuals,'' dated November 30, 2000. This system of records, ``Treasury/DO .216--Treasury Security Access Control and Certificates Systems,'' is published in its entirety below.
Dated: December 3, 2002. W. Earl Wright, Jr., Chief Management and Administrative Programs Officer. Treasury/DO .216
System name:
Treasury Security Access Control and Certificates Systems.
System location:
Department of the Treasury, 1500 Pennsylvania Avenue, NW, Washington, DC 20220.
Categories of individuals covered by the system:
Treasury employees, contractors, media representatives, other individuals requiring access to Treasury facilities or to receive government property, and those who need to gain access to a Treasury DO cyber asset including the network, LAN, desktops and notebooks.
Categories of records in the system:
Individual's application for security/access badge, individual's photograph, finger print record, special credentials, allied papers, registers, and logs reflecting sequential numbering of security/access badges. The system also contains information needed to establish accountability and audit control of digital certificates that have been assigned to personnel who require access to Treasury DO cyber assets including the DO network and LAN as well as those who transmit electronic data that requires protection by enabling the use of public key cryptography. It also contains records that are needed to authorize an individual's access to a Treasury network.
Records may include the individual's name, organization, work telephone number, Social Security Number, date of birth, Electronic Identification Number, work e-mail address, username and password, country of birth, citizenship, clearance and status, title, home address and phone number, biometric data including fingerprint minutia, and alias names.
Records on the creation, renewal, replacement or revocation of digital certificates, including evidence provided by applicants for proof of identity and authority, sources used to verify an applicant's identity and authority, and the certificates issued, denied and revoked, including reasons for denial and revocation.
Authority for maintenance of the system:
5 U.S.C. 301; 31 U.S.C. 321; the Electronic Signatures in Global and National Commerce Act, Pub. L. 106-229, and E.O. 9397 (SSN).
Purpose(s):
The purpose is to: Improve security to both Treasury DO physical and cyber assets; maintain records concerning the security/access badges issued; restrict entry to installations and activities; ensure positive identification of personnel authorized access to restricted areas; maintain accountability for issuance and disposition of security/access badges; maintain an electronic system to facilitate secure, on-line communication between Federal automated systems, between Federal employees or contractors, and or the public, using digital signature technologies to authenticate and verify identity; provide a means of access to Treasury cyber assets including the DO network, LAN, desktop and laptops; and to provide mechanisms for non- repudiation of personal identification and access to DO sensitive cyber systems including but not limited to human resource, financial, procurement, travel and property systems as well as tax, econometric and other mission critical systems. The system also maintains records relating to the issuance of digital certificates utilizing public key cryptography to employees and contractors for purpose of the transmission of sensitive electronic material that requires protection.
Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
These records may be used to disclose information to: (1) Appropriate Federal, state, local and foreign agencies for the purpose of enforcing and investigating administrative, civil or criminal law relating to the hiring or retention of an employee; issuance of a security clearance, license, contract, grant or other benefit;
(2) A court, magistrate, or administrative tribunal in the course of presenting evidence, including disclosures to opposing counsel or witnesses in the course of or in preparation for civil discovery, litigation, or settlement negotiations, in response to a subpoena where relevant or potentially relevant to a proceeding, or in connection with criminal law proceedings;
(3) A contractor for the purpose of compiling, organizing, analyzing, programming, or otherwise refining records to accomplish an agency function subject to the same limitations applicable to U.S. Department of the Treasury officers and employees under the Privacy Act;
(4) A Congressional office in response to an inquiry made at the request of the individual to whom the record pertains;
(5) Third parties during the course of an investigation to the extent necessary to obtain information pertinent to the investigation;
(6) The Office of Personnel Management, Merit Systems Protection Board, Equal Employment Opportunity Commission, Federal Labor Relations Authority, and the Office of Special Counsel for the purpose of properly administering Federal personnel systems or other agencies' systems in accordance with applicable laws, Executive Orders, and regulations;
(7) Representatives of the National Archives and Records Administration (NARA) who are conducting records management inspections under authority of 44 U.S.C. 2904 and 2906; and
(8) Other Federal agencies or entities when the disclosure of the existence of the individual's security clearance is
[[Page 77318]]
needed for the conduct of government business.
Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system: Storage:
Records are stored as electronic media and paper records.
Retrievability:
Records are retrieved by individual's name, social security number, electronic identification number and/or access/security badge number.
Safeguards:
Entrance to data centers and support organization offices are restricted to those employees whose work requires them to be there for the system to operate. Identification (ID) cards are verified to ensure that only authorized personnel are present. Disclosure of information through remote terminals is restricted through the use of passwords and sign-on protocols which are periodically changed. Reports produced from the remote printers are in the custody of personnel and financial management officers and are subject to the same privacy controls as other documents of like sensitivity.
Access is limited to authorized employees. Paper records are maintained in locked safes and/or file cabinets. Electronic records are password-protected. During non-work hours, records are stored in locked safes and/or cabinets in locked room.
Protection and control of any sensitive but unclassified (SBU) records are in accordance with TD P 71-10, Department of the Treasury Security Manual. Access to the records is available only to employees responsible for the management of the system and/or employees of program offices who have a need for such information.
Retention and disposal:
The records on government employees and contractor employees are retained for the duration of their employment at the Treasury Department. The records on separated employees are destroyed or sent to the Federal Records Center in accordance with General Records Schedule 18.
System manager(s) and address:
Departmental Offices: Director, Office of Physical Security, 1500 Pennsylvania Ave., NW., Washington, DC 20220.
Notification Procedure:
Individuals seeking notification and access to any record contained in the system of records, or seeking to contest its content, may inquire in accordance with instructions pertaining to individual Treasury components appearing at 31 CFR part 1, subpart C, appendix A.
Record Access Procedures:
See ``Notification procedure'' above.
Contesting Record Procedures:
See ``Notification procedure'' above.
Record source categories:
The information contained in these records is provided by or verified by the subject individual of the record, supervisors, other personnel documents, and non-Federal sources such as private employers.
Exemptions claimed for the system:
None.
[FR Doc. 02-31261 Filed 12-16-02; 8:45 am]
BILLING CODE 4811-16-P
