Privacy Act of 1974; System of Records, 19770-19774 [E7-7440]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 72, Number 75 (Thursday, April 19, 2007)]
[Notices]
[Pages 19770-19774]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-7440]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to an existing System of Records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 (title 5, United States 
Code (U.S.C.), Section 552a(e)), notice is hereby given that the 
Department of Veterans Affairs (VA) is amending the system of records 
currently entitled, ``Shipboard Hazard and Defense Integrated 
Database--VA'' (128VA008A) as set forth in the Federal Register 68 FR 
56379. VA is amending the system by revising the System Number, System 
Name, System Location, Categories of Individuals Covered by the System, 
Categories of Records in the System, Authority for Maintenance of the 
System, Purpose, and Routine Uses of Records Maintained in the System, 
including Categories of Users and the Purposes of Such Uses, the System 
Manager, System Address and Notification and Records Access sections of 
the system notice. VA is republishing the system notice in its 
entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than May 21, 2007. If no public comment is received, 
the new system will become effective May 21, 2007.

ADDRESSES: Written comments may be submitted through

[[Page 19771]]

www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (00REG), U. S. Department of Veterans Affairs, 
810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to 
(202) 273-9026. Copies of comments received will be available for 
public inspection in the Office of Regulation Policy and Management, 
Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through 
Friday (except holidays). Please call (202) 273-9515 for an 
appointment. In addition, during the comment period, comments may be 
viewed online through the Federal Docket Management System.

FOR FURTHER INFORMATION CONTACT: Dat Tran, Director, Data Development 
and Analysis Service, (008A3), U.S. Department of Veterans Affairs, 810 
Vermont Ave., NW., Washington, DC 20420, (202) 273-6482.

SUPPLEMENTARY INFORMATION:

I. Description of the Proposed Amendments to Systems of Records 
``Shipboard Hazard and Defense Integrated Database--VA'' (128VA008A)

    The System Name is changed from ``Shipboard Hazard and Defense 
Integrated Database--VA'' to the ``Chemical and Biological Agent 
Exposure Database--VA'' because the Department of Defense (DoD) will 
provide VA with individually-identified data on individuals whom DoD 
identifies as having been exposed (or possibly exposed) to chemical and 
biological agents while on active duty. The System Number is changed 
from 128VA008A to 128VA008 to reflect the current office within the VA 
Office of Policy and Planning (OPP), previously known as the Office of 
Policy, Planning, and Preparedness, that is the System Manager for the 
system of records.
    VA is changing the System Location to reflect the fact that OPP 
also stores copies of electronic data on a secured server in VA's 
Austin Automation Center. VA is also amending the Storage and 
Safeguards portions of the notice to provide relevant information about 
the storage and safeguards for electronic data stored at the Austin 
Automation Center.
    The Categories of Individuals Covered in the System portion of the 
System notice is amended to include all veterans, not just Project 
Shipboard Hazard and Defense (Project SHAD) and Project 112 veterans, 
whom DoD identifies as having been exposed (or possibly exposed) to 
chemical and biological agents while on active duty.
    VA is expanding the Categories of Records in the System Section to 
include protected health information received from VA's Veterans Health 
Administration (VHA), financial-related information (i.e., VA and other 
Federal benefits etc.) for benefits utilization reports, as well as 
additional data elements from select VA databases currently providing 
information for this system of records. VA is also simplifying the 
description of the categories of records in the system by listing the 
various types of records maintained rather than continuing the current 
``laundry list'' of records. For example, the new notice states that VA 
will maintain ``personal identifiers'' rather than listing name, social 
security number and veteran service number as is done in the current 
notice. VA is not deleting any records from the Categories of Records 
in the System.
    The Authority for Maintenance of the System was previously the 
general regulatory authority of the Secretary of Veterans Affairs, 
section 501 of title 38, U.S.C. VA is revising this section of the 
notice to read title 38, U.S.C. 527, which mandates that the Department 
engage in gathering and conducting statistical analysis on data in 
order to evaluate and improve the delivery of title 38 benefits to 
America's veterans and their dependents.
    VA is amending the Purposes section of the notice to reflect the 
duties that OPP performs with the data under section 527 of title 38, 
U.S.C.
    VA is amending the Policies and Practices for Storing, Retrieving, 
Accessing, Retaining, and Disposing of Records in the System to reflect 
the change in how OPP stores records in VA Central Office. VA is also 
providing information concerning the data stored on the secured server 
at the Austin Automation Center.
    Retrievability is amended to state the other data fields by which 
OPP will retrieve information from this system of records.
    Safeguards are changed to reflect a new storage location, and 
enhanced security measures adopted since VA last published this notice.
    The Systems Managers, Addresses, Notification, and Records Access 
Procedures Sections are amended to reflect new point of contact 
information and organizational name changes.
    The Department has made minor edits to the System Notice for 
grammar and clarity purposes to reflect plain language, including 
changes to routine uses. These changes are not, and are not intended to 
be, substantive, and are not further discussed or enumerated.

II. Proposed Routine Use of Disclosures of Data in the System

    VA is rewriting existing routine uses in the System using plain 
language. The use of plain language in these routine uses does not, and 
is not intended to, change the disclosures authorized under these 
routine uses. VA is amending, deleting, rewriting and reorganizing the 
order of the routine uses in this system of records, as well as adding 
new routine uses.
    VA is amending the preamble before the listing of routine uses to 
state that the Health Insurance Portability and Accountability Act 
(HIPAA) Privacy Rule must also permit disclosure of individually-
identifiable information from the system of records before OPP may 
disclose records under the routine use.
    Routine Use Number 1 is not changed substantively.
    VA is deleting current routine use number 2 because the Agency does 
not disclose information from this system of records under this routine 
use.
    VA is deleting current routine use number 3 because the Agency does 
not disclose information from this system of records under this routine 
use.
    VA is not amending current routine use number 4 substantively, but 
is renumbering it as routine use number 2 in the amended system of 
records notice.
    VA is not amending current routine use number 5, but is renumbering 
it as routine use number 8 in the amended system of records notice.
    VA is amending current routine use number 6 and renumbering it as 
routine use number 3. The new routine use states prior to disclosure 
that OPP will determine: (A) That the disclosure does not violate legal 
or policy limitations under which the record was provided, collected, 
or obtained; (B) that the study purpose (1) cannot be reasonably 
accomplished unless the record is provided in individually-identifiable 
form, and (2) warrants the risk to the privacy of the individual that 
additional exposure of the record might bring; and (C) that the 
recipient has agreed that (1) It will establish (if it hasn't already) 
reasonable administrative, technical, and physical safeguards to 
prevent unauthorized use or disclosure of the record, (2) it will 
remove or destroy the information that identifies the individual at the 
earliest time at which removal or destruction can be accomplished 
consistent with the purpose of the study, unless the recipient has 
presented adequate justification of a study or health nature for 
retaining such information, and (3)

[[Page 19772]]

it will make no further use or disclosure of the record except (a) In 
emergency circumstances affecting the health or safety of any 
individual, (b) for use in another study, under these same conditions, 
and only with prior written authorization of the Department, (c) for 
disclosure to a properly identified person for the purpose of an audit 
related to the study, if information that would enable veterans or 
their dependents to be identified is removed or destroyed at the 
earliest opportunity consistent with the purpose of the audit, or (d) 
when required by law. VA will secure a written statement attesting to 
the recipient's understanding of, and willingness to abide by, these 
provisions.
    In an effort to obtain health and other information, OPP may 
disclose limited individual identification information to another 
Federal agency for the purpose of matching and acquiring information 
held by that agency. Records that are matched with information owned by 
another Federal agency, such as DoD, will not be used for determining 
eligibility of benefits or services through VA or another Federal 
agency.
    VA is renumbering current routine use number 7 as routine use 
number 4 and amending it to more accurately reflect the conditions 
under which VA, on its own initiative, may disclose information from 
this system of records for law enforcement purposes.
    VA is deleting current routine use number 8 because VA does not 
anticipate releasing information from this system of records for the 
purpose stated in current routine use number 8.
    VA is renumbering current routine use number 9 as routine use 
number 5, and amending it to more clearly state when OPP will disclose 
information to the Department of Justice or may itself disclose records 
in litigation involving the United States. In determining whether to 
disclose records under this routine use, VA will comply with the 
guidance promulgated by the Office of Management and Budget (OMB) in a 
May 24, 1985, memorandum entitled ``Privacy Act Guidance--Update'' 
currently posted at https://www.whitehouse.gov/omb/inforeg/
guidance1985.pdf.
    Routine use number 6 is a new routine use authorizing OPP to 
disclose individually-identifiable information to contractors or other 
entities that will provide services to OPP for which the recipient 
needs that information in order to perform the services.
    Routine use number 7 is a new routine use that states the 
circumstances, and to whom, VA may disclose records in order to respond 
to, and minimize possible harm to individuals as a result of a data 
breach. This routine use is promulgated in order to meet VA's statutory 
duties under title 38, U.S.C. 5724 and the Privacy Act.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their authorization for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which we collected the information. In all of the routine 
use disclosures, either the recipient of the information will use the 
information in connection with a matter relating to one of VA's 
programs, will use the information to provide a benefit to VA, or the 
disclosure is required by law.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director of OMB as required by title 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

    Approved: April 5, 2007.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
128VA008

SYSTEM NAME:
    Chemical and Biological Agent Exposure Database--VA''.

SYSTEM LOCATION:
    One location for electronic and paper records, following VA-
approved procedures, is in the Office of the Director, Data Development 
and Analysis Service, (008A3), U.S. Department of Veterans Affairs, 810 
Vermont Ave., NW., Washington, DC 20420. Additionally, electronic 
records are also placed on the Department of Veterans Affairs' (VA's) 
secured server which is housed at VA's Austin Automation Center, 1615 
Woodward St., Austin, TX 78772. Records necessary for a contractor to 
perform under a VA-approved contract are located at the respective 
contractor's facility.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Veterans identified by DoD or another government agency as having 
been exposed to any type of chemical (including psycho-chemical) and 
biological agents during active duty.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records include personal identifiers, residential and 
professional contact data, population demographics, military service-
related data, financial-related data, claims processing codes and 
information, and other VA and non-VA Federal benefit information. 
Additionally, some records may contain DoD health care-related data or 
VHA-originated health care information.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, U.S.C 527.

PURPOSE(S):
    To measure and evaluate on a continuing basis all programs 
authorized under title 38, U.S.C., including analysis and review of 
policy and planning issues affecting VA programs, in order to support 
legislative, regulatory and policy recommendations, initiatives and 
decisions affecting VA programs and activities.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by Title 45, Code of Federal Regulations (CFR) 
Parts 160 and 164 (i.e., individually identifiable health information) 
and title 38, U.S.C. 7332 (i.e., medical treatment information related 
to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or 
infection with the human immunodeficiency virus), that information 
cannot be disclosed under a routine use unless there is also specific 
statutory authority in title 38, U.S.C. 7332 and regulatory authority 
in Title 45, CFR Parts 160 and 164 permitting disclosure.
    1. Disclosure may be made to a congressional office from the record 
of an individual in response to an inquiry from the congressional 
office made at the request of that individual.
    2. Any disclosure from the system of records may be made to the 
National Archives and Records Administration (NARA) in records 
management inspections under title 44, U.S.C.
    3. Any system records may be disclosed to a Federal agency for the 
conduct of research and data analysis to perform a statutory purpose of 
that Federal agency upon the prior written request of that agency, 
provided that there is legal authority under all applicable 
confidentiality statutes and regulations to provide the data and OPP 
has determined prior to the disclosure that OPP data handling 
requirements are satisfied. OPP may disclose limited individual 
identification information to another Federal agency for the purpose of 
matching and acquiring information held by that agency for OPP to use 
for the purposes stated for this system of records.

[[Page 19773]]

    4. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.
    5. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
DoJ is a use of the information contained in the records that is 
compatible with the purpose for which VA collected the records. VA, on 
its own initiative, may disclose records in this system of records in 
legal proceedings before a court or administrative body after 
determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    6. Any system records may be disclosed to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement for the 
performance of the services identified in the contract or agreement. 
The person performing the agreement or contract (or employees of the 
person) also may disclose records covered by the contract or agreement 
to any secondary entity or individual to perform an activity necessary 
to provide to VA the service identified in the contract or agreement as 
permitted under the contract or agreement.
    7. VA may, on its own initiative, disclose information when VA 
reasonably believes that there may have been a data breach with respect 
to information in the system such that the confidentiality or integrity 
of information in the system of records may have been compromised to 
such agencies, entities, and persons who are reasonably necessary to 
assist in connection with the Department's efforts to respond to the 
suspected or confirmed data breach and prevent, minimize, or remedy 
such harm, including conduct of any risk analysis, or provision of 
credit protection services as provided in title 38, U.S.C. 5724.
    8. Disclosure of information, excluding names and address (unless 
furnished by the requestor) for research purposes determined to be 
necessary and proper, may be made to epidemiological and other research 
facilities approved by the Under Secretary for Health.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    VA will not disclose information to consumer reporting agencies.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    OPP's secured records are maintained electronically or remain in 
textual form. All portable storage devices and media are kept in a safe 
when not in immediate use. The devices and other media are located in a 
combination-locked safe which is secured inside a key-accessed room at 
the U.S. Department of Veterans Affairs, 810 Vermont Ave., NW., 
Washington, DC 20420. Other electronic data are placed on VA's 
segregated server which is housed at VA's Austin Automation Center, 615 
Woodward St., Austin, TX 78772. Information stored on paper is kept 
locked in file cabinets when not in immediate use. Databases are 
temporarily placed on a secured server inside a restricted network area 
for data match purposes only. Information that resides on a segregated 
server is kept behind cipher locked doors with limited access. 
Requestors of OPP stored health information within VA, or from external 
individuals, contractors, organizations, and/or agencies with whom VA 
has a contract or agreement, must provide an equivalent level of 
security protection and comply with all applicable VA policies and 
procedures for storage and transmission as codified in VA directives 
such as but not limited to VA Directive 6504.

RETRIEVABILITY:
    OPP's records may be retrieved by using a social security number, 
military service number, VA claim or file number, non-VA Federal 
benefit identifiers, and other personal identifiers.

SAFEGUARDS:
    This list of safeguards furnished in this system of records is a 
general statement of measures taken to protect data in this system of 
records and is not an exclusive list of measures taken. Other policies 
and protections apply. For example, HIPAA guidelines for protecting 
health information will be followed by adopting health-care-industry 
best practices in order to provide adequate safeguards. Further, VA 
policy directives that specify the standards that will be applied to 
protect information will be reviewed by VA staff and contractors 
through mandatory data privacy and security training annually.
    All VA offices are protected from unauthorized access by security 
personnel seven days a week. Entrances and exits are monitored by 
security cameras and protected by an alarm system. All VA staff and 
visitors are required to either have a VA-issued employment 
identification card or a temporary visitor identification badge. All 
work stations are secured during daytime and evening hours.
    Electronic data located in Washington, DC, are stored in a 
combination-key-locked safe which is secured inside a limited-access 
room. Authorized employee access to the limited-access room and the 
safe is based upon strict business needs as determined by the Assistant 
Secretary for Policy and Planning. Textual data are stored in key-
locked cabinets inside secured rooms. Access to the server in Austin, 
TX, is generally limited by appropriate locking devices and restricted 
to authorized VA personnel.
    Access to health information provided by VHA pursuant to a Business 
Associate Agreement (BAA) is restricted to those OPP employees and 
contractors who have a need for the information in the performance of 
their official duties related to the terms of the BAA. As a general 
rule, full sets of health care information are not provided for use 
unless authorized by the Assistant Secretary for Policy and Planning. 
File extracts provided for specific official uses will be limited to 
the minimum necessary records and contain only the information fields 
needed for the analysis. Data used for analyses will have individual 
identifying characteristics removed whenever possible.
    Security complies with applicable Federal Information Processing

[[Page 19774]]

Standards (FIPS) issued by the National Institute of Standards and 
Technology (NIST). Health information files containing unique 
identifiers such as social security numbers are encrypted to NIST 
verified FIPS 140-2 standard or higher for storage, transport, or 
transmission. All files stored or transmitted on laptops, workstations, 
or data storage devices are encrypted. Files are kept encrypted at all 
times except when data are in immediate use. These methods are applied 
in accordance with HIPAA Privacy and Security regulations.
    All data requests must be received in writing, vetted through a 
review board, concurred on by the Assistant Secretary for Policy and 
Planning, and released under the auspices of a signed data use 
agreement. File extracts provided for specific official uses will be 
limited to contain only the information fields needed for the analysis. 
Data used for analyses will have individual identifying characteristics 
removed or encrypted whenever possible. Unencrypted sensitive variables 
will only be used for analysis as a last resort.
    In the event of a contract or special project, VA may secure the 
services of contractors and/or subcontractors. In such cases, VA will 
maximize the utilization of encrypted data when possible. Contractors 
and their subcontractors are required to maintain the same level of 
security as VA staff for health care information that has been 
disclosed to them. Any data disclosed to a contractor or subcontractor 
to perform authorized analyses requires the use of Data Use Agreements 
(DUAs), Non-Disclosure Statements and BAAs to protect health 
information. Unless explicitly authorized in writing by VA, sensitive 
or protected data made available to the contractor and subcontractors 
shall not be divulged or made known in any manner to other parties or 
to any person. Other Federal or State agencies requesting health care 
information need to provide DUAs to protect data.

RETENTION AND DISPOSAL:
    Records are destroyed or deleted when no longer needed for 
administrative, legal, audit, or other operational purposes in 
accordance with applicable, approved records disposition authority.
    If the Archivist has not approved disposition authority for any 
records covered by the system notice, the System Manager will take 
immediate action to obtain an approved records disposition authority in 
accordance with VA Handbook 6300.1, Records Management Procedures. The 
records may not be destroyed until VA obtains an approved records 
disposition authority.

SYSTEM MANAGER(S) AND ADDRESS(ES):
    OPP's system manager is the Director, Data Development and Analysis 
Service, (008A3), U.S. Department of Veterans Affairs, 810 Vermont 
Ave., NW., Washington, DC 20420.

NOTIFICATION PROCEDURE:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to determine the contents of such record, should 
submit a written request to the Director, Office of Data Development 
and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont 
Ave., NW., Washington, DC 20420. Such requests must contain a 
reasonable description of the records requested. In addition, 
identification of the individual requesting the information will be 
required in the written request and will minimally consist of the 
requester's name, signature, social security number, address, telephone 
number, and return address.

RECORD ACCESS PROCEDURES:
    Individuals seeking information regarding access to and contesting 
of records maintained by OPP under his or her name or other personal 
identifier may write the System Manager named above and specify the 
information being requested or contested.

CONTESTING RECORDS PROCEDURES:
    (See Notification procedure above.)

RECORD SOURCE CATEGORIES:
    Information is obtained from VHA patient medical records, various 
automated record systems providing clinical and managerial support to 
VA health care facilities, records from VA's Veterans Benefits 
Administration, DoD, and other Federal agencies.

[FR Doc. E7-7440 Filed 4-18-07; 8:45 am]
BILLING CODE 8320-01-P