Privacy Act of 1974, 9620-9624 [E8-3291]

Download as PDF 9620 Federal Register / Vol. 73, No. 35 / Thursday, February 21, 2008 / Notices pwalker on PROD1PC71 with NOTICES nature of the information collection and its expected cost and burden; it includes the actual data collection instrument. DATE: Comments must be submitted on or before March 24, 2008. ADDRESSES: Submit written comments on the collection of information through www.Regulations.gov or to VA’s OMB Desk Officer, OMB Human Resources and Housing Branch, New Executive Office Building, Room 10235, Washington, DC 20503, (202) 395–7316. Please refer to ‘‘OMB Control No. 2900– 0114’’ in any correspondence. FOR FURTHER INFORMATION CONTACT: Denise McLamb, Records Management Service (005R1B), Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, (202) 461– 7485, FAX (202) 273–0443 or e-mail denise.mclamb@mail.va.gov. Please refer to ‘‘OMB Control No. 2900–0114.’’ SUPPLEMENTARY INFORMATION: Title: Statement of Marital Relationship, VA Form 21–4170. OMB Control Number: 2900–0114. Type of Review: Extension of a currently approved collection. Abstract: VA Form 21–4170 is completed by individuals claiming to be common law widows/widowers of deceased veterans and by veterans and their claimed common law spouses to establish marital status. VA uses the information collected to determine whether a common law marriage was valid under the law of the place where the parties resided at the time of the marriage or under the law of the place where the parties resided when the right to benefits accrued. An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a currently valid OMB control number. The Federal Register Notice with a 60-day comment period soliciting comments on this collection of information was published on October 1, 2007, at page 55861. Affected Public: Individuals or households. Estimated Annual Burden: 2,708 hours. Estimated Average Burden per Respondent: 25 minutes. Frequency of Response: On occasion. Estimated Number of Respondents: 6,500. Dated: February 12, 2008. By direction of the Secretary. Denise McLamb, Program Analyst, Records Management Service. [FR Doc. E8–3245 Filed 2–20–08; 8:45 am] BILLING CODE 8320–01–P VerDate Aug<31>2005 16:34 Feb 20, 2008 Jkt 214001 DEPARTMENT OF VETERANS AFFAIRS National Research Advisory Council; Notice of Meeting The Department of Veterans Affairs (VA) gives notice under Public Law 92– 463 (Federal Advisory Committee Act) that the National Research Advisory Council will hold a meeting on Monday, April 14, 2008 in Room 900 at the Greenhoot Cohen Building, 1722 Eye Street, NW., Washington, DC. The meeting will convene at 8:30 a.m. and end at 1 p.m. The meeting is open to the public. The purpose of the Council is to provide external advice and review for VA’s research mission. The April 14 meeting agenda will include a review of the VA research portfolio. The Council will also provide feedback on the direction/focus of VA’s research initiatives. Any member of the public who expects to attend the meeting or wants additional information should contact Jay A Freedman, PhD, Designated Federal Officer, at (202) 254–0267. Oral comments from the public will not be accepted at the meeting. Written statement or comments should be transmitted electronically to jay.freedman@va.gov or mailed to Dr. Freedman at Department of Veterans Affairs, Office of Research and Development (12), 810 Vermont Avenue, Washington, DC 20420. Dated: February 14, 2008. By Direction of the Secretary. E. Philip Riggin, Committee Management Officer. [FR Doc. 08–782 Filed 2–20–08; 8:45 am] BILLING CODE 8320–01–M DEPARTMENT OF VETERANS AFFAIRS Privacy Act of 1974 AGENCY: Department of Veterans Affairs (VA). Notice of amendment to system of records. ACTION: SUMMARY: The Privacy Act of 1974, 5 U.S.C. 522a (e), requires that all agencies publish in the Federal Register a notice of the existence and character of their systems of records. Notice is hereby given that VA is amending the system of records entitled ‘‘Center for Veterans Enterprise VA VetBiz Vendor Information Pages (VIP)’’ (123VA00VE) as set forth in the Federal Register 68 FR 26685. VA is amending the system by revising the System Name, Categories PO 00000 Frm 00105 Fmt 4703 Sfmt 4703 of Individuals Covered by the System, Categories of Records in the System, Authority for Maintenance of the System, Routine Uses of Records Maintained in the System, including Categories of Users and the Purposes of Such Uses, Retrievability, and Safeguards. VA is also adding data elements to the System Notice required by the Federal Register Document Drafting Handbook. VA is republishing the system notice in its entirety. DATES: Comments on the amendment of this system of records must be received no later than March 24, 2008. If no public comment is received, the amended system will become effective March 24, 2008. ADDRESSES: Written comments may be submitted through www.Regulations.gov; by mail or handdelivery to the Director, Regulations Management (00REG), Department of Veterans Affairs, 810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273–9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday (except holidays). Please call (202) 461–4902 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS). FOR FURTHER INFORMATION CONTACT: Kelsey Mortimer II (00VE), Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, telephone number (202) 303–3260 ext 5246. SUPPLEMENTARY INFORMATION: I. Description of the Proposed Amendments to System of Records ‘‘Center for Veterans Enterprise (CVE) VA VetBiz Vendor Information Pages (VIP)’’ (123VA00VE) The Department of Veterans Affairs is amending the VetBiz system of records notice to implement legal requirements that became applicable to the system since the last publication of the system notice by the Agency. The legal requirements are imposed by legislation and government-wide direction of the Office of Management and Budget (OMB), as well as paragraph 3.12 of the Federal Register Document Drafting Handbook. In December 2006, Congress enacted the Veterans Benefits, Health Care and Information Technology Act of 2006 (Act), Public Law 109–461, 120 Stat. 3403. Section 502(a)(1) of the Act created a new section 8127 of title 38, United States Code, 38 U.S.C. 8127. E:\FR\FM\21FEN1.SGM 21FEN1 pwalker on PROD1PC71 with NOTICES Federal Register / Vol. 73, No. 35 / Thursday, February 21, 2008 / Notices Subsection 8127 requires the Secretary of Veterans Affairs to create and maintain a database of veteran-owned small businesses. Veterans’ participation in the database is voluntary. VA was maintaining such a database prior to enactment of section 8127; the contents of the database are covered by the system of records notice published at 68 FR 26685. Section 8127 requires VA to verify specific information concerning the veteran business owners who choose to be listed in the database. VA is required to verify that the business is owned and controlled by a veteran or eligible surviving spouse, and if a veteran indicates that s/he has a serviceconnected disability, VA is required to verify the service-disabled status of the veteran. The term service-connected disability means a disability that the individual incurred or had it aggravated in the line of duty in active military, naval or air service. The Veterans Benefits Administration (VBA) makes these decisions, and maintains the records of the service-disabled status of individuals. The VetBiz program will verify the three items of information in two ways. First, VA will ask the small business owners to provide certain information about the ownership and control of their businesses. VA has obtained OMB approval (2900–0675) of the form that VA intends to use to collect this information, and therefore has authority to use the form under OMB’s regulations implementing the Paperwork Reduction Act. 5 CFR Part 1320. Second, the VetBiz program will verify through VBA the service-disabled status of any veteran or eligible surviving spouse who decides to participate in the program, and claims service-disabled status. Section 8127 requires VA to make the database available to all Federal departments and agencies, and make portions of the database publicly available. However, section 8127(f)(6) states that if the Secretary determines that the public dissemination of certain types of information maintained in the database is inappropriate, the Secretary shall take such steps as are necessary to maintain such types of information in a secure and confidential manner. The database will contain information that VA needs to administer the program and assist veteran-owned small businesses. In the normal course of administering the program, VA may share limited personal data with other government entities. VA will not disclose veteran’s personal information or data in the public portion of the database. The Act also added a new subchapter III, Information Security, to Chapter 57 VerDate Aug<31>2005 16:34 Feb 20, 2008 Jkt 214001 of title 38, United States Code. Section 5724 requires VA to conduct an independent risk analysis (IRA) when VA has experienced a data breach involving the sensitive personal information of those individuals. The section also requires VA to provide credit protection services to those individuals if VA determines after the IRA that there is a reasonable risk for potential misuse of the individuals’ sensitive personal information. In order to conduct the independent risk analysis and provide credit protection services, if appropriate, VA will have to disclose the sensitive personal information of these individuals to the entities performing the IRA and providing the credit protection services. Because the sensitive personal information is contained in this system of records, VA needs to add a routine use to the system of records permitting these disclosures. In addition to the requirements of section 5724, the Office of Management and Budget (OMB) issued OMB Memorandum M–07–16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007, which is publicly available at http://www.whitehouse.gov/ omb/memoranda/fy2007/m07–16.pdf. This Memorandum requires agencies to promulgate a routine use to permit agencies to disclose information to those persons or entities that may assist in notification of individuals of a data breach or prevent or minimize the harms from a data breach. Attachment 2, section B2. The Agency is promulgating one routine use that enables VA to meet its responsibilities under both section 5724 and OMB Memorandum M–07–16. Turning to the substantive amendments to the System Notice, VA is amending the System Name to include the abbreviation for the Vendor Information Pages (VIP) because it is the Agency’s experience that individuals, agencies and vendors interacting with the system commonly use the abbreviation when referring to the program. To comply with paragraph 3.12 of the Federal Register Document Drafting Handbook, VA is adding a statement that this system of records does not contain classified information. The Department is amending the Categories of Individuals Covered by the System to clarify that the System Notice only covers individual veterans who have applied to have their company included in the VetBiz database, and after the veteran is deceased, their qualifying surviving spouse as provided in section 8127(h). PO 00000 Frm 00106 Fmt 4703 Sfmt 4703 9621 The Department is amending the Categories of Records covered to reflect the personal information about veteran business owners maintained in the system. The information about participating veterans and about their companies is maintained in one, combined database. However, the Privacy Act only applies to information about individuals retrieved by their names; it does not apply to information about their companies, except to the extent that the information is also personal information about them. This interpretation of the Privacy Act is consistent with the express language of the Privacy Act, and long-standing OMB guidance on this issue at 40 FR 28948, 28951 (1975). Records in the VetBiz database that are not covered by the Privacy Act and this System Notice generally may include business addresses and other business contact information, information concerning products/services offered, and information pertaining to the business, including Federal contracts. More noncovered data elements are contained in the discussion of ‘‘Retrievability’’ below. VA is amending the Authority for Maintenance of the System to include 38 U.S.C. 8127, which now specifically provides for the maintenance of the VetBiz database. The Federal Register Document Drafting Handbook, paragraph 3.12, states that agencies must include in their System Notice a statement of the purpose for maintaining the System Notice. VA is providing the statement of purpose, namely to assist veterans, including service-disabled veterans, in obtaining Federal contracts and otherwise market their companies. The Department is deleting the section of the System Notice entitled ‘‘Compatibility of the Proposed Routine Uses’’ because that is not one of the data elements that the Document Drafting Handbook requires in the System Notice. However, VA is including this statement in the Report of Intent submitted to OMB and the congressional oversight committees as required in OMB Circular A–130, Appendix I. The Department is amending the Retrievabililty data element to state that VA retrieves information in the VetBiz database covered by the Privacy Act by the names and/or social security numbers. The following information is not covered by the Privacy Act and this System Notice because it is not information about veterans. However, for general information, VA also retrieves information from the VetBiz database by other, non-personal E:\FR\FM\21FEN1.SGM 21FEN1 9622 Federal Register / Vol. 73, No. 35 / Thursday, February 21, 2008 / Notices pwalker on PROD1PC71 with NOTICES elements, including the following: Business name, type, location, previous experience, certifications (e.g. HUBZone, 8(a), etc.), product identifiers (e.g., North American Industry Classification System [NAICS]), and Dun and Bradstreet’s Data Universal Numbering System [DUNS] number, etc. VA is amending the Safeguards data element to state that VA maintains the VetBiz database in accordance with applicable Federal and VA information security requirements. The Department is adding a statement, as required by paragraph 3.12 of the Document Drafting Handbook, that it does not disclose records from this system of records at VA’s initiative to consumer reporting agencies. VA is adding a statement to the System Notice clarifying that VA has not claimed any Privacy Act exemptions under 5 U.S.C. 552a(j) and (k) for records in the system. In addition, the Department has made minor edits to the System Notice for grammar and clarity purposes to reflect plain language. These changes are not, and are not intended to be, substantive, and are not further discussed or enumerated. II. Proposed Routine Use Disclosures of Data in the System VA is proposing to delete one routine use disclosure and add the following routine use disclosures of information that will be maintained in the system. The Department is deleting routine use 3 because it states the purpose for which VA uses the data in the system and belongs in the ‘‘Purpose(s)’’ section of the System Notice. The Department is promulgating a new routine use 3 required of all systems of records of all Federal agencies by the Memorandum from the Office of Management and Budget (M– 07–16), dated May 22, 2007, as discussed above. Further, the disclosures allow VA to respond to a suspected or confirmed data breach, including the conduct of any independent risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727. VA is promulgating a new routine use 4 that authorizes VA to disclose information to law enforcement entities when information in the system is relevant to a suspected or reasonably imminent violation of law. VA must be able to disclose information within its possession on its own initiative that pertains to a violation of law to the appropriate authorities in order for them to investigate and enforce those laws. VA may disclose the names of veterans VerDate Aug<31>2005 16:34 Feb 20, 2008 Jkt 214001 and their dependents only to Federal entities with law enforcement responsibilities under 38 U.S.C. 5701(a) and (f). Accordingly, VA has so limited this routine use. New routine use 5 implements guidance from OMB concerning the promulgation of a routine use permitting disclosure of information to Members of Congress acting on behalf of the record subject. Individuals sometimes request the help of a Member of Congress in resolving some issue relating to a matter before VA. When the Member of Congress writes VA, VA must be able to provide sufficient information to be responsive to the inquiry. This routine use is consistent with guidance from the Office of Management and Budget (OMB), issued on October 3, 1974, that directed all Federal agencies to insert this language in their systems of records. (http:// www.whitehouse.gov/omb/inforeg/ lynn1975.pdf). New routine use 6 implements the statutory requirement that VA provide information to the National Archives and Records Administration (NARA). NARA is responsible for archiving old records no longer actively used but which may be appropriate for preservation and for the physical maintenance of the Federal Government’s records. VA must be able to turn records over to NARA in order to determine the proper disposition of such records, as well as permit NARA to perform its statutory records management responsibilities. New routine use 7 permits VA to disclose information to the United States Department of Justice for use in performing its statutory duties to represent the United States, the Agency and agency officials in litigation. When VA is involved in litigation or an adjudicative or administrative process, or occasionally when another party is involved in litigation or an adjudicative or administrative process, and VA policies or operations could be affected by the outcome of the litigation or process, VA must be able to disclose information to the court, the adjudicative or administrative body, or the parties involved. A determination would be made in each instance that, under the circumstances involved, the purpose served by use of the information in the particular litigation or process is compatible with the purpose for which VA collected the information. This routine use is consistent with OMB guidance issued on May 24, 1985, directing all Federal agencies to promulgate such a routine use (http://www.whitehouse.gov/omb/ inforeg/guidance1985.pdf). PO 00000 Frm 00107 Fmt 4703 Sfmt 4703 The Department is promulgating a new routine use 8 to permit disclosures to contractors who need to see the information in this system to perform a contract with the agency. Appendix I to OMB Circular A–130 states in paragraph 5a(1)(b) that agencies promulgate a routine use to address disclosure of Privacy Act-protected information to contractors in order to perform the contracts for the agency. VA must be able to provide information to contractors or subcontractors with which VA has a contract or agreement in order to perform the services of the contract or agreement. In these situations, safeguards are provided in the contract prohibiting the contractor or subcontractor from using or disclosing the information for any purpose other than that described in the contract. III. Compatibility of the Proposed Routine Uses The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which VA collected the information. In the routine use disclosures described above, except those governed by the Department of Labor (DOL), either the recipient of the information will use the information in connection with a matter relating to one of VA’s programs or to provide a benefit to VA, or disclosure is required by law. The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by the Privacy Act, 5 U.S.C. 552a(r), and guidelines issued by OMB, 65 FR 77677, December 12, 2000. Approved: February 5, 2008. Gordon H. Mansfield, Deputy Secretary of Veterans Affairs. 123VA00VE SYSTEM NAME: Center for Veterans Enterprise (CVE) VA VetBiz Vendor Information Pages (VIP) (123VA00VE). SECURITY CLASSIFICATION: None. This system of records does not contain classified information or records. SYSTEM LOCATION: Records are maintained at the Center for Veterans Enterprise’s office in VA Headquarters, Washington, DC. VA’s Web Operations (WebOps), Third Floor, E:\FR\FM\21FEN1.SGM 21FEN1 Federal Register / Vol. 73, No. 35 / Thursday, February 21, 2008 / Notices 1335 East-West Highway, Silver Spring, MD 20910, maintains the computerized database and Web site. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Veterans who have applied to have their small businesses included in the VetBiz database, and, if deceased, their surviving spouses. CATEGORIES OF RECORDS IN THE SYSTEM: The records in this system include: 1. Identifying information on veterans and the surviving spouses of veterans who apply to have their businesses listed in the VetBiz database, including names and social security numbers. 2. Information documenting the eligibility of veterans to have their businesses listed in the VetBiz database, including service-connected status and information concerning ownership of the business(es) listed in VetBiz, including certifications, and security clearances held. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 38 U.S.C. 8127 and Public Law No. 106–50, as amended. PURPOSE(S): To gather and maintain information on small businesses owned and controlled by veterans, including service-disabled veterans, to enable them to effectively compete for Federal contracts, as well as working with the Small Business Administration in its provision of services to veteran-owned businesses under the Veterans Entrepreneurship and Small Business Development Act of 1999, as amended, Public Law 106–50, 113 Stat. 233. pwalker on PROD1PC71 with NOTICES ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: 1. The Department may disclose information in the system to Federal, State, and local government personnel to assist them in finding veteran-owned businesses to contract with and for purposes of market research, in compliance with their respective procurement regulations and procedures. 2. The Department may disclose information to the general public, including companies and corporate entities, to assist them in locating potential contractors, subcontractors and/or potential teaming partners, for purposes of complying with applicable regulations concerning use of veteranowned businesses. 3. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has VerDate Aug<31>2005 16:34 Feb 20, 2008 Jkt 214001 confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. 4. VA may disclose on its own initiative any information in this system, except the names and addresses of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal, or regulatory in nature and whether arising by general or program statute or by regulation, rule, or order issued pursuant thereto, to a Federal, State, local, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule, or order. VA may also disclose on its own initiative the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order. 5. VA may disclose information to a Congressional office from the record of an individual in response to an inquiry from the Congressional office made on behalf of and at the request of that individual. 6. VA may disclose information to the National Archives and Records Administration (NARA) in records disposition and management inspections conducted under authority of Title 44 of United States Code. 7. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA’s initiative or in response to DoJ’s request for the information, after either VA or DoJ determines that such information is relevant to DoJ’s representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in PO 00000 Frm 00108 Fmt 4703 Sfmt 4703 9623 each case, the agency also determines prior to disclosure that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. 8. VA may disclose information to individuals, organizations, private or public agencies, or other entities with which VA has a contract or agreement, or where there is a subcontract to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement. DISCLOSURES TO CONSUMER REPORTING AGENCIES: None. POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM: STORAGE: The VetBiz VIP will be stored in a computerized database. The system will operate on servers, located at VA’s Web Operations (WebOps), 822 TJ Jackson Drive, Falling Waters, WV 25419. Data backups will reside on appropriate media, according to normal system backup plans for WebOps. The system will be managed by the CVE, in VA Headquarters, Washington, DC. RETRIEVABILITY: Automated records may be retrieved by the names of the veteran business owners and/or their social security numbers. SAFEGUARDS: Read access to the system is via Internet access. WebOps, CVE, and contractor personnel will have access to the system, via VA Intranet and local connections, for management and maintenance purposes and tasks. Access to the Intranet portion of the system is via user-id and password, at officially approved access points. Veteran-owned small businesses will establish and maintain user-ids and passwords for accessing their corporate information under system control. Contracting officers will establish and maintain user-ids and passwords for accessing E:\FR\FM\21FEN1.SGM 21FEN1 9624 Federal Register / Vol. 73, No. 35 / Thursday, February 21, 2008 / Notices non-vital business information. Policy regarding issuance of user-ids and passwords is formulated in VA by the Office of Information and Technology, Washington, DC. Security for data in the VetBiz database complies with applicable statutes, regulations and government-wide and VA policies. The system is configured so that access to the public data elements in the database does not lead to access to the non-public data elements, such as veteran social security number. SYSTEM MANAGER(S) AND ADDRESS: Deputy Director, Center for Veterans Enterprise (00VE), 810 Vermont Avenue, NW., Washington, DC 20420. NOTIFICATION PROCEDURES: Individuals wishing to inquire, whether this system of records contains information about themselves, should contact the Deputy Director, Center for Veterans Enterprise (00VE), 810 Vermont Avenue, NW., Washington, DC 20420. RECORD ACCESS PROCEDURE: RETENTION AND DISPOSAL: pwalker on PROD1PC71 with NOTICES Records will be maintained and disposed of, in accordance with the records disposal authority approved by the Archivist of the United States, the National Archives and Records Administration, and published in Agency Records Control Schedules. VerDate Aug<31>2005 16:34 Feb 20, 2008 Jkt 214001 Individuals seeking access to records about themselves, contained in this system of records, may access the records via the Internet, or submit a written request to the system manager. An individual, who wishes to contest records maintained under his or her Frm 00109 Fmt 4703 Sfmt 4703 RECORD SOURCE CATEGORIES: The information in this system of records is obtained from the following source: a. Information voluntarily submitted by the business owners; and/ or information extracted from CCR database. EXEMPTIONS CLAIMED FOR THE SYSTEM: None. CONTESTING RECORD PROCEDURES: PO 00000 name or other personal identifier, may write or call the system manager. VA’s rules for accessing records, contesting contents and appealing initial agency determinations are published in regulations, set forth in the Code of Federal Regulations. See 38 CFR 1.577, 1.578. [FR Doc. E8–3291 Filed 2–20–08; 8:45 am] BILLING CODE 8320–01–P E:\FR\FM\21FEN1.SGM 21FEN1

Agencies

[Federal Register Volume 73, Number 35 (Thursday, February 21, 2008)]
[Notices]
[Pages 9620-9624]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-3291]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974, 5 U.S.C. 522a (e), requires that all 
agencies publish in the Federal Register a notice of the existence and 
character of their systems of records. Notice is hereby given that VA 
is amending the system of records entitled ``Center for Veterans 
Enterprise VA VetBiz Vendor Information Pages (VIP)'' (123VA00VE) as 
set forth in the Federal Register 68 FR 26685. VA is amending the 
system by revising the System Name, Categories of Individuals Covered 
by the System, Categories of Records in the System, Authority for 
Maintenance of the System, Routine Uses of Records Maintained in the 
System, including Categories of Users and the Purposes of Such Uses, 
Retrievability, and Safeguards. VA is also adding data elements to the 
System Notice required by the Federal Register Document Drafting 
Handbook. VA is republishing the system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than March 24, 2008. If no public comment is 
received, the amended system will become effective March 24, 2008.

ADDRESSES: Written comments may be submitted through 
www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays). Please call (202) 461-4902 for an appointment. In 
addition, during the comment period, comments may be viewed online 
through the Federal Docket Management System (FDMS).

FOR FURTHER INFORMATION CONTACT: Kelsey Mortimer II (00VE), Department 
of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, 
telephone number (202) 303-3260 ext 5246.

SUPPLEMENTARY INFORMATION:

I. Description of the Proposed Amendments to System of Records ``Center 
for Veterans Enterprise (CVE) VA VetBiz Vendor Information Pages 
(VIP)'' (123VA00VE)

    The Department of Veterans Affairs is amending the VetBiz system of 
records notice to implement legal requirements that became applicable 
to the system since the last publication of the system notice by the 
Agency. The legal requirements are imposed by legislation and 
government-wide direction of the Office of Management and Budget (OMB), 
as well as paragraph 3.12 of the Federal Register Document Drafting 
Handbook. In December 2006, Congress enacted the Veterans Benefits, 
Health Care and Information Technology Act of 2006 (Act), Public Law 
109-461, 120 Stat. 3403. Section 502(a)(1) of the Act created a new 
section 8127 of title 38, United States Code, 38 U.S.C. 8127.

[[Page 9621]]

Subsection 8127 requires the Secretary of Veterans Affairs to create 
and maintain a database of veteran-owned small businesses. Veterans' 
participation in the database is voluntary. VA was maintaining such a 
database prior to enactment of section 8127; the contents of the 
database are covered by the system of records notice published at 68 FR 
26685.
    Section 8127 requires VA to verify specific information concerning 
the veteran business owners who choose to be listed in the database. VA 
is required to verify that the business is owned and controlled by a 
veteran or eligible surviving spouse, and if a veteran indicates that 
s/he has a service-connected disability, VA is required to verify the 
service-disabled status of the veteran. The term service-connected 
disability means a disability that the individual incurred or had it 
aggravated in the line of duty in active military, naval or air 
service. The Veterans Benefits Administration (VBA) makes these 
decisions, and maintains the records of the service-disabled status of 
individuals.
    The VetBiz program will verify the three items of information in 
two ways. First, VA will ask the small business owners to provide 
certain information about the ownership and control of their 
businesses. VA has obtained OMB approval (2900-0675) of the form that 
VA intends to use to collect this information, and therefore has 
authority to use the form under OMB's regulations implementing the 
Paperwork Reduction Act. 5 CFR Part 1320. Second, the VetBiz program 
will verify through VBA the service-disabled status of any veteran or 
eligible surviving spouse who decides to participate in the program, 
and claims service-disabled status.
    Section 8127 requires VA to make the database available to all 
Federal departments and agencies, and make portions of the database 
publicly available. However, section 8127(f)(6) states that if the 
Secretary determines that the public dissemination of certain types of 
information maintained in the database is inappropriate, the Secretary 
shall take such steps as are necessary to maintain such types of 
information in a secure and confidential manner. The database will 
contain information that VA needs to administer the program and assist 
veteran-owned small businesses. In the normal course of administering 
the program, VA may share limited personal data with other government 
entities. VA will not disclose veteran's personal information or data 
in the public portion of the database.
    The Act also added a new subchapter III, Information Security, to 
Chapter 57 of title 38, United States Code. Section 5724 requires VA to 
conduct an independent risk analysis (IRA) when VA has experienced a 
data breach involving the sensitive personal information of those 
individuals. The section also requires VA to provide credit protection 
services to those individuals if VA determines after the IRA that there 
is a reasonable risk for potential misuse of the individuals' sensitive 
personal information. In order to conduct the independent risk analysis 
and provide credit protection services, if appropriate, VA will have to 
disclose the sensitive personal information of these individuals to the 
entities performing the IRA and providing the credit protection 
services. Because the sensitive personal information is contained in 
this system of records, VA needs to add a routine use to the system of 
records permitting these disclosures.
    In addition to the requirements of section 5724, the Office of 
Management and Budget (OMB) issued OMB Memorandum M-07-16, Safeguarding 
Against and Responding to the Breach of Personally Identifiable 
Information, May 22, 2007, which is publicly available at http://
www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf. This Memorandum 
requires agencies to promulgate a routine use to permit agencies to 
disclose information to those persons or entities that may assist in 
notification of individuals of a data breach or prevent or minimize the 
harms from a data breach. Attachment 2, section B2. The Agency is 
promulgating one routine use that enables VA to meet its 
responsibilities under both section 5724 and OMB Memorandum M-07-16.
    Turning to the substantive amendments to the System Notice, VA is 
amending the System Name to include the abbreviation for the Vendor 
Information Pages (VIP) because it is the Agency's experience that 
individuals, agencies and vendors interacting with the system commonly 
use the abbreviation when referring to the program.
    To comply with paragraph 3.12 of the Federal Register Document 
Drafting Handbook, VA is adding a statement that this system of records 
does not contain classified information.
    The Department is amending the Categories of Individuals Covered by 
the System to clarify that the System Notice only covers individual 
veterans who have applied to have their company included in the VetBiz 
database, and after the veteran is deceased, their qualifying surviving 
spouse as provided in section 8127(h).
    The Department is amending the Categories of Records covered to 
reflect the personal information about veteran business owners 
maintained in the system. The information about participating veterans 
and about their companies is maintained in one, combined database. 
However, the Privacy Act only applies to information about individuals 
retrieved by their names; it does not apply to information about their 
companies, except to the extent that the information is also personal 
information about them. This interpretation of the Privacy Act is 
consistent with the express language of the Privacy Act, and long-
standing OMB guidance on this issue at 40 FR 28948, 28951 (1975). 
Records in the VetBiz database that are not covered by the Privacy Act 
and this System Notice generally may include business addresses and 
other business contact information, information concerning products/
services offered, and information pertaining to the business, including 
Federal contracts. More non-covered data elements are contained in the 
discussion of ``Retrievability'' below.
    VA is amending the Authority for Maintenance of the System to 
include 38 U.S.C. 8127, which now specifically provides for the 
maintenance of the VetBiz database.
    The Federal Register Document Drafting Handbook, paragraph 3.12, 
states that agencies must include in their System Notice a statement of 
the purpose for maintaining the System Notice. VA is providing the 
statement of purpose, namely to assist veterans, including service-
disabled veterans, in obtaining Federal contracts and otherwise market 
their companies.
    The Department is deleting the section of the System Notice 
entitled ``Compatibility of the Proposed Routine Uses'' because that is 
not one of the data elements that the Document Drafting Handbook 
requires in the System Notice. However, VA is including this statement 
in the Report of Intent submitted to OMB and the congressional 
oversight committees as required in OMB Circular A-130, Appendix I.
    The Department is amending the Retrievabililty data element to 
state that VA retrieves information in the VetBiz database covered by 
the Privacy Act by the names and/or social security numbers. The 
following information is not covered by the Privacy Act and this System 
Notice because it is not information about veterans. However, for 
general information, VA also retrieves information from the VetBiz 
database by other, non-personal

[[Page 9622]]

elements, including the following: Business name, type, location, 
previous experience, certifications (e.g. HUBZone, 8(a), etc.), product 
identifiers (e.g., North American Industry Classification System 
[NAICS]), and Dun and Bradstreet's Data Universal Numbering System 
[DUNS] number, etc.
    VA is amending the Safeguards data element to state that VA 
maintains the VetBiz database in accordance with applicable Federal and 
VA information security requirements.
    The Department is adding a statement, as required by paragraph 3.12 
of the Document Drafting Handbook, that it does not disclose records 
from this system of records at VA's initiative to consumer reporting 
agencies.
    VA is adding a statement to the System Notice clarifying that VA 
has not claimed any Privacy Act exemptions under 5 U.S.C. 552a(j) and 
(k) for records in the system.
    In addition, the Department has made minor edits to the System 
Notice for grammar and clarity purposes to reflect plain language. 
These changes are not, and are not intended to be, substantive, and are 
not further discussed or enumerated.

II. Proposed Routine Use Disclosures of Data in the System

    VA is proposing to delete one routine use disclosure and add the 
following routine use disclosures of information that will be 
maintained in the system.
    The Department is deleting routine use 3 because it states the 
purpose for which VA uses the data in the system and belongs in the 
``Purpose(s)'' section of the System Notice.
    The Department is promulgating a new routine use 3 required of all 
systems of records of all Federal agencies by the Memorandum from the 
Office of Management and Budget (M-07-16), dated May 22, 2007, as 
discussed above. Further, the disclosures allow VA to respond to a 
suspected or confirmed data breach, including the conduct of any 
independent risk analysis or provision of credit protection services as 
provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.
    VA is promulgating a new routine use 4 that authorizes VA to 
disclose information to law enforcement entities when information in 
the system is relevant to a suspected or reasonably imminent violation 
of law. VA must be able to disclose information within its possession 
on its own initiative that pertains to a violation of law to the 
appropriate authorities in order for them to investigate and enforce 
those laws. VA may disclose the names of veterans and their dependents 
only to Federal entities with law enforcement responsibilities under 38 
U.S.C. 5701(a) and (f). Accordingly, VA has so limited this routine 
use.
    New routine use 5 implements guidance from OMB concerning the 
promulgation of a routine use permitting disclosure of information to 
Members of Congress acting on behalf of the record subject. Individuals 
sometimes request the help of a Member of Congress in resolving some 
issue relating to a matter before VA. When the Member of Congress 
writes VA, VA must be able to provide sufficient information to be 
responsive to the inquiry. This routine use is consistent with guidance 
from the Office of Management and Budget (OMB), issued on October 3, 
1974, that directed all Federal agencies to insert this language in 
their systems of records. (http://www.whitehouse.gov/omb/inforeg/
lynn1975.pdf).
    New routine use 6 implements the statutory requirement that VA 
provide information to the National Archives and Records Administration 
(NARA). NARA is responsible for archiving old records no longer 
actively used but which may be appropriate for preservation and for the 
physical maintenance of the Federal Government's records. VA must be 
able to turn records over to NARA in order to determine the proper 
disposition of such records, as well as permit NARA to perform its 
statutory records management responsibilities.
    New routine use 7 permits VA to disclose information to the United 
States Department of Justice for use in performing its statutory duties 
to represent the United States, the Agency and agency officials in 
litigation. When VA is involved in litigation or an adjudicative or 
administrative process, or occasionally when another party is involved 
in litigation or an adjudicative or administrative process, and VA 
policies or operations could be affected by the outcome of the 
litigation or process, VA must be able to disclose information to the 
court, the adjudicative or administrative body, or the parties 
involved. A determination would be made in each instance that, under 
the circumstances involved, the purpose served by use of the 
information in the particular litigation or process is compatible with 
the purpose for which VA collected the information. This routine use is 
consistent with OMB guidance issued on May 24, 1985, directing all 
Federal agencies to promulgate such a routine use (http://
www.whitehouse.gov/omb/inforeg/guidance1985.pdf).
    The Department is promulgating a new routine use 8 to permit 
disclosures to contractors who need to see the information in this 
system to perform a contract with the agency. Appendix I to OMB 
Circular A-130 states in paragraph 5a(1)(b) that agencies promulgate a 
routine use to address disclosure of Privacy Act-protected information 
to contractors in order to perform the contracts for the agency. VA 
must be able to provide information to contractors or subcontractors 
with which VA has a contract or agreement in order to perform the 
services of the contract or agreement. In these situations, safeguards 
are provided in the contract prohibiting the contractor or 
subcontractor from using or disclosing the information for any purpose 
other than that described in the contract.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which VA collected the information. In the routine use 
disclosures described above, except those governed by the Department of 
Labor (DOL), either the recipient of the information will use the 
information in connection with a matter relating to one of VA's 
programs or to provide a benefit to VA, or disclosure is required by 
law.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director of the Office of Management and Budget (OMB) as 
required by the Privacy Act, 5 U.S.C. 552a(r), and guidelines issued by 
OMB, 65 FR 77677, December 12, 2000.

    Approved: February 5, 2008.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
123VA00VE

System Name:
    Center for Veterans Enterprise (CVE) VA VetBiz Vendor Information 
Pages (VIP) (123VA00VE).

Security Classification:
    None. This system of records does not contain classified 
information or records.

System Location:
    Records are maintained at the Center for Veterans Enterprise's 
office in VA Headquarters, Washington, DC. VA's Web Operations 
(WebOps), Third Floor,

[[Page 9623]]

1335 East-West Highway, Silver Spring, MD 20910, maintains the 
computerized database and Web site.

Categories of Individuals Covered by the System:
    Veterans who have applied to have their small businesses included 
in the VetBiz database, and, if deceased, their surviving spouses.

Categories of Records in the System:
    The records in this system include:
    1. Identifying information on veterans and the surviving spouses of 
veterans who apply to have their businesses listed in the VetBiz 
database, including names and social security numbers.
    2. Information documenting the eligibility of veterans to have 
their businesses listed in the VetBiz database, including service-
connected status and information concerning ownership of the 
business(es) listed in VetBiz, including certifications, and security 
clearances held.

Authority for Maintenance of the System:
    38 U.S.C. 8127 and Public Law No. 106-50, as amended.

Purpose(s):
    To gather and maintain information on small businesses owned and 
controlled by veterans, including service-disabled veterans, to enable 
them to effectively compete for Federal contracts, as well as working 
with the Small Business Administration in its provision of services to 
veteran-owned businesses under the Veterans Entrepreneurship and Small 
Business Development Act of 1999, as amended, Public Law 106-50, 113 
Stat. 233.

Routine Uses of Records Maintained in the System Including Categories 
of Users and the Purposes of Such Uses:
    1. The Department may disclose information in the system to 
Federal, State, and local government personnel to assist them in 
finding veteran-owned businesses to contract with and for purposes of 
market research, in compliance with their respective procurement 
regulations and procedures.
    2. The Department may disclose information to the general public, 
including companies and corporate entities, to assist them in locating 
potential contractors, subcontractors and/or potential teaming 
partners, for purposes of complying with applicable regulations 
concerning use of veteran-owned businesses.
    3. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
entity) that rely upon the potentially compromised information; and (3) 
the disclosure is to agencies, entities, or persons whom VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm.
    4. VA may disclose on its own initiative any information in this 
system, except the names and addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal, or regulatory in nature and 
whether arising by general or program statute or by regulation, rule, 
or order issued pursuant thereto, to a Federal, State, local, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule, or order. VA may also disclose on its 
own initiative the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal, or regulatory violations of law, or 
charged with enforcing or implementing the statute, regulation, rule, 
or order.
    5. VA may disclose information to a Congressional office from the 
record of an individual in response to an inquiry from the 
Congressional office made on behalf of and at the request of that 
individual.
    6. VA may disclose information to the National Archives and Records 
Administration (NARA) in records disposition and management inspections 
conducted under authority of Title 44 of United States Code.
    7. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    8. VA may disclose information to individuals, organizations, 
private or public agencies, or other entities with which VA has a 
contract or agreement, or where there is a subcontract to perform such 
services as VA may deem practicable for the purposes of laws 
administered by VA, in order for the contractor or subcontractor to 
perform the services of the contract or agreement.

Disclosures to Consumer Reporting Agencies:
    None.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records in the System:
Storage:
    The VetBiz VIP will be stored in a computerized database. The 
system will operate on servers, located at VA's Web Operations 
(WebOps), 822 TJ Jackson Drive, Falling Waters, WV 25419. Data backups 
will reside on appropriate media, according to normal system backup 
plans for WebOps. The system will be managed by the CVE, in VA 
Headquarters, Washington, DC.

Retrievability:
    Automated records may be retrieved by the names of the veteran 
business owners and/or their social security numbers.

Safeguards:
    Read access to the system is via Internet access. WebOps, CVE, and 
contractor personnel will have access to the system, via VA Intranet 
and local connections, for management and maintenance purposes and 
tasks. Access to the Intranet portion of the system is via user-id and 
password, at officially approved access points. Veteran-owned small 
businesses will establish and maintain user-ids and passwords for 
accessing their corporate information under system control. Contracting 
officers will establish and maintain user-ids and passwords for 
accessing

[[Page 9624]]

non-vital business information. Policy regarding issuance of user-ids 
and passwords is formulated in VA by the Office of Information and 
Technology, Washington, DC. Security for data in the VetBiz database 
complies with applicable statutes, regulations and government-wide and 
VA policies. The system is configured so that access to the public data 
elements in the database does not lead to access to the non-public data 
elements, such as veteran social security number.

Retention and Disposal:
    Records will be maintained and disposed of, in accordance with the 
records disposal authority approved by the Archivist of the United 
States, the National Archives and Records Administration, and published 
in Agency Records Control Schedules.

System Manager(s) and Address:
    Deputy Director, Center for Veterans Enterprise (00VE), 810 Vermont 
Avenue, NW., Washington, DC 20420.

Notification Procedures:
    Individuals wishing to inquire, whether this system of records 
contains information about themselves, should contact the Deputy 
Director, Center for Veterans Enterprise (00VE), 810 Vermont Avenue, 
NW., Washington, DC 20420.

Record Access Procedure:
    Individuals seeking access to records about themselves, contained 
in this system of records, may access the records via the Internet, or 
submit a written request to the system manager.

Contesting Record Procedures:
    An individual, who wishes to contest records maintained under his 
or her name or other personal identifier, may write or call the system 
manager. VA's rules for accessing records, contesting contents and 
appealing initial agency determinations are published in regulations, 
set forth in the Code of Federal Regulations. See 38 CFR 1.577, 1.578.

Record Source Categories:
    The information in this system of records is obtained from the 
following source: a. Information voluntarily submitted by the business 
owners; and/or information extracted from CCR database.

Exemptions Claimed for the System:
    None.

[FR Doc. E8-3291 Filed 2-20-08; 8:45 am]
BILLING CODE 8320-01-P