Privacy Act of 1974, 9620-9624 [E8-3291]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 73, Number 35 (Thursday, February 21, 2008)]
[Notices]
[Pages 9620-9624]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-3291]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of amendment to system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974, 5 U.S.C. 522a (e), requires that all 
agencies publish in the Federal Register a notice of the existence and 
character of their systems of records. Notice is hereby given that VA 
is amending the system of records entitled ``Center for Veterans 
Enterprise VA VetBiz Vendor Information Pages (VIP)'' (123VA00VE) as 
set forth in the Federal Register 68 FR 26685. VA is amending the 
system by revising the System Name, Categories of Individuals Covered 
by the System, Categories of Records in the System, Authority for 
Maintenance of the System, Routine Uses of Records Maintained in the 
System, including Categories of Users and the Purposes of Such Uses, 
Retrievability, and Safeguards. VA is also adding data elements to the 
System Notice required by the Federal Register Document Drafting 
Handbook. VA is republishing the system notice in its entirety.

DATES: Comments on the amendment of this system of records must be 
received no later than March 24, 2008. If no public comment is 
received, the amended system will become effective March 24, 2008.

ADDRESSES: Written comments may be submitted through 
www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays). Please call (202) 461-4902 for an appointment. In 
addition, during the comment period, comments may be viewed online 
through the Federal Docket Management System (FDMS).

FOR FURTHER INFORMATION CONTACT: Kelsey Mortimer II (00VE), Department 
of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, 
telephone number (202) 303-3260 ext 5246.

SUPPLEMENTARY INFORMATION:

I. Description of the Proposed Amendments to System of Records ``Center 
for Veterans Enterprise (CVE) VA VetBiz Vendor Information Pages 
(VIP)'' (123VA00VE)

    The Department of Veterans Affairs is amending the VetBiz system of 
records notice to implement legal requirements that became applicable 
to the system since the last publication of the system notice by the 
Agency. The legal requirements are imposed by legislation and 
government-wide direction of the Office of Management and Budget (OMB), 
as well as paragraph 3.12 of the Federal Register Document Drafting 
Handbook. In December 2006, Congress enacted the Veterans Benefits, 
Health Care and Information Technology Act of 2006 (Act), Public Law 
109-461, 120 Stat. 3403. Section 502(a)(1) of the Act created a new 
section 8127 of title 38, United States Code, 38 U.S.C. 8127.

[[Page 9621]]

Subsection 8127 requires the Secretary of Veterans Affairs to create 
and maintain a database of veteran-owned small businesses. Veterans' 
participation in the database is voluntary. VA was maintaining such a 
database prior to enactment of section 8127; the contents of the 
database are covered by the system of records notice published at 68 FR 
26685.
    Section 8127 requires VA to verify specific information concerning 
the veteran business owners who choose to be listed in the database. VA 
is required to verify that the business is owned and controlled by a 
veteran or eligible surviving spouse, and if a veteran indicates that 
s/he has a service-connected disability, VA is required to verify the 
service-disabled status of the veteran. The term service-connected 
disability means a disability that the individual incurred or had it 
aggravated in the line of duty in active military, naval or air 
service. The Veterans Benefits Administration (VBA) makes these 
decisions, and maintains the records of the service-disabled status of 
individuals.
    The VetBiz program will verify the three items of information in 
two ways. First, VA will ask the small business owners to provide 
certain information about the ownership and control of their 
businesses. VA has obtained OMB approval (2900-0675) of the form that 
VA intends to use to collect this information, and therefore has 
authority to use the form under OMB's regulations implementing the 
Paperwork Reduction Act. 5 CFR Part 1320. Second, the VetBiz program 
will verify through VBA the service-disabled status of any veteran or 
eligible surviving spouse who decides to participate in the program, 
and claims service-disabled status.
    Section 8127 requires VA to make the database available to all 
Federal departments and agencies, and make portions of the database 
publicly available. However, section 8127(f)(6) states that if the 
Secretary determines that the public dissemination of certain types of 
information maintained in the database is inappropriate, the Secretary 
shall take such steps as are necessary to maintain such types of 
information in a secure and confidential manner. The database will 
contain information that VA needs to administer the program and assist 
veteran-owned small businesses. In the normal course of administering 
the program, VA may share limited personal data with other government 
entities. VA will not disclose veteran's personal information or data 
in the public portion of the database.
    The Act also added a new subchapter III, Information Security, to 
Chapter 57 of title 38, United States Code. Section 5724 requires VA to 
conduct an independent risk analysis (IRA) when VA has experienced a 
data breach involving the sensitive personal information of those 
individuals. The section also requires VA to provide credit protection 
services to those individuals if VA determines after the IRA that there 
is a reasonable risk for potential misuse of the individuals' sensitive 
personal information. In order to conduct the independent risk analysis 
and provide credit protection services, if appropriate, VA will have to 
disclose the sensitive personal information of these individuals to the 
entities performing the IRA and providing the credit protection 
services. Because the sensitive personal information is contained in 
this system of records, VA needs to add a routine use to the system of 
records permitting these disclosures.
    In addition to the requirements of section 5724, the Office of 
Management and Budget (OMB) issued OMB Memorandum M-07-16, Safeguarding 
Against and Responding to the Breach of Personally Identifiable 
Information, May 22, 2007, which is publicly available at https://
www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf. This Memorandum 
requires agencies to promulgate a routine use to permit agencies to 
disclose information to those persons or entities that may assist in 
notification of individuals of a data breach or prevent or minimize the 
harms from a data breach. Attachment 2, section B2. The Agency is 
promulgating one routine use that enables VA to meet its 
responsibilities under both section 5724 and OMB Memorandum M-07-16.
    Turning to the substantive amendments to the System Notice, VA is 
amending the System Name to include the abbreviation for the Vendor 
Information Pages (VIP) because it is the Agency's experience that 
individuals, agencies and vendors interacting with the system commonly 
use the abbreviation when referring to the program.
    To comply with paragraph 3.12 of the Federal Register Document 
Drafting Handbook, VA is adding a statement that this system of records 
does not contain classified information.
    The Department is amending the Categories of Individuals Covered by 
the System to clarify that the System Notice only covers individual 
veterans who have applied to have their company included in the VetBiz 
database, and after the veteran is deceased, their qualifying surviving 
spouse as provided in section 8127(h).
    The Department is amending the Categories of Records covered to 
reflect the personal information about veteran business owners 
maintained in the system. The information about participating veterans 
and about their companies is maintained in one, combined database. 
However, the Privacy Act only applies to information about individuals 
retrieved by their names; it does not apply to information about their 
companies, except to the extent that the information is also personal 
information about them. This interpretation of the Privacy Act is 
consistent with the express language of the Privacy Act, and long-
standing OMB guidance on this issue at 40 FR 28948, 28951 (1975). 
Records in the VetBiz database that are not covered by the Privacy Act 
and this System Notice generally may include business addresses and 
other business contact information, information concerning products/
services offered, and information pertaining to the business, including 
Federal contracts. More non-covered data elements are contained in the 
discussion of ``Retrievability'' below.
    VA is amending the Authority for Maintenance of the System to 
include 38 U.S.C. 8127, which now specifically provides for the 
maintenance of the VetBiz database.
    The Federal Register Document Drafting Handbook, paragraph 3.12, 
states that agencies must include in their System Notice a statement of 
the purpose for maintaining the System Notice. VA is providing the 
statement of purpose, namely to assist veterans, including service-
disabled veterans, in obtaining Federal contracts and otherwise market 
their companies.
    The Department is deleting the section of the System Notice 
entitled ``Compatibility of the Proposed Routine Uses'' because that is 
not one of the data elements that the Document Drafting Handbook 
requires in the System Notice. However, VA is including this statement 
in the Report of Intent submitted to OMB and the congressional 
oversight committees as required in OMB Circular A-130, Appendix I.
    The Department is amending the Retrievabililty data element to 
state that VA retrieves information in the VetBiz database covered by 
the Privacy Act by the names and/or social security numbers. The 
following information is not covered by the Privacy Act and this System 
Notice because it is not information about veterans. However, for 
general information, VA also retrieves information from the VetBiz 
database by other, non-personal

[[Page 9622]]

elements, including the following: Business name, type, location, 
previous experience, certifications (e.g. HUBZone, 8(a), etc.), product 
identifiers (e.g., North American Industry Classification System 
[NAICS]), and Dun and Bradstreet's Data Universal Numbering System 
[DUNS] number, etc.
    VA is amending the Safeguards data element to state that VA 
maintains the VetBiz database in accordance with applicable Federal and 
VA information security requirements.
    The Department is adding a statement, as required by paragraph 3.12 
of the Document Drafting Handbook, that it does not disclose records 
from this system of records at VA's initiative to consumer reporting 
agencies.
    VA is adding a statement to the System Notice clarifying that VA 
has not claimed any Privacy Act exemptions under 5 U.S.C. 552a(j) and 
(k) for records in the system.
    In addition, the Department has made minor edits to the System 
Notice for grammar and clarity purposes to reflect plain language. 
These changes are not, and are not intended to be, substantive, and are 
not further discussed or enumerated.

II. Proposed Routine Use Disclosures of Data in the System

    VA is proposing to delete one routine use disclosure and add the 
following routine use disclosures of information that will be 
maintained in the system.
    The Department is deleting routine use 3 because it states the 
purpose for which VA uses the data in the system and belongs in the 
``Purpose(s)'' section of the System Notice.
    The Department is promulgating a new routine use 3 required of all 
systems of records of all Federal agencies by the Memorandum from the 
Office of Management and Budget (M-07-16), dated May 22, 2007, as 
discussed above. Further, the disclosures allow VA to respond to a 
suspected or confirmed data breach, including the conduct of any 
independent risk analysis or provision of credit protection services as 
provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.
    VA is promulgating a new routine use 4 that authorizes VA to 
disclose information to law enforcement entities when information in 
the system is relevant to a suspected or reasonably imminent violation 
of law. VA must be able to disclose information within its possession 
on its own initiative that pertains to a violation of law to the 
appropriate authorities in order for them to investigate and enforce 
those laws. VA may disclose the names of veterans and their dependents 
only to Federal entities with law enforcement responsibilities under 38 
U.S.C. 5701(a) and (f). Accordingly, VA has so limited this routine 
use.
    New routine use 5 implements guidance from OMB concerning the 
promulgation of a routine use permitting disclosure of information to 
Members of Congress acting on behalf of the record subject. Individuals 
sometimes request the help of a Member of Congress in resolving some 
issue relating to a matter before VA. When the Member of Congress 
writes VA, VA must be able to provide sufficient information to be 
responsive to the inquiry. This routine use is consistent with guidance 
from the Office of Management and Budget (OMB), issued on October 3, 
1974, that directed all Federal agencies to insert this language in 
their systems of records. (https://www.whitehouse.gov/omb/inforeg/
lynn1975.pdf).
    New routine use 6 implements the statutory requirement that VA 
provide information to the National Archives and Records Administration 
(NARA). NARA is responsible for archiving old records no longer 
actively used but which may be appropriate for preservation and for the 
physical maintenance of the Federal Government's records. VA must be 
able to turn records over to NARA in order to determine the proper 
disposition of such records, as well as permit NARA to perform its 
statutory records management responsibilities.
    New routine use 7 permits VA to disclose information to the United 
States Department of Justice for use in performing its statutory duties 
to represent the United States, the Agency and agency officials in 
litigation. When VA is involved in litigation or an adjudicative or 
administrative process, or occasionally when another party is involved 
in litigation or an adjudicative or administrative process, and VA 
policies or operations could be affected by the outcome of the 
litigation or process, VA must be able to disclose information to the 
court, the adjudicative or administrative body, or the parties 
involved. A determination would be made in each instance that, under 
the circumstances involved, the purpose served by use of the 
information in the particular litigation or process is compatible with 
the purpose for which VA collected the information. This routine use is 
consistent with OMB guidance issued on May 24, 1985, directing all 
Federal agencies to promulgate such a routine use (https://
www.whitehouse.gov/omb/inforeg/guidance1985.pdf).
    The Department is promulgating a new routine use 8 to permit 
disclosures to contractors who need to see the information in this 
system to perform a contract with the agency. Appendix I to OMB 
Circular A-130 states in paragraph 5a(1)(b) that agencies promulgate a 
routine use to address disclosure of Privacy Act-protected information 
to contractors in order to perform the contracts for the agency. VA 
must be able to provide information to contractors or subcontractors 
with which VA has a contract or agreement in order to perform the 
services of the contract or agreement. In these situations, safeguards 
are provided in the contract prohibiting the contractor or 
subcontractor from using or disclosing the information for any purpose 
other than that described in the contract.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which VA collected the information. In the routine use 
disclosures described above, except those governed by the Department of 
Labor (DOL), either the recipient of the information will use the 
information in connection with a matter relating to one of VA's 
programs or to provide a benefit to VA, or disclosure is required by 
law.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director of the Office of Management and Budget (OMB) as 
required by the Privacy Act, 5 U.S.C. 552a(r), and guidelines issued by 
OMB, 65 FR 77677, December 12, 2000.

    Approved: February 5, 2008.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
123VA00VE

System Name:
    Center for Veterans Enterprise (CVE) VA VetBiz Vendor Information 
Pages (VIP) (123VA00VE).

Security Classification:
    None. This system of records does not contain classified 
information or records.

System Location:
    Records are maintained at the Center for Veterans Enterprise's 
office in VA Headquarters, Washington, DC. VA's Web Operations 
(WebOps), Third Floor,

[[Page 9623]]

1335 East-West Highway, Silver Spring, MD 20910, maintains the 
computerized database and Web site.

Categories of Individuals Covered by the System:
    Veterans who have applied to have their small businesses included 
in the VetBiz database, and, if deceased, their surviving spouses.

Categories of Records in the System:
    The records in this system include:
    1. Identifying information on veterans and the surviving spouses of 
veterans who apply to have their businesses listed in the VetBiz 
database, including names and social security numbers.
    2. Information documenting the eligibility of veterans to have 
their businesses listed in the VetBiz database, including service-
connected status and information concerning ownership of the 
business(es) listed in VetBiz, including certifications, and security 
clearances held.

Authority for Maintenance of the System:
    38 U.S.C. 8127 and Public Law No. 106-50, as amended.

Purpose(s):
    To gather and maintain information on small businesses owned and 
controlled by veterans, including service-disabled veterans, to enable 
them to effectively compete for Federal contracts, as well as working 
with the Small Business Administration in its provision of services to 
veteran-owned businesses under the Veterans Entrepreneurship and Small 
Business Development Act of 1999, as amended, Public Law 106-50, 113 
Stat. 233.

Routine Uses of Records Maintained in the System Including Categories 
of Users and the Purposes of Such Uses:
    1. The Department may disclose information in the system to 
Federal, State, and local government personnel to assist them in 
finding veteran-owned businesses to contract with and for purposes of 
market research, in compliance with their respective procurement 
regulations and procedures.
    2. The Department may disclose information to the general public, 
including companies and corporate entities, to assist them in locating 
potential contractors, subcontractors and/or potential teaming 
partners, for purposes of complying with applicable regulations 
concerning use of veteran-owned businesses.
    3. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
entity) that rely upon the potentially compromised information; and (3) 
the disclosure is to agencies, entities, or persons whom VA determines 
are reasonably necessary to assist or carry out the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm.
    4. VA may disclose on its own initiative any information in this 
system, except the names and addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal, or regulatory in nature and 
whether arising by general or program statute or by regulation, rule, 
or order issued pursuant thereto, to a Federal, State, local, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule, or order. VA may also disclose on its 
own initiative the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal, or regulatory violations of law, or 
charged with enforcing or implementing the statute, regulation, rule, 
or order.
    5. VA may disclose information to a Congressional office from the 
record of an individual in response to an inquiry from the 
Congressional office made on behalf of and at the request of that 
individual.
    6. VA may disclose information to the National Archives and Records 
Administration (NARA) in records disposition and management inspections 
conducted under authority of Title 44 of United States Code.
    7. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    8. VA may disclose information to individuals, organizations, 
private or public agencies, or other entities with which VA has a 
contract or agreement, or where there is a subcontract to perform such 
services as VA may deem practicable for the purposes of laws 
administered by VA, in order for the contractor or subcontractor to 
perform the services of the contract or agreement.

Disclosures to Consumer Reporting Agencies:
    None.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records in the System:
Storage:
    The VetBiz VIP will be stored in a computerized database. The 
system will operate on servers, located at VA's Web Operations 
(WebOps), 822 TJ Jackson Drive, Falling Waters, WV 25419. Data backups 
will reside on appropriate media, according to normal system backup 
plans for WebOps. The system will be managed by the CVE, in VA 
Headquarters, Washington, DC.

Retrievability:
    Automated records may be retrieved by the names of the veteran 
business owners and/or their social security numbers.

Safeguards:
    Read access to the system is via Internet access. WebOps, CVE, and 
contractor personnel will have access to the system, via VA Intranet 
and local connections, for management and maintenance purposes and 
tasks. Access to the Intranet portion of the system is via user-id and 
password, at officially approved access points. Veteran-owned small 
businesses will establish and maintain user-ids and passwords for 
accessing their corporate information under system control. Contracting 
officers will establish and maintain user-ids and passwords for 
accessing

[[Page 9624]]

non-vital business information. Policy regarding issuance of user-ids 
and passwords is formulated in VA by the Office of Information and 
Technology, Washington, DC. Security for data in the VetBiz database 
complies with applicable statutes, regulations and government-wide and 
VA policies. The system is configured so that access to the public data 
elements in the database does not lead to access to the non-public data 
elements, such as veteran social security number.

Retention and Disposal:
    Records will be maintained and disposed of, in accordance with the 
records disposal authority approved by the Archivist of the United 
States, the National Archives and Records Administration, and published 
in Agency Records Control Schedules.

System Manager(s) and Address:
    Deputy Director, Center for Veterans Enterprise (00VE), 810 Vermont 
Avenue, NW., Washington, DC 20420.

Notification Procedures:
    Individuals wishing to inquire, whether this system of records 
contains information about themselves, should contact the Deputy 
Director, Center for Veterans Enterprise (00VE), 810 Vermont Avenue, 
NW., Washington, DC 20420.

Record Access Procedure:
    Individuals seeking access to records about themselves, contained 
in this system of records, may access the records via the Internet, or 
submit a written request to the system manager.

Contesting Record Procedures:
    An individual, who wishes to contest records maintained under his 
or her name or other personal identifier, may write or call the system 
manager. VA's rules for accessing records, contesting contents and 
appealing initial agency determinations are published in regulations, 
set forth in the Code of Federal Regulations. See 38 CFR 1.577, 1.578.

Record Source Categories:
    The information in this system of records is obtained from the 
following source: a. Information voluntarily submitted by the business 
owners; and/or information extracted from CCR database.

Exemptions Claimed for the System:
    None.

[FR Doc. E8-3291 Filed 2-20-08; 8:45 am]
BILLING CODE 8320-01-P