Privacy Act of 1974, 72117-72121 [E8-28183]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 73, Number 229 (Wednesday, November 26, 2008)]
[Notices]
[Pages 72117-72121]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-28183]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of New System of Records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552(e)(4)) requires that all 
agencies publish in the Federal Register a notice of the existence and 
character of their systems of records. Notice is hereby given that the 
Department of Veterans Affairs (VA) is establishing a new system of 
records entitled ``Administrative Data Repository--VA'' (150VA19).

DATES: Comments on this new system of records must be received no later 
than December 26, 2008. If no public comment is received during the 
period allowed for comment or unless otherwise published in the Federal 
Register by VA, the new system will become effective December 26, 2008.

ADDRESSES: Written comments may be submitted through https://
www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (02REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays). Please call (202) 461-4902 for an appointment. In 
addition, during the comment period, comments may be viewed online 
through the Federal Docket Management System (FDMS).

FOR FURTHER INFORMATION CONTACT: Stephania H, Putt, Veterans Health 
Administration (VHA) Privacy Officer, Department of Veterans Affairs, 
810 Vermont Avenue, NW., Washington, DC 20420, telephone (704) 245-
2492.

SUPPLEMENTARY INFORMATION:

[[Page 72118]]

I. Description of Proposed Systems of Records

    VHA Administrative Data Repository, ADR, is the enterprise data 
store for VHA persons. It includes identity, demographic and other 
administrative data for patients and non-patients, including employees, 
providers, IT users, etc.
    The Administrative Data Repository (ADR) has been established to 
provide support for those cross-cutting administrative data elements 
relative to multiple categories of a person entity. Although, initially 
focused on the computing needs of VHA, the ADR is positioned to provide 
identity management and demographics support for all IT systems within 
the Department of Veterans Affairs. As the authoritative data store for 
cross cutting administrative person data, the ADR will establish and 
manage this data as a VHA corporate asset. State-of-the-art security 
methodology will be implemented to ensure the integrity and 
confidentiality of person data administered by the ADR.

II. Proposed Routine Use Disclosures of Data in the System

    To the extent that records contained in the system include 
information protected by 38 U.S.C. 7332, i.e., medical treatment 
information related to drug abuse, alcoholism, or alcohol abuse, sickle 
cell anemia or infection with the human immunodeficiency virus, that 
information cannot be disclosed under a routine use unless there is 
also specific statutory authority permitting disclosure.
    Data stored in ADR is used as the source of identity, demographic 
and other administrative data for VHA enterprise. The routine uses of 
records maintained in the system, including categories of users and the 
purposes of such uses are described below:
    VHA is proposing the following routine use disclosures of 
information to be maintained in the system:
    1. The record of an individual who is covered by a system of 
records may be disclosed to a Member of Congress, or a staff person 
acting for the Member, when the Member or staff person requests the 
record on behalf of and at the written request of the individual.
    2. Disclosure may be made to National Archives and Records 
Administration (NARA) and the General Services Administration (GSA) in 
records management inspections conducted under authority of Title 44, 
Chapter 29, of the United States Code (U.S.C). NARA and GSA are 
responsible for management of old records no longer actively used, but 
which may be appropriate for preservation, and for the physical 
maintenance of the Federal government's records. VA must be able to 
provide the records to NARA and GSA in order to determine the proper 
disposition of such records.
    3. Disclosure may be made to other Government agencies in support 
of data exchanges of electronic medical record information approved by 
the individual.
    4. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, that is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. VA may also disclose on its own 
initiative the names and addresses of veterans and their dependents to 
a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.
    5. VA may disclose information from this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records.
    6. Disclosures of relevant information may be made to individuals, 
organizations, private or public agencies, or other entities with whom 
VA has a contract or agreement or where there is a subcontract to 
perform the services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor or subcontractor 
to perform the services of the contract or agreement. This routine use 
includes disclosures by the individual or entity performing the service 
for VA to any secondary entity or individual to perform an activity 
that is necessary for individuals, organizations, private or public 
agencies, or other entities or individuals with whom VA has a contract 
or agreement to provide the service to VA.
    7. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    8. VA may disclose information to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discriminatory practices, examination of Federal 
affirmative employment programs, or for other functions of the 
Commission as authorized by law or regulation. VA must be able to 
provide information to the Commission to assist it in fulfilling its 
duties to protect employee's rights, as required by statute and 
regulation.
    9. VA may disclose to the Fair Labor Relations Authority (FLRA) 
(including its General Counsel) information related to the 
establishment of jurisdiction, the investigation and resolution of 
allegations of unfair labor practices, or information in connection 
with the resolution of exceptions to arbitration awards when a question 
of material fact is raised; to disclose information in matters properly 
before the Federal Services Impasse Panel, and to investigate 
representation petitions and conduct or supervise representation 
elections. VA must be able to provide information to FLRA to comply 
with the statutory mandate under which it operates.
    10. VA may disclose information to officials of the Merit Systems 
Protection Board (MSPB), or the Office of Special Counsel, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as 
authorized by law.
    11. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise,

[[Page 72119]]

there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security, confidentiality, or integrity of 
this system or other systems or programs (whether maintained by the 
Department or another agency or disclosure is to agencies, entities, or 
persons whom VA determines are reasonably necessary to assist or carry 
out the Department's efforts to respond to the suspected or confirmed 
compromise and prevent, minimize, or remedy such harm. This routine use 
permits disclosures by the Department to respond to a suspected or 
confirmed data breach, including the conduct of any risk analysis or 
provision of credit protection services as provided in 38 U.S.C. 5724, 
as the terms are defined in 38 U.S.C. 5727.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which VA collected the information. In all of the routine 
use disclosures described above, either the recipient of the 
information will use the information in connection with a matter 
relating to one of VA's programs, will use the information to provide a 
benefit to VA, or disclosure is required by law.
    The notice of intent to publish and an advance copy of the system 
notice have been sent to the appropriate Congressional committees and 
to the Director of the Office of Management and Budget (OMB) as 
required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB 
(65 FR 77677), December 12, 2000.

    Approved: November 7, 2008.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
150VA19

SYSTEM NAME:
    Administrative Data Repository--VA.

SYSTEM LOCATION:
    Records are maintained in the Corporate Franchise Data Center. 
Address locations for VA AAC are 1615 Woodward Street, Austin, Texas 
78772-001. In addition, information from these records or copies of 
records may be maintained at the Department of Veterans Affairs, 810 
Vermont Avenue, NW., Washington, DC, VA Data Processing Centers, VA CIO 
Field Offices, Veterans Integrated Service Network Offices, and 
Employee Education Systems.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records include information concerning current and former VHA 
patients, employees, providers, volunteers, trainees and contractors, 
as well as individuals working collaboratively with VHA.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include information related to:
    1. Administrative assignments or categorization of duties of 
certain VHA personnel;
    2. The record may include identifying demographic information 
(e.g., name, date of birth, gender, social security number, taxpayer 
identification number); and other demographic information such as 
address (e.g., home and/or mailing address, home telephone number, 
emergency contact information such as name, address, telephone number, 
and relationship); education and continuing education (e.g., name and 
address of schools and dates of attendance, courses attended and 
scheduled to attend, grades, type of degree, certificate, etc.); 
information related to military service and status; qualifications for 
employment (e.g., license, degree, registration or certification, 
experience); veteran enrollment and eligibility information including 
financial assessments.
    3. Electronic messages used for network communication between VHA 
systems; and
    4. Health care providers' social security number and National 
Provider Identifier.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, Section 501.and Section 7304.

PURPOSE (S):
    The main purpose of the Administrative Data Repository is to 
establish person identity throughout the VHA enterprise. The purpose of 
the system of records is to provide a repository for the administrative 
information that is used to accomplish the purposes described within 
this document including determining veteran benefits and eligibility. 
The records include information provided by patients, providers, 
employees, volunteers, trainees, contractors and others that receive IT 
access to our computer systems and information obtained in the course 
of routine work done including VHA patient care provided. Quality 
assurance information that is protected by 38 U.S.C. 7311 and 38 CFR 
17.500-17.511 is not within the scope of the Privacy Act and, 
therefore, is not included in this system of records or filed in a 
manner in which the information may be retrieved by reference to an 
individual identifier.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 38 U.S.C. 7332, i.e., medical treatment 
information related to drug abuse, alcoholism, or alcohol abuse, sickle 
cell anemia or infection with the human immunodeficiency virus, that 
information cannot be disclosed under a routine use unless there is 
also specific statutory authority permitting disclosure.
    Data stored in ADR is used as the source of identity, demographic 
and other administrative data for VHA enterprise. The routine uses of 
records maintained in the system, including categories of users and the 
purposes of such uses are described below:
    1. The record of an individual who is covered by a system of 
records may be disclosed to a Member of Congress, or a staff person 
acting for the Member, when the Member or staff person requests the 
record on behalf of and at the written request of the individual.
    2. Disclosure may be made to National Archives and Records 
Administration (NARA) and the General Services Administration (GSA) in 
records management inspections conducted under authority of Title 44, 
Chapter 29, of the United States Code (U.S.C).
    3. Disclosure may be made to other Government agencies in support 
of data exchanges of electronic medical record information approved by 
the individual.
    4. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, that is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. VA may also disclose on its own 
initiative the names and addresses of veterans and their dependents to 
a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or

[[Page 72120]]

implementing the statute, regulation, rule or order issued pursuant 
thereto.
    5. VA may disclose information from this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records. VA, on its own 
initiative, may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that the disclosure of the records to the court or administrative body 
is a use of the information contained in the records that is compatible 
with the purpose for which VA collected the records.
    6. Disclosures of relevant information may be made to individuals, 
organizations, private or public agencies, or other entities with whom 
VA has a contract or agreement or where there is a subcontract to 
perform the services as VA may deem practicable for the purposes of 
laws administered by VA, in order for the contractor or subcontractor 
to perform the services of the contract or agreement.
    7. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    8. VA may disclose information to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discriminatory practices, examination of Federal 
affirmative employment programs, or for other functions of the 
Commission as authorized by law or regulation.
    9. VA may disclose to the Fair Labor Relations Authority (FLRA) 
(including its General Counsel) information related to the 
establishment of jurisdiction, the investigation and resolution of 
allegations of unfair labor practices, or information in connection 
with the resolution of exceptions to arbitration awards when a question 
of material fact is raised; to disclose information in matters properly 
before the Federal Services Impasse Panel, and to investigate 
representation petitions and conduct or supervise representation 
elections.
    10. VA may disclose information to officials of the Merit Systems 
Protection Board (MSPB), or the Office of Special Counsel, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as 
authorized by law.
    11. VA may, on its own initiative, disclose any information or 
records to appropriate agencies, entities, and persons when (1) VA 
suspects or has confirmed that the integrity or confidentiality of 
information in the system of records has been compromised; (2) the 
Department has determined that as a result of the suspected or 
confirmed compromise, there is a risk of embarrassment or harm to the 
reputations of the record subjects, harm to economic or property 
interests, identity theft or fraud, or harm to the security, 
confidentiality, or integrity of this system or other systems or 
programs (whether maintained by the Department or another agency or 
disclosure is to agencies, entities, or persons whom VA determines are 
reasonably necessary to assist or carry out the Department's efforts to 
respond to the suspected or confirmed compromise and prevent, minimize, 
or remedy such harm. This routine use permits disclosures by the 
Department to respond to a suspected or confirmed data breach, 
including the conduct of any risk analysis or provision of credit 
protection services as provided in 38 U.S.C. 5724, as the terms are 
defined in 38 U.S.C. 5727.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are maintained at the Corporate Franchise Data Center which 
is a VA operated facility. Information is stored on disk media.

RETRIEVABILITY:
    Records are retrieved by person identifying traits such as name, 
social security number and other assigned unique identifiers of the 
individuals on whom they are maintained.

SAFEGUARDS:
    1. Access to VA working and storage areas is restricted to VA 
employees on a ``need-to-know'' basis; strict control measures are 
enforced to ensure that disclosure to these individuals is also based 
on this same principle. Generally, VA file areas are locked after 
normal duty hours and the facilities are protected from outside access 
by the Federal Protective Service or other security personnel.
    2. Access to file information is controlled at two levels; the 
systems recognize authorized employees by series of individually unique 
passwords/codes as a part of each data message, and the employees are 
limited to only that information in the file which is needed in the 
performance of their official duties. Information that is downloaded 
from ADR and maintained on personal computers is afforded similar 
storage and access protections as the data that is maintained in the 
original files. Access to information stored on automated storage media 
at other VA locations is controlled by individually unique passwords/
codes.
    3. Access to the Austin Automation Center is generally restricted 
to Center employees, custodial personnel, Federal Protective Service 
and other security personnel. Access to computer rooms is restricted to 
authorized operational personnel through electronic locking devices. 
All other persons gaining access to computer rooms are escorted. 
Information stored in the computer may be accessed by authorized VA 
employees at remote locations including VA health care facilities, 
Information Systems Centers, VA Central Office, and Veteran Integrated 
Service Networks. Access is controlled by individually unique 
passwords/codes which must be changed periodically by the employee.

RETENTION AND DISPOSAL:
    The records must be disposed of in accordance with the records 
retention standards authorized by the National Archives and Records 
Administration General Records Schedule 14, item 6, and published in 
the Veterans Health Administration Records Control Schedule 10-1, Item 
XLV.

SYSTEM MANAGER(S) AND ADDRESS:
    Official responsible for policies and procedures; Chief Information 
Officer (19), Department of Veterans Affairs, 810 Vermont Avenue, NW., 
Washington, DC 20420. Official maintaining this system of record: 
Director National Data Systems (19F-4), Corporate Franchise Center, 
1615 Woodward Street, Austin, Texas 78772.

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether this system of records 
contains information about them should contact the VA facility location 
at which they are or were employed or treated or made or have contact. 
Inquiries should include the person's full name, social security 
number, dates of treatment, dates of employment, date(s) of contact, 
and/or return address.

[[Page 72121]]

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding access to and contesting 
of records in this system may write, call or visit the VA facility 
location where they are or were employed or treated or made contact.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by patients, 
employees, providers, IT users, and others that work collaboratively 
with VHA.

 [FR Doc. E8-28183 Filed 11-25-08; 8:45 am]
BILLING CODE 8320-01-P