Privacy Act of 1974, Implementation of Exemptions, 9-17 [E8-31131]

Agencies

• Agency for International Development

[Federal Register Volume 74, Number 1 (Friday, January 2, 2009)]
[Rules and Regulations]
[Pages 9-17]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-31131]



[[Page 9]]

=======================================================================
-----------------------------------------------------------------------

AGENCY FOR INTERNATIONAL DEVELOPMENT

22 CFR Part 215

RIN 0412-AA61


Privacy Act of 1974, Implementation of Exemptions

AGENCY: United States Agency for International Development.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The United States Agency for International Development (USAID) 
has established a new system of records (see 72 FR 39042) pursuant to 
the provisions of the Privacy Act of 1974 (5 U.S.C. 552a), entitled the 
``Partner Vetting System''. USAID published a proposed rule on July 20, 
2007 (see 72 FR 39769) and is issuing this final rule after thorough 
review of all comments and suggestions received by the Agency through 
the public notice process and outreach sessions held for interested 
individuals. The final rule exempts portions of this system of records 
from one or more provisions of the Privacy Act. The decision as to 
whether to implement PVS will be made by the incoming Obama 
Administration.

DATES: This final rule will go into effect February 2, 2009.

FOR FURTHER INFORMATION CONTACT:  Jeff Denale, Coordinator for 
Counterterrorism, Office of Security, United States Agency for 
International Development, Ronald Reagan Building, 1300 Pennsylvania 
Avenue, NW., Washington, DC 20523, telephone: (202) 712-1264.

SUPPLEMENTARY INFORMATION:

A. Background

    In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, USAID 
established a new system of records (see 72 FR 39042), entitled the 
``Partner Vetting System'' (PVS). The PVS would support the vetting of 
individuals and directors, officers, or other principal employees of 
non-governmental organizations (NGOs) who apply for USAID contracts, 
grants, cooperative agreements, or other funding and of NGOs who apply 
for registration with USAID as Private and Voluntary Organizations. The 
information collected for these individuals would be used to conduct 
screening to ensure USAID funds and USAID-funded activities are not 
purposefully or inadvertently used to provide support to entities or 
individuals deemed to be a risk to national security. As these 
individuals and organizations are neither employees of USAID or job 
applicants for jobs with USAID, nor would they be eligible for or 
require security clearances, traditional employment or security 
clearance investigative mechanisms are not authorized or appropriate 
for the stated purposes.
    USAID will exempt portions of the PVS from certain provisions of 
the Privacy Act and add the PVS to 22 CFR 215.13, General Exemptions, 
and 22 CFR 215.14, Specific Exemptions. USAID requires this exemption 
from the Privacy Act in order to protect information, recompiled from 
records of other government agencies and related to investigations, 
from disclosure to subjects of investigations and to protect classified 
information related to the government's national security programs. 
Specifically, the exemptions are required to preclude subjects of 
investigations from frustrating the investigative process; to avoid 
disclosure of investigative techniques; protect the identities and 
physical safety of confidential informants and of law enforcement 
personnel; ensure the ability of USAID's Office of Security to obtain 
information from third parties and other sources; protect the privacy 
of third parties; and safeguard classified information.
    Aside from the specific protections afforded classified 
information, USAID must also protect the names of organizations and 
individuals within any classified systems associated with the PVS that 
mistakenly become recompiled into the non-classified USAID system. 
Nondisclosure of this information protects the government's operational 
counterterrorism and counterintelligence missions, as well as the 
personal safety of those involved in counterterrorism investigations.

B. Summary of the Final Rule

    The final rule issued by USAID generally exempts portions of the 
PVS which qualify from:

Accounting of Certain Disclosures.
Access to Records.
Agency Maintenance, Collection, and Notification Requirements.
Agency Rulemaking Requirements Relating to Notification, Accounting, 
and Access.
Civil Remedies.
Right of Legal Guardians.

    These exemptions are necessary to insure the proper functioning of 
the law enforcement activity, to protect confidential sources of 
information, to fulfill promises of confidentiality, to maintain 
integrity of the law enforcement procedures, to avoid premature 
disclosure of the knowledge of criminal activity and the evidentiary 
basis of possible enforcement actions, to prevent interference with law 
enforcement proceedings, to avoid the disclosure of investigative 
techniques, to avoid endangering law enforcement personnel, to maintain 
the ability to obtain candid and necessary information, to fulfill 
commitments made to sources to protect the confidentiality of 
information, to avoid endangering these sources, and to facilitate 
proper selection or continuance of the best applicants or persons for a 
given position or contract. Although USAID is not a law enforcement or 
intelligence agency, the mandate to ensure USAID funding is not 
purposefully or inadvertently used to provide support to entities or 
individuals deemed to be a risk to national security necessarily 
requires coordination with law enforcement and intelligence agencies as 
well as use of their information. Use of these agencies' information 
necessitates the conveyance of these other systems' exemptions to 
protect the information as stated.
    The final rule issued by USAID specifically exempts portions of the 
PVS which qualify from:

Accounting of Certain Disclosures.
Access to Records.
Agency Maintenance, Collection, and Notification Requirements.
Agency Rulemaking Requirements Relating to Notification, Accounting, 
and Access.

    These exemptions are claimed to protect the materials required by 
executive order to be kept secret in the interest of national defense 
or foreign policy, to prevent subjects of investigation from 
frustrating the investigatory process, to insure the proper functioning 
and integrity of law enforcement activities, to prevent disclosure of 
investigative techniques, to maintain the ability to obtain candid and 
necessary information, to fulfill commitments made to sources to 
protect the confidentiality of information, to avoid endangering these 
sources, and to facilitate proper selection or continuance of the best 
applicants or persons for a given position or contract.

C. Rulemaking History

    On July 20, 2007, USAID published a proposed rule in the Federal 
Register (72 FR 39769) exempting portions of the PVS which originate 
with government departments and agencies other than USAID from sections 
of the Privacy Act of 1974. Interested individuals were given 60 days 
to comment on the proposed rule. During the 60-day comment period, 
USAID received more than 175 comments from respondents.

[[Page 10]]

The respondents included NGOs, academic institutions, private 
companies, public interest groups, and interested individuals.
    This final rule amends 22 CFR 215.13 and 215.14 to exempt the PVS 
from certain requirements under the Privacy Act. Prior to issuing this 
final rule, USAID has carefully considered program requirements, 
respondent comments, and national security and foreign policy impacts.

D. Discussion of Comments

Demonstrated Need for PVS

    Many of the organizations that submitted comments suggested that 
since there is no evidence that USAID funds are flowing to terrorist 
organizations through NGOs, there is no need for a vetting system. 
Support for this proposition was based, in part, on the assertion that 
the Office of Inspector General (OIG) at USAID, in its Semi-Annual 
Reports to Congress on USAID's program for West Bank and Gaza, has 
stated that there has been no finding of terrorist organizations 
receiving USAID funds under that program. USAID notes, however, that in 
its November 6, 2007 audit report of USAID's anti-terrorism vetting 
procedures, the OIG recommended that USAID should develop and implement 
a worldwide anti-terrorism vetting program to include both U.S. and 
non-U.S.-based partners.
    USAID is the Executive Branch agency primarily responsible for 
implementing the bilateral foreign assistance program of the United 
States. USAID relies heavily upon U.S. and foreign NGOs in implementing 
international assistance, education and other programs in furtherance 
of U.S. foreign policy, humanitarian, international relations, and 
national security interests and objectives.
    Consistent with applicable law and agency policy, USAID has taken a 
number of steps, when implementing the U.S. foreign assistance program, 
to help ensure that agency funds and other resources do not 
inadvertently benefit individuals or entities that are terrorists, 
supporters of terrorists or affiliated with terrorists. Specifically, 
USAID has taken the actions described below.
    In March 2002, USAID issued Acquisition and Assistance Policy 
Directive (AAPD) 02-04. AAPD 02-04 required all USAID solicitations and 
contracts, Annual Program Statements or Requests for Applications and 
grants or cooperative agreements, or other comparable documents issued 
by USAID to contain a clause reminding the Agency's contractor and 
grantee partners of U.S. Executive Orders (such as Executive Order 
13224) and U.S. law prohibiting transactions with, and the provision of 
resources and support to, individuals and organizations associated with 
terrorism. This requirement subsequently has been incorporated into 
USAID's Automated Directives System (ADS).
    In December 2002, USAID issued AAPD 02-19 (as revised, now AAPD 04-
14), which requires USAID agreement officers to obtain a terrorist 
financing certification from both U.S. and non-U.S. NGOs before the NGO 
would be eligible to receive an award of a grant or cooperative 
agreement. The purpose of the certification is to provide USAID with 
assurances that it is not entering into an assistance agreement with an 
organization that provides or has provided assistance to terrorists or 
for terrorist activity.
    In November 2005, USAID issued Procurement Executive's Bulletin No. 
2005-12, reminding contracting officers and agreement officers of their 
responsibilities to perform due diligence in ensuring that 
organizations receiving contracts, grants and cooperative agreements 
are eligible for these awards in accordance with Federal statutes and 
policy. Among other things, that Bulletin reminds contracting officers 
and agreement officers of their responsibility, before making an award, 
of checking the master list of specially designated nationals and 
blocked persons maintained by the Office of Foreign Assets Control 
(OFAC) within the U.S. Department of the Treasury.
    USAID recognizes, however, that merely checking names against the 
OFAC master list and requiring self-certification may not constitute 
adequate due diligence in certain situations. In its terrorist 
financing certification, USAID discusses the need for applicants for 
USAID funds also to check the list maintained by the United Nations' 
1267 Committee, the need to take into account their own knowledge and 
the need to take into account relevant public information that is 
reasonably available. Similarly, in the U.S. Department of the Treasury 
Anti-Terrorist Financing Guidelines: Voluntary Best Practices for U.S.-
Based Charities, it is noted that, ``while the [OFAC-maintained] List 
is a critically important compliance tool that can assist charities in 
meeting their legal obligations under the variety of sanctions programs 
that OFAC administers, it should only form one part of a charitable 
organization's broader risk-based approach to protect against the risks 
of terrorist abuse.''
    Accordingly, to complement its requirements for terrorist financing 
clauses, terrorist financing certifications, and review of public lists 
of designated groups and individuals, USAID proposes implementation of 
the PVS. The decision as to whether to implement PVS will be made by 
the incoming Obama Administration.
    There have been allegations in the media and within the Executive 
and Legislative Branches that USAID funds may have gone (i) to 
organizations in West Bank and Gaza which are controlled by Hamas or 
which otherwise have ties to terrorist groups, (ii) to an organization 
in Pakistan controlled by an individual who was indicted based on 
alleged ties with terrorists, and (iii) to an organization in Bosnia 
controlled by an individual about whom derogatory information was 
reported. Although none of these grant activities resulted in 
assistance being furnished directly to a designated individual or 
entity, USAID believes that the development of a comprehensive, 
systematic, and automated vetting system is essential to ensuring that 
funds or other resources provided in the future are not diverted to the 
control of terrorists or terrorist organizations.
    Moreover, whether or not any of the allegations referred to above 
had a valid basis in fact, USAID does not believe that it should wait 
for hard proof that our funds are actually flowing to terrorists before 
implementing additional safeguards to its anti-terrorist financing 
program--even the suggestion that our funds or resources are benefiting 
terrorists is harmful to U.S. foreign policy and U.S. national 
interests.
    Vetting conducted since 2001 for the USAID West Bank and Gaza 
Mission has already proven effective in preventing USAID funds and 
materials from flowing to foreign terrorist organizations or groups or 
individuals associated with such organizations. Individuals involved in 
or otherwise associated with terrorism have been specifically 
identified through the West Bank and Gaza vetting process. Without 
vetting, USAID funds or materials could have inadvertently been given 
to these individuals or groups. In light of the fact that the 
statutorily required vetting currently being carried out for our West 
Bank and Gaza programs has uncovered derogatory information on some of 
the applicants for USAID funds and materials, a more comprehensive, 
systematic, and automated vetting process unquestionably will improve 
the Agency's due diligence and will result in more effective methods to 
help minimize the risk that USAID funds will

[[Page 11]]

be diverted to terrorists or for terrorist purposes.

Statutory Basis for PVS

    Some organizations suggested that, with the exception of USAID 
programs in West Bank and Gaza, there is no basis in statute or 
Executive Order justifying implementation of PVS.
    The Foreign Assistance Act of 1961, as amended (the ``FAA''), 
provides the President with broad discretion to set terms and 
conditions in the area of foreign policy. Specifically, numerous 
sections of the FAA authorize the President to furnish foreign 
assistance ``on such terms and conditions as he may determine''. See, 
e.g., section 122 of the FAA, which provides that, ``[i]n order to 
carry out the purposes of this chapter [i.e., development assistance], 
the President is authorized to furnish assistance, on such terms and 
conditions as he may determine, to countries and areas through programs 
of grant and loan assistance, bilaterally or through regional, 
multilateral, or private entities.'' Similarly, sections 103 through 
106 of the FAA authorize the President to furnish assistance, on such 
terms and conditions as he may determine, for agriculture, rural 
development and nutrition; for population and health (including 
assistance to combat HIV/AIDS); for education and human resources 
development; and for energy, private voluntary organizations, and 
selected development activities, respectively. The FAA also authorizes 
the President to ``make loans, advances, and grants to, make and 
perform agreements and contracts with, any individual, corporation, or 
other body of persons, friendly government or government agency, 
whether within or without the United States and international 
organizations in furtherance of the purposes and within the limitations 
of this Act.''
    These authorities have been delegated from the President to the 
Secretary of State and, pursuant to State Department Delegation of 
Authority 293, from the Secretary of State to the Administrator of 
USAID. Agency delegations of authority, in turn, delegate these 
authorities from the Administrator to Assistant Administrators, office 
directors, Mission Directors, and other Agency officials.
    In providing foreign assistance, the Administrator must take into 
account relevant legal restrictions. For example, the FAA requires that 
all reasonable steps be taken to ensure that assistance is not provided 
to or through individuals who have been or are illicit narcotics 
traffickers. Pursuant to annual foreign operations appropriations acts, 
assistance to foreign security forces requires vetting to ensure that 
assistance is not provided to units where there is credible evidence 
that the unit committed gross violations of human rights. These vetting 
requirements now have been incorporated into the FAA. Restrictions in 
the FAA against supporting terrorism or providing assistance to 
terrorist states, as well as restrictions in Title 18 of the United 
States Code on the provision of support or resources to terrorists, 
similarly support a decision by the Administrator of USAID to authorize 
terrorist screening procedures.
    In addition, the broad authority of the FAA permits the 
Administrator of USAID to consider a range of foreign policy and 
national security interests in determining how to provide foreign 
assistance. The United States has a strong foreign policy and national 
security interest in ensuring that U.S. assistance is not provided to 
or through individuals or organizations that have links to terrorists. 
This interest arises both because of our concern about the potential 
diversion of U.S. assistance to other uses and also our interest in 
ensuring that terrorist individuals and groups do not garner the 
benefit of being the distributor of U.S. assistance to needy recipients 
in foreign countries. The United States is an advocate of strong anti-
terrorism provisions and has urged other nations to control the flow of 
funds and support to terrorists. There could be significant negative 
foreign policy repercussions if it were determined that the United 
States was funding individuals and organizations with ties to 
terrorists.
    Further, Homeland Security Presidential Directive/HSPD-6 states 
that to protect against terrorism it is the policy of the United States 
to (1) develop, integrate, and maintain thorough, accurate, and current 
information about individuals known or appropriately suspected to be or 
have been engaged in conduct constituting, in preparation for, in aid 
of, or related to terrorism, and (2) use that information as 
appropriate and to the full extent permitted by law to support Federal 
screening processes. HSPS-6 also requires the heads of executive 
departments and agencies to conduct screening using Terrorist 
Information (as defined therein) at all appropriate opportunities. In 
accordance with HSPD-11, USAID has identified NGO applications for 
USAID funds as one of the opportunities for which screening could be 
conducted. Accordingly, use by USAID of information contained in USG 
terrorist databases, i.e., vetting, is entirely consistent with HSPD-6.
    Finally, legislative and Executive Order prohibitions against 
furnishing financial or other support to terrorists or for terrorist 
related purposes, or against engaging in transactions with individuals 
or entities that engage in terrorist acts, provide justification not to 
award assistance if USAID already has access to information showing 
that the applicant for assistance is involved in terrorism. Some of 
these prohibitions can be found in Sections 2339A and 2339B of Title 18 
of the United States Code, Executive Order 12947, as amended by 
Executive Order 13099, Executive Order 13224, and Title VIII of the USA 
Patriot Act. Accordingly, USAID's authority to conduct vetting is 
implied from these authorities since, to avoid violation of the 
authorities, USAID must use some sort of screening.
    Based upon all of the above, USAID has concluded that it does 
indeed have the legal authority to implement the PVS.
    Related comments suggested that USAID could not implement PVS 
without first obtaining a deviation from the Office of Management and 
Budget (OMB) in accordance with OMB Circular A-110 and USAID Regulation 
226 (22 CFR 226). OMB Circular A-110 governs the administration of 
grants and cooperative agreements to institutions of higher education, 
hospitals, and other non-profit organizations. USAID Regulation 226 
implements OMB Circular A-110. 22 CFR 226.1 provides that USAID will 
not ``impose additional or inconsistent requirements, except [through a 
deviation granted by OMB] * * *, or unless specifically required by 
Federal statute or executive order.''
    USAID has reviewed the comments regarding Regulation 226 and has 
concluded that a deviation from OMB is not required. USAID has the 
freedom to make suitability determinations regarding applicants for 
grants and the use of PVS is part of the suitability determination 
process. Furthermore, the Partner Information Form, published in the 
Federal Register on October 2, 2007, and approved by OMB on August 19, 
2008, complies with 5 CFR 1320, OMB's regulations on controlling 
paperwork burdens on the public, as required by 22 CFR 226.12, USAID's 
regulatory provision requiring compliance with OMB, and supplements the 
Standard Form 424 series.

Burden on Applicants

    The most frequent concern expressed in the comments received was 
that providing information to USAID would create an undue burden on

[[Page 12]]

organizations applying for U.S. funds in terms of non-programmatic 
costs and person hours. Organizations submitting comments feared that 
detailed personal information would have to be collected from every 
director, board member, officer and employee of an applicant, in 
addition to information collected from similar personnel of sub-
recipients. Concerns also were expressed about the burden placed on 
USAID personnel who will receive and process the information provided.
    It is contemplated that if the incoming Obama Administration 
approves implementation of PVS, it will be rolled out in an orderly 
fashion, with initial implementation for approximately four programs 
worldwide. While USAID believes that its Paperwork Reduction Act 
estimate of the burden of the proposed collection of information for 
PVS is accurate, USAID would continue to monitor implementation of PVS 
if it is implemented to determine what the burden on applicants 
actually will be and to determine what operation of PVS will cost USAID 
in terms of dollars and in terms of personnel hours.
    NGO partners can be assured that USAID has no intention to vet 
hundreds or thousands of employees for each acquisition or assistance 
action. Review of Mission Order No. 21, issued by USAID's Mission for 
West Bank and Gaza to describe the Mission's current terrorist 
financing procedures, and the recently approved Partner Information 
Form, are instructive in this regard.
    Under the definition of ``key individuals,'' Mission Order No. 21 
lists only ``principal'' officers of an organization's governing body 
and only ``principal'' officers of an organization, as opposed to all 
of these officers. The Mission reports that during the first ten months 
that the Mission utilized a database vetting system similar to that 
proposed under PVS, vetting was conducted only on an average of 
approximately 3.2 key individuals per organization. Based on the 
Mission's experience during that time period, a typical organization 
would submit information on 4 to 6 key individuals, with the high range 
being 10 to 14 and the low range (for sole proprietorships or simple 
two-person partnerships) being 1 to 2 persons. Moreover, under those 
screening procedures, the initial determination as to who would be 
considered a ``key individual'' for a particular activity, and thus 
will require vetting, is left to the organization applying for funds. 
After receiving the information, the Mission then may request 
clarification or, if appropriate, go back to an organization to seek 
information on additional individuals. The Partner Information Form 
also includes a section of instructions to ensure that applicants are 
accurately filling out the form and are not over-reporting information 
that is unnecessary. The form includes a definition of ``key 
individuals'' that is similar to the definition contained in West Bank 
and Gaza Mission Order No. 21. It is expected that the numbers of key 
individuals selected for vetting under programs identified for initial 
PVS implementation will be comparable to the numbers cited above for 
West Bank and Gaza program.
    USAID does recognize that including more complex and sophisticated 
U.S. organizations into this mix may well result in higher numbers and 
of course this will be carefully monitored during the early phases of 
PVS implementation should PVS be approved for implementation by the 
incoming Obama Administration.
    USAID's NGO partners also commented that individuals who serve on 
the boards of NGOs typically are distinguished and prominent 
individuals who serve without remuneration as a public service. In 
addition, many NGOs also deploy volunteers. Concerns were expressed 
over the adverse effect that the proposed PVS screening might have on 
these prominent board members or on NGO volunteers. Based on the West 
Bank and Gaza procedures described above, however, it may well be that 
neither the NGO applicant nor USAID will consider these prominent board 
members or these volunteers as the type of individual necessary to 
include in the screening process.
    USAID currently is developing guidance and protocol for the initial 
implementation of PVS, if approved, and the Agency will monitor the 
accompanying administrative burden on our partners and on our staff 
throughout the process. In the development of this information, USAID 
is taking into consideration experience, expertise and results that the 
Mission for West Bank and Gaza has obtained through more than six years 
of vetting. Once the guidance and protocol have been developed, the 
Agency will share it with our NGO partners and also provide appropriate 
training for affected applicant organizations.

Privacy Act and Due Process Requirements

    Comments received by USAID expressed concern that implementation of 
PVS would result in the creation of files or databases of innocent 
people not suspected of a crime and that sharing of information between 
USAID and other agencies not authorized to view private information 
would violate the Privacy Act. Concern also was expressed that 
individuals and organizations would not know their status in the PVS 
since one of USAID's Federal Register notices states that USAID will 
not confirm or deny that an individual ``passed'' or ``failed'' 
screening. Comments received asserted that this lack of due process 
would result in loss of employment and/or award of funds without 
effective recourse. Finally, at least one organization asserted that 
European based NGOs might have problems complying with PVS due to 
European data protection regulations.
    Throughout the design process of PVS, USAID has been committed to 
protecting national security while complying with all administrative 
requirements, and protecting all privacy, civil liberty and other 
rights of its NGO partners and their employees. In that regard, the 
July 17, 2007 System of Records Notice for the PVS does include an 
appropriate routine use allowed for under the Privacy Act, permitting 
the sharing of information, provided to USAID by applicants, with the 
intelligence community for the purposes of vetting following the 
processes established by the PVS.
    Information provided to USAID by applicants will be transmitted to 
USAID employees who will check that information against one or more 
databases maintained by the intelligence community. Once checked, the 
information provided by NGO partners will be maintained in secure 
files, as detailed in the Federal Register notices, by and at USAID. 
Consistent with the Privacy Act, all information submitted on 
individuals and maintained in the USAID system will be available for 
those individuals to request, review and correct. Intelligence 
community systems will not retain information on individuals where 
there is no match.
    USAID will not deny an application merely because there is an 
``encounter'' or positive match between information provided by an 
applicant and information maintained in a terrorism database. Instead, 
USAID will ``look behind'' that match, considering the accuracy and 
severity of the information, the reliability of the source, 
corroboration, and other pertinent matters before any decision is made 
regarding an award. This review will include assessment of the 
terrorist information available in relevant databases, consideration of 
information provided by USAID Missions or U.S. Embassies and any other 
relevant information available to the Agency.

[[Page 13]]

    USAID has been working closely with the Department of Justice to 
ensure that due process rights are incorporated into PVS. Any decision 
communicated to an applicant that award will not be made as a result of 
PVS screening will be accompanied by a reason for such denial. Further, 
opportunity for review of that decision will be afforded to the denied 
applicant. The statement in USAID's rulemaking notice that USAID will 
not ``confirm or deny that an individual `passed' or `failed' 
screening'' only pertains to the fact that USAID has not been 
authorized to confirm information maintained in terrorist screening 
databases. This is to protect the classified nature of information 
maintained by the intelligence community, preclude frustration of the 
investigative process, avoid disclosure of investigative techniques, 
and for other reasons specified in our rulemaking notice. Since, as 
stated above, USAID award decisions will not be based simply on a 
``match'' between information provided to USAID by an applicant and 
information already contained in a terrorism database, refusal to 
acknowledge whether or not there was a match should be of no 
consequence for purposes of implementation of PVS.
    One European based agency expressed concerns to the effect that 
compliance with PVS requirements by our European partners could result 
in violation of EU privacy laws. More specifically, the European based 
agency suggested that article 25 of EU Directive 95/46/EC on Data 
Protection, designed to protect the privacy rights of NGO employees and 
other individuals, might prohibit transfer to USAID of the information 
requested under PVS. This is because the ``EU data protection 
authorities do not generally regard the United States as ensuring 
adequate protection for personal data since the United States does not 
have data privacy laws similar to the European regime.'' The European 
based agency also suggested that article 7 of the EU Directive might 
pose problems for compliance with PVS requirements. That article 
prohibits the disclosure or other processing of personal data except 
where disclosure is necessary for compliance with a legal obligation or 
in other limited circumstances. Support for this proposition is based 
on the SWIFT opinion issued by EU data protection authorities.
    USAID has conducted a preliminary legal review of these concerns. 
The Agency does not believe that PVS requirements violate article 7 of 
the EU Directive since the information proposed to be provided to USAID 
is necessary for USAID to further legitimate U.S. interests, i.e., 
ensuring that U.S. funds are not diverted to terrorists or used for 
terrorist purposes. Pursuit of legitimate interests is one of the 
stated exceptions to the prohibition contained in article 7. USAID also 
does not believe that fundamental rights or freedoms of the data 
subjects will be compromised through compliance with PVS. In this 
regard, USAID does not believe that the facts in the SWIFT opinion are 
relevant to the national security screening procedures contemplated 
under PVS. In SWIFT, financial information was collected and then 
transferred to U.S. intelligence and such transfer was accomplished 
without notifying the affected individuals. Neither of those actions is 
contemplated by PVS.
    Similarly, USAID does not believe that article 25 of the EU 
Directive will be violated as PVS is being designed to provide more 
than ``an adequate level of protection.'' For more information on this 
point, see the response to data security and other related concerns in 
this final rule. In any event, USAID is not inclined to ease or 
otherwise dilute its information requirements because European data 
protection authorities possibly might view PVS as a system that will 
not adequately protect information provided.

Consultation With Partners

    A number of organizations expressed concern over the lack of prior 
consultation between USAID and its traditional implementing partners. 
In particular, (i) the timing of the publication of the PVS notices in 
the Federal Register (mid-July) and (ii) the statement in the Privacy 
Act System of Records notice that the new system of records would 
become effective on the same date that comments on that notice were due 
have generated questions about USAID's willingness to effectively and 
transparently engage the NGO community in a dialogue on PVS.
    Administrative regulations prevented USAID from discussing 
specifics of the proposed PVS prior to publication of the Federal 
Register notices. However, to remedy this perceived oversight in 
communication, USAID convened a number of outreach sessions with its 
NGO partners. Moreover, USAID considered seriously all comments 
submitted by the NGOs in response to the four Federal Register notices, 
as reflected in this final rule. In any event, it should be pointed out 
that by no means did USAID ``slip'' notice of the proposed PVS into the 
Federal Register in mid-summer to avoid meaningful review and comment 
by the NGO community. Publication of the PVS notices was approved by 
USAID leadership in April 2007. Following that decision, USAID staff 
engaged in consultations with OMB for several months, discussing both 
procedural and substantive aspects of the proposed PVS and the required 
notices. In addition, internal USAID procedures governing publication 
of notices in the Federal Register had to be followed, further delaying 
publication. It was not until July 2007 that all prerequisite steps for 
publication had been satisfied. Thus, publication at that time was 
merely the next logical step in the administrative process and not the 
result of any intention on the part of USAID to sneak these notices by 
a vacationing NGO community.
    Similarly, the effective date selected for the PVS system of 
records does not reflect unwillingness on USAID's part to give serious 
consideration to and incorporate into the proposed PVS, as appropriate, 
comments submitted by the NGOs in response to the PVS notices.
    The Privacy Act System of Records notice for PVS was published in 
the Federal Register for public comment on July 17, 2007. The notice 
provided that written comments must be received on or before August 27, 
2007. The notice went on to state that unless there is further notice 
in the Federal Register, the new system of records would become 
effective on August 27, 2007. This did not mean that USAID would not 
review comments or that USAID would not take these comments into 
account as decisions were being made on whether to or how to implement 
the PVS.
    USAID was required to select a date to insert in the System of 
Records Notice at which time the system of records would become 
effective. Effectiveness of the PVS system of records on August 27, 
2007 in no way indicated that the proposed PVS was approved on that 
date, that it became operational on that date, or that comments 
received in response to any of the four notices would be ignored. As 
demonstrated by USAID subsequent to the August 27, 2007 date, the 
Agency has been ready, willing and able to continue the dialogue with 
the NGOs and to ensure that approval of PVS only would be granted once 
the recommendations, concerns and comments of the NGOs have fully been 
reviewed and considered by USAID.
    As previously indicated, on October 2, 2007, USAID published a 
fourth notice in the Federal Register. That notice, issued pursuant to 
the Paperwork Reduction Act, republished and amended the notice 
previously

[[Page 14]]

published by USAID on July 23, 2007, and contains the proposed Partner 
Information Form, which will be used during the pilot phase of PVS. The 
form was developed with guidance from the USAID Mission in West Bank 
and Gaza, in response to recommendations made by the GAO and in 
compliance with all administrative approvals and with requirements set 
by the intelligence community. Comments on this fourth notice were due 
on or before December 3, 2007, and the Partner Information Form was 
approved by OMB on August 19, 2008. All comments received in response 
to this fourth notice have been taken into account by USAID.

Risk to Partners

    Some organizations claimed in their comments that there were 
considerable dangers associated with USAID using its implementing 
partners for U.S. law enforcement or intelligence purposes in foreign 
countries and that this could lead to retaliation by foreign 
governments against partner employees and employees of subs of 
partners.
    First of all, PVS is not, and should not be characterized as, a 
system in which USAID implementing partners will be acting as agents 
for U.S. law enforcement or intelligence activities. Rather, PVS simply 
is an additional mechanism for USAID to use in determining the 
eligibility of organizations applying for U.S. funds. Such applicants 
already provide information to USAID on its management personnel and on 
key employees as part of the application and evaluation process. PVS 
merely requires applicants to provide additional information in that 
process. In no way should this exercise be viewed as law enforcement or 
intelligence gathering.
    Further, as previously communicated to the NGO community, one of 
the purposes of PVS is to enhance the safety overseas of both USAID 
personnel and officials and employees of USAID's partners. Ensuring 
that principal individuals, officers, directors or other employees are 
not associated with terrorists or terrorism, where such individuals 
will be working with USAID Missions and will be implementing USAID 
foreign assistance activities alongside other partner employees, can 
only improve safety and reduce the risk of kidnapping, assassination or 
injury.

Public Comment Period

    Concerns were expressed that the time periods made available for 
public comment did not afford the NGO community adequate time to 
prepare comments or for USAID to carefully consider and respond to 
these comments. It also was asserted that OMB regulations require USAID 
to provide between 60 and 90 days for comment. Consequently, NGOs have 
requested extension of the comment periods.
    USAID has followed all administrative requirements and provided a 
full 40-day comment period for the system of records notice, a full 60-
day comment period for the proposed rule, and a full 60-day comment 
period for both the original and amended information collection 
notices. All time limits are set by the Privacy Act and the Paperwork 
Reduction Act and no deviations to those time limits were requested by 
USAID.
    In any event, USAID did express its willingness to maintain a 
dialogue with the NGO community and with interested Congressional 
committee staff on PVS and associated notices. Expiration of the stated 
time periods for our public notices did not dictate when PVS will be 
put into operation.

Procedural Specifics

    Some comments received expressed concern over the lack of specifics 
with respect to PVS procedures. For example, questions were raised over 
the type and extent of information to be requested by USAID, which 
people will be screened, and how long information provided to USAID 
will be retained. The perceived lack of procedural specifics also 
resulted in fears that USAID would compile a secret blacklist of 
ineligible grant applicants, that individuals whose identifying data 
match data in an intelligence community database will not be told of 
the source of this match and that NGO applicants will be unable to 
appeal or dispute denials of their applications for funding.
    While some of the procedures attendant to PVS already have been 
agreed upon, other procedures remain to be developed as part of the 
Agency's guidance and protocol development process. For example, as 
stated in the system of records notice published in the Federal 
Register, a retention and disposition schedule will need to be 
developed for PVS. Currently, in West Bank and Gaza, required 
information is submitted by applicants via paper. However, USAID's 
Office of Security is working with a contractor to design a secure 
portal to permit applicants to submit data electronically. With respect 
to retention of records generated under PVS, it is likely that the same 
rules applicable to documents submitted to the U.S. Government under 
acquisition and assistance activities will be made applicable to 
information submitted under PVS. In any event, should implementation of 
PVS be approved by the incoming Obama Administration, all these 
procedures would be fleshed out during the guidance policy and protocol 
development process leading up to the initiation of PVS and then 
adjusted as USAID gathers information and experience.
    Once specific procedures for PVS have been agreed upon, they will 
be published by USAID in its ADS and, as appropriate, in applicable 
regulation. Current operation of vetting and other related procedures 
in West Bank and Gaza can be found in Mission Order No. 21 and may 
provide a solid basis for the proposed implementation of PVS for other 
programs.
    USAID will not maintain in its files any information other than 
information provided by applicants, maintained in the USAID PVS system 
of records, and information that constitutes related administrative 
records. Screening of an organization will consist of a review of 
potential derogatory information regarding principal individuals of the 
organization or the organization itself. Results of this screening will 
be recorded to document actions taken concerning the award for which 
the organization was screened. Results will not be utilized to create 
lists of organizations which would then be used for subsequent 
screening, which is what is suggested by allegations that there will be 
a secret blacklist. Instead, whether an organization is being screened 
for the first time or whether screening is being conducted at 
subsequent dates, screening will be conducted through the same original 
process.
    Moreover, as previously indicated, award decisions will not be 
based simply on whether there has been a match with respect to one or 
more principal individuals of an organization and information contained 
in a terrorism database. Instead, USAID will review the intelligence 
behind the match. This review will include consideration of the 
severity of the information, the reliability of the source, 
corroboration, if any, etc. As previously stated, USAID cannot confirm 
or deny a person's appearance in a terrorism database. Nevertheless, 
any denial of funding by USAID as a result of PVS screening will be 
accompanied by a reason for that denial and an opportunity for the 
organization to appeal administratively. The amount of information 
provided to a denied applicant will be dependent on the sensitivity of 
the information, i.e., whether some or all of the information is 
classified and, if so, how much of that

[[Page 15]]

information can be released without compromising investigative or 
operational interests.

Unconstitutionally Vague

    It was asserted in some of the comments received that USAID's 
description of the purpose of the proposed PVS in the Federal Register 
notices, i.e., to ensure that neither USAID funds nor USAID-funded 
activities inadvertently or otherwise provide support to entities or 
individuals ``associated with terrorism,'' was Constitutionally vague. 
In support of this position, reference was made to Humanitarian Law 
Project v. Treasury, a case decided in the Central District of 
California in November 2006. In that decision, provisions of Executive 
Order 13224 referencing people and groups ``otherwise associated'' with 
terrorism were held to be impermissibly vague.
    It should be noted that in April 2007, the Humanitarian Law Project 
court granted the U.S. Government's motion for reconsideration. The 
court ruled that the regulation issued by the OFAC defining the 
``otherwise associated with'' provision of Executive Order 13224 
remedied the provision's ``Constitutional defects''. In addition, the 
court also vacated its order and decision finding that the President's 
designation authority under Executive Order 13224 was 
unconstitutionally vague and overbroad.
    It also should be noted that violations of OFAC-administered 
economic sanctions activities may result in imposition of civil fines 
and/or criminal penalties. PVS, on the other hand, is being designed to 
help determine whether applicants for USAID funds are responsible, 
suitable or otherwise eligible to receive these funds. The legal 
standards applicable to imposition of civil fines or criminal penalties 
for violation of sanctions differ substantially from the legal 
standards applicable to denial of Federal grants and other funding. 
Accordingly, analogies between the Humanitarian Law Project case and 
the proposed PVS are misplaced.
    While the development of a static template which listed all 
applicable criteria or a point scoring system which would 
scientifically identify individuals and entities ``associated with 
terrorism'' may be preferred, such an approach, if even feasible, would 
prove to be an inefficient and ineffective way to address the issue of 
funds or other support flowing to terrorists or terrorist organizations 
or for terrorist activities. USAID needs to have the ability to be 
flexible in its analysis so that the Agency can adapt to the range of 
activities and the range of circumstances surrounding implementation of 
the U.S. foreign assistance program. The proposed PVS includes a 
process where all data available to USAID on applicants will be 
reviewed at various levels within the Agency. This information will be 
checked for accuracy, relevance, timeliness, reliability, etc. Foreign 
policy and other related views of the country team also can be taken 
account. In addition, USAID has been working closely with the 
Department of Justice to ensure that due process and other relevant 
legal rights are incorporated into the design and implementation of 
PVS.
    Based upon all of the above, USAID believes that PVS meets all 
applicable legal standards.

Data Security

    Concern was expressed over the security of records maintained by 
USAID under PVS, particularly in overseas locations. An example 
provided was GAO criticism of the security of information held in West 
Bank and Gaza. Concern also was expressed about who would have access 
to data maintained in PVS. Specifically, questions were raised about 
the propriety of ``authorized'' USAID contractors having access to the 
data involving other contractors and involving all grantees.
    In response to vetting database weaknesses identified by both the 
GAO and OIG, the Mission for West Bank and Gaza has incorporated a 
number of improvements in its system. For example, vetting reports that 
previously had been held in an unlocked file cabinet now are stored in 
secure, locked cabinets. The Mission also has developed user 
requirements, system architecture, data dictionaries, and user manuals 
for its vetting system. PVS will, of course, take advantage of all 
these improved methods.
    On an Agency-wide basis, USAID's information security program is 
considered to be exceptional. USAID is required to report annually on 
Federal Information Security Act compliance, both to OMB and to the 
House of Representatives. Additionally, the program is audited by the 
USAID OIG. The House Oversight and Government Reform committee issues 
each year a governmentwide scorecard rating all agencies. For each of 
the past four years, USAID has been rated at the A+ level.
    In structuring USAID's ``award winning'' computer security program, 
the Office of the Chief Information Officer has deployed a very robust 
and sophisticated set of technical defenses on USAID's network. In 
addition, USAID has a very strong security awareness training program.
    The PVS system will be housed in USAID headquarters in Washington, 
DC, within the Agency's firewall and on USAID servers. When an 
authorized user of PVS accesses the application through the USAID 
intranet, the user's network credentials will be authenticated. PVS 
will limit the user's capability to view personally identifiable data 
and operate the system based on the user's roles configured within the 
system. Policy will dictate that each user will be assigned only those 
roles required to perform his or her job function within the system. 
All personally identifiable information will be protected in accordance 
with the Privacy Act.
    Specific retention and disposition instructions will be formulated 
by USAID at a later date as policy makers are better informed by the 
proposed pilot for PVS. Typical disposition instructions for electronic 
data include archiving and later destruction, as well as specified 
periods of time for such actions.

Evidence of Effectiveness

    One organization indicated that its objections to PVS are based on 
its research and advocacy relating to charities and counterterrorism 
programs. The organization stated that it had found that similar 
programs tended to create barriers to effective delivery of aid 
programs, to discourage small NGO application for grants, and to 
alienate international partners. However, the organization did not 
provide any data or other information to support its claims.
    USAID recognizes that any additional requirement (whether PVS 
related or otherwise) will affect the delivery of assistance. The goal 
of USAID is to achieve the purpose behind any new requirement in the 
most efficient manner that will minimize any potential negative impact 
on implementation of activities. In the experience of USAID's Mission 
in West Bank and Gaza, the most significant negative impact of vetting 
over the past five years or so has been delay. Vetting conducted 
manually with limited dedicated resources resulted in backlogs well in 
excess of 3,500 names. Delays in processing these vetting requests 
clearly caused significant barriers to effective delivery of aid. This, 
however, further underlines the need to have a comprehensive, 
systematic and automated system for vetting requests to be processed 
formally and electronically, rather than on an ad-hoc basis. Under such 
a program, it is expected that delays encountered by the Mission in 
West

[[Page 16]]

Bank and Gaza will significantly be reduced during implementation of 
PVS for subsequent programs.
    The suggestion that small NGOs are discouraged from applying for 
grants seems to be based on anecdotal evidence. USAID's experience in 
the West Bank and Gaza can neither confirm nor deny this hypothesis as 
data is not collected on number of potential partners that may abstain 
from applying for assistance. The Mission for West Bank and Gaza does, 
however, provide assistance to a large number of small NGOs and those 
NGOs are indeed vetted. To the extent that some small NGOs may be 
apprehensive about vetting, it is hoped that the transparency, public 
information and education, and comment periods surrounding the PVS 
public notice process will provide assurances about the uses of the 
system and its safeguards, and help dispel any extreme rumors about the 
system.
    The same response largely is applicable to the situation with 
international partners. Concerns raised by international partners in 
the West Bank and Gaza may reflect the uniqueness of vetting to that 
program. International partners not accustomed to working in countries 
or programs where PVS may be implemented may be less comfortable than 
partners that have worked in those countries or with those programs for 
years. If PVS is implemented, such apprehensions should subside.

Inaccuracies and Errors

    Comments received suggest that government watch lists are 
inaccurate. Recently, the Department of Justice's Inspector General 
reported that these lists continue ``to have significant weaknesses,'' 
producing a high error rate and a slow response to complaints from 
citizens. Since PVS proposes to utilize such terrorism databases, 
concerns have been expressed that USAID vetting will generate numerous 
``false positives.''
    Although the watch list error rate actually is quite low, the 
intelligence community continues to seek improvement in the terrorist 
screening process. While the intelligence community will continue to 
observe all privacy rules and policies, it also seeks to improve its 
information technology capabilities by researching and developing the 
latest computerized name-matching programs to ensure the highest watch 
list data quality. In fact, in an October 2007 report on Terrorist 
Watch List Screening, the GAO recommended that the intelligence 
community prepare plans to facilitate expanded and enhanced use of the 
watch list.
    In any event, decisions by USAID under PVS as to whether or not to 
award funds to applicants will not be based on the mere fact that there 
is a ``match'' between information provided by an applicant and 
information contained in these terrorism databases. Rather, USAID will 
determine whether any such match is valid or is a false positive. The 
detailed identifying information required of applicants under the PVS 
will help minimize instances of individuals being misidentified.

Lack of Office of Management and Budget (OMB) Involvement

    Some comments suggested that clearance or other involvement of OMB 
in the PVS process was not obtained by USAID. More specifically, it was 
asserted that USAID overlooked its responsibilities under Executive 
Order 12866 concerning the determination that PVS is not a 
``significant'' regulatory action.
    As required by OMB Circular A-130, USAID provided appropriate 
materials (cover letter, system of records notice, proposed rule) to 
OMB as well as to the Senate Committee on Homeland Security and 
Government Affairs and the House Committee on Government Reform. The 
proposed rule contained a statement that USAID had determined that it 
was not a significant regulatory action and, therefore, is not subject 
to review under Executive Order 12866. OMB agreed with this 
determination, and cleared the proposed rule for publication in the 
Federal Register. OMB continues to view this rule as not a significant 
regulatory action. Consistent with the requirements of the 
Congressional Review Act, USAID is submitting this final rule to each 
house of Congress and to OMB. This submittal includes USAID's 
determination that it is not a major rule. USAID has kept OMB apprised 
of the procedures being followed to establish PVS and has engaged in 
consultations with OMB prior to the publication of the notices in the 
Federal Register, during the comment periods, and after the comment 
periods closed. Where clearance from OMB is required, USAID is 
complying with these clearance requirements by consulting with OMB as 
necessary.

E. Impact Assessment

Regulatory Planning and Review

    This is not a significant regulatory action and, therefore, is not 
subject to review under section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

Regulatory Flexibility Act

    Pursuant to requirements set forth in the Regulatory Flexibility 
Act (RFA) (5 U.S.C. 601 et seq.), USAID has considered the economic 
impact of the rule and has determined that its provisions would not 
have a significant economic impact on a substantial number of small 
entities.

Paperwork Reduction Act

    The Paperwork Reduction Act does apply because the proposed changes 
impose information collection requirements that require the approval of 
the Office of Management and Budget under 44 U.S.C. 3601 et seq.

Lists of Subjects in 22 CFR Part 215

    Freedom of Information, Investigations, Privacy.

Regulatory Text

0
For the reasons stated in the preamble, USAID amends 22 CFR part 215 as 
follows:

PART 215--REGULATIONS FOR IMPLEMENTATION OF PRIVACY ACT OF 1974

0
1. The authority citation for 22 CFR part 215 is revised to read as 
follows:

    Authority: Public Law 93-579, 88 Stat. 1896 (5 U.S.C. 553, (b), 
(c), and (e))


0
2. Amend Sec.  215.13 by adding paragraph (c)(2) to read as follows:


Sec.  215.13  General exemptions.

* * * * *
    (c) * * *
    (2) Partner Vetting System. This system is exempt from sections 
(c)(3) and (4); (d); (e)(1), (2), and (3); (e)(4)(G), (H), and (I); 
(e)(5) and (8); (f), (g), and (h) of 5 U.S.C. 552a. These exemptions 
are necessary to insure the proper functioning of the law enforcement 
activity, to protect confidential sources of information, to fulfill 
promises of confidentiality, to maintain the integrity of law 
enforcement procedures, to avoid premature disclosure of the knowledge 
of criminal activity and the evidentiary basis of possible enforcement 
actions, to prevent interference with law enforcement proceeding, to 
avoid the disclosure of investigative techniques, to avoid endangering 
law enforcement personnel, to maintain the ability to obtain candid and 
necessary information, to fulfill commitments made to sources to 
protect the confidentiality of information, to avoid endangering these 
sources, and to

[[Page 17]]

facilitate proper selection or continuance of the best applicants or 
persons for a given position or contract. Although the primary 
functions of USAID are not of a law enforcement nature, the mandate to 
ensure USAID funding is not purposefully or inadvertently used to 
provide support to entities or individuals deemed to be a risk to 
national security necessarily requires coordination with law 
enforcement and intelligence agencies as well as use of their 
information. Use of these agencies' information necessitates the 
conveyance of these other systems exemptions to protect the information 
as stated.
0
3. Amend Sec.  215.14 by adding the heading ``Note to paragraph 
(c)(5)'' to the undesignated text at the end of the section and 
paragraph (c)(6) to read as follows:


Sec.  215.14  Specific exemptions.

* * * * *
    (c) * * *
    (6) Partner Vetting System. This system is exempt under 5 U.S.C. 
552a (k)(1), (k)(2), and (k)(5) from the provision of 5 U.S.C. 552a 
(c)(3); (d); (e)(1); (e)(4)(G), (H), (I); and (f). These exemptions are 
claimed to protect the materials required by executive order to be kept 
secret in the interest of national defense or foreign policy, to 
prevent subjects of investigation from frustrating the investigatory 
process, to insure the proper functioning and integrity of law 
enforcement activities, to prevent disclosure of investigative 
techniques, to maintain the ability to obtain candid and necessary 
information, to fulfill commitments made to sources to protect the 
confidentiality of information, to avoid endangering these sources, and 
to facilitate proper selection or continuance of the best applicants or 
persons for a given position or contract.

    Dated: December 23, 2008.
Randy T. Streufert,
Director, Office of Security.
[FR Doc. E8-31131 Filed 12-31-08; 8:45 am]
BILLING CODE 6116-01-P