Privacy Act of 1974; Implementation, 71378-71381 [2016-24536]
Download as PDF
<![CDATA[
71378
Federal Register / Vol. 81, No. 200 / Monday, October 17, 2016 / Rules and Regulations
Export Administration Regulations (15 CFR
parts 730 through 774) may require separate
authorization from the Department of
Commerce.
*
*
*
*
*
22. Revise § 515.581 to read as
follows:
■
§ 515.581 Transactions related to
conferences in third countries.
Persons subject to U.S. jurisdiction
are authorized to sponsor, organize, or
provide services in connection with, as
well as participate in, conferences or
other similar events in a third country
that are attended by Cuban nationals.
Note to § 515.581: The export or reexport
to Cuba of technology subject to the Export
Administration Regulations (15 CFR parts
730 through 774) may require separate
authorization from the Department of
Commerce.
23. Amend § 515.584 by revising
paragraphs (c) and (f) to read as follows:
■
§ 515.584 Certain financial transactions
involving Cuba.
*
*
*
*
*
(c) Credit and debit cards. All
transactions incident to the processing
and payment of credit and debit cards
involving travel-related and other
transactions consistent with § 515.560
are authorized.
*
*
*
*
*
(f) Any banking institution, as defined
in § 515.314, that is a person subject to
U.S. jurisdiction is authorized to
provide financing for exports or
reexports of items, other than
agricultural commodities, authorized
pursuant to § 515.533, including
issuing, advising, negotiating, paying, or
confirming letters of credit (including
letters of credit issued by a financial
institution that is a national of Cuba),
accepting collateral for issuing or
confirming letters of credit, and
processing documentary collections.
*
*
*
*
*
■ 24. Amend § 515.585 by revising
paragraph (c), removing the note to
paragraph (c), adding paragraph (d), and
amending Note 3 and Note 4 to
§ 515.585 to read as follows:
§ 515.585 Certain transactions in third
countries.
jstallworth on DSK7TPTVN1PROD with RULES
*
*
*
*
*
(c) Individuals who are persons
subject to U.S. jurisdiction who are
present in a third country are authorized
to purchase or acquire merchandise
subject to the prohibitions in § 515.204,
including Cuban-origin goods, and to
receive or obtain services in which Cuba
or a Cuban national has an interest that
are ordinarily incident to travel and
maintenance within that country.
VerDate Sep<11>2014
14:00 Oct 14, 2016
Jkt 241001
(d) Individuals who are persons
subject to U.S. jurisdiction are
authorized to import into the United
States as accompanied baggage
merchandise subject to the prohibitions
in § 515.204, including Cuban-origin
goods, that is purchased or acquired in
a third country, provided that the
merchandise is imported for personal
use only.
*
*
*
*
*
Note 3 to § 515.585: Except as provided in
paragraphs (c) and (d) of this section, this
section does not authorize any transactions
prohibited by § 515.204.
Note 4 to § 515.585: The export or reexport
to Cuba of goods (including software) or
technology subject to the Export
Administration Regulations (15 CFR parts
730 through 774) may require separate
authorization from the Department of
Commerce.
25. Add § 515.590 to subpart E to read
as follows:
■
§ 515.590 Certain grants, scholarships,
and awards.
The provision of grants, scholarships,
or awards relating to the following
activities to a Cuban national or in
which Cuba or a Cuban national
otherwise has an interest is authorized:
(a) Educational activities;
(b) Humanitarian projects, as set forth
in § 515.575(b);
(c) Scientific research; and
(d) Religious activities.
■ 26. Add § 515.591 to subpart E to read
as follows:
Persons subject to the jurisdiction of
the United States are authorized to
provide to Cuba or Cuban nationals
services related to developing, repairing,
maintaining, and enhancing Cuban
infrastructure that directly benefit the
Cuban people, provided that those
services are consistent with the export
or reexport licensing policy of the
Department of Commerce. For the
purposes of this section, infrastructure
means systems and assets used to
provide the Cuban people with goods
and services produced or provided by
the public transportation, water
management, waste management, nonnuclear electricity generation, and
electricity distribution sectors, as well
as hospitals, public housing, and
primary and secondary schools. This
authorization includes projects related
to the environmental protection of U.S.,
Cuban, and international air quality,
waters, and coastlines.
Note 1 to § 515.591: For provisions related
to transactions ordinarily incident to the
Frm 00054
Fmt 4700
Sfmt 4700
Note 2 to § 515.591: See § 515.564 for a
general license authorizing travel-related and
other transactions incident to professional
research and professional meetings in Cuba,
§ 515.533(c) for a general license authorizing
travel-related and other transactions relating
to certain exports and reexports to Cuba, and
§ 515.575(a) for a general license authorizing
transactions, including travel-related
transactions, related to certain humanitarian
projects.
Subpart H—Procedures
§ 515.803
■
[Removed]
27. Remove § 515.803 from subpart H.
Dated: October 11, 2016.
John E. Smith,
Acting Director, Office of Foreign Assets
Control.
[FR Doc. 2016–25032 Filed 10–14–16; 8:45 am]
BILLING CODE 4810–AL–P
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 310
[Docket ID: DOD–2016–OS–0059]
Privacy Act of 1974; Implementation
Office of the Secretary of
Defense, DoD.
ACTION: Final rule.
AGENCY:
§ 515.591 Services related to
infrastructure.
PO 00000
exportation or reexportation of items to Cuba,
see §§ 515.533 and 515.559. See § 746.2(b) of
the Export Administration Regulations (15
CFR parts 730 through 774) for the
Department of Commerce’s Cuba licensing
policy.
The Office of the Secretary of
Defense is exempting records
maintained in DUSDI 01-DoD,
‘‘Department of Defense (DoD) Insider
Threat Management and Analysis
Center (DITMAC) and DoD Component
Insider Threat Records System,’’ from
subsections (c)(3) and (4); (d)(1), (2), (3),
and (4); (e)(1), (2), (3), (4)(G), (H), and
(I), (5), and (8); and (g) of the Privacy
Act.
In addition, in the course of carrying
out collections and analysis of
information in connection with the
operations of the DITMAC and DoD
Component insider threat programs,
exempt records received from other
systems of records may become part of
this system. To the extent that copies of
exempt records from those other
systems of records are maintained in
this system, the Department also claims
the same exemptions for the records
from those other systems that are
maintained in this system, as claimed
SUMMARY:
E:\FR\FM\17OCR1.SGM
17OCR1
Federal Register / Vol. 81, No. 200 / Monday, October 17, 2016 / Rules and Regulations
jstallworth on DSK7TPTVN1PROD with RULES
for the original primary system of which
they are a part.
DATES: Effective Date: This rule is
effective October 17, 2016.
FOR FURTHER INFORMATION CONTACT:
Cindy Allard, Chief, of the Defense
Privacy, Civil Liberties, and
Transparency Division, 703–571–0070.
SUPPLEMENTARY INFORMATION:
Background
The DITMAC was established by the
Under Secretary of Defense for
Intelligence in order to consolidate and
analyze insider threat information
reported by the DoD Component insider
threat programs mandated by
Presidential Executive Order 13587,
issued October 7, 2011, which required
Federal agencies to establish an insider
threat detection and prevention program
to ensure the security of classified
networks and the responsible sharing
and safeguarding of classified
information consistent with appropriate
protections for privacy and civil
liberties. For purposes of this system of
records, the term ‘‘insider threat’’ is
defined in the Minimum Standards for
Executive Branch Insider Threat Task
Force based on direction provided in
Section 6.3(b) of Executive Order 13587.
The DITMAC helps prevent, deter,
detect, and/or mitigate the potential
threat that personnel, including DoD
military personnel, civilian employees,
and contractor personnel, who have or
had been granted eligibility for access to
classified information or eligibility to
hold a sensitive position may harm the
security of the United States. This threat
can include damage to the United States
through espionage, terrorism,
unauthorized disclosure of national
security information, or through the loss
or degradation of departmental
resources or capabilities.
The system of records will be used to
analyze, monitor, and audit insider
threat information for insider threat
detection and mitigation within DoD on
threats that persons who have or had
been granted eligibility for access to
classified information or eligibility to
hold sensitive positions may pose to
DoD and U.S. Government installations,
facilities, personnel, missions, or
resources. The system of records will
support the DITMAC and DoD
Component insider threat programs,
enable the identification of systemic
insider threat issues and challenges, and
provide a basis for the development and
recommendation of solutions to deter,
detect, and/or mitigate potential insider
threats. It will assist in identifying best
practices among other Federal
Government insider threat programs,
VerDate Sep<11>2014
14:00 Oct 14, 2016
Jkt 241001
through the use of existing DoD
resources and functions and by
leveraging existing authorities, policies,
programs, systems, and architectures.
Public Comments
The Department of Defense published
a proposed Privacy Act exemption rule
for its Insider Threat Management and
Analysis Center (DITMAC) and DoD
Component Insider Threat Records
Systems (hereafter Insider Threat) on
May 19, 2016 (81 FR 31561). The
Department of Defense received
comments from seven submitters related
to a proposed Federal Rulemaking
(docket: DOD–2016–OS–0059,
published May 19, 2016) relating to a
Privacy Act exemption rule for the
Department of Defense (DoD) Insider
Threat Management and Analysis
Center (DITMAC) and DoD Component
Insider Threat Records System
(hereafter Insider Threat). In addressing
comments submitted to this proposed
Privacy Act exemption rule, the
Department notes that such rules do not
mandate exemptions in every instance,
and are not intended to apply to all
records, but must be reviewed in each
specific case.
Two commenters were opposed to the
proposed exemption rule but did not
provide specific concerns; an additional
commenter provided a number of
proposals for the Insider Threat program
at large, as well as one addressing an
access concern which is addressed in
the access discussion.
The largest number of comments
related to the proposed exemption from
the access provisions of the Privacy Act
(5 U.S.C. 552a(d)(1), (2), (3), and (4)).
The Department notes that the specific
exemptions upon which the access
limitation is based are generally
predicated on ‘‘the identity of a source
who furnished information to the
Government under an express promise
that the identity of the source would be
held in confidence’’ found in 5 U.S.C.
552a(k)(2), (5), and (7). One of these
commenters raised concerns that the
‘‘largest and most common sources
providing information to the DITMAC
provide such information under a
general promise of confidentiality.’’ It is
not clear to the Department which
sources the commenter believes are
providing information under a general
promise of confidentiality, but the
language used in exemptions (k)(2), (5),
and (7) requires an ‘‘express promise’’
(if promised after the Act took effect).
This is normally done on a case-by-case
basis. One commenter noted that ‘‘it is
important to allow people as much
access as possible to the data being
collected about them, so that they can
PO 00000
Frm 00055
Fmt 4700
Sfmt 4700
71379
make informed decisions about what to
do in the event of a data loss.’’ In
response, the Department anticipates
providing access rights, except in those
specific cases where an exemption rule
would appropriately apply. In view of
the earlier discussion in this paragraph,
DoD anticipates exercising access
exemption rules as the exception rather
than the norm.
Another commenter was also
particularly concerned that ‘‘it would
become entirely possible that qualified
Soldiers might unknowingly become
flagged as non-promotable for being a
possible insider threat.’’ We note first
that when exercising the (k)(7)
exemption, the Department uses
reasonable segregability to provide the
maximum amount of the record to the
subject while honoring the express
promise of confidentiality to the source.
Moreover, the Department notes that the
Insider Threat system of records is not
a source of information for the
promotion selection process.
Several comments also addressed the
proposed exemption from the
amendment provisions of the Privacy
Act. The Insider Threat Hubs will
aggregate information from a number of
sources, the first of which is the subject
of the record. Since the subjects of
Insider Threat records are cleared
personnel, the most appropriate place
for them to address a factual error is
with the appropriate DoD source (e.g.,
human resources offices for human
resources records or the security officer
for personnel security concerns). Insider
Threat records are updated at scheduled
intervals or upon a specified query for
current information and validated prior
to any investigative or administrative
action taken by a DoD Component.
One commenter noted that the
collections and proposed exemptions
asserted by the Department of Defense
were overly extensive and would
diminish accountability:
DoD claims the authority to collect any
information it wants without disclosing
where it came from or even acknowledging
its existence. The net result of these
exemptions, coupled with DoD’s proposal to
collect and retain virtually unlimited
information unrelated to any purpose
Congress delegated to the agency, would be
to diminish the legal accountability of the
agency’s information collection activities.
In response, disclosure could interfere
with or reveal information relating to
actual or potential criminal, civil, or
administrative investigations or actions.
DoD further notes that it identified the
varied sources of Insider Threat
information in the System of Records
Notice and has asserted exemptions to
protect from disclosure sources
E:\FR\FM\17OCR1.SGM
17OCR1
jstallworth on DSK7TPTVN1PROD with RULES
71380
Federal Register / Vol. 81, No. 200 / Monday, October 17, 2016 / Rules and Regulations
expressly promised confidentiality
(pursuant to 5 U.S.C. 552a(k)(2), (5), and
(7) as discussed above). Such promises
apply to a relatively narrow scope of
DoD records. If DoD were not able to
provide such promises on a case-by-case
basis, they would find it difficult, if not
impossible, to gather candid
information that is not generally known,
precisely the type of information needed
to make well-informed assessments of
behavior (and potential behavior) to
identify and address insider threats. As
previously mentioned, exemption rules
do not mandate the application of
exemptions in every instance, are not
intended to apply to all records, and
will be applied on a case-by-case basis.
The commenter claims that DoD
‘‘contemplates collecting information
that will not be relevant or necessary to
a specific investigation’’ and that ‘‘the
inability to determine, in advance,
whether information is accurate,
relevant, timely, and complete
precludes its agents from complying
with the obligation to ensure that the
information meets these criteria after it
is stored.’’ In response, the Department
notes that it is implementing an insider
threat program required by Executive
Order as well as by Public Law (e.g.,
Public Law 112–81, Title IX, Section
922, (10 U.S.C. 2224 note), Insider
Threat Detection). The statutory note
requires the use of anomaly detection
techniques, which logically require
ingestion of non-anomalous information
in order to identify anomalous
information. Further, the purpose of the
Insider Threat program is to identify
potential insider threat behavior; cases
of concern are referred to the
appropriate DoD or Federal investigative
entity. DoD takes seriously its
requirement under the Privacy Act to
‘‘balance the Government’s need to
maintain information about individuals
with the rights of those individuals to be
protected from unwarranted invasions
of their privacy.’’
There were no comments related to
the exemption of the access provisions
through (k)(1), pertaining to classified
information; (k)(4), applicable to records
required by statute to be maintained and
used solely as statistical records; or
(k)(6), testing or examination material
used solely to determine individual
qualifications for appointment or
promotion in the Federal service the
disclosure of which would compromise
the objectivity or fairness of the testing
or examination process. The Department
also asserted an access exemption under
(j)(2), which addresses law enforcement
activities, which did not receive
comment.
VerDate Sep<11>2014
14:00 Oct 14, 2016
Jkt 241001
DoD made no changes to the
regulatory text of the rule based on
public comments received.
Regulatory Procedures
Executive Order 12866, ‘‘Regulatory
Planning and Review’’ and Executive
Order 13563, ‘‘Improving Regulation
and Regulatory Review’’
It has been determined that this rule
is not a significant rule. This rule does
not (1) Have an annual effect on the
economy of $100 million or more or
adversely affect in a material way the
economy; a sector of the economy;
productivity; competition; jobs; the
environment; public health or safety; or
State, local, or tribal governments or
communities; (2) Create a serious
inconsistency or otherwise interfere
with an action taken or planned by
another Agency; (3) Materially alter the
budgetary impact of entitlements,
grants, user fees, or loan programs, or
the rights and obligations of recipients
thereof; or (4) Raise novel legal or policy
issues arising out of legal mandates, the
President’s priorities, or the principles
set forth in these Executive orders.
Public Law 96–354, ‘‘Regulatory
Flexibility Act’’ (5 U.S.C. Chapter 6)
It has been certified that this rule does
not have a significant economic impact
on a substantial number of small entities
because it is concerned only with the
administration of Privacy Act systems of
records within DoD. A Regulatory
Flexibility Analysis is not required.
Public Law 96–511, ‘‘Paperwork
Reduction Act’’ (44 U.S.C. Chapter 35)
It has been determined that this rule
does not impose additional information
collection requirements on the public
under the Paperwork Reduction Act of
1995 (44 U.S.C. 3501 et seq.).
Section 202, Public Law 104–4,
‘‘Unfunded Mandates Reform Act’’
It has been determined that this rule
does not involve a Federal mandate that
may result in the expenditure by State,
local and tribal governments, in the
aggregate, or by the private sector, of
$100 million or more and that it will not
significantly or uniquely affect small
governments.
Executive Order 13132, ‘‘Federalism’’
It has been determined that this rule
does not have federalism implications.
This rule does not have substantial
direct effects on the States, on the
relationship between the National
Government and the States, or on the
distribution of power and
responsibilities among the various
levels of government.
PO 00000
Frm 00056
Fmt 4700
Sfmt 4700
List of Subjects in 32 CFR Part 310
Privacy.
Accordingly, 32 CFR part 310 is
amended as follows:
PART 310 [AMENDED]
1. The authority citation for 32 CFR
part 310 continues to read as follows:
■
Authority: 5 U.S.C. 552a.
§§ 310.30 through 310.53 [Redesignated as
§§ 310.31 through 310.54]
2. Redesignate § 310.30 through
§ 310.53 as § 310.31 through § 310.54.
■ 3. In Subpart F, add a new § 310.30 to
read as follows:
■
§ 310.30
DoD-wide exemptions.
(a) Use of DoD-wide exemptions. DoDwide exemptions for DOD-wide systems
of records are established pursuant to 5
U.S.C. 552a(j) and (k) of the Privacy Act.
(b) Promises of confidentiality. (1)
Only the identity of sources that have
been given an express promise of
confidentiality may be protected from
disclosure under paragraphs (d)(3)(i),
(ii), and (iii) and (d)(4) of this section.
However, the identity of sources who
were given implied promises of
confidentiality in inquiries conducted
before September 27, 1975, also may be
protected from disclosure.
(2) Ensure promises of confidentiality
are not automatically given but are used
sparingly. Establish appropriate
procedures and identify fully categories
of individuals who may make such
promises. Promises of confidentiality
shall be made only when they are
essential to obtain the information
sought (see 5 CFR part 736).
(c) Access to records for which DODwide exemptions are claimed. Deny the
individual access only to those portions
of the records for which the claimed
exemption applies.
(d) DoD-wide exemptions. The
following exemptions are applicable to
all components of the Department of
Defense for the following system(s) of
records:
(1) System identifier and name:
DUSDI 01-DoD ‘‘Department of Defense
(DoD) Insider Threat Management and
Analysis Center (DITMAC) and DoD
Component Insider Threat Records
System.’’
Exemption: This system of records is
exempted from subsections (c)(3) and
(4); (d)(1), (2), (3) and (4); (e)(1), (2), (3),
(4)(G)(H) and (I), (5) and (8); and (g) of
the Privacy Act pursuant to 5 U.S.C.
552a(j)(2) and (k)(1), (2), (4), (5), (6), and
(7).
(2) Records are only exempt from
pertinent provisions of 5 U.S.C. 552a to
E:\FR\FM\17OCR1.SGM
17OCR1
Federal Register / Vol. 81, No. 200 / Monday, October 17, 2016 / Rules and Regulations
the extent that such provisions have
been identified and an exemption
claimed for the record and the purposes
underlying the exemption for the record
pertain to the record.
(3) Exemption from the particular
subsections is justified for the following
reasons:
(i) Subsection (c)(3). To provide the
subject with an accounting of
disclosures of records in this system
could inform that individual of the
existence, nature, or scope of an actual
or potential law enforcement or
counterintelligence investigation, and
thereby seriously impede law
enforcement or counterintelligence
efforts by permitting the record subject
and other persons to whom he might
disclose the records to avoid criminal
penalties, civil remedies, or
counterintelligence measures. Access to
the accounting of disclosures could also
interfere with a civil or administrative
action or investigation which may
impede those actions or investigations.
Access also could reveal the identity of
confidential sources incident to Federal
employment, military service, contract,
and security clearance determinations.
(ii) Subsection (c)(4). This subsection
is inapplicable to the extent that an
exemption is being claimed for
subsection (d).
(iii) Subsection (d)(1). Disclosure of
records in the system could reveal the
identity of confidential sources and
result in an unwarranted invasion of the
privacy of others. Disclosure may also
reveal information relating to actual or
potential criminal investigations.
Disclosure of classified national security
information would cause damage to the
national security of the United States.
Disclosure could also interfere with a
civil or administrative action or
investigation; reveal the identity of
confidential sources incident to Federal
employment, military service, contract,
and security clearance determinations;
and reveal the confidentiality and
integrity of Federal testing materials and
evaluation materials used for military
promotions when furnished by a
confidential source.
(iv) Subsection (d)(2). Amendment of
the records could interfere with ongoing
criminal or civil law enforcement
proceedings and impose an impossible
administrative burden by requiring
investigations to be continuously
reinvestigated.
(v) Subsections (d)(3) and (4). These
subsections are inapplicable to the
extent exemption is claimed from (d)(1)
and (2).
(vi) Subsection (e)(1). It is often
impossible to determine in advance if
investigatory records contained in this
system are accurate, relevant, timely
and complete, but, in the interests of
effective law enforcement and
counterintelligence, it is necessary to
retain this information to aid in
establishing patterns of activity and
provide investigative leads.
(vii) Subsection (e)(2). To collect
information from the subject individual
could serve notice that he or she is the
subject of a criminal investigation and
thereby present a serious impediment to
such investigations.
(viii) Subsection (e)(3). To inform
individuals as required by this
subsection could reveal the existence of
a criminal investigation and
compromise investigative efforts.
(ix) Subsection (e)(4)(G), (H), and (I).
These subsections are inapplicable to
the extent exemption is claimed from
(d)(1) and (2).
(x) Subsection (e)(5). It is often
impossible to determine in advance if
investigatory records contained in this
system are accurate, relevant, timely
and complete, but, in the interests of
effective law enforcement, it is
necessary to retain this information to
aid in establishing patterns of activity
and provide investigative leads.
(xi) Subsection (e)(8). To serve notice
could give persons sufficient warning to
evade investigative efforts.
(xii) Subsection (g). This subsection is
inapplicable to the extent that the
system is exempt from other specific
subsections of the Privacy Act.
(4) In addition, in the course of
carrying out analysis for insider threats,
exempt records from other systems of
records may in turn become part of the
case records maintained in this system.
To the extent that copies of exempt
records from those other systems of
records are maintained into this system,
the DoD claims the same exemptions for
71381
the records from those other systems
that are entered into this system, as
claimed for the original primary system
of which they are a part.
Dated: October 5, 2016.
Aaron Siegel,
Alternate OSD Federal Register Liaison
Officer, Department of Defense.
[FR Doc. 2016–24536 Filed 10–14–16; 8:45 am]
BILLING CODE 5001–06–P
DEPARTMENT OF HOMELAND
SECURITY
Coast Guard
33 CFR Part 165
[Docket No. USCG–2016–0908]
Safety Zones; Fireworks Events in
Captain of the Port New York Zone
Coast Guard, DHS.
Notice of enforcement of
regulation.
AGENCY:
ACTION:
The Coast Guard will enforce
various safety zones within the Captain
of the Port New York Zone on the
specified date and time. This action is
necessary to ensure the safety of vessels
and spectators from hazards associated
with fireworks displays. During the
enforcement period, no person or vessel
may enter the safety zone without
permission of the Captain of the Port
(COTP).
SUMMARY:
The regulation for the safety
zones described in 33 CFR 165.160 will
be enforced on the date and time listed
in the table below.
FOR FURTHER INFORMATION CONTACT: If
you have questions on this notice, call
or email Petty Officer First Class Ronald
Sampert U.S. Coast Guard; telephone
718–354–4154, email ronald.j.sampert@
uscg.mil.
SUPPLEMENTARY INFORMATION:
The Coast Guard will enforce the
safety zones listed in 33 CFR 165.160 on
the specified dates and times as
indicated in Table 1 below. This
regulation was published in the Federal
Register on November 9, 2011 (76 FR
69614).
DATES:
jstallworth on DSK7TPTVN1PROD with RULES
TABLE 1
3. Tzell Travel Group Liberty Island Safety Zone 33 CFR
165.160(2.1).
VerDate Sep<11>2014
14:00 Oct 14, 2016
Jkt 241001
PO 00000
Frm 00057
Fmt 4700
• Launch site: A barge located in approximate position 40°41′16.5″ N.,
074°02′23″ W. (NAD 1983), approximately 360 yards east of Liberty
Island. This Safety Zone is a 240-yard radius from the barge.
• Date: October 27, 2016.
• Time: 8:50 p.m.–10:30 p.m.
Sfmt 4700
E:\FR\FM\17OCR1.SGM
17OCR1
]]>Agencies
[Federal Register Volume 81, Number 200 (Monday, October 17, 2016)]
[Rules and Regulations]
[Pages 71378-71381]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-24536]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 310
[Docket ID: DOD-2016-OS-0059]
Privacy Act of 1974; Implementation
AGENCY: Office of the Secretary of Defense, DoD.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Office of the Secretary of Defense is exempting records
maintained in DUSDI 01-DoD, ``Department of Defense (DoD) Insider
Threat Management and Analysis Center (DITMAC) and DoD Component
Insider Threat Records System,'' from subsections (c)(3) and (4);
(d)(1), (2), (3), and (4); (e)(1), (2), (3), (4)(G), (H), and (I), (5),
and (8); and (g) of the Privacy Act.
In addition, in the course of carrying out collections and analysis
of information in connection with the operations of the DITMAC and DoD
Component insider threat programs, exempt records received from other
systems of records may become part of this system. To the extent that
copies of exempt records from those other systems of records are
maintained in this system, the Department also claims the same
exemptions for the records from those other systems that are maintained
in this system, as claimed
[[Page 71379]]
for the original primary system of which they are a part.
DATES: Effective Date: This rule is effective October 17, 2016.
FOR FURTHER INFORMATION CONTACT: Cindy Allard, Chief, of the Defense
Privacy, Civil Liberties, and Transparency Division, 703-571-0070.
SUPPLEMENTARY INFORMATION:
Background
The DITMAC was established by the Under Secretary of Defense for
Intelligence in order to consolidate and analyze insider threat
information reported by the DoD Component insider threat programs
mandated by Presidential Executive Order 13587, issued October 7, 2011,
which required Federal agencies to establish an insider threat
detection and prevention program to ensure the security of classified
networks and the responsible sharing and safeguarding of classified
information consistent with appropriate protections for privacy and
civil liberties. For purposes of this system of records, the term
``insider threat'' is defined in the Minimum Standards for Executive
Branch Insider Threat Task Force based on direction provided in Section
6.3(b) of Executive Order 13587. The DITMAC helps prevent, deter,
detect, and/or mitigate the potential threat that personnel, including
DoD military personnel, civilian employees, and contractor personnel,
who have or had been granted eligibility for access to classified
information or eligibility to hold a sensitive position may harm the
security of the United States. This threat can include damage to the
United States through espionage, terrorism, unauthorized disclosure of
national security information, or through the loss or degradation of
departmental resources or capabilities.
The system of records will be used to analyze, monitor, and audit
insider threat information for insider threat detection and mitigation
within DoD on threats that persons who have or had been granted
eligibility for access to classified information or eligibility to hold
sensitive positions may pose to DoD and U.S. Government installations,
facilities, personnel, missions, or resources. The system of records
will support the DITMAC and DoD Component insider threat programs,
enable the identification of systemic insider threat issues and
challenges, and provide a basis for the development and recommendation
of solutions to deter, detect, and/or mitigate potential insider
threats. It will assist in identifying best practices among other
Federal Government insider threat programs, through the use of existing
DoD resources and functions and by leveraging existing authorities,
policies, programs, systems, and architectures.
Public Comments
The Department of Defense published a proposed Privacy Act
exemption rule for its Insider Threat Management and Analysis Center
(DITMAC) and DoD Component Insider Threat Records Systems (hereafter
Insider Threat) on May 19, 2016 (81 FR 31561). The Department of
Defense received comments from seven submitters related to a proposed
Federal Rulemaking (docket: DOD-2016-OS-0059, published May 19, 2016)
relating to a Privacy Act exemption rule for the Department of Defense
(DoD) Insider Threat Management and Analysis Center (DITMAC) and DoD
Component Insider Threat Records System (hereafter Insider Threat). In
addressing comments submitted to this proposed Privacy Act exemption
rule, the Department notes that such rules do not mandate exemptions in
every instance, and are not intended to apply to all records, but must
be reviewed in each specific case.
Two commenters were opposed to the proposed exemption rule but did
not provide specific concerns; an additional commenter provided a
number of proposals for the Insider Threat program at large, as well as
one addressing an access concern which is addressed in the access
discussion.
The largest number of comments related to the proposed exemption
from the access provisions of the Privacy Act (5 U.S.C. 552a(d)(1),
(2), (3), and (4)). The Department notes that the specific exemptions
upon which the access limitation is based are generally predicated on
``the identity of a source who furnished information to the Government
under an express promise that the identity of the source would be held
in confidence'' found in 5 U.S.C. 552a(k)(2), (5), and (7). One of
these commenters raised concerns that the ``largest and most common
sources providing information to the DITMAC provide such information
under a general promise of confidentiality.'' It is not clear to the
Department which sources the commenter believes are providing
information under a general promise of confidentiality, but the
language used in exemptions (k)(2), (5), and (7) requires an ``express
promise'' (if promised after the Act took effect). This is normally
done on a case-by-case basis. One commenter noted that ``it is
important to allow people as much access as possible to the data being
collected about them, so that they can make informed decisions about
what to do in the event of a data loss.'' In response, the Department
anticipates providing access rights, except in those specific cases
where an exemption rule would appropriately apply. In view of the
earlier discussion in this paragraph, DoD anticipates exercising access
exemption rules as the exception rather than the norm.
Another commenter was also particularly concerned that ``it would
become entirely possible that qualified Soldiers might unknowingly
become flagged as non-promotable for being a possible insider threat.''
We note first that when exercising the (k)(7) exemption, the Department
uses reasonable segregability to provide the maximum amount of the
record to the subject while honoring the express promise of
confidentiality to the source. Moreover, the Department notes that the
Insider Threat system of records is not a source of information for the
promotion selection process.
Several comments also addressed the proposed exemption from the
amendment provisions of the Privacy Act. The Insider Threat Hubs will
aggregate information from a number of sources, the first of which is
the subject of the record. Since the subjects of Insider Threat records
are cleared personnel, the most appropriate place for them to address a
factual error is with the appropriate DoD source (e.g., human resources
offices for human resources records or the security officer for
personnel security concerns). Insider Threat records are updated at
scheduled intervals or upon a specified query for current information
and validated prior to any investigative or administrative action taken
by a DoD Component.
One commenter noted that the collections and proposed exemptions
asserted by the Department of Defense were overly extensive and would
diminish accountability:
DoD claims the authority to collect any information it wants
without disclosing where it came from or even acknowledging its
existence. The net result of these exemptions, coupled with DoD's
proposal to collect and retain virtually unlimited information
unrelated to any purpose Congress delegated to the agency, would be
to diminish the legal accountability of the agency's information
collection activities.
In response, disclosure could interfere with or reveal information
relating to actual or potential criminal, civil, or administrative
investigations or actions. DoD further notes that it identified the
varied sources of Insider Threat information in the System of Records
Notice and has asserted exemptions to protect from disclosure sources
[[Page 71380]]
expressly promised confidentiality (pursuant to 5 U.S.C. 552a(k)(2),
(5), and (7) as discussed above). Such promises apply to a relatively
narrow scope of DoD records. If DoD were not able to provide such
promises on a case-by-case basis, they would find it difficult, if not
impossible, to gather candid information that is not generally known,
precisely the type of information needed to make well-informed
assessments of behavior (and potential behavior) to identify and
address insider threats. As previously mentioned, exemption rules do
not mandate the application of exemptions in every instance, are not
intended to apply to all records, and will be applied on a case-by-case
basis.
The commenter claims that DoD ``contemplates collecting information
that will not be relevant or necessary to a specific investigation''
and that ``the inability to determine, in advance, whether information
is accurate, relevant, timely, and complete precludes its agents from
complying with the obligation to ensure that the information meets
these criteria after it is stored.'' In response, the Department notes
that it is implementing an insider threat program required by Executive
Order as well as by Public Law (e.g., Public Law 112-81, Title IX,
Section 922, (10 U.S.C. 2224 note), Insider Threat Detection). The
statutory note requires the use of anomaly detection techniques, which
logically require ingestion of non-anomalous information in order to
identify anomalous information. Further, the purpose of the Insider
Threat program is to identify potential insider threat behavior; cases
of concern are referred to the appropriate DoD or Federal investigative
entity. DoD takes seriously its requirement under the Privacy Act to
``balance the Government's need to maintain information about
individuals with the rights of those individuals to be protected from
unwarranted invasions of their privacy.''
There were no comments related to the exemption of the access
provisions through (k)(1), pertaining to classified information;
(k)(4), applicable to records required by statute to be maintained and
used solely as statistical records; or (k)(6), testing or examination
material used solely to determine individual qualifications for
appointment or promotion in the Federal service the disclosure of which
would compromise the objectivity or fairness of the testing or
examination process. The Department also asserted an access exemption
under (j)(2), which addresses law enforcement activities, which did not
receive comment.
DoD made no changes to the regulatory text of the rule based on
public comments received.
Regulatory Procedures
Executive Order 12866, ``Regulatory Planning and Review'' and Executive
Order 13563, ``Improving Regulation and Regulatory Review''
It has been determined that this rule is not a significant rule.
This rule does not (1) Have an annual effect on the economy of $100
million or more or adversely affect in a material way the economy; a
sector of the economy; productivity; competition; jobs; the
environment; public health or safety; or State, local, or tribal
governments or communities; (2) Create a serious inconsistency or
otherwise interfere with an action taken or planned by another Agency;
(3) Materially alter the budgetary impact of entitlements, grants, user
fees, or loan programs, or the rights and obligations of recipients
thereof; or (4) Raise novel legal or policy issues arising out of legal
mandates, the President's priorities, or the principles set forth in
these Executive orders.
Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. Chapter 6)
It has been certified that this rule does not have a significant
economic impact on a substantial number of small entities because it is
concerned only with the administration of Privacy Act systems of
records within DoD. A Regulatory Flexibility Analysis is not required.
Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)
It has been determined that this rule does not impose additional
information collection requirements on the public under the Paperwork
Reduction Act of 1995 (44 U.S.C. 3501 et seq.).
Section 202, Public Law 104-4, ``Unfunded Mandates Reform Act''
It has been determined that this rule does not involve a Federal
mandate that may result in the expenditure by State, local and tribal
governments, in the aggregate, or by the private sector, of $100
million or more and that it will not significantly or uniquely affect
small governments.
Executive Order 13132, ``Federalism''
It has been determined that this rule does not have federalism
implications. This rule does not have substantial direct effects on the
States, on the relationship between the National Government and the
States, or on the distribution of power and responsibilities among the
various levels of government.
List of Subjects in 32 CFR Part 310
Privacy.
Accordingly, 32 CFR part 310 is amended as follows:
PART 310 [AMENDED]
0
1. The authority citation for 32 CFR part 310 continues to read as
follows:
Authority: 5 U.S.C. 552a.
Sec. Sec. 310.30 through 310.53 [Redesignated as Sec. Sec. 310.31
through 310.54]
0
2. Redesignate Sec. 310.30 through Sec. 310.53 as Sec. 310.31
through Sec. 310.54.
0
3. In Subpart F, add a new Sec. 310.30 to read as follows:
Sec. 310.30 DoD-wide exemptions.
(a) Use of DoD-wide exemptions. DoD-wide exemptions for DOD-wide
systems of records are established pursuant to 5 U.S.C. 552a(j) and (k)
of the Privacy Act.
(b) Promises of confidentiality. (1) Only the identity of sources
that have been given an express promise of confidentiality may be
protected from disclosure under paragraphs (d)(3)(i), (ii), and (iii)
and (d)(4) of this section. However, the identity of sources who were
given implied promises of confidentiality in inquiries conducted before
September 27, 1975, also may be protected from disclosure.
(2) Ensure promises of confidentiality are not automatically given
but are used sparingly. Establish appropriate procedures and identify
fully categories of individuals who may make such promises. Promises of
confidentiality shall be made only when they are essential to obtain
the information sought (see 5 CFR part 736).
(c) Access to records for which DOD-wide exemptions are claimed.
Deny the individual access only to those portions of the records for
which the claimed exemption applies.
(d) DoD-wide exemptions. The following exemptions are applicable to
all components of the Department of Defense for the following system(s)
of records:
(1) System identifier and name: DUSDI 01-DoD ``Department of
Defense (DoD) Insider Threat Management and Analysis Center (DITMAC)
and DoD Component Insider Threat Records System.''
Exemption: This system of records is exempted from subsections
(c)(3) and (4); (d)(1), (2), (3) and (4); (e)(1), (2), (3), (4)(G)(H)
and (I), (5) and (8); and (g) of the Privacy Act pursuant to 5 U.S.C.
552a(j)(2) and (k)(1), (2), (4), (5), (6), and (7).
(2) Records are only exempt from pertinent provisions of 5 U.S.C.
552a to
[[Page 71381]]
the extent that such provisions have been identified and an exemption
claimed for the record and the purposes underlying the exemption for
the record pertain to the record.
(3) Exemption from the particular subsections is justified for the
following reasons:
(i) Subsection (c)(3). To provide the subject with an accounting of
disclosures of records in this system could inform that individual of
the existence, nature, or scope of an actual or potential law
enforcement or counterintelligence investigation, and thereby seriously
impede law enforcement or counterintelligence efforts by permitting the
record subject and other persons to whom he might disclose the records
to avoid criminal penalties, civil remedies, or counterintelligence
measures. Access to the accounting of disclosures could also interfere
with a civil or administrative action or investigation which may impede
those actions or investigations. Access also could reveal the identity
of confidential sources incident to Federal employment, military
service, contract, and security clearance determinations.
(ii) Subsection (c)(4). This subsection is inapplicable to the
extent that an exemption is being claimed for subsection (d).
(iii) Subsection (d)(1). Disclosure of records in the system could
reveal the identity of confidential sources and result in an
unwarranted invasion of the privacy of others. Disclosure may also
reveal information relating to actual or potential criminal
investigations. Disclosure of classified national security information
would cause damage to the national security of the United States.
Disclosure could also interfere with a civil or administrative action
or investigation; reveal the identity of confidential sources incident
to Federal employment, military service, contract, and security
clearance determinations; and reveal the confidentiality and integrity
of Federal testing materials and evaluation materials used for military
promotions when furnished by a confidential source.
(iv) Subsection (d)(2). Amendment of the records could interfere
with ongoing criminal or civil law enforcement proceedings and impose
an impossible administrative burden by requiring investigations to be
continuously reinvestigated.
(v) Subsections (d)(3) and (4). These subsections are inapplicable
to the extent exemption is claimed from (d)(1) and (2).
(vi) Subsection (e)(1). It is often impossible to determine in
advance if investigatory records contained in this system are accurate,
relevant, timely and complete, but, in the interests of effective law
enforcement and counterintelligence, it is necessary to retain this
information to aid in establishing patterns of activity and provide
investigative leads.
(vii) Subsection (e)(2). To collect information from the subject
individual could serve notice that he or she is the subject of a
criminal investigation and thereby present a serious impediment to such
investigations.
(viii) Subsection (e)(3). To inform individuals as required by this
subsection could reveal the existence of a criminal investigation and
compromise investigative efforts.
(ix) Subsection (e)(4)(G), (H), and (I). These subsections are
inapplicable to the extent exemption is claimed from (d)(1) and (2).
(x) Subsection (e)(5). It is often impossible to determine in
advance if investigatory records contained in this system are accurate,
relevant, timely and complete, but, in the interests of effective law
enforcement, it is necessary to retain this information to aid in
establishing patterns of activity and provide investigative leads.
(xi) Subsection (e)(8). To serve notice could give persons
sufficient warning to evade investigative efforts.
(xii) Subsection (g). This subsection is inapplicable to the extent
that the system is exempt from other specific subsections of the
Privacy Act.
(4) In addition, in the course of carrying out analysis for insider
threats, exempt records from other systems of records may in turn
become part of the case records maintained in this system. To the
extent that copies of exempt records from those other systems of
records are maintained into this system, the DoD claims the same
exemptions for the records from those other systems that are entered
into this system, as claimed for the original primary system of which
they are a part.
Dated: October 5, 2016.
Aaron Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2016-24536 Filed 10-14-16; 8:45 am]
BILLING CODE 5001-06-P
