Privacy Act of 1974; System of Records, 28058-28062 [2018-12872]

Download as PDF 28058 Federal Register / Vol. 83, No. 116 / Friday, June 15, 2018 / Notices DEPARTMENT OF STATE [Public Notice 10450] Privacy Act of 1974; System of Records Department of State. Notice of a modified system of AGENCY: ACTION: records. This system of records, Security Records, captures data related to incidents and threats affecting U.S. Government personnel, U.S. Government information, or U.S. Government facilities world-wide, for a variety of legal purposes including federal and state law enforcement, counterterrorism purposes, and administrative security functions. DATES: This system of records notice is effective upon publication, with the exception of the new or modified routine uses (b), (c), (d), (e), (m), (n), (p), (q), (r), (s), (t), and (u) that are subject to a 30-day period during which interested persons may submit comments to the Department. Please submit any comments by July 16, 2018. ADDRESSES: Questions can be submitted by mail or email. If mail, please write to: U.S. Department of State; Office of Global Information Systems, Privacy Staff; A/GIS/PRV; SA–2, Suite 8100; Washington, DC 20522–0208. If email, please address the email to the Senior Agency Official for Privacy, Mary R. Avery, at Privacy@state.gov or call (202) 663–2215. Please write ‘‘Security Records, State-36’’ on the envelope or the subject line of your email. FOR FURTHER INFORMATION CONTACT: Mary R. Avery, Senior Agency Official for Privacy; U.S. Department of State; Office of Global Information Services, A/GIS/PRV; SA–2, Suite 8100; Washington, DC 20522–0208; at Privacy@state.gov, or (202) 663–2215. SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act of 1974, the Department of State proposes to consolidate two record systems: Security Records, State-36 (previously published at 80 FR 77691) and Identity Management System, State-72 (previously published at 71 FR 62653) under Security Records, State-36. These two systems are being merged because the records and system purposes are substantially related. This notice modifies the following sections of State36, Security Records: System Location; Authority for Maintenance of the System; Purposes of the System; Categories of Individuals Covered by the System; Categories of Records in the System; Routine Uses of Records Maintained in the System, including sradovich on DSK3GMQ082PROD with NOTICES SUMMARY: VerDate Sep<11>2014 17:11 Jun 14, 2018 Jkt 244001 categories of users and purposes of such uses; Policies and Practices for Storage of Records; Policies and Practices for Retention and Disposal of Records; and Administrative, Technical, and Physical safeguards. In addition, this notice makes administrative updates to the following sections: Policies and Procedures for Retrieval of Records, Record Access Procedures, Notification Procedures, and History. These changes reflect the incorporation of State-72 into State-36, the Department’s move to cloud storage, new OMB guidance, expanded authorities and routine uses for these records, updated contact information, and a notice publication history. SYSTEM NAME AND NUMBER State-36, Security Records. SECURITY CLASSIFICATION: Unclassified and Classified. SYSTEM LOCATION: Department of State, located at 2201 C Street NW, Washington, DC 20520, and its annexes, Bureau of Diplomatic Security, and various field and regional offices throughout the United States, and abroad at some U.S. Embassies, U.S. Consulates General, and U.S. Consulates. Within a government certified cloud provided, implemented, and overseen by the Department’s Enterprise Server Operations Center (ESOC), 2201 C Street NW, Washington, DC 20520. SYSTEM MANAGER(S): Principal Deputy Assistant Secretary for Diplomatic Security and Director for the Diplomatic Security Service; Department of State; SA–20; 23rd Floor; 1801 North Lynn Street; Washington, DC 20522–2008 for the Harry S Truman Building, domestic annexes, field offices and missions; Security Officers at respective U.S. Embassies, Consulates, and missions overseas. The Principal Deputy Assistant Secretary for Diplomatic Security can be reached at (571) 345–3815. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: (a) 5 U.S.C. 301 (Government Organization and Employees) (Departmental regulations); (b) 5 U.S.C. Chapter 73 (Suitability, Security, and Conduct); (c) 5 U.S.C. 7531–33 (National Security); (d) 8 U.S.C. 1104 (Enforcement of immigration and nationality laws); (e) 18 U.S.C. 111 (Crimes and Criminal Procedures) (Assaulting, resisting, or impeding certain officers or employees); (f) 18 U.S.C. 112 (Protection of foreign officials, official guests, and PO 00000 Frm 00110 Fmt 4703 Sfmt 4703 internationally protected persons); (g) 18 U.S.C. 201 (Bribery of public officials and witnesses); (h) 18 U.S.C. 1030 (Fraud and related activity in connection with computers); (i) 18 U.S.C. 1114 (Protection of officers and employees of the U.S.); (j) 18 U.S.C. 1116 (Murder or manslaughter of foreign officials, official guests, or internationally protected persons); (k) 18 U.S.C. 1117 (Conspiracy to murder); (l) 18 U.S.C. 1541–1546 (Issuance without authority, false statement in application and use of passport, forgery or false use of passport, misuse of passport, safe conduct violation, fraud and misuse of visas, permits, and other documents); (m) 22 U.S.C. 211a (Foreign Relations and Intercourse) (Authority to grant, issue, and verify passports); (n) 22 U.S.C. 842, 846, 911 (Duties of Officers and Employees and Foreign Service Officers) (Repealed, but applicable to past records); (o) 22 U.S.C. 2454 (Administration); (p) 22 U.S.C. 2651a (Organization of the Department of State); (q) 22 U.S.C. 2658 (Rules and regulations; promulgation by Secretary; delegation of authority) (Repealed, but applicable to past records); (r) 22 U.S.C. 2708 (Department of State Rewards Program); (s) 22 U.S.C. 2709 (Special Agents); (t) 22 U.S.C. 2712 (Authority to control certain terrorism-related services); (u) 22 U.S.C. 3921 (Administration by Secretary of State); (v) 22 U.S.C. 4802 (Diplomatic Security) (Responsibility of Secretary of State), (w) 22 U.S.C. 4804(3)(D) (Responsibilities of Assistant Secretary for Diplomatic Security) (Repealed, but applicable to past records); (x) 22 U.S.C. 4831–4835 (Accountability review, accountability review board, procedures, findings and recommendations by a board, relation to other proceedings); (y) 22 U.S.C. Sec. 4807 (Establishment of Visa and Passport Security Program in the Department of State) (z) 44 U.S.C. 31 (Federal Records Act of 1950, Sec. 506(a), as amended) (applicable to past records); (aa) 44 U.S.C. 3541 (Federal Information Security Management); (bb) Executive Order 10450 (Security requirements for government employment) (revoked but applicable to past records) and its successor orders; (cc) Executive Order 12107 (Relating to the Civil Service Commission and Labor-Management in the Federal Service); (dd) Executive Order 13526 and its predecessor orders (Classified National Security Information); (ee) Executive Order 12968, as amended (Access to Classified Information); (ff) Executive Order 13587 (Structural Reforms to Improve the Security of E:\FR\FM\15JNN1.SGM 15JNN1 sradovich on DSK3GMQ082PROD with NOTICES Federal Register / Vol. 83, No. 116 / Friday, June 15, 2018 / Notices Classified Networks and Information); (gg) Executive Order 12333, as amended, and its predecessor orders (United States Intelligence Activities); (hh) Executive Order 13467, as amended (Reforming Processes Related to Suitability for Government Employment, Fitness, for Contractor Employees, and Eligibility for Access to Classified National Security Information); (ii) 22 CFR Subchapter M (International Traffic in Arms) (applicable to past records); (jj) 40 U.S.C. Chapter 10 (Federal Property and Administrative Services Act (1949)); (kk) 31 U.S.C. (Internal Revenue Code); (ll) Public Law 99–399, 8/27/1986 (Omnibus Diplomatic Security and Antiterrorism Act of 1986, as amended); (mm) Public Law 100–202, 12/22/1987 (Appropriations for Departments of Commerce, Justice, and State) (applicable to past records); (nn) Public Law 100–461, 10/1/1988 (Foreign Operations, Export Financing, and Related Programs Appropriations Act); (oo) Public Law 104–347, sec. 203 (Electronic Government Act); (pp) Public Law 107–56, 10/26/2001 (USA PATRIOT Act—Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism); (qq) Public Law 108–21, 4/30/2003 (PROTECT Act—Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today Act of 2003); (rr) Executive Order 12356 (National Security Information) (applicable to past records); (ss) Executive Order 9397 (Numbering System for Federal Accounts Relating to Individual Persons); (tt) Homeland Security Presidential Directive (HSPD–12) (Policy for a Common Identification Standard for Federal Employees and Contractors, 8/27/2004; (uu) Executive Order 13356 (Strengthening the Sharing of Terrorism Information to Protect Americans); (vv) Public Law 108–458 (Sect.1016), 12/17/2004 (Intelligence Reform and Terrorism Prevention Act of 2004; (ww) Public Law 92–463: 5 U.S.C. App. (Federal Advisory Committee Act); (xx) E.O. 12829, National Industrial Security Program; (yy) PDD/NSC–12 Security Awareness and Reporting Foreign Contacts; (yy) Security Executive Agent Directive 3 (Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position); (zz) Security Executive Agent Directive 4 (National Security Adjudicative Guidelines); (aaa) Security Executive Agent Directive 5 (Social Media in Background Investigations). VerDate Sep<11>2014 17:11 Jun 14, 2018 Jkt 244001 PURPOSE(S) OF THE SYSTEM: The records maintained in State-36, Security Records, capture data related to incidents and threats affecting U.S. Government personnel, U.S. Government information, or U.S. Government facilities world-wide, for a variety of legal purposes including federal, state, and international law enforcement and counterterrorism purposes. The information maintained in Security Records may be used to determine general suitability for employment or retention in employment, to grant a contract or issue a license, grant, national security eligibility, security clearance, or Department credential (including PIV card). CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Present and former employees of the Department of State; U.S. Agency for International Development (AID), and Peace Corps employees; applicants for Department employment who are presently undergoing a background investigation; individuals communicating on publicly available social media with employees or applicants undergoing a background investigation; contractors working for the Department; interns and detailees to the Department; employees of other federal agencies who have accounts on Department networks; individuals requiring access to the official Department of State premises who have undergone or are undergoing security clearance; some passport and visa applicants concerning matters of adjudication; individuals and institutions identified in passport and visa crime investigations; individuals and institutions identified in investigations regarding identity theft or document fraud affecting or relating to the programs, functions or authorities of the Department of State; individuals identified in investigations of Federal offenses committed within the special maritime and territorial jurisdiction of the United States; individuals involved in unauthorized access to classified information; prospective alien spouses of U.S. citizen employees of the Department of State; individuals or groups whose activities have a potential bearing on the security of Departmental or Foreign Service operations, domestically or abroad, including those involved in criminal or terrorist activity; individuals and organizations who apply to be constituents in the exchange of security information from publicprivate partnerships; and visitors to the Department of State main building (Harry S Truman Building), to its PO 00000 Frm 00111 Fmt 4703 Sfmt 4703 28059 domestic annexes, field offices, missions, and to the U.S. Embassies and U.S. Consulates and missions overseas. Also covered are individuals issued security or cybersecurity violations or infractions; litigants in civil suits and criminal prosecutions of interest to the Bureau of Diplomatic Security; individuals who have Department building passes; individuals using Department devices or networks; uniformed security officers; individuals named in congressional inquiries to the Bureau of Diplomatic Security; individuals subject to investigations conducted abroad on behalf of other federal agencies; individuals who participate in Department rewards programs; and individuals whose activities other agencies believe may have a bearing on U.S. foreign policy interests. The Privacy Act defines an individual at 5 U.S.C. 552a(a)(2) as a United States citizen or lawful permanent resident. CATEGORIES OF RECORDS IN THE SYSTEM: Incident and investigative material relating to any category of individual described above, including case files containing items such as name, date and place of birth, citizenship, telephone numbers, addresses, physical description (including height, weight, body type, hair, clothing, gender, ethnicity, race, and other general and distinguishing physical features), medical records, accent description, identification media (such as passport, residency, or driver’s license numbers), vehicle registration and vehicle information; email address, family identifiers (such as names of relatives and biographic information), employer identifiers, applications for passports and employment, photographs, biometric data (to include fingerprints, and deoxyribonucleic acid (DNA) information), birth certificates, credit checks, security evaluations and clearances, national security eligibility determinations, fitness determinations, other agency reports and informant reports; legal case pleadings and files; evidence collected during investigations; polygraphs; network audit records, network use records, email, chat conversations, and text messages sent using Department devices or networks; social media account communications and/or findings for individuals undergoing background or security investigations; publicly available social media communications of third parties with individuals undergoing background investigations; security violation files; training reports; weapons assignment database; firing proficiency and other security-related E:\FR\FM\15JNN1.SGM 15JNN1 28060 Federal Register / Vol. 83, No. 116 / Friday, June 15, 2018 / Notices testing scores; availability for special protective assignments; language proficiency scores; intelligence reports; counterintelligence material; counterterrorism material; threat information pertaining to private U.S. entities and individuals operating overseas; internal Departmental memoranda; internal personnel, fiscal, and other administrative documents, to include PIV-related documents; emergency contact information for Department employees and contractors; Social Security number; specific areas and times of authorized accessibility; escort authority; status and level of security clearance; issuing agency and issue date; and for all individuals: Date and times of building entrance and exit. For visitors, information collected can include name, date of birth, citizenship, identification type, identification number, temporary badge number, host’s name, office symbol, room number, and telephone number. For public-private partnerships to exchange security information, information collected can include name, address, telephone number and email address. Security files contain information needed to provide protective services for the Secretary of State and visiting and resident foreign officials and associated foreign official facilities, and to protect the Department’s official facilities and information assets. Security files contain documents and reports furnished to the Department by other agencies concerning individuals whose activities the other agencies believe may have a bearing on U.S. foreign policy interests. RECORD SOURCE CATEGORIES: sradovich on DSK3GMQ082PROD with NOTICES These records contain information obtained from the individual; persons having knowledge of the individual; persons having knowledge of incidents or other matters of investigative interest to the Department; other U.S. law enforcement agencies and court systems; pertinent records of other federal, state, or local agencies or foreign governments; pertinent records of private firms or organizations; the intelligence community; and other public sources. The records also contain information obtained from interviews, review of records, and other authorized investigative techniques. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES: The information in Security Records is used by: (a) Department of State officials in the administration of their responsibilities; (b) Appropriate committees and subcommittees of Congress in VerDate Sep<11>2014 17:11 Jun 14, 2018 Jkt 244001 furtherance of their respective oversight functions; (c) Department of Treasury; U.S. Office of Personnel Management; Agency for International Development; Department of Commerce; Peace Corps; Department of Defense; Central Intelligence Agency; Department of Justice; Department of Homeland Security; National Counter Terrorism Center; and other federal agencies inquiring pursuant to law or Executive Order, in order to make a determination of or verify general suitability for employment, fitness, or retention in employment, to grant a contract or issue a license, grant, security clearance, national security eligibility, credential or accreditation; (d) Any federal, state, municipal, foreign or international law enforcement or other relevant agency or organization as needed for security, law enforcement or counterterrorism purposes, such as: Investigative material, threat alerts and analyses, protective intelligence and counterintelligence information, information relevant for screening purposes; (e) Any other agency or department of the federal government pursuant to statutory intelligence responsibilities or other lawful purposes (including, but not limited to, adjudications, hearings and appeals, continuous evaluation, inspector general functions, counterintelligence, and research, and insider threat programs); (f) Any other agency or department of the Executive Branch having oversight or review authority with regard to its investigative responsibilities; (g) A federal, state, local, foreign, or international agency or other public authority that investigates, prosecutes, or assists in investigation or prosecution of violation of criminal law or enforces, implements, or assists in enforcement or implementation of statute, rule, regulation, or order; (h) A federal, state, local or foreign agency or other public authority or professional organization maintaining civil, criminal, and other relevant enforcement or pertinent records such as current licenses; information may be given to a consumer reporting agency: (1) To obtain information, relevant enforcement records or other pertinent records such as current licenses, or (2) to obtain information relevant to an agency investigation, a decision concerning the hiring or retention of an employee or other personnel action, the issuance of a security clearance or the initiation of administrative, civil, or criminal action; (i) Officials of government agencies in the letting of a contract, issuance of a PO 00000 Frm 00112 Fmt 4703 Sfmt 4703 license, grant or other benefit, and the establishment of a claim; (j) Any private or public source, witness, or subject from which information is requested in the course of a legitimate agency investigation or other inquiry, to the extent necessary to identify an individual; to inform a source, witness or subject of the nature and purpose of the investigation or other inquiry; and to identify the information requested; (k) An attorney or other designated representative of any source, witness or subject described in paragraph (j) of the Privacy Act only to the extent that the information would be provided to that category of individual itself in the course of an investigation or other inquiry; (l) A federal agency following a response to its subpoena or to a prosecution request that such record be released for the purpose of its introduction to a grand jury or in another criminal proceeding; (m) Relevant information may be disclosed from this system to the news media and general public in furtherance of a legitimate law enforcement or public safety function as determined by the Department. Such uses may include, for example to assist in the location of federal fugitives, to provide notification of arrests, to provide alerts, assessments, or similar information on potential threats to life, health, or property, or to keep the public appropriately informed of other law enforcement matters where disclosure could not reasonably be expected to constitute an unwarranted invasion of personal privacy and could not reasonably be expected to prejudice the outcome of a pending or future trial; (n) State, local, federal or nongovernmental agencies and entities as needed for purposes of emergency or disaster response or identification of bodies; (o) U.S. government agencies within the framework of the National Suspicious Activity Report (SAR) Initiative (NSI) regarding foreign intelligence and terrorist threats, managed by the Department of Justice; (p) Appropriate agencies, entities, and persons when (1) the Department of State suspects or has confirmed that there has been a breach of the system of records; (2) the Department of State has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Department of State (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist E:\FR\FM\15JNN1.SGM 15JNN1 sradovich on DSK3GMQ082PROD with NOTICES Federal Register / Vol. 83, No. 116 / Friday, June 15, 2018 / Notices in connection with the Department of State efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm; (q) To another Federal agency or Federal entity, when the Department of State determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach; (r) To Department of State officials for the purpose of vetting for employee participation in public speaking events, recruitment events, awards, and assignments; (s) To private U.S. entities operating overseas to communicate threats against them and their employees; (t) To the Office of the Director of National Intelligence for inclusion in its Scattered Castles system in order to facilitate reciprocity of background investigations and national security eligibility determinations; and (u) To a court, adjudicative body, or administrative body before which the Department is authorized to appear when (a) the Department; (b) any employee of the Department in his or her official capacity; (c) any employee of the Department in his or her individual capacity where the U.S. Department of Justice (‘‘DOJ’’) or the Department has agreed to represent the employee; or (d) the Government of the United States, when the Department determines that litigation is likely to affect the Department, is a party to litigation or has an interest in such litigation, and the use of such records by the Department is deemed to be relevant and necessary to the litigation or administrative proceeding. The Department of State periodically publishes in the Federal Register its standard routine uses that apply to all of its Privacy Act systems of records. These notices appear in the form of a Prefatory Statement (published in Volume 73, Number 136, Public Notice 6290, on July 15, 2008). All these standard routine uses apply to Security Records, State-36. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Records are stored both in hard copy and on electronic media. A description of standard Department of State policies concerning storage of electronic records is found here https://fam.state.gov/ VerDate Sep<11>2014 17:11 Jun 14, 2018 Jkt 244001 FAM/05FAM/05FAM0440.html. All hard copies of records containing personal information are maintained in secured file cabinets in restricted areas, access to which is limited to authorized personnel only. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: By individual name, personal or biometric identifier, case number, Department building passes, and Social Security number (for other than visitors), as well as by each category of records in the system. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: Retention of these records varies depending upon the specific kind of record involved. The retention periods of records maintained in this system of records range from three years for security support records to 100 years for investigation case files. These records are retired or destroyed in accordance with published schedules of the Department of State and as approved by the National Archives and Records Administration and outlined here https://foia.state.gov/Learn/Records Disposition.aspx. More specific information may be obtained by writing to the following address: U.S. Department of State; Director, Office of Information Programs and Services; A/ GIS/IPS; SA–2, Suite 8100; Washington, DC 20522–8100. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: All users are given cybersecurity awareness training which covers the procedures for handling Sensitive But Unclassified information, including personally identifiable information (PII). Annual refresher training is mandatory. In addition, all Foreign Service and Civil Service employees and those Locally Engaged Staff who handle PII are required to take the Foreign Service Institute distance learning course, PA 459, instructing employees on privacy and security requirements, including the rules of behavior for handling PII and the potential consequences if it is handled improperly. Access to the Department of State, its annexes and posts abroad is controlled by security guards and admission is limited to those individuals possessing a valid identification card or individuals under proper escort. All paper records containing personal information are maintained in secured file cabinets in restricted areas, access to which is limited to authorized personnel. Access to computerized files is passwordprotected and under the direct supervision of the system manager. The PO 00000 Frm 00113 Fmt 4703 Sfmt 4703 28061 system manager has the capability of printing audit trails of access from the computer media, thereby permitting regular and ad hoc monitoring of computer usage. When it is determined that a user no longer needs access, the user account is disabled. Before being granted access to Security Records, a user must first be granted access to the Department of State computer system, and user access is not granted until a background investigation has been completed. All Department of State employees and contractors with authorized access have undergone a thorough background security investigation. Remote access to the Department of State network from non-Department owned systems is authorized only through a Departmentapproved access program. Remote access to the network is configured with the authentication requirements contained in the Office of Management and Budget Circular Memorandum A– 130. The Department of State will store records maintained in this system of records in cloud systems. All cloud systems that provide IT services and process Department of State information must be specifically authorized by the Department of State Authorizing Official and Senior Agency Official for Privacy. Only information that conforms with Department-specific definitions for FISMA low or moderate categorization are permissible for cloud usage unless specifically authorized by the Cloud Computing Governance Board. Prior to operation, all Cloud systems must comply with applicable security measures that are outlined in FISMA, FedRAMP, OMB regulations, NIST Federal Information Processing Standards (FIPS) and Special Publication (SP), and Department of State policy and standards. RECORD ACCESS PROCEDURES: Individuals who wish to gain access to or amend records pertaining to themselves should write to U.S. Department of State; Director, Office of Information Programs and Services; A/ GIS/IPS; SA–2, Suite 8100; Washington, DC 20522–8100. The individual must specify that he or she wishes Security Records to be checked. At a minimum, the individual must include: Full name (including maiden name, if appropriate) and any other names used; current mailing address and zip code; date and place of birth; notarized signature or statement under penalty of perjury; a brief description of the circumstances that caused the creation of the record (including the city and/or country and the approximate dates) which gives the E:\FR\FM\15JNN1.SGM 15JNN1 28062 Federal Register / Vol. 83, No. 116 / Friday, June 15, 2018 / Notices individual cause to believe that Security Records include records pertaining to him or her. Detailed instructions on Department of State procedures for accessing and amending records can be found at the Department’s FOIA website (https://foia.state.gov/Request/ Guide.aspx). Individuals who wish to contest record procedures should write to U.S. Department of State; Director, Office of Information Programs and Services; A/ GIS/IPS; SA–2, Suite 8100; Washington, DC 20522–8100. SYSTEM NAME AND NUMBER [FR Doc. 2018–12872 Filed 6–14–18; 8:45 am] EXEMPTIONS PROMULGATED FOR THE SYSTEM: Any other exempt records from other agencies’ systems of records that are recompiled into this system are also considered exempt to the extent they are claimed as such in the original systems. Pursuant to 5 U.S.C. 552a (j)(2), records in this system may be exempted from subsections (c)(3) and (4), (d), (e)(1), (2), (3), and (e)(4)(G), (H), and (I), and (f) of the Privacy Act. Pursuant to 5 U.S.C. 552a (k)(1), (k)(2), and (k)(5), records in this system may be exempted from subsections (c)(3), (d)(1), (d)(2), (d)(3), (d)(4), (d)(5), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), (f)(1), (f)(2), (f)(3), (f)(4), and (f)(5). See 22 CFR 171. HISTORY: Security Records, State-36, was previously published at 80 FR 77691 and Identity Management System, State- Jkt 244001 [Public Notice 10449] Privacy Act of 1974; System of Records Department of State. Notice of a modified system of records. This System of Records compiles information used in the adjudication of U.S. visas. DATES: This system of records notice is effective upon publication, with the exception of the routine uses (m), (n), and (o) that are subject to a 30-day period during which interested persons may submit comments to the Department. Please submit any comments by July 16, 2018. ADDRESSES: Questions can be submitted by mail or email. If mail, please write to: U.S. Department of State; Office of Global Information Services, Privacy Staff; A/GIS/PRV; SA–2, Suite 8100; Washington, DC 20522–0208. If email, please address the email to the Senior Agency Official for Privacy, Mary R. Avery, at Privacy@state.gov or call (202) 663–2215. Please write ‘‘Visa Records, State-39’’ on the envelope or the subject line of your email. FOR FURTHER INFORMATION CONTACT: Mary R. Avery, Senior Agency Official for Privacy; U.S. Department of State; Office of Global Information Services, A/GIS/PRV; SA–2, Suite 8100; Washington, DC 20522–0208; at Privacy@state.gov or (202) 663–2215. SUPPLEMENTARY INFORMATION: The purpose of this modification is to make substantive and administrative changes to the previously published notice. This notice modifies the following sections of State-39, Visa Records: System Location, Categories of Individuals, Categories of Records, Routine Uses, Policies and Practices for Retention and Disposal of Records, and Safeguards. In addition, this notice makes administrative updates to the following sections: Record Access Procedures, Contesting Record Procedures, Notification Procedures, and History. These changes reflect new OMB guidance, new visa adjudication procedures, updated SUMMARY: PO 00000 Frm 00114 Fmt 4703 Visa Records, State-39. SECURITY CLASSIFICATION: Unclassified and Classified. SYSTEM LOCATION: DEPARTMENT OF STATE ACTION: Individuals who have reason to believe that this system of records may contain information pertaining to themselves should write to following address: U.S. Department of State; Director, Office of Information Programs and Services; A/GIS/IPS; SA–2, Suite 8100; Washington, DC 20522–8100. The individual must specify that he or she wishes Security Records to be checked. At a minimum, the individual must include: Full name (including maiden name, if appropriate) and any other names used; date and place of birth; current mailing address and zip code; notarized signature or statement under penalty of perjury; a brief description of the circumstances that caused the creation of the record (including the city and/or country and the approximate dates) which gives the individual cause to believe that Security Records include records to him or her. sradovich on DSK3GMQ082PROD with NOTICES Mary R. Avery, Senior Agency Official for Privacy, Senior Advisor, Office of Global Information Services, Bureau of Administration, Department of State. AGENCY: NOTIFICATION PROCEDURES: 17:11 Jun 14, 2018 contact information, and a notice publication history. BILLING CODE 4710–24–P CONTESTING RECORD PROCEDURES: VerDate Sep<11>2014 72, was previously published at 71 FR 62653. Sfmt 4703 Department of State (‘‘Department’’), located at 2201 C Street NW, Washington, DC 20520; Visa Office, Department of State, Annex 17, 600 19th Street NW, Washington, DC 20006; National Visa Center, 32 Rochester Avenue, Portsmouth, NH 03801; Kentucky Consular Center, 3505 N U.S. Hwy. 25 W, Williamsburg, KY 40769; U.S. embassies, consulates general, and consulates (henceforth referred to as the Department of State). SYSTEM MANAGER(S): Deputy Assistant Secretary for Visa Services, Room 6811, Department of State, 2201 C Street NW, Washington, DC 20520–4818; Director, National Visa Center, 32 Rochester Avenue, Portsmouth, NH 63801; Director, Kentucky Consular Center, 3505 N U.S. Hwy. 25 W, Williamsburg, KY 40769; VO_SORN@state.gov. At specific locations abroad, the on-site manager is the consular officer responsible for visa processing. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 5 U.S.C. 301 (Secretary of State’s authorities with respect to Management of the Department of State); 22 U.S.C. 2651a (Organization of the Department of State); 22 U.S.C. 3921 (Management of the Foreign Service); 8 U.S.C. 1101– 1537 (Immigration and Nationality Act of 1952, as amended). PURPOSE(S) OF THE SYSTEM: The Visa Records system maintains information used to assist the Bureau of Consular Affairs and consular officers in the Department and abroad in adjudicating visas and Certificates of Identity. It is also used in dealing with problems of a legal, enforcement, technical, or procedural nature that may arise in connection with a U.S. visa or Certificate of Identity. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Visa Records may include the following individuals when required by a visa application or a Certificate of Identity application: U.S. petitioners, U.S. persons applying for returning residence travel documentation, and visa and Certificate of Identity applicants who subsequently become documented as U.S. persons. E:\FR\FM\15JNN1.SGM 15JNN1

Agencies

[Federal Register Volume 83, Number 116 (Friday, June 15, 2018)]
[Notices]
[Pages 28058-28062]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-12872]



[[Page 28058]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF STATE

[Public Notice 10450]


Privacy Act of 1974; System of Records

AGENCY: Department of State.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: This system of records, Security Records, captures data 
related to incidents and threats affecting U.S. Government personnel, 
U.S. Government information, or U.S. Government facilities world-wide, 
for a variety of legal purposes including federal and state law 
enforcement, counterterrorism purposes, and administrative security 
functions.

DATES: This system of records notice is effective upon publication, 
with the exception of the new or modified routine uses (b), (c), (d), 
(e), (m), (n), (p), (q), (r), (s), (t), and (u) that are subject to a 
30-day period during which interested persons may submit comments to 
the Department. Please submit any comments by July 16, 2018.

ADDRESSES: Questions can be submitted by mail or email. If mail, please 
write to: U.S. Department of State; Office of Global Information 
Systems, Privacy Staff; A/GIS/PRV; SA-2, Suite 8100; Washington, DC 
20522-0208. If email, please address the email to the Senior Agency 
Official for Privacy, Mary R. Avery, at [email protected] or call (202) 
663-2215. Please write ``Security Records, State-36'' on the envelope 
or the subject line of your email.

FOR FURTHER INFORMATION CONTACT: Mary R. Avery, Senior Agency Official 
for Privacy; U.S. Department of State; Office of Global Information 
Services, A/GIS/PRV; SA-2, Suite 8100; Washington, DC 20522-0208; at 
[email protected], or (202) 663-2215.

SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act of 1974, 
the Department of State proposes to consolidate two record systems: 
Security Records, State-36 (previously published at 80 FR 77691) and 
Identity Management System, State-72 (previously published at 71 FR 
62653) under Security Records, State-36. These two systems are being 
merged because the records and system purposes are substantially 
related. This notice modifies the following sections of State-36, 
Security Records: System Location; Authority for Maintenance of the 
System; Purposes of the System; Categories of Individuals Covered by 
the System; Categories of Records in the System; Routine Uses of 
Records Maintained in the System, including categories of users and 
purposes of such uses; Policies and Practices for Storage of Records; 
Policies and Practices for Retention and Disposal of Records; and 
Administrative, Technical, and Physical safeguards. In addition, this 
notice makes administrative updates to the following sections: Policies 
and Procedures for Retrieval of Records, Record Access Procedures, 
Notification Procedures, and History. These changes reflect the 
incorporation of State-72 into State-36, the Department's move to cloud 
storage, new OMB guidance, expanded authorities and routine uses for 
these records, updated contact information, and a notice publication 
history.
SYSTEM NAME AND NUMBER
    State-36, Security Records.

SECURITY CLASSIFICATION:
    Unclassified and Classified.

SYSTEM LOCATION:
    Department of State, located at 2201 C Street NW, Washington, DC 
20520, and its annexes, Bureau of Diplomatic Security, and various 
field and regional offices throughout the United States, and abroad at 
some U.S. Embassies, U.S. Consulates General, and U.S. Consulates. 
Within a government certified cloud provided, implemented, and overseen 
by the Department's Enterprise Server Operations Center (ESOC), 2201 C 
Street NW, Washington, DC 20520.

SYSTEM MANAGER(S):
    Principal Deputy Assistant Secretary for Diplomatic Security and 
Director for the Diplomatic Security Service; Department of State; SA-
20; 23rd Floor; 1801 North Lynn Street; Washington, DC 20522-2008 for 
the Harry S Truman Building, domestic annexes, field offices and 
missions; Security Officers at respective U.S. Embassies, Consulates, 
and missions overseas. The Principal Deputy Assistant Secretary for 
Diplomatic Security can be reached at (571) 345-3815.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    (a) 5 U.S.C. 301 (Government Organization and Employees) 
(Departmental regulations); (b) 5 U.S.C. Chapter 73 (Suitability, 
Security, and Conduct); (c) 5 U.S.C. 7531-33 (National Security); (d) 8 
U.S.C. 1104 (Enforcement of immigration and nationality laws); (e) 18 
U.S.C. 111 (Crimes and Criminal Procedures) (Assaulting, resisting, or 
impeding certain officers or employees); (f) 18 U.S.C. 112 (Protection 
of foreign officials, official guests, and internationally protected 
persons); (g) 18 U.S.C. 201 (Bribery of public officials and 
witnesses); (h) 18 U.S.C. 1030 (Fraud and related activity in 
connection with computers); (i) 18 U.S.C. 1114 (Protection of officers 
and employees of the U.S.); (j) 18 U.S.C. 1116 (Murder or manslaughter 
of foreign officials, official guests, or internationally protected 
persons); (k) 18 U.S.C. 1117 (Conspiracy to murder); (l) 18 U.S.C. 
1541-1546 (Issuance without authority, false statement in application 
and use of passport, forgery or false use of passport, misuse of 
passport, safe conduct violation, fraud and misuse of visas, permits, 
and other documents); (m) 22 U.S.C. 211a (Foreign Relations and 
Intercourse) (Authority to grant, issue, and verify passports); (n) 22 
U.S.C. 842, 846, 911 (Duties of Officers and Employees and Foreign 
Service Officers) (Repealed, but applicable to past records); (o) 22 
U.S.C. 2454 (Administration); (p) 22 U.S.C. 2651a (Organization of the 
Department of State); (q) 22 U.S.C. 2658 (Rules and regulations; 
promulgation by Secretary; delegation of authority) (Repealed, but 
applicable to past records); (r) 22 U.S.C. 2708 (Department of State 
Rewards Program); (s) 22 U.S.C. 2709 (Special Agents); (t) 22 U.S.C. 
2712 (Authority to control certain terrorism-related services); (u) 22 
U.S.C. 3921 (Administration by Secretary of State); (v) 22 U.S.C. 4802 
(Diplomatic Security) (Responsibility of Secretary of State), (w) 22 
U.S.C. 4804(3)(D) (Responsibilities of Assistant Secretary for 
Diplomatic Security) (Repealed, but applicable to past records); (x) 22 
U.S.C. 4831-4835 (Accountability review, accountability review board, 
procedures, findings and recommendations by a board, relation to other 
proceedings); (y) 22 U.S.C. Sec. 4807 (Establishment of Visa and 
Passport Security Program in the Department of State) (z) 44 U.S.C. 31 
(Federal Records Act of 1950, Sec. 506(a), as amended) (applicable to 
past records); (aa) 44 U.S.C. 3541 (Federal Information Security 
Management); (bb) Executive Order 10450 (Security requirements for 
government employment) (revoked but applicable to past records) and its 
successor orders; (cc) Executive Order 12107 (Relating to the Civil 
Service Commission and Labor-Management in the Federal Service); (dd) 
Executive Order 13526 and its predecessor orders (Classified National 
Security Information); (ee) Executive Order 12968, as amended (Access 
to Classified Information); (ff) Executive Order 13587 (Structural 
Reforms to Improve the Security of

[[Page 28059]]

Classified Networks and Information); (gg) Executive Order 12333, as 
amended, and its predecessor orders (United States Intelligence 
Activities); (hh) Executive Order 13467, as amended (Reforming 
Processes Related to Suitability for Government Employment, Fitness, 
for Contractor Employees, and Eligibility for Access to Classified 
National Security Information); (ii) 22 CFR Subchapter M (International 
Traffic in Arms) (applicable to past records); (jj) 40 U.S.C. Chapter 
10 (Federal Property and Administrative Services Act (1949)); (kk) 31 
U.S.C. (Internal Revenue Code); (ll) Public Law 99-399, 8/27/1986 
(Omnibus Diplomatic Security and Antiterrorism Act of 1986, as 
amended); (mm) Public Law 100-202, 12/22/1987 (Appropriations for 
Departments of Commerce, Justice, and State) (applicable to past 
records); (nn) Public Law 100-461, 10/1/1988 (Foreign Operations, 
Export Financing, and Related Programs Appropriations Act); (oo) Public 
Law 104-347, sec. 203 (Electronic Government Act); (pp) Public Law 107-
56, 10/26/2001 (USA PATRIOT Act--Uniting and Strengthening America by 
Providing Appropriate Tools Required to Intercept and Obstruct 
Terrorism); (qq) Public Law 108-21, 4/30/2003 (PROTECT Act--
Prosecutorial Remedies and Other Tools to End the Exploitation of 
Children Today Act of 2003); (rr) Executive Order 12356 (National 
Security Information) (applicable to past records); (ss) Executive 
Order 9397 (Numbering System for Federal Accounts Relating to 
Individual Persons); (tt) Homeland Security Presidential Directive 
(HSPD-12) (Policy for a Common Identification Standard for Federal 
Employees and Contractors, 8/27/2004; (uu) Executive Order 13356 
(Strengthening the Sharing of Terrorism Information to Protect 
Americans); (vv) Public Law 108-458 (Sect.1016), 12/17/2004 
(Intelligence Reform and Terrorism Prevention Act of 2004; (ww) Public 
Law 92-463: 5 U.S.C. App. (Federal Advisory Committee Act); (xx) E.O. 
12829, National Industrial Security Program; (yy) PDD/NSC-12 Security 
Awareness and Reporting Foreign Contacts; (yy) Security Executive Agent 
Directive 3 (Reporting Requirements for Personnel with Access to 
Classified Information or Who Hold a Sensitive Position); (zz) Security 
Executive Agent Directive 4 (National Security Adjudicative 
Guidelines); (aaa) Security Executive Agent Directive 5 (Social Media 
in Background Investigations).

PURPOSE(S) OF THE SYSTEM:
    The records maintained in State-36, Security Records, capture data 
related to incidents and threats affecting U.S. Government personnel, 
U.S. Government information, or U.S. Government facilities world-wide, 
for a variety of legal purposes including federal, state, and 
international law enforcement and counterterrorism purposes. The 
information maintained in Security Records may be used to determine 
general suitability for employment or retention in employment, to grant 
a contract or issue a license, grant, national security eligibility, 
security clearance, or Department credential (including PIV card).

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Present and former employees of the Department of State; U.S. 
Agency for International Development (AID), and Peace Corps employees; 
applicants for Department employment who are presently undergoing a 
background investigation; individuals communicating on publicly 
available social media with employees or applicants undergoing a 
background investigation; contractors working for the Department; 
interns and detailees to the Department; employees of other federal 
agencies who have accounts on Department networks; individuals 
requiring access to the official Department of State premises who have 
undergone or are undergoing security clearance; some passport and visa 
applicants concerning matters of adjudication; individuals and 
institutions identified in passport and visa crime investigations; 
individuals and institutions identified in investigations regarding 
identity theft or document fraud affecting or relating to the programs, 
functions or authorities of the Department of State; individuals 
identified in investigations of Federal offenses committed within the 
special maritime and territorial jurisdiction of the United States; 
individuals involved in unauthorized access to classified information; 
prospective alien spouses of U.S. citizen employees of the Department 
of State; individuals or groups whose activities have a potential 
bearing on the security of Departmental or Foreign Service operations, 
domestically or abroad, including those involved in criminal or 
terrorist activity; individuals and organizations who apply to be 
constituents in the exchange of security information from public-
private partnerships; and visitors to the Department of State main 
building (Harry S Truman Building), to its domestic annexes, field 
offices, missions, and to the U.S. Embassies and U.S. Consulates and 
missions overseas. Also covered are individuals issued security or 
cybersecurity violations or infractions; litigants in civil suits and 
criminal prosecutions of interest to the Bureau of Diplomatic Security; 
individuals who have Department building passes; individuals using 
Department devices or networks; uniformed security officers; 
individuals named in congressional inquiries to the Bureau of 
Diplomatic Security; individuals subject to investigations conducted 
abroad on behalf of other federal agencies; individuals who participate 
in Department rewards programs; and individuals whose activities other 
agencies believe may have a bearing on U.S. foreign policy interests. 
The Privacy Act defines an individual at 5 U.S.C. 552a(a)(2) as a 
United States citizen or lawful permanent resident.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Incident and investigative material relating to any category of 
individual described above, including case files containing items such 
as name, date and place of birth, citizenship, telephone numbers, 
addresses, physical description (including height, weight, body type, 
hair, clothing, gender, ethnicity, race, and other general and 
distinguishing physical features), medical records, accent description, 
identification media (such as passport, residency, or driver's license 
numbers), vehicle registration and vehicle information; email address, 
family identifiers (such as names of relatives and biographic 
information), employer identifiers, applications for passports and 
employment, photographs, biometric data (to include fingerprints, and 
deoxyribonucleic acid (DNA) information), birth certificates, credit 
checks, security evaluations and clearances, national security 
eligibility determinations, fitness determinations, other agency 
reports and informant reports; legal case pleadings and files; evidence 
collected during investigations; polygraphs; network audit records, 
network use records, email, chat conversations, and text messages sent 
using Department devices or networks; social media account 
communications and/or findings for individuals undergoing background or 
security investigations; publicly available social media communications 
of third parties with individuals undergoing background investigations; 
security violation files; training reports; weapons assignment 
database; firing proficiency and other security-related

[[Page 28060]]

testing scores; availability for special protective assignments; 
language proficiency scores; intelligence reports; counterintelligence 
material; counterterrorism material; threat information pertaining to 
private U.S. entities and individuals operating overseas; internal 
Departmental memoranda; internal personnel, fiscal, and other 
administrative documents, to include PIV-related documents; emergency 
contact information for Department employees and contractors; Social 
Security number; specific areas and times of authorized accessibility; 
escort authority; status and level of security clearance; issuing 
agency and issue date; and for all individuals: Date and times of 
building entrance and exit.
    For visitors, information collected can include name, date of 
birth, citizenship, identification type, identification number, 
temporary badge number, host's name, office symbol, room number, and 
telephone number. For public-private partnerships to exchange security 
information, information collected can include name, address, telephone 
number and email address.
    Security files contain information needed to provide protective 
services for the Secretary of State and visiting and resident foreign 
officials and associated foreign official facilities, and to protect 
the Department's official facilities and information assets. Security 
files contain documents and reports furnished to the Department by 
other agencies concerning individuals whose activities the other 
agencies believe may have a bearing on U.S. foreign policy interests.

RECORD SOURCE CATEGORIES:
    These records contain information obtained from the individual; 
persons having knowledge of the individual; persons having knowledge of 
incidents or other matters of investigative interest to the Department; 
other U.S. law enforcement agencies and court systems; pertinent 
records of other federal, state, or local agencies or foreign 
governments; pertinent records of private firms or organizations; the 
intelligence community; and other public sources. The records also 
contain information obtained from interviews, review of records, and 
other authorized investigative techniques.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The information in Security Records is used by:
    (a) Department of State officials in the administration of their 
responsibilities;
    (b) Appropriate committees and subcommittees of Congress in 
furtherance of their respective oversight functions;
    (c) Department of Treasury; U.S. Office of Personnel Management; 
Agency for International Development; Department of Commerce; Peace 
Corps; Department of Defense; Central Intelligence Agency; Department 
of Justice; Department of Homeland Security; National Counter Terrorism 
Center; and other federal agencies inquiring pursuant to law or 
Executive Order, in order to make a determination of or verify general 
suitability for employment, fitness, or retention in employment, to 
grant a contract or issue a license, grant, security clearance, 
national security eligibility, credential or accreditation;
    (d) Any federal, state, municipal, foreign or international law 
enforcement or other relevant agency or organization as needed for 
security, law enforcement or counterterrorism purposes, such as: 
Investigative material, threat alerts and analyses, protective 
intelligence and counterintelligence information, information relevant 
for screening purposes;
    (e) Any other agency or department of the federal government 
pursuant to statutory intelligence responsibilities or other lawful 
purposes (including, but not limited to, adjudications, hearings and 
appeals, continuous evaluation, inspector general functions, 
counterintelligence, and research, and insider threat programs);
    (f) Any other agency or department of the Executive Branch having 
oversight or review authority with regard to its investigative 
responsibilities;
    (g) A federal, state, local, foreign, or international agency or 
other public authority that investigates, prosecutes, or assists in 
investigation or prosecution of violation of criminal law or enforces, 
implements, or assists in enforcement or implementation of statute, 
rule, regulation, or order;
    (h) A federal, state, local or foreign agency or other public 
authority or professional organization maintaining civil, criminal, and 
other relevant enforcement or pertinent records such as current 
licenses; information may be given to a consumer reporting agency:
    (1) To obtain information, relevant enforcement records or other 
pertinent records such as current licenses, or
    (2) to obtain information relevant to an agency investigation, a 
decision concerning the hiring or retention of an employee or other 
personnel action, the issuance of a security clearance or the 
initiation of administrative, civil, or criminal action;
    (i) Officials of government agencies in the letting of a contract, 
issuance of a license, grant or other benefit, and the establishment of 
a claim;
    (j) Any private or public source, witness, or subject from which 
information is requested in the course of a legitimate agency 
investigation or other inquiry, to the extent necessary to identify an 
individual; to inform a source, witness or subject of the nature and 
purpose of the investigation or other inquiry; and to identify the 
information requested;
    (k) An attorney or other designated representative of any source, 
witness or subject described in paragraph (j) of the Privacy Act only 
to the extent that the information would be provided to that category 
of individual itself in the course of an investigation or other 
inquiry;
    (l) A federal agency following a response to its subpoena or to a 
prosecution request that such record be released for the purpose of its 
introduction to a grand jury or in another criminal proceeding;
    (m) Relevant information may be disclosed from this system to the 
news media and general public in furtherance of a legitimate law 
enforcement or public safety function as determined by the Department. 
Such uses may include, for example to assist in the location of federal 
fugitives, to provide notification of arrests, to provide alerts, 
assessments, or similar information on potential threats to life, 
health, or property, or to keep the public appropriately informed of 
other law enforcement matters where disclosure could not reasonably be 
expected to constitute an unwarranted invasion of personal privacy and 
could not reasonably be expected to prejudice the outcome of a pending 
or future trial;
    (n) State, local, federal or non-governmental agencies and entities 
as needed for purposes of emergency or disaster response or 
identification of bodies;
    (o) U.S. government agencies within the framework of the National 
Suspicious Activity Report (SAR) Initiative (NSI) regarding foreign 
intelligence and terrorist threats, managed by the Department of 
Justice;
    (p) Appropriate agencies, entities, and persons when (1) the 
Department of State suspects or has confirmed that there has been a 
breach of the system of records; (2) the Department of State has 
determined that as a result of the suspected or confirmed breach there 
is a risk of harm to individuals, the Department of State (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist

[[Page 28061]]

in connection with the Department of State efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm;
    (q) To another Federal agency or Federal entity, when the 
Department of State determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach;
    (r) To Department of State officials for the purpose of vetting for 
employee participation in public speaking events, recruitment events, 
awards, and assignments;
    (s) To private U.S. entities operating overseas to communicate 
threats against them and their employees;
    (t) To the Office of the Director of National Intelligence for 
inclusion in its Scattered Castles system in order to facilitate 
reciprocity of background investigations and national security 
eligibility determinations; and
    (u) To a court, adjudicative body, or administrative body before 
which the Department is authorized to appear when (a) the Department; 
(b) any employee of the Department in his or her official capacity; (c) 
any employee of the Department in his or her individual capacity where 
the U.S. Department of Justice (``DOJ'') or the Department has agreed 
to represent the employee; or (d) the Government of the United States, 
when the Department determines that litigation is likely to affect the 
Department, is a party to litigation or has an interest in such 
litigation, and the use of such records by the Department is deemed to 
be relevant and necessary to the litigation or administrative 
proceeding.
    The Department of State periodically publishes in the Federal 
Register its standard routine uses that apply to all of its Privacy Act 
systems of records. These notices appear in the form of a Prefatory 
Statement (published in Volume 73, Number 136, Public Notice 6290, on 
July 15, 2008). All these standard routine uses apply to Security 
Records, State-36.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored both in hard copy and on electronic media. A 
description of standard Department of State policies concerning storage 
of electronic records is found here https://fam.state.gov/FAM/05FAM/05FAM0440.html. All hard copies of records containing personal 
information are maintained in secured file cabinets in restricted 
areas, access to which is limited to authorized personnel only.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    By individual name, personal or biometric identifier, case number, 
Department building passes, and Social Security number (for other than 
visitors), as well as by each category of records in the system.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Retention of these records varies depending upon the specific kind 
of record involved. The retention periods of records maintained in this 
system of records range from three years for security support records 
to 100 years for investigation case files. These records are retired or 
destroyed in accordance with published schedules of the Department of 
State and as approved by the National Archives and Records 
Administration and outlined here https://foia.state.gov/Learn/RecordsDisposition.aspx. More specific information may be obtained by 
writing to the following address: U.S. Department of State; Director, 
Office of Information Programs and Services; A/GIS/IPS; SA-2, Suite 
8100; Washington, DC 20522-8100.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    All users are given cybersecurity awareness training which covers 
the procedures for handling Sensitive But Unclassified information, 
including personally identifiable information (PII). Annual refresher 
training is mandatory. In addition, all Foreign Service and Civil 
Service employees and those Locally Engaged Staff who handle PII are 
required to take the Foreign Service Institute distance learning 
course, PA 459, instructing employees on privacy and security 
requirements, including the rules of behavior for handling PII and the 
potential consequences if it is handled improperly.
    Access to the Department of State, its annexes and posts abroad is 
controlled by security guards and admission is limited to those 
individuals possessing a valid identification card or individuals under 
proper escort. All paper records containing personal information are 
maintained in secured file cabinets in restricted areas, access to 
which is limited to authorized personnel. Access to computerized files 
is password-protected and under the direct supervision of the system 
manager. The system manager has the capability of printing audit trails 
of access from the computer media, thereby permitting regular and ad 
hoc monitoring of computer usage. When it is determined that a user no 
longer needs access, the user account is disabled.
    Before being granted access to Security Records, a user must first 
be granted access to the Department of State computer system, and user 
access is not granted until a background investigation has been 
completed. All Department of State employees and contractors with 
authorized access have undergone a thorough background security 
investigation. Remote access to the Department of State network from 
non-Department owned systems is authorized only through a Department-
approved access program. Remote access to the network is configured 
with the authentication requirements contained in the Office of 
Management and Budget Circular Memorandum A-130.
    The Department of State will store records maintained in this 
system of records in cloud systems. All cloud systems that provide IT 
services and process Department of State information must be 
specifically authorized by the Department of State Authorizing Official 
and Senior Agency Official for Privacy.
    Only information that conforms with Department-specific definitions 
for FISMA low or moderate categorization are permissible for cloud 
usage unless specifically authorized by the Cloud Computing Governance 
Board. Prior to operation, all Cloud systems must comply with 
applicable security measures that are outlined in FISMA, FedRAMP, OMB 
regulations, NIST Federal Information Processing Standards (FIPS) and 
Special Publication (SP), and Department of State policy and standards.

RECORD ACCESS PROCEDURES:
    Individuals who wish to gain access to or amend records pertaining 
to themselves should write to U.S. Department of State; Director, 
Office of Information Programs and Services; A/GIS/IPS; SA-2, Suite 
8100; Washington, DC 20522-8100. The individual must specify that he or 
she wishes Security Records to be checked. At a minimum, the individual 
must include: Full name (including maiden name, if appropriate) and any 
other names used; current mailing address and zip code; date and place 
of birth; notarized signature or statement under penalty of perjury; a 
brief description of the circumstances that caused the creation of the 
record (including the city and/or country and the approximate dates) 
which gives the

[[Page 28062]]

individual cause to believe that Security Records include records 
pertaining to him or her. Detailed instructions on Department of State 
procedures for accessing and amending records can be found at the 
Department's FOIA website (https://foia.state.gov/Request/Guide.aspx).

CONTESTING RECORD PROCEDURES:
    Individuals who wish to contest record procedures should write to 
U.S. Department of State; Director, Office of Information Programs and 
Services; A/GIS/IPS; SA-2, Suite 8100; Washington, DC 20522-8100.

NOTIFICATION PROCEDURES:
    Individuals who have reason to believe that this system of records 
may contain information pertaining to themselves should write to 
following address: U.S. Department of State; Director, Office of 
Information Programs and Services; A/GIS/IPS; SA-2, Suite 8100; 
Washington, DC 20522-8100. The individual must specify that he or she 
wishes Security Records to be checked. At a minimum, the individual 
must include: Full name (including maiden name, if appropriate) and any 
other names used; date and place of birth; current mailing address and 
zip code; notarized signature or statement under penalty of perjury; a 
brief description of the circumstances that caused the creation of the 
record (including the city and/or country and the approximate dates) 
which gives the individual cause to believe that Security Records 
include records to him or her.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    Any other exempt records from other agencies' systems of records 
that are recompiled into this system are also considered exempt to the 
extent they are claimed as such in the original systems.
    Pursuant to 5 U.S.C. 552a (j)(2), records in this system may be 
exempted from subsections (c)(3) and (4), (d), (e)(1), (2), (3), and 
(e)(4)(G), (H), and (I), and (f) of the Privacy Act. Pursuant to 5 
U.S.C. 552a (k)(1), (k)(2), and (k)(5), records in this system may be 
exempted from subsections (c)(3), (d)(1), (d)(2), (d)(3), (d)(4), 
(d)(5), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), (f)(1), (f)(2), 
(f)(3), (f)(4), and (f)(5).
    See 22 CFR 171.

HISTORY:
    Security Records, State-36, was previously published at 80 FR 77691 
and Identity Management System, State-72, was previously published at 
71 FR 62653.

Mary R. Avery,
Senior Agency Official for Privacy, Senior Advisor, Office of Global 
Information Services, Bureau of Administration, Department of State.
[FR Doc. 2018-12872 Filed 6-14-18; 8:45 am]
 BILLING CODE 4710-24-P