Privacy Act of 1974; System of Records, 7389-7395 [2020-02480]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 85, Number 26 (Friday, February 7, 2020)]
[Notices]
[Pages 7389-7395]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-02480]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, notice is hereby given 
that the Department of Veterans Affairs (VA) is amending the system of 
records currently entitled, ``Veterans Canteen Service (VCS) Payroll 
Deduction

[[Page 7390]]

Program (PDP)--VA'' (117VA103) as set forth in the Federal Register 75 
FR 26851. VA is amending the system of records by revising the System 
Name; System Number; System Location; System Manager; Purpose of the 
System; Categories of Individuals Covered by the System; Categories of 
the Records in the System; Record Source Categories; Routine Uses of 
Records Maintained in the System, Including Categories of Users and the 
Purposes of Such Uses; Policies and Practices for Storage of Records; 
Policies and Practices for Retrievability of Records; Policies and 
Practices For Retention and Disposal of Records; Physical, Procedural, 
and Administrative Safeguards; Record Access Procedure; and 
Notification Procedure. VA is republishing the system notice in its 
entirety.

DATES: Comments on this amended system of records must be received no 
later than March 9, 2020. If no public comment is received during the 
period allowed for comment or unless otherwise published in the Federal 
Register by the VA, the new system will become effective March 9, 2020.

ADDRESSES: Written comments may be submitted through 
www.Regulations.gov; by mail or hand-delivery to Director, Regulation 
Policy and Management (00REG), Department of Veterans Affairs, 810 
Vermont Avenue NW, Room 1064, Washington, DC 20420; or by fax to (202) 
273-9026 (Note: Not a toll-free number). Comments should indicate they 
are submitted in response to ``Veterans Canteen Service (VCS) Payroll 
Deduction Program (PDP)--VA'' (117VA103). Copies of comments received 
will be available for public inspection in the Office of Regulation 
Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 
4:30 p.m., Monday through Friday (except holidays). Please call (202) 
461-4902 for an appointment (Note: Not a toll-free number). In 
addition, comments may be viewed online at www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Act Officer, Department of Veterans Affairs, 810 Vermont Avenue 
NW, Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION: The System Name is being changed from 
``Veterans Canteen Service (VCS) Payroll Deduction Program (PDP)--VA'' 
to ``Veterans Canteen Service (VCS) Payroll Deduction Program (PDP), 
Point of Sale (POS) Help Desk and eCommerce--VA.''
    The System Number will be changed from 117VA103 to 117VA10NA6 to 
reflect the current organizational alignment.
    The System Location is being amended to replace Austin Automation 
Center (AAC) with Austin Information Technology Center (AITC). This 
section will add POS Help Desk and VCS eCommerce Site information, 
which is maintained on a contractor-owned data center located in their 
Service Desk Online (SDO) system in Coventry, United Kingdom (UK) and 
Phoenix, Arizona, respectively.
    The System Manager has been amended to add the POS Help Desk and 
eCommerce Site official responsible for policies and procedures: Office 
of the Business Operations and Support, Veterans Canteen Service (103), 
Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 
20420. Addresses for VA facilities are listed in VA Appendix 1.
    Purpose of the System is being amended to add for the POS Help Desk 
and eCommerce Site. The VCS records allow authorized VCS contractors to 
collect relevant data to the end of providing operational support to 
maintain both cash register systems and the eCommerce Site. User data 
will be used for incident reporting and help desk activities, site 
personalization, Email communication, product recommendations, order 
management and payment processing. The VCS system of records allows 
authorized VCS employees and contractors to collect VCS canteen 
addresses, VCS canteen phone numbers, VCS system users first and last 
name and VCS employee's VA Email addresses through an incident 
management system for the purposes of in-taking, troubleshooting and 
triaging VCS call tickets. The operations and maintenance portions must 
be reported by the end user to a VCS contracted designated help desk 
who has been designated to resolve the issue. Records would be used to 
identify issues, conduct follow-up on unresolved issues, perform trend 
analyses on types of call ticket issues, generate reports and analytics 
on call ticket trends and notify VCS management of call ticket volume 
and trends. The additional functions serve to provide a modern system 
as an eCommerce platform that is comparable to commercial eCommerce 
sites.
    The Categories of Individuals Covered by the System is being 
amended to define the types of user data covered by the POS Help Desk 
and eCommerce Site.
    The Categories of Records in the System is being amended to include 
the POS Help Desk and eCommerce Site records include the following 
identification information:

--User First and Last Name, Prefix, Suffix
--User Email address
--User Gender
--User Date of Birth
--User Address, City, State, and Postal Zip Code
--User Military Affiliation
--User Site Behavioral Patterns
--User Site Purchase History
--User Phone Number
--User PDP Account Number
--User PDP Account Balance
--User Date of Purchase
--User Purchase Amount
--User Identification Control Number (ICN)
--User Security ID
--User Assurance Level
--User Credential Service Identifier
--User Identifier
--User Hash
--User Authentication Time
--Credit Card Number
--Credit Card CVV
--Credit Card Date of Expiration
--PayPal credentials
--VCS Canteen location including Address, City, State and Postal Zip 
Code
--VCS Canteen Phone Number; and
--Description of System or Application Issue.
    Record Source Categories is being amended to include the POS Help 
Desk and eCommerce Site information in this system of records is 
provided by authorized VCS employees who call, Email or submit a call 
ticket to the vendor in order to report a system, application or 
operational issue relative to a system application. The updates also 
provide the ability to offer a modern eCommerce platform that is 
comparable to commercial eCommerce sites, to include custom site 
personalization, product recommendations and order management.
    The Routine Uses of Records Maintained in the System is amending 
the language in Routine Use #11, which states that disclosure of the 
records to the DoJ is a use of the information contained in the records 
that is compatible with the purpose for which VA collected the records. 
VA may disclose records in this system of records in legal proceedings 
before a court or administrative body after determining that the 
disclosure of the records to the court or administrative body is a use 
of the information contained in the records that is compatible with the 
purpose for which VA collected the records. This routine use will now 
state that release of the records to the DoJ is limited to 
circumstances where relevant and

[[Page 7391]]

necessary to the litigation. VA may disclose records in this system of 
records in legal proceedings before a court or administrative body 
after determining that release of the records to the court or 
administrative body is limited to circumstances where relevant and 
necessary to the litigation.
    Routine Use #14 is clarifying the language to state, ``VA may 
disclose any information or records to appropriate agencies, entities, 
and persons when (1) VA suspects or has confirmed that there has been a 
breach of the system of records; (2) VA has determined that as a result 
of the suspected or confirmed breach there is a risk to individuals, VA 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, or persons is reasonably necessary to 
assist in connection with VA efforts to respond to the suspected or 
confirmed breach or to prevent, minimize, or remedy such harm.''
    Routine use #15 is being added to state, ``VA may disclose 
information from this system of records to another Federal agency or 
Federal entity, when VA determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.''
    Routine use #16 is being added to state, ``VA may disclose relevant 
information to VCS contracted vendors, in order to provide a single 
point of contact for all incidents relative to VCS' POS software 
application.'' VA needs this routine use for VCS contracted vendors to 
use the information to intake, troubleshoot and triage call tickets as 
appropriate. In some cases, the incident may need to be escalated to a 
third party vendor or VA Office of Information Technology (OI&T) for 
further review and troubleshooting.
    Routine use #17 is being added to state, ``VA may disclose relevant 
information to third party vendors for issues outside the scope of VCS 
software application vendor. This includes, but is not limited to 
notification of canteen location, contact information, canteen manager 
first and last name, VA Email address, and description of the issue.'' 
VA needs this routine use for vendors to triage and troubleshoot 
customer transactions.
    Policies and Practices for Storage of Records is being amended to 
include the POS Help Desk records are maintained electronically within 
the managed service database.
    Policies and Practices for Retrievability of Records is being 
amended to include the POS Help Desk and eCommerce Site records are 
retrieved by Incident Number.
    Policies and Practices For Retention and Disposal of Records to 
replace ``records for active participants in the Payroll Deduction 
Program are maintained indefinitely. Records for participants who leave 
VA employment voluntarily or involuntarily terminate their 
participation in the Payroll Deduction Program are retained for three 
years following the date the account attains a zero balance; or for 
three years following the date the account balance is written off 
following unsuccessful collection action'' with Payroll System Reports 
which include error reports, ticklers, and system operation reports, 
destroy when related actions are completed or when no longer needed, 
not to exceed 2 years. (N1-GRS-92-4 item 22a). Reports providing fiscal 
information on agency payroll destroy after GAO audit or when 3 years 
old, whichever is sooner. (N1-GRS-92-4 item 22c). Information 
Technology (IT) Customer Service File records related to providing help 
desk information to customers, including pamphlets, responses to 
Frequently Asked Questions, and other documents prepared in advance to 
assist customers, destroy/delete 1 year after record is superseded or 
obsolete. (N1-GRS-03-1 item 10a). Help desk logs and reports and other 
files related to customer query and problem response; query monitoring 
and clearance; and customer feedback records; and related trend 
analysis and reporting, destroy/delete when 1 year old or when no 
longer needed for review and analysis, whichever is later. (N1-GRS-03-1 
item 10b).''
    Physical, Procedural, and Administrative Safeguards is being 
amended to include:
POS Help Desk and eCommerce Site--
    1. Access to VA work and file areas is restricted to VA personnel 
and authorized contractors with a legitimate need for the information 
in the performance of their official duties. Strict control measures 
are enforced to ensure that access by these individuals is 
appropriately limited. Contractor and VCS employees are required to 
complete and adhere to annual VA security and privacy awareness 
training and rules of behavior and are VA cleared. Access is controlled 
by individual unique passwords or codes, which must be changed 
periodically by the users.
    2. Physical access to the contractor's data processing center is 
generally restricted to contractor employees, custodial personnel, 
Federal Protective Service, and other security personnel. Access to 
computer rooms is restricted to authorized operational personnel 
through electronic locking devices. All other persons gaining access to 
computer rooms are escorted. The only personnel who are able to 
physically access SDO are the Contractor's IT Team and emergency 
responders.
    3. All data transmissions are encrypted to prevent disclosure of 
protected Privacy Act information. Access to backup copies of data is 
restricted to authorized personnel in the same manner as the data 
processing center.
    Record Access Procedure is being amended to include for the POS 
Help Desk, individuals seeking information regarding access to and 
contesting of records in this system may write, call, or visit the VCS' 
Chief, Business Operations and Support at the Veterans Canteen Service 
Central Office (VCSCO), St. Louis, Missouri 63125; telephone; (314) 
845-1200.
    Notification Procedure is being amended to include for the POS Help 
Desk and eCommerce Site, individuals who wish to determine whether the 
system contains records about them should contact the VCS Chief, 
Business Operations and Support at the Veterans Canteen Service Central 
Office (VCSCO), St. Louis, Missouri 63125; telephone; (314) 845-1200. 
Inquiries should contain the person's full name, date(s) of contact, 
and return address.
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. Sec.  552a(r) 
(Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 
2000.
    Signing Authority: The Senior Agency Official for Privacy, or 
designee, approved this document and authorized the undersigned to sign 
and submit the document to the Office of the Federal Register for 
publication electronically as an official document of the Department of 
Veterans Affairs. F. John Buck, Director, Office of Privacy Information 
and Identity Protection, Office of Quality, Privacy and Risk, Office of 
Information and Technology, Department of Veterans Affairs,

[[Page 7392]]

approved this document on June 5, 2018 for publication.

    Dated: February 4, 2020.
Amy L. Rose,
Program Analyst, VA Privacy Service, Department of Veterans Affairs.

SYSTEM NAME:
    Veterans Canteen Service (VCS) Payroll Deduction Program (PDP), 
Point of Sale (POS) Help Desk and eCommerce--VA (117VA10NA6)

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Individual PDP purchase records are maintained in the VCS office at 
each Department of Veterans Affairs (VA) health care facility. 
Addresses for VA facilities are listed in VA Appendix 1. In addition, 
information from these records or copies of records is maintained in a 
centralized electronic database at the Austin Information Technology 
Center (AITC), 1615 East Woodward Street, Austin, TX 78772.
    For the POS Help Desk, information is maintained on a contractor 
owned-data center located in their Service-Desk Online (SDO) system in 
Coventry, United Kingdom (UK). For the eCommerce Site, data is 
maintained in a contracted data center located at the Phoenix, Arizona 
hosting site.

SYSTEM MANAGER(S):
    PDP official responsible for policies and procedures: Office of the 
Chief Financial Officer, Veterans Canteen Service (103), Department of 
Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420. 
Officials maintaining the system: Chief of the Canteen Service at the 
facility where the individuals were associated. Addresses for VA 
facilities are listed in VA Appendix 1.
    For POS Help Desk and eCommerce Site, official responsible for 
policies and procedures: Office of the Business Operations and Support, 
Veterans Canteen Service (103), Department of Veterans Affairs, 810 
Vermont Avenue NW, Washington, DC 20420. Addresses for VA facilities 
are listed in VA Appendix 1.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, Part V, Chapter 78.

PURPOSE(S) OF THE SYSTEM:
    PDP records and information will be used to track customer 
purchases, payments and balances due to VCS. Records and information 
may also be used for the purpose of debt collection. The records and 
information may be used for management and analysis reports of VCS 
programs.
    For the POS Help Desk and eCommerce Site, the VCS System of Records 
allows authorized VCS contractors to collect data relevant to system 
processing to include addresses, phone numbers, user's first and last 
name, and Email addresses for the purposes of sustaining order 
fulfillment, payment processing, in-take, troubleshooting and triaging 
of VCS call tickets. Issues concerning the operation and maintenance of 
the must be reported by the end user to a VCS contracted designated 
help desk employee who has been designated to resolve the issue. 
Records are used to identify issues, conduct follow-up of unresolved 
issues, generate reports, perform trend analysis and notify VCS 
management of results from treading to include types of call tickets 
and call ticket volume. The VCS system of records allows authorized VCS 
employees and contractors to collect VCS canteen addresses, VCS canteen 
phone numbers, VCS system users first and last name and VCS employee's 
VA Email addresses through an incident management system for the 
purposes of in-taking, troubleshooting and triaging VCS call tickets. 
The records on the eCommerce Site will be further used to deliver a 
commercial grade eCommerce platform that will include the ability to 
provide site customizations and product recommendations based on user 
browsing patterns, and modern order fulfillment and payment processing 
methods.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The individuals covered by the system encompass permanent VA 
employees, also known as customers, who participate in the VCS Payroll 
Deduction System, which permits them to pay for purchases in VCS 
canteens through deduction from their pay. For the POS Help Desk, the 
individuals covered by the system encompass VCS employees. The VCS 
eCommerce site covers the VCS customer base which includes Veterans 
enrolled in VA's health care system, their families, caregivers, VA 
employees, volunteers, and visitors.

CATEGORIES OF RECORDS IN THE SYSTEM:
    These records include the following Information for PDP:
    --Customer identification information such as last name, first 
name, middle initial, social security number;
    --Customer purchases made under the program;
    --Timestamps for payments;
    --Payroll payments, cash payments, refunds for returned 
merchandise, and refunds for overpayments;
    --Customer account balances and amounts written-off as 
uncollectible;
    --Customer pay status when customer is in a ``without pay'' status;
    --Identification of VCS employees creating customer transactions is 
by manual or electronic data capture. Manual transactions can be traced 
by a user ID within the payroll deduction system that identifies the 
individual entering the manual transaction. Electronic transactions can 
be traced by cashier code of the cashier ringing the transaction into 
the cash register; and
    --Customer station number and canteen of purchase.
    The POS Help Desk and eCommerce Site records include the following 
identification information:
    --User First and Last Name, Prefix, Suffix;
    --User Email address;
    --User Gender;
    --User Date of Birth;
    --User Address, City, State, and Postal Zip Code;
    --User Military Affiliation;
    --User Site Behavioral Patterns;
    --User Site Purchase History;
    --User Phone Number;
    --User PDP Account Number;
    --User PDP Account Balance;
    --User Date of Purchase;
    --User Purchase Amount;
    --User ICN;
    --User Security ID;
    --User Assurance Level;
    --User Credential Service Identifier;
    --User Identifier;
    --User Hash;
    --User Authentication Time;
    --Credit Card Number;
    --Credit Card CVV;
    --Credit Card Date of Expiration;
    --PayPal credentials;
    --VCS canteen location including Address, City, State and Postal 
Zip Code;
    --VCS canteen Phone Number; and
    --Description of System or Application Issue.

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by the customers 
who participate in the PDP program, users of the VCS eCommerce Site, VA 
employees and various VA systems.
    The POS Help Desk information in this system of records is provided 
by authorized users who call, Email or submit a call ticket to a VCS 
contracted vendor in order to report a system, application or 
operational issue relative to the system.

[[Page 7393]]

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. VA may disclose information from this system of records to a 
private debt collection agent for the purpose of collecting unpaid 
balances from customers who have left VA employment without making full 
payment for purchases made under the program.
    2. VA may disclose information from this system of records to the 
U.S. Treasury Offset Program (TOPS) for the purpose of collecting 
unpaid balances from customers who have left VA employment without 
making full payment for purchases made under the program. VA needs to 
be able to collect unpaid balances from customers who have left VA 
employment without making full payment to VCS for purchases made under 
the program.
    3. Disclosure may be made to the Federal Labor Relations Authority 
(FLRA), including its General Counsel, when requested in connection 
with investigation and resolution of allegations of unfair labor 
practices, in connection with the resolution of exceptions to 
arbitrator awards when a question of material fact is raised, and in 
connection with matters before the Federal Service Impasses Panel. The 
release of information to FLRA from this Privacy Act system of records 
is necessary to comply with the statutory mandate under which FLRA 
operates.
    4. Disclosure may be made to officials of labor organizations 
recognized under 5 U.S.C. chapter 71 when relevant and necessary to 
their duties of exclusive representation concerning personnel policies, 
practices, and matters affecting working conditions.
    5. Disclosure may be made to officials of the Merit Systems 
Protection Board, including the Office of the Special Counsel, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as 
may be authorized by law.
    6. Disclosure may be made to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discrimination practices, examination of Federal 
affirmative employment programs, compliance with the Uniform Guidelines 
of Employee Selection Procedures, or other functions vested in the 
Commission by the President's Reorganization Plan No. 1 of 1978.
    7. A record from a system of records maintained by this component 
may be disclosed as a routine use to the National Archives and Records 
Administration (NARA) for the purpose of records management inspections 
conducted under authority of Title 44 United States Code. NARA is 
responsible for archiving old records no longer actively used but which 
may be appropriate for preservation; they are responsible in general 
for the physical maintenance of the Federal government's records. VA 
must be able to turn records over to these agencies in order to 
determine the proper disposition of such records.
    8. Disclosure of relevant information may be made to individuals, 
organizations, private or public agencies, etc., with whom VA has a 
contract or agreement to perform such services as VA may deem 
practicable for the purposes of laws administered by VA, in order for 
the contractor or subcontractor to perform the services of the contract 
or agreement. VA occasionally contracts out certain functions when this 
would contribute to effective and efficient operations. VA must be able 
to give a contractor whatever information is necessary for the 
contractor to fulfill its duties. In these situations, safeguards are 
provided in the contract prohibiting the contractor from using or 
disclosing the information for any purpose other than that described in 
the contract.
    9. Disclosure from a system of records maintained by this component 
may be made to a Congressional office from the record of an individual 
in response to an inquiry from the Congressional office made at the 
request of that individual. Individuals sometimes request the help of a 
member of Congress in resolving some issues relating to a matter before 
VA. The member of Congress then writes VA, and VA must be able to give 
sufficient information to be responsive to the inquiry.
    10. Disclosure may be made to a Federal, State or local agency, 
upon its official request, to the extent that it is relevant and 
necessary to that agency's decision regarding: The hiring, retention or 
transfer of an employee, the issuance of a security clearance, the 
letting of a contract, or the issuance or continuance of a license, 
grant or other benefit given by that agency. However, in accordance 
with an agreement with the U.S. Postal Service, disclosures to the U.S. 
Postal Service for decisions concerning the employment of veterans will 
only be made with the Veteran's prior written consent. VA must be able 
to provide information to agencies conducting background checks on 
applicants for employment or licensure.
    11. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is limited to circumstances where relevant and necessary to the 
litigation. VA may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that release of the records to the court or administrative body is 
limited to circumstances where relevant and necessary to the 
litigation.
    12. VA may disclose any information in this system, except the 
names and home addresses of Veterans and their dependents, which is 
relevant to a suspected or reasonably imminent violation of law, 
whether civil, criminal or regulatory in nature and whether arising by 
general or program statute or by regulation, rule or order issued 
pursuant thereto, to a Federal, State, local, tribal, or foreign agency 
charged with the responsibility of investigating or prosecuting such 
violation, or charged with enforcing or implementing the statute, 
regulation, rule or order. VA may also disclose the names and addresses 
of Veterans and their dependents to a Federal agency charged with the 
responsibility of investigating or prosecuting civil, criminal or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule or order issued pursuant thereto.
    13. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    14. VA may disclose any information or records to appropriate 
agencies, entities, and persons when (1) VA

[[Page 7394]]

suspects or has confirmed that there has been a breach of the system of 
records; (2) VA has determined that as a result of the suspected or 
confirmed breach there is a risk to individuals, VA (including its 
information systems, programs, and operations), the Federal Government, 
or national security; and (3) the disclosure made to such agencies, 
entities, or persons is reasonably necessary to assist in connection 
with VA efforts to respond to the suspected or confirmed breach or to 
prevent, minimize, or remedy such harm.
    15. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    16. VA may disclose relevant information to VCS contracted POS and 
eCommerce vendor, in order to provide a single point of contact for all 
incidents relative to the VCS system. This routine use permits VCS 
contracted vendors to use the information to process orders and 
payment, call intake, troubleshoot and triage call tickets as 
appropriate. In some cases, the incident may need to be escalated to a 
third-party vendor or VA Office of Information Technology (OI&T) for 
further review and resolution.
    17. VA may disclose relevant information to third party vendors to 
analyze product recommendations, perform site customizations, process 
payments, and resolve issues outside the scope of the VCS system 
vendors. This information may include canteen location, contact 
information, canteen manager first and last name, VA Email address, 
issues description, site browsing patterns, purchase history, military 
affiliation, gender, and date of birth. This routine use permits third 
party vendors to triage and troubleshoot customer issues when the VCS 
vendor is unable due to the scope of their contract.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    Pursuant to 5 U.S.C. 552a(b)(12), VA may disclose records from this 
system to consumer reporting agencies as defined in the Fair Credit 
Reporting Act (15 U.S.C. 168la(f)) or the Federal Claims Collection Act 
of 1966 (31 US.C. 3701(a)(3)).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    PDP records are maintained primarily on a computer disk in a 
centralized database system. Paper records of program Participation 
Agreements and individual customer records are maintained in canteen 
office files. The POS Help Desk and eCommerce records are maintained 
electronically within the respective vendors managed service databases.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    PDP records are retrieved by name and/or Social Security number of 
the participating VA employees or customers. The POS Help Desk records 
are retrieved by Incident Number. There is typically a three-letter 
mnemonic that identifies the customer with an incremented number 
following the mnemonic. eCommerce Site records can be retrieved by 
Email address or User Identifier data element.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Payroll System Reports which include error reports, ticklers, and 
system operation reports, destroy when related actions are completed or 
when no longer needed, not to exceed 2 years. (N1-GRS-92-4 item 22a). 
Reports providing fiscal information on agency payroll destroy after 
GAO audit or when 3 years old, whichever is sooner. (N1-GRS-92-4 item 
22c). Information Technology Customer Service File records related to 
providing help desk information to customers, including pamphlets, 
responses to Frequently Asked Questions, and other documents prepared 
in advance to assist customers, destroy/delete 1 year after record is 
superseded or obsolete. (N1-GRS-03-1 item 10a). Help desk logs and 
reports and other files related to customer query and problem response; 
query monitoring and clearance; and customer feedback records; and 
related trend analysis and reporting, destroy/delete when 1 year old or 
when no longer needed for review and analysis, whichever is later. (N1-
GRS-03-1 item 10b).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    PDP--
    1. Access to VA work and file areas is restricted to VA personnel 
with a legitimate need for the information in the performance of their 
official duties. Strict control measures are enforced to ensure that 
access by these individuals is appropriately limited. Information 
stored electronically may be accessed by authorized VCS employees at 
remote locations, including VA health care facilities. Access is 
controlled by individually unique passwords or codes, which must be 
changed periodically by the users.
    2. Physical access to the Austin VA Data Processing Center is 
generally restricted to Center employees, custodial personnel, Federal 
Protective Service, and other security personnel. VA file areas are 
generally locked after normal duty hours, and the facilities are 
protected from outside access by the Federal Protective Service or 
other security personnel. Access to computer rooms is restricted to 
authorized operational personnel through electronic locking devices. 
All other persons gaining access to computer rooms are escorted.
    3. All data transmissions are encrypted to prevent disclosure of 
protected Privacy Act information. Access to backup copies of data is 
restricted to authorized personnel in the same manner as the Austin VA 
Data Processing Center.
    POS Help Desk and eCommerce Site--
    1. Access to VA work and file areas is restricted to VA personnel 
and authorized contractors with a legitimate need for the information 
in the performance of their official duties. Strict control measures 
are enforced to ensure that access by these individuals is 
appropriately limited. Contractors and VCS employees are required to 
annually complete and adhere to VA security and privacy awareness 
training and sign the rules of behavior. Access is controlled by 
individual unique passwords or codes, which must be changed 
periodically by the users.
    2. Physical access to the contractor's data processing center is 
generally restricted to contractor employees, custodial personnel, 
Federal Protective Service, and other security personnel. Access to 
computer rooms is restricted to authorized personnel through electronic 
locking devices. All other persons gaining access to computer rooms are 
escorted. The only personnel who are provided physical access are the 
Contractor's Information Technology (IT) Team and emergency responders.
    3. All data transmissions are encrypted to prevent disclosure of 
protected information. Access to backup copies of data is restricted to 
authorized personnel in the same manner as the AITC.

[[Page 7395]]

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding PDP access to and 
contesting of records in this system may write, call, or visit the VCS 
Payroll Deduction Program Specialist at the Veterans Canteen Service 
Central Office (VCSCO- FC), St. Louis, Missouri 63125; telephone: (314) 
845-1301.
    For the POS Help Desk or VCS eCommerce Site, individuals seeking 
information regarding access to and contesting of records in this 
system may write, call, or visit the VCS' Chief, Business Operations 
and Support at the Veterans Canteen Service Central Office (VCSCO), St. 
Louis, Missouri 63125; telephone; (314) 845-1200.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether this system of records 
contains PDP records about them should contact the VCS Payroll 
Deduction Program Specialist at the Veterans Canteen Service Central 
Office (VCSCO-FC), St. Louis, Missouri 63125; telephone: (314) 845-
1301. Inquiries should include the person's full name, Social Security 
number, date(s) of contact, and return address.
    For the POS Help Desk and VCS eCommerce Site, individuals who wish 
to determine whether the system contains records about them should 
contact the VCS Chief, Business Operations and Support at the Veterans 
Canteen Service Central Office (VCSCO), St. Louis, Missouri 63125; 
telephone; (314) 845-1200. Inquiries should contain the person's full 
name, date(s) of contact, and return address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Last full publication provided in 75 FR 26851 dated May 12, 2010.

[FR Doc. 2020-02480 Filed 2-6-20; 8:45 am]
BILLING CODE 8320-01-P