Privacy Act of 1974; System of Records, 7389-7395 [2020-02480]

Download as PDF Federal Register / Vol. 85, No. 26 / Friday, February 7, 2020 / Notices jbell on DSKJLSW7X2PROD with NOTICES accessible to individuals with differing abilities. DATES: Both the meeting on Tuesday, March 31, 2020, and the meeting on Wednesday, September 16, 2020, will be held from 9 a.m.–1 p.m. Eastern Time. ADDRESSES: The meetings will be held in the Cash Room at the Treasury Building located at 1500 Pennsylvania Avenue NW, Washington, DC 20220. Both meetings will be open to the public. Because each meeting will be held in a secured facility, members of the public who plan to attend the meetings must register online or by telephone by 5 p.m. Eastern Time on Wednesday, March 25, 2020, for the meeting on March 31, 2020, and by 5 p.m. Eastern Time on Thursday, September 10, 2020, for the meeting on September 16, 2020. For the meeting on March 31, 2020, attendees with a valid email address may visit http:// www.cvent.com/d/8hqrcm to complete a secure online registration form. For the meeting on September 16, 2020, attendees with a valid email address may visit http://www.cvent.com/d/ 8nhqf20 to complete a secure online registration form. All other attendees may contact Marie Vazquez Lopez at marie.vazquezlopez@treasury.gov. If you require a reasonable accommodation, please contact Lisa Jones at lisa.jones@treasury.gov or 202– 622–0315. To request a sign language interpreter, please make your request five days prior to the event, if possible, by contacting Lillian Wright at lillian.wright@treasury.gov. For all other inquiries concerning the TTAC meeting, please contact TTAC@treasury.gov. FOR FURTHER INFORMATION CONTACT: Nancy Montoya, Policy Analyst, Department of the Treasury, 1500 Pennsylvania Avenue NW, Room 1426G, Washington, DC 20220, or at (202) 622–2031 (this is not a toll-free number). Persons who have difficulty hearing or speaking may access this number via TTY by calling the toll-free Federal Relay Service at (800) 877–8339. Further information may also be found at: https://home.treasury.gov/policyissues/tribal-affairs/treasury-tribaladvisory-committee. SUPPLEMENTARY INFORMATION: Background Section 3 of the Tribal General Welfare Exclusion Act of 2014, Public Law 113–68, 128 Stat. 1883, enacted on September 26, 2014 (TGWEA), directs the Secretary of the Treasury (Secretary) to establish a seven member Tribal Advisory Committee to advise the Secretary on matters related to the taxation of Indians, the training of VerDate Sep<11>2014 17:42 Feb 06, 2020 Jkt 250001 Internal Revenue Service field agents, and the provision of training and technical assistance to Native American financial officers. Pursuant to Section 3 of the TGWEA and in accordance with the provisions of the Federal Advisory Committee Act (FACA), 5 U.S.C. App. 1 et seq., the TTAC was established on February 10, 2015, as the ‘‘U.S. Department of the Treasury Tribal Advisory Committee.’’ The TTAC’s Charter provides that it shall operate under the provisions of the FACA and shall advise and report to the Secretary on: (1) Matters related to the taxation of Indians; (2) The establishment of training and education for internal revenue field agents who administer and enforce internal revenue laws with respect to Indian tribes of Federal Indian law and the Federal Government’s unique legal treaty and trust relationship with Indian tribal governments; and (3) The establishment of training of such internal revenue field agents, and provisions of training and technical assistance to tribal financial officers, about implementation of the TGWEA and any amendments. Fourth and Fifth Periodic Meetings In accordance with section 10(a)(2) of the FACA and implementing regulations at 41 CFR 102–3.150, Krishna P. Vallabhaneni, the Tax Legislative Counsel and Designated Federal Officer of the TTAC, has ordered publication of this notice to inform the public that the TTAC will convene its fourth periodic meeting on Tuesday, March 31, 2020, from 9 a.m.–1 p.m. Eastern Time in the Cash Room of the Treasury Building located at 1500 Pennsylvania Avenue NW, Washington, DC 20220. Further, in accordance with section 10(a)(2) of the FACA and implementing regulations at 41 CFR 102–3.150, Krishna P. Vallabhaneni, the Tax Legislative Counsel and Designated Federal Officer of the TTAC, has ordered publication of this notice to inform the public that the TTAC will convene its fifth periodic meeting on Wednesday, September 16, 2020, from 9:00 a.m.–1:00 p.m. Eastern Time in the Cash Room of the Treasury Building located at 1500 Pennsylvania Avenue NW, Washington, DC 20220. Summary of Agenda and Topics To Be Discussed During these periodic meetings, the seven members of the TTAC will approve meeting minutes, provide updates on TTAC and subcommittee activities, review the TTAC’s priority issues matrix, review and receive public comments, and take other actions PO 00000 Frm 00125 Fmt 4703 Sfmt 4703 7389 necessary to fulfill the Committee’s mandate. Public Comments Members of the public wishing to comment on the business of the TTAC are invited to submit written statements 15 calendar days in advance of each Public Meeting by any of the following methods: Electronic Statements • Send electronic comments to TTAC@treasury.gov. Paper Statements • Send paper statements in triplicate to the Treasury Tribal Advisory Committee, Department of the Treasury, 1500 Pennsylvania Avenue NW, Room 1426G, Washington, DC 20220. The TTAC will post all statements on the Department of the Treasury’s website at https://home.treasury.gov/ policy-issues/tribal-affairs/treasurytribal-advisory-committee without change, including any business or personal information provided such as names, addresses, email addresses, or telephone numbers. The Department of the Treasury will also make such statements available for public inspection and copying in the Department of the Treasury’s Library, 720 Madison Place NW, Room 1020, Washington, DC 20220, on official business days between the hours of 10 a.m. and 5 p.m. Eastern Time. You can make an appointment to inspect statements by telephoning (202) 622– 2000. All statements received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. You should submit only information that you wish to make available publicly. Krishna P. Vallabhaneni, Tax Legislative Counsel. [FR Doc. 2020–02442 Filed 2–6–20; 8:45 am] BILLING CODE 4810–25–P DEPARTMENT OF VETERANS AFFAIRS Privacy Act of 1974; System of Records AGENCY: Department of Veterans Affairs (VA). ACTION: Notice of a modified system of records. As required by the Privacy Act of 1974, notice is hereby given that the Department of Veterans Affairs (VA) is amending the system of records currently entitled, ‘‘Veterans Canteen Service (VCS) Payroll Deduction SUMMARY: E:\FR\FM\07FEN1.SGM 07FEN1 jbell on DSKJLSW7X2PROD with NOTICES 7390 Federal Register / Vol. 85, No. 26 / Friday, February 7, 2020 / Notices Program (PDP)—VA’’ (117VA103) as set forth in the Federal Register 75 FR 26851. VA is amending the system of records by revising the System Name; System Number; System Location; System Manager; Purpose of the System; Categories of Individuals Covered by the System; Categories of the Records in the System; Record Source Categories; Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses; Policies and Practices for Storage of Records; Policies and Practices for Retrievability of Records; Policies and Practices For Retention and Disposal of Records; Physical, Procedural, and Administrative Safeguards; Record Access Procedure; and Notification Procedure. VA is republishing the system notice in its entirety. DATES: Comments on this amended system of records must be received no later than March 9, 2020. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by the VA, the new system will become effective March 9, 2020. ADDRESSES: Written comments may be submitted through www.Regulations.gov; by mail or handdelivery to Director, Regulation Policy and Management (00REG), Department of Veterans Affairs, 810 Vermont Avenue NW, Room 1064, Washington, DC 20420; or by fax to (202) 273–9026 (Note: Not a toll-free number). Comments should indicate they are submitted in response to ‘‘Veterans Canteen Service (VCS) Payroll Deduction Program (PDP)—VA’’ (117VA103). Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461–4902 for an appointment (Note: Not a toll-free number). In addition, comments may be viewed online at www.Regulations.gov. FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) Privacy Act Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420; telephone (704) 245–2492. SUPPLEMENTARY INFORMATION: The System Name is being changed from ‘‘Veterans Canteen Service (VCS) Payroll Deduction Program (PDP)—VA’’ to ‘‘Veterans Canteen Service (VCS) Payroll Deduction Program (PDP), Point of Sale (POS) Help Desk and eCommerce—VA.’’ The System Number will be changed from 117VA103 to 117VA10NA6 to VerDate Sep<11>2014 17:42 Feb 06, 2020 Jkt 250001 reflect the current organizational alignment. The System Location is being amended to replace Austin Automation Center (AAC) with Austin Information Technology Center (AITC). This section will add POS Help Desk and VCS eCommerce Site information, which is maintained on a contractor-owned data center located in their Service Desk Online (SDO) system in Coventry, United Kingdom (UK) and Phoenix, Arizona, respectively. The System Manager has been amended to add the POS Help Desk and eCommerce Site official responsible for policies and procedures: Office of the Business Operations and Support, Veterans Canteen Service (103), Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420. Addresses for VA facilities are listed in VA Appendix 1. Purpose of the System is being amended to add for the POS Help Desk and eCommerce Site. The VCS records allow authorized VCS contractors to collect relevant data to the end of providing operational support to maintain both cash register systems and the eCommerce Site. User data will be used for incident reporting and help desk activities, site personalization, Email communication, product recommendations, order management and payment processing. The VCS system of records allows authorized VCS employees and contractors to collect VCS canteen addresses, VCS canteen phone numbers, VCS system users first and last name and VCS employee’s VA Email addresses through an incident management system for the purposes of in-taking, troubleshooting and triaging VCS call tickets. The operations and maintenance portions must be reported by the end user to a VCS contracted designated help desk who has been designated to resolve the issue. Records would be used to identify issues, conduct follow-up on unresolved issues, perform trend analyses on types of call ticket issues, generate reports and analytics on call ticket trends and notify VCS management of call ticket volume and trends. The additional functions serve to provide a modern system as an eCommerce platform that is comparable to commercial eCommerce sites. The Categories of Individuals Covered by the System is being amended to define the types of user data covered by the POS Help Desk and eCommerce Site. The Categories of Records in the System is being amended to include the POS Help Desk and eCommerce Site records include the following identification information: PO 00000 Frm 00126 Fmt 4703 Sfmt 4703 —User First and Last Name, Prefix, Suffix —User Email address —User Gender —User Date of Birth —User Address, City, State, and Postal Zip Code —User Military Affiliation —User Site Behavioral Patterns —User Site Purchase History —User Phone Number —User PDP Account Number —User PDP Account Balance —User Date of Purchase —User Purchase Amount —User Identification Control Number (ICN) —User Security ID —User Assurance Level —User Credential Service Identifier —User Identifier —User Hash —User Authentication Time —Credit Card Number —Credit Card CVV —Credit Card Date of Expiration —PayPal credentials —VCS Canteen location including Address, City, State and Postal Zip Code —VCS Canteen Phone Number; and —Description of System or Application Issue. Record Source Categories is being amended to include the POS Help Desk and eCommerce Site information in this system of records is provided by authorized VCS employees who call, Email or submit a call ticket to the vendor in order to report a system, application or operational issue relative to a system application. The updates also provide the ability to offer a modern eCommerce platform that is comparable to commercial eCommerce sites, to include custom site personalization, product recommendations and order management. The Routine Uses of Records Maintained in the System is amending the language in Routine Use #11, which states that disclosure of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. This routine use will now state that release of the records to the DoJ is limited to circumstances where relevant and E:\FR\FM\07FEN1.SGM 07FEN1 jbell on DSKJLSW7X2PROD with NOTICES Federal Register / Vol. 85, No. 26 / Friday, February 7, 2020 / Notices necessary to the litigation. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that release of the records to the court or administrative body is limited to circumstances where relevant and necessary to the litigation. Routine Use #14 is clarifying the language to state, ‘‘VA may disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.’’ Routine use #15 is being added to state, ‘‘VA may disclose information from this system of records to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.’’ Routine use #16 is being added to state, ‘‘VA may disclose relevant information to VCS contracted vendors, in order to provide a single point of contact for all incidents relative to VCS’ POS software application.’’ VA needs this routine use for VCS contracted vendors to use the information to intake, troubleshoot and triage call tickets as appropriate. In some cases, the incident may need to be escalated to a third party vendor or VA Office of Information Technology (OI&T) for further review and troubleshooting. Routine use #17 is being added to state, ‘‘VA may disclose relevant information to third party vendors for issues outside the scope of VCS software application vendor. This includes, but is not limited to notification of canteen location, contact information, canteen manager first and last name, VA Email address, and description of the issue.’’ VA needs this routine use for vendors to triage and troubleshoot customer transactions. VerDate Sep<11>2014 17:42 Feb 06, 2020 Jkt 250001 Policies and Practices for Storage of Records is being amended to include the POS Help Desk records are maintained electronically within the managed service database. Policies and Practices for Retrievability of Records is being amended to include the POS Help Desk and eCommerce Site records are retrieved by Incident Number. Policies and Practices For Retention and Disposal of Records to replace ‘‘records for active participants in the Payroll Deduction Program are maintained indefinitely. Records for participants who leave VA employment voluntarily or involuntarily terminate their participation in the Payroll Deduction Program are retained for three years following the date the account attains a zero balance; or for three years following the date the account balance is written off following unsuccessful collection action’’ with Payroll System Reports which include error reports, ticklers, and system operation reports, destroy when related actions are completed or when no longer needed, not to exceed 2 years. (N1–GRS–92–4 item 22a). Reports providing fiscal information on agency payroll destroy after GAO audit or when 3 years old, whichever is sooner. (N1– GRS–92–4 item 22c). Information Technology (IT) Customer Service File records related to providing help desk information to customers, including pamphlets, responses to Frequently Asked Questions, and other documents prepared in advance to assist customers, destroy/delete 1 year after record is superseded or obsolete. (N1–GRS–03–1 item 10a). Help desk logs and reports and other files related to customer query and problem response; query monitoring and clearance; and customer feedback records; and related trend analysis and reporting, destroy/delete when 1 year old or when no longer needed for review and analysis, whichever is later. (N1–GRS–03–1 item 10b).’’ Physical, Procedural, and Administrative Safeguards is being amended to include: POS Help Desk and eCommerce Site— 1. Access to VA work and file areas is restricted to VA personnel and authorized contractors with a legitimate need for the information in the performance of their official duties. Strict control measures are enforced to ensure that access by these individuals is appropriately limited. Contractor and VCS employees are required to complete and adhere to annual VA security and privacy awareness training and rules of behavior and are VA cleared. Access is PO 00000 Frm 00127 Fmt 4703 Sfmt 4703 7391 controlled by individual unique passwords or codes, which must be changed periodically by the users. 2. Physical access to the contractor’s data processing center is generally restricted to contractor employees, custodial personnel, Federal Protective Service, and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. The only personnel who are able to physically access SDO are the Contractor’s IT Team and emergency responders. 3. All data transmissions are encrypted to prevent disclosure of protected Privacy Act information. Access to backup copies of data is restricted to authorized personnel in the same manner as the data processing center. Record Access Procedure is being amended to include for the POS Help Desk, individuals seeking information regarding access to and contesting of records in this system may write, call, or visit the VCS’ Chief, Business Operations and Support at the Veterans Canteen Service Central Office (VCSCO), St. Louis, Missouri 63125; telephone; (314) 845–1200. Notification Procedure is being amended to include for the POS Help Desk and eCommerce Site, individuals who wish to determine whether the system contains records about them should contact the VCS Chief, Business Operations and Support at the Veterans Canteen Service Central Office (VCSCO), St. Louis, Missouri 63125; telephone; (314) 845–1200. Inquiries should contain the person’s full name, date(s) of contact, and return address. The Report of Intent to Amend a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. § 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000. Signing Authority: The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. F. John Buck, Director, Office of Privacy Information and Identity Protection, Office of Quality, Privacy and Risk, Office of Information and Technology, Department of Veterans Affairs, E:\FR\FM\07FEN1.SGM 07FEN1 7392 Federal Register / Vol. 85, No. 26 / Friday, February 7, 2020 / Notices approved this document on June 5, 2018 for publication. Dated: February 4, 2020. Amy L. Rose, Program Analyst, VA Privacy Service, Department of Veterans Affairs. SYSTEM NAME: Veterans Canteen Service (VCS) Payroll Deduction Program (PDP), Point of Sale (POS) Help Desk and eCommerce—VA (117VA10NA6) SECURITY CLASSIFICATION: Unclassified. SYSTEM LOCATION: Individual PDP purchase records are maintained in the VCS office at each Department of Veterans Affairs (VA) health care facility. Addresses for VA facilities are listed in VA Appendix 1. In addition, information from these records or copies of records is maintained in a centralized electronic database at the Austin Information Technology Center (AITC), 1615 East Woodward Street, Austin, TX 78772. For the POS Help Desk, information is maintained on a contractor owned-data center located in their Service-Desk Online (SDO) system in Coventry, United Kingdom (UK). For the eCommerce Site, data is maintained in a contracted data center located at the Phoenix, Arizona hosting site. SYSTEM MANAGER(S): PDP official responsible for policies and procedures: Office of the Chief Financial Officer, Veterans Canteen Service (103), Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420. Officials maintaining the system: Chief of the Canteen Service at the facility where the individuals were associated. Addresses for VA facilities are listed in VA Appendix 1. For POS Help Desk and eCommerce Site, official responsible for policies and procedures: Office of the Business Operations and Support, Veterans Canteen Service (103), Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420. Addresses for VA facilities are listed in VA Appendix 1. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: jbell on DSKJLSW7X2PROD with NOTICES Title 38, United States Code, Part V, Chapter 78. PURPOSE(S) OF THE SYSTEM: PDP records and information will be used to track customer purchases, payments and balances due to VCS. Records and information may also be used for the purpose of debt collection. VerDate Sep<11>2014 17:42 Feb 06, 2020 Jkt 250001 The records and information may be used for management and analysis reports of VCS programs. For the POS Help Desk and eCommerce Site, the VCS System of Records allows authorized VCS contractors to collect data relevant to system processing to include addresses, phone numbers, user’s first and last name, and Email addresses for the purposes of sustaining order fulfillment, payment processing, in-take, troubleshooting and triaging of VCS call tickets. Issues concerning the operation and maintenance of the must be reported by the end user to a VCS contracted designated help desk employee who has been designated to resolve the issue. Records are used to identify issues, conduct follow-up of unresolved issues, generate reports, perform trend analysis and notify VCS management of results from treading to include types of call tickets and call ticket volume. The VCS system of records allows authorized VCS employees and contractors to collect VCS canteen addresses, VCS canteen phone numbers, VCS system users first and last name and VCS employee’s VA Email addresses through an incident management system for the purposes of in-taking, troubleshooting and triaging VCS call tickets. The records on the eCommerce Site will be further used to deliver a commercial grade eCommerce platform that will include the ability to provide site customizations and product recommendations based on user browsing patterns, and modern order fulfillment and payment processing methods. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The individuals covered by the system encompass permanent VA employees, also known as customers, who participate in the VCS Payroll Deduction System, which permits them to pay for purchases in VCS canteens through deduction from their pay. For the POS Help Desk, the individuals covered by the system encompass VCS employees. The VCS eCommerce site covers the VCS customer base which includes Veterans enrolled in VA’s health care system, their families, caregivers, VA employees, volunteers, and visitors. CATEGORIES OF RECORDS IN THE SYSTEM: These records include the following Information for PDP: —Customer identification information such as last name, first name, middle initial, social security number; —Customer purchases made under the program; PO 00000 Frm 00128 Fmt 4703 Sfmt 4703 —Timestamps for payments; —Payroll payments, cash payments, refunds for returned merchandise, and refunds for overpayments; —Customer account balances and amounts written-off as uncollectible; —Customer pay status when customer is in a ‘‘without pay’’ status; —Identification of VCS employees creating customer transactions is by manual or electronic data capture. Manual transactions can be traced by a user ID within the payroll deduction system that identifies the individual entering the manual transaction. Electronic transactions can be traced by cashier code of the cashier ringing the transaction into the cash register; and —Customer station number and canteen of purchase. The POS Help Desk and eCommerce Site records include the following identification information: —User First and Last Name, Prefix, Suffix; —User Email address; —User Gender; —User Date of Birth; —User Address, City, State, and Postal Zip Code; —User Military Affiliation; —User Site Behavioral Patterns; —User Site Purchase History; —User Phone Number; —User PDP Account Number; —User PDP Account Balance; —User Date of Purchase; —User Purchase Amount; —User ICN; —User Security ID; —User Assurance Level; —User Credential Service Identifier; —User Identifier; —User Hash; —User Authentication Time; —Credit Card Number; —Credit Card CVV; —Credit Card Date of Expiration; —PayPal credentials; —VCS canteen location including Address, City, State and Postal Zip Code; —VCS canteen Phone Number; and —Description of System or Application Issue. RECORD SOURCE CATEGORIES: Information in this system of records is provided by the customers who participate in the PDP program, users of the VCS eCommerce Site, VA employees and various VA systems. The POS Help Desk information in this system of records is provided by authorized users who call, Email or submit a call ticket to a VCS contracted vendor in order to report a system, application or operational issue relative to the system. E:\FR\FM\07FEN1.SGM 07FEN1 Federal Register / Vol. 85, No. 26 / Friday, February 7, 2020 / Notices jbell on DSKJLSW7X2PROD with NOTICES ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: To the extent that records contained in the system include information protected by 45 CFR parts 160 and 164, i.e., individually identifiable health information, and 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority in 38 U.S.C. 7332 and regulatory authority in 45 CFR parts 160 and 164 permitting disclosure. 1. VA may disclose information from this system of records to a private debt collection agent for the purpose of collecting unpaid balances from customers who have left VA employment without making full payment for purchases made under the program. 2. VA may disclose information from this system of records to the U.S. Treasury Offset Program (TOPS) for the purpose of collecting unpaid balances from customers who have left VA employment without making full payment for purchases made under the program. VA needs to be able to collect unpaid balances from customers who have left VA employment without making full payment to VCS for purchases made under the program. 3. Disclosure may be made to the Federal Labor Relations Authority (FLRA), including its General Counsel, when requested in connection with investigation and resolution of allegations of unfair labor practices, in connection with the resolution of exceptions to arbitrator awards when a question of material fact is raised, and in connection with matters before the Federal Service Impasses Panel. The release of information to FLRA from this Privacy Act system of records is necessary to comply with the statutory mandate under which FLRA operates. 4. Disclosure may be made to officials of labor organizations recognized under 5 U.S.C. chapter 71 when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting working conditions. 5. Disclosure may be made to officials of the Merit Systems Protection Board, including the Office of the Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions VerDate Sep<11>2014 17:42 Feb 06, 2020 Jkt 250001 promulgated in 5 U.S.C. 1205 and 1206, or as may be authorized by law. 6. Disclosure may be made to the Equal Employment Opportunity Commission when requested in connection with investigations of alleged or possible discrimination practices, examination of Federal affirmative employment programs, compliance with the Uniform Guidelines of Employee Selection Procedures, or other functions vested in the Commission by the President’s Reorganization Plan No. 1 of 1978. 7. A record from a system of records maintained by this component may be disclosed as a routine use to the National Archives and Records Administration (NARA) for the purpose of records management inspections conducted under authority of Title 44 United States Code. NARA is responsible for archiving old records no longer actively used but which may be appropriate for preservation; they are responsible in general for the physical maintenance of the Federal government’s records. VA must be able to turn records over to these agencies in order to determine the proper disposition of such records. 8. Disclosure of relevant information may be made to individuals, organizations, private or public agencies, etc., with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement. VA occasionally contracts out certain functions when this would contribute to effective and efficient operations. VA must be able to give a contractor whatever information is necessary for the contractor to fulfill its duties. In these situations, safeguards are provided in the contract prohibiting the contractor from using or disclosing the information for any purpose other than that described in the contract. 9. Disclosure from a system of records maintained by this component may be made to a Congressional office from the record of an individual in response to an inquiry from the Congressional office made at the request of that individual. Individuals sometimes request the help of a member of Congress in resolving some issues relating to a matter before VA. The member of Congress then writes VA, and VA must be able to give sufficient information to be responsive to the inquiry. 10. Disclosure may be made to a Federal, State or local agency, upon its official request, to the extent that it is relevant and necessary to that agency’s PO 00000 Frm 00129 Fmt 4703 Sfmt 4703 7393 decision regarding: The hiring, retention or transfer of an employee, the issuance of a security clearance, the letting of a contract, or the issuance or continuance of a license, grant or other benefit given by that agency. However, in accordance with an agreement with the U.S. Postal Service, disclosures to the U.S. Postal Service for decisions concerning the employment of veterans will only be made with the Veteran’s prior written consent. VA must be able to provide information to agencies conducting background checks on applicants for employment or licensure. 11. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA’s initiative or in response to DoJ’s request for the information, after either VA or DoJ determines that such information is relevant to DoJ’s representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is limited to circumstances where relevant and necessary to the litigation. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that release of the records to the court or administrative body is limited to circumstances where relevant and necessary to the litigation. 12. VA may disclose any information in this system, except the names and home addresses of Veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. VA may also disclose the names and addresses of Veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto. 13. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs. 14. VA may disclose any information or records to appropriate agencies, entities, and persons when (1) VA E:\FR\FM\07FEN1.SGM 07FEN1 7394 Federal Register / Vol. 85, No. 26 / Friday, February 7, 2020 / Notices jbell on DSKJLSW7X2PROD with NOTICES suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. 15. VA may disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. 16. VA may disclose relevant information to VCS contracted POS and eCommerce vendor, in order to provide a single point of contact for all incidents relative to the VCS system. This routine use permits VCS contracted vendors to use the information to process orders and payment, call intake, troubleshoot and triage call tickets as appropriate. In some cases, the incident may need to be escalated to a third-party vendor or VA Office of Information Technology (OI&T) for further review and resolution. 17. VA may disclose relevant information to third party vendors to analyze product recommendations, perform site customizations, process payments, and resolve issues outside the scope of the VCS system vendors. This information may include canteen location, contact information, canteen manager first and last name, VA Email address, issues description, site browsing patterns, purchase history, military affiliation, gender, and date of birth. This routine use permits third party vendors to triage and troubleshoot customer issues when the VCS vendor is unable due to the scope of their contract. DISCLOSURE TO CONSUMER REPORTING AGENCIES: Pursuant to 5 U.S.C. 552a(b)(12), VA may disclose records from this system to consumer reporting agencies as defined in the Fair Credit Reporting Act (15 U.S.C. 168la(f)) or the Federal Claims VerDate Sep<11>2014 17:42 Feb 06, 2020 Jkt 250001 Collection Act of 1966 (31 US.C. 3701(a)(3)). POLICIES AND PRACTICES FOR STORAGE OF RECORDS: PDP records are maintained primarily on a computer disk in a centralized database system. Paper records of program Participation Agreements and individual customer records are maintained in canteen office files. The POS Help Desk and eCommerce records are maintained electronically within the respective vendors managed service databases. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: PDP records are retrieved by name and/or Social Security number of the participating VA employees or customers. The POS Help Desk records are retrieved by Incident Number. There is typically a three-letter mnemonic that identifies the customer with an incremented number following the mnemonic. eCommerce Site records can be retrieved by Email address or User Identifier data element. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: Payroll System Reports which include error reports, ticklers, and system operation reports, destroy when related actions are completed or when no longer needed, not to exceed 2 years. (N1–GRS–92–4 item 22a). Reports providing fiscal information on agency payroll destroy after GAO audit or when 3 years old, whichever is sooner. (N1– GRS–92–4 item 22c). Information Technology Customer Service File records related to providing help desk information to customers, including pamphlets, responses to Frequently Asked Questions, and other documents prepared in advance to assist customers, destroy/delete 1 year after record is superseded or obsolete. (N1–GRS–03–1 item 10a). Help desk logs and reports and other files related to customer query and problem response; query monitoring and clearance; and customer feedback records; and related trend analysis and reporting, destroy/delete when 1 year old or when no longer needed for review and analysis, whichever is later. (N1–GRS–03–1 item 10b). ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: PDP— 1. Access to VA work and file areas is restricted to VA personnel with a legitimate need for the information in the performance of their official duties. Strict control measures are enforced to ensure that access by these individuals PO 00000 Frm 00130 Fmt 4703 Sfmt 4703 is appropriately limited. Information stored electronically may be accessed by authorized VCS employees at remote locations, including VA health care facilities. Access is controlled by individually unique passwords or codes, which must be changed periodically by the users. 2. Physical access to the Austin VA Data Processing Center is generally restricted to Center employees, custodial personnel, Federal Protective Service, and other security personnel. VA file areas are generally locked after normal duty hours, and the facilities are protected from outside access by the Federal Protective Service or other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. 3. All data transmissions are encrypted to prevent disclosure of protected Privacy Act information. Access to backup copies of data is restricted to authorized personnel in the same manner as the Austin VA Data Processing Center. POS Help Desk and eCommerce Site— 1. Access to VA work and file areas is restricted to VA personnel and authorized contractors with a legitimate need for the information in the performance of their official duties. Strict control measures are enforced to ensure that access by these individuals is appropriately limited. Contractors and VCS employees are required to annually complete and adhere to VA security and privacy awareness training and sign the rules of behavior. Access is controlled by individual unique passwords or codes, which must be changed periodically by the users. 2. Physical access to the contractor’s data processing center is generally restricted to contractor employees, custodial personnel, Federal Protective Service, and other security personnel. Access to computer rooms is restricted to authorized personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. The only personnel who are provided physical access are the Contractor’s Information Technology (IT) Team and emergency responders. 3. All data transmissions are encrypted to prevent disclosure of protected information. Access to backup copies of data is restricted to authorized personnel in the same manner as the AITC. E:\FR\FM\07FEN1.SGM 07FEN1 Federal Register / Vol. 85, No. 26 / Friday, February 7, 2020 / Notices RECORD ACCESS PROCEDURE: Individuals seeking information regarding PDP access to and contesting of records in this system may write, call, or visit the VCS Payroll Deduction Program Specialist at the Veterans Canteen Service Central Office (VCSCO– FC), St. Louis, Missouri 63125; telephone: (314) 845–1301. For the POS Help Desk or VCS eCommerce Site, individuals seeking information regarding access to and contesting of records in this system may write, call, or visit the VCS’ Chief, Business Operations and Support at the Veterans Canteen Service Central Office (VCSCO), St. Louis, Missouri 63125; telephone; (314) 845–1200. CONTESTING RECORD PROCEDURES: (See Record Access Procedures above.) NOTIFICATION PROCEDURE: Individuals who wish to determine whether this system of records contains PDP records about them should contact the VCS Payroll Deduction Program Specialist at the Veterans Canteen Service Central Office (VCSCO–FC), St. Louis, Missouri 63125; telephone: (314) 845–1301. Inquiries should include the person’s full name, Social Security number, date(s) of contact, and return address. For the POS Help Desk and VCS eCommerce Site, individuals who wish to determine whether the system contains records about them should contact the VCS Chief, Business Operations and Support at the Veterans Canteen Service Central Office (VCSCO), St. Louis, Missouri 63125; telephone; (314) 845–1200. Inquiries should contain the person’s full name, date(s) of contact, and return address. EXEMPTIONS PROMULGATED FOR THE SYSTEM: None. HISTORY: Last full publication provided in 75 FR 26851 dated May 12, 2010. [FR Doc. 2020–02480 Filed 2–6–20; 8:45 am] BILLING CODE 8320–01–P DEPARTMENT OF VETERANS AFFAIRS jbell on DSKJLSW7X2PROD with NOTICES Privacy Act of 1974; System of Records Veterans Health Administration (VHA). ACTION: Notice of a modified system of records. AGENCY: As required by the Privacy Act of 1974, notice is hereby given that SUMMARY: VerDate Sep<11>2014 17:42 Feb 06, 2020 Jkt 250001 the Department of Veterans Affairs (VA) is amending the system of records entitled, ‘‘Health Care Provider Credentialing and Privileging Records— VA’’ (77VA10A4) as set forth in the Federal Register 80 FR 36595. VA is amending the system of records by revising the System Number; Routine Uses of Records Maintained in the System and Policies; and Practices for Retention and Disposal of Records. VA is republishing the system notice in its entirety. DATES: Comments on the amendment of this system of records must be received no later than March 9, 2020. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the amended system will become effective March 9, 2020. ADDRESSES: Written comments may be submitted through www.Regulations.gov; by mail or handdelivery to Director, Regulation Policy and Management (00REG), Department of Veterans Affairs, 810 Vermont Ave. NW, Room 1064, Washington, DC 20420; or by fax to (202) 273–9026 (not a toll-free number). Comments should indicate that they are submitted in response to ‘‘Health Care Provider Credentialing and Privileging Records— VA’’. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461–4902 for an appointment. (This is not a toll-free number.) In addition, comments may be viewed online at www.Regulations.gov. FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Ave. NW, Washington, DC 20420, (704) 245–2492. SUPPLEMENTARY INFORMATION: The System Number is being changed from (77VA10A4 to 77VA10E2E) to reflect the current organizational alignment. The Routine Uses of Records Maintained in the System is amending the language in Routine Use #8 which states that disclosure of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which PO 00000 Frm 00131 Fmt 4703 Sfmt 4703 7395 VA collected the records. This routine use will now state that release of the records to the DoJ is limited to circumstances where relevant and necessary to the litigation. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that release of the records to the court or administrative body is limited to circumstances where relevant and necessary to the litigation. Routine Use #22 has been amended by clarifying the language to state, ‘‘VA may disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons is reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.’’ Routine Use #25 which states, ‘‘VA may disclose information to the Department of Defense (DoD) from the joint platform electronic credentialing system being shared with DoD for credentialing/privileging purposes.’’ VA needs the ability to disclose limited information concerning the health care provider’s professional qualifications (professional education, training and current licensure/certification status), professional employment history, and current clinical privileges. Routine use #26 is being added to state, ‘‘VA may disclose information to a former VA employee or contractor, as well as the authorized representative of a current or former employee or contractor of VA, in connection with or in consideration of the reporting of: (a) Any payment for the benefit of the former VA employee or contractor that was made as the result of a settlement or judgment of a claim of medical malpractice, if an appropriate determination is made in accordance with Department policy that payment was related to substandard care, professional incompetence, or professional misconduct on the part of the individual; (b) A final decision which relates to possible incompetence or improper professional conduct that adversely affects the former employee’s or contractor’s clinical privileges for a period longer than 30 days; or E:\FR\FM\07FEN1.SGM 07FEN1

Agencies

[Federal Register Volume 85, Number 26 (Friday, February 7, 2020)]
[Notices]
[Pages 7389-7395]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-02480]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, notice is hereby given 
that the Department of Veterans Affairs (VA) is amending the system of 
records currently entitled, ``Veterans Canteen Service (VCS) Payroll 
Deduction

[[Page 7390]]

Program (PDP)--VA'' (117VA103) as set forth in the Federal Register 75 
FR 26851. VA is amending the system of records by revising the System 
Name; System Number; System Location; System Manager; Purpose of the 
System; Categories of Individuals Covered by the System; Categories of 
the Records in the System; Record Source Categories; Routine Uses of 
Records Maintained in the System, Including Categories of Users and the 
Purposes of Such Uses; Policies and Practices for Storage of Records; 
Policies and Practices for Retrievability of Records; Policies and 
Practices For Retention and Disposal of Records; Physical, Procedural, 
and Administrative Safeguards; Record Access Procedure; and 
Notification Procedure. VA is republishing the system notice in its 
entirety.

DATES: Comments on this amended system of records must be received no 
later than March 9, 2020. If no public comment is received during the 
period allowed for comment or unless otherwise published in the Federal 
Register by the VA, the new system will become effective March 9, 2020.

ADDRESSES: Written comments may be submitted through 
www.Regulations.gov; by mail or hand-delivery to Director, Regulation 
Policy and Management (00REG), Department of Veterans Affairs, 810 
Vermont Avenue NW, Room 1064, Washington, DC 20420; or by fax to (202) 
273-9026 (Note: Not a toll-free number). Comments should indicate they 
are submitted in response to ``Veterans Canteen Service (VCS) Payroll 
Deduction Program (PDP)--VA'' (117VA103). Copies of comments received 
will be available for public inspection in the Office of Regulation 
Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 
4:30 p.m., Monday through Friday (except holidays). Please call (202) 
461-4902 for an appointment (Note: Not a toll-free number). In 
addition, comments may be viewed online at www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Veterans Health Administration (VHA) 
Privacy Act Officer, Department of Veterans Affairs, 810 Vermont Avenue 
NW, Washington, DC 20420; telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION: The System Name is being changed from 
``Veterans Canteen Service (VCS) Payroll Deduction Program (PDP)--VA'' 
to ``Veterans Canteen Service (VCS) Payroll Deduction Program (PDP), 
Point of Sale (POS) Help Desk and eCommerce--VA.''
    The System Number will be changed from 117VA103 to 117VA10NA6 to 
reflect the current organizational alignment.
    The System Location is being amended to replace Austin Automation 
Center (AAC) with Austin Information Technology Center (AITC). This 
section will add POS Help Desk and VCS eCommerce Site information, 
which is maintained on a contractor-owned data center located in their 
Service Desk Online (SDO) system in Coventry, United Kingdom (UK) and 
Phoenix, Arizona, respectively.
    The System Manager has been amended to add the POS Help Desk and 
eCommerce Site official responsible for policies and procedures: Office 
of the Business Operations and Support, Veterans Canteen Service (103), 
Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 
20420. Addresses for VA facilities are listed in VA Appendix 1.
    Purpose of the System is being amended to add for the POS Help Desk 
and eCommerce Site. The VCS records allow authorized VCS contractors to 
collect relevant data to the end of providing operational support to 
maintain both cash register systems and the eCommerce Site. User data 
will be used for incident reporting and help desk activities, site 
personalization, Email communication, product recommendations, order 
management and payment processing. The VCS system of records allows 
authorized VCS employees and contractors to collect VCS canteen 
addresses, VCS canteen phone numbers, VCS system users first and last 
name and VCS employee's VA Email addresses through an incident 
management system for the purposes of in-taking, troubleshooting and 
triaging VCS call tickets. The operations and maintenance portions must 
be reported by the end user to a VCS contracted designated help desk 
who has been designated to resolve the issue. Records would be used to 
identify issues, conduct follow-up on unresolved issues, perform trend 
analyses on types of call ticket issues, generate reports and analytics 
on call ticket trends and notify VCS management of call ticket volume 
and trends. The additional functions serve to provide a modern system 
as an eCommerce platform that is comparable to commercial eCommerce 
sites.
    The Categories of Individuals Covered by the System is being 
amended to define the types of user data covered by the POS Help Desk 
and eCommerce Site.
    The Categories of Records in the System is being amended to include 
the POS Help Desk and eCommerce Site records include the following 
identification information:

--User First and Last Name, Prefix, Suffix
--User Email address
--User Gender
--User Date of Birth
--User Address, City, State, and Postal Zip Code
--User Military Affiliation
--User Site Behavioral Patterns
--User Site Purchase History
--User Phone Number
--User PDP Account Number
--User PDP Account Balance
--User Date of Purchase
--User Purchase Amount
--User Identification Control Number (ICN)
--User Security ID
--User Assurance Level
--User Credential Service Identifier
--User Identifier
--User Hash
--User Authentication Time
--Credit Card Number
--Credit Card CVV
--Credit Card Date of Expiration
--PayPal credentials
--VCS Canteen location including Address, City, State and Postal Zip 
Code
--VCS Canteen Phone Number; and
--Description of System or Application Issue.
    Record Source Categories is being amended to include the POS Help 
Desk and eCommerce Site information in this system of records is 
provided by authorized VCS employees who call, Email or submit a call 
ticket to the vendor in order to report a system, application or 
operational issue relative to a system application. The updates also 
provide the ability to offer a modern eCommerce platform that is 
comparable to commercial eCommerce sites, to include custom site 
personalization, product recommendations and order management.
    The Routine Uses of Records Maintained in the System is amending 
the language in Routine Use #11, which states that disclosure of the 
records to the DoJ is a use of the information contained in the records 
that is compatible with the purpose for which VA collected the records. 
VA may disclose records in this system of records in legal proceedings 
before a court or administrative body after determining that the 
disclosure of the records to the court or administrative body is a use 
of the information contained in the records that is compatible with the 
purpose for which VA collected the records. This routine use will now 
state that release of the records to the DoJ is limited to 
circumstances where relevant and

[[Page 7391]]

necessary to the litigation. VA may disclose records in this system of 
records in legal proceedings before a court or administrative body 
after determining that release of the records to the court or 
administrative body is limited to circumstances where relevant and 
necessary to the litigation.
    Routine Use #14 is clarifying the language to state, ``VA may 
disclose any information or records to appropriate agencies, entities, 
and persons when (1) VA suspects or has confirmed that there has been a 
breach of the system of records; (2) VA has determined that as a result 
of the suspected or confirmed breach there is a risk to individuals, VA 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, or persons is reasonably necessary to 
assist in connection with VA efforts to respond to the suspected or 
confirmed breach or to prevent, minimize, or remedy such harm.''
    Routine use #15 is being added to state, ``VA may disclose 
information from this system of records to another Federal agency or 
Federal entity, when VA determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.''
    Routine use #16 is being added to state, ``VA may disclose relevant 
information to VCS contracted vendors, in order to provide a single 
point of contact for all incidents relative to VCS' POS software 
application.'' VA needs this routine use for VCS contracted vendors to 
use the information to intake, troubleshoot and triage call tickets as 
appropriate. In some cases, the incident may need to be escalated to a 
third party vendor or VA Office of Information Technology (OI&T) for 
further review and troubleshooting.
    Routine use #17 is being added to state, ``VA may disclose relevant 
information to third party vendors for issues outside the scope of VCS 
software application vendor. This includes, but is not limited to 
notification of canteen location, contact information, canteen manager 
first and last name, VA Email address, and description of the issue.'' 
VA needs this routine use for vendors to triage and troubleshoot 
customer transactions.
    Policies and Practices for Storage of Records is being amended to 
include the POS Help Desk records are maintained electronically within 
the managed service database.
    Policies and Practices for Retrievability of Records is being 
amended to include the POS Help Desk and eCommerce Site records are 
retrieved by Incident Number.
    Policies and Practices For Retention and Disposal of Records to 
replace ``records for active participants in the Payroll Deduction 
Program are maintained indefinitely. Records for participants who leave 
VA employment voluntarily or involuntarily terminate their 
participation in the Payroll Deduction Program are retained for three 
years following the date the account attains a zero balance; or for 
three years following the date the account balance is written off 
following unsuccessful collection action'' with Payroll System Reports 
which include error reports, ticklers, and system operation reports, 
destroy when related actions are completed or when no longer needed, 
not to exceed 2 years. (N1-GRS-92-4 item 22a). Reports providing fiscal 
information on agency payroll destroy after GAO audit or when 3 years 
old, whichever is sooner. (N1-GRS-92-4 item 22c). Information 
Technology (IT) Customer Service File records related to providing help 
desk information to customers, including pamphlets, responses to 
Frequently Asked Questions, and other documents prepared in advance to 
assist customers, destroy/delete 1 year after record is superseded or 
obsolete. (N1-GRS-03-1 item 10a). Help desk logs and reports and other 
files related to customer query and problem response; query monitoring 
and clearance; and customer feedback records; and related trend 
analysis and reporting, destroy/delete when 1 year old or when no 
longer needed for review and analysis, whichever is later. (N1-GRS-03-1 
item 10b).''
    Physical, Procedural, and Administrative Safeguards is being 
amended to include:
POS Help Desk and eCommerce Site--
    1. Access to VA work and file areas is restricted to VA personnel 
and authorized contractors with a legitimate need for the information 
in the performance of their official duties. Strict control measures 
are enforced to ensure that access by these individuals is 
appropriately limited. Contractor and VCS employees are required to 
complete and adhere to annual VA security and privacy awareness 
training and rules of behavior and are VA cleared. Access is controlled 
by individual unique passwords or codes, which must be changed 
periodically by the users.
    2. Physical access to the contractor's data processing center is 
generally restricted to contractor employees, custodial personnel, 
Federal Protective Service, and other security personnel. Access to 
computer rooms is restricted to authorized operational personnel 
through electronic locking devices. All other persons gaining access to 
computer rooms are escorted. The only personnel who are able to 
physically access SDO are the Contractor's IT Team and emergency 
responders.
    3. All data transmissions are encrypted to prevent disclosure of 
protected Privacy Act information. Access to backup copies of data is 
restricted to authorized personnel in the same manner as the data 
processing center.
    Record Access Procedure is being amended to include for the POS 
Help Desk, individuals seeking information regarding access to and 
contesting of records in this system may write, call, or visit the VCS' 
Chief, Business Operations and Support at the Veterans Canteen Service 
Central Office (VCSCO), St. Louis, Missouri 63125; telephone; (314) 
845-1200.
    Notification Procedure is being amended to include for the POS Help 
Desk and eCommerce Site, individuals who wish to determine whether the 
system contains records about them should contact the VCS Chief, 
Business Operations and Support at the Veterans Canteen Service Central 
Office (VCSCO), St. Louis, Missouri 63125; telephone; (314) 845-1200. 
Inquiries should contain the person's full name, date(s) of contact, 
and return address.
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. Sec.  552a(r) 
(Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 
2000.
    Signing Authority: The Senior Agency Official for Privacy, or 
designee, approved this document and authorized the undersigned to sign 
and submit the document to the Office of the Federal Register for 
publication electronically as an official document of the Department of 
Veterans Affairs. F. John Buck, Director, Office of Privacy Information 
and Identity Protection, Office of Quality, Privacy and Risk, Office of 
Information and Technology, Department of Veterans Affairs,

[[Page 7392]]

approved this document on June 5, 2018 for publication.

    Dated: February 4, 2020.
Amy L. Rose,
Program Analyst, VA Privacy Service, Department of Veterans Affairs.

SYSTEM NAME:
    Veterans Canteen Service (VCS) Payroll Deduction Program (PDP), 
Point of Sale (POS) Help Desk and eCommerce--VA (117VA10NA6)

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Individual PDP purchase records are maintained in the VCS office at 
each Department of Veterans Affairs (VA) health care facility. 
Addresses for VA facilities are listed in VA Appendix 1. In addition, 
information from these records or copies of records is maintained in a 
centralized electronic database at the Austin Information Technology 
Center (AITC), 1615 East Woodward Street, Austin, TX 78772.
    For the POS Help Desk, information is maintained on a contractor 
owned-data center located in their Service-Desk Online (SDO) system in 
Coventry, United Kingdom (UK). For the eCommerce Site, data is 
maintained in a contracted data center located at the Phoenix, Arizona 
hosting site.

SYSTEM MANAGER(S):
    PDP official responsible for policies and procedures: Office of the 
Chief Financial Officer, Veterans Canteen Service (103), Department of 
Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420. 
Officials maintaining the system: Chief of the Canteen Service at the 
facility where the individuals were associated. Addresses for VA 
facilities are listed in VA Appendix 1.
    For POS Help Desk and eCommerce Site, official responsible for 
policies and procedures: Office of the Business Operations and Support, 
Veterans Canteen Service (103), Department of Veterans Affairs, 810 
Vermont Avenue NW, Washington, DC 20420. Addresses for VA facilities 
are listed in VA Appendix 1.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code, Part V, Chapter 78.

PURPOSE(S) OF THE SYSTEM:
    PDP records and information will be used to track customer 
purchases, payments and balances due to VCS. Records and information 
may also be used for the purpose of debt collection. The records and 
information may be used for management and analysis reports of VCS 
programs.
    For the POS Help Desk and eCommerce Site, the VCS System of Records 
allows authorized VCS contractors to collect data relevant to system 
processing to include addresses, phone numbers, user's first and last 
name, and Email addresses for the purposes of sustaining order 
fulfillment, payment processing, in-take, troubleshooting and triaging 
of VCS call tickets. Issues concerning the operation and maintenance of 
the must be reported by the end user to a VCS contracted designated 
help desk employee who has been designated to resolve the issue. 
Records are used to identify issues, conduct follow-up of unresolved 
issues, generate reports, perform trend analysis and notify VCS 
management of results from treading to include types of call tickets 
and call ticket volume. The VCS system of records allows authorized VCS 
employees and contractors to collect VCS canteen addresses, VCS canteen 
phone numbers, VCS system users first and last name and VCS employee's 
VA Email addresses through an incident management system for the 
purposes of in-taking, troubleshooting and triaging VCS call tickets. 
The records on the eCommerce Site will be further used to deliver a 
commercial grade eCommerce platform that will include the ability to 
provide site customizations and product recommendations based on user 
browsing patterns, and modern order fulfillment and payment processing 
methods.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The individuals covered by the system encompass permanent VA 
employees, also known as customers, who participate in the VCS Payroll 
Deduction System, which permits them to pay for purchases in VCS 
canteens through deduction from their pay. For the POS Help Desk, the 
individuals covered by the system encompass VCS employees. The VCS 
eCommerce site covers the VCS customer base which includes Veterans 
enrolled in VA's health care system, their families, caregivers, VA 
employees, volunteers, and visitors.

CATEGORIES OF RECORDS IN THE SYSTEM:
    These records include the following Information for PDP:
    --Customer identification information such as last name, first 
name, middle initial, social security number;
    --Customer purchases made under the program;
    --Timestamps for payments;
    --Payroll payments, cash payments, refunds for returned 
merchandise, and refunds for overpayments;
    --Customer account balances and amounts written-off as 
uncollectible;
    --Customer pay status when customer is in a ``without pay'' status;
    --Identification of VCS employees creating customer transactions is 
by manual or electronic data capture. Manual transactions can be traced 
by a user ID within the payroll deduction system that identifies the 
individual entering the manual transaction. Electronic transactions can 
be traced by cashier code of the cashier ringing the transaction into 
the cash register; and
    --Customer station number and canteen of purchase.
    The POS Help Desk and eCommerce Site records include the following 
identification information:
    --User First and Last Name, Prefix, Suffix;
    --User Email address;
    --User Gender;
    --User Date of Birth;
    --User Address, City, State, and Postal Zip Code;
    --User Military Affiliation;
    --User Site Behavioral Patterns;
    --User Site Purchase History;
    --User Phone Number;
    --User PDP Account Number;
    --User PDP Account Balance;
    --User Date of Purchase;
    --User Purchase Amount;
    --User ICN;
    --User Security ID;
    --User Assurance Level;
    --User Credential Service Identifier;
    --User Identifier;
    --User Hash;
    --User Authentication Time;
    --Credit Card Number;
    --Credit Card CVV;
    --Credit Card Date of Expiration;
    --PayPal credentials;
    --VCS canteen location including Address, City, State and Postal 
Zip Code;
    --VCS canteen Phone Number; and
    --Description of System or Application Issue.

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by the customers 
who participate in the PDP program, users of the VCS eCommerce Site, VA 
employees and various VA systems.
    The POS Help Desk information in this system of records is provided 
by authorized users who call, Email or submit a call ticket to a VCS 
contracted vendor in order to report a system, application or 
operational issue relative to the system.

[[Page 7393]]

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information, and 38 U.S.C. 7332, i.e., medical 
treatment information related to drug abuse, alcoholism or alcohol 
abuse, sickle cell anemia or infection with the human immunodeficiency 
virus, that information cannot be disclosed under a routine use unless 
there is also specific statutory authority in 38 U.S.C. 7332 and 
regulatory authority in 45 CFR parts 160 and 164 permitting disclosure.
    1. VA may disclose information from this system of records to a 
private debt collection agent for the purpose of collecting unpaid 
balances from customers who have left VA employment without making full 
payment for purchases made under the program.
    2. VA may disclose information from this system of records to the 
U.S. Treasury Offset Program (TOPS) for the purpose of collecting 
unpaid balances from customers who have left VA employment without 
making full payment for purchases made under the program. VA needs to 
be able to collect unpaid balances from customers who have left VA 
employment without making full payment to VCS for purchases made under 
the program.
    3. Disclosure may be made to the Federal Labor Relations Authority 
(FLRA), including its General Counsel, when requested in connection 
with investigation and resolution of allegations of unfair labor 
practices, in connection with the resolution of exceptions to 
arbitrator awards when a question of material fact is raised, and in 
connection with matters before the Federal Service Impasses Panel. The 
release of information to FLRA from this Privacy Act system of records 
is necessary to comply with the statutory mandate under which FLRA 
operates.
    4. Disclosure may be made to officials of labor organizations 
recognized under 5 U.S.C. chapter 71 when relevant and necessary to 
their duties of exclusive representation concerning personnel policies, 
practices, and matters affecting working conditions.
    5. Disclosure may be made to officials of the Merit Systems 
Protection Board, including the Office of the Special Counsel, when 
requested in connection with appeals, special studies of the civil 
service and other merit systems, review of rules and regulations, 
investigation of alleged or possible prohibited personnel practices, 
and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as 
may be authorized by law.
    6. Disclosure may be made to the Equal Employment Opportunity 
Commission when requested in connection with investigations of alleged 
or possible discrimination practices, examination of Federal 
affirmative employment programs, compliance with the Uniform Guidelines 
of Employee Selection Procedures, or other functions vested in the 
Commission by the President's Reorganization Plan No. 1 of 1978.
    7. A record from a system of records maintained by this component 
may be disclosed as a routine use to the National Archives and Records 
Administration (NARA) for the purpose of records management inspections 
conducted under authority of Title 44 United States Code. NARA is 
responsible for archiving old records no longer actively used but which 
may be appropriate for preservation; they are responsible in general 
for the physical maintenance of the Federal government's records. VA 
must be able to turn records over to these agencies in order to 
determine the proper disposition of such records.
    8. Disclosure of relevant information may be made to individuals, 
organizations, private or public agencies, etc., with whom VA has a 
contract or agreement to perform such services as VA may deem 
practicable for the purposes of laws administered by VA, in order for 
the contractor or subcontractor to perform the services of the contract 
or agreement. VA occasionally contracts out certain functions when this 
would contribute to effective and efficient operations. VA must be able 
to give a contractor whatever information is necessary for the 
contractor to fulfill its duties. In these situations, safeguards are 
provided in the contract prohibiting the contractor from using or 
disclosing the information for any purpose other than that described in 
the contract.
    9. Disclosure from a system of records maintained by this component 
may be made to a Congressional office from the record of an individual 
in response to an inquiry from the Congressional office made at the 
request of that individual. Individuals sometimes request the help of a 
member of Congress in resolving some issues relating to a matter before 
VA. The member of Congress then writes VA, and VA must be able to give 
sufficient information to be responsive to the inquiry.
    10. Disclosure may be made to a Federal, State or local agency, 
upon its official request, to the extent that it is relevant and 
necessary to that agency's decision regarding: The hiring, retention or 
transfer of an employee, the issuance of a security clearance, the 
letting of a contract, or the issuance or continuance of a license, 
grant or other benefit given by that agency. However, in accordance 
with an agreement with the U.S. Postal Service, disclosures to the U.S. 
Postal Service for decisions concerning the employment of veterans will 
only be made with the Veteran's prior written consent. VA must be able 
to provide information to agencies conducting background checks on 
applicants for employment or licensure.
    11. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that release of the records to the DoJ 
is limited to circumstances where relevant and necessary to the 
litigation. VA may disclose records in this system of records in legal 
proceedings before a court or administrative body after determining 
that release of the records to the court or administrative body is 
limited to circumstances where relevant and necessary to the 
litigation.
    12. VA may disclose any information in this system, except the 
names and home addresses of Veterans and their dependents, which is 
relevant to a suspected or reasonably imminent violation of law, 
whether civil, criminal or regulatory in nature and whether arising by 
general or program statute or by regulation, rule or order issued 
pursuant thereto, to a Federal, State, local, tribal, or foreign agency 
charged with the responsibility of investigating or prosecuting such 
violation, or charged with enforcing or implementing the statute, 
regulation, rule or order. VA may also disclose the names and addresses 
of Veterans and their dependents to a Federal agency charged with the 
responsibility of investigating or prosecuting civil, criminal or 
regulatory violations of law, or charged with enforcing or implementing 
the statute, regulation, rule or order issued pursuant thereto.
    13. Disclosure to other Federal agencies may be made to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    14. VA may disclose any information or records to appropriate 
agencies, entities, and persons when (1) VA

[[Page 7394]]

suspects or has confirmed that there has been a breach of the system of 
records; (2) VA has determined that as a result of the suspected or 
confirmed breach there is a risk to individuals, VA (including its 
information systems, programs, and operations), the Federal Government, 
or national security; and (3) the disclosure made to such agencies, 
entities, or persons is reasonably necessary to assist in connection 
with VA efforts to respond to the suspected or confirmed breach or to 
prevent, minimize, or remedy such harm.
    15. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    16. VA may disclose relevant information to VCS contracted POS and 
eCommerce vendor, in order to provide a single point of contact for all 
incidents relative to the VCS system. This routine use permits VCS 
contracted vendors to use the information to process orders and 
payment, call intake, troubleshoot and triage call tickets as 
appropriate. In some cases, the incident may need to be escalated to a 
third-party vendor or VA Office of Information Technology (OI&T) for 
further review and resolution.
    17. VA may disclose relevant information to third party vendors to 
analyze product recommendations, perform site customizations, process 
payments, and resolve issues outside the scope of the VCS system 
vendors. This information may include canteen location, contact 
information, canteen manager first and last name, VA Email address, 
issues description, site browsing patterns, purchase history, military 
affiliation, gender, and date of birth. This routine use permits third 
party vendors to triage and troubleshoot customer issues when the VCS 
vendor is unable due to the scope of their contract.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    Pursuant to 5 U.S.C. 552a(b)(12), VA may disclose records from this 
system to consumer reporting agencies as defined in the Fair Credit 
Reporting Act (15 U.S.C. 168la(f)) or the Federal Claims Collection Act 
of 1966 (31 US.C. 3701(a)(3)).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    PDP records are maintained primarily on a computer disk in a 
centralized database system. Paper records of program Participation 
Agreements and individual customer records are maintained in canteen 
office files. The POS Help Desk and eCommerce records are maintained 
electronically within the respective vendors managed service databases.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    PDP records are retrieved by name and/or Social Security number of 
the participating VA employees or customers. The POS Help Desk records 
are retrieved by Incident Number. There is typically a three-letter 
mnemonic that identifies the customer with an incremented number 
following the mnemonic. eCommerce Site records can be retrieved by 
Email address or User Identifier data element.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Payroll System Reports which include error reports, ticklers, and 
system operation reports, destroy when related actions are completed or 
when no longer needed, not to exceed 2 years. (N1-GRS-92-4 item 22a). 
Reports providing fiscal information on agency payroll destroy after 
GAO audit or when 3 years old, whichever is sooner. (N1-GRS-92-4 item 
22c). Information Technology Customer Service File records related to 
providing help desk information to customers, including pamphlets, 
responses to Frequently Asked Questions, and other documents prepared 
in advance to assist customers, destroy/delete 1 year after record is 
superseded or obsolete. (N1-GRS-03-1 item 10a). Help desk logs and 
reports and other files related to customer query and problem response; 
query monitoring and clearance; and customer feedback records; and 
related trend analysis and reporting, destroy/delete when 1 year old or 
when no longer needed for review and analysis, whichever is later. (N1-
GRS-03-1 item 10b).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    PDP--
    1. Access to VA work and file areas is restricted to VA personnel 
with a legitimate need for the information in the performance of their 
official duties. Strict control measures are enforced to ensure that 
access by these individuals is appropriately limited. Information 
stored electronically may be accessed by authorized VCS employees at 
remote locations, including VA health care facilities. Access is 
controlled by individually unique passwords or codes, which must be 
changed periodically by the users.
    2. Physical access to the Austin VA Data Processing Center is 
generally restricted to Center employees, custodial personnel, Federal 
Protective Service, and other security personnel. VA file areas are 
generally locked after normal duty hours, and the facilities are 
protected from outside access by the Federal Protective Service or 
other security personnel. Access to computer rooms is restricted to 
authorized operational personnel through electronic locking devices. 
All other persons gaining access to computer rooms are escorted.
    3. All data transmissions are encrypted to prevent disclosure of 
protected Privacy Act information. Access to backup copies of data is 
restricted to authorized personnel in the same manner as the Austin VA 
Data Processing Center.
    POS Help Desk and eCommerce Site--
    1. Access to VA work and file areas is restricted to VA personnel 
and authorized contractors with a legitimate need for the information 
in the performance of their official duties. Strict control measures 
are enforced to ensure that access by these individuals is 
appropriately limited. Contractors and VCS employees are required to 
annually complete and adhere to VA security and privacy awareness 
training and sign the rules of behavior. Access is controlled by 
individual unique passwords or codes, which must be changed 
periodically by the users.
    2. Physical access to the contractor's data processing center is 
generally restricted to contractor employees, custodial personnel, 
Federal Protective Service, and other security personnel. Access to 
computer rooms is restricted to authorized personnel through electronic 
locking devices. All other persons gaining access to computer rooms are 
escorted. The only personnel who are provided physical access are the 
Contractor's Information Technology (IT) Team and emergency responders.
    3. All data transmissions are encrypted to prevent disclosure of 
protected information. Access to backup copies of data is restricted to 
authorized personnel in the same manner as the AITC.

[[Page 7395]]

RECORD ACCESS PROCEDURE:
    Individuals seeking information regarding PDP access to and 
contesting of records in this system may write, call, or visit the VCS 
Payroll Deduction Program Specialist at the Veterans Canteen Service 
Central Office (VCSCO- FC), St. Louis, Missouri 63125; telephone: (314) 
845-1301.
    For the POS Help Desk or VCS eCommerce Site, individuals seeking 
information regarding access to and contesting of records in this 
system may write, call, or visit the VCS' Chief, Business Operations 
and Support at the Veterans Canteen Service Central Office (VCSCO), St. 
Louis, Missouri 63125; telephone; (314) 845-1200.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURE:
    Individuals who wish to determine whether this system of records 
contains PDP records about them should contact the VCS Payroll 
Deduction Program Specialist at the Veterans Canteen Service Central 
Office (VCSCO-FC), St. Louis, Missouri 63125; telephone: (314) 845-
1301. Inquiries should include the person's full name, Social Security 
number, date(s) of contact, and return address.
    For the POS Help Desk and VCS eCommerce Site, individuals who wish 
to determine whether the system contains records about them should 
contact the VCS Chief, Business Operations and Support at the Veterans 
Canteen Service Central Office (VCSCO), St. Louis, Missouri 63125; 
telephone; (314) 845-1200. Inquiries should contain the person's full 
name, date(s) of contact, and return address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Last full publication provided in 75 FR 26851 dated May 12, 2010.

[FR Doc. 2020-02480 Filed 2-6-20; 8:45 am]
BILLING CODE 8320-01-P