Privacy Act of 1974; System of Records, 48753-48758 [2021-18710]

Agencies

• DEPARTMENT OF THE INTERIOR
• Office of the Secretary

[Federal Register Volume 86, Number 166 (Tuesday, August 31, 2021)]
[Notices]
[Pages 48753-48758]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-18710]


-----------------------------------------------------------------------

DEPARTMENT OF THE INTERIOR

Office of the Secretary

[DOI-2019-0006; 201D0102DM, DS65100000, DLSN00000.000000, DX65103]


Privacy Act of 1974; System of Records

AGENCY: Office of the Secretary, Interior.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, as 
amended, the Department of the Interior (DOI) proposes to modify the 
DOI-50, Insider Threat Program, system of records. The DOI Office of 
Law Enforcement and Security uses this system to identify potential 
threats to DOI resources and information assets and facilitate 
management of insider threat investigations, complaints, inquiries, and 
counterintelligence threat detection activities. DOI is publishing this 
revised system of records notice to reflect the updated system location 
and system manager address, authorities, expand the scope of categories 
of individuals and categories of records in the modified system, 
propose new and modified routine uses, and provide general and 
administrative updates to the remaining sections of the notice. 
Additionally, DOI is publishing a Notice of Proposed Rulemaking 
elsewhere in the Federal Register to exempt this system of records from 
certain provisions of the Privacy Act. This modified system will be 
included in DOI's inventory of record systems.

DATES: This modified system will be effective upon publication. New or 
modified routine uses will be effective September 30, 2021. Submit 
comments on or before September 30, 2021.

ADDRESSES: You may submit comments, identified by docket number [DOI-
2019-0006], by any of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for sending comments.
     Email: [email protected]. Include docket number 
[DOI-2019-0006] in the subject line of the message.
     U.S. mail or hand-delivery: Teri Barnett, Departmental 
Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, 
Room 7112, Washington, DC 20240.
    Instructions: All submissions received must include the agency name 
and docket number [DOI-2019-0006]. All comments received will be posted 
without change to https://www.regulations.gov, including any personal 
information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Teri Barnett, Departmental Privacy 
Officer, U.S. Department of the Interior, 1849 C Street NW, Room 7112, 
Washington, DC 20240, [email protected] or (202) 208-1605.

SUPPLEMENTARY INFORMATION:

I. Background

    The DOI Office of Law and Enforcement and Security (OLES) maintains 
the Insider Threat Program system of records. This system of records 
helps the OLES manage insider threat matters and counterintelligence 
threat detection and prevention within the DOI. The Insider Threat 
Program was mandated by Presidential Executive Order 13587, issued 
October 7, 2011, which requires Federal agencies to establish an 
insider threat detection and prevention program to ensure the security 
of classified networks and the responsible sharing and safeguarding of 
classified information consistent with

[[Page 48754]]

appropriate protections for privacy and civil liberties. The OLES uses 
this system to detect, deter and mitigate potential threats to the DOI 
resources and information assets; facilitate insider threat 
investigations, complaints, and inquiries; and conduct 
counterintelligence threat detection activities.
    Insider threats include attempted or actual espionage, subversion, 
sabotage, terrorism or extremist activities directed against the DOI 
and its personnel, facilities, resources, and activities; unauthorized 
use of or intrusion into proprietary information systems; unauthorized 
disclosure of classified, controlled unclassified, sensitive, or 
proprietary-information or technology; and indicators of potential 
insider threats or other incidents that may indicate activities of an 
insider threat. This system may include information from any DOI 
bureau, office, program, record or source, and includes records from 
information security, personnel security, and systems security for both 
internal and external security threats.
    The DOI is publishing this revised notice to update authorities, 
reflect the expanded scope of categories of records and categories of 
individuals covered by the modified system, add a new section to 
describe the purpose of the system, and provide general and 
administrative updates to the remaining sections of the notice in 
accordance with the Office of Management and Budget (OMB) Circular A-
108, Federal Agency Responsibilities for Review, Reporting, and 
Publication under the Privacy Act. Additionally, the DOI is modifying 
existing routine uses to further provide clarity and transparency, and 
reflect updates consistent with standard DOI routine uses. The DOI is 
proposing new routine uses to facilitate the sharing of information 
with agencies and organizations as necessary to ensure the efficient 
and effective management of inquiries, investigations, or referrals 
related to insider threat or counterintelligence matters, promote the 
integrity of the records in the system, or carry out a statutory 
responsibility of the DOI or Federal Government.
    Routine uses A, B, H, I, and O have been modified to provide 
additional clarification on external organizations and circumstances 
where disclosures are proper and necessary to facilitate insider threat 
investigations or comply with Federal requirements. Modified routine 
use J and new routine use K allow the DOI to share information with 
appropriate Federal agencies or entities when reasonably necessary to 
respond to a breach of personally identifiable information and to 
prevent, minimize, or remedy the risk of harm to individuals or the 
Federal Government, or assist an agency in locating individuals 
affected by a breach in accordance with OMB Memorandum M-17-12, 
Preparing for and Responding to a Breach of Personally Identifiable 
Information.
    Proposed routine use N allows sharing with the news media and the 
public, when it is necessary to preserve the confidence in the 
integrity of the DOI, demonstrate the accountability of its officers, 
employees, or individuals covered in the system, or where there exists 
a legitimate public interest in the disclosure of the information such 
as circumstances that support a legitimate law enforcement or public 
safety function, or protects the public from imminent threat of life or 
property. Proposed routine use R allows DOI to share information with 
third parties when necessary to obtain information pertinent to an 
investigation. Proposed routine use S allows DOI to share information 
with a public or professional licensing organization when there is an 
indication of potential violation of professional standards. Proposed 
routine use T facilitates sharing with other Federal agencies in 
support of authorized counterintelligence activities. Proposed routine 
use U allows DOI to share information with any individual, organization 
or entity to notify them of a serious threat to homeland security so 
they may guard against or respond to the threat when relevant to the 
protection of life, health or property. Proposed routine use V allows 
sharing of information with the House Committee on Oversight and 
Government Reform and the Senate Homeland Security and Governmental 
Affairs Committee pursuant to a written request made under 5 U.S.C. 
2954. Proposed routine use W allows DOI to share information with 
Federal agencies or entities regarding counterintelligence or insider 
threat matters, to obtain information or guidance on the handling of 
the matter. Proposed routine use X allows DOI to share information with 
former DOI employees, contractors or individuals who were sponsored by 
DOI for security clearance to respond to official inquiries or to 
facilitate communications or obtain information that is relevant and 
necessary for personnel related purposes or other official purpose as 
required by DOI. Proposed routine use Y facilitates sharing of records 
for audit and oversight purposes as authorized by law and where 
necessary and proper to the audit or oversight function. Proposed 
routine use Z allows DOI to share information with prospective or 
current employers to determine employment eligibility.
    In a Notice of Proposed Rulemaking, which is published separately 
in the Federal Register, the DOI is proposing to exempt records 
maintained in this system from certain provisions of the Privacy Act 
pursuant to 5 U.S.C. 552a(k)(1) and (k)(5).

II. Privacy Act

    The Privacy Act of 1974, as amended, embodies fair information 
practice principles in a statutory framework governing the means by 
which Federal agencies collect, maintain, use, and disseminate 
individuals' records. The Privacy Act applies to records about 
individuals that are maintained in a ``system of records.'' A ``system 
of records'' is a group of any records under the control of an agency 
from which information is retrieved by the name of an individual or by 
some identifying number, symbol, or other identifying particular 
assigned to the individual. The Privacy Act defines an individual as a 
United States citizen or lawful permanent resident. Individuals may 
request access to their own records that are maintained in a system of 
records in the possession or under the control of the DOI by complying 
with DOI Privacy Act regulations at 43 CFR part 2, subpart K, and 
following the procedures outlined in the Records Access, Contesting 
Record, and Notification Procedures sections of this notice.
    The Privacy Act requires each agency to publish in the Federal 
Register a description denoting the existence and character of each 
system of records that the agency maintains and the routine uses of 
each system. The revised DOI-50, Insider Threat Program, system of 
records notice is published in its entirety below. In accordance with 5 
U.S.C. 552a(r), the DOI has provided a report of this system of records 
to the Office of Management and Budget and to Congress.

[[Page 48755]]

III. Public Participation

    You should be aware that your entire comment including your 
personally identifiable information, such as your address, phone 
number, email address, or any other personal information in your 
comment, may be made publicly available at any time. While you may 
request to withhold your personally identifiable information from 
public review, we cannot guarantee we will be able to do so.

SYSTEM NAME AND NUMBER:
    INTERIOR/DOI-50, Insider Threat Program.

SECURITY CLASSIFICATION:
    Classified and unclassified.

SYSTEM LOCATION:
    Counterintelligence Unit, Office of Law Enforcement and Security, 
U.S. Department of the Interior, 12201 Sunrise Valley Drive, Reston, VA 
20192.

SYSTEM MANAGER(S):
    DOI Counterintelligence/Insider Threat Program Manager, 
Counterintelligence Unit, Office of Law Enforcement and Security, U.S. 
Department of the Interior, 12201 Sunrise Valley Drive, Reston, VA 
20192.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Intelligence Reform and Terrorism Prevention Act of 2004, Public 
Law 108-458; Intelligence Authorization Act for FY 2010, Public Law 
111-259; Title 28 U.S.C. 535, Investigation of Crimes Involving 
Government Officers and Employees; Limitations; Title 50 U.S.C. 402a, 
Coordination of Counterintelligence Activities; Executive Order 10450, 
Security Requirements for Government Employment, April 17, 1953; 
Executive Order 12333, United States Intelligence Activities (as 
amended); Executive Order 12829, National Industrial Security Program; 
Executive Order 12968, Access to Classified Information, August 2, 
1995; Executive Order 13467, Reforming Processes Related to Suitability 
for Government Employment, Fitness for Contractor Employees, and 
Eligibility for Access to Classified National Security Information, 
June 30, 2008; Executive Order 13488, Granting Reciprocity on Excepted 
Service and Federal Contractor Employee Fitness and Reinvestigating 
Individuals in Positions of Public Trust, January 16, 2009; Executive 
Order 13526, Classified National Security Information; Executive Order 
13587, Structural Reforms to Improve the Security of Classified 
Networks and the Responsible Sharing and Safeguarding of Classified 
Information, October 7, 2011; Presidential Memorandum National Insider 
Threat Policy and Minimum Standards for Executive Branch Insider Threat 
Programs, November 21, 2012; and Security Executive Agent Directives 
issued by the Office of the Director of National Intelligence.

PURPOSE(S) OF THE SYSTEM:
    The purposes of the Insider Threat Program system of records are to 
manage counterintelligence and insider threat matters; facilitate 
insider threat investigations and activities associated with 
counterintelligence complaints, inquiries and investigations; identify 
potential threats to DOI resources and information assets; evaluate and 
track DOI employees on foreign travel; evaluate and track foreign 
visitors as part of the Foreign Visitors Program; review and evaluate 
individuals and companies desiring to conduct business with DOI; 
evaluate and track supply chain risks; track referrals of potential 
insider threats to internal and external partners; and provide 
statistical reports and meet other insider threat reporting 
requirements.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The categories of individuals covered in the system include current 
and former DOI employees, potential employees, and contractors; other 
officials or employees of Federal, state, tribal, territorial, and 
local law enforcement organizations; complainants, informants, suspects 
and witnesses; covered individuals who have been granted access to 
controlled unclassified information or classified information, or who 
hold a sensitive position; persons requesting or having access to DOI 
facilities, information systems, programs, and infrastructure; members 
of the general public, including individuals and/or groups of 
individuals who report or are involved with counterintelligence or 
insider threat matters, complaints or incidents involving classified 
information or systems, or controlled unclassified information; 
individuals being investigated as potential insider threats; 
individuals desiring to conduct business with DOI; individuals involved 
in contracts, bids, or proposals related to procurement or acquisition 
activities; individuals identified as the result of an administrative, 
security or investigative function who could pose a threat to DOI 
operations, data, personnel, facilities and systems; family members, 
dependents, relatives, and individuals with a personal association to 
an individual who is the subject of an insider threat investigation; 
and foreign visitors or foreign contacts that become involved in 
potential counterintelligence or insider threat matters.
    This system maintains records on U.S. citizens, non-U.S. citizens 
and foreign nationals; however, the Privacy Act only applies to 
individuals who are U.S. citizens or aliens lawfully admitted for 
permanent residence.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system maintains records related to counterintelligence 
activities and referrals or investigations of potential insider 
threats. Records include incident reports; criminal, civil or 
administrative investigative records; background investigations; 
personnel security records; facility access records; network security 
and communications records; information systems security logs; analyses 
and reports; security violations, and inquiries and recommended 
remedial actions related to suspected security violations; official and 
foreign travel records; foreign visitor records; records of contacts 
with foreign persons; financial disclosure reports; financial records; 
personnel records; medical records; criminal history records; drug test 
results; training records; information on complainants, informants, 
suspects, and witnesses; information from Standard Form (SF) 85 and SF 
86 questionnaires; Closed Circuit Television (CCTV) recordings; 
polygraph examination records; document control registries; courier 
authorization requests; derivative classification unique identifiers; 
requests for access to sensitive compartmented information (SCI); 
briefing/debriefing statements for special programs, sensitive 
positions, and related information required in connection to personnel 
security clearance determinations; results of preliminary screening 
reviews; exhibits, evidence, statements, and affidavits; permits or 
leases related to DOI infrastructure or managed resources; bids, 
contracts, procurements or acquisition activities related to 
individuals and organizations desiring to conduct business with DOI; 
and other records involving potential insider threats or activities 
directed against DOI and its personnel, facilities, systems or 
resources.
    These records may contain: Name, Social Security number, date of 
birth, place of birth, citizenship, security clearance, home address, 
work address, personal or official phone number, personal or official 
email address, other

[[Page 48756]]

contact information, drivers license number, vehicle identification 
number, license plate number, ethnicity and race, tribal identification 
number or other tribal enrollment data, work history, educational 
history, affiliations, information on family members, dependents, 
relatives and other personal associations, passport number, gender, 
fingerprint, hair and eye color, photographic image, video recording, 
voiceprint, biometric data, any other physical or distinguishing 
attributes of an individual, and publicly available social media 
account information.
    Investigation records and incident reports may include additional 
information such as photos, video, sketches, medical reports, and 
network use records, identification badge data, facility and access 
control records, email and text messages. Records may also include 
information concerning potential counterintelligence or insider threat 
activity, counterintelligence complaints, investigative referrals, 
results of incident investigations, case number, forms, nondisclosure 
agreements, consent forms, documents, reports, investigative or 
analytical efforts of DOI Insider Threat Program personnel, 
intelligence reports and database query results relating to individuals 
covered by this system; information obtained from other Federal 
agencies, organizations, or sources about individuals known or 
reasonably suspected of being engaged in conduct constituting, 
preparing for, aiding, or relating to an insider threat, including but 
not limited to espionage or unauthorized disclosures of controlled 
unclassified information and classified national security information; 
and correspondence, documents and reports received, generated or 
maintained in the course of managing insider threat activities and 
conducting investigations related to the protection of DOI resources 
and information assets against potential insider threats.

RECORD SOURCE CATEGORIES:
    Sources of information in the system include Department, bureau, 
office and program officials, employees, contractors, and other 
individuals who are associated with or represent the DOI; officials 
from other Federal, Tribal, State, territorial, and local government 
organizations; other Federal agencies, organizations, or sources 
providing information about individuals known or reasonably suspected 
of being engaged in conduct constituting, preparing for, aiding, or 
relating to an insider threat, including but not limited to espionage 
or unauthorized disclosures of classified national security information 
or controlled unclassified information; relevant DOI records, databases 
and files, including personnel security files, facility access records, 
security incidents or violation files, network security records, 
investigatory records, visitor records, travel records, foreign visitor 
or contact reports, and financial disclosure reports; and complainants, 
informants, suspects, and witnesses.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside DOI as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. To the U.S. Department of Justice (DOJ), including Offices of 
the U.S. Attorneys, or other Federal agency conducting litigation or in 
proceedings before any court, adjudicative, or administrative body, 
when it is relevant or necessary to the litigation and one of the 
following is a party to the litigation or has an interest in such 
litigation:
    (1) DOI or any component of DOI;
    (2) Any other Federal agency appearing before the Office of 
Hearings and Appeals;
    (3) Any DOI employee or former employee acting in his or her 
official capacity;
    (4) Any DOI employee or former employee acting in his or her 
individual capacity when DOI or DOJ has agreed to represent that 
employee or pay for private representation of the employee; or
    (5) The U.S. Government or any agency thereof, when DOJ determines 
that DOI is likely to be affected by the proceeding.
    B. To a congressional office in response to a written inquiry that 
an individual covered by the system has made to the office, to the 
extent the records have not been exempted from disclosure pursuant to 5 
U.S.C. 552a(j) and (k).
    C. To the Executive Office of the President in response to an 
inquiry from that office made at the request of the subject of a record 
or a third party on that person's behalf, or for a purpose compatible 
with the reason for which the records are collected or maintained, to 
the extent the records have not been exempted from disclosure pursuant 
to 5 U.S.C. 552a(j) and (k).
    D. To any criminal, civil, or regulatory law enforcement authority 
(whether Federal, state, territorial, local, tribal or foreign) when a 
record, either alone or in conjunction with other information, 
indicates a violation or potential violation of law--criminal, civil, 
or regulatory in nature, and the disclosure is compatible with the 
purpose for which the records were compiled.
    E. To an official of another Federal agency to provide information 
needed in the performance of official duties related to reconciling or 
reconstructing data files or to enable that agency to respond to an 
inquiry by the individual to whom the record pertains.
    F. To Federal, state, territorial, local, tribal, or foreign 
agencies that have requested information relevant or necessary to the 
hiring, firing or retention of an employee or contractor, or the 
issuance of a security clearance, license, contract, grant or other 
benefit, when the disclosure is compatible with the purpose for which 
the records were compiled.
    G. To representatives of the National Archives and Records 
Administration (NARA) to conduct records management inspections under 
the authority of 44 U.S.C. 2904 and 2906.
    H. To state, territorial and local governments and tribal 
organizations to provide information needed in response to court order 
and/or discovery purposes related to litigation, when the disclosure is 
compatible with the purpose for which the records were compiled.
    I. To an expert, consultant, grantee, or contractor (including 
employees of the contractor) of DOI that performs services requiring 
access to these records on DOI's behalf to carry out the purposes of 
the system.
    J. To appropriate agencies, entities, and persons when:
    (1) DOI suspects or has confirmed that there has been a breach of 
the system of records;
    (2) DOI has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, DOI (including 
its information systems, programs, and operations), the Federal 
government, or national security; and
    (3) the disclosure made to such agencies, entities and persons is 
reasonably necessary to assist in connection with DOI's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.
    K. To another Federal agency or Federal entity, when DOI determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in:
    (1) responding to a suspected or confirmed breach; or
    (2) preventing, minimizing, or remedying the risk of harm to

[[Page 48757]]

individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    L. To the Office of Management and Budget (OMB) during the 
coordination and clearance process in connection with legislative 
affairs as mandated by OMB Circular A-19.
    M. To the Department of the Treasury to recover debts owed to the 
United States.
    N. To the news media and the public, with the approval of the 
Public Affairs Officer in consultation with counsel and the Senior 
Agency Official for Privacy, where there exists a legitimate public 
interest in the disclosure of the information, except to the extent it 
is determined that release of the specific information in the context 
of a particular case would constitute an unwarranted invasion of 
personal privacy.
    O. To the Department of Justice, the Federal Bureau of 
Investigation, the Department of Homeland Security, the Office of the 
Director of National Intelligence, and other Federal, State, 
territorial and local law enforcement agencies for the purpose of 
referring potential counterintelligence or insider threats and 
information exchange on counterintelligence and or insider threat 
activity.
    P. To agency contractors, grantees, or volunteers for DOI or other 
Federal Departments who have been engaged to assist the Government in 
the performance of a contract, grant, cooperative agreement, or other 
activity related to this system of records and who need to have access 
to the records in order to perform the activity.
    Q. To any criminal, civil, or regulatory authority (whether 
Federal, State, territorial, local, or tribal) for the purpose of 
providing background search information on individuals for legally 
authorized purposes, including but not limited to background checks on 
individuals residing in a home with a minor or individuals seeking 
employment opportunities requiring background checks.
    R. To third parties during the course of an investigation to the 
extent necessary to obtain information pertinent to the investigation, 
provided disclosure is appropriate to the proper performance of the 
official duties of the individual making the disclosure.
    S. To a public or professional licensing organization for the 
purpose of verifying information, or when information indicates, either 
by itself or in combination with other information, a violation or 
potential violation of professional standards, or reflects on the 
moral, educational, or professional qualifications of an individual who 
is licensed or who is seeking to become licensed.
    T. To any Federal, State, local, tribal, territorial, foreign, or 
multinational government or agency, or appropriate private sector 
individuals and organizations lawfully engaged in intelligence or 
counterintelligence activities, national security, homeland defense, 
counterterrorism, or law enforcement intelligence for that entity's 
official responsibilities, including responsibilities to counter, 
deter, prevent, prepare for, respond to, threats to national or 
homeland security, including an act of terrorism or espionage.
    U. To any individual, organization, or entity, as appropriate, to 
notify them of a serious threat to homeland security for the purpose of 
guarding them against or responding to such a threat, or when there is 
a reason to believe that the recipient is or could become the target of 
a particular threat, to the extent the information is relevant to the 
protection of life, health, or property.
    V. To members of the House Committee on Oversight and Government 
Reform and the Senate Homeland Security and Governmental Affairs 
Committee pursuant to a written request under 5 U.S.C. 2954, or other 
committee with oversight of matters within their jurisdiction 
pertaining to Insider Threat Program activities, after consultation 
with the Senior Agency Official for Privacy and legal counsel.
    W. To a Federal agency or entity that has information relevant to 
an allegation or investigation regarding an insider threat for purposes 
of obtaining guidance, additional information, or advice from such 
federal agency or entity regarding the handling of a 
counterintelligence or insider threat matter, or to a federal agency or 
entity that was consulted during the processing of the allegation or 
investigation but that did not ultimately have relevant information.
    X. To a former DOI employee, DOI contractor, or individual 
sponsored by DOI for a security clearance for purposes of responding to 
an official inquiry by Federal, State, local, tribal, or territorial 
government agencies or professional licensing authorities; or 
facilitating communications with a former employee that may be relevant 
and necessary for personnel-related or other official purposes when DOI 
requires information or consultation assistance from the former 
employee regarding a matter within that person's former area of 
responsibility.
    Y. To an agency or organization for the purpose of performing 
audits or oversight operations as authorized by law, but only such 
information as is necessary and relevant to such audit or oversight 
function.
    Z. To an individual's prospective or current employer to the extent 
necessary to determine employment eligibility.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic records are maintained in information systems, or stored 
on magnetic disc, tape or digital media. Paper records are maintained 
in file cabinets in a secure facility behind a locked door.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by name, Social Security number, date of 
birth, phone number, and other types of information by keyword search.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    A records retention schedule for the Insider Threat Program has 
been developed and submitted to NARA for approval. Pending approval by 
NARA, these records will be treated as permanent. The proposed records 
disposition is temporary. Records in the Insider Threat Program system 
of records related to a particular insider threat will be maintained 
for twenty-five years from the date when the insider threat was 
discovered. Records related to cases that are not insider threats will 
be destroyed three years after notifications of death, or five years 
after (1) the individual no longer has an active security clearance 
held by DOI, (2) separation or transfer of employment, or (3) the 
individual's contract relationship with DOI expires; whichever is 
applicable. Approved disposition methods include shredding or pulping 
paper records, and degaussing or erasing electronic records in 
accordance with 384 Department Manual 1 and NARA guidelines.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    The records contained in this system are safeguarded in accordance 
with 43 CFR 2.226 and other applicable security and privacy rules and 
policies. During normal hours of operation, paper records are 
maintained in locked file cabinets under the control of authorized 
personnel. Computerized records systems follow the National Institute 
of Standards and Technology privacy and security standards as developed 
to

[[Page 48758]]

comply with the Privacy Act of 1974 (Pub. L. 93-579), Paperwork 
Reduction Act of 1995 (Pub. L. 104-13), Federal Information Security 
Modernization Act of 2014 (Pub. L. 113-283), and the Federal 
Information Processing Standards 199, Standards for Security 
Categorization of Federal Information and Information Systems. Computer 
servers in which electronic records are stored are located in secured 
Department of the Interior facilities with physical, technical and 
administrative levels of security to prevent unauthorized access to the 
DOI network and information assets. Security controls include 
encryption, firewalls, audit logs, and network system security 
monitoring.
    Electronic data is protected through user identification, 
passwords, database permissions and software controls. Access to 
records in the system is limited to authorized personnel who have a 
need to access the records in the performance of their official duties, 
and each user's access is restricted to only the functions and data 
necessary to perform that person's job responsibilities. System 
administrators and authorized users are trained and required to follow 
established internal security protocols and must complete all security, 
privacy, and records management training and sign the DOI Rules of 
Behavior.

RECORD ACCESS PROCEDURES:
    The Department of the Interior has exempted portions of this system 
from the access procedures of the Privacy Act pursuant to 5 U.S.C. 
552a(j)(2), (k)(1), (k)(2) and (k)(5). An individual requesting records 
on himself or herself should send a signed, written inquiry to the 
System Manager identified above. The request envelope and letter should 
both be clearly marked ``PRIVACY ACT REQUEST FOR ACCESS.'' A request 
for access must meet the requirements of 43 CFR 2.238.

CONTESTING RECORD PROCEDURES:
    The Department of the Interior has exempted portions of this system 
from the amendment procedures of the Privacy Act pursuant to 5 U.S.C. 
552a(j)(2), (k)(1), (k)(2) and (k)(5). An individual requesting 
correction or the removal of material from his or her records should 
send a signed, written request to the System Manager identified above. 
A request for corrections or removal must meet the requirements of 43 
CFR 2.246.

NOTIFICATION PROCEDURES:
    The Department of the Interior has exempted portions of this system 
from the notification procedures of the Privacy Act pursuant to 5 
U.S.C. 552a(j)(2), (k)(1), (k)(2) and (k)(5). An individual requesting 
notification of the existence of records on himself or herself should 
send a signed, written inquiry to the System Manager identified above. 
The request envelope and letter should both be clearly marked ``PRIVACY 
ACT INQUIRY.'' A request for notification must meet the requirements of 
43 CFR 2.235.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    This system contains classified and unclassified intelligence and 
law enforcement investigatory records related to insider threat and 
counterintelligence activities that are exempt from certain provisions 
of the Privacy Act, 5 U.S.C. 552a(j) and (k). Pursuant to 5 U.S.C. 
552a(j)(2), (k)(1), (k)(2) and (k)(5), the Department of the Interior 
has exempted portions of this system from the Privacy Act subsections 
(c)(3), (c)(4), (d), (e)(1) through (e)(3), (e)(4)(G) through 
(e)(4)(I), (e)(5), (e)(8), (e)(12), (f), and (g). In accordance with 5 
U.S.C. 553(b), (c) and (e), the Department of the Interior has 
promulgated rules at 43 CFR part 2, subpart K, and is proposing to 
amend these rules in a Notice of Proposed Rulemaking published 
separately in the Federal Register.

HISTORY:
    79 FR 52033 (September 2, 2014).

Teri Barnett,
Departmental Privacy Officer, Department of the Interior.
[FR Doc. 2021-18710 Filed 8-30-21; 8:45 am]
BILLING CODE 4334-63-P