Privacy Act Regulations; Exemption for the Insider Threat Program, 51645-51648 [2021-18711]

Agencies

• DEPARTMENT OF THE INTERIOR
• Office of the Secretary

[Federal Register Volume 86, Number 177 (Thursday, September 16, 2021)]
[Proposed Rules]
[Pages 51645-51648]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-18711]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE INTERIOR

Office of the Secretary

43 CFR Part 2

[DOI-2018-0012: 201D0102DM, DS65100000, DLSN00000.000000, DX65103]
RIN 1090-AB15


Privacy Act Regulations; Exemption for the Insider Threat Program

AGENCY: Office of the Secretary, Interior.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Department of the Interior is proposing to amend its 
regulations to exempt certain records in the INTERIOR/DOI-50, Insider 
Threat Program, system of records from one or more provisions of the 
Privacy Act of 1974 because of criminal, civil, and administrative law 
enforcement requirements.

DATES: Submit comments on or before November 15, 2021.

ADDRESSES: You may submit comments, identified by docket number [DOI-
2018-0012] or [Regulatory Information Number (RIN) 1090-AB15], by any 
of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for sending comments.
     Email: [email protected]. Include docket number 
[DOI-2018-0012] or RIN 1090-AB15 in the subject line of the message.
     U.S. mail or hand-delivery: Teri Barnett, Departmental 
Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, 
Room 7112, Washington, DC 20240.
    Instructions: All submissions received must include the agency name 
and docket number [DOI-2018-0012] or RIN 1090-AB15 for this rulemaking. 
All comments received will be posted without change to https://www.regulations.gov, including any personal information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Teri Barnett, Departmental Privacy 
Officer, U.S. Department of the Interior, 1849 C Street NW, Room 7112, 
Washington, DC 20240, [email protected] or (202) 208-1605.

SUPPLEMENTARY INFORMATION:

Background

    The Privacy Act of 1974, as amended, 5 U.S.C. 552a, governs the 
means by which the U.S. Government collects, maintains, uses and 
disseminates personally identifiable information. The Privacy Act 
applies to records about individuals that are maintained in a ``system 
of records.'' A system of records is a group of any records under the 
control of an agency from which information about an individual is 
retrieved by the name of the individual or by some identifying number, 
symbol, or other identifying particular assigned to the individual. See 
5 U.S.C. 552a(a)(4) and (5).
    An individual may request access to records containing information 
about him or herself, 5 U.S.C. 552a(b), (c) and (d). However, the 
Privacy Act authorizes Federal agencies to exempt systems of records 
from access by individuals under certain circumstances, such as where 
the access or disclosure of such information would impede national 
security or law enforcement efforts. Exemptions from Privacy Act 
provisions must be established by regulation, 5 U.S.C. 552a(j) and (k).
    The Department of the Interior (DOI) Office of Law Enforcement and 
Security published the INTERIOR/DOI-50, Insider Threat Program, system 
of records notice in the Federal Register at 79 FR 52033 on September 
2, 2014, in accordance with Presidential Executive Order 13587, issued 
October 7, 2011, which required Federal agencies to establish an 
insider threat detection and prevention program to ensure the security 
of classified networks and the responsible sharing and safeguarding of 
classified information consistent with appropriate protections for 
privacy and civil liberties. This system of records

[[Page 51646]]

facilitates management of counterintelligence and insider threat 
investigations and activities associated with counterintelligence 
complaints, inquiries and investigations; identification of potential 
threats to DOI resources and information assets; and referrals of 
potential insider threats to internal and external partners. Insider 
threats include attempted or actual espionage, subversion, sabotage, 
terrorism or extremist activities directed against the DOI and its 
personnel, facilities, resources, and activities; unauthorized use of 
or intrusion into automated information systems; unauthorized 
disclosure of classified, controlled unclassified, sensitive, or 
proprietary-information or technology; indicators of potential insider 
threats or other incidents that may indicate activities of an insider 
threat.
    The system contains classified and unclassified intelligence and 
investigatory records related to counterintelligence and insider threat 
activities that are exempt from certain provisions of the Privacy Act, 
5 U.S.C. 552a(j) and (k). The DOI previously published a final rule in 
the Federal Register at 79 FR 68799 (November 19, 2014) to amend DOI 
Privacy Act regulations at 43 CFR 2.254 to exempt certain records in 
this system from subsections (c)(3), (c)(4), (d), (e)(1) through 
(e)(3), (e)(4)(G) through (e)(4)(I), (e)(5), (e)(8), (e)(12), (f), and 
(g) of the Privacy Act pursuant to 5 U.S.C. 552a(j)(2) and (k)(2). In 
this notice of proposed rulemaking (NPRM), DOI is proposing to claim 
additional exemptions from certain provisions of the Privacy Act 
pursuant to 5 U.S.C. 552a(k)(1) and (k)(5).
    DOI previously published an NPRM in the Federal Register at 85 FR 
7515 (February 10, 2020) to claim exemptions for the INTERIOR/DOI-46, 
Physical Security Access Files, system of records that proposed a 
revision of the DOI Privacy Act regulations at 43 CFR 2.254 to 
redesignate the existing paragraphs and add new paragraphs for 
additional exemptions under 5 U.S.C. 552a(k). A new paragraph (b) was 
reserved for exemptions claimed under 5 U.S.C. 552a(k)(1) as indicated 
in this NPRM for the INTERIOR/DOI-50, Insider Threat Program. The 
previous paragraph (c) for investigatory records exempt under 5 U.S.C. 
552a(k)(5) was redesignated to paragraph (e) to allow for a new 
paragraph (d) for exemptions claimed under 5 U.S.C. 552(k)(3) related 
to records maintained in connection with providing protective services. 
The new and redesignated paragraphs proposed for section 2.254 will be 
effective upon publication of the INTERIOR/DOI-46 final rule in the 
Federal Register and will align with the exemptions proposed in this 
NPRM for the INTERIOR/DOI-50, Insider Threat Program.
    Under 5 U.S.C. 552a(k)(1), the head of a Federal agency may 
promulgate rules to exempt a system of records from certain provisions 
of the Privacy Act of 1974, 5 U.S.C. 552a, if the system of records is 
subject to the provisions of 5 U.S.C. 552(b)(1) where the records are 
(A) specifically authorized under criteria established by an Executive 
Order to be kept secret in the interest of national defense or foreign 
policy, and (B) are in fact properly classified pursuant to such 
Executive Order. Some records in this system are deemed classified and 
subject to Executive Orders for the maintenance of records that must be 
kept secret in the interest of national security, such as Executive 
Order 12333, United States Intelligence Activities (as amended); 
Executive Order 12829, National Industrial Security Program; Executive 
Order 12968, Access to Classified Information; Executive Order 13526, 
Classified National Security Information; and Executive Order 13587, 
Structural Reforms to Improve the Security of Classified Networks and 
the Responsible Sharing and Safeguarding of Classified Information. 
Additionally, records in this system may be related to investigatory 
material compiled solely for the purpose of determining suitability, 
eligibility, or qualifications for Federal civilian employment, 
military service, Federal contracts, or access to classified 
information that are exempt from one or more provisions of the Privacy 
Act pursuant to 5 U.S.C. 552a(k)(5).
    Because this system of records contains classified and 
investigative material within the provisions of 5 U.S.C. 552a(k)(1) and 
(k)(5), the DOI proposes to exempt the system of records from one or 
more of the following provisions: 5 U.S.C. 552a(c)(3), (d), (e)(1), 
(e)(4)(G) through (e)(4)(I), and (f). Where a release would not 
interfere with or adversely affect investigations or law enforcement 
activities, including but not limited to revealing sensitive 
information or compromising confidential sources, the exemption may be 
waived on a case-by-case basis. Exemptions from these particular 
subsections are justified for the following reasons:
    1. 5 U.S.C. 552a(c)(3). This section requires an agency to make the 
accounting of each disclosure of records available to the individual 
named in the record upon request. Release of accounting of disclosures 
would alert the subjects of an investigation to the existence of the 
investigation and the fact that they are subjects of the investigation. 
The release of such information to the subjects of an investigation 
would provide them with significant information concerning the nature 
of the investigation, and could seriously impede or compromise the 
investigation, endanger the physical safety of confidential sources, 
witnesses and their families, and lead to the improper influencing of 
witnesses, the destruction of evidence, or the fabrication of 
testimony.
    2. 5 U.S.C. 552a(d); (e)(4)(G) and (e)(4)(H); and (f). These 
sections require an agency to provide notice and disclosure to 
individuals that a system contains records pertaining to the 
individual, as well as providing rights of access and amendment. 
Granting access to records in the Insider Threat Program system could 
inform the subject of an investigation of an actual or potential 
criminal violation of the existence of that investigation, of the 
nature and scope of the information and evidence obtained, of the 
identity of confidential sources, witnesses, and law enforcement 
personnel, and could provide information to enable the subject to avoid 
detection or apprehension. Granting access to such information could 
seriously impede or compromise an investigation; endanger the physical 
safety of confidential sources, witnesses, and law enforcement 
personnel, as well as their families; lead to the improper influencing 
of witnesses, the destruction of evidence, or the fabrication of 
testimony; and disclose investigative techniques and procedures. In 
addition, granting access to such information could disclose 
classified, security-sensitive, or confidential information and could 
constitute an unwarranted invasion of the personal privacy of others.
    3. 5 U.S.C. 552a(e)(1). This section requires the agency to 
maintain information about an individual only to the extent that such 
information is relevant or necessary. The application of this provision 
could impair investigations and law enforcement, because it is not 
always possible to determine the relevance or necessity of specific 
information in the early stages of an investigation. Relevance and 
necessity are often questions of judgment and timing, and it is only 
after the information is evaluated that the relevance and necessity of 
such information can be established. In addition, during the course of 
the investigation, the investigator may obtain information that is 
incidental to the main purpose of the investigation but which may 
relate to matters under

[[Page 51647]]

the investigative jurisdiction of another agency. Such information 
cannot readily be segregated. Furthermore, during the course of the 
investigation, an investigator may obtain information concerning the 
violation of laws outside the scope of the investigator's jurisdiction. 
In the interest of effective law enforcement, DOI investigators should 
retain this information, since it can aid in establishing patterns of 
criminal activity and can provide valuable leads for other law 
enforcement agencies.
    4. 5 U.S.C. 552a(e)(4)(I). This section requires an agency to 
provide public notice of the categories of sources of records in the 
system. The application of this section could disclose investigative 
techniques and procedures and cause sources to refrain from giving such 
information because of fear of reprisal, or fear of breach of 
promise(s) of anonymity and confidentiality. This could compromise 
DOI's ability to conduct investigations and to identify, detect and 
apprehend violators.

Procedural Requirements

1. Regulatory Planning and Review (E.O. 12866 and E.O. 13563)

    Executive Order 12866 provides that the Office of Information and 
Regulatory Affairs in the Office of Management and Budget will review 
all significant rules. The Office of Information and Regulatory Affairs 
has determined that this rule is not significant.
    Executive Order 13563 reaffirms the principles of Executive Order 
12866 while calling for improvements in the nation's regulatory system 
to promote predictability, to reduce uncertainty, and to use the best, 
most innovative, and least burdensome tools for achieving regulatory 
ends. The executive order directs agencies to consider regulatory 
approaches that reduce burdens and maintain flexibility and freedom of 
choice for the public where these approaches are relevant, feasible, 
and consistent with regulatory objectives. Executive Order 13563 
emphasizes further that regulations must be based on the best available 
science and that the rulemaking process must allow for public 
participation and an open exchange of ideas. We have developed this 
rule in a manner consistent with these requirements.

2. Regulatory Flexibility Act

    The Department of the Interior certifies that this document will 
not have a significant economic effect on a substantial number of small 
entities under the Regulatory Flexibility Act (5 U.S.C. 601, et seq.). 
This rule does not impose a requirement for small businesses to report 
or keep records on any of the requirements contained in this rule. The 
exemptions to the Privacy Act apply to individuals, and individuals are 
not covered entities under the Regulatory Flexibility Act.

3. Small Business Regulatory Enforcement Fairness Act (SBREFA)

    This rule is not a major rule under 5 U.S.C. 804(2), the Small 
Business Regulatory Enforcement Fairness Act. This rule:
    (a) Does not have an annual effect on the economy of $100 million 
or more.
    (b) Will not cause a major increase in costs or prices for 
consumers, individual industries, Federal, State, or local government 
agencies, or geographic regions.
    (c) Does not have significant adverse effects on competition, 
employment, investment, productivity, innovation, or the ability of 
United States-based enterprises to compete with foreign-based 
enterprises.

4. Unfunded Mandates Reform Act

    This rule does not impose an unfunded mandate on State, local, or 
tribal governments in the aggregate, or on the private sector, of more 
than $100 million per year. The rule does not have a significant or 
unique effect on State, local, or tribal governments or the private 
sector. This rule makes only minor changes to 43 CFR part 2. A 
statement containing the information required by the Unfunded Mandates 
Reform Act (2 U.S.C. 1531 et seq.) is not required.

5. Takings (E.O. 12630)

    In accordance with Executive Order 12630, the rule does not have 
significant takings implications. This rule makes only minor changes to 
43 CFR part 2. A takings implication assessment is not required.

6. Federalism (E.O. 13132)

    In accordance with Executive Order 13132, this rule does not have 
any federalism implications to warrant the preparation of a Federalism 
Assessment. The rule is not associated with, nor will it have 
substantial direct effects on the States, on the relationship between 
the national government and the States, or on the distribution of power 
and responsibilities among the various levels of government. A 
Federalism Assessment is not required.

7. Civil Justice Reform (E.O. 12988)

    This rule complies with the requirements of Executive Order 12988. 
Specifically, this rule:
    (a) Does not unduly burden the judicial system.
    (b) Meets the criteria of section 3(a) requiring that all 
regulations be reviewed to eliminate errors and ambiguity and be 
written to minimize litigation; and
    (c) Meets the criteria of section 3(b)(2) requiring that all 
regulations be written in clear language and contain clear legal 
standards.

8. Consultation With Indian Tribes (E.O. 13175)

    In accordance with Executive Order 13175, the Department of the 
Interior has evaluated this rule and determined that it would have no 
substantial effects on federally recognized Indian Tribes.

9. Paperwork Reduction Act

    This rule does not require an information collection from 10 or 
more parties and a submission under the Paperwork Reduction Act is not 
required.

10. National Environmental Policy Act

    This rule does not constitute a major Federal Action significantly 
affecting the quality for the human environment. A detailed statement 
under the National Environmental Policy Act of 1969 (NEPA) is not 
required because the rule is covered by a categorical exclusion. We 
have determined the rule is categorically excluded under 43 CFR 
46.210(i) because it is administrative, legal, and technical in nature. 
We also have determined the rule does not involve any of the 
extraordinary circumstances listed in 43 CFR 46.215 that would require 
further analysis under NEPA.

11. Effects on Energy Supply (E.O. 13211)

    This rule is not a significant energy action under the definition 
in Executive Order 13211. A Statement of Energy Effects is not 
required.

12. Clarity of This Regulation

    We are required by Executive Order 12866 and 12988, the Plain 
Writing Act of 2010 (Pub. L. 111-274), and the Presidential Memorandum 
of June 1, 1998, to write all rules in plain language. This means each 
rule we publish must:

--Be logically organized;
--Use the active voice to address readers directly;
--Use clear language rather than jargon;
--Be divided into short sections and sentences; and
--Use lists and table wherever possible.

[[Page 51648]]

List of Subjects in 43 CFR Part 2

    Administrative practice and procedure, Confidential information, 
Courts, Freedom of Information Act, Privacy Act.

    For the reasons stated in the preamble, the Department of the 
Interior proposes to amend 43 CFR part 2 as follows:

PART 2--FREEDOM OF INFORMATION ACT; RECORDS AND TESTIMONY

0
1. The authority citation for part 2 continues to read as follows:

    Authority:  5 U.S.C. 301, 552, 552a, 553; 31 U.S.C. 3717; 43 
U.S.C. 1460, 1461.

0
2. Amend Sec.  2.254 by:
0
a. Revising paragraphs (b) introductory text and (b)(1);
0
b. Reserving paragraph (b)(2);
0
c. Revising paragraph (c) introductory text;
0
d. Reserving paragraph (c)(5); and
0
e. Adding paragraph (c)(6).
    The revisions and additions read as follows:


Sec.  2.254  Exemptions.

* * * * *
    (b) Classified records exempt under 5 U.S.C. 552a(k)(1). Pursuant 
to 5 U.S.C. 552a(k)(1), the following systems of records have been 
exempted from paragraphs (c)(3), (d), (e)(1), (e)(4) (G), (H), and (I), 
and (f) of 5 U.S.C. 552a and the provisions of the regulations in this 
subpart implementing these paragraphs:
    (1) INTERIOR/DOI-50, Insider Threat Program.
    (2) [Reserved]
* * * * *
    (c) Investigatory records exempt under 5 U.S.C. 552a(k)(5). 
Pursuant to 5 U.S.C. 552a(k)(5), the following systems of records have 
been exempted from paragraphs (c)(3), (d), (e)(1), (e)(4) (G), (H), and 
(I), and (f) of 5 U.S.C. 552a and the provisions of the regulations in 
this subpart implementing these paragraphs:
* * * * *
    (5) [Reserved]
    (6) INTERIOR/DOI-50, Insider Threat Program.

Teri Barnett,
Departmental Privacy Officer, Department of the Interior.
[FR Doc. 2021-18711 Filed 9-15-21; 8:45 am]
BILLING CODE 4334-63-P