Privacy Act of 1974; System of Records, 60900-60905 [2021-24024]

Agencies

• DEPARTMENT OF THE INTERIOR
• Office of the Secretary

[Federal Register Volume 86, Number 211 (Thursday, November 4, 2021)]
[Notices]
[Pages 60900-60905]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-24024]


-----------------------------------------------------------------------

DEPARTMENT OF THE INTERIOR

Office of the Secretary

[DOI-2021-0011; 22XD4523WS, DWSN00000.000000, DS64800000, DP64803]


Privacy Act of 1974; System of Records

AGENCY: Office of the Secretary, Interior.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, as 
amended, the Department of the Interior (DOI) is issuing a public 
notice of its intent to create a new Privacy Act system of records 
titled, ``INTERIOR/DOI-92, Public Health Emergency Response Records.'' 
This system of records notice (SORN) describes DOI's collection, 
maintenance, and use of records on individuals associated with DOI 
efforts to respond to the Coronavirus Disease 2019 (COVID-19), a 
declared public health emergency, and protect the health and safety of 
its workforce and members of the public. This newly established system 
will be included in DOI's inventory of record systems.

DATES: This new system will be effective upon publication. New routine 
uses will be effective December 6, 2021. Submit comments on or before 
December 6, 2021.

ADDRESSES: You may send comments identified by docket number [DOI-2021-
0011] by any of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for sending comments.
     Email: [email protected]. Include docket number 
[DOI-2021-0011] in the subject line of the message.
     U.S. mail or hand-delivery: Teri Barnett, Departmental 
Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, 
Room 7112, Washington, DC 20240.
    Instructions: All submissions received must include the agency name 
and docket number [DOI-2021-0011]. All comments received will be posted 
without change to https://www.regulations.gov, including any personal 
information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Teri Barnett, Departmental Privacy 
Officer, U.S. Department of the Interior, 1849 C Street NW, Washington, 
DC 20240, [email protected] or 202-208-1605.

SUPPLEMENTARY INFORMATION:

I. Background

    The DOI Office of Occupational Safety and Health (OSH) is 
establishing a new Department-wide system of records, INTERIOR/DOI-92, 
Public Health Emergency Response Records. This system will help DOI 
manage records related to DOI's response to the COVID-19 public health 
emergency and future high consequence public health threats, support 
emergency or medically related decisions affecting DOI personnel, and 
ensure the health and safety of the various categories of personnel, 
contractors, grantees, detailees, volunteers, interns, long-term 
trainees, and visitors at DOI owned, operated, leased or managed 
facilities or properties.
    This system supports DOI's COVID-19 vaccination and testing program 
as required by Executive Orders 14043 and 14042; Office of Management 
and Budget (OMB) Memorandums M-21-15 and M-21-25; COVID-19 Workplace 
Safety: Agency Model Safety Principles issued by the Federal Safer 
Federal Workforce Task Force; and other applicable law and policy. 
Federal labor, employment and workforce health and safety laws that 
govern the collection, dissemination, and retention of DOI employees' 
medical information include the Americans with Disability Act (ADA), 
the Rehabilitation Act of 1973 (Rehab Act), and the Occupational Safety 
and Health Act of 1970. The Department of Health and Human Services 
(HHS) Secretary may, under section 319 of the Public Health Service 
(PHS) Act codified at 42 U.S.C 247d, declare that: (a) A disease or 
disorder presents a public health emergency; or (b) that a public 
health emergency, including significant outbreaks of infectious disease 
or bioterrorist attacks, otherwise exists.
    The Occupational Safety and Health Act (OSHA) of 1970, Public Law 
91-596, 29 U.S.C. 668, Section 19(a) requires the head of each Federal 
agency to establish and maintain an effective and comprehensive 
occupational safety and health program and safe and healthful places 
and conditions of employment, and to keep adequate records of all 
occupational accidents and illnesses for proper evaluation and 
necessary corrective action. OSHA also requires that Federal agencies 
maintain an injury and illness prevention program, which is a proactive 
process designed to reduce injuries, illnesses, and fatalities. State 
governors also have the authority to declare public health emergencies 
by executive order or other declaration. State declared public health 
emergencies could also involve a significant risk of substantial harm 
to DOI personnel or visitors at DOI buildings, facilities and events.
    Executive Order 14043, Requiring Coronavirus Disease 2019 
Vaccination for Federal Employees, signed September 9, 2021, 
establishes mandatory requirements for Federal executive agencies to 
implement a program to require COVID-19 vaccinations for Federal 
employees, with some exceptions as required by law. Additionally, 
Executive Order 14042, Ensuring Adequate COVID Safety Protocols for 
Federal Contractors, signed September 9, 2021, establishes requirements 
for Federal executive agencies to implement workplace safety protocols 
for contractors and subcontractors to protect the health and safety of 
the Federal workforce and members of the public. DOI is implementing 
these requirements to ensure the safety of its workforce and visitors 
to its facilities and sponsored events.
    DOI will collect and maintain information within the scope of this 
system of records when it is determined that it is authorized and 
necessary to meet Federal requirements and respond to a declared public 
health emergency. To make this determination, DOI will evaluate the 
privacy risks for the collection of information, who the information 
pertains to, how the information is used and shared, the actions needed 
to protect individuals and respond to the public health emergency, and 
the laws that may apply, including the U.S. Constitution, Executive 
orders, Federal privacy laws, Federal labor and employment laws, and 
Federal workforce health and safety laws.
    DOI will only collect the minimum information necessary to respond 
to COVID-19, or future high consequence

[[Page 60901]]

public health threat, and comply with Federal workforce safety 
requirements, when DOI determines that a significant risk of 
substantial harm exists to individuals working at or visiting a DOI 
controlled facility, or attending a DOI sponsored event in a non-DOI 
controlled facility. These circumstances may include mitigation 
response activities in response to: (1) An Executive order or mandate 
or health related declaration of a national emergency by the President; 
(2) a declared public health emergency by the HHS Secretary; (3) when 
designated Federal or state officials make a declaration or official 
determination that a public health emergency exists; or (4) when DOI 
determines that a significant risk of substantial harm exists to the 
health of DOI personnel or visitors and it is necessary to ensure their 
health and safety in accordance with the Centers for Disease Control 
and Prevention (CDC) and other Federal and local guidance on 
communicable disease.
    DOI's responsibilities for ensuring a safe workforce and secure 
buildings and workspaces depend on the nature and circumstances of the 
public health emergency. In order to meet requirements for workforce 
safety and the Federal government-wide COVID-19 response, DOI must 
collect information on its workforce related to the COVID-19 disease to 
protect its workforce and customers. DOI will make all efforts to 
minimize the collection of information to the greatest extent possible 
to protect individual privacy and will only share information when 
authorized by the subject individuals or when authorized or required by 
law. Records may include personally identifiable information of 
individuals who have: (1) Contracted or may have been exposed to a 
suspected or confirmed disease or illness that is the subject of a 
declared public health emergency; (2) attested to their vaccination 
status or are required to participate in a vaccination program; or (3) 
are required to participate in a testing program or have undergone 
testing for a disease or illness that is the subject of a declared 
public health emergency or a Federal, state, or local public health 
order. Records on individuals may include circumstances and dates of 
suspected exposure; symptoms, referrals and results of screening or 
treatments; health status information; and related medical information 
such as vaccination records and results of testing for disease or 
illness. DOI may also collect location and dates of potential exposure, 
information related to employee requests for reasonable accommodation, 
and other information that may be relevant or required for DOI to 
comply with Federal guidelines and prevent or slow the spread of the 
COVID-19 disease and mitigate health impacts to DOI personnel, 
visitors, and other individuals at DOI controlled facilities and 
sponsored events.
    DOI is establishing a screening testing program for SARS-CoV-2, the 
virus that causes COVID-19, in limited circumstances to test personnel 
who work onsite and who are not fully vaccinated and have requested a 
legal exception under the law for reasonable accommodations due to 
medical reasons or religious belief. The purpose of the testing is to 
identify asymptomatic or presymptomatic infected individuals who may 
have been exposed to the SARS-CoV-2 virus to protect the health and 
safety of individuals in DOI buildings, facilities, and events. 
Employees who are fully vaccinated generally do not need to participate 
in the testing program. An employee's failure to comply with 
vaccination or testing requirements may result in disciplinary action, 
including an adverse action. However, records of proposed disciplinary 
actions are maintained in other employee personnel records under a 
separate SORN and will not be maintained in this system of records.
    Federal civilian employee medical records are covered by a 
government-wide Privacy Act SORN published by the Office of Personnel 
Management (OPM), OPM/GOVT-10, Employee Medical File System Records (75 
FR 35099, June 21, 2010; modification published at 80 FR 74815, 
November 30, 2015). These Federal employee confidential medical records 
are managed in accordance with OPM regulations at 5 CFR part 293, the 
OPM/GOVT-10 SORN, and its published routine uses. The OPM/GOVT-10 SORN 
covers Federal civilians that are identified under Title 5 U.S.C. 
chapter 21. The majority of DOI Federal employees fall under Title 5 
and their medical records are covered by the OPM/GOVT-10 SORN and must 
be managed in accordance with that SORN and applicable OPM regulations.
    This DOI-92 notice covers DOI employees and individuals that do not 
fall under Title 5 and OPM's personnel recordkeeping authority and thus 
are not covered by the OPM/GOVT-10 SORN. This includes DOI workers, 
such as Title 25 Indian education personnel and any other DOI workers, 
to the extent they are not Federal employees as defined under 5 U.S.C. 
2105 or are not subject to OPM regulations. This system may also 
include information collected or maintained on DOI personnel, 
contractors, partners, detailees, volunteers, interns, long-term 
trainees, and visitors at or on facilities, buildings, grounds, and 
properties that are owned, operated, leased, managed or used by DOI, or 
DOI sponsored meetings and events. The information collected is 
required to conduct health screening for COVID-19 or other high 
consequence public health threat, and will be used to prevent the 
spread of disease and reduce the risk of individuals with symptoms of a 
communicable disease entering a DOI building, facility, or DOI hosted 
event. As part of health screening efforts, DOI may be required to 
monitor symptoms to identify persons who may have been exposed to 
communicable disease, or identify and notify personnel or visitors who 
were present in a DOI building, facility or event that may have had 
physical contact with or come into close proximity with individuals who 
were infected or had symptoms of infection with a communicable disease.
    Information in this system may be shared with other DOI bureaus and 
offices that have a need to know to carry out their mission-essential 
functions, when it is determined that the sharing is authorized under 
applicable laws and DOI policy and it is necessary to allow DOI to 
manage a vaccination and testing program and respond to a declared 
public health emergency. To the extent permitted by law, DOI may also 
share information with appropriate Federal, state, local, tribal, 
territorial, foreign, or international government agencies when 
authorized and compatible with the purpose of this system, or when 
proper and necessary, consistent with the routine uses set forth in 
this system of records notice.

II. Privacy Act

    The Privacy Act of 1974, as amended, embodies fair information 
practice principles in a statutory framework governing the means by 
which Federal agencies collect, maintain, use, and disseminate 
individuals' records. The Privacy Act applies to records about 
individuals that are maintained in a ``system of records.'' A ``system 
of records'' is a group of any records under the control of an agency 
from which information is retrieved by the name of an individual or by 
some identifying number, symbol, or other identifying particular 
assigned to the individual. The Privacy Act defines an individual as a 
United States citizen or lawful permanent resident. Individuals may 
request access to their own records that are maintained in a system of 
records in

[[Page 60902]]

the possession or under the control of DOI by complying with DOI 
Privacy Act regulations at 43 CFR part 2, subpart K, and following the 
procedures outlined in the Records Access, Contesting Record, and 
Notification Procedures sections of this notice.
    The Privacy Act requires each agency to publish in the Federal 
Register a description denoting the existence and character of each 
system of records that the agency maintains and the routine uses of 
each system. The INTERIOR/DOI-92, Public Health Emergency Response 
Records, SORN is published in its entirety below. In accordance with 5 
U.S.C. 552a(r), DOI has provided a report of this system of records to 
the Office of Management and Budget and to Congress.

III. Public Participation

    You should be aware your entire comment including your personally 
identifiable information, such as your address, phone number, email 
address, or any other personal information in your comment, may be made 
publicly available at any time. While you may request to withhold your 
personally identifiable information from public review, we cannot 
guarantee we will be able to do so.

SYSTEM NAME AND NUMBER:
    INTERIOR/DOI-92, Public Health Emergency Response Records.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are maintained by the Office of Occupational Safety and 
Health, U.S. Department of the Interior, 1849 C Street NW, Washington, 
DC 20240; all DOI bureaus and offices in Washington, DC, and in field 
locations; and DOI contractor facilities.

SYSTEM MANAGER(S):
    Director, Office of Occupational Safety and Health, U.S. Department 
of the Interior, 1849 C Street NW, Office 4316, Mail Stop 4310, 
Washington, DC 20240.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301; Section 319 of the Public Health Service (PHS) Act 
(42 U.S.C. 247d); 40 U.S.C. 1315; Coronavirus Aid, Relief, and Economic 
Security (CARES) Act, Public Law 116-136, Div. B., Title VIII, sec. 
18115, 134 Stat. 574 (codified in 42 U.S.C. 274d note); Americans with 
Disabilities Act, 42 U.S.C. 12112, 29 CFR 1602.14, 1630.14; the 
Rehabilitation Act of 1973 (Rehab Act), 29 U.S.C. 701 et seq.; Medical 
Examinations for Fitness for Duty Requirements, including 5 CFR part 
339; the Occupational Safety and Health Act of 1970, 29 U.S.C. Chapter 
15, 29 CFR part 1904, 29 CFR 1910.1020, and 29 CFR 1960.66; Executive 
Order 13991; Executive Order 13994; Executive Order 14042; Executive 
Order 14043; Executive Order 12196; 5 U.S.C. 7902; 25 U.S.C. 2012, 
Indian Education Personnel; 25 CFR chapter I, subchapter E, Education; 
Section 2 of the Reorganization Plan No. 3 of 1950 (64 Stat. 1262).

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to maintain records related to DOI's 
response to the COVID-19 public health emergency or other high-
consequence public health threat, to mange a workplace health screening 
and vaccination program, and document results of screening and 
diagnostic testing to protect the Federal workforce and stop or reduce 
the spread of infectious disease or illness. This system will be used 
to:
    (1) Comply with Executive orders, Federal Government and OSHA 
requirements;
    (2) Manage records as part of the COVID-19 vaccination requirement 
including confirming vaccination status and maintaining proof of 
vaccination;
    (3) Manage records related to a testing program including 
overseeing preventative testing to test personnel working onsite who 
are not fully vaccinated, and to permit entry to DOI managed or 
controlled facilities and events to meet Federal requirements and 
fulfill DOI's responsibilities to the extent permitted by law;
    (4) Conduct screening and testing for select circumstances such as 
employees who have a need to physically enter another Federal facility 
or workspace for official DOI business;
    (5) Conduct screening and testing for employees on official travel 
to meet local requirements where testing is a condition for entry, or 
for employees on official travel returning from an area of high risk of 
exposure as a condition of entry to a DOI facility;
    (6) Document reports of illness or communicable disease that are 
the subject of a declaration of public health emergency by HHS or 
designated state officials that may pose a significant risk of 
substantial harm to the health of DOI personnel and visitors;
    (7) Identify and provide notifications to personnel and visitors 
who may have been exposed to individuals while working onsite or 
visiting DOI buildings, facilities or events;
    (8) Inform Federal, state or local public health authorities as 
necessary to protect public health as allowed or when required by law; 
and
    (9) Take appropriate actions as necessary to prevent the 
introduction, transmission, and spread of communicable disease by 
persons who have contracted or were exposed to such a disease and came 
in close physical proximity to or had physical contact with other 
persons while working in or visiting a DOI facility or event.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    DOI personnel, including non-Title 5 employees, contractors, 
detailees, interns, volunteers, long-term trainees; DOI partners and 
employees and detailees from other Federal agencies; visitors or 
participants at DOI managed meetings, events and conferences; visitors 
or individuals who participate in health screening at DOI owned, 
operated, managed, or leased buildings and facilities; and visitors or 
individuals who are suspected or confirmed to have a disease or illness 
that is the subject of a declared public health emergency, or may have 
been exposed to someone who is suspected or confirmed to have a disease 
or illness that is the subject of a declared public health emergency.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Information collected for health screening includes contact 
information, vaccination and testing program related information, 
medical reports and assessments, and other related information that may 
be required. This information may include but is not limited to:
     Full name;
     Address;
     Bureau, office, organization, duty location, facility, 
work site, and specific work space(s) accessed;
     Official contact information;
     Work or personal phone number(s);
     Work or personal email address(es);
     Employee's supervisor name, address, and contact 
information;
     Contractor's supervisor/contracting officer representative 
name, address, and contact information;
     Date(s) and time(s) of entrance and exit from DOI 
buildings, facilities, workspaces, or events;
     Date(s) and/or circumstances of the individual's suspected 
or actual exposure to disease or illness including symptoms, as well as 
locations within DOI workplaces where an individual may have contracted 
or been exposed to the disease or illness;
     Names and contact information of other personnel or 
visitors that the individual interacted with at or on a DOI workspace, 
facility, or grounds

[[Page 60903]]

during the time the individual was suspected to or had contracted the 
disease or illness;
     Current work status of the individual (e.g., 
administrative leave, sick leave, teleworking, in the office);
     Vaccination status, dates of vaccination, type of vaccine, 
and proof of vaccination including copies of COVID-19 Vaccination 
Record Card, a copy of medical records documenting vaccination, a copy 
of immunization records, or other official documentation containing 
information on vaccination;
     Medical screening information including name, date of 
birth, age, medical status medical history, and other information that 
may be required;
     Information directly related to screening and testing for 
disease or illness including but not limited to testing status, date 
and location of testing, test type, test results, disease type, 
symptoms, treatments;
     Dates and source of exposure, and recent dates and DOI 
locations and workspaces visited; and
     Other information that may be relevant and necessary to 
achieve the purpose of health screening or the vaccination and testing 
program.
    For other agency Federal employees, detailees, partners, non-DOI 
contractors, visitors and members of the public at or on DOI owned, 
operated, leased or managed buildings, facilities, and events, the 
following information may be collected:
     Full name;
     Preferred phone number(s);
     Preferred email address(es);
     Name(s) and contact information for DOI personnel 
sponsoring visitors or participants at meetings or conferences or 
meetings in or at DOI workspaces, facilities, buildings, parks and 
grounds;
     Name(s) of individuals encountered while in or at DOI 
workspaces, facilities, buildings, parks and grounds;
     Information directly related to screening and testing for 
disease or illness including but not limited to date of testing, 
frequency of testing, test results, symptoms, treatments;
     Dates and source of exposure, and recent dates and DOI 
locations and workspaces visited;
     Vaccination status, including fully vaccinated, not 
vaccinated, or decline to provide status; and
     Date(s) and time(s) of entrance and exit from DOI 
buildings, facilities, or events, or other related information. 
Information on entry and exit from DOI buildings may be obtained from 
the INTERIOR/DOI-46, Physical Security Access Files, system when 
relevant and necessary to achieve the purpose of this SORN.
    This system may also include records on individuals created, 
collected or required to be reported to health officials in accordance 
with the requirements of the Coronavirus Aid, Relief, and Economic 
Security Act (CARES Act), which requires laboratories that perform or 
analyze a test that is intended to detect or to diagnose a possible 
case of COVID-19 to report the result of that testing to public health 
officials. This information includes:
     Full Name;
     Address; and
     Test results.

RECORD SOURCE CATEGORIES:
    Records are obtained from DOI personnel, partners, other Federal 
agency employees, and individuals who provide relevant information on 
vaccination, testing or exposure to COVID-19 or other high-consequence 
public health threat; visitors at DOI owned, operated, leased or 
managed buildings, facilities or events; their family members or other 
potential source of exposure to COVID-19 or other high-consequence 
public health threat; DOI, bureau, and office records including other 
systems of records; contractors or service providers performing 
testing, screening or related services; other Federal or state 
agencies, public health organizations, or physicians with consent of 
the subject individual or when authorized by law; employers and other 
entities and individuals who may provide relevant information on a 
suspected or confirmed disease or illness that is the subject of a 
declared public health emergency.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside DOI as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. To the Department of Justice (DOJ), including Offices of the 
U.S. Attorneys, or other Federal agency conducting litigation or in 
proceedings before any court, adjudicative, or administrative body, 
when it is relevant or necessary to the litigation and one of the 
following is a party to the litigation or has an interest in such 
litigation:
    (1) DOI or any component of DOI;
    (2) Any other Federal agency appearing before the Office of 
Hearings and Appeals;
    (3) Any DOI employee or former employee acting in his or her 
official capacity;
    (4) Any DOI employee or former employee acting in his or her 
individual capacity when DOI or DOJ has agreed to represent that 
employee or pay for private representation of the employee; or
    (5) The United States Government or any agency thereof, when DOJ 
determines that DOI is likely to be affected by the proceeding.
    B. To a congressional office when requesting information on behalf 
of, and at the request of, the individual who is the subject of the 
record.
    C. To the Executive Office of the President in response to an 
inquiry from that office made at the request of the subject of a record 
or a third party on that person's behalf, or for a purpose compatible 
with the reason for which the records are collected or maintained.
    D. To any criminal, civil, or regulatory law enforcement authority 
(whether Federal, state, territorial, local, tribal or foreign) when a 
record, either alone or in conjunction with other information, 
indicates a violation or potential violation of law--criminal, civil, 
or regulatory in nature, and the disclosure is compatible with the 
purpose for which the records were compiled.
    E. To an official of another Federal agency to provide information 
needed in the performance of official duties related to reconciling or 
reconstructing data files or to enable that agency to respond to an 
inquiry by the individual to whom the record pertains.
    F. To Federal, state, territorial, local, tribal, or foreign 
agencies that have requested information relevant or necessary to the 
hiring, firing or retention of an employee or contractor, or the 
issuance of a security clearance, license, contract, grant or other 
benefit, when the disclosure is compatible with the purpose for which 
the records were compiled.
    G. To representatives of the National Archives and Records 
Administration (NARA) to conduct records management inspections under 
the authority of 44 U.S.C. 2904 and 2906.
    H. To state, territorial and local governments and tribal 
organizations to provide information needed in response to court order 
and/or discovery purposes related to litigation, when the disclosure is 
compatible with the purpose for which the records were compiled.
    I. To an expert, consultant, grantee, or contractor (including 
employees of the contractor) of DOI that performs services requiring 
access to these records on

[[Page 60904]]

DOI's behalf to carry out the purposes of the system.
    J. To appropriate agencies, entities, and persons when:
    (1) DOI suspects or has confirmed that there has been a breach of 
the system of records;
    (2) DOI has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, DOI (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and
    (3) the disclosure made to such agencies, entities, and persons is 
reasonably necessary to assist in connection with DOI's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.
    K. To another Federal agency or Federal entity, when DOI determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in:
    (1) Responding to a suspected or confirmed breach; or
    (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    L. To the Office of Management and Budget (OMB) during the 
coordination and clearance process in connection with legislative 
affairs as mandated by OMB Circular A-19.
    M. To the Department of the Treasury to recover debts owed to the 
United States.
    N. To the news media and the public, with the approval of the 
Public Affairs Officer in consultation with counsel and the Senior 
Agency Official for Privacy, where there exists a legitimate public 
interest in the disclosure of the information, except to the extent it 
is determined that release of the specific information in the context 
of a particular case would constitute an unwarranted invasion of 
personal privacy.
    O. To appropriate Federal, state, local, tribal, or foreign 
governmental agencies or multilateral governmental organizations, to 
the extent permitted by law, and in consultation with legal counsel, 
for the purpose of protecting the vital interests of a data subject or 
other persons, including to assist such agencies or organizations in 
preventing exposure to or transmission of a communicable or 
quarantinable disease or to combat other significant public health 
threats.
    P. To Federal agencies such as the Health and Human Services (HHS), 
State and local health departments, and other public health or 
cooperating medical authorities in connection with program activities 
and related collaborative efforts to deal more effectively with 
exposures to communicable diseases, and to satisfy mandatory reporting 
requirements when applicable.
    Q. To missing person or location organizations where DOI does not 
have sufficient contact information to the extent necessary to obtain 
information to aid in locating persons who were possibly exposed or 
exposed others to a communicable disease at a DOI facility.
    R. To a contractor or shared service provider conducting health 
screening, testing or notification activities on behalf of DOI, to help 
DOI manage vaccination and testing program records and procedures, and 
implementation of health screening, testing, and contact tracing.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    None.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic records are stored in secure facilities. Confidential 
employee records are maintained with appropriate administrative, 
physical and technical controls to protect individual privacy. Paper 
records are contained in file folders stored in file cabinets in secure 
office locations.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by any of the categories of records, 
including name, location, date of exposure, or work status.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    In accordance with the ADA and the Rehabilitation Act, information 
in this system must be maintained as confidential medical records, on 
separate forms and in separate medical files (42 U.S.C. 12112(d)(3)(B); 
42 U.S.C. sec 2000ff-5(a); 29 CFR 1630.14(b)(1), (c)(1), (d)(4)(i); and 
29 CFR 1635.9(a)). Therefore, these records must be stored separately 
from other personnel records and must be maintained for at least one 
year from creation date (29 CFR 1602.14).
    Records in this system are maintained in accordance with the NARA 
General Records Schedule (GRS) 2.7, Item 060, Occupational individual 
medical case files, which covers OSHA medical records and medical 
surveillance records that include personal and occupational health 
histories. The disposition is temporary. Short-term records are 
destroyed one year after employee separation or transfer (DAA-GRS-2017-
0010-0010). Long-term records are destroyed 30 years after employee 
separation or when the employee's Official Personnel Folder is 
destroyed, whichever is longer (DAA-GRS-2017-0010-0009). Visitor 
processing records are covered by GRS 5.6, Items 110 and 111, and must 
be destroyed when either two or five years old, depending on security 
level, but may be retained longer if required for business use, 
pursuant to DAA-GRS-2017-0006-0014 and -0015.
    Approved destruction methods for temporary records that have met 
their retention period include shredding or pulping paper records, and 
erasing or degaussing electronic records in accordance with DOI policy 
and NARA guidelines.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records contained in this system are safeguarded in accordance with 
43 CFR 2.226 and other applicable security and privacy rules and 
policies. During normal hours of operation, paper records are 
maintained in locked file cabinets under the control of authorized 
personnel. Computer servers on which electronic records are stored are 
located in secured DOI controlled facilities with physical, technical 
and administrative levels of security to prevent unauthorized access to 
the DOI network and information assets. Access is only granted to 
authorized personnel and each person granted access to the system must 
be individually authorized to use the system. A Privacy Act Warning 
Notice appears on computer monitor screens when records containing 
information on individuals are first displayed. Data exchanged between 
the servers and the system is encrypted. Backup tapes are encrypted and 
stored in a locked and controlled room in a secure, off-site location.
    Computerized records systems follow the National Institute of 
Standards and Technology privacy and security standards as developed to 
comply with the Privacy Act of 1974, as amended, 5 U.S.C. 552a; 
Paperwork Reduction Act of 1995, 44 U.S.C. 3501-3521 et seq.; Federal 
Information Security Modernization Act of 2014, 44 U.S.C. 3551 et seq.; 
and the Federal Information Processing Standards 199: Standards for 
Security Categorization of Federal Information and Information Systems. 
Security controls include user identification, multi-factor

[[Page 60905]]

authentication, database permissions, encryption, firewalls, audit 
logs, and network system security monitoring, and software controls.
    Access to records in the system is limited to authorized personnel 
who have a need to access the records in the performance of their 
official duties, and each user's access is restricted to only the 
functions and data necessary to perform that person's job 
responsibilities. System administrators and authorized users are 
trained and required to follow established internal security protocols 
and must complete all security, privacy, and records management 
training and sign the DOI Rules of Behavior. DOI has conducted privacy 
impact assessments on the collection of information for the vaccination 
program and the supporting IT system to identify and evaluate potential 
privacy risks and ensure appropriate safeguards are implemented to 
protect privacy.

RECORD ACCESS PROCEDURES:
    An individual requesting records on himself or herself should send 
a signed, written inquiry to the System Manager identified above. The 
request must include the specific bureau or office that maintains the 
record to facilitate location of the applicable records. The request 
envelope and letter should both be clearly marked ``PRIVACY ACT REQUEST 
FOR ACCESS.'' A request for access must meet the requirements of 43 CFR 
2.238.

CONTESTING RECORD PROCEDURES:
    An individual requesting corrections or the removal of material 
from his or her records should send a signed, written request to the 
System Manager identified above. The request must include the specific 
bureau or office that maintains the record to facilitate location of 
the applicable records. A request for corrections or removal must meet 
the requirements of 43 CFR 2.246.

NOTIFICATION PROCEDURES:
    An individual requesting notification of the existence of records 
on himself or herself should send a signed, written inquiry to the 
System Manager identified above. The request must include the specific 
bureau or office that maintains the record to facilitate location of 
the applicable records. The request envelope and letter should both be 
clearly marked ``PRIVACY ACT INQUIRY.'' A request for notification must 
meet the requirements of 43 CFR 2.235.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

Teri Barnett,
Departmental Privacy Officer, Department of the Interior.
[FR Doc. 2021-24024 Filed 11-1-21; 11:15 am]
BILLING CODE 4334-63-P