Privacy Act of 1974; System of Records, 61325-61328 [2021-24267]

Agencies

• National Intelligence, Office of the National Director

[Federal Register Volume 86, Number 212 (Friday, November 5, 2021)]
[Notices]
[Pages 61325-61328]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-24267]


=======================================================================
-----------------------------------------------------------------------

OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE


Privacy Act of 1974; System of Records

AGENCY: Office of the Director of National Intelligence (ODNI)

ACTION: Notice of a revised system of records.

-----------------------------------------------------------------------

SUMMARY: ODNI provides notice of a revision to a Privacy Act system of 
records at the National Counterintelligence and Security Center (NCSC). 
This notice revises the system of records titled Continuous Evaluation 
Records, also identified as ODNI/NCSC-003. This notice is necessary to 
inform the public of revisions to the notice summary, system purpose, 
categories of individuals covered, and supplementary information about 
the records that the agency maintains. This revised notice to the 
Continuous Evaluation (CE) Records system adds one-time record checks 
of employment applicants in addition to the previous uses of CE for 
enrolled individuals.
    CE is a personnel security investigative process used to review the 
continued eligibility of individuals who have been determined eligible 
for access to classified information or to hold a sensitive position. 
Individuals subject to CE include current Executive Branch employees, 
detailees, contractors, and other sponsored individuals who are cleared 
for access to classified information or to hold a sensitive position. 
The Departments and Agencies (D/A) that sponsor these individuals for 
access to classified information or to hold a sensitive position 
``enroll'' the individuals (enrollees) by electronically entering their 
identifying information into the CE System, an information technology 
system that conducts automated checks of security-relevant information.
    All D/As are required to submit their qualifying populations for CE 
automated record checks. D/As may choose to develop a CE system of 
their own, or subscribe to CE services provided by another agency. NCSC 
will provide CE services to subscribing agencies via the ODNI CE 
System. The CE System conducts automated checks of government and 
commercial databases and, based on personnel security business rules, 
transmits electronic alerts and reports to the subscribing agency. 
Databases queried in the CE process are those that contain security-
relevant information, e.g., government-owned financial, law 
enforcement, terrorism, foreign travel, and current clearance status 
information. Credit bureau records and commercially-aggregated 
publically available data are also used. On receipt of an electronic 
alert or report, authorized personnel security officials at the 
subscribing agency verify that the alert or report received pertains to 
the enrollee (the subject of the electronic queries). Where the agency 
verifies that the alert or report pertains to the enrollee, authorized 
personnel security officials review the nature of the alert or report 
to determine the need for further investigation, as dictated by Federal 
Investigative Standards requirements. Information obtained through any 
follow-on investigation is considered in adjudicating the enrollee's 
continued eligibility for access to classified information or to hold a 
sensitive position.
    The ODNI CE System retains the enrollment information (personal 
identifiers provided by the subscribing agency to facilitate ongoing CE 
checks for individuals who are enrolled in the CE System. The system 
does not retain the records returned from the electronic database 
queries beyond the time

[[Page 61326]]

needed to ensure proper electronic delivery to the subscribing agency. 
Data necessary to implement CE business rules, to perform program 
assessments, and to satisfy auditing requirements will be retained. D/
As conducting CE will adhere to the principles articulated in Security 
Executive Agent Directive (SEAD) 6, Continuous Evaluation. SEAD 6 
establishes policy and provides high-level guidance and requirements 
specific to the personnel security investigative process.
    The CE System is being revised to now also conduct one-time 
electronic record checks for initial vetting of individuals seeking 
Executive Branch employment that requires eligibility for access to 
classified information or to hold a sensitive position. Employment 
applicants receiving one-time checks of security-relevant information 
are not enrolled in the CE System for ongoing record checks, and 
personal identifiers and records returned are only retained in the 
system for the time needed to ensure proper electronic delivery to the 
subscribing agency.

DATES: This revised System of Records Notice will go into effect on 
November 5, 2021, unless comments are received that result in a 
contrary determination.

ADDRESSES: You may submit comments by any of the following methods:
    Federal eRulemaking Portal: https://www.regulations.gov.
    Email: [email protected].
    Mail: Director, Information Management Office, Chief Operating 
Officer, ODNI, Washington, DC 20511.

SUPPLEMENTARY INFORMATION: The ODNI CE System provides the technical 
capability to conduct automated record checks pursuant to Public Law 
114-113, 5 U.S.C. 11001 (Enhanced Personnel Security Programs); 
Executive Order 12968, as amended (Access to Classified Information); 
Executive Order 13467, as amended, (Reforming Processes Related to 
Suitability for Government Employment, Fitness for Contractor 
Employees, and Eligibility for Access to Classified National Security 
Information), and; Executive Order 13764 (Amending the Civil Service 
Rules, Executive Order 13488, and Executive Order 13467 to Modernize 
the Executive Branch-Wide Governance Structure and Processes for 
Security Clearances, Suitability and Fitness for Employment, and 
Credentialing, and Related Matters).
    To protect classified and sensitive personnel or law enforcement 
information covered by this system of records, the Director of National 
Intelligence (DNI) has exempted this system from certain requirements 
of the Privacy Act where necessary, as permitted by law. By previously 
established rule, the DNI may exempt records contained in this system 
of records from the requirements of subsections (c)(3), (d)(1), (d)(2), 
(d)(3), (d)(4), (e)(1), (e)(4)(G), (H), (I), and (f) of the Privacy Act 
pursuant to 5 U.S.C. 552a(k)(1), (k)(2) and (k)(5). Additionally, the 
DNI may exercise derivative exemption authority by preserving the 
exempt status of records received from providing agencies when the 
reason for exemption remains valid. See 32 CFR part 1701.20 (a)(2) (73 
FR 16531, 16537).

SYSTEM NAME AND NUMBER:
    Continuous Evaluation Records (ODNI/NCSC-003).

SECURITY CLASSIFICATION:
    The classification of records in this system ranges from 
UNCLASSIFIED to TOP SECRET.

SYSTEM LOCATION:
    National Counterintelligence and Security Center, Office of the 
Director of National Intelligence, Washington, DC 20511.

SYSTEM MANAGER(S):
    Assistant Director, Special Security Directorate, ODNI/NCSC, 
Washington, DC 20511.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The Intelligence Reform and Terrorism Prevention Act of 2004, 
Public Law 108-458, 118 Stat. 3638 (Dec. 17, 2004); the National 
Security Act of 1947, as amended, 50 U.S.C. 3023 et seq.; the 
Counterintelligence Enhancement Act of 2002, as amended, 50 U.S.C. 
3382; Executive Order 12333, 46 FR 59941 (1981), as amended by 
Executive Order 13284, 68 FR 4075 (2003), Executive Order 13355, 69 FR 
53593 (2004), and Executive Order 13470, 73 FR 45325 (2008); Executive 
Order 13488, 74 FR 4111 (2009), as amended by Executive Order 13764, 82 
FR 8115 (2017); Executive Order 13549, 75 FR 51609 (2010); Executive 
Order 12968, 60 FR 40245 (1995), as amended by Executive Order 13467, 
73 FR 38103 (2008), and Executive Order 13764, 82 FR 8115 (2017); 
Executive Order 13467, as amended by Executive Order 13764 82 FR 8115 
(2017).

PURPOSE(S) OF THE SYSTEM:
    Records in this system of records are collected for the purpose of 
electronically comparing an individual's identifying data against 
specified U.S. Government (financial, law enforcement, terrorism, 
foreign travel, and clearance status) databases and credit bureau and 
commercial public records databases. The comparison serves to identify 
security-relevant conduct, practices, activities, or incidents that 
personnel security officials evaluate, consistent with the Federal 
Investigative Standards, to determine a CE enrollee's initial and 
continued eligibility for access to classified information or to hold a 
sensitive position. Additionally, one-time record checks of employment 
applicants may be conducted using data within the CE system.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Executive Branch employees, detailees, contractors, and other 
sponsored individuals who have been determined to be eligible for 
access to classified information or eligible to hold a sensitive 
position; applicants seeking Executive Branch employment that requires 
eligibility for access to classified information or to hold a sensitive 
position.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system maintains: (i) Biographic enrollment data including 
name, date and place of birth, Social Security number, gender, current 
address, other first or last names, prior address(es), personal email 
address(es), personal phone numbers, passport information, employment 
type (contractor/government) or other status, and; (ii) data returned 
from or about the automated record checks conducted against current 
clearance status information and against financial, law enforcement, 
credit, terrorism, foreign travel, and commercial databases.

RECORD SOURCE CATEGORIES:
    Record source categories include government-owned financial, law 
enforcement, terrorism, foreign travel databases, and current clearance 
status information, as well as credit and commercial entities, and 
providers of aggregated public source data.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act of 1974, as amended, these records may 
specifically be disclosed outside ODNI as a routine use pursuant to 5 
U.S.C. 552a(b)(3), and as contained in the ODNI rule implementing the 
Privacy Act, 32 CFR part 1701 (73 FR 16531)as follows:
    (i) Except as noted on Standard Forms 85 and 86 and supplemental 
forms thereto (questionnaires for employment in, respectively, ``non-
sensitive'' and

[[Page 61327]]

``national security'' positions within the federal government), a 
record that on its face or in conjunction with other information 
indicates or relates to a violation or potential violation of law, 
whether civil, criminal, administrative, or regulatory in nature, and 
whether arising by general statute, particular program statute, 
regulation, rule, or order issued pursuant thereto, may be disclosed as 
a routine use to an appropriate federal, state, territorial, tribal, 
local law enforcement authority, foreign government, or international 
law enforcement authority, or to an appropriate regulatory body charged 
with investigating, enforcing, or prosecuting such violations;
    (ii) A record from a system of records maintained by ODNI may be 
disclosed as a routine use to representatives of another Intelligence 
Community (IC) entity addressing intelligence equities in the context 
of a legislative proceeding or hearing when ODNI interests are 
implicated, and the record is relevant and necessary to the matter;
    (iii) A record from a system of records maintained by ODNI may be 
disclosed as a routine use in a proceeding before a court or 
adjudicative body when any of the following is a party to litigation or 
has an interest in such litigation, and the ODNI Office of General 
Counsel determines that use of such records is relevant and necessary 
to the litigation: ODNI; any staff of ODNI in his/her official 
capacity; any staff of ODNI in his/her individual capacity where the 
Department of Justice has agreed to represent the staff or has agreed 
to provide counsel at government expense; or the United States or 
another federal agency, where the ODNI Office of General Counsel 
determines that litigation is likely to affect the ODNI;
    (iv) A record from this system of records may be disclosed to the 
Department of Justice when: (a) ODNI, or any component thereof; or (b) 
any employee of ODNI in his/her official capacity; or (c) any employee 
of ODNI in his/her individual capacity where the Department of Justice 
has agreed to represent the employee; or (d) the United States, where 
ODNI determines that litigation is likely to affect the agency, or any 
of its components, is a party to litigation or has an interest in such 
litigation, and the use of such records by the Department of Justice is 
deemed by the agency to be relevant and necessary to the litigation 
provided, however, that in each case, the agency determines that 
disclosure of the records to the Department of Justice is a use of the 
information contained in the records that is compatible with the 
purpose for which the records were collected.
    (v) A record from a system of records maintained by ODNI may be 
disclosed as a routine use to representatives of the Department of 
Justice and other U.S. Government entities, to the extent necessary to 
obtain advice on any matter within the official responsibilities of 
such representatives, and the responsibilities of ODNI;
    (vi) A record from a system of records maintained by ODNI may be 
disclosed as a routine use to a federal, state, or local agency or 
other appropriate entities or individuals from which/whom information 
may be sought relevant to: a decision concerning the hiring or 
retention of an employee or other personnel action; the issuing or 
retention of a security clearance or special access, contract, grant, 
credential, or other benefit; or the conduct of an authorized 
investigation or inquiry, to the extent necessary to identify the 
individual, inform the source of the nature and purpose of the inquiry, 
and identify the type of information requested;
    (vii) A record from a system of records maintained by ODNI may be 
disclosed as a routine use to any federal, state, local, tribal, or 
other public authority, or to a legitimate agency of a foreign 
government or international authority to the extent the record is 
relevant and necessary to the other entity's decision regarding the 
hiring or retention of an employee or other personnel action, the 
issuing or retention of a security clearance or special access, 
contract, grant, license, or other benefit, or the conduct of an 
authorized inquiry or investigation;
    (viii) A record from a system of records maintained by ODNI may be 
disclosed as a routine use to any agency, for authorized audit 
operations, and for meeting-related reporting requirements, including 
disclosure to the National Archives and Records Administration for 
records management inspections and such other purposes conducted under 
the authority of 44 U.S.C. 2904 and 2906, or successor provisions;
    (ix) A record from a system of records maintained by ODNI may be 
disclosed as a routine use to contractors, grantees, experts, 
consultants, or others when access to the record is necessary to 
perform the function or service for which they have been engaged by the 
ODNI;
    (x) A record from the Continuous Evaluation system of records 
maintained by ODNI may be disclosed as a routine use to any federal 
agency that has provided employee enrollment data to ODNI for purposes 
of conducting continuous evaluation when records obtained by ODNI are 
relevant to the subscribing agency's adjudication of the employee's 
continued eligibility for access to classified information or to hold a 
sensitive position.
    (xi) A record from a system of records maintained by ODNI may be 
disclosed as a routine use to appropriate agencies, entities, and 
persons when: (1) ODNI suspects or has confirmed that there has been a 
breach of the system of records; (2) ODNI has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, ODNI (including its information systems, programs, and 
operations), the federal government, or national security, and; (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with the Department's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.
    (xii) A record from a system of records maintained by ODNI may be 
disclosed as a routine use to another federal agency or federal entity, 
when the ODNI determines that information from this system of records 
is reasonably necessary to assist the recipient agency or entity in: 
(1) responding to a suspected or confirmed breach, or; (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the recipient 
agency or entity (including its information systems, programs, and 
operations), the federal government, or national security, resulting 
from a suspected or confirmed breach.
    (xiii) A record from a system of records maintained by ODNI may be 
disclosed as a routine use to a federal, state, local, tribal, 
territorial, foreign, or multinational agency or entity or to any other 
appropriate entity or individual for any of the following purposes: To 
provide notification of a serious terrorist threat for the purpose of 
guarding against or responding to such threat; to
    assist in coordination of terrorist threat awareness, assessment, 
analysis, or response, or; to assist the recipient in performing 
authorized responsibilities relating to terrorism or counterterrorism;
    (xiv) A record from a system of records maintained by ODNI may be 
disclosed as a routine use for the purpose of conducting or supporting 
authorized counterintelligence activities as defined by section 3003(3) 
of the National Security Act of 1947, as amended, to elements of the 
IC, as defined by section 3003(4) of the National Security Act of 1947, 
as amended, to the head of any federal agency or department, and to 
selected

[[Page 61328]]

counterintelligence officers within the federal government, and;
    (xv) A record from a system of records maintained by ODNI may be 
disclosed as a routine use to a federal, state, local, tribal, 
territorial, foreign, or multinational government agency or entity, or 
to other authorized entities or individuals, but only if such 
disclosure is undertaken in furtherance of responsibilities conferred 
by, and in a manner consistent with: the National Security Act of 1947, 
as amended; the Counterintelligence Enhancement Act of 2002, as 
amended; Executive Order 12333 or any successor order together with its 
implementing procedures approved by the Attorney General, and; other 
provisions of law, Executive Order or directive relating to national 
intelligence, or otherwise applicable to ODNI. This routine use is not 
intended to supplant the other routine uses published by the ODNI.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic records are stored in secure file-servers located in 
government-managed facilities on secure private cloud-based systems 
that are connected only to a government network.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The records in this system are retrieved by name, Social Security 
number, or other unique identifier. Information may be retrieved from 
this system of records by automated capabilities used in the normal 
course of business. All searches of this system of records are 
performed by authorized Executive Branch security personnel.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Pursuant to 44 U.S.C. 3303a(d) and 36 CFR Chapter 12, Subchapter 
B--Records Management, CE records about applicants seeking Executive 
Branch employment that requires eligibility for access to classified 
information or to hold a sensitive position; and CE records about 
Executive Branch employees, detailees, contractors, and other sponsored 
individuals who have been determined to be eligible for access to 
classified information or eligible to hold a sensitive position; are 
covered by the National Archives and Records Administration (NARA) 
General Records Schedule (GRS) 5.6, Security Records. All CE records 
will be retained and disposed of according to the applicable NARA GRS 
provisions. Biographic data and data about protecting and accessing 
information will be retained consistent with the Privacy Act of 1974, 5 
U.S.C. 552a, and GRS 4.2, Information Access and Protection Records. 
Records about security data and information systems are listed in GRS 
3.2, Information Systems Security Records.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Information in this system is safeguarded in accordance with 
recommended and/or prescribed administrative, physical, and technical 
safeguards. Records are maintained in secure government-managed 
facilities with access limited to authorized personnel. Physical 
security protections include guards and locked facilities requiring 
badges and passwords for access.
    Records are accessed only by current government-authorized 
personnel whose official duties require access to the records. 
Electronic authorization and authentication of users is required at all 
points before any system information can be accessed. Communications 
are encrypted where required and other safeguards are in place to 
monitor and audit access, and to detect intrusions. System backup is 
maintained separately.

RECORD ACCESS PROCEDURES:
    As specified below, records in this system have been exempted from 
certain notification, access, and amendment procedures. A request for 
access shall be made in writing with the envelope and letter clearly 
marked ``Privacy Act Request.'' Requesters shall provide their full 
name and complete address. The requester must sign the request and have 
it verified by a notary public. Alternately, the request may be 
submitted under 28 U.S.C. 1746, certifying the requester's identity and 
understanding that obtaining a record under false pretenses constitutes 
a criminal offense. Requests for access to information must be 
addressed to the Director, Information Management Office, Chief 
Operating Officer, Office of the Director of National Intelligence, 
Washington, DC 20511. Regulations governing access to one's records or 
for appealing an initial determination concerning access to records are 
contained in the ODNI regulation implementing the Privacy Act, 32 CFR 
part 1701 (73 FR 16531).

CONTESTING RECORD PROCEDURES:
    As specified below, records in this system are exempt from certain 
notification, access, and amendment procedures. Individuals seeking to 
correct or amend non-exempt records should address their requests to 
ODNI at the address and according to the requirements set forth above 
under the heading ``Record Access Procedures.'' Regulations governing 
access to and amendment of one's records or for appealing an initial 
determination concerning access or amendment of records are contained 
in the ODNI regulation implementing the Privacy Act, 32 CFR part 1701 
(73 FR 16531).

NOTIFICATION PROCEDURES:
    As specified below, records in this system are exempt from certain 
notification, access, and amendment procedures. Individuals seeking to 
learn whether this system contains non- exempt information about them 
should address inquiries to ODNI at the address and according to the 
requirements set forth above under the heading ``Record Access 
Procedures.''

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    The Privacy Act authorizes ODNI to exempt records contained in this 
system of records from the requirements of subsections (c)(3), (d)(1), 
(d)(2), (d)(3), (d)(4), (e)(1), (e)(4)(G), (H), (I), and (f) of the 
Privacy Act pursuant to 5 U.S.C. 552a(k)(1), (k)(2) and (k)(5). In 
addition, pursuant to published rule, ODNI may derivatively exempt 
records from other agencies in this system from the requirements of the 
subsections listed above, as well as subsections (c)(4), (e)(2), 
(e)(3), (e)(5), (e)(8), (e)(12), and (g) of the Privacy Act consistent 
with any exemptions claimed under 5
    U.S.C. 552a(j) or (k) by the originator of the record, provided the 
reason for the exemption remains valid and necessary.

HISTORY:
    This is a revision to an existing ODNI/NCSC CE system of records, 
Continuous Evaluation Records (ODNI/NCSC-003), 83 FR 61395 (Nov. 29, 
2018).
    In accordance with 5 U.S.C. 552(r), ODNI has provided a report of 
this revision to the Office of Management and Budget and to Congress.

Gregory M. Koch,
Director, Information Management Office, Chief Operating Officer, 
Office of the Director of National Intelligence.
[FR Doc. 2021-24267 Filed 11-4-21; 8:45 am]
BILLING CODE 9500-01-P-P