Privacy Act of 1974; System of Records, 64448-64452 [2021-25136]

Download as PDF 64448 Federal Register / Vol. 86, No. 220 / Thursday, November 18, 2021 / Notices DEPARTMENT OF AGRICULTURE Forest Service Southwest Montana Resource Advisory Committee Forest Service, Agriculture (USDA). ACTION: Notice of meeting. AGENCY: The Southwest Montana Resource Advisory Committee (RAC) will hold two virtual meetings by phone and/or video conference. The committee is authorized under the Secure Rural Schools and Community SelfDetermination Act (the Act) and operates in compliance with the Federal Advisory Committee Act. The purpose of the committee is to improve collaborative relationships and to provide advice and recommendations to the Forest Service concerning projects and funding consistent with Title II of the Act as well as to make recommendations on recreation fee proposals for sites on the BeaverheadDeerlodge National Forest within Beaverhead, Jefferson, Madison, and Silver Bow Counties, consistent with the Federal Lands Recreation Enhancement Act. RAC information and virtual meeting information can be found at the following website: https:// www.fs.usda.gov/main/bdnf/working together/advisorycommittees. DATES: The virtual meetings will be held on: • December 13, 2021, 9:00 a.m.–12:00 p.m., Mountain Standard Time; and • December 14, 2021, 9:00 a.m.–12:00 p.m., Mountain Standard Time. All RAC meetings are subject to cancellation. For status of the meetings prior to attendance, please contact the person listed under FOR FURTHER INFORMATION CONTACT. ADDRESSES: The meetings will be held virtually via telephone and/or video conference. Details on how members of the public can join the meetings can be found at the website link in the above SUMMARY. Written comments may be submitted as described under SUPPLEMENTARY INFORMATION. All comments, including names and addresses when provided, are placed in the record and are available for public inspection and copying. The public may inspect comments received upon request. FOR FURTHER INFORMATION CONTACT: Cheri Ford, Designated Federal Officer (DFO), by phone at 406–683–3973 or email at cheri.ford@usda.gov or Jeanne Dawson, RAC Coordinartor, at 406–683– 3987 or email at jeanne.dawson@ usda.gov. khammond on DSKJM1Z7X2PROD with NOTICES SUMMARY: VerDate Sep<11>2014 17:11 Nov 17, 2021 Jkt 256001 Individuals who use telecommunication devices for the deaf/ hard-of-hearing (TDD) may call the Federal Relay Service (FRS) at 1–800– 877–8339, 24 hours a day, every day of the year, including holidays. SUPPLEMENTARY INFORMATION: The purpose of the meetings are to: 1. Hear from Title II project proponents and discuss Title II project proposals; 2. Make funding recommendations on Title II projects; 3. Discuss recreation fee proposals for developed recreation sites; and 4. Make recommendations on fees for the recreation fee proposals. The meetings are open to the public. The agenda will include time for people to make oral statements of three minutes or less. Individuals wishing to make an oral statement should make a request in writing by Monday, November 29, 2021, to be scheduled on the agenda for a particular meeting. Anyone who would like to bring related matters to the attention of the committee may file written statements with the committee staff before or after the meeting. Written comments and requests for time for oral comments must be sent to Jeanne Dawson, RAC Coordinator, 420 Barrett Street, Dillon, MT 59725 or by email to jeanne.dawson@usda.gov. Meeting Accommodations: Please make requests in advance for sign language interpreter services, assistive listening devices, or other reasonable accommodation. For access to proceedings, please contact the person listed in the section titled FOR FURTHER INFORMATION CONTACT. All reasonable accommodation requests are managed on a case-by-case basis. Equal opportunity practices, in line with USDA policies, will be followed in all membership appointments to the RAC. To help ensure that recommendations of the RAC have taken into account the needs of the diverse groups served by the Department, membership shall include, to the extent practicable, individuals with demonstrated ability to represent minorities, women, and persons with disabilities. The USDA prohibits discrimination in all of its programs and activities on the basis of race, color, national origin, religion, sex, gender identity (including gender expression), sexual orientation, disability, age, marital status, family/ parental status, political beliefs, income derived from a public assistance program, or reprisal or retaliation for prior civil rights activity in any program or activity conducted or funded by USDA (not all bases apply to all programs). PO 00000 Frm 00004 Fmt 4703 Sfmt 4703 Dated: November 12, 2021. Cikena Reid, USDA Committee Management Officer. [FR Doc. 2021–25107 Filed 11–17–21; 8:45 am] BILLING CODE 3411–15–P DEPARTMENT OF COMMERCE [Docket No. 210923–0194] Privacy Act of 1974; System of Records Department of Commerce, Office of the Secretary. ACTION: Notice of a new system of records. AGENCY: This notice announces the Department of Commerce’s (Department) proposal to establish a new system of records entitled ‘‘COMMERCE/DEPT–31, Public Health Emergency Records of Employees, Visitors, and Other Individuals at Department Locations’’ under the Privacy Act of 1974, and the Office of Management and Budget (OMB) Circular A–108, ‘‘Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act’’. This system of records describes the Department’s collection, use, and maintenance of records on individuals associated with the Department and its facilities during a public health emergency or similar health and safety incident. This newly established system will be included in the Department’s inventory of record systems. We invite public comment on the new system announced in this publication. DATES: This new system of records will become effective upon publication, subject to a 30-day comment period in which to comment on the routine uses, described below. Please submit any comments by December 20, 2021. ADDRESSES: You may submit written comments to Tahira Murphy, Acting Program Director for Privacy Act Compliance, tmurphy2@doc.gov. FOR FURTHER INFORMATION CONTACT: Tahira Murphy, Acting Program Director for Privacy Act Compliance, (202) 482–8075. SUPPLEMENTARY INFORMATION: The Department of Commerce must ensure the safety of its workforce and the public, including when the Secretary of Health and Human Services (HHS) or other designated official determines and declares that a public health emergency exists or when a similar health and safety emergency or incident occurs. Responses to public health emergencies or similar health and safety incidents SUMMARY: E:\FR\FM\18NON1.SGM 18NON1 khammond on DSKJM1Z7X2PROD with NOTICES Federal Register / Vol. 86, No. 220 / Thursday, November 18, 2021 / Notices depend on the nature of the emergency or incident, but in the context of an infectious disease outbreak, or a pandemic or epidemic that can cause widespread harm to the health of individuals, the Department of Commerce may collect information on Department personnel (including employees, detailees, guest researchers, affiliates, interns, and volunteers), contractors, long-term trainees, mission support individuals, and visitors at or on Department locations (including buildings, grounds, ships, aircraft, vehicles, or properties that are owned or leased by the Department; otherwise used by the Department for meetings, conferences, events, or other official business; or contractor or subcontractor workplace locations and individuals in those locations working on or in connection with a Federal Government contract or contract-like instrument) in order to ensure a safe and secure work environment. The information collected may include names and contact information; individual circumstances and dates of suspected exposure; testing results, symptoms, and treatments; health status information, and other information related to the public health emergency. For federal employees, in certain instances, depending on the type of record collected and maintained, this information will also be maintained and covered by OPM/GOVT–10, Employee Medical File System Records, 75 FR 35099 (June 21, 2010), and modified at 80 FR 74815 (Nov. 30, 2015). However, any collection and use of records covered by COMMERCE/DEPT–31, Public Health Emergency Records of Employees, Visitors, and Other Individuals at Department Locations, is only permitted during times of a public health emergency or similar health and safety incident and when the circumstances permit the Department to collect and maintain such information on the various categories of Department personnel, contractors, long-term trainees, mission support individuals, and visitors at Department locations. The circumstances must be examined in conjunction with all applicable laws, including the U.S. Constitution, federal privacy laws, federal labor and employment laws, and federal workforce health and safety laws. Different laws may apply depending upon the type of information at issue, who the information pertains to, who collected the information, and how the information is collected, maintained, and used by the Department. For instance, when collecting information on Department employees, there are several employment laws that govern the collection, dissemination, VerDate Sep<11>2014 17:11 Nov 17, 2021 Jkt 256001 and retention of employee medical information. These employment laws include the Americans with Disabilities Act of 1990, as amended (ADA), the Rehabilitation Act of 1973 (Rehab Act), and the Occupational Safety and Health Act of 1970 (OSH Act). Generally, under federal employment laws, medical information pertaining to employees is confidential and may be obtained by an employer only for certain reasons and only at certain points in the employment relationship. During a public health emergency, an employer may be permitted to collect certain employee medical information that it would not otherwise be permitted to collect depending upon the circumstances. Whether an employer is permitted to collect otherwise confidential employee medical information during a public health emergency depends upon whether an employee or a potential employee poses a ‘‘direct threat’’ to others within the meaning of the ADA and the Rehab Act. Again, this system of records will apply if it is determined that the circumstances permit the Department to legally collect the employee medical information at issue in the first instance. Information stored in this system of records may be shared with other Department components that have a need to know the information to carry out their mission essential functions, but only if it is first determined that the information may be shared under all other applicable laws and Department policies. In addition, the Department may share information with appropriate federal, state, local, tribal, territorial, foreign, or international government agencies consistent with the routine uses set forth in this system of records notice, but, again, only if it is first determined that the information may be shared under all other applicable laws and Department policies. This newly established system will be included in the Department’s inventory of record systems. Privacy Act The Privacy Act embodies fair information practice principles in a statutory framework governing the means by which federal government agencies collect, maintain, use, and disseminate individuals’ records. The Privacy Act applies to information that is maintained in a ‘‘system of records.’’ A ‘‘system of records’’ is a group of any records under the control of an agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the PO 00000 Frm 00005 Fmt 4703 Sfmt 4703 64449 individual. In the Privacy Act, an individual is defined to encompass U.S. citizens and lawful permanent residents. Additionally, the Judicial Redress Act (JRA) provides covered persons with a statutory right to make requests for access and amendment to covered records, as defined by the JRA, along with judicial review for denials of such requests. In addition, the JRA prohibits disclosures of covered records, except as otherwise permitted by the Privacy Act. Below is the description of the COMMERCE/DEPT–31, Public Health Emergency Records of Employees, Visitors, and Other Individuals at Department Locations, system of records. In accordance with 5 U.S.C. 552a(r), the Department has provided a report of this system of records to the Office of Management and Budget and to Congress. SYSTEM NAME AND NUMBER: COMMERCE/DEPT–31, Public Health Emergency Records of Employees, Visitors, and Other Individuals at Department Locations. SECURITY CLASSIFICATION: Controlled Unclassified Information. SYSTEM LOCATION: Records are maintained at the Department of Commerce (Department) Headquarters, component offices, field offices, and contractor-owned and operated facilities. SYSTEM MANAGER AND ADDRESS: Director, Office of Privacy and Open Government, U.S. Department of Commerce, 1401 Constitution Ave. NW, Room 61025, Washington, DC 20230. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Section 319 of the Public Health Service (PHS) Act (42 U.S.C. 247d); Coronavirus Aid, Relief, and Economic Security (CARES) Act, Public Law 116– 136, Div. B., Title VIII, sec. 18115, 134 Stat. 574 (codified in 42 U.S.C. 247d note); 21 U.S.C. 360bbb–3; Rehabilitation Act, 29 U.S.C. 701 et. seq.; Americans with Disabilities Act of 1990, as amended, 102(d), 42 U.S.C. 12112(d); 29 CFR part 1602; 29 CFR part 1630; Medical Examinations for Fitness for Duty Requirements, including 5 CFR part 339; Workforce safety federal requirements, including the Occupational Safety and Health Act of 1970, Executive Order 12196, 5 U.S.C. 7902; 29 U.S.C. chapter 15 (e.g., 29 U.S.C. 668), 29 CFR part 1904, 29 CFR part 1910, and 29 CFR part 1960; and the Genetic Information Nondiscrimination Act of 2008, 42 E:\FR\FM\18NON1.SGM 18NON1 64450 Federal Register / Vol. 86, No. 220 / Thursday, November 18, 2021 / Notices U.S.C. 2000ff to ff–11, and 29 CFR part 1635; and other federal laws, regulations, Executive orders, or guidance related to the specific public health emergency or similar health and safety incident, including guidance issued by the Office of Management and Budget, the Centers for Disease Control and Prevention, or other appropriate agency or entity, as applicable. PURPOSE(S) OF THE SYSTEM: The purpose of this system is to maintain records to protect the Department’s workforce and other individuals at or on ‘‘Department locations’’—which is defined to include buildings, grounds, ships, aircraft, vehicles, or properties that are owned or leased by the Department; otherwise used by the Department for meetings, conferences, events, or other official business; or contractor or subcontractor workplace locations and individuals in those locations working on or in connection with a Federal Government contract or contract-like instrument— and respond to or mitigate a public health emergency or similar health and safety incident. For instance, the Department may use the information collected to conduct contact tracing (i.e., the subsequent identification, monitoring, and support of a confirmed or probable case’s close contacts who have been exposed to, and possibly infected with, a disease or illness at or on Department locations); institute preventative testing or other measures to permit entry to Department locations to minimize exposure; and fulfill testing reporting requirements, to the extent permitted by law. khammond on DSKJM1Z7X2PROD with NOTICES CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Department personnel (including employees, detailees, guest researchers, affiliates, interns, and volunteers), longterm trainees (such as Honors graduates, Pathways employees, Temporary, Notto-Exceed (NTE) employees, Knauss Fellows, etc.), contractors, mission support individuals, visitors (such as all other federal employees, applicants, and members of the public) at or on Department locations, and potentially affected individuals otherwise present during official Department business. For example, individuals covered by this system may include those who are suspected or confirmed to have a disease or illness that is the subject of a public health emergency, may have been or could have been exposed to someone who is suspected or confirmed to have a disease or illness that is the subject of a public health emergency, or who must undergo preventative testing VerDate Sep<11>2014 17:11 Nov 17, 2021 Jkt 256001 or treatment (e.g., vaccines) for a disease or illness that is the subject of a public health emergency. Mission support individuals include those individuals who are assigned from other federal, state, local, or private agencies to support Department missions and operations at Department locations. The system also covers individuals listed as emergency contacts for such individuals. CATEGORIES OF RECORDS IN THE SYSTEM: The records in this system include information related to the public health emergency or similar health and safety incident that is relevant and necessary to achieve the purpose of this system or records, which may vary depending on the nature of the specific emergency or incident. For Department personnel, long-term trainees, contractors, and mission support individuals, the information collected may include, for example: Individual’s full name; Preferred phone number(s); Department duty location, facility, and specific work space accessed; Preferred email address(es); Individual’s supervisor’s name, address, and contact information, and/or the contractor’s supervisor/ contracting officer representative name, address, and contact information; Date(s) and circumstances of the individual’s suspected or actual exposure to disease or illness including symptoms, as well as locations within the Department workplace where an individual may have contracted or been exposed to the disease or illness, and names and contact information of other employees, long-term trainees, contractors, mission support individuals, or visitors that the individual interacted with at or on a Department location during time the individual was suspected to or had contracted the disease or illness; Work status of the individual (e.g., administrative leave, sick leave, teleworking, in the office, deployed to the field) and affiliated leave status information; Emergency contact information; Other individual information directly related to the disease or illness, such as vaccination status, testing results/information, symptoms, source of potential exposure, or prior infection status; Other information for identification verification purposes when disclosing testing results or other health emergency data to third-parties; and Information collected in accordance with CARES Act reporting requirements or other statutory, regulatory, and administrative reporting requirements. For visitors at Department locations, the information collected may include, for example: Full PO 00000 Frm 00006 Fmt 4703 Sfmt 4703 name; Preferred phone number(s); Preferred email address(es); Date(s) and time(s) of entrance and exit from Department workspaces, ships, aircraft, facilities, and grounds; Name(s) of all individuals encountered while in or at Department locations; Public-health emergency-related data, such as vaccination status, testing results/ information, symptoms, source of potential exposure, or prior infection status; Emergency contact information; and Information indicating plans on entering a Department location in the near future. RECORD SOURCE CATEGORIES: When permitted by applicable law, records may be obtained from Department personnel, long-term trainees, contractors, mission support individuals, and visitors at or on Department locations; their family members; federal, state, local, tribal, territorial, and foreign government agencies; employers; and other entities and individuals who may provide relevant information on a suspected or confirmed disease or illness that is the subject of a public health emergency. Records in this system may also be obtained from security systems or other systems of records, such as OPM/ GOVT–10. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES: In the event the Department’s Senior Agency Official for Privacy or other senior Department privacy official determines, in consultation with the Office of the General Counsel, that disclosure of a record contained in this system is not prohibited by the Rehabilitation Act or other applicable laws, regulations, or policies, that record may be disclosed as generally permitted by the Privacy Act and for the following routine uses pursuant to 5 U.S.C. 552a(b)(3): 1. In the event that a system of records maintained by the Department to carry out its functions indicates a violation or potential violation of law or contract, whether civil, criminal or regulatory in nature and whether arising by general statute or particular program statute or contract, or rule, regulation, or order issued pursuant thereto, or the necessity to protect an interest of the Department, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether federal, state, local or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute or contract, or rule, regulation, or E:\FR\FM\18NON1.SGM 18NON1 khammond on DSKJM1Z7X2PROD with NOTICES Federal Register / Vol. 86, No. 220 / Thursday, November 18, 2021 / Notices order issued pursuant thereto, or protecting the interest of the Department. 2. A record from this system of records may be disclosed, as a routine use, to a federal, state, or local agency maintaining civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary to obtain information relevant to the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant or other benefit. 3. A record from this system of records may be disclosed, as a routine use, to a federal, state, local, or international agency, in response to its request, in connection with the issuance of a security clearance, the reporting of an investigation of an individual, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency’s decision on the matter. 4. A record from this system of records may be disclosed, as a routine use, in the course of presenting evidence to a court, magistrate or administrative tribunal, including disclosures to duly-authorized investigators or opposing counsel in the course of discovery or settlement negotiations. 5. A record in this system of records may be disclosed, as routine use, to a Member of Congress submitting a request involving an individual when the individual has requested assistance from the Member with respect to the subject matter of the record. 6. A record in this system of records which contains medical information may be disclosed, as a routine use, to the medical advisor of any individual submitting a request for access to the record under the Act and 15 CFR part 4, subpart B if, in the sole judgment of the Department, disclosure directly to the individual could have an adverse effect upon the individual, under the provision of 5 U.S.C. 552a(f)(3) and implementing regulations at 15 CFR 4.26. 7. (Reserved) 8. A record in this system of records may be disclosed, as a routine use, to the Office of Management and Budget in connection with the review of private relief legislation as set forth in OMB Circular No. A–19 at any stage of the legislative coordination and clearance process as set forth in that Circular. 9. A record in this system of records may be disclosed, as a routine use, to the Department of Justice in connection with determining whether disclosure VerDate Sep<11>2014 17:11 Nov 17, 2021 Jkt 256001 thereof is required by the Freedom of Information Act (5 U.S.C. 552). 10. A record in this system of records may be disclosed, as a routine use, to a contractor of the Department having need for the information in the performance of the contract, but not operating a system of records within the meaning of 5 U.S.C. 552a(m). 11. (Reserved) 12. A record in this system may be transferred, as a routine use, to the Office of Personnel Management: For personnel research purposes; as a data source for management information; for the production of summary descriptive statistics and analytical studies in support of the function for which the records are collected and maintained; or for related manpower studies. 13. A record from this system of records may be disclosed, as a routine use, to the Administrator, General Services Administration (GSA), or his designee, during an inspection of records conducted by GSA as part of that agency’s responsibility to recommend improvements in records management practices and programs, under authority of 44 U.S.C. 2904 and 2906. Such disclosure shall be made in accordance with the GSA regulations governing inspection of records for this purpose, and any other relevant (i.e., GSA or Department of Commerce) directive. Such disclosure shall not be used to make determinations about individuals. 14. A record in this system of records may be disclosed to appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that there has been a breach of the system of records; (2) the Department has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Department (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. 15. A record in this system of records may be disclosed to another Federal agency or Federal entity, when the Department determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information PO 00000 Frm 00007 Fmt 4703 Sfmt 4703 64451 systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. 16. A record in this system of records may be disclosed to student volunteers, individuals working under a personal services contract, and other workers who technically do not have the status of Federal employees, when they are performing work for the Department and/or its operating units, as authorized by law, as needed to perform their assigned functions. 17. A record in this system may be disclosed to the Department of Treasury for the purpose of reporting and recouping delinquent debts owed the United States pursuant to the Debt Collection Improvement Act of 1996. 18. A record in this system may be disclosed to an agency or organization for the purpose of performing audit or oversight operations as authorized by law, but only such information as is necessary and relevant to such audit or oversight function. 19. A record in this system of records may be disclosed to appropriate federal, state, local, tribal, or foreign governmental agencies or multilateral governmental organizations for the purpose of protecting the vital interests of a data subject or other persons, including to assist such agencies or organizations in preventing exposure to or transmission of a communicable or quarantinable disease, to combat other significant public health threats, or to identify mission critical personnel appropriate for potential early vaccination or other treatment options. 20. A record in this system of records may be disclosed to such recipients and under such circumstances and procedures as are mandated by Federal statute or treaty. 21. A record in this system of records may be disclosed to Federal agencies such as the Department of Health and Human Services (HHS), State and local health departments, and other public health or cooperating medical authorities in connection with program activities and related collaborative efforts to deal more effectively with exposures to communicable diseases, and to satisfy mandatory reporting requirements when applicable. 22. A record in this system of records may be disclosed to a potentially affected individual’s emergency contact for purposes of locating the individual to communicate that they may have been exposed to a public health emergency contaminant in a Department location, while otherwise present during official Department business, or at contractor or subcontractor workplace E:\FR\FM\18NON1.SGM 18NON1 64452 Federal Register / Vol. 86, No. 220 / Thursday, November 18, 2021 / Notices locations where individuals in those locations were working on or in connection with a Federal Government contract or contract-like instrument. 23. A record in this system of records may be disclosed to affected individuals or potentially affected individuals, or, when needed, to the (potentially) affected individual’s employer, grantee organization, federal agency to whom the individual is contracted, or other similar designated external points of contact, to the extent the information is necessary for contact tracing. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Records in this system of records are stored electronically or on paper in secure facilities. Electronic records are stored on a secure network. Records are protected from unauthorized access and improper use through administrative, technical, and physical security measures. Medical information collected is maintained on separate forms and in separate medical files and is treated as a confidential medical record. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: The Department may retrieve records by any of the categories of records, including name, location, date of vaccination, date of potential exposure, or work status. khammond on DSKJM1Z7X2PROD with NOTICES POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: All records are retained and disposed of in accordance with National Archive and Records Administration regulations (36 CFR chapter XII, subchapter B— Records Management); Departmental directives and comprehensive records schedules; and, to the extent applicable, NOAA Administrative Order 205–01 or other directives issued by a Departmental component. To the extent applicable, to ensure compliance with the Americans with Disabilities Act (ADA), the Rehabilitation Act, and the Genetic Information Nondiscrimination Act of 2008 (GINA), medical information must be maintained on separate forms and in separate medical files and be treated as a confidential medical record. 42 U.S.C. 12112(d)(3)(B); 42 U.S.C. 2000ff–5(a); 29 CFR 1630.14(b)(1), (c)(1), (d)(4)(i); and 29 CFR 1635.9(a). This means that medical information and documents must be stored separately from other personnel records. As such, the Department must keep medical records for at least one year from creation date. 29 CFR 1602.14. Further, any records compiled under this system and incorporated into an occupational VerDate Sep<11>2014 17:11 Nov 17, 2021 Jkt 256001 individual medical case record pursuant to the OSH Act must be maintained in accordance with 5 CFR 293.511(b) and 29 CFR 1910.1020(d), and must be destroyed 30 years after employee separation or when the Official Personnel Folder (OPF) is destroyed, whichever is longer, in accordance with NARA General Records Schedule (GRS) 2.7, Item 60, and NARA records retention schedule DAA–GRS–2017– 0010–0009, to the extent applicable. Visitor processing records are covered by GRS 5.6, Items 110 and 111, and must be destroyed when either two or five years old, depending on security level, but may be retained longer if required for business use, pursuant to DAA–GRS–2017–0006–0014 and –0015. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: The system of records is stored in buildings with doors that are locked during and after business hours. Visitors to the facility must register with security guards and must be accompanied by Federal personnel at all times. Records are stored in a locked room and/or a locked file cabinet. Electronic records containing Privacy Act information are protected by a user identification/ password. The user identification/ password is issued to those individuals who have a need to access the records for the performance of their official duties and who have appropriate clearances or permissions. Technical security safeguards include restrictions on computer access to authorized individuals who have a legitimate need to know the information; required use of strong passwords that are frequently changed; multi-factor authentication for remote access; use of encryption for certain data types and transfers; firewalls and intrusion detection applications; and regular review of security procedures and best practices to enhance security. Physical safeguards include restrictions on building access to authorized individuals and storage of records in locked offices and filing cabinets. All electronic information disseminated by the Department adheres to the standards set out in Appendix III, Security of Automated Information Resources, OMB Circular A–130; the Computer Security Act (15 U.S.C. 278g–3 and 278g–4); and the Government Information Security Reform Act, Public Law 106–398; and follows NIST SP 800–18, Guide for Developing Security Plans for Federal Information Systems; NIST SP 800–26, Security Self-Assessment Guide for Information Technology Systems; and NIST SP 800–53, Recommended PO 00000 Frm 00008 Fmt 4703 Sfmt 4703 Security Controls for Federal Information Systems. RECORD ACCESS PROCEDURES: Requests from individuals should be addressed to: Chief Privacy Officer, U.S. Department of Commerce, Office of Privacy and Open Government, 1401 Constitution Ave. NW, Room 61025, Washington, DC 20230, pursuant to 15 CFR part 4, subpart B. CONTESTING RECORD PROCEDURES: The Department’s rules for access, contesting contents, and appealing initial determinations by the individual concerned appear in 15 CFR part 4, subpart B. Use address cited in Record Access Procedures above. NOTIFICATION PROCEDURES: Requests for notification of the existence of records pertaining to the requester should be submitted pursuant to the inquiry provisions of the Department’s rules which appear in 15 CFR part 4, subpart B. Use address cited in Record Access Procedures above. EXEMPTIONS CLAIMED FOR THE SYSTEM: None. HISTORY: No history. Notice of New System of Record. Jennifer Goode, Department of Commerce, Acting Chief Privacy Officer and Director, Office of Privacy and Open Government. [FR Doc. 2021–25136 Filed 11–17–21; 8:45 am] BILLING CODE 3510–22–P DEPARTMENT OF COMMERCE Foreign-Trade Zones Board [B–55–2021] Foreign-Trade Zone (FTZ) 22— Chicago, Illinois; Authorization of Production Activity AbbVie, Inc. (Pharmaceutical Products) North Chicago and Lake County, Illinois On July 16, 2021, AbbVie, Inc., submitted a notification of proposed production activity to the FTZ Board for its facilities within Subzone 22S, in North Chicago and Lake County, Illinois. The notification was processed in accordance with the regulations of the FTZ Board (15 CFR part 400), including notice in the Federal Register inviting public comment (86 FR 41008, July 30, 2021). On November 15, 2021, the applicant was notified of the FTZ Board’s decision that no further review of the activity is warranted at this time. E:\FR\FM\18NON1.SGM 18NON1

Agencies

[Federal Register Volume 86, Number 220 (Thursday, November 18, 2021)]
[Notices]
[Pages 64448-64452]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25136]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

[Docket No. 210923-0194]


Privacy Act of 1974; System of Records

AGENCY: Department of Commerce, Office of the Secretary.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: This notice announces the Department of Commerce's 
(Department) proposal to establish a new system of records entitled 
``COMMERCE/DEPT-31, Public Health Emergency Records of Employees, 
Visitors, and Other Individuals at Department Locations'' under the 
Privacy Act of 1974, and the Office of Management and Budget (OMB) 
Circular A-108, ``Federal Agency Responsibilities for Review, 
Reporting, and Publication under the Privacy Act''. This system of 
records describes the Department's collection, use, and maintenance of 
records on individuals associated with the Department and its 
facilities during a public health emergency or similar health and 
safety incident. This newly established system will be included in the 
Department's inventory of record systems. We invite public comment on 
the new system announced in this publication.

DATES: This new system of records will become effective upon 
publication, subject to a 30-day comment period in which to comment on 
the routine uses, described below. Please submit any comments by 
December 20, 2021.

ADDRESSES: You may submit written comments to Tahira Murphy, Acting 
Program Director for Privacy Act Compliance, [email protected].

FOR FURTHER INFORMATION CONTACT: Tahira Murphy, Acting Program Director 
for Privacy Act Compliance, (202) 482-8075.

SUPPLEMENTARY INFORMATION: The Department of Commerce must ensure the 
safety of its workforce and the public, including when the Secretary of 
Health and Human Services (HHS) or other designated official determines 
and declares that a public health emergency exists or when a similar 
health and safety emergency or incident occurs. Responses to public 
health emergencies or similar health and safety incidents

[[Page 64449]]

depend on the nature of the emergency or incident, but in the context 
of an infectious disease outbreak, or a pandemic or epidemic that can 
cause widespread harm to the health of individuals, the Department of 
Commerce may collect information on Department personnel (including 
employees, detailees, guest researchers, affiliates, interns, and 
volunteers), contractors, long-term trainees, mission support 
individuals, and visitors at or on Department locations (including 
buildings, grounds, ships, aircraft, vehicles, or properties that are 
owned or leased by the Department; otherwise used by the Department for 
meetings, conferences, events, or other official business; or 
contractor or subcontractor workplace locations and individuals in 
those locations working on or in connection with a Federal Government 
contract or contract-like instrument) in order to ensure a safe and 
secure work environment. The information collected may include names 
and contact information; individual circumstances and dates of 
suspected exposure; testing results, symptoms, and treatments; health 
status information, and other information related to the public health 
emergency. For federal employees, in certain instances, depending on 
the type of record collected and maintained, this information will also 
be maintained and covered by OPM/GOVT-10, Employee Medical File System 
Records, 75 FR 35099 (June 21, 2010), and modified at 80 FR 74815 (Nov. 
30, 2015). However, any collection and use of records covered by 
COMMERCE/DEPT-31, Public Health Emergency Records of Employees, 
Visitors, and Other Individuals at Department Locations, is only 
permitted during times of a public health emergency or similar health 
and safety incident and when the circumstances permit the Department to 
collect and maintain such information on the various categories of 
Department personnel, contractors, long-term trainees, mission support 
individuals, and visitors at Department locations.
    The circumstances must be examined in conjunction with all 
applicable laws, including the U.S. Constitution, federal privacy laws, 
federal labor and employment laws, and federal workforce health and 
safety laws. Different laws may apply depending upon the type of 
information at issue, who the information pertains to, who collected 
the information, and how the information is collected, maintained, and 
used by the Department.
    For instance, when collecting information on Department employees, 
there are several employment laws that govern the collection, 
dissemination, and retention of employee medical information. These 
employment laws include the Americans with Disabilities Act of 1990, as 
amended (ADA), the Rehabilitation Act of 1973 (Rehab Act), and the 
Occupational Safety and Health Act of 1970 (OSH Act). Generally, under 
federal employment laws, medical information pertaining to employees is 
confidential and may be obtained by an employer only for certain 
reasons and only at certain points in the employment relationship. 
During a public health emergency, an employer may be permitted to 
collect certain employee medical information that it would not 
otherwise be permitted to collect depending upon the circumstances. 
Whether an employer is permitted to collect otherwise confidential 
employee medical information during a public health emergency depends 
upon whether an employee or a potential employee poses a ``direct 
threat'' to others within the meaning of the ADA and the Rehab Act. 
Again, this system of records will apply if it is determined that the 
circumstances permit the Department to legally collect the employee 
medical information at issue in the first instance.
    Information stored in this system of records may be shared with 
other Department components that have a need to know the information to 
carry out their mission essential functions, but only if it is first 
determined that the information may be shared under all other 
applicable laws and Department policies.
    In addition, the Department may share information with appropriate 
federal, state, local, tribal, territorial, foreign, or international 
government agencies consistent with the routine uses set forth in this 
system of records notice, but, again, only if it is first determined 
that the information may be shared under all other applicable laws and 
Department policies.
    This newly established system will be included in the Department's 
inventory of record systems.

Privacy Act

    The Privacy Act embodies fair information practice principles in a 
statutory framework governing the means by which federal government 
agencies collect, maintain, use, and disseminate individuals' records. 
The Privacy Act applies to information that is maintained in a ``system 
of records.'' A ``system of records'' is a group of any records under 
the control of an agency from which information is retrieved by the 
name of an individual or by some identifying number, symbol, or other 
identifying particular assigned to the individual. In the Privacy Act, 
an individual is defined to encompass U.S. citizens and lawful 
permanent residents. Additionally, the Judicial Redress Act (JRA) 
provides covered persons with a statutory right to make requests for 
access and amendment to covered records, as defined by the JRA, along 
with judicial review for denials of such requests. In addition, the JRA 
prohibits disclosures of covered records, except as otherwise permitted 
by the Privacy Act.
    Below is the description of the COMMERCE/DEPT-31, Public Health 
Emergency Records of Employees, Visitors, and Other Individuals at 
Department Locations, system of records.
    In accordance with 5 U.S.C. 552a(r), the Department has provided a 
report of this system of records to the Office of Management and Budget 
and to Congress.

SYSTEM NAME AND NUMBER:
    COMMERCE/DEPT-31, Public Health Emergency Records of Employees, 
Visitors, and Other Individuals at Department Locations.

SECURITY CLASSIFICATION:
    Controlled Unclassified Information.

SYSTEM LOCATION:
    Records are maintained at the Department of Commerce (Department) 
Headquarters, component offices, field offices, and contractor-owned 
and operated facilities.

SYSTEM MANAGER AND ADDRESS:
    Director, Office of Privacy and Open Government, U.S. Department of 
Commerce, 1401 Constitution Ave. NW, Room 61025, Washington, DC 20230.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 319 of the Public Health Service (PHS) Act (42 U.S.C. 
247d); Coronavirus Aid, Relief, and Economic Security (CARES) Act, 
Public Law 116-136, Div. B., Title VIII, sec. 18115, 134 Stat. 574 
(codified in 42 U.S.C. 247d note); 21 U.S.C. 360bbb-3; Rehabilitation 
Act, 29 U.S.C. 701 et. seq.; Americans with Disabilities Act of 1990, 
as amended, 102(d), 42 U.S.C. 12112(d); 29 CFR part 1602; 29 CFR part 
1630; Medical Examinations for Fitness for Duty Requirements, including 
5 CFR part 339; Workforce safety federal requirements, including the 
Occupational Safety and Health Act of 1970, Executive Order 12196, 5 
U.S.C. 7902; 29 U.S.C. chapter 15 (e.g., 29 U.S.C. 668), 29 CFR part 
1904, 29 CFR part 1910, and 29 CFR part 1960; and the Genetic 
Information Nondiscrimination Act of 2008, 42

[[Page 64450]]

U.S.C. 2000ff to ff-11, and 29 CFR part 1635; and other federal laws, 
regulations, Executive orders, or guidance related to the specific 
public health emergency or similar health and safety incident, 
including guidance issued by the Office of Management and Budget, the 
Centers for Disease Control and Prevention, or other appropriate agency 
or entity, as applicable.

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to maintain records to protect the 
Department's workforce and other individuals at or on ``Department 
locations''--which is defined to include buildings, grounds, ships, 
aircraft, vehicles, or properties that are owned or leased by the 
Department; otherwise used by the Department for meetings, conferences, 
events, or other official business; or contractor or subcontractor 
workplace locations and individuals in those locations working on or in 
connection with a Federal Government contract or contract-like 
instrument--and respond to or mitigate a public health emergency or 
similar health and safety incident. For instance, the Department may 
use the information collected to conduct contact tracing (i.e., the 
subsequent identification, monitoring, and support of a confirmed or 
probable case's close contacts who have been exposed to, and possibly 
infected with, a disease or illness at or on Department locations); 
institute preventative testing or other measures to permit entry to 
Department locations to minimize exposure; and fulfill testing 
reporting requirements, to the extent permitted by law.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Department personnel (including employees, detailees, guest 
researchers, affiliates, interns, and volunteers), long-term trainees 
(such as Honors graduates, Pathways employees, Temporary, Not-to-Exceed 
(NTE) employees, Knauss Fellows, etc.), contractors, mission support 
individuals, visitors (such as all other federal employees, applicants, 
and members of the public) at or on Department locations, and 
potentially affected individuals otherwise present during official 
Department business. For example, individuals covered by this system 
may include those who are suspected or confirmed to have a disease or 
illness that is the subject of a public health emergency, may have been 
or could have been exposed to someone who is suspected or confirmed to 
have a disease or illness that is the subject of a public health 
emergency, or who must undergo preventative testing or treatment (e.g., 
vaccines) for a disease or illness that is the subject of a public 
health emergency. Mission support individuals include those individuals 
who are assigned from other federal, state, local, or private agencies 
to support Department missions and operations at Department locations. 
The system also covers individuals listed as emergency contacts for 
such individuals.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records in this system include information related to the 
public health emergency or similar health and safety incident that is 
relevant and necessary to achieve the purpose of this system or 
records, which may vary depending on the nature of the specific 
emergency or incident. For Department personnel, long-term trainees, 
contractors, and mission support individuals, the information collected 
may include, for example: Individual's full name; Preferred phone 
number(s); Department duty location, facility, and specific work space 
accessed; Preferred email address(es); Individual's supervisor's name, 
address, and contact information, and/or the contractor's supervisor/
contracting officer representative name, address, and contact 
information; Date(s) and circumstances of the individual's suspected or 
actual exposure to disease or illness including symptoms, as well as 
locations within the Department workplace where an individual may have 
contracted or been exposed to the disease or illness, and names and 
contact information of other employees, long-term trainees, 
contractors, mission support individuals, or visitors that the 
individual interacted with at or on a Department location during time 
the individual was suspected to or had contracted the disease or 
illness; Work status of the individual (e.g., administrative leave, 
sick leave, teleworking, in the office, deployed to the field) and 
affiliated leave status information; Emergency contact information; 
Other individual information directly related to the disease or 
illness, such as vaccination status, testing results/information, 
symptoms, source of potential exposure, or prior infection status; 
Other information for identification verification purposes when 
disclosing testing results or other health emergency data to third-
parties; and Information collected in accordance with CARES Act 
reporting requirements or other statutory, regulatory, and 
administrative reporting requirements. For visitors at Department 
locations, the information collected may include, for example: Full 
name; Preferred phone number(s); Preferred email address(es); Date(s) 
and time(s) of entrance and exit from Department workspaces, ships, 
aircraft, facilities, and grounds; Name(s) of all individuals 
encountered while in or at Department locations; Public-health 
emergency-related data, such as vaccination status, testing results/
information, symptoms, source of potential exposure, or prior infection 
status; Emergency contact information; and Information indicating plans 
on entering a Department location in the near future.

RECORD SOURCE CATEGORIES:
    When permitted by applicable law, records may be obtained from 
Department personnel, long-term trainees, contractors, mission support 
individuals, and visitors at or on Department locations; their family 
members; federal, state, local, tribal, territorial, and foreign 
government agencies; employers; and other entities and individuals who 
may provide relevant information on a suspected or confirmed disease or 
illness that is the subject of a public health emergency. Records in 
this system may also be obtained from security systems or other systems 
of records, such as OPM/GOVT-10.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In the event the Department's Senior Agency Official for Privacy or 
other senior Department privacy official determines, in consultation 
with the Office of the General Counsel, that disclosure of a record 
contained in this system is not prohibited by the Rehabilitation Act or 
other applicable laws, regulations, or policies, that record may be 
disclosed as generally permitted by the Privacy Act and for the 
following routine uses pursuant to 5 U.S.C. 552a(b)(3):
    1. In the event that a system of records maintained by the 
Department to carry out its functions indicates a violation or 
potential violation of law or contract, whether civil, criminal or 
regulatory in nature and whether arising by general statute or 
particular program statute or contract, or rule, regulation, or order 
issued pursuant thereto, or the necessity to protect an interest of the 
Department, the relevant records in the system of records may be 
referred, as a routine use, to the appropriate agency, whether federal, 
state, local or foreign, charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing the statute or contract, or rule, regulation, or

[[Page 64451]]

order issued pursuant thereto, or protecting the interest of the 
Department.
    2. A record from this system of records may be disclosed, as a 
routine use, to a federal, state, or local agency maintaining civil, 
criminal, or other relevant enforcement information or other pertinent 
information, such as current licenses, if necessary to obtain 
information relevant to the issuance of a security clearance, the 
letting of a contract, or the issuance of a license, grant or other 
benefit.
    3. A record from this system of records may be disclosed, as a 
routine use, to a federal, state, local, or international agency, in 
response to its request, in connection with the issuance of a security 
clearance, the reporting of an investigation of an individual, the 
letting of a contract, or the issuance of a license, grant, or other 
benefit by the requesting agency, to the extent that the information is 
relevant and necessary to the requesting agency's decision on the 
matter.
    4. A record from this system of records may be disclosed, as a 
routine use, in the course of presenting evidence to a court, 
magistrate or administrative tribunal, including disclosures to duly-
authorized investigators or opposing counsel in the course of discovery 
or settlement negotiations.
    5. A record in this system of records may be disclosed, as routine 
use, to a Member of Congress submitting a request involving an 
individual when the individual has requested assistance from the Member 
with respect to the subject matter of the record.
    6. A record in this system of records which contains medical 
information may be disclosed, as a routine use, to the medical advisor 
of any individual submitting a request for access to the record under 
the Act and 15 CFR part 4, subpart B if, in the sole judgment of the 
Department, disclosure directly to the individual could have an adverse 
effect upon the individual, under the provision of 5 U.S.C. 552a(f)(3) 
and implementing regulations at 15 CFR 4.26.
    7. (Reserved)
    8. A record in this system of records may be disclosed, as a 
routine use, to the Office of Management and Budget in connection with 
the review of private relief legislation as set forth in OMB Circular 
No. A-19 at any stage of the legislative coordination and clearance 
process as set forth in that Circular.
    9. A record in this system of records may be disclosed, as a 
routine use, to the Department of Justice in connection with 
determining whether disclosure thereof is required by the Freedom of 
Information Act (5 U.S.C. 552).
    10. A record in this system of records may be disclosed, as a 
routine use, to a contractor of the Department having need for the 
information in the performance of the contract, but not operating a 
system of records within the meaning of 5 U.S.C. 552a(m).
    11. (Reserved)
    12. A record in this system may be transferred, as a routine use, 
to the Office of Personnel Management: For personnel research purposes; 
as a data source for management information; for the production of 
summary descriptive statistics and analytical studies in support of the 
function for which the records are collected and maintained; or for 
related manpower studies.
    13. A record from this system of records may be disclosed, as a 
routine use, to the Administrator, General Services Administration 
(GSA), or his designee, during an inspection of records conducted by 
GSA as part of that agency's responsibility to recommend improvements 
in records management practices and programs, under authority of 44 
U.S.C. 2904 and 2906. Such disclosure shall be made in accordance with 
the GSA regulations governing inspection of records for this purpose, 
and any other relevant (i.e., GSA or Department of Commerce) directive. 
Such disclosure shall not be used to make determinations about 
individuals.
    14. A record in this system of records may be disclosed to 
appropriate agencies, entities, and persons when (1) the Department 
suspects or has confirmed that there has been a breach of the system of 
records; (2) the Department has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
the Department (including its information systems, programs, and 
operations), the Federal Government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with the Department's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.
    15. A record in this system of records may be disclosed to another 
Federal agency or Federal entity, when the Department determines that 
information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    16. A record in this system of records may be disclosed to student 
volunteers, individuals working under a personal services contract, and 
other workers who technically do not have the status of Federal 
employees, when they are performing work for the Department and/or its 
operating units, as authorized by law, as needed to perform their 
assigned functions.
    17. A record in this system may be disclosed to the Department of 
Treasury for the purpose of reporting and recouping delinquent debts 
owed the United States pursuant to the Debt Collection Improvement Act 
of 1996.
    18. A record in this system may be disclosed to an agency or 
organization for the purpose of performing audit or oversight 
operations as authorized by law, but only such information as is 
necessary and relevant to such audit or oversight function.
    19. A record in this system of records may be disclosed to 
appropriate federal, state, local, tribal, or foreign governmental 
agencies or multilateral governmental organizations for the purpose of 
protecting the vital interests of a data subject or other persons, 
including to assist such agencies or organizations in preventing 
exposure to or transmission of a communicable or quarantinable disease, 
to combat other significant public health threats, or to identify 
mission critical personnel appropriate for potential early vaccination 
or other treatment options.
    20. A record in this system of records may be disclosed to such 
recipients and under such circumstances and procedures as are mandated 
by Federal statute or treaty.
    21. A record in this system of records may be disclosed to Federal 
agencies such as the Department of Health and Human Services (HHS), 
State and local health departments, and other public health or 
cooperating medical authorities in connection with program activities 
and related collaborative efforts to deal more effectively with 
exposures to communicable diseases, and to satisfy mandatory reporting 
requirements when applicable.
    22. A record in this system of records may be disclosed to a 
potentially affected individual's emergency contact for purposes of 
locating the individual to communicate that they may have been exposed 
to a public health emergency contaminant in a Department location, 
while otherwise present during official Department business, or at 
contractor or subcontractor workplace

[[Page 64452]]

locations where individuals in those locations were working on or in 
connection with a Federal Government contract or contract-like 
instrument.
    23. A record in this system of records may be disclosed to affected 
individuals or potentially affected individuals, or, when needed, to 
the (potentially) affected individual's employer, grantee organization, 
federal agency to whom the individual is contracted, or other similar 
designated external points of contact, to the extent the information is 
necessary for contact tracing.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records in this system of records are stored electronically or on 
paper in secure facilities. Electronic records are stored on a secure 
network. Records are protected from unauthorized access and improper 
use through administrative, technical, and physical security measures. 
Medical information collected is maintained on separate forms and in 
separate medical files and is treated as a confidential medical record.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The Department may retrieve records by any of the categories of 
records, including name, location, date of vaccination, date of 
potential exposure, or work status.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    All records are retained and disposed of in accordance with 
National Archive and Records Administration regulations (36 CFR chapter 
XII, subchapter B--Records Management); Departmental directives and 
comprehensive records schedules; and, to the extent applicable, NOAA 
Administrative Order 205-01 or other directives issued by a 
Departmental component. To the extent applicable, to ensure compliance 
with the Americans with Disabilities Act (ADA), the Rehabilitation Act, 
and the Genetic Information Nondiscrimination Act of 2008 (GINA), 
medical information must be maintained on separate forms and in 
separate medical files and be treated as a confidential medical record. 
42 U.S.C. 12112(d)(3)(B); 42 U.S.C. 2000ff-5(a); 29 CFR 1630.14(b)(1), 
(c)(1), (d)(4)(i); and 29 CFR 1635.9(a). This means that medical 
information and documents must be stored separately from other 
personnel records. As such, the Department must keep medical records 
for at least one year from creation date. 29 CFR 1602.14. Further, any 
records compiled under this system and incorporated into an 
occupational individual medical case record pursuant to the OSH Act 
must be maintained in accordance with 5 CFR 293.511(b) and 29 CFR 
1910.1020(d), and must be destroyed 30 years after employee separation 
or when the Official Personnel Folder (OPF) is destroyed, whichever is 
longer, in accordance with NARA General Records Schedule (GRS) 2.7, 
Item 60, and NARA records retention schedule DAA-GRS-2017-0010-0009, to 
the extent applicable. Visitor processing records are covered by GRS 
5.6, Items 110 and 111, and must be destroyed when either two or five 
years old, depending on security level, but may be retained longer if 
required for business use, pursuant to DAA-GRS-2017-0006-0014 and -
0015.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    The system of records is stored in buildings with doors that are 
locked during and after business hours. Visitors to the facility must 
register with security guards and must be accompanied by Federal 
personnel at all times. Records are stored in a locked room and/or a 
locked file cabinet. Electronic records containing Privacy Act 
information are protected by a user identification/password. The user 
identification/password is issued to those individuals who have a need 
to access the records for the performance of their official duties and 
who have appropriate clearances or permissions. Technical security 
safeguards include restrictions on computer access to authorized 
individuals who have a legitimate need to know the information; 
required use of strong passwords that are frequently changed; multi-
factor authentication for remote access; use of encryption for certain 
data types and transfers; firewalls and intrusion detection 
applications; and regular review of security procedures and best 
practices to enhance security. Physical safeguards include restrictions 
on building access to authorized individuals and storage of records in 
locked offices and filing cabinets.
    All electronic information disseminated by the Department adheres 
to the standards set out in Appendix III, Security of Automated 
Information Resources, OMB Circular A-130; the Computer Security Act 
(15 U.S.C. 278g-3 and 278g-4); and the Government Information Security 
Reform Act, Public Law 106-398; and follows NIST SP 800-18, Guide for 
Developing Security Plans for Federal Information Systems; NIST SP 800-
26, Security Self-Assessment Guide for Information Technology Systems; 
and NIST SP 800-53, Recommended Security Controls for Federal 
Information Systems.

RECORD ACCESS PROCEDURES:
    Requests from individuals should be addressed to: Chief Privacy 
Officer, U.S. Department of Commerce, Office of Privacy and Open 
Government, 1401 Constitution Ave. NW, Room 61025, Washington, DC 
20230, pursuant to 15 CFR part 4, subpart B.

CONTESTING RECORD PROCEDURES:
    The Department's rules for access, contesting contents, and 
appealing initial determinations by the individual concerned appear in 
15 CFR part 4, subpart B. Use address cited in Record Access Procedures 
above.

NOTIFICATION PROCEDURES:
    Requests for notification of the existence of records pertaining to 
the requester should be submitted pursuant to the inquiry provisions of 
the Department's rules which appear in 15 CFR part 4, subpart B. Use 
address cited in Record Access Procedures above.

EXEMPTIONS CLAIMED FOR THE SYSTEM:
    None.

HISTORY:
    No history.
    Notice of New System of Record.

Jennifer Goode,
Department of Commerce, Acting Chief Privacy Officer and Director, 
Office of Privacy and Open Government.
[FR Doc. 2021-25136 Filed 11-17-21; 8:45 am]
BILLING CODE 3510-22-P