Privacy Act of 1974; System of Records, 4882-4885 [2023-01437]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 88, Number 16 (Wednesday, January 25, 2023)]
[Notices]
[Pages 4882-4885]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-01437]



[[Page 4882]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs, Veterans Health Administration.

ACTION: Notice of a Modified System of Records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, notice is hereby given 
that the Department of Veterans Affairs (VA) is modifying the system of 
records entitled ``Voluntary Service Records--VA'' (57VA10B2A). This 
system is used for training, compliance, work assignment, tracking the 
number of regularly scheduled volunteers and occasional volunteers, to 
produce statistical and managerial reports on the number of hours and 
visits of all volunteers each month, and to present volunteers with 
certificates of appreciation for service.

DATES: Comments on this modified system of records must be received no 
later than 30 days after date of publication in the Federal Register. 
If no public comment is received during the period allowed for comment 
or unless otherwise published in the Federal Register by VA, the 
modified system of records will become effective a minimum of 30 days 
after date of publication in the Federal Register. If VA receives 
public comments, VA shall review the comments to determine whether any 
changes to the notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service (005R1A), 810 Vermont Avenue NW, 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``Voluntary Service Records--VA (57VA10B2A)''. Comments 
received will be available at regulations.gov for public viewing, 
inspection or copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, Veterans Health 
Administration Chief Privacy Officer, Department of Veterans Affairs, 
810 Vermont Avenue NW, Washington, DC 20420; telephone (704) 245-2492 
(Note: this is not a toll-free number).

SUPPLEMENTARY INFORMATION: VA is modifying the system by revising the 
System Number; System Location; System Manager; Purpose of the System; 
Categories of Records in the System; Record Source Categories; Routine 
Uses of Records Maintained in the System; Policies and Practices for 
Storage of Records; Policies and Practices for Retrievability of 
Records Policies; Practices for Retention and Disposal of Records; 
Physical, Procedural, and Administrative Safeguards; Records Access 
Procedure; Contesting Record Procedure; and Notification Procedure. VA 
is republishing the system notice in its entirety.
    The System Number will be changed from 57VA10B2A to 57VA10 to 
reflect the current Veterans Health Administration organizational 
routing symbol.
    The System Location is being updated to remove references to 
servers located at the Austin Information Technology Center, 1615 
Woodward Street, Austin, Texas 78772. This section will include that 
the system is in the Microsoft Government Community Cloud (GCC), a 
government-authorized cloud-service provider, with Microsoft Global 
Foundation Services (GFS) Datacenters in Boydton, Virginia; Des Moines, 
Iowa; Dallas, Texas; and Phoenix, Arizona. For security reasons, 
Microsoft does not disclose the physical location of the data centers. 
For more information, please refer to the Joint Authorization Board 
(JAB) Federal Risk and Authorization Management Program's (FedRAMP) 
Authority to Operate (ATO) for Microsoft Dynamics Customer Relationship 
Management (CRM).
    The System Manager is being updated to replace Director, Voluntary 
Service Office, with Director, VA Center for Development and Civic 
Engagement. Being removed is Technatomy Contractor, Jay Singh, VHA 
Oakland Office of Information Field Office, 1301 Clay Street, Suite 
1350N, Oakland, California 94612. This section will include Stefano 
Masi, Veteran Relationship Management Product Line Manager, 555 Willard 
Ave., Newington, CT 06111.
    The Purpose of the System is being modified to include training, 
compliance and work assignment.
    The Record Source Categories is being modified to change 24VA10P2 
to 24VA10A7.
    The following routine use is added and will be routine use #10, 
Data Breach Response and Remediation, For Another Agency: To another 
Federal agency or Federal entity, when VA determines that information 
from this system of records is reasonably necessary to assist the 
recipient agency or entity in (1) responding to a suspected or 
confirmed breach or (2) preventing, minimizing, or remedying the risk 
of harm to individuals, the recipient agency or entity (including its 
information systems, programs, and operations), the Federal Government, 
or national security, resulting from a suspected or confirmed breach.
    The following routine use is added and will be routine use #11, 
Parent or Guardian of Minor Volunteer: To the parent or legal guardian 
of a minor volunteer. This routine use will allow VA to share 
information on the work schedule for summer student volunteers with 
their parents or legal guardians.
    Policies and Practices for Storage of Records and Physical, 
Procedural, and Administrative Safeguards are being modified to replace 
Austin, Texas with the Microsoft GCC.
    Policies and Practices for Retrievability of Records is being 
modified to replace VistA patient files, with Occupational Health 
Record-Keeping System.
    Policies and Practices for Retention and Disposal of Records is 
being modified to remove: 1. The individual volunteer's record of 
service is maintained by the VA health care facility, as long as he or 
she is living and actively participating in the VA Voluntary Service 
(VAVS) program. VAVS maintains minimum information on all volunteers 
indefinitely. These minimum records include the volunteer's name, 
address, date of birth, telephone number, next of kin information, 
assignments worked, hours and years of service, and last award 
received.
    2. Depending on the record medium, records are destroyed by either 
shredding or degaussing. Summary reports and other output reports are 
destroyed when no longer needed for current operation. Regardless of 
record medium, no records will be retired to a Federal records center 
reports and other output reports are destroyed when no longer needed 
for current operation. Regardless of record medium, no records will be 
retired to a Federal records center.
    This section will now reflect the following: Records in this system 
are retained and disposed of in accordance with the schedule approved 
by the Archivist of the United States, VHA RCS 10-1, Item Number 
3020.10-3020.11.
    The Record Access Procedure, Contesting Record Procedure and 
Notification Procedure have been modified to reflect standard language 
across VA systems of records.
    The Report of Intent to Modify a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

[[Page 4883]]

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Kurt D. 
DelBene, Assistant Secretary for Information and Technology and Chief 
Information Officer, approved this document on December 13, 2022 for 
publication.

    Dated: January 20, 2023.
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    ``Voluntary Service Records--VA'' (57VA10).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are maintained at each of the VA health care facilities and 
in the Center for Development and Civic Engagement Portal (CDCEP). 
Active records are retained at the VA health care facility listed in 
Appendix 1 where the individual has volunteered to assist the 
administrative and professional personnel and in the CDCEP. Basic 
information for all inactive records is retained at the facility where 
the volunteer worked and in the CDCEP. CDCEP is a web-based volunteer 
management system currently located in the Microsoft Government 
Community Cloud (GCC), a government-authorized cloud-service provider, 
with Microsoft Global Foundation Services (GFS) Datacenters in Boydton, 
Virginia; Des Moines, Iowa; Dallas, Texas; and Phoenix, Arizona. For 
security reasons, Microsoft does not disclose the physical location of 
the data centers. For more information, please refer to the Joint 
Authorization Board (JAB) Federal Risk and Authorization Management 
Program's (FedRAMP) Authority to Operate (ATO) for Microsoft Dynamics 
Customer Relationship Management (CRM).

SYSTEM MANAGER(S):
    Official responsible for policies and procedures: Director, VA 
Center for Development and Civic Engagement (CDCE), Department of 
Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420. 
Telephone number 202-461-7300 (this is not a toll-free number). 
Official maintaining the system: Veteran Relationship Management 
Product Line Manager, 555 Willard Ave., Newington, CT 06111.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    38 U.S.C. 513.

PURPOSE(S) OF THE SYSTEM:
    This system of records is used for training, compliance, work 
assignment, tracking the number of regularly scheduled volunteers and 
occasional volunteers, to produce statistical and managerial reports on 
the number of hours and visits of all volunteers each month, and to 
present volunteers with certificates of appreciation for service.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    These records include information on all volunteers (i.e., 
regularly scheduled volunteers, occasional volunteers, student 
volunteers), including but not limited to, non-affiliated and members 
of voluntary service organizations, such as welfare, service, Veterans, 
fraternal, religious, civic, industrial, labor, and social groups or 
clubs, which voluntarily offer the services of their organizations and/
or individuals to assist with the provision of care to patients, either 
directly or indirectly, through VA Voluntary Service under 38 U.S.C. 
513.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include personal information, such as name, 
address, phone number, email address, date of birth, and volunteer date 
in a VA health care facility, as provided by the volunteer on VA Form 
10-7055, ``Application for Voluntary Service;'' information relating to 
the individual membership in service organizations, qualifications, 
restrictions and preferences of duty and availability to schedule time 
of service; training records pertaining to the volunteer's service will 
also be maintained for all active volunteers at the facility where the 
volunteer works; medical records of active volunteers will be 
maintained in the facility's Employee Health office; fingerprint and 
background investigation records will be maintained by the local 
facility's office that handles those investigations.

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by the volunteer, 
their family, civic and service organization, ``Patient Medical 
Records--VA'' (24VA10A7), and CDCE/VA Voluntary Service (VAVS) at the 
VA health care facility where the volunteer worked.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
individually-identifiable patient information protected by 38 U.S.C. 
7332, that information cannot be disclosed under a routine use unless 
there is also specific disclosure authority in 38 U.S.C. 7332.
    1. Law Enforcement: To a Federal, state, local, territorial, 
tribal, or foreign law enforcement authority or other appropriate 
entity charged with the responsibility of investigating or prosecuting 
such violation or charged with enforcing or implementing such law, 
provided that the disclosure is limited to information that, either 
alone or in conjunction with other information, indicates a violation 
or potential violation of law, whether civil, criminal, or regulatory 
in nature. The disclosure of the names and addresses of Veterans and 
their dependents from VA records under this routine use must also 
comply with the provisions of 38 U.S.C. 5701.
    2. Nonprofits, for RONA: To a nonprofit organization if the release 
is directly connected with the conduct of programs and the utilization 
of benefits under Title 38, provided that the disclosure is limited the 
names and addresses of present or former members of the armed services 
or their beneficiaries, the records will not be used for any purpose 
other than that stated in the request and the agency or instrumentality 
is aware of the penalty provision of 38 U.S.C. 5701(f).
    3. Volunteer Administration: To confirm volunteer service, duty 
schedule, and assignments to service organizations, Bureau of 
Unemployment, insurance firms, office of personnel of the individual's 
fulltime employment; to assist in the development of VA history of the 
volunteer and their assignments; and to confirm voluntary hours for on-
the job accidents, and for recognition awards.
    4. Congress: To a Member of Congress or staff acting upon the 
Member's behalf when the Member or staff requests the information on 
behalf of, and at the request of, the individual who is the subject of 
the record.
    5. NARA: To the National Archives and Records Administration (NARA) 
in records management inspections conducted under 44 U.S.C. 2904 and 
2906, or other functions authorized by laws and policies governing NARA 
operations and VA records management responsibilities.
    6. DOJ, Litigation, Administrative Proceeding: To the Department of 
Justice (DoJ), or in a proceeding before

[[Page 4884]]

a court, adjudicative body, or other administrative body before which 
VA is authorized to appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in their official capacity;
    (c) Any VA employee in their individual capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components, is a party to 
such proceedings or has an interest in such proceedings, and VA 
determines that use of such records is relevant and necessary to the 
proceedings.
    7. Contractors: To contractors, grantees, experts, consultants, 
students, and others performing or working on a contract, service, 
grant, cooperative agreement, or other assignment for VA, when 
reasonably necessary to accomplish an agency function related to the 
records.
    8. Federal Agencies, Fraud and Abuse: To other Federal agencies to 
assist such agencies in preventing and detecting possible fraud or 
abuse by individuals in their operations and programs.
    9. Data Breach Response and Remediation, for VA: To appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, or 
persons reasonably necessary to assist in connection with VA efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.
    10. Data Breach Response and Remediation, for Another Federal 
Agency: To another Federal agency or Federal entity, when VA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    11. Parent or Guardian of Minor Volunteer: VA may disclose 
information from this system to the parent or legal guardian of a minor 
volunteer.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are maintained in the Microsoft GCC, a government-
authorized cloud-service provider, with Microsoft GFS Datacenters in 
Boydton, Virginia; Des Moines, Iowa; Dallas, Texas; and Phoenix, 
Arizona. For security reasons, Microsoft does not disclose the physical 
location of the data centers. For more information, please refer to the 
JAB FedRAMP ATO for Microsoft Dynamics CRM. Paper records for all 
active volunteers are maintained in locked file cabinets at the 
individual VA facilities where the volunteer has donated time. Computer 
records containing basic information, such as name, address, date of 
birth, volunteer assignments, hours/years volunteered, and award 
information are retained for all volunteers, either active or inactive, 
at the VA facility where the volunteer worked.

POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS:
    Records in this system are retrieved by name and unique 
identification numbers within the VA's CDCEP and are cross-referenced 
under the organization(s) they represent. Health records in this system 
are retrieved by name and full Social Security number in the 
Occupational Health Record--Keeping System but are not retrievable 
through CDCEP.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records in this system are retained and disposed of in accordance 
with the schedule approved by the Archivist of the United States, VHA 
RCS 10-1, Item Number 3020.10-3020.11.

PHYSICAL, PROCEDURAL, AND ADMINISTRATIVE SAFEGUARDS:
    1. Access to VA working space and medical record storage areas and 
the servers and storage in the GCC is restricted to VA employees on a 
``need to know'' basis. Generally, VA file areas are locked after 
normal duty hours and are protected from outside access by the Federal 
Protective Service. Volunteer records containing sensitive medical 
record files are stored in separate locked files.
    2. Strict control measures are enforced to ensure that access to 
and disclosure of all records including electronic files and volunteer 
specific data elements stored in the CDCEP are limited to CDCE/VAVS 
employees whose official duties warrant access to those files. Access 
to the VA network is protected by the usage of the personal identity 
verification ``PIV.'' Once on the VA network, separate ID and password 
credentials are required to gain access to the CDCEP servers and/or 
databases. Access to the servers and/or databases is granted to only a 
limited number of system administrators and database administrators. 
Employees are required to sign a user access agreement acknowledging 
their knowledge of confidentiality requirements, and all employees 
receive annual training on information security. Access is deactivated 
when no longer required for official duties. Recurring monitors are in 
place to ensure compliance with nationally and locally established 
security measures.
    3. Online data resides on servers and storage in the GCC that are 
highly secured.
    4. Any sensitive information that may be downloaded or printed to 
hard copy format is provided the same level of security as the 
electronic records. All paper documents and informal notations 
containing sensitive data are shredded prior to disposal.
    5. All new CDCE/VAVS employees receive initial information security 
training, and refresher training is provided to all employees on an 
annual basis.

RECORD ACCESS PROCEDURE:
    Individuals seeking information on the existence and content of 
records in this system pertaining to them should contact the system 
manager in writing as indicated above, or email [email protected], 
or inquire in person at the VA health care facility where their 
voluntary service was accomplished. A request for access to records 
must contain the requester's full name, address, telephone number, be 
signed by the requester, and describe the records sought in sufficient 
detail to enable VA personnel to locate them with a reasonable amount 
of effort.

CONTESTING RECORD PROCEDURE:
    Individuals seeking to contest or amend records in this system 
pertaining to them should contact the system manager in writing as 
indicated above, or email [email protected] or inquire in person at 
the VA health care facility where their voluntary service was 
accomplished. A request to contest or amend records must state clearly 
and concisely what record is being contested, the reasons for 
contesting it, and the proposed amendment to the record.

NOTIFICATION PROCEDURE:
    Generalized notice is provided by the publication of this notice. 
For specific notice, see Record Access Procedure, above.

[[Page 4885]]

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    42 FR 6032 (February 1, 1977); 66 FR 6764 (January 22, 2001); 74 FR 
17555 (April 15, 2009); 81 FR 59271 (August 29, 2016).


[FR Doc. 2023-01437 Filed 1-24-23; 8:45 am]
BILLING CODE P