Privacy Act of 1974; System of Records, 26998-26999 [2024-08000]

Agencies

• SMALL BUSINESS ADMINISTRATION

[Federal Register Volume 89, Number 74 (Tuesday, April 16, 2024)]
[Notices]
[Pages 26998-26999]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-08000]


=======================================================================
-----------------------------------------------------------------------

SMALL BUSINESS ADMINISTRATION


Privacy Act of 1974; System of Records

AGENCY: U.S. Small Business Administration.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The U.S. Small Business Administration (SBA) proposes to 
modify its system of records titled, Small Business Investment Company 
Information System (SBICIS) (SBA 40), to update its inventory of 
records systems subject to the Privacy Act of 1974, as amended. 
Publication of this notice complies with the Privacy Act and the Office 
of Management and Budget (OMB) Circular A-108 and Circular A-130. 
System of Records Notice (SORN) titled, Small Business Investment 
Company Information System (SBA 40), serves as a centralized and 
automated framework for the organization, retrieval, and analysis of 
SBIC information which supports the SBA's oversight and risk management 
roles for the SBIC program.

DATES: Submit comments on or before May 16, 2024. This revised system 
will be effective upon publication. Routine uses will become effective 
on the date following the end of the comment period unless comments are 
received which result in a contrary determination.

ADDRESSES: You may submit comments on this notice, identified by 
[DOCKET NUMBER SBA-2023-0014], by any of the following methods:
    Federal e-Rulemaking Portal: https://www.regulations.gov: Follow the 
instructions for submitting comments. Mail/Hand Delivery/Courier: 
Submit written comments to: Kerry Vance, Director, Information 
Technology and Data Strategy, Office of Investment and Innovation, U.S. 
Small Business Administration, 409 3rd Street SW, Washington, DC 20416.

FOR FURTHER INFORMATION CONTACT: General questions, please contact 
Kerry Vance, Director, Information Technology and Data Strategy, Office 
of Investment and Innovation, U.S. Small Business Administration, 409 
3rd Street SW, Washington, DC 20416 or via email, [email protected], 
telephone 202-205-6160 or Kelvin L. Moore, Chief Information Security 
Officer, Office of the Chief Information Officer, U.S. Small Business 
Administration, 409 3rd Street SW, Suite 4000, Washington, DC 20416, 
email address: [email protected], telephone 202-921-6273. For 
Privacy related matters, please contact LaWanda Burnette, Chief Privacy 
Officer, Office of the Chief Information Officer, or via email to 
[email protected].

SUPPLEMENTARY INFORMATION: The Privacy Act of 1974 (5 U.S.C. 552a), as 
amended, embodies fair information practice principles in a statutory 
framework governing how federal agencies collect, maintain, use, and 
disseminate individuals' personal information. The Privacy Act applies 
to records about individuals that are maintained in a ``system of 
records.'' A system of records is any group of records under the 
control of a federal agency from which information is retrieved by the 
name of an individual or by a number, symbol or any other identifier 
assigned to the individual. The Privacy Act requires each federal 
agency to publish in the Federal Register a System of Records Notice 
(SORN) identifying and describing each system of records the agency 
maintains, the purpose for which the agency uses the Personally 
Identifiable Information (PII) in the system, the routine uses for 
which the agency discloses such information outside the agency, and how 
individuals can exercise their rights related to their PII information.
    The modified Privacy Act system of records titled Small Business 
Investment Company Information System (SBICIS) (SBA 40) will be used to 
provide notice to current and former (i) prospective Small Business 
Investment Company license applicants, (ii) SBIC applicants, (iii) 
SBICs (solely for the purpose of this SORN, the term ``SBIC'' refers to 
each of (i), (ii), and (iii). This includes managers, executives, 
members, and employees associated or affiliated with an SBIC, and 
personal and professional references for certain of the foregoing. It 
also includes SBIC investors, SBIC portfolio companies, certain SBIC 
portfolio company employees, SBIC service providers, and certain other 
individuals associated, affiliated or involved with an SBIC.
    Additionally, this modification to the system of records Small 
Business Investment Company Information System (SBICIS) (SBA 40) also 
includes changing the short name to SBA SBICIS 40 to easily identify 
the system short name with its numeric value. Lastly, this modification 
adds three new routine uses: (H), (I) and (J), respectively.
    This system of records is comprised of electronic records managed 
by the Office of Investment and Innovation (OII). SBA SBICIS 40 will 
not have any undue impact on the privacy of individuals and its use is 
compatible with collection.

SYSTEM NAME AND NUMBER:
    Small Business Investment Company Information System (SBA SBICIS 
40).

SECURITY CLASSIFICATION:
    Controlled Unclassified Information

SYSTEM LOCATION:
    SBA Headquarters, 409 3rd Street SW, Washington, DC 20416 and 
vendor cloud platform.

SYSTEM MANAGER(S):
    Kerry Vance, Director, Information Technology and Data Strategy, 
Office of Investment and Innovation, U.S. Small Business 
Administration, 409 3rd Street SW, Washington, DC 20416 or via email 
[email protected], telephone 202-205-6160.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The Small Business Investment Act of 1958, as amended, 15 U.S.C. 
661, et seq.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Personal and commercial information (including name, address, 
telephone number, credit history, background information, business 
information, employer identification number, SBIC License number, 
financial information, investor commitments, identifying number or 
other personal identifiers, regulatory compliance information) on 
individuals and portfolio companies named in SBIC files.

[[Page 26999]]

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the information 
contained in this system may be disclosed to authorized entities, as is 
determined to be relevant and necessary, outside SBA as a routine use 
pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. To the Department of Justice (DOJ), including offices of the 
U.S. Attorneys, or other Federal agency conducting litigation or in 
proceedings before any court, adjudicative, or administrative body, 
when it is deemed by the SBA to be relevant or necessary to the 
litigation or SBA has an interest in such litigation when any of the 
following are a party to the litigation or have an interest in the 
litigation: (1) Any employee or former employee of the SBA in his or 
her official capacity; (2) Any employee or former employee of the SBA 
in his or her individual capacity when DOJ or SBA has agreed to 
represent the employee or a party to the litigation or have an interest 
in the litigation; or (3) The United States or any agency thereof.
    B. To a Congressional office from the record of an individual in 
response to an inquiry from that Congressional office made at the 
request of the individual. The member's access rights are no greater 
than those of the individual.
    C. To the National Archives and Records Administration (NARA) or 
General Services Administration (GSA) pursuant to records management 
inspections being conducted under the authority of 44 U.S.C. 2904 and 
2906.
    D. To an agency or organization, including the SBA's Office of 
Inspector General, for the purpose of performing audit or oversight 
operations as authorized by law, but only such information as is 
necessary and relevant to such audit or oversight function.
    E. To appropriate agencies, entities, and persons when: (1) The SBA 
suspects or has confirmed that the security or confidentiality of 
information processed and maintained by the SBA has been compromised, 
(2) the SBA has determined that as a result of the suspected or 
confirmed compromise, there is a risk of identity theft or fraud, harm 
to economic or property interests, harm to an individual, or harm to 
the security or integrity of this system or other systems or programs 
(whether maintained by SBA or any other agency or entity) that rely 
upon the compromised information; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with the SBA's efforts to respond to the suspected or 
confirmed compromise and prevent, minimize, or remedy such harm.
    F. To another Federal agency or Federal entity, when the SBA 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in: (1) Responding 
to a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.
    G. To another agency or agent of a government jurisdiction within 
or under the control of the U.S., lawfully engaged in national security 
or homeland defense when disclosure is undertaken for intelligence, 
counterintelligence activities (as defined by 50 U.S.C. 3003(3)), 
counterterrorism, homeland security, or related law enforcement 
purposes, as authorized by U.S. law or Executive Order.
    H. To other Federal agencies or Federal entities when mandated by 
executive orders or statute, or as documented by a Memorandum of 
Understanding or Memorandum of Agreement or Information Exchange 
Agreement or Data Sharing Agreement (``Agreements'') and approved by 
the applicable Authorizing Officials in compliance with the Privacy Act 
of 1974, as amended, 5 U.S.C. 552a and SBA's policies. These Agreements 
may be subject to review and approval by SBA's Office of General 
Counsel and SBA's Senior Agency Official for Privacy or designee and 
are for the purpose of performing analysis, metrics, or reports in 
support of marketing or initiatives and programs that SBICs may opt 
into participate in without any obligation or commitment.
    I. To other Federal agencies or Federal entities in aggregate and 
anonymized for the purpose of marketing, trends, statistical analysis, 
forecasting, reporting, and research where the information must 
preserve anonymity.
    J. To SBA contractors, grantees, interns, regulators, and experts 
who have been engaged by SBA to assist in the performance and 
performance improvement of a service related to this system of records 
and who need access to the records to perform this activity which may 
also include for regulatory purposes. Recipients of these records shall 
be required to comply with the requirements of the Privacy Act of 1974, 
as amended, 5 U.S.C. 552a.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    SBICIS records are retrieved by SBIC or Portfolio Company Name, 
affiliation with a particular SBIC personal identifier, SBA identifier, 
employer identification number, or any other data field that would 
enable SBA to perform its official duties.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are maintained in accordance with SBA Standard Operating 
Procedure (SOP) 00 41 latest edition, applicable General Records 
Schedules (GRS) and are disposed of in accordance with applicable SBA 
policies.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Information stored by SBICIS is stored electronically and supported 
by the applicable Privacy Impact Assessment(s). Data is protected 
through the implementation of access controls--least permissions, role-
based user permissions, event logging, monitoring, security assessment 
and authorization reviews, encryption transmission and encrypted data 
at rest. Safeguards implemented comply to SBA policies, industry best 
practices, and Federal Government standards, memoranda, and circulars.

RECORD ACCESS PROCEDURES:
    Individuals wishing to request access to records about them should 
submit a Privacy Act request to the SBA Chief, Freedom of Information 
and Privacy Act Office, U.S. Small Business Administration, 409 Third 
St. SW, Eighth Floor, Washington, DC 20416 or [email protected]. Individuals 
must provide their full name, mailing address, personal email address, 
telephone number, and a detailed description of the records being 
requested. Individuals requesting access must also follow SBA's Privacy 
Act regulations regarding verification of identity and access to 
records (13 CFR part 102 subpart B).

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    [FR Doc. 2019-19153, Vol. 84, No. 172]

Jennifer Shieh,
Acting, Deputy Associate Administrator, Office of Investment and 
Innovation.
[FR Doc. 2024-08000 Filed 4-15-24; 8:45 am]
BILLING CODE 8026-09-P