Privacy Act of 1974; System of Records, 74265-74268 [2024-20622]

Agencies

• DEPARTMENT OF ENERGY

[Federal Register Volume 89, Number 177 (Thursday, September 12, 2024)]
[Notices]
[Pages 74265-74268]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-20622]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY


Privacy Act of 1974; System of Records

AGENCY: Department of Energy.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 and the Office of 
Management and Budget (OMB) Circulars A-108 and A-130, the Department 
of Energy (DOE or the Department) is publishing notice of a 
modification to an existing Privacy Act System of Records. DOE proposes 
to amend System of Records DOE-71, The Radiation Accident Registry. 
This System of Records Notice (SORN) is being modified to align with 
new formatting requirements, published by the OMB, and to ensure 
appropriate Privacy Act coverage of business processes and Privacy Act 
information. While there are no substantive changes to the ``Categories 
of Individuals'' or ``Categories of Records'' sections covered by this 
SORN, substantive changes have been made to the ``System Locations,'' 
``Routine Uses,'' and ``Administrative, Technical and Physical 
Safeguards'' sections to provide greater transparency. Changes to 
``Routine Uses'' include new provisions related to responding to 
breaches of information held under a Privacy Act SORN as required by 
OMB's Memorandum M-17-12, ``Preparing for and Responding to a Breach of 
Personally Identifiable Information'' (January 3, 2017). Language 
throughout the SORN has been updated to align with applicable Federal 
privacy laws, policies, procedures, and best practices.

DATES: This modified SORN will become applicable following the end of 
the public comment period on October 15, 2024 unless comments are 
received that result in a contrary determination.

ADDRESSES: Written comments should be sent to the DOE Desk Officer, 
Office of Information and Regulatory Affairs, Office of Management and 
Budget, New Executive Office Building, Room 10102, 735 17th Street NW, 
Washington, DC 20503 and to Ken Hunt, Chief Privacy Officer, U.S. 
Department of Energy, 1000 Independence Avenue SW, Rm. 8H-085, 
Washington, DC 20585, by facsimile at (202) 586-8151, or by email at 
[email protected].

FOR FURTHER INFORMATION CONTACT: Ken Hunt, Chief Privacy Officer, U.S. 
Department of Energy, 1000 Independence Avenue SW, Rm. 8H-085, 
Washington, DC 20585 or by facsimile at (202) 586-8151, or by email at 
[email protected], or by telephone at (240) 686-9485.

SUPPLEMENTARY INFORMATION: On January 9, 2009, DOE published a 
Compilation of its Privacy Act Systems of Records, which included 
System of Records DOE-71, The Radiation Accident Registry. In the 
``Routine Uses'' section, this modified notice deletes a previous 
routine use concerning efforts responding to a suspected or confirmed 
loss of confidentiality of information as it appears in DOE's 
compilation of its Privacy Act Systems of Records (January 9, 2009) and 
replaces it with one to assist DOE with responding to a suspected or 
confirmed breach of its records of Personally Identifiable Information 
(PII), modeled with language from OMB's Memorandum M-17-12, ``Preparing 
for and Responding to a Breach of Personally Identifiable Information'' 
(January 3, 2017). Further, this notice adds one new routine use to 
ensure that DOE may assist another agency or entity in responding to 
the other agency's or entity's confirmed or suspected breach of PII, as 
appropriate, as aligned with OMB's Memorandum M-17-12. Updates to the 
routine uses includes aligning them with the 2004 and 2015 amendments 
to The Energy Employees Occupational Illness Compensation Program Act 
(EEOICPA) of 2000 by Subtitle E of Division C of the Ronald W. Reagan 
National Defense Authorization Act for Fiscal Year 2005 (Pub. L. 108-
375) and Carl Levin and Howard P. ``Buck'' McKeon National Defense 
Authorization Act for Fiscal Year 2015 (Pub. L. 113-291). These changes 
include removing two categories of obsolete users and modifying a 
category to include advisory boards. The routine use formerly numbered 
four has been deleted as its governing Memorandum

[[Page 74266]]

of Understanding is no longer valid. An administrative change required 
by the FOIA Improvement Act of 2016 extends the length of time a 
requestor is permitted to file an appeal under the Privacy Act from 30 
to 90 days. Both the ``System Locations'' and ``Administrative, 
Technical and Physical Safeguards'' sections have been modified to 
reflect the Department's usage of cloud-based services for records 
storage. Language throughout the SORN has been updated to align with 
applicable Federal privacy laws, policies, procedures, and best 
practices.

SYSTEM NAME AND NUMBER:
    DOE-71, The Radiation Accident Registry.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Systems leveraging this SORN may exist in multiple locations. All 
systems storing records in a cloud-based server are required to use 
government-approved cloud services and follow National Institute of 
Standards and Technology (NIST) security and privacy standards for 
access and data retention. Records maintained in a government-approved 
cloud server are accessed through secure data centers in the 
continental United States.
    U.S. Department of Energy, Office of Science, Consolidated Service 
Center, P.O. Box 2001, Oak Ridge, TN 37831.

SYSTEM MANAGER(S):
    Manager, U.S. Department of Energy, Office of Science, Consolidated 
Service Center, P.O. Box 2001, Oak Ridge, TN 37831.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    42 U.S.C. 7101 et seq.; 50 U.S.C. 2401 et seq.; The Energy 
Employees Occupational Illness Compensation Program Act (EEOICPA) of 
2000, Public Law 106-398, 42 U.S.C. 7384 et. seq., as amended, 
including by Subtitle E of Division C of the Ronald W. Reagan National 
Defense Authorization Act for Fiscal Year 2005 (Pub. L. 108-375) and 
Carl Levin and Howard P. ``Buck'' McKeon National Defense Authorization 
Act for Fiscal Year 2015 (Pub. L. 113-291); DOE order 151.1D Chg1 
(MinChg), Comprehensive Emergency Management System, October 4, 2019; 
42 U.S.C. 7274i. Program to monitor Department of Energy workers 
exposed to hazardous and radioactive substances, 50 U.S.C. 2733 et. 
seq.

PURPOSE(S) OF THE SYSTEM:
    Records in this system are maintained and used by the Department to 
provide a current record of radiation accidents; to identify specific 
populations for use in epidemiological and clinical studies; and to 
conduct medical surveillance during the lifetime of the registrants.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Those persons accidentally exposed to acute dose of ionizing 
radiation as defined by exposure dose criteria agreed to by DOE, 
including the National Nuclear Security Administration (NNSA) and the 
Nuclear Regulatory Commission (NRC), by an interagency agreement. The 
dose criteria established by this agreement include one or more of the 
following: Greater than or equal to 25 REM (Roentgen Equivalent in Man) 
to the whole body, active blood forming organs or gonads; greater than 
or equal to 600 REM to skin of the whole body or extremities; greater 
than or equal to 75 REM to other tissues or organs from an external 
source; and greater than or equal to \1/2\ National Council on 
Radiation Protection (NCRP) maximum permissible organ burden 
internally; all those medical administrations of radioisotopes that 
result in a dose or organ burden equal to or greater than those given 
above.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Official accident reports including reports of those accidents that 
have occurred within the jurisdiction of the NRC and have been 
transferred to the DOE for the Accident Registry according to the DOE/
NRC agreement; names, addresses, Social Security numbers, unique 
identifiers for the Department employees and applicants for employment 
with the Department (e.g., DOE OneID, employee number, and any other 
government identifier), date of birth, and sex; medical records 
compiled at the time of the accident (such records include physician 
and hospital records, diagnostic and laboratory test reports, 
radiographs, electrocardiograms, and radiation exposure reports); 
medical records of illnesses, examinations, including routine follow-up 
examinations, and investigations that have occurred since the radiation 
exposure; photographs or facsimiles of radiation-induced injuries; 
search and contact information for registrants not identified or 
located; consent to release information forms completed by registrants; 
death certificates; anecdotal information; and correspondence relating 
to the accident or the individuals involved.

RECORD SOURCE CATEGORIES:
    The individual, medical records, physicians, medical institutions, 
and reports of incident/accident/accident investigations from private 
and public sources, radiation dosimetry records, security clearance 
records, and employment records.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. A record from this system may be disclosed as a routine use to a 
member of Congress submitting a request involving a constituent when 
the constituent has requested assistance from the member concerning the 
subject matter of the record. The member of Congress must provide a 
copy of the constituent's signed request for assistance.
    2. A record from this system may be disclosed to contractor 
personnel, grantees, and cooperative agreement holders of components of 
the Department of Health and Human Services, including the National 
Institute for Occupational Safety and Health (NIOSH) and the National 
Center for Environmental Health of the Centers for Disease Control and 
Prevention, and the Agency for Toxic Substances and Disease Registry 
(ATSDR) to facilitate health hazard evaluations, epidemiological 
studies, or public health activities required by law pursuant to a 
Memoranda of Understanding between the Department and the Department of 
Health and Human Services or its components. Those provided information 
under this routine use are subject to the same limitations applicable 
to Department officers and employees under the Privacy Act.
    3. A record from this system may be disclosed as a routine use to 
DOE contractors, grantees, participants in cooperative agreements, and 
collaborating researchers, or the employees of these parties, in 
performance of health studies or related health or environmental duties 
pursuant to their contracts, grants, and cooperating or collaborating 
research agreements; Federal, state, and local health and medical 
agencies or authorities; to subcontractors in order to determine a 
subject' s vital status or cause of death; to health care providers to 
verify a diagnosis or cause of death; or to third parties to obtain 
current addresses for participants in health-related studies, surveys 
and surveillances. Those provided information under this routine use 
are subject to the same limitations applicable to Department officers 
and employees under the Privacy Act.
    4. A record from this system may be disclosed as a routine use for 
the

[[Page 74267]]

purpose of an investigation, settlement of claims, or the preparation 
and conduct of litigation to: (1) persons representing the Department 
in the investigation, settlement or litigation, and to individuals 
assisting in such representation; (2) others involved in the 
investigation, settlement, and litigation, and their representatives 
and individuals assisting those representatives; (3) witnesses, 
potential witnesses, or their representatives and assistants; and (4) 
any other persons who possess information pertaining to the matter when 
it is necessary to obtain information or testimony relevant to the 
matter.
    5. A record from this system may be disclosed as a routine use in 
court or administrative proceedings to the tribunals, counsel, other 
parties, witnesses, and the public (in publicly available pleadings, 
filings, or discussion in open court) when such disclosure: (1) is 
relevant to, and necessary for, the proceeding; (2) is compatible with 
the purpose for which the Department collected the records; and (3) the 
proceedings involve:
    a. The Department, its predecessor agencies, current or former 
contractors of the Department, or other United States Government 
agencies and their components; or
    b. A current or former employee of the Department and its 
predecessor agencies, current or former contractors of the Department, 
or other United States Government agencies and their components, who is 
acting in an official capacity, or in any individual capacity where the 
Department or other United States Government agency has agreed to 
represent the employee.
    6. A record from this system may be disclosed as a routine use to 
the appropriate local, tribal, state, or Federal agency when records, 
alone or in conjunction with other information, indicate a violation or 
potential violation of law whether civil, criminal, or regulatory in 
nature, and whether arising by general statute or particular program 
pursuant thereto.
    7. A record from this system may be disclosed to foreign 
governments or international organizations, in accordance with 
treaties, international conventions, or executive agreements.
    8. A record from this system may be disclosed to the Department of 
Labor, the Department of Health and Human Services, their contractors, 
advisory boards, grantees, and cooperative agreement holders, pursuant 
to the Energy Employees Occupational Illness Compensation Program Act 
of 2000, to estimate radiation doses and other workplace exposures 
received by the Department of Energy and contractor employees. Those 
provided information under this routine use are subject to the same 
limitations applicable to the Department officers and employees under 
the Privacy Act.
    9. A record from this system may be disclosed as a routine use to 
other state and Federal agencies or entities whose mission entails 
reviewing or managing workers' compensation claims or administering 
other benefits programs. Those provided information under this routine 
use are subject to the same limitations applicable to Department 
officers and employees under the Privacy Act.
    10. A record from this system may be disclosed as a routine use to 
appropriate agencies, entities, and persons when: (1) the Department 
suspects or has confirmed that there has been a breach of the System of 
Records; (2) the Department has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
DOE (including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the Department's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    11. A record from this system may be disclosed as a routine use to 
another Federal agency or Federal entity, when the Department 
determines that information from this System of Records is reasonably 
necessary to assist the recipient agency or entity in: (1) responding 
to a suspected or confirmed breach; or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records may be stored as paper records, microfilm, or electronic 
media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by name or Social Security number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Retention and disposition of these records are unscheduled. This 
requires the records to be retained as permanent until the National 
Archives and Records Administration approves a DOE Records Disposition 
Schedule.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Electronic records may be secured and maintained on a cloud-based 
software server and operating system that resides in the Federal Risk 
and Authorization Management Program (FedRAMP) and the Federal 
Information Security Modernization Act (FISMA) hosting environment. 
Data located in the cloud-based server is firewalled and encrypted at 
rest and in transit. The security mechanisms for handling data at rest 
and in transit are in accordance with DOE encryption standards. Records 
are protected from unauthorized access through the following 
appropriate safeguards:
     Administrative: Access to all records is limited to lawful 
government purposes only, with access to electronic records based on 
role and either two-factor authentication or password protection. The 
system requires passwords to be complex and to be changed frequently. 
Users accessing system records undergo frequent training in Privacy Act 
and information security requirements. Security and privacy controls 
are reviewed on an ongoing basis.
     Technical: Computerized records systems are safeguarded on 
Departmental networks configured for role-based access based on job 
responsibilities and organizational affiliation. Privacy and security 
controls are in place for this system and are updated in accordance 
with applicable requirements as determined by NIST and DOE directives 
and guidance.
     Physical: Computer servers on which electronic records are 
stored are located in secured Department facilities, which are 
protected by security guards, identification badges, and cameras. Paper 
copies of all records are locked in file cabinets, file rooms, or 
offices and are under the control of authorized personnel. Access to 
these facilities is granted only to authorized personnel and each 
person granted access to the system must be an individual authorized to 
use or administer the system.

RECORD ACCESS PROCEDURES:
    The Department follows the procedures outlined in 10 CFR 1008.4. 
Valid identification of the individual making the request is required 
before information will be processed, given, access granted, or a 
correction considered, to ensure that information is processed, given, 
corrected, or records

[[Page 74268]]

disclosed or corrected only at the request of the proper person.

CONTESTING RECORD PROCEDURES:
    Any individual may submit a request to the System Manager and 
request a copy of any records relating to them. In accordance with 10 
CFR 1008.11, any individual may appeal the denial of a request made by 
him or her for information about or for access to or correction or 
amendment of records. An appeal shall be filed within 90 calendar days 
after receipt of the denial. When an appeal is filed by mail, the 
postmark is conclusive as to timeliness. The appeal shall be in writing 
and must be signed by the individual. The words ``PRIVACY ACT APPEAL'' 
should appear in capital letters on the envelope and the letter. 
Appeals relating to DOE records shall be directed to the Director, 
Office of Hearings and Appeals (OHA), 1000 Independence Avenue SW, 
Washington, DC 20585.

NOTIFICATION PROCEDURES:
    In accordance with the DOE regulation implementing the Privacy Act, 
10 CFR part 1008, a request by an individual to determine if a System 
of Records contains information about themselves should be directed to 
the U.S. Department of Energy, Headquarters, Privacy Act Officer. The 
request should include the requester's complete name and the time 
period for which records are sought.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    This SORN was last published in the Federal Register, 74 FR 1072-
1073, on January 9, 2009.

Signing Authority

    This document of the Department of Energy was signed on September 
5, 2024, by Ann Dunkin, Senior Agency Official for Privacy, pursuant to 
delegated authority from the Secretary of Energy. That document with 
the original signature and date is maintained by DOE. For 
administrative purposes only, and in compliance with requirements of 
the Office of the Federal Register, the undersigned DOE Federal 
Register Liaison Officer has been authorized to sign and submit the 
document in electronic format for publication, as an official document 
of the Department of Energy. This administrative process in no way 
alters the legal effect of this document upon publication in the 
Federal Register.

    Signed in Washington, DC, on September 6, 2024.
Treena V. Garrett,
Federal Register Liaison Officer, U.S. Department of Energy.
[FR Doc. 2024-20622 Filed 9-11-24; 8:45 am]
BILLING CODE 6450-01-P