Privacy Act of 1974; System of Records, 81102-81106 [2024-23080]

Agencies

• DEPARTMENT OF THE INTERIOR
• Office of the Secretary

[Federal Register Volume 89, Number 194 (Monday, October 7, 2024)]
[Notices]
[Pages 81102-81106]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-23080]


-----------------------------------------------------------------------

DEPARTMENT OF THE INTERIOR

Office of the Secretary

[DOI-2024-0006; 24XD4523WD DWDFJ0000.000000 DS68664000]


Privacy Act of 1974; System of Records

AGENCY: Office of the Secretary, Interior.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, as 
amended, the Department of the Interior (DOI) is issuing a public 
notice of its intent to modify the Privacy Act system of records, 
INTERIOR/DOI-91, Oracle Federal Financials (OFF). DOI is revising this 
notice to update the system manager and system location, authorities, 
storage, retrieval, records retention schedule, safeguards, record 
source categories, and notification, records access and contesting 
procedures; propose new and modified routine uses, and all sections to 
accurately reflect changes in management of the system of records. This 
modified system will be included in DOI's inventory of record systems.

DATES: This modified system will be effective upon publication. New or 
modified routine uses will be effective November 6, 2024. Submit 
comments on or before November 6, 2024.

ADDRESSES: You may send comments identified by docket number [DOI-2024-
0006] by any of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for sending comments.

[[Page 81103]]

     Email: [email protected]. Include docket number 
[DOI-2024-0006] in the subject line of the message.
     U.S. mail or hand-delivery: Teri Barnett, Departmental 
Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, 
Room 7112, Washington, DC 20240.
    Instructions: All submissions received must include the agency name 
and docket number [DOI-2024-0006]. All comments received will be posted 
without change to https://www.regulations.gov, including any personal 
information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Teri Barnett, Departmental Privacy 
Officer, U.S. Department of the Interior, 1849 C Street NW, Room 7112, 
Washington, DC 20240, [email protected] or (202) 208-1605.

SUPPLEMENTARY INFORMATION:

I. Background

    The DOI Interior Business Center (IBC) maintains the INTERIOR/DOI-
91, Oracle Federal Financials (OFF), system of records. The IBC is a 
service provider that performs services for Federal government 
agencies. The IBC's service offerings include providing and maintaining 
various types of business management systems for its clients, including 
human resources and financial management applications. The OFF system 
provides IBC clients with a web-based application that contains 
customizable financial management modules that combine to provide a 
comprehensive financial software package to support budgeting, 
purchasing, Federal procurement, accounts payable, fixed assets, 
general ledger, inventory, accounts receivable, reimbursement, 
reporting, and collection functions.
    IBC hosts the OFF system and is responsible for system 
administration functions and other management functions in accordance 
with interagency agreements with internal and external Federal customer 
agencies. Each external client agency retains control over its data in 
the system and is responsible for maintaining client agency records in 
the OFF system and for meeting the requirements of the Privacy Act and 
other laws, regulations, and policies. While DOI records generated and 
maintained in OFF are covered under this system of records notice 
(SORN), each client agency that maintains records within the system has 
published system notices that cover their financial management 
activities. IBC does not collect personally identifiable information 
directly from individuals on behalf of the customer agency for this 
system. Therefore, individuals seeking access to or amendment of their 
records under the control of an external client agency should follow 
the access procedures outlined in the applicable client agency SORN or 
send a written inquiry to that Federal agency Chief Privacy Officer.
    Additionally, some records maintained within the OFF system may 
also be covered by existing government-wide SORNs published by the 
General Services Administration, including GSA/GOVT-3, Travel Charge 
Card Program, 78 FR 20108 (April 3, 2013); GSA/GOVT-4, Contracted 
Travel Services Program 74 FR 26700 (June 3, 2009), modification 
published at 74 FR 28048 (June 12, 2009); and GSA/GOVT-6, GSA SmartPay 
Purchase Charge Card Program, 73 FR 22376 (April 25, 2008). These 
records may be subject to handling and disclosure requirements pursuant 
to the routine uses in the government-wide SORNs, as applicable. Client 
agencies are responsible for ensuring the handling, use, and sharing of 
their records in OFF are in compliance with the Privacy Act of 1974, 
including the provisions regarding notice, access, collection, use, 
retention, and disclosure of records.
    In this notice, DOI is proposing to update the system manager and 
system location sections; expand on the record source categories 
section; update authorities for maintenance of the system; update the 
storage, retrieval, records retention schedule, and safeguards; update 
the notification, records access and contesting procedures; and provide 
general updates in accordance with the Privacy Act of 1974 and Office 
of Management and Budget (OMB) Circular A-108, Federal Agency 
Responsibilities for Review, Reporting, and Publication under the 
Privacy Act.
    DOI is also changing the routine uses from a numeric to alphabetic 
list and is proposing to modify existing routine uses to provide 
clarity and transparency and reflect updates consistent with standard 
DOI routine uses. The notice of disclosure to consumer reporting 
agencies section was moved to the end of this section. Routine use A 
has been modified to further clarify disclosures to the Department of 
Justice or other Federal agencies when necessary in relation to 
litigation or judicial proceedings. Routine use B has been modified to 
clarify disclosures to a congressional office to respond to or resolve 
an individual's request made to that office. Routine use H has been 
modified to expand the sharing of information with territorial 
organizations in response to court orders or for discovery purposes 
related to litigation. Routine use I has been modified to include the 
sharing of information with grantees and shared service providers that 
perform services requiring access to these records on DOI's behalf to 
carry out the purposes of the system. Routine use J was slightly 
modified to allow DOI to share information with appropriate Federal 
agencies or entities when reasonably necessary to prevent, minimize, or 
remedy the risk of harm to individuals or the Federal Government 
resulting from a breach in accordance with OMB Memorandum M-17-12, 
Preparing for and Responding to a Breach of Personally Identifiable 
Information. Routine use R has been modified to reflect the agency name 
change for the Government Accountability Office.
    DOI is proposing a new routine use to facilitate the sharing of 
information with another Federal agency to carry out a statutory 
responsibility of the DOI. Proposed routine use S allows DOI to share 
information with the Department of the Treasury in support of the Do 
Not Pay Program in accordance with the Payment Integrity Information 
Act of 2019 to prevent and detect improper payments.
    Pursuant to the Privacy Act, 5 U.S.C. 552a(b)(12), DOI may disclose 
information from this system to consumer reporting agencies as defined 
in the Fair Credit Reporting Act (15 U.S.C. 1681a(f)) or the Federal 
Claims Collection Act of 1966 (31 U.S.C. 3701(a)(3)) to aid in the 
collection of outstanding debts owed to the Federal Government.

II. Privacy Act

    The Privacy Act of 1974, as amended, embodies fair information 
practice principles in a statutory framework governing the means by 
which Federal agencies collect, maintain, use, and disseminate 
individuals' records. The Privacy Act applies to records about 
individuals that are maintained in a ``system of records.'' A ``system 
of records'' is a group of any records under the control of an agency 
from which information is retrieved by the name of an individual or by 
some identifying number, symbol, or other identifying particular 
assigned to the individual. The Privacy Act defines an individual as a 
United States citizen or lawful permanent resident. Individuals may 
request access to their own records that are maintained in a system of 
records in the possession or under the control of

[[Page 81104]]

DOI by complying with DOI Privacy Act regulations at 43 CFR part 2, 
subpart K, and following the procedures outlined in the Records Access, 
Contesting Record, and Notification Procedures sections of this notice.
    The Privacy Act requires each agency to publish in the Federal 
Register a description denoting the existence and character of each 
system of records that the agency maintains and the routine uses of 
each system. The INTERIOR/DOI-91, Oracle Federal Financials (OFF), SORN 
is published in its entirety below. In accordance with 5 U.S.C. 
552a(r), DOI has provided a report of this system of records to the 
Office of Management and Budget and to Congress.

III. Public Participation

    You should be aware your entire comment including your personally 
identifiable information, such as your address, phone number, email 
address, or any other personal information in your comment, may be made 
publicly available at any time. While you may request to withhold your 
personally identifiable information from public review, we cannot 
guarantee we will be able to do so.

SYSTEM NAME AND NUMBER:
    INTERIOR/DOI-91, Oracle Federal Financials (OFF).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Interior Business Center, U.S. Department of the Interior, One 
Denver Federal Center, Building 48, Denver, CO 80225.

SYSTEM MANAGER(S):
    Chief, Technical Services and Solutions Division, U.S. Department 
of the Interior, Interior Business Center, 381 Elden Street, Suite 200, 
Herndon, VA 20170.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Executive agency accounting and other financial management reports 
and plans, 31 U.S.C. 3512; Acceptance of contributions, awards, and 
other payments, 5 U.S.C. 4111; Installment deduction for indebtedness 
to the United States, 5 U.S.C. 5514; Travel and Subsistence Expenses; 
Mileage Allowances, 5 U.S.C. chapter 57, subchapter I ; Collection and 
compromise, 31 U.S.C. 3711; and the Office of Management and Budget 
Circular A-123, appendix D, Compliance with the Federal Financial 
Management Improvement Act of 1996.

PURPOSE(S) OF THE SYSTEM:
    The primary purpose of the system is to support financial 
management for Federal agencies by providing a standardized, automated 
capability for performing administrative control of funds, general 
accounting, billing and collections, payments, management reporting, 
and regulatory reporting.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered by the system include employees of various 
Federal agencies that are IBC clients using OFF, as well as employees 
or agents for third party vendors, contractors and suppliers who 
provide OFF clients with related financial services. This system also 
contains information about individuals, both employees and non-
employees, who owe debts to the Federal government. Records relating to 
corporations and other business entities contained in this system are 
not subject to the Privacy Act, however, records relating to 
individuals acting on behalf of corporations and other business 
entities may reflect personal information that may be maintained in 
this system of records.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system contains financial and administrative records that 
include but are not limited to:
    (1) Accounts receivable records, including individuals and 
employees who owe money to OFF clients and are the subject of 
collections actions. Records may include first and last names, home 
addresses, phone numbers, email addresses, Employee Identification 
Numbers (EINs), and Social Security Numbers (SSNs).
    (2) Accounts payable records about non-employee individuals and 
sole proprietors, including individuals who provide services to OFF 
clients. These records may include names, home or business addresses, 
phone or fax numbers, email addresses, Tax Identification Numbers, 
SSNs, banking account numbers for electronic fund transfer payments, 
and invoices and claims for reimbursement.
    (3) Records of employees of OFF clients who submit claims for 
reimbursable expenses. These records may include names, EINs, SSNs, 
work addresses, phone numbers, email addresses, and receipts and claims 
for reimbursement.
    (4) Records of employees of OFF clients who hold government bank or 
debit cards for purchases or travel. These records may include names, 
EINs, SSNs, home or work addresses, phone numbers, email addresses, 
card numbers and purchase histories.
    The system may contain other information collected or created 
through correspondence, reports, or during the processing and support 
of financial management transactions, administrative controls, and 
general accounting. The system may also contain additional business and 
financial records for OFF clients that do not include personal 
information. Records in this system are subject to the Privacy Act only 
if they are about an individual within the meaning of the Privacy Act, 
and not if they are about a business, organization, or other non-
individual.

RECORD SOURCE CATEGORIES:
    Information sources are Federal customer agencies, contractors, 
sole proprietors, service providers, third-party vendors, and suppliers 
who provide related financial and other services to clients using the 
system.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside DOI as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. To the Department of Justice (DOJ), including Offices of the 
U.S. Attorneys, or other Federal agency conducting litigation or in 
proceedings before any court, adjudicative, or administrative body, 
when it is relevant or necessary to the litigation and one of the 
following is a party to the litigation or has an interest in such 
litigation:
    (1) DOI or any component of DOI;
    (2) Any other Federal agency appearing before the Office of 
Hearings and Appeals;
    (3) Any DOI employee or former employee acting in his or her 
official capacity;
    (4) Any DOI employee or former employee acting in his or her 
individual capacity when DOI or DOJ has agreed to represent that 
employee or pay for private representation of the employee; or
    (5) The United States Government or any agency thereof, when DOJ 
determines that DOI is likely to be affected by the proceeding.
    B. To a congressional office when requesting information on behalf 
of, and at the request of, the individual who is the subject of the 
record.
    C. To the Executive Office of the President in response to an 
inquiry from

[[Page 81105]]

that office made at the request of the subject of a record or a third 
party on that person's behalf, or for a purpose compatible with the 
reason for which the records are collected or maintained.
    D. To any criminal, civil, or regulatory law enforcement authority 
(whether Federal, State, territorial, local, Tribal or foreign) when a 
record, either alone or in conjunction with other information, 
indicates a violation or potential violation of law--criminal, civil, 
or regulatory in nature, and the disclosure is compatible with the 
purpose for which the records were compiled.
    E. To an official of another Federal agency to provide information 
needed in the performance of official duties related to reconciling or 
reconstructing data files or to enable that agency to respond to an 
inquiry by the individual to whom the record pertains.
    F. To Federal, State, territorial, local, Tribal, or foreign 
agencies that have requested information relevant or necessary to the 
hiring, firing or retention of an employee or contractor, or the 
issuance of a security clearance, license, contract, grant or other 
benefit, when the disclosure is compatible with the purpose for which 
the records were compiled.
    G. To representatives of the National Archives and Records 
Administration (NARA) to conduct records management inspections under 
the authority of 44 U.S.C. 2904 and 2906.
    H. To State, territorial and local governments and Tribal 
organizations to provide information needed in response to court order 
and/or discovery purposes related to litigation, when the disclosure is 
compatible with the purpose for which the records were compiled.
    I. To an expert, consultant, grantee, shared service provider, or 
contractor (including employees of the contractor) of DOI that performs 
services requiring access to these records on DOI's behalf to carry out 
the purposes of the system.
    J. To appropriate agencies, entities, and persons when:
    (1) DOI suspects or has confirmed that there has been a breach of 
the system of records;
    (2) DOI has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, DOI (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and
    (3) the disclosure made to such agencies, entities, and persons is 
reasonably necessary to assist in connection with DOI's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.
    K. To another Federal agency or Federal entity, when DOI determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in:
    (1) responding to a suspected or confirmed breach; or
    (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    L. To the Office of Management and Budget (OMB) during the 
coordination and clearance process in connection with legislative 
affairs as mandated by OMB Circular A-19.
    M. To the Department of the Treasury to recover debts owed to the 
United States.
    N. To the news media and the public, with the approval of the 
Public Affairs Officer in consultation with counsel and the Senior 
Agency Official for Privacy, where there exists a legitimate public 
interest in the disclosure of the information, except to the extent it 
is determined that release of the specific information in the context 
of a particular case would constitute an unwarranted invasion of 
personal privacy.
    O. To a commercial credit card contractor(s) for the accounting and 
payment of employee obligation for travel, purchasing, and fleet 
management credit card usage.
    P. To OFF clients for the purpose of processing, using, and 
maintaining their agency's data in the OFF system.
    Q. To DOJ or other Federal agencies for further collection action 
on any delinquent debt when circumstances warrant.
    R. To the Government Accountability Office, DOJ, or a United States 
Attorney for actions regarding debt and attempts to collect monies 
owed.
    S. To the Department of the Treasury in order to eliminate waste, 
fraud, and abuse in Federal programs and to prevent payment errors 
before they occur in accordance with the Do Not Pay Program which is 
authorized and governed by the Payment Integrity Information Act of 
2019.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic records are maintained on servers located in secure 
facilities. Paper records are contained in file folders stored in file 
cabinets in accordance with Departmental policy.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The personal identifiers that can be used to retrieve information 
on individuals are name, SSN, EIN, bank account number, government 
travel/small purchase bank card number, and supplier number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    DOI financial management records are retained in accordance with 
Departmental Records Schedule (DRS) 1--Administrative Records, Long-
term Financial and Acquisition Records (DAA-0048-2013-0001-0011), which 
was approved by NARA. The disposition for these records is temporary 
with destruction authorized seven years after the cut off of the record 
as instructed in the bureau or office records manual or at the end of 
fiscal year in which the files are closed, if no unique cut-off is 
specified. Approved disposition methods include shredding or pulping 
for paper records, and degaussing or erasing electronic records in 
accordance with NARA guidelines and Departmental policy.
    Each Federal agency client maintains records in the system in 
accordance with records retention schedules approved by NARA, and 
agency clients are responsible for the retention and disposal of their 
own records. While the IBC provides system administration and 
management support to agency clients, any records disposal is in 
accordance with client agency approved data disposal procedures.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    The records contained in this system are safeguarded in accordance 
with 43 CFR 2.226 and other applicable security and privacy rules and 
policies. During normal hours of operation, paper records are 
maintained in locked file cabinets under the control of authorized 
personnel. Computer servers on which electronic records are stored are 
located in secured DOI controlled facilities with physical, technical 
and administrative levels of security to prevent unauthorized access to 
the DOI network and information assets. A Privacy Act Warning Notice 
appears on computer monitor screens when records containing information 
on individuals are first displayed. Data exchanged between the servers 
and the system is encrypted. Backup tapes are encrypted and stored in a 
locked and controlled room in a secure, off-site location.
    Computerized records systems follow the National Institute of 
Standards and Technology privacy and security

[[Page 81106]]

standards as developed to comply with the Privacy Act of 1974, as 
amended, 5 U.S.C. 552a; Paperwork Reduction Act of 1995, 44 U.S.C. 3501 
et seq.; Federal Information Security Modernization Act of 2014, 44 
U.S.C. 3551 et seq.; and the Federal Information Processing Standards 
199: Standards for Security Categorization of Federal Information and 
Information Systems. Security controls include user identification, 
multi-factor authentication, database permissions, encryption, 
firewalls, audit logs, and network system security monitoring, and 
software controls.
    Access to records in the system is limited to authorized personnel 
who have a need to access the records in the performance of their 
official duties, and each user's access is restricted to only the 
functions and data necessary to perform that person's job 
responsibilities. System administrators and authorized users are 
trained and required to follow established internal security protocols 
and must complete all security, privacy, and records management 
training and sign the DOI Rules of Behavior. Privacy Impact Assessments 
are conducted on use of systems and third-party applications to ensure 
that Privacy Act requirements are met and appropriate privacy controls 
are implemented to safeguard the personally identifiable information 
contained in the system.

RECORD ACCESS PROCEDURES:
    An individual requesting access to their records should send a 
written inquiry to the System Manager identified above. DOI forms and 
instructions for submitting a Privacy Act request may be obtained from 
the DOI Privacy Act Requests website at https://www.doi.gov/privacy/privacy-act-requests. The request must include a general description of 
the records sought and the requester's full name, current address, and 
sufficient identifying information such as date of birth or other 
information required for verification of the requester's identity. The 
request must be signed and dated and be either notarized or submitted 
under penalty of perjury in accordance with 28 U.S.C. 1746. The request 
must include the specific bureau or office that maintains the record to 
facilitate location of the applicable records. Requests submitted by 
mail must be clearly marked ``PRIVACY ACT REQUEST FOR ACCESS'' on both 
the envelope and letter. A request for access must meet the 
requirements of 43 CFR 2.238.

CONTESTING RECORD PROCEDURES:
    An individual requesting amendment of their records should send a 
written request to the System Manager as identified above. DOI 
instructions for submitting a request for amendment of records are 
available on the DOI Privacy Act Requests website at https://www.doi.gov/privacy/privacy-act-requests. The request must clearly 
identify the records for which amendment is being sought, the reasons 
for requesting the amendment, and the proposed amendment to the record. 
The request must include the requester's full name, current address, 
and sufficient identifying information such as date of birth or other 
information required for verification of the requester's identity. The 
request must be signed and dated and be either notarized or submitted 
under penalty of perjury in accordance with 28 U.S.C. 1746. Requests 
submitted by mail must be clearly marked ``PRIVACY ACT REQUEST FOR 
AMENDMENT'' on both the envelope and letter. A request for amendment 
must meet the requirements of 43 CFR 2.246.

NOTIFICATION PROCEDURES:
    An individual requesting notification of the existence of records 
about them should send a written inquiry to the System Manager as 
identified above. DOI instructions for submitting a request for 
notification are available on the DOI Privacy Act Requests website at 
https://www.doi.gov/privacy/privacy-act-requests. The request must 
include a general description of the records and the requester's full 
name, current address, and sufficient identifying information such as 
date of birth or other information required for verification of the 
requester's identity. The request must be signed and dated and be 
either notarized or submitted under penalty of perjury in accordance 
with 28 U.S.C. 1746. Requests submitted by mail must be clearly marked 
``PRIVACY ACT INQUIRY'' on both the envelope and letter. A request for 
notification must meet the requirements of 43 CFR 2.235.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    80 FR 66551 (October 29, 2015); modification published at 86 FR 
50156 (September 7, 2021).

Teri Barnett,
Departmental Privacy Officer, U.S. Department of the Interior.
[FR Doc. 2024-23080 Filed 10-4-24; 8:45 am]
BILLING CODE 4334-63-P