Privacy Act of 1974; System of Records, 99335-99338 [2024-28959]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 89, Number 237 (Tuesday, December 10, 2024)]
[Notices]
[Pages 99335-99338]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-28959]


-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA) Veterans Benefits 
Administration.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, notice is hereby given 
that the Department of Veterans Affairs (VA) is modifying the system of 
records titled, ``Veterans Affairs/Department of Defense Identity 
Repository (VADIR)-VA'' (138VA005Q). This system of records is an 
electronic repository of military personnel's military history, payroll 
information and their dependents' data provided to VA by the Department 
of Defense's Defense Manpower Data Center (DMDC). The VADIR database 
repository is used in conjunction with other applications across VA 
business lines to provide an electronic consolidated view of 
comprehensive eligibility and benefits utilization data from across VA 
and Department of Defense (DoD). VA applications use the VADIR database 
to retrieve profile data, military history, and information on 
benefits, and dependents.

DATES: Comments on this modified system of records must be received no 
later than January 9, 2025. If no public comment is received during the 
period allowed for comment or unless otherwise published in the Federal 
Register by VA, the modified system of records will become effective a 
minimum of 30 days after date of publication in the Federal Register. 
If VA receives public comments, VA shall review the comments to 
determine whether any changes to the notice are necessary.

ADDRESSES: Comments may be submitted through www.Regulations.gov or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005X6F), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``Veterans Affairs/Department of Defense Identity 
Repository (VADIR)-VA'' (138VA005Q). Comments received will be 
available at regulations.gov for public viewing, inspection, or copies.

FOR FURTHER INFORMATION CONTACT: Trisha Dang, Veterans Experience 
Office, (VEO), Department of Veterans Affairs, 810 Vermont Ave. NW, 
Building 810, Washington, DC 20420; telephone (202) 461-9898; email 
[email protected].

SUPPLEMENTARY INFORMATION: VA has updated the System Manager to reflect 
``Alexander Torres, Project Manager, Department of Veterans Affairs, 
OIT/Product Engineering/Data&Analytics, 810 Vermont Ave. NW, Building 
810, Washington, DC 20420, email: [email protected], telephone 
number (470) 364-4797.''
    VA has also updated the Categories of Records to reflect: ``The 
record, or information contained in the record, may include identifying 
information (e.g., name, contact information, Social Security number), 
association to dependents, cross reference to other names used, 
military service participation and status information (branch of 
service, rank, enter on duty date, release from active duty date, 
military occupations, type of duty, character of service, awards), 
reason and nature of active duty separation (completion of commitment, 
etc.), combat pay, combat awards, theater location, combat deployments 
(period of

[[Page 99336]]

deployment, location/country), Guard/Reserve activations (period of 
activation, type of activation), education benefit participation, 
Transfer of Eligibility (TOE) of educational benefits to dependents, 
group life insurance participation, survivor pay, disability pay, 
separation pay, military retirement pay, and medals and awards.''

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Kurt D. 
DelBene, Assistant Secretary for Information and Technology and Chief 
Information Officer, approved this document on October 31, 2024 for 
publication.

    Dated: December 5, 2024.
Amy L. Rose,
Government Information Specialist, VA Privacy Service, Office of 
Compliance, Risk and Remediation, Office of Information and Technology, 
Department of Veterans Affairs.

SYSTEM NAME AND NUMBER:
    Veterans Affairs/Department of Defense Identity Repository (VADIR)-
VA (138VA005Q).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    VADIR is hosted at an OI&T approved VA sponsored data warehouse 
location via secured cloud storage on a Federal Risk and Authorization 
Management Program (FedRAMP) certified VA Enterprise Cloud (VAEC).

SYSTEM MANAGER(S):
    Alexander Torres, Project Manager, Department of Veterans Affairs, 
OIT/Product Engineering/Data&Analytics, 810 Vermont Ave. NW, Building 
810, Washington, DC 20420, email: [email protected], telephone 
number (470) 364-4797.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    38 U.S.C. 5106.

PURPOSE(S) OF THE SYSTEM:
    The purpose of VADIR is to receive electronically military 
personnel and payroll information from the Department of Defense (DoD) 
in a centralized VA system and then distribute the data to other VA 
systems and lines of business who require the information for health 
and benefits eligibility determinations. This information is provided 
to VADIR by the Defense Manpower Data Center (DMDC). VADIR will also 
provide veterans information concerning education benefits usage and 
death, as well as personal and demographic information.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The category of the individuals covered by the VADIR database 
encompasses veterans, service members, and their dependents. This would 
include current service members, separated service members, and their 
dependents; as well as veterans whose VA military service benefits have 
been sought by others (e.g., burial benefits).

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records include identifying information (e.g., name, contact 
information, Social Security number), association to dependents, cross 
reference to other names used, military service participation and 
status information (branch of service, rank, enter on duty date, 
release from active duty date, military occupations, type of duty, 
character of service, awards), reason and nature of active duty 
separation (completion of commitment, etc.), combat pay, combat awards, 
theater location, combat deployments (period of deployment, location/
country), Guard/Reserve activations (period of activation, type of 
activation), education benefit participation, Transfer of Eligibility 
(TOE) of educational benefits to dependents, group life insurance 
participation, survivor pay, disability pay, separation pay, military 
retirement pay, and medals and awards.

RECORD SOURCE CATEGORIES:
    Information in this system of records is provided by components of 
the Department of Defense.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
1. Congress
    To a Member of Congress or staff acting upon the Member's behalf 
when the Member or staff requests the information on behalf of, and at 
the request of, the individual who is the subject of the record.
2. Data Breach Response and Remediation, for VA
    To appropriate agencies, entities, and persons when (a) VA suspects 
or has confirmed that there has been a breach of the system of records, 
(b) VA has determined that as a result of the suspected or confirmed 
breach there is a risk of harm to individuals, VA (including its 
information systems, programs, and operations), the Federal Government, 
or national security; and (c) the disclosure made to such agencies, 
entities, and persons is reasonably necessary to assist in connection 
with VA's efforts to respond to the suspected or confirmed breach or to 
prevent, minimize, or remedy such harm.
3. Data Breach Response and Remediation, for Another Federal Agency
    To another Federal agency or Federal entity, when VA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (a) responding to a suspected 
or confirmed breach or (b) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
4. Law Enforcement
    To a Federal, State, local, territorial, Tribal, or foreign law 
enforcement authority or other appropriate entity charged with the 
responsibility of investigating or prosecuting a violation or potential 
violation of law, whether civil, criminal, or regulatory in nature, or 
charged with enforcing or implementing such law, provided that the 
disclosure is limited to information that, either alone or in 
conjunction with other information, indicates such a violation or 
potential violation. The disclosure of the names and addresses of 
veterans and their dependents from VA records under this routine use 
must also comply with the provisions of 38 U.S.C. 5701.
5. DoJ, Litigation, Administrative Proceeding
    To the Department of Justice (DoJ), or in a proceeding before a 
court, adjudicative body, or other administrative body before which VA 
is authorized to appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her individual capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components is a party to such 
proceedings or has an interest in such proceedings, and VA determines 
that use of such records is relevant and necessary to the proceedings.

[[Page 99337]]

6. Contractors
    To contractors, grantees, experts, consultants, students, and 
others performing or working on a contract, service, grant, cooperative 
agreement, or other assignment for VA, when reasonably necessary to 
accomplish an agency function related to the records.
7. NARA
    To the National Archives and Records Administration (NARA) in 
records management inspections conducted under 44 U.S.C. 2904 and 2906, 
or other functions authorized by laws and policies governing NARA 
operations and VA records management responsibilities.
8. Department of Defense
    To DoD systems or offices for use in connection with matters 
relating to one of DoD's programs to enable delivery of healthcare or 
other DoD benefits to eligible beneficiaries.
9. Department of Defense Manpower Data Center (DMDC)
    To the Department of Defense Manpower Data Center (DMDC) to 
reconcile the amount and/or waiver of service, department and retired 
pay, provided that information disclosed is the name, address, VA file 
number, service information, date of birth, incarceration status, and 
social security number of veterans and their surviving spouses
10. Department of Defense Enrollment Eligibility Reporting System 
(DEERS)
    To DoD, to identify retired veterans and dependent members of their 
families who have entitlement to DoD benefits but who are not 
identified in the Department of Defense Enrollment Eligibility 
Reporting System (DEERS) program and to assist in determining 
eligibility for Civilian Health and Medical Program of the Uniformed 
Services (CHAMPUS) benefits, provided that information disclosed is the 
name, address, VA file number, date of birth, date of death, social 
security number, and service information. This purpose is consistent 
with 38 U.S.C. 5701.
11. Federal Agencies, for Research
    To a Federal agency for the purpose of conducting research and data 
analysis to perform a statutory purpose of that Federal agency upon the 
prior written request of that agency.
12. Nonprofits, for RONA
    To a nonprofit organization if the release is directly connected 
with the conduct of programs and the utilization of benefits under 
title 38, provided that the disclosure is limited the names and 
addresses of present or former members of the armed services or their 
beneficiaries, the records will not be used for any purpose other than 
that stated in the request, and the organization is aware of the 
penalty provision of 38 U.S.C. 5701(f).
13. Federal Agencies, for Computer Matches
    To other Federal agencies in accordance with a computer matching 
program to determine or verify eligibility of veterans receiving VA 
benefits or medical care under title 38.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are transmitted between DMDC and VA over a dedicated 
telecommunications circuit using approved encryption technologies. 
Records (or information contained in records) are maintained in 
electronic format in the VADIR Oracle database. These records cannot be 
directly accessed by any VA employee or other users. Information from 
VADIR is disseminated in three ways: (1) Approved VA systems 
electronically request and receive data from VADIR, (2) data is 
replicated via secure link between VADIR and DMDC, and (3) periodic 
electronic data extracts of subsets of information contained in VADIR 
are provided to approved VA offices/systems. Backups of VADIR data are 
created regularly and stored in a secure undisclosed off-site facility.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved using various unique identifiers belonging to 
the individual to whom the information pertains to include such 
identifiers as name, claim file number, social security number and date 
of birth.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records in this system are retained indefinitely until a records 
retention schedule is approved by the Archivist of the United States. 
The records control for the VDR system hardware and user logs is GRS 
4.2: Information Access and Protection Records Item 130 located 
www.archives.gov/records-mgmt/grs.html.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Physical Security: The primary VADIR system is located in an 
undisclosed location for security purposes. Access to data processing 
centers is generally restricted to VA employees, VADIR custodial 
personnel, Federal Protective Service, and other security personnel. 
Access to computer rooms is restricted AWS staff.
    System Security: Access to the VA network is protected by the usage 
of two factor authentication. Once on the VA network, two factor 
authentication is required to gain access to the VADIR server and/or 
database. Access to the server and/or database is granted to only a 
limited number of system administrators and database administrators 
approved by the System Manager. In addition, VADIR has undergone 
assessment and authorization based on a risk assessment that followed 
National Institute of Standards and Technology Vulnerability and Threat 
Guidelines. The system is considered stable and operational and a final 
Authority to Operate (ATO) has been granted and is updated annually. 
The system was found to be operationally secure, with very few 
exceptions or recommendations for change.

RECORD ACCESS PROCEDURES:
    Individuals seeking information on the existence and content of 
records in this system pertaining to them should contact the VA Privacy 
Service, 810 Vermont Avenue NW, (005X6F), Washington, DC 20420, in 
writing as indicated above. The VA Privacy Officer will route the 
request to the System Manager. A request for access to records must 
contain the requester's full name, address, telephone number, be signed 
by the requester, include copy of government issued ID for 
verification, and describe the records sought in sufficient detail to 
enable VA personnel to locate them.

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest or amend records in this system 
pertaining to them should contact the system manager in writing as 
indicated above. A request to contest or amend records must state 
clearly and concisely what record is being contested, the reasons for 
contesting it, and the proposed amendment to the record. Additionally, 
to the extent that information contested is identified as data provided 
by DMDC, which is part of the Defense Logistics Agency (DLA), the DLA 
rules for accessing records, for contesting contents, and appealing 
initial agency determinations are contained in 32 CFR part 323, or may 
be obtained from the Privacy Act Officer, Headquarters, Defense 
Logistics Agency, ATTN: DES-B, 8725 John J. Kingman Road, Stop 6220, 
Fort Belvoir, VA 22060-6221.

[[Page 99338]]

NOTIFICATION PROCEDURES:
    Generalized notice is provided by the publication of this notice. 
For specific notice, see Record Access Procedure, above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    74 FR 37093 (July 27, 2009); 87 FR 79066 (December 23, 2022).

[FR Doc. 2024-28959 Filed 12-9-24; 8:45 am]
BILLING CODE 8320-01-P