[Federal Register: October 2, 2006 (Volume 71, Number 190)]
[Notices]
[Page 58039-58041]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr02oc06-145]
-----------------------------------------------------------------------
SMALL BUSINESS ADMINISTRATION
Privacy Act of 1974; System of Records Notice
AGENCY: U.S. Small Business Administration (SBA).
ACTION: Notice of new system of records.
-----------------------------------------------------------------------
SUMMARY: The Small Business Administration is adding a new system of
records to the Agency's Privacy Act Systems of Records. The system is
called the SBA Identity Management System (IDMS). The purpose of this
System is to automate records that maintain information required to
comply with Homeland Security Presidential Directive 12 (HSPD-12).
[[Page 58040]]
The IDMS provides the workflow process used to enforce roles in
personalizing and issuing Personal Identify Verification (PIV) cards.
IDMS automates the current paper based process and is used to maintain
the integrity of PIV card issuance.
DATES: Written comments on the System of records must be received
November 1, 2006.
ADDRESSES: Written comments on the System of Records should be directed
to Christine H. Liu, Agency Privacy Officer, U.S. Small Business
Administration, 409 Third Street, SW., Washington, DC 20416 or
Christine.Liu@sba.gov.
FOR FURTHER INFORMATION CONTACT: Christine Liu, Agency Privacy Officer,
U.S. Small Business Administration, 409 Third Street, SW., Washington,
DC 20416; Telephone (202) 205-6708.
SBA 34
SYSTEM NAME:
IDENTITY MANAGEMENT SYSTEM--SBA 34.
SYSTEM LOCATION:
The servers and secure data storage are located at Maden
Technologies; 2110 Washington Boulevard, Suite 200; Arlington, VA
22204. Enrollment and queries can be performed by authorized
individuals from any authorized, suitably-equipped SBA workstation.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM INCLUDE:
Individuals, who require regular, ongoing access to SBA facilities,
information technology systems, or information classified in the
interest of national security, including:
a. Applicants for employment or contracts.
b. Federal employees.
c. Contractors.
d. Students.
e. Interns.
f. Volunteers, and
The system also includes individuals authorized to perform or use
services provided in SBA facilities (e.g., Credit Union, Fitness
Center, etc.)
The system does not apply to occasional visitors or short-term
guests to whom SBA will issue temporary identification and credentials.
CATEGORIES OF RECORDS IN THE SYSTEM:
Full name, social security number; date of birth; signature; image
(photograph); fingerprint images and minutia templates; hair color; eye
color; height; weight; organization/office of assignment; company name;
telephone number; copy of background investigation form; personal
addresses for past 5 years; high school and college attended (as
applicable); Card Holder Unique Identification Number; Personal
Identity Verification (PIV) enrollment package; PIV card issue and
expiration dates; results of background investigation; PIV request
form; PIV registrar approval signature; PIV card serial number;
emergency responder designation; copies of documents used to verify
identification or information derived from those documents; level of
national security clearance and expiration date; computer system user
name; user access and permission rights, public key certificates;
digital signature information; National Agency Check with Written
Inquiries investigation; FBI fingerprint check results; FBI National
Criminal History Name Check results.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
a. 5 U.S.C. 301; Federal Information Security Act (Pub. L. 104-106,
sec. 5113)
b. Electronic Government Act (Pub. L. 104-347, sec. 203)
c. Paperwork Reduction Act of 1995 (44 U.S.C. 3501)
d. Government Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C.
3504)
e. Homeland Security Presidential Directive (HSPD) 12, Policy for a
Common Identification Standard for Federal Employees and Contractors,
August 27, 2004
f. Federal Property and Administrative Act of 1949, as amended.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES, THESE RECORDS MAY BE USED,
DISCLOSED OR REFERRED:
a. To a Congressional Office from an individual's record, when the
office is inquiring on the individual's behalf with waiver; the
Member's access rights are no greater than the individual's.
b. To the National Archives and Records Administration or to the
General Services Administration for records management inspections
conducted under 44 U.S.C. 2904 and 2906.
c. To SBA contractors, grantees, or volunteers who have been
engaged to assist the SBA in the performance of a contract service,
grant, cooperative agreement, or other activity related to this system
of records and who need to have access to the records in order to
perform their activity. Recipients shall be required to comply with the
requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a.
d. To a Federal, State, local, foreign, or tribal or other public
authority of the fact that this system of records contains information
relevant to the retention of an employee, the retention of a security
clearance, the letting of a contract, or the issuance or retention of a
license, grant, or other benefit with appropriate restrictions on
further disclosure.
e. To the Office of Management and Budget (OMB) when necessary to
the review of private relief legislation pursuant to OMB Circular No.
A-19.
f. To a Federal, State, or local agency, or other appropriate
entities or individuals, or through established liaison channels to
selected foreign governments, in order to enable an intelligence agency
to carry out its responsibilities under the National Security Act of
1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333
or any successor order, applicable national security directives, or
classified implementing procedures approved by the Attorney General and
promulgated pursuant to such statutes, orders or directives.
g. To notify another Federal agency when, or verify whether, a PIV
card is no longer valid.
h. To a supervisor or manager in order to verify employee time and
attendance record for personnel actions.
Note: Disclosures within SBA of data pertaining to date and time
of entry and exit of an agency employee working in the District of
Columbia may not be made to supervisors, managers or any other
persons (other than the individual to whom the information applies)
to verify employee time and attendance record for personnel actions
because 5 U.S.C. 6106 prohibits Federal Executive agencies (other
than the Bureau of Engraving and Printing) from using a recording
clock within the District of Columbia, unless used as a part of a
flexible schedule program under 5 U.S.C. 6120 et seq.
i. To the Department of Justice (DOJ) when any of the following is
a party to litigation or has an interest in such litigation, and the
use of such records by the DOJ is deemed by the agency to be relevant
and necessary to the litigation, provided, however, that in each case,
the agency determines the disclosure of the records to the DOJ is a use
of the information contained in the records that is compatible with the
purpose for which the records were collected:
(1) The agency, or any component thereof;
(2) Any employee of the agency in his or her official capacity;
(3) Any employee of the agency in his or her individual capacity
where the DOJ has agreed to represent the employee; or
(4) The United States Government, where the agency determines that
[[Page 58041]]
litigation is likely to affect the agency or any of its components.
j. In a proceeding before a court, or adjudicative body, or a
dispute resolution body before which the agency is authorized to appear
or before which any of the following is a party to litigation or has an
interest in litigation, provided, however, that the agency determines
that the use of such records is relevant and necessary to the
litigation, and that, in each case, the agency determines that
disclosure of the records to a court or other adjudicative body is a
use of the information contained in the records that is compatible with
the purpose for which the records were collected:
(1) The agency, or any component thereof;
(2) Any employee of the agency in his or her official capacity;
(3) Any employee of the agency in his or her individual capacity
where the DOJ has agreed to represent the employee; or
(4) The United States Government, where the agency determines that
litigation is likely to affect the agency or any of its components.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS:
STORAGE:
Records are stored in electronic media and in paper files and not
on the card.
RETRIEVABILITY:
Records are retrievable by name, social security number, PIV card
serial number, or Card Holder Unique Identification Number.
SAFEGUARDS:
Paper records are kept in locked cabinets in secure facilities and
access to them is restricted to individuals whose role requires use of
the records. Access to facilities will be controlled by the PIV card.
The System requires a PIV card to log on and to digitally sign
transactions. The computer servers in which records are stored are
located in facilities that are secured by alarm systems and off-master
key access. The computer servers themselves are password-protected.
Access to individuals working at guard stations is password-protected;
each person granted access to the system at guard stations must be
individually authorized to use the system. A Privacy Act Warning Notice
appears on the monitor screen when records containing information on
individuals are first displayed. Data exchanged between the servers and
the client PCs at the guard stations and badging office are encrypted.
Backup tapes are stored in a locked and controlled room in a secure,
off-site location.
An audit trail is maintained and reviewed periodically to identify
unauthorized access. Persons given roles in the PIV process must
complete training specific to their roles to ensure they are
knowledgeable about how to protect individually identifiable
information. The system uses the high risk confidentiality and
integrity security controls specified in the National Institute of
Standards and Technology Special Publication 800-53.
RETENTION AND DISPOSAL:
Records relating to persons covered by this system are retained in
accordance with General Records Schedule 18, Item 17. Unless retained
for specific, ongoing security investigations, for maximum security
facilities, records of access are maintained for five years and then
destroyed by wiping hard drives and shredding paper. For other
facilities, records are maintained for two years and then destroyed by
wiping hard drives and shredding paper. All other records relating to
employees are destroyed two years after ID security card expiration
date.
In accordance with FIPS 201-1, PIV Cards are deactivated within 18
hours of cardholder separation, notification of loss of card, or
expiration. The information on PIV Cards is maintained in accordance
with General Records Schedule 11, Item 4. PIV Cards that are turned in
for destruction are shredded within 90 days.
SYSTEM MANAGER(S) AND ADDRESSES:
Assistant Administrator/Human Capital Management, United States
Small Business Administration, 409 3rd Street, SW., Washington, DC
20416. Associate Administrator for Disaster Assistance, United States
Small Business Administration, 409 3rd Street, SW., Washington, DC
20416. This responsibility may be delegated.
NOTIFICATION PROCEDURES:
An individual may submit a record inquiry either in person or in
writing to the System Manager or the Senior Agency Official for
Privacy. When requesting notification of or access to records covered
by this Notice, an individual should provide his/her full name, date of
birth, and work location. An individual requesting notification of
records in person must provide identity documents sufficient to satisfy
the custodian of the records that the requester is entitled to access,
such as a government-issued photo ID. Individuals requesting
notification via mail or telephone must furnish, at minimum, name, date
of birth, social security number, and home address in order to
establish identity.
ACCESS PROCEDURES:
The Systems Manager or Senior Agency Official for Privacy will
determine the process. Requesters should reasonably specify the record
contents being sought.
CONTESTING PROCEDURES:
Same as notification procedures. Requesters should also reasonably
identify the record, specify the information they are contesting, state
the corrective action sought and the reasons for the correction along
with supporting justification showing why the record is not accurate,
timely, relevant, or complete.
SOURCE CATEGORIES:
Employee, contractor, or applicant; sponsoring SBA; former
sponsoring SBA; other Federal agencies; contract employer; former
employer.
Dated: September 22, 2006.
Christine Liu,
Departmental Privacy Officer.
[FR Doc. E6-15848 Filed 9-29-06; 8:45 am]
BILLING CODE 8025-01-P