89 FR 49 pgs. 17749-17751 - Privacy Act of 1974; Implementation
Type: RULEVolume: 89Number: 49Pages: 17749 - 17751
Pages: 17749, 17750, 17751Docket number: [Docket ID: DoD-2023-OS-0060]
FR document: [FR Doc. 2024-05142 Filed 3-11-24; 8:45 am]
Agency: Defense Department
Official PDF Version: PDF Version
[top]
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 310
[Docket ID: DoD-2023-OS-0060]
RIN 0790-AL64
Privacy Act of 1974; Implementation
AGENCY:
Office of the Secretary of Defense (OSD), Department of Defense (DoD).
ACTION:
Final rule.
SUMMARY:
The Department of Defense (Department or DoD) is issuing a final rule to amend its regulations to exempt portions of the system of records titled DoD-0019, "Information Technology Access and Audit Records," from certain provisions of the Privacy Act of 1974.
DATES:
This rule is effective on March 12, 2024.
FOR FURTHER INFORMATION CONTACT:
Ms. Rahwa Keleta, Privacy and Civil Liberties Directorate, Office of the Assistant to the Secretary of Defense for Privacy, Civil Liberties, and Transparency, Department of Defense, 4800 Mark Center Drive, Mailbox #24, Suite 08D09, Alexandria, VA 22350-1700; OSD.DPCLTD@mail.mil; (703) 571-0070.
SUPPLEMENTARY INFORMATION:
Discussion of Comments and Changes
The proposed rule published in the Federal Register (88 FR 60411-60413) on September 1, 2023. Comments were accepted for 60 days until October 31, 2023. No comments were received.
I. Background
In finalizing this rule, DoD is exempting portions of this system of records titled, DoD-0019, "Information Technology Access and Audit Records," from certain provisions of the Privacy Act of 1974. The purpose of this system of records is to support information systems being established within the DoD using the same categories of data for the same purposes. This system of records covers DoD's maintenance of records related to requests for user access, attempts to access, granting of access, records of user actions for DoD information technology (IT) systems, and user agreements. This includes details of programs, databases, functions, and sites accessed and/or used, and the information products created, received, or altered during the use of IT systems. The system consists of both electronic and paper records and will be used by DoD components and offices to maintain records about individuals who have user agreements, user access to and activity on networks, computer systems, applications, databases, or other digital technologies.
II. Privacy Act Exemption
The Privacy Act allows Federal agencies to exempt eligible records in a system of records from certain provisions of the Act, including those that provide individuals with a right to request access to and amendment of their own records. If an agency intends to exempt a particular system of records, it must first go through the rulemaking process pursuant to 5 U.S.C. 553(b)(1)-(3), (c), and (e). The OSD is amending 32 CFR part 310 to add a new Privacy Act exemption rule for this system of records. The DoD is adding exemptions for this system of records pursuant to 5 U.S.C. 552a(k)(1) and (2) because some of its records may contain classified national security information or investigatory material compiled for law enforcement purposes. The DoD is claiming an exemption from several provisions of the Privacy Act, including various access, amendment, disclosure of accounting, and certain recordkeeping and notice requirements, to avoid, among other harms, frustrating the underlying purposes for which the information was gathered.
Regulatory Analysis
Executive Order 12866-Regulatory Planning and Review; Executive Order 13563-Improving Regulation and Regulatory Review; and Executive Order 14094-Modernizing Regulatory Review
[top] Executive Orders 12866 (as amended by Executive Order 14094) and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. It has been determined that this rule is not a significant regulatory action under these Executive orders.
Congressional Review Act
The Congressional Review Act (5 U.S.C. 801 et seq. ) generally provides that before a rule may take effect, the agency promulgating the rule must submit a rule report, which includes a copy of the rule, to each House of the Congress and to the Comptroller General of the United States. DoD will submit a report containing this rule and other required information to the U.S. Senate, the U.S. House of Representatives, and the Comptroller General of the United States. A major rule may take effect no earlier than 60 calendar days after Congress receives the rule report or the rule is published in the Federal Register , whichever is later. This rule is not a "major rule" as defined by 5 U.S.C. 804(2).
Unfunded Mandates Reform Act
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) (Pub. L. 104-4; 2 U.S.C. 1532(a)) requires agencies to assess anticipated costs and benefits before issuing any rule whose mandates may result in the expenditure by State, local and Tribal governments in the aggregate, or by the private sector, in any one year of $100 million in 1995 dollars, updated annually for inflation. This rule will not mandate any requirements for State, local, or Tribal governments, nor will it affect private sector costs.
Regulatory Flexibility Act
The Assistant to the Secretary of Defense for Privacy, Civil Liberties, and Transparency has certified that this rule is not subject to the Regulatory Flexibility Act (Pub. L. 96-354; 5 U.S.C. 601 et seq. ) because it would not, if promulgated, have a significant economic impact on a substantial number of small entities. This rule is concerned only with the administration of Privacy Act systems of records within the DoD. Therefore, the Regulatory Flexibility Act, as amended, does not require DoD to prepare a regulatory flexibility analysis.
Paperwork Reduction Act
The Paperwork Reduction Act (PRA) (Pub. L. 96-511; 44 U.S.C. 3501 et seq. ) was enacted to minimize the paperwork burden for individuals; small businesses; educational and nonprofit institutions; Federal contractors; State, local and Tribal governments; and other persons resulting from the collection of information by or for the Federal Government. The Act requires agencies to obtain approval from the Office of Management and Budget before using identical questions to collect information from ten or more persons. This rule does not impose reporting or recordkeeping requirements on the public.
Executive Order 13132-Federalism
Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a rule that has federalism implications, imposes substantial direct requirement costs on State and local governments, and is not required by statute, or has federalism implications and preempts State law. This rule will not have a substantial effect on State and local governments.
Executive Order 13175-Consultation and Coordination With Indian Tribal Governments
Executive Order 13175 establishes certain requirements that an agency must meet when it promulgates a rule that imposes substantial direct compliance costs on one or more Indian Tribes, preempts Tribal law, or affects the distribution of power and responsibilities between the Federal Government and Indian Tribes. This rule will not have a substantial effect on Indian Tribal governments.
List of Subjects in 32 CFR Part 310
Privacy.
Accordingly, 32 CFR part 310 is amended as follows:
PART 310-PROTECTION OF PRIVACY AND ACCESS TO AND AMENDEMENT OF INDIVIDUAL RECORDS UNDER THE PRIVACY ACT OF 1974
1. The authority citation for 32 CFR part 310 continues to read as follows:
Authority:
5 U.S.C. 552a.
2. Amend §?310.13 by adding paragraph (e)(14) to read as follows:
§?310.13 Exemptions for DoD-wide systems.
(e) * * *
(14) System identifier and name. DoD-0019, "Information Technology Access and Audit Records."
(i) Exemptions. This system of records is exempt from 5 U.S.C. 552a (c)(3); (d)(1), (2), (3), and (4); (e)(1); (e)(4)(G), (H), and(I); and (f).
(ii) Authority. 5 U.S.C. 552a(k)(1) and (2).
(iii) Exemption from the particular subsections. Exemption from the particular subsections is justified for the following reasons:
(A) Subsections (c)(3), (d)(1), and (d)(2) -( 1 ) Exemption (k)(1). Records in this system of records may contain information that is properly classified pursuant to executive order. Application of exemption (k)(1) may be necessary because access to and amendment of the records, or release of the accounting of disclosures for such records, could reveal classified information. Disclosure of classified records to an individual may cause damage to national security.
( 2 ) Exemption (k)(2). Records in this system of records may contain investigatory material compiled for law enforcement purposes other than material within the scope of 5 U.S.C. 552a(j)(2). Application of exemption (k)(2) may be necessary because access to, amendment of, or release of the accounting of disclosures of such records could: inform the record subject of an investigation of the existence, nature, or scope of an actual or potential law enforcement or disciplinary investigation, and thereby seriously impede law enforcement efforts by permitting the record subject and other persons to whom he might disclose the records or the accounting of records to avoid criminal penalties, civil remedies, or disciplinary measures; interfere with a civil or administrative action or investigation by allowing the subject to tamper with witnesses or evidence, and to avoid detection or apprehension, which may undermine the entire investigatory process; reveal confidential sources who might not have otherwise come forward to assist in an investigation and thereby hinder DoD's ability to obtain information from future confidential sources; and result in an unwarranted invasion of the privacy of others. Amendment of such records could also impose a highly impracticable administrative burden by requiring investigations to be continuously reinvestigated.
(B) Subsections (d)(3) and (4). These subsections are inapplicable to the extent an exemption is claimed from subsections (d)(1) and (2). Accordingly, exemptions from subsections (d)(3) and (4) are claimed pursuant to (k)(1) and (2).
[top] (C) Subsection (e)(1). Additionally, records within this system may be properly classified pursuant to executive order. The collection of information pertaining to the use of government information technology and data systems may include classified records, and it is not always possible to conclusively determine the relevance and necessity of such information in the early stages of a collection. In some instances, it will be only after the collected information is evaluated in light of other information that its relevance and necessity can be assessed. Further, disclosure of classified records
(D) Subsections (e)(4)(G) and (H). These subsections are inapplicable to the extent exemption is claimed from subsections (d)(1) and (2).
(E) Subsection (e)(4)(I). To the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect national security, the confidentiality of sources of information and to protect the privacy and physical safety of witnesses and informants. Accordingly, application of exemptions (k)(1) and (2) may be necessary.
(F) Subsection (f). The agency's rules are inapplicable to those portions of the system that are exempt. Accordingly, application of exemptions (k)(1) and (2) may be necessary.
(iv) Exempt records from other systems. In the course of carrying out the overall purpose for this system, exempt records from other systems of records may in turn become part of the records maintained in this system. To the extent that copies of exempt records from those other systems of records are maintained in this system, the DoD claims the same exemptions for the records from those other systems that are entered into this system, as claimed for the prior system(s) of which they are a part, provided the reason for the exemption remains valid and necessary.
Dated: March 6, 2024.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024-05142 Filed 3-11-24; 8:45 am]
BILLING CODE 6001-FR-P