E8-31131. Privacy Act of 1974, Implementation of Exemptions  

  • Start Preamble Start Printed Page 9

    AGENCY:

    United States Agency for International Development.

    ACTION:

    Final rule.

    SUMMARY:

    The United States Agency for International Development (USAID) has established a new system of records (see 72 FR 39042) pursuant to the provisions of the Privacy Act of 1974 (5 U.S.C. 552a), entitled the “Partner Vetting System”. USAID published a proposed rule on July 20, 2007 (see 72 FR 39769) and is issuing this final rule after thorough review of all comments and suggestions received by the Agency through the public notice process and outreach sessions held for interested individuals. The final rule exempts portions of this system of records from one or more provisions of the Privacy Act. The decision as to whether to implement PVS will be made by the incoming Obama Administration.

    DATES:

    This final rule will go into effect February 2, 2009.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Jeff Denale, Coordinator for Counterterrorism, Office of Security, United States Agency for International Development, Ronald Reagan Building, 1300 Pennsylvania Avenue, NW., Washington, DC 20523, telephone: (202) 712-1264.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    A. Background

    In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, USAID established a new system of records (see 72 FR 39042), entitled the “Partner Vetting System” (PVS). The PVS would support the vetting of individuals and directors, officers, or other principal employees of non-governmental organizations (NGOs) who apply for USAID contracts, grants, cooperative agreements, or other funding and of NGOs who apply for registration with USAID as Private and Voluntary Organizations. The information collected for these individuals would be used to conduct screening to ensure USAID funds and USAID-funded activities are not purposefully or inadvertently used to provide support to entities or individuals deemed to be a risk to national security. As these individuals and organizations are neither employees of USAID or job applicants for jobs with USAID, nor would they be eligible for or require security clearances, traditional employment or security clearance investigative mechanisms are not authorized or appropriate for the stated purposes.

    USAID will exempt portions of the PVS from certain provisions of the Privacy Act and add the PVS to 22 CFR 215.13, General Exemptions, and 22 CFR 215.14, Specific Exemptions. USAID requires this exemption from the Privacy Act in order to protect information, recompiled from records of other government agencies and related to investigations, from disclosure to subjects of investigations and to protect classified information related to the government's national security programs. Specifically, the exemptions are required to preclude subjects of investigations from frustrating the investigative process; to avoid disclosure of investigative techniques; protect the identities and physical safety of confidential informants and of law enforcement personnel; ensure the ability of USAID's Office of Security to obtain information from third parties and other sources; protect the privacy of third parties; and safeguard classified information.

    Aside from the specific protections afforded classified information, USAID must also protect the names of organizations and individuals within any classified systems associated with the PVS that mistakenly become recompiled into the non-classified USAID system. Nondisclosure of this information protects the government's operational counterterrorism and counterintelligence missions, as well as the personal safety of those involved in counterterrorism investigations.

    B. Summary of the Final Rule

    The final rule issued by USAID generally exempts portions of the PVS which qualify from:

    Accounting of Certain Disclosures.

    Access to Records.

    Agency Maintenance, Collection, and Notification Requirements.

    Agency Rulemaking Requirements Relating to Notification, Accounting, and Access.

    Civil Remedies.

    Right of Legal Guardians.

    These exemptions are necessary to insure the proper functioning of the law enforcement activity, to protect confidential sources of information, to fulfill promises of confidentiality, to maintain integrity of the law enforcement procedures, to avoid premature disclosure of the knowledge of criminal activity and the evidentiary basis of possible enforcement actions, to prevent interference with law enforcement proceedings, to avoid the disclosure of investigative techniques, to avoid endangering law enforcement personnel, to maintain the ability to obtain candid and necessary information, to fulfill commitments made to sources to protect the confidentiality of information, to avoid endangering these sources, and to facilitate proper selection or continuance of the best applicants or persons for a given position or contract. Although USAID is not a law enforcement or intelligence agency, the mandate to ensure USAID funding is not purposefully or inadvertently used to provide support to entities or individuals deemed to be a risk to national security necessarily requires coordination with law enforcement and intelligence agencies as well as use of their information. Use of these agencies' information necessitates the conveyance of these other systems' exemptions to protect the information as stated.

    The final rule issued by USAID specifically exempts portions of the PVS which qualify from:

    Accounting of Certain Disclosures.

    Access to Records.

    Agency Maintenance, Collection, and Notification Requirements.

    Agency Rulemaking Requirements Relating to Notification, Accounting, and Access.

    These exemptions are claimed to protect the materials required by executive order to be kept secret in the interest of national defense or foreign policy, to prevent subjects of investigation from frustrating the investigatory process, to insure the proper functioning and integrity of law enforcement activities, to prevent disclosure of investigative techniques, to maintain the ability to obtain candid and necessary information, to fulfill commitments made to sources to protect the confidentiality of information, to avoid endangering these sources, and to facilitate proper selection or continuance of the best applicants or persons for a given position or contract.

    C. Rulemaking History

    On July 20, 2007, USAID published a proposed rule in the Federal Register (72 FR 39769) exempting portions of the PVS which originate with government departments and agencies other than USAID from sections of the Privacy Act of 1974. Interested individuals were given 60 days to comment on the proposed rule. During the 60-day comment period, USAID received more than 175 comments from respondents. Start Printed Page 10The respondents included NGOs, academic institutions, private companies, public interest groups, and interested individuals.

    This final rule amends 22 CFR 215.13 and 215.14 to exempt the PVS from certain requirements under the Privacy Act. Prior to issuing this final rule, USAID has carefully considered program requirements, respondent comments, and national security and foreign policy impacts.

    D. Discussion of Comments

    Demonstrated Need for PVS

    Many of the organizations that submitted comments suggested that since there is no evidence that USAID funds are flowing to terrorist organizations through NGOs, there is no need for a vetting system. Support for this proposition was based, in part, on the assertion that the Office of Inspector General (OIG) at USAID, in its Semi-Annual Reports to Congress on USAID's program for West Bank and Gaza, has stated that there has been no finding of terrorist organizations receiving USAID funds under that program. USAID notes, however, that in its November 6, 2007 audit report of USAID's anti-terrorism vetting procedures, the OIG recommended that USAID should develop and implement a worldwide anti-terrorism vetting program to include both U.S. and non-U.S.-based partners.

    USAID is the Executive Branch agency primarily responsible for implementing the bilateral foreign assistance program of the United States. USAID relies heavily upon U.S. and foreign NGOs in implementing international assistance, education and other programs in furtherance of U.S. foreign policy, humanitarian, international relations, and national security interests and objectives.

    Consistent with applicable law and agency policy, USAID has taken a number of steps, when implementing the U.S. foreign assistance program, to help ensure that agency funds and other resources do not inadvertently benefit individuals or entities that are terrorists, supporters of terrorists or affiliated with terrorists. Specifically, USAID has taken the actions described below.

    In March 2002, USAID issued Acquisition and Assistance Policy Directive (AAPD) 02-04. AAPD 02-04 required all USAID solicitations and contracts, Annual Program Statements or Requests for Applications and grants or cooperative agreements, or other comparable documents issued by USAID to contain a clause reminding the Agency's contractor and grantee partners of U.S. Executive Orders (such as Executive Order 13224) and U.S. law prohibiting transactions with, and the provision of resources and support to, individuals and organizations associated with terrorism. This requirement subsequently has been incorporated into USAID's Automated Directives System (ADS).

    In December 2002, USAID issued AAPD 02-19 (as revised, now AAPD 04-14), which requires USAID agreement officers to obtain a terrorist financing certification from both U.S. and non-U.S. NGOs before the NGO would be eligible to receive an award of a grant or cooperative agreement. The purpose of the certification is to provide USAID with assurances that it is not entering into an assistance agreement with an organization that provides or has provided assistance to terrorists or for terrorist activity.

    In November 2005, USAID issued Procurement Executive's Bulletin No. 2005-12, reminding contracting officers and agreement officers of their responsibilities to perform due diligence in ensuring that organizations receiving contracts, grants and cooperative agreements are eligible for these awards in accordance with Federal statutes and policy. Among other things, that Bulletin reminds contracting officers and agreement officers of their responsibility, before making an award, of checking the master list of specially designated nationals and blocked persons maintained by the Office of Foreign Assets Control (OFAC) within the U.S. Department of the Treasury.

    USAID recognizes, however, that merely checking names against the OFAC master list and requiring self-certification may not constitute adequate due diligence in certain situations. In its terrorist financing certification, USAID discusses the need for applicants for USAID funds also to check the list maintained by the United Nations' 1267 Committee, the need to take into account their own knowledge and the need to take into account relevant public information that is reasonably available. Similarly, in the U.S. Department of the Treasury Anti-Terrorist Financing Guidelines: Voluntary Best Practices for U.S.-Based Charities, it is noted that, “while the [OFAC-maintained] List is a critically important compliance tool that can assist charities in meeting their legal obligations under the variety of sanctions programs that OFAC administers, it should only form one part of a charitable organization's broader risk-based approach to protect against the risks of terrorist abuse.”

    Accordingly, to complement its requirements for terrorist financing clauses, terrorist financing certifications, and review of public lists of designated groups and individuals, USAID proposes implementation of the PVS. The decision as to whether to implement PVS will be made by the incoming Obama Administration.

    There have been allegations in the media and within the Executive and Legislative Branches that USAID funds may have gone (i) to organizations in West Bank and Gaza which are controlled by Hamas or which otherwise have ties to terrorist groups, (ii) to an organization in Pakistan controlled by an individual who was indicted based on alleged ties with terrorists, and (iii) to an organization in Bosnia controlled by an individual about whom derogatory information was reported. Although none of these grant activities resulted in assistance being furnished directly to a designated individual or entity, USAID believes that the development of a comprehensive, systematic, and automated vetting system is essential to ensuring that funds or other resources provided in the future are not diverted to the control of terrorists or terrorist organizations.

    Moreover, whether or not any of the allegations referred to above had a valid basis in fact, USAID does not believe that it should wait for hard proof that our funds are actually flowing to terrorists before implementing additional safeguards to its anti-terrorist financing program—even the suggestion that our funds or resources are benefiting terrorists is harmful to U.S. foreign policy and U.S. national interests.

    Vetting conducted since 2001 for the USAID West Bank and Gaza Mission has already proven effective in preventing USAID funds and materials from flowing to foreign terrorist organizations or groups or individuals associated with such organizations. Individuals involved in or otherwise associated with terrorism have been specifically identified through the West Bank and Gaza vetting process. Without vetting, USAID funds or materials could have inadvertently been given to these individuals or groups. In light of the fact that the statutorily required vetting currently being carried out for our West Bank and Gaza programs has uncovered derogatory information on some of the applicants for USAID funds and materials, a more comprehensive, systematic, and automated vetting process unquestionably will improve the Agency's due diligence and will result in more effective methods to help minimize the risk that USAID funds will Start Printed Page 11be diverted to terrorists or for terrorist purposes.

    Statutory Basis for PVS

    Some organizations suggested that, with the exception of USAID programs in West Bank and Gaza, there is no basis in statute or Executive Order justifying implementation of PVS.

    The Foreign Assistance Act of 1961, as amended (the “FAA”), provides the President with broad discretion to set terms and conditions in the area of foreign policy. Specifically, numerous sections of the FAA authorize the President to furnish foreign assistance “on such terms and conditions as he may determine”. See, e.g., section 122 of the FAA, which provides that, “[i]n order to carry out the purposes of this chapter [i.e., development assistance], the President is authorized to furnish assistance, on such terms and conditions as he may determine, to countries and areas through programs of grant and loan assistance, bilaterally or through regional, multilateral, or private entities.” Similarly, sections 103 through 106 of the FAA authorize the President to furnish assistance, on such terms and conditions as he may determine, for agriculture, rural development and nutrition; for population and health (including assistance to combat HIV/AIDS); for education and human resources development; and for energy, private voluntary organizations, and selected development activities, respectively. The FAA also authorizes the President to “make loans, advances, and grants to, make and perform agreements and contracts with, any individual, corporation, or other body of persons, friendly government or government agency, whether within or without the United States and international organizations in furtherance of the purposes and within the limitations of this Act.”

    These authorities have been delegated from the President to the Secretary of State and, pursuant to State Department Delegation of Authority 293, from the Secretary of State to the Administrator of USAID. Agency delegations of authority, in turn, delegate these authorities from the Administrator to Assistant Administrators, office directors, Mission Directors, and other Agency officials.

    In providing foreign assistance, the Administrator must take into account relevant legal restrictions. For example, the FAA requires that all reasonable steps be taken to ensure that assistance is not provided to or through individuals who have been or are illicit narcotics traffickers. Pursuant to annual foreign operations appropriations acts, assistance to foreign security forces requires vetting to ensure that assistance is not provided to units where there is credible evidence that the unit committed gross violations of human rights. These vetting requirements now have been incorporated into the FAA. Restrictions in the FAA against supporting terrorism or providing assistance to terrorist states, as well as restrictions in Title 18 of the United States Code on the provision of support or resources to terrorists, similarly support a decision by the Administrator of USAID to authorize terrorist screening procedures.

    In addition, the broad authority of the FAA permits the Administrator of USAID to consider a range of foreign policy and national security interests in determining how to provide foreign assistance. The United States has a strong foreign policy and national security interest in ensuring that U.S. assistance is not provided to or through individuals or organizations that have links to terrorists. This interest arises both because of our concern about the potential diversion of U.S. assistance to other uses and also our interest in ensuring that terrorist individuals and groups do not garner the benefit of being the distributor of U.S. assistance to needy recipients in foreign countries. The United States is an advocate of strong anti-terrorism provisions and has urged other nations to control the flow of funds and support to terrorists. There could be significant negative foreign policy repercussions if it were determined that the United States was funding individuals and organizations with ties to terrorists.

    Further, Homeland Security Presidential Directive/HSPD-6 states that to protect against terrorism it is the policy of the United States to (1) develop, integrate, and maintain thorough, accurate, and current information about individuals known or appropriately suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism, and (2) use that information as appropriate and to the full extent permitted by law to support Federal screening processes. HSPS-6 also requires the heads of executive departments and agencies to conduct screening using Terrorist Information (as defined therein) at all appropriate opportunities. In accordance with HSPD-11, USAID has identified NGO applications for USAID funds as one of the opportunities for which screening could be conducted. Accordingly, use by USAID of information contained in USG terrorist databases, i.e., vetting, is entirely consistent with HSPD-6.

    Finally, legislative and Executive Order prohibitions against furnishing financial or other support to terrorists or for terrorist related purposes, or against engaging in transactions with individuals or entities that engage in terrorist acts, provide justification not to award assistance if USAID already has access to information showing that the applicant for assistance is involved in terrorism. Some of these prohibitions can be found in Sections 2339A and 2339B of Title 18 of the United States Code, Executive Order 12947, as amended by Executive Order 13099, Executive Order 13224, and Title VIII of the USA Patriot Act. Accordingly, USAID's authority to conduct vetting is implied from these authorities since, to avoid violation of the authorities, USAID must use some sort of screening.

    Based upon all of the above, USAID has concluded that it does indeed have the legal authority to implement the PVS.

    Related comments suggested that USAID could not implement PVS without first obtaining a deviation from the Office of Management and Budget (OMB) in accordance with OMB Circular A-110 and USAID Regulation 226 (22 CFR 226). OMB Circular A-110 governs the administration of grants and cooperative agreements to institutions of higher education, hospitals, and other non-profit organizations. USAID Regulation 226 implements OMB Circular A-110. 22 CFR 226.1 provides that USAID will not “impose additional or inconsistent requirements, except [through a deviation granted by OMB] * * *, or unless specifically required by Federal statute or executive order.”

    USAID has reviewed the comments regarding Regulation 226 and has concluded that a deviation from OMB is not required. USAID has the freedom to make suitability determinations regarding applicants for grants and the use of PVS is part of the suitability determination process. Furthermore, the Partner Information Form, published in the Federal Register on October 2, 2007, and approved by OMB on August 19, 2008, complies with 5 CFR 1320, OMB's regulations on controlling paperwork burdens on the public, as required by 22 CFR 226.12, USAID's regulatory provision requiring compliance with OMB, and supplements the Standard Form 424 series.

    Burden on Applicants

    The most frequent concern expressed in the comments received was that providing information to USAID would create an undue burden on Start Printed Page 12organizations applying for U.S. funds in terms of non-programmatic costs and person hours. Organizations submitting comments feared that detailed personal information would have to be collected from every director, board member, officer and employee of an applicant, in addition to information collected from similar personnel of sub-recipients. Concerns also were expressed about the burden placed on USAID personnel who will receive and process the information provided.

    It is contemplated that if the incoming Obama Administration approves implementation of PVS, it will be rolled out in an orderly fashion, with initial implementation for approximately four programs worldwide. While USAID believes that its Paperwork Reduction Act estimate of the burden of the proposed collection of information for PVS is accurate, USAID would continue to monitor implementation of PVS if it is implemented to determine what the burden on applicants actually will be and to determine what operation of PVS will cost USAID in terms of dollars and in terms of personnel hours.

    NGO partners can be assured that USAID has no intention to vet hundreds or thousands of employees for each acquisition or assistance action. Review of Mission Order No. 21, issued by USAID's Mission for West Bank and Gaza to describe the Mission's current terrorist financing procedures, and the recently approved Partner Information Form, are instructive in this regard.

    Under the definition of “key individuals,” Mission Order No. 21 lists only “principal” officers of an organization's governing body and only “principal” officers of an organization, as opposed to all of these officers. The Mission reports that during the first ten months that the Mission utilized a database vetting system similar to that proposed under PVS, vetting was conducted only on an average of approximately 3.2 key individuals per organization. Based on the Mission's experience during that time period, a typical organization would submit information on 4 to 6 key individuals, with the high range being 10 to 14 and the low range (for sole proprietorships or simple two-person partnerships) being 1 to 2 persons. Moreover, under those screening procedures, the initial determination as to who would be considered a “key individual” for a particular activity, and thus will require vetting, is left to the organization applying for funds. After receiving the information, the Mission then may request clarification or, if appropriate, go back to an organization to seek information on additional individuals. The Partner Information Form also includes a section of instructions to ensure that applicants are accurately filling out the form and are not over-reporting information that is unnecessary. The form includes a definition of “key individuals” that is similar to the definition contained in West Bank and Gaza Mission Order No. 21. It is expected that the numbers of key individuals selected for vetting under programs identified for initial PVS implementation will be comparable to the numbers cited above for West Bank and Gaza program.

    USAID does recognize that including more complex and sophisticated U.S. organizations into this mix may well result in higher numbers and of course this will be carefully monitored during the early phases of PVS implementation should PVS be approved for implementation by the incoming Obama Administration.

    USAID's NGO partners also commented that individuals who serve on the boards of NGOs typically are distinguished and prominent individuals who serve without remuneration as a public service. In addition, many NGOs also deploy volunteers. Concerns were expressed over the adverse effect that the proposed PVS screening might have on these prominent board members or on NGO volunteers. Based on the West Bank and Gaza procedures described above, however, it may well be that neither the NGO applicant nor USAID will consider these prominent board members or these volunteers as the type of individual necessary to include in the screening process.

    USAID currently is developing guidance and protocol for the initial implementation of PVS, if approved, and the Agency will monitor the accompanying administrative burden on our partners and on our staff throughout the process. In the development of this information, USAID is taking into consideration experience, expertise and results that the Mission for West Bank and Gaza has obtained through more than six years of vetting. Once the guidance and protocol have been developed, the Agency will share it with our NGO partners and also provide appropriate training for affected applicant organizations.

    Privacy Act and Due Process Requirements

    Comments received by USAID expressed concern that implementation of PVS would result in the creation of files or databases of innocent people not suspected of a crime and that sharing of information between USAID and other agencies not authorized to view private information would violate the Privacy Act. Concern also was expressed that individuals and organizations would not know their status in the PVS since one of USAID's Federal Register notices states that USAID will not confirm or deny that an individual “passed” or “failed” screening. Comments received asserted that this lack of due process would result in loss of employment and/or award of funds without effective recourse. Finally, at least one organization asserted that European based NGOs might have problems complying with PVS due to European data protection regulations.

    Throughout the design process of PVS, USAID has been committed to protecting national security while complying with all administrative requirements, and protecting all privacy, civil liberty and other rights of its NGO partners and their employees. In that regard, the July 17, 2007 System of Records Notice for the PVS does include an appropriate routine use allowed for under the Privacy Act, permitting the sharing of information, provided to USAID by applicants, with the intelligence community for the purposes of vetting following the processes established by the PVS.

    Information provided to USAID by applicants will be transmitted to USAID employees who will check that information against one or more databases maintained by the intelligence community. Once checked, the information provided by NGO partners will be maintained in secure files, as detailed in the Federal Register notices, by and at USAID. Consistent with the Privacy Act, all information submitted on individuals and maintained in the USAID system will be available for those individuals to request, review and correct. Intelligence community systems will not retain information on individuals where there is no match.

    USAID will not deny an application merely because there is an “encounter” or positive match between information provided by an applicant and information maintained in a terrorism database. Instead, USAID will “look behind” that match, considering the accuracy and severity of the information, the reliability of the source, corroboration, and other pertinent matters before any decision is made regarding an award. This review will include assessment of the terrorist information available in relevant databases, consideration of information provided by USAID Missions or U.S. Embassies and any other relevant information available to the Agency.Start Printed Page 13

    USAID has been working closely with the Department of Justice to ensure that due process rights are incorporated into PVS. Any decision communicated to an applicant that award will not be made as a result of PVS screening will be accompanied by a reason for such denial. Further, opportunity for review of that decision will be afforded to the denied applicant. The statement in USAID's rulemaking notice that USAID will not “confirm or deny that an individual ‘passed’ or ‘failed’ screening” only pertains to the fact that USAID has not been authorized to confirm information maintained in terrorist screening databases. This is to protect the classified nature of information maintained by the intelligence community, preclude frustration of the investigative process, avoid disclosure of investigative techniques, and for other reasons specified in our rulemaking notice. Since, as stated above, USAID award decisions will not be based simply on a “match” between information provided to USAID by an applicant and information already contained in a terrorism database, refusal to acknowledge whether or not there was a match should be of no consequence for purposes of implementation of PVS.

    One European based agency expressed concerns to the effect that compliance with PVS requirements by our European partners could result in violation of EU privacy laws. More specifically, the European based agency suggested that article 25 of EU Directive 95/46/EC on Data Protection, designed to protect the privacy rights of NGO employees and other individuals, might prohibit transfer to USAID of the information requested under PVS. This is because the “EU data protection authorities do not generally regard the United States as ensuring adequate protection for personal data since the United States does not have data privacy laws similar to the European regime.” The European based agency also suggested that article 7 of the EU Directive might pose problems for compliance with PVS requirements. That article prohibits the disclosure or other processing of personal data except where disclosure is necessary for compliance with a legal obligation or in other limited circumstances. Support for this proposition is based on the SWIFT opinion issued by EU data protection authorities.

    USAID has conducted a preliminary legal review of these concerns. The Agency does not believe that PVS requirements violate article 7 of the EU Directive since the information proposed to be provided to USAID is necessary for USAID to further legitimate U.S. interests, i.e., ensuring that U.S. funds are not diverted to terrorists or used for terrorist purposes. Pursuit of legitimate interests is one of the stated exceptions to the prohibition contained in article 7. USAID also does not believe that fundamental rights or freedoms of the data subjects will be compromised through compliance with PVS. In this regard, USAID does not believe that the facts in the SWIFT opinion are relevant to the national security screening procedures contemplated under PVS. In SWIFT, financial information was collected and then transferred to U.S. intelligence and such transfer was accomplished without notifying the affected individuals. Neither of those actions is contemplated by PVS.

    Similarly, USAID does not believe that article 25 of the EU Directive will be violated as PVS is being designed to provide more than “an adequate level of protection.” For more information on this point, see the response to data security and other related concerns in this final rule. In any event, USAID is not inclined to ease or otherwise dilute its information requirements because European data protection authorities possibly might view PVS as a system that will not adequately protect information provided.

    Consultation With Partners

    A number of organizations expressed concern over the lack of prior consultation between USAID and its traditional implementing partners. In particular, (i) the timing of the publication of the PVS notices in the Federal Register (mid-July) and (ii) the statement in the Privacy Act System of Records notice that the new system of records would become effective on the same date that comments on that notice were due have generated questions about USAID's willingness to effectively and transparently engage the NGO community in a dialogue on PVS.

    Administrative regulations prevented USAID from discussing specifics of the proposed PVS prior to publication of the Federal Register notices. However, to remedy this perceived oversight in communication, USAID convened a number of outreach sessions with its NGO partners. Moreover, USAID considered seriously all comments submitted by the NGOs in response to the four Federal Register notices, as reflected in this final rule. In any event, it should be pointed out that by no means did USAID “slip” notice of the proposed PVS into the Federal Register in mid-summer to avoid meaningful review and comment by the NGO community. Publication of the PVS notices was approved by USAID leadership in April 2007. Following that decision, USAID staff engaged in consultations with OMB for several months, discussing both procedural and substantive aspects of the proposed PVS and the required notices. In addition, internal USAID procedures governing publication of notices in the Federal Register had to be followed, further delaying publication. It was not until July 2007 that all prerequisite steps for publication had been satisfied. Thus, publication at that time was merely the next logical step in the administrative process and not the result of any intention on the part of USAID to sneak these notices by a vacationing NGO community.

    Similarly, the effective date selected for the PVS system of records does not reflect unwillingness on USAID's part to give serious consideration to and incorporate into the proposed PVS, as appropriate, comments submitted by the NGOs in response to the PVS notices.

    The Privacy Act System of Records notice for PVS was published in the Federal Register for public comment on July 17, 2007. The notice provided that written comments must be received on or before August 27, 2007. The notice went on to state that unless there is further notice in the Federal Register, the new system of records would become effective on August 27, 2007. This did not mean that USAID would not review comments or that USAID would not take these comments into account as decisions were being made on whether to or how to implement the PVS.

    USAID was required to select a date to insert in the System of Records Notice at which time the system of records would become effective. Effectiveness of the PVS system of records on August 27, 2007 in no way indicated that the proposed PVS was approved on that date, that it became operational on that date, or that comments received in response to any of the four notices would be ignored. As demonstrated by USAID subsequent to the August 27, 2007 date, the Agency has been ready, willing and able to continue the dialogue with the NGOs and to ensure that approval of PVS only would be granted once the recommendations, concerns and comments of the NGOs have fully been reviewed and considered by USAID.

    As previously indicated, on October 2, 2007, USAID published a fourth notice in the Federal Register. That notice, issued pursuant to the Paperwork Reduction Act, republished and amended the notice previously Start Printed Page 14published by USAID on July 23, 2007, and contains the proposed Partner Information Form, which will be used during the pilot phase of PVS. The form was developed with guidance from the USAID Mission in West Bank and Gaza, in response to recommendations made by the GAO and in compliance with all administrative approvals and with requirements set by the intelligence community. Comments on this fourth notice were due on or before December 3, 2007, and the Partner Information Form was approved by OMB on August 19, 2008. All comments received in response to this fourth notice have been taken into account by USAID.

    Risk to Partners

    Some organizations claimed in their comments that there were considerable dangers associated with USAID using its implementing partners for U.S. law enforcement or intelligence purposes in foreign countries and that this could lead to retaliation by foreign governments against partner employees and employees of subs of partners.

    First of all, PVS is not, and should not be characterized as, a system in which USAID implementing partners will be acting as agents for U.S. law enforcement or intelligence activities. Rather, PVS simply is an additional mechanism for USAID to use in determining the eligibility of organizations applying for U.S. funds. Such applicants already provide information to USAID on its management personnel and on key employees as part of the application and evaluation process. PVS merely requires applicants to provide additional information in that process. In no way should this exercise be viewed as law enforcement or intelligence gathering.

    Further, as previously communicated to the NGO community, one of the purposes of PVS is to enhance the safety overseas of both USAID personnel and officials and employees of USAID's partners. Ensuring that principal individuals, officers, directors or other employees are not associated with terrorists or terrorism, where such individuals will be working with USAID Missions and will be implementing USAID foreign assistance activities alongside other partner employees, can only improve safety and reduce the risk of kidnapping, assassination or injury.

    Public Comment Period

    Concerns were expressed that the time periods made available for public comment did not afford the NGO community adequate time to prepare comments or for USAID to carefully consider and respond to these comments. It also was asserted that OMB regulations require USAID to provide between 60 and 90 days for comment. Consequently, NGOs have requested extension of the comment periods.

    USAID has followed all administrative requirements and provided a full 40-day comment period for the system of records notice, a full 60-day comment period for the proposed rule, and a full 60-day comment period for both the original and amended information collection notices. All time limits are set by the Privacy Act and the Paperwork Reduction Act and no deviations to those time limits were requested by USAID.

    In any event, USAID did express its willingness to maintain a dialogue with the NGO community and with interested Congressional committee staff on PVS and associated notices. Expiration of the stated time periods for our public notices did not dictate when PVS will be put into operation.

    Procedural Specifics

    Some comments received expressed concern over the lack of specifics with respect to PVS procedures. For example, questions were raised over the type and extent of information to be requested by USAID, which people will be screened, and how long information provided to USAID will be retained. The perceived lack of procedural specifics also resulted in fears that USAID would compile a secret blacklist of ineligible grant applicants, that individuals whose identifying data match data in an intelligence community database will not be told of the source of this match and that NGO applicants will be unable to appeal or dispute denials of their applications for funding.

    While some of the procedures attendant to PVS already have been agreed upon, other procedures remain to be developed as part of the Agency's guidance and protocol development process. For example, as stated in the system of records notice published in the Federal Register, a retention and disposition schedule will need to be developed for PVS. Currently, in West Bank and Gaza, required information is submitted by applicants via paper. However, USAID's Office of Security is working with a contractor to design a secure portal to permit applicants to submit data electronically. With respect to retention of records generated under PVS, it is likely that the same rules applicable to documents submitted to the U.S. Government under acquisition and assistance activities will be made applicable to information submitted under PVS. In any event, should implementation of PVS be approved by the incoming Obama Administration, all these procedures would be fleshed out during the guidance policy and protocol development process leading up to the initiation of PVS and then adjusted as USAID gathers information and experience.

    Once specific procedures for PVS have been agreed upon, they will be published by USAID in its ADS and, as appropriate, in applicable regulation. Current operation of vetting and other related procedures in West Bank and Gaza can be found in Mission Order No. 21 and may provide a solid basis for the proposed implementation of PVS for other programs.

    USAID will not maintain in its files any information other than information provided by applicants, maintained in the USAID PVS system of records, and information that constitutes related administrative records. Screening of an organization will consist of a review of potential derogatory information regarding principal individuals of the organization or the organization itself. Results of this screening will be recorded to document actions taken concerning the award for which the organization was screened. Results will not be utilized to create lists of organizations which would then be used for subsequent screening, which is what is suggested by allegations that there will be a secret blacklist. Instead, whether an organization is being screened for the first time or whether screening is being conducted at subsequent dates, screening will be conducted through the same original process.

    Moreover, as previously indicated, award decisions will not be based simply on whether there has been a match with respect to one or more principal individuals of an organization and information contained in a terrorism database. Instead, USAID will review the intelligence behind the match. This review will include consideration of the severity of the information, the reliability of the source, corroboration, if any, etc. As previously stated, USAID cannot confirm or deny a person's appearance in a terrorism database. Nevertheless, any denial of funding by USAID as a result of PVS screening will be accompanied by a reason for that denial and an opportunity for the organization to appeal administratively. The amount of information provided to a denied applicant will be dependent on the sensitivity of the information, i.e., whether some or all of the information is classified and, if so, how much of that Start Printed Page 15information can be released without compromising investigative or operational interests.

    Unconstitutionally Vague

    It was asserted in some of the comments received that USAID's description of the purpose of the proposed PVS in the Federal Register notices, i.e., to ensure that neither USAID funds nor USAID-funded activities inadvertently or otherwise provide support to entities or individuals “associated with terrorism,” was Constitutionally vague. In support of this position, reference was made to Humanitarian Law Project v. Treasury, a case decided in the Central District of California in November 2006. In that decision, provisions of Executive Order 13224 referencing people and groups “otherwise associated” with terrorism were held to be impermissibly vague.

    It should be noted that in April 2007, the Humanitarian Law Project court granted the U.S. Government's motion for reconsideration. The court ruled that the regulation issued by the OFAC defining the “otherwise associated with” provision of Executive Order 13224 remedied the provision's “Constitutional defects”. In addition, the court also vacated its order and decision finding that the President's designation authority under Executive Order 13224 was unconstitutionally vague and overbroad.

    It also should be noted that violations of OFAC-administered economic sanctions activities may result in imposition of civil fines and/or criminal penalties. PVS, on the other hand, is being designed to help determine whether applicants for USAID funds are responsible, suitable or otherwise eligible to receive these funds. The legal standards applicable to imposition of civil fines or criminal penalties for violation of sanctions differ substantially from the legal standards applicable to denial of Federal grants and other funding. Accordingly, analogies between the Humanitarian Law Project case and the proposed PVS are misplaced.

    While the development of a static template which listed all applicable criteria or a point scoring system which would scientifically identify individuals and entities “associated with terrorism” may be preferred, such an approach, if even feasible, would prove to be an inefficient and ineffective way to address the issue of funds or other support flowing to terrorists or terrorist organizations or for terrorist activities. USAID needs to have the ability to be flexible in its analysis so that the Agency can adapt to the range of activities and the range of circumstances surrounding implementation of the U.S. foreign assistance program. The proposed PVS includes a process where all data available to USAID on applicants will be reviewed at various levels within the Agency. This information will be checked for accuracy, relevance, timeliness, reliability, etc. Foreign policy and other related views of the country team also can be taken account. In addition, USAID has been working closely with the Department of Justice to ensure that due process and other relevant legal rights are incorporated into the design and implementation of PVS.

    Based upon all of the above, USAID believes that PVS meets all applicable legal standards.

    Data Security

    Concern was expressed over the security of records maintained by USAID under PVS, particularly in overseas locations. An example provided was GAO criticism of the security of information held in West Bank and Gaza. Concern also was expressed about who would have access to data maintained in PVS. Specifically, questions were raised about the propriety of “authorized” USAID contractors having access to the data involving other contractors and involving all grantees.

    In response to vetting database weaknesses identified by both the GAO and OIG, the Mission for West Bank and Gaza has incorporated a number of improvements in its system. For example, vetting reports that previously had been held in an unlocked file cabinet now are stored in secure, locked cabinets. The Mission also has developed user requirements, system architecture, data dictionaries, and user manuals for its vetting system. PVS will, of course, take advantage of all these improved methods.

    On an Agency-wide basis, USAID's information security program is considered to be exceptional. USAID is required to report annually on Federal Information Security Act compliance, both to OMB and to the House of Representatives. Additionally, the program is audited by the USAID OIG. The House Oversight and Government Reform committee issues each year a governmentwide scorecard rating all agencies. For each of the past four years, USAID has been rated at the A+ level.

    In structuring USAID's “award winning” computer security program, the Office of the Chief Information Officer has deployed a very robust and sophisticated set of technical defenses on USAID's network. In addition, USAID has a very strong security awareness training program.

    The PVS system will be housed in USAID headquarters in Washington, DC, within the Agency's firewall and on USAID servers. When an authorized user of PVS accesses the application through the USAID intranet, the user's network credentials will be authenticated. PVS will limit the user's capability to view personally identifiable data and operate the system based on the user's roles configured within the system. Policy will dictate that each user will be assigned only those roles required to perform his or her job function within the system. All personally identifiable information will be protected in accordance with the Privacy Act.

    Specific retention and disposition instructions will be formulated by USAID at a later date as policy makers are better informed by the proposed pilot for PVS. Typical disposition instructions for electronic data include archiving and later destruction, as well as specified periods of time for such actions.

    Evidence of Effectiveness

    One organization indicated that its objections to PVS are based on its research and advocacy relating to charities and counterterrorism programs. The organization stated that it had found that similar programs tended to create barriers to effective delivery of aid programs, to discourage small NGO application for grants, and to alienate international partners. However, the organization did not provide any data or other information to support its claims.

    USAID recognizes that any additional requirement (whether PVS related or otherwise) will affect the delivery of assistance. The goal of USAID is to achieve the purpose behind any new requirement in the most efficient manner that will minimize any potential negative impact on implementation of activities. In the experience of USAID's Mission in West Bank and Gaza, the most significant negative impact of vetting over the past five years or so has been delay. Vetting conducted manually with limited dedicated resources resulted in backlogs well in excess of 3,500 names. Delays in processing these vetting requests clearly caused significant barriers to effective delivery of aid. This, however, further underlines the need to have a comprehensive, systematic and automated system for vetting requests to be processed formally and electronically, rather than on an ad-hoc basis. Under such a program, it is expected that delays encountered by the Mission in West Start Printed Page 16Bank and Gaza will significantly be reduced during implementation of PVS for subsequent programs.

    The suggestion that small NGOs are discouraged from applying for grants seems to be based on anecdotal evidence. USAID's experience in the West Bank and Gaza can neither confirm nor deny this hypothesis as data is not collected on number of potential partners that may abstain from applying for assistance. The Mission for West Bank and Gaza does, however, provide assistance to a large number of small NGOs and those NGOs are indeed vetted. To the extent that some small NGOs may be apprehensive about vetting, it is hoped that the transparency, public information and education, and comment periods surrounding the PVS public notice process will provide assurances about the uses of the system and its safeguards, and help dispel any extreme rumors about the system.

    The same response largely is applicable to the situation with international partners. Concerns raised by international partners in the West Bank and Gaza may reflect the uniqueness of vetting to that program. International partners not accustomed to working in countries or programs where PVS may be implemented may be less comfortable than partners that have worked in those countries or with those programs for years. If PVS is implemented, such apprehensions should subside.

    Inaccuracies and Errors

    Comments received suggest that government watch lists are inaccurate. Recently, the Department of Justice's Inspector General reported that these lists continue “to have significant weaknesses,” producing a high error rate and a slow response to complaints from citizens. Since PVS proposes to utilize such terrorism databases, concerns have been expressed that USAID vetting will generate numerous “false positives.”

    Although the watch list error rate actually is quite low, the intelligence community continues to seek improvement in the terrorist screening process. While the intelligence community will continue to observe all privacy rules and policies, it also seeks to improve its information technology capabilities by researching and developing the latest computerized name-matching programs to ensure the highest watch list data quality. In fact, in an October 2007 report on Terrorist Watch List Screening, the GAO recommended that the intelligence community prepare plans to facilitate expanded and enhanced use of the watch list.

    In any event, decisions by USAID under PVS as to whether or not to award funds to applicants will not be based on the mere fact that there is a “match” between information provided by an applicant and information contained in these terrorism databases. Rather, USAID will determine whether any such match is valid or is a false positive. The detailed identifying information required of applicants under the PVS will help minimize instances of individuals being misidentified.

    Lack of Office of Management and Budget (OMB) Involvement

    Some comments suggested that clearance or other involvement of OMB in the PVS process was not obtained by USAID. More specifically, it was asserted that USAID overlooked its responsibilities under Executive Order 12866 concerning the determination that PVS is not a “significant” regulatory action.

    As required by OMB Circular A-130, USAID provided appropriate materials (cover letter, system of records notice, proposed rule) to OMB as well as to the Senate Committee on Homeland Security and Government Affairs and the House Committee on Government Reform. The proposed rule contained a statement that USAID had determined that it was not a significant regulatory action and, therefore, is not subject to review under Executive Order 12866. OMB agreed with this determination, and cleared the proposed rule for publication in the Federal Register. OMB continues to view this rule as not a significant regulatory action. Consistent with the requirements of the Congressional Review Act, USAID is submitting this final rule to each house of Congress and to OMB. This submittal includes USAID's determination that it is not a major rule. USAID has kept OMB apprised of the procedures being followed to establish PVS and has engaged in consultations with OMB prior to the publication of the notices in the Federal Register, during the comment periods, and after the comment periods closed. Where clearance from OMB is required, USAID is complying with these clearance requirements by consulting with OMB as necessary.

    E. Impact Assessment

    Regulatory Planning and Review

    This is not a significant regulatory action and, therefore, is not subject to review under section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

    Regulatory Flexibility Act

    Pursuant to requirements set forth in the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.), USAID has considered the economic impact of the rule and has determined that its provisions would not have a significant economic impact on a substantial number of small entities.

    Paperwork Reduction Act

    The Paperwork Reduction Act does apply because the proposed changes impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3601 et seq.

    Start List of Subjects

    Lists of Subjects in 22 CFR Part 215

    • Freedom of Information
    • Investigations
    • Privacy
    End List of Subjects

    Regulatory Text

    Start Amendment Part

    For the reasons stated in the preamble, USAID amends 22 CFR part 215 as follows:

    End Amendment Part Start Part

    PART 215—REGULATIONS FOR IMPLEMENTATION OF PRIVACY ACT OF 1974

    End Part Start Amendment Part

    1. The authority citation for 22 CFR part 215 is revised to read as follows:

    End Amendment Part Start Authority

    Authority: Public Law 93-579, 88 Stat. 1896 (5 U.S.C. 553, (b), (c), and (e))

    End Authority Start Amendment Part

    2. Amend § 215.13 by adding paragraph (c)(2) to read as follows:

    End Amendment Part
    General exemptions.
    * * * * *

    (c) * * *

    (2) Partner Vetting System. This system is exempt from sections (c)(3) and (4); (d); (e)(1), (2), and (3); (e)(4)(G), (H), and (I); (e)(5) and (8); (f), (g), and (h) of 5 U.S.C. 552a. These exemptions are necessary to insure the proper functioning of the law enforcement activity, to protect confidential sources of information, to fulfill promises of confidentiality, to maintain the integrity of law enforcement procedures, to avoid premature disclosure of the knowledge of criminal activity and the evidentiary basis of possible enforcement actions, to prevent interference with law enforcement proceeding, to avoid the disclosure of investigative techniques, to avoid endangering law enforcement personnel, to maintain the ability to obtain candid and necessary information, to fulfill commitments made to sources to protect the confidentiality of information, to avoid endangering these sources, and to Start Printed Page 17facilitate proper selection or continuance of the best applicants or persons for a given position or contract. Although the primary functions of USAID are not of a law enforcement nature, the mandate to ensure USAID funding is not purposefully or inadvertently used to provide support to entities or individuals deemed to be a risk to national security necessarily requires coordination with law enforcement and intelligence agencies as well as use of their information. Use of these agencies' information necessitates the conveyance of these other systems exemptions to protect the information as stated.

    Start Amendment Part

    3. Amend § 215.14 by adding the heading “Note to paragraph (c)(5)” to the undesignated text at the end of the section and paragraph (c)(6) to read as follows:

    End Amendment Part
    Specific exemptions.
    * * * * *

    (c) * * *

    (6) Partner Vetting System. This system is exempt under 5 U.S.C. 552a (k)(1), (k)(2), and (k)(5) from the provision of 5 U.S.C. 552a (c)(3); (d); (e)(1); (e)(4)(G), (H), (I); and (f). These exemptions are claimed to protect the materials required by executive order to be kept secret in the interest of national defense or foreign policy, to prevent subjects of investigation from frustrating the investigatory process, to insure the proper functioning and integrity of law enforcement activities, to prevent disclosure of investigative techniques, to maintain the ability to obtain candid and necessary information, to fulfill commitments made to sources to protect the confidentiality of information, to avoid endangering these sources, and to facilitate proper selection or continuance of the best applicants or persons for a given position or contract.

    Start Signature

    Dated: December 23, 2008.

    Randy T. Streufert,

    Director, Office of Security.

    End Signature End Supplemental Information

    [FR Doc. E8-31131 Filed 12-31-08; 8:45 am]

    BILLING CODE 6116-01-P

Document Information

Comments Received:
0 Comments
Effective Date:
2/2/2009
Published:
01/02/2009
Department:
Agency for International Development
Entry Type:
Rule
Action:
Final rule.
Document Number:
E8-31131
Dates:
This final rule will go into effect February 2, 2009.
Pages:
9-17 (9 pages)
RINs:
0412-AA61: Privacy Act of 1974; Implementation of Exemptions
RIN Links:
https://www.federalregister.gov/regulations/0412-AA61/privacy-act-of-1974-implementation-of-exemptions
Topics:
Freedom of information, Investigations, Privacy
PDF File:
e8-31131.pdf
CFR: (2)
22 CFR 215.13
22 CFR 215.14