AGENCY:

Department of Veterans Affairs, Veterans Health Administration.

ACTION:

Notice of a Modified System of Records.

SUMMARY:

Pursuant to the Privacy Act of 1974, notice is hereby given that the Department of Veterans Affairs (VA) is modifying the system of records entitled “Voluntary Service Records—VA” (57VA10B2A). This system is used for training, compliance, work assignment, tracking the number of regularly scheduled volunteers and occasional volunteers, to produce statistical and managerial reports on the number of hours and visits of all volunteers each month, and to present volunteers with certificates of appreciation for service.

DATES:

Comments on this modified system of records must be received no later than 30 days after date of publication in the Federal Register . If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the modified system of records will become effective a minimum of 30 days after date of publication in the Federal Register . If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

ADDRESSES:

Comments may be submitted through www.Regulations.gov or mailed to VA Privacy Service (005R1A), 810 Vermont Avenue NW, Washington, DC 20420. Comments should indicate that they are submitted in response to “Voluntary Service Records—VA (57VA10B2A)”. Comments received will be available at regulations.gov for public viewing, inspection or copies.

FOR FURTHER INFORMATION CONTACT:

Stephania Griffin, Veterans Health Administration Chief Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420; telephone (704) 245-2492 (Note: this is not a toll-free number).

SUPPLEMENTARY INFORMATION:

VA is modifying the system by revising the System Number; System Location; System Manager; Purpose of the System; Categories of Records in the System; Record Source Categories; Routine Uses of Records Maintained in the System; Policies and Practices for Storage of Records; Policies and Practices for Retrievability of Records Policies; Practices for Retention and Disposal of Records; Physical, Procedural, and Administrative Safeguards; Records Access Procedure; Contesting Record Procedure; and Notification Procedure. VA is republishing the system notice in its entirety.

The System Number will be changed from 57VA10B2A to 57VA10 to reflect the current Veterans Health Administration organizational routing symbol.

The System Location is being updated to remove references to servers located at the Austin Information Technology Center, 1615 Woodward Street, Austin, Texas 78772. This section will include that the system is in the Microsoft Government Community Cloud (GCC), a government-authorized cloud-service provider, with Microsoft Global Foundation Services (GFS) Datacenters in Boydton, Virginia; Des Moines, Iowa; Dallas, Texas; and Phoenix, Arizona. For security reasons, Microsoft does not disclose the physical location of the data centers. For more information, please refer to the Joint Authorization Board (JAB) Federal Risk and Authorization Management Program's (FedRAMP) Authority to Operate (ATO) for Microsoft Dynamics Customer Relationship Management (CRM).

The System Manager is being updated to replace Director, Voluntary Service Office, with Director, VA Center for Development and Civic Engagement. Being removed is Technatomy Contractor, Jay Singh, VHA Oakland Office of Information Field Office, 1301 Clay Street, Suite 1350N, Oakland, California 94612. This section will include Stefano Masi, Veteran Relationship Management Product Line Manager, 555 Willard Ave., Newington, CT 06111.

The Purpose of the System is being modified to include training, compliance and work assignment.

The Record Source Categories is being modified to change 24VA10P2 to 24VA10A7.

The following routine use is added and will be routine use #10, Data Breach Response and Remediation, For Another Agency: To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

The following routine use is added and will be routine use #11, Parent or Guardian of Minor Volunteer: To the parent or legal guardian of a minor volunteer. This routine use will allow VA to share information on the work schedule for summer student volunteers with their parents or legal guardians.

Policies and Practices for Storage of Records and Physical, Procedural, and Administrative Safeguards are being modified to replace Austin, Texas with the Microsoft GCC.

Policies and Practices for Retrievability of Records is being modified to replace VistA patient files, with Occupational Health Record-Keeping System.

Policies and Practices for Retention and Disposal of Records is being modified to remove: 1. The individual volunteer's record of service is maintained by the VA health care facility, as long as he or she is living and actively participating in the VA Voluntary Service (VAVS) program. VAVS maintains minimum information on all volunteers indefinitely. These minimum records include the volunteer's name, address, date of birth, telephone number, next of kin information, assignments worked, hours and years of service, and last award received.

2. Depending on the record medium, records are destroyed by either shredding or degaussing. Summary reports and other output reports are destroyed when no longer needed for current operation. Regardless of record medium, no records will be retired to a Federal records center reports and other output reports are destroyed when no longer needed for current operation. Regardless of record medium, no records will be retired to a Federal records center.

This section will now reflect the following: Records in this system are retained and disposed of in accordance with the schedule approved by the Archivist of the United States, VHA RCS 10-1, Item Number 3020.10-3020.11.

The Record Access Procedure, Contesting Record Procedure and Notification Procedure have been modified to reflect standard language across VA systems of records.

The Report of Intent to Modify a System of Records Notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000. Start Printed Page 4883

Signing Authority

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Kurt D. DelBene, Assistant Secretary for Information and Technology and Chief Information Officer, approved this document on December 13, 2022 for publication.

SYSTEM NAME AND NUMBER:

“Voluntary Service Records—VA” (57VA10).

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Records are maintained at each of the VA health care facilities and in the Center for Development and Civic Engagement Portal (CDCEP). Active records are retained at the VA health care facility listed in Appendix 1 where the individual has volunteered to assist the administrative and professional personnel and in the CDCEP. Basic information for all inactive records is retained at the facility where the volunteer worked and in the CDCEP. CDCEP is a web-based volunteer management system currently located in the Microsoft Government Community Cloud (GCC), a government-authorized cloud-service provider, with Microsoft Global Foundation Services (GFS) Datacenters in Boydton, Virginia; Des Moines, Iowa; Dallas, Texas; and Phoenix, Arizona. For security reasons, Microsoft does not disclose the physical location of the data centers. For more information, please refer to the Joint Authorization Board (JAB) Federal Risk and Authorization Management Program's (FedRAMP) Authority to Operate (ATO) for Microsoft Dynamics Customer Relationship Management (CRM).

SYSTEM MANAGER(S):

Official responsible for policies and procedures: Director, VA Center for Development and Civic Engagement (CDCE), Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420. Telephone number 202-461-7300 (this is not a toll-free number). Official maintaining the system: Veteran Relationship Management Product Line Manager, 555 Willard Ave., Newington, CT 06111.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

38 U.S.C. 513.

PURPOSE(S) OF THE SYSTEM:

This system of records is used for training, compliance, work assignment, tracking the number of regularly scheduled volunteers and occasional volunteers, to produce statistical and managerial reports on the number of hours and visits of all volunteers each month, and to present volunteers with certificates of appreciation for service.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

These records include information on all volunteers ( i.e., regularly scheduled volunteers, occasional volunteers, student volunteers), including but not limited to, non-affiliated and members of voluntary service organizations, such as welfare, service, Veterans, fraternal, religious, civic, industrial, labor, and social groups or clubs, which voluntarily offer the services of their organizations and/or individuals to assist with the provision of care to patients, either directly or indirectly, through VA Voluntary Service under 38 U.S.C. 513.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records may include personal information, such as name, address, phone number, email address, date of birth, and volunteer date in a VA health care facility, as provided by the volunteer on VA Form 10-7055, “Application for Voluntary Service;” information relating to the individual membership in service organizations, qualifications, restrictions and preferences of duty and availability to schedule time of service; training records pertaining to the volunteer's service will also be maintained for all active volunteers at the facility where the volunteer works; medical records of active volunteers will be maintained in the facility's Employee Health office; fingerprint and background investigation records will be maintained by the local facility's office that handles those investigations.

RECORD SOURCE CATEGORIES:

Information in this system of records is provided by the volunteer, their family, civic and service organization, “Patient Medical Records—VA” (24VA10A7), and CDCE/VA Voluntary Service (VAVS) at the VA health care facility where the volunteer worked.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

To the extent that records contained in the system include individually-identifiable patient information protected by 38 U.S.C. 7332, that information cannot be disclosed under a routine use unless there is also specific disclosure authority in 38 U.S.C. 7332.

1. Law Enforcement: To a Federal, state, local, territorial, tribal, or foreign law enforcement authority or other appropriate entity charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing such law, provided that the disclosure is limited to information that, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature. The disclosure of the names and addresses of Veterans and their dependents from VA records under this routine use must also comply with the provisions of 38 U.S.C. 5701.

2. Nonprofits, for RONA: To a nonprofit organization if the release is directly connected with the conduct of programs and the utilization of benefits under Title 38, provided that the disclosure is limited the names and addresses of present or former members of the armed services or their beneficiaries, the records will not be used for any purpose other than that stated in the request and the agency or instrumentality is aware of the penalty provision of 38 U.S.C. 5701(f).

3. Volunteer Administration: To confirm volunteer service, duty schedule, and assignments to service organizations, Bureau of Unemployment, insurance firms, office of personnel of the individual's fulltime employment; to assist in the development of VA history of the volunteer and their assignments; and to confirm voluntary hours for on-the job accidents, and for recognition awards.

4. Congress: To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.

5. NARA: To the National Archives and Records Administration (NARA) in records management inspections conducted under 44 U.S.C. 2904 and 2906, or other functions authorized by laws and policies governing NARA operations and VA records management responsibilities.

6. DOJ, Litigation, Administrative Proceeding: To the Department of Justice (DoJ), or in a proceeding before Start Printed Page 4884 a court, adjudicative body, or other administrative body before which VA is authorized to appear, when:

(a) VA or any component thereof;

(b) Any VA employee in their official capacity;

(c) Any VA employee in their individual capacity where DoJ has agreed to represent the employee; or

(d) The United States, where VA determines that litigation is likely to affect the agency or any of its components, is a party to such proceedings or has an interest in such proceedings, and VA determines that use of such records is relevant and necessary to the proceedings.

7. Contractors: To contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for VA, when reasonably necessary to accomplish an agency function related to the records.

8. Federal Agencies, Fraud and Abuse: To other Federal agencies to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

9. Data Breach Response and Remediation, for VA: To appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk to individuals, VA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, or persons reasonably necessary to assist in connection with VA efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

10. Data Breach Response and Remediation, for Another Federal Agency: To another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

11. Parent or Guardian of Minor Volunteer: VA may disclose information from this system to the parent or legal guardian of a minor volunteer.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are maintained in the Microsoft GCC, a government-authorized cloud-service provider, with Microsoft GFS Datacenters in Boydton, Virginia; Des Moines, Iowa; Dallas, Texas; and Phoenix, Arizona. For security reasons, Microsoft does not disclose the physical location of the data centers. For more information, please refer to the JAB FedRAMP ATO for Microsoft Dynamics CRM. Paper records for all active volunteers are maintained in locked file cabinets at the individual VA facilities where the volunteer has donated time. Computer records containing basic information, such as name, address, date of birth, volunteer assignments, hours/years volunteered, and award information are retained for all volunteers, either active or inactive, at the VA facility where the volunteer worked.

POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS:

Records in this system are retrieved by name and unique identification numbers within the VA's CDCEP and are cross-referenced under the organization(s) they represent. Health records in this system are retrieved by name and full Social Security number in the Occupational Health Record—Keeping System but are not retrievable through CDCEP.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records in this system are retained and disposed of in accordance with the schedule approved by the Archivist of the United States, VHA RCS 10-1, Item Number 3020.10-3020.11.

PHYSICAL, PROCEDURAL, AND ADMINISTRATIVE SAFEGUARDS:

1. Access to VA working space and medical record storage areas and the servers and storage in the GCC is restricted to VA employees on a “need to know” basis. Generally, VA file areas are locked after normal duty hours and are protected from outside access by the Federal Protective Service. Volunteer records containing sensitive medical record files are stored in separate locked files.

2. Strict control measures are enforced to ensure that access to and disclosure of all records including electronic files and volunteer specific data elements stored in the CDCEP are limited to CDCE/VAVS employees whose official duties warrant access to those files. Access to the VA network is protected by the usage of the personal identity verification “PIV.” Once on the VA network, separate ID and password credentials are required to gain access to the CDCEP servers and/or databases. Access to the servers and/or databases is granted to only a limited number of system administrators and database administrators. Employees are required to sign a user access agreement acknowledging their knowledge of confidentiality requirements, and all employees receive annual training on information security. Access is deactivated when no longer required for official duties. Recurring monitors are in place to ensure compliance with nationally and locally established security measures.

3. Online data resides on servers and storage in the GCC that are highly secured.

4. Any sensitive information that may be downloaded or printed to hard copy format is provided the same level of security as the electronic records. All paper documents and informal notations containing sensitive data are shredded prior to disposal.

5. All new CDCE/VAVS employees receive initial information security training, and refresher training is provided to all employees on an annual basis.

RECORD ACCESS PROCEDURE:

Individuals seeking information on the existence and content of records in this system pertaining to them should contact the system manager in writing as indicated above, or email VHA15CDCEStaff@va.gov, or inquire in person at the VA health care facility where their voluntary service was accomplished. A request for access to records must contain the requester's full name, address, telephone number, be signed by the requester, and describe the records sought in sufficient detail to enable VA personnel to locate them with a reasonable amount of effort.

CONTESTING RECORD PROCEDURE:

Individuals seeking to contest or amend records in this system pertaining to them should contact the system manager in writing as indicated above, or email VHA15CDCEStaff@va.gov or inquire in person at the VA health care facility where their voluntary service was accomplished. A request to contest or amend records must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record.

NOTIFICATION PROCEDURE:

Generalized notice is provided by the publication of this notice. For specific notice, see Record Access Procedure, above. Start Printed Page 4885

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

42 FR 6032 (February 1, 1977); 66 FR 6764 (January 22, 2001); 74 FR 17555 (April 15, 2009); 81 FR 59271 (August 29, 2016).