AGENCY:

U.S. Small Business Administration (SBA).

ACTION:

Notice of new system of records.

SUMMARY:

The Small Business Administration is adding a new system of records to the Agency's Privacy Act Systems of Records. The system is called the SBA Identity Management System (IDMS). The purpose of this System is to automate records that maintain information required to comply with Homeland Security Presidential Directive 12 (HSPD-12). Start Printed Page 58040The IDMS provides the workflow process used to enforce roles in personalizing and issuing Personal Identify Verification (PIV) cards. IDMS automates the current paper based process and is used to maintain the integrity of PIV card issuance.

DATES:

Written comments on the System of records must be received November 1, 2006.

ADDRESSES:

Written comments on the System of Records should be directed to Christine H. Liu, Agency Privacy Officer, U.S. Small Business Administration, 409 Third Street, SW., Washington, DC 20416 or Christine.Liu@sba.gov.

FOR FURTHER INFORMATION CONTACT:

Christine Liu, Agency Privacy Officer, U.S. Small Business Administration, 409 Third Street, SW., Washington, DC 20416; Telephone (202) 205-6708.

SBA 34

SYSTEM NAME:

IDENTITY MANAGEMENT SYSTEM—SBA 34.

SYSTEM LOCATION:

The servers and secure data storage are located at Maden Technologies; 2110 Washington Boulevard, Suite 200; Arlington, VA 22204. Enrollment and queries can be performed by authorized individuals from any authorized, suitably-equipped SBA workstation.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM INCLUDE:

Individuals, who require regular, ongoing access to SBA facilities, information technology systems, or information classified in the interest of national security, including:

a. Applicants for employment or contracts.

b. Federal employees.

c. Contractors.

d. Students.

e. Interns.

f. Volunteers, and

The system also includes individuals authorized to perform or use services provided in SBA facilities (e.g., Credit Union, Fitness Center, etc.)

The system does not apply to occasional visitors or short-term guests to whom SBA will issue temporary identification and credentials.

CATEGORIES OF RECORDS IN THE SYSTEM:

Full name, social security number; date of birth; signature; image (photograph); fingerprint images and minutia templates; hair color; eye color; height; weight; organization/office of assignment; company name; telephone number; copy of background investigation form; personal addresses for past 5 years; high school and college attended (as applicable); Card Holder Unique Identification Number; Personal Identity Verification (PIV) enrollment package; PIV card issue and expiration dates; results of background investigation; PIV request form; PIV registrar approval signature; PIV card serial number; emergency responder designation; copies of documents used to verify identification or information derived from those documents; level of national security clearance and expiration date; computer system user name; user access and permission rights, public key certificates; digital signature information; National Agency Check with Written Inquiries investigation; FBI fingerprint check results; FBI National Criminal History Name Check results.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

a. 5 U.S.C. 301; Federal Information Security Act (Pub. L. 104-106, sec. 5113)

b. Electronic Government Act (Pub. L. 104-347, sec. 203)

c. Paperwork Reduction Act of 1995 (44 U.S.C. 3501)

d. Government Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C. 3504)

e. Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004

f. Federal Property and Administrative Act of 1949, as amended.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES, THESE RECORDS MAY BE USED, DISCLOSED OR REFERRED:

a. To a Congressional Office from an individual's record, when the office is inquiring on the individual's behalf with waiver; the Member's access rights are no greater than the individual's.

b. To the National Archives and Records Administration or to the General Services Administration for records management inspections conducted under 44 U.S.C. 2904 and 2906.

c. To SBA contractors, grantees, or volunteers who have been engaged to assist the SBA in the performance of a contract service, grant, cooperative agreement, or other activity related to this system of records and who need to have access to the records in order to perform their activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a.

d. To a Federal, State, local, foreign, or tribal or other public authority of the fact that this system of records contains information relevant to the retention of an employee, the retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant, or other benefit with appropriate restrictions on further disclosure.

e. To the Office of Management and Budget (OMB) when necessary to the review of private relief legislation pursuant to OMB Circular No. A-19.

f. To a Federal, State, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 or any successor order, applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders or directives.

g. To notify another Federal agency when, or verify whether, a PIV card is no longer valid.

h. To a supervisor or manager in order to verify employee time and attendance record for personnel actions.

Note:

Disclosures within SBA of data pertaining to date and time of entry and exit of an agency employee working in the District of Columbia may not be made to supervisors, managers or any other persons (other than the individual to whom the information applies) to verify employee time and attendance record for personnel actions because 5 U.S.C. 6106 prohibits Federal Executive agencies (other than the Bureau of Engraving and Printing) from using a recording clock within the District of Columbia, unless used as a part of a flexible schedule program under 5 U.S.C. 6120 et seq.

i. To the Department of Justice (DOJ) when any of the following is a party to litigation or has an interest in such litigation, and the use of such records by the DOJ is deemed by the agency to be relevant and necessary to the litigation, provided, however, that in each case, the agency determines the disclosure of the records to the DOJ is a use of the information contained in the records that is compatible with the purpose for which the records were collected:

(1) The agency, or any component thereof;

(2) Any employee of the agency in his or her official capacity;

(3) Any employee of the agency in his or her individual capacity where the DOJ has agreed to represent the employee; or

(4) The United States Government, where the agency determines that Start Printed Page 58041litigation is likely to affect the agency or any of its components.

j. In a proceeding before a court, or adjudicative body, or a dispute resolution body before which the agency is authorized to appear or before which any of the following is a party to litigation or has an interest in litigation, provided, however, that the agency determines that the use of such records is relevant and necessary to the litigation, and that, in each case, the agency determines that disclosure of the records to a court or other adjudicative body is a use of the information contained in the records that is compatible with the purpose for which the records were collected:

(1) The agency, or any component thereof;

(2) Any employee of the agency in his or her official capacity;

(3) Any employee of the agency in his or her individual capacity where the DOJ has agreed to represent the employee; or

(4) The United States Government, where the agency determines that litigation is likely to affect the agency or any of its components.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS:

STORAGE:

Records are stored in electronic media and in paper files and not on the card.

RETRIEVABILITY:

Records are retrievable by name, social security number, PIV card serial number, or Card Holder Unique Identification Number.

SAFEGUARDS:

Paper records are kept in locked cabinets in secure facilities and access to them is restricted to individuals whose role requires use of the records. Access to facilities will be controlled by the PIV card. The System requires a PIV card to log on and to digitally sign transactions. The computer servers in which records are stored are located in facilities that are secured by alarm systems and off-master key access. The computer servers themselves are password-protected. Access to individuals working at guard stations is password-protected; each person granted access to the system at guard stations must be individually authorized to use the system. A Privacy Act Warning Notice appears on the monitor screen when records containing information on individuals are first displayed. Data exchanged between the servers and the client PCs at the guard stations and badging office are encrypted. Backup tapes are stored in a locked and controlled room in a secure, off-site location.

An audit trail is maintained and reviewed periodically to identify unauthorized access. Persons given roles in the PIV process must complete training specific to their roles to ensure they are knowledgeable about how to protect individually identifiable information. The system uses the high risk confidentiality and integrity security controls specified in the National Institute of Standards and Technology Special Publication 800-53.

RETENTION AND DISPOSAL:

Records relating to persons covered by this system are retained in accordance with General Records Schedule 18, Item 17. Unless retained for specific, ongoing security investigations, for maximum security facilities, records of access are maintained for five years and then destroyed by wiping hard drives and shredding paper. For other facilities, records are maintained for two years and then destroyed by wiping hard drives and shredding paper. All other records relating to employees are destroyed two years after ID security card expiration date.

In accordance with FIPS 201-1, PIV Cards are deactivated within 18 hours of cardholder separation, notification of loss of card, or expiration. The information on PIV Cards is maintained in accordance with General Records Schedule 11, Item 4. PIV Cards that are turned in for destruction are shredded within 90 days.

SYSTEM MANAGER(S) AND ADDRESSES:

Assistant Administrator/Human Capital Management, United States Small Business Administration, 409 3rd Street, SW., Washington, DC 20416. Associate Administrator for Disaster Assistance, United States Small Business Administration, 409 3rd Street, SW., Washington, DC 20416. This responsibility may be delegated.

NOTIFICATION PROCEDURES:

An individual may submit a record inquiry either in person or in writing to the System Manager or the Senior Agency Official for Privacy. When requesting notification of or access to records covered by this Notice, an individual should provide his/her full name, date of birth, and work location. An individual requesting notification of records in person must provide identity documents sufficient to satisfy the custodian of the records that the requester is entitled to access, such as a government-issued photo ID. Individuals requesting notification via mail or telephone must furnish, at minimum, name, date of birth, social security number, and home address in order to establish identity.

ACCESS PROCEDURES:

The Systems Manager or Senior Agency Official for Privacy will determine the process. Requesters should reasonably specify the record contents being sought.

CONTESTING PROCEDURES:

Same as notification procedures. Requesters should also reasonably identify the record, specify the information they are contesting, state the corrective action sought and the reasons for the correction along with supporting justification showing why the record is not accurate, timely, relevant, or complete.

SOURCE CATEGORIES:

Employee, contractor, or applicant; sponsoring SBA; former sponsoring SBA; other Federal agencies; contract employer; former employer.