AGENCY:

General Services Administration

ACTION:

Notice of proposed system of records.

SUMMARY:

The General Services Administration (GSA) proposes to establish a system of records subject to the Privacy Act of 1974, 5 U.S.C. 552a. This system of records notice is for the GSA Smart Card Program (GSA/CIO-1), which covers the Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors (HSPD-12), process after adjudication and determines if the individual can receive identification (ID) card. The records include both mandatory and optional information necessary to the request for an ID card, registration, verification, and issuance procedures, the index/database of active and invalid ID cards, and the information stored on the ID cards. The system may include records of individuals who entered and Start Printed Page 62470exited Federal facilities or accessed systems.

The GSA Smart Card Program will ensure the safety and security of Federal facilities, information systems, and their occupants and users, by verifying that all persons entering Federal facilities, using Federal information resources, or accessing classified information are authorized to do so. The system also will track and control identification ID cards issued to individuals for these purposes.

DATE:

The system of records will become effective on December 4, 2006 unless comments received on or before that date result in a contrary determination.

ADDRESSES:

Comments relating to the GSA Smart Card Program should be directed to: Director, GSA HSPD-12 Smart Card Program Management Office, Office of the Chief Information Officer, General Services Administration, 1800 F Street NW., Room G-006, Washington DC 20405-0002; telephone (202) 501-1500; fax (202) 219-5818.

FOR FURTHER INFORMATION CONTACT:

GSA Privacy Act Officer (CIB), General Services Administration, 1800 F Street NW, Washington, DC 20405; telephone (202) 501-1452.

SUPPLEMENTARY INFORMATION:

The GSA notice entitled Credentials, Passes, and Licenses (GSA/HRO-8) is cancelled. However, existing GSA forms and associated databases covered by that system will continue in effect until replaced with those covered by this notice. The existing forms include: GSA Form 48, Request and Record of Identification; GSA Form 277, Employee Identification and Authorization Credential; GSA Form 277U, Temporary Pass; GSA Form 277V, Visitor Pass; GSA Form 2941 Parking Application; as well as biometric information including photo, fingerprints and signature. The new forms and databases covered by this notice will be phased in to ensure a controlled and structured process.

GSA/CIO-1

System name: GSA Smart Card Program

System location: Data are maintained in GSA Central Office databases with access from GSA regional offices. Additionally, some access control data may be located in Federal buildings and Federally-leased facilities where staffed guard stations have been established to handle the GSA Smart Card Personal Identity Verification (PIV) process as well as the physical security and computer security offices at those locations. Contact the System Manager for additional information.

Security classification: Most identity records are not classified. However, in some cases, records of certain individuals or portions of some records may be classified in the interest of national security.

Categories of individuals covered by the system: Individuals who require regular, ongoing access to agency facilities, information technology systems, or information classified in the interest of national security, including:

a. Applicants for employment or contracts

b. Federal employees

c. Contractors

d. Students

e. Interns

f. Volunteers

g. Individuals formerly in any of these positions

Also included are individuals authorized to perform or use services provided in agency facilities (e.g., Credit Union, Fitness Center, Cafeteria, etc.).

The system does not apply to occasional visitors or short-term guests, to whom GSA will issue temporary identification and credentials.

Categories of records in the system:

a. Records maintained on individuals issued credentials by GSA include the following data fields:

• Full name,
• Social Security Number (SSN)
• Date of birth
• Signature
• Image (photograph)
• Fingerprints
• Hair color
• Eye color
• Height
• Organization / office of assignment
• Company / agency name
• Telephone number
• ID card issuance and expiration dates
• ID card request form
• Registrar approval signature
• ID card number
• Emergency responder designation
• Copies of documents used to verify identification or information derived from those documents such as document title, document issuing authority, document number, document expiration date, other document information

b. Records maintained on cardholders entering GSA facilities or using GSA systems may include:

• Name
• ID card number
• Date and Time of entry/exit
• Location of entry and exit
• Computer access dates, times, and locations

Authorities for maintenance of the system:

a. 5 U.S.C. 301;

b. Federal Information Security Management Act (Pub. L. 107-296);

c. E-Government Act (Pub. L. 107-347, Sec. 203);

d. Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et al.)

e. Government Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C. 3504);

f. Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004; and

g. Federal Property and Administrative Services Act of 1949, as amended.

Purpose: The primary purposes of the system are:

a. To ensure the safety and security of GSA facilities, systems or information, and our occupants and users;

b. To verify that all persons entering federal facilities, using federal information resources, or accessing classified information are authorized to do so; and

c. To track and control ID cards issued to persons entering and exiting the facilities, using systems, or accessing classified information.

Routine uses of the system records, including categories of users and their purpose for using the system:

Information about covered individuals may be disclosed without consent as permitted by the Privacy Act of 1974, 5 U.S.C. § 552a(b), and:

a. To the Department of Justice when: (1) GSA or any component thereof; (2) any employee of GSA in his or her official capacity; (3) any employee of GSA in his or her individual capacity where GSA or the Department of Justice (DOJ) has agreed to represent the employee; or (4) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, GSA determines that the records are both relevant and necessary to the litigation, and the use of such records by DOJ is therefore deemed by GSA to be for a purpose compatible with the purpose for which GSA collected the records.

b. To a court or adjudicative body in a proceeding when: (1) GSA or any component thereof; (2) any employee of GSA in his or her official capacity; (3) any employee of GSA in his or her Start Printed Page 62471individual capacity where GSA or the Department of Justice has agreed to represent the employee; or (4) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, GSA determines that the records are both relevant and necessary to the litigation, and the use of such records is therefore deemed by GSA to be for a purpose that is compatible with the purpose for which the agency collected the records.

c. Except as noted on Forms SF 85, 85-P, and 86, when a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether Federal, foreign, State, local, or tribal, or otherwise responsible for enforcing, investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to any enforcement, regulatory, investigative or prosecutorial responsibility of the receiving entity.

d. To a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent whose record is maintained.

e. To the National Archives and Records Administration for records management purposes.

f. To agency contractors, grantees, or volunteers who have been engaged to assist the agency in the performance of a contract service, grant, cooperative agreement, or other activity related to this system of records and who need to have access to the records in order to perform their activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. § 552a.

g. To a Federal, State, local, foreign, tribal, or other public authority the fact that this system of records contains information relevant to the retention of an employee, the retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant, or other benefit. The other agency or licensing organization may then make a request supported by the written consent of the individual for the entire record if it so chooses. No disclosure will be made unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another Federal agency for criminal, civil, administrative, personnel, or regulatory action.

h. To the Office of Management and Budget when necessary to the review of private relief legislation pursuant to OMB Circular No. A-19.

i. To a Federal, State, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 or any successor order, applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders, or directives.

j. To notify another federal agency when, or verify whether, an ID card is no longer valid.

Note: Disclosures within GSA of data pertaining to date and time of entry and exit of an agency employee working in the District of Columbia may not be made to supervisors, managers or any other persons (other than the individual to whom the information applies) to verify employee time and attendance record for personnel actions because 5 U.S.C. § 6106 prohibits Federal executive agencies (other than the Bureau of Engraving and Printing) from using a recording clock within the District of Columbia, unless used as a part of a flexible schedule program under 5 U.S.C. § 6120 et seq.

Policies and practices for storing, retrieving, accessing, retaining, and disposing of system records:

Storage: Information may be collected on paper or electronically and may be stored on paper or on electronic media, as appropriate.

Retrievability: Records are retrievable by name, Social Security Number, other ID number, ID card number, image (photograph), and fingerprint.

Safeguards: Paper records are kept in locked cabinets in secure facilities and access to them is restricted to individuals whose role requires use of the records.

The computer servers in which records are stored are located in facilities that are secured by alarm systems and off-master key access. The computer servers themselves are password-protected. Access to individuals working at guard stations is password-protected; each person granted access by the system at guard stations must be individually authorized to use the system. A Privacy Act Warning Notice appears on the monitor screen when records containing information on individuals are first displayed. Data exchanged between the servers and the client PCs at the guard stations and badging office are encrypted. Backup tapes are stored in a locked and controlled room in a secure, off-site location. Each of the component computer servers at the GSA Regions, or at the contract Card Production and Card Management Systems has been only authorized to act when it has been Certified and Accredited in accord with GSA Information Technology Security Policy and HSPD-12 criteria. This Certification is updated periodically on a 3 year basis, or less if cause to do so has become apparent.

An audit trail is maintained and reviewed periodically to identify unauthorized access. Persons given roles in the personal identity verification process must complete training specific to their roles to ensure they are knowledgeable about how to protect individually identifiable information.

Retention and disposal: Records relating to persons covered by this system are retained in accordance with General Records Schedule 18, Item 17. Unless retained for specific, ongoing security investigations for maximum security facilities, records of access are maintained for five years and then destroyed by degaussing hard drives and shredding paper. For other facilities, records are maintained for two years and then destroyed by wiping hard drives and shredding paper. All other records relating to employees are destroyed two years after the ID card expiration date.

In accordance with HSPD-12, ID cards are deactivated within 18 hours of cardholder separation, loss of card, or expiration. The information on ID cards is maintained in accordance with General Records Schedule 11, Item 4. ID cards are destroyed by shredding 90 days after deactivation. Once notification of deactivation has been received, the ID number is placed on a revocation list within no more than 2 hours, which immediately invalidates the access privileges for that card in accord with GSA policy.

System manager and address:

Director, GSA HSPD-12 Smart Card Program Management Office

Office of the Chief Information Officer

1800 F Street NW, Room G-006

Washington DC 20405-0002

Notification procedure: An individual can determine if this system contains a record pertaining to him/her by sending a request in writing, signed, to the System Manager at the above address.Start Printed Page 62472

When requesting notification of or access to records covered by this notice, an individual should provide his/her full name, date of birth, agency name, and work location. An individual requesting notification of records in person must provide identity documents sufficient to satisfy the custodian of the records that the requester is entitled to access, such as a government-issued photo ID.

Record access procedures: Same as notification procedures. Requesters also should reasonably specify the record contents being sought. Rules regarding access to Privacy Act records appear in 41 CFR part 105-64. If additional information or assistance is required, contact the GSA Privacy Act Officer (CIB), General Services Administration, 1800 F Street NW, Washington, DC 20405; telephone (202) 501-1452.

Contesting record procedures: Same as notification procedures. Requesters also should reasonably identify the record, specify the information they are contesting, state the corrective action sought and the reasons for the correction, along with supporting justification showing why the record is not accurate, timely, relevant, or complete. Rules regarding amendment of Privacy Act records appear in 41 CFR part 105-64. If additional information or assistance is required, contact the GSA Privacy Act Officer.

Record source categories: Employee, contractor, or applicant; sponsoring agency; former sponsoring agency; other Federal agencies; contract employer; former employer.

Exemptions claimed for the system: None.