AGENCY:

Environmental Protection Agency (EPA).

ACTION:

Direct final rule.

SUMMARY:

The Environmental Protection Agency (EPA or Agency) is taking direct final action to revise the Agency's Privacy Act regulations to exempt a modified system of records, EPA–83, the Personnel Security System (PSS) 2.0, from certain requirements of the Privacy Act because of the data sensitivity contained within an insider threat inquiry. A lack of protection of these data could jeopardize the insider threat inquiry or additional investigations if warranted.

DATES:

This rule is effective on January 16, 2024, without further notice unless EPA receives adverse comment by December 18, 2023. If EPA receives adverse comment, it will publish a timely withdrawal in the Federal Register informing the public that the rule will not take effect.

ADDRESSES:

Submit your comments, identified by Docket ID No. EPA–HQ–OMS–2019–0371, at https://www.regulations.gov/​. Follow the online instructions for submitting comments. Once submitted, comments cannot be edited or removed from Regulations.gov. The EPA may publish any comment received to its public docket. Do not submit electronically any information you consider to be Confidential Business Information (CBI) or other information whose disclosure is restricted by statute. Multimedia submissions (audio, video, etc.) must be accompanied by a written comment. The written comment is considered the official comment and should include discussion of all points you wish to make. The EPA will generally not consider comments or comment contents located outside of the primary submission ( i.e., on the web, cloud, or other file sharing system). For additional submission methods, the full EPA public comment policy, information about CBI or multimedia submissions, and general guidance on making effective comments, please visit https://www.epa.gov/​dockets/​commenting-epa-dockets.

FOR FURTHER INFORMATION CONTACT:

John Goldsby, Personnel Security Branch, Environmental Protection Agency, William Jefferson Clinton North Building, Mail code 3206A, 1200 Pennsylvania Avenue NW, Washington, DC 20460; telephone number, (202) 564–1569; email address, Goldsby.John@epa.gov.

SUPPLEMENTARY INFORMATION:

I. Why is EPA using a direct final rule?

The EPA is publishing this rule without a prior proposed rule because we view this as a noncontroversial action and anticipate no adverse comment. However, in the “Proposed Rules” section of this issue of the Federal Register , we are publishing a separate document that will serve as the proposed rule to exempt a new system of records, EPA–83, the Personnel Security System (PSS) 2.0, from certain requirements of the Privacy Act if adverse comments are received on this direct final rule. We will not institute a second comment period on this action. Any parties interested in commenting must do so at this time. For further information about commenting on this rule, see the ADDRESSES section of this document.

If EPA receives adverse comment, we will publish a timely withdrawal in the Federal Register informing the public that this direct final rule will not take effect. We would address all public comments in any subsequent final rule based on the proposed rule.

II. General Information

The EPA published a Privacy Act system of records notice for PSS 2.0 (85 FR 32380, May 29, 2020) to replace PSS 1.0, which was a module of the Office of Administrative Services Information System (OASIS, EPA–41), and create a stand-alone system. The Personnel Security Branch (PSB) plans to update Start Printed Page 80140 PSS with a new module focused on providing the agency with insider threat inquiry management and coordination capabilities. The PSS 2.0 supports the PSB with tracking the documentation associated with background investigations for Federal and non-Federal personnel working for EPA. This includes reporting requirements that meet the Security Executive Agent Directive (SEAD) 3, which establishes reporting requirements for all “covered individuals” who have access to classified information or who hold a sensitive position. Access to the system is restricted to authorized users and PSS is maintained in a secure, password protected computer system, in secure areas and buildings with physical access controls and environmental controls. In the performance of their official duties, EPA federal personnel must input and manage Sensitive Personally Identifiable Information (such as social security number) and Personally Identifiable Information (such as home address and email address). All personnel are required to take annual Information Technology Security and Privacy Training to ensure the proper handling and management of Sensitive Personally Identifiable Information (SPII) and Personally Identifiable Information (PII). The data is required in the system to start the onboarding process and to manage personnel through lifecycle activity at EPA (such as background investigations). PSS 2.0 displays a reminder about the appropriate PII and SPII handling procedures every time a user begins to enter data for a new background investigation. Additionally, PSS will include a module dedicated specifically for insider threat inquiry management and coordination. This module will contain details of insider threat inquiries, including the names and identifiers of personnel involved in such inquiries.

Pursuant to 5 U.S.C. 552a(k)(2) and (k)(5), an individual's request for access to his or her record may be exempt from specific access and accounting provisions of the Privacy Act where the “investigatory material [was] compiled for law enforcement purposes”. See 40 CFR 16.12. Note that the (k)(5) exemption applies only to access requests for background investigation records that would identify a confidential source. Under 5 U.S.C. 552a(k)(1), (k)(2), and (k)(5), EPA is proposing to exempt the PSS 2.0 from the following provisions of the Privacy Act of 1974 as amended; 5 U.S.C. 552a; (d); (e)(1); (e)(4) (G), (H), and (I); and (f)(2) through (5) for the following reasons:

(1) From subsection 552a(c)(3), because making available to a named individual an accounting of disclosures of records concerning him/her/them could reveal investigative interest on the part of EPA and/or the Department of Justice. This could allow record subjects to impede the investigation, e.g., destroy evidence, intimidate potential witnesses, or flee the area to avoid inquiries or apprehension by law enforcement personnel. Further, such a disclosure could reveal the identity of a confidential source and hamper the Agency's investigation.

(2) From subsection 552a(c)(4), which concerns providing notice to others regarding corrections or disputed information in accordance with subsection (d) of the Privacy Act, because no access to these records is available under subsection (d) of the Act.

(3) From subsection 552a(d), which requires an agency to permit an individual to access, contest or request amendment of records pertaining to him/her/them, because the records contained in this system relate to official Federal investigations. Individual access to these records could compromise ongoing investigations, reveal confidential informants and/or sensitive investigative techniques used in particular investigations, or constitute unwarranted invasions of the personal privacy of third parties who are involved in a certain investigation.

(4) From subsections 552a(e)(1) and (e)(5), which require an agency to collect/maintain only accurate and relevant information about an individual, because the accuracy or relevance of information obtained in the course of a law enforcement investigation is not always known when collected. Material that may seem unrelated, irrelevant, or incomplete when collected may take on added meaning or significance as the investigation progresses. Also, in the interest of effective law enforcement, it is appropriate to retain all information that may aid in establishing patterns of criminal activity. Therefore, it would impede the investigative process if it were necessary to assure the relevance, accuracy, timeliness and completeness of all information obtained.

(5) From subsections 552a(e)(4)(G) and (H), which require an agency to publish—in the Federal Register —procedures concerning access to records, because no access to these records is available under subsection (d) of the Privacy Act, for the reasons explained above in the discussion of subsection (d).

(6) From subsections 552a(f)(2), (f)(3), (f)(4), and (f)(5), concerning agency rules for obtaining access to records under subsection (d), because this system is exempt from the access and amendment provisions of subsection (d). Since EPA is claiming that this system of records is exempt from subsection (d) of the Act, concerning access to records, the requirements of subsections (f)(2) through (5) of the Act, concerning agency rules for obtaining access to such records, are inapplicable and are exempted to the extent that this system of records is exempted from subsection (d) of the Act.

(7) From subsection 552a(I), concerning agency rules for use of records from another agency under a matching program. Such documents are owned by and the responsibility of the source agency, and only that source agency can share or release the information.

Note that the (k)(5) exemption applies only to access requests for background investigation records that would identify a confidential source.

III. Statutory and Executive Order Reviews

Additional information about these statutes and Executive orders can be found at https://www.epa.gov/​laws-regulations/​laws-and-executive-orders.

A. Executive Order 12866: Regulatory Planning and Review, and Executive Order 13563: Improving Regulation and Regulatory Review

This action was submitted to the Office of Management and Budget (OMB) for review and reviewed without comment.

B. Paperwork Reduction Act (PRA)

This action does not impose an information collection burden under the PRA. This action contains no provisions constituting a collection of information under the PRA.

C. Regulatory Flexibility Act (RFA)

I certify that this action will not have a significant economic impact on a substantial number of small entities under the RFA. This action will not impose any requirements on small entities.

D. Unfunded Mandates Reform Act (UMRA)

This action does not contain any unfunded mandate as described in UMRA, 2 U.S.C. 1531–1538, and does not significantly or uniquely affect small governments. Start Printed Page 80141

E. Executive Order 13132 (Federalism)

This action does not have federalism implications. It will not have substantial direct effects on the states, on the relationship between the National Government and the states, or on the distribution of power and responsibilities among the various levels of government.

F. Executive Order 13175: Consultation and Coordination With Indian Tribal Governments

This action does not have tribal implications as specified in Executive Order 13175. Thus, Executive Order 13175 does not apply to this action.

G. Executive Order 13045: Protection of Children From Environmental Health Risks and Safety Risks

The EPA interprets Executive Order 13045 as applying only to those regulatory actions that concern environmental health or safety risks that the EPA has reason to believe may disproportionately affect children, per the definition of “covered regulatory action” in section 2–202 of the Executive order. This action is not subject to Executive Order 13045 because it does not concern an environmental health risk or safety risk.

H. Executive Order 13211: Actions Concerning Regulations That Significantly Affect Energy Supply, Distribution, or Use

This action is not subject to Executive Order 13211, because it is not a significant regulatory action under Executive Order 12866.

I. National Technology Transfer and Advancement Act

This rulemaking does not involve technical standards.

J. Executive Order 12898: Federal Actions To Address Environmental Justice in Minority Populations and Low-Income Populations

The EPA believes that this action does not have disproportionately high and adverse human health or environmental effects on minority populations, low-income populations and/or indigenous peoples, as specified in Executive Order 12898 (59 FR 7629, February 16, 1994).

K. The Congressional Review Act

This rule is exempt from the Congressional Review Act (CRA) because it is a rule of agency organization, procedure or practice that does not substantially affect the rights or obligations of non-agency parties.

List of Subjects in 40 CFR Part 16

• Environmental protection
• Administrative practice and procedure
• Confidential business information
• Government employees
• Privacy

For the reasons stated in the preamble, title 40, chapter I, part 16 of the Code of Federal Regulations is amended as follows:

PART 16—IMPLEMENTATION OF PRIVACY ACT OF 1974

1. The authority citation for part 16 continues to read as follows:

Authority: 5 U.S.C. 301, 552a (as revised).

2. Amend § 16.12 by:

a. Revising paragraphs (a)(1), (a)(4)(i) and (iii), (a)(5) introductory text, and (b)(1);

b. Adding paragraph (b)(4)(iii); and

c. Revising paragraph (b)(5) introductory text.

The revisions and additions read as follows: