AGENCY:

Department of Veterans Affairs (VA).

ACTION:

Notice of New System of Records.

SUMMARY:

The Privacy Act of 1974 (5 U.S.C. 552(e)(4)) requires that all agencies publish in the Federal Register a notice of the existence and character of their systems of records. Notice is hereby given that the Department of Veterans Affairs (VA) is establishing a new system of records entitled “Administrative Data Repository—VA” (150VA19).

DATES:

Comments on this new system of records must be received no later than December 26, 2008. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the new system will become effective December 26, 2008.

ADDRESSES:

Written comments may be submitted through http://www.Regulations.gov;​; by mail or hand-delivery to the Director, Regulations Management (02REG), Department of Veterans Affairs, 810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday (except holidays). Please call (202) 461-4902 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS).

FOR FURTHER INFORMATION CONTACT:

Stephania H, Putt, Veterans Health Administration (VHA) Privacy Officer, Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, telephone (704) 245-2492.

SUPPLEMENTARY INFORMATION:Start Printed Page 72118

I. Description of Proposed Systems of Records

VHA Administrative Data Repository, ADR, is the enterprise data store for VHA persons. It includes identity, demographic and other administrative data for patients and non-patients, including employees, providers, IT users, etc.

The Administrative Data Repository (ADR) has been established to provide support for those cross-cutting administrative data elements relative to multiple categories of a person entity. Although, initially focused on the computing needs of VHA, the ADR is positioned to provide identity management and demographics support for all IT systems within the Department of Veterans Affairs. As the authoritative data store for cross cutting administrative person data, the ADR will establish and manage this data as a VHA corporate asset. State-of-the-art security methodology will be implemented to ensure the integrity and confidentiality of person data administered by the ADR.

II. Proposed Routine Use Disclosures of Data in the System

To the extent that records contained in the system include information protected by 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism, or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority permitting disclosure.

Data stored in ADR is used as the source of identity, demographic and other administrative data for VHA enterprise. The routine uses of records maintained in the system, including categories of users and the purposes of such uses are described below:

VHA is proposing the following routine use disclosures of information to be maintained in the system:

1. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress, or a staff person acting for the Member, when the Member or staff person requests the record on behalf of and at the written request of the individual.

2. Disclosure may be made to National Archives and Records Administration (NARA) and the General Services Administration (GSA) in records management inspections conducted under authority of Title 44, Chapter 29, of the United States Code (U.S.C). NARA and GSA are responsible for management of old records no longer actively used, but which may be appropriate for preservation, and for the physical maintenance of the Federal government's records. VA must be able to provide the records to NARA and GSA in order to determine the proper disposition of such records.

3. Disclosure may be made to other Government agencies in support of data exchanges of electronic medical record information approved by the individual.

4. VA may disclose on its own initiative any information in this system, except the names and home addresses of veterans and their dependents, that is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. VA may also disclose on its own initiative the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

5. VA may disclose information from this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

6. Disclosures of relevant information may be made to individuals, organizations, private or public agencies, or other entities with whom VA has a contract or agreement or where there is a subcontract to perform the services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement. This routine use includes disclosures by the individual or entity performing the service for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA.

7. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

8. VA may disclose information to the Equal Employment Opportunity Commission when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or for other functions of the Commission as authorized by law or regulation. VA must be able to provide information to the Commission to assist it in fulfilling its duties to protect employee's rights, as required by statute and regulation.

9. VA may disclose to the Fair Labor Relations Authority (FLRA) (including its General Counsel) information related to the establishment of jurisdiction, the investigation and resolution of allegations of unfair labor practices, or information in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; to disclose information in matters properly before the Federal Services Impasse Panel, and to investigate representation petitions and conduct or supervise representation elections. VA must be able to provide information to FLRA to comply with the statutory mandate under which it operates.

10. VA may disclose information to officials of the Merit Systems Protection Board (MSPB), or the Office of Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

11. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise, Start Printed Page 72119there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

III. Compatibility of the Proposed Routine Uses

The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which VA collected the information. In all of the routine use disclosures described above, either the recipient of the information will use the information in connection with a matter relating to one of VA's programs, will use the information to provide a benefit to VA, or disclosure is required by law.

The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

150VA19

SYSTEM NAME:

Administrative Data Repository—VA.

SYSTEM LOCATION:

Records are maintained in the Corporate Franchise Data Center. Address locations for VA AAC are 1615 Woodward Street, Austin, Texas 78772-001. In addition, information from these records or copies of records may be maintained at the Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC, VA Data Processing Centers, VA CIO Field Offices, Veterans Integrated Service Network Offices, and Employee Education Systems.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records include information concerning current and former VHA patients, employees, providers, volunteers, trainees and contractors, as well as individuals working collaboratively with VHA.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records may include information related to:

1. Administrative assignments or categorization of duties of certain VHA personnel;

2. The record may include identifying demographic information (e.g., name, date of birth, gender, social security number, taxpayer identification number); and other demographic information such as address (e.g., home and/or mailing address, home telephone number, emergency contact information such as name, address, telephone number, and relationship); education and continuing education (e.g., name and address of schools and dates of attendance, courses attended and scheduled to attend, grades, type of degree, certificate, etc.); information related to military service and status; qualifications for employment (e.g., license, degree, registration or certification, experience); veteran enrollment and eligibility information including financial assessments.

3. Electronic messages used for network communication between VHA systems; and

4. Health care providers' social security number and National Provider Identifier.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code, Section 501.and Section 7304.

PURPOSE (S):

The main purpose of the Administrative Data Repository is to establish person identity throughout the VHA enterprise. The purpose of the system of records is to provide a repository for the administrative information that is used to accomplish the purposes described within this document including determining veteran benefits and eligibility. The records include information provided by patients, providers, employees, volunteers, trainees, contractors and others that receive IT access to our computer systems and information obtained in the course of routine work done including VHA patient care provided. Quality assurance information that is protected by 38 U.S.C. 7311 and 38 CFR 17.500-17.511 is not within the scope of the Privacy Act and, therefore, is not included in this system of records or filed in a manner in which the information may be retrieved by reference to an individual identifier.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

To the extent that records contained in the system include information protected by 38 U.S.C. 7332, i.e., medical treatment information related to drug abuse, alcoholism, or alcohol abuse, sickle cell anemia or infection with the human immunodeficiency virus, that information cannot be disclosed under a routine use unless there is also specific statutory authority permitting disclosure.

Data stored in ADR is used as the source of identity, demographic and other administrative data for VHA enterprise. The routine uses of records maintained in the system, including categories of users and the purposes of such uses are described below:

1. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress, or a staff person acting for the Member, when the Member or staff person requests the record on behalf of and at the written request of the individual.

2. Disclosure may be made to National Archives and Records Administration (NARA) and the General Services Administration (GSA) in records management inspections conducted under authority of Title 44, Chapter 29, of the United States Code (U.S.C).

3. Disclosure may be made to other Government agencies in support of data exchanges of electronic medical record information approved by the individual.

4. VA may disclose on its own initiative any information in this system, except the names and home addresses of veterans and their dependents, that is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. VA may also disclose on its own initiative the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or Start Printed Page 72120implementing the statute, regulation, rule or order issued pursuant thereto.

5. VA may disclose information from this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

6. Disclosures of relevant information may be made to individuals, organizations, private or public agencies, or other entities with whom VA has a contract or agreement or where there is a subcontract to perform the services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement.

7. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

8. VA may disclose information to the Equal Employment Opportunity Commission when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or for other functions of the Commission as authorized by law or regulation.

9. VA may disclose to the Fair Labor Relations Authority (FLRA) (including its General Counsel) information related to the establishment of jurisdiction, the investigation and resolution of allegations of unfair labor practices, or information in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; to disclose information in matters properly before the Federal Services Impasse Panel, and to investigate representation petitions and conduct or supervise representation elections.

10. VA may disclose information to officials of the Merit Systems Protection Board (MSPB), or the Office of Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions, promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

11. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise, there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by the Department to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Records are maintained at the Corporate Franchise Data Center which is a VA operated facility. Information is stored on disk media.

RETRIEVABILITY:

Records are retrieved by person identifying traits such as name, social security number and other assigned unique identifiers of the individuals on whom they are maintained.

SAFEGUARDS:

1. Access to VA working and storage areas is restricted to VA employees on a “need-to-know” basis; strict control measures are enforced to ensure that disclosure to these individuals is also based on this same principle. Generally, VA file areas are locked after normal duty hours and the facilities are protected from outside access by the Federal Protective Service or other security personnel.

2. Access to file information is controlled at two levels; the systems recognize authorized employees by series of individually unique passwords/codes as a part of each data message, and the employees are limited to only that information in the file which is needed in the performance of their official duties. Information that is downloaded from ADR and maintained on personal computers is afforded similar storage and access protections as the data that is maintained in the original files. Access to information stored on automated storage media at other VA locations is controlled by individually unique passwords/codes.

3. Access to the Austin Automation Center is generally restricted to Center employees, custodial personnel, Federal Protective Service and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons gaining access to computer rooms are escorted. Information stored in the computer may be accessed by authorized VA employees at remote locations including VA health care facilities, Information Systems Centers, VA Central Office, and Veteran Integrated Service Networks. Access is controlled by individually unique passwords/codes which must be changed periodically by the employee.

RETENTION AND DISPOSAL:

The records must be disposed of in accordance with the records retention standards authorized by the National Archives and Records Administration General Records Schedule 14, item 6, and published in the Veterans Health Administration Records Control Schedule 10-1, Item XLV.

SYSTEM MANAGER(S) AND ADDRESS:

Official responsible for policies and procedures; Chief Information Officer (19), Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Official maintaining this system of record: Director National Data Systems (19F-4), Corporate Franchise Center, 1615 Woodward Street, Austin, Texas 78772.

NOTIFICATION PROCEDURE:

Individuals who wish to determine whether this system of records contains information about them should contact the VA facility location at which they are or were employed or treated or made or have contact. Inquiries should include the person's full name, social security number, dates of treatment, dates of employment, date(s) of contact, and/or return address. Start Printed Page 72121

RECORD ACCESS PROCEDURE:

Individuals seeking information regarding access to and contesting of records in this system may write, call or visit the VA facility location where they are or were employed or treated or made contact.

CONTESTING RECORD PROCEDURES:

(See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:

Information in this system of records is provided by patients, employees, providers, IT users, and others that work collaboratively with VHA.