AGENCY:

Debt Management Center, Department of Veterans Affairs (VA).

ACTION:

Notice of a new system of records.

SUMMARY:

The Privacy Act of 1974 (5 U.S.C. 522a(e)(4)) requires that all agencies publish in the Federal Register a notice of the existence and character of their systems of records. Notice is hereby given that the Department of Veterans Affairs (VA) is creating a new system of records entitled “PayVA (QCR) Debt Management Center System of Records Notice” (194VA189).

DATES:

Comments on this modified system of records must be received no later than 30 days after date of publication in the Federal Register. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the new system of records will become effective a minimum of 30 days after date of publication in the Federal Register. If VA receives public comments, VA shall review the comments to determine whether any changes to the notice are necessary.

ADDRESSES:

Written comments may be submitted through www.Regulations.gov;​; by mail or hand-delivery to Director, Regulation Policy and Management (00REG), Department of Veterans Affairs, 810 Vermont Ave. NW, Room 1064, Washington, DC 20420; or by fax to (202) 273-9026 (not a toll-free number). Comments should indicate that they are submitted in response to “PayVA (QCR) Debt Management Center”. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 for an appointment. (This is not a toll-free number.) In addition, comments may be viewed online at www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT:

Chief, Support Services Division, Debt Management Center (189/00), U.S. Department of Veterans Affairs, Bishop Henry Whipple Federal Building, 1 Federal Drive, Ft. Snelling, Minnesota 55111. The internet email address for Debt Management Center is: SUPPORTSER.VAVBASPL@va.gov.

SUPPLEMENTARY INFORMATION:

PayVA is a custom-developed application (which is a website; https://www.pay.va.gov) that is used by the Debt Management Center (DMC) to verify debts are active at DMC before the Veteran makes a payment to pay.gov. PayVA collects basic debt information from users, redirects them to pay.gov (Department of Treasury) for online payments and collects responses from pay.gov. The production site with a secure certificate has already been created.

Signing Authority

The Senior Agency Official for Privacy, or designee, approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. James P. Gfrerer, Assistant Secretary of Information and Technology and Chief Information Officer, approved this document on November 15, 2020 for publication.

SYSTEM NAME AND NUMBER:

PayVA (QCR) Debt Management Center System of Records Notice 194VA189.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

PayVA is a custom-developed application (which is a website; https://www.pay.va.gov) that is used by the Debt Management Center (DMC) to verify debts are active at DMC before the Veteran makes a payment. PayVA collects basic debt information from users, redirects them to pay.gov (Department of Treasury) for online payments and collects responses from pay.gov. PayVA prevents DMC from over-collecting and/or creating more refunds than necessary. The production site has a valid secure certificate. PayVA is housed in the WebOps server farm at the Capital Region Readiness Center (CRRC) in Martinsburg, WV. The system is currently owned by Enterprise Product Management Office (EPMO), Corporate Product Support (CPS) and is developing the Assessment and Authorization. DMC will take ownership of Assessment and Authorization activities once developed and in sustainment. The estimated number of Veterans whose financial information is stored in the system is 100,000 or more. PayVA receives information (a table containing PII) from the Centralized Accounts Receivable System/Central Accounts Receivable On-Line System (CARS/CAROLS) an internal VA system, via a SQL job 3 times a week. PayVA also receives information each time a payment is completed via a form submission from Pay.Gov which is owned by the Department of Treasury.

SYSTEM MANAGER(S):

Joseph Schmitt, Executive Director, Debt Management Center (189/00), U.S. Department of Veterans Affairs, Bishop Henry Whipple Federal Building, 1 Federal Drive, Ft. Snelling, MN 55111. Email: SUPPORTSER.VAVBASPL@va.gov

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 10 United States Code (U.S.C.) Chapters 106a, 510, 1606 and 1607 and Title 38, U.S.C., section 501(a) and Chapters 11, 13, 15, 18, 23, 30, 31, 32, 33, 34, 35, 36, 39, 51, 53, and 55. The following notice is provided on the PayVA website: The information you furnish on this form, including your Social Security Number, is used to associate your payment with your accounts receivable record so that we may properly credit your account. Disclosure is voluntary. However, without disclosure, a credit card transaction or direct debit transaction cannot be processed. The responses you submit are confidential and protected from unauthorized disclosure by 38 U.S.C. 5701. The information may be disclosed outside the Department of Veterans Affairs (VA) only when authorized by the Privacy Act of 1974, as amended. The routine uses for which VA may disclose the information can be found in VA systems of records, including 58VA21/22, Compensation, Pension, Education and Rehabilitation Records-VA, and 88VA244.

PURPOSE(S) OF THE SYSTEM:

The information collected from the PayVA user is needed to verify the information entered is applied to the correct debt.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Persons indebted to the United States Government as a result of their participation in benefit programs (including health care programs) administered by VA under title 38, United States Code, chapters 11, 13, 15, 17, 18, 21, 30, 31, 32, 33, 34, 35, 36 and 37, including persons indebted to the United States Government by virtue of their ownership, contractual obligation or rental of property owned by the Government or encumbered by a VA-guaranteed, insured, direct or vendee loan. The individuals covered are persons indebted to the United States Government as a result of their participation in a benefit program administered by VA, but who did not meet the requirements for receipt of such benefits or services. Persons indebted to the United States, a State or local government whose debts are referred to the Department of Veterans Affairs for Government-wide cross-servicing under 31 U.S.C. 3711(g)(4) or any valid interagency agreement. Persons indebted to the United States as the result of erroneous payment of pay or allowances or as the result of erroneous payment of travel, transportation or relocation expenses and allowances (previously and hereinafter referred to as “pay administration”) under the provisions of title 5, United States Code, part III, subpart D.

CATEGORIES OF RECORDS IN THE SYSTEM:

The following information is collected from the user: File Number (which is sometimes the SSN and sometimes the SSN, reformatted); Payee Number; Deduction Code (which can be found in a letter the user received from the DMC). PayVA then verifies the information entered by the user against a table provided by CARS/CAROLS (an internal VA system). If the information entered is correct the user is directed to the Department of Treasury's Pay.Gov where payment is made, and then a form submission with the user's partial bank account number/credit card number and payer name is provided to PayVA and stored in its database.

RECORD SOURCE CATEGORIES:

PayVA receives the following information from the user, directly, First Name, Last Name, Daytime Phone, File Number, Payee Number, Person Entitled, Deduction Code, and Payment Amount. PayVA, then checks whether the information entered by the user matches what is in the CARS/CAROLS table that is received by PayVA, 3 times a week; each time the table is refreshed the former table is deleted (no historical data from CARS/CAROLS is stored in PayVA). If the information entered by the User matches what is in the table received from CARS/CAROLS the user is transferred to Pay.Gov (which is managed by the Department of Treasury), where the payment is made. The only information PayVA shares with Pay.Gov is the first name, last name, and debt amount. The user then enters the following information to Pay.Gov, the Payment Amount, Account Type, Routing Number, and Account Number (which would be covered by the Department of Treasury's accreditation documentation). Once the payment is completed Pay.Gov passes payment results including partial bank account number, credit card number, and payer name which is stored in PayVA's Database.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

1. Congress: VA may disclose information from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

VA must be able to provide information about individuals to adequately respond to inquiries from Members of Congress at the request of constituents who have sought their assistance.

2. Data breach response and remedial efforts: VA may disclose information Start Printed Page 84125from this system to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that there has been a breach of the system of records; (2) VA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, VA (including its information systems, programs, and operations), and (3) the Federal Government, or national security; and the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with VA's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

3. Data breach response and remedial efforts with another Federal agency: VA may disclose information from this system to another Federal agency or Federal entity, when VA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

4. Law Enforcement: VA may, disclose information in this system, except the names and home addresses of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, state, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule or order. VA may also disclose the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule or order issued pursuant thereto.

VA must be able to provide information that pertains to a violation of laws to law enforcement authorities in order for them to investigate and enforce those laws. Under 38 U.S.C. 5701(a) and (f), VA may disclose the names and addresses of veterans and their dependents to Federal entities with law enforcement responsibilities. This is distinct from the authority to disclose records in response to a qualifying request from a law enforcement entity, as authorized by Privacy Act subsection 5 U.S.C. 552a(b)(7).

5. Litigation: VA may disclose information from this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is limited to circumstances where relevant and necessary to the litigation. VA may disclose records in this system of records in legal proceedings before a court or administrative body after determining that release of the records to the DoJ is limited to circumstances where relevant and necessary to the litigation.

To determine whether to disclose records under this routine use, VA will comply with the guidance promulgated by the Office of Management and Budget in a May 24, 1985, memorandum entitled “Privacy Act Guidance—Update,” currently posted at https://www.whitehouse.gov/​sites/​whitehouse.gov/​files/​omb/​assets/​OMB/​inforeg/​guidance1985.pdf.

VA must be able to provide information to DoJ in litigation where the United States or any of its components is involved or has an interest. A determination would be made in each instance that under the circumstances involved, the purpose is compatible with the purpose for which VA collected the information. This routine use is distinct from the authority to disclose records in response to a court order under subsection (b)(11) of the Privacy Act, 5 U.S.C. 552(b)(11), or any other provision of subsection (b), in accordance with the court's analysis in Doe v. DiGenova, 779 F.2d 74, 78-85 (D.C. Cir. 1985) and Doe v. Stephens, 851 F.2d 1457, 1465-67 (D.C. Cir. 1988).

6. Contractors: VA may disclose information from this system of records to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor, public or private agency, or other entity or individual with whom VA has a contract or agreement to perform services under the contract or agreement.

This routine use includes disclosures by an individual or entity performing services for VA to any secondary entity or individual to perform an activity that is necessary for individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to provide the service to VA.

This routine use, which also applies to agreements that do not qualify as contracts defined by Federal procurement laws and regulations, is consistent with OMB guidance in OMB Circular A-130, App. I, paragraph 5a(1)(b) that agencies promulgate routine uses to address disclosure of Privacy Act-protected information to contractors in order to perform the services contracts for the agency.

7. Equal Employment Opportunity Commission (EEOC): VA may disclose information from this system to the EEOC when requested in connection with investigations of alleged or possible discriminatory practices, examination of Federal affirmative employment programs, or other functions of the Commission as authorized by law or regulation.

VA must be able to provide information to EEOC to assist it in fulfilling its duties to protect employees' rights, as required by statute and regulation.

8. Federal Labor Relations Authority (FLRA): VA may disclose information from this system to the FLRA, including its General Counsel, information related to the establishment of jurisdiction, investigation, and resolution of allegations of unfair labor practices, or in connection with the resolution of exceptions to arbitration awards when a question of material fact is raised; for it to address matters properly before the Federal Service Impasses Panel, investigate representation petitions, and conduct or supervise representation elections.

VA must be able to provide information to FLRA to comply with the statutory mandate under which it operates.

9. Merit Systems Protection Board (MSPB): VA may disclose information from this system to the MSPB, or the Office of the Special Counsel, when requested in connection with appeals, special studies of the civil service and other merit systems, review of rules and regulations, investigation of alleged or possible prohibited personnel practices, and such other functions promulgated in 5 U.S.C. 1205 and 1206, or as authorized by law.

VA must be able to provide information to MSPB to assist it in Start Printed Page 84126fulfilling its duties as required by statute and regulation.

10. National Archives and Records Administration (NARA) and General Services Administration (GSA): VA may disclose information from this system to NARA and GSA in records management inspections conducted under title 44, U.S.C.

NARA is responsible for archiving old records which are no longer actively used but may be appropriate for preservation, and for the physical maintenance of the Federal government's records. VA must be able to provide the records to NARA in order to determine the proper disposition of such records.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Payment results are provided by Pay.Gov (system owned by the Department of Treasury) upon payment completion. The payment results contain the following PII which is stored indefinitely in PayVA's Database is: Partial bank account number/credit card number, and the payer name. PayVA also receives a table from CARS/CAROLS (an internal system to VA) 3 times a week via a SQL job that contains the following PII, File Number (which is sometimes the SSN), Payee Number and Deduction Code.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Automated records of VA claims and debts are indexed by VA claim number, Social Security account number, name and loan account number in appropriate circumstances. Paper documents, microfilm, microfiche and automated records of pay administration debts and debts referred to VA for cross servicing are indexed by Social Security account number or Taxpayer Identification Number. Records in CAIVRS may only be retrieved by Social Security number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

These records are retained and disposed of in accordance with the General Records Schedule 3.1 010-020, approved by National Archives and Records Administration (NARA) https://www.archives.gov/​files/​records-mgmt/​grs/​grs03-1.pdf. A retention policy specific to PayVA is being drafted. This PIA will be updated with that information upon completion; until that time, PayVA is retaining all records indefinitely.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

1. Physical Security:

(a) Access to working spaces and document storage areas in DMC is restricted by cipher locks and to VA employees on a need-to-know basis. Generally, document storage areas in VA offices other than DMC are restricted to VA employees on a need-to-know basis. VA offices are generally protected from outside access by the Federal Protective Service or other security personnel. Strict control measures are enforced to ensure that access to and disclosure from documents, microfilm and microfiche are limited to a need-to-know basis.

(b) Access to PayVA data telecommunications terminals is by authorization controlled by the site security officer. The security officer is assigned responsibility for privacy-security measures, especially for review of violation logs, information logs and control of password distribution.

(c) Access to data processing centers is generally restricted to center employees, custodial personnel, Federal Protective Service and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other personnel gaining access to computer rooms are escorted.

2. PayVA and Personal Computer Local Area Network (LAN) Security:

(a) Usage of PayVA and LAN terminal equipment is authenticated by Single-Sign-On (SSOI) Two Factor Authentication (2FA). Electronic keyboard locks are activated on security errors.

(b) At the data processing centers, identification of magnetic media containing data is rigidly enforced using labeling techniques. Automated storage media which are not in use are stored in tape libraries which are secured in locked rooms. Access to programs is controlled at three levels: Programming, auditing and operations.

(c) Department of the Treasury Security: Access to the system is on a need-to-know basis, only, as authorized by the system manager. Procedural and physical safeguards are utilized to include accountability, receipt records and specialized communications security. The data system has an internal mechanism to restrict access to authorized officials. The building is patrolled by uniformed security guards.

RECORD ACCESS PROCEDURES:

Individuals seeking information regarding access to and contesting of records maintained by VA may write, call or visit the nearest VA regional office. Address locations are listed in VA Appendix 1 of 58VA21/22/28.

CONTESTING RECORD PROCEDURES:

See record access procedures above.

NOTIFICATION PROCEDURES:

A Privacy Notice is available for the user to click on via a link entitled, “Read Important Privacy Information.” A copy of the Privacy Information is included as Appendix A.

The legal authorities are provided in the first paragraph of the PayVA Privacy Information (38.U.S.C.5701; Privacy Act of 1974; A new SORN is being drafted and its number is 194VA189. SORNs 58VA21/22 Compensation, Pension, Education and Rehabilitation Records-VA, and 88VA244, Accounts Receivable Records-VA (as can be seen below and in Appendix A).

“Privacy Act Information: The information you furnish on this form, including your Social Security Number, is used to associate your payment with your accounts receivable record so that we may properly credit your account. Disclosure is voluntary. However, without disclosure, a credit card transaction or direct debit transaction cannot be processed. The responses you submit are confidential and protected from unauthorized disclosure by 38 U.S.C. 5701. The information may be disclosed outside the Department of Veterans Affairs (VA) only when authorized by the Privacy Act of 1974, as amended. The routine uses for which VA may disclose the information can be found in VA systems of records, including 58VA21/22, Compensation, Pension, Education and Rehabilitation Records-VA, and 88VA244, Accounts Receivable Records-VA. VA systems of records and alterations to the systems are published in the Federal Register. Any information provided by you, including your Social Security Number, may be used in computer matching programs conducted in connection with any proceeding for the collection of an amount owed by virtue of your participation in any benefit program administered by VA.”

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.