AGENCY:

Department of Veterans Affairs (VA).

ACTION:

Notice of amendment to system of records.

SUMMARY:

The Privacy Act of 1974, 5 U.S.C. 522a (e), requires that all agencies publish in the Federal Register a notice of the existence and character of their systems of records. Notice is hereby given that VA is amending the system of records entitled “Center for Veterans Enterprise VA VetBiz Vendor Information Pages (VIP)” (123VA00VE) as set forth in the Federal Register 68 FR 26685. VA is amending the system by revising the System Name, Categories of Individuals Covered by the System, Categories of Records in the System, Authority for Maintenance of the System, Routine Uses of Records Maintained in the System, including Categories of Users and the Purposes of Such Uses, Retrievability, and Safeguards. VA is also adding data elements to the System Notice required by the Federal Register Document Drafting Handbook. VA is republishing the system notice in its entirety.

DATES:

Comments on the amendment of this system of records must be received no later than March 24, 2008. If no public comment is received, the amended system will become effective March 24, 2008.

ADDRESSES:

Written comments may be submitted through www.Regulations.gov;​; by mail or hand-delivery to the Director, Regulations Management (00REG), Department of Veterans Affairs, 810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday (except holidays). Please call (202) 461-4902 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS).

FOR FURTHER INFORMATION CONTACT:

Kelsey Mortimer II (00VE), Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420, telephone number (202) 303-3260 ext 5246.

SUPPLEMENTARY INFORMATION:

I. Description of the Proposed Amendments to System of Records “Center for Veterans Enterprise (CVE) VA VetBiz Vendor Information Pages (VIP)” (123VA00VE)

The Department of Veterans Affairs is amending the VetBiz system of records notice to implement legal requirements that became applicable to the system since the last publication of the system notice by the Agency. The legal requirements are imposed by legislation and government-wide direction of the Office of Management and Budget (OMB), as well as paragraph 3.12 of the Federal Register Document Drafting Handbook. In December 2006, Congress enacted the Veterans Benefits, Health Care and Information Technology Act of 2006 (Act), Public Law 109-461, 120 Stat. 3403. Section 502(a)(1) of the Act created a new section 8127 of title 38, United States Code, 38 U.S.C. 8127. Start Printed Page 9621Subsection 8127 requires the Secretary of Veterans Affairs to create and maintain a database of veteran-owned small businesses. Veterans' participation in the database is voluntary. VA was maintaining such a database prior to enactment of section 8127; the contents of the database are covered by the system of records notice published at 68 FR 26685.

Section 8127 requires VA to verify specific information concerning the veteran business owners who choose to be listed in the database. VA is required to verify that the business is owned and controlled by a veteran or eligible surviving spouse, and if a veteran indicates that s/he has a service-connected disability, VA is required to verify the service-disabled status of the veteran. The term service-connected disability means a disability that the individual incurred or had it aggravated in the line of duty in active military, naval or air service. The Veterans Benefits Administration (VBA) makes these decisions, and maintains the records of the service-disabled status of individuals.

The VetBiz program will verify the three items of information in two ways. First, VA will ask the small business owners to provide certain information about the ownership and control of their businesses. VA has obtained OMB approval (2900-0675) of the form that VA intends to use to collect this information, and therefore has authority to use the form under OMB's regulations implementing the Paperwork Reduction Act. 5 CFR Part 1320. Second, the VetBiz program will verify through VBA the service-disabled status of any veteran or eligible surviving spouse who decides to participate in the program, and claims service-disabled status.

Section 8127 requires VA to make the database available to all Federal departments and agencies, and make portions of the database publicly available. However, section 8127(f)(6) states that if the Secretary determines that the public dissemination of certain types of information maintained in the database is inappropriate, the Secretary shall take such steps as are necessary to maintain such types of information in a secure and confidential manner. The database will contain information that VA needs to administer the program and assist veteran-owned small businesses. In the normal course of administering the program, VA may share limited personal data with other government entities. VA will not disclose veteran's personal information or data in the public portion of the database.

The Act also added a new subchapter III, Information Security, to Chapter 57 of title 38, United States Code. Section 5724 requires VA to conduct an independent risk analysis (IRA) when VA has experienced a data breach involving the sensitive personal information of those individuals. The section also requires VA to provide credit protection services to those individuals if VA determines after the IRA that there is a reasonable risk for potential misuse of the individuals' sensitive personal information. In order to conduct the independent risk analysis and provide credit protection services, if appropriate, VA will have to disclose the sensitive personal information of these individuals to the entities performing the IRA and providing the credit protection services. Because the sensitive personal information is contained in this system of records, VA needs to add a routine use to the system of records permitting these disclosures.

In addition to the requirements of section 5724, the Office of Management and Budget (OMB) issued OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007, which is publicly available at http://www.whitehouse.gov/​omb/​memoranda/​fy2007/​m07-16.pdf. This Memorandum requires agencies to promulgate a routine use to permit agencies to disclose information to those persons or entities that may assist in notification of individuals of a data breach or prevent or minimize the harms from a data breach. Attachment 2, section B2. The Agency is promulgating one routine use that enables VA to meet its responsibilities under both section 5724 and OMB Memorandum M-07-16.

Turning to the substantive amendments to the System Notice, VA is amending the System Name to include the abbreviation for the Vendor Information Pages (VIP) because it is the Agency's experience that individuals, agencies and vendors interacting with the system commonly use the abbreviation when referring to the program.

To comply with paragraph 3.12 of the Federal Register Document Drafting Handbook, VA is adding a statement that this system of records does not contain classified information.

The Department is amending the Categories of Individuals Covered by the System to clarify that the System Notice only covers individual veterans who have applied to have their company included in the VetBiz database, and after the veteran is deceased, their qualifying surviving spouse as provided in section 8127(h).

The Department is amending the Categories of Records covered to reflect the personal information about veteran business owners maintained in the system. The information about participating veterans and about their companies is maintained in one, combined database. However, the Privacy Act only applies to information about individuals retrieved by their names; it does not apply to information about their companies, except to the extent that the information is also personal information about them. This interpretation of the Privacy Act is consistent with the express language of the Privacy Act, and long-standing OMB guidance on this issue at 40 FR 28948, 28951 (1975). Records in the VetBiz database that are not covered by the Privacy Act and this System Notice generally may include business addresses and other business contact information, information concerning products/services offered, and information pertaining to the business, including Federal contracts. More non-covered data elements are contained in the discussion of “Retrievability” below.

VA is amending the Authority for Maintenance of the System to include 38 U.S.C. 8127, which now specifically provides for the maintenance of the VetBiz database.

The Federal Register Document Drafting Handbook, paragraph 3.12, states that agencies must include in their System Notice a statement of the purpose for maintaining the System Notice. VA is providing the statement of purpose, namely to assist veterans, including service-disabled veterans, in obtaining Federal contracts and otherwise market their companies.

The Department is deleting the section of the System Notice entitled “Compatibility of the Proposed Routine Uses” because that is not one of the data elements that the Document Drafting Handbook requires in the System Notice. However, VA is including this statement in the Report of Intent submitted to OMB and the congressional oversight committees as required in OMB Circular A-130, Appendix I.

The Department is amending the Retrievabililty data element to state that VA retrieves information in the VetBiz database covered by the Privacy Act by the names and/or social security numbers. The following information is not covered by the Privacy Act and this System Notice because it is not information about veterans. However, for general information, VA also retrieves information from the VetBiz database by other, non-personal Start Printed Page 9622elements, including the following: Business name, type, location, previous experience, certifications (e.g. HUBZone, 8(a), etc.), product identifiers (e.g., North American Industry Classification System [NAICS]), and Dun and Bradstreet's Data Universal Numbering System [DUNS] number, etc.

VA is amending the Safeguards data element to state that VA maintains the VetBiz database in accordance with applicable Federal and VA information security requirements.

The Department is adding a statement, as required by paragraph 3.12 of the Document Drafting Handbook, that it does not disclose records from this system of records at VA's initiative to consumer reporting agencies.

VA is adding a statement to the System Notice clarifying that VA has not claimed any Privacy Act exemptions under 5 U.S.C. 552a(j) and (k) for records in the system.

In addition, the Department has made minor edits to the System Notice for grammar and clarity purposes to reflect plain language. These changes are not, and are not intended to be, substantive, and are not further discussed or enumerated.

II. Proposed Routine Use Disclosures of Data in the System

VA is proposing to delete one routine use disclosure and add the following routine use disclosures of information that will be maintained in the system.

The Department is deleting routine use 3 because it states the purpose for which VA uses the data in the system and belongs in the “Purpose(s)” section of the System Notice.

The Department is promulgating a new routine use 3 required of all systems of records of all Federal agencies by the Memorandum from the Office of Management and Budget (M-07-16), dated May 22, 2007, as discussed above. Further, the disclosures allow VA to respond to a suspected or confirmed data breach, including the conduct of any independent risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

VA is promulgating a new routine use 4 that authorizes VA to disclose information to law enforcement entities when information in the system is relevant to a suspected or reasonably imminent violation of law. VA must be able to disclose information within its possession on its own initiative that pertains to a violation of law to the appropriate authorities in order for them to investigate and enforce those laws. VA may disclose the names of veterans and their dependents only to Federal entities with law enforcement responsibilities under 38 U.S.C. 5701(a) and (f). Accordingly, VA has so limited this routine use.

New routine use 5 implements guidance from OMB concerning the promulgation of a routine use permitting disclosure of information to Members of Congress acting on behalf of the record subject. Individuals sometimes request the help of a Member of Congress in resolving some issue relating to a matter before VA. When the Member of Congress writes VA, VA must be able to provide sufficient information to be responsive to the inquiry. This routine use is consistent with guidance from the Office of Management and Budget (OMB), issued on October 3, 1974, that directed all Federal agencies to insert this language in their systems of records. (http://www.whitehouse.gov/​omb/​inforeg/​lynn1975.pdf).

New routine use 6 implements the statutory requirement that VA provide information to the National Archives and Records Administration (NARA). NARA is responsible for archiving old records no longer actively used but which may be appropriate for preservation and for the physical maintenance of the Federal Government's records. VA must be able to turn records over to NARA in order to determine the proper disposition of such records, as well as permit NARA to perform its statutory records management responsibilities.

New routine use 7 permits VA to disclose information to the United States Department of Justice for use in performing its statutory duties to represent the United States, the Agency and agency officials in litigation. When VA is involved in litigation or an adjudicative or administrative process, or occasionally when another party is involved in litigation or an adjudicative or administrative process, and VA policies or operations could be affected by the outcome of the litigation or process, VA must be able to disclose information to the court, the adjudicative or administrative body, or the parties involved. A determination would be made in each instance that, under the circumstances involved, the purpose served by use of the information in the particular litigation or process is compatible with the purpose for which VA collected the information. This routine use is consistent with OMB guidance issued on May 24, 1985, directing all Federal agencies to promulgate such a routine use (http://www.whitehouse.gov/​omb/​inforeg/​guidance1985.pdf).

The Department is promulgating a new routine use 8 to permit disclosures to contractors who need to see the information in this system to perform a contract with the agency. Appendix I to OMB Circular A-130 states in paragraph 5a(1)(b) that agencies promulgate a routine use to address disclosure of Privacy Act-protected information to contractors in order to perform the contracts for the agency. VA must be able to provide information to contractors or subcontractors with which VA has a contract or agreement in order to perform the services of the contract or agreement. In these situations, safeguards are provided in the contract prohibiting the contractor or subcontractor from using or disclosing the information for any purpose other than that described in the contract.

III. Compatibility of the Proposed Routine Uses

The Privacy Act permits VA to disclose information about individuals without their consent for a routine use when the information will be used for a purpose that is compatible with the purpose for which VA collected the information. In the routine use disclosures described above, except those governed by the Department of Labor (DOL), either the recipient of the information will use the information in connection with a matter relating to one of VA's programs or to provide a benefit to VA, or disclosure is required by law.

The notice of intent to publish and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by the Privacy Act, 5 U.S.C. 552a(r), and guidelines issued by OMB, 65 FR 77677, December 12, 2000.

123VA00VE

System Name:

Center for Veterans Enterprise (CVE) VA VetBiz Vendor Information Pages (VIP) (123VA00VE).

Security Classification:

None. This system of records does not contain classified information or records.

System Location:

Records are maintained at the Center for Veterans Enterprise's office in VA Headquarters, Washington, DC. VA's Web Operations (WebOps), Third Floor, Start Printed Page 96231335 East-West Highway, Silver Spring, MD 20910, maintains the computerized database and Web site.

Categories of Individuals Covered by the System:

Veterans who have applied to have their small businesses included in the VetBiz database, and, if deceased, their surviving spouses.

Categories of Records in the System:

The records in this system include:

1. Identifying information on veterans and the surviving spouses of veterans who apply to have their businesses listed in the VetBiz database, including names and social security numbers.

2. Information documenting the eligibility of veterans to have their businesses listed in the VetBiz database, including service-connected status and information concerning ownership of the business(es) listed in VetBiz, including certifications, and security clearances held.

Authority for Maintenance of the System:

38 U.S.C. 8127 and Public Law No. 106-50, as amended.

Purpose(s):

To gather and maintain information on small businesses owned and controlled by veterans, including service-disabled veterans, to enable them to effectively compete for Federal contracts, as well as working with the Small Business Administration in its provision of services to veteran-owned businesses under the Veterans Entrepreneurship and Small Business Development Act of 1999, as amended, Public Law 106-50, 113 Stat. 233.

Routine Uses of Records Maintained in the System Including Categories of Users and the Purposes of Such Uses:

1. The Department may disclose information in the system to Federal, State, and local government personnel to assist them in finding veteran-owned businesses to contract with and for purposes of market research, in compliance with their respective procurement regulations and procedures.

2. The Department may disclose information to the general public, including companies and corporate entities, to assist them in locating potential contractors, subcontractors and/or potential teaming partners, for purposes of complying with applicable regulations concerning use of veteran-owned businesses.

3. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the record subjects, harm to economic or property interests, identity theft or fraud, or harm to the security, confidentiality, or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

4. VA may disclose on its own initiative any information in this system, except the names and addresses of veterans and their dependents, which is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal, or regulatory in nature and whether arising by general or program statute or by regulation, rule, or order issued pursuant thereto, to a Federal, State, local, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule, or order. VA may also disclose on its own initiative the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order.

5. VA may disclose information to a Congressional office from the record of an individual in response to an inquiry from the Congressional office made on behalf of and at the request of that individual.

6. VA may disclose information to the National Archives and Records Administration (NARA) in records disposition and management inspections conducted under authority of Title 44 of United States Code.

7. VA may disclose information in this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

8. VA may disclose information to individuals, organizations, private or public agencies, or other entities with which VA has a contract or agreement, or where there is a subcontract to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement.

Disclosures to Consumer Reporting Agencies:

None.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage:

The VetBiz VIP will be stored in a computerized database. The system will operate on servers, located at VA's Web Operations (WebOps), 822 TJ Jackson Drive, Falling Waters, WV 25419. Data backups will reside on appropriate media, according to normal system backup plans for WebOps. The system will be managed by the CVE, in VA Headquarters, Washington, DC.

Retrievability:

Automated records may be retrieved by the names of the veteran business owners and/or their social security numbers.

Safeguards:

Read access to the system is via Internet access. WebOps, CVE, and contractor personnel will have access to the system, via VA Intranet and local connections, for management and maintenance purposes and tasks. Access to the Intranet portion of the system is via user-id and password, at officially approved access points. Veteran-owned small businesses will establish and maintain user-ids and passwords for accessing their corporate information under system control. Contracting officers will establish and maintain user-ids and passwords for accessing Start Printed Page 9624non-vital business information. Policy regarding issuance of user-ids and passwords is formulated in VA by the Office of Information and Technology, Washington, DC. Security for data in the VetBiz database complies with applicable statutes, regulations and government-wide and VA policies. The system is configured so that access to the public data elements in the database does not lead to access to the non-public data elements, such as veteran social security number.

Retention and Disposal:

Records will be maintained and disposed of, in accordance with the records disposal authority approved by the Archivist of the United States, the National Archives and Records Administration, and published in Agency Records Control Schedules.

System Manager(s) and Address:

Deputy Director, Center for Veterans Enterprise (00VE), 810 Vermont Avenue, NW., Washington, DC 20420.

Notification Procedures:

Individuals wishing to inquire, whether this system of records contains information about themselves, should contact the Deputy Director, Center for Veterans Enterprise (00VE), 810 Vermont Avenue, NW., Washington, DC 20420.

Record Access Procedure:

Individuals seeking access to records about themselves, contained in this system of records, may access the records via the Internet, or submit a written request to the system manager.

Contesting Record Procedures:

An individual, who wishes to contest records maintained under his or her name or other personal identifier, may write or call the system manager. VA's rules for accessing records, contesting contents and appealing initial agency determinations are published in regulations, set forth in the Code of Federal Regulations. See 38 CFR 1.577, 1.578.

Record Source Categories:

The information in this system of records is obtained from the following source: a. Information voluntarily submitted by the business owners; and/or information extracted from CCR database.

Exemptions Claimed for the System:

None.