2023-08475. Privacy Act of 1974; Implementation  

    AGENCY:

    Office of the Secretary of Defense, Department of Defense (DoD).

    ACTION:

    Direct final rule.

    SUMMARY:

    The Department of Defense (DoD or Department) is amending its Privacy Program regulation to add four routine uses to its list of blanket routine uses. These new blanket routine uses will support necessary information sharing from DoD Privacy Act systems of records in the event of a data breach, and support sharing with other government agencies for counterterrorism purposes. This rule is being published as a direct final rule as the Department does not expect to receive any adverse comments. If such comments are received, this direct final rule will be withdrawn and a proposed rule for comments will be published.

    DATES:

    This rule is effective May 31, 2023 unless comments are received that would result in a contrary determination. Comments will be accepted on or before May 22, 2023.

    ADDRESSES:

    You may submit comments, identified by docket number and title, by any of the following methods.

    Federal eRulemaking Portal: https://www.regulations.gov.

    Follow the instructions for submitting comments.

    Mail: Department of Defense, Office of the Assistant to the Secretary of Defense for Privacy, Civil Liberties, and Transparency, Regulatory Directorate, 4800 Mark Center Drive, Attn: Mailbox 24, Suite 08D09, Alexandria, VA 22350–1700.

    Instructions: All submissions received must include the agency name and docket number or Regulatory Identifier Number (RIN) for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the internet at https://www.regulations.gov as they are received without change, including any personal identifiers or contact information.

    FOR FURTHER INFORMATION CONTACT:

    Ms. Mary Fletcher, OSD.DPCLTD@mail.mil, (703) 571–0080.

    SUPPLEMENTARY INFORMATION:

    A “routine use” is defined in the Privacy Act of 1974 as “with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” See 5 U.S.C. 552a(a)(7). Routine uses are included in individual agency Privacy Act system of records notices (SORNs) to allow the agency to disclose records from a particular system of records to individuals or entities in accordance with the terms of the routine use. Some agencies have established a set of routine uses that apply to a wide array of published agency SORNs, sometimes referred to as blanket routine uses. Their purpose is to provide consistent information sharing authority across the SORNs for common or non-controversial purposes. Examples of typical blanket routine uses are ones that allow agencies to share information with members of Congress inquiring on behalf of a constituent, with the Department of Justice when litigation arises, and with agency contractors for purposes outlined in the contract. New or altered routine uses, including blanket routine uses, must be published in the Federal Register at least 30 days before any records may be disclosed pursuant to the terms of the routine use.

    In addition to the specific routine uses established in each DoD SORN, DoD has published blanket routine uses that are applicable to a wide array of DoD systems of records. In order for the blanket routine uses to apply to a specific system of records, the DoD SORN must indicate that the blanket routine uses apply to that system. DoD's blanket routine uses are located in Appendix A to 32 CFR part 310.

    This rule adds four new blanket routine uses to Appendix A. The first two blanket routine uses support information sharing in the event of a data breach to respond, remediate, or notify agencies, entities, and persons of the breach, or support other agencies in handling the breach. These routine uses are recommended for all agencies in guidance issued by the Office of Management and Budget (OMB). See OMB Memorandum M–17–12, “Preparing for and Responding to a Breach of Personally Identifiable Information,” January 3, 2017, available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-12_0.pdf. The third blanket routine use supports information sharing of terrorism, homeland security, or law enforcement information from a DoD system of records to other domestic and international agencies for counterterrorism purposes. The fourth blanket routine use supports the Inspector General Act of 1978, as amended, to allow disclosures to perform the functions of Inspectors General in government.

    This rule is being published as a direct final rule as the Department does not expect to receive any significant adverse comments concerning the addition of these four blanket routine uses. If such comments are received, this direct final rule will be withdrawn and a proposed rule for comments will be published. If no such comments are received, this direct final rule will become effective ten days after the comment period expires.

    For purposes of this rulemaking, a significant adverse comment is one that explains (1) why the rule is inappropriate, including challenges to the rule's underlying premise or approach; or (2) why the direct final rule will be ineffective or unacceptable without a change. In determining whether a significant adverse comment necessitates withdrawal of this direct final rule, the Department will consider whether the comment raises an issue serious enough to warrant a substantive response had it been submitted in a standard notice-and-comment process. A comment recommending an addition to the rule will not be considered significant and adverse unless the comment explains how this direct final rule would be ineffective without the addition.

    Regulatory Analysis

    Executive Order 12866, “Regulatory Planning and Review” and Executive Order 13563, “Improving Regulation and Regulatory Review”

    Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. It has been determined that this rule is not a significant regulatory action under these Executive Orders.

    Congressional Review Act (5 U.S.C. 804(2))

    The Congressional Review Act, 5 U.S.C. 801 et seq., generally provides that before a rule may take effect, the agency promulgating the rule must submit a rule report, which includes a copy of the rule, to each House of the Congress and to the Comptroller General of the United States. DoD will submit a report containing this rule and other required information to the U.S. Senate, the U.S. House of Representatives, and the Comptroller General of the United States. A major rule may take effect no earlier than 60 calendar days after Congress receives the rule report or the rule is published in the Federal Register, whichever is later. This rule is not a “major rule” as defined by 5 U.S.C. 804(2).

    Section 202, Public Law 104–4, “Unfunded Mandates Reform Act”

    Section 202(a) of the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1532(a)) requires agencies to assess anticipated costs and benefits before issuing any rule whose mandates may result in the expenditure by State, local, and Tribal governments in the aggregate, or by the private sector, in any one year of $100 million in 1995 dollars, updated annually for inflation. This rule will not mandate any requirements for State, local, or Tribal governments, nor will it affect private sector costs.

    Public Law 96–354, “Regulatory Flexibility Act” (5 U.S.C. 601 et seq.)

    The Assistant to the Secretary of Defense for Privacy, Civil Liberties, and Transparency has certified that this rule is not subject to the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) because it would not, if promulgated, have a significant economic impact on a substantial number of small entities. This rule is concerned only with the administration of Privacy Act systems of records within the DoD. Therefore, the Regulatory Flexibility Act, as amended, does not require DoD to prepare a regulatory flexibility analysis.

    Public Law 96–511, “Paperwork Reduction Act” (44 U.S.C. 3501 et seq.)

    The Paperwork Reduction Act (PRA) (44 U.S.C. 3501 et seq.) was enacted to minimize the paperwork burden for individuals; small businesses; educational and nonprofit institutions; Federal contractors; State, local, and Tribal governments; and other persons resulting from the collection of information by or for the Federal Government. The Act requires agencies obtain approval from the Office of Management and Budget before using identical questions to collect information from ten or more persons. This rule does not impose reporting or recordkeeping requirements on the public.

    Executive Order 13132, “Federalism”

    Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has federalism implications. This rule will not have a substantial effect on State and local governments.

    Executive Order 13175, “Consultation and Coordination With Indian Tribal Governments”

    Executive Order 13175 establishes certain requirements that an agency must meet when it promulgates a rule that imposes substantial direct compliance costs on one or more Indian Tribes, preempts Tribal law, or affects the distribution of power and responsibilities between the Federal Government and Indian Tribes. This rule will not have a substantial effect on Indian Tribal governments.

    List of Subjects in 32 CFR Part 310

    • Privacy

    Accordingly, 32 CFR part 310 is amended as follows:

    PART 310—PROTECTION OF PRIVACY AND ACCESS TO AND AMENDMENT OF INDIVIDUAL RECORDS UNDER THE PRIVACY ACT OF 1974

    1. The authority citation for 32 CFR part 310 continues to read as follows:

    Authority: 5 U.S.C. 552a.

    2. Appendix A to 32 CFR part 310 is amended by adding blanket routine uses O, P, Q, and R to read as follows:

    Appendix A to Part 310—DOD Blanket Routine Uses

    * * * * *

    O. Routine Use—Data Breach Response and Remediation

    A record from a system of records maintained by DoD or a Component may be disclosed to appropriate agencies, entities, and persons when (1) the Component suspects or has confirmed that there has been a breach of the system of records; (2) the Component has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, DoD (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Component's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

    P. Routine Use—Data Breach Inter-Agency Assistance

    A record from a system of records maintained by DoD or a Component may be disclosed to another Federal agency or Federal entity, when DoD or the Component determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

    Q. Routine Use—Agency Sharing To Support Counterterrorism

    A record from a system of records maintained by a Component consisting of, or relating to, terrorism information (6 U.S.C. 485(a)(4)), homeland security information (6 U.S.C. 482(f)(1)), or law enforcement information (Guideline 2 Report attached to White House Memorandum, “Information Sharing Environment,” November 22, 2006) may be disclosed to a Federal, State, local, Tribal, territorial, foreign governmental and/or multinational agency, either in response to its request or upon the initiative of the Component, for purposes of sharing such information as is necessary and relevant for the agencies for the detection, prevention, disruption, preemption, and mitigation of the effects of terrorist activities against the territory, people, and interests of the United States of America as contemplated by the Intelligence Reform and Terrorism Protection Act of 2004 (Pub. L. 108–458) and Executive Order 13388 (October 25, 2005).

    R. Routine Use—Office of Inspector General

    A record from a system of records maintained by DoD or a Component may be disclosed to another Federal, State, or local agency for the purpose of comparing to the agency's system of records or to non-Federal records, in coordination with an Office of Inspector General, in conducting an audit, investigation, inspection, evaluation, or some other review as authorized by the Inspector General Act of 1978, as amended.

    Dated: April 18, 2023.

    Aaron T. Siegel,

    Alternate OSD Federal Register Liaison Officer, Department of Defense.

    [FR Doc. 2023–08475 Filed 4–20–23; 8:45 am]

    BILLING CODE 5001–06–P

Document Information

Effective Date:
5/31/2023
Published:
04/21/2023
Department:
Defense Department
Entry Type:
Rule
Action:
Direct final rule.
Document Number:
2023-08475
Dates:
This rule is effective May 31, 2023 unless comments are received that would result in a contrary determination. Comments will be accepted on or before May 22, 2023.
Pages:
24476-24477 (2 pages)
Docket Numbers:
Docket ID: DOD-2022-OS-0016
RINs:
0790-AK51: Administration and Support of Basic Research by the Department of Defense
RIN Links:
https://www.federalregister.gov/regulations/0790-AK51/administration-and-support-of-basic-research-by-the-department-of-defense
Topics:
Privacy
PDF File:
2023-08475.pdf
CFR: (1)
32 CFR 310