AGENCY:

General Services Administration.

ACTION:

Notice.

SUMMARY:

GSA reviewed its Privacy Act systems to ensure that they are relevant, necessary, accurate, up-to-date, covered by the appropriate legal or regulatory authority, and compliant with OMB M-07-16. This notice is an updated Privacy Act system of records notice.

DATES:

Effective July 24, 2008.

FOR FURTHER INFORMATION CONTACT:

Call or e-mail the GSA Privacy Act Officer: telephone 202-208-1317; e-mail gsa.privacyact@gsa.gov.

ADDRESSES:

GSA Privacy Act Officer (CIB), General Services Administration, 1800 F Street, NW., Washington, DC 20405.

SUPPLEMENTARY INFORMATION:

GSA undertook and completed an agency-wide review of its Privacy Act systems of records. As a result of the review, GSA is publishing an updated Privacy Act system of records notice. The revised system notice clarifies the authorities and practices regarding the collection and maintenance of information, but does not change individuals' rights to access or amend their records in the system of records. The updated system notice also Start Printed Page 35691includes the new requirement from OMB Memorandum M-07-16 regarding a new routine use that allows agencies to disclose information in connection with a response and remedial efforts in the event of a data breach.

GSA/CIO-1

SYSTEM NAME:

Enterprise Level Identity Verification System (ELIVS).

SYSTEM LOCATION:

ELIVS comprises a Web based application and data is maintained in a secure server facility at GSA Central Office, located at 1800 F Street, NW., Washington, DC 20405. Additionally, some fingerprint data may be located in GSA facilities where staffed fingerprint collection stations (Live Scan system) have been established to handle the contractor Personal Identity Verification (PIV) process. Contact the System Manager for additional information.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Individuals who require routine access to agency facilities and information technology systems, including:

a. Federal employees.

b. Contractors.

c. Child care workers and other temporary workers with similar access requirements.

The system does not apply to occasional visitors or short-term guests, to whom GSA facilities may issue local Facility Access Cards (FAC).

CATEGORIES OF RECORDS IN THE SYSTEM:

The system contains information needed for issuing and maintaining HSPD-12 credentials and also access privilege information. Records may include:

• Employee/contractor/other worker full name
• Social Security Number (SSN)
• Date of birth
• Facial Image
• Fingerprints (within the Live Scan systems)
• Organization/office of assignment
• Company/agency name
• Telephone number
• ID card issuance and expiration dates
• ID card number
• Emergency responder designation
• Home address and work location
• Contract and supervisor information

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

5 U.S.C. 301, 40 U.S.C. 121, 40 U.S.C. 582, 40 U.S.C. 3101, 44 U.S.C. 3501, 44 U.S.C. 3506, 44 U.S.C. 3602, E.O. 9397, and Homeland Security Presidential Directive 12 (HSPD-12).

PURPOSE:

The primary purposes of the system are:

To act as an authoritative source for GSA identities including employees, contractors, and other workers to verify that all persons requiring routine access to GSA facilities or using GSA information resources have sufficient background investigations and are permitted access, to track and manage HSPD-12 ID cards issued to persons who have routine access to GSA facilities and information systems, and to provide reports of identity data for administrative and staff offices to efficiently track and manage contractors.

ROUTINE USES OF THE SYSTEM RECORDS, INCLUDING CATEGORIES OF USERS AND THEIR PURPOSE FOR USING THE SYSTEM:

System information may be accessed and used by:

a. GSA Personnel when needed for official business, including the Security Office, HSPD-12 Points of Contacts, and designated analysts and managers for official business; PIV card requesting officials and Human Resource Officers to track, verify, and update identity information of GSA personnel; and Regional Credential Officers (RCOs) to issue and track PIV ID cards;

b. To verify suitability of an employee or contractor before granting access to specific resources;

c. To disclose information to agency staff and administrative offices who may restructure the data for management purposes;

d. An authoritative source of identities for Active Directory and Lotus Notes and other GSA systems;

e. In any legal proceeding, where pertinent, to which GSA is a party before a court or administrative body;

f. To authorized officials engaged in investigating or settling a grievance, complaint, or appeal filed by an individual who is the subject of the record.

g. To a Federal, state, local, foreign, or tribal agency in connection with the hiring or retention of an employee; the issuance of a security clearance; the reporting of an investigation; the letting of a contract; or the issuance of a grant, license, or other benefit to the extent that the information is relevant and necessary to a decision;

h. To the Office of Personnel Management (OPM), the Office of Management and Budget (OMB), or the Government Accountability Office (GAO) when the information is required for program evaluation purposes;

i. To a Member of Congress or staff on behalf of and at the request of the individual who is the subject of the record;

j. To an expert, consultant, or contractor of GSA in the performance of a Federal duty to which the information is relevant;

k. To the National Archives and Records Administration (NARA) for records management purposes;

l. To appropriate agencies, entities, and persons when (1) the Agency suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Agency has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by GSA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with GSA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING RECORDS IN THE SYSTEM:

STORAGE:

Computer records are stored on a secure server and accessed over the web using encryption software. Paper records, when created, are kept in file folders and cabinets in secure rooms. The Live Scan systems are kept in secure locations with limited access to authorized personnel only.

RETRIEVABILITY:

Records are retrievable by a combination of first name and last name. Group records are retrieved by organizational code.

SAFEGUARDS:

Computer records are protected by a password system. Paper records are stored in locked metal containers or in secured rooms when not in use. Information is released to authorized officials based on their need to know.

RETENTION AND DISPOSAL:

Records are disposed of as specified in the handbook, GSA Records Maintenance and Disposition System (CIO P 1820.1).Start Printed Page 35692

SYSTEM MANAGER AND ADDRESS:

Program Manager, HSPD-12 Program Management Office, General Services Administration, 1800 F Street, NW., Room 2208 Washington, DC 20405.

NOTIFICATION PROCEDURE:

An individual can determine if this system contains a record pertaining to him/her by sending a request in writing, signed, to the System Manager at the above address. When requesting notification of or access to records covered by this notice, an individual should provide his/her full name, date of birth, region/office, and work location. An individual requesting notification of records in person must provide identity documents sufficient to satisfy the custodian of the records that the requester is entitled to access, such as a government-issued photo ID.

CONTESTING RECORD PROCEDURES:

Rules for contesting the content of a record and appealing a decision are contained in 41 CFR 105-64.

RECORD SOURCES CATEGORIES:

The sources for information in the system are the individuals about whom the records are maintained, the supervisors of those individuals, existing GSA systems, sponsoring agency, former sponsoring agency, other Federal agencies, contract employer, former employer, and the U.S. Office of Personnel Management (OPM).