E9-17776. Privacy Act; Systems of Records  

    AGENCY:

    Department of Veterans Affairs.

    ACTION:

    Notice of establishment of new system of records.

    SUMMARY:

    The Privacy Act of 1974 (5 U.S.C. 552a(e)(4)) requires that all agencies publish in the Federal Register a notice of the existence and character of their systems of records. Notice is hereby given that the Department of Veterans Affairs (VA) is establishing a new electronic system of records entitled “Veterans Affairs/Department of Defense Identity Repository (VADIR)—VA” (138VA005Q).

    DATES:

    Comments on this new system of records must be received no later than August 26, 2009. If no public comment is received, the new system will become effective August 26, 2009.

    ADDRESSES:

    Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to the Director, Regulations Management (02REG), Department of Veterans Affairs, 810 Vermont Avenue, NW., Room 1063B, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS) at http://www.Regulations.gov.

    FOR FURTHER INFORMATION CONTACT:

    David Lindsey, Program Manager, VADIR, Registration and Eligibility (005Q3), 810 Vermont Ave, NW., Washington, DC 20420; telephone (202) 245-1679.

    SUPPLEMENTARY INFORMATION:

    a. Description of the Proposed System of Records:

    The Veterans Affairs/Department of Defense Identity Repository (VADIR) database is an electronic repository of military personnel's military history, payroll information and their dependents' data provided to VA by the Department of Defense's Defense Manpower Data Center (DMDC). The VADIR database repository is used in conjunction with other applications across VA business lines to provide an electronic consolidated view of comprehensive eligibility and benefits utilization data from across VA and Department of Defense (DoD). VA applications use the VADIR database to retrieve profile data, as well as address, military history, and information on compensation and benefits, disabilities, and dependents.

    b. Proposed Routine Use Disclosures of Data in the System:

    1. The record of an individual included in this system may be provided to DoD systems or offices for use in connection with matters relating to one of DoD's programs to enable delivery of healthcare or other DoD benefits to eligible beneficiaries.

    2. The name, address, VA file number, effective date of compensation or pension, current and historical benefit pay amounts for compensation or pension, service information, date of birth, competency payment status, incarceration status, and social security number of veterans and their surviving spouses may be disclosed to the Department of Defense Manpower Data Center (DMDC) to reconcile the amount and/or waiver of service, department and retired pay. These records may also be disclosed as part of a computer matching program to accomplish these purposes.

    3. The name, address, VA file number, date of birth, date of death, social security number, and service information may be disclosed to DoD. DoD will use this information to identify retired veterans and dependent members of their families who have entitlement to DoD benefits but who are not identified in the Department of Defense Enrollment Eligibility Reporting System (DEERS) program and to assist in determining eligibility for Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) benefits. This purpose is consistent with 38 U.S.C. 5701.

    4. The name(s) and address(es) of a veteran may be disclosed to another Federal agency or to a contractor of that agency, at the written request of the head of that agency or designee of the head of that agency for the purpose of conducting government research necessary to accomplish a statutory purpose of that agency.

    5. VA may disclose on its own initiative any information in this system, except the names and addresses of veterans and their dependents, that is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal, or regulatory in nature and whether arising by general or program statute or by regulation, rule, or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule, or order. VA may also disclose on its own initiative the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order issued pursuant thereto.

    6. VA may disclose information in the system of records to the Department of Justice (DOJ), either on VA's initiative or in response to DOJ's request for the information, after either VA or DOJ determines that such information is relevant to DOJ's representation of the United States or any of its components in legal proceeding before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of records to the DOJ is a use of information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

    7. Where VA determines that there is good cause to question the legality or ethical propriety of the conduct of a person or organization representing a person in a matter before VA, a record from this system may be disclosed, on VA's initiative, to any or all of the following: (1) Applicable civil or criminal law enforcement authorities and (2) a person or entity responsible for the licensing, supervision, or professional discipline of the person or organization acting as representative. Names and home addresses of veterans and their dependents will be released on VA's initiative under this routine use only to Federal entities when VA believes that the names and addresses are required by the Federal department or agency.

    8. Disclosure of relevant information may be made to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor or entity or individual with whom VA has an agreement or contract to perform the services of the contract or agreement.

    9. VA may disclose any information or records to appropriate agencies, entities, and persons when (1) it is suspected or confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) VA has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the records subjects, harm to economic or property interest, identity theft or fraud, or harm to the security, confidentiality or integrity of this system or other systems or programs (whether maintained by VA or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is made to such agencies, entities, and persons whom VA determines are reasonably necessary to assist or carry out VA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

    10. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs. This routine use permits disclosures by VA to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision or credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

    11. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress, or a staff person acting for the member, when the member or staff person requests the record on behalf of and at the written request of the individual.

    12. Disclosure may be made to the National Archives and Records Administration (NARA) or the General Services Administration (GSA) in records management inspections conducted under authority of Chapter 29 of Title 44 United States Code.

    c. Design Constraints—The VADIR system sits within the Austin Automation Center (AAC) in Austin, Texas, and therefore must conform to their requirements and standards established for that environment. This includes requirements such as access control to the systems, revision/patch levels for hardware operating systems and database management systems, and use of security tools such as antivirus software, intrusion detection software and spyware. All data stored by VADIR are received from DMDC; therefore any changes requiring additional data or data format changes must be coordinated with the DMDC Database Administrator.

    d. Certification & Accreditation—The VADIR database repository has gone through the Certification & Accreditation (C&A) process. During this process, the VADIR database underwent a series of risk and security assessments and had extensive documentation developed to support the integrity of the system. The VA C&A process is used to certify that the VADIR system has adequate, logical, management and technical security controls in place that minimize the system's risk to unauthorized access and disclosure.

    e. Privacy Impact Assessment—The VADIR database repository system has had a comprehensive Privacy Impact Assessment (PIA) conducted on it to ensure that the privacy of the information contained within the system is adequately protected according to VA and Office of Management and Budget (OMB) privacy and security standards.

    f. Internal Communications Architecture—Records are transmitted between DMDC and VA over a dedicated telecommunications circuit using approved encryption technologies. Records (or information contained in records) are maintained in electronic format in the VADIR Oracle database. These records cannot be directly accessed by any VA employee or other users. Information from VADIR is disseminated in three ways: (1) Approved VA systems electronically request and receive data from VADIR over the internal VA network, (2) data is provided over the dedicated circuit between VADIR and DMDC for reconciliation of records or to identify retired veterans and dependents who have entitlements to DoD benefits but are not identified in DEERS, and (3) periodic electronic data extracts of subsets of information contained in VADIR are provided to approved VA offices/systems over the internal VA network.

    g. File Extracts—Daily extracts of subsets of data contained in VADIR are created to support VA business lines. These extracts are transmitted to approved VA office/systems over the internal VA network using approved security protocols to protect the data.

    h. External Interfaces—DoD data feed that updates the primary VADIR repository is transmitted from DMDC at Auburn Hills, Michigan, to the AAC over a dedicated communications circuit; a second data feed transmits the same data from DMDC to the VADIR disaster recovery site in Hines, Illinois, over another dedicated circuit. All data transmissions are encrypted.

    i. Interface Architecture—No users can access VADIR directly. Other VA systems request specific information from VADIR and that information is displayed to the user by the requesting system. VADIR also provides periodic data extracts of subsets of data contained in the VADIR database to approved VA offices/systems.

    j. Compatibility of the Proposed Routine Uses—The Privacy Act permits VA to disclose information about the individuals contained in a system of records without their consent for a routine use, when the information will be used for a purpose that is compatible with the purpose for which the information was collected. In all of the routine use disclosures described above, either the recipient of the information will use the information in connection with a matter relating to one of VA's programs, to provide a benefit to the veteran, or disclosure is required by law.

    The notice of intent to publish an advance copy of the system notice has been sent to the appropriate Congressional committees and to the Director of the Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

    Approved: July 8, 2009.

    John R. Gingrich,

    Chief of Staff, Department of Veterans Affairs.

    138VA005Q

    SYSTEM NAME:

    “Veterans Affairs Department of Defense Identity Repository (VADIR)—VA” 138VA005Q.

    SYSTEM LOCATION:

    The primary VADIR database containing all records is maintained at the Austin Automation Center (AAC) at 1615 East Woodward Street, Austin, Texas 78772. A second VADIR database with an identical set of records is being established as a disaster recovery site at the Data Processing Center at Hines, Illinois. The disaster recovery site will be established in CY 2009. All records are maintained electronically.

    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

    The category of the individuals covered by the VADIR database encompasses veterans, service members, and their dependents. This would include current service members, separated service members, and their dependents; as well as veterans whose VA military service benefits have been sought by others (e.g., burial benefits).

    CATEGORIES OF RECORDS IN THE SYSTEM:

    The record, or information contained in the record, may include identifying information (e.g., name, contact information, Social Security number), association to dependents, cross reference to other names used, military service participation and status information (branch of service, rank, enter on duty date, release from active duty date, military occupations, type of duty, character of service, awards), reason and nature of active duty separation (completion of commitment, disability, hardship, etc.), combat/environmental exposures (combat pay, combat awards, theater location), combat deployments (period of deployment, location/country), Guard/Reserve activations (period of activation, type of activation), military casualty/disabilities (line of duty death, physical examination board status, serious/very serious injury status, DoD rated disabilities), education benefit participation, eligibility and usage, healthcare benefit periods of eligibility (TRICARE, CHAMPVA), and VA compensation (rating, Dependency and Indemnity Compensation (DIC), award amount).

    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

    The authority for maintaining this system is Title 38 U.S.C. Section 5106.

    PURPOSE:

    The purpose of VADIR is to receive electronically military personnel and payroll information from the Department of Defense (DoD) in a centralized VA system and then distribute the data to other VA systems and Lines of Business who require the information for health and benefits eligibility determinations. This information is provided to VADIR by the Defense Manpower Data Center (DMDC). VADIR will also provide veterans information concerning education benefits usage and death and disability status, as well as personal and demographic information on veterans discharged prior to 1978 to DMDC for reconciliation purposes.

    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

    1. The record of an individual included in this system may be provided to DoD systems or offices for use in connection with matters relating to one of DoD's programs to enable delivery of healthcare or other DoD benefits to eligible beneficiaries.

    2. The name, address, VA file number, effective date of compensation or pension, current and historical benefit pay amounts for compensation or pension, service information, date of birth, competency payment status, incarceration status, and social security number of veterans and their surviving spouses may be disclosed to the DMDC to reconcile the amount and/or waiver of service, department and retired pay. These records may also be disclosed as part of a computer matching program to accomplish these purposes.

    3. The name, address, VA file number, date of birth, date of death, social security number, and service information may be disclosed to DoD's Defense Manpower Data Center. DoD will use this information to identify retired veterans and dependent members of their families who have entitlement to Department of Defense benefits but who are not identified in the Department of Defense Enrollment Eligibility Reporting System (DEERS) program and to assist in determining eligibility for Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) benefits. This purpose is consistent with 38 U.S.C. 5701.

    4. The name(s) and address(es) of a veteran may be disclosed to another Federal agency or to a contractor of that agency, at the written request of the head of that agency or designee of the head of that agency for the purpose of conducting government research necessary to accomplish a statutory purpose of that agency.

    5. VA may disclose on its own initiative any information in this system, except the names and addresses of veterans and their dependents, that is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal, or regulatory in nature and whether arising by general or program statute or by regulation, rule, or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule, or order. VA may also disclose on its own initiative the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order issued pursuant thereto.

    6. VA may disclose information in the system of records to the Department of Justice (DOJ), either on VA's initiative or in response to DOJ's request for the information, after either VA or DOJ determines that such information is relevant to DOJ's representation of the United States or any of its components in legal proceeding before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of records to the DOJ is a use of information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

    7. Where VA determines that there is good cause to question the legality or ethical propriety of the conduct of a person or organization representing a person in a matter before VA, a record from this system may be disclosed, on VA's initiative, to any or all of the following: (1) Applicable civil or criminal law enforcement authorities and (2) a person or entity responsible for the licensing, supervision, or professional discipline of the person or organization acting as representative. Names and home addresses of veterans and their dependents will be released on VA's initiative under this routine use only to Federal entities when VA believes that the names and addresses are required by the Federal department or agency.

    8. Disclosure of relevant information may be made to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor or entity or individual with whom VA has an agreement or contract to perform the services of the contract or agreement.

    9. VA may disclose information or records to appropriate agencies, entities, and persons when (1) it is suspected or confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) VA has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the records' subjects, harm to economic or property interest, identity theft or fraud, or harm to the security, confidentiality or integrity of this system or other systems or programs (whether maintained by VA or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is made to such agencies, entities, and persons whom VA determines are reasonably necessary to assist in or carry out VA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

    10. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs. This routine use permits disclosures by VA to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision or credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

    11. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress, or a staff person acting for the member, when the member or staff person requests the record on behalf of and at the written request of the individual.

    12. Disclosure may be made to the National Archives and Records Administration (NARA) or the General Services Administration (GSA) in records management inspections conducted under authority of Chapter 29 of Title 44 United States Code.

    POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

    STORAGE:

    Records are transmitted between DMDC and VA over a dedicated telecommunications circuit using approved encryption technologies. Records (or information contained in records) are maintained in electronic format in the VADIR Oracle database. These records cannot be directly accessed by any VA employee or other users. Information from VADIR is disseminated in three ways: (1) Approved VA systems electronically request and receive data from VADIR, (2) data is provided between VADIR and DMDC for reconciliation of records or to identify retired veterans and dependents who have entitlements to DoD benefits but are not identified in DEERS, and (3) periodic electronic data extracts of subsets of information contained in VADIR are provided to approved VA offices/systems. Backups of VADIR data are created regularly and stored in a secure off-site facility.

    RETRIEVABILITY:

    Electronic files are retrieved using various unique identifiers belonging to the individual to whom the information pertains to include such identifiers as name, claim file number, social security number and date of birth.

    SAFEGUARDS:

    1. Physical Security: The primary VADIR system is located in the AAC and the backup disaster recovery system is located in the Hines Data Processing Center. Access to data processing centers is generally restricted to center employees, custodial personnel, Federal Protective Service and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons needing access to computer rooms are escorted.

    2. System Security: Access to the VA network is protected by the usage of “logon” identifications and passwords. Once on the VA network, separate ID and password credentials are required to gain access to the VADIR server and/or database. Access to the server and/or database is granted to only a limited number of system administrators and database administrators. In addition VADIR has undergone certification and accreditation. Based on a risk assessment that followed National Institute of Standards and Technology Vulnerability and Threat Guidelines, the system is considered stable and operational and a final Authority to Operate has been granted. The system was found to be operationally secure, with very few exceptions or recommendations for change.

    RETENTION AND DISPOSAL:

    VA retains selected information for purposes of making eligibility determinations for VA benefits. The information retained may be included in the VA records that are maintained and disposed of in accordance with the appropriate record disposition authority approved by the Archivist of the United States.

    SYSTEM MANAGER(S) AND ADDRESSES:

    The official responsible for maintaining the VADIR repository: David Lindsey, Program Manager, VADIR, Registration and Eligibility, Office of Enterprise Development, Interagency Program Executive Office (005Q3), ATTN: VADIR System of Records, 810 Vermont Avenue, NW., Washington, DC 20420.

    NOTIFICATION PROCEDURES:

    Individuals seeking information on the existence and content of a record pertaining to them should contact the system manager, in writing, at the above address. Requests should contain the full name, address and telephone number of the individual making the inquiry.

    RECORD ACCESS PROCEDURE:

    (See notification procedure above.)

    CONTESTING RECORD PROCEDURES:

    See Notification Procedure above. Additionally, to the extent that information contested is identified as data provided by DMDC, which is part of the Defense Logistics Agency (DLA), the DLA rules for accessing records, for contesting contents, and appealing initial agency determinations are contained in 32 CFR Part 323, or may be obtained from the Privacy Act Officer, Headquarters, Defense Logistics Agency, ATTN: DES-B, 8725 John J. Kingman Road, Stop 6220, Fort Belvoir, VA 22060-6221.

    RECORD SOURCE CATEGORIES:

    Information in this system of records is provided by components of the Department of Defense.

    [FR Doc. E9-17776 Filed 7-24-09; 8:45 am]

    BILLING CODE 8320-01-P

Document Information

Comments Received:
0 Comments
Effective Date:
8/26/2009
Published:
07/27/2009
Department:
Veterans Affairs Department
Entry Type:
Notice
Action:
Notice of establishment of new system of records.
Document Number:
E9-17776
Dates:
Comments on this new system of records must be received no later than August 26, 2009. If no public comment is received, the new system will become effective August 26, 2009.
Pages:
37093-37096 (4 pages)
PDF File:
e9-17776.pdf