AGENCY:

Department of Veterans Affairs (VA).

ACTION:

Notice of Amendment of Systems of Records Notice “Customer User Provisioning System (CUPS)-VA” (87VA005OP).

SUMMARY:

As required by the Privacy Act of 1974 (5 U.S.C. 552a(e)(4)), notice is hereby given that the Department of Veterans Affairs (VA), is amending the system of records entitled “Customer User Provisioning System (CUPS)-VA” (87VA005OP) as set forth in 69 FR 18436. VA is amending the system of records by revising the system name, category of records, and the routine uses in the system. VA is re-publishing the system notice in its entirety.

DATES:

Comments on this amended system of records must be received no later than September 14, 2009. If no public comment is received during the period allowed for comment or unless otherwise published in the Federal Register by VA, the amended system will become effective September 14, 2009.

ADDRESSES:

Written comments may be submitted through http://Start Printed Page 41191;www.Regulations.gov;​; by mail or hand-delivery to the Director, Regulations Management (02REG), Department of Veterans Affairs, 810 Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday (except holidays). Please call (202) 461-4902 (this is not a toll free number) for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS).

FOR FURTHER INFORMATION CONTACT:

Alvin J. Donnell, Chief, Systems Security Division, Corporate Data Center Operations (CDCO), Department of Veterans Affairs, 1615 Woodward Street, Austin, Texas 78772, telephone (512) 326-6006.

SUPPLEMENTARY INFORMATION:

Background: CDCO is the largest data center in the Department of Veterans Affairs. In order to record and track system access to the computers operated and maintained by this organization, CDCO must maintain a current list of all VA employees, employees of other government agencies, and authorized contractor personnel who require access to this computer resources, in accordance with Federal computer security requirements.

In this system of record, the name is amended to reflect the name of the new system. The new system name is Customer User Provisioning System (CUPS). CUPS replaces the Automated Customer Registration System (ACRS) effective January 5, 2009.

The Category of Records in the System is amended to reflect the records in this system, in both paper and electronic form, will not include the social security numbers of personnel who have requested and gained access to the automated resources at CDCO. In addition to deleting the Social Security number, the individual's log-on ID for their local area network will be included in the record, which is used as the unique identifier in lieu of the Social Security number. The records will include the name, business address and telephone number, job title and information relating to data file and computer system access permissions granted to that individual.

Routine Uses numbers 8-14 have been added per the requirement of the Department and for further clarification of disclosures that VA may make to individuals, agencies and third party entities.

The Report of Intent to Amend a System of Records notice and an advance copy of the system notice have been sent to the appropriate Congressional committees and to the Director of Office of Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

SYSTEM NUMBER:

87VA005OP

SYSTEM NAME:

Customer User Provisioning System—VA.

SYSTEM LOCATION:

The automated records are maintained by the Corporate Data Center Operations, 1615 Woodward Street, Austin, TX 78772. The paper records will be maintained at each VA field station that has a responsibility for CUPS input.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

All Department of Veterans Affairs employees, employees of other government agencies, and authorized contractor personnel who have requested and have been granted access to the automated resources of the VA Corporate Data Center Operations (CDCO).

CATEGORIES OF RECORDS IN THE SYSTEM:

The records in this system, in both paper and electronic form, will include the names and network user-ID of all personnel who have requested and been granted access to the automated resources at the CDCO. The records will also include business address and telephone number, job title, and information relating to data file and computer system access permissions granted to that individual.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code, Section 501.

PURPOSE(S):

The purpose of this system of records is to allow the CDCO in Austin, Texas, to maintain a current list of all VA employees, employees of other government agencies, and authorized contractor personnel who require access to the computer resources of the CDCO, in accordance with Federal computer security requirements.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

1. At the initiative of VA, pertinent information may be disclosed to appropriate Federal, State or local agencies responsible for investigating, prosecuting, enforcing or implementing statutes, rules, regulations or orders, where VA becomes aware of an indication of a violation or potential violation of civil or criminal law or regulation.

2. Disclosure of specific information may be made to a Federal agency, in response to its request, to the extent that the information requested is relevant and necessary to the requesting agency's decision in connection with hiring or retaining an employee, issuing a security clearance, conducting a security or suitability investigation on an individual, classifying jobs, awarding a contract or issuing a license, grant or other benefit.

3. Disclosure of information may be made to officials of the Merit Systems Protection Board, including the Office of the Special Counsel, the Federal Labor Relations Authority and its General Counsel or the Equal Employment Opportunity Commission, when requested in performance of their authorized duties, and the request is not in connection with a law enforcement investigation.

4. The record of an individual who is covered by this system or records may be disclosed to a member of Congress, or staff person acting for the member when the member or staff person requests the record on behalf of and at the written request of that individual.

5. Disclosure may be made to the National Archives and Records Administration and General Services Administration for record management inspections conducted under Authority of Title 44 U.S.C.

6. VA may disclose information from this system of records to the Department of Justice (DoJ), either on VA's initiative or in response to DoJ's request for the information, after either VA or DoJ determines that such information is relevant to DoJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of the records to the DoJ is a use of the information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records Start Printed Page 41192in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

7. Disclosure of relevant information may be made to individuals, organizations, private or public agencies, or other entities with whom VA has a contract or agreement or where there is a subcontract to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor or subcontractor to perform the services of the contract or agreement.

8. VA may disclose on its own initiative any information in this system, except the names and home addresses of veterans and their dependents, that is relevant to a suspected violation or reasonably imminent violation of law, whether civil, criminal or regulatory in nature and whether arising by general or program statute or by regulation, rule or order issued pursuant thereto, to a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, rule, regulation or order. VA may also disclose on its own initiative the names and addresses of veterans with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations if law, or charged with enforcing or implementing the statute regulation, or order issued pursuant thereto.

9. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

10. VA may, on its own initiative, disclose any information or records to appropriate agencies, entities, and persons when (1) VA suspects or has confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) VA has determined that as a result of the suspected or confirmed compromise, there is a risk of embarrassment or harm to the reputations of the record subjects, harm to the economic or property interests, identity theft or fraud, or harm to security, confidentially, or integrity of this system or other systems or programs (whether maintained by VA or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is to agencies, entities, or persons whom VA determines are reasonably necessary to assist or carry out the VA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by VA to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision of credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Each field station responsible for inputting records into the system will retain the original signed paper copies of requests for system access in locked containers. Data files supporting the automated system are stored in a secure area located at the CDCO. Data files are stored on magnetic disk and, for archival purposes, on magnetic tape.

RETRIEVABILITY:

Paper records are maintained in alphabetical order by last name of the requester. Automated records are retrieved by individual name or by a specific automated resource.

SAFEGUARDS:

Paper records in progress are maintained in a manned room during working hours. Paper records maintained for archival purposes are stored in locked containers until needed. During non-working hours, the paper records are kept in a locked container in a secured area. Access to the records is on a need-to-know basis only. Access to the automated system is via computer terminal; standard security procedures, including a unique customer identification code and password combination, are used to limit access to authorized personnel only. Specifically, in order to obtain access to the automated records contained in this system of records, an individual must: 1. Have access to the automated resources of the CDCO. An individual may not self-register for this access. Formal documentation of the request for access, signed by the employee's supervisor, is required before an individual may obtain such access. Authorized customers are issued a customer identification code and one-time password.

2. Be an authorized official of the CUPS system. Only two individuals per field station may be designated CUPS officials with access to add, modify or delete records from the system. These individuals require a specific functional task code in their customer profile; this functional task can only be assigned by the CDCO. A limited number of supervisory or managerial employees throughout VA will have read-only access for the purpose of monitoring CUPS activities.

RETENTION AND DISPOSAL:

Records will be maintained and disposed of in accordance with the records disposal authority approved by the Archivist of the United States, the National Archives and Records Administration, and published in Agency Records Control Schedules. Paper records will be destroyed by shredding or other appropriate means for destroying sensitive information. Automated storage records are retained and destroyed in accordance with a disposition authorization approved by the Archivist of the United States.

SYSTEMS AND MANAGER(S) AND ADDRESS:

Officials responsible for policies and procedures; Executive Director, Corporate Data Center Operations, 1615 Woodward Street, Austin, Texas 78772. The telephone number is (512) 326-6000.

NOTIFICATION PROCEDURE:

Individuals who wish to determine whether this system of records contains information about them should contact the Executive Director, Corporate Data Center Operations, 1615 Woodward Street, Austin, Texas 78772.

RECORD ACCESS PROCEDURE:

An individual who seeks access or wishes to contest records maintained under his or her name or other personal identifier may write, call or visit the system manager.

CONTESTING RECORD PROCEDURES:

(See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:

Individuals who have applied for and been granted access permission to the resources of the CDCO.