[Federal Register Volume 59, Number 178 (Thursday, September 15, 1994)]
[Unknown Section]
[Page 0]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-22797]
[[Page Unknown]]
[Federal Register: September 15, 1994]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
Privacy Act of 1974; Amendment of System Notice
AGENCY: Department of Veterans Affairs.
ACTION: Notice.
-----------------------------------------------------------------------
Notice is hereby given that the Department of Veterans Affairs (VA)
is considering adding two new routine uses to, and is amending other
parts of, a system or records entitled Current and Former Accredited
Representative, Claims Agent, and Representative and Claims Agent
Applicant and Rejected Applicant Records--VA (01VA022) as set forth in
the Federal Register 40FR38095 (8/26/75) and revised in 47FR1460 (1/13/
82) and 54FR30969 (7/25/89). VA is amending the system by revising the
System Name and the paragraphs for System Location, Categories of
Individuals Covered by the System, Categories of Records in the System,
Authority for Maintenance of the System, Routine Uses of Records
Maintained in the System, Including Categories of Users and the
Purposes of Such Uses, and Policies and Practices for Storing,
Retrieving, Accessing, Retaining, and Disposing of Records in the
System, including Storage, Retrievability and Safeguards.
VA has decided, as a matter of policy, to authorize those
individuals approved by VA to represent claimants for VA benefits under
38 CFR 14.626-.635 to have remote, on-line access to the automated
Veterans Benefits Administration (VBA) claim records of those
individuals whom they represent. In order to implement this policy, VA
has published a notice of proposed rulemaking (59 FR 37008 (7-20-94))
to add sections 38 CFR 14.640 through 14.643.
In the course of providing expanded remote access to accredited
representatives of veterans service organizations, claims agents and
attorneys approved to represent veterans under 38 CFR 14.629 and
persons recognized pursuant to 38 CFR 14.630, VA will have to maintain
certain information about these individuals. The following discussion
explains the various types of information which the Department will
create as part of the expanded remote access program, where and how it
will be maintained, and the security for it.
Each individual approved for expanded read-only remote access to
automated veterans claim records will receive several access codes from
the VBA Central Office Security Officer. (Later this responsibility
will be transferred to the VBA Regional Office of jurisdiction for the
first claims folder to which access is sought.)
The VBA Central Office Security Officer will obtain these various
codes from the following sources and provide them to each person
granted access. The Security Officer will not retain a copy of this
information. Each representative, claims agent or attorney will be
issued a user identification code and personal password for the
Department's computerized electronic communications system, IDCU
(Integrated Data Communications Utility), by the security office
responsible for IDCU in Martinsburg, West Virginia, which will retain
records of these codes in automated form. Only security personnel at
Martinsburg may access these codes.
When the individual uses these codes to access IDCU, he or she will
be routed automatically to the migration gateway to VBA's automated
Benefits Delivery Network (BDN); access to any other IDCU activity will
not be possible. At the migration gateway to the BDN, the individual
will use a ``login'' identification code, and a personal password to
obtain access to the BDN.
Initially, the VBA Central Office Security Officer will issue the
migration gateway access codes in response to requests for remote
access. These codes will be stored in automated form in Central Office.
At some point, the Security Officer for the local VBA Regional Office
of jurisdiction for the first claim to which access is sought will
assume these responsibilities to issue and store the migration gateway
codes. That Regional Office will retain the ``login'' identification
code in automated form. The security officer of the Regional Office of
jurisdiction, security personnel at the VBA automated Benefits Delivery
Center (BDC) in Hines, Illinois, and the VBA Central Office Security
Officer will be the only agency personnel who may access the ``login''
identification codes. An individual's personal password will remain in
the computer system, but no one, including system security officers or
system managers, may access it. If a person forgets his or her
migration gateway personal password, the individual will have to obtain
a new one.
After passing through the migration gateway, the individual must
then use a BDN password, also issued by the Regional Office Security
Officer, to access the BDN. The BDN password obtains access to records
concerning individuals in one of five geographical sections of the
country. One individual will be given access to more than one
geographical region when clients are located in different areas of the
United States.
Each IDCU user identification code and personal password, migration
gateway ``login'' identification code and personal password, and BDN
passwords will be unique for each individual.
To ensure the security of the various systems, Benefits Delivery
Centers in Hines, Illinois, and Philadelphia, Pennsylvania, will
monitor daily the use of BDN passwords, and will issue a daily report
in hard copy to each Regional Office of any apparent security
violations associated with any BDN password issued for whom it has
oversight responsibility. The BDCs will retain this daily security log
in automated form for thirty days; only VBA personnel located at the
Hines and Philadelphia BDC's who are cleared for access to the daily
security violation logs may access this automated information.
The daily security violation log will list the identifying
assignment code for the individual (not the individual's BDN password),
and the particular violation code(s) associated with that person's
password for that day. Each Regional Office is to retain the daily logs
for six months. Only the Regional Office Security Officer will have
access to the daily security violation logs until such time as it is
determined that further investigation may be needed. At that point, the
appropriate VA employees may receive the logs as necessary to conduct
any oversight or investigation.
VA will maintain security profiles on each individual granted
remote access privileges. The data bases for the security profiles will
be maintained in Hines, Illinois, and Philadelphia, Pennsylvania. The
security profile on each individual will contain the following
information in automated form: the individual's name, the individual's
BDN passwords; the individual's assignment code, the code identifying
their status, such as whether they are operating under a power of
attorney or as a service organization representative; whether they have
been granted the ability to read a veteran client's diagnostic codes,
their level of access to sensitive records, if a veteran, their claims
file number, and a listing of the read-only access commands they may
utilize. The security profile on an individual may be retrieved only by
the security personnel at Hines and Philadelphia, the VBA Central
Office Security Officer and the Regional Office Security Officer for
the Regional Office of jurisdiction for the first claim for which the
individual was granted remote access to the veteran's automated
benefits records.
If VA determines that an individual's access privileges should be
suspended or revoked generally, records, including possibly copies of
the records mentioned above, will be gathered in an evidence file which
will be retained in the Regional Office and in the Office of General
Counsel, both in the field and in Central Office.
As a result of the above actions, we are changing the System name
to reflect that records in the altered system will be kept on attorneys
also because of the need to retain records concerning their exercise of
remote access privileges.
We are adding to the System Location paragraph of 01VA022 the
locations at which new records in the system will be maintained.
Records concerning the authorization of individuals to access automated
veterans claim records from remote locations will be maintained in the
locations discussed above.
We are adding two new categories of individuals to the paragraph
concerning individuals covered by the system. The first category is
attorneys who have applied for, currently hold, or previously have held
the privilege of remote access to VBA automated claim records. We are
also expanding the existing category of accredited representatives to
include county veterans' service officers recommended by a recognized
state organization because VA recently recognized the national
organization of these officials under 14 CFR Sec. 14.628 for purposes
of representation of individuals on claims for title 38 benefits.
We are adding a new category of records to be maintained in the
system to the paragraph concerning the categories of records in the
system. This information will include information and correspondence
relating to the application for, evaluation of and grant or denial of a
request for remote access privileges, as well as information concerning
the individual's use of remote access privileges and information
concerning any determination whether to suspend or revoke an
individual's remote access privileges.
Because Congress enacted legislation renumbering the sections of
title 38, United States Code, we are revising the paragraph containing
the authority for maintenance of the system to reflect the renumbering.
We propose to add two new routine uses to the paragraph of 01VA022
which sets forth the routine uses for records maintained in the system.
The regulations governing the remote access activity provide that VA
will release information about individuals who have access privileges
in two circumstances for which routine uses do not currently exist.
Consequently, VA is adding the following two new routine uses as part
of the implementation of the remote access regulations.
First, if VA is considering whether to deny or suspend or revoke an
individual's access privileges generally, VA may then notify the
representative's employer or any recognized service organization with
which such a representative is affiliated. Second, if the
representative is licensed by a governmental entity, such as a state
bar association, VA will report the conduct of the representative to
that entity after revocation of access privileges if VA concludes that
the conduct which was the basis for revocation of access privileges
merits reporting.
Both routine uses satisfy the compatibility requirement of
subsection (a)(7) of the Privacy Act. VA will gather this information
for the purposes of determining whether it should grant, deny, suspend
or revoke an individual's remote access privileges to claimants'
automated claim records generally, as well as ensuring the individual's
continued compliance with the agency's requirements for exercise of the
remote access privileges. This information concerns the qualifications
and conduct of the individual, that is, the appropriateness of the
individual to have remote access privileges to represent beneficiaries
and claimants.
State licensing entities, such as bar associations, routinely
monitor and enforce the individual member's compliance with rules of
conduct which are intended, at least in part, to protect the public.
Additionally, under the rules of these organizations, these persons
normally have a responsibility to protect and preserve the
confidentiality of information concerning their clients.
VA's proposed routine use authorizing disclosures to state
licensing entities would allow VA to provide those state licensing
entities with information which is relevant to their enforcement
activities concerning compliance with those rules. VA gathered the
information, at least in part, to help ensure the confidentiality of
the VA's information on people who are, in essence, the clients of the
individuals who are licensed by the state governmental entities. The
purposes are sufficiently similar that the disclosure satisfies the
compatibility requirement of subsection (a)(7) of the Privacy Act.
Veterans service organizations and other entities represent
veterans on claims matters. To do so effectively, they must have access
to the confidential claims records of those veterans. Part of their
acceptance within the community they serve is a confidence on the
public's part that they and their accredited representatives and
employees will zealously protect the privacy of their clients. If
veterans perceive that the confidentiality of their records will not be
honored, it will limit the effectiveness of these organizations in
representing their clients. Thus, in order to effectively represent
veterans, they are concerned about ensuring that individuals whom they
use to conduct their representational activities act in a manner
consistent with the organization's goal of preserving the
confidentiality of their clients' claim records.
As we stated in regard to the routine use authorizing disclosure of
records to state licensing entities, VA gathered the information about
remote access users, at least in part, to help ensure the
confidentiality of the VA's information on it claimants who are, in
essence, the clients of the organization which uses the individual
representatives and claims agents to prosecute the veterans claims. The
purposes are sufficiently similar that the disclosure satisfies the
compatibility requirement of subsection (a)(7) of the Privacy Act.
VA has determined that release of information under the
circumstances described above is a necessary and proper use of
information in this system of records and that the specific routine
uses proposed for the transfer of this information is appropriate.
An altered system of records report and a copy of the revised
system notice have been sent to the House of Representatives Committee
on Government Operations, the Senate Committee on Governmental Affairs,
and the Office of Management and Budget (OMB) as required by 5 U.S.C.
552a(r) and guidelines issued by OMB (59 FR 37906, 37916-18 (7-25-94)).
Interested persons are invited to submit written comments,
suggestions, or objections regarding the new routine use in this system
of records to the Secretary, Department of Veterans Affairs (271A), 810
Vermont Avenue NW., Washington, DC 20420. All relevant material
received before [date thirty days after date of publication] will be
considered. All written comments received will be available for public
inspection at the above address only between the hours of 8 a.m. and
4:30 p.m., Monday through Friday, except holidays, until October 25,
1994.
If no public comment is received during the 30 day review period
allowed for public comment or unless otherwise published in the Federal
Register by VA, the routine uses included herein are effective October
17, 1994 or 40 days after the notice was approved, whichever is latest.
Other changes to the system of records notice contained herein are
effective upon publication.
Approved: September 1, 1994.
Jesse Brown,
Secretary of Veterans Affairs.
Notice of Amendment to System of Records
The system of records identifies as 01VA022, ``Current and Former
Accredited Representative, Claims Agent, and Representative and Claims
Agent Applicant and Rejected Applicant Records--VA,'' as set forth in
Federal Register publication, ``Privacy Act Issuances,'' 1991
Compilation, Volume II, pages 919-20, is amended by adding the
information and revising the entries as shown below:
01VA022
System Name
Current and Former Accredited Representative, Claims Agent,
Representative and Claims Agent Applicant and Rejected Applicant and
Attorney Records--VA.
System Location
Records are maintained in the Office of General Counsel (022), and
in the Veterans Benefits Administration (213C), Department of Veterans
Affairs Central Office, Washington, DC 20420. Records will also be
maintained in the District Counsel Offices, and the security offices of
the following components of the Veterans Benefits Administration:
Regional Offices, and the Hines, Illinois and Philadelphia,
Pennsylvania automated benefits records centers. Records also will be
maintained in the Computer security office for the Integrated Data
Communications Utility at the Department of Veterans Affairs Medical
Center in Martinsburg, West Virginia. Address locations are listed in
VA Appendix I as set forth in the Federal Register publication,
``Privacy Act Issuances,'' 1991 Compilation, Volume II, pp. 989-994.
Categories of Individuals Covered by the System
* * * (1) Individuals recommended by a recognized organization and
accredited or previously accredited by VA to represent claimants for
benefits; (2) claims agents (not attorneys) independent of a service
organization who have applied for, and/or accredited or previously
accredited by VA to represent claimants for benefits; (3) individuals
whose names have been submitted to VA by service organizations for
accreditation or who have applied to VA to become claims agents; and
(4) attorneys who have applied for, currently hold, or previously held
the privilege of remote access to Veterans Benefits Administration
automated claims records.
Categories of Records in the System
* * * (8) investigative reports, correspondence and other
information concerning the fitness of a prospective, present, or former
claims agent, accredited representative or attorney; (9) documents,
decisions, correspondence and other information relating to or
including the granting, denial, suspension or termination of
accreditation of representatives or claims agents; (10) information
concerning an individuals' exercise of remote access privileges to the
Veterans Benefits Administration automated claim records, including
identification codes and codes used to access various VA automated
communications systems and records systems, as well as security
profiles and possible security violations; and (11) information,
documents, correspondence, and decisions relating to the application
for, and the grant, denial, suspension, or revocation of an
individual's privilege of remote access to Veterans Benefits
Administration automated claim records.
Authority for Maintenance of the System
Title 38, United States Code, Sections 501(a), 5902 and 5904.
Routine Uses of Records Maintained in the System, Including Categories
of Users and the Purpose of Such Uses
* * * * *
10. The name and address of an accredited representative, claims
agent or attorney and any information concerning such individual
relating to a suspension, revocation, or potential suspension or
revocation of that individual's privilege of remote access to Veterans
Benefits Administration automated claim records, may be disclosed to
any recognized service organization with which the accredited
representative is affiliated, and to any entity employing the
individual to represent veterans on claims for veterans benefits.
11. The name and address of a former accredited representative,
claims agent or attorney, and any information concerning such
individual, except a veteran's name and home address, which is relevant
to a revocation of remote access privileges to Veterans Benefits
Administration automated claim records may be disclosed to an
appropriate governmental licensing organization where VA determines
that the individual's conduct which resulted in revocation merits
reporting.
* * * * *
Policies and Practices for Storing, Retrieving, Accessing,
Retaining, and Disposing of Records in the System
Storage
* * * Identification codes and codes used to access various VA
automated communications systems and records systems, as well as
security profiles and possible security violations, are maintained on
magnetic media in a secure environment within VA workspaces. Hard
copies are maintained in locked containers.
* * * * *
Retrievability
* * * Information concerning possible security violations
associated with exercise or remote access privileges is retrieved by
individual assignment numbers. Information concerning individual
security profiles and codes assigned to an individual for that person
to obtain access to various computer systems is retrieved by the
individual's assignment number.
* * * * *
Safeguards
3. Access to automated records concerning identification codes and
codes used to access various VA automated communications systems and
records systems, as well as security profiles and possible security
violations is limited to designated automated systems security
personnel who need to know the information in order to maintain and
monitor the security of the VA's automated communications and veterans'
claim records systems. Access to these records in automated form is
controlled by individually unique passwords/codes. Agency personnel may
have access to the information on a need to know basis when necessary
to advise agency security personnel or for use to suspend or revoke
access privileges or to make disclosures authorized by a routine use.
4. Access to VA facilities where identification codes, passwords,
security profiles and possible security violations are maintained is
controlled at all hours by the Federal Protective Service, VA or other
security personnel and security access control devices.
* * * * *
[FR Doc. 94-22797 Filed 9-14-94; 8:45 am]
BILLING CODE 8320-01-M
