2024-21071. Privacy Act of 1974; System of Records  

  • AGENCY:

    Peace Corps.

    ACTION:

    Notice of a modified system of records.

    SUMMARY:

    As required by the Privacy Act of 1974 and the Office of Management and Budget (OMB) Circulars A-108 and A-130, the Peace Corps is issuing public notice of its intent to modify a System of Records that it maintains subject to the Privacy Act of 1974, PC-33, entitled “Security Incident Management System (SIMS)”. This System of Records Notice (SORN) is being modified to reflect the new name of the SORN (previously “Consolidated Incident Reporting System (CIRS)”), to align with the new formatting requirements published by the Office of Management and Budget, and to ensure appropriate Privacy Act coverage of business processes and Privacy Act information. Substantive changes have been made to the “System Location,” “Categories of Individuals Covered by the System,” “Categories of Records in the System,” “System Locations,” “Routine Uses,” “Policies and Practices for Retrieval of Records,” “Policies and Practices for Retention and Disposal of Records,” and “Administrative, Technical and Physical Safeguards” sections to provide greater transparency. Changes to “Routine Uses” include new provisions related to responding to breaches of information held under a Privacy Act SORN as required by OMB's Memorandum M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information” (January 3, 2017).

    DATES:

    This modified system of records is effective 30 days upon publication; however, comments on the Routine Uses will be accepted on or before October 16, 2024. The Routine Uses are effective at the close of the comment period.

    ADDRESSES:

    Send written comments, identified by the docket number and title, to the Peace Corps, ATTN: James Olin, FOIA/Privacy Act Officer, 1275 First Street NE, Washington, DC 20526, or by email at pcfr@peacecorps.gov. Email comments must be made in text and not in attachments.

    FOR FURTHER INFORMATION CONTACT:

    James Olin, FOIA/Privacy Act Officer, 1275 First Street, NE, Washington, DC 20526; pcfr@peacecorps.gov; or 202-692-2507.

    SUPPLEMENTARY INFORMATION:

    The Peace Corps is amending a system of records that it maintains subject to the Privacy Act of 1974 (5 U.S.C. 552a), as amended. Specifically, PC-33, entitled “Security Incident Management System (SIMS)” is being amended to reflect the new name of the system (previously “Consolidated Incident Reporting System (CIRS)”) and two new routine uses at paragraphs M and N:

    “(M). Disclosure to all appropriate agencies, entities, and persons when (1) the Peace Corps suspects or has confirmed that there has been a breach of the system of records; (2) the Peace Corps has determined that as a result of the suspected or confirmed breach, there is a risk of harm to individuals, the Peace Corps (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Peace Corps' efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.”

    “(N). Disclosure to another Federal agency or Federal entity, when the Peace Corps determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.”

    Additionally, substantive changes have been made to the “System Location,” “Categories of Individuals Covered by The System,” “Categories of Records in the System,” “System Locations,” “Routine Uses,” “Policies and Practices for Retrieval of Records,” “Policies and Practices for Retention and Disposal of Records,” and “Administrative, Technical and Physical Safeguards” sections to provide greater transparency.

    SYSTEM NAME AND NUMBER:

    Security Incident Management System (SIMS), PC-33.

    SECURITY CLASSIFICATION:

    Not applicable.

    SYSTEM LOCATION:

    Office of Safety and Security, Peace Corps, 1275 First St., NE, Washington, DC 20002. Information may also be stored within Microsoft Dynamics 365 overseen by the Office of the Chief Information Officer.

    SYSTEM MANAGER(S):

    Social Science Analyst, Office of Safety and Security, Peace Corps, 1275 First St. NE, Washington, DC 20002.

    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

    Peace Corps Act, 22 U.S.C. 2501 et seq.

    PURPOSE(S) OF THE SYSTEM:

    To provide a single central facility within the Peace Corps for tracking reported crimes against Volunteers; analyzing trends; and responding to requests from executive, legislative, and oversight bodies, as well as the public, for statistical crime data relating to criminal and other high-interest incidents. The Peace Corps provides information on past crimes to Volunteer applicants in the country in which the applicant has been invited to serve, and also uses this information for programmatic and training purposes in order to make informed decisions about potential changes in policy and/or programs. The system notifies in a timely manner Peace Corps headquarters and overseas staff who have a specific need to know when a crime has occurred against a Volunteer. Such staff makes safety and security, medical, or management decisions regarding the Volunteer victim. The system also notifies the U.S. Embassy's Regional Security Officers covering the post whenever an incident against a Volunteer occurs, so that they may initiate investigative procedures, as necessary.

    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

    Peace Corps Volunteers, Trainees, Peace Corps Response Volunteers, Returned Peace Corps Volunteers, Peace Corps Staff, alleged offenders.

    CATEGORIES OF RECORDS IN THE SYSTEM:

    Incident ID; incident type; classification; report type (i.e., standard, restricted); status; victim Volunteer or victim staff name; victim Volunteer or staff contact information, including phone number, and email address; victim Volunteer or staff status, race/ethnicity, gender, age, sector of assignment, marital status, training group, Entry-On-Duty date, and Projected Completion of Service date; date of incident; date type (i.e., exact, approximate); date incident was reported to post; incident submitted date; incident converted date; conversion reason; conversion approver; time of incident; country of incident; Post reporting the incident; if the incident occurred in the capital city; location type; location subtype; if property was lost, stolen, or damaged; U.S. dollar value of lost property; whether there was successful entry; if the Volunteer was alone; if the victim was targeted due to race, sexual orientation, American heritage, U.S. citizenship, and/or gender identity; threat delivery method; weapon type; if the incident occurred at a Peace Corps site; Peace Corps site the incident occurred; site location the incident occurred; city/town of incident; Designated Security Staff involvement; Victim Advocate involvement; if the victim was driving; victim's vehicle type; other vehicle type; if the Volunteer's vehicle was approved by Post; availability of safety equipment; use of safety equipment; alcohol usage by any vehicle drivers; official date of death; ransom demanded; if express kidnapping occurred; kidnapping resolution; if the victim Volunteer/staff heard about or witnessed a crime; if the victim Volunteer or staff was present; if the victim Volunteer/staff experienced injuries, harassment, sexual harassment, and/or a peeping Tom; if there is a related Stalking Report; if non-Peace Corps property was impacted; nature and details of the incident; staff names and roles that worked on the incident; tasks assigned to staff, including title, name of staff member assigning the task, name of staff member assigned the task, task status, and task assigned; involvement of intimate partner violence; alcohol use by Volunteer at time of incident; post follow up or changes to original incident report, including case update title, date, type, note, creator's role, communication method with the victim Volunteer, and associated services; name of alleged offender; age range of alleged offender; gender of alleged offender; relationship of alleged offender to victim Volunteer/Staff; alcohol use by alleged offender at time of incident; type of alleged offender; if the offender was disclosed or was a stranger; and completed assessments, including assessment type (i.e. Post Incident Assessment, Serious and Imminent Threat Assessment for Security or Medical), staff member name who completed it, date completed, and assessment responses.

    RECORD SOURCE CATEGORIES:

    The information sources include Peace Corps office and program officials, employees, contractors, Peace Corps Volunteers, and other individuals or entities associated with Peace Corps; subjects of an investigation; individuals, businesses, or entities with whom the subjects are or were associated (e.g., colleagues, business associates, acquaintances, or relatives); Federal, State, local, international, and foreign investigative or law enforcement agencies; other government agencies; confidential sources; complainants; witnesses; concerned citizens; and public source materials.

    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSE OF SUCH USERS:

    In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, the Peace Corps may disclose all or a portion of the records or information contained in this system outside of the Peace Corps without the consent of the subject individual, if the disclosure is compatible with the purpose for which the record was collected, as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

    A. Disclosure for Law Enforcement Purposes. Information may be disclosed to the appropriate Federal, State, local, or foreign agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order, if the information indicates a violation or potential violation of civil or criminal law or regulation within the jurisdiction of the receiving entity.

    B. Disclosure Incident to Requesting Information. Information may be disclosed to any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose(s) of the request, or to identify the type of information requested); when necessary to obtain information relevant to a Peace Corps decision concerning retention of an employee or other personnel action (other than hiring), retention of a security clearance, the letting of a contract, or the issuance or retention of a grant or other benefit.

    C. Disclosure to Requesting Agency. Information may be disclosed to a Federal, State, local, or other public authority of the fact that this system of records contains information relevant to the requesting agency's retention of an employee, the retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant, or other benefit. The other agency or licensing organization may then make a request supported by the written consent of the individual for part or all of the record if it so chooses. No disclosure will be made unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another Federal agency for criminal, civil, administrative, personnel, or regulatory action.

    D. Disclosure to Office of Management and Budget. Information may be disclosed to the Office of Management and Budget at any stage in the legislative coordination and clearance process in connection with private relief legislation as set forth in OMB Circular No. A-19.

    E. Disclosure to Congressional Offices. Information may be disclosed to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of the individual.

    F. Disclosure to Department of Justice. Information may be disclosed for purposes of litigation, provided that in each case the disclosure is compatible with the purpose for which the records were collected. Disclosure for these purposes may be made to the Department of Justice, or in a proceeding before a court, adjudicative body, or other administrative body before which the Peace Corps is authorized to appear. This disclosure may be made when: 1. The Peace Corps, or any component thereof; 2. Any employee of the Peace Corps in his or her official capacity; 3. Any employee of the Peace Corps in his or her individual capacity where the Department of Justice or the Peace Corps has agreed to represent the employee; or 4. The United States (when the Peace Corps determines that litigation is likely to affect the Peace Corps or any of its components) is a party to litigation or has an interest in such litigation, and the use of such records by the Department of Justice or the Peace Corps is deemed by the Peace Corps to be relevant and necessary to the litigation.

    G. Disclosure to the National Archives. Information may be disclosed to the National Archives and Records Administration in records management inspections.

    H. Disclosure to Contractors, Grantees, and Others. Information may be disclosed to contractors, grantees, consultants, or Volunteers performing or working on a contract, service, grant, cooperative agreement, job, or other activity for the Peace Corps and who have a need to have access to the information in the performance of their duties or activities for the Peace Corps. When appropriate, recipients will be required to comply with the requirements of the Privacy Act of 1974 as provided in 5 U.S.C. 552a(m).

    I. Disclosures for Administrative Claims, Complaints, and Appeals. Information may be disclosed to an authorized appeal grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator, or other person properly engaged in investigation or settlement of an administrative grievance, complaint, claim, or appeal filed by an employee, but only to the extent that the information is relevant and necessary to the proceeding. Agencies that may obtain information under this routine use include, but are not limited to: the Office of Personnel Management, Office of Special Counsel, Federal Labor Relations Authority, U.S. Equal Employment Commission, and Office of Government Ethics.

    J. Disclosure to the Office of Personnel Management. Information may be disclosed to the Office of Personnel Management pursuant to that agency's responsibility for evaluation and oversight of Federal personnel management.

    K. Disclosure in Connection with Litigation. Information may be disclosed in connection with litigation or settlement discussions regarding claims by or against the Peace Corps, including public filings with a court, to the extent that disclosure of the information is relevant and necessary to the litigation or discussions and except where court orders are otherwise required under section (b)(11) of the Privacy Act of 1974, 5 U.S.C. 552a(b)(11).

    L. Disclosure to U.S. Ambassadors. Information from this system of records may be disclosed to a U.S. Ambassador or his or her designee in a country where the Peace Corps serves when the information is needed to perform an official responsibility, to allow the Ambassador to knowledgeably respond to official inquiries and deal with in-country situations that are within the scope of the Ambassador's responsibility.

    M. Disclosure to all appropriate agencies, entities, and persons when (1) the Peace Corps suspects or has confirmed that there has been a breach of the system of records; (2) the Peace Corps has determined that as a result of the suspected or confirmed breach, there is a risk of harm to individuals, the Peace Corps (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Peace Corps' efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

    N. Disclosure to another Federal agency or Federal entity, when the Peace Corps determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

    POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

    Incident records are maintained in electronic format. Electronic records are stored in computerized databases.

    POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

    Electronic records may be retrieved by incident number, volunteer first or last name, or by any available field recorded in the system.

    POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

    As there is no records disposal schedule for this information, electronic records are being retained indefinitely. Records are retained to allow for historical data and trends analysis. The Annual Report of Crimes Against Volunteers is kept on file permanently for historical reference.

    ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

    The Peace Corps safeguards records in this system in accordance with applicable laws, rules, and policies to protect personally identifiable information against unauthorized access or disclosure. The Peace Corps has imposed strict controls to minimize such risks. Administrative safeguards include, but are not limited to: access to the information in this system is limited to authorized personnel with official duties requiring access, and whose roles have been authorized with such access permissions. All such individuals receive the appropriate privacy and cybersecurity training on an annual basis.

    The physical controls in place include the following: the servers storing electronic data are located offsite in a locked facility with access limited to authorized personnel. The servers are maintained in accordance with a government contract that requires adherence to applicable laws, rules, and policies on protecting individual privacy. Computerized records are safeguarded in a secured environment. Security protocols meet the promulgating guidance as established by the National Institute of Standards and Technology (NIST) Security Standards from Access Control to Data Encryption and Security Assessment and Authorization.

    The technical controls in place include multiple firewalls, system access, encrypted data at rest, encrypted data in motion, periodic vulnerability scans to ensure security compliance, and security access logs. Security complies with applicable Federal Information Processing Standards (FIPS) issued by NIST. Access is restricted to specific authorized Peace Corps individuals who have internet access through work computers using a Personal Identity Verification (PIV). Individual users can only access records with the proper pre-approved accreditation.

    RECORD ACCESS PROCEDURES:

    Any individual who wants access to his or her record should make a written request to the System Manager. Requesters will be required to provide adequate identification, such as a driver's license, employee identification card, or other identifying documentation. Additional identification may be required in some instances. Complete Peace Corps Privacy Act procedures are set out in 22 CFR part 308.

    CONTESTING RECORD PROCEDURES:

    Any individual who wants to contest the contents of a record should make a written request to the System Manager. Requesters will be required to provide adequate identification, such as a driver's license, employee identification card, or other identifying documentation. Additional identification may be required in some instances. Requests for correction or amendment must identify the record to be changed and the corrective action sought. Complete Peace Corps Privacy Act procedures are set out in 22 CFR part 308.

    NOTIFICATION PROCEDURES:

    See “Record Access Procedures.”

    EXEMPTIONS PROMULGATED FOR THE SYSTEM:

    None.

    HISTORY:

    February 17, 2009, 74 FR 131

    Dated: September 12, 2024

    James Olin,

    FOIA/Privacy Act Officer.

    [FR Doc. 2024-21071 Filed 9-16-24; 8:45 am]

    BILLING CODE 6051-01-P

Document Information

Published:
09/17/2024
Department:
Peace Corps
Entry Type:
Notice
Action:
Notice of a modified system of records.
Document Number:
2024-21071
Pages:
76158-76161 (4 pages)