AGENCY:

National Archives and Records Administration (NARA).

ACTION:

Notice of a modified system of records.

SUMMARY:

We propose revising Appendix A of our existing Privacy Act inventory of systems subject to the Privacy Act of 1974, which contains the common routine uses that apply to some or all of our systems of records. We propose to revise routine use H, which permits sharing information when there has been a data breach and it's necessary to respond to the breach. And we propose adding a new routine use for sharing information with other agencies that experience a data breach. Both of these changes are required by an OMB memorandum and these routine uses apply to all of our systems of records. Routine use H is already included in all of our SORNs, but we are now adding routine use I to them as well. In this notice, we publish the revised routine use H and the new routine use I for public notice and comment and add routine use I to all of our SORNs.

DATES:

Submit comments on these routine uses by April 21, 2022. This revision to Appendix A is effective on May 2, 2022 unless we receive comments that necessitate revising the SORN.

ADDRESSES:

You may submit comments, identified by “SORN Appendix A” by one of the following methods:

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

• Due to COVID-19 restrictions, we do not have staff at the building to receive mail, so we are temporarily suspending the mailing option. If you are not able to submit comments using the eRulemaking portal and need to make other arrangements, please email us at regulation_comments@nara.gov and we will work with you on an alternative.

Instructions: All submissions must include SORN Appendix A so we can identify what the comment is responding to. We may publish any comments we receive without changes, including any personal information you include.

FOR FURTHER INFORMATION CONTACT:

Kimberly Keravuori, Regulatory and External Policy Program Manager, by Start Printed Page 16245 email at regulation_comments@nara.gov or by phone at 301.837.3151.

SUPPLEMENTARY INFORMATION:

Appendix A is part of our system of records notices that cover systems containing information protected by the Privacy Act. Appendix A contains the routine uses that apply to all or many of our Privacy Act-covered systems and currently consists of uses A through H. Appendix A was last republished on December 20, 2013 (78 FR 77255, 77287). For the most up-to-date information, see the Appendix on our website at www.archives.gov/​privacy/​inventory.

The existing routine use H already covers disclosure of information in the system of records when necessary to facilitate responses to data breaches of the system. However, the Office of Management and Budget (OMB) issued a memorandum that included provisions relating to data breach routine uses that OMB required all agencies to incorporate into their SORNs. So we are updating routine use H to incorporate the required provisions from OMB M-17-12.

OMB M-17-12 also required agencies to incorporate provisions for another routine use, also related to data breaches, but designed to facilitate sharing information between agencies when appropriate so that another agency can better respond to its data breach. For example, this may include information that would assist the other agency in locating or contacting individuals potentially affected by a breach, or information that is related to the other agency's programs or information. So that we can disclose records in our systems of records that may reasonably be needed by another agency in responding to a breach, we are adding this routine use to all our systems of records.

The changes to routine use H will affect and be incorporated into all of our SORNs, and the new routine use I will be added to all of our SORNs based on this notice. To see the most current versions of our SORNs and Appendix A at any time, visit our website at www.archives.gov/​privacy/​inventory.

The Privacy Act of 1974, as amended (5 U.S.C. 552a) (“Privacy Act”), provides certain safeguards for an individual against an invasion of personal privacy. It requires Federal agencies that disseminate any record of personally identifiable information to do so in a manner that assures the action is for a necessary and lawful purpose, the information is current and accurate for its intended use, and the agency provides adequate safeguards to prevent misuse of such information. NARA intends to follow these principles when transferring information to another agency or individual as a “routine use,” including assuring that the information is relevant for the purposes for which it is transferred.

APPENDIX A

The following routine use statements apply to National Archives and Records Administration notices when indicated in the notice:

H. Routine Use—Data breach: A record from this system of records may be disclosed to appropriate agencies, entities, and people when (1) we suspect or confirm that there has been a breach of the system of records; (2) we determine that, as a result of the suspected or confirmed breach, there is a risk of harm to individuals, NARA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and people is reasonably necessary to assist our efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

I. Routine Use—Other agency data breach: A record from this system of records may be disclosed to another Federal agency or Federal entity, when we determine that information from this system of records is reasonably necessary to assist the recipient agency or entity to (1) respond to a suspected or confirmed breach or (2) prevent, minimize, or remedy the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

HISTORY:

Last republished in full on December 20, 2013 (78 FR 77255).