AGENCY:

Postal Service®.

ACTION:

Notice of a modified system of records; response to comments.

SUMMARY:

The United States Postal Service® (USPS) is responding to public comments regarding revisions to a Customer Privacy Act Systems of Records (SOR). These revisions were made to support the migration of emails to a cloud-based platform. The response to the comments made herein warrant revision to the original system of records; as such, a new revision to USPS 820.300 Informed Delivery will be submitted adhering to the standard revision process to affect these changes.

DATES:

The revisions to USPS 820.300, Informed Delivery, Document Citation 87 FR 15275, were originally scheduled to be effective on April 18, 2022, without further notice. After review and evaluation of comments received, the Postal Service has found that substantive changes to the system of records are required; however, these changes and only these changes will be reflected through publication of a new notice for changes to this system of records. The effective date for the implementation of the proposed revisions herein should proceed as scheduled, with revisions to the new publication subject to the dates appearing within that notice.

FOR FURTHER INFORMATION CONTACT:

Janine Castorina, Chief Privacy and Records Management Officer, Privacy and Records Management Office, 202-268-3069 or privacy@usps.gov.

SUPPLEMENTARY INFORMATION:

1. Comment 1:  ^[1] The Informed Delivery Service should have a retention period of seven (7) days versus fourteen (14) days.

Answer: The Postal Service's retention period of seven (7) days for the Informed Delivery Service was set with the publication of the original system of record, finalized December 9, 2016. See 81 FR 89157. No changes were made to this retention period in the current system of records update at issue. However, the Informed Delivery Program Office agrees to extend the retention period for mail piece images to fourteen (14) days when the application is migrated to a cloud-based infrastructure. In the interest of transparency, the Postal Service will submit an additional system of records notice to reflect this change. This new notice will supplement the existing submission for USPS 820.300 Informed Delivery by creating a new retention period specifically for mail images captured and stored within the cloud-based platform. However, no other provisions of this system of records will be affected and should be considered implemented as of the date listed above.

2. Comment 2:  ^[2] Recommending changes to Purpose 9 and the creation of two new purposes that are directly related to the United States Inspection Service and the United States Office of Inspector General.

Answer: The Office of Inspector General requests that Purpose 9 be edited to include the word mail theft. Additionally, it is requested that Purposes 16 and 17 be created specifically for the Inspection Service and the Office of Inspector General so that both entities may use the records for respective investigations.

The Privacy Act requires that an agency only maintain records that are “relevant and necessary to accomplish a purpose of the agency.” See 5 U.S.C. 552a(e)(1). Individuals are notified of the purposes for which the information is collected and used. See 5 U.S.C. 552a(e)(3) and (4). The purposes for the system and the use of the information gathered by the Informed Delivery System is to support electronic notification of mail delivery and other mail delivery purposes. No information in this system can go so far as to show mail theft. The Informed Delivery Service provides the consumer with images of mail that would be delivered that day. If the mail is not delivered, the customer can check a box in the Informed Delivery dashboard and note to USPS that a particular piece has not been received. At best that provides evidence of missing or delayed mail. Showing and identifying mail theft would be a much later determination, with more information, most of which would not be within the Informed Delivery system. We understand that the Office of Inspector General would like to use the information for that purpose. However, purposes one and two, that cover mail that customers should have received and associated reports of mail not received, suit that purpose. The Office of Inspector General may use the missing or delayed mail information to compile it with other information to determine if theft is an issue.

When requesting that additional purposes should be articulated for this system of records to allow Office of Inspector General and Inspection Service investigations, the Office of Inspector General misunderstands the Privacy Act's disclosure intent. The purpose of the Informed Delivery Service is not to allow investigations. What the Office of Inspector General seeks is, instead, to enable certain disclosures of the information within the system of records. Authorized disclosures are not found within the purposes for gathering or using the information. Instead, authorized disclosures are found in section b of the Privacy Act. 5 U.S.C. 552a(b) Conditions of Disclosure. The Privacy Act provides that “those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties” may have access. Id. In some instance, this provision may provide Inspection Service employees with access to records. In addition, other authorized disclosures already exist for this SOR that cover disclosure to the Office of Inspector General and/or the Inspection Service. The next applicable authorized disclosure of the Privacy Act allows for disclosures pursuant to routine uses. The Postal Service has a routine use to provide records for a law enforcement purpose. See AS-353, Guide to Privacy, the Freedom of Information Act, and Records Management, Appendix D.2.2. This disclosure includes customer systems because the Inspector General Act of 1978, as amended, requires certain disclosures. Another authorized disclosure of criminal or civil law enforcement activity exists within the Privacy Act. See 5 U.S.C. 552a(b)(7). Following a written request, certain information can be disclosed for law enforcement purposes. Because authorized disclosures apply to provide the information, new purposes are not necessary or appropriate in this instance.

3. Comment 3:  ^[3] The Office of Inspector General asks a question Start Printed Page 35804 regarding whether third party disclosure of information is permitted in order to pursue an investigation. Additionally, in this comment the Office of Inspector General requests a routine use allowing third party disclosure of information pursuant to an investigation.

Answer: The question posed by the Office of Inspector General is whether the disclosure of some information from this SOR to the Office of Inspector General authorizes them to “share Informed Delivery information with third parties to investigate the customer's complaint.” Unfortunately, this request is for a generalized legal opinion, absent the factual support of a scenario. Such an opinion cannot be provided.

As discussed in response to comment number 2, three authorized disclosures already exist that allow information to be shared for law enforcement purposes. However, merely being authorized to provide the data to the Office of Inspector General does not end the inquiry. An independent inquiry must be made of whether this particular third party has a need to know the information. Determining the need to know of a particular party is a fact specific determination. As a result, the need to know for a particular class of individuals, absent knowledge of the particular factual circumstances, cannot be answered in the abstract.

The request for a generalized routine use to further disclose information disclosed from a system of record pursuant to a different routine use, to a generalized class of individuals is equally untenable. It is not possible to ensure that the entire class is appropriate for disclosure. As a result, the class does not comport with the strictures required by the Privacy Act and cannot be entertained.

4. Comment 4:  ^[4] The Office of Inspector General asks two questions to ascertain whether mailpiece images are personally identifiable information as defined in the Privacy Act.

Answer: To fully respond to this question, it is necessary to discuss the exact nature of a record that would be subject to the Privacy Act. A record is subject to the Privacy Act if it is a “record which is contained in a system of records.” 5 U.S.C. 552a(b).

A record is an “item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.” 5 U.S.C. 552a(a)(4).

A system of records is “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. 552a(a)(5) (emphasis added).

Therefore, to be subject to the Privacy Act, data must be a record and stored in a system of record.

Looking at mailpieces, the answer is two-fold. When mailpiece images are within the Informed Delivery System, those mailpiece images are records stored in a system of records. Mailpiece images are provided to the individual, with a Customer Registration and Informed Delivery account, who will be receiving the physical mailpiece. The mailpiece images are directly related to the delivery point associated to the accounts. Delivery points associated with accounts are retried by personal identifier and they are subject to the Privacy Act.

When the mailpiece images are not within the Informed Delivery Service, they are stored in bulk with the mail-processing equipment. Those images are not stored or retrieved by personal identifier. It is not until they are associated with the Informed Delivery Service that they become retrievable by personal identifier. As a result, when the mailpiece images are in bulk storage, they are not records subject to the Privacy Act.

Footnotes