Privacy Act of 1974; System of Records

Issuing agencies

Abstract

The U.S. Environmental Protection Agency's (EPA), Office of Mission Support (OMS) is giving notice that it proposes to create a new system of records pursuant to the provisions of the Privacy Act of 1974. The Public Health Emergency Workplace Response System is being created to collect workplace safety and personnel information in response to a public health emergency such as a pandemic or epidemic.

Full Text

<html>
<head>
<title>Federal Register, Volume 86 Issue 123 (Wednesday, June 30, 2021)</title>
</head>
<body><pre>
[Federal Register Volume 86, Number 123 (Wednesday, June 30, 2021)]
[Notices]
[Pages 34738-34742]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2021-13989]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[FRL-10018-65-OMS]


Privacy Act of 1974; System of Records

AGENCY: Office of Mission Support (OMS), Environmental Protection 
Agency (EPA).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The U.S. Environmental Protection Agency's (EPA), Office of 
Mission Support (OMS) is giving notice that it proposes to create a new 
system of records pursuant to the provisions of

[[Page 34739]]

the Privacy Act of 1974. The Public Health Emergency Workplace Response 
System is being created to collect workplace safety and personnel 
information in response to a public health emergency such as a pandemic 
or epidemic.

DATES: Persons wishing to comment on this system of records notice must 
do so by July 30, 2021. New routine uses for this new system of records 
will be effective July 30, 2021.

ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OMS-2020-0454, by one of the following methods:
    <a href="http://Regulations.gov">Regulations.gov</a>: <a href="http://www.regulations.gov">www.regulations.gov</a>. Follow the online 
instructions for submitting comments.
    Email: <a href="/cdn-cgi/l/email-protection#9af5fff3b4fef5f9f1ffeedaffeafbb4fdf5ec"><span class="__cf_email__" data-cfemail="117e74783f757e727a7465517461703f767e67">[email&#160;protected]</span></a>.
    Fax: 202-566-1752.
    Mail: OMS Docket, Environmental Protection Agency, Mail Code: 
2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
    Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 
1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are 
only accepted during the Docket's normal hours of operation, and 
special arrangements should be made for deliveries of boxed 
information.
    Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-
2020-0454. The EPA policy is that all comments received will be 
included in the public docket without change and may be made available 
online at <a href="http://www.regulations.gov">www.regulations.gov</a>, including any personal information 
provided, unless the comment includes information claimed to be 
Controlled Unclassified Information (CUI) or other information for 
which disclosure is restricted by statute. Do not submit information 
that you consider to be CUI or otherwise protected through 
<a href="http://www.regulations.gov">www.regulations.gov</a>. The <a href="http://www.regulations.gov">www.regulations.gov</a> website is an ``anonymous 
access'' system for EPA, which means the EPA will not know your 
identity or contact information unless you provide it in the body of 
your comment. Each agency determines submission requirements within 
their own internal processes and standards. EPA has no requirement of 
personal information. If you send an email comment directly to the EPA 
without going through <a href="http://www.regulations.gov">www.regulations.gov</a> your email address will be 
automatically captured and included as part of the comment that is 
placed in the public docket and made available on the internet. If you 
submit an electronic comment, the EPA recommends that you include your 
name and other contact information in the body of your comment. If the 
EPA cannot read your comment due to technical difficulties and cannot 
contact you for clarification, the EPA may not be able to consider your 
comment. Electronic files should avoid the use of special characters, 
any form of encryption, and be free of any defects or viruses. For 
additional information about the EPA public docket, visit the EPA 
Docket Center homepage at <a href="http://www.epa.gov/epahome/dockets.htm">http://www.epa.gov/epahome/dockets.htm</a>.
    Docket: All documents in the docket are listed in the 
<a href="http://www.regulations.gov">www.regulations.gov</a> index. Although listed in the index, some 
information is not publicly available, e.g., CUI or other information 
for which disclosure is restricted by statute. Certain other material, 
such as copyrighted material, will be publicly available only in hard 
copy. Publicly available docket materials are available either 
electronically in <a href="http://www.regulations.gov">www.regulations.gov</a> or in hard copy at the OMS 
Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. 
NW, Washington, DC 20460. The Public Reading Room is open from 8:30 
a.m. to 4:30 p.m., Monday through Friday excluding legal holidays. The 
telephone number for the Public Reading Room is (202) 566-1744, and the 
telephone number for the OMS Docket is (202) 566-1752.
    Out of an abundance of caution for members of the public and our 
staff, the EPA Docket Center and Reading Room are closed to the public, 
with limited exceptions, to reduce the risk of transmitting COVID-
19.Our Docket Center staff will continue to provide remote customer 
service via email, phone, and webform. We encourage the public to 
submit comments via <a href="https://www.regulations.gov/">https://www.regulations.gov/</a> or email, as there may 
be a delay in processing mail and faxes. Hand deliveries and couriers 
may be received by scheduled appointment only. For further information 
on EPA Docket Center services and the current status, please visit us 
online at <a href="https://www.epa.gov/dockets">https://www.epa.gov/dockets</a>.

FOR FURTHER INFORMATION CONTACT: Jill Smink at <a href="/cdn-cgi/l/email-protection#a2d1cfcbccc98cc8cbcecee2c7d2c38cc5cdd4"><span class="__cf_email__" data-cfemail="ccbfa1a5a2a7e2a6a5a0a08ca9bcade2aba3ba">[email&#160;protected]</span></a>, 
(202) 540-9196.

SUPPLEMENTARY INFORMATION: EPA is creating the Public Health Emergency 
Workplace Response System, EPA-89, to support the Agency's ability to 
provide a safe and healthy working environment in EPA locations (i.e., 
locations where the Agency is conducting official business) during a 
public health emergency (e.g., a Presidential declaration of a national 
public health emergency, U.S. Department of Health and Human Services 
declaration of a public health emergency, or other circumstances 
constituting a public health emergency). EPA-89 will allow the Agency 
to develop and institute safety measures in response to public health 
emergency contaminants (e.g., a pathogen or chemical) as needed, which 
may include:
    <bullet> Contact Tracing--identification, monitoring, and support 
of an affected individual (an individual in an EPA location with 
confirmed or probable exposure to a public health emergency 
contaminant), and identification and contact of a potentially affected 
individual (an individual who was in contact with an affected 
individual or exposed to a public health emergency contaminant while in 
an EPA location);
    <bullet> Medical Screening--examination of individuals entering an 
EPA location for symptoms or other indications consistent with exposure 
to a public health emergency contaminant; and
    <bullet> Workplace Access Tracking and Planning--planning and 
tracking of location and time of individuals in EPA locations for 
purposes of contact tracing, social distancing, and/or management of 
exposure to public health emergency contaminants within EPA locations.

SYSTEM NAME AND NUMBER:
    Public Health Emergency Workplace Response System, EPA-89.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are maintained at the EPA Headquarters, 1301 Constitution 
Ave. NW, Washington, DC 20460, regional offices, field offices and 
laboratories.

SYSTEM MANAGER(S):
    Willie J. Abney, Division Director of Desktop Support Services 
Division (DSSD), Office of Mission Support, 1301 Constitution Ave. NW, 
Washington, DC 20460, Email Address: <a href="/cdn-cgi/l/email-protection#8ccdeee2e9f5a2dbe5e0e0e5e9cce9fceda2ebe3fa"><span class="__cf_email__" data-cfemail="ce8faca0abb7e099a7a2a2a7ab8eabbeafe0a9a1b8">[email&#160;protected]</span></a>, Phone 
Number: 202-566-1366.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 6329c, 5 U.S.C. 7902, 29 U.S.C. 654, 29 U.S.C. 668, 42 
U.S.C. 247d, 44 U.S.C. 3101, 42 U.S.C. 12101, 5 CFR part 339, 29 CFR 
part 1602, Executive Order 12196, Occupational safety and health 
programs for Federal employees (Feb. 26, 1980), OMB Memorandum M-20-23 
Aligning Federal Agency Operations with the National Guidelines for 
Opening Up America Again (Apr. 20, 2020).

PURPOSE(S) OF THE SYSTEM:
    EPA proposes to establish a new system of records to manage the 
Agency's planning and response to a

[[Page 34740]]

public health emergency in EPA locations. EPA intends to collect 
information in the system to assist EPA with maintaining safe and 
healthy workplaces, to protect individuals in EPA locations from risks 
associated with a public health emergency, to plan and respond to 
workplace and personnel flexibilities needed during a public health 
emergency, to facilitate EPA's cooperation with public health 
authorities, and assist with contact tracing. Contact tracing is 
defined as the identification, monitoring, and support of an affected 
individual (an individual in an EPA location with confirmed or probable 
exposure to a public health emergency contaminant), and identification 
and contact of a potentially affected individual (an individual who was 
in contact with an affected individual or exposed to a public health 
emergency contaminant while in an EPA location).

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Categories of individuals covered by this system include EPA 
employees. The system also covers individuals working in EPA facilities 
or on official EPA business, including: EPA contractors, non-EPA 
government personnel or contractors, interns, grantees, fellows, and 
volunteers. Other categories of individuals covered by the system 
include: Visitors to EPA facilities; and potentially affected 
individuals at EPA locations or otherwise present during official EPA 
business. The system also covers individuals listed as emergency 
contacts for such individuals.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Information collected in the system may include but is not limited 
to: Contact information of the individuals (which may include name, 
address; phone number; email address); EPA LAN ID; EPA employee number; 
EPA staff office (e.g., organization chart structure) and supervisor 
contact information (which may include name, phone number, and email 
address); emergency contact information (which may include name, phone 
number, and email address); and Agency facility or location access 
information that includes, but is not limited to, the dates when the 
affected individual visited the facility or location, the areas that 
they visited within the facility (e.g., entrance used, office and 
cubicle number, shared spaces used) or at the location, the duration of 
time spent in the facility or location, the individuals they came in 
contact with, and security systems monitoring data; and facility 
cleaning data. The system also collects Sensitive Personal Identifiable 
Information (SPII) such as medical information, including but not 
limited to, dates and results of any: Expected or confirmed medical 
testing (e.g., temperature readings, viral or bacterial exposure 
testing, antibody testing) performed in relation to a public health 
emergency; symptoms consistent with a public health emergency; 
potential or actual exposure to a public health emergency contaminant; 
immunizations and vaccination information; or other medical history 
related to the treatment of a public health emergency contaminant. The 
system may also collect information, including but not limited to, on: 
Recent travel details (including dates, locations, carriers); EPA staff 
certifications relating to dependent care obligations or whether EPA 
staff are in a high-risk category regarding a public health emergency 
contaminant; name and contact information of EPA staff assigned to 
track and respond to an individual's case; date and time of information 
entry; contents of communications between assigned EPA staff and 
affected individuals; and case status.

RECORD SOURCE CATEGORIES:
    The information in this system is collected from the individual, 
the individual's manager, and from the individual's emergency contact. 
When necessary, for non-EPA personnel, information may also be 
collected from the individual's employer, grantee organization, other 
federal agencies, or similar designated external points of contact. 
Information is also collected from security systems monitoring access 
to Agency facilities (such as video surveillance and key card logs), 
human resources systems, emergency notification systems, and federal, 
state, and local agencies assisting with the response to a public 
health emergency.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The following routine uses apply to this system because the use of 
the record is necessary for the efficient conduct of government 
operations. The routine uses are related to and compatible with the 
original purpose for which the information was collected. Routine uses 
I and J are required under OMB M-17-12.
    A. Disclosure for Law Enforcement Purposes.
    Information may be disclosed to the appropriate Federal, State, 
local, tribal, or foreign agency responsible for investigating, 
prosecuting, enforcing, or implementing a statute, rule, regulation, or 
order, if the information is relevant to a violation or potential 
violation of civil or criminal law or regulation within the 
jurisdiction of the receiving entity.
    B. Disclosure Incident to Requesting Information.
    Information may be disclosed to any source from which additional 
information is requested (to the extent necessary to identify the 
individual, inform the source of the purpose of the request, and to 
identify the type of information requested,) when necessary to obtain 
information relevant to an agency decision concerning retention of an 
employee or other personnel action (other than hiring,) retention of a 
security clearance, the letting of a contract, or the issuance or 
retention of a grant, or other benefit.
    C. Disclosure to Congressional Offices.
    Information may be disclosed to a congressional office from the 
record of an individual in response to an inquiry from the 
congressional office made at the request of the individual.
    D. Disclosure to Department of Justice.
    Information may be disclosed to the Department of Justice, or in a 
proceeding before a court, adjudicative body, or other administrative 
body before which the Agency is authorized to appear, when:
    <bullet> The Agency, or any component thereof;
    <bullet> Any employee of the Agency in his or her official 
capacity;
    <bullet> Any employee of the Agency in his or her individual 
capacity where the Department of Justice or the Agency have agreed to 
represent the employee; or
    The United States, if the Agency determines that litigation is 
likely to affect the Agency or any of its components, is a party to 
litigation or has an interest in such litigation, and the use of such 
records by the Department of Justice or the Agency is deemed by the 
Agency to be relevant and necessary to the litigation.
    E. Disclosure to the National Archives.
    Information may be disclosed to the National Archives and Records 
Administration in records management inspections.
    F. Disclosure to Contractors, Grantees, and Others.
    Information may be disclosed to contractors, grantees, consultants, 
or volunteers performing or working on a contract, service, grant, 
cooperative agreement, job, or other activity for the Agency and who 
have a need to have access to the information in the

[[Page 34741]]

performance of their duties or activities for the Agency.
    G. Disclosures for Administrative Claims, Complaints and Appeals.
    Information from this system of records may be disclosed to an 
authorized appeal grievance examiner, formal complaints examiner, equal 
employment opportunity investigator, arbitrator or other person 
properly engaged in investigation or settlement of an administrative 
grievance, complaint, claim, or appeal filed by an employee, but only 
to the extent that the information is relevant and necessary to the 
proceeding. Agencies that may obtain information under this routine use 
include, but are not limited to, the Office of Personnel Management, 
Office of Special Counsel, Merit Systems Protection Board, Federal 
Labor Relations Authority, Equal Employment Opportunity Commission, and 
Office of Government Ethics.
    H. Disclosure in Connection With Litigation.
    Information from this system of records may be disclosed in 
connection with litigation or settlement discussions regarding claims 
by or against the EPA, including public filing with a court, to the 
extent that disclosure of the information is relevant and necessary to 
the litigation or discussions and except where court orders are 
otherwise required under section (b)(11) of the Privacy Act of 1974, 5 
U.S.C. 552a(b)(11).
    I. Disclosure to Persons or Entities in Response to an Actual or 
Suspected Breach of Personally Identifiable Information.
    To appropriate agencies, entities, and persons when (1) the Agency 
suspects or has confirmed that there has been a breach of the system of 
records, (2) the Agency has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
the Agency (including its information systems, programs, and 
operations), the Federal Government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with the Agency's efforts to respond 
to the suspected or confirmed breach or to prevent, minimize, or remedy 
such harm.
    J. Disclosure To Assist Another Agency in Its Efforts To Respond to 
a Breach.
    To another Federal agency or Federal entity, when the Agency 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.
    K. Disclosure to a Public Health Authority.
    To Federal agencies such as the Department of Health and Human 
Services (HHS), State and local health departments, and other public 
health or cooperating medical authorities in connection with program 
activities and related collaborative efforts to deal more effectively 
with exposures to communicable diseases, and to satisfy mandatory 
reporting requirements when applicable.
    L. Disclosure to Governmental Organization.
    To appropriate federal, state, local, tribal, or foreign 
governmental agencies or multilateral governmental organizations, to 
the extent permitted by law, and in consultation with legal counsel, 
for the purpose of protecting the vital interests of a data subject or 
other persons, including to assist such agencies or organizations in 
preventing exposure to or transmission of a communicable or 
quarantinable disease or to combat other significant public health 
threats.
    M. Disclosure to Emergency Contacts.
    To a potentially affected individual's emergency contact for 
purposes of locating the individual to communicate that they may have 
been exposed to a public health emergency contaminant in an EPA 
location or while otherwise present during official EPA business.
    N. Disclosure for Contact Tracing.
    To affected individuals and/or potentially affected individuals, 
and/or, when needed, to the (potentially) affected individual's 
employer, grantee organization, federal agency to whom the individual 
is contracted, or other similar designated external points of contact, 
information necessary for contact tracing. For example: Informing an 
individual that they were exposed to an affected individual or public 
health emergency contaminant in an EPA location or while otherwise 
present during EPA business, and the timing and location of the 
exposure; or contacting the employer of a potentially affected 
individual in the course of trying to contact the potentially affected 
individual themselves.
    Contact tracing is defined as: Identification, monitoring, and 
support of an affected individual (an individual in an EPA location 
with confirmed or probable exposure to a public health emergency 
contaminant), and identification and contact of a potentially affected 
individual (an individual who was in contact with an affected 
individual or exposed to a public health emergency contaminant while in 
an EPA location), the same definition as above in Supplemental 
Information.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    These records are maintained electronically on computer storage 
devices such as computer tapes and disks, or on paper. The computer 
storage devices are managed by the EPA, Office of Mission Support, 1301 
Constitution Ave. NW, Washington, DC 20460. Backup files will be 
maintained at a disaster recovery site. Computer records are maintained 
in a secure password-protected environment. Access to computer records 
is limited to those who have a need to know. Permission level 
assignments will allow users access only to those functions for which 
they are authorized. All records are maintained in secure, access-
controlled areas or buildings.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by any data category in the system (e.g., 
name, office, supervisor, date of medical testing, assigned EPA staff). 
Records are only retrievable by authorized EPA staff (who are EPA 
employees and/or contractors) and retrieval methods are limited by 
permission levels as described below under Technical Safeguards.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    EPA will retain and dispose of these records in accordance with the 
National Archives and Records Administration General Records Schedule. 
EPA-89 follows the EPA Records Policy for retention and disposal, per 
schedule 1012 (Information and Technology Management) and schedule 1049 
(Information Access and Protection Records). The schedule provides 
disposal authorization for electronic files and hard copy printouts 
created to monitor system usage, including log-in files, audit trail 
files, and system usage files. Records in EPA-89 will be deleted or 
destroyed when the Agency determines they are no longer needed for 
administrative, legal, audit, or other purposes.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Security controls used to protect PII and SPII in EPA-89 are 
commensurate with those required for an information

[[Page 34742]]

system rated moderate for confidentiality, integrity, and availability, 
as prescribed in NIST Special Publication, 800-53, ``Recommended 
Security Controls for Federal Information Systems,'' Revision 4.
    Administrative Safeguards.
    EPA staff must complete annual agency training for Information 
Security and Privacy. EPA instructs staff to lock and secure their 
computers when unattended.
    Technical Safeguards.
    The system administrator, an EPA staff member, authorizes 
appropriate permission levels for authorized EPA staff. Permission 
level assignments allow authorized users to access only those system 
functions and records specific to their Agency work need. EPA also has 
technical security measures including restrictions on computer access 
to authorized individuals and required use of a personal identity 
verification (PIV) card and password.
    Physical Safeguards.
    EPA equipment used for EPA-89 is located in the Federal cloud space 
not connected to other federal systems. Only authorized employees have 
access to this information in the Federal space.

RECORD ACCESS PROCEDURES:
    Individuals seeking access to information in this system of records 
about themselves are required to provide adequate identification (e.g., 
driver's license, military identification card, employee badge or 
identification card). Additional identity verification procedures may 
be required, as warranted. Requests must meet the requirements of EPA 
regulations that implement the Privacy Act of 1974, at 40 CFR part 16.

CONTESTING RECORDS PROCEDURES:
    Requests for correction or amendment must identify the record to be 
changed and the corrective action sought. Complete EPA Privacy Act 
procedures are described in EPA's Privacy Act regulations at 40 CFR 
part 16.

NOTIFICATION PROCEDURES:
    Any individual who wishes to know whether this system of records 
contains a record about themselves, and to obtain a copy of any such 
record(s), should make a written request to the Attn: Agency Privacy 
Officer, MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, 
<a href="/cdn-cgi/l/email-protection#7000021906111309301500115e171f06"><span class="__cf_email__" data-cfemail="8bfbf9e2fdeae8f2cbeefbeaa5ece4fd">[email&#160;protected]</span></a>.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2021-13989 Filed 6-29-21; 8:45 am]
BILLING CODE 6560-50-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>