Privacy Act of 1974; Implementation

Issuing agencies

Abstract

The Department of Defense (Department or DoD) is giving concurrent notice of a new Department-wide system of records pursuant to the Privacy Act of 1974 for the DoD-0019, "Information Technology Access and Audit Records," system of records and this proposed rulemaking. In this proposed rulemaking, the Department proposes to exempt portions of this system of records from certain provisions of the Privacy Act of 1974, as amended, because of national security requirements and to avoid interference during the conduct of criminal, civil, or administrative actions or investigations.

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 169 (Friday, September 1, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 169 (Friday, September 1, 2023)]
[Proposed Rules]
[Pages 60411-60413]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-18681]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 310

[Docket ID: DoD-2023-OS-0060]
RIN 0790-AL64


Privacy Act of 1974; Implementation

AGENCY: Office of the Secretary of Defense (OSD), Department of Defense 
(DoD).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Defense (Department or DoD) is giving 
concurrent notice of a new Department-wide system of records pursuant 
to the Privacy Act of 1974 for the DoD-0019, ``Information Technology 
Access and Audit Records,'' system of records and this proposed 
rulemaking. In this proposed rulemaking, the Department proposes to 
exempt portions of this system of records from certain provisions of 
the Privacy Act of 1974, as amended, because of national security 
requirements and to avoid interference during the conduct of criminal, 
civil, or administrative actions or investigations.

DATES: Send comments on or before October 31, 2023.

ADDRESSES: You may submit comments, identified by docket number, 
Regulation Identifier Number (RIN), and title, by any of the following 
methods.
    * Federal Rulemaking Portal: <a href="http://www.regulations.gov">http://www.regulations.gov</a>. Follow the 
instructions for submitting comments.
    * Mail: Department of Defense, Office of the Assistant to the 
Secretary of Defense for Privacy, Civil Liberties, and Transparency, 
Regulatory Directorate, 4800 Mark Center Drive, Attn: Mailbox 24, Suite 
08D09, Alexandria, VA 22350-1700.
    Instructions: All submissions received must include the agency name 
and docket number or RIN for this Federal Register document. The 
general policy for comments and other submissions from members of the 
public is to make these submissions available for public viewing on the 
internet at <a href="https://www.regulations.gov">https://www.regulations.gov</a> as they are received without 
change, including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Ms. Rahwa Keleta, <a href="/cdn-cgi/l/email-protection#a4ebf7e08ae0f4e7e8f0e0e4c9c5cdc88ac9cdc8"><span class="__cf_email__" data-cfemail="66293522482236252a3222260b070f0a480b0f0a">[email&#160;protected]</span></a>; 
(703) 571-0070.

SUPPLEMENTARY INFORMATION:

I. Background

    In accordance with the Privacy Act of 1974, the DoD is establishing 
a new Department-wide system of records titled ``Information Technology 
Access and Audit Records,'' DoD-0019. The purpose of this system of 
records is to support information systems being established within the 
DoD using the same categories of data for the same purposes. This 
system of records covers DoD's maintenance of records related to 
requests for user access, attempts to access, granting of access, 
records of user actions for DoD information technology (IT) systems, 
and user agreements. This includes details of programs, databases, 
functions, and sites accessed and/or used, and the information products 
created, received, or altered during the use of IT systems. The system 
consists of both electronic and paper records and will be used by DoD 
components and offices to maintain records about individuals who have 
user agreements, user access to and activity on networks, computer 
systems, applications, databases, or other digital technologies.

II. Privacy Act Exemption

    The Privacy Act permits Federal agencies to exempt eligible records 
in a system of records from certain provisions of the Act, including 
that provide individuals with a right to request access to and 
amendment of their own records and accountings of disclosures of such 
records. If an agency intends to exempt a particular system of records, 
it must first go through the rulemaking process pursuant to 5 U.S.C. 
553(b)(1)-(3), (c), and (e). This proposed rule explains why an 
exemption is being claimed for this system of records and invites 
public comment, which DoD will consider before the issuance of a final 
rule implementing the exemption.
    The DoD proposes to modify 32 CFR part 310 to add a new Privacy Act 
exemption rule for DoD-0019, ``Information Technology Access and Audit 
Records.'' The DoD proposes to exempt portions of this system of 
records from certain provisions of the Privacy Act because information 
in this system of records may fall within the scope of the following 
Privacy Act exemptions: (k)(1) and (k)(2).
    The DoD proposes to exempt this system of records because some of 
these records may contain classified national security information and 
providing notice, access, amendment, and disclosure of accounting of 
those records to an individual, as well as certain record-keeping 
requirements, may cause damage to national security. The Privacy Act, 
pursuant to 5 U.S.C. 552a(k)(1), authorizes agencies to claim an 
exemption for systems of records that contain information properly 
classified pursuant to executive order. DoD is proposing to claim an 
exemption from several provisions of the Privacy Act, including various 
access, amendment, disclosure of accounting, and certain record-keeping 
and notice requirements, to prevent disclosure of any information 
properly classified pursuant to executive order, as implemented by DoD 
Instruction 5200.01 and DoD Manual 5200.01, Volumes 1 and 3.
    The DoD is also proposing this exemption rule because this system 
of records may contain investigatory material compiled for law 
enforcement purposes within the scope of 5 U.S.C. 552a(k)(2). This 
exemption allows DoD entities to claim an exemption for systems of 
records that contain investigatory materials compiled for law 
enforcement purposes, other than material within the scope of 5 U.S.C. 
552a(j)(2), which describes certain material related to the enforcement 
of criminal laws maintained by principal-function criminal law 
enforcement agencies. The Department therefore is proposing to claim an 
exemption from several provisions of the Privacy Act, including various 
access, amendment, disclosure of accounting, and certain record-keeping 
and notice requirements, to prevent, among other harms, the 
identification of actual or potential subjects of investigation and/or 
sources of investigative information and to avoid frustrating the 
underlying law enforcement purpose for which the records were 
collected.
    Records in this system of records are only exempt from the Privacy 
Act to the extent the purposes underlying the exemption pertain to the 
record. A notice of a new system of records for DoD-0019, ``Information 
Technology Access and Audit Records,'' is also published in this issue 
of the Federal Register.

Regulatory Analysis

Executive Order 12866, ``Regulatory Planning and Review'' and Executive 
Order 13563, ``Improving Regulation and Regulatory Review''

    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits

[[Page 60412]]

(including potential economic, environmental, public health and safety 
effects, distribute impacts, and equity). Executive Order 13563 
emphasizes the importance of quantifying both costs and benefits, of 
reducing costs, of harmonizing rules, and of promoting flexibility. It 
has been determined that this rule is not a significant regulatory 
action.

Congressional Review Act (5 U.S.C. 804(2))

    The Congressional Review Act, 5 U.S.C. 801 et seq., generally 
provides that before a rule may take effect, the agency promulgating 
the rule must submit a rule report, which includes a copy of the rule, 
to each House of the Congress and to the Comptroller General of the 
United States. DoD will submit a report containing this rule and other 
required information to the U.S. Senate, the U.S. House of 
Representatives, and the Comptroller General of the United States. A 
major rule may take effect no earlier than 60 calendar days after 
Congress receives the rule report or the rule is published in the 
Federal Register, whichever is later. This rule is not a ``major rule'' 
as defined by 5 U.S.C. 804(2).

Section 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    Section 202(a) of the Unfunded Mandates Reform Act of 1995 (UMRA) 
(2 U.S.C. 1532(a)) requires agencies to assess anticipated costs and 
benefits before issuing any rule whose mandates may result in the 
expenditure by State, local, and tribal governments in the aggregate, 
or by the private sector, in any one year of $100 million in 1995 
dollars, updated annually for inflation. This rule will not mandate any 
requirements for State, local, or tribal governments, nor will it 
affect private sector costs.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601 et 
seq.)

    The Assistant to the Secretary of Defense for Privacy, Civil 
Liberties, and Transparency has certified that this rule is not subject 
to the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) because it 
would not, if promulgated, have a significant economic impact on a 
substantial number of small entities. This rule is concerned only with 
the administration of Privacy Act systems of records within the DoD. 
Therefore, the Regulatory Flexibility Act, as amended, does not require 
us to prepare a regulatory flexibility analysis.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. 3501 et seq.)

    The Paperwork Reduction Act (44 U.S.C. 3501 et seq.) was enacted to 
minimize the paperwork burden for individuals; small businesses; 
educational and nonprofit institutions; Federal contractors; State, 
local and tribal governments; and other persons resulting from the 
collection of information by or for the Federal Government. The Act 
requires agencies obtain approval from the Office of Management and 
Budget before using identical questions to collect information from ten 
or more persons. This rule does not impose reporting or recordkeeping 
requirements on the public.

Executive Order 13132, ``Federalism''

    It has been determined that this rule does not have federalism 
implications. This rule does not have substantial direct effects on the 
States, on the relationship between the Federal Government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government.

Executive Order 13175, ``Consultation and Coordination With Indian 
Tribal Governments''

    Executive Order 13175 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct compliance costs on one or 
more Indian tribes, preempts tribal law, or affects the distribution of 
power and responsibilities between the Federal Government and Indian 
tribes. This rule will not have a substantial effect on Indian tribal 
governments.

List of Subjects in 32 CFR Part 310

    Privacy.

    Accordingly, 32 CFR part 310 is proposed to be amended as follows:

PART 310--PROTECTION OF PRIVACY AND ACCESS TO AND AMENDEMENT OF 
INDIVIDUAL RECORDS UNDER THE PRIVACY ACT OF 1974

0
1. The authority citation for part 310 continues to read as follows:

    Authority: 5 U.S.C. 552a.

0
2. Amend Sec.  310.13 by adding paragraph (e)(14) to read as follows:


Sec.  310.13   Exemptions for DoD-wide systems.

* * * * *
    (e) * * *
    (14) System identifier and name. DoD-0019, ``Information Technology 
Access and Audit Records.''
    (i) Exemptions. This system of records is exempt from 5 U.S.C. 552a 
(c)(3); (d)(1), (2), (3), and (4); (e)(1); (e)(4)(G), (H), and (I); and 
(f).
    (ii) Authority. 5 U.S.C. 552a(k)(1) and (k)(2).
    (iii) Exemption from the particular subsections. Exemption from the 
particular subsections is justified for the following reasons:
    (A) Subsections (c)(3), (d)(1), and (d)(2).
    (1) Exemption (k)(1). Records in this system of records may contain 
information that is properly classified pursuant to executive order. 
Application of exemption (k)(1) may be necessary because access to and 
amendment of the records, or release of the accounting of disclosures 
for such records, could reveal classified information. Disclosure of 
classified records to an individual may cause damage to national 
security.
    (2) Exemption (k)(2). Records in this system of records may contain 
investigatory material compiled for law enforcement purposes other than 
material within the scope of 5 U.S.C. 552a(j)(2). Application of 
exemption (k)(2) may be necessary because access to, amendment of, or 
release of the accounting of disclosures of such records could: inform 
the record subject of an investigation of the existence, nature, or 
scope of an actual or potential law enforcement or disciplinary 
investigation, and thereby seriously impede law enforcement efforts by 
permitting the record subject and other persons to whom he might 
disclose the records or the accounting of records to avoid criminal 
penalties, civil remedies, or disciplinary measures; interfere with a 
civil or administrative action or investigation by allowing the subject 
to tamper with witnesses or evidence, and to avoid detection or 
apprehension, which may undermine the entire investigatory process; 
reveal confidential sources who might not have otherwise come forward 
to assist in an investigation and thereby hinder DoD's ability to 
obtain information from future confidential sources; and result in an 
unwarranted invasion of the privacy of others. Amendment of such 
records could also impose a highly impracticable administrative burden 
by requiring investigations to be continuously reinvestigated.
    (B) Subsections (d)(3) and (4). These subsections are inapplicable 
to the extent an exemption is claimed from subsections (d)(1) and (2). 
Accordingly, exemptions from subsections (d)(3) and

[[Page 60413]]

(d)(4) are claimed pursuant to (k)(1) and (k)(2).
    (C) Subsection (e)(1). Additionally, records within this system may 
be properly classified pursuant to executive order. The collection of 
information pertaining to the use of government information technology 
and data systems may include classified records, and it is not always 
possible to conclusively determine the relevance and necessity of such 
information in the early stages of a collection. In some instances, it 
will be only after the collected information is evaluated in light of 
other information that its relevance and necessity can be assessed. 
Further, disclosure of classified records to an individual may cause 
damage to national security. Additionally, in the collection of 
information for investigatory or law enforcement purposes it is not 
always possible to conclusively determine the relevance and necessity 
of particular information in the early stages of the investigation or 
adjudication. In some instances, it will be only after the collected 
information is evaluated in light of other information that its 
relevance and necessity for effective investigation and adjudication 
can be assessed. Collection of such information permits more informed 
decision-making by the Department when making required investigatory or 
law enforcement determinations. Accordingly, application of exemptions 
(k)(1) and (2) may be necessary.
    (D) Subsections (e)(4)(G) and (H). These subsections are 
inapplicable to the extent exemption is claimed from subsections (d)(1) 
and (2).
    (E) Subsection (e)(4)(I). To the extent that this provision is 
construed to require more detailed disclosure than the broad, generic 
information currently published in the system notice, an exemption from 
this provision is necessary to protect national security, the 
confidentiality of sources of information and to protect the privacy 
and physical safety of witnesses and informants. Accordingly, 
application of exemptions (k)(1) and (2) may be necessary.
    (F) Subsection (f). The agency's rules are inapplicable to those 
portions of the system that are exempt. Accordingly, application of 
exemptions (k)(1) and (2) may be necessary.
    (iv) Exempt records from other systems. In the course of carrying 
out the overall purpose for this system, exempt records from other 
systems of records may in turn become part of the records maintained in 
this system. To the extent that copies of exempt records from those 
other systems of records are maintained in this system, the DoD claims 
the same exemptions for the records from those other systems that are 
entered into this system, as claimed for the prior system(s) of which 
they are a part, provided the reason for the exemption remains valid 
and necessary.

    Dated: August 24, 2023.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2023-18681 Filed 8-31-23; 8:45 am]
BILLING CODE 5001-06-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>