Privacy Act of 1974; System of Records

Issuing agencies

Abstract

As required by the Privacy Act of 1974 and the Office of Management and Budget (OMB) Circulars A-108 and A-130, the Department of Energy (DOE or the Department) is publishing notice of a modification to an existing Privacy Act system of records. DOE proposes to amend System of Records DOE-18 Financial Accounting System. This System of Records Notice (SORN) is being modified to align with new formatting requirements, published by OMB, and to ensure appropriate Privacy Act coverage of business processes and Privacy Act information. While there are no substantive changes to the "Categories of Individuals" or "Categories of Records" sections covered by this SORN, substantive changes have been made to the "System Locations," "Routine Uses," and "Administrative, Technical and Physical Safeguards" sections to provide greater transparency. Changes to "Routine Uses" include new provisions related to responding to breaches of information held under a Privacy Act SORN as required by OMB's Memorandum M-17-12, "Preparing for and Responding to a Breach of Personally Identifiable Information" (January 3, 2017). Language throughout the SORN has been updated to align with applicable Federal privacy laws, policies, procedures, and best practices.

Full Text

<html>
<head>
<title>Federal Register, Volume 89 Issue 176 (Wednesday, September 11, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 176 (Wednesday, September 11, 2024)]
[Notices]
[Pages 73640-73643]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-20554]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY


Privacy Act of 1974; System of Records

AGENCY: U.S. Department of Energy.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 and the Office of 
Management and Budget (OMB) Circulars A-108 and A-130, the Department 
of Energy (DOE or the Department) is publishing notice of a 
modification to an existing Privacy Act system of records. DOE proposes 
to amend System of Records DOE-18 Financial Accounting System. This 
System of Records Notice (SORN) is being modified to align with new 
formatting requirements, published by OMB, and to ensure appropriate 
Privacy Act coverage of business processes and Privacy Act information. 
While there are no substantive changes to the ``Categories of 
Individuals'' or ``Categories of Records'' sections covered by this 
SORN, substantive changes have been made to the ``System Locations,'' 
``Routine Uses,'' and ``Administrative, Technical and Physical 
Safeguards'' sections to provide greater transparency. Changes to 
``Routine Uses'' include new provisions related to responding to 
breaches of information held under a Privacy Act SORN as required by 
OMB's Memorandum M-17-12, ``Preparing for and Responding to a Breach of 
Personally Identifiable Information'' (January 3, 2017). Language 
throughout the SORN has been updated to align with applicable Federal 
privacy laws, policies, procedures, and best practices.

DATES: This modified SORN will become applicable following the end of 
the public comment period on September 11, 2024 unless comments are 
received that result in a contrary determination.

ADDRESSES: Written comments should be sent to the DOE Desk Officer, 
Office of Information and Regulatory Affairs, Office of Management and 
Budget, New Executive Office Building, Room 10102, 735 17th Street NW, 
Washington, DC 20503, and to Ken Hunt, Chief Privacy Officer, U.S. 
Department of Energy, 1000 Independence Avenue SW, Rm. 8H-085, 
Washington, DC 20585, by facsimile at (202) 586-8151, or by email at 
<a href="/cdn-cgi/l/email-protection#c9b9bba0bfa8aab089a1b8e7ada6ace7aea6bf"><span class="__cf_email__" data-cfemail="49393b203f282a30092138672d262c672e263f">[email&#160;protected]</span></a>.

FOR FURTHER INFORMATION CONTACT: Ken Hunt, Chief Privacy Officer, U.S. 
Department of Energy, 1000 Independence Avenue SW, Rm 8H-085, 
Washington, DC 20585, by facsimile at (202) 586-8151, by email at 
<a href="/cdn-cgi/l/email-protection#e797958e9186849ea78f96c9838882c9808891"><span class="__cf_email__" data-cfemail="b8c8cad1ced9dbc1f8d0c996dcd7dd96dfd7ce">[email&#160;protected]</span></a>, or by telephone at (240) 686-9485.

SUPPLEMENTARY INFORMATION: On January 9, 2009, DOE published a 
Compilation of its Privacy Act systems of records, which included 
System of Records DOE-18 Financial Accounting System. This notice 
proposes amendments to the system locations section of that system of 
records by removing the following system locations where DOE-18 is no 
longer applicable: Golden Field Office, National Nuclear Security 
Administration (NNSA) Service Center Albuquerque, Atlanta Regional 
Support Office, Office of Energy Efficiency and Renewable Energy, Idaho 
Operations Office, National Energy Technology Laboratory (Pittsburg), 
Naval Petroleum and Oil Shale Reserves, Naval Petroleum and Oil 
Reserves, Naval Petroleum Reserves in California, NNSA Nevada Site 
Office, Office of Scientific and Technical Information, Philadelphia 
Regional Support Office, and Seattle Regional Support Office. In the 
``Routine Uses'' section, this modified notice deletes a previous 
routine use concerning efforts responding to a suspected or confirmed 
loss of confidentiality of information as it appears in DOE's 
compilation of its Privacy Act systems of records (January 9, 2009) and 
replaces it with one to assist DOE with responding to a suspected or 
confirmed breach of its records of Personally Identifiable Information 
(PII), modeled with language from OMB's Memorandum M-17-12, ``Preparing 
for and Responding to a Breach of Personally Identifiable Information'' 
(January 3, 2017). Further, this notice adds one new routine use to 
ensure that DOE may assist another agency or entity in responding to 
the other agency's or entity's confirmed or suspected breach of PII, as 
appropriate, as aligned with OMB's Memorandum M-17-12. The ``Categories 
of Records in the System'' now includes the following: ``office 
location, business phone, business cell phone, and business email 
address.'' An administrative change required by the FOIA Improvement 
Act of 2016 extends the length of time a requestor is permitted to file 
an appeal under the Privacy Act from 30 to 90 days. Both the ``System 
Locations'' and ``Administrative, Technical and Physical Safeguards'' 
sections have been modified to reflect the Department's usage of cloud-
based services for records storage. Language throughout the SORN has 
been updated to align with applicable Federal privacy laws, policies, 
procedures, and best practices.

SYSTEM NAME AND NUMBER:
    DOE-18 Financial Accounting System.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Systems leveraging this SORN may exist in multiple locations. All 
systems storing records in a cloud-based server are required to use 
government-approved cloud services and follow National Institute of 
Standards and

[[Page 73641]]

Technology (NIST) security and privacy standards for access and data 
retention. Records maintained in a government-approved cloud server are 
accessed through secure data centers in the continental United States.
    U.S. Department of Energy, Headquarters, 1000 Independence Avenue 
SW, Washington, DC 20585.
    U.S. Department of Energy, Headquarters, 19901 Germantown Road, 
Germantown, MD 20874.
    U.S. Department of Energy, Bonneville Power Administration, P.O. 
Box 3621, Portland, OR 97208.
    U.S. Department of Energy, Carlsbad Field Office, P.O. Box 3090, 
Carlsbad, NM 88221.
    U.S. Department of Energy, Environmental Management Consolidated 
Business Center (EMCBC), 550 Main Street, Rm 7-010, Cincinnati, OH 
45202.
    U.S. Department of Energy, Office of Science, Chicago Office, 
Consolidated Service Center, 9800 South Cass Avenue, Lemont, IL 60439.
    U.S. Department of Energy, Office of Science, Consolidated Service 
Center, P.O. Box 2001, Oak Ridge, TN 37831.
    U.S. Department of Energy, NNSA Naval Reactors Field Office, 
Pittsburgh Naval Reactors, P.O. Box 109, West Mifflin, PA 15122-0109.
    U.S. Department of Energy, NNSA Naval Reactors Field Office, 
Schenectady Naval Reactors, P.O. Box 1069, Schenectady, NY 12301.
    U.S. Department of Energy, Hanford Field Office, P.O. Box 550, 
Richland, WA 99352.
    U.S. Department of Energy, Savannah River Operations Office, P.O. 
Box A, Aiken, SC 29801.
    U.S. Department of Energy, Southeastern Power Administration, 1166 
Athens Tech Road, Elberton, GA 30635-6711.
    U.S. Department of Energy, Southwestern Power Administration, One 
West Third Street, Suite 1500, Tulsa, OK 74103.
    U.S. Department of Energy, Strategic Petroleum Reserve Project 
Management Office, 900 Commerce Road East, New Orleans, LA 70123.
    U.S. Department of Energy, Western Area Power Administration, P.O. 
Box 281213, Lakewood, CO 80228-8213.

SYSTEM MANAGER(S):
    Headquarters: Director, Office of the Chief Financial Officer, U.S. 
Department of Energy, 1000 Independence Avenue SW, Washington, DC 
20585.
    Field Offices: The field Chief Financial Officers at the ``System 
Locations'' listed above are the system managers for their respective 
portions of this system.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    42 U.S.C. 7101 et seq.; 50 U.S.C. 2401 et seq.; the Government 
Accountability Office Policy and Procedures Manual; Statement of 
Federal Financial Accounting Standards published by the Government 
Accountability Office and the Office of Management and Budget; Debt 
Collection Improvement Act of 1996, 31 U.S.C. 3512; 5 U.S.C. 5701-5709; 
Federal Property Management Regulations 101-107; Treasury Financial 
Manual; Executive Order 12009, ``Providing for the Effectuation of the 
Department of Energy Organization Act''; and Executive Order 9397, 
``Numbering System for Federal Accounts Relating to Individual 
Persons.''

PURPOSE(S) OF THE SYSTEM:
    Records in this system are maintained and used by DOE to 
substantiate obligations and payments to individuals for goods and 
services received by the agency and to record and manage the 
Department's accounts receivables.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Employees, former employees, current and former contractor 
employees, vendors and others who are either due money from or owe 
money to DOE, including the National Nuclear Security Administration 
(NNSA).

CATEGORIES OF RECORDS IN THE SYSTEM:
    Name, address, Social Security numbers, telephone numbers, office 
locations, business phone numbers, business cellphones, and business 
email addresses, dates of birth, employment dates, gender, taxpayer 
identification numbers, amounts owed, and services or goods received, 
amounts due, underpayments, overpayments, or other accounting 
information, invoice numbers, servicing bank name and address, bank 
account numbers, amounts and status of claims; history of claims, 
including any collection actions taken.

RECORD SOURCE CATEGORIES:
    Subject individual, contracting officer, and accounting records.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. A record from this system may be disclosed as a routine use to 
the appropriate local, Tribal, State, or Federal agency when records, 
alone or in conjunction with other information, indicate a violation or 
potential violation of law whether civil, criminal, or regulatory in 
nature, and whether arising by general statute or particular program 
pursuant thereto.
    2. A record from this system may be disclosed as a routine use to a 
Federal agency to facilitate the requesting agency's decision 
concerning the hiring or retention of an employee, the issuance, 
revocation, or denial of a security clearance or other classified 
access, the reporting of an investigation of an employee, the letting 
of a contract, or the issuance of a license, grant, or other benefit, 
to the extent that the information is relevant and necessary to the 
requesting agency's decision on the matter. The Department must deem 
such disclosure to be compatible with the purpose for which the 
Department collected the information.
    3. A record from this system may be disclosed as a routine use for 
the purpose of an investigation, settlement of claims, or the 
preparation and conduct of litigation to (1) persons representing the 
Department in the investigation, settlement or litigation, and to 
individuals assisting in such representation; (2) others involved in 
the investigation, settlement, and litigation, and their 
representatives and individuals assisting those representatives; (3) 
witnesses, potential witnesses, or their representatives and 
assistants; and (4) any other persons who possess information 
pertaining to the matter when it is necessary to obtain information or 
testimony relevant to the matter.
    4. A record from this system may be disclosed as a routine use to 
other Federal agencies, consumer reporting agencies for acquiring 
credit information, and collection agencies to aid in the collection of 
outstanding debts owed to the Federal Government.
    5. A record from this system may be disclosed as a routine use to 
Defense Manpower Data Center, Department of Defense, the United States 
Postal Service, and other Federal, State, or local agencies to identify 
and locate, through computer matching, individuals indebted to DOE who 
are receiving Federal salaries or benefit payments. Information from 
the match will be used to collect the debts by voluntary repayment, by 
administrative offset, or by salary offset procedures.
    6. A record from this system may be disclosed as a routine use to 
the Internal Revenue Service (1) to collect the debt by offset against 
the debtor's tax refunds under the Federal Tax Refund Offset Program, 
and (2) to obtain the mailing address of a taxpayer to collect a debt 
owed to the DOE. Subsequent disclosure by DOE to a consumer reporting 
agency is limited to the purpose of obtaining a commercial credit 
report on the

[[Page 73642]]

particular taxpayer. The mailing address information will not be used 
for any other DOE purpose or disclosed by DOE to another Federal, 
State, or local agency which seeks to locate the same individual for 
its own debt collection purpose.
    7. A record from this system may be disclosed as a routine use to 
the Department of Treasury for the purpose of administrative offset and 
debt recovery under section 31001 (m)(1) of the Debt Collection 
Improvement Act of 1996 (Pub. L. 104-134).
    8. A record of this system may be disclosed as a routine use to the 
Department of Treasury for the purpose of paying creditors for services 
or goods provided to the Department.
    9. A record from this system may be disclosed as a routine use to a 
``consumer reporting agency'' as defined by the Fair Credit Reporting 
Act, 15 U.S.C. 1681a(f), or the Federal Claims Collections Act of 1966, 
31 U.S.C. 3701(a)(3), in accordance with 31 U.S.C. 3711(f).
    10. A record from this system may be disclosed as a routine use to 
DOE contractors in performance of their contracts, and their officers 
and employees who have a need for the record in the performance of 
their duties. Those provided information under this routine use are 
subject to the same limitations applicable to Department officers and 
employees under the Privacy Act.
    11. A record from this system may be disclosed as a routine use to 
a member of Congress submitting a request involving a constituent when 
the constituent has requested assistance from the member concerning the 
subject matter of the record. The member of Congress must provide a 
copy of the constituent's signed request for assistance.
    12. A record from this system may be disclosed as a routine use to 
appropriate agencies, entities, and persons when (1) the Department 
suspects or has confirmed that there has been a breach of the system of 
records; (2) the Department has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
DOE (including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the Department's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    13. A record from this system may be disclosed as a routine use to 
another Federal agency or Federal entity, when the Department 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records may be stored as paper records, electronic media, or 
magnetic tapes.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by name, taxpayer identification number, 
voucher, invoice, or payment reports.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Retention and disposition of these records is in accordance with 
the National Archives and Records Administration-approved records 
disposition schedule with a retention of 6 years.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Electronic records may be secured and maintained on a cloud-based 
software server and operating system that resides in Federal Risk and 
Authorization Management Program (FedRAMP) and Federal Information 
Security Modernization Act (FISMA) hosting environment. Data located in 
the cloud-based server is firewalled and encrypted at rest and in 
transit. The security mechanisms for handling data at rest and in 
transit are in accordance with DOE encryption standards. Records are 
protected from unauthorized access through the following appropriate 
safeguards:
    <bullet> Administrative: Access to all records is limited to lawful 
government purposes only, with access to electronic records based on 
role and either two-factor authentication or password protection. The 
system requires passwords to be complex and to be changed frequently. 
Users accessing system records undergo frequent training in Privacy Act 
and information security requirements. Security and privacy controls 
are reviewed on an ongoing basis.
    <bullet> Technical: Computerized records systems are safeguarded on 
Departmental networks configured for role-based access based on job 
responsibilities and organizational affiliation. Privacy and security 
controls are in place for this system and are updated in accordance 
with applicable requirements as determined by NIST and DOE directives 
and guidance.
    <bullet> Physical: Computer servers on which electronic records are 
stored are located in secured Department facilities, which are 
protected by security guards, identification badges, and cameras. Paper 
copies of all records are locked in file cabinets, file rooms, or 
offices and are under the control of authorized personnel. Access to 
these facilities is granted only to authorized personnel and each 
person granted access to the system must be an individual authorized to 
use or administer the system.

RECORD ACCESS PROCEDURES:
    The Department follows the procedures outlined in title 10 CFR 
1008.4. Valid identification of the individual making the request is 
required before information will be processed, given, access granted, 
or a correction considered, to ensure that information is processed, 
given, corrected, or records disclosed or corrected only at the request 
of the proper person.

CONTESTING RECORD PROCEDURES:
    Any individual may submit a request to the System Manager and 
request a copy of any records relating to them. In accordance with 10 
CFR 1008.11, any individual may appeal the denial of a request made by 
him or her for information about or for access to or correction or 
amendment of records. An appeal shall be filed within 90 calendar days 
after receipt of the denial. When an appeal is filed by mail, the 
postmark is conclusive as to timeliness. The appeal shall be in writing 
and must be signed by the individual. The words ``PRIVACY ACT APPEAL'' 
should appear in capital letters on the envelope and the letter. 
Appeals relating to DOE records shall be directed to the Director, 
Office of Hearings and Appeals (OHA), 1000 Independence Avenue SW, 
Washington, DC 20585.

NOTIFICATION PROCEDURES:
    In accordance with the DOE regulation implementing the Privacy Act, 
10 CFR part 1008, a request by an individual to determine if a system 
of records contains information about themselves should be directed to 
the U.S. Department of Energy, Headquarters, Privacy Act Officer. The 
request should include the requester's

[[Page 73643]]

complete name and the time period for which records are sought.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    This SORN was last published in the Federal Register, 74 FR 1020-
1022, on January 9, 2009.

Signing Authority

    This document of the Department of Energy was signed on September 
5, 2024, by Ann Dunkin, Senior Agency Official for Privacy, pursuant to 
delegated authority from the Secretary of Energy. That document with 
the original signature and date is maintained by DOE. For 
administrative purposes only, and in compliance with requirements of 
the Office of the Federal Register, the undersigned DOE Federal 
Register Liaison Officer has been authorized to sign and submit the 
document in electronic format for publication, as an official document 
of the Department of Energy. This administrative process in no way 
alters the legal effect of this document upon publication in the 
Federal Register.

    Signed in Washington, DC, on September 6, 2024.
Jennifer Hartzell,
Alternate Federal Register Liaison Officer, U.S. Department of Energy.
[FR Doc. 2024-20554 Filed 9-10-24; 8:45 am]
BILLING CODE 6450-01-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>