Privacy Act of 1974; System of Records

Issuing agencies

Abstract

As required by the Privacy Act of 1974 and the Office of Management and Budget (OMB) Circulars A-108 and A-130, the Peace Corps is issuing public notice of its intent to modify a System of Records that it maintains subject to the Privacy Act of 1974, PC-33, entitled "Security Incident Management System (SIMS)". This System of Records Notice (SORN) is being modified to reflect the new name of the SORN (previously "Consolidated Incident Reporting System (CIRS)"), align with the new formatting requirements, published by the Office of Management and Budget, and to ensure appropriate Privacy Act coverage of business processes and Privacy Act information. Substantive changes have been made to the "System Location" "Categories of Individuals Covered by the System," "Categories of Records in the System," "System Locations," "Routine Uses," "Policies and Practices for Retrieval of Records," Policies and Practices for Retention and Disposal of Records," and "Administrative, Technical and Physical Safeguards" sections to provide greater transparency. Changes to "Routine Uses" include new provisions related to responding to breaches of information held under a Privacy Act SORN as required by OMB's Memorandum M-17-12, "Preparing for and Responding to a Breach of Personally Identifiable Information" (January 3, 2017).

Full Text

<html>
<head>
<title>Federal Register, Volume 89 Issue 180 (Tuesday, September 17, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 180 (Tuesday, September 17, 2024)]
[Notices]
[Pages 76158-76161]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-21071]


=======================================================================
-----------------------------------------------------------------------

PEACE CORPS


Privacy Act of 1974; System of Records

AGENCY: Peace Corps.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974 and the Office of 
Management and Budget (OMB) Circulars A-108 and A-130, the Peace Corps 
is issuing public notice of its intent to modify a System of Records 
that it maintains subject to the Privacy Act of 1974, PC-33, entitled 
``Security Incident Management System (SIMS)''. This System of Records 
Notice (SORN) is being modified to reflect the new name of the SORN 
(previously ``Consolidated Incident Reporting System (CIRS)''), align 
with the new formatting requirements, published by the Office of 
Management and Budget, and to ensure appropriate Privacy Act coverage 
of business processes and Privacy Act information. Substantive changes 
have been made to the ``System Location'' ``Categories of Individuals 
Covered by the System,'' ``Categories of Records in the System,'' 
``System Locations,'' ``Routine Uses,'' ``Policies

[[Page 76159]]

and Practices for Retrieval of Records,'' Policies and Practices for 
Retention and Disposal of Records,'' and ``Administrative, Technical 
and Physical Safeguards'' sections to provide greater transparency. 
Changes to ``Routine Uses'' include new provisions related to 
responding to breaches of information held under a Privacy Act SORN as 
required by OMB's Memorandum M-17-12, ``Preparing for and Responding to 
a Breach of Personally Identifiable Information'' (January 3, 2017).

DATES: This modified system of records is effective 30 days upon 
publication; however, comments on the Routine Uses will be accepted on 
or before October 16, 2024. The Routine Uses are effective at the close 
of the comment period.

ADDRESSES: Send written comments, identified by the docket number and 
title, to the Peace Corps, ATTN: James Olin, FOIA/Privacy Act Officer, 
1275 First Street NE, Washington, DC 20526, or by email at 
<a href="/cdn-cgi/l/email-protection#5c2c3f3a2e1c2c393d3f393f332e2c2f723b332a"><span class="__cf_email__" data-cfemail="3343505541734356525056505c4143401d545c45">[email&#160;protected]</span></a>. Email comments must be made in text and not in 
attachments.

FOR FURTHER INFORMATION CONTACT: James Olin, FOIA/Privacy Act Officer, 
1275 First Street, NE, Washington, DC 20526; <a href="/cdn-cgi/l/email-protection#7b0b181d093b0b1e1a181e1814090b08551c140d"><span class="__cf_email__" data-cfemail="8dfdeeebffcdfde8eceee8eee2fffdfea3eae2fb">[email&#160;protected]</span></a>; or 
202-692-2507.

SUPPLEMENTARY INFORMATION: The Peace Corps is amending a system of 
records that it maintains subject to the Privacy Act of 1974 (5 U.S.C. 
552a), as amended. Specifically, PC-33, entitled ``Security Incident 
Management System (SIMS)'' is being amended to reflect the new name of 
the system (previously ``Consolidated Incident Reporting System 
(CIRS)'') and two new routine uses at paragraphs M and N:
    ``(M). Disclosure to all appropriate agencies, entities, and 
persons when (1) the Peace Corps suspects or has confirmed that there 
has been a breach of the system of records; (2) the Peace Corps has 
determined that as a result of the suspected or confirmed breach, there 
is a risk of harm to individuals, the Peace Corps (including its 
information systems, programs, and operations), the Federal Government, 
or national security; and (3) the disclosure made to such agencies, 
entities, and persons is reasonably necessary to assist in connection 
with the Peace Corps' efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.''
    ``(N). Disclosure to another Federal agency or Federal entity, when 
the Peace Corps determines that information from this system of records 
is reasonably necessary to assist the recipient agency or entity in (1) 
responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the recipient 
agency or entity (including its information systems, programs, and 
operations), the Federal Government, or national security, resulting 
from a suspected or confirmed breach.''
    Additionally, substantive changes have been made to the ``System 
Location'' ``Categories of Individuals Covered by The System,'' 
``Categories of Records in the System,'' ``System Locations,'' 
``Routine Uses,'' ``Policies and Practices for Retrieval of Records,'' 
Policies and Practices for Retention and Disposal of Records,'' and 
``Administrative, Technical and Physical Safeguards'' sections to 
provide greater transparency.

SYSTEM NAME AND NUMBER:
    Security Incident Management System (SIMS), PC-33.

SECURITY CLASSIFICATION:
    Not applicable.

SYSTEM LOCATION:
    Office of Safety and Security, Peace Corps, 1275 First St., NE, 
Washington, DC 20002. Information may also be stored within Microsoft 
Dynamics 365 overseen by the Office of the Chief Information Officer.

SYSTEM MANAGER(S):
    Social Science Analyst, Office Safety and Security, Peace Corps, 
1275 First St. NE, Washington, DC 20002.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Peace Corps Act, 22 U.S.C. 2501 et seq.

PURPOSE(S) OF THE SYSTEM:
    To provide a single central facility within the Peace Corps for 
tracking reported crimes against Volunteers; analyzing trends; and 
responding to requests from executive, legislative, and oversight 
bodies, as well as the public, for statistical crime data relating to 
criminal and other high-interest incidents. The Peace Corps provides 
information on past crimes to Volunteer applicants in the country in 
which the applicant has been invited to serve, and also uses this 
information for programmatic and training purposes in order to make 
informed decisions about potential changes in policy and/or programs. 
The system notifies in a timely manner Peace Corps headquarters and 
overseas staff who have a specific need to know when a crime has 
occurred against a Volunteer. Such staff makes safety and security, 
medical, or management decisions regarding the Volunteer victim. The 
system also notifies the U.S. Embassy's Regional Security Officers 
covering the post whenever an incident against a Volunteer occurs, so 
that they may initiate investigative procedures, as necessary.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Peace Corps Volunteers, Trainees, Peace Corps Response Volunteers, 
Returned Peace Corps Volunteers, Peace Corps Staff, alleged offenders.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Incident ID; incident type; classification; report type (i.e., 
standard, restricted); status; victim Volunteer or victim staff name; 
victim Volunteer or staff contact information, including phone number, 
and email address; victim Volunteer or staff status, race/ethnicity, 
gender, age, sector of assignment, marital status, training group, 
Entry-On-Duty date, and Projected Completion of Service date; date of 
incident; date type (i.e., exact, approximate); date incident was 
reported to post; incident submitted date; incident converted date; 
conversion reason; conversion approver; time of incident; country of 
incident; Post reporting the incident; if the incident occurred in the 
capital city; location type; location subtype; if property was lost, 
stolen, or damaged; U.S. dollar value of lost property; whether there 
was successful entry; if the Volunteer was alone; if the victim was 
targeted due to race, sexual orientation, American heritage, U.S. 
citizenship, and/or gender identity; threat delivery method; weapon 
type; if the incident occurred at a Peace Corps site; Peace Corps site 
the incident occurred; site location the incident occurred; city/town 
of incident; Designated Security Staff involvement; Victim Advocate 
involvement; if the victim was driving; victim's vehicle type; other 
vehicle type; if the Volunteer's vehicle was approved by Post; 
availability of safety equipment; use of safety equipment; alcohol 
usage by any vehicle drivers; official date of death; ransom demanded; 
if express kidnapping occurred; kidnapping resolution; if the victim 
Volunteer/staff heard about or witnessed a crime; if the victim 
Volunteer or staff was present; if the victim Volunteer/staff 
experienced injuries, harassment, sexual harassment, and/or a peeping 
Tom; if there is a related Stalking Report, if non-Peace Corps property 
was impacted; nature and details of the incident; staff names and roles 
that worked on the incident;

[[Page 76160]]

tasks assigned to staff, including title, name of staff member 
assigning the task, name of staff member assigned the task, task 
status, and task assigned; involvement of intimate partner violence; 
alcohol use by Volunteer at time of incident; post follow up or changes 
to original incident report, including case update title, date, type, 
note, creator's role, communication method with the victim Volunteer, 
and associated services; name of alleged offender; age range of alleged 
offender; gender of alleged offender; relationship of alleged offender 
to victim Volunteer/Staff; alcohol use by alleged offender at time of 
incident; type of alleged offender; if the offender was disclosed or 
was a stranger; and completed assessments, including assessment type 
(i.e. Post Incident Assessment, Serious and Imminent Threat Assessment 
for Security or Medical), staff member name who completed it, date 
completed, and assessment responses.

RECORD SOURCE CATEGORIES:
    The information sources include Peace Corps office and program 
officials, employees, contractors, Peace Corps Volunteers, and other 
individuals or entities associated with Peace Corps; subjects of an 
investigation; individuals, businesses, or entities with whom the 
subjects are or were associated (e.g., colleagues, business associates, 
acquaintances, or relatives); Federal, State, local, international, and 
foreign investigative or law enforcement agencies; other government 
agencies; confidential sources; complainants; witnesses; concerned 
citizens; and public source materials.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSE OF SUCH USERS:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, the Peace Corps may disclose all or a 
portion of the records or information contained in this system outside 
of the Peace Corps without the consent of the subject individual, if 
the disclosure is compatible with the purpose for which the record was 
collected, as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. Disclosure for Law Enforcement Purposes. Information may be 
disclosed to the appropriate Federal, State, local, or foreign agency 
responsible for investigating, prosecuting, enforcing, or implementing 
a statute, rule, regulation, or order, if the information indicates a 
violation or potential violation of civil or criminal law or regulation 
within the jurisdiction of the receiving entity.
    B. Disclosure Incident to Requesting Information. Information may 
be disclosed to any source from which additional information is 
requested (to the extent necessary to identify the individual, inform 
the source of the purpose(s) of the request, or to identify the type of 
information requested); when necessary to obtain information relevant 
to a Peace Corps decision concerning retention of an employee or other 
personnel action (other than hiring), retention of a security 
clearance, the letting of a contract, or the issuance or retention of a 
grant or other benefit.
    C. Disclosure to Requesting Agency. Information may be disclosed to 
a Federal, State, local, or other public authority of the fact that 
this system of records contains information relevant to the requesting 
agency's retention of an employee, the retention of a security 
clearance, the letting of a contract, or the issuance or retention of a 
license, grant, or other benefit. The other agency or licensing 
organization may then make a request supported by the written consent 
of the individual for part or all of the record if it so chooses. No 
disclosure will be made unless the information has been determined to 
be sufficiently reliable to support a referral to another office within 
the agency or to another Federal agency for criminal, civil, 
administrative, personnel, or regulatory action.
    D. Disclosure to Office of Management and Budget. Information may 
be disclosed to the Office of Management and Budget at any stage in the 
legislative coordination and clearance process in connection with 
private relief legislation as set forth in OMB Circular No. A-19.
    E. Disclosure to Congressional Offices. Information may be 
disclosed to a congressional office from the record of an individual in 
response to an inquiry from the congressional office made at the 
request of the individual.
    F. Disclosure to Department of Justice. Information may be 
disclosed for purposes of litigation, provided that in each case the 
disclosure is compatible with the purpose for which the records were 
collected. Disclosure for these purposes may be made to the Department 
of Justice, or in a proceeding before a court, adjudicative body, or 
other administrative body before which the Peace Corps is authorized to 
appear. This disclosure may be made when: 1. The Peace Corps, or any 
component thereof; 2. Any employee of the Peace Corps in his or her 
official capacity; 3. Any employee of the Peace Corps in his or her 
individual capacity where the Department of Justice or the Peace Corps 
has agreed to represent the employee; or 4. The United States (when the 
Peace Corps determines that litigation is likely to affect the Peace 
Corps or any of its components) is a party to litigation or has an 
interest in such litigation, and the use of such records by the 
Department of Justice or the Peace Corps is deemed by the Peace Corps 
to be relevant and necessary to the litigation.
    G. Disclosure to the National Archives. Information may be 
disclosed to the National Archives and Records Administration in 
records management inspections.
    H. Disclosure to Contractors, Grantees, and Others. Information may 
be disclosed to contractors, grantees, consultants, or Volunteers 
performing or working on a contract, service, grant, cooperative 
agreement, job, or other activity for the Peace Corps and who have a 
need to have access to the information in the performance of their 
duties or activities for the Peace Corps. When appropriate, recipients 
will be required to comply with the requirements of the Privacy Act of 
1974 as provided in 5 U.S.C. 552a(m).
    I. Disclosures for Administrative Claims, Complaints, and Appeals. 
Information may be disclosed to an authorized appeal grievance 
examiner, formal complaints examiner, equal employment opportunity 
investigator, arbitrator, or other person properly engaged in 
investigation or settlement of an administrative grievance, complaint, 
claim, or appeal filed by an employee, but only to the extent that the 
information is relevant and necessary to the proceeding, Agencies that 
may obtain information under this routine use include, but are not 
limited to: the Office of Personnel Management, Office of Special 
Counsel, Federal Labor Relations Authority, U.S. Equal Employment 
Commission, and Office of Government Ethics.
    J. Disclosure to the Office of Personnel Management. Information 
may be disclosed to the Office of Personnel Management pursuant to that 
agency's responsibility for evaluation and oversight of Federal 
personnel management.
    K. Disclosure in Connection with Litigation. Information may be 
disclosed in connection with litigation or settlement discussions 
regarding claims by or against the Peace Corps, including public 
filings with a court, to the extent that disclosure of the information 
is relevant and necessary to the litigation or discussions and except 
where court orders are otherwise required under section (b)(11) of the 
Privacy Act of 1974, 5 U.S.C. 552a(b)(11).

[[Page 76161]]

    L. Disclosure to U.S. Ambassadors. Information from this system of 
records may be disclosed to a U.S. Ambassador or his or her designee in 
a country where the Peace Corps serves when the information is needed 
to perform an official responsibility, to allow the Ambassador to 
knowledgeably respond to official inquiries and deal with in- country 
situations that are within the scope of the Ambassador's 
responsibility.
    M. Disclosure to all appropriate agencies, entities, and persons 
when (1) the Peace Corps suspects or has confirmed that there has been 
a breach of the system of records; (2) the Peace Corps has determined 
that as a result of the suspected or confirmed breach, there is a risk 
of harm to individuals, the Peace Corps (including its information 
systems, programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with the Peace 
Corps' efforts to respond to the suspected or confirmed breach or to 
prevent, minimize, or remedy such harm.
    N. Disclosure to another Federal agency or Federal entity, when the 
Peace Corps determines that information from this system of records is 
reasonably necessary to assist the recipient agency or entity in (1) 
responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the recipient 
agency or entity (including its information systems, programs, and 
operations), the Federal Government, or national security, resulting 
from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Incident records are maintained in electronic format. Electronic 
records are stored in computerized databases.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Electronic records may be retrieved by incident number, volunteer 
first or last name, or by any available field recorded in the system.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    As there is no records disposal schedule for this information, 
electronic are being retained indefinitely. Records are retained to 
allow for historical data and trends analysis. The Annual Report of 
Crimes Against Volunteers is kept on file permanently for historical 
reference.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    The Peace Corps safeguards records in this system in accordance 
with applicable laws, rules, and policies to protect personally 
identifiable information against unauthorized access or disclosure. The 
Peace Corps has imposed strict controls to minimize such risks. 
Administrative safeguards include but not limited to: access to the 
information in this system is limited to authorized personnel with 
official duties requiring access, and whose roles have been authorized 
with such access permissions. All such individuals receive the 
appropriate privacy and cybersecurity training on an annual basis.
    The physical controls in place include the servers storing 
electronic data are located offsite in a locked facility with access 
limited to authorized personnel. The servers are maintained in 
accordance with a government contract that requires adherence to 
applicable laws, rules, and policies on protecting individual privacy. 
Computerized records are safeguarded in a secured environment. Security 
protocols meet the promulgating guidance as established by the National 
Institute of Standards and Technology (NIST) Security Standards from 
Access Control to Data Encryption and Security Assessment and 
Authorization.
    The technical controls in place include multiple firewalls, system 
access, encrypted data at rest, encrypted data in motion, periodic 
vulnerability scans to ensure security compliance, and security access 
logs. Security complies with applicable Federal Information Processing 
Standards (FIPS) issued by NIST. Access is restricted to specific 
authorized Peace Corps individuals who have internet access through 
work computers using a Personally Identity Verification (PIV). 
Individual users can only access records with the proper pre-approved 
accreditation.

RECORD ACCESS PROCEDURES:
    Any individual who wants access to his or her record should make a 
written request to the System Manager. Requesters will be required to 
provide adequate identification, such as a driver's license, employee 
identification card, or other identifying documentation. Additional 
identification may be required in some instances. Complete Peace Corps 
Privacy Act procedures are set out in 22 CFR part 308.

CONTESTING RECORD PROCEDURES:
    Any individual who wants to contest the contents of a record should 
make a written request to the System Manager. Requesters will be 
required to provide adequate identification, such as a driver's 
license, employee identification card, or other identifying 
documentation. Additional identification may be required in some 
instances. Requests for correction or amendment must identify the 
record to be changed and the corrective action sought. Complete Peace 
Corps Privacy Act procedures are set out in 22 CFR part 308.

NOTIFICATION PROCEDURES:
    See ``Record Access Procedures.''

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    February 17, 2009, 74 FR 131

    Dated: September 12, 2024
James Olin,
FOIA/Privacy Act Officer.
[FR Doc. 2024-21071 Filed 9-16-24; 8:45 am]
BILLING CODE 6051-01-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>