Privacy Act of 1974; System of Records

Issuing agencies

Abstract

The Privacy Act of 1974 and Office of Management and Budget (OMB) Circular No. A-108 requires that each agency publish notice of a new or modified system of records that it maintains. Section 523 of the Employee Retirement Income Security Act (ERISA), as added by the SECURE 2.0 Act of 2022, requires the Department of Labor (DOL) to create an online searchable database called the "Retirement Savings Lost and Found." This notice proposes a new system of records for the Retirement Savings Lost and Found that contains information about individuals who are or were participants in certain workplace-sponsored retirement plans. The system is designed to help individuals who may have lost track of their retirement plan search for the contact information of the appropriate plan administrator and make a claim for benefits owed to them.

Full Text

<html>
<head>
<title>Federal Register, Volume 89 Issue 212 (Friday, November 1, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 212 (Friday, November 1, 2024)]
[Notices]
[Pages 87424-87426]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-25405]


-----------------------------------------------------------------------

DEPARTMENT OF LABOR


Privacy Act of 1974; System of Records

AGENCY: Employee Benefit Security Administration (EBSA), Department of 
Labor.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 and Office of Management and Budget 
(OMB) Circular No. A-108 requires that each agency publish notice of a 
new or modified system of records that it maintains. Section 523 of the 
Employee Retirement Income Security Act (ERISA), as added by the SECURE 
2.0 Act of 2022, requires the Department of Labor (DOL) to create an 
online searchable database called the ``Retirement Savings Lost and 
Found.'' This notice proposes a new system of records for the 
Retirement Savings Lost and Found that contains information about 
individuals who are or were participants in certain workplace-sponsored 
retirement plans. The system is designed to help individuals who may 
have lost track of their retirement plan search for the contact 
information of the appropriate plan administrator and make a claim for 
benefits owed to them.

DATES: Comments must be received no later than December 2, 2024. This 
new SORN is effective upon publication of this Notice. If no public 
comments are received, the routine uses will be effective beginning 
December 2, 2024. If the DOL receives public comments, the DOL will 
review the comments to determine whether any changes to the notice are 
necessary.

ADDRESSES: We invite you to submit comments on this notice. You may 
submit comments by any of the following methods:
    <bullet> Email: <a href="/cdn-cgi/l/email-protection#c6a3a4b5a7e8a9b6b486a2a9aae8a1a9b0"><span class="__cf_email__" data-cfemail="ceabacbdafe0a1bebc8eaaa1a2e0a9a1b8">[email&#160;protected]</span></a>.
    <bullet> Mail, hand delivery, or courier: U.S. Department of Labor, 
Employee Benefits Security Administration, Office of Research and 
Analysis, Attention: PRA Officer, 200 Constitution Avenue NW, Room N-
5718. In your comment, specify RSLF SORN.

FOR FURTHER INFORMATION CONTACT: To submit general questions about the 
system of records, contact Stephen Sklenar by email at 
<a href="/cdn-cgi/l/email-protection#2c5f474049424d5e025f58495c44494202416c484340024b435a"><span class="__cf_email__" data-cfemail="780b13141d16190a560b0c1d08101d165615381c1714561f170e">[email&#160;protected]</span></a> or by phone at (202) 693-8500.

SUPPLEMENTARY INFORMATION: Section 523 of the Employee Retirement 
Income Security Act (ERISA), as added by the SECURE 2.0 Act of 2022,\1\ 
requires the Department of Labor (DOL) to create an online searchable 
database called the ``Retirement Savings Lost and Found'' (RSLF). The 
RSLF is designed to help individuals who may have lost track of a 
retirement plan to search for the

[[Page 87425]]

contact information of the plan administrator in order to make a claim 
with the plan administrator for benefits owed to them.
---------------------------------------------------------------------------

    \1\ See Consolidated Appropriations Act, 2023, Public Law 117-
328, division T, title III--Simplification and Clarification of 
Retirement Plan Rules, section 303; 136 Stat. 4459.
---------------------------------------------------------------------------

    The RSLF is a secure online database that contains information 
about individuals who are, or were, participants in certain workplace-
sponsored retirement plans. It has two portals: a public portal and an 
intake portal. The public portal allows individuals to search for 
information that enables them to locate the administrator of any plan 
with respect to which they are or were a participant. The intake portal 
allows plan administrators or authorized plan record keepers, to upload 
data into the database. Plan administrators or authorized plan record 
keepers are not required to submit this information to DOL. Uploading 
any such data is strictly voluntary.
    Both portals use <a href="http://Login.gov">Login.gov</a> to grant and manage user access. The 
public portal requires users to enter their Social Security number 
(SSN) as the search parameter. If positive results are found in plan 
administrator-provided data, the name and contact information of the 
plan administrator holding the benefits is displayed to authenticated 
users. No other information will be displayed. If no results are found, 
a negative results message is displayed.
    In addition to data received directly from plan administrators, DOL 
will also receive benefit data on plan participants from the Social 
Security Administration (SSA) that is reported to SSA annually via the 
8955-SSA Form. The SSA data will be extracted by SSA from its 8955-SSA 
database and securely delivered to EBSA as structured/tabular data in a 
common (e.g., CSV) file format. If positive results are found in SSA-
provided data, the name and contact information of the plan 
administrator holding the benefits and benefit information (e.g., year 
reported, amount, type of annuity (if applicable), payment frequency, 
units/shares and account value(s)) is displayed to authenticated users. 
If no results are found, a negative results message is displayed.
    Individuals will also be able to opt-out of having their data 
searchable. Limited information (e.g., name, last 4 digits of SSN) used 
to match the opt-out request to any data in the RSLF, will be collected 
from individuals and stored in a separate opt-out table.

SYSTEM NAME AND NUMBER:
    Retirement Savings Lost and Found, DOL/EBSA-16.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is Employee Benefits Security Administration, 200 Constitution 
Ave. NW, Washington, DC. The system resides on DOL's secure cloud and 
data center computing infrastructure.

SYSTEM MANAGER(S):
    Director, Office of Program Planning and Performance Evaluation 
(OPPEM), Employee Benefits Security Administration, 200 Constitution 
Ave. NW, Washington, DC, 20210.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 523 of ERISA (29 U.S.C. 1153).

PURPOSE(S) OF THE SYSTEM:
    The RSLF is an online searchable database designed to help 
individuals who may have lost track of retirement plan assets to search 
for the contact information of the associated plan administrator and 
make a claim with the plan administrator for benefits owed to them.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals who are or were a participant or beneficiary who may 
have vested, unclaimed retirement benefits with a plan to which the 
vesting standards of section 203 of ERISA (29 U.S.C. 1053) apply.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system contains information about individuals who have vested 
retirement benefits with a plan to which the vesting standards of 
section 203 of ERISA (29 U.S.C. 1053) apply. The records include the 
participant's first name, middle initial, last name, Social Security 
number, the name of the plan, plan number, plan sponsor name, plan 
sponsor Employer Identification Number (EIN), plan sponsor phone 
number, plan administrator name, plan administrator EIN, plan 
administrator phone number, plan administrator address, participant 
Social Security Number (SSN), and participant name. The records also 
include benefit data on plan participants from the Social Security 
Administration (SSA) that is reported to SSA annually via the 8955-SSA 
Form including: benefit information--e.g., year reported, amount, type 
of annuity (if applicable), payment frequency, units/shares and account 
value(s).
    Individual who opt-out of the RSLF will have their first name, last 
name, and last 4 digits of SSN stored by DOL in an opt-out table.

RECORD SOURCE CATEGORIES:
    The Social Security Administration (SSA) will provide DOL with 
information from IRS Form 8955-SSA filings, which plans are required to 
file each year.
    The administrator of a plan described in 29 U.S.C. 1053 may 
voluntarily provide information about individuals who are 65 or older 
directly to DOL through the intake portal.
    Individuals will provide information to DOL if they elect to opt-
out of the RSLF.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974 at 5 U.S.C. 552a(b) and 
the uses described in section 523 of ERISA (29 U.S.C. 1153), under 
which DOL may disclose information from this system of records without 
the consent of the individual.
    1. To appropriate agencies, entities, and persons when (a) DOL 
suspects or has confirmed that there has been a breach of the system of 
records; (b) DOL has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, DOL (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and (c) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with DOL's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    2. To another Federal agency or Federal entity, when DOL determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (a) responding to a suspected 
or confirmed breach or (b) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    3. To contractors and employees of contractors who have been 
engaged to assist the agency in the performance of or working on a 
contract or other activity or service for the RSLF. However, no 
disclosure of data provided to DOL by SSA (from IRS Form 8955-SSA 
filings) will be made to contractors or employees of contractors. 
Disclosure will be limited to plan administrator-provided data.


[[Page 87426]]


    Note:  Recipients will be required to comply with the 
requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a; 
see also 5 U.S.C. 552a(m).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records are stored within secure databases that reside within 
the U.S. Department of Labor's secure cloud and data center computing 
infrastructure.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Individuals searching for lost retirement benefits retrieve data 
from the system through the uses of a web-based search form which 
queries the databases, but must use <a href="http://Login.gov">Login.gov</a> to obtain a credential 
that verifies that the individual is properly identity-proofed. EBSA 
Benefit Advisors will have access to RSLF data through searching on 
transaction number that public users will receive in (1) search of RSLF 
search (both successful and unsuccessful searches) and (2) opting-out 
from data being included in Lost & Found Search through the Ask EBSA 
webform. Members of the application support team will have the ability 
to retrieve information from the databases in order to perform data 
validation and integrity checks.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records received from SSA will be retained in accordance with 
statutory requirements and consistent with SSA's own records schedules 
associated with this data. These SSA retention policies include:
    1. Master Files of Social Security Number (SSN) Holders and SSN 
Applications, 60-0058 which classifies the records as ``TEMPORARY, [to] 
destroy 300 years after date of enumeration, or when no longer needed 
for Agency business, whichever is later.''
    2. Earnings Recording and Self-Employment Income System, 60-0059 
which classifies the records as ``Temporary [to] delete/destroy the 
Earnings Recording and Self-Employment Income System record on an 
individual's SSN 300 years after the number holder's date of birth.''
    If required, DOL will establish its own NARA Records Schedule apart 
from the above SSA schedules to remain consistent with their 
requirements. Plan administrator-provided data will adhere to the same 
retention timeframes.
    All records will be disposed of in accordance with the DOL 
guidelines, NARA records retention schedule(s), and IRS Publication 
1075, as applicable. For the 1075-covered data (i.e., data received 
from SSA), DOL will dispose of data according to guidance in IRS 
Publication 1075.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records in this system are safeguarded in accordance with 
applicable rules and policies, including all applicable DOL systems 
security and privacy policies. All DOL users are subject to a Code of 
Conduct that includes the requirement for confidentiality. DOL 
Personnel (employees, contractors, interns, volunteers) receive annual 
training on privacy and confidentiality policies and practices. Access 
to the PII is restricted to authorized personnel only. Appropriate NIST 
security and privacy controls for protecting PII are imposed. DOL users 
access the portal using government furnished computers which require a 
Personal Identity Verification card to login. Public users (IAL2-level 
identity authenticated) and Plan Administrator users rely upon 
<a href="http://Login.gov">Login.gov</a> credentials for access. All data is encrypted at rest and in 
transit.

RECORD ACCESS PROCEDURES:
    If an individual wishes to access their own data in the system, the 
individual should contact EBSA directly and follow the instructions for 
making a Privacy Act Request on the DOL's web page at: <a href="https://www.dol.gov/general/privacy/instructions">https://www.dol.gov/general/privacy/instructions</a>. The DOL also describes its 
process for requesting records under the Privacy Act in regulations at 
29 CFR 71.2. Individuals who need additional assistance may also reach 
out to the DOL's Privacy Office by email at <a href="/cdn-cgi/l/email-protection#0676746f7067657f4662696a28616970"><span class="__cf_email__" data-cfemail="f787859e8196948eb793989bd9909881">[email&#160;protected]</span></a>.

CONTESTING RECORD PROCEDURES:
    If an individual wishes to request a correction or amendment of a 
record, the individual should send their request to EBSA directly. The 
request must be in writing and must identify:
    <bullet> The name of the individual making the request,
    <bullet> The particular record in question,
    <bullet> The correction or amendment sought,
    <bullet> The justification for the change, and
    <bullet> Any other pertinent information to help identify the file.
    Additional information can be found on the DOL's web page at: 
<a href="https://www.dol.gov/general/privacy/instructions">https://www.dol.gov/general/privacy/instructions</a>. The DOL also 
describes its process for requesting a correction or amendment at 29 
CFR 71.9. Individuals who need additional assistance may also reach out 
to the DOL's Privacy Office by email at <a href="/cdn-cgi/l/email-protection#38484a514e595b41785c5754165f574e"><span class="__cf_email__" data-cfemail="7a0a08130c1b19033a1e1516541d150c">[email&#160;protected]</span></a>.

NOTIFICATION PROCEDURES:
    If an individual wishes to know if a system contains information 
about the individual, the individual should contact EBSA directly and 
follow the instructions for making a Privacy Act Request on the DOL's 
web page at: <a href="https://www.dol.gov/general/privacy/instructions">https://www.dol.gov/general/privacy/instructions</a>. The DOL 
also describes its process for requesting records under the Privacy Act 
in regulations at 29 CFR 71.2. Individuals who need additional 
assistance may also reach out to the DOL's Privacy Office by email at 
<a href="/cdn-cgi/l/email-protection#8dfdffe4fbeceef4cde9e2e1a3eae2fb"><span class="__cf_email__" data-cfemail="ed9d9f849b8c8e94ad898281c38a829b">[email&#160;protected]</span></a>.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

Carolyn Angus-Hornbuckle,
Assistant Secretary for Administration and Management.
[FR Doc. 2024-25405 Filed 10-31-24; 8:45 am]
BILLING CODE 4510-29-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>