Privacy Act of 1974; System of Records

AGENCY:

Office of Mission Support (OMS), Environmental Protection Agency (EPA).

ACTION:

Notice of a new system of records.

SUMMARY:

The U.S. Environmental Protection Agency's (EPA), Office of Mission Support (OMS) is giving notice that it proposes to create a new system of records pursuant to the provisions of the Privacy Act of 1974. The Public Health Emergency Workplace Response System is being created to collect workplace safety and personnel information in response to a public health emergency such as a pandemic or epidemic.

DATES:

Persons wishing to comment on this system of records notice must do so by July 30, 2021. New routine uses for this new system of records will be effective July 30, 2021.

ADDRESSES:

Submit your comments, identified by Docket ID No. EPA-HQ-OMS-2020-0454, by one of the following methods:

Regulations.gov: www.regulations.gov . Follow the online instructions for submitting comments.

Email: oei.docket@epa.gov.

Fax: 202-566-1752.

Mail: OMS Docket, Environmental Protection Agency, Mail Code: 2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.

Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are only accepted during the Docket's normal hours of operation, and special arrangements should be made for deliveries of boxed information.

Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-2020-0454. The EPA policy is that all comments received will be included in the public docket without change and may be made available online at www.regulations.gov,, including any personal information provided, unless the comment includes information claimed to be Controlled Unclassified Information (CUI) or other information for which disclosure is restricted by statute. Do not submit information that you consider to be CUI or otherwise protected through www.regulations.gov. The www.regulations.gov website is an “anonymous access” system for EPA, which means the EPA will not know your identity or contact information unless you provide it in the body of your comment. Each agency determines submission requirements within their own internal processes and standards. EPA has no requirement of personal information. If you send an email comment directly to the EPA without going through www.regulations.gov your email address will be automatically captured and included as part of the comment that is placed in the public docket and made available on the internet. If you submit an electronic comment, the EPA recommends that you include your name and other contact information in the body of your comment. If the EPA cannot read your comment due to technical difficulties and cannot contact you for clarification, the EPA may not be able to consider your comment. Electronic files should avoid the use of special characters, any form of encryption, and be free of any defects or viruses. For additional information about the EPA public docket, visit the EPA Docket Center homepage at http://www.epa.gov/epahome/dockets.htm.

Docket: All documents in the docket are listed in the www.regulations.gov index. Although listed in the index, some information is not publicly available, e.g., CUI or other information for which disclosure is restricted by statute. Certain other material, such as copyrighted material, will be publicly available only in hard copy. Publicly available docket materials are available either electronically in www.regulations.gov or in hard copy at the OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. NW, Washington, DC 20460. The Public Reading Room is open from 8:30 a.m. to 4:30 p.m., Monday through Friday excluding legal holidays. The telephone number for the Public Reading Room is (202) 566-1744, and the telephone number for the OMS Docket is (202) 566-1752.

Out of an abundance of caution for members of the public and our staff, the EPA Docket Center and Reading Room are closed to the public, with limited exceptions, to reduce the risk of transmitting COVID-19.Our Docket Center staff will continue to provide remote customer service via email, phone, and webform. We encourage the public to submit comments via https://www.regulations.gov/ or email, as there may be a delay in processing mail and faxes. Hand deliveries and couriers may be received by scheduled appointment only. For further information on EPA Docket Center services and the current status, please visit us online at https://www.epa.gov/dockets.

FOR FURTHER INFORMATION CONTACT:

Jill Smink at smink.jill@epa.gov, (202) 540-9196.

SUPPLEMENTARY INFORMATION:

EPA is creating the Public Health Emergency Workplace Response System, EPA-89, to support the Agency's ability to provide a safe and healthy working environment in EPA locations (i.e., locations where the Agency is conducting official business) during a public health emergency (e.g., a Presidential declaration of a national public health emergency, U.S. Department of Health and Human Services declaration of a public health emergency, or other circumstances constituting a public health emergency). EPA-89 will allow the Agency to develop and institute safety measures in response to public health emergency contaminants (e.g., a pathogen or chemical) as needed, which may include:

• Contact Tracing—identification, monitoring, and support of an affected individual (an individual in an EPA location with confirmed or probable exposure to a public health emergency contaminant), and identification and contact of a potentially affected individual (an individual who was in contact with an affected individual or exposed to a public health emergency contaminant while in an EPA location);
• Medical Screening—examination of individuals entering an EPA location for symptoms or other indications consistent with exposure to a public health emergency contaminant; and
• Workplace Access Tracking and Planning—planning and tracking of location and time of individuals in EPA locations for purposes of contact tracing, social distancing, and/or management of exposure to public health emergency contaminants within EPA locations.

SYSTEM NAME AND NUMBER:

Public Health Emergency Workplace Response System, EPA-89.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Records are maintained at the EPA Headquarters, 1301 Constitution Ave. NW, Washington, DC 20460, regional offices, field offices and laboratories.

SYSTEM MANAGER(S):

Willie J. Abney, Division Director of Desktop Support Services Division (DSSD), Office of Mission Support, 1301 Constitution Ave. NW, Washington, DC 20460, Email Address: Abney.Willie@epa.gov, Phone Number: 202-566-1366.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

5 U.S.C. 6329c, 5 U.S.C. 7902, 29 U.S.C. 654, 29 U.S.C. 668, 42 U.S.C. 247d, 44 U.S.C. 3101, 42 U.S.C. 12101, 5 CFR part 339, 29 CFR part 1602, Executive Order 12196, Occupational safety and health programs for Federal employees (Feb. 26, 1980), OMB Memorandum M-20-23 Aligning Federal Agency Operations with the National Guidelines for Opening Up America Again (Apr. 20, 2020).

PURPOSE(S) OF THE SYSTEM:

EPA proposes to establish a new system of records to manage the Agency's planning and response to a public health emergency in EPA locations. EPA intends to collect information in the system to assist EPA with maintaining safe and healthy workplaces, to protect individuals in EPA locations from risks associated with a public health emergency, to plan and respond to workplace and personnel flexibilities needed during a public health emergency, to facilitate EPA's cooperation with public health authorities, and assist with contact tracing. Contact tracing is defined as the identification, monitoring, and support of an affected individual (an individual in an EPA location with confirmed or probable exposure to a public health emergency contaminant), and identification and contact of a potentially affected individual (an individual who was in contact with an affected individual or exposed to a public health emergency contaminant while in an EPA location).

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Categories of individuals covered by this system include EPA employees. The system also covers individuals working in EPA facilities or on official EPA business, including: EPA contractors, non-EPA government personnel or contractors, interns, grantees, fellows, and volunteers. Other categories of individuals covered by the system include: Visitors to EPA facilities; and potentially affected individuals at EPA locations or otherwise present during official EPA business. The system also covers individuals listed as emergency contacts for such individuals.

CATEGORIES OF RECORDS IN THE SYSTEM:

Information collected in the system may include but is not limited to: Contact information of the individuals (which may include name, address; phone number; email address); EPA LAN ID; EPA employee number; EPA staff office (e.g., organization chart structure) and supervisor contact information (which may include name, phone number, and email address); emergency contact information (which may include name, phone number, and email address); and Agency facility or location access information that includes, but is not limited to, the dates when the affected individual visited the facility or location, the areas that they visited within the facility (e.g., entrance used, office and cubicle number, shared spaces used) or at the location, the duration of time spent in the facility or location, the individuals they came in contact with, and security systems monitoring data; and facility cleaning data. The system also collects Sensitive Personal Identifiable Information (SPII) such as medical information, including but not limited to, dates and results of any: Expected or confirmed medical testing (e.g., temperature readings, viral or bacterial exposure testing, antibody testing) performed in relation to a public health emergency; symptoms consistent with a public health emergency; potential or actual exposure to a public health emergency contaminant; immunizations and vaccination information; or other medical history related to the treatment of a public health emergency contaminant. The system may also collect information, including but not limited to, on: Recent travel details (including dates, locations, carriers); EPA staff certifications relating to dependent care obligations or whether EPA staff are in a high-risk category regarding a public health emergency contaminant; name and contact information of EPA staff assigned to track and respond to an individual's case; date and time of information entry; contents of communications between assigned EPA staff and affected individuals; and case status.

RECORD SOURCE CATEGORIES:

The information in this system is collected from the individual, the individual's manager, and from the individual's emergency contact. When necessary, for non-EPA personnel, information may also be collected from the individual's employer, grantee organization, other federal agencies, or similar designated external points of contact. Information is also collected from security systems monitoring access to Agency facilities (such as video surveillance and key card logs), human resources systems, emergency notification systems, and federal, state, and local agencies assisting with the response to a public health emergency.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

The following routine uses apply to this system because the use of the record is necessary for the efficient conduct of government operations. The routine uses are related to and compatible with the original purpose for which the information was collected. Routine uses I and J are required under OMB M-17-12.

A. Disclosure for Law Enforcement Purposes.

Information may be disclosed to the appropriate Federal, State, local, tribal, or foreign agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order, if the information is relevant to a violation or potential violation of civil or criminal law or regulation within the jurisdiction of the receiving entity.

B. Disclosure Incident to Requesting Information.

Information may be disclosed to any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose of the request, and to identify the type of information requested,) when necessary to obtain information relevant to an agency decision concerning retention of an employee or other personnel action (other than hiring,) retention of a security clearance, the letting of a contract, or the issuance or retention of a grant, or other benefit.

C. Disclosure to Congressional Offices.

Information may be disclosed to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of the individual.

D. Disclosure to Department of Justice.

Information may be disclosed to the Department of Justice, or in a proceeding before a court, adjudicative body, or other administrative body before which the Agency is authorized to appear, when:

• The Agency, or any component thereof;
• Any employee of the Agency in his or her official capacity;
• Any employee of the Agency in his or her individual capacity where the Department of Justice or the Agency have agreed to represent the employee; or

The United States, if the Agency determines that litigation is likely to affect the Agency or any of its components, is a party to litigation or has an interest in such litigation, and the use of such records by the Department of Justice or the Agency is deemed by the Agency to be relevant and necessary to the litigation.

E. Disclosure to the National Archives.

Information may be disclosed to the National Archives and Records Administration in records management inspections.

F. Disclosure to Contractors, Grantees, and Others.

Information may be disclosed to contractors, grantees, consultants, or volunteers performing or working on a contract, service, grant, cooperative agreement, job, or other activity for the Agency and who have a need to have access to the information in the performance of their duties or activities for the Agency.

G. Disclosures for Administrative Claims, Complaints and Appeals.

Information from this system of records may be disclosed to an authorized appeal grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator or other person properly engaged in investigation or settlement of an administrative grievance, complaint, claim, or appeal filed by an employee, but only to the extent that the information is relevant and necessary to the proceeding. Agencies that may obtain information under this routine use include, but are not limited to, the Office of Personnel Management, Office of Special Counsel, Merit Systems Protection Board, Federal Labor Relations Authority, Equal Employment Opportunity Commission, and Office of Government Ethics.

H. Disclosure in Connection With Litigation.

Information from this system of records may be disclosed in connection with litigation or settlement discussions regarding claims by or against the EPA, including public filing with a court, to the extent that disclosure of the information is relevant and necessary to the litigation or discussions and except where court orders are otherwise required under section (b)(11) of the Privacy Act of 1974, 5 U.S.C. 552a(b)(11).

I. Disclosure to Persons or Entities in Response to an Actual or Suspected Breach of Personally Identifiable Information.

To appropriate agencies, entities, and persons when (1) the Agency suspects or has confirmed that there has been a breach of the system of records, (2) the Agency has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Agency (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Agency's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

J. Disclosure To Assist Another Agency in Its Efforts To Respond to a Breach.

To another Federal agency or Federal entity, when the Agency determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

K. Disclosure to a Public Health Authority.

To Federal agencies such as the Department of Health and Human Services (HHS), State and local health departments, and other public health or cooperating medical authorities in connection with program activities and related collaborative efforts to deal more effectively with exposures to communicable diseases, and to satisfy mandatory reporting requirements when applicable.

L. Disclosure to Governmental Organization.

To appropriate federal, state, local, tribal, or foreign governmental agencies or multilateral governmental organizations, to the extent permitted by law, and in consultation with legal counsel, for the purpose of protecting the vital interests of a data subject or other persons, including to assist such agencies or organizations in preventing exposure to or transmission of a communicable or quarantinable disease or to combat other significant public health threats.

M. Disclosure to Emergency Contacts.

To a potentially affected individual's emergency contact for purposes of locating the individual to communicate that they may have been exposed to a public health emergency contaminant in an EPA location or while otherwise present during official EPA business.

N. Disclosure for Contact Tracing.

To affected individuals and/or potentially affected individuals, and/or, when needed, to the (potentially) affected individual's employer, grantee organization, federal agency to whom the individual is contracted, or other similar designated external points of contact, information necessary for contact tracing. For example: Informing an individual that they were exposed to an affected individual or public health emergency contaminant in an EPA location or while otherwise present during EPA business, and the timing and location of the exposure; or contacting the employer of a potentially affected individual in the course of trying to contact the potentially affected individual themselves.

Contact tracing is defined as: Identification, monitoring, and support of an affected individual (an individual in an EPA location with confirmed or probable exposure to a public health emergency contaminant), and identification and contact of a potentially affected individual (an individual who was in contact with an affected individual or exposed to a public health emergency contaminant while in an EPA location), the same definition as above in Supplemental Information.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

These records are maintained electronically on computer storage devices such as computer tapes and disks, or on paper. The computer storage devices are managed by the EPA, Office of Mission Support, 1301 Constitution Ave. NW, Washington, DC 20460. Backup files will be maintained at a disaster recovery site. Computer records are maintained in a secure password-protected environment. Access to computer records is limited to those who have a need to know. Permission level assignments will allow users access only to those functions for which they are authorized. All records are maintained in secure, access-controlled areas or buildings.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records may be retrieved by any data category in the system (e.g., name, office, supervisor, date of medical testing, assigned EPA staff). Records are only retrievable by authorized EPA staff (who are EPA employees and/or contractors) and retrieval methods are limited by permission levels as described below under Technical Safeguards.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

EPA will retain and dispose of these records in accordance with the National Archives and Records Administration General Records Schedule. EPA-89 follows the EPA Records Policy for retention and disposal, per schedule 1012 (Information and Technology Management) and schedule 1049 (Information Access and Protection Records). The schedule provides disposal authorization for electronic files and hard copy printouts created to monitor system usage, including log-in files, audit trail files, and system usage files. Records in EPA-89 will be deleted or destroyed when the Agency determines they are no longer needed for administrative, legal, audit, or other purposes.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Security controls used to protect PII and SPII in EPA-89 are commensurate with those required for an information system rated moderate for confidentiality, integrity, and availability, as prescribed in NIST Special Publication, 800-53, “Recommended Security Controls for Federal Information Systems,” Revision 4.

Administrative Safeguards.

EPA staff must complete annual agency training for Information Security and Privacy. EPA instructs staff to lock and secure their computers when unattended.

Technical Safeguards.

The system administrator, an EPA staff member, authorizes appropriate permission levels for authorized EPA staff. Permission level assignments allow authorized users to access only those system functions and records specific to their Agency work need. EPA also has technical security measures including restrictions on computer access to authorized individuals and required use of a personal identity verification (PIV) card and password.

Physical Safeguards.

EPA equipment used for EPA-89 is located in the Federal cloud space not connected to other federal systems. Only authorized employees have access to this information in the Federal space.

RECORD ACCESS PROCEDURES:

Individuals seeking access to information in this system of records about themselves are required to provide adequate identification (e.g., driver's license, military identification card, employee badge or identification card). Additional identity verification procedures may be required, as warranted. Requests must meet the requirements of EPA regulations that implement the Privacy Act of 1974, at 40 CFR part 16.

CONTESTING RECORDS PROCEDURES:

Requests for correction or amendment must identify the record to be changed and the corrective action sought. Complete EPA Privacy Act procedures are described in EPA's Privacy Act regulations at 40 CFR part 16.

NOTIFICATION PROCEDURES:

Any individual who wishes to know whether this system of records contains a record about themselves, and to obtain a copy of any such record(s), should make a written request to the Attn: Agency Privacy Officer, MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, privacy@epa.gov.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.