Privacy Act of 1974: System of Records

Federal Register, Nov 21, 2016
81 Fed. Reg. 83281 (Nov. 21, 2016)

AGENCY:

National Credit Union Administration (NCUA)

ACTION:

Notice of a new system of records.

SUMMARY:

Pursuant to the Privacy Act of 1974, the National Credit Union Administration (NCUA) is proposing to establish a new system of records, and add three routine uses to NCUA's Standard Routine Uses.

DATES:

This action will be effective without further notice on January 3, 2017 unless comments are received that would result in a contrary determination.

ADDRESSES:

You may submit comments to NCUA by any of the following methods:

  • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
  • NCUA Web site: http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/proposed_regs.html. Follow the instructions for submitting comments.
  • Email: Address to regcomments@ncua.gov. Include “[Your name]—Comments on NCUA 19 SORN” in the email subject line.
  • Fax: (703) 518-6319. Use the subject line described above for email.
  • Mail: Address to Gerard Poliquin, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.
  • Hand Delivery/Courier: Same as mail address.

FOR FURTHER INFORMATION CONTACT:

Michael Mcneill, Office of the Chief Financial Officer, Division of Financial Control, Director, 1775 Duke Street, Alexandria, VA 22314, or telephone: (703) 518-6572, or Linda Dent, Senior Agency Official for Privacy, Office of General Counsel, at the National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314, or telephone: (703) 518-6567.

SUPPLEMENTARY INFORMATION:

(1) NCUA Is Proposing To Establish a New System of Records

In accordance with the Privacy Act of 1974 (5 U.S.C. 552a), as amended, NCUA is issuing public notice of its intent to establish a new system of records, NCUA Financial and Acquisition Management System, NCUA-19. The system of records described in this notice maintains records related to NCUA's core financial and acquisition system, and is used to ensure that all of NCUA's obligations and expenditures conform with laws, existing rules and regulations, and good business practices.

(2) NCUA Is Proposing To Add Three Routine Uses to its Standard Routine Uses

As a part of NCUA's ongoing privacy program efforts, NCUA has determined that its Standard Routine Uses should be updated to include three new routine uses. The first new routine use, which will be Standard Routine Use #10, will permit NCUA to share information with contractors, grantees, and interns, when necessary to accomplish an agency function. Individuals provided information under this routine use will be subject to the same Privacy Act requirements and limitations on disclosure as are applicable to NCUA employees.

The second new routine use, which will be Standard Routine Use #11, will permit NCUA to share information with appropriate parties in response to a federal data breach. The addition of this routine use increases NCUA's compliance with OMB M-07-16.

The third routine use, which will be Standard Routine Use #12, will permit NCUA to share information with the Office of Management and Budget pursuant to OMB Circular A-19.

For convenience, the proposed new system of records, “NCUA Financial and Acquisition Management System, NCUA-19,” and NCUA's Standard Routine Uses, with the proposed new routine uses italicized, are published below.

National Credit Union Administration.

Gerard Poliquin,

Secretary of the Board.

SYSTEM NAME AND NUMBER:

NCUA Financial and Acquisition Management System, NCUA-19

SECURITY CLASSIFICATION:

None.

SYSTEM LOCATION:

Enterprise Services Center, 6500 South MacArthur Blvd., Oklahoma City, OK 73169; NCUA, 1775 Duke Street, Alexandria, VA 22314.

SYSTEM MANAGER(S):

Chief Financial Officer, Office of the Chief Financial Officer, NCUA, 1775 Duke Street, Alexandria, VA 22314.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

12 U.S.C. 1751; 31 U.S.C. 3501, et seq. and 31 U.S.C. 7701(c). Where the employee identification number is the social security number, collection of this information is authorized by Executive Order 9397.

PURPOSE(S) OF THE SYSTEM:

This system serves as the core financial and acquisition system and integrates program, financial, and budgetary information. Records are collected to ensure that all obligations and expenditures (other than those in the pay and leave system) are in conformance with laws, existing rules and regulations, and good business practices, and to maintain subsidiary records at the proper account and/or organizational level where responsibility for control of costs exists.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

NCUA employees, contractors, suppliers, vendors, interns, and customers.

CATEGORIES OF RECORDS IN THE SYSTEM:

Employee personnel information: Limited to current and former NCUA employees, and includes name, address, Social Security number (SSN). Business-related information: Limited to contractors/vendors, customers, and credit unions (but not their members), and includes name of the company/agency, point of contact, telephone number, mailing address, email address, contract number, vendor number (system unique identifier), DUNS number, and TIN, which could be a SSN in the case of individuals set up as sole proprietors, and total assets and insured shares. Financial information: Includes financial institution name, lockbox number, routing transit number, deposit account number, account type, debts (e.g., unpaid bills/invoices, overpayments, etc.), and remittance address.

RECORD SOURCE CATEGORIES:

The information maintained in Department of Transportation (DOT)/Enterprise Service Center (ESC) systems, including: Purchase orders, contracts, vouchers, invoices, contracts, disbursements, receipts/collections, Pay.Gov transactions, and related records; U.S. General Services Administration (GSA) Federal personnel payroll system (for payroll disbursement postings); Concur (for travel disbursements); JPMorgan Chase (for charge card payments); travel advance applications; other records submitted by individuals, employees, vendors, and other sources.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

1. NCUA's Standard Routine Uses apply to this system of records (see below).

2. Records may be shared with a vendor that NCUA is doing business with if a dispute about payments or amounts due arises. In such a situation, only the minimum amount of information needed to resolve the dispute will be shared with the vendor.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are maintained in paper and/or electronic form. Records are also maintained on NCUA's network back-up tapes. Electronic records are stored in computerized databases. Records are stored in locked file rooms and/or file cabinets.

POLICIES AND PRACTICES FOR RETRIEVABILITY OF RECORDS:

Records are retrieved by any one or more of the following: Records may be retrieved by a name of employee, employee ID, employee NCUA email address, social security number (SSN) for employees, SSN/Tax Identification Number (TIN) for vendors doing business with the NCUA, name for both employees and vendors, supplier number (system unique) for both employees and vendors, DUNS and DUNS + 4.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are maintained in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or a NCUA records disposition schedule approved by NARA.

Records existing on paper are destroyed beyond recognition. Records existing on computer storage media are destroyed according to the applicable NCUA media sanitization practice.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

NCUA has adopted appropriate administrative, technical, and physical controls in accordance with NCUA's information security policies to protect the security, integrity, and availability of the information, and to ensure that records are not disclosed to or accessed by unauthorized individuals.

Records are safeguarded in a secured environment. Buildings where records are stored have security cameras and 24 hour security guard service. The records are kept in limited access areas during duty hours and in locked file cabinets and/or locked offices or file rooms at all other times. Access is limited to those personnel whose official duties require access. Computerized records are safeguarded through use of access codes and information technology security. Contractors and other recipients providing supplies and/or services to the NCUA are contractually obligated to maintain equivalent safeguards.

RECORD ACCESS PROCEDURES:

Individuals should submit a written request to the Privacy Officer, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

a. Full name.

b. Any available information regarding the type of record involved, and the name of the system containing the record.

c. The address to which the record information should be sent.

d. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Individuals requesting access must also comply with NCUA's Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

CONTESTING RECORD PROCEDURES:

Individuals wishing to request an amendment to their records should submit a written request to the Privacy Officer, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

a. Full name.

b. Any available information regarding the type of record involved.

c. A statement specifying the changes to be made in the records and the justification therefor.

d. The address to which the response should be sent.

e. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

NOTIFICATION PROCEDURE:

Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Privacy Officer, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

a. Full name.

b. Any available information regarding the type of record involved.

c. The address to which the record information should be sent.

d. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Individuals requesting access must also comply with NCUA's Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

NCUA's STANDARD ROUTINE USES:

1. If a record in a system of records indicates a violation or potential violation of civil or criminal law or a regulation, and whether arising by general statute or particular program statute, or by regulation, rule, or order, the relevant records in the system or records may be disclosed as a routine use to the appropriate agency, whether federal, state, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto.

2. A record from a system of records may be disclosed as a routine use to a federal, state, or local agency which maintains civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary, to obtain information relevant to an agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit.

3. A record from a system of records may be disclosed as a routine use to a federal agency, in response to its request, for a matter concerning the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision in the matter.

4. A record from a system of records may be disclosed as a routine use to an authorized appeal grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator or other duly authorized official engaged in investigation or settlement of a grievance, complaint, or appeal filed by an employee. Further, a record from any system of records may be disclosed as a routine use to the Office of Personnel Management in accordance with the agency's responsibility for evaluation and oversight of federal personnel management.

5. A record from a system of records may be disclosed as a routine use to officers and employees of a federal agency for purposes of audit.

6. A record from a system of records may be disclosed as a routine use to a member of Congress or to a congressional staff member in response to an inquiry from the congressional office made at the request of the individual about whom the record is maintained.

7. A record from a system of records may be disclosed as a routine use to the officers and employees of the General Services Administration (GSA) in connection with administrative services provided to this Agency under agreement with GSA.

8. Records in a system of records may be disclosed as a routine use to the Department of Justice, when: (a) NCUA, or any of its components or employees acting in their official capacities, is a party to litigation; or (b) Any employee of NCUA in his or her individual capacity is a party to litigation and where the Department of Justice has agreed to represent the employee; or (c) The United States is a party in litigation, where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation, provided, however, that in each case, NCUA determines that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which the records were collected.

9. Records in a system of records may be disclosed as a routine use in a proceeding before a court or adjudicative body before which NCUA is authorized to appear (a) when NCUA or any of its components or employees are acting in their official capacities; (b) where NCUA or any employee of NCUA in his or her individual capacity has agreed to represent the employee; or (c) where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation, provided, however, NCUA determines that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which the records were collected.

10. A record from a system of records may be disclosed to contractors, experts, consultants, and the agents thereof, and others performing or working on a contract, service, cooperative agreement, or other assignment for NCUA when necessary to accomplish an agency function or administer an employee benefit program. Individuals provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to NCUA employees.

11. A record from a system of records may be disclosed to appropriate agencies, entities, and persons when (1) NCUA suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) NCUA has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by NCUA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with NCUA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

12. A record from a system of records may be shared with the Office of Management and Budget (OMB) in connection with the review of private relief legislation as set forth in OMB Circular A-19 at any stage of the legislative coordination and clearance process as set forth in that circular.

[FR Doc. 2016-27948 Filed 11-18-16; 8:45 am]

BILLING CODE 4510-FW-P