Privacy Act of 1974, System of Records

AGENCY:

Postal Service.

ACTION:

Notice of new system of records.

SUMMARY:

The purpose of this document is to publish notice of a new Privacy Act system of records, USPS 040.060, Customer Programs-Customer Electronic Bill Presentment and Payment Records. The new system contains records about individuals who use the Postal Service's electronic bill presentment and payment (EBP) service.

DATES:

This proposal will become effective without further notice on February 5, 2001, unless comments received on or before that date result in a contrary determination.

COMMENTS DUE BY:

February 5, 2001.

ADDRESSES:

Any interested party may submit written comments on the proposed new system of records. Written comments on this proposal should be mailed or delivered to: Finance Administration/FOIA, United States Postal Service, 475 L'Enfant Plaza SW., RM 8141, Washington, DC 20260-5202. Copies of all written comments will be available at the above address for public inspection and photocopying between 8 a.m. and 4:45 p.m., Monday through Friday.

FOR FURTHER INFORMATION CONTACT:

Robert J. Faruq, 202-268-2608.

SUPPLEMENTARY INFORMATION:

The Postal Service is offering an electronic bill presentment and payment (EBP) service that allows customers to conveniently and securely register, access, and pay their bills through the Postal Service's WEB site (http://www.usps.com). This notice establishes a new Privacy Act system of records, USPS 040.060, Customer Programs-Customer Electronic Bill Presentment and Payment Records, to cover individuals' records that are collected and maintained as a result of providing that service.

To use the EBP service, a customer registers once by providing identifying information, such as name, address, date of birth, telephone numbers, and e-mail address, that will be maintained in the system for that customer's transactions. Confirmation of registration and verification of the accuracy of information collected is sent by mail. Once registered, the customer can view all of his or her bill summaries that are registered with the service and navigate where applicable to the provider's or biller's site to obtain details of a particular bill. The customer then can return to the EBP service to pay that bill or any bills listed on the bill summary page. The EBP service also allows a customer to order the payment of a bill not registered with the service by providing the limited information needed for payment.

General routine use statements b, e, f, and j listed in the prefatory statement at the beginning of the Postal Service's published system notices apply to this system in that they are disclosures routinely necessary to conduct business. These include the need to disclose in litigation involving the Postal Service; to a contractor fulfilling an agency function; to a congressional office at the request of the record's subject; and to outside auditors in connection with an audit of Postal Service finances. These general routine uses were last published in the Federal Register on October 26, 1989 (54 FR 43654-43655).

In addition, five routine uses have been added. Routine use No. 1 permits disclosure to the Postal Service contractor who is providing bill payment and customer support services for EBP. Routine use No. 2 permits disclosure to a payee or financial institution to resolve payment-posting problems. Routine use No. 3 permits disclosure to an authorized credit bureau for the purpose of identity verification. Routine use No. 4 permits disclosure for law enforcement purposes only pursuant to a federal search warrant. Routine use No. 5 permits disclosure pursuant to a federal court order.

The new system is not expected to have an adverse effect on individual privacy rights. The contractor that maintains information collected by this system is made subject to the Privacy Act in accordance with subsection (m) of the Act (which applies when the agency provides by contract for the operation of a system of records to accomplish an agency function) and is required to apply appropriate protections subject to audit and inspection by the Postal Inspection Service. Procedures are in place to verify identity of individuals, the accuracy of information maintained, and the security of information maintained and transmitted.

Customers using the EBP service must agree to the following terms and conditions:

• The Postal Service can deny enrollment to a customer if the customer's identity or other information cannot be verified.
• The Postal Service requires customers to protect their bill payment password and not to share it with others.
• The Postal Service requires customers to report any suspected compromise of the password quickly to ensure minimal financial loss.

To register, a customer must provide a unique user name and password. Confirmation of registration is currently sent by mail to ensure the customer's identity and the accuracy of information collected by the use of a one-time payment activation code assigned to the customer, which must be entered before a payment can be initiated. The code is entered only once. In the near future, identity confirmation will be conducted online.

Security controls have been applied to protect the information during transmission and physical maintenance. The system will be housed in a restricted area with access controlled by an installed security software package, the use of logon identifications and passwords, and operating system controls. Information is transmitted in a secure session established by Secure Socket Layer or equivalent technology. These technologies encrypt or scramble the transmitted information so it is virtually impossible for anyone other than the Postal Service and its provider or biller to read it.

Pursuant to 5 U.S.C. 552a(e)(11), interested persons are invited to submit written comments on this notice. A report of the following new system of records has been sent to Congress and to the Office of Management and Budget for their evaluation.

USPS 040.060

SYSTEM NAME:

Customer Programs-Customer Electronic Bill Presentment and Payment Records, USPS 040.060.

SYSTEM LOCATION:

Postal Service Headquarters and contractor site.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Customers who use the Postal Service's electronic bill presentment and payment (EBP) service.

CATEGORIES OF RECORDS IN THE SYSTEM:

Registration information includes customer name, address, date of birth, driver's license number, home and work phone numbers, e-mail address, EBP service billing information (checking account number and bank routing number), EBP service user name/ID and password, consumer's billers registered with service, bill detail, and bill summaries. Customer social security numbers are collected but not retained by the Postal Service; they are used to confirm customer identity at time of registration.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

39 U.S.C. 401 and 404.

PURPOSE(S):

Information in this system is used to provide electronic bill presentment and payment services to Postal Service customers.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

General routine use statements b, e, f, and j listed in the prefatory statement at the beginning of the Postal Service's published system notices apply to this system. Other routine uses are as follows:

1. Information from this system may be disclosed to a service provider under contract with the Postal Service for the purpose of providing electronic bill presentment and payment service and customer service support services.

2. Information from this system may be disclosed to a payee or financial institution for purposes of resolving payment-posting questions or discrepancies and questions regarding status of electronic bill payments.

3. Information from this system may be disclosed to an authorized credit bureau for the purpose of verifying identity and for determining the risk limits to be applied to each subscriber.

4. Information from this system may be disclosed for law enforcement purposes to a government agency, either federal, state, local, or foreign, only pursuant to a federal warrant duly issued under Rule 41 of the Federal Rules of Criminal Procedure. See Administrative Support Manual (ASM) 274.6 for procedures relating to search warrants.

5. Information from this system may be disclosed pursuant to the order of a federal court of competent jurisdiction.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Automated database, computer storage media, and microfiche.

RETRIEVABILITY:

The service provider retrieves information by customer identification number. The Postal Service retrieves information by customer name and address.

SAFEGUARDS:

Computer storage tapes and disks are maintained in locked filing cabinets in controlled-access areas or under general scrutiny of the service provider program personnel. Computers containing information are located in controlled-access areas with personnel access controlled by a cipher lock system, card key system, or other physical access control method, as appropriate. Authorized persons must be identified by a badge. Computer systems are protected with an installed security software package, computer logon identifications and operating system controls including access controls, terminal and user identifications, and file management. Online data transmission is protected by encryption. Contractors must provide similar protection subject to an operational security compliance review by the Postal Inspection Service.

RETENTION AND DISPOSAL:

1. For active subscribers, the personal enrollment data (e.g., name and address) is retained as long as the subscriber's account is active, and is archived for seven (7) years after the subscriber's account ceases to be active. For non-active subscribers, the personal enrollment data collected at the time of enrollment is archived for seven (7) years after the service is canceled.

2. Payment History includes paid, canceled, and failed payments. Account Banking data includes Demand Deposit Account (DDA) number and routing number. This information is maintained for six (6) months online and is then archived to magnetic tape for seven (7) years from the date of processing.

3. Billing summary data includes bill due date, bill amount, biller information, biller representation of account number, and the various status indicators (scheduled, in progress, etc.). This information is stored on magnetic tape for two (2) years from the date of processing.

4. At the end of each record retention period, the data on tape is destroyed by over-recording.

SYSTEM MANAGER(S) AND ADDRESS:

Senior Vice President, Corporate and Business Development, United States Postal Service, 475 L'Enfant Plaza SW., Washington DC 20260-5130.

NOTIFICATION PROCEDURE:

Individuals wanting to know whether information about them is maintained in this system of records must address inquiries in writing to the system manager(s). Inquiries must contain name and address or other identifying information.

RECORD ACCESS PROCEDURES:

Requests for access must be made in accordance with the Notification Procedure above and the Postal Service Privacy Act regulations regarding access to records and verification of identity under 39 CFR 266.6.

CONTESTING RECORD PROCEDURES:

See Notification Procedures and Record Access Procedures above.

RECORD SOURCE CATEGORIES:

Information is furnished by record subjects and billers.