Privacy Act of 1974, System of Records

AGENCY:

Postal Service.

ACTION:

Notice of modification to an existing system of records.

SUMMARY:

This document publishes notice of modification to Privacy Act System of Records USPS 150.030, Records and Information Management Records—Computer Logon ID Records, 150.030. The proposed modification reflects changes to the system name, system location, categories of individuals covered by the system, categories of records in the system, purpose, storage, retrievability, safeguards, retention and disposal, system manager(s) and address, notification procedures, and records source categories.

DATES:

Any interested party may submit written comments on the proposed modification. This proposal will become effective without further notice on March 30, 2004, unless comments received on or before that date result in a contrary determination.

ADDRESSES:

Written comments on this proposal should be mailed or delivered to the Records Office, United States Postal Service, 475 L'Enfant Plaza, SW., Room 5846, Washington, DC 20260-5825. Copies of all written comments will be available at the above address for public inspection and photocopying between 8 a.m. and 4 p.m., Monday through Friday.

FOR FURTHER INFORMATION CONTACT:

Rowena Dufford at (202) 268-2608.

SUPPLEMENTARY INFORMATION:

The Postal Service^TM is proposing to modify system of records, USPS 150.030, Records and Information Management Records—Computer Logon ID Records. The system contains identifying information about users who request access to Postal Service computers and information resources and the access rights authorized or denied, including the computer logon ID assigned to those users and the level of access granted to them. The computer logon ID is a code that identifies an individual as an authorized user, programmer, or operator of a computer system for use in conducting Postal Service business. This system of records is being modified to include an automated method of requesting, authorizing, denying, and/or revoking user access to Postal Service computers and information resources.

Automating computer access will enable the Postal Service to more effectively and securely manage access to computers and information resources. The paper process will be phased out over time as Postal Service systems and computer users are registered in the automated system.

The automated method provides for the request, review, approval, and tracking of computer system access for Postal Service computer systems users nationwide and enables online access request generation in lieu of completing hard copies of PS Form 1357, Request for Computer Access, and IS Form 1357-A, Request for Inspection Service Computer ID. Hard copy forms will continue to be used for access to Postal Service computers and information resources not managed electronically. Eventually, user access for all Postal Service computers and information resources will be automated, and hard copy forms will no longer be generated. Hard copy forms will continue to be retained in a secure environment at various Postal Service facilities for 1 year after access privileges are cancelled and then destroyed by shredding. Future developments may allow the Postal Service to scan and store the hard copy forms in an electronic format.

Under the automated method, a unique identifier (UID) is provided for each user, to be used throughout his or her Postal Service career or other involvement with the Postal Service as a logon ID for computers and information resources. User profiles contain summary information about all access authorizations, including both of the following:

• A complete view of all authorizations for a given user based on multiple access request submissions over a period of time.
• The status of access transactions in the authorization and approval process.

Information from the user profile is used to formulate computer access requirements and assignments. Access assignments are used to protect against unauthorized access to Postal Service computer data and resources. Approval authorities are responsible for maintaining the currency of information in the user profile. Approved electronic requests are stored in a centralized, secure operating environment, updated as corresponding access requests are superceded or cancelled, and are deleted 1 year after access is cancelled.

The Postal Service does not expect modification of this system to have any effect on individual privacy rights. The amendment does not change the kinds of personal information about employees that are collected and maintained. Other information maintained about the individual relates to his or her official duty status and level of access permitted. Protection of the privacy interests of individuals covered by the system will be enhanced by eliminating much of the hard copy storage and the security of the automated system.

Pursuant to 5 U.S.C. 552a(e)(11), interested persons are invited to submit written data, views, or arguments on the proposed part of this notice. A report of the proposed system change has been sent to Congress and to the Office of Management and Budget for their evaluation.

Privacy Act System of Records USPS 150.030 was last published in its entirety in the Federal Register on October 10, 1990 (55 FR 41282-41283) and was amended on February 23, 1999 (64 FR 8876-8892). The Postal Service proposes amending the system as shown below:

USPS 150.030

System Name:

[CHANGE TO READ:]

Computer Access Records, 150.030.

System Location:

[CHANGE TO READ:]

All Postal Service facilities; Information System Service Centers; Accounting Service Centers; Inspection Service facilities; and contractor sites.

Categories of Individuals Covered by the System:

[CHANGE TO READ:]

Individuals who have access to Postal Service computers and information resources, including Postal Service employees, contractor employees, and non-Postal Service individuals.

Categories of Records in the System: [CHANGE TO READ:]

This system contains identifying information about computer users and the corresponding authorizing managers such as name; logon ID; employee identification number, unique identifier, and/or Social Security number; work-related information such as job title, BA Code, finance number, and work telephone number and address; the application(s) that the user may access; and the level(s) of access granted. Additionally, the system contains information related to contractors such as verification of status of contractor employee, screening, and/or security clearances.

Purpose:

[CHANGE TO READ:]

To ensure access to data and/or files of computer systems is limited to authorized individuals through the use of computer security access control systems. Used by computer security officers in maintaining access controls, and by postal inspectors and authorized personnel in monitoring compliance with access rules. The logon IDs are also used as a positive user identifier in resolving access problems by telephone.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage:

[CHANGE TO READ:]

Automated databases, computer storage media, and paper.

Retrievability:

[CHANGE TO READ:]

Name, logon ID, employee ID, and unique identifier.

Safeguards:

[CHANGE TO READ:]

Paper records, computers, and computer storage tapes and disks are maintained in controlled-access areas or under general supervision of program personnel. Computers are protected by a cipher lock system, card key system, or other physical access control methods. Computer systems and electronic records are also protected with security software and operating system controls, including logon and password identifications, firewalls, terminal and use identifications, and file management. Online data transmissions are protected by encryption. Access to these records is limited to authorized personnel. Contractors must provide similar protection subject to a security compliance review by the Postal Inspection Service.

Retention and Disposal:

[CHANGE TO READ:]

Paper records are retained for 1 year after computer access privileges are cancelled and then destroyed by shredding. Electronic records are updated as corresponding access requests are superceded or cancelled, and are deleted 1 year after access is cancelled.

System Manager(s) and Address:

[CHANGE TO READ:]

VICE PRESIDENT, CHIEF TECHNOLOGY OFFICER, UNITED STATES POSTAL SERVICE, 475 L'ENFANT PLZ SW, WASHINGTON DC 20260-1500

CHIEF POSTAL INSPECTOR, INSPECTION SERVICE, UNITED STATES POSTAL SERVICE, 475 L'ENFANT PLZ SW, WASHINGTON DC 20260-2100

Notification Procedure:

[CHANGE TO READ:]

Individuals wishing to know whether information about them is maintained in this system of records should address inquiries containing full name and logon ID, employee identification number, unique identifier and/or Social Security number to the following:

For hard copy PS Form 1357, Request for Computer Access: Individuals assigned to Headquarters should submit requests to the Manager, Headquarters Computing Infrastructure Services, 475 L'Enfant Plaza, SW, Washington, DC 20260.

Individuals assigned to other facilities should submit requests to the head of the facility that manages the information systems.

For electronic records to access Postal Service computers: Address requests to the Manager, Information Security Services, 4200 Wake Forest Rd., Raleigh, NC 27668-9500.

For U.S. Inspection Service computer access records: Address requests to the Inspector in Charge, Information Technology Division, 2111 Wilson Blvd., Suite 500, Arlington, VA 22201-3036

Records Source Categories:

[CHANGE TO READ:]

Individuals requesting and/or approving access to Postal Service computers or information resources and Postal Service personnel charged with information systems security responsibilities.