Privacy Act of 1974; System of Records

Federal Register, Apr 23, 2021
86 Fed. Reg. 21727 (Apr. 23, 2021)

AGENCY:

Office of Mission Support (OMS), Environmental Protection Agency (EPA).

ACTION:

Notice of a modified system of records.

SUMMARY:

The U.S. Environmental Protection Agency's (EPA) Office of Mission Support is giving notice that it proposes to publish a modified system of records pursuant to the provisions of the Privacy Act of 1974. FOIAonline, EPA's Freedom of Information Act (FOIA) Request and Appeal File system of records, is being modified to include all information and data elements that are being collected by the EPA and participating agencies as they relate to FOIA requests, appeals, consultations and referrals. The purpose of this modification is to provide notice that the FOIA Request and Appeal File system has been upgraded and deployed to a cloud hosted Amazon Web Services environment, and that the FOIA Request and Appeal File system of records is being modified to add additional routine uses and to change its name to FOIAonline.

DATES:

Persons wishing to comment on this system of records notice must do so by May 24, 2021. New routine uses for this new system of records will be effective May 24, 2021.

ADDRESSES:

Submit your comments, identified by Docket ID No. EPA-HQ-OMS-2020-0231, by one of the following methods:

Regulations.gov: www.regulations.gov. Follow the online instructions for submitting comments.

Email: oei.docket@epa.gov.

Fax: 202-566-1752.

Mail: OMS Docket, Environmental Protection Agency, Mail Code: 2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.

Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are only accepted during the Docket's normal hours of operation, and special arrangements should be made for deliveries of boxed information.

Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-2020-0231. The EPA policy is that all comments received will be included in the public docket without change and may be made available online at www.regulations.gov, including any personal information provided, unless the comment includes information claimed to be Controlled Unclassified Information (CUI) or other information for which disclosure is restricted by statute. Do not submit information that you consider to be CUI or otherwise protected through www.regulations.gov. The www.regulations.gov website is an “anonymous access” system for EPA, which means the EPA will not know your identity or contact information unless you provide it in the body of your comment. Each agency determines submission requirements within their own internal processes and standards. EPA has no requirement for personal information. If you send an email comment directly to the EPA without going through www.regulations.gov, your email address will be automatically captured and included as part of the comment that is placed in the public docket and made available on the internet. If you submit an electronic comment, the EPA recommends that you include your name and other contact information in the body of your comment. If the EPA cannot read your comment due to technical difficulties and cannot contact you for clarification, the EPA may not be able to consider your comment. Electronic files should avoid the use of special characters, any form of encryption, and be free of any defects or viruses. For additional information about the EPA public docket, visit the EPA Docket Center homepage at http://www.epa.gov/epahome/dockets.htm.

Docket: All documents in the docket are listed in the www.regulations.gov index. Although listed in the index, some information is not publicly available, e.g., CUI or other information for which disclosure is restricted by statute. Certain other material, such as copyrighted material, will be publicly available only in hard copy. Publicly available docket materials are available either electronically on www.regulations.gov or in hard copy at the OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. NW, Washington, DC 20460. The Public Reading Room is open from 8:30 a.m. to 4:30 p.m., Monday through Friday excluding legal holidays. The telephone number for the Public Reading Room is (202) 566-1744, and the telephone number for the OMS Docket is (202) 566-1752.

Temporary Hours During COVID-19

Out of an abundance of caution for members of the public and our staff, the EPA Docket Center and Reading Room are closed to the public, with limited exceptions, to reduce the risk of transmitting COVID-19. Our Docket Center staff will continue to provide remote customer service via email, phone, and webform. We encourage the public to submit comments via www.regulations.gov or email, as there may be a delay in processing mail and faxes. Hand deliveries and couriers may be received by scheduled appointment only. For further information on EPA Docket Center services and the current status, please visit us online at www.epa.gov/dockets. The telephone number for the Public Reading Room is (202) 566-1744, and the telephone number for the OMS Docket is (202) 566-1752.

FOR FURTHER INFORMATION CONTACT:

Tim Crawford, eDiscovery Division, Office of Mission Support, Office, (202) 566-1574, U.S. EPA, Office of Environmental Information, MC 2282T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.

SUPPLEMENTARY INFORMATION:

The FOIAonline (EPA-9) system contains a copy of each FOIA request, appeal, consultation, and referral received by the EPA and a copy of related correspondence, including name, affiliation address, telephone numbers, and other information about a requester. FOIAonline is managed and used by the EPA and other agencies to process, track and respond to FOIA requests, appeals, consultations, and referrals. The FOIAonline system provides the EPA and partner agencies with a secure and protected website to electronically receive, process, track, and store requests and appeals from the public for federal records; post responsive records to a website; collect data for annual reporting requirements to the Department of Justice and manage internal FOIA administration activities. In addition, the FOIAonline system allows the public to submit and track FOIA requests and appeals; access requests and responsive records online and obtain the status of requests filed with the EPA and partner agencies. Social security numbers and other types of personally identifiable information may be provided in requests submitted by the public or may appear in responsive documents. With the exception of a requester's name, any other personally identifiable information (e.g., home addresses, email address, and other contact information) provided by a requester during the process of completing the online request form or creating an online account will not be posted to the public-facing version of the website, nor will it be searchable by the public. Personally identifiable information determined to be publicly releasable and contained in documents released to the public under FOIA (e.g., the names and official contact information of government employees) will be publicly available and searchable by the public if posted by a participating agency. Individuals accessing the system are government employees and members of the public.

SYSTEM NAME AND NUMBER:

FOIAonline EPA-09.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Amazon Web Service US East (Northern Virginia) and Amazon Web Service US East (Ohio).

SYSTEM MANAGER(S):

Tim Crawford, crawford.tim@epa.gov, U.S. EPA, Office of Environmental Information, MC 2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Freedom of Information Act, 5 U.S.C. 552.

PURPOSE OF THE SYSTEM:

To provide the public a single location to submit and track FOIA requests, appeals, consultations and referrals filed with the EPA and participating agencies, to manage EPA FOIA administration activities and to collect data for annual reporting requirements to the Department of Justice.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

All persons filing FOIA requests, appeals, consultations or referrals and those whose personally identifiable information may appear in records collected for FOIA request responses.

CATEGORIES OF RECORDS IN THE SYSTEM:

Freedom of Information Act (FOIA) requests, appeals, consultations and referrals received by the EPA and other participating agencies, and correspondence related to the request, which may include individuals' names, mailing addresses, email addresses, phone numbers, social security numbers, dates of birth, alias(es) used by the requester, alien numbers assigned to travelers crossing national borders, requesters' parents' names, FOIA tracking numbers, dates requests are submitted and received, related appeals and agency responses. Records also include EPA FOIA administrative documents and responsive records.

RECORD SOURCE CATEGORIES:

Records maintained by federal agencies subject to the Freedom of Information Act.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

The following routine uses apply to this system because the use of the record is necessary for the efficient conduct of government operations. General routine uses A, E, F, G, H, K, and L apply to this system. Records may also be disclosed to:

1. Another federal agency (a) with an interest in the record in connection with a referral of a Freedom of Information Act (FOIA) request to that agency for its views or decision on disclosure, or (b) in order to obtain advice and recommendations concerning matters on which the agency has specialized experience or particular competence that may be useful to an agency in making required determinations under the FOIA.

2. To the National Archives and Records Administration, Office of Government Information Services (OGIS), to the extent necessary to fulfill its responsibilities in 5 U.S.C. 552(h), to review administrative agency policies, procedures and compliance with the Freedom of Information Act (FOIA), and to facilitate OGIS' offering of mediation services to resolve disputes between persons making FOIA requests and administrative agencies.

In addition, the two routine uses below (L and M) are required by OMB M-17-12. The routine uses are related to and compatible with the original purpose for which the information was collected.

L. Disclosure to Persons or Entities in Response to an Actual or Suspected Breach of Personally Identifiable Information. To appropriate agencies, entities, and persons when (1) the Agency suspects or has confirmed that there has been a breach of the system of records, (2) the Agency has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Agency (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Agency's efforts to respond to the actual or suspected breach or to prevent, minimize, or remedy such harm.

M. Disclosure to assist another agency in its efforts to respond to a breach. To another Federal agency or Federal entity, when the Agency determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to an actual or suspected breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from an actual or suspected breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored in file folders in lockable file cabinets. Records are also stored in a secure, password protected electronic system that utilizes security hardware and software to include multiple firewalls, active intruder protection and role-based access controls. Additional safeguards vary by participating agencies.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Requests are retrieved from the system by numerous data elements and key word searches, including name, agency, dates, subject, FOIA tracking number and other information retrievable with full-text searching capability.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Each federal agency handles its records in accordance with its records schedule as approved by the National Archives and Records Administration (NARA). FOIA records are covered under NARA General Record Schedule 14—Information Services Records that includes a retention period of six years unless a participating agency's records are managed under other record schedules approved by NARA.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Security controls used to protect personally identifiable information in FOIAonline are commensurate with those required for an information system rated moderate for confidentiality, integrity, and availability, as prescribed in the National Institute of Standards and Technology (NIST) Special Publication, 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.”

1. Administrative Safeguards: EPA and partner agency users follow annual security training requirements of their organization. Annually, EPA and partner agencies acknowledge and accept “Rules of Behavior” that describe user responsibilities and expected behavior regarding information system usage. Each agency administrator is responsible for ensuring account requests are approved before accounts are created. Each agency administrator is responsible for establishing, activating, modifying, disabling, and removing accounts for their agency and ensuring their established account management protocols are followed. Each agency administrator is responsible for monitoring agency accounts. Each agency administrator is responsible for disabling accounts when accounts are no longer required; when users are terminated or transferred; and when individual information system usage or need-to-know changes. Each agency administrator is responsible for granting access to the system based on: (i) A valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the respective agency.

2. Technical Safeguards: All NIST 800-53 moderate baseline technical safeguards are built into the FOIAonline application and supporting infrastructure including automated account management locks and reset protocols due to inactivity or cyclical renewals. Accounts must be refreshed after 30 business days of inactivity and are disabled after one year of inactivity. Disabled accounts require reactivation by the FOIAonline Help Desk after approval by the agency's Point of Contact. System administration and technical support accounts include the ability to reinstate accounts that have been disabled. System administration and technical support users are required to follow the system's rules of behavior and confidentiality requirements defined in contract conditions renewed annually.

3. Physical Safeguards: The Physical Environment control is fully inherited from the Amazon Web Service (AWS) physical data center. AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

RECORD ACCESS PROCEDURES:

Individuals seeking access to their own personal information in this system of records may be required to provide adequate identification (e.g., driver's license, military identification card, employee badge or identification card) as dictated by the request receiving agency. Individuals who create accounts in the system have the ability to edit the contact information they provided when submitting a request. Additional identity verification procedures may be required as warranted. Requests must meet the requirements of EPA regulations at 40 CFR part 16.

CONTESTING RECORD PROCEDURES:

Requests for correction or amendment must identify the record to be changed and the corrective action sought. Complete EPA Privacy Act procedures are described in EPA's Privacy Act regulations at 40 CFR part 16.

NOTIFICATION PROCEDURE:

Any individual who wants to know whether this system of records contains a record about him or her should make a written request to: Attn: Agency Privacy Officer, MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, or electronically to privacy@epa.gov.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

[FRL-9955-30-OEI]; FR./Vol. 81, Nov. 22/Thursday November 17, 2016. P 81096.

Vaughn Noga,

Senior Agency Official for Privacy.

[FR Doc. 2021-08486 Filed 4-22-21; 8:45 am]

BILLING CODE 6560-50-P