Privacy Act of 1974; System of Records; Amendment of a General Routine Use

AGENCY:

Office of the Secretary of Transportation, Department of Transportation.

ACTION:

Amendment to existing Privacy Act general routine use.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of Transportation's Office of the Secretary of Transportation (DOT/OST) is amending an existing general routine use for all DOT systems of records. The amended routine use is consistent with a recommendation in a memorandum issued by the Office of Management and Budget (OMB) on January 3, 2017 (Memorandum M-17-12 “Preparing for and Responding to a Breach of Personally Identifiable Information”). OMB's memorandum recommends that all Federal agencies publish two routine uses for their systems allowing for the disclosure of personally identifiable information to the appropriate parties in the course of responding to a breach or suspected breach of data maintained in a system of records.

DATES:

Submit comments on or before November 14, 2019. Changes to this system will be effective November 14, 2019.

ADDRESSES:

You may submit comments, identified by Docket Number DOT-OST-2019-0140, by one of the following methods:

• Federal e-Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
• Fax: (202) 493-2251.
• Mail: Claire Barrett, Departmental Chief Privacy Officer, Office of the Chief Information Officer, U.S. Department of Transportation, 1200 New Jersey Ave. SE, Washington, DC 20590.
• Instructions: All submissions received must include the agency name and docket number DOT-OST-2019-0140, for this notice. All comments received will be posted without change to http://www.regulations.gov,, including any personal information provided.
• Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT:

Claire Barrett, Departmental Chief Privacy Officer, Office of the Chief Information Officer, U.S. Department of Transportation, 1200 New Jersey Ave. SE, Washington, DC 20590 or privacy@dot.gov or (202) 366-8135. For legal questions, contact Evan Baylor, Honors Attorney, Office of General Counsel, at evan.baylor@dot.gov.

SUPPLEMENTARY INFORMATION:

The Privacy Act of 1974, as amended, 5 U.S.C. 552a, governs the means by which the United States Government collects, maintains, and uses personally identifiable information (PII) in a system of records. A “system of records” is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register, for public notice and comment, a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purposes for which the agency uses PII in the system and the routine uses for which the agency discloses such information outside the agency. As provided in “Privacy Act Guidelines” issued by the Office of Management and Budget (OMB) on July 1, 1975 (see 40 FR 28966), once an agency has published a routine use that will apply to all of its systems of record (i.e., a general routine use) in the Federal Register for public notice and comment, the agency may thereafter incorporate the publication by reference in each system's SORN without inviting further public comment on that use. To date, DOT has published 15 general routine uses (see 65 FR 19476 published April 11, 2000; 68 FR 8647 published February 23, 2003; 75 FR 82132 published December 29, 2010; and 77 FR 42796 published July 20, 2012).

The amended general routine use reflects a non-substantive change to an existing DOT general routine use (see 75 FR 82132, published December 29, 2010). The amended general routine use implemented by this Notice reflects the two pieces of the existing general routine use in two parts: (a) A general routine use for disclosure of records in response to a breach or suspected breach of DOT's systems of records and (b) a general routine use for disclosure of records in response to breach or suspected breach of another agency's systems of records.

The amended general routine uses are compatible with the purposes for which the information to be disclosed under these general routine uses was originally collected. Individuals whose personally identifiable information is in DOT systems expect their information to be secured. Sharing their information with appropriate parties in the course of responding to a confirmed or suspected breach of a DOT system, or another agency's system, will help DOT and all Federal agencies protect them against potential misuse of their information by unauthorized persons.

For the reasons above, the existing general routine use 11 is amended to reflect the OMB guidance, reflected in a new 11a and 11b, as follows:

11a. To appropriate agencies, entities, and persons when (1) DOT suspects or has confirmed that there has been a breach of the system of records; (2) DOT has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, DOT (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with DOT's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

11b. To another Federal agency or Federal entity, when DOT determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.