Privacy Act Regulations; Exemption for the Insider Threat Program

AGENCY:

Office of the Secretary, Interior.

ACTION:

Notice of proposed rulemaking.

SUMMARY:

The Department of the Interior is proposing to amend its regulations to exempt certain records in the INTERIOR/DOI-50, Insider Threat Program, system of records from one or more provisions of the Privacy Act of 1974 because of criminal, civil, and administrative law enforcement requirements.

DATES:

Submit comments on or before November 15, 2021.

ADDRESSES:

You may submit comments, identified by docket number [DOI-2018-0012] or [Regulatory Information Number (RIN) 1090-AB15], by any of the following methods:

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for sending comments.
• Email: DOI_Privacy@ios.doi.gov. Include docket number [DOI-2018-0012] or RIN 1090-AB15 in the subject line of the message.
• U.S. mail or hand-delivery: Teri Barnett, Departmental Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, Room 7112, Washington, DC 20240.

Instructions: All submissions received must include the agency name and docket number [DOI-2018-0012] or RIN 1090-AB15 for this rulemaking. All comments received will be posted without change to http://www.regulations.gov,, including any personal information provided.

Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT:

Teri Barnett, Departmental Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, Room 7112, Washington, DC 20240, DOI_Privacy@ios.doi.gov or (202) 208-1605.

SUPPLEMENTARY INFORMATION:

Background

The Privacy Act of 1974, as amended, 5 U.S.C. 552a, governs the means by which the U.S. Government collects, maintains, uses and disseminates personally identifiable information. The Privacy Act applies to records about individuals that are maintained in a “system of records.” A system of records is a group of any records under the control of an agency from which information about an individual is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. See 5 U.S.C. 552a(a)(4) and (5).

An individual may request access to records containing information about him or herself, 5 U.S.C. 552a(b), (c) and (d). However, the Privacy Act authorizes Federal agencies to exempt systems of records from access by individuals under certain circumstances, such as where the access or disclosure of such information would impede national security or law enforcement efforts. Exemptions from Privacy Act provisions must be established by regulation, 5 U.S.C. 552a(j) and (k).

The Department of the Interior (DOI) Office of Law Enforcement and Security published the INTERIOR/DOI-50, Insider Threat Program, system of records notice in the Federal Register at 79 FR 52033 on September 2, 2014, in accordance with Presidential Executive Order 13587, issued October 7, 2011, which required Federal agencies to establish an insider threat detection and prevention program to ensure the security of classified networks and the responsible sharing and safeguarding of classified information consistent with appropriate protections for privacy and civil liberties. This system of records facilitates management of counterintelligence and insider threat investigations and activities associated with counterintelligence complaints, inquiries and investigations; identification of potential threats to DOI resources and information assets; and referrals of potential insider threats to internal and external partners. Insider threats include attempted or actual espionage, subversion, sabotage, terrorism or extremist activities directed against the DOI and its personnel, facilities, resources, and activities; unauthorized use of or intrusion into automated information systems; unauthorized disclosure of classified, controlled unclassified, sensitive, or proprietary-information or technology; indicators of potential insider threats or other incidents that may indicate activities of an insider threat.

The system contains classified and unclassified intelligence and investigatory records related to counterintelligence and insider threat activities that are exempt from certain provisions of the Privacy Act, 5 U.S.C. 552a(j) and (k). The DOI previously published a final rule in the Federal Register at 79 FR 68799 (November 19, 2014) to amend DOI Privacy Act regulations at 43 CFR 2.254 to exempt certain records in this system from subsections (c)(3), (c)(4), (d), (e)(1) through (e)(3), (e)(4)(G) through (e)(4)(I), (e)(5), (e)(8), (e)(12), (f), and (g) of the Privacy Act pursuant to 5 U.S.C. 552a(j)(2) and (k)(2). In this notice of proposed rulemaking (NPRM), DOI is proposing to claim additional exemptions from certain provisions of the Privacy Act pursuant to 5 U.S.C. 552a(k)(1) and (k)(5).

DOI previously published an NPRM in the Federal Register at 85 FR 7515 (February 10, 2020) to claim exemptions for the INTERIOR/DOI-46, Physical Security Access Files, system of records that proposed a revision of the DOI Privacy Act regulations at 43 CFR 2.254 to redesignate the existing paragraphs and add new paragraphs for additional exemptions under 5 U.S.C. 552a(k). A new paragraph (b) was reserved for exemptions claimed under 5 U.S.C. 552a(k)(1) as indicated in this NPRM for the INTERIOR/DOI-50, Insider Threat Program. The previous paragraph (c) for investigatory records exempt under 5 U.S.C. 552a(k)(5) was redesignated to paragraph (e) to allow for a new paragraph (d) for exemptions claimed under 5 U.S.C. 552(k)(3) related to records maintained in connection with providing protective services. The new and redesignated paragraphs proposed for section 2.254 will be effective upon publication of the INTERIOR/DOI-46 final rule in the Federal Register and will align with the exemptions proposed in this NPRM for the INTERIOR/DOI-50, Insider Threat Program.

Under 5 U.S.C. 552a(k)(1), the head of a Federal agency may promulgate rules to exempt a system of records from certain provisions of the Privacy Act of 1974, 5 U.S.C. 552a, if the system of records is subject to the provisions of 5 U.S.C. 552(b)(1) where the records are (A) specifically authorized under criteria established by an Executive Order to be kept secret in the interest of national defense or foreign policy, and (B) are in fact properly classified pursuant to such Executive Order. Some records in this system are deemed classified and subject to Executive Orders for the maintenance of records that must be kept secret in the interest of national security, such as Executive Order 12333, United States Intelligence Activities (as amended); Executive Order 12829, National Industrial Security Program; Executive Order 12968, Access to Classified Information; Executive Order 13526, Classified National Security Information; and Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. Additionally, records in this system may be related to investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information that are exempt from one or more provisions of the Privacy Act pursuant to 5 U.S.C. 552a(k)(5).

Because this system of records contains classified and investigative material within the provisions of 5 U.S.C. 552a(k)(1) and (k)(5), the DOI proposes to exempt the system of records from one or more of the following provisions: 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G) through (e)(4)(I), and (f). Where a release would not interfere with or adversely affect investigations or law enforcement activities, including but not limited to revealing sensitive information or compromising confidential sources, the exemption may be waived on a case-by-case basis. Exemptions from these particular subsections are justified for the following reasons:

1. 5 U.S.C. 552a(c)(3). This section requires an agency to make the accounting of each disclosure of records available to the individual named in the record upon request. Release of accounting of disclosures would alert the subjects of an investigation to the existence of the investigation and the fact that they are subjects of the investigation. The release of such information to the subjects of an investigation would provide them with significant information concerning the nature of the investigation, and could seriously impede or compromise the investigation, endanger the physical safety of confidential sources, witnesses and their families, and lead to the improper influencing of witnesses, the destruction of evidence, or the fabrication of testimony.

2. 5 U.S.C. 552a(d); (e)(4)(G) and (e)(4)(H); and (f). These sections require an agency to provide notice and disclosure to individuals that a system contains records pertaining to the individual, as well as providing rights of access and amendment. Granting access to records in the Insider Threat Program system could inform the subject of an investigation of an actual or potential criminal violation of the existence of that investigation, of the nature and scope of the information and evidence obtained, of the identity of confidential sources, witnesses, and law enforcement personnel, and could provide information to enable the subject to avoid detection or apprehension. Granting access to such information could seriously impede or compromise an investigation; endanger the physical safety of confidential sources, witnesses, and law enforcement personnel, as well as their families; lead to the improper influencing of witnesses, the destruction of evidence, or the fabrication of testimony; and disclose investigative techniques and procedures. In addition, granting access to such information could disclose classified, security-sensitive, or confidential information and could constitute an unwarranted invasion of the personal privacy of others.

3. 5 U.S.C. 552a(e)(1). This section requires the agency to maintain information about an individual only to the extent that such information is relevant or necessary. The application of this provision could impair investigations and law enforcement, because it is not always possible to determine the relevance or necessity of specific information in the early stages of an investigation. Relevance and necessity are often questions of judgment and timing, and it is only after the information is evaluated that the relevance and necessity of such information can be established. In addition, during the course of the investigation, the investigator may obtain information that is incidental to the main purpose of the investigation but which may relate to matters under the investigative jurisdiction of another agency. Such information cannot readily be segregated. Furthermore, during the course of the investigation, an investigator may obtain information concerning the violation of laws outside the scope of the investigator's jurisdiction. In the interest of effective law enforcement, DOI investigators should retain this information, since it can aid in establishing patterns of criminal activity and can provide valuable leads for other law enforcement agencies.

4. 5 U.S.C. 552a(e)(4)(I). This section requires an agency to provide public notice of the categories of sources of records in the system. The application of this section could disclose investigative techniques and procedures and cause sources to refrain from giving such information because of fear of reprisal, or fear of breach of promise(s) of anonymity and confidentiality. This could compromise DOI's ability to conduct investigations and to identify, detect and apprehend violators.

Procedural Requirements

1. Regulatory Planning and Review (E.O. 12866 and E.O. 13563)

Executive Order 12866 provides that the Office of Information and Regulatory Affairs in the Office of Management and Budget will review all significant rules. The Office of Information and Regulatory Affairs has determined that this rule is not significant.

Executive Order 13563 reaffirms the principles of Executive Order 12866 while calling for improvements in the nation's regulatory system to promote predictability, to reduce uncertainty, and to use the best, most innovative, and least burdensome tools for achieving regulatory ends. The executive order directs agencies to consider regulatory approaches that reduce burdens and maintain flexibility and freedom of choice for the public where these approaches are relevant, feasible, and consistent with regulatory objectives. Executive Order 13563 emphasizes further that regulations must be based on the best available science and that the rulemaking process must allow for public participation and an open exchange of ideas. We have developed this rule in a manner consistent with these requirements.

2. Regulatory Flexibility Act

The Department of the Interior certifies that this document will not have a significant economic effect on a substantial number of small entities under the Regulatory Flexibility Act (5 U.S.C. 601, et seq.). This rule does not impose a requirement for small businesses to report or keep records on any of the requirements contained in this rule. The exemptions to the Privacy Act apply to individuals, and individuals are not covered entities under the Regulatory Flexibility Act.

3. Small Business Regulatory Enforcement Fairness Act (SBREFA)

This rule is not a major rule under 5 U.S.C. 804(2), the Small Business Regulatory Enforcement Fairness Act. This rule:

(a) Does not have an annual effect on the economy of $100 million or more.

(b) Will not cause a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions.

(c) Does not have significant adverse effects on competition, employment, investment, productivity, innovation, or the ability of United States-based enterprises to compete with foreign-based enterprises.

4. Unfunded Mandates Reform Act

This rule does not impose an unfunded mandate on State, local, or tribal governments in the aggregate, or on the private sector, of more than $100 million per year. The rule does not have a significant or unique effect on State, local, or tribal governments or the private sector. This rule makes only minor changes to 43 CFR part 2. A statement containing the information required by the Unfunded Mandates Reform Act (2 U.S.C. 1531 et seq.) is not required.

5. Takings (E.O. 12630)

In accordance with Executive Order 12630, the rule does not have significant takings implications. This rule makes only minor changes to 43 CFR part 2. A takings implication assessment is not required.

6. Federalism (E.O. 13132)

In accordance with Executive Order 13132, this rule does not have any federalism implications to warrant the preparation of a Federalism Assessment. The rule is not associated with, nor will it have substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. A Federalism Assessment is not required.

7. Civil Justice Reform (E.O. 12988)

This rule complies with the requirements of Executive Order 12988. Specifically, this rule:

(a) Does not unduly burden the judicial system.

(b) Meets the criteria of section 3(a) requiring that all regulations be reviewed to eliminate errors and ambiguity and be written to minimize litigation; and

(c) Meets the criteria of section 3(b)(2) requiring that all regulations be written in clear language and contain clear legal standards.

8. Consultation With Indian Tribes (E.O. 13175)

In accordance with Executive Order 13175, the Department of the Interior has evaluated this rule and determined that it would have no substantial effects on federally recognized Indian Tribes.

9. Paperwork Reduction Act

This rule does not require an information collection from 10 or more parties and a submission under the Paperwork Reduction Act is not required.

10. National Environmental Policy Act

This rule does not constitute a major Federal Action significantly affecting the quality for the human environment. A detailed statement under the National Environmental Policy Act of 1969 (NEPA) is not required because the rule is covered by a categorical exclusion. We have determined the rule is categorically excluded under 43 CFR 46.210(i) because it is administrative, legal, and technical in nature. We also have determined the rule does not involve any of the extraordinary circumstances listed in 43 CFR 46.215 that would require further analysis under NEPA.

11. Effects on Energy Supply (E.O. 13211)

This rule is not a significant energy action under the definition in Executive Order 13211. A Statement of Energy Effects is not required.

12. Clarity of This Regulation

We are required by Executive Order 12866 and 12988, the Plain Writing Act of 2010 (Pub. L. 111-274), and the Presidential Memorandum of June 1, 1998, to write all rules in plain language. This means each rule we publish must:

—Be logically organized;

—Use the active voice to address readers directly;

—Use clear language rather than jargon;

—Be divided into short sections and sentences; and

—Use lists and table wherever possible.

List of Subjects in 43 CFR Part 2

• Administrative practice and procedure
• Confidential information
• Courts
• Freedom of Information Act
• Privacy Act

For the reasons stated in the preamble, the Department of the Interior proposes to amend 43 CFR part 2 as follows:

PART 2—FREEDOM OF INFORMATION ACT; RECORDS AND TESTIMONY

1. The authority citation for part 2 continues to read as follows:

Authority: 5 U.S.C. 301, 552, 552a, 553; 31 U.S.C. 3717; 43 U.S.C. 1460, 1461.

2. Amend § 2.254 by:

a. Revising paragraphs (b) introductory text and (b)(1);

b. Reserving paragraph (b)(2);

c. Revising paragraph (c) introductory text;

d. Reserving paragraph (c)(5); and

e. Adding paragraph (c)(6).

The revisions and additions read as follows: