AGENCY:
Office of the Secretary of Defense (OSD), Department of Defense (DoD).
ACTION:
Proposed rule.
SUMMARY:
The Department of Defense (Department or DoD) is giving concurrent notice of a new Department-wide system of records pursuant to the Privacy Act of 1974 for the DoD–0019, “Information Technology Access and Audit Records,” system of records and this proposed rulemaking. In this proposed rulemaking, the Department proposes to exempt portions of this system of records from certain provisions of the Privacy Act of 1974, as amended, because of national security requirements and to avoid interference during the conduct of criminal, civil, or administrative actions or investigations.
DATES:
Send comments on or before October 31, 2023.
ADDRESSES:
You may submit comments, identified by docket number, Regulation Identifier Number (RIN), and title, by any of the following methods.
* Federal Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
* Mail: Department of Defense, Office of the Assistant to the Secretary of Defense for Privacy, Civil Liberties, and Transparency, Regulatory Directorate, 4800 Mark Center Drive, Attn: Mailbox 24, Suite 08D09, Alexandria, VA 22350–1700.
Instructions: All submissions received must include the agency name and docket number or RIN for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the internet at https://www.regulations.gov as they are received without change, including any personal identifiers or contact information.
FOR FURTHER INFORMATION CONTACT:
Ms. Rahwa Keleta, OSD.DPCLTD@mail.mil; (703) 571–0070.
SUPPLEMENTARY INFORMATION:
I. Background
In accordance with the Privacy Act of 1974, the DoD is establishing a new Department-wide system of records titled “Information Technology Access and Audit Records,” DoD–0019. The purpose of this system of records is to support information systems being established within the DoD using the same categories of data for the same purposes. This system of records covers DoD's maintenance of records related to requests for user access, attempts to access, granting of access, records of user actions for DoD information technology (IT) systems, and user agreements. This includes details of programs, databases, functions, and sites accessed and/or used, and the information products created, received, or altered during the use of IT systems. The system consists of both electronic and paper records and will be used by DoD components and offices to maintain records about individuals who have user agreements, user access to and activity on networks, computer systems, applications, databases, or other digital technologies.
II. Privacy Act Exemption
The Privacy Act permits Federal agencies to exempt eligible records in a system of records from certain provisions of the Act, including that provide individuals with a right to request access to and amendment of their own records and accountings of disclosures of such records. If an agency intends to exempt a particular system of records, it must first go through the rulemaking process pursuant to 5 U.S.C. 553(b)(1)–(3), (c), and (e). This proposed rule explains why an exemption is being claimed for this system of records and invites public comment, which DoD will consider before the issuance of a final rule implementing the exemption.
The DoD proposes to modify 32 CFR part 310 to add a new Privacy Act exemption rule for DoD–0019, “Information Technology Access and Audit Records.” The DoD proposes to exempt portions of this system of records from certain provisions of the Privacy Act because information in this system of records may fall within the scope of the following Privacy Act exemptions: (k)(1) and (k)(2).
The DoD proposes to exempt this system of records because some of these records may contain classified national security information and providing notice, access, amendment, and disclosure of accounting of those records to an individual, as well as certain record-keeping requirements, may cause damage to national security. The Privacy Act, pursuant to 5 U.S.C. 552a(k)(1), authorizes agencies to claim an exemption for systems of records that contain information properly classified pursuant to executive order. DoD is proposing to claim an exemption from several provisions of the Privacy Act, including various access, amendment, disclosure of accounting, and certain record-keeping and notice requirements, to prevent disclosure of any information properly classified pursuant to executive order, as implemented by DoD Instruction 5200.01 and DoD Manual 5200.01, Volumes 1 and 3.
The DoD is also proposing this exemption rule because this system of records may contain investigatory material compiled for law enforcement purposes within the scope of 5 U.S.C. 552a(k)(2). This exemption allows DoD entities to claim an exemption for systems of records that contain investigatory materials compiled for law enforcement purposes, other than material within the scope of 5 U.S.C. 552a(j)(2), which describes certain material related to the enforcement of criminal laws maintained by principal-function criminal law enforcement agencies. The Department therefore is proposing to claim an exemption from several provisions of the Privacy Act, including various access, amendment, disclosure of accounting, and certain record-keeping and notice requirements, to prevent, among other harms, the identification of actual or potential subjects of investigation and/or sources of investigative information and to avoid frustrating the underlying law enforcement purpose for which the records were collected.
Records in this system of records are only exempt from the Privacy Act to the extent the purposes underlying the exemption pertain to the record. A notice of a new system of records for DoD–0019, “Information Technology Access and Audit Records,” is also published in this issue of the Federal Register .
Regulatory Analysis
Executive Order 12866, “Regulatory Planning and Review” and Executive Order 13563, “Improving Regulation and Regulatory Review”
Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distribute impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. It has been determined that this rule is not a significant regulatory action.
Congressional Review Act (5 U.S.C. 804(2))
The Congressional Review Act, 5 U.S.C. 801 et seq., generally provides that before a rule may take effect, the agency promulgating the rule must submit a rule report, which includes a copy of the rule, to each House of the Congress and to the Comptroller General of the United States. DoD will submit a report containing this rule and other required information to the U.S. Senate, the U.S. House of Representatives, and the Comptroller General of the United States. A major rule may take effect no earlier than 60 calendar days after Congress receives the rule report or the rule is published in the Federal Register , whichever is later. This rule is not a “major rule” as defined by 5 U.S.C. 804(2).
Section 202, Public Law 104–4, “Unfunded Mandates Reform Act”
Section 202(a) of the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1532(a)) requires agencies to assess anticipated costs and benefits before issuing any rule whose mandates may result in the expenditure by State, local, and tribal governments in the aggregate, or by the private sector, in any one year of $100 million in 1995 dollars, updated annually for inflation. This rule will not mandate any requirements for State, local, or tribal governments, nor will it affect private sector costs.
Public Law 96–354, “Regulatory Flexibility Act” (5 U.S.C. 601 et seq.)
The Assistant to the Secretary of Defense for Privacy, Civil Liberties, and Transparency has certified that this rule is not subject to the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) because it would not, if promulgated, have a significant economic impact on a substantial number of small entities. This rule is concerned only with the administration of Privacy Act systems of records within the DoD. Therefore, the Regulatory Flexibility Act, as amended, does not require us to prepare a regulatory flexibility analysis.
Public Law 96–511, “Paperwork Reduction Act” (44 U.S.C. 3501 et seq.)
The Paperwork Reduction Act (44 U.S.C. 3501 et seq.) was enacted to minimize the paperwork burden for individuals; small businesses; educational and nonprofit institutions; Federal contractors; State, local and tribal governments; and other persons resulting from the collection of information by or for the Federal Government. The Act requires agencies obtain approval from the Office of Management and Budget before using identical questions to collect information from ten or more persons. This rule does not impose reporting or recordkeeping requirements on the public.
Executive Order 13132, “Federalism”
It has been determined that this rule does not have federalism implications. This rule does not have substantial direct effects on the States, on the relationship between the Federal Government and the States, or on the distribution of power and responsibilities among the various levels of government.
Executive Order 13175, “Consultation and Coordination With Indian Tribal Governments”
Executive Order 13175 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct compliance costs on one or more Indian tribes, preempts tribal law, or affects the distribution of power and responsibilities between the Federal Government and Indian tribes. This rule will not have a substantial effect on Indian tribal governments.
List of Subjects in 32 CFR Part 310
- Privacy
Accordingly, 32 CFR part 310 is proposed to be amended as follows:
PART 310—PROTECTION OF PRIVACY AND ACCESS TO AND AMENDEMENT OF INDIVIDUAL RECORDS UNDER THE PRIVACY ACT OF 1974
1. The authority citation for part 310 continues to read as follows:
Authority: 5 U.S.C. 552a.
2. Amend § 310.13 by adding paragraph (e)(14) to read as follows:
(e) * * *
(14) System identifier and name. DoD–0019, “Information Technology Access and Audit Records.”
(i) Exemptions. This system of records is exempt from 5 U.S.C. 552a (c)(3); (d)(1), (2), (3), and (4); (e)(1); (e)(4)(G), (H), and (I); and (f).
(ii) Authority. 5 U.S.C. 552a(k)(1) and (k)(2).
(iii) Exemption from the particular subsections. Exemption from the particular subsections is justified for the following reasons:
(A) Subsections (c)(3), (d)(1), and (d)(2).
(1) Exemption (k)(1). Records in this system of records may contain information that is properly classified pursuant to executive order. Application of exemption (k)(1) may be necessary because access to and amendment of the records, or release of the accounting of disclosures for such records, could reveal classified information. Disclosure of classified records to an individual may cause damage to national security.
( 2) Exemption (k)(2). Records in this system of records may contain investigatory material compiled for law enforcement purposes other than material within the scope of 5 U.S.C. 552a(j)(2). Application of exemption (k)(2) may be necessary because access to, amendment of, or release of the accounting of disclosures of such records could: inform the record subject of an investigation of the existence, nature, or scope of an actual or potential law enforcement or disciplinary investigation, and thereby seriously impede law enforcement efforts by permitting the record subject and other persons to whom he might disclose the records or the accounting of records to avoid criminal penalties, civil remedies, or disciplinary measures; interfere with a civil or administrative action or investigation by allowing the subject to tamper with witnesses or evidence, and to avoid detection or apprehension, which may undermine the entire investigatory process; reveal confidential sources who might not have otherwise come forward to assist in an investigation and thereby hinder DoD's ability to obtain information from future confidential sources; and result in an unwarranted invasion of the privacy of others. Amendment of such records could also impose a highly impracticable administrative burden by requiring investigations to be continuously reinvestigated.
(B) Subsections (d)(3) and (4). These subsections are inapplicable to the extent an exemption is claimed from subsections (d)(1) and (2). Accordingly, exemptions from subsections (d)(3) and (d)(4) are claimed pursuant to (k)(1) and (k)(2).
(C) Subsection (e)(1). Additionally, records within this system may be properly classified pursuant to executive order. The collection of information pertaining to the use of government information technology and data systems may include classified records, and it is not always possible to conclusively determine the relevance and necessity of such information in the early stages of a collection. In some instances, it will be only after the collected information is evaluated in light of other information that its relevance and necessity can be assessed. Further, disclosure of classified records to an individual may cause damage to national security. Additionally, in the collection of information for investigatory or law enforcement purposes it is not always possible to conclusively determine the relevance and necessity of particular information in the early stages of the investigation or adjudication. In some instances, it will be only after the collected information is evaluated in light of other information that its relevance and necessity for effective investigation and adjudication can be assessed. Collection of such information permits more informed decision-making by the Department when making required investigatory or law enforcement determinations. Accordingly, application of exemptions (k)(1) and (2) may be necessary.
(D) Subsections (e)(4)(G) and (H). These subsections are inapplicable to the extent exemption is claimed from subsections (d)(1) and (2).
(E) Subsection (e)(4)(I). To the extent that this provision is construed to require more detailed disclosure than the broad, generic information currently published in the system notice, an exemption from this provision is necessary to protect national security, the confidentiality of sources of information and to protect the privacy and physical safety of witnesses and informants. Accordingly, application of exemptions (k)(1) and (2) may be necessary.
(F) Subsection (f). The agency's rules are inapplicable to those portions of the system that are exempt. Accordingly, application of exemptions (k)(1) and (2) may be necessary.
(iv) Exempt records from other systems. In the course of carrying out the overall purpose for this system, exempt records from other systems of records may in turn become part of the records maintained in this system. To the extent that copies of exempt records from those other systems of records are maintained in this system, the DoD claims the same exemptions for the records from those other systems that are entered into this system, as claimed for the prior system(s) of which they are a part, provided the reason for the exemption remains valid and necessary.
Dated: August 24, 2023.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2023–18681 Filed 8–31–23; 8:45 am]
BILLING CODE 5001–06–P