[Federal Register Volume 86, Number 157 (Wednesday, August 18, 2021)]
[Notices]
[Pages 46243-46246]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-17639]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[FRL-8719-01-OMS]


Privacy Act of 1974; System of Records

AGENCY: Office of Mission Support (OMS), Environmental Protection 
Agency (EPA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The U.S. Environmental Protection Agency's (EPA), Office of 
Information Management (OIM) is giving notice that it proposes to 
modify a system of records pursuant to the provisions of the Privacy 
Act of 1974. Central Data Exchange-Customer Registration Subsystem 
(CDX-CRS) is being modified to officially change from Central Data 
Exchange Customer Registration Subsystem (CDX-CRS). The new name for 
the system will be called Central Data Exchange (CDX). Additionally, 
CDX will leverage cloud resources.

DATES: Persons wishing to comment on this system of records notice must 
do so by September 17, 2021. Modified routine uses for this modified 
system of records will be effective September 17, 2021.

ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OMS-2020-0139, by one of the following methods:
    Federal eRulemaking Portal: www.regulations.gov. Follow the online 
instructions for submitting comments.
    Email: docket_oms@epa.gov. Include the Docket ID number in the 
subject line of the message.
    Fax: 202-566-1752.
    Mail: OMS Docket, Environmental Protection Agency, Mail Code: 
2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
    Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 
1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are 
only accepted during the Docket's normal hours of operation, and 
special arrangements should be made for deliveries of boxed 
information.
    Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-
2020-0139. The EPA's policy is that all comments received will be 
included in the public docket without change and may be made available 
online at https://www.regulations.gov, including any personal 
information provided, unless the comment includes information claimed 
to be Controlled Unclassified Information (CUI) or other information 
for which disclosure is restricted by statute. Do not submit 
information that you consider to be CUI or otherwise protected through 
https://www.regulations.gov. The https://www.regulations.gov website is 
an ``anonymous access'' system for the EPA, which means the EPA will 
not know your identity or contact information. If you submit an 
electronic comment, the EPA recommends that you include your name and 
other contact information in the body of your comment. If the EPA 
cannot read your comment due to technical difficulties and cannot 
contact you for clarification, the EPA may not be able to consider your 
comment. If you send an email comment directly to the EPA without going 
through https://www.regulations.gov, your email address will be 
automatically captured and included as part of the comment that is 
placed in the public docket and made available on the internet. 
Electronic files should avoid the use of special characters, any form 
of encryption, and be free of any defects or viruses. For additional 
information about the EPA public docket, visit the EPA Docket Center 
homepage at https://www.epa.gov/dockets.
    Docket: All documents in the docket are listed in the https://www.regulations.gov index. Although listed in the index, some 
information is not publicly available, e.g., CUI or other information 
for which disclosure is restricted by statute. Certain other material, 
such as copyrighted material, will be publicly available only in hard 
copy. Publicly available docket materials are available either 
electronically in https://www.regulations.gov or in hard copy at the 
OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution 
Ave. NW, Washington, DC 20460. The Public Reading Room is normally open 
from 8:30 a.m. to 4:30 p.m., Monday through Friday excluding legal 
holidays. The telephone number for the Public Reading Room is (202) 
566-1744, and the telephone number for the OMS Docket is (202) 566-
1752.

Temporary Hours During COVID-19

    Out of an abundance of caution for members of the public and our 
staff, the EPA Docket Center and Reading Room are closed to the public, 
with limited exceptions, to reduce the risk of transmitting COVID-19. 
Our Docket Center staff will continue to provide remote customer 
service via email, phone, and webform. We encourage the public to 
submit comments via https://www.regulations.gov/ or email, as there may 
be a delay in processing mail and faxes. Hand deliveries and couriers 
may be received by scheduled appointment only. For further information 
on EPA Docket Center services and the current status, please visit us 
online at https://www.epa.gov/dockets.

FOR FURTHER INFORMATION CONTACT: U.S. EPA, Attn: Joe Carioti, U.S. EPA, 
Information Exchange Services Branch, 1200 Pennsylvania Ave. NW (Mail 
Code 2824T), Washington, DC 20460, Tel: 202-564-6413, Email: 
carioti.joe@epa.gov.

SUPPLEMENTARY INFORMATION: The information contained in records 
maintained in the CDX system are used to verify the identity of the 
individual,

[[Page 46244]]

inform users of the conditions and terms of using CDX, allow individual 
users to establish an account on CDX, provide individual users access 
to their CDX account for electronically filing compliance data or 
exchanging other forms of environmental data, allow individual users to 
customize, update or terminate their account with CDX, renew or revoke 
an individual user's account on CDX, support the CDX help desk 
functions, investigate possible fraud and verify compliance with 
program regulations, and initiate legal action against an individual 
involved in program fraud, abuse, or noncompliance. CDX records will be 
used to facilitate registering CDX system users, issuing a username and 
password, and subsequently, verifying an individual's identity as he/
she seeks to gain routine access to his/her account. In some cases, the 
user verification process will require EPA to contact the employer, 
based on the registration information provided by the user. The system 
has secondary uses that include using the established username to 
facilitate tracking service calls or emails from the user in the event 
that there is a change in registration status or the user has a problem 
with CDX; offering the user new CDX service options, and facilitating 
the retrieval of user actions (e.g., historical submissions and help 
tickets); and events while on the CDX system.
    The records may also be subsequently used for auditing or other 
internal purposes of the EPA, including but not limited to instances 
where enforcement of the conditions of using CDX are necessary; 
investigation of possible fraud involving a registered user; litigation 
purposes related to information reported to the agency; contacting the 
individual in the event of a system modification; a change to CDX; or 
modification, revocation or termination of user's access privileges to 
CDX.

SYSTEM NAME AND NUMBER:
    Central Data Exchange (CDX), EPA-52.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The CDX system is located at U.S. EPA National Computer Center, 109 
T.W. Alexander Drive, Research Triangle Park, NC 27711; additional 
locations include cloud environments located in Microsoft Azure East US 
1, East US 2 and Central US along with other partner sites in Virginia.

SYSTEM MANAGER(S):
    Joe Carioti, Branch Chief, U.S. EPA, Information Exchange Services 
Branch, 1200 Pennsylvania Ave. NW (Mail Code 2824T), Washington, DC 
20460. Tel: 202-564-6413, Email: carioti.joe@epa.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    In accordance with the Government Paperwork Elimination Act (44 
U.S.C. 3504), EPA's electronic compliance filing and environmental data 
exchange system will enable the ``acquisition and use of information 
technology, including alternative information technologies that provide 
for electronic submission, maintenance, or disclosure of information as 
a substitute for paper and for the use and acceptance of electronic 
signatures.'' Section 3504(a)(1)(B)(vi) of Title 44, United States 
Code. Authority is additionally regulated by the CROss-Media Electronic 
Reporting Rule (40 CFR part 3), as a regulatory alternative to paper 
reporting.

PURPOSE(S) OF THE SYSTEM:
    CDX is EPA's portal for electronically exchanging environmental 
data with external customers. Users with CDX accounts may choose to 
engage in secure, electronic filing of environmental documents as 
permitted under the Government Paperwork Elimination Act (GPEA).The 
information is also used to provide authenticated, protected access to 
the CDX system, thereby protecting CDX and CDX users from potential 
harm caused by individuals with malicious intentions gaining 
unauthorized access to the system.

CATEGORIES OF INDIVIDUALS COVERED BY SYSTEM:
    This system contains records on all individuals that have either 
attempted to register or have registered to obtain an account to use 
CDX for electronically exchanging data with EPA. Registered users of 
CDX may include representatives of industry, government or laboratories 
exchanging information with EPA through CDX.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system contains records for individuals' name, self- assigned 
username and security question, work title, work address and related 
work contact information (e.g., phone numbers, email address), 
supervisors' name and related contact information, information related 
to the EPA reporting program the individual is planning to 
electronically file or report under (e.g., EPA program ID # and EPA 
program role), and the method of reporting (e.g., web browser, file 
exchange). In cases where individuals are asked to electronically 
``sign'' certain EPA forms, CDX may request additional information 
items from an individual in order to safeguard their account and create 
secret questions/answers that only the individual should know.

RECORD SOURCE CATEGORIES:
    Information is obtained from individuals who have had or seek to 
have their identity authenticated.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The routine uses below are both related to and compatible with the 
original purpose for which the information was collected. The following 
general routine uses apply to this system (73 FR 2245):
    A. Disclosure for Law Enforcement Purposes: Information may be 
disclosed to the appropriate Federal, State, local, tribal, or foreign 
agency responsible for investigating, prosecuting, enforcing, or 
implementing a statute, rule, regulation, or order, if the information 
is relevant to a violation or potential violation of civil or criminal 
law or regulation within the jurisdiction of the receiving entity.
    B. Disclosure Incident to Requesting Information: Information may 
be disclosed to any source from which additional information is 
requested (to the extent necessary to identify the individual, inform 
the source of the purpose of the request, and to identify the type of 
information requested,) when necessary to obtain information relevant 
to an agency decision concerning retention of an employee or other 
personnel action (other than hiring,) retention of a security 
clearance, the letting of a contract, or the issuance or retention of a 
grant, or other benefit.
    C. Disclosure to Requesting Agency: Disclosure may be made to a 
Federal, State, local, foreign, or tribal or other public authority of 
the fact that this system of records contains information relevant to 
the retention of an employee, the retention of a security clearance, 
the letting of a contract, or the issuance or retention of a license, 
grant, or other benefit. The other agency or licensing organization may 
then make a request supported by the written consent of the individual 
for the entire record if it so chooses. No disclosure will be made 
unless the information has been determined to be sufficiently reliable 
to support a referral to another office within the agency or to another 
Federal agency for criminal, civil,

[[Page 46245]]

administrative, personnel, or regulatory action.
    D. Disclosure to Office of Management and Budget: Information may 
be disclosed to the Office of Management and Budget at any stage in the 
legislative coordination and clearance process in connection with 
private relief legislation as set forth in OMB Circular No. A-19.
    E. Disclosure to Congressional Offices: Information may be 
disclosed to a congressional office from the record of an individual in 
response to an inquiry from the congressional office made at the 
request of the individual.
    F. Disclosure to Department of Justice: Information may be 
disclosed to the Department of Justice, or in a proceeding before a 
court, adjudicative body, or other administrative body before which the 
Agency is authorized to appear, when:
    1. The Agency, or any component thereof;
    2. Any employee of the Agency in his or her official capacity;
    3. Any employee of the Agency in his or her individual capacity 
where the Department of Justice or the Agency have agreed to represent 
the employee; or
    4. The United States, if the Agency determines that litigation is 
likely to affect the Agency or any of its components,
    Is a party to litigation or has an interest in such litigation, and 
the use of such records by the Department of Justice or the Agency is 
deemed by the Agency to be relevant and necessary to the litigation 
provided, however, that in each case it has been determined that the 
disclosure is compatible with the purpose for which the records were 
collected.
    G. Disclosure to the National Archives: Information may be 
disclosed to the National Archives and Records Administration in 
records management inspections.
    H. Disclosure to Contractors, Grantees, and Others: Information may 
be disclosed to contractors, grantees, consultants, or volunteers 
performing or working on a contract, service, grant, cooperative 
agreement, job, or other activity for the Agency and who have a need to 
have access to the information in the performance of their duties or 
activities for the Agency. When appropriate, recipients will be 
required to comply with the requirements of the Privacy Act of 1974 as 
provided in 5 U.S.C. 552a(m).
    I. Disclosures for Administrative Claims, Complaints and Appeals: 
Information from this system of records may be disclosed to an 
authorized appeal grievance examiner, formal complaints examiner, equal 
employment opportunity investigator, arbitrator or other person 
properly engaged in investigation or settlement of an administrative 
grievance, complaint, claim, or appeal filed by an employee, but only 
to the extent that the information is relevant and necessary to the 
proceeding. Agencies that may obtain information under this routine use 
include, but are not limited to, the Office of Personnel Management, 
Office of Special Counsel, Merit Systems Protection Board, Federal 
Labor Relations Authority, Equal Employment Opportunity Commission, and 
Office of Government Ethics.
    J. Disclosure to the Office of Personnel Management: Information 
from this system of records may be disclosed to the Office of Personnel 
Management pursuant to that agency's responsibility for evaluation and 
oversight of Federal personnel management.
    K. Disclosure in Connection With Litigation: Information from this 
system of records may be disclosed in connection with litigation or 
settlement discussions regarding claims by or against the Agency, 
including public filing with a court, to the extent that disclosure of 
the information is relevant and necessary to the litigation or 
discussions and except where court orders are otherwise required under 
section (b)(11) of the Privacy Act of 1974, 5 U.S.C. 552a(b)(11).
    The two routine uses below (L and M) are required by OMB Memorandum 
M-17-12.
    L. Disclosure to Persons or Entities in Response to an Actual or 
Suspected Breach of Personally Identifiable Information: To appropriate 
agencies, entities, and persons when (1) the Agency suspects or has 
confirmed that there has been a breach of the system of records, (2) 
the Agency has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, the Agency 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the Agency's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    M. Disclosure To Assist Another Agency in Its Efforts To Respond to 
a Breach of Personally Identifiable Information: To another Federal 
agency or Federal entity, when the Agency determines that information 
from this system of records is reasonably necessary to assist the 
recipient agency or entity in (1) responding to a suspected or 
confirmed breach or (2) preventing, minimizing, or remedying the risk 
of harm to individuals, the recipient agency or entity (including its 
information systems, programs, and operations), the Federal Government, 
or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    These records are maintained electronically on computer storage 
devices such as computer disks. The computer storage devices are 
located at U.S. EPA National Computer Center, 109 T.W. Alexander Drive, 
Research Triangle Park, NC 27711, on cloud resources and partner sites. 
Backups will be maintained at a disaster recovery site.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrievable by the CDX username, program ID number, all 
or part of the individual's name, phone number, and email address.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The EPA will retain and dispose of these records in accordance with 
National Archives and Records Administration General Records Schedule 
20, Item 1.c. This 0097 schedule provides disposal authorization for 
electronic files and hard copy printouts created to monitor system 
usage, including but not limited to log-in files, audit trail files, 
system usage files, and cost-back files used to access charges for 
system use. Records will be deleted or destroyed according to EPA 
Records Schedule 0097.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Security controls used to protect personal sensitive data in 
Central Data Exchange (CDX) are commensurate with those required for an 
information system rated moderate for confidentiality, integrity, and 
availability, as prescribed in NIST Special Publication, 800-53, 
``Security and Privacy Controls for Information Systems and 
Organizations,'' Revision 4.
    1. Administrative Safeguards: The system will be operated and 
maintained by EPA or organizations under contract with the EPA 
(henceforth referred to as ``EPA''). EPA has minimized the risk of 
unauthorized access to the system by establishing a secure environment 
for exchanging electronic information.
    3. Physical Safeguards: Physical access to the data system housed 
within the facility is controlled by a

[[Page 46246]]

computerized badge reading system, and the entire complex is patrolled 
by security during non-business hours. The computer system offers a 
high degree of resistance to tampering and circumvention. Multiple 
levels of security are maintained with the computer system control 
program.
    4. Logical Access Safeguards (Technical): The individual 
registering for CDX will generate a self-assigned passwords that will 
be stored in CDX, but it will only be accessible to the registering 
individual. To restore passwords additional secrets will be provided by 
individual and validated along with email or other out-of-band factor 
such as registered mobile phone using a 1-time passphrase.

RECORD ACCESS PROCEDURES:
    Individuals seeking access to information in this system of records 
about themselves are required to provide adequate identification (e.g., 
driver's license, military identification card, employee badge or 
identification card). Additional identity verification procedures may 
be required, as warranted. Requests must meet the requirements of EPA 
regulations that implement the Privacy Act of 1974, at 40 CFR part 16.

CONTESTING RECORDS PROCEDURES:
    Requests for correction or amendment must identify the record to be 
changed and the corrective action sought. Complete EPA Privacy Act 
procedures are described in EPA's Privacy Act regulations at 40 CFR 
part 16.

NOTIFICATION PROCEDURE:
    Any individual who wants to know whether this system of records 
contains a record about him or her, should make a written request to 
the Attn: Agency Privacy Officer, MC 2831T, 1200 Pennsylvania Ave., NW, 
Washington, DC 20460, privacy@epa.gov.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Notice of a New System of Records [Federal Register Vol 67, No. 52 
(Monday, March 18, 2002)] Amendment to System of Records Notice 
[Federal Register Vol 68, No. 235 (Monday, December 8, 2003)].

Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2021-17639 Filed 8-17-21; 8:45 am]
BILLING CODE 6560-50-P


