[Federal Register Volume 86, Number 77 (Friday, April 23, 2021)]
[Notices]
[Pages 21727-21729]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-08486]


=======================================================================
-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[FRL-10022-45-OMS]


Privacy Act of 1974; System of Records

AGENCY: Office of Mission Support (OMS), Environmental Protection 
Agency (EPA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The U.S. Environmental Protection Agency's (EPA), Office of 
Mission Support is giving notice that it proposes to publish a modified 
system of records pursuant to the provisions of the Privacy Act of 
1974. FOIAonline, EPA's Freedom of Information Act (FOIA) Request and 
Appeal File system of records is being modified to include all 
information and data elements that are being collected by the EPA and 
participating agencies as it relates to FOIA requests, appeals 
consultations and referrals. The purpose of this modification is to 
provide notice that; the FOIA Request and Appeal File system has been 
upgraded and deployed to a cloud hosted Amazon Web Services 
environment; the FOIA Request and Appeal File system of records is 
being modified to add additional routine uses and to change its name to 
FOIAonline. to change its name to FOIAonline.

DATES: Persons wishing to comment on this system of records notice must 
do so by May 24, 2021. New routine uses for this new system of records 
will be effective May 24, 2021.

ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OMS-2020-0231, by one of the following methods:
    Regulations.gov: www.regulations.gov Follow the online instructions 
for submitting comments.
    Email: oei.docket@epa.gov.
    Fax: 202-566-1752.
    Mail: OMS Docket, Environmental Protection Agency, Mail Code: 
2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
    Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 
1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are 
only accepted during the Docket's normal hours of operation, and 
special arrangements should be made for deliveries of boxed 
information.
    Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-
2020-0231. The EPA policy is that all comments received will be 
included in the public docket without change and may be made available 
online at www.regulations.gov, including any personal information 
provided, unless the comment includes information claimed to be 
Controlled Unclassified Information (CUI) or other information for 
which disclosure is restricted by statute. Do not submit information 
that you consider to be CUI or otherwise protected through 
www.regulations.gov. The www.regulations.gov website is an ``anonymous 
access'' system for EPA, which means the EPA will not know your 
identity or contact information unless you provide it in the body of 
your comment. Each agency determines submission requirements within 
their own internal processes and standards. EPA has no requirement for 
personal information. If you send an email comment directly to the EPA 
without going through www.regulations.gov your email address will be 
automatically captured and included as part of the comment that is 
placed in the public docket and made available on the internet. If you 
submit an electronic comment, the EPA recommends that you include your 
name and other contact information in the body of your comment. If the 
EPA cannot read your comment due to technical difficulties and cannot 
contact you for clarification, the EPA may not be able to consider your 
comment. Electronic files should avoid the use of special characters, 
any form of encryption, and be free of any defects or viruses. For 
additional information about the EPA public docket, visit the EPA 
Docket Center homepage at http://www.epa.gov/epahome/dockets.htm.
    Docket: All documents in the docket are listed in the 
www.regulations.gov index. Although listed in the index, some 
information is not publicly available, e.g., CUI or other information 
for which disclosure is restricted by statute. Certain other material, 
such as copyrighted material, will be publicly available only in hard 
copy. Publicly available docket materials are available either 
electronically on www.regulations.gov or in hard copy at the OMS 
Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. 
NW, Washington. DC 20460. The Public Reading Room is open from 8:30 
a.m. to 4:30 p.m., Monday through Friday excluding legal holidays. The 
telephone number for the Public Reading Room is (202) 566-1744, and the 
telephone number for the OMS Docket is (202) 566-1752.

Temporary Hours During COVID-19

    Out of an abundance of caution for members of the public and our 
staff, the EPA Docket Center and Reading Room are closed to the public, 
with limited exceptions, to reduce the risk of transmitting COVID-19. 
Our Docket Center staff will continue to provide remote customer 
service via email, phone, and webform. We encourage the public to 
submit comments via www.regulations.gov or email, as there may be a 
delay in processing mail and faxes. Hand deliveries and couriers may be 
received by scheduled appointment only. For further information on EPA 
Docket Center services and the current status, please visit us online 
at www.epa.gov/dockets. The telephone number for the Public Reading 
Room is (202) 566-1744, and the telephone number for the OMS Docket is 
(202) 566-1752.

FOR FURTHER INFORMATION CONTACT: Tim Crawford, eDiscovery Division, 
Office of Mission Support, Office, (202) 566-1574, U.S. EPA, Office of 
Environmental Information, MC 2282T, 1200 Pennsylvania Ave. NW, 
Washington, DC 20460.

SUPPLEMENTARY INFORMATION: The FOIAonline (EPA-9) system contains a 
copy of each FOIA request, appeal, consultation, and referral received 
by the EPA and a copy of related correspondence, including name, 
affiliation address, telephone numbers, and other information about a 
requester. FOIAonline is managed and used by the EPA and other agencies 
to process, track and respond to FOIA requests, appeals, consultations, 
and referrals. The FOIAonline system provides the EPA and partner 
agencies with a secure and protected website to electronically receive, 
process, track, and store requests and appeals from the public for 
federal records; post responsive records to a website; collect data for 
annual reporting requirements to the Department of Justice and manage 
internal FOIA administration activities. In addition, the FOIAonline 
system allows the public to submit and track

[[Page 21728]]

FOIA requests and appeals; access requests and responsive records 
online and obtain the status of requests filed with the EPA and partner 
agencies. Social security numbers and other types of personally 
identifiable information may be provided in requests submitted by the 
public or may appear in responsive documents. With the exception of a 
requester's name, any other personally identifiable information (e.g., 
home addresses, email address, and other contact information) provided 
by a requester during the process of completing the online request form 
or creating an online account will not be posted to the public-facing 
version of the website, nor will it be searchable by the public. 
Personally identifiable information determined to be publicly 
releasable and contained in documents released to the public under FOIA 
(e.g., the names and official contact information of government 
employees) will be publicly available and searchable by the public if 
posted by a participating agency. Individuals accessing the system are 
government employees and members of the public.
SYSTEM NAME AND NUMBER:
    FOIAonline EPA-09.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Amazon Web Service US East (Northern Virginia) and Amazon Web 
Service US East (Ohio).

SYSTEM MANAGER(S):
    Tim Crawford, crawford.tim@epa.gov, U.S. EPA, Office of 
Environmental Information, MC 2822T, 1200 Pennsylvania Ave. NW, 
Washington, DC 20460.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Freedom of Information Act, 5 U.S.C 552.

PURPOSE OF THE SYSTEM:
    To provide the public a single location to submit and track FOIA 
requests appeals, consultations and referrals filed with the EPA and 
participating agencies, to manage EPA FOIA administration activities 
and to collect data for annual reporting requirements to the Department 
of Justice.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    All persons filing FOIA requests, appeals, consultations or 
referrals and those whose personally identifiable information may 
appear in records collected for FOIA request responses.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Freedom of Information Act (FOIA) requests, appeals, consultations 
and referrals received by the EPA and other participating agencies, and 
correspondence related to the request, which may include individuals' 
names, mailing addresses, email addresses, phone numbers, social 
security numbers, dates of birth, alias(es) used by the requester, 
alien numbers assigned to travelers crossing national borders, 
requesters' parents' names, FOIA tracking numbers, dates requests are 
submitted and received, related appeals and agency responses. Records 
also include EPA FOIA administrative documents and responsive records.

RECORD SOURCE CATEGORIES:
    Records maintained by federal agencies subject to the Freedom of 
Information Act.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The following routine uses apply to this system because the use of 
the record is necessary for the efficient conduct of government 
operations. General routine uses A, E, F, G, H, K, and L apply to this 
system. Records may also be disclosed to:
    1. Another federal agency (a) with an interest in the record in 
connection with a referral of a Freedom of Information Act (FOIA) 
request to that agency for its views or decision on disclosure, or (b) 
in order to obtain advice and recommendations concerning matters on 
which the agency has specialized experience or particular competence 
that may be useful to an agency in making required determinations under 
the FOIA.
    2. To the National Archives and Records Administration, Office of 
Government Information Services (OGIS), to the extent necessary to 
fulfill its responsibilities in 5 U.S.C. 552(h), to review 
administrative agency policies, procedures and compliance with the 
Freedom of Information Act (FOIA), and to facilitate OGIS' offering of 
mediation services to resolve disputes between persons making FOIA 
requests and administrative agencies.
    In addition, the two routine uses below (L and M) are required by 
OMB M-17-12. The routine uses are related to and compatible with the 
original purpose for which the information was collected.
    L. Disclosure to Persons or Entities in Response to an Actual or 
Suspected Breach of Personally Identifiable Information. To appropriate 
agencies, entities, and persons when (1) the Agency suspects or has 
confirmed that there has been a breach of the system of records, (2) 
the Agency has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, the Agency 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the Agency's efforts to respond to the actual 
or suspected breach or to prevent, minimize, or remedy such harm.
    M. Disclosure to assist another agency in its efforts to respond to 
a breach. To another Federal agency or Federal entity, when the Agency 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a actual or suspected breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a actual 
or suspected breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored in file folders in lockable file cabinets. 
Records are also stored in a secure, password protected electronic 
system that utilizes security hardware and software to include multiple 
firewalls, active intruder protection and role-based access controls. 
Additional safeguards vary by participating agencies.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Requests are retrieved from the system by numerous data elements 
and key word searches, including name, agency, dates, subject, FOIA 
tracking number and other information retrievable with full-text 
searching capability.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Each federal agency handles its records in accordance with its 
records schedule as approved by the National Archives and Records 
Administration (NARA). FOIA records are covered under NARA General 
Record Schedule 14--Information Services Records that includes a 
retention period of six years unless a participating agency's records 
are managed under other record schedules approved by NARA.

[[Page 21729]]

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Security controls used to protect personally identifiable 
information in FOIAonline are commensurate with those required for an 
information system rated moderate for confidentiality, integrity, and 
availability, as prescribed in the National Institute of Standards and 
Technology (NIST) Special Publication, 800-53, ``Security and Privacy 
Controls for Federal Information Systems and Organizations.''
    1. Administrative Safeguards: EPA and partner agency users follow 
annual security training requirements of their organization. Annually, 
EPA and partner agencies acknowledge and accept ``Rules of Behavior'' 
that describe user responsibilities and expected behavior regarding 
information system usage. Each agency administrator is responsible for 
ensuring account requests are approved before accounts are created. 
Each agency administrator is responsible for establishing, activating, 
modifying, disabling, and removing accounts for their agency and 
ensuring their established account management protocols are followed. 
Each agency administrator is responsible for monitoring agency 
accounts. Each agency administrator is responsible for disabling 
accounts when accounts are no longer required; when users are 
terminated or transferred; and when individual information system usage 
or need-to-know changes. Each agency administrator is responsible for 
granting access to the system based on: (i) A valid access 
authorization; (ii) intended system usage; and (iii) other attributes 
as required by the respective agency.
    2. Technical Safeguards: All NIST 800-53 moderate baseline 
technical safeguards are built into the FOIAonline application and 
supporting infrastructure including automated account management locks 
and reset protocols due to inactivity or cyclical renewals. Accounts 
must be refreshed after 30 business days of inactivity and are disabled 
after one year of inactivity. Disabled accounts require reactivation by 
the FOIAonline Help Desk after approval by the agency's Point of 
Contact. System administration and technical support accounts include 
the ability to reinstate accounts that have been disabled. System 
administration and technical support users are required to follow the 
system's rules of behavior and confidentiality requirements defined in 
contract conditions renewed annually.
    3. Physical Safeguards: The Physical Environment control is fully 
inherited from the Amazon Web Service (AWS) physical data center. AWS 
provides physical data center access only to approved employees. All 
employees who need data center access must first apply for access and 
provide a valid business justification. These requests are granted 
based on the principle of least privilege, where requests must specify 
to which layer of the data center the individual needs access and are 
time-bound. Requests are reviewed and approved by authorized personnel, 
and access is revoked after the requested time expires. Once granted 
admittance, individuals are restricted to areas specified in their 
permissions.

RECORD ACCESS PROCEDURES:
    Individuals seeking access to their own personal information in 
this system of records may be required to provide adequate 
identification (e.g., driver's license, military identification card, 
employee badge or identification card) as dictated by the request 
receiving agency. Individuals who create accounts in the system have 
the ability to edit the contact information they provided when 
submitting a request. Additional identity verification procedures may 
be required as warranted. Requests must meet the requirements of EPA 
regulations at 40 CFR part 16.

CONTESTING RECORD PROCEDURES:
    Requests for correction or amendment must identify the record to be 
changed and the corrective action sought. Complete EPA Privacy Act 
procedures are described in EPA's Privacy Act regulations at 40 CFR 
part 16.

NOTIFICATION PROCEDURE:
    Any individual who wants to know whether this system of records 
contains a record about him or her, should make a written request to 
the Attn: Agency Privacy Officer, MC 2831T, 1200 Pennsylvania Ave. NW, 
Washington, DC 20460, or electronically to privacy@epa.gov.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    [FRL-9955-30-OEI]; FR./Vol. 81, Nov. 22/Thursday November 17, 2016. 
P 81096.

Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2021-08486 Filed 4-22-21; 8:45 am]
BILLING CODE 6560-50-P


