[Federal Register Volume 87, Number 213 (Friday, November 4, 2022)]
[Notices]
[Pages 66692-66694]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-24102]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[FRL-10149-01-OMS]


Privacy Act of 1974; System of Records

AGENCY: Office of Mission Support (OMS), Environmental Protection 
Agency (EPA).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The U.S. Environmental Protection Agency's (EPA) Office of 
Mission Support is giving notice that it proposes to create a new 
system of records pursuant to the provisions of the Privacy Act of 
1974. The Data Management and Analytics Platform (DMAP) is an existing 
analytical tool that EPA uses to store data and to create data maps, 
pie charts, and run statistics. EPA intends to expand DMAP to include 
personally identifiable information already collected by the EPA from 
databases recording drinking water intake locations; EPA property 
databases; and EPA personnel information databases.

DATES: Persons wishing to comment on this system of records notice must 
do so by December 5, 2022. New routine uses for this new system of 
records will be effective December 5, 2022.

ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OMS-2022-0383, by one of the following methods:
    Federal eRulemaking Portal: https://www.regulations.gov. Follow the 
online instructions for submitting comments.
    Email: [email protected]. Include the Docket ID number in the 
subject line of the message.
    Fax: (202) 566-1752.
    Mail: OMS Docket, Environmental Protection Agency, Mail Code: 
2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
    Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 
1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are 
only accepted during the Docket's normal hours of operation, and 
special arrangements should be made for deliveries of boxed 
information.
    Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-
2022-0383. The EPA's policy is that all comments received will be 
included in the public docket without change and may be made available 
online at https://www.regulations.gov, including any personal 
information provided, unless the comment includes information claimed 
to be Controlled Unclassified Information (CUI) or other information 
for which disclosure is restricted by statute. Do not submit 
information that you consider to be CUI or otherwise protected through 
https://www.regulations.gov. The https://www.regulations.gov website is 
an ``anonymous access'' system for the EPA, which means the EPA will 
not know your identity or contact information. If you submit an 
electronic comment, the EPA recommends that you include your name and 
other contact information in the body of your comment. If the EPA 
cannot read your comment due to technical difficulties and cannot 
contact you for clarification, the EPA may not be able to consider your 
comment. If you send an email comment directly to the EPA without going 
through https://www.regulations.gov, your email address will be 
automatically captured and included as part of the comment that is 
placed in the public docket and made available on the internet. 
Electronic files should avoid the use of special characters, any form 
of encryption, and be free of any defects or viruses. For additional 
information about the EPA public docket, visit the EPA Docket Center 
homepage at https://www.epa.gov/dockets.
    Docket: All documents in the docket are listed in the https://www.regulations.gov index. Although listed in the index, some 
information is not publicly available, e.g., CUI or other information 
for which disclosure is restricted by statute. Certain other material, 
such as copyrighted material, will be publicly available only in hard 
copy. Publicly available docket materials are available either 
electronically in https://www.regulations.gov or in hard copy at the 
OMS Docket, EPA/DC, WJC West

[[Page 66693]]

Building, Room 3334, 1301 Constitution Ave. NW, Washington, DC 20460. 
The Public Reading Room is normally open from 8:30 a.m. to 4:30 p.m., 
Monday through Friday excluding legal holidays. The telephone number 
for the Public Reading Room is (202) 566-1744, and the telephone number 
for the OMS Docket is (202) 566-1752. Further information about EPA 
Docket Center services and current operating status is available at 
https://www.epa.gov/dockets.

FOR FURTHER INFORMATION CONTACT: [email protected], to the 
attention of DMAP System Owner: Shane Knipschild.

SUPPLEMENTARY INFORMATION: EPA's Data Management and Analytics Platform 
(DMAP) is designed to help users better understand environmental data 
by allowing them to visualize them in graphics, like maps and pie 
charts, and combine them together across data systems. DMAP is 
available to EPA agency employees and partners who have a mission-based 
need to access the data therein. DMAP users maintain control over the 
workspaces created for them and may use the system to develop analytic 
products as needed to support mission needs. DMAP is populated by data 
from other EPA systems as well as data purchased under commercial 
license. EPA intends to expand DMAP to include personally identifiable 
information already collected by the EPA from these sources.

SYSTEM NAME AND NUMBER:
    Data Management and Analytics Platform (DMAP), EPA-97.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The system is managed by the Office of Mission Support, 
Environmental Protection Agency, 1301 Constitution Ave. NW, Washington, 
DC 20460. Electronically stored information is hosted at Amazon Web 
Services US East (Northern Virginia).

SYSTEM MANAGER(S):
    Shane Knipschild, Program Analyst, 1301 Constitution Avenue NW 
Washington, DC 20460, 202-566-2712, [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    44 U.S.C. 3506, Federal Agency Responsibilities; 5 U.S.C. 301, 
Departmental Regulations; 40 U.S.C. 1401, the Clinger-Cohen Act; and 44 
U.S.C. 3541 et seq., Federal Information Security Modernization Act of 
2014; Public Law 107-347.

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to provide EPA staff and partners 
with a platform to access and analyze data sets collected from other 
EPA managed systems and purchased commercial sources. DMAP allows EPA 
staff and contractors to combine these data in analytic views such as 
maps and dashboards. EPA intends to use DMAP for administrative 
purposes, such as provision of information technology services in EPA 
facilities and to use DMAP in support of its programmatic activities, 
such as to facilitate other statistical analysis of the data across the 
source systems.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The categories of individuals on whom records will be maintained 
include federal employees, contractors and members of the public.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records maintained in the system will include contact email, 
contact extension, contact name, and contact phone number, property 
owner name, property address and coordinate location information.

RECORD SOURCE CATEGORIES:
    The categories of sources of the records in the system include data 
from internal EPA systems, such as ServiceNow (EPA-78) and Emergency 
Response (EPA-74) as well as data purchased under commercial license.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The routine uses below are both related to and compatible with the 
original purpose for which the information was collected. The following 
general routine uses apply to this system (86 FR 62527): A, D, E, F, G, 
H, I, J, K, L, M.
    Additional routine uses that apply to this system are:
    1. Records may be disclosed to federal, state, local, and tribal 
authorities in conformity with federal, state, local, and tribal laws 
when necessary to protect the environment or public health or safety, 
including carrying out an investigation or response.
    2. In case of emergency, EPA may share information with members of 
the public to assure protection of the environment or public health and 
safety.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    These records are maintained electronically via EPA-managed cloud-
based storage services. The cloud storage services are located at 
Amazon Web Services East (Northern Virginia), and are managed by Office 
of Mission Support, Office of Information Management, Information 
Access and Analysis Division. Backup files will be maintained according 
to EPA backup protocols as documented in FISMA compliant DMAP system 
security plan. Digital records are maintained in a secure password 
protected environment and are encrypted. Access to digital records is 
limited to those who have a need to know. Permission level assignments 
will allow users access only to those functions for which they are 
authorized. All records are maintained in encrypted formats and in 
restricted folders.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Personal information will be retrieved by contact name, contact 
email, contact extension, contact phone number, or address.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    DMAP follows the EPA Records Policy for retention and disposal, per 
schedule 1012 (Information and Technology Management) and schedule 1049 
(Information Access and Protection Records). https://www.epa.gov/records/epa-records-policy-and-guidance.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Security controls used to protect personal sensitive data in DMAP 
are commensurate with those required for an information system rated 
MODERATE for confidentiality, integrity, and availability, as 
prescribed in National Institute of Standards and Technology (NIST) 
Special Publication, 800-53, ``Security and Privacy Controls for 
Information Systems and Organizations,'' Revision 5.
    1. Administrative Safeguards: Those accessing the DMAP system are 
required to complete annual privacy and security trainings. Background 
checks and PIV cards are required for system administrators.
    2. Technical Safeguards: Information is maintained in a secure 
username/password protected environment. Permission-level assignments 
allow users access only to those functions for which they are 
authorized. Audit logs are reviewed on a monthly basis to identify 
system access outside of normal business hours, anomalous user accounts 
or server names, or login failures. No external access to DMAP is

[[Page 66694]]

available without formal onboarding through system administrators.
    3. Physical Safeguards: Access to all information and hardware is 
maintained in a secure, access-controlled facility managed under 
conditions specified in EPA's AWS cloud provider agreement.

RECORD ACCESS PROCEDURES:
    All requests for access to personal records should cite the Privacy 
Act of 1974 and reference the type of request being made (i.e., 
access). Requests must include: (1) the name and signature of the 
individual making the request; (2) the name of the Privacy Act system 
of records to which the request relates; (3) a statement whether a 
personal inspection of the records or a copy of them by mail is 
desired; and (4) proof of identity. A full description of EPA's Privacy 
Act procedures for requesting access to records is included in EPA's 
Privacy Act regulations at 40 CFR part 16.

CONTESTING RECORD PROCEDURES:
    Requests for correction or amendment must include: (1) the name and 
signature of the individual making the request; (2) the name of the 
Privacy Act system of records to which the request relates; (3) a 
description of the information sought to be corrected or amended and 
the specific reasons for the correction or amendment; and (4) proof of 
identity. A full description of EPA's Privacy Act procedures for the 
correction or amendment of a record is included in EPA's Privacy Act 
regulations at 40 CFR part 16.

NOTIFICATION PROCEDURES:
    Individuals who wish to be informed whether a Privacy Act system of 
records maintained by EPA contains any record pertaining to them, 
should make a written request to the EPA, Attn: Agency Privacy Officer, 
MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, or by email 
at: [email protected]. A full description of EPA's Privacy Act procedures 
is included in EPA's Privacy Act regulations at 40 CFR part 16.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2022-24102 Filed 11-3-22; 8:45 am]
BILLING CODE 6560-50-P


