Skip to Content

Notice

Privacy Act; Systems of Records

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Department of Veteran Affairs (VA).

ACTION:

Notice of establishment of new system of records.

SUMMARY:

The Privacy Act of 1974 (5 U.S.C. 552a (e) (4)) requires that all agencies publish in the Federal Register a notice of the existence and character of their system of records. Notice is hereby given that the Department of Veterans Affairs (VA) is establishing a new system of records entitled “Veterans Information Solution (VIS)—VA” (137VA005Q).

DATES:

Comments on this new system of records must be received no later than August 27, 2009. If no public comment is received, the new system will become effective August 27, 2009.

ADDRESSES:

Written comments may be submitted through http://www.Regulations.gov;​ by mail or hand-delivery to the Director, Regulations Management (00REG), Department of Veterans Affairs, 810 Vermont Avenue, NW., Room 1063B, Washington, DC 20420; or by fax to (202) 273-9026. Copies of comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours of 8 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 for an appointment. In addition, during the comment period, comments may be viewed online through the Federal Docket Management System (FDMS).

Start Further Info

FOR FURTHER INFORMATION CONTACT:

David Lindsey, Program Manager, VADIR, Registration and Eligibility (005Q3), 810 Vermont Avenue, NW., Washington, DC 20420; telephone (202) 245-1679.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

a. Description of Proposed System of Records

VIS is an Intranet-based application that provides a consolidated view of information gathered from the Beneficiary Identification and Record Locator Subsystem (BIRLS), the Veterans Affairs/Department of Defense Identity Repository (VADIR), the Benefits Delivery Network (BDN), and the Rating Board Automation (RBA2000) corporate database for determination of eligibility for veteran's benefits. VIS provides a read only view of a subset of the data contained within these databases listed; VIS does not provide updates to any of these systems, nor does it retain any of the data gathered from these systems. Once the user request has been fulfilled, the data is expunged from the system.

b. Proposed Routine Use Disclosures of Data in the System

VA is proposing to establish the following Routine Use disclosures of data accessed by the VIS application from the identified data sources:

1. The record of an individual included in this system may be provided to Department of Defense (DoD) systems or offices for use in connection with matters relating to one of DoD's programs to enable delivery of healthcare or other DoD benefit to eligible beneficiaries.

2. The name, address, VA file number, effective date of compensation or pension, current and historical benefit pay amounts for compensation or pension, service information, date of birth, competency payment status, incarceration status, and social security number of veterans and their surviving spouses may be disclosed to the Department of Defense Manpower Data Center (DMDC) to reconcile the amount and/or waiver of service, department and retired pay. These records may also be disclosed as part of a computer matching program to accomplish these purposes.

3. The name, address, VA file number, date of birth, date of death, social security number, and service information may be disclosed to DoD's DMDC. DoD will use this information to identify retired veterans and dependent members of their families who have entitlement to Department of Defense benefits but who are not identified in the Department of Defense Enrollment Eligibility Reporting System (DEERS) program and to assist in determining eligibility for Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) benefits. This purpose is consistent with 38 U.S.C. 5701.

4. VA may disclose on its own initiative any information in this system, except the names and addresses of veterans and their dependents, that is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal, or regulatory in nature and whether arising by general or program statute or by regulation, rule, or order issued pursuant thereto, a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule, or order. VA may also disclose on its own initiative the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order issued pursuant thereto.

5. VA may disclose any information or records to appropriate agencies, entities, and persons when (1) it is suspected or confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) VA has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the records subjects, harm to economic or property interest, identity theft or fraud, or harm to the security, confidentiality or integrity of this system or other systems or programs (whether maintained by VA or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is made to such agencies, entities, and persons whom VA determines are reasonably necessary to assist or carry out VA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by VA to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision or credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

6. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

7. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress, or a staff person acting for the member, when the member or staff person requests the record on behalf of and at the written request of the individual.

8. The name(s) and address(es) of a veteran may be disclosed to another Federal agency or to a contractor of that agency, at the written request of the Start Printed Page 37310head of that agency or designee of the head of that agency for the purpose of conducting government research necessary to accomplish a statutory purpose of that agency.

9. VA may disclose information in the system of records to the Department of Justice (DOJ), either on VA's initiative or in response to DOJ's request for the information, after either VA or DOJ determines that such information is relevant to DOJ's representation of the United States or any of its components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines prior to disclosure that release of records to the DOJ is a use of information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

10. Where VA determines that there is good cause to question the legality or ethical propriety of the conduct of a person or organization representing a person in a matter before VA, a record from this system may be disclosed, on VA's initiative, to any or all of the following: (1) Applicable civil or criminal law enforcement authorities and (2) a person or entity responsible for the licensing, supervision, or professional discipline of the person or organization acting as representative. Name and home addresses of veterans and their dependents will be released on VA's initiative under this routine use only to Federal entities when VA believes that the names and addresses are required by the Federal department or agency.

11. Disclosure of relevant information may be made to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor or entity or individual with whom VA has an agreement or contract to perform the services of the contract or agreement.

12. Disclosure may be made to the National Archives and Records Administration or the General Services Administration in records management inspections conducted under authority of Title 44 U.S.C.

c. Search Capability—Users may only gain access to the VIS application if they provide a valid user ID, password, and station number. Upon successful login and authentication to the VIS application, users are provided a search screen. Search criteria may include either name or one of the following numeric entries: SSN, File Number, and Service Number.

d. Sensitive Records—The VIS application notifies users when an attempt is made in violation of sensitivity levels. These notifications occur when an authorized user attempts to view the veteran information that has a higher sensitivity level ranking than he or she has been granted.

e. Design Constraints—The VIS system sits within the Austin Automation Center in Austin, Texas; therefore it must conform to the requirements and standards established for those environments. This includes requirements such as access control to the systems, revision/patch levels for hardware operating systems and database management systems, and use of security tools such as antivirus software, intrusion detection software and spyware.

f. Certification & Accreditation—The VIS system has gone through the Certification & Accreditation (C&A) process. During this process, the system underwent a series of risk and security assessments and had extensive documentation developed to support the integrity of the system. The VA C&A process is used to certify that the VIS system has adequate logical, management and technical security controls in place that minimize the system's risk to unauthorized access and disclosure.

g. Privacy Impact Assessment—The VIS system has had a comprehensive Privacy Impact Assessment conducted on it to ensure that the privacy of the information contained within the system is adequately protected according to VA and Office of Management and Budget (OMB) privacy and security standards.

h. Internal Communications Architecture—Information is requested by VIS from the VADIR, BIRLS, BDN and RBA2000 systems and displayed for the requestor. All data transmissions associated with these data requests are over the internal VA network using approved security protocols to protect the data.

i. Compatibility of the Proposed Routine Uses—The Privacy Act permits the VA to disclose information about the individuals contained in a system of records without their consent for a routine use, when the information will be used for a purpose that is compatible with the purpose for which the information was collected. In all of the routine use disclosures described above, either the recipient of the information will use the information in connection with a matter relating to one of VA's programs, to provide a benefit to the veteran, or disclosure is required by law. The notice of intent to publish an advance copy of the system notice has been sent to the appropriate Congressional committees and to the Director of OMB as required by 5 U.S.C. 552a(r) (Privacy Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Start Signature

Approved: July 10, 2009.

John R. Gingrich,

Chief of Staff, Department of Veterans Affairs.

End Signature

137VA005Q

SYSTEM NAME:

“Veterans Information Solution (VIS)—VA” (137VA005Q).

SYSTEM LOCATION:

The VIS application is located in the Austin Automation Center (AAC), 1615 East Woodward Street, Austin, Texas 78772. A second VIS disaster recovery site is planned to be stood up in FY09 at the Veterans Affairs (VA) data center in Hines, Illinois.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The category of the individuals covered by the VIS application include Veterans and their dependents whose information is provided to VIS via the Beneficiary Identification and Record Locator Subsystem (BIRLS), the Veterans Affairs/Department of Defense Identity Repository (VADIR), the Benefits Delivery Network (BDN), and the Rating Board Automation (RBA2000) corporate database.

CATEGORIES OF RECORDS IN THE SYSTEM:

The record, or information contained in the record, may include identifying information (e.g., name, address, social security number); military service and active duty separation information (e.g., name, service number, date of birth, rank, sex, total amount of active service, branch of service, character of service, pay grade, assigned separation reason, whether Veteran was discharged with a disability, types of disabilities, served in Vietnam Conflict, reenlisted, received a Purple Heart or other military decoration); personal information (e.g., marital status, name and address of dependents, occupation, amount of education of a Veteran or a dependent, dependent's relationship to Veteran).Start Printed Page 37311

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Title 38, United States Code, Part II, Chapters 11, 13, 15, 17, 18, 19 and 23.

PURPOSE:

VIS is an Intranet-based application that provides a consolidated view of information gathered from the BIRLS, VADIR, BDN, and RBA2000 systems for determination of eligibility for Veteran's benefits. VIS provides a read only view of a subset of the data contained within these databases listed; VIS does not provide updates to any of these systems, nor does it retain any of the data gathered from these systems. Once the user request has been fulfilled, the data is expunged from the system.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

1. The record of an individual included in this system may be provided to Department of Defense (DoD) systems or offices for use in connection with matters relating to one of DoD's programs to enable delivery of healthcare or other DoD benefit to eligible beneficiaries.

2. The name, address, VA file number, effective date of compensation or pension, current and historical benefit pay amounts for compensation or pension, service information, date of birth, competency payment status, incarceration status, and social security number of Veterans and their surviving spouses may be disclosed to the Department of Defense Manpower Data Center (DMDC) to reconcile the amount and/or waiver of service, department and retired pay. These records may also be disclosed as part of a computer matching program to accomplish these purposes.

3. The name, address, VA file number, date of birth, date of death, social security number, and service information may be disclosed to DoD's DMDC. DoD will use this information to identify retired Veterans and dependent members of their families who have entitlement to Department of Defense benefits but who are not identified in the Department of Defense Enrollment Eligibility Reporting System (DEERS) program and to assist in determining eligibility for Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) benefits. This purpose is consistent with 38 U.S.C. 5701.

4. VA may disclose on its own initiative any information in this system, except the names and addresses of Veterans and their dependents, that is relevant to a suspected or reasonably imminent violation of law, whether civil, criminal, or regulatory in nature and whether arising by general or program statute or by regulation, rule, or order issued pursuant thereto, a Federal, State, local, tribal, or foreign agency charged with the responsibility of investigating or prosecuting such violation, or charged with enforcing or implementing the statute, regulation, rule, or order. VA may also disclose on its own initiative the names and addresses of veterans and their dependents to a Federal agency charged with the responsibility of investigating or prosecuting civil, criminal, or regulatory violations of law, or charged with enforcing or implementing the statute, regulation, rule, or order issued pursuant thereto.

5. VA may disclose any information or records to appropriate agencies, entities, and persons when (1) it is suspected or confirmed that the integrity or confidentiality of information in the system of records has been compromised; (2) VA has determined that as a result of the suspected or confirmed compromise there is a risk of embarrassment or harm to the reputations of the records subjects, harm to economic or property interest, identity theft or fraud, or harm to the security, confidentiality or integrity of this system or other systems or programs (whether maintained by VA or another agency or entity) that rely upon the potentially compromised information; and (3) the disclosure is made to such agencies, entities, and persons whom VA determines are reasonably necessary to assist or carry out VA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. This routine use permits disclosures by VA to respond to a suspected or confirmed data breach, including the conduct of any risk analysis or provision or credit protection services as provided in 38 U.S.C. 5724, as the terms are defined in 38 U.S.C. 5727.

6. Disclosure to other Federal agencies may be made to assist such agencies in preventing and detecting possible fraud or abuse by individuals in their operations and programs.

7. The record of an individual who is covered by a system of records may be disclosed to a Member of Congress, or a staff person acting for the member, when the member or staff person requests the record on behalf of and at the written request of the individual.

8. The name(s) and address (es) of a veteran may be disclosed to another Federal agency or to a contractor of that agency, at the written request of the head of that agency or designee of the head of that agency for the purpose of conducting government research necessary to accomplish a statutory purpose of that agency.

9. VA may disclose information in the system of records to the Department of Justice (DOJ), either on VA's initiative or in response to DOJ's request for information, after either VA or DOJ determines that such information is relevant to DOJ's representation of the United States or any of its components in legal, or in a proceedings before a court or adjudicative body provided that, in each case, the agency also determines prior to disclosure that release of records to the DOJ is a use of information contained in the records that is compatible with the purpose for which VA collected the records. VA, on its own initiative, may disclose records in this system of records in legal proceedings before a court or administrative body after determining that the disclosure of the records to the court or administrative body is a use of the information contained in the records that is compatible with the purpose for which VA collected the records.

10. Where VA determines that there is good cause to question the legality or ethical propriety of the conduct of a person or organization representing a person in a matter before VA, a record from this system may be disclosed, on VA's initiative, to any or all of the following: (1) Applicable civil or criminal law enforcement authorities and (2) a person or entity responsible for the licensing, supervision, or professional discipline of the person or organization acting as representative. Name and home addresses of Veterans and their dependents will be released on VA's initiative under this routine use only to Federal entities when VA believes that the names and addresses are required by the Federal department or agency.

11. Disclosure of relevant information may be made to individuals, organizations, private or public agencies, or other entities or individuals with whom VA has a contract or agreement to perform such services as VA may deem practicable for the purposes of laws administered by VA, in order for the contractor, subcontractor or entity or individual with whom VA has an agreement or contract to perform the services of the contract or agreement.

12. Disclosure may be made to the National Archives and Records Administration or the General Services Administration in records management inspections conducted under authority of Title 44 U.S.C.Start Printed Page 37312

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

The VIS application electronically stores personal information on veterans only long enough to fulfill a user's request for information; once the user's request is fulfilled, the data is expunged from the system.

RETRIEVABILITY:

The VIS application queries the BIRLS, the VADIR, the BDN, and the RBA2000 corporate database to populate user requests for data. The data is retrieved using name, social security number, and/or other unique personal identifier.

SAFEGUARDS:

1. Physical Security: The VIS system is located in the AAC in Texas; a backup disaster recovery system will be installed at the Hines Data Processing Center in Illinois. Access to data processing centers is generally restricted to center employees, custodial personnel, Federal Protective Service and other security personnel. Access to computer rooms is restricted to authorized operational personnel through electronic locking devices. All other persons needing access to computer rooms are escorted.

2. System Security: Access to the VA network is protected by the usage of “logon” identifications and passwords. Once on the VA network, separate ID and password credentials are required to gain access to the VIS server and/or database. Access to the server and/or database is granted to a limited number of users, system administrators and database administrators. In addition VIS has undergone certification and accreditation. Based on a risk assessment that followed National Institute of Standards and Technology Vulnerability and Threat Guidelines, the system is considered stable and operational and an Authority to Operate has been granted. The system was found to be operationally secure, with very few exceptions or recommendations for change.

RETENTION AND DISPOSAL:

The VIS Application does not retain veteran's personal data in the application system. VIS queries four data systems (BIRLS, VADIR, BDN and RBA2000) to meet user requests for data; once the user request has been satisfied, the data is expunged from the system.

SYSTEM MANAGER(S) AND ADDRESSES:

The official responsible for maintaining the VADIR repository: Program Manager, Registration and Eligibility, Office of Enterprise Development, Interagency Program Executive Office (005Q3), ATTN: VIS System of Records, 810 Vermont Avenue, NW., Washington, DC 20420.

NOTIFICATION PROCEDURES:

Individuals seeking information on the existence and content of a record pertaining to them should contact the system manager, in writing, at the above address. Requests should contain the full name, address and telephone number of the individual making the inquiry.

RECORD ACCESS PROCEDURE:

See Notification Procedure above.

CONTESTING RECORD PROCEDURES:

See Notification Procedure above.

RECORD SOURCE CATEGORIES:

The VIS data sources are: VADIR, the BIRLS, the BDN, and the RBA2000 corporate database.

End Supplemental Information

[FR Doc. E9-17910 Filed 7-27-09; 8:45 am]

BILLING CODE 8320-01-P