Years > 2023 > July, 2023 > Thursday, July 6, 2023
Next Article Next
Next Previous Article
88 FR 128 pgs. 43152-43155 - Privacy Act of 1974: Systems of Records

Type: NOTICEVolume: 88Number: 128Pages: 43152 - 43155
FR document: [FR Doc. 2023-14274 Filed 7-5-23; 8:45 am]
Agency: National Credit Union Administration
Official PDF Version:  PDF Version
Pages: 43152, 43153, 43154, 43155

[top] page 43152

NATIONAL CREDIT UNION ADMINISTRATION

Privacy Act of 1974: Systems of Records

AGENCY:

National Credit Union Administration (NCUA).

ACTION:

Notice of a modified system of records.

SUMMARY:

Pursuant to the Privacy Act of 1974, the National Credit Union Administration (NCUA) gives notice of a proposed modified Privacy Act system of records titled NCUA-11, "Office of Inspector General (OIG) Investigative Records." The OIG Investigative Records system of records documents the investigative work of the OIG, including complaints received through the OIG Hotline, OIG mail, and otherwise, enabling the OIG to secure and maintain necessary investigative information and to coordinate with other law enforcement agencies as appropriate.

DATES:

Submit comments on or before August 7, 2023. This modification will be effective immediately, and new routine uses will be effective on August 7, 2023.

ADDRESSES:

You may submit comments by any of the following methods, but please send comments by one method only:

Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

NCUA website: http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/proposed_regs.html. Follow the instructions for submitting comments.

Fax: (703) 518-6319. Use the subject line described above for email.

Mail: Address to Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.

Hand Delivery/Courier: Same as mail address.

FOR FURTHER INFORMATION CONTACT:


[top] Marta Erceg, Counsel to the Inspector General/Assistant Inspector General, Office of the Inspector General, (703) 518-6350, or Jennifer Harrison, Attorney-Advisor, Office of General page 43153 Counsel, (703) 518-6540, 1775 Duke Street, Alexandria, VA 22314.

SUPPLEMENTARY INFORMATION:

The NCUA has made the following substantive changes to this System of Records Notice:

1. NCUA has updated the Purpose(s) of the System to provide additional details of why records are being collected.

2. NCUA has updated the Categories of Records in the System to provide additional details of what types of records are being collected.

3. NCUA has updated its Routine Uses. NCUA has added a routine use relating to obtaining legal advice from the Department of Justice and other prosecutors. NCUA has added a routine use to entities responsible for the oversight of Federal funds. NCUA has added a routine use for disclosure records relating to suspension and debarment actions. NCUA has added a routine use for disclosure of records to the Council of the Inspectors General for Integrity and Efficiency. NCUA has added a routine use to allow the OIG to disclose records to a complainant's employer who at the time of the alleged reprisal was an NCUA contractor, subcontractor, grantee, or subgrantee, without requiring the complainant's consent, to comply with the requirements of 41 U.S.C. 4712(b)(1). NCUA has also added text of the routine uses that had been previously contained in the agency's "Standard Routine Uses." Finally, NCUA has added two routine uses relating to the disclosure of records in the event of a suspected or actual privacy breach.

4. NCUA has updated Policies and Practices for Storage of Records to reflect that records are electronically maintained.

5. NCUA has updated Policies and Practices for Retention and Disposal of Records to reflect that NCUA uses National Archives and Records Administration-approved records schedules.

6. NCUA has updated Administrative, Technical, and Physical Safeguards to accurately reflect how these records are protected.

7. NCUA has updated Record Access, Contesting Record, and Notification Procedures to accurately reflect the NCUA procedures as detailed in 12 CFR 792.55.

8. NCUA has updated History to accurately reflect the SORN's publication history. Non-substantive modifications have also been made to ensure that the format NCUA-11 aligns with the guidance set forth in Office of Management and Budget Circular A-108.

By the National Credit Union Administration Board on June 30, 2023.

Melane Conyers-Ausbrooks,

Secretary of the Board.

SYSTEM NAME AND NUMBER:

NCUA-11, Office of Inspector General (OIG) Investigative Records.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Office of Inspector General, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428.

SYSTEM MANAGER(S):

Counsel to the Inspector General/Assistant Inspector General for Investigations, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Federal Credit Union Act, 12 U.S.C. 1751, et seq., and the Inspector General Act of 1978, 5 U.S.C. 401, et seq.

PURPOSE(S) OF THE SYSTEM:

This system is maintained for the purposes of:

1. Conducting and documenting investigations by the OIG or other investigative agencies regarding NCUA programs, operations, personnel, and contractors, and reporting the results of investigations to NCUA management, other Federal agencies, and other public authorities or professional organizations that have the authority to bring criminal prosecutions or civil or administrative actions, or to impose disciplinary sanctions;

2. Documenting the outcome of OIG investigations;

3. Maintaining a record of the activities that were the subject of investigations;

4. Reporting investigative findings for use in operating and evaluating NCUA programs or operations and in the imposition of sanctions;

5. Maintaining a record of complaints and allegations received regarding NCUA programs, operations, and personnel, and documenting the outcome of OIG reviews and disposition of those complaints and allegations;

6. Coordinating relationships with other Federal agencies, State and local governmental agencies, and nongovernmental entities in matters relating to the statutory responsibilities of the OIG and reporting to such entities on government-wide efforts pursuant to the oversight of Federal funds;

7. Acting as a repository and source for information necessary to fulfill the reporting requirements of the Inspector General Act, 5 U.S.C. 401-424;

8. Reporting on OIG activities to the Council of Inspectors General for Integrity and Efficiency (CIGIE); and

9. Participating in CIGIE's investigative qualitative assessment review process.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Subjects of investigation, complainants, and witnesses referred to in complaints or investigative cases, reports, accompanying documents, and correspondence prepared by, compiled by, or referred to the OIG.

CATEGORIES OF RECORDS IN THE SYSTEM:

The system is comprised of OIG investigation files and complaint files. These files include reports of investigations with related exhibits, statements, affidavits, or other pertinent documents. Files may contain memoranda; computer-generated background information; location information; payroll, time sheets, and travel records; correspondence, including call, text, and email records; and reports from or to other law enforcement bodies pertaining to violations or potential violations of criminal laws, fraud, or abuse with respect to administration of NCUA programs and operations, and violations of employee and contractor standards of conduct. Records in this system may contain personally identifiable information such as names, Social Security numbers, dates of birth, and addresses. This system may also contain such information as employment history, bank account information, driver's licenses, vehicle registration, educational records, criminal history, photographs, voice recordings, and other information of a personal nature provided or obtained in connection with an investigation.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside the NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:


[top] 1. If a record in a system of records indicates a violation or potential violation of civil or criminal law or a regulation, and whether arising by general statute or particular program statute, or by regulation, rule, or order, the relevant records in the system of records may be disclosed as a routine use to the appropriate agency, whether page 43154 Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto;

2. A record in a system of records may be disclosed as a routine use to a member of Congress or to a congressional staff member in response to an inquiry from the congressional office made at the request of the individual about whom the record is maintained;

3. A record in a system of records may be disclosed as a routine use to the Department of Justice, when: (a) NCUA, or any of its components or employees acting in their official capacities, is a party to litigation; or (b) Any employee of NCUA in his or her individual capacity is a party to litigation and where the Department of Justice has agreed to represent the employee; or (c) The United States is a party in litigation, where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation;

4. A record in a system of records may be disclosed as a routine use in a proceeding before a court or adjudicative body before which NCUA is authorized to appear (a) when NCUA or any of its components or employees are acting in their official capacities; (b) where NCUA or any employee of NCUA in his or her individual capacity has agreed to represent the employee; or (c) where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation;

5. A record from a system of records may be disclosed as a routine use to contractors, experts, consultants, and the agents thereof, and others performing or working on a contract, service, cooperative agreement, or other assignment for NCUA when necessary to accomplish an agency function or administer an employee benefit program. Individuals provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to NCUA employees;

6. A record from a system of records may be disclosed as a routine use to the Department of Justice, including its U.S. Attorney's Offices, and State and local prosecutors, to the extent necessary to obtain legal advice on any matter relevant to an OIG investigation, audit, inspection, or other inquiry related to the responsibilities of the OIG;

7. A record from a system of records may be disclosed as a routine use to any Federal agency, entity, or board responsible for coordinating and conducting oversight of Federal funds, in order to prevent fraud, waste, and abuse related to Federal funds, or for assisting in the enforcement, investigation, prosecution, or oversight of violations of administrative, civil, or criminal law or regulation, if that information is relevant to any enforcement, regulatory, investigative, prosecutorial, or oversight responsibility of the NCUA or of the receiving entity;

8. A record from a system of records may be disclosed as a routine use to another Federal agency considering suspension or debarment action if the information is relevant to the suspension or debarment action. The OIG also may disclose information to another agency to gain information in support of the NCUA's own debarment and suspension actions;

9. A record from a system of records may be disclosed as a routine use to the Council of the Inspectors General on Integrity and Efficiency (CIGIE) to assist in its preparation of reports, analysis, surveys, coordination of investigations, and other CIGIE activities;

10. A record from a system of records may be disclosed as a routine use to other Federal entities, such as other Offices of Inspector General, to the Government Accountability Office, or to a private party with which the OIG or the NCUA has contracted or with which it contemplates contracting, for the purpose of auditing or reviewing the performance or internal management of the OIG's audit or investigative programs.

11. A record from a system of records may be disclosed as a routine use to a complainant alleging whistleblower reprisal and the complainant's employer (current or former) that at the time of the alleged reprisal was a grantee, subgrantee, contractor, or subcontractor of the NCUA, to fulfill the whistleblower reprisal investigation reporting requirements of 41 U.S.C. 4712(b)(1) or any other whistleblower reprisal law requiring a disclosure to a complainant or an entity that employs or employed the complainant;

12. A record from a system of records may be disclosed to appropriate agencies, entities, and persons when (1) NCUA suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) NCUA has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by NCUA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with NCUA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm; and

13. A record from a system of records may be disclosed to another Federal agency or Federal entity, when the NCUA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Electronic records and backups are stored on secure servers, approved by NCUA's Office of the Chief Information Officer (OCIO), within a FedRAMP-authorized commercial Cloud Service Provider's (CSP) Software-as-a-Service solution hosting environment and accessed only by authorized personnel.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Information is retrieved by case number, general subject matter, or name of the subject of investigation.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are maintained and disposed in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or an NCUA records disposition schedule approved by NARA.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:


[top] NCUA and the Cloud Service Provider have implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Public Law 113-283, S. 2521, and NCUA's information security policies to protect the confidentiality, integrity, and availability of the page 43155 information system and the information contained therein. Access is limited only to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable Federal laws and regulations, including OMB Circular A-130 and NIST Special Publication 800-37.

RECORD ACCESS PROCEDURES:

Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

1. Full name.

2. Any available information regarding the type of record involved.

3. The address to which the record information should be sent.

4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA's Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

CONTESTING RECORD PROCEDURES:

Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

1. Full name.

2. Any available information regarding the type of record involved.

3. A statement specifying the changes to be made in the records and the justification therefore.

4. The address to which the response should be sent.

5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

NOTIFICATION PROCEDURES:

Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

1. Full name.

2. Any available information regarding the type of record involved.

3. The address to which the record information should be sent.

4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA's Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

Pursuant to 5 U.S.C. 552a(j)(2), this system of records is exempt from subsections (c)(3) and (4), (d), (e)(1), (e)(2), (e)(3), (e)(4)(G), (e)(4)(H), (e)(4)(I), (e)(5), (e)(8), (f) and (g) of the Act. This exemption applies to information in the system that relates to criminal law enforcement and meets the criteria of the (j)(2) exemption. Pursuant to 5 U.S.C. 552a(k)(2), to the extent that the system contains investigative material compiled for law enforcement purposes, other than material within the scope of subsection (j)(2), this system of records is exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I), and (f). The exemption rule is contained in 12 CFR 792.66 of the NCUA regulations.

HISTORY:

This SORN was published originally as NCUA-20, "Investigation Files," at 53 FR 37372 (Sept. 26, 1988); renamed to "Office of Inspector General Investigative Records" at 60 FR 18149 (April 10, 1995); and renumbered as NCUA-11 at 65 FR 3486 (Feb. 20, 2000). Subsequent modifications were published at 71 FR 77807 (Dec. 27, 2006) and 75 FR 41539 (July 16, 2010).

[FR Doc. 2023-14274 Filed 7-5-23; 8:45 am]

BILLING CODE 7535-01-P