[Federal Register Volume 81, Number 17 (Wednesday, January 27, 2016)]
[Notices]
[Pages 4736-4738]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-01648]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF STATE
[Public Notice: 9425]
Privacy Act; System of Records: Digital Outreach and
Communications, State-79
SUMMARY: Notice is hereby given that the Department of State proposes
to amend an existing system of records, Digital Outreach and
Communications, State-79, pursuant to the provisions of the Privacy Act
of 1974, as amended (5 U.S.C. 552a) and Office of Management and Budget
Circular No. A-130, Appendix I.
DATES: This system of records will be effective on March 7, 2016,
unless we receive comments that will result in a contrary
determination.
ADDRESSES: Any persons interested in commenting on the amended system
of records may do so by writing to the Director; Office of Information
Programs and Services, A/GIS/IPS; Department of State, SA-2; 515 22nd
Street NW.; Washington, DC 20522-8100.
FOR FURTHER INFORMATION CONTACT: John Hackett, Director; Office of
Information Programs and Services, A/GIS/IPS; Department of State, SA-
2; 515 22nd Street NW.; Washington, DC 20522-8100, or at
[email protected].
SUPPLEMENTARY INFORMATION: The Department of State proposes that the
current system retain the name ``Digital Outreach and Communications''
(previously published at 78 FR 54946). The purpose of the system is to
extend outreach, engagement, and collaboration efforts with the public,
and to facilitate transparency and accountability with regard to
Department activities; to conduct and administer contests, challenges,
and other competitions; and to track aggregate activity and analytics
to determine the effectiveness of email campaigns. The proposed system
will include modifications to the following sections: System location,
Categories of individuals, Categories of records, Authority for
maintenance of the system, Purpose, Routine uses, Retrievability,
Safeguards, and Notification procedure. The modifications will allow
the contact information to be stored in a FEDRAMP Certified Cloud
provider, and will allow the Department to collect aggregate activity
and analytics of email campaigns.
The Department's report was filed with the Office of Management and
Budget. The amended system description, ``Digital Outreach and
Communications, State-79,'' will read as set forth below.
Joyce A. Barr,
Assistant Secretary for Administration, U.S. Department of State.
STATE-79
SYSTEM NAME:
Digital Outreach and Communications.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Department of State domestic locations, posts abroad, and within a
government cloud, implemented by State Department as a cloud-based
cloud software as a service (SaaS) provider.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Individuals who interact with the Department through a social media
outlet, or other electronic means including by submitting feedback,
subscription (RSS), email, requesting more information from the
Department. Individuals participating in a contest, challenge, or other
competition.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system may contain information passed through a social media
site or cloud service provider to facilitate interaction with the
Department such as, but not limited to the following: Name, username,
email address, home or work address, contact information, phone
numbers, date of birth, age, security questions, IP addresses, login
credentials, topical interests, and educational, business, or volunteer
affiliation. The system will also contain information on the topics
about which users wish to receive communications, as well as input and
feedback from the public, such as comments, emails, videos, and images,
which may include tags, geotags, or geographical metadata. The system
may also include information that does not meet the definition of a
``record'' under the Privacy Act, such as aggregate metrics on user
click rates, open rates, non-read rates, unsubscribes, and link
activity.
In addition to the information listed above, individuals who enter
a contest, challenge, or other competition may be asked to provide
certain specific information including financial data, passport and
visa information, and other information necessary to authenticate
qualifications for participation or for prize issuance.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Presidential Memorandum to the Heads of Executive Departments and
Agencies on Transparency and Open Government, January 21, 2009. OMB M-
10-06, Open Government Directive, December 8, 2009. OMB M-10-23,
Guidance for Agency Use of Third-Party Web sites and Applications, June
25, 2010. 5 U.S.C. 301, Management of Executive Agencies. 22 U.S.C.
2651a, Organization of the Department of State.
[[Page 4737]]
PURPOSE:
To extend outreach, engagement, and collaboration efforts with the
public, and to facilitate transparency and accountability with regard
to Department activities. To conduct and administer contests,
challenges, and other competitions. To track aggregate activity and
analytics to determine the effectiveness of email campaigns.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
Information in this system may be shared with the news media and
the public, with the approval of the Chief of Mission or Bureau
Assistant Secretary who supervises the office responsible for the
outreach effort, except to the extent that release of the information
would constitute an unwarranted invasion of personal privacy;
To Government agencies and the White House for purposes of planning
and coordinating public engagement activities;
To a contractor of the Department having need for the information
in the performance of the contract, but not operating a system of
records within the meaning of 5 U.S.C. 552a(m);
And to Federal, state, and city governments which are issued tax
reports, the Internal Revenue Service and the Social Security
Administration which are sent tax and withholding data.
The Department of State periodically publishes in the Federal
Register its standard routine uses which apply to all of its Privacy
Act systems of records. These notices appear in the form of a Prefatory
Statement. These standard routine uses apply to Digital Outreach and
Communications, State-79.
DISCLOSURE TO CONSUMER REPORTING AGENCIES:
None.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Electronic media.
RETRIEVABILITY:
Username; email; name.
SAFEGUARDS:
All users are given cyber security awareness training which covers
the procedures for handling Sensitive But Unclassified (SBU)
information, including personally identifiable information (PII).
Annual refresher training is mandatory. In addition, all Foreign
Service and Civil Service employees and those Locally Engaged Staff who
handle PII are required to take the Foreign Service Institute distance
learning course, PA 459, instructing employees on privacy and security
requirements, including the rules of behavior for handling PII and the
potential consequences if it is handled improperly.
Access to the Department of State, its annexes and posts abroad is
controlled by security guards and admission is limited to those
individuals possessing a valid identification card or individuals under
proper escort. All paper records containing personal information are
maintained in secured file cabinets in restricted areas, access to
which is limited to authorized personnel only. Access to computerized
files is password-protected and under the direct supervision of the
system manager. The system manager has the capability of printing audit
trails of access from the computer media, thereby permitting regular
and ad hoc monitoring of computer usage. When it is determined that a
user no longer needs access, the user account is disabled.
Before being granted access to Protocol Records, a user must first
be granted access to the Department of State computer system. Remote
access to the Department of State network from non-Department owned
systems is authorized only to unclassified systems and only through a
Department approved access program. Remote access to the network is
configured with the Office of Management and Budget Memorandum M-07-16
security requirements which include but are not limited to two-factor
authentication and time out function. All Department of State employees
and contractors with authorized access have undergone a thorough
background security investigation.
The safeguards in the following paragraphs apply only to records
that are maintained in cloud systems. All cloud systems that provide IT
services and process Department of State information must be: (1)
Provisionally authorized to operate by the Federal Risk and
Authorization Management Program (FedRAMP), and (2) specifically
authorized by the Department of State Authorizing Official and Senior
Agency Official for Privacy. Only information that conforms with
Department-specific definitions for Federal Information Security
Management Act (FISMA) low or moderate categorization are permissible
for cloud usage. Specific security measures and safeguards will depend
on the FISMA categorization of the information in a given cloud system.
In accordance with Department policy, systems that process more
sensitive information will require more stringent controls and review
by Department cybersecurity experts prior to approval. Prior to
operation, all Cloud systems must comply with applicable security
measures that are outlined in FISMA, FedRAMP, OMB regulations, NIST
Federal Information Processing Standards (FIPS) and Special Publication
(SP), and Department of State policy and standards.
All data stored in cloud environments categorized above a low FISMA
impact risk level must be encrypted at rest and in-transit using a
federally approved encryption mechanism. The encryption keys shall be
generated, maintained, and controlled in a Department data center by
the Department key management authority. Deviations from these
encryption requirements must be approved in writing by the Authorizing
Official.
RETENTION AND DISPOSAL:
Records are retired and destroyed in accordance with published
Department of State Records Disposition Schedules as approved by the
National Archives and Records Administration (NARA). More specific
information may be obtained by writing to the Director; Office of
Information Programs and Services, A/GIS/IPS; SA-2, Department of
State; 515 22nd Street NW.; Washington, DC 20522-8100.
SYSTEM MANAGER(S) AND ADDRESS:
The Under Secretary for Public Diplomacy and Public Affairs;
Department of State; 2201 C Street NW.; Washington, DC 20520.
NOTIFICATION PROCEDURE:
Individuals who have cause to believe that the Department may have
outreach records pertaining to him or her should write to the Director;
Office of Information Programs and Services, A/GIS/IPS; SA-2,
Department of State; 515 22nd Street NW.; Washington, DC 20522-8100.
The individual must specify that he or she wishes the outreach records
of the Department to be checked. At a minimum, the individual must
include the following: Name; email address; current mailing address and
zip code; signature; and other information helpful in identifying the
record.
RECORD ACCESS PROCEDURES:
Individuals who wish to gain access to or amend records pertaining
to themselves should write to the Director; Office of Information
Programs and Services (address above).
[[Page 4738]]
CONTESTING RECORD PROCEDURES:
Individuals who wish to contest records pertaining to themselves
should write to the Director; Office of Information Programs and
Services (address above).
RECORD SOURCE CATEGORIES:
These records contain information obtained directly from
individuals who interact with the Department of State through social
media sites or who communicate electronically with the Department in
response to public outreach.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
None.
[FR Doc. 2016-01648 Filed 1-26-16; 8:45 am]
BILLING CODE 4710-45-P