64417
Federal Register / Vol. 80, No. 205 / Friday, October 23, 2015 / Notices
decisions to determine whether to issue
PIV cards and require prerequisite
background checks for short-term
employees and contractors. The system
does not apply to occasional visitors or
short-term guests. GSA and
participating agencies will issue
temporary identification and credentials
for this purpose.
CATEGORIES OF RECORDS IN THE SYSTEM
:
Enrollment records maintained in the
PIV IDMS on individuals applying for
the PIV program and a PIV credential
through the GSA HSPD–12 managed
service include the following data
fields: Full name; Social Security
Number; Applicant ID number, date of
birth; current address; digital color
photograph; fingerprints; biometric
template (two fingerprints);
organization/office of assignment;
employee affiliation; work email
address; work telephone number(s);
office address; copies of identity source
documents; employee status; military
status; foreign national status; federal
emergency response official status; law
enforcement official status; results of
background check; Government agency
code; and PIV card issuance location.
Records in the PIV IDMS needed for
credential management for enrolled
individuals in the PIV program include:
PIV card serial number; digital
certificate(s) serial number; PIV card
issuance and expiration dates; PIV card
PIN; Cardholder Unique Identifier
(CHUID); and card management keys.
Agencies may also choose to collect the
following data at PIV enrollment which
would also be maintained in the PIV
IDMS: Physical characteristics (e.g.,
height, weight, and eye and hair color).
Individuals enrolled in the PIV managed
service will be issued a PIV card. The
PIV card contains the following
mandatory visual personally identifiable
information: Name, photograph,
employee affiliation, organizational
affiliation, PIV card expiration date,
agency card serial number, and color-
coding for employee affiliation.
Agencies may choose to have the
following optional personally
identifiable information printed on the
card: Cardholder physical
characteristics (height, weight, and eye
and hair color). The card also contains
an integrated circuit chip which is
encoded with the following mandatory
data elements which comprise the
standard data model for PIV logical
credentials: PIV card PIN, cardholder
unique identifier (CHUID), PIV
authentication digital certificate, and
two fingerprint biometric templates. The
PIV data model may be optionally
extended by agencies to include the
following logical credentials: Digital
certificate for digital signature, digital
certificate for key management, card
authentication keys, and card
management system keys. All PIV
logical credentials can only be read by
machine.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM
:
5 U.S.C. 301; Federal Information
Security Management Act of 2002 (44
U.S.C. 3554); E-Government Act of 2002
(Pub. L. 107–347, Sec. 203); Paperwork
Reduction Act of 1995 (44 U.S.C. 3501
et al.) and Government Paperwork
Elimination Act (Pub. L. 105–277, 44
U.S.C. 3504 note); Homeland Security
Presidential Directive 12 (HSPD–12),
Policy for a Common Identification
Standard for Federal Employees and
Contractors, August 27, 2004.
PURPOSES
:
The primary purposes of the system
are: To ensure the safety and security of
Federal facilities, systems, or
information, and of facility occupants
and users; to provide for interoperability
and trust in allowing physical access to
individuals entering Federal facilities;
and to allow logical access to Federal
information systems, networks, and
resources on a government-wide basis.
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES
:
In addition to those disclosures
generally permitted under 5 U.S.C.
Section 552a(b) of the Privacy Act, all or
a portion of the records or information
contained in this system may be
disclosed outside GSA as a routine use
pursuant to 5 U.S.C. 552a(b)(3) as
follows:
a. To the Department of Justice (DOJ)
when: (1) The agency or any component
thereof; or (2) any employee of the
agency in his or her official capacity; (3)
any employee of the agency in his or her
individual capacity where agency or the
Department of Justice has agreed to
represent the employee; or (4) the
United States Government is a party to
litigation or has an interest in such
litigation, and by careful review, the
agency determines that the records are
both relevant and necessary to the
litigation and the use of such records by
DOJ and is therefore deemed by the
agency to be for a purpose compatible
with the purpose for which the agency
collected the records.
b. To a court or adjudicative body in
a proceeding when: (1) The agency or
any component thereof; (2) any
employee of the agency in his or her
official capacity; (3) any employee of the
agency in his or her individual capacity
where the agency or the Department of
Justice has agreed to represent the
employee; or (4) the United States
Government is a party to litigation or
has an interest in such litigation, and by
careful review, the agency determines
that the records are both relevant and
necessary to the litigation and the use of
such records and is therefore deemed by
the agency to be for a purpose that is
compatible with the purpose for which
the agency collected the records.
c. Except as noted on Forms SF 85, SF
85–P, and SF 86, when a record on its
face, or in conjunction with other
records, indicates a violation or
potential violation of law, whether civil,
criminal, or regulatory in nature, and
whether arising by general statute or
particular program statute, or by
regulation, rule, or order issued
pursuant thereto, disclosure may be
made to the appropriate public
authority, whether Federal, foreign,
State, local, or tribal, or otherwise,
responsible for enforcing, investigating
or prosecuting such violation or charged
with enforcing or implementing the
statute, or rule, regulation, or order
issued pursuant thereto, if the
information disclosed is relevant to any
enforcement, regulatory, investigative or
prosecutorial responsibility of the
receiving entity.
d. To a Member of Congress or to a
Congressional staff member in response
to an inquiry of the Congressional office
made at the written request of the
constituent about whom the record is
maintained.
e. To the National Archives and
Records Administration (NARA) or to
the General Services Administration for
records management inspections
conducted under 44 U.S.C. 2904 and
2906.
f. To agency contractors, grantees, or
volunteers who have been engaged to
assist the agency in the performance of
a contract, service, grant, cooperative
agreement, or other activity related to
this system of records and who need to
have access to the records in order to
perform their activity. Recipients shall
be required to comply with the
requirements of the Privacy Act of 1974,
as amended, 5 U.S.C. 552a, the Federal
Information Security Management Act
(Pub. L. 107–296), and associated OMB
policies, standards and guidance from
the National Institute of Standards and
Technology, and the General Services
Administration.
g. To a Federal agency, State, local,
foreign, or tribal or other public
authority, on request, in connection
with the hiring or retention of an
employee, the issuance or retention of a
security clearance, the letting of a
VerDate Sep<11>2014 18:05 Oct 22, 2015 Jkt 238001 PO 00000 Frm 00033 Fmt 4703 Sfmt 4703 E:\FR\FM\23OCN1.SGM 23OCN1
mstockstill on DSK4VPTVN1PROD with NOTICES