Privacy Act of 1974: Implementation of Exemptions

<RULE> DEPARTMENT OF ENERGY <CFR>10 CFR Part 1008</CFR> <DEPDOC>[DOE-HQ-2024-0085]</DEPDOC> <RIN>RIN 1903-AA18</RIN> <SUBJECT>Privacy Act of 1974: Implementation of Exemptions</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> U.S. Department of Energy. <HD SOURCE="HED">ACTION:</HD> Final rule. <SUM> <HD SOURCE="HED">SUMMARY:</HD> The Department of Energy (DOE or Department) is revising its regulations to exempt certain records maintained under a newly established system of records—DOE-85, Research, Technology, and Economic Security Due Diligence Review Records—from the notification and access provisions of the Privacy Act of 1974. The Department is exempting portions of this system of records from these subsections of the Privacy Act because of requirements related to classified information. </SUM> <EFFDATE> <HD SOURCE="HED">DATES:</HD> This final rule is effective on January 16, 2025. </EFFDATE> <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> Kyle David, U.S. Department of Energy, 1000 Independence Avenue SW, Office 8H-085, Washington, DC, 20585; facsimile: (202) 586-8151; email: <E T="03">kyle.david@hq.doe.gov,</E> telephone: (240) 686-9485. </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> <HD SOURCE="HD1">Table of Contents</HD> <EXTRACT> <FP SOURCE="FP-2">I. Authority and Background</FP> <FP SOURCE="FP1-2">A. Authority</FP> <FP SOURCE="FP1-2">B. Background</FP> <FP SOURCE="FP-2">II. Discussion</FP> <FP SOURCE="FP-2">III. Summary of Public Comments</FP> <FP SOURCE="FP-2">IV. Section 1008.12 Analysis</FP> <FP SOURCE="FP-2">V. Procedural Issues and Regulatory Review</FP> <FP SOURCE="FP1-2">A. Review Under Executive Orders 12866, 13563, and 14094</FP> <FP SOURCE="FP1-2">B. Review Under the Regulatory Flexibility Act</FP> <FP SOURCE="FP1-2">C. Review Under the Paperwork Reduction Act of 1995</FP> <FP SOURCE="FP1-2">D. Review Under the National Environmental Policy Act of 1969</FP> <FP SOURCE="FP1-2">E. Review Under Executive Order 12988</FP> <FP SOURCE="FP1-2">F. Review Under Executive Order 13132</FP> <FP SOURCE="FP1-2">G. Review Under Executive Order 13175</FP> <FP SOURCE="FP1-2">H. Review Under the Unfunded Mandates Reform Act of 1995</FP> <FP SOURCE="FP1-2">I. Review Under Executive Order 12360</FP> <FP SOURCE="FP1-2">J. Review Under Executive Order 13211</FP> <FP SOURCE="FP1-2">K. Review Under the Treasury and General Government Appropriations Act, 1999</FP> <FP SOURCE="FP1-2">L. Review Under the Treasury and General Government Appropriations Act, 2001</FP> <FP SOURCE="FP1-2">M. Congressional Notification</FP> <FP SOURCE="FP-2">VI. Approval by the Office of the Secretary of Energy</FP> </EXTRACT> <HD SOURCE="HD1">I. Authority and Background</HD> <HD SOURCE="HD2">A. Authority</HD> DOE has broad authority to manage the agency's collection, use, processing, maintenance, storage, and disclosure of Personally Identifiable Information (PII) pursuant to the following authorities: 42 United States Code (U.S.C.) 7101 <E T="03">et seq.,</E> 50 U.S.C. 2401 <E T="03">et seq.,</E> 5 U.S.C. 1104, 5 U.S.C. 552, 5 U.S.C. 552a, 42 U.S.C. 7254, 5 U.S.C. 301, and 42 U.S.C. 405 note. <HD SOURCE="HD2">B. Background</HD> The Privacy Act of 1974 (the Act) (5 U.S.C. 552a) embodies fair information practice principles in a statutory framework governing the means by which the U.S. Government collects, maintains, uses, and disseminates personally identifiable information. The Privacy Act applies to information that is maintained in a “system of records.” A “system of records” is a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. In the Privacy Act, an individual is defined to encompass U.S. citizens and lawful permanent residents. The Privacy Act includes two sets of provisions that allow agencies to claim exemptions from certain requirements in the statute. These provisions allow agencies in certain circumstances to promulgate rules to exempt a system of records from certain provisions of the Privacy Act. For this system of records, pursuant to 5 U.S.C. 552a(k)(1), the Department exempts this system of records from subsections (c)(3); (d); (e)(1), (e)(4)(G), (4)(H), and (4)(I); and (f) of the Privacy Act. This exemption is needed to protect information relating to DOE activities from disclosure to subjects or others related to these activities. Specifically, the exemption is required to safeguard classified information. Pursuant to the Privacy Act and Office of Management and Budget (OMB) Circular A-108, <E T="03">Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act,</E> DOE is issuing this Rule to make clear to the public the reasons why this particular exemption is being applied. <HD SOURCE="HD1">II. Discussion</HD> The Department is exempting portions of a newly established system of records—DOE-85, Research, Technology, and Economic Security Due Diligence Review Records—from subsections (c)(3); (d); (e)(1), (e)(4)(G), (4)(H), and (4)(I); and (f) of the Privacy Act of 1974. To claim this exemption, DOE is amending 10 CFR 1008.12 by adding a new paragraph, (b)(1)(ii)(N). The Department exempts portions of this system of records from these subsections of the Privacy Act because of requirements related to classified information. The purpose of this system is to enhance DOE's capabilities to aggregate, link, analyze, and maintain information used by the Department to assess research, technology, and economic security (RTES) risk. RTES risks may include risk of foreign government interference and exploitation, intellectual property (IP) loss, national security risk, conflicts of interest, and conflicts of commitment, and other parameters defined in DOE/National Nuclear Security Administration (NNSA) policy. The RTES analysis builds on pre-existing information provided by individuals and organizations that interact with DOE/NNSA, paired with public records, and in some cases, classified information. Consistent with National Security Presidential Memorandum-33  <SU>1</SU> <FTREF/> (NSPM-33), applicable law, and existing DOE/NNSA policies, the system records may be shared as appropriate with other Federal funding agencies and internally within DOE/NNSA to help ensure a coordinated and consistent approach to risk assessment. <FTNT> <SU>1</SU>  National Security Presidential Memorandum on United States Government-Supported Research and Development National Security Policy 33, issued January 14, 2021. </FTNT> For this system of records, the system is exempted from subsections (c)(3); (d); (e)(1), (e)(4)(G), (4)(H), and (4)(I); and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(1). This exemption is needed to protect information relating to DOE activities from disclosure to subjects or others related to these activities. Specifically, the exemption is required to safeguard classified information. This exemption is a standard national security exemption exercised by many Federal intelligence agencies. Although the RTES Office is not an intelligence agency, the system of records utilized by the RTES Office may include classified information obtained from Federal intelligence sources. Exemptions for DOE-85 Research, Technology, and Economic Security Due Diligence Review Records from this particular subsection of the Privacy Act are justified on a case-by-case basis to be determined at the time a request is made for the following reasons: From 5 U.S.C. 552a subsection (k)(1) because providing individuals access to classified information could cause serious damage to the national defense or foreign policy. On September 10, 2024, DOE published a notice of proposed rulemaking (NOPR) (89 FR 73312). This NOPR claimed the 5 U.S.C. 552a(k)(1) exemption listed in the preceding paragraph. As a result of this NOPR, DOE received one comment, discussed in section III of this document. <HD SOURCE="HD1">III. Summary of Public Comments</HD> As mentioned in previously, DOE received one comment in response to the NOPR (DOE-HQ-2023-0058-0005). The commenter requested a clearer explanation of how conflicts of interest and commitment necessitate exemptions from the Privacy Act and for DOE to consider narrowing the scope of Privacy Act exemptions, particularly the exemption from 5 U.S.C. 552a(e)(1). The commenter points out that the exemption from 5 U.S.C. 522a(e)(1) is too broad and could result in the accumulation of unnecessary information, creating unintended consequences such as the misuse of personal information. Finally, the commenter also stated that Freedom of Information Act (FOIA) liability may also be triggered from people trying to get information they believe is held under exemption. As to the issue regarding conflicts of interest and commitment, DOE would like to clarify that the justification for exempting the system is based on the extent to which the system contains classified information. This is consistent with 10 CFR 1008.12(b)(1), where 5 U.S.C. 552a(k)(1) applies to the system only “to the extent [that the system] contain[s] classified information, in order to prevent serious damage to the national defense or foreign policy that could arise from providing individuals access to classified information.” Determining if something is exempt will be done on a case-by-case basis, and if there is no classified information or national security information, then included information under 5 U.S.C. 552a(k)(1) would not be exempt. As to the commenters concerns that the exemption from 5 U.S.C. 522a(e)(1) is too broad and could result in collection of irrelevant information, risking misuse of personal information, as well as concerns that the regulation could lead to legal challenges to w ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 28k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━