Privacy Act System of Records: Human Resources Line of Business (HR LoB), EPA-93

[excerpted from: Federal Register: December 10, 2021 (Volume 86, Number 235)]

System Name: Human Resources Line of Business (HR LoB)

Security Classification: Unclassified.

System Location: EPA OHR, 1200 Pennsylvania Ave. NW, Washington, DC 20460. Records hosted by DOI/IBC are located at 7301 West Mansfield Ave., MS D-2400, Denver, CO 80235-2230, and are also located at Departmental, bureau and office systems and locations that prepare and provide input documents and information for data processing and administrative actions for this system.

Categories of Individuals Covered by the System: Current and former EPA employees, including Health and Human Services Public Health Service Commissioned Officers assigned to EPA, grantees, intergovernmental detailees, interagency agreement detailees, and contractors, and family members of these individuals.

Categories of Records in the System: HR LoB collects the following employee data elements: Name, Citizenship, Gender, Birth Date, Group Affiliation, Marital Status, Other Names Used, Legal Status, Place of Birth, Security Clearance, Spouse Information, Financial Information, Medical Information, Disability Information, Education Information, Driver's License State and Number, Race/Ethnicity, Social Security Number (SSN) and truncated SSN, Personal Cell Telephone Number, Personal Email Address, Home Telephone Number, Family member, Child or Dependent Information, Employment Information, Military Status/Service, Mailing/Home Address, Taxpayer Identification Number, Bank Account information such as Routing and Account Numbers, Beneficiary Information, Bond Co-owner Name(s) and Information, Professional Licensing and Credentials, Family Relationships, Age, Involuntary Debt (Garnishments or Child Support Payments), Court Order Information, Back Pay Information, User ID, Time and Attendance data, Leave Time Information, Employee Common Identifier (ECI), Person Number (a unique number that identifies a person within HR LoB, and Person Number-Emergency (a unique number identifying an individual within HR LoB for a Leave Share Occurrence).

Authority for Maintenance of the System (includes any revisions or amendments): 5 U.S.C. 5101, et seq; 31 U.S.C. 3512; 31 U.S.C. Chapter 11; 5 CFR part 297; The Office of Management and Budget Circular A-127, Revised, Financial Management Systems; this Circular is issued pursuant to the Chief Financial Officers Act (CFOs Act) of 1990, P.L. 101-576).

Purpose(s): EPA maintains records in HR LoB to administer EPA's HR activities, including: pay and leave requirements, processing, accounting, learning and development, and reporting requirements. The records also provide the basic source of factual data about a person's employment while in federal service and after his or her separation from federal service in accordance with applicable records policies. Records in HR LoB have various uses by Agency personnel offices, including screening qualifications of employees; determining status, eligibility, and employee's rights and benefits under pertinent laws and regulations governing federal employment; computing length of service; and other information needed to provide personnel services.

Routine Uses of Records Maintained in the System, Including Categories of Users, and the Purposes of Such Uses:

The routine uses below are both related to and compatible with the original purpose for which the information was collected. The following general routine uses apply to this system:

A. Disclosure for Law Enforcement Purposes: Information may be disclosed to the appropriate Federal, State, local, tribal, or foreign agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order, if the information is relevant to a violation or potential violation of civil or criminal law or regulation within the jurisdiction of the receiving entity.

B. Disclosure Incident to Requesting Information: Information may be disclosed to any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose of the request, and to identify the type of information requested,) when necessary to obtain information relevant to an agency decision concerning retention of an employee or other personnel action (other than hiring,) retention of a security clearance, the letting of a contract, or the issuance or retention of a grant, or other benefit.

C. Disclosure to Requesting Agency: Disclosure may be made to a Federal, State, local, foreign, or tribal or other public authority of the fact that this system of records contains information relevant to the retention of an employee, the retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant, or other benefit. The other agency or licensing organization may then make a request supported by the written consent of the individual for the entire record if it so chooses. No disclosure will be made unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another Federal agency for criminal, civil, administrative, personnel, or regulatory action.

D. Disclosure to Office of Management and Budget: Information may be disclosed to the Office of Management and Budget at any stage in the legislative coordination and clearance process in connection with private relief legislation as set forth in OMB Circular No. A-19.

E. Disclosure to Congressional Offices: Information may be disclosed to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of the individual.

F. Disclosure to Department of Justice: Information may be disclosed to the Department of Justice, or in a proceeding before a court, adjudicative body, or other administrative body before which the Agency is authorized to appear, when:

1. The Agency, or any component thereof;

2. Any employee of the Agency in his or her official capacity;

3. Any employee of the Agency in his or her individual capacity where the Department of Justice or the Agency have agreed to represent the employee; or

4. The United States, if the Agency determines that litigation is likely to affect the Agency or any of its components, is a party to litigation or has an interest in such litigation, and the use of such records by the Department of Justice or the Agency is deemed by the Agency to be relevant and necessary to the litigation provided, however, that in each case it has been determined that the disclosure is compatible with the purpose for which the records were collected.

G. Disclosure to the National Archives: Information may be disclosed to the National Archives and Records Administration in records management inspections.

H. Disclosure to Contractors, Grantees, and Others: Information may be disclosed to contractors, grantees, consultants, or volunteers performing or working on a contract, service, grant, cooperative agreement, job, or other activity for the Agency and who have a need to have access to the information in the performance of their duties or activities for the Agency. When appropriate, recipients will be required to comply with the requirements of the Privacy Act of 1974 as provided in 5 U.S.C. 552a(m).

I. Disclosures for Administrative Claims, Complaints and Appeals: Information from this system of records may be disclosed to an authorized appeal grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator or other person properly engaged in investigation or settlement of an administrative grievance, complaint, claim, or appeal filed by an employee, but only to the extent that the information is relevant and necessary to the proceeding. Agencies that may obtain information under this routine use include, but are not limited to, the Office of Personnel Management, Office of Special Counsel, Merit Systems Protection Board, Federal Labor Relations Authority, Equal Employment Opportunity Commission, and Office of Government Ethics.

J. Disclosure to the Office of Personnel Management: Information from this system of records may be disclosed to the Office of Personnel Management pursuant to that agency's responsibility for evaluation and oversight of Federal personnel management.

K. Disclosure in Connection With Litigation: Information from this system of records may be disclosed in connection with litigation or settlement discussions regarding claims by or against the Agency, including public filing with a court, to the extent that disclosure of the information is relevant and necessary to the litigation or discussions and except where court orders are otherwise required under section (b)(11) of the Privacy Act of 1974, 5 U.S.C. 552a(b)(11). The two routine uses below (L and M) are required by OMB Memorandum M-17-12.

L. Disclosure to Persons or Entities in Response to an Actual of Suspected Breach of Personally Identifiable Information: To appropriate agencies, entities, and persons when (1) the Agency suspects or has confirmed that there has been a breach of the system of records, (2) the Agency has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Agency (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Agency's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

1. M. Disclosure to Assist Another Agency in Its Efforts to Respond to a Breach of Personally Identifiable Information: To another Federal agency or Federal entity, when the Agency determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

Policies and procedures for storing, retrieving, accessing, retaining and Disposing of Records in the System:

• Storage: Electronic records are stored in computers, removable drives, storage devices, electronic databases, and other electronic media hosted by DOI/IBC.

• Retrievability: HR LoB authorized users may retrieve information on an individual employee using full name, SSN, and Employee Common Identifier (ECI)—unique number identifying employees across Federal automated systems.

• Safeguards: Security controls used to protect personally identifiable information (PII) in HR LoB are commensurate with those required for an information system rated MODERATE for confidentiality, integrity, and availability, as prescribed in National Institute of Standards and Technology (NIST) Special Publication, 800-53, “Security and Privacy Controls for Information Systems and Organizations,” Revision 5.

  1. Administrative Safeguards: EPA personnel are required to complete annual agency Information Security and Privacy training. EPA personnel are instructed to lock their computers when they leave their desks.

  2. Technical Safeguards: Electronic records are maintained in a secure password protected environment. Access to records is limited to those who have a need to know. Electronic records are restricted to authorized users with appropriate security privileges, including the use of 2-factor PIV Card authentication and permission level assignments. Web-based connections are Tier3 VPN encrypted sessions between EPA and DOI. The database is maintained behind a firewall. WTTS/EOD, FedTalent, OBIEE, and FPPS have multiple levels of role-based access controls that protect the privacy of information in HR LoB. The level of these access controls determines the security privileges of HR LoB users. There are three levels of role-based security (User, Security, Administrator) and they follow the separation of duties outlined in NIST guidance.

  3. Physical Safeguards: These records are maintained in controlled access areas. Identification cards are verified to ensure that only authorized personnel can access.

• Retention and Disposal: The retention of data in the system is in accordance with applicable EPA Records Schedules 1005, 1006, 1026, and 1029 as approved by the National Archives and Records Administration (NARA).

System Manager(s) and Address: Mara Kamen, kamen.mara@epa.gov, 202-564-7159, Director, OHR, U.S. Environmental Protection Agency, 1200 Pennsylvania Avenue NW, Washington, DC 20460.

Notification Procedures: Any individual who wants to know whether this system of records contains a record about themself, should make a written request to: Attn: Agency Privacy Officer, MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, or to privacy@epa.gov.

Access Procedure: Individuals seeking access to information in this system of records about themselves are required to provide adequate identification ( e.g., driver's license, military identification card, employee badge or identification card). Additional identity verification procedures may be required, as warranted. Requests must meet the requirements of EPA regulations that implement the Privacy Act of 1974, at 40 CFR part 16.

Contesting Procedure: Requests for correction or amendment must identify the record to be changed and the corrective action sought. Complete EPA Privacy Act procedures are described in EPA's Privacy Act regulations at 40 CFR part 16.

Record Source Categories: Information is obtained from individuals on whom the records are maintained, official personnel records of individuals on whom the records are maintained, supervisors, timekeepers, previous employers, the Internal Revenue Service and state tax agencies, the Department of the Treasury, other Federal agencies, courts, state child support agencies, employing agency accounting offices, and third-party benefit providers.