Privacy Act of 1974: New System of Records

AGENCY:

Foreign Agricultural Service, USDA.

ACTION:

Notice of a new system of records.

SUMMARY:

The U.S. Department of Agriculture, Foreign Agricultural Service, proposes a new system of records USDA/FAS-10, Foreign Agricultural Service International Fellowship and Exchanges Database System (FAS-IFEDS). This system is being developed for Global Programs to store crucial fellowship information and to document the relationship of a fellow with USDA. In accordance with the Privacy Act of 1974, and Office of Management and Budget (OMB) Circular No. A-108, the U.S. Department of Agriculture, Foreign Agricultural Service, proposes a new system of records entitled “Department of Agriculture, Foreign Agricultural Service, International Fellowship and Exchanges Database System”. This system is maintained by Global Programs and centralizes data from all constituent groups across all fellowships, in a single system.

DATES:

In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is effective upon publication, subject to a 30-day notice and comment period in which to comment on the routine uses described in the routine uses section of this system of records notice. Please submit your comments by August 11, 2022.

ADDRESSES:

You may submit comments by either of the following methods:

• Federal eRulemaking Portal: Go to www.regulations.gov and follow the directions in the instructions paragraph.

• Mail: Please send one copy of your comment to USDA/FAS-10, to Assistant Chief Information Officer, FAS, USDA 1400 Independence Avenue SW, Mail Stop 1063, Washington, DC 20250-0002. Supporting documents and any comments we receive on this docket may be viewed at http://www.regulations.gov/.

• Email: FAS-IFEDS-SORN@usda.gov. Include USDA/FAS-10 in the subject line of the message.

Instructions: All submissions received must include the agency name and docket number FAS 2021-0001 for this notice of proposed rulemaking (“NPRM” or “proposed rule”). All properly completed comments received will be posted without change to the Federal eRulemaking portal, www.regulations.gov, including any personal information provided.

FOR FURTHER INFORMATION CONTACT:

Christopher Wood, Assistant Chief Information Officer, FAS, USDA, christopher.wood@usda.gov, 202-369-5946.

Docket: Access to the rulemaking docket associated with this document can be obtained through the Federal eRulemaking Portal at www.regulations.gov.

SUPPLEMENTARY INFORMATION:

The Privacy Act of 1974, (5 U.S.C. 552a), requires the Department to publish in the Federal Register this notice of a new system of records maintained by the Department. The Department's Regulations implementing the Privacy Act are contained in the Code of Federal Regulations in 7 CFR 1, subpart G. USDA/Foreign Agricultural Service system of records was last published in the Federal Register in +FR FAS 9 (November 19, 2019). The Foreign Agricultural Service International Fellowship and Exchanges Database System (FAS-IFEDS) serves a Global Programs need under the authority of Congress in Section 3306 of the Agriculture Improvement Act of 2018, Public Law 115-334, amending Section 1473G of the National Agricultural Research, Extension, and Teaching Policy Act of 1977, to leverage alumni engagement. FAS is initiating the SORN to include, all fellows and alumni, and all USDA Fellowship Programs.

The Foreign Agricultural Service International Fellowship and Exchanges Database System (FAS-IFEDS) is primarily a personal database and is used to collect information concerning fellows and alumni that includes the personally-identifiable information (PII) related to fellows and alumni, in addition to the information pertaining to the institution, implementer, and fellowship. The FAS-IFEDS system collects the following information (that may be considered PII ): first name, middle name, last name, gender, salutation, birth date, birth city, citizenship country, country of residence, work phone, permanent home address, work address, personal email, work email, emergency contact information (US implementer), and emergency contact information (family contact: name, relationship, home phone, cell phone, and email).

FAS will share information from the system in accordance with the requirements of the Privacy Act. A full list of routine uses is included in the routine uses section of the document published with this notice.

A report on the new system of records, required by 5 U.S.C. 552a(r), as implemented by Office of Management and Budget Circular A-108, was sent to the Chairman, Committee on Homeland Security and Government Affairs, United States Senate; the Chairwoman, Committee on Oversight and Reform, House of Representatives; and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget.

In accordance with 5 U.S.C. 552a(r), USDA has provided a report of this system of records to the Office of Management and Budget and to Congress.

SYSTEM NAME AND NUMBER:

USDA/FAS-10, USDA/FAS, Foreign Agricultural Service International Fellowship and Exchanges Database System, (FAS-IFEDS). USDA/FAS-10 is also referred to as the Foreign Agricultural Service International Fellowship and Exchange Database System (FAS-IFEDS).

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The system owner is USDA/FAS, 1400 Independence Avenue SW, Mail Stop 1063, Washington, DC 20250-0002. The electronic record system is maintained on servers that are physically hosted in the Salesforce Government Cloud. Salesforce is located at The Landmark @On Market Street, Suite 300, San Francisco, California 94105. The physical location and technical operation of the system is at the Salesforce Government Cloud's Chicago (Elk Grove, IL) and Washington (Ashburn, VA) data centers. The HubSpot application uses cloud storage and computes services from Amazon Web Services (AWS) and Google Cloud Platform (GCP). HubSpot's production infrastructure is centralized in AWS and GCP cloud hosting facilities and is managed by the HubSpot engineering team.

SYSTEM MANAGER(S):

Information Technology Project Manager, FAS, USDA, 1400 Independence Avenue SW, Mail Stop 1063, Washington DC 20250-0002, 202-843-3857.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

7 U.S.C. 2.601

PURPOSE(S) OF THE SYSTEM:

The USDA Foreign Agricultural Service International Fellowship and Exchange Database System (IFEDS) is a database used by the FAS' Fellowship Programs Division to record relevant data pertaining to individuals and organizations that have taken part in the various programs and exchanges the division coordinates. As a system of record, IFEDS will better enable Fellowship Programs staff by enabling accurate and efficient data input as well as timely data retrieval. Records contained withing IFEDS will be used to satisfy statistical inquiries, communicate with Fellows and alumni, and associate multiple relevant datapoints with each other. IFEDS will not be accessible to the public, the data will be shared on a need-to-know basis with partners in other agencies, universities, or other affiliated organizations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Categories of individuals covered by this system include, individuals who are referenced or identified in records created or compiled as part of the process of documenting the USDA Fellowship Programs including, but not limited to, fellows, fellowships, institutions, implementors, or alumni. All individuals, even if they are not users of the FAS-IFEDS, who are mentioned or referenced in any documents entered into FAS-IFEDS by a user are also covered. This group may include, but is not limited to, vendors, agents, and other business personnel.

CATEGORIES OF RECORDS IN THE SYSTEM:

Categories of records in the system are created or compiled as part of the process of documenting the USDA Fellowship Program. Such records include: first name, middle name, last name, gender, salutation, birth date, birth city, citizenship country, country of residence, work phone, permanent home address, work address, personal email, work email, emergency contract information (US implementer), and emergency contact information (family contact: name, relationship, home phone, cell phone, and email). This information is collected from the applicant process that occurs prior to acceptance into the fellowship program. Information is updated with fellows and alumni, after the application process to reflect current information.

RECORD SOURCE CATEGORIES:

Information in this system of records is obtained from, but not limited to, fellows, fellowships, institutions, implementors, or alumni as well as other individuals or groups. This group may include, but is not limited to, vendors, agents, and other business personnel.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, records contained in this system may be disclosed outside of USDA as a routine use pursuant to 5 U.S.C. 552a(b)(3), to the extent that such uses are compatible with the purposes for which the information was collected. Such permitted routine uses include the following:

a. To the Department of Justice when: (a) USDA or any component thereof; or (b) any employee of USDA in his or her official capacity, or any employee of the agency in his or her official capacity where the Department of Justice has agreed to represent the employee; or (c) the United States Government, is a party to litigation or has an interest in such litigation, and USDA determines that the records are both relevant and necessary to the litigation and the use of such records by the Department of Justice is deemed by USDA to be for a purpose that is compatible with the purpose for which USDA collected the records.

b. To a congressional office in response to an inquiry from that congressional office made at the written request of the individual about whom the records pertains.

c. Disclosure may be made to the United States Civil Rights Commission in response to its request for information, per 42 U.S.C. 1975a.

d. To the National Archives and Records Administration (NARA) or other Federal government agencies pursuant to records management activities being conducted under 44 U.S.C. 2904 and 2906.

e. To appropriate agencies, entities, and persons when (1) USDA suspects or has confirmed that there has been a breach of the system of records; (2) USDA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, USDA (including its information system, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with USDA's efforts to respond to the suspected or confirmed compromise and to prevent, minimize, or remedy such harm.

f. To another Federal agency or Federal entity, when information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

g. When a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, USDA may disclose the record to the appropriate agency, whether Federal, foreign, State, local, tribal, or other public authority responsible for enforcing, investigating, or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to any enforcement, regulatory, investigative, or prosecutive responsibility of the receiving entity.

h. In an appropriate proceeding before a court, grand jury, or administrative or adjudicative body or official, when the USDA or other agency representing the USDA determines that the records are both relevant and necessary to the proceeding; or in an appropriate proceeding before an administrative or adjudicative body when the adjudicator determines the records to be relevant to the proceeding.

i. To contractors and their agents, grantees, experts, consultants, and other performing or working on a contract, service, grant, cooperative agreement, or other assignment for the USDA, when necessary to accomplish an agency function related to this system of records.

j. To the news media and the public, with the approval of the Chief Privacy Officer, the Office of Communications and in consultation with counsel, unless it is determined that release of the specific information in the context of a particular case would constitute an unwarranted invasion of personal privacy.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

FAS is responsible for maintaining the storage of FAS-IFEDS records. Electronic records are stored within Salesforce Government Cloud, who maintains the physical aspects of the system and records storage. The physical location and technical operation of the system is at the Salesforce Government Cloud's Chicago (Elk Grove, IL) and Washington (Ashburn, VA) data centers. FAS requires users to take specific measures to safeguard authenticators. FAS manages authenticators by requiring individuals to take and have devices implement authentication protection measures. All user roles safeguard authenticators by not divulging or posting PIN data and protecting authentication devices. Device authenticators use safeguarding by restricting access to devices based on the principle of least privilege and separation of duties. Use of control enhancement prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards and countermeasures. Electronic storage is on and maintained through a storage area network (SAN) at the Salesforce Government Cloud. Records are maintained on storage arrays occurring through the redundant SAN fabrics built using Cisco MDS 9513 switches. A contingency plan is in place that maintains, full restoration without deterioration of the security safeguards originally planned and implemented. Use of an alternate storage maintains security safeguards equivalent to the primary site. Salesforce uses IPsec to encrypt the SAN replication between Production data centers. Storage arrays send encrypted data between data centers using AES-256 via a FIPS 140-2 validated encryption module. The storage array includes high-speed Fiber Channel disks with large caches. DataGuard servers protect against data corruption of the records at the SAN layer. Maintenance and use of user and admin roles protect against data corruption of the records at the application layer.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Access to and use of FAS-IFEDS records are limited to individuals with appropriate clearance or permission who need to know for the performance of official duties. Users complete security awareness training, covering procedures for handling sensitive information, including personally identifiable information (PII). Annual refresher training is mandatory. All USDA employees and contractors with authorized access undergo thorough background security investigation. FAS-IFEDS does not interface or connect directly with Salesforce Government Cloud for personnel data. USDA personnel with user or administrative role access may enter data into FAS-IFEDS, on a periodic basis. USDA personnel with user or administrative role access may search and retrieve records by (1) date of birth, (2) country, (3) region, (4) institution, (5) subject matter expertise, (6) gender, (7) fellowship, (8) program, (9) fellowship start date, (10) fellowship end date, or (11) agricultural topic. An individual record search can occur by name using the global search. Users are limited to conducting searches electronically from within the FAS-IFEDS application. Search results are displayed through the graphical user interface (GUI) and in the form of reports. Salesforce Government Cloud is the retrieval location of electronic records.

FAS-IFEDS access and authentication meets USDA policies and practices for the retrievability of records including the use of identification cards, network access, and electronic authentication methods. FAS-IFEDS user access is role, responsibility, and privilege based; centralized on a need to know. Documented in a user guide are the policies and procedures of user access. User access is managed by the FAS-IFEDS administrator.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are retained and disposed of in accordance with National Archives and Records Administration (NARA) General Record Schedule (GRS) 2.3.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

The administrative, technical, and physical safeguards implemented for FCRMS meet the policy and control requirements set forth in system security plan documentation and subject to monitoring consistent with applicable laws, regulations, agency policies, procedures, and practices. Access to and use of FAS-IFEDS records are limited to individuals with appropriate clearances or permissions who need to know the information for performance of official duties. Users complete security awareness training, covering procedures for handling sensitive information, including personally identifiable information (PII). Annual refresher training is mandatory. All USDA employees and contractors with authorized access undergo thorough background security investigation. Personnel retain paper records, when applicable, in a locked or secured office or office building that can only be accessed by authorized FAS employees. Electronic records are stored within Salesforce, who maintains the system. FAS requires users to take specific measures to safeguard authenticators. Manages authenticators by requiring individuals to take and have devices implement authentication protection measures. All user roles safeguard authenticators by not divulging or posting PIN data and protecting authentication devices. Device authenticators use safeguarding by restricting access to devices based on the principle of least privilege and separation of duties. Use of control enhancement prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards and countermeasures. Implements a contingency plan that maintains full restoration without deterioration of the security safeguards originally planned and implemented. Use of an alternate storage provides security safeguards equivalent to the primary site. Enforcing physical access authorizations at entry and exit points to the facility where the system resides by verifying individual access; controlling ingress and egress; maintaining physical access audit logs; controlling areas designated as publicly accessible; escorting visitors and monitoring visitor activity; securing keys, combinations, and other physical access devices; conducting inventories, at least annually; and changing combinations and keys, at least annually and, or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

RECORD ACCESS PROCEDURES:

Individuals seeking notification of and access to any record contained in this system of records, or seeking to contest its content, may submit a request in writing to the Foreign Agricultural Service FOIA/Privacy Act Officer, whose contact information can be found at https://www.dm.usda.gov/foia/poc.htm. If an individual believes more than one component maintains Privacy Act records concerning him or her, the individual may submit the request to the Chief FOIA Officer, Department of Agriculture, 1400 Independence Avenue SW, South Building Room 4104, Washington, DC 20250-0706, email: USDAFOIA@ocio.usda.gov.

The request should include a daytime phone number and email. Provide as much information as possible about the subject matter of the records you are requesting. This will help facilitate the search process.

When seeking records about yourself from this FAS-IFEDS system of records, or any other Department system of records, your request must conform with the Privacy Act regulations set forth in 7 CFR 1.112 (Procedures for requests pertaining to individual records in a record system.) You must submit a written request in accordance with the instructions set forth in the system of records.

Provide your full name, date, name of system of records, and either: (1) have your signature witnessed by a notary; or (2) include the following statement immediately above the signature on your request letter: “I declare under penalty of perjury that the foregoing is true and correct. Executed on [date].” Requests that do not contain the required declaration will be processed under the Freedom of Information Act (FOIA) and, if records are found, you may not receive as much information, including information about you. If additional information is required to fulfill a Privacy Act request, you will be notified. If you want records about yourself to be released to a third party (such as an academic institution, foreign government entity, or other organization requesting records on your behalf), the third party may receive greater access if they have permission from you. You will need a signed and dated statement that the Foreign Agricultural Service may release records pertaining to you. Include your name; date of birth; name of the person or organization to whom you want your records disclosed (where applicable); their contact information; list of records that may be released (all, emails, contact records, etc.). The person about whom the records will be released should include a statement indicating that they understand that knowingly or willingly seeking records about another person under false pretenses and or without their consent is punishable by a fine of up to $5,000.

When the request if for one of access, the request should include the full name of the individual making the request, the name of the system of records, a statement of whether the requester desires to make a personal inspection of the records or to be supplied with copies by mail or email. In accordance with 7 CFR 1.113, prior to inspection of the records, the requester shall present sufficient identification ( e.g. driver's license, employee identification card, social security card, credit cards) to establish that the requester is the individual to whom the records pertain. No identification shall be required, however, if the records are required by 5 U.S.C. 552 to be released. If FAS determines to grant the requested access, fees may be charge in accordance with § 1.120 before making the necessary copies. In place of a notarization, your signature may be submitted under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization.

CONTESTING RECORDS PROCEDURES:

Individuals seeking to contest or amend records maintained in this system of records must direct their request to the address indicated in the “RECORD ACCESS PROCEDURES” paragraph, above and must follow the procedures set forth in 7 CFR part 1, subpart G, 1.116 (Request for correction or amendment to record). All request must state clearly and concisely what records is being contested, the reasons for contesting it, and the proposed amendment to the record. A determination whether a record may be amended will be made within 10 days of its receipt.

NOTIFICATION PROCEDURES:

Individuals may be notified if a record in this system of records pertains to them when the individuals request information utilizing the same procedures as those identified in the “RECORD ACCESS PROCEDURES” paragraph, above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None