Privacy Act of 1974; System of Records

AGENCY:

National Science Foundation (NSF).

ACTION:

Notice of a new system of records.

SUMMARY:

In accordance with the Privacy Act of 1974, NSF proposes to establish a new agency system of records, entitled Freedom of Information Act and Privacy Act Request and Appeal Records, NSF–81. This system comprises records of requests and administrative appeals filed by individuals seeking access to agency records under the Freedom of Information Act, and requests and appeals by individuals seeking to access or amend agency records, if any, that NSF may maintain about them under the Privacy Act. System records about individual requesters, and their attorneys or representatives, if applicable, include the original request for access, amendment, and any administrative appeal, and other supporting documentation, which can include memoranda, correspondence, notes, copies of records released to the requester, and other file materials compiled or generated in the processing and disposition of the individual's request or appeal.

DATES:

This system of records shall be effective December 8, 2023, except for the “Routine Use” section of this document, which shall not become effective until January 8, 2024. Public comments on such Routine Uses or any other aspect of this notice will be accepted until January 8, 2024.

ADDRESSES:

Submit comments, identified by “FOIA/PA SORN,” by any of the following methods:

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

• Email: Dorothy Aronson, Senior Agency Official for Privacy, daronson@nsf.gov. Include “FOIA/PA SORN” in the subject line of the message.

• Mail: Dorothy Aronson, Senior Agency Official for Privacy, Office of Information and Resource Management, NSF, 2415 Eisenhower Ave., Alexandria, VA 22314.

Instructions: NSF intends to post all comments on the NSF's website ( https://www.nsf.gov ). All comments submitted in response to this Notice will become a matter of public record. Therefore, you should submit only information that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT:

Sandra Evans, FOIA/PA Officer, NSF, Office of General Counsel, 2415 Eisenhower Avenue, Alexandria, VA 22314, foia@nsf.gov, (703) 292–8060.

SUPPLEMENTARY INFORMATION:

As required by the Privacy Act of 1974, 5 U.S.C. 552a, NSF is publishing this notice of the establishment of an agency system of records ( i.e., system of records notice or SORN) pertaining to access requests and administrative appeals filed with NSF under the Freedom of Information Act (FOIA), and access and amendment requests and administrative appeals under the Privacy Act. This system (Freedom of Information Act and Privacy Act Request and Appeal Records, NSF–81) is being established due to NSF's acquisition of third-party commercial cloud-based services and software to track and manage electronically the receipt and processing of FOIA and Privacy Act requests and appeals.

The system will be used by NSF to maintain records about individuals who submit FOIA access requests, Privacy Act access and amendment requests, administrative appeals to NSF under either the FOIA or Privacy Act, and FOIA and Privacy Act requests referred to NSF by other agencies. These records, which may be created or submitted in electronic and paper format, include the individual's request for access, amendment, or administrative appeal, and other supporting documentation to include related internal memoranda, correspondence with the requester or third parties about the request, notes of NSF personnel or contractors assigned to handle the request or appeal, logs or other data automatically generated by the system ( e.g., estimated deadline for the agency's response), copies of records, if any, released to the requester, and other file materials compiled or generated in the processing and disposition of the individual's request or appeal. The system does not duplicate any other existing NSF or Government-wide systems of records under the Privacy Act.

In accordance with subsection (r) the Privacy Act, at 5 U.S.C. 552a(r), and Office of Management and Budget (OMB) Circular No. A–108, in addition to publication in the Federal Register , NSF has also submitted notice of the establishment of this system of records to OMB and to the appropriate Congressional committees. All NSF SORNs, including this one, may be viewed at www.nsf.gov/privacy.

SYSTEM NAME AND NUMBER:

Freedom of Information Act and Privacy Act Request and Appeal Records, NSF–81.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

NSF, 2415 Eisenhower Avenue, Alexandria, VA 22314. Information may also be maintained for NSF by third-party provider(s) in cloud-based storage, subject to applicable Federal information security and privacy controls.

SYSTEM MANAGER(S):

FOIA/PA Officer, NSF, Office of General Counsel, 2415 Eisenhower Avenue, Alexandria, VA 22314.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Freedom of Information Act, as amended, 5 U.S.C. 552; Privacy Act of 1974, as amended, 5 U.S.C. 552a; 45 CFR parts 612 and 613 (NSF FOIA and PA regulations); OMB Circular Nos. A–130 and A–108.

PURPOSE(S) OF THE SYSTEM:

To report, track, and process access requests and administrative appeals under the FOIA, and access and amendment requests and administrative appeals under the Privacy Act; to participate in and support litigation that may arise from a FOIA and/or Privacy Act access request, amendment request, or administrative appeal; and to assist NSF in carrying out any other responsibilities under the FOIA or the access or amendment provisions of the Privacy Act.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Individuals who submit access requests and appeals to NSF for records under the FOIA and/or the Privacy Act; individuals who submit access requests to other Federal agencies whose requests have been referred to NSF for processing or consultation; individuals who request amendment of their records in an NSF system of records under the Privacy Act; and attorneys or other representatives of the individuals listed above who make an authorized FOIA or PA request on behalf of such individuals.

CATEGORIES OF RECORDS IN THE SYSTEM:

This system comprises records created or compiled by NSF in response to FOIA access and Privacy Act access and amendment requests, and administrative appeals, including initial requests and administrative appeals, and related FOIA or Privacy Act litigation, if any. System records include:

1. Identifying data about the requester or the request or appeal, including, but not limited to, the requester's name, mailing address, telephone numbers, email addresses, tracking number, date and subject of the request, and may include other information ( e.g., Social Security number) voluntarily submitted or on behalf of the individual in support of their request or appeal, as well as other system-generated data pertaining to the processing of the request or appeal ( e.g., estimated date for agency's response, extensions);

2. The agency's response to the individual's request or appeal (including copies of responsive records, if any, that were released to the requester), copies of emails, correspondence, and other communications with the requester or others ( e.g., third-party submitters of responsive records) generated or compiled in the course of processing a request or appeal;

3. Intra- or interagency memoranda, referrals, correspondence, notes, fee schedules, assessments, cost calculations, and other documentation related to the processing of the FOIA and/or Privacy Act request or appeal, including correspondence or data related to fee determinations and collection of fees owed under the FOIA or Privacy Act;

4. Memoranda, correspondence, notes, statements of disagreement following a denial of an appeal of a Privacy Act record amendment request, and other related or supporting Privacy Act documentation, which may include a signed certification, SSN, drivers' license ID, or other information submitted by the individual or authorized representative as proof of the requester's identity (or, in lieu thereof, identity verification data from login.gov or other non-NSF third-party agent used to establish the individual's identity); and

5. If a FOIA or PA request or appeal is litigated, information and materials relating to such litigation, including, but not limited to, affidavits, exhibits, record indexes, certifications, or other materials filed by or obtained from the Department of Justice (DOJ) and other government attorneys, personnel, and contractors.

Consistent with para. 2, records responsive to an individual's FOIA request, if they have not been released to the individual, are not treated as records maintained about that individual, or accessible to that individual, in this system under the Privacy Act. Such records may be part of one or more other NSF Privacy Act systems of records, see NSF SORNs at www.nsf.gov/privacy, and remain protected by applicable exemptions if disclosure is requested under the Privacy Act and/or the FOIA by the subject individual, or by any other requester under the FOIA.

RECORD SOURCE CATEGORIES:

Individuals who submit initial access requests and administrative appeals pursuant to the FOIA, and individuals submitting access or amendment requests and administrative appeals under the Privacy Act, and attorneys or other authorized representatives acting on behalf of such individuals with respect to such requests and appeals.

1. NSF personnel and contractors who may be assigned to handle or assist with such requests and appeals, or related litigation arising therefrom.

2. Other agencies that have referred a FOIA or Privacy Act request to NSF or with whom NSF consults or assists in processing a FOIA or Privacy Act request received by or referred to NSF, or the litigation of such a request or appeal ( e.g., Department of Justice).

3. Third-party individuals or entities who have been consulted or notified regarding their proprietary or other interest in records responsive to a FOIA or Privacy Act request or appeal ( e.g., as the submitter or source of such records).

4. Governmental ( e.g., shared service) or non-Governmental third-party providers performing fee collection ( e.g., pay.gov), identity verification ( e.g., login.gov), or other administrative or other functions incidental to the processing of FOIA and Privacy Act requests and appeals.

5. Metadata routinely or automatically generated by the system software, relating to the tracking and processing of FOIA and Privacy Act requests and appeals ( e.g., date that the FOIA request was received or logged, estimated date for agency response, NSF staff assigned to process the request).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to the disclosures expressly permitted under subsections (b)(1)–(2) and (b)(4)–(12) of the Privacy Act of 1974, as amended, see 5 U.S.C. 552a(b)(1)–(2) and (b)(4)–(12), all or a portion of the records or information contained in this system are subject to the following NSF standard routine uses, pursuant to 5 U.S.C. 552a(b)(3):

1. Members of Congress. Information from a system may be disclosed to congressional offices in response to inquiries from the congressional offices made at the request of the individual to whom the record pertains.

2. Freedom of Information Act/Privacy Act Compliance. Information from a system may be disclosed to the Department of Justice or the Office of Management and Budget in order to obtain advice regarding NSF's obligations under the Freedom of Information Act and the Privacy Act.

3. Counsel. Information from a system may be disclosed to NSF's legal representatives, including the Department of Justice and other outside counsel, where the agency is a party in litigation or has an interest in litigation and the information is relevant and necessary to such litigation, including when any of the following is a party to the litigation or has an interest in such litigation: (a) NSF, or any component thereof; (b) any NSF employee in his or her official capacity; (c) any NSF employee in his or her individual capacity, where the Department of Justice has agreed to, or is considering a request to, represent the employee; or (d) the United States, where NSF determines that litigation is likely to affect the agency or any of its components.

4. National Archives, General Services Administration. Information from a system may be disclosed to representatives of the General Services Administration and the National Archives and Records Administration (NARA) during the course of records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.

5. Response to an Actual or Suspected Compromise or Breach of Personally Identifiable Information. NSF may disclose information from the system to appropriate agencies, entities, and persons when: (a) NSF suspects or has confirmed that there has been a breach of the system of records; (b) NSF has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals; NSF (including its information systems, programs, and operations); the Federal Government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with NSF efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. Furthermore, NSF may disclose information from the system to another Federal agency or Federal entity, when NSF determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in: responding to a suspected or confirmed breach; or preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

6. Courts. Information from a system may be disclosed to the Department of Justice or other agencies in the event of a pending court or formal administrative proceeding, when the information is relevant and necessary to that proceeding, for the purpose of representing the government, or in the course of presenting evidence, or the information may be produced to parties or counsel involved in the proceeding in the course of pre-trial discovery.

7. Contractors. Information from a system may be disclosed to contractors, agents, experts, consultants, or others performing work on a contract, service, cooperative agreement, job, or other activity for NSF and who have a need to access the information in the performance of their duties or activities for NSF.

8. Audit. Information from a system may be disclosed to government agencies and other entities authorized to perform audits, including financial and other audits, of the agency and its activities.

9. Law Enforcement. Information from a system may be disclosed, where the information indicates a violation or potential violation of civil or criminal law, including any rule, regulation or order issued pursuant thereto, to appropriate Federal, State, or local agencies responsible for investigating, prosecuting, enforcing, or implementing such statute, rule, regulation, or order.

10. Disclosure When Requesting Information. Information from a system may be disclosed to Federal, State, or local agencies which maintain civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary, to obtain information relevant to an agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit.

11. To the news media and the public when: (a) A matter has become public knowledge, (b) the NSF Office of the Director determines that disclosure is necessary to preserve confidence in the integrity of NSF or is necessary to demonstrate the accountability of NSF's officers, employees, or individuals covered by this system, or (c) the Office of the Director determines that there exists a legitimate public interest in the disclosure of the information, except to the extent that the Office of the Director determines in any of these situations that disclosure of specific information in the context of a particular case would constitute an unwarranted invasion of personal privacy.

Furthermore, records (or portions thereof) in this system may be routinely used and disclosed, pursuant to 5 U.S.C. 552a(b)(3), for the following purposes relating to FOIA and Privacy Act requests, appeals, and litigation, if any:

12. To NARA, Office of Government Information Services (OGIS), to the extent necessary to fulfill its responsibilities in 5 U.S.C. 552(h), to review administrative agency policies, procedures and compliance with the FOIA, and to facilitate OGIS's offering of mediation services to resolve disputes between persons making FOIA requests and administrative agencies.

13. To a Federal agency or other Federal entity that furnished the record or information for the purpose of permitting that agency or entity to make a decision regarding access to or correction of the record or information, or to a Federal agency or entity for purposes of providing guidance or advice regarding the handling of particular requests.

14. To facilitate, at NSF's discretion, the placement of FOIA request and appeal letters, and agency letters responding thereto, on the agency's public record ( e.g., www.nsf.gov ) to be made available to the public for routine inspection and copying, including where records have been “frequently requested” and disclosed under the FOIA within the meaning of that Act, as determined by the NSF.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Official copies of system records are accessed electronically through secured NSF systems and principally maintained by NSF or on its behalf in electronic cloud storage by third-party service provider(s). Records may be collected for processing and storage via online portals or other electronic platforms or means operated by NSF, by other Government shared-service provider(s) ( e.g., FOIA.gov), or by other (non-Government) third-party service providers on behalf of NSF. Paper records, such as copies of FOIA or Privacy Act requests and appeals received through postal mail, may be scanned and stored electronically, so that the paper copies need not be maintained and may be securely destroyed. NSF personnel or contractors may download or print non-official copies of records or data from electronic system storage for temporary use or reference in processing a FOIA request or appeal, provided such copies are handled and stored under secure conditions ( e.g., locked drawers, offices, and facilities).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records may be retrieved by full name of requester; FOIA or Privacy Act tracking number pertaining to the request or appeal; date and/or year of request or appeal; subject matter; or by other searchable or indexed data elements pertaining to an individual's request or appeal in the electronic system used to manage and stored the records.

Note: System records may also be electronically retrieved by the name or other personally assigned identifier of individual NSF personnel or contractors who may be responsible for or otherwise involved in the processing of FOIA and PA requests. Because the records pertain to the individuals who filed the request, and are not about the NSF personnel or contractors handling such requests, these third-party individuals are not included in the categories of individuals covered by this system for access, amendment, or other Privacy Act purposes.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Retention and disposal of records in this system of records is governed by National Archives and Records Administration (NARA) General Records Schedule 4.2, Information Access and Protection Records, as follows:

1. Access request files. Case files created in response to requests for records under the FOIA and Privacy Act, including administrative appeals, are destroyed six years after final agency action (initial response or appeal) or three years after final adjudication by the courts if applicable, whichever is later. Longer retention is authorized if required for business use.

2. Privacy Act amendment request files. Files relating to an individual's request to amend a record subject to the Privacy Act and any appeal or civil action that follows are destroyed with the records for which amendment was requested or four years after the final determination by agency or final adjudication by the courts if applicable, whichever is later. Longer retention is authorized if required for business use.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

NSF safeguards records in this system of records according to applicable Federal and NSF rules, policies, and procedures, including all applicable NSF automated systems security and access policies. Controls include mandatory information assurance and privacy training for individuals who will have access; identification, marking, and safeguarding of PII; physical access safeguards including multifactor identification physical access controls, detection and electronic alert systems for access to servers and other network infrastructure; and electronic intrusion detection systems in NSF facilities.

The third-party provider that provides cloud-based management has developed a comprehensive computer security handbook that includes an overarching organization-wide information security policy and associated procedures for each NIST family of security controls, including, for example, awareness and training policies and procedures. The third-party provider, to the extent it provides cloud-based storage and other services for this system, follows FedRAMP guidance when preparing security authorization and security-related assessment documentation, and it follows FedRAMP policies to meet all relevant associated security assessment and authorization controls. The Security Assessment and Authorization policy and procedures are reviewed annually.

RECORD ACCESS PROCEDURES:

You may seek access to records about you in this Privacy Act system ( i.e., NSF records maintained about your FOIA or PA request(s)) by following the procedures in 45 CFR part 613 for making a Privacy Act access request. You may submit your request in person, via postal mail, via www.FOIA.gov, via the email address listed on the FOIA page at www.nsf.gov, or via the public access link (PAL) or other online portal, if any, provided by the agency or on its behalf by its contractor(s). (You do not need to submit such a request to check the status of your FOIA or PA request(s) in the system, which you can do online through the PAL portal.)

To request access to your records under the Privacy Act, your request must be in writing, signed, and notarized, as detailed below. It should contain the name and number of the relevant Privacy Act records system to which you are seeking access—in this case, FOIA/PA Request and Appeal Records, NSF–81—along with your full name, current address, email address, and telephone number. Also include the assigned FOIA/PA tracking number, if any, for your FOIA or PA request(s) or appeal(s) maintained in this system, or other means of identifying records about you and your requests or appeals in this system.

Before processing a Privacy Act access request, NSF also requires that you verify your identity in an appropriate fashion. Individuals appearing in person to submit a Privacy Act request should be prepared to show reasonable picture identification, such as driver's license, government or other employment identification card, or passport. Your Privacy Act request also must be notarized, or submitted by you under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization, as provided below:

• If executed outside the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”

• If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”

In addition, your Privacy Act request should include a statement that you understand that knowingly or willfully seeking or obtaining access to Privacy Act records under false pretenses is punishable by a fine of up to $5,000. See5 U.S.C. 552a(i)(3).

CONTESTING RECORD PROCEDURES:

Individuals seeking to amend or correct the content of records about themselves should follow the procedures in 45 CFR part 613.

NOTIFICATION PROCEDURES:

Individuals seeking to determine whether information about themselves is contained in this system of records should follow the instructions for Record Access Procedures above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.