From: <Saved by Windows Internet Explorer 8>
Subject: Federal Register, Volume 76 Issue 212 (Wednesday, November 2, 2011)
Date: Mon, 11 Jun 2012 16:31:08 -0400
MIME-Version: 1.0
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://www.gpo.gov/fdsys/pkg/FR-2011-11-02/html/2011-28406.htm
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157

=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Federal Register, Volume 76 Issue 212 (Wednesday, =
November 2, 2011)</TITLE>
<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.19222"></HEAD>
<BODY><PRE>[Federal Register Volume 76, Number 212 (Wednesday, November =
2, 2011)]
[Notices]
[Pages 67755-67758]
From the Federal Register Online via the Government Printing Office [<A =
href=3D"http://www.gpo.gov/">http://www.gpo.gov/</A>]
[FR Doc No: 2011-28406]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

[Docket No. DHS-2011-0102]


Privacy Act of 1974; Department of Homeland Security U.S. Customs=20
and Border Protection DHS/CBP-003 Credit/Debit Card Data System of=20
Records

AGENCY: Privacy Office, DHS.

ACTION: Notice of Privacy Act system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974 the Department of=20
Homeland Security proposes to establish a new Department of Homeland=20
Security system of records notice titled ``Department of Homeland=20
Security/U.S Customs and Border Protection--003 Credit/Debit Card Data=20
System of Records.'' This system allows U.S. Customs and Border=20
Protection to collect, use, and maintain records

[[Page 67756]]

related to any credit and debit card transactions with it has with=20
individuals. Additionally, the Department of Homeland Security is=20
issuing a Notice of Proposed Rulemaking to exempt this system of=20
records from certain provisions of the Privacy Act, concurrent with=20
this system of records elsewhere in the Federal Register. This newly=20
established system will be included in the Department of Homeland=20
Security's inventory of record systems.

DATES: Submit comments on or before December 2, 2011. This new system=20
will be effective December 2, 2011.

ADDRESSES: You may submit comments, identified by docket number DHS-
2011-0102 by one of the following methods:
    <BULLET> Federal e-Rulemaking Portal: http://;<A =
href=3D"http://www.regulations.gov/">http://www.regulations.gov/</A>.=20
Follow the instructions for submitting comments.
    <BULLET> Fax: (703) 483-2999.
    <BULLET> Mail: Mary Ellen Callahan, Chief Privacy Officer, Privacy=20
Office, Department of Homeland Security, Washington, DC 20528.
    <BULLET> Instructions: All submissions received must include the=20
agency name and docket number for this rulemaking. All comments=20
received will be posted without change to <A =
href=3D"http://www.regulations.gov/">http://www.regulations.gov/</A>,=20
including any personal information provided.
    <BULLET> Docket: For access to the docket to read background=20
documents or comments received go to <A =
href=3D"http://www.regulations.gov/">http://www.regulations.gov/</A>.

FOR FURTHER INFORMATION CONTACT: For general questions please contact:=20
Laurence E. Castelli (202) 325-0280) Privacy Officer, Office of=20
International Trade, U.S. Customs and Border Protection, Mint Annex,=20
799 Ninth Street NW., Washington, DC 20229. For privacy issues please=20
contact: Mary Ellen Callahan (703) 235-0780, Chief Privacy Officer,=20
Privacy Office, U.S. Department of Homeland Security, Washington, DC=20
20528.

SUPPLEMENTARY INFORMATION:

I. Background

    In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the=20
Department of Homeland Security (DHS) U.S. Customs and Border=20
Protection (CBP) proposes to establish a new DHS system of records=20
notice titled, ``DHS/CBP-003 Credit/Debit Card Data System of=20
Records.''
    This system collects, uses, and maintains records related to any=20
credit and debit card transactions with CBP. CBP is providing notice to=20
the public regarding the collection, use, and dissemination of any=20
credit and debit card transaction information provided to CBP. Many=20
programs administered by CBP require an individual or business to=20
provide payment for various purposes, including services, applications,=20
fees, and duties, among others. As CBP expands methods of payment, many=20
of these transactions will permit use of credit and debit cards, which=20
will require the collection of the card data, disseminating that data=20
to process the transaction, and maintaining the data for recordkeeping=20
purposes. Information from this system will be shared with the=20
Department of Treasury, banks, and credit and debit card processors as=20
necessary. The data will not be used for law enforcement or=20
intelligence purposes unless the individual's underlying transaction=20
becomes associated with a law enforcement or intelligence action.
    The purpose of this system is to provide payment processing and=20
recordkeeping of credit and debit card transactions with CBP. Authority=20
for maintenance of this system is given by The Homeland Security Act of=20
2002, Public Law 107-296; 5 U.S.C. 301; 8 U.S.C. 1101, et seq.; 19=20
U.S.C. 1, et seq.; Section 711 of the Implementing Recommendations of=20
the 9/11 Commission Act of 2007 (9/11 Act), (Pub. L. 110-53); and the=20
Travel Promotion Act (Pub. L. 111-145).
    This newly established system will allow CBP to collect credit and/
or debit card payment information from individuals providing payment to=20
CBP for services, applications, fees, duties, and other official=20
activities. Records in this system are safeguarded in accordance with=20
applicable rules and policies, including all applicable DHS automated=20
systems security and access policies. Strict controls have been imposed=20
to minimize the risk of compromising the information that is being=20
stored. Access to the computer system containing the records in this=20
system is limited to those individuals who have a need to know the=20
information for the performance of their official duties and who have=20
appropriate clearances or permissions. All routine uses proposed are=20
compatible with the purpose for which the information was collected and=20
CBP's mission.
    Consistent with DHS's information sharing mission, information=20
stored in the Credit/Debit Card Data system of records may be shared=20
with other DHS components, as well as appropriate federal, state,=20
local, foreign, or international or tribal government agencies. This=20
sharing will only take place after DHS determines that the receiving=20
component or agency has a need to know the information to carry out=20
national security, law enforcement, immigration, intelligence, or other=20
functions consistent with the routine uses set forth in this system of=20
records notice.
    Additionally, the Department of Homeland Security is issuing a=20
Notice of Proposed Rulemaking to exempt this system of records from=20
certain provisions of the Privacy Act, concurrent with this system of=20
records elsewhere in the Federal Register. DHS is not exempting any=20
data in the system regarding an individual's credit or debit card=20
transaction. This system, however, may contain records or information=20
pertaining to the accounting of disclosures made from this system to=20
other law enforcement or intelligence agencies (federal, state, local,=20
foreign, international or tribal) in accordance with the published=20
routine uses or statutory basis for disclosure under 5 U.S.C. 552a(b).=20
For the accounting of these disclosures only, in accordance with 5=20
U.S.C. 552a (j)(2), and (k)(2), DHS will claim exemptions for these=20
records or information.

II. Privacy Act

    The Privacy Act embodies fair information principles in a statutory=20
framework governing the means by which the United States Government=20
collects, maintains, uses, and disseminates individuals' records. The=20
Privacy Act applies to information that is maintained in a ``system of=20
records.'' A ``system of records'' is a group of any records under the=20
control of an agency for which information is retrieved by the name of=20
an individual or by some identifying number, symbol, or other=20
identifying particular assigned to the individual. In the Privacy Act,=20
an individual is defined to encompass United States citizens and lawful=20
permanent residents. As a matter of policy, DHS extends administrative=20
Privacy Act protections to all individuals where systems of records=20
maintain information on U.S. citizens, lawful permanent residents, and=20
visitors. Individuals may request access to their own records that are=20
maintained in a system of records in the possession or under the=20
control of DHS by complying with DHS Privacy Act regulations, 6 CFR=20
part 5.
    The Privacy Act requires each agency to publish in the Federal=20
Register a description denoting the type and character of each system=20
of records that the agency maintains, and the routine uses that are=20
contained in each system in order to make agency record keeping=20
practices transparent, to notify individuals regarding the uses to=20
their records are put, and to assist individuals to more easily find=20
such files within the

[[Page 67757]]

agency. Below is the description of the U.S. Customs and Border=20
Protection DHS/CBP-003 Credit/Debit Card Data system of records.
    In accordance with 5 U.S.C. 552a(r), DHS has provided a report of=20
this system of records to the Office of Management and Budget and to=20
Congress.
System of Records
    Department of Homeland Security (DHS)/U.S. Customs and Border=20
Protection (CBP)--003

System name:
    DHS/CBP--003 Credit/Debit Card Data System.

Security classification:
    Unclassified.

System location:
    Records are maintained in the Automated Commercial System at the=20
CBP Headquarters in Washington, DC and field offices.

Categories of individuals covered by the system:
    Categories of individuals covered by this system include any=20
individuals that provide credit or debit card information as a means of=20
payment to CBP.

Categories of records in the system:
    Categories of records in this system include:
    <BULLET> Individual's Name;
    <BULLET> Address;
    <BULLET> Billing Name;
    <BULLET> Billing Address;
    <BULLET> Credit or Debit Card Number;
    <BULLET> Card Expiration Date;
    <BULLET> Charge Amount;
    <BULLET> Authorization Number; and
    <BULLET> Tracking numbers.

Authority for maintenance of the system:
    The Homeland Security Act of 2002, Public Law 107-296; 5 U.S.C.=20
301; 8 U.S.C. 1101, et seq.; 19 U.S.C. 1, et seq.; Section 711 of the=20
Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11=20
Act), (Pub. L. 110-53); and the Travel Promotion Act (Pub. L. 111-145).

Purpose(s):
    The purpose of this system is to provide payment processing and=20
recordkeeping of credit and debit card transactions with CBP.

Routine uses of records maintained in the system, including categories=20
of users and the purposes of such uses:
    In addition to those disclosures generally permitted under 5 U.S.C.=20
552a(b) of the Privacy Act, all or a portion of the records or=20
information contained in this system may be disclosed outside DHS as a=20
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. To the Department of Justice (including United States Attorney=20
Offices) or other federal agency conducting litigation or in=20
proceedings before any court, adjudicative or administrative body, when=20
it is relevant and necessary to the litigation and one of the following=20
is a party to the litigation or has an interest in such litigation:
    1. DHS or any component thereof;
    2. any employee of DHS in his/her official capacity;
    3. any employee of DHS in his/her individual capacity where DOJ or=20
DHS has agreed to represent the employee; or
    4. the United States or any agency thereof, is a party to the=20
litigation or has an interest in such litigation, and DHS determines=20
that the records are both relevant and necessary to the litigation and=20
the use of such records is compatible with the purpose for which DHS=20
collected the records.
    B. To a congressional office from the record of an individual in=20
response to an inquiry from that congressional office made at the=20
request of the individual to whom the record pertains.
    C. To the National Archives and Records Administration or other=20
Federal government agencies pursuant to records management inspections=20
being conducted under the authority of 44 U.S.C. 2904 and 2906.
    D. To an agency, organization, or individual for the purpose of=20
performing audit or oversight operations as authorized by law, but only=20
such information as is necessary and relevant to such audit or=20
oversight function.
    E. To appropriate agencies, entities, and persons when:
    1. DHS suspects or has confirmed that the security or=20
confidentiality of information in the system of records has been=20
compromised;
    2. The Department has determined that as a result of the suspected=20
or confirmed compromise there is a risk of harm to economic or property=20
interests, identity theft or fraud, or harm to the security or=20
integrity of this system or other systems or programs (whether=20
maintained by DHS or another agency or entity) or harm to the=20
individual that rely upon the compromised information; and
    3. The disclosure made to such agencies, entities, and persons is=20
reasonably necessary to assist in connection with DHS's efforts to=20
respond to the suspected or confirmed compromise and prevent, minimize,=20
or remedy such harm.
    F. To contractors and their agents, grantees, experts, consultants,=20
and others performing or working on a contract, service, grant,=20
cooperative agreement, or other assignment for DHS, when necessary to=20
accomplish an agency function related to this system of records.=20
Individuals provided information under this routine use are subject to=20
the same Privacy Act requirements and limitations on disclosure as are=20
applicable to DHS officers and employees.
    G. To an appropriate federal, state, local, foreign, international=20
or tribal law enforcement agency or other appropriate authority charged=20
with investigating or prosecuting a violation or enforcing or=20
implementing a law, rule, regulation, or order, where a record, either=20
on its face or in conjunction with other information, indicates a=20
violation or potential violation of law, which includes criminal,=20
civil, or regulatory violations and such disclosure is proper and=20
consistent with the official duties of the person making the=20
disclosure.
    H. To the Department of Treasury's <A =
href=3D"http://www.gpo.gov/fdsys/pkg/FR-2011-11-02/html/Pay.gov">Pay.gov<=
/A>, banks, and credit and=20
debit card processors, for payment processing and payment=20
reconciliation purposes.

Disclosure to consumer reporting agencies:
    None.

Policies and practices for storing, retrieving, accessing, retaining,=20
and disposing of records in the system:
Storage:
    Records in this system are stored electronically or on paper in=20
secure facilities in a locked drawer behind a locked door. The records=20
are stored on magnetic disc, tape, digital media, and CD-ROM.

Retrievability:
    Records may be retrieved by any of the data elements listed in=20
categories of records, above.

Safeguards:
    Records in this system are safeguarded in accordance with=20
applicable rules and policies, including all applicable DHS automated=20
systems security and access policies. Strict controls have been imposed=20
to minimize the risk of compromising the information that is being=20
stored. Access to the computer system containing the records in this=20
system is limited to those individuals who have a need to know the=20
information for the performance of their official duties and who have=20
appropriate clearances or permissions.

[[Page 67758]]

Retention and disposal:
    Payment information will be maintained in this system for nine=20
months in an active state to reconcile accounts and six years and three=20
months in an archived state in conformance with NARA General Schedule 6=20
Item 1 Financial Records management requirements. The nine month active=20
status is necessary to handle reconciliation issues (including=20
chargeback requests and retrievals). CBP must respond to these issues=20
within 10 to 15 days or lose the payment.

System Manager and address:
    Director, Office of Automated Systems, U.S. Customs and Border=20
Protection Headquarters, 1300 Pennsylvania Avenue NW., Washington, DC=20
20229.

Notification procedure:
    The Secretary of Homeland Security has exempted portions of this=20
system from the notification, access, and amendment procedures of the=20
Privacy Act because it is a law enforcement system. However, CBP will=20
consider individual requests to determine whether or not information=20
may be released. Thus, Individuals seeking notification of and access=20
to any record contained in this system of records, or seeking to=20
contest its content, may submit a request in writing to the=20
Headquarters or component's FOIA Officer, whose contact information can=20
be found at <A =
href=3D"http://www.dhs.gov/foia">http://www.dhs.gov/foia</A> under =
``contacts.'' If an=20
individual believes more than one component maintains Privacy Act=20
records concerning him or her the individual may submit the request to=20
the Chief Privacy Officer, Department of Homeland Security, 245 Murray=20
Drive SW., Building 410, STOP-0655, Washington, DC 20528.
    When seeking records about yourself from this system of records or=20
any other Departmental system of records your request must conform with=20
the Privacy Act regulations set forth in 6 CFR Part 5. You must first=20
verify your identity, meaning that you must provide your full name,=20
current address and date and place of birth. You must sign your=20
request, and your signature must either be notarized or submitted under=20
28 U.S.C. 1746, a law that permits statements to be made under penalty=20
of perjury as a substitute for notarization. While no specific form is=20
required, you may obtain forms for this purpose from the Director,=20
Disclosure and FOIA, <A =
href=3D"http://www.dhs.gov/">http://www.dhs.gov/</A> or 1-(866) =
431-0486. In=20
addition you should provide the following:
    <BULLET> An explanation of why you believe the Department would=20
have information on you,
    <BULLET> Identify which component(s) of the Department you believe=20
may have the information about you,
    <BULLET> Specify when you believe the records would have been=20
created,
    <BULLET> Provide any other information that will help the FOIA=20
staff determine which DHS component agency may have responsive records,
    <BULLET> If your request is seeking records pertaining to another=20
living individual, you must include a statement from that individual=20
certifying his/her agreement for you to access his/her records.
    Without this bulleted information the component(s) may not be able=20
to conduct an effective search, and your request may be denied due to=20
lack of specificity or lack of compliance with applicable regulations.

Record access procedures:
    See ``Notification procedure'' above.

Contesting record procedures:
    See ``Notification procedure'' above.

Record source categories:
    Records are obtained from individuals directly in the course of=20
collecting payment for various purposes, including services,=20
applications, fees, and duties, among others.

Exemptions claimed for the system:
    No exemption shall be asserted with respect to information=20
maintained in the system as it relates to data submitted by or on=20
behalf of a person who provided payment information. Information in the=20
system may be shared with law enforcement and/or intelligence agencies=20
pursuant to the above routine uses. The Privacy Act requires DHS=20
maintain an accounting of the disclosures made pursuant to all routines=20
uses. Disclosing the fact that a law enforcement or intelligence=20
agencies has sought particular records may affect ongoing law=20
enforcement or intelligence activity. As such, pursuant to 5 U.S.C. 552=20
a (j)(2) and (k)(2), DHS will claim exemption from (c)(3), (d), (e)(8),=20
and (g) of the Privacy Act of 1974, as amended, as is necessary and=20
appropriate to protect this information.

    Dated: October 3, 2011.
Mary Ellen Callahan,
Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2011-28406 Filed 11-1-11; 8:45 am]
BILLING CODE 9110-06-P


</PRE></BODY></HTML>
