Privacy Act System of Records: EPA Central Data Exchange Customer Registration Subsystem, EPA-52
[excerpted from: Federal Register: December 8, 2003 (Volume 68, Number 235)]
System Name: EPA Central Data Exchange--Customer Registration Subsystem (CDX-CRS)
System Location: The system will be operated and maintained by EPA or organizations under contract with the EPA (henceforth referred to as "EPA") at their place of business. The operational CDX CRS, which performs the routine functions of registering CDX users, is maintained at U.S. EPA National Computer Center, 109 T.W. Alexander Drive, Research Triangle Park, NC 27711. A testing facility which includes a test version of the CDX-CRS which is used to validate any changes to the CDX-CRS system before they become operational, is maintained at Computer Sciences Corporation, 8400 Corporate Drive, New Carrollton, MD 20785.
Categories of Individuals Covered by the System: This system contains records on all individuals that have either attempted to register or have registered to obtain an account to use CDX for electronically exchanging data with EPA. Registered users of EPA's CDX-CRS may include representatives of industry, government or laboratories exchanging information with EPA through CDX.
Categories of Records in the System: This system contains records including individual's name, self- assigned user name and security question, work title, work address and related work contact information (e.g., phone and fax numbers, E-mail address), supervisor's name and related contact information, and information related to the EPA reporting program the individual is planning to electronically file or report under (e.g., EPA program ID # and EPA program role), and the method of reporting (web browser, file exchange). In cases where individuals are asked to electronically "sign" certain EPA forms, CDX may request additional information items from an individual such as date of birth, mother's maiden name, high school graduation date, and similar personal identifiers. The individual registering for CDX will generate a self- assigned password that will be stored on the CDX-CRS, but it will only be accessible to the registering individual. The system will also store other system-generated data such as the registration date and time, digital certificate identifier, and other identifiers for internal tracking. Upon assignment of the password and ID code, the user may subsequently access the CDX system by entering these data and CDX will use this information to authenticate the individual's access to CDX.
Authority for Maintenance of System: In accordance with the Government Paperwork Elimination Act (44 U.S.C. 3504), EPA's electronic compliance filing and environmental data exchange system will enable the "acquisition and use of information technology, including alternative information technologies that provide for electronic submission, maintenance, or disclosure of information as a substitute for paper and for the use and acceptance of electronic signatures." Section 3504(a)(1)(B)(vi) of Title 44, United States Code.
Purpose(s): Central Data Exchange is EPA's portal for electronically exchanging environmental data with our external customers. Individual external users with CDX accounts may choose to engage in secure, electronic filing of environmental documents as permitted under the Government Paperwork Elimination Act (GPEA), and as required under appropriate environmental statutes. CDX-CRS was developed to protect the EPA and CDX system users from individuals seeking to gain unauthorized access to user accounts on CDX. While compliance reporting to EPA may be a mandatory requirement, the use of CDX to file information electronically to EPA is optional. At any time during the CDX registration process the individual may opt out of registering with CDX to file information electronically, and may revert back to existing paper or diskette filings with EPA.
The information contained in records maintained in the CDX-CRS system is used for the purposes of verifying the identity of the individual, informing users of the conditions and terms of using CDX, allowing individual users to establish an account on CDX, providing individual users access to their CDX account for electronically filing compliance data or exchanging other forms of environmental data, allowing individual users to customize, update or terminate their account with CDX, renewing or revoking an individual user's account on CDX, supporting the CDX help desk functions, investigating possible fraud and verifying compliance with program regulations, and initiating legal action against an individual involved in program fraud, abuse, or noncompliance. The information is also used to provide authenticated, protected access to the CDX system, thereby protecting CDX and CDX users from potential harm caused by individuals with malicious intentions gaining unauthorized access to the system.
Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses: CDX-CRS records will be used to facilitate registering CDX system users, issuing a username and password, and subsequently, verifying an individual's identity as he/she seeks to gain routine access to his/her account. In some cases, the user verification process will require EPA to contact the employer, based on the registration information provided by the user. The system has secondary uses that include: using the established username to facilitate tracking service calls or e-mails from the user in the event that there is a change in registration status or a problem the user has with CDX; offering the user new CDX service options, and facilitating the retrieval of user actions (e.g., historical submissions and help tickets); and events while on the CDX system. The records may also be subsequently used for auditing or other internal purposes of the EPA, including but not limited to: instances where enforcement of the conditions of using CDX are necessary; investigation of possible fraud involving a registered user; litigation purposes related to information reported to the agency; contacting the individual in the event of a system modification; a change to CDX; or modification, revocation or termination of user's access privileges to CDX.
EPA may disclose information contained in a record in this system of records under the routine uses listed in this notice without the consent of the individual if the disclosure is compatible with the purposes for which the record was collected. These disclosures may be made on a case-by-case basis or under a computer matching agreement if the Agency has complied with the computer matching requirements of the Act.
The General Routine Uses for EPA's CDX are listed as follows: A, B, C, D, E, F, G, H, I, and K apply. A detailed description of these routine uses can be found in the Federal Register Notice (at 66 FR 49947 (2001)) and also on the National Archives and Records Administration website, Privacy Act Issuances--1999 Compilation at: http://www.access.gpo.gov/su_docs/aces/PrivacyAct.shtml
In addition, the following routine uses may also apply:
Program Disclosures: The Agency may disclose information from this system to Federal, State, or local agencies, private parties such as relatives, present and former employers and business and personal associates, and hearing officials for the following purposes:
- To verify the identity of the individual;
- To enforce the conditions or terms of Agency program regulations;
- To investigate possible fraud and verify compliance with Agency program regulations;
- To prepare for litigation or to litigate collection service and audit;
- To initiate a limitation, suspension and termination (LS&T), debarment, or suspension action;
- To investigate complaints, update files, and correct errors.
Litigation and Alternative Dispute Resolution (ADR) Disclosures:
- In the event that one of the parties listed below is involved in litigation or ADR, or has an interest in litigation or ADR, the Agency may disclose certain records to the parties described in paragraphs (b), (c), and (d) of this routine use under the conditions specified in those paragraphs:
- The Environmental Protection Agency, or any component of the Agency; or
- Any Agency employee in his or her official capacity; or
- Any Agency employee in his or her individual capacity if the Department of Justice (DOJ) has agreed to provide or arrange for representation for the employee;
- Any Agency employee in his or her individual capacity where the agency has agreed to represent the employee; or
- The United States where the Agency determines that the litigation is likely to affect the Agency or any of its components.
- Disclosure to the DOJ. If the Agency determines that disclosure of certain records to the DOJ is relevant and necessary to litigation or ADR, the Agency may disclose those records as a routine use to the DOJ.
- Administrative Disclosures. Agencies that may obtain information under this routine use include, but are not limited to, the Office of Personnel Management, Office of Special Counsel, Merit Systems Protection Board, Federal Labor Relations Authority, Equal Employment Opportunity Commission, and Office of Government Ethics.
- Parties, counsels, representatives and witnesses. If the Agency determines that disclosure of certain records to a party, counsel, representative or witness in an administrative proceeding is relevant and necessary to the litigation, the Agency may disclose those records as a routine use to the party, counsel, representative or witness.
Research Disclosure: The Agency may disclose records to a researcher if an appropriate official of the Agency determines that the individual or organization to which the disclosure would be made is qualified to carry out specific research related to functions or purposes of this system of records. The official may disclose records from this system of records to that researcher solely for the purpose of carrying out that research related to the functions or purposes of this system of records. The researcher shall be required to maintain Privacy Act safeguards with respect to the disclosed records.
Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:
Storage: The CDX is a system for which the Agency is in the process of establishing a records schedule. The CDX will be taking e-transactions and preserving them in accordance with applicable EPA and other Federal policy and regulations. The CDX currently stores records on magnetic and/or digital formats. All record storage procedures are in accordance with current applicable regulations.
Retrievability: Records are retrievable by the CDX user name, program ID number, or all or part of the individual's name.
Safeguards: EPA has minimized the risk of unauthorized access to the system by establishing a secure environment for exchanging electronic information. Physical access to the data system housed within the facility is controlled by a computerized badge reading system, and the entire complex is patrolled by security during non-business hours. The computer system offers a high degree of resistance to tampering and circumvention. Multiple levels of security are maintained with the computer system control program. This system limits data access to EPA and contract staff on a need to know basis, and controls individuals ability to access and alter records with the system. All users of the system of records are given a unique user identification (ID) with personal identifiers. All interactions between the system and the authorized individual users are recorded.
Retention and Disposal: The EPA will retain and dispose of these records in accordance with National Archives and Records Administration General Records Schedule 20, Item 1.c. This schedule provides disposal authorization for electronic files and hard copy printouts created to monitor system usage, including but not limited to log-in files, audit trail files, system usage files, and cost-back files used to access charges for system use. Records will be deleted or destroyed when the Agency determines they are no longer needed for administrative, legal, audit, or other program purposes.
System Managers and Address: USEPA, Office of Environmental Information, (MS2823), 1200 Pennsylvania Ave. NW., Washington, DC 20460, Attn: Chief, Central Receiving Branch.
Notification Procedure: Requests to determine whether this system of records contains a record pertaining to the requesting individual should be sent to the USEPA, Office of Environmental Information, (MS2823T), 1200 Pennsylvania Ave. NW., Washington, D.C. 20460, Attn: Chief, Central Receiving Branch. To send a fax request: 202-566-1684. To determine whether a record exists regarding you in the system of records, provide the system manager with your name and username. Requests must meet the requirements of the regulations at 40 CFR part 16.
Record Access Procedures: A request for record access shall follow the directions described under Notification Procedure and will be addressed to the system manager at the address listed above.
Contesting Records Procedures: If you wish to contest a record in the system of records, contact the system manager with the information described under Notification Procedure, identify the specific items you are contesting, and provide a written justification for each item.
Record Source Categories: Information is obtained from individuals who have had or seek to have their identity authenticated except that a password and a username are explicitly self-assigned by the user registering to gain access to CDX.
System Exempted From Certain Provisions of the Act: None.