Posted: 1:55 am ET
We just stumbled into a December 12, 2017 announcement on the Federal Register about a “New System of Records” signed by Mary R. Avery, the Senior Agency Official for Privacy in the Office of Global Information Services of the State Department’s Bureau of Administration. The notice says that the “purpose of the Email Archive Management Records system is to capture all emails and attachments that interact with a Department of State email account and to store them in a secure repository that allows for search, retrieval, and view when necessary.”
In accordance with 5 U.S.C. 552a(e)(4) and (11), this system of records takes effect upon publication, with the exception of the routine uses that are subject to a 30-day period during which interested persons may submit comments to the Department.
The individuals covered by this new system? All State Department folks with state.gov emails, including people with interactions to those state.gov accounts, or mentioned in those email accounts:
“Individuals who maintain a Department of State email account that is archived in the system. The system may also include information about individuals who interact with a Department of State email account, as well as individuals who are mentioned in a Department of State email message or attachment.”
“The records in this system include email messages and attachments associated with a Department of State email account, including any information that may be included in such messages or attachments. The system may also include biographic and contact information of individuals who maintain a Department of State email account, including name, address, email address, and phone number.”
The location of this new system is reportedly at the State Department or annexes and post overseas but also that information “may also be stored within a government-certified cloud, implemented, and overseen by the Department’s Messaging Systems Office (MSO.”
Does anyone know if this new system is managed by a specific contractor or contractors, and if so, which one/s?
Note that the new system does not just capture “record” emails for federal record purposes, but “all” emails. The hunt for leakers starts here? Although if you read carefully item #f below, it looks like emails will also be shared and screened for potential insider attacks, not just on networks, but for “for terrorist screening, threat-protection and other homeland security purposes.”
And item #h… oh, my … for people with planned or ongoing litigations! It has always been said that employees should have no expectation of privacy when using government systems; this new system clarifies it for everyone on how the State Department intends to use and share information in its email system.
Information in this new system may be shared with the following:
(a) Other federal agencies, foreign governments, and private entities where relevant and necessary for them to review or consult on documents that implicate their equities;
(b) a contractor of the Department having need for the information in the performance of the contract, but not operating a system of records within the meaning of 5 U.S.C. 552a(m).
(c) appropriate agencies, entities, and persons when (1) the Department of State suspects or has confirmed that there has been a breach of the system of records; (2) the Department of State has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Department of State (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department of State efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
(d) another Federal agency or Federal entity, when the Department of State determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
(e) an agency, whether federal, state, local or foreign, where a record indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, so that the recipient agency can fulfill its responsibility to investigate or prosecute such violation or enforce or implement the statute, rule, regulation, or order.
(f) the Federal Bureau of Investigation, the Department of Homeland Security, the National Counter-Terrorism Center (NCTC), the Terrorist Screening Center (TSC), or other appropriate federal agencies, for the integration and use of such information to protect against terrorism, if that record is about one or more individuals known, or suspected, to be or to have been involved in activities constituting, in preparation for, in aid of, or related to terrorism. Such information may be further disseminated by recipient agencies to Federal, State, local, territorial, tribal, and foreign government authorities, and to support private sector processes as contemplated in Homeland Security Presidential Directive/HSPD-6 and other relevant laws and directives, for terrorist screening, threat-protection and other homeland security purposes.
(g) a congressional office from the record of an individual in response to an inquiry from the Congressional office made at the request of that individual.
(h) a court, adjudicative body, or administrative body before which the Department is authorized to appear when (a) the Department; (b) any employee of the Department in his or her official capacity; (c) any employee of the Department in his or her individual capacity where the U.S. Department of Justice (“DOJ”) or the Department has agreed to represent the employee; or (d) the Government of the United States, when the Department determines that litigation is likely to affect the Department, is a party to litigation or has an interest in such litigation, and the use of such records by the Department is deemed to be relevant and necessary to the litigation or administrative proceeding.
(i) the Department of Justice (“DOJ”) for its use in providing legal advice to the Department or in representing the Department in a proceeding before a court, adjudicative body, or other administrative body before which the Department is authorized to appear, where the Department deems DOJ’s use of such information relevant and necessary to the litigation, and such proceeding names as a party or interests:
(a) The Department or any component of it;
(b) Any employee of the Department in his or her official capacity;
(c) Any employee of the Department in his or her individual capacity where DOJ has agreed to represent the employee; or
(d) The Government of the United States, where the Department determines that litigation is likely to affect the Department or any of its components.
(j) the National Archives and Records Administration and the General Services Administration: For records management inspections, surveys and studies; following transfer to a Federal records center for storage; and to determine whether such records have sufficient historical or other value to warrant accessioning into the National Archives of the United States.