System of Records Notices

Effective Date: November 24, 2008

COMMERCE/PAT-TM-18

SYSTEM NAME:

USPTO Personal Identification Verification (PIV) and Security Access Control Systems.

SECURITY CLASSIFICATION:

Sensitive but unclassified.

SYSTEM LOCATIONS:

Office of Corporate Services, Office of Security and Safety, United States Patent and Trademark Office, 600 Dulany Street, Alexandria, VA 22314.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

All agency employees, contractors, consultants, and volunteers who require routine, long-term access (180 days or more) to USPTO facilities, information technology systems, and networks. At its discretion, the USPTO may include short-term employees and contractors in the PIV ID program and, therefore, inclusion into the USPTO Personal Identification Verification and Security Access Control System (PIVSACS). The system does not apply to occasional visitors or short-term guests. The USPTO will issue temporary identification and credentials for those purposes.

CATEGORIES OF RECORDS IN THE SYSTEM:

Enrollment records maintained in the PIVSACS and on individuals applying for the PIV program and a PIV credential through the USPTO HSPD-12 system contained within the PIVSACS include the following data fields: Full name; Social Security number; employee ID number, date of birth; current address; digital color photograph; fingerprints; biometric template (two fingerprints); organization; employee affiliation; work e-mail address; work telephone number(s); copies of identity source documents; employee status; foreign national status; federal emergency response official status; results of background check; Government agency code; and PIV card issuance location. Records in the PIV ID Management System (IDMS) needed for credential management for enrolled individuals in the PIV program include: PIV card serial number; digital certificate(s) serial number; PIV card issuance and expiration dates; PIV card PIN; Cardholder Unique Identifier (CHUID); and card management keys.

Individuals enrolled in the USPTO PIVSACS will be issued a PIV card. The PIV card contains the following mandatory visual personally identifiable information: Name, photograph, employee affiliation, PIV card issue and expiration date, agency card serial number, and color-coding for employee affiliation. The card also contains an integrated circuit chip which is encoded with the following mandatory data elements which comprise the standard data model for PIV logical credentials: PIV card PIN, cardholder unique identifier (CHUID), PIV authentication digital certificate, and two fingerprint biometric templates. The PIV data model may be optionally extended to include the following logical credentials: Digital certificate for digital signature, digital certificate for key management, card authentication keys, and card management system keys. All PIV logical credentials can only be read by machine.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

5 U.S.C. 301; 35 U.S.C. 2; E.O. 9397; Federal Information Security Management Act (Pub. L. 107-296, Sec. 3544); E-Government Act (Pub. L. 107-347, Sec. 203); Government Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C. 3504); Homeland Security Presidential Directive 12 (HSPD-12) “Policy for a Common Identification Standard for Federal Employees and Contractors” (August 27, 2004).

PURPOSES:

The primary purposes of the system are to ensure the safety and security of USPTO facilities, systems, or information, and of facility occupants and users; to provide for interoperability and trust in allowing physical access to individuals entering other Federal facilities; and to allow logical access to USPTO information systems, networks, and resources.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside the USPTO as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

a. To the Department of Justice when: (1) The agency or any component thereof; (2) any employee of the agency in his or her official capacity; (3) any employee of the agency in his or her individual capacity where the agency or the Department of Justice has agreed to represent the employee; or (4) the United States Government is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records by the Department of Justice is therefore deemed by the agency to be for a purpose compatible with the purpose for which the agency collected the records.

b. To a court or adjudicative body in a proceeding when: (1) The agency or any component thereof; (2) any employee of the agency in his or her official capacity; (3) any employee of the agency in his or her individual capacity where the agency or the Department of Justice has agreed to represent the employee; or (4) the United States Government is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records is therefore deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records.

c. Except as noted on Forms SF 85, SF 85-P, and SF 86, when a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether Federal, foreign, State, local, or tribal, or otherwise, responsible for enforcing, investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to any enforcement, regulatory, investigative or prosecutorial responsibility of the receiving entity.

d. To a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained.

e. To the National Archives and Records Administration or to the General Services Administration for records management inspections conducted under 44 U.S.C. 2904 and 2906.

f. To agency contractors, grantees, or volunteers who have been engaged to assist the agency in the performance of a contract service, grant, cooperative agreement, or other activity related to this system of records and who need to have access to the records in order to perform their activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended (5 U.S.C. 552a), the Federal Information Security Management Act (Pub. L. 107-296), and associated Office of Management and Budget (OMB) policies, standards and guidance from the National Institute of Standards and Technology, and the General Services Administration.

g. To a Federal, state, local, or international agency, or tribal or other public authority, on request, in connection with the hiring or retention of an employee, the issuance or retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant, or other benefit, to the extent that the information is relevant and necessary to the requesting agency's decision.

h. To the OMB when necessary to the review of private relief legislation pursuant to OMB Circular No. A-19.

i. To a Federal, State, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947, as amended; the CIA Act of 1949, as amended; Executive Order 12333 or any successor order; and applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders, or directives.

j. To designated agency personnel for controlled access to specific records for the purposes of performing authorized audit or authorized oversight and administrative functions. All access is controlled systematically through authentication using PIV credentials based on access and authorization rules for specific audit and administrative functions.

k. To the Office of Personnel Management in accordance with the agency's responsibility for evaluation of Federal personnel management.

l. To the Federal Bureau of Investigation for the National Criminal History check.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:

Not applicable.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Records are stored in electronic files.

RETRIEVABILITY:

Records may be retrieved by name of the individual, Cardholder Unique Identification Number, employee ID, and/or by any other unique individual identifier.

SAFEGUARDS:

Consistent with the requirements of the Federal Information Security Management Act (Pub. L. 107-296) and associated OMB policies, standards and guidance from the National Institute of Standards and Technology, and the General Services Administration, the USPTO Office of Security and Safety protects all records from unauthorized access through appropriate administrative, physical, and technical safeguards. Access is restricted on a “need to know” basis, utilization of PIV card access, secure network access, and card readers on doors and approved storage containers. The building has security guards and secured doors. All entrances are monitored through electronic surveillance equipment. The hosting facility is supported by 24/7 onsite hosting and network monitoring by trained technical staff. Physical security controls include indoor and outdoor security monitoring and surveillance; badge and picture ID access screening; and pincode access screening. Personally identifiable information is safeguarded and protected in conformance with all Federal statutory and OMB guidance requirements. All access has role-based restrictions, and individuals with access privileges have undergone vetting and suitability screening. All data is encrypted in transit. The USPTO will maintain an audit trail and perform random periodic reviews to identify unauthorized access. Persons given roles in the PIV process must be approved by the USPTO and complete training specific to their roles to ensure they are knowledgeable about how to protect personally identifiable information.

RETENTION AND DISPOSAL:

Records retention and disposal is in accordance with the series records schedules. The records on government employees and contractor employees are retained for the duration of their employment at the USPTO. Other individuals' records are kept for the duration of their affiliation with the USPTO and then treated as employee records. The records on separated employees are destroyed or sent to the Federal Records Center in accordance with General Records Schedule 18.

SYSTEM MANAGER(S) AND ADDRESS:

Director, Office of Security and Safety, United States Patent and Trademark Office, P.O. Box 1450, Alexandria, VA 22313-1450.

NOTIFICATION PROCEDURE:

Information about the records contained in this system may be obtained by sending a request in writing, signed, to the system manager at the address above. When requesting notification of or access to records covered by this notice, requesters should provide the appropriate information in accordance with the inquiry provisions appearing in 37 CFR part 102, subpart B.

RECORD ACCESS PROCEDURES:

Requests from individuals should be addressed to the system manager at the address above. Individuals must furnish their full names for their records to be located and identified. See “Notification procedure” above.

CONTESTING RECORD PROCEDURES:

The general provisions for access, contesting contents, and appealing initial determinations by the individual concerned appear in 37 CFR part 102, subpart B. Requests from individuals should be addressed to the system manager at the address above. Individuals must furnish their full names for their records to be located and identified. See “Notification procedure” above.

RECORD SOURCE CATEGORIES:

Employees, contractors, and other applicants, and those authorized by the subject individuals to furnish information.

SYSTEM EXEMPTIONS FROM CERTAIN PROVISIONS OF THE ACT:

None.

FEDERAL REGISTER HISTORY:
73 FR 63135 October 23, 2008 Notice of Proposed Amendment of Privacy Act System of Records
69 FR 74502 December 14, 2004 Notice of Proposed New Privacy Act System of Records

Return to top

Questions and Comments

Send Questions or Comments on the Commerce Office of Privacy and Open Government programs to PrivacyAct@doc.gov.

Office of Privacy and Open Government
Office of the Chief Financial Officer and Assistant Secretary for Administration
U.S. Department of Commerce

 

Page last updated: July 28, 2016->