CIA Privacy Act New System of Records Notice

Content

ACTION:

Notice of a new system of records.

SUMMARY:

Pursuant to the Privacy Act of 1974, as amended, and Office of Management and Budget (OMB) Circular No. A-108, notice is hereby
given that the Central Intelligence Agency (“CIA”) is submitting to the
Federal Register
one new System of Records Notice (SORN), CIA-44 Business Analytics Records. This new SORN covers CIA's collection, curation,
exploration, and objective analysis of CIA business data used to inform business decisions related to the CIA workforce, facilities,
and processes.

DATES:

In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable upon publication and incorporates the CIA's 19
Routine Uses published November 28, 2022 at 87 FR 73198.

ADDRESSES:

Comments may be submitted by the following methods: By mail to Mark Mouser, Privacy and Civil Liberties Officer, Central Intelligence
Agency, Washington, DC 20505; or by email to FedRegComments@ucia.gov. Please include “NOTICE NEW CIA SORN” in the subject line of the message.

FOR FURTHER INFORMATION CONTACT:

Mark Mouser, Privacy and Civil Liberties Officer, Central Intelligence Agency, Washington, DC 20505, (571) 280-2700.

SUPPLEMENTARY INFORMATION:

CIA relies on reliable, repeatable, and comparable data to, among other purposes, inform decisions and track progress in achieving
CIA priorities. This data, which the CIA refers to as “business data,” is captured by, or created from the use and operations
of, CIA facilities, IT systems, and applications in the normal course of CIA activities and processes. The CIA's collection,
curation, exploration, and objective analysis of business data has proven significantly beneficial to the CIA. For example,
business data has allowed CIA leadership to recommend adjustments to CIA resource allocations, develop applications to assist
the CIA workforce in completing their administrative responsibilities, and generate statistical information to inform CIA
leadership decision-making on its business needs.

The CIA proposes a new System of Record Notice, CIA-44 Business Analytics Records, to further enable its business data analytic
activities and identify opportunities for efficiencies in Agency services, tools, reports, properties, and facilities.

Nothing in the new SORN indicates any change in the Agency's authorities or practices regarding the collection and maintenance
of information about citizens and lawful permanent residents of the United States, nor does the new SORN change any individual's
rights to access or to amend their records in accordance with the Privacy Act.

In accordance with 5 U.S.C. 552a(r), the Agency has provided a report to OMB and Congress on the new system of records.

Dated: November 4, 2024. Mark Mouser, Privacy and Civil Liberties Officer, Central Intelligence Agency.

PRIVACY ACT SYSTEM OF RECORDS NOTICE CIA-44

SYSTEM NAME AND NUMBER:

Business Analytics Records (CIA-44)

SECURITY CLASSIFICATION:

The classification of records in this system can range from UNCLASSIFIED to TOP SECRET.

SYSTEM LOCATION:

Central Intelligence Agency, Washington, DC 20505.

SYSTEM MANAGER(S):

Chief Strategy Officer (CSO), Central Intelligence Agency, Washington, DC 20505, and the heads of component-level offices
charged with business analytic functional responsibilities.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The National Security Act of 1947, as amended, 50 U.S.C. 3036 et seq.; the Central Intelligence Agency Act of 1949, as amended, 50 U.S.C. 3501 et seq.; Executive Order 12333, as amended, 73 FR 45325.

PURPOSE(S) OF THE SYSTEM:

Records in this system are used by authorized personnel to ensure process integrity; enable the CIA and the Director of the
CIA to carry out their lawful and authorized responsibilities; and collect, create, centralize and disseminate CIA business
data to: evaluate the utilization of, and identify opportunities for efficiencies in, CIA services, tools, reports, properties,
and facilities; evaluate adjustments to CIA resource allocations, processes, and business lines; develop applications and
information systems to assist CIA personnel in conducting official CIA business; and perform other analyses of CIA business
processes and systems as identified by authorized CIA officials.

Records in this system are also used by authorized personnel to collect, create, centralize and disseminate CIA business data
to monitor, report on, and make recommendations relating to: CIA's utilization of contracts and contractors to promote the
efficient use of CIA resources; CIA vacancies, hiring, compensation, awards, promotions, training, employee development, employee
benefits, internal transfers, resignations, and retirements; spending by CIA components and programs; work hours and activities
of CIA personnel to determine alignment of CIA activity with CIA priorities; workforce health, wellbeing status, and perceptions
to allow for a more comprehensive understanding of the workforce and allow for the ability for CIA stakeholders to take action
to improve the workplace, environment, and organizational processes; location and workplace presence of CIA-affiliated persons,
to support commuting, alternative work, and facility location studies; official travel performed by CIA-affiliated persons;
and former staff employees who retain an alumni relationship with the CIA.

CIA employees and contractors may use established business analytic methods to query, analyze, and summarize CIA business
data. These methods include using programming language(s) (e.g., structured query language (SQL)), data visualization, statistical analysis, natural language processing, network analysis,
and artificial intelligence/machine learning techniques.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Current and former CIA employees, employees of other IC agencies detailed to the CIA, applicants or prospective applicants
for employment with the CIA, individuals under contract with the CIA, individuals visiting CIA-managed facilities, individuals
physically present in, or using, CIA-controlled facilities, United States Government personnel reading or consuming CIA-produced
products, and individuals using CIA-managed information technology systems.

CATEGORIES OF RECORDS IN THE SYSTEM:

This system contains CIA “business data,” which is data captured by, created by, or derived from the use and operations of
CIA facilities, IT systems, and applications, that is used by authorized CIA officers for the purposes outlined in the “PURPOSE(S)
OF THE SYSTEM” paragraph, above. CIA business data includes, but is not limited to:

A. Human resource, biographic, and personnel security information on the individuals listed in the “CATEGORIES OF INDIVIDUALS
COVERED BY THE SYSTEM” paragraph, above, such as: names of individuals; organizational affiliation; physical work location
of personnel; internal contact information; personal home address and contact information; voluntarily-provided biographical
information; demographic data; employment data; applicant and prospective applicant information, such as CIA position vacancies,
applications, and internal and external hiring data; employee performance and promotion, retention, and resignation attributes;
personnel security dispositions and clearances; personnel official travel records; voluntarily-provided information on workforce
health, wellbeing status, and perceptions, utilization of employee health and wellness services, and responses to workforce
surveys.

B. Financial and appropriations information, such as: CIA budget allocations and fiscal transactions; contracts and contractor
personnel data; and procurement, inventory, movement, and disposition of goods and services; and

C. CIA-managed products, facilities, IT system, and application information, such as: internal communications metadata; activity
records on CIA-managed information technology systems; metadata relating to CIA-produced or -consumed analyses, reporting,
and content; and capacity, configuration, maintenance, and utilization data of CIA-managed and CIA-affiliated facilities.

RECORD SOURCE CATEGORIES:

Information may be provided by individuals covered by this system; derived from other CIA IT systems and Privacy Act systems
of records; and other U.S. Government departments and agencies.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

In addition to the disclosures generally permitted under 5 U.S.C. 552a(b), this information is set forth in the “Statement
of General Routine Uses for the Central Intelligence Agency,” set out at 87 FR 73198, November 28, 2022, which is incorporated
herein by reference.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Paper and other hard-copy records are stored in secured areas within the CIA or in CIA-controlled facilities. Electronic records
are stored in secure file-servers located within CIA-controlled facilities or in CIA-contracted facilities subject to CIA
supervision.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records in this system may be retrieved by name, chart number, social security number, CIA employee number, or other unique
personal identifier by automated or hand search based on extant indices and automated capabilities utilized in the normal
course of business. Under applicable law and regulations, all searches of this system of records will be performed in CIA
offices by CIA personnel.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

All records are maintained and disposed of in accordance with applicable Records Control Schedules issued or approved by the
National Archives and Records Administration.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Records are maintained in secure, restricted areas and are accessed only by personnel who have a need for the records in the
performance of their official duties and have been authorized for such access. Electronic authorization and authentication
access controls are required to prevent against unauthorized access, use, and disclosure.

RECORD ACCESS PROCEDURES:

Requests from individuals should be addressed as indicated in the notification procedures section below. Regulations for access
to individual records or for appealing an initial determination by CIA concerning the access to records are published in the

  Federal Register
  (32 CFR 1901.11-.45).

CONTESTING RECORD PROCEDURES:

Requests from individuals to correct or amend records should be addressed as indicated in the notification procedures section
below. CIA's regulations regarding requests for amendments to, or disputing the contents of, individual records or for appealing
an initial determination by CIA concerning these matters are published in the
Federal Register
(32 CFR 1901.21-32, 32 CFR 1901.42).

NOTIFICATION PROCEDURES:

Individuals seeking to learn if this system of records contains information about them should direct their inquiries to: Information
and Privacy Coordinator, Central Intelligence Agency, Washington, DC 20505. Identification requirements are specified in the
CIA rules published in the
Federal Register
(32 CFR 1901.12-.14). Individuals must comply with these rules in order for their request to be processed.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

Certain records contained within this system of records may be exempted from certain provisions of the Privacy Act, 5 U.S.C.
552a, pursuant to 5 U.S.C. 552a(d)(5), (j)(1), and (k).

HISTORY:

None.

[FR Doc. 2024-26134 Filed 11-22-24; 8:45 am] BILLING CODE 6310-02-P

Download File

Download