Privacy Act of 1974; New System of Records, 70867-70872 [E7-24142]

Download as PDF 70867 Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices days, (4) action—people institute environmental changes and change their overt behavior, and (5) maintenance— people continue the gains obtained during the action stage for longer than 6 months. Small business entrepreneurship is a vital component of the U.S. economy. OSH activities, including research, regulation, enforcement, and intervention historically have not focused on small businesses despite their predominance and relatively large numbers of employees overall. Few small business establishments provide on-site occupational health units, medical screening tests, pre-placement physicals, or employ or use industrial hygiene or safety personnel/consultants. As a consequence, prevention of occupational injury and illness is often difficult in small business establishments because they generally have few safety and health resources, do not hire staff devoted to safety and health activities, and often lack the ability to identify occupational hazards and conduct surveillance. The pallet manufacturing industry has higher injury rates than general industry. The incidence rate for nonfatal injuries in the wood pallet and skid (SIC 2448) manufacturing industry was 226% greater than that for general industry. The type of injuries sustained at wood pallet manufacturers and their rates of increase [2002] compared to general industry included amputations (2220% higher), cuts and punctures (378% higher), fractures (237% higher), bruises (221% higher) sprains and strains (133% higher) and back pain (305% higher). Through this study, NIOSH will evaluate the feasibility and effectiveness of providing carefully constructed OSH information to one segment of small business pallet makers. The informational manual will be divided into eight chapters targeting specific hazards relevant to pallet work and will provide the owners/managers with suggestions for controlling those hazards. Chapters were selected based on prior NIOSH site visits to a sample of pallet makers and in consultation with the National Wood Pallet and Container Association. The chapters include: An introduction to OSH, developing a site-specific safety program, controlling noise, improving ventilation, saw safety, forklift safety, preventing build up of carbon monoxide, and prevention of musculoskeletal injury through ergonomics. This project will utilize two groups— a treatment group and a control group— in a pre-post design. One hundred eighty pallet companies will be randomly selected and assigned to two groups from a list of small pallet businesses in the United States that was provided by a market research firm. Both groups will participate in a baseline survey conducted by telephone. The treatment group will then receive the NIOSH informational manual by mail and the control group will not receive the manual until the conclusion of the study. Five months after the mailing, both groups will participate in a follow-up telephone survey designed to assess whether receipt and use of the material encouraged owners/managers to contemplate, plan, or initiate OSH changes at their facility. The questionnaire will determine whether owners/managers have progressed from baseline along the stage of change continuum because of receipt and use of the NIOSH material, or if some other factor is influencing their safety and health actions. It is possible that improvements in OSH may occur due to other influences and not from the informational manual. For example, it is possible that some event will occur that will make the entire industry more aware of OSH. Use of a similar control group will help in this determination. Data collection will occur within a 12 month period. However, the entire NIOSH study will occur over a two-year period. There will be no cost to respondents except their time to participate in the telephone survey. The total estimated annualized burden hours are 40. ESTIMATED ANNUALIZED BURDEN TABLE Type of respondents Form name Pallet company safety and health managers Initial Questionnaire (screening only) ............. Initial Questionnaire (complete) ..................... Follow-up Questionnaire ................................ Initial Questionnaire (screening only) ............. Initial Questionnaire (complete) ..................... Follow-up Questionnaire* ............................... Treatment Group ............................................ Pallet company safety and health managers Control Group ................................................. Number of respondents Dated: December 6, 2007. Maryam I. Daneshvar, Acting Reports Clearance Officer, Centers for Disease Control and Prevention. [FR Doc. E7–24140 Filed 12–12–07; 8:45 am] DEPARTMENT OF HEALTH AND HUMAN SERVICES BILLING CODE 4163–18–P Privacy Act of 1974; New System of Records Centers for Disease Control and Prevention Department of Health and Human Services (HHS), Centers for Disease Control and Prevention (CDC). ACTION: Notice of a New System of Records. mstockstill on PROD1PC66 with NOTICES AGENCY: SUMMARY: In accordance with the requirements of the Privacy Act, the Centers for Disease Control and VerDate Aug<31>2005 17:10 Dec 12, 2007 Jkt 214001 PO 00000 Frm 00052 Fmt 4703 Sfmt 4703 9 48 45 9 48 45 Number of responses per respondent 1 1 1 1 1 1 Average burden per response (in hours) 3/60 12/60 15/60 3/60 12/60 9/60 Prevention (CDC) is proposing to establish a new system of records (SOR), 09–20–0171, ‘‘Quarantine and TravelerRelated Activities, Including Records for Contact Tracing Investigation and Notification Under 42 CFR Parts 70 and 71, HHS/CDC/CCID.’’ The purpose of the system is to maintain records on the conduct of activities (e.g., quarantine, isolation) that fulfill HHS’s and CDC’s statutory authority under sections 311 and 361–368 of the Public Health Service Act: To prevent the introduction, transmission and spread of serious communicable diseases from persons arriving into the United States from foreign countries or engaged in E:\FR\FM\13DEN1.SGM 13DEN1 mstockstill on PROD1PC66 with NOTICES 70868 Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices interstate or international movement. Identifiable records are collected when an individual known or suspected to have been exposed to such communicable diseases arrives in the U.S. from a foreign country or travels from one state or possession to another state or possession. These records are used to: (1) Document reports of illness on airplanes, maritime vessels, and at land-border crossings of persons that may pose a public health risk and who are arriving from foreign countries or traveling between states; (2) perform contact tracing investigations and notifications of passengers and crew when known or suspected exposures to serious communicable diseases occur on board a conveyance arriving in the United States from a foreign country or while traveling from one state or possession to another; (3) inform state or local public health authorities so that these authorities may act to protect public health or safety; and (4) take actions (e.g., quarantine or isolation) as necessary to prevent the introduction, transmission, and spread of serious communicable diseases from persons arriving into the United States from foreign countries or persons engaged in interstate or international movement. Additional background information about the new system is included in the SUPPLEMENTARY INFORMATION section below. DATES: Effective Date: CDC filed a new SOR report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security and Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on December 7, 2007. CDC invites interested parties to submit comments on the proposed routine uses. To ensure that all parties have adequate time in which to comment, the new system will be effective 30 days from the publication of this notice, or 40 days from the date it was submitted to OMB and the Congress, whichever is later, unless CDC receives comments that persuade CDC to defer implementation. ADDRESSES: Address comments to HHS Privacy Act Officer, Room 5416, Mary E. Switzer Building, Department of Health and Human Services, 330 ‘‘C’’ Street, SW., Washington, DC 20201, or via electronic mail to MAGGIE.BLACKWELL@hhs.gov. Comments will be available for public viewing in the public reading room located at the same address, or on the HHS Web site at https://www.hhs.gov. To review comments in person, please call VerDate Aug<31>2005 17:10 Dec 12, 2007 Jkt 214001 the Division of Freedom of Information and Privacy at 202–690–7453 for an appointment. FOR FURTHER INFORMATION CONTACT: Maggie Blackwell, HHS Privacy Act Officer, Department of Health and Human Services, Room 5416, Mary E. Switzer Building, 330 ‘‘C’’ Street, SW., Washington, DC 20201, (202) 690–7453. CDC proposes to establish a new system of records: 09–20–0171, ‘‘Quarantine and Traveler-Related Activities, Including Records for Contact Tracing Investigation and Notification under 42 CFR Parts 70 and 71, HHS/CDC/CCID.’’ The CDC Division of Global Migration and Quarantine (DGMQ), the agency component responsible for quarantineand isolation-related activities, is located within the National Center for Preparedness, Detection and Control of Infectious Diseases, the Coordinating Center for Infectious Diseases (CCID). In addition to the contact tracing investigations and notification of travelers who may have been exposed to a communicable disease, this record system supports the mission of DGMQ in meeting public health, scientific, and regulatory responsibilities. The overall DGMQ mission is to decrease morbidity and mortality from infectious diseases among mobile populations (immigrants, refugees, migrant workers, international travelers, etc.) crossing international borders to come into the United States, and to decrease the risk of importation and spread of infectious diseases via humans, animals, and cargo. This new Privacy Act system of records is focused on decreasing the spread of infectious diseases via humans. These records concern activities (e.g., quarantine, isolation) fulfilling HHS’s statutory authority under Sections 311 and 361– 368 of the Public Health Service Act to prevent the spread of serious communicable diseases among persons arriving from foreign countries into the United States or engaged in interstate or international movement. A related purpose is to collect individually identified records so that contact tracing investigations and notifications of passengers and crew can be made when known or suspected exposures to serious communicable diseases occur on board a conveyance arriving in the United States from a foreign country or while traveling from one state or possession to another state or possession. SUPPLEMENTARY INFORMATION: PO 00000 Frm 00053 Fmt 4703 Sfmt 4703 I. Description of the Proposed System of Records Statutory and Regulatory Basis for SOR. Sections 311 and 361–368 of the Public Health Service Act provides authorities related to preventing the introduction, transmission, and spread of serious communicable diseases from foreign countries into the United States or from one state or possession into another. These sections of the Act delineate the various quarantine- and isolation-related activities that CDC may be required to conduct. Individually identified records must be maintained for CDC to effectively conduct many of its major quarantineand isolation-related activities, including screening arriving international or interstate travelers for symptoms of illness that may pose a public health risk; informing state or local health authorities so that these authorities may act to protect public health or safety; and other activities required to fulfill CDC’s regulatory responsibility in this area. Examples of other CDC quarantineand isolation-related activities that require the maintenance of individually identified records include, but are not limited to, the following: • Responding to reports of illnesses on airplanes, maritime vessels, and at land-border crossings of persons that may pose a public health risk and who are arriving from foreign countries or traveling between states; • Taking quarantine-related actions (e.g., quarantine, isolation) as necessary to prevent the spread of serious communicable diseases from persons arriving from foreign countries into the United States or engaged in interstate or international movement. Collection and Maintenance of Data in the System. CDC will collect only the minimum amount of personal data necessary to achieve the purpose of this system, which is to maintain records on the conduct of quarantine-related activities that fulfill HHS’s and CDC’s statutory authority under Sections 311 and 361–368 of the Public Health Service Act: To prevent the introduction, transmission and spread of serious communicable diseases from persons who arrive into the United States from foreign countries or are engaged in interstate or international movement. To effectively do contact tracing investigations and notifications of passengers and crew when known or suspected exposures of serious communicable diseases occur on board of conveyance, individually identified data, such as name of traveler, country of residence, address and phone at E:\FR\FM\13DEN1.SGM 13DEN1 Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices which they can be contacted, travel documents (e.g., passport), and seat number must be obtained. CDC collects only the minimal amount of information needed to perform contact tracing and other follow-up activities. mstockstill on PROD1PC66 with NOTICES II. Agency Policies, Procedures, and Restrictions on the Routine Use The Privacy Act permits CDC to disclose information without an individual’s consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible disclosure of data is known as a ‘‘routine use.’’ The government will only release quarantine- and traveler-related information that can be associated with an individual as provided for under ‘‘Section III. Proposed Routine Use Disclosures of Data in the System,’’ collecting only the minimum personal data necessary to achieve the purpose of this system. CDC has the following policies and procedures concerning disclosures of information that will be maintained in the system. Disclosure of information from the SOR will be approved only to the extent necessary to accomplish the purpose of the disclosure and only after CDC: A. Determines that: 1. The use or disclosure is consistent with the reason that the data are being collected, e.g., to maintain records on the conduct of quarantine- and travelerrelated activities that fulfill HHS’s and CDC’s statutory authority to prevent the introduction, transmission and spread of communicable diseases. 2. The purpose for which the disclosure is to be made can only be accomplished if the record is provided in individually identifiable form; 3. The purpose for which the disclosure is to be made is of sufficient importance to warrant the effect on and/ or risk to the privacy of the individual that additional exposure of the record might bring; 4. There is a strong probability that the proposed use of the data would in fact accomplish the stated purpose(s); and 5. The data are valid and reliable. B. Requires the information recipient to: 1. Establish administrative, technical, and physical safeguards to prevent unauthorized use of disclosure of the record; 2. Remove or destroy at the earliest time all identifiable information; and 3. Agree not to use or disclose the information for any purpose other than VerDate Aug<31>2005 17:10 Dec 12, 2007 Jkt 214001 the stated purpose under which the information was disclosed. III. Proposed Routine Use Disclosures of Data in the System The Privacy Act permits CDC to disclose information without an individual’s consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected and CDC complies with administrative requirements including publishing a notice in the Federal Register and allowing 30 days for public comment regarding any such new ‘‘routine use.’’ The proposed routine uses in this system meet the compatibility requirement of the Privacy Act. CDC is proposing to establish the following routine use disclosures of information maintained in the system: A. Records may be disclosed to contractors who will perform many of the same duties as Full Time Equivalents (FTEs) within DGMQ in situations where additional staff are required. Contractors are required to maintain Privacy Act safeguards with respect to such records. These functions may include collating, analyzing, aggregating, or otherwise refining records. DGMQ contracts out certain functions when doing so would contribute to efficient and effective operations of the agency. DGMQ must be able to give a contractor the information necessary for the contractor to fulfill their duties. Safeguards are provided in the contract prohibiting the contractor from using or disclosing the information for any purpose other than that described in the Statement of Work and requires the contractor to return or destroy all information at the contract’s completion. B. Records may be disclosed to state and local health departments and cooperating public health or medical authorities and their counsel to more effectively deal with outbreaks and conditions of public health significance. CDC works closely with state and local health partners to investigate possible outbreaks or other conditions of public health significance. CDC’s ability to share information could prove beneficial to the health department’s investigation. C. Personal information from this system may be disclosed as a routine use to appropriate conveyance personnel, Federal agencies, state and local health departments, Department of State and embassy personnel (U.S. and foreign), and health authorities in foreign countries. These agencies and departments (U.S. and foreign) need the information to perform contact tracing PO 00000 Frm 00054 Fmt 4703 Sfmt 4703 70869 investigations and to notify individuals exposed to an ill traveler that they were possibly exposed to a disease or condition of public health significance. This is compatible with the overall purpose of the system—to prevent the spread of communicable diseases. D. Records may be disclosed to the Department of Homeland Security (DHS) to enable DHS to restrict the travel of persons who pose a public health risk and to aid in its investigations of domestic or international terrorism. This routine use helps prevent the introduction, transmission, and spread of communicable disease, particularly where terrorism is involved. E. Identifiable information may need to be shared with medical personnel to evaluate or care for ill or exposed persons, including travelers, with the ultimate goal of protecting the public’s health and safety. F. Records may also be shared with the World Health Organization in accordance with U.S. responsibilities to ensure that CDC is in compliance with its obligations under the International Health Regulations and other international agreements—a use in line with CDC’s statutory authority with regard to quarantine- and isolationrelated activities. G. Also in line with the overriding purpose of protecting public health and safety by preventing the introduction, transmission, or spread of communicable diseases, personal information may be disclosed to federal, state, and local authorities to enable them to take actions needed to place someone under quarantine or isolation, or to enforce quarantine regulations. This is again in line with CDC’s statutory authority to take quarantine and isolation related actions to restrict movement if someone poses a significant health risk to others. H. Identifiable information may be disclosed to cooperating state and local legal departments enforcing concurrent legal authority relevant to quarantineand isolation-related activities. This is in accord with the federal government’s statutory authority to cooperate with and aid state and local authorities in the enforcement of their quarantine and other health regulations. I. Identifiable records may be referred to the appropriate agency, whether federal, foreign, state or local charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto when records collected within this SOR for quarantine activities indicate a violation or E:\FR\FM\13DEN1.SGM 13DEN1 70870 Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices mstockstill on PROD1PC66 with NOTICES potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto. This routine use is compatible in that this disclosure is being done to allow for effective enforcement of quarantine- and isolation-related requirements at various levels of government. J. Disclosure may be made to a congressional office from the record of an individual in response to a verified inquiry from the congressional office made at the written request of that individual. When a constituent requests a congressional office to facilitate obtaining information from this CDC system, it is compatible to provide such information, since this is in line with the overall purpose of the Privacy Act, which is to provide access to the subject individual of the records the government has on him or her. K. In the event of litigation in which the defendant is: (a) the Department, any component of the Department, or any employee of the Department in his or her official capacity; (b) the United States, where the Department determines that the claim, if successful, is likely to directly affect the operations of the Department or any of its components; or (c) any Department employee in his or her individual capacity, when the Justice Department has agreed to represent such employee, disclosure may be made to the Department of Justice to enable that Department to present an effective defense, provided that such disclosure is compatible with the purpose for which the records were collected. Whenever CDC is involved in litigation dealing with quarantine- or isolation-related activities and CDC policies or operations could be affected by the outcome of the litigation, CDC must be able to disclose identifiable information to the Department of Justice so that an effective defense can be presented. IV. Safeguards The CDC/DGMQ has safeguards in place for authorized users and monitors such users to ensure against unauthorized use. Access to quarantine records is restricted to protect the privacy of the individuals involved, and personnel with such access have been trained in Privacy Act and information security requirements. CDC/DGMQ maintains very stringent administrative, procedural and technical safeguards for the entire system of records. Access will be limited to authorized CDC/DGMQ FTEs and contractor staff VerDate Aug<31>2005 17:10 Dec 12, 2007 Jkt 214001 who have a bona fide need for the identifiable information to perform official job-related duties. DGMQ staff are required to have supervisory approval to access identifiable data and receive ongoing training in how to protect sensitive data. A database security package on computers controls unauthorized access to the systems. Data administrators continually review the database to ensure privacy provisions are in place and only appropriate personnel have access to the data. Attempts by unauthorized individuals are automatically recorded and reviewed regularly. Employees maintaining records are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access. This system will conform to all applicable Federal laws and regulations and Federal and HHS policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the EGovernment Act of 2002; the ClingerCohen Act of 1996, and the corresponding implementing regulations. OMB Circular A–130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS and CDC policies and standards include but are not limited to: all pertinent National Institute of Standards and Technology publications and the HHS Information Systems Program Handbook. V. Effects of the Proposed System of Records on Individual Rights CDC proposes to establish this system in accordance with the principles and requirements of the Privacy Act and will collect, use, and disseminate information only as prescribed therein. Data in this system will be subject to the authorized releases in accordance with the routine uses identified in this system of records. CDC will take precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy or other personal or property rights of individuals whose data are maintained in the system. CDC will collect only that information necessary to perform the system’s purpose. In addition, CDC will PO 00000 Frm 00055 Fmt 4703 Sfmt 4703 make disclosures from the system only with consent of the subject individual, or his/her legal representative, or in accordance with an applicable exception provision of the Privacy Act. CDC, therefore, does not anticipate an unfavorable effect on individual privacy as a result of information relating to individuals. Dated: December 6, 2007. James D. Seligman, Chief Information Officer, Office of the Director, Centers for Disease Control and Prevention. Privacy Act System of Records Notice; No. 09–20–0171 SYSTEM NAME: Quarantine- and Traveler-Related Activities, Including Records for Contact Tracing Investigation and Notification under 42 CFR Parts 70 and 71, HHS/CDC/CCID. SECURITY CLASSIFICATION: None. SYSTEM LOCATION: Division of Global Migration and Quarantine, National Center for the Preparedness, Detection, and Control of Infectious Disease (NCPDCID), Coordinating Center for Infectious Diseases (CCID), Centers for Disease Control and Prevention, 1600 Clifton Road, NE., Building 16; MS E03, Atlanta, GA 30333. Records may occasionally be stored at Quarantine Stations located at key ports of entry and at contractor sites. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Individuals subject to quarantine or isolation orders, ill travelers (i.e., passengers and crew), contacts of ill travelers, and/or individuals exposed or suspected of being exposed to serious communicable diseases. CATEGORIES OF RECORDS IN THE SYSTEM: Passenger and crew manifests from conveyances carrying individuals subject to 42 CFR parts 70 and 71, case reports, illness response forms, medical assessments, medical records (including but not limited to clinical, hospital and laboratory data and data from other relevant tests), name, address, date of birth, and related information and documents collected for the purpose of carrying out agency responsibilities under sections 311 and 361–368 of the Public Health Services Act. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Sections 311, 361–368 of the Public Health Service Act. E:\FR\FM\13DEN1.SGM 13DEN1 Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices PURPOSE(S): This system maintains records on the conduct of activities (e.g., quarantine, isolation) that fulfill HHS’s and CDC’s statutory authority under sections 311, 361–368 of the Public Health Service Act to prevent the introduction, transmission and spread of communicable diseases. Records are collected when individual known or suspected to have been exposed to serious communicable diseases arrives into the United States from foreign countries or is engaged in interstate or international movement These records are used to (1) document reports of illness that may pose a public health risk occurring while on board airplanes, maritime vessels, and at landborder crossings of persons arriving from foreign countries or traveling between states; (2) perform contact tracing investigations and notifications of passengers and crew when known or suspected exposures to serious communicable diseases occur on board a conveyance arriving in the United States from a foreign country or traveling from one state or possession to another; (3) inform international, federal, state or local public health authorities so that these authorities may act to protect public health or safety; and (4) take such actions (e.g., quarantine or isolation) as necessary to prevent the introduction, transmission, and spread of serious communicable diseases from persons arriving into the United States from foreign countries or persons engaged in interstate or international movement. mstockstill on PROD1PC66 with NOTICES ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: (1) Records may be disclosed to contractors to handle program work duties, performing many of the same functions as FTEs within DGMQ in situations where additional staff is required. Contractors are required to maintain Privacy Act safeguards with respect to such records. (2) Records may be disclosed to state and local health departments and other cooperating medical and public health authorities and their counsel to more effectively deal with outbreaks and other significant public health conditions. (3) Personal information from this system may be disclosed as a routine use to appropriate conveyance personnel, Federal agencies, state and local health departments, Department of State and embassy personnel (U.S. and foreign), and health authorities in foreign countries for contact tracing investigations and notifications of VerDate Aug<31>2005 17:10 Dec 12, 2007 Jkt 214001 possible exposures to serious communicable diseases in connection with travel. (4) Records may be disclosed to the Department of Homeland Security to restrict travel of persons who pose a public health risk and in the instance of suspected domestic or international terrorism. (5) Disclosure may be made to medical personnel providing evaluation and care for ill or exposed persons, including travelers. (6) Records may be disclosed to the World Health Organization in accordance with U.S. responsibilities as a signatory to the International Health Regulations or other international agreements. (7) Personal information may be disclosed to federal, state, and local authorities for taking necessary actions to place someone under quarantine or isolation, for enforcement of other quarantine regulations, or to protect the public’s health and safety. (8) Records may be disclosed to cooperating state and local legal departments enforcing concurrent legal authority related to quarantine or isolation activities. (9) In the event that a system of records maintained by this agency to carry out its functions indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether federal, foreign, state or local, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto. (10) Disclosure may be made to a congressional office from the record of an individual in response to a verified inquiry from the congressional office made at the written request of that individual (11) In the event of litigation where the defendant is: (a) The Department, any component of the Department, or any employee of the Department in his or her official capacity; (b) the United States where the Department determines that the claim, if successful, is likely to directly affect the operations of the Department or any of its components; or (c) any Department employee in his or her individual capacity where the Justice Department has agreed to represent such employee, disclosure may be made to the Department of PO 00000 Frm 00056 Fmt 4703 Sfmt 4703 70871 Justice to enable that Department to present an effective defense. POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM: STORAGE: Electronic media and file folders for hard-copy records. RETRIEVABILITY: By name of individual or other identifying particulars. SAFEGUARDS: 1. Authorized Users: A database security package is implemented on CDC’s computer systems to control unauthorized access to the system. Attempts to gain access by unauthorized individuals are automatically recorded and reviewed on a regular basis. Access is granted to only a limited number of physicians, scientists, statisticians, and designated support staff of the Centers for Disease Control and Prevention (CDC), or its contractors, as authorized by the system manager to accomplish the stated purposes for which the data in this system have been collected. 2. Physical Safeguards: Access to the CDC Clifton Road facility where the mainframe computer is located is controlled by a cardkey system. Access to the computer room is controlled by a cardkey and security code (numeric keypad) system. Access to the data entry area is also controlled by a cardkey system. Guard service in buildings provides personnel screening of visitors. The local fire department is located directly next door to the Clifton Road facility. The computer room is protected by an automatic sprinkler system, numerous automatic sensors (e.g., water, heat, smoke, etc.) are installed, and a proper mix of portable fire extinguishers is located throughout the computer room. Computer files are backed up on a routine basis. Hard-copy records are stored in locked cabinets at CDC headquarters and CDC Quarantine stations which are located in a secure area of the airport. 3. Procedural Safeguards: Protection for computerized records, both on the mainframe and the National Center Local Area Network (LAN), includes programmed verification of valid user identification code and password prior to logging on to the system, mandatory password changes, limited log-ins, virus protection, and user rights/file attribute restrictions. Password protection imposes user name and password log-in requirements to prevent unauthorized access. Each user name is assigned limited access rights to files and directories at varying levels to control E:\FR\FM\13DEN1.SGM 13DEN1 70872 Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices file sharing. There are routine daily back-up procedures, and secure off-site storage is available. To avoid inadvertent data disclosure, measures are taken to ensure that all data are removed from electronic media containing Privacy Act information. Additional safeguards may be built into the program by the system analyst, as warranted by the sensitivity of the data. CDC and contractor employees who maintain records are instructed to check with the system manager prior to making disclosures of data. When individually identified data are being used in a room, admittance at either CDC or contractor sites is restricted to specifically authorized personnel. Privacy Act provisions are included in contracts, and the CDC Project Director, contract officers and project officers oversee compliance with these requirements. Upon completion of the contract, all data will be either returned to CDC or destroyed, as specified by the contract. Implementation Guidelines: The safeguards outlined above are in accordance with the HHS Information Security Program Policy and FIPS Pub 200, ‘‘Minimum Security Requirements for Federal Information and Information Systems.’’ Data maintained on CDC’s Mainframe and the National Centers’ LANs are in compliance with OMB Circular A–130, Appendix III. Security is provided for information collection, processing, transmission, storage, and dissemination in general support systems and major applications. RETENTION AND DISPOSAL: Contact tracing records will be maintained in the agency until the contact investigation is complete or no longer than twelve months, in accordance with proposed retention schedules; remaining quarantine records would be maintained 10 or 20 years, based on the applicable CDC records control schedule. Disposal methods include wiping electronic media and macerating paper materials. SYSTEM MANAGER(S) AND ADDRESS: Director, NCPDCID, Coordinating Center for Infectious Diseases, Bldg. 1, Rm. 6013, MS C12, Centers for Disease Control and Prevention, 1600 Clifton Road, NE., Atlanta, GA 30333. mstockstill on PROD1PC66 with NOTICES An individual may learn if a record exists about himself or herself by contacting the system manager at the address listed above. Requesters in person must provide driver’s license or other positive identification. Individuals who do not appear in person must 17:10 Dec 12, 2007 RECORD ACCESS PROCEDURES: Same as notification procedures. Requesters should also reasonably specify the record contents being sought. An accounting of disclosures that have been made of the record, if any, may be requested. CONTESTING RECORD PROCEDURES: Contact the official at the address specified under System Manager above, reasonably identify the record and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant. RECORD SOURCE CATEGORIES: Individuals, private physicians, state and local health departments, other health-care providers, conveyance personnel, cooperating public health agencies, foreign governments including ministries of health, and other federal agencies. SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT: NOTIFICATION PROCEDURE: VerDate Aug<31>2005 either: (1) Submit a notarized request to verify their identity; or (2) certify that they are the individuals they claim to be and that they understand that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Privacy Act subject to a $5,000 fine. An individual who requests notification of or access to medical records shall, at the time the request is made, designate in writing a responsible representative who is willing to review the record and inform the subject individual of its contents at the representative’s discretion. A parent or guardian who requests notification of, or access to, a child’s medical record shall designate a family physician or other health professional (other than a family member) to whom the record, if any, will be sent. The parent or guardian must verify relationship to the child by means of a birth certificate or court order, as well as verify that he or she is who he or she claims to be. Jkt 214001 None. [FR Doc. E7–24142 Filed 12–12–07; 8:45 am] BILLING CODE 4163–18–P PO 00000 Frm 00057 Fmt 4703 Sfmt 4703 DEPARTMENT OF HEALTH AND HUMAN SERVICES Food and Drug Administration [Docket No. 2007N–0200] Agency Information Collection Activities; Submission for Office of Management and Budget Review; Comment Request; Health and Diet Survey AGENCY: Food and Drug Administration, HHS. ACTION: Notice. SUMMARY: The Food and Drug Administration (FDA) is announcing that a proposed collection of information has been submitted to the Office of Management and Budget (OMB) for review and clearance under the Paperwork Reduction Act of 1995. DATES: Fax written comments on the collection of information by January 14, 2008. ADDRESSES: To ensure that comments on the information collection are received, OMB recommends that written comments be faxed to the Office of Information and Regulatory Affairs, OMB, Attn: FDA Desk Officer, FAX: 202–395–6974, or e-mailed to baguilar@omb.eop.gov. All comments should be identified with the OMB control number 0910–0545. Also include the FDA docket number found in brackets in the heading of this document. FOR FURTHER INFORMATION CONTACT: Jonna Capezzuto, Office of the Chief Information Officer (HFA–250), Food and Drug Administration, 5600 Fishers Lane, Rockville, MD 20857,301–827– 4659. SUPPLEMENTARY INFORMATION: In compliance with 44 U.S.C. 3507, FDA has submitted the following proposed collection of information to OMB for review and clearance. Health and Diet Survey—(OMB Control Number 0910–0545)—Extension FDA is seeking extension of OMB approval for the Health and Diet Survey, which is a voluntary consumer survey intended to gauge and track consumer attitudes, awareness, knowledge, and behavior regarding various topics related to health, nutrition, and physical activity. The authority for FDA to collect the information derives from the Commissioner of Food and Drugs’ authority provided in section 903(d)(2) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 393(d)(2)). The survey consists of two independent data collection activities. E:\FR\FM\13DEN1.SGM 13DEN1

Agencies

[Federal Register Volume 72, Number 239 (Thursday, December 13, 2007)]
[Notices]
[Pages 70867-70872]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-24142]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Disease Control and Prevention


Privacy Act of 1974; New System of Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Disease Control and Prevention (CDC).

ACTION: Notice of a New System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act, the 
Centers for Disease Control and Prevention (CDC) is proposing to 
establish a new system of records (SOR), 09-20-0171, ``Quarantine and 
Traveler-Related Activities, Including Records for Contact Tracing 
Investigation and Notification Under 42 CFR Parts 70 and 71, HHS/CDC/
CCID.'' The purpose of the system is to maintain records on the conduct 
of activities (e.g., quarantine, isolation) that fulfill HHS's and 
CDC's statutory authority under sections 311 and 361-368 of the Public 
Health Service Act: To prevent the introduction, transmission and 
spread of serious communicable diseases from persons arriving into the 
United States from foreign countries or engaged in

[[Page 70868]]

interstate or international movement. Identifiable records are 
collected when an individual known or suspected to have been exposed to 
such communicable diseases arrives in the U.S. from a foreign country 
or travels from one state or possession to another state or possession. 
These records are used to: (1) Document reports of illness on 
airplanes, maritime vessels, and at land-border crossings of persons 
that may pose a public health risk and who are arriving from foreign 
countries or traveling between states; (2) perform contact tracing 
investigations and notifications of passengers and crew when known or 
suspected exposures to serious communicable diseases occur on board a 
conveyance arriving in the United States from a foreign country or 
while traveling from one state or possession to another; (3) inform 
state or local public health authorities so that these authorities may 
act to protect public health or safety; and (4) take actions (e.g., 
quarantine or isolation) as necessary to prevent the introduction, 
transmission, and spread of serious communicable diseases from persons 
arriving into the United States from foreign countries or persons 
engaged in interstate or international movement. Additional background 
information about the new system is included in the SUPPLEMENTARY 
INFORMATION section below.

DATES: Effective Date: CDC filed a new SOR report with the Chair of the 
House Committee on Government Reform and Oversight, the Chair of the 
Senate Committee on Homeland Security and Governmental Affairs, and the 
Administrator, Office of Information and Regulatory Affairs, Office of 
Management and Budget (OMB) on December 7, 2007. CDC invites interested 
parties to submit comments on the proposed routine uses. To ensure that 
all parties have adequate time in which to comment, the new system will 
be effective 30 days from the publication of this notice, or 40 days 
from the date it was submitted to OMB and the Congress, whichever is 
later, unless CDC receives comments that persuade CDC to defer 
implementation.

ADDRESSES: Address comments to HHS Privacy Act Officer, Room 5416, Mary 
E. Switzer Building, Department of Health and Human Services, 330 ``C'' 
Street, SW., Washington, DC 20201, or via electronic mail to 
MAGGIE.BLACKWELL@hhs.gov. Comments will be available for public viewing 
in the public reading room located at the same address, or on the HHS 
Web site at https://www.hhs.gov. To review comments in person, please 
call the Division of Freedom of Information and Privacy at 202-690-7453 
for an appointment.

FOR FURTHER INFORMATION CONTACT: Maggie Blackwell, HHS Privacy Act 
Officer, Department of Health and Human Services, Room 5416, Mary E. 
Switzer Building, 330 ``C'' Street, SW., Washington, DC 20201, (202) 
690-7453.

SUPPLEMENTARY INFORMATION: CDC proposes to establish a new system of 
records: 09-20-0171, ``Quarantine and Traveler-Related Activities, 
Including Records for Contact Tracing Investigation and Notification 
under 42 CFR Parts 70 and 71, HHS/CDC/CCID.'' The CDC Division of 
Global Migration and Quarantine (DGMQ), the agency component 
responsible for quarantine- and isolation-related activities, is 
located within the National Center for Preparedness, Detection and 
Control of Infectious Diseases, the Coordinating Center for Infectious 
Diseases (CCID). In addition to the contact tracing investigations and 
notification of travelers who may have been exposed to a communicable 
disease, this record system supports the mission of DGMQ in meeting 
public health, scientific, and regulatory responsibilities.
    The overall DGMQ mission is to decrease morbidity and mortality 
from infectious diseases among mobile populations (immigrants, 
refugees, migrant workers, international travelers, etc.) crossing 
international borders to come into the United States, and to decrease 
the risk of importation and spread of infectious diseases via humans, 
animals, and cargo. This new Privacy Act system of records is focused 
on decreasing the spread of infectious diseases via humans. These 
records concern activities (e.g., quarantine, isolation) fulfilling 
HHS's statutory authority under Sections 311 and 361-368 of the Public 
Health Service Act to prevent the spread of serious communicable 
diseases among persons arriving from foreign countries into the United 
States or engaged in interstate or international movement.
    A related purpose is to collect individually identified records so 
that contact tracing investigations and notifications of passengers and 
crew can be made when known or suspected exposures to serious 
communicable diseases occur on board a conveyance arriving in the 
United States from a foreign country or while traveling from one state 
or possession to another state or possession.

I. Description of the Proposed System of Records

    Statutory and Regulatory Basis for SOR. Sections 311 and 361-368 of 
the Public Health Service Act provides authorities related to 
preventing the introduction, transmission, and spread of serious 
communicable diseases from foreign countries into the United States or 
from one state or possession into another. These sections of the Act 
delineate the various quarantine- and isolation-related activities that 
CDC may be required to conduct.
    Individually identified records must be maintained for CDC to 
effectively conduct many of its major quarantine- and isolation-related 
activities, including screening arriving international or interstate 
travelers for symptoms of illness that may pose a public health risk; 
informing state or local health authorities so that these authorities 
may act to protect public health or safety; and other activities 
required to fulfill CDC's regulatory responsibility in this area.
    Examples of other CDC quarantine- and isolation-related activities 
that require the maintenance of individually identified records 
include, but are not limited to, the following:
     Responding to reports of illnesses on airplanes, maritime 
vessels, and at land-border crossings of persons that may pose a public 
health risk and who are arriving from foreign countries or traveling 
between states;
     Taking quarantine-related actions (e.g., quarantine, 
isolation) as necessary to prevent the spread of serious communicable 
diseases from persons arriving from foreign countries into the United 
States or engaged in interstate or international movement.
    Collection and Maintenance of Data in the System. CDC will collect 
only the minimum amount of personal data necessary to achieve the 
purpose of this system, which is to maintain records on the conduct of 
quarantine-related activities that fulfill HHS's and CDC's statutory 
authority under Sections 311 and 361-368 of the Public Health Service 
Act: To prevent the introduction, transmission and spread of serious 
communicable diseases from persons who arrive into the United States 
from foreign countries or are engaged in interstate or international 
movement. To effectively do contact tracing investigations and 
notifications of passengers and crew when known or suspected exposures 
of serious communicable diseases occur on board of conveyance, 
individually identified data, such as name of traveler, country of 
residence, address and phone at

[[Page 70869]]

which they can be contacted, travel documents (e.g., passport), and 
seat number must be obtained. CDC collects only the minimal amount of 
information needed to perform contact tracing and other follow-up 
activities.

II. Agency Policies, Procedures, and Restrictions on the Routine Use

    The Privacy Act permits CDC to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such compatible disclosure of data is known as a 
``routine use.'' The government will only release quarantine- and 
traveler-related information that can be associated with an individual 
as provided for under ``Section III. Proposed Routine Use Disclosures 
of Data in the System,'' collecting only the minimum personal data 
necessary to achieve the purpose of this system.
    CDC has the following policies and procedures concerning 
disclosures of information that will be maintained in the system. 
Disclosure of information from the SOR will be approved only to the 
extent necessary to accomplish the purpose of the disclosure and only 
after CDC:
    A. Determines that:
    1. The use or disclosure is consistent with the reason that the 
data are being collected, e.g., to maintain records on the conduct of 
quarantine- and traveler-related activities that fulfill HHS's and 
CDC's statutory authority to prevent the introduction, transmission and 
spread of communicable diseases.
    2. The purpose for which the disclosure is to be made can only be 
accomplished if the record is provided in individually identifiable 
form;
    3. The purpose for which the disclosure is to be made is of 
sufficient importance to warrant the effect on and/or risk to the 
privacy of the individual that additional exposure of the record might 
bring;
    4. There is a strong probability that the proposed use of the data 
would in fact accomplish the stated purpose(s); and
    5. The data are valid and reliable.
    B. Requires the information recipient to:
    1. Establish administrative, technical, and physical safeguards to 
prevent unauthorized use of disclosure of the record;
    2. Remove or destroy at the earliest time all identifiable 
information; and
    3. Agree not to use or disclose the information for any purpose 
other than the stated purpose under which the information was 
disclosed.

III. Proposed Routine Use Disclosures of Data in the System

    The Privacy Act permits CDC to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected and CDC complies with administrative requirements including 
publishing a notice in the Federal Register and allowing 30 days for 
public comment regarding any such new ``routine use.'' The proposed 
routine uses in this system meet the compatibility requirement of the 
Privacy Act. CDC is proposing to establish the following routine use 
disclosures of information maintained in the system:
    A. Records may be disclosed to contractors who will perform many of 
the same duties as Full Time Equivalents (FTEs) within DGMQ in 
situations where additional staff are required. Contractors are 
required to maintain Privacy Act safeguards with respect to such 
records. These functions may include collating, analyzing, aggregating, 
or otherwise refining records. DGMQ contracts out certain functions 
when doing so would contribute to efficient and effective operations of 
the agency. DGMQ must be able to give a contractor the information 
necessary for the contractor to fulfill their duties. Safeguards are 
provided in the contract prohibiting the contractor from using or 
disclosing the information for any purpose other than that described in 
the Statement of Work and requires the contractor to return or destroy 
all information at the contract's completion.
    B. Records may be disclosed to state and local health departments 
and cooperating public health or medical authorities and their counsel 
to more effectively deal with outbreaks and conditions of public health 
significance. CDC works closely with state and local health partners to 
investigate possible outbreaks or other conditions of public health 
significance. CDC's ability to share information could prove beneficial 
to the health department's investigation.
    C. Personal information from this system may be disclosed as a 
routine use to appropriate conveyance personnel, Federal agencies, 
state and local health departments, Department of State and embassy 
personnel (U.S. and foreign), and health authorities in foreign 
countries. These agencies and departments (U.S. and foreign) need the 
information to perform contact tracing investigations and to notify 
individuals exposed to an ill traveler that they were possibly exposed 
to a disease or condition of public health significance. This is 
compatible with the overall purpose of the system--to prevent the 
spread of communicable diseases.
    D. Records may be disclosed to the Department of Homeland Security 
(DHS) to enable DHS to restrict the travel of persons who pose a public 
health risk and to aid in its investigations of domestic or 
international terrorism. This routine use helps prevent the 
introduction, transmission, and spread of communicable disease, 
particularly where terrorism is involved.
    E. Identifiable information may need to be shared with medical 
personnel to evaluate or care for ill or exposed persons, including 
travelers, with the ultimate goal of protecting the public's health and 
safety.
    F. Records may also be shared with the World Health Organization in 
accordance with U.S. responsibilities to ensure that CDC is in 
compliance with its obligations under the International Health 
Regulations and other international agreements--a use in line with 
CDC's statutory authority with regard to quarantine- and isolation-
related activities.
    G. Also in line with the overriding purpose of protecting public 
health and safety by preventing the introduction, transmission, or 
spread of communicable diseases, personal information may be disclosed 
to federal, state, and local authorities to enable them to take actions 
needed to place someone under quarantine or isolation, or to enforce 
quarantine regulations. This is again in line with CDC's statutory 
authority to take quarantine and isolation related actions to restrict 
movement if someone poses a significant health risk to others.
    H. Identifiable information may be disclosed to cooperating state 
and local legal departments enforcing concurrent legal authority 
relevant to quarantine- and isolation-related activities. This is in 
accord with the federal government's statutory authority to cooperate 
with and aid state and local authorities in the enforcement of their 
quarantine and other health regulations.
    I. Identifiable records may be referred to the appropriate agency, 
whether federal, foreign, state or local charged with the 
responsibility of investigating or prosecuting such violation or 
charged with enforcing or implementing the statute, or rule, regulation 
or order issued pursuant thereto when records collected within this SOR 
for quarantine activities indicate a violation or

[[Page 70870]]

potential violation of law, whether civil, criminal or regulatory in 
nature, and whether arising by general statute or particular program 
statute, or by regulation, rule or order issued pursuant thereto. This 
routine use is compatible in that this disclosure is being done to 
allow for effective enforcement of quarantine- and isolation-related 
requirements at various levels of government.
    J. Disclosure may be made to a congressional office from the record 
of an individual in response to a verified inquiry from the 
congressional office made at the written request of that individual. 
When a constituent requests a congressional office to facilitate 
obtaining information from this CDC system, it is compatible to provide 
such information, since this is in line with the overall purpose of the 
Privacy Act, which is to provide access to the subject individual of 
the records the government has on him or her.
    K. In the event of litigation in which the defendant is: (a) the 
Department, any component of the Department, or any employee of the 
Department in his or her official capacity; (b) the United States, 
where the Department determines that the claim, if successful, is 
likely to directly affect the operations of the Department or any of 
its components; or (c) any Department employee in his or her individual 
capacity, when the Justice Department has agreed to represent such 
employee, disclosure may be made to the Department of Justice to enable 
that Department to present an effective defense, provided that such 
disclosure is compatible with the purpose for which the records were 
collected.
    Whenever CDC is involved in litigation dealing with quarantine- or 
isolation-related activities and CDC policies or operations could be 
affected by the outcome of the litigation, CDC must be able to disclose 
identifiable information to the Department of Justice so that an 
effective defense can be presented.

IV. Safeguards

    The CDC/DGMQ has safeguards in place for authorized users and 
monitors such users to ensure against unauthorized use. Access to 
quarantine records is restricted to protect the privacy of the 
individuals involved, and personnel with such access have been trained 
in Privacy Act and information security requirements. CDC/DGMQ 
maintains very stringent administrative, procedural and technical 
safeguards for the entire system of records.
    Access will be limited to authorized CDC/DGMQ FTEs and contractor 
staff who have a bona fide need for the identifiable information to 
perform official job-related duties. DGMQ staff are required to have 
supervisory approval to access identifiable data and receive ongoing 
training in how to protect sensitive data. A database security package 
on computers controls unauthorized access to the systems. Data 
administrators continually review the database to ensure privacy 
provisions are in place and only appropriate personnel have access to 
the data. Attempts by unauthorized individuals are automatically 
recorded and reviewed regularly.
    Employees maintaining records are instructed not to release data 
until the intended recipient agrees to implement appropriate 
management, operational and technical safeguards sufficient to protect 
the confidentiality, integrity and availability of the information and 
information systems and to prevent unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal and HHS policies and standards as they relate 
to information security and data privacy. These laws and regulations 
may apply but are not limited to: the Privacy Act of 1974; the Federal 
Information Security Management Act of 2002; the Computer Fraud and 
Abuse Act of 1986; the E-Government Act of 2002; the Clinger-Cohen Act 
of 1996, and the corresponding implementing regulations. OMB Circular 
A-130, Management of Federal Resources, Appendix III, Security of 
Federal Automated Information Resources also applies. Federal, HHS and 
CDC policies and standards include but are not limited to: all 
pertinent National Institute of Standards and Technology publications 
and the HHS Information Systems Program Handbook.

V. Effects of the Proposed System of Records on Individual Rights

    CDC proposes to establish this system in accordance with the 
principles and requirements of the Privacy Act and will collect, use, 
and disseminate information only as prescribed therein. Data in this 
system will be subject to the authorized releases in accordance with 
the routine uses identified in this system of records.
    CDC will take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy or other personal or property rights of individuals whose data 
are maintained in the system. CDC will collect only that information 
necessary to perform the system's purpose. In addition, CDC will make 
disclosures from the system only with consent of the subject 
individual, or his/her legal representative, or in accordance with an 
applicable exception provision of the Privacy Act. CDC, therefore, does 
not anticipate an unfavorable effect on individual privacy as a result 
of information relating to individuals.

    Dated: December 6, 2007.
James D. Seligman,
Chief Information Officer, Office of the Director, Centers for Disease 
Control and Prevention.
Privacy Act System of Records Notice; No. 09-20-0171

SYSTEM NAME:
    Quarantine- and Traveler-Related Activities, Including Records for 
Contact Tracing Investigation and Notification under 42 CFR Parts 70 
and 71, HHS/CDC/CCID.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    Division of Global Migration and Quarantine, National Center for 
the Preparedness, Detection, and Control of Infectious Disease 
(NCPDCID), Coordinating Center for Infectious Diseases (CCID), Centers 
for Disease Control and Prevention, 1600 Clifton Road, NE., Building 
16; MS E03, Atlanta, GA 30333.
    Records may occasionally be stored at Quarantine Stations located 
at key ports of entry and at contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals subject to quarantine or isolation orders, ill 
travelers (i.e., passengers and crew), contacts of ill travelers, and/
or individuals exposed or suspected of being exposed to serious 
communicable diseases.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Passenger and crew manifests from conveyances carrying individuals 
subject to 42 CFR parts 70 and 71, case reports, illness response 
forms, medical assessments, medical records (including but not limited 
to clinical, hospital and laboratory data and data from other relevant 
tests), name, address, date of birth, and related information and 
documents collected for the purpose of carrying out agency 
responsibilities under sections 311 and 361-368 of the Public Health 
Services Act.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Sections 311, 361-368 of the Public Health Service Act.

[[Page 70871]]

PURPOSE(S):
    This system maintains records on the conduct of activities (e.g., 
quarantine, isolation) that fulfill HHS's and CDC's statutory authority 
under sections 311, 361-368 of the Public Health Service Act to prevent 
the introduction, transmission and spread of communicable diseases.
    Records are collected when individual known or suspected to have 
been exposed to serious communicable diseases arrives into the United 
States from foreign countries or is engaged in interstate or 
international movement These records are used to (1) document reports 
of illness that may pose a public health risk occurring while on board 
airplanes, maritime vessels, and at land-border crossings of persons 
arriving from foreign countries or traveling between states; (2) 
perform contact tracing investigations and notifications of passengers 
and crew when known or suspected exposures to serious communicable 
diseases occur on board a conveyance arriving in the United States from 
a foreign country or traveling from one state or possession to another; 
(3) inform international, federal, state or local public health 
authorities so that these authorities may act to protect public health 
or safety; and (4) take such actions (e.g., quarantine or isolation) as 
necessary to prevent the introduction, transmission, and spread of 
serious communicable diseases from persons arriving into the United 
States from foreign countries or persons engaged in interstate or 
international movement.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    (1) Records may be disclosed to contractors to handle program work 
duties, performing many of the same functions as FTEs within DGMQ in 
situations where additional staff is required. Contractors are required 
to maintain Privacy Act safeguards with respect to such records.
    (2) Records may be disclosed to state and local health departments 
and other cooperating medical and public health authorities and their 
counsel to more effectively deal with outbreaks and other significant 
public health conditions.
    (3) Personal information from this system may be disclosed as a 
routine use to appropriate conveyance personnel, Federal agencies, 
state and local health departments, Department of State and embassy 
personnel (U.S. and foreign), and health authorities in foreign 
countries for contact tracing investigations and notifications of 
possible exposures to serious communicable diseases in connection with 
travel.
    (4) Records may be disclosed to the Department of Homeland Security 
to restrict travel of persons who pose a public health risk and in the 
instance of suspected domestic or international terrorism.
    (5) Disclosure may be made to medical personnel providing 
evaluation and care for ill or exposed persons, including travelers.
    (6) Records may be disclosed to the World Health Organization in 
accordance with U.S. responsibilities as a signatory to the 
International Health Regulations or other international agreements.
    (7) Personal information may be disclosed to federal, state, and 
local authorities for taking necessary actions to place someone under 
quarantine or isolation, for enforcement of other quarantine 
regulations, or to protect the public's health and safety.
    (8) Records may be disclosed to cooperating state and local legal 
departments enforcing concurrent legal authority related to quarantine 
or isolation activities.
    (9) In the event that a system of records maintained by this agency 
to carry out its functions indicates a violation or potential violation 
of law, whether civil, criminal or regulatory in nature, and whether 
arising by general statute or particular program statute, or by 
regulation, rule or order issued pursuant thereto, the relevant records 
in the system of records may be referred, as a routine use, to the 
appropriate agency, whether federal, foreign, state or local, charged 
with the responsibility of investigating or prosecuting such violation 
or charged with enforcing or implementing the statute, or rule, 
regulation or order issued pursuant thereto.
    (10) Disclosure may be made to a congressional office from the 
record of an individual in response to a verified inquiry from the 
congressional office made at the written request of that individual
    (11) In the event of litigation where the defendant is: (a) The 
Department, any component of the Department, or any employee of the 
Department in his or her official capacity; (b) the United States where 
the Department determines that the claim, if successful, is likely to 
directly affect the operations of the Department or any of its 
components; or (c) any Department employee in his or her individual 
capacity where the Justice Department has agreed to represent such 
employee, disclosure may be made to the Department of Justice to enable 
that Department to present an effective defense.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Electronic media and file folders for hard-copy records.

RETRIEVABILITY:
    By name of individual or other identifying particulars.

SAFEGUARDS:
    1. Authorized Users: A database security package is implemented on 
CDC's computer systems to control unauthorized access to the system. 
Attempts to gain access by unauthorized individuals are automatically 
recorded and reviewed on a regular basis. Access is granted to only a 
limited number of physicians, scientists, statisticians, and designated 
support staff of the Centers for Disease Control and Prevention (CDC), 
or its contractors, as authorized by the system manager to accomplish 
the stated purposes for which the data in this system have been 
collected.
    2. Physical Safeguards: Access to the CDC Clifton Road facility 
where the mainframe computer is located is controlled by a cardkey 
system. Access to the computer room is controlled by a cardkey and 
security code (numeric keypad) system. Access to the data entry area is 
also controlled by a cardkey system. Guard service in buildings 
provides personnel screening of visitors. The local fire department is 
located directly next door to the Clifton Road facility. The computer 
room is protected by an automatic sprinkler system, numerous automatic 
sensors (e.g., water, heat, smoke, etc.) are installed, and a proper 
mix of portable fire extinguishers is located throughout the computer 
room. Computer files are backed up on a routine basis. Hard-copy 
records are stored in locked cabinets at CDC headquarters and CDC 
Quarantine stations which are located in a secure area of the airport.
    3. Procedural Safeguards: Protection for computerized records, both 
on the mainframe and the National Center Local Area Network (LAN), 
includes programmed verification of valid user identification code and 
password prior to logging on to the system, mandatory password changes, 
limited log-ins, virus protection, and user rights/file attribute 
restrictions. Password protection imposes user name and password log-in 
requirements to prevent unauthorized access. Each user name is assigned 
limited access rights to files and directories at varying levels to 
control

[[Page 70872]]

file sharing. There are routine daily back-up procedures, and secure 
off-site storage is available. To avoid inadvertent data disclosure, 
measures are taken to ensure that all data are removed from electronic 
media containing Privacy Act information. Additional safeguards may be 
built into the program by the system analyst, as warranted by the 
sensitivity of the data.
    CDC and contractor employees who maintain records are instructed to 
check with the system manager prior to making disclosures of data. When 
individually identified data are being used in a room, admittance at 
either CDC or contractor sites is restricted to specifically authorized 
personnel. Privacy Act provisions are included in contracts, and the 
CDC Project Director, contract officers and project officers oversee 
compliance with these requirements. Upon completion of the contract, 
all data will be either returned to CDC or destroyed, as specified by 
the contract.
    Implementation Guidelines: The safeguards outlined above are in 
accordance with the HHS Information Security Program Policy and FIPS 
Pub 200, ``Minimum Security Requirements for Federal Information and 
Information Systems.'' Data maintained on CDC's Mainframe and the 
National Centers' LANs are in compliance with OMB Circular A-130, 
Appendix III. Security is provided for information collection, 
processing, transmission, storage, and dissemination in general support 
systems and major applications.

Retention and disposal:
    Contact tracing records will be maintained in the agency until the 
contact investigation is complete or no longer than twelve months, in 
accordance with proposed retention schedules; remaining quarantine 
records would be maintained 10 or 20 years, based on the applicable CDC 
records control schedule. Disposal methods include wiping electronic 
media and macerating paper materials.

System manager(s) and address:
    Director, NCPDCID, Coordinating Center for Infectious Diseases, 
Bldg. 1, Rm. 6013, MS C12, Centers for Disease Control and Prevention, 
1600 Clifton Road, NE., Atlanta, GA 30333.

Notification procedure:
    An individual may learn if a record exists about himself or herself 
by contacting the system manager at the address listed above. 
Requesters in person must provide driver's license or other positive 
identification. Individuals who do not appear in person must either: 
(1) Submit a notarized request to verify their identity; or (2) certify 
that they are the individuals they claim to be and that they understand 
that the knowing and willful request for or acquisition of a record 
pertaining to an individual under false pretenses is a criminal offense 
under the Privacy Act subject to a $5,000 fine.
    An individual who requests notification of or access to medical 
records shall, at the time the request is made, designate in writing a 
responsible representative who is willing to review the record and 
inform the subject individual of its contents at the representative's 
discretion. A parent or guardian who requests notification of, or 
access to, a child's medical record shall designate a family physician 
or other health professional (other than a family member) to whom the 
record, if any, will be sent. The parent or guardian must verify 
relationship to the child by means of a birth certificate or court 
order, as well as verify that he or she is who he or she claims to be.

Record access procedures:
    Same as notification procedures. Requesters should also reasonably 
specify the record contents being sought. An accounting of disclosures 
that have been made of the record, if any, may be requested.

Contesting record procedures:
    Contact the official at the address specified under System Manager 
above, reasonably identify the record and specify the information being 
contested, the corrective action sought, and the reasons for requesting 
the correction, along with supporting information to show how the 
record is inaccurate, incomplete, untimely, or irrelevant.

Record source categories:
    Individuals, private physicians, state and local health 
departments, other health-care providers, conveyance personnel, 
cooperating public health agencies, foreign governments including 
ministries of health, and other federal agencies.

Systems exempted from certain provisions of the act:
    None.

[FR Doc. E7-24142 Filed 12-12-07; 8:45 am]
BILLING CODE 4163-18-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.