Privacy Act of 1974; New System of Records, 70867-70872 [E7-24142]
Download as PDF
70867
Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices
days, (4) action—people institute
environmental changes and change their
overt behavior, and (5) maintenance—
people continue the gains obtained
during the action stage for longer than
6 months.
Small business entrepreneurship is a
vital component of the U.S. economy.
OSH activities, including research,
regulation, enforcement, and
intervention historically have not
focused on small businesses despite
their predominance and relatively large
numbers of employees overall. Few
small business establishments provide
on-site occupational health units,
medical screening tests, pre-placement
physicals, or employ or use industrial
hygiene or safety personnel/consultants.
As a consequence, prevention of
occupational injury and illness is often
difficult in small business
establishments because they generally
have few safety and health resources, do
not hire staff devoted to safety and
health activities, and often lack the
ability to identify occupational hazards
and conduct surveillance.
The pallet manufacturing industry has
higher injury rates than general
industry. The incidence rate for nonfatal injuries in the wood pallet and skid
(SIC 2448) manufacturing industry was
226% greater than that for general
industry. The type of injuries sustained
at wood pallet manufacturers and their
rates of increase [2002] compared to
general industry included amputations
(2220% higher), cuts and punctures
(378% higher), fractures (237% higher),
bruises (221% higher) sprains and
strains (133% higher) and back pain
(305% higher).
Through this study, NIOSH will
evaluate the feasibility and effectiveness
of providing carefully constructed OSH
information to one segment of small
business pallet makers. The
informational manual will be divided
into eight chapters targeting specific
hazards relevant to pallet work and will
provide the owners/managers with
suggestions for controlling those
hazards. Chapters were selected based
on prior NIOSH site visits to a sample
of pallet makers and in consultation
with the National Wood Pallet and
Container Association. The chapters
include: An introduction to OSH,
developing a site-specific safety
program, controlling noise, improving
ventilation, saw safety, forklift safety,
preventing build up of carbon
monoxide, and prevention of
musculoskeletal injury through
ergonomics.
This project will utilize two groups—
a treatment group and a control group—
in a pre-post design. One hundred
eighty pallet companies will be
randomly selected and assigned to two
groups from a list of small pallet
businesses in the United States that was
provided by a market research firm.
Both groups will participate in a
baseline survey conducted by
telephone. The treatment group will
then receive the NIOSH informational
manual by mail and the control group
will not receive the manual until the
conclusion of the study. Five months
after the mailing, both groups will
participate in a follow-up telephone
survey designed to assess whether
receipt and use of the material
encouraged owners/managers to
contemplate, plan, or initiate OSH
changes at their facility. The
questionnaire will determine whether
owners/managers have progressed from
baseline along the stage of change
continuum because of receipt and use of
the NIOSH material, or if some other
factor is influencing their safety and
health actions. It is possible that
improvements in OSH may occur due to
other influences and not from the
informational manual. For example, it is
possible that some event will occur that
will make the entire industry more
aware of OSH. Use of a similar control
group will help in this determination.
Data collection will occur within a 12
month period. However, the entire
NIOSH study will occur over a two-year
period. There will be no cost to
respondents except their time to
participate in the telephone survey. The
total estimated annualized burden hours
are 40.
ESTIMATED ANNUALIZED BURDEN TABLE
Type of
respondents
Form name
Pallet company safety and health managers
Initial Questionnaire (screening only) .............
Initial Questionnaire (complete) .....................
Follow-up Questionnaire ................................
Initial Questionnaire (screening only) .............
Initial Questionnaire (complete) .....................
Follow-up Questionnaire* ...............................
Treatment Group ............................................
Pallet company safety and health managers
Control Group .................................................
Number of
respondents
Dated: December 6, 2007.
Maryam I. Daneshvar,
Acting Reports Clearance Officer, Centers for
Disease Control and Prevention.
[FR Doc. E7–24140 Filed 12–12–07; 8:45 am]
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
BILLING CODE 4163–18–P
Privacy Act of 1974; New System of
Records
Centers for Disease Control and
Prevention
Department of Health and
Human Services (HHS), Centers for
Disease Control and Prevention (CDC).
ACTION: Notice of a New System of
Records.
mstockstill on PROD1PC66 with NOTICES
AGENCY:
SUMMARY: In accordance with the
requirements of the Privacy Act, the
Centers for Disease Control and
VerDate Aug<31>2005
17:10 Dec 12, 2007
Jkt 214001
PO 00000
Frm 00052
Fmt 4703
Sfmt 4703
9
48
45
9
48
45
Number of
responses per
respondent
1
1
1
1
1
1
Average
burden per
response
(in hours)
3/60
12/60
15/60
3/60
12/60
9/60
Prevention (CDC) is proposing to
establish a new system of records (SOR),
09–20–0171, ‘‘Quarantine and TravelerRelated Activities, Including Records for
Contact Tracing Investigation and
Notification Under 42 CFR Parts 70 and
71, HHS/CDC/CCID.’’ The purpose of
the system is to maintain records on the
conduct of activities (e.g., quarantine,
isolation) that fulfill HHS’s and CDC’s
statutory authority under sections 311
and 361–368 of the Public Health
Service Act: To prevent the
introduction, transmission and spread
of serious communicable diseases from
persons arriving into the United States
from foreign countries or engaged in
E:\FR\FM\13DEN1.SGM
13DEN1
mstockstill on PROD1PC66 with NOTICES
70868
Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices
interstate or international movement.
Identifiable records are collected when
an individual known or suspected to
have been exposed to such
communicable diseases arrives in the
U.S. from a foreign country or travels
from one state or possession to another
state or possession. These records are
used to: (1) Document reports of illness
on airplanes, maritime vessels, and at
land-border crossings of persons that
may pose a public health risk and who
are arriving from foreign countries or
traveling between states; (2) perform
contact tracing investigations and
notifications of passengers and crew
when known or suspected exposures to
serious communicable diseases occur on
board a conveyance arriving in the
United States from a foreign country or
while traveling from one state or
possession to another; (3) inform state or
local public health authorities so that
these authorities may act to protect
public health or safety; and (4) take
actions (e.g., quarantine or isolation) as
necessary to prevent the introduction,
transmission, and spread of serious
communicable diseases from persons
arriving into the United States from
foreign countries or persons engaged in
interstate or international movement.
Additional background information
about the new system is included in the
SUPPLEMENTARY INFORMATION section
below.
DATES: Effective Date: CDC filed a new
SOR report with the Chair of the House
Committee on Government Reform and
Oversight, the Chair of the Senate
Committee on Homeland Security and
Governmental Affairs, and the
Administrator, Office of Information
and Regulatory Affairs, Office of
Management and Budget (OMB) on
December 7, 2007. CDC invites
interested parties to submit comments
on the proposed routine uses. To ensure
that all parties have adequate time in
which to comment, the new system will
be effective 30 days from the
publication of this notice, or 40 days
from the date it was submitted to OMB
and the Congress, whichever is later,
unless CDC receives comments that
persuade CDC to defer implementation.
ADDRESSES: Address comments to HHS
Privacy Act Officer, Room 5416, Mary E.
Switzer Building, Department of Health
and Human Services, 330 ‘‘C’’ Street,
SW., Washington, DC 20201, or via
electronic mail to
MAGGIE.BLACKWELL@hhs.gov.
Comments will be available for public
viewing in the public reading room
located at the same address, or on the
HHS Web site at https://www.hhs.gov. To
review comments in person, please call
VerDate Aug<31>2005
17:10 Dec 12, 2007
Jkt 214001
the Division of Freedom of Information
and Privacy at 202–690–7453 for an
appointment.
FOR FURTHER INFORMATION CONTACT:
Maggie Blackwell, HHS Privacy Act
Officer, Department of Health and
Human Services, Room 5416, Mary E.
Switzer Building, 330 ‘‘C’’ Street, SW.,
Washington, DC 20201, (202) 690–7453.
CDC
proposes to establish a new system of
records: 09–20–0171, ‘‘Quarantine and
Traveler-Related Activities, Including
Records for Contact Tracing
Investigation and Notification under 42
CFR Parts 70 and 71, HHS/CDC/CCID.’’
The CDC Division of Global Migration
and Quarantine (DGMQ), the agency
component responsible for quarantineand isolation-related activities, is
located within the National Center for
Preparedness, Detection and Control of
Infectious Diseases, the Coordinating
Center for Infectious Diseases (CCID). In
addition to the contact tracing
investigations and notification of
travelers who may have been exposed to
a communicable disease, this record
system supports the mission of DGMQ
in meeting public health, scientific, and
regulatory responsibilities.
The overall DGMQ mission is to
decrease morbidity and mortality from
infectious diseases among mobile
populations (immigrants, refugees,
migrant workers, international travelers,
etc.) crossing international borders to
come into the United States, and to
decrease the risk of importation and
spread of infectious diseases via
humans, animals, and cargo. This new
Privacy Act system of records is focused
on decreasing the spread of infectious
diseases via humans. These records
concern activities (e.g., quarantine,
isolation) fulfilling HHS’s statutory
authority under Sections 311 and 361–
368 of the Public Health Service Act to
prevent the spread of serious
communicable diseases among persons
arriving from foreign countries into the
United States or engaged in interstate or
international movement.
A related purpose is to collect
individually identified records so that
contact tracing investigations and
notifications of passengers and crew can
be made when known or suspected
exposures to serious communicable
diseases occur on board a conveyance
arriving in the United States from a
foreign country or while traveling from
one state or possession to another state
or possession.
SUPPLEMENTARY INFORMATION:
PO 00000
Frm 00053
Fmt 4703
Sfmt 4703
I. Description of the Proposed System of
Records
Statutory and Regulatory Basis for
SOR. Sections 311 and 361–368 of the
Public Health Service Act provides
authorities related to preventing the
introduction, transmission, and spread
of serious communicable diseases from
foreign countries into the United States
or from one state or possession into
another. These sections of the Act
delineate the various quarantine- and
isolation-related activities that CDC may
be required to conduct.
Individually identified records must
be maintained for CDC to effectively
conduct many of its major quarantineand isolation-related activities,
including screening arriving
international or interstate travelers for
symptoms of illness that may pose a
public health risk; informing state or
local health authorities so that these
authorities may act to protect public
health or safety; and other activities
required to fulfill CDC’s regulatory
responsibility in this area.
Examples of other CDC quarantineand isolation-related activities that
require the maintenance of individually
identified records include, but are not
limited to, the following:
• Responding to reports of illnesses
on airplanes, maritime vessels, and at
land-border crossings of persons that
may pose a public health risk and who
are arriving from foreign countries or
traveling between states;
• Taking quarantine-related actions
(e.g., quarantine, isolation) as necessary
to prevent the spread of serious
communicable diseases from persons
arriving from foreign countries into the
United States or engaged in interstate or
international movement.
Collection and Maintenance of Data
in the System. CDC will collect only the
minimum amount of personal data
necessary to achieve the purpose of this
system, which is to maintain records on
the conduct of quarantine-related
activities that fulfill HHS’s and CDC’s
statutory authority under Sections 311
and 361–368 of the Public Health
Service Act: To prevent the
introduction, transmission and spread
of serious communicable diseases from
persons who arrive into the United
States from foreign countries or are
engaged in interstate or international
movement. To effectively do contact
tracing investigations and notifications
of passengers and crew when known or
suspected exposures of serious
communicable diseases occur on board
of conveyance, individually identified
data, such as name of traveler, country
of residence, address and phone at
E:\FR\FM\13DEN1.SGM
13DEN1
Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices
which they can be contacted, travel
documents (e.g., passport), and seat
number must be obtained. CDC collects
only the minimal amount of information
needed to perform contact tracing and
other follow-up activities.
mstockstill on PROD1PC66 with NOTICES
II. Agency Policies, Procedures, and
Restrictions on the Routine Use
The Privacy Act permits CDC to
disclose information without an
individual’s consent if the information
is to be used for a purpose that is
compatible with the purpose(s) for
which the information was collected.
Any such compatible disclosure of data
is known as a ‘‘routine use.’’ The
government will only release
quarantine- and traveler-related
information that can be associated with
an individual as provided for under
‘‘Section III. Proposed Routine Use
Disclosures of Data in the System,’’
collecting only the minimum personal
data necessary to achieve the purpose of
this system.
CDC has the following policies and
procedures concerning disclosures of
information that will be maintained in
the system. Disclosure of information
from the SOR will be approved only to
the extent necessary to accomplish the
purpose of the disclosure and only after
CDC:
A. Determines that:
1. The use or disclosure is consistent
with the reason that the data are being
collected, e.g., to maintain records on
the conduct of quarantine- and travelerrelated activities that fulfill HHS’s and
CDC’s statutory authority to prevent the
introduction, transmission and spread
of communicable diseases.
2. The purpose for which the
disclosure is to be made can only be
accomplished if the record is provided
in individually identifiable form;
3. The purpose for which the
disclosure is to be made is of sufficient
importance to warrant the effect on and/
or risk to the privacy of the individual
that additional exposure of the record
might bring;
4. There is a strong probability that
the proposed use of the data would in
fact accomplish the stated purpose(s);
and
5. The data are valid and reliable.
B. Requires the information recipient
to:
1. Establish administrative, technical,
and physical safeguards to prevent
unauthorized use of disclosure of the
record;
2. Remove or destroy at the earliest
time all identifiable information; and
3. Agree not to use or disclose the
information for any purpose other than
VerDate Aug<31>2005
17:10 Dec 12, 2007
Jkt 214001
the stated purpose under which the
information was disclosed.
III. Proposed Routine Use Disclosures
of Data in the System
The Privacy Act permits CDC to
disclose information without an
individual’s consent if the information
is to be used for a purpose that is
compatible with the purpose(s) for
which the information was collected
and CDC complies with administrative
requirements including publishing a
notice in the Federal Register and
allowing 30 days for public comment
regarding any such new ‘‘routine use.’’
The proposed routine uses in this
system meet the compatibility
requirement of the Privacy Act. CDC is
proposing to establish the following
routine use disclosures of information
maintained in the system:
A. Records may be disclosed to
contractors who will perform many of
the same duties as Full Time
Equivalents (FTEs) within DGMQ in
situations where additional staff are
required. Contractors are required to
maintain Privacy Act safeguards with
respect to such records. These functions
may include collating, analyzing,
aggregating, or otherwise refining
records. DGMQ contracts out certain
functions when doing so would
contribute to efficient and effective
operations of the agency. DGMQ must
be able to give a contractor the
information necessary for the contractor
to fulfill their duties. Safeguards are
provided in the contract prohibiting the
contractor from using or disclosing the
information for any purpose other than
that described in the Statement of Work
and requires the contractor to return or
destroy all information at the contract’s
completion.
B. Records may be disclosed to state
and local health departments and
cooperating public health or medical
authorities and their counsel to more
effectively deal with outbreaks and
conditions of public health significance.
CDC works closely with state and local
health partners to investigate possible
outbreaks or other conditions of public
health significance. CDC’s ability to
share information could prove
beneficial to the health department’s
investigation.
C. Personal information from this
system may be disclosed as a routine
use to appropriate conveyance
personnel, Federal agencies, state and
local health departments, Department of
State and embassy personnel (U.S. and
foreign), and health authorities in
foreign countries. These agencies and
departments (U.S. and foreign) need the
information to perform contact tracing
PO 00000
Frm 00054
Fmt 4703
Sfmt 4703
70869
investigations and to notify individuals
exposed to an ill traveler that they were
possibly exposed to a disease or
condition of public health significance.
This is compatible with the overall
purpose of the system—to prevent the
spread of communicable diseases.
D. Records may be disclosed to the
Department of Homeland Security
(DHS) to enable DHS to restrict the
travel of persons who pose a public
health risk and to aid in its
investigations of domestic or
international terrorism. This routine use
helps prevent the introduction,
transmission, and spread of
communicable disease, particularly
where terrorism is involved.
E. Identifiable information may need
to be shared with medical personnel to
evaluate or care for ill or exposed
persons, including travelers, with the
ultimate goal of protecting the public’s
health and safety.
F. Records may also be shared with
the World Health Organization in
accordance with U.S. responsibilities to
ensure that CDC is in compliance with
its obligations under the International
Health Regulations and other
international agreements—a use in line
with CDC’s statutory authority with
regard to quarantine- and isolationrelated activities.
G. Also in line with the overriding
purpose of protecting public health and
safety by preventing the introduction,
transmission, or spread of
communicable diseases, personal
information may be disclosed to federal,
state, and local authorities to enable
them to take actions needed to place
someone under quarantine or isolation,
or to enforce quarantine regulations.
This is again in line with CDC’s
statutory authority to take quarantine
and isolation related actions to restrict
movement if someone poses a
significant health risk to others.
H. Identifiable information may be
disclosed to cooperating state and local
legal departments enforcing concurrent
legal authority relevant to quarantineand isolation-related activities. This is
in accord with the federal government’s
statutory authority to cooperate with
and aid state and local authorities in the
enforcement of their quarantine and
other health regulations.
I. Identifiable records may be referred
to the appropriate agency, whether
federal, foreign, state or local charged
with the responsibility of investigating
or prosecuting such violation or charged
with enforcing or implementing the
statute, or rule, regulation or order
issued pursuant thereto when records
collected within this SOR for quarantine
activities indicate a violation or
E:\FR\FM\13DEN1.SGM
13DEN1
70870
Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices
mstockstill on PROD1PC66 with NOTICES
potential violation of law, whether civil,
criminal or regulatory in nature, and
whether arising by general statute or
particular program statute, or by
regulation, rule or order issued pursuant
thereto. This routine use is compatible
in that this disclosure is being done to
allow for effective enforcement of
quarantine- and isolation-related
requirements at various levels of
government.
J. Disclosure may be made to a
congressional office from the record of
an individual in response to a verified
inquiry from the congressional office
made at the written request of that
individual. When a constituent requests
a congressional office to facilitate
obtaining information from this CDC
system, it is compatible to provide such
information, since this is in line with
the overall purpose of the Privacy Act,
which is to provide access to the subject
individual of the records the
government has on him or her.
K. In the event of litigation in which
the defendant is: (a) the Department,
any component of the Department, or
any employee of the Department in his
or her official capacity; (b) the United
States, where the Department
determines that the claim, if successful,
is likely to directly affect the operations
of the Department or any of its
components; or (c) any Department
employee in his or her individual
capacity, when the Justice Department
has agreed to represent such employee,
disclosure may be made to the
Department of Justice to enable that
Department to present an effective
defense, provided that such disclosure
is compatible with the purpose for
which the records were collected.
Whenever CDC is involved in
litigation dealing with quarantine- or
isolation-related activities and CDC
policies or operations could be affected
by the outcome of the litigation, CDC
must be able to disclose identifiable
information to the Department of Justice
so that an effective defense can be
presented.
IV. Safeguards
The CDC/DGMQ has safeguards in
place for authorized users and monitors
such users to ensure against
unauthorized use. Access to quarantine
records is restricted to protect the
privacy of the individuals involved, and
personnel with such access have been
trained in Privacy Act and information
security requirements. CDC/DGMQ
maintains very stringent administrative,
procedural and technical safeguards for
the entire system of records.
Access will be limited to authorized
CDC/DGMQ FTEs and contractor staff
VerDate Aug<31>2005
17:10 Dec 12, 2007
Jkt 214001
who have a bona fide need for the
identifiable information to perform
official job-related duties. DGMQ staff
are required to have supervisory
approval to access identifiable data and
receive ongoing training in how to
protect sensitive data. A database
security package on computers controls
unauthorized access to the systems.
Data administrators continually review
the database to ensure privacy
provisions are in place and only
appropriate personnel have access to the
data. Attempts by unauthorized
individuals are automatically recorded
and reviewed regularly.
Employees maintaining records are
instructed not to release data until the
intended recipient agrees to implement
appropriate management, operational
and technical safeguards sufficient to
protect the confidentiality, integrity and
availability of the information and
information systems and to prevent
unauthorized access.
This system will conform to all
applicable Federal laws and regulations
and Federal and HHS policies and
standards as they relate to information
security and data privacy. These laws
and regulations may apply but are not
limited to: the Privacy Act of 1974; the
Federal Information Security
Management Act of 2002; the Computer
Fraud and Abuse Act of 1986; the EGovernment Act of 2002; the ClingerCohen Act of 1996, and the
corresponding implementing
regulations. OMB Circular A–130,
Management of Federal Resources,
Appendix III, Security of Federal
Automated Information Resources also
applies. Federal, HHS and CDC policies
and standards include but are not
limited to: all pertinent National
Institute of Standards and Technology
publications and the HHS Information
Systems Program Handbook.
V. Effects of the Proposed System of
Records on Individual Rights
CDC proposes to establish this system
in accordance with the principles and
requirements of the Privacy Act and will
collect, use, and disseminate
information only as prescribed therein.
Data in this system will be subject to the
authorized releases in accordance with
the routine uses identified in this
system of records.
CDC will take precautionary measures
to minimize the risks of unauthorized
access to the records and the potential
harm to individual privacy or other
personal or property rights of
individuals whose data are maintained
in the system. CDC will collect only that
information necessary to perform the
system’s purpose. In addition, CDC will
PO 00000
Frm 00055
Fmt 4703
Sfmt 4703
make disclosures from the system only
with consent of the subject individual,
or his/her legal representative, or in
accordance with an applicable
exception provision of the Privacy Act.
CDC, therefore, does not anticipate an
unfavorable effect on individual privacy
as a result of information relating to
individuals.
Dated: December 6, 2007.
James D. Seligman,
Chief Information Officer, Office of the
Director, Centers for Disease Control and
Prevention.
Privacy Act System of Records Notice;
No. 09–20–0171
SYSTEM NAME:
Quarantine- and Traveler-Related
Activities, Including Records for
Contact Tracing Investigation and
Notification under 42 CFR Parts 70 and
71, HHS/CDC/CCID.
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
Division of Global Migration and
Quarantine, National Center for the
Preparedness, Detection, and Control of
Infectious Disease (NCPDCID),
Coordinating Center for Infectious
Diseases (CCID), Centers for Disease
Control and Prevention, 1600 Clifton
Road, NE., Building 16; MS E03,
Atlanta, GA 30333.
Records may occasionally be stored at
Quarantine Stations located at key ports
of entry and at contractor sites.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
Individuals subject to quarantine or
isolation orders, ill travelers (i.e.,
passengers and crew), contacts of ill
travelers, and/or individuals exposed or
suspected of being exposed to serious
communicable diseases.
CATEGORIES OF RECORDS IN THE SYSTEM:
Passenger and crew manifests from
conveyances carrying individuals
subject to 42 CFR parts 70 and 71, case
reports, illness response forms, medical
assessments, medical records (including
but not limited to clinical, hospital and
laboratory data and data from other
relevant tests), name, address, date of
birth, and related information and
documents collected for the purpose of
carrying out agency responsibilities
under sections 311 and 361–368 of the
Public Health Services Act.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Sections 311, 361–368 of the Public
Health Service Act.
E:\FR\FM\13DEN1.SGM
13DEN1
Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices
PURPOSE(S):
This system maintains records on the
conduct of activities (e.g., quarantine,
isolation) that fulfill HHS’s and CDC’s
statutory authority under sections 311,
361–368 of the Public Health Service
Act to prevent the introduction,
transmission and spread of
communicable diseases.
Records are collected when
individual known or suspected to have
been exposed to serious communicable
diseases arrives into the United States
from foreign countries or is engaged in
interstate or international movement
These records are used to (1) document
reports of illness that may pose a public
health risk occurring while on board
airplanes, maritime vessels, and at landborder crossings of persons arriving
from foreign countries or traveling
between states; (2) perform contact
tracing investigations and notifications
of passengers and crew when known or
suspected exposures to serious
communicable diseases occur on board
a conveyance arriving in the United
States from a foreign country or
traveling from one state or possession to
another; (3) inform international,
federal, state or local public health
authorities so that these authorities may
act to protect public health or safety;
and (4) take such actions (e.g.,
quarantine or isolation) as necessary to
prevent the introduction, transmission,
and spread of serious communicable
diseases from persons arriving into the
United States from foreign countries or
persons engaged in interstate or
international movement.
mstockstill on PROD1PC66 with NOTICES
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES:
(1) Records may be disclosed to
contractors to handle program work
duties, performing many of the same
functions as FTEs within DGMQ in
situations where additional staff is
required. Contractors are required to
maintain Privacy Act safeguards with
respect to such records.
(2) Records may be disclosed to state
and local health departments and other
cooperating medical and public health
authorities and their counsel to more
effectively deal with outbreaks and
other significant public health
conditions.
(3) Personal information from this
system may be disclosed as a routine
use to appropriate conveyance
personnel, Federal agencies, state and
local health departments, Department of
State and embassy personnel (U.S. and
foreign), and health authorities in
foreign countries for contact tracing
investigations and notifications of
VerDate Aug<31>2005
17:10 Dec 12, 2007
Jkt 214001
possible exposures to serious
communicable diseases in connection
with travel.
(4) Records may be disclosed to the
Department of Homeland Security to
restrict travel of persons who pose a
public health risk and in the instance of
suspected domestic or international
terrorism.
(5) Disclosure may be made to
medical personnel providing evaluation
and care for ill or exposed persons,
including travelers.
(6) Records may be disclosed to the
World Health Organization in
accordance with U.S. responsibilities as
a signatory to the International Health
Regulations or other international
agreements.
(7) Personal information may be
disclosed to federal, state, and local
authorities for taking necessary actions
to place someone under quarantine or
isolation, for enforcement of other
quarantine regulations, or to protect the
public’s health and safety.
(8) Records may be disclosed to
cooperating state and local legal
departments enforcing concurrent legal
authority related to quarantine or
isolation activities.
(9) In the event that a system of
records maintained by this agency to
carry out its functions indicates a
violation or potential violation of law,
whether civil, criminal or regulatory in
nature, and whether arising by general
statute or particular program statute, or
by regulation, rule or order issued
pursuant thereto, the relevant records in
the system of records may be referred,
as a routine use, to the appropriate
agency, whether federal, foreign, state or
local, charged with the responsibility of
investigating or prosecuting such
violation or charged with enforcing or
implementing the statute, or rule,
regulation or order issued pursuant
thereto.
(10) Disclosure may be made to a
congressional office from the record of
an individual in response to a verified
inquiry from the congressional office
made at the written request of that
individual
(11) In the event of litigation where
the defendant is: (a) The Department,
any component of the Department, or
any employee of the Department in his
or her official capacity; (b) the United
States where the Department determines
that the claim, if successful, is likely to
directly affect the operations of the
Department or any of its components; or
(c) any Department employee in his or
her individual capacity where the
Justice Department has agreed to
represent such employee, disclosure
may be made to the Department of
PO 00000
Frm 00056
Fmt 4703
Sfmt 4703
70871
Justice to enable that Department to
present an effective defense.
POLICIES AND PRACTICES FOR STORING,
RETRIEVING, ACCESSING, RETAINING, AND
DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Electronic media and file folders for
hard-copy records.
RETRIEVABILITY:
By name of individual or other
identifying particulars.
SAFEGUARDS:
1. Authorized Users: A database
security package is implemented on
CDC’s computer systems to control
unauthorized access to the system.
Attempts to gain access by unauthorized
individuals are automatically recorded
and reviewed on a regular basis. Access
is granted to only a limited number of
physicians, scientists, statisticians, and
designated support staff of the Centers
for Disease Control and Prevention
(CDC), or its contractors, as authorized
by the system manager to accomplish
the stated purposes for which the data
in this system have been collected.
2. Physical Safeguards: Access to the
CDC Clifton Road facility where the
mainframe computer is located is
controlled by a cardkey system. Access
to the computer room is controlled by
a cardkey and security code (numeric
keypad) system. Access to the data entry
area is also controlled by a cardkey
system. Guard service in buildings
provides personnel screening of visitors.
The local fire department is located
directly next door to the Clifton Road
facility. The computer room is protected
by an automatic sprinkler system,
numerous automatic sensors (e.g., water,
heat, smoke, etc.) are installed, and a
proper mix of portable fire extinguishers
is located throughout the computer
room. Computer files are backed up on
a routine basis. Hard-copy records are
stored in locked cabinets at CDC
headquarters and CDC Quarantine
stations which are located in a secure
area of the airport.
3. Procedural Safeguards: Protection
for computerized records, both on the
mainframe and the National Center
Local Area Network (LAN), includes
programmed verification of valid user
identification code and password prior
to logging on to the system, mandatory
password changes, limited log-ins, virus
protection, and user rights/file attribute
restrictions. Password protection
imposes user name and password log-in
requirements to prevent unauthorized
access. Each user name is assigned
limited access rights to files and
directories at varying levels to control
E:\FR\FM\13DEN1.SGM
13DEN1
70872
Federal Register / Vol. 72, No. 239 / Thursday, December 13, 2007 / Notices
file sharing. There are routine daily
back-up procedures, and secure off-site
storage is available. To avoid
inadvertent data disclosure, measures
are taken to ensure that all data are
removed from electronic media
containing Privacy Act information.
Additional safeguards may be built into
the program by the system analyst, as
warranted by the sensitivity of the data.
CDC and contractor employees who
maintain records are instructed to check
with the system manager prior to
making disclosures of data. When
individually identified data are being
used in a room, admittance at either
CDC or contractor sites is restricted to
specifically authorized personnel.
Privacy Act provisions are included in
contracts, and the CDC Project Director,
contract officers and project officers
oversee compliance with these
requirements. Upon completion of the
contract, all data will be either returned
to CDC or destroyed, as specified by the
contract.
Implementation Guidelines: The
safeguards outlined above are in
accordance with the HHS Information
Security Program Policy and FIPS Pub
200, ‘‘Minimum Security Requirements
for Federal Information and Information
Systems.’’ Data maintained on CDC’s
Mainframe and the National Centers’
LANs are in compliance with OMB
Circular A–130, Appendix III. Security
is provided for information collection,
processing, transmission, storage, and
dissemination in general support
systems and major applications.
RETENTION AND DISPOSAL:
Contact tracing records will be
maintained in the agency until the
contact investigation is complete or no
longer than twelve months, in
accordance with proposed retention
schedules; remaining quarantine records
would be maintained 10 or 20 years,
based on the applicable CDC records
control schedule. Disposal methods
include wiping electronic media and
macerating paper materials.
SYSTEM MANAGER(S) AND ADDRESS:
Director, NCPDCID, Coordinating
Center for Infectious Diseases, Bldg. 1,
Rm. 6013, MS C12, Centers for Disease
Control and Prevention, 1600 Clifton
Road, NE., Atlanta, GA 30333.
mstockstill on PROD1PC66 with NOTICES
An individual may learn if a record
exists about himself or herself by
contacting the system manager at the
address listed above. Requesters in
person must provide driver’s license or
other positive identification. Individuals
who do not appear in person must
17:10 Dec 12, 2007
RECORD ACCESS PROCEDURES:
Same as notification procedures.
Requesters should also reasonably
specify the record contents being
sought. An accounting of disclosures
that have been made of the record, if
any, may be requested.
CONTESTING RECORD PROCEDURES:
Contact the official at the address
specified under System Manager above,
reasonably identify the record and
specify the information being contested,
the corrective action sought, and the
reasons for requesting the correction,
along with supporting information to
show how the record is inaccurate,
incomplete, untimely, or irrelevant.
RECORD SOURCE CATEGORIES:
Individuals, private physicians, state
and local health departments, other
health-care providers, conveyance
personnel, cooperating public health
agencies, foreign governments including
ministries of health, and other federal
agencies.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS
OF THE ACT:
NOTIFICATION PROCEDURE:
VerDate Aug<31>2005
either: (1) Submit a notarized request to
verify their identity; or (2) certify that
they are the individuals they claim to be
and that they understand that the
knowing and willful request for or
acquisition of a record pertaining to an
individual under false pretenses is a
criminal offense under the Privacy Act
subject to a $5,000 fine.
An individual who requests
notification of or access to medical
records shall, at the time the request is
made, designate in writing a responsible
representative who is willing to review
the record and inform the subject
individual of its contents at the
representative’s discretion. A parent or
guardian who requests notification of, or
access to, a child’s medical record shall
designate a family physician or other
health professional (other than a family
member) to whom the record, if any,
will be sent. The parent or guardian
must verify relationship to the child by
means of a birth certificate or court
order, as well as verify that he or she is
who he or she claims to be.
Jkt 214001
None.
[FR Doc. E7–24142 Filed 12–12–07; 8:45 am]
BILLING CODE 4163–18–P
PO 00000
Frm 00057
Fmt 4703
Sfmt 4703
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Food and Drug Administration
[Docket No. 2007N–0200]
Agency Information Collection
Activities; Submission for Office of
Management and Budget Review;
Comment Request; Health and Diet
Survey
AGENCY:
Food and Drug Administration,
HHS.
ACTION:
Notice.
SUMMARY: The Food and Drug
Administration (FDA) is announcing
that a proposed collection of
information has been submitted to the
Office of Management and Budget
(OMB) for review and clearance under
the Paperwork Reduction Act of 1995.
DATES: Fax written comments on the
collection of information by January 14,
2008.
ADDRESSES: To ensure that comments on
the information collection are received,
OMB recommends that written
comments be faxed to the Office of
Information and Regulatory Affairs,
OMB, Attn: FDA Desk Officer, FAX:
202–395–6974, or e-mailed to
baguilar@omb.eop.gov. All comments
should be identified with the OMB
control number 0910–0545. Also
include the FDA docket number found
in brackets in the heading of this
document.
FOR FURTHER INFORMATION CONTACT:
Jonna Capezzuto, Office of the Chief
Information Officer (HFA–250), Food
and Drug Administration, 5600 Fishers
Lane, Rockville, MD 20857,301–827–
4659.
SUPPLEMENTARY INFORMATION: In
compliance with 44 U.S.C. 3507, FDA
has submitted the following proposed
collection of information to OMB for
review and clearance.
Health and Diet Survey—(OMB Control
Number 0910–0545)—Extension
FDA is seeking extension of OMB
approval for the Health and Diet Survey,
which is a voluntary consumer survey
intended to gauge and track consumer
attitudes, awareness, knowledge, and
behavior regarding various topics
related to health, nutrition, and physical
activity. The authority for FDA to
collect the information derives from the
Commissioner of Food and Drugs’
authority provided in section 903(d)(2)
of the Federal Food, Drug, and Cosmetic
Act (21 U.S.C. 393(d)(2)).
The survey consists of two
independent data collection activities.
E:\FR\FM\13DEN1.SGM
13DEN1
Agencies
[Federal Register Volume 72, Number 239 (Thursday, December 13, 2007)]
[Notices]
[Pages 70867-70872]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-24142]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Disease Control and Prevention
Privacy Act of 1974; New System of Records
AGENCY: Department of Health and Human Services (HHS), Centers for
Disease Control and Prevention (CDC).
ACTION: Notice of a New System of Records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act, the
Centers for Disease Control and Prevention (CDC) is proposing to
establish a new system of records (SOR), 09-20-0171, ``Quarantine and
Traveler-Related Activities, Including Records for Contact Tracing
Investigation and Notification Under 42 CFR Parts 70 and 71, HHS/CDC/
CCID.'' The purpose of the system is to maintain records on the conduct
of activities (e.g., quarantine, isolation) that fulfill HHS's and
CDC's statutory authority under sections 311 and 361-368 of the Public
Health Service Act: To prevent the introduction, transmission and
spread of serious communicable diseases from persons arriving into the
United States from foreign countries or engaged in
[[Page 70868]]
interstate or international movement. Identifiable records are
collected when an individual known or suspected to have been exposed to
such communicable diseases arrives in the U.S. from a foreign country
or travels from one state or possession to another state or possession.
These records are used to: (1) Document reports of illness on
airplanes, maritime vessels, and at land-border crossings of persons
that may pose a public health risk and who are arriving from foreign
countries or traveling between states; (2) perform contact tracing
investigations and notifications of passengers and crew when known or
suspected exposures to serious communicable diseases occur on board a
conveyance arriving in the United States from a foreign country or
while traveling from one state or possession to another; (3) inform
state or local public health authorities so that these authorities may
act to protect public health or safety; and (4) take actions (e.g.,
quarantine or isolation) as necessary to prevent the introduction,
transmission, and spread of serious communicable diseases from persons
arriving into the United States from foreign countries or persons
engaged in interstate or international movement. Additional background
information about the new system is included in the SUPPLEMENTARY
INFORMATION section below.
DATES: Effective Date: CDC filed a new SOR report with the Chair of the
House Committee on Government Reform and Oversight, the Chair of the
Senate Committee on Homeland Security and Governmental Affairs, and the
Administrator, Office of Information and Regulatory Affairs, Office of
Management and Budget (OMB) on December 7, 2007. CDC invites interested
parties to submit comments on the proposed routine uses. To ensure that
all parties have adequate time in which to comment, the new system will
be effective 30 days from the publication of this notice, or 40 days
from the date it was submitted to OMB and the Congress, whichever is
later, unless CDC receives comments that persuade CDC to defer
implementation.
ADDRESSES: Address comments to HHS Privacy Act Officer, Room 5416, Mary
E. Switzer Building, Department of Health and Human Services, 330 ``C''
Street, SW., Washington, DC 20201, or via electronic mail to
MAGGIE.BLACKWELL@hhs.gov. Comments will be available for public viewing
in the public reading room located at the same address, or on the HHS
Web site at https://www.hhs.gov. To review comments in person, please
call the Division of Freedom of Information and Privacy at 202-690-7453
for an appointment.
FOR FURTHER INFORMATION CONTACT: Maggie Blackwell, HHS Privacy Act
Officer, Department of Health and Human Services, Room 5416, Mary E.
Switzer Building, 330 ``C'' Street, SW., Washington, DC 20201, (202)
690-7453.
SUPPLEMENTARY INFORMATION: CDC proposes to establish a new system of
records: 09-20-0171, ``Quarantine and Traveler-Related Activities,
Including Records for Contact Tracing Investigation and Notification
under 42 CFR Parts 70 and 71, HHS/CDC/CCID.'' The CDC Division of
Global Migration and Quarantine (DGMQ), the agency component
responsible for quarantine- and isolation-related activities, is
located within the National Center for Preparedness, Detection and
Control of Infectious Diseases, the Coordinating Center for Infectious
Diseases (CCID). In addition to the contact tracing investigations and
notification of travelers who may have been exposed to a communicable
disease, this record system supports the mission of DGMQ in meeting
public health, scientific, and regulatory responsibilities.
The overall DGMQ mission is to decrease morbidity and mortality
from infectious diseases among mobile populations (immigrants,
refugees, migrant workers, international travelers, etc.) crossing
international borders to come into the United States, and to decrease
the risk of importation and spread of infectious diseases via humans,
animals, and cargo. This new Privacy Act system of records is focused
on decreasing the spread of infectious diseases via humans. These
records concern activities (e.g., quarantine, isolation) fulfilling
HHS's statutory authority under Sections 311 and 361-368 of the Public
Health Service Act to prevent the spread of serious communicable
diseases among persons arriving from foreign countries into the United
States or engaged in interstate or international movement.
A related purpose is to collect individually identified records so
that contact tracing investigations and notifications of passengers and
crew can be made when known or suspected exposures to serious
communicable diseases occur on board a conveyance arriving in the
United States from a foreign country or while traveling from one state
or possession to another state or possession.
I. Description of the Proposed System of Records
Statutory and Regulatory Basis for SOR. Sections 311 and 361-368 of
the Public Health Service Act provides authorities related to
preventing the introduction, transmission, and spread of serious
communicable diseases from foreign countries into the United States or
from one state or possession into another. These sections of the Act
delineate the various quarantine- and isolation-related activities that
CDC may be required to conduct.
Individually identified records must be maintained for CDC to
effectively conduct many of its major quarantine- and isolation-related
activities, including screening arriving international or interstate
travelers for symptoms of illness that may pose a public health risk;
informing state or local health authorities so that these authorities
may act to protect public health or safety; and other activities
required to fulfill CDC's regulatory responsibility in this area.
Examples of other CDC quarantine- and isolation-related activities
that require the maintenance of individually identified records
include, but are not limited to, the following:
Responding to reports of illnesses on airplanes, maritime
vessels, and at land-border crossings of persons that may pose a public
health risk and who are arriving from foreign countries or traveling
between states;
Taking quarantine-related actions (e.g., quarantine,
isolation) as necessary to prevent the spread of serious communicable
diseases from persons arriving from foreign countries into the United
States or engaged in interstate or international movement.
Collection and Maintenance of Data in the System. CDC will collect
only the minimum amount of personal data necessary to achieve the
purpose of this system, which is to maintain records on the conduct of
quarantine-related activities that fulfill HHS's and CDC's statutory
authority under Sections 311 and 361-368 of the Public Health Service
Act: To prevent the introduction, transmission and spread of serious
communicable diseases from persons who arrive into the United States
from foreign countries or are engaged in interstate or international
movement. To effectively do contact tracing investigations and
notifications of passengers and crew when known or suspected exposures
of serious communicable diseases occur on board of conveyance,
individually identified data, such as name of traveler, country of
residence, address and phone at
[[Page 70869]]
which they can be contacted, travel documents (e.g., passport), and
seat number must be obtained. CDC collects only the minimal amount of
information needed to perform contact tracing and other follow-up
activities.
II. Agency Policies, Procedures, and Restrictions on the Routine Use
The Privacy Act permits CDC to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such compatible disclosure of data is known as a
``routine use.'' The government will only release quarantine- and
traveler-related information that can be associated with an individual
as provided for under ``Section III. Proposed Routine Use Disclosures
of Data in the System,'' collecting only the minimum personal data
necessary to achieve the purpose of this system.
CDC has the following policies and procedures concerning
disclosures of information that will be maintained in the system.
Disclosure of information from the SOR will be approved only to the
extent necessary to accomplish the purpose of the disclosure and only
after CDC:
A. Determines that:
1. The use or disclosure is consistent with the reason that the
data are being collected, e.g., to maintain records on the conduct of
quarantine- and traveler-related activities that fulfill HHS's and
CDC's statutory authority to prevent the introduction, transmission and
spread of communicable diseases.
2. The purpose for which the disclosure is to be made can only be
accomplished if the record is provided in individually identifiable
form;
3. The purpose for which the disclosure is to be made is of
sufficient importance to warrant the effect on and/or risk to the
privacy of the individual that additional exposure of the record might
bring;
4. There is a strong probability that the proposed use of the data
would in fact accomplish the stated purpose(s); and
5. The data are valid and reliable.
B. Requires the information recipient to:
1. Establish administrative, technical, and physical safeguards to
prevent unauthorized use of disclosure of the record;
2. Remove or destroy at the earliest time all identifiable
information; and
3. Agree not to use or disclose the information for any purpose
other than the stated purpose under which the information was
disclosed.
III. Proposed Routine Use Disclosures of Data in the System
The Privacy Act permits CDC to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected and CDC complies with administrative requirements including
publishing a notice in the Federal Register and allowing 30 days for
public comment regarding any such new ``routine use.'' The proposed
routine uses in this system meet the compatibility requirement of the
Privacy Act. CDC is proposing to establish the following routine use
disclosures of information maintained in the system:
A. Records may be disclosed to contractors who will perform many of
the same duties as Full Time Equivalents (FTEs) within DGMQ in
situations where additional staff are required. Contractors are
required to maintain Privacy Act safeguards with respect to such
records. These functions may include collating, analyzing, aggregating,
or otherwise refining records. DGMQ contracts out certain functions
when doing so would contribute to efficient and effective operations of
the agency. DGMQ must be able to give a contractor the information
necessary for the contractor to fulfill their duties. Safeguards are
provided in the contract prohibiting the contractor from using or
disclosing the information for any purpose other than that described in
the Statement of Work and requires the contractor to return or destroy
all information at the contract's completion.
B. Records may be disclosed to state and local health departments
and cooperating public health or medical authorities and their counsel
to more effectively deal with outbreaks and conditions of public health
significance. CDC works closely with state and local health partners to
investigate possible outbreaks or other conditions of public health
significance. CDC's ability to share information could prove beneficial
to the health department's investigation.
C. Personal information from this system may be disclosed as a
routine use to appropriate conveyance personnel, Federal agencies,
state and local health departments, Department of State and embassy
personnel (U.S. and foreign), and health authorities in foreign
countries. These agencies and departments (U.S. and foreign) need the
information to perform contact tracing investigations and to notify
individuals exposed to an ill traveler that they were possibly exposed
to a disease or condition of public health significance. This is
compatible with the overall purpose of the system--to prevent the
spread of communicable diseases.
D. Records may be disclosed to the Department of Homeland Security
(DHS) to enable DHS to restrict the travel of persons who pose a public
health risk and to aid in its investigations of domestic or
international terrorism. This routine use helps prevent the
introduction, transmission, and spread of communicable disease,
particularly where terrorism is involved.
E. Identifiable information may need to be shared with medical
personnel to evaluate or care for ill or exposed persons, including
travelers, with the ultimate goal of protecting the public's health and
safety.
F. Records may also be shared with the World Health Organization in
accordance with U.S. responsibilities to ensure that CDC is in
compliance with its obligations under the International Health
Regulations and other international agreements--a use in line with
CDC's statutory authority with regard to quarantine- and isolation-
related activities.
G. Also in line with the overriding purpose of protecting public
health and safety by preventing the introduction, transmission, or
spread of communicable diseases, personal information may be disclosed
to federal, state, and local authorities to enable them to take actions
needed to place someone under quarantine or isolation, or to enforce
quarantine regulations. This is again in line with CDC's statutory
authority to take quarantine and isolation related actions to restrict
movement if someone poses a significant health risk to others.
H. Identifiable information may be disclosed to cooperating state
and local legal departments enforcing concurrent legal authority
relevant to quarantine- and isolation-related activities. This is in
accord with the federal government's statutory authority to cooperate
with and aid state and local authorities in the enforcement of their
quarantine and other health regulations.
I. Identifiable records may be referred to the appropriate agency,
whether federal, foreign, state or local charged with the
responsibility of investigating or prosecuting such violation or
charged with enforcing or implementing the statute, or rule, regulation
or order issued pursuant thereto when records collected within this SOR
for quarantine activities indicate a violation or
[[Page 70870]]
potential violation of law, whether civil, criminal or regulatory in
nature, and whether arising by general statute or particular program
statute, or by regulation, rule or order issued pursuant thereto. This
routine use is compatible in that this disclosure is being done to
allow for effective enforcement of quarantine- and isolation-related
requirements at various levels of government.
J. Disclosure may be made to a congressional office from the record
of an individual in response to a verified inquiry from the
congressional office made at the written request of that individual.
When a constituent requests a congressional office to facilitate
obtaining information from this CDC system, it is compatible to provide
such information, since this is in line with the overall purpose of the
Privacy Act, which is to provide access to the subject individual of
the records the government has on him or her.
K. In the event of litigation in which the defendant is: (a) the
Department, any component of the Department, or any employee of the
Department in his or her official capacity; (b) the United States,
where the Department determines that the claim, if successful, is
likely to directly affect the operations of the Department or any of
its components; or (c) any Department employee in his or her individual
capacity, when the Justice Department has agreed to represent such
employee, disclosure may be made to the Department of Justice to enable
that Department to present an effective defense, provided that such
disclosure is compatible with the purpose for which the records were
collected.
Whenever CDC is involved in litigation dealing with quarantine- or
isolation-related activities and CDC policies or operations could be
affected by the outcome of the litigation, CDC must be able to disclose
identifiable information to the Department of Justice so that an
effective defense can be presented.
IV. Safeguards
The CDC/DGMQ has safeguards in place for authorized users and
monitors such users to ensure against unauthorized use. Access to
quarantine records is restricted to protect the privacy of the
individuals involved, and personnel with such access have been trained
in Privacy Act and information security requirements. CDC/DGMQ
maintains very stringent administrative, procedural and technical
safeguards for the entire system of records.
Access will be limited to authorized CDC/DGMQ FTEs and contractor
staff who have a bona fide need for the identifiable information to
perform official job-related duties. DGMQ staff are required to have
supervisory approval to access identifiable data and receive ongoing
training in how to protect sensitive data. A database security package
on computers controls unauthorized access to the systems. Data
administrators continually review the database to ensure privacy
provisions are in place and only appropriate personnel have access to
the data. Attempts by unauthorized individuals are automatically
recorded and reviewed regularly.
Employees maintaining records are instructed not to release data
until the intended recipient agrees to implement appropriate
management, operational and technical safeguards sufficient to protect
the confidentiality, integrity and availability of the information and
information systems and to prevent unauthorized access.
This system will conform to all applicable Federal laws and
regulations and Federal and HHS policies and standards as they relate
to information security and data privacy. These laws and regulations
may apply but are not limited to: the Privacy Act of 1974; the Federal
Information Security Management Act of 2002; the Computer Fraud and
Abuse Act of 1986; the E-Government Act of 2002; the Clinger-Cohen Act
of 1996, and the corresponding implementing regulations. OMB Circular
A-130, Management of Federal Resources, Appendix III, Security of
Federal Automated Information Resources also applies. Federal, HHS and
CDC policies and standards include but are not limited to: all
pertinent National Institute of Standards and Technology publications
and the HHS Information Systems Program Handbook.
V. Effects of the Proposed System of Records on Individual Rights
CDC proposes to establish this system in accordance with the
principles and requirements of the Privacy Act and will collect, use,
and disseminate information only as prescribed therein. Data in this
system will be subject to the authorized releases in accordance with
the routine uses identified in this system of records.
CDC will take precautionary measures to minimize the risks of
unauthorized access to the records and the potential harm to individual
privacy or other personal or property rights of individuals whose data
are maintained in the system. CDC will collect only that information
necessary to perform the system's purpose. In addition, CDC will make
disclosures from the system only with consent of the subject
individual, or his/her legal representative, or in accordance with an
applicable exception provision of the Privacy Act. CDC, therefore, does
not anticipate an unfavorable effect on individual privacy as a result
of information relating to individuals.
Dated: December 6, 2007.
James D. Seligman,
Chief Information Officer, Office of the Director, Centers for Disease
Control and Prevention.
Privacy Act System of Records Notice; No. 09-20-0171
SYSTEM NAME:
Quarantine- and Traveler-Related Activities, Including Records for
Contact Tracing Investigation and Notification under 42 CFR Parts 70
and 71, HHS/CDC/CCID.
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
Division of Global Migration and Quarantine, National Center for
the Preparedness, Detection, and Control of Infectious Disease
(NCPDCID), Coordinating Center for Infectious Diseases (CCID), Centers
for Disease Control and Prevention, 1600 Clifton Road, NE., Building
16; MS E03, Atlanta, GA 30333.
Records may occasionally be stored at Quarantine Stations located
at key ports of entry and at contractor sites.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Individuals subject to quarantine or isolation orders, ill
travelers (i.e., passengers and crew), contacts of ill travelers, and/
or individuals exposed or suspected of being exposed to serious
communicable diseases.
CATEGORIES OF RECORDS IN THE SYSTEM:
Passenger and crew manifests from conveyances carrying individuals
subject to 42 CFR parts 70 and 71, case reports, illness response
forms, medical assessments, medical records (including but not limited
to clinical, hospital and laboratory data and data from other relevant
tests), name, address, date of birth, and related information and
documents collected for the purpose of carrying out agency
responsibilities under sections 311 and 361-368 of the Public Health
Services Act.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Sections 311, 361-368 of the Public Health Service Act.
[[Page 70871]]
PURPOSE(S):
This system maintains records on the conduct of activities (e.g.,
quarantine, isolation) that fulfill HHS's and CDC's statutory authority
under sections 311, 361-368 of the Public Health Service Act to prevent
the introduction, transmission and spread of communicable diseases.
Records are collected when individual known or suspected to have
been exposed to serious communicable diseases arrives into the United
States from foreign countries or is engaged in interstate or
international movement These records are used to (1) document reports
of illness that may pose a public health risk occurring while on board
airplanes, maritime vessels, and at land-border crossings of persons
arriving from foreign countries or traveling between states; (2)
perform contact tracing investigations and notifications of passengers
and crew when known or suspected exposures to serious communicable
diseases occur on board a conveyance arriving in the United States from
a foreign country or traveling from one state or possession to another;
(3) inform international, federal, state or local public health
authorities so that these authorities may act to protect public health
or safety; and (4) take such actions (e.g., quarantine or isolation) as
necessary to prevent the introduction, transmission, and spread of
serious communicable diseases from persons arriving into the United
States from foreign countries or persons engaged in interstate or
international movement.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
(1) Records may be disclosed to contractors to handle program work
duties, performing many of the same functions as FTEs within DGMQ in
situations where additional staff is required. Contractors are required
to maintain Privacy Act safeguards with respect to such records.
(2) Records may be disclosed to state and local health departments
and other cooperating medical and public health authorities and their
counsel to more effectively deal with outbreaks and other significant
public health conditions.
(3) Personal information from this system may be disclosed as a
routine use to appropriate conveyance personnel, Federal agencies,
state and local health departments, Department of State and embassy
personnel (U.S. and foreign), and health authorities in foreign
countries for contact tracing investigations and notifications of
possible exposures to serious communicable diseases in connection with
travel.
(4) Records may be disclosed to the Department of Homeland Security
to restrict travel of persons who pose a public health risk and in the
instance of suspected domestic or international terrorism.
(5) Disclosure may be made to medical personnel providing
evaluation and care for ill or exposed persons, including travelers.
(6) Records may be disclosed to the World Health Organization in
accordance with U.S. responsibilities as a signatory to the
International Health Regulations or other international agreements.
(7) Personal information may be disclosed to federal, state, and
local authorities for taking necessary actions to place someone under
quarantine or isolation, for enforcement of other quarantine
regulations, or to protect the public's health and safety.
(8) Records may be disclosed to cooperating state and local legal
departments enforcing concurrent legal authority related to quarantine
or isolation activities.
(9) In the event that a system of records maintained by this agency
to carry out its functions indicates a violation or potential violation
of law, whether civil, criminal or regulatory in nature, and whether
arising by general statute or particular program statute, or by
regulation, rule or order issued pursuant thereto, the relevant records
in the system of records may be referred, as a routine use, to the
appropriate agency, whether federal, foreign, state or local, charged
with the responsibility of investigating or prosecuting such violation
or charged with enforcing or implementing the statute, or rule,
regulation or order issued pursuant thereto.
(10) Disclosure may be made to a congressional office from the
record of an individual in response to a verified inquiry from the
congressional office made at the written request of that individual
(11) In the event of litigation where the defendant is: (a) The
Department, any component of the Department, or any employee of the
Department in his or her official capacity; (b) the United States where
the Department determines that the claim, if successful, is likely to
directly affect the operations of the Department or any of its
components; or (c) any Department employee in his or her individual
capacity where the Justice Department has agreed to represent such
employee, disclosure may be made to the Department of Justice to enable
that Department to present an effective defense.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Electronic media and file folders for hard-copy records.
RETRIEVABILITY:
By name of individual or other identifying particulars.
SAFEGUARDS:
1. Authorized Users: A database security package is implemented on
CDC's computer systems to control unauthorized access to the system.
Attempts to gain access by unauthorized individuals are automatically
recorded and reviewed on a regular basis. Access is granted to only a
limited number of physicians, scientists, statisticians, and designated
support staff of the Centers for Disease Control and Prevention (CDC),
or its contractors, as authorized by the system manager to accomplish
the stated purposes for which the data in this system have been
collected.
2. Physical Safeguards: Access to the CDC Clifton Road facility
where the mainframe computer is located is controlled by a cardkey
system. Access to the computer room is controlled by a cardkey and
security code (numeric keypad) system. Access to the data entry area is
also controlled by a cardkey system. Guard service in buildings
provides personnel screening of visitors. The local fire department is
located directly next door to the Clifton Road facility. The computer
room is protected by an automatic sprinkler system, numerous automatic
sensors (e.g., water, heat, smoke, etc.) are installed, and a proper
mix of portable fire extinguishers is located throughout the computer
room. Computer files are backed up on a routine basis. Hard-copy
records are stored in locked cabinets at CDC headquarters and CDC
Quarantine stations which are located in a secure area of the airport.
3. Procedural Safeguards: Protection for computerized records, both
on the mainframe and the National Center Local Area Network (LAN),
includes programmed verification of valid user identification code and
password prior to logging on to the system, mandatory password changes,
limited log-ins, virus protection, and user rights/file attribute
restrictions. Password protection imposes user name and password log-in
requirements to prevent unauthorized access. Each user name is assigned
limited access rights to files and directories at varying levels to
control
[[Page 70872]]
file sharing. There are routine daily back-up procedures, and secure
off-site storage is available. To avoid inadvertent data disclosure,
measures are taken to ensure that all data are removed from electronic
media containing Privacy Act information. Additional safeguards may be
built into the program by the system analyst, as warranted by the
sensitivity of the data.
CDC and contractor employees who maintain records are instructed to
check with the system manager prior to making disclosures of data. When
individually identified data are being used in a room, admittance at
either CDC or contractor sites is restricted to specifically authorized
personnel. Privacy Act provisions are included in contracts, and the
CDC Project Director, contract officers and project officers oversee
compliance with these requirements. Upon completion of the contract,
all data will be either returned to CDC or destroyed, as specified by
the contract.
Implementation Guidelines: The safeguards outlined above are in
accordance with the HHS Information Security Program Policy and FIPS
Pub 200, ``Minimum Security Requirements for Federal Information and
Information Systems.'' Data maintained on CDC's Mainframe and the
National Centers' LANs are in compliance with OMB Circular A-130,
Appendix III. Security is provided for information collection,
processing, transmission, storage, and dissemination in general support
systems and major applications.
Retention and disposal:
Contact tracing records will be maintained in the agency until the
contact investigation is complete or no longer than twelve months, in
accordance with proposed retention schedules; remaining quarantine
records would be maintained 10 or 20 years, based on the applicable CDC
records control schedule. Disposal methods include wiping electronic
media and macerating paper materials.
System manager(s) and address:
Director, NCPDCID, Coordinating Center for Infectious Diseases,
Bldg. 1, Rm. 6013, MS C12, Centers for Disease Control and Prevention,
1600 Clifton Road, NE., Atlanta, GA 30333.
Notification procedure:
An individual may learn if a record exists about himself or herself
by contacting the system manager at the address listed above.
Requesters in person must provide driver's license or other positive
identification. Individuals who do not appear in person must either:
(1) Submit a notarized request to verify their identity; or (2) certify
that they are the individuals they claim to be and that they understand
that the knowing and willful request for or acquisition of a record
pertaining to an individual under false pretenses is a criminal offense
under the Privacy Act subject to a $5,000 fine.
An individual who requests notification of or access to medical
records shall, at the time the request is made, designate in writing a
responsible representative who is willing to review the record and
inform the subject individual of its contents at the representative's
discretion. A parent or guardian who requests notification of, or
access to, a child's medical record shall designate a family physician
or other health professional (other than a family member) to whom the
record, if any, will be sent. The parent or guardian must verify
relationship to the child by means of a birth certificate or court
order, as well as verify that he or she is who he or she claims to be.
Record access procedures:
Same as notification procedures. Requesters should also reasonably
specify the record contents being sought. An accounting of disclosures
that have been made of the record, if any, may be requested.
Contesting record procedures:
Contact the official at the address specified under System Manager
above, reasonably identify the record and specify the information being
contested, the corrective action sought, and the reasons for requesting
the correction, along with supporting information to show how the
record is inaccurate, incomplete, untimely, or irrelevant.
Record source categories:
Individuals, private physicians, state and local health
departments, other health-care providers, conveyance personnel,
cooperating public health agencies, foreign governments including
ministries of health, and other federal agencies.
Systems exempted from certain provisions of the act:
None.
[FR Doc. E7-24142 Filed 12-12-07; 8:45 am]
BILLING CODE 4163-18-P