Privacy Act of 1974; Report of Modified or Altered System of Records, 4471-4474 [2010-33023]
Download as PDF
<![CDATA[
Federal Register / Vol. 76, No. 16 / Tuesday, January 25, 2011 / Notices
mstockstill on DSKH9S0YB1PROD with NOTICES2
purpose of the System and support the
agency’s mission:
An individual may learn if a record
exists about himself or herself by
contacting the system manager at the
address above. Requesters in person
must provide driver’s license or other
positive identification. Individuals who
do not appear in person must either: (1)
Submit a notarized request to verify
their identity; or (2) certify that they are
the individuals they claim to be and that
they understand that the knowing and
willful request for or acquisition of a
record pertaining to an individual under
false pretenses is a criminal offense
under the Privacy Act subject to a
$5,000 fine.
An individual who requests
notification of or access to medical
records shall, at the time the request is
made, designate in writing a responsible
representative who is willing to review
the record and inform the subject
individual of its contents.
The following information must be
provided when requesting notification:
(1) Full name; (2) the approximate date
and place of the study, if known; and (3)
nature of the questionnaire or study in
which the requester participated.
Same as notification procedures.
Requesters should also reasonably
specify the record contents being
sought. An accounting of disclosures
that have been made of the record, if
any, may be requested.
Individuals may contact the official at
the address specified under System
Manager above, and reasonably identify
the record and specify the information
being contested, the corrective action
sought, and the reasons for requesting
the correction, along with supporting
information to show how the record is
inaccurate, incomplete, untimely, or
irrelevant.
V. Safeguards
The records in this System have the
following safeguards in place to
maintain and protect the information as
it relates to Authorized users, physical
and procedural safeguards:
Authorized users—Access is granted
to physicians, scientists, statisticians,
and designated support staff of the
Centers for Disease Control and
Prevention (CDC), or its contractors, as
authorized by the system manager to
accomplish the stated purposes for
which the data in this system have been
collected.
Physical Safeguards—Access to the
facility is monitored, and controlled
after hours, by security guard service.
Hard copy records are kept in locked
cabinets in locked rooms. Access to the
LAN computer room is controlled by a
VerDate Mar<15>2010
22:02 Jan 24, 2011
Jkt 223001
punch lock system. The local fire
department is one mile from the facility,
which is of structural steel and cement
block construction, with pre-cast
cement panels on the envelope. No
combustible materials are used in the
building construction, including all
interior walls. Heat sensors are
installed, and portable fire extinguishers
are located throughout the computer
room. The active system files are backed
up on a weekly basis. The entire system
is backed up, with copies of the files
stored in a secure, fireproof safe in a
separate location within the facility.
Procedural Safeguards—The NIOSH
Local Area Network (LAN) computer
system, located within the Morgantown
facility, uses a security package to
control unauthorized access to the
system. Attempts to gain access by
unauthorized individuals are
automatically recorded and reviewed on
a daily basis. Protection for
computerized records both on the
mainframe and the NIOSH Local Area
Network (LAN) includes programmed
verification of valid user identification
code and password prior to logging on
to the system, mandatory password
changes, limited log-ins, virus
protection, and user rights/file attribute
restrictions. Password protection
imposes user name and password log-in
requirements to prevent unauthorized
access. Each user name is assigned
limited access rights to files and
directories at varying levels to control
file sharing. There are routine daily
backup procedures and secure off-site
storage is available for backup tapes.
Additional safeguards may be built into
the program by the system analyst as
warranted by the sensitivity of the data.
Implementation Guidelines: The
safeguards outlined above are in
accordance with the HHS Information
Security Program Policy and FIPS Pub
200, ‘‘Minimum Security Requirements
for Federal Information and Information
Systems.’’ Data maintained on CDC’s
Mainframe and the NIOSH LAN are in
compliance with OMB Circular A–130,
Appendix III. Security is provided for
information collection, processing,
transmission, storage, and
dissemination in general support
systems and major applications.
The records in this System are
retained and disposed of in the
following way: Master records for
completed studies are maintained in
agency until transferred to the National
Archives. Source documents for
computer data are disposed of when no
longer needed in the study, as
determined by the system manager, and
as provided in the signed consent form,
as appropriate. Disposal methods
PO 00000
Frm 00041
Fmt 4701
Sfmt 4703
4471
include erasing computer tapes, burning
or shredding paper materials or
transferring records to the Federal
Records Center when no longer needed
for evaluation and analysis. Electronic
records are maintained according to the
provisions of the Records Control
Schedule for NIOSH Electronic Records,
which is consistent with the records
maintenance requirements for other
forms of records. Copies of notifications
to workers/private physicians of needed
medical attention and/or medical
treatment are destroyed when no longer
needed for administrative purposes, but
may be retained for as long as seventy
years. Paper records are destroyed by
paper recycling process when 20 years
old, unless needed for further study.
VI. OMB Control Numbers, Expiration
Dates, and Titles of Information
Collection
A. Full Title: ‘‘Mortality Studies in
Coal Mining, Metal and Non-metal
Mining and General Industry, HHS/
CDC/NIOSH.’’
OMB Control Number: 09–20–0153.
Expiration Date: TBD.
VII. Supporting Documentation
A. Preamble and Proposed Notice of
System for publication in the Federal
Register.
B. Agency Rules: None.
C. Exemption Requested: None.
D. Computer Matching Report: The
new system does not require a matching
report in accordance with the computer
matching provisions of the Privacy Act.
[FR Doc. 2010–33022 Filed 1–24–11; 8:45 am]
BILLING CODE 4163–18–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Disease Control and
Prevention
Privacy Act of 1974; Report of Modified
or Altered System of Records
Division of Respiratory Disease
Studies (DRDS), National Institute for
Occupational Safety and Health
(NIOSH), Centers for Disease Control
and Prevention (CDC), Department of
Health and Human Services (DHHS).
ACTION: Notification of proposed altered
System of Records.
AGENCY:
The Department of Health and
Human Services proposes to alter
System of Records, 09–20–0154,
‘‘Medical and Laboratory Studies, HHS/
CDC/NIOSH.’’ HHS is proposing to add
the following Breach Response Routine
Use Language to comply with the Office
of Management and Budget (OMB)
SUMMARY:
E:\FR\FM\25JAN2.SGM
25JAN2
mstockstill on DSKH9S0YB1PROD with NOTICES2
4472
Federal Register / Vol. 76, No. 16 / Tuesday, January 25, 2011 / Notices
Memoranda (M) 07–16, Safeguarding
Against and responding to the Breach of
Personally Identifiable Information:
To appropriate federal agencies and
Department contractors that have a need
to know the information for the purpose
of assisting the Department’s efforts to
respond to a suspected or confirmed
breach of the security or confidentiality
of information disclosed is relevant and
necessary for that assistance.
These records will be maintained by
the National Institute for Occupational
Safety and Health (NIOSH).
DATES: Comments must be received on
or before February 24, 2011. The
proposed altered System of Records will
be effective 40 days from the date
submitted to the OMB, unless NIOSH
receives comments that would result in
a contrary determination.
ADDRESSES: You may submit comments,
identified by the Privacy Act System of
Record Number 09–20–0154:
• Federal eRulemaking Portal: https://
regulations.gov. Follow the instructions
for submitting comments.
• E-mail: Include PA SOR number
09–20–0154 in the subject line of the
message.
• Phone: 770/488–8660 (not a tollfree number).
• Fax: 770/488–8659.
• Mail: HHS/CDC Senior Official for
Privacy (SOP), Office of the Chief
Information Security Officer (OCISO),
4770 Buford Highway—M/S: F–35,
Chamblee, GA 30341.
• Hand Delivery/Courier: HHS/CDC
Senior Official for Privacy (SOP), Office
of the Chief Information Security Officer
(OCISO), 4770 Buford Highway—M/S:
F–35, Chamblee, GA 30341.
• Comments received will be
available for inspection and copying at
this same address from 9 a.m. to 3 p.m.,
Monday through Friday, Federal
holidays excepted.
SUPPLEMENTARY INFORMATION: NIOSH
proposes to alter System of Records, No.
09–20–0154, ‘‘Medical and Laboratory
Studies, HHS/CDC/NIOSH.’’ The
purpose of this system is to perform
medical and epidemiological research,
statistical analysis, and to identify early
indicators of occupationally related
diseases (biochemical indices); data is
given to other NIOSH units for
biochemical and epidemiological
studies.
This System of Record Notice is being
altered to add the Breach Response
Routine Use Language to comply with
the Office of Management and Budget
(OMB) memorandum dated May 22,
2007.
The following notice is written in the
present tense, rather than the future
VerDate Mar<15>2010
22:02 Jan 24, 2011
Jkt 223001
tense, in order to avoid the unnecessary
expenditure of public funds to republish
the notice after the System has become
effective.
Dated: December 11, 2009.
James D. Seligman,
Chief Information Officer, Centers for Disease
Control and Prevention.
Editorial Note: This document was
received at the Office of the Federal Register
on December 27, 2010.
Department of Health and Human
Services (HHS)
Centers for Disease Control and
Prevention (CDC)
National Institute for Occupational
Safety and Health (NIOSH)
Medical and Laboratory Studies
Report of Modified or Altered System of
Records
Narrative Statement
I. Background and Purpose of the
System
A. Background
The Department of Health and Human
Services proposes to alter System of
Records, No. 09–20–0154 ‘‘Medical and
Laboratory Studies, HHS/CDC/NIOSH.’’
HHS is proposing to add the following
Breach Response Routine Use Language
to comply with the Office of
Management and Budget (OMB)
Memoranda (M) 07–16, Safeguarding
Against and responding to the Breach of
Personally Identifiable Information:
To appropriate federal agencies and
Department contractors that have a need
to know the information for the purpose
of assisting the Department’s efforts to
respond to a suspected or confirmed
breach of the security or confidentiality
of information disclosed is relevant and
necessary for that assistance.
B. Purpose
The purpose of this system is to
perform medical and epidemiological
research, statistical analysis, and to
identify early indicators of
occupationally related diseases
(biochemical indices); data is given to
other NIOSH units for biochemical and
epidemiological studies.
II. Authority for Maintenance of the
System
Federal Mine Safety and Health Act of
1977, Section 501, ‘‘Research’’ (30 U.S.C.
951); and the Occupational Safety and
Health Act, Section 20, ‘‘Research and
Related Activities’’ and Section 22(d),
‘‘Authority of Director, National Institute
for Occupational Safety and Health’’ (29
U.S.C. 669, 671 (d)).
PO 00000
Frm 00042
Fmt 4701
Sfmt 4703
III. Proposed Routine Use Disclosures
of Data in the System
The Privacy Act allows us to disclose
information without an individual’s
consent if the information is to be used
for a purpose that is compatible with the
purpose(s) for which the information
was collected. Any such compatible use
of data is known as a ‘‘routine use’’. The
routine uses proposed for this System
are compatible with the stated purpose
of the System and support the agency’s
mission:
Data may be sent to State Vital
Statistics Divisions to obtain death
certificates and to missing person
location agencies to find those
individuals who cannot otherwise be
located.
Disclosure may be made to a
congressional office from the record of
an individual in response to a verified
inquiry from the congressional office
made at the written request of that
individual.
In the event of litigation where the
defendant is: (a) The Department, any
component of the Department, or any
employee of the Department in his or
her official capacity; (b) the United
States where the Department determines
that the claim, if successful, is likely to
directly affect the operations of the
Department or any of its components; or
(c) any Department employee in his or
her individual capacity where the
Department of Justice has agreed to
represent such employee, for example,
in defending a claim against the Public
Health Service based upon an
individual’s mental or physical
condition and alleged to have arisen
because of activities of the Public Health
Service in connection with such
individual, disclosure may be made to
the Department of Justice to enable that
Department to present an effective
defense, provided that such disclosure
is compatible with the purpose for
which the records were collected.
Records subject to the Privacy Act are
disclosed to private firms for data entry,
computer systems analysis and
computer programming services. The
contractors promptly return data entry
records after the contracted work is
completed. The contractors are required
to maintain Privacy Act safeguards.
Certain communicable diseases may
be reported to State and/or local health
departments where the State has a
legally constituted reporting program for
communicable diseases and which
provides for the confidentiality of the
information.
In the event of litigation initiated at
the request of NIOSH, the Institute may
disclose such records as it deems
E:\FR\FM\25JAN2.SGM
25JAN2
Federal Register / Vol. 76, No. 16 / Tuesday, January 25, 2011 / Notices
desirable or necessary to the Department
of Justice and to the Department of
Labor, Office of the Solicitor, where
appropriate, to enable the Departments
to effectively represent the Institute,
provided such disclosure is compatible
with the purpose for which the records
were collected. The only types of
litigative proceedings that NIOSH is
authorized to request are: (1)
enforcement of a subpoena issued to an
employer to provide relevant
information; or (2) contempt citation
against an employer for failure to
comply with a warrant obtained by the
Institute.
Disclosure may be made to NIOSH
collaborating researchers (NIOSH
contractors, grantees, cooperative
agreement holders, or other Federal or
State scientists) in order to accomplish
the research purpose for which the
records are collected. The collaborating
researchers must agree in writing to
comply with the confidentiality
provisions of the Privacy Act and
NIOSH must have determined that the
researchers’ data security procedures
will protect confidentiality.
Records may be disclosed by CDC in
connection with public health activities
to the Social Security Administration
for sources of locating information to
accomplish the research or program
purposes for which the records were
collected.
Records may be disclosed to
appropriate federal agencies and
Department contractors that have a need
to know the information for the purpose
of assisting the Department’s efforts to
respond to a suspected or confirmed
breach of the security or confidentiality
of information disclosed is relevant and
necessary for that assistance.
mstockstill on DSKH9S0YB1PROD with NOTICES2
IV. Effects of the Proposed System of
Records on Individual Rights
The routine uses proposed for this
System are compatible with the stated
purpose of the System and support the
agency’s mission:
An individual may learn if a record
exists about himself or herself by
contacting the system manager at the
address above. Requesters in person
must provide driver’s license or other
positive identification. Individuals who
do not appear in person must either: (1)
submit a notarized request to verify
their identity; or (2) certify that they are
the individuals they claim to be and that
they understand that the knowing and
willful request for or acquisition of a
record pertaining to an individual under
false pretenses is a criminal offense
under the Privacy Act subject to a
$5,000 fine.
VerDate Mar<15>2010
22:02 Jan 24, 2011
Jkt 223001
An individual who requests
notification of or access to medical
records shall, at the time the request is
made, designate in writing a responsible
representative who is willing to review
the record and inform the subject
individual of its contents.
The following information must be
provided when requesting notification:
(1) Full name; (2) the approximate date
and place of the study, if known; and (3)
nature of the questionnaire or study in
which the requester participated.
Same as notification procedures.
Requesters should also reasonably
specify the record contents being
sought. An accounting of disclosures
that have been made of the record, if
any, may be requested.
Individuals should contact the official
at the address specified under System
Manager above, reasonably identify the
record and specify the information
being contested, the corrective action
sought, and the reasons for requesting
the correction, along with supporting
information to show how the record is
inaccurate, incomplete, untimely, or
irrelevant.
V. Safeguards
The records in this System are stored
in computer tapes/disks and printouts,
CD ROMs, microfilm, microfiche, and
hard copy files, and the records in this
System are retrieved by Name and case
number are the indices used to retrieve
records from this system.
The records in this System have the
following safeguards in place to
maintain and protect the information as
it relates to Authorized users, physical
and procedural safeguards:
Authorized users—Access is granted
to only a limited number of physicians,
scientists, statisticians, and designated
support staff of the Centers for Disease
Control and Prevention (CDC), as
authorized by the system manager to
accomplish the stated purposes for
which the data in this system have been
collected.
Physical Safeguards—Access to the
facility is monitored, and controlled
after hours, by security guard service.
Hard copy records are kept in locked
cabinets in locked rooms. Access to the
LAN computer room is controlled by a
punch lock system. The local fire
department is one mile from the facility,
which is of structural steel and cement
block construction, with pre-cast
cement panels on the envelope. No
combustible materials are used in the
building construction, including all
interior walls. Heat sensors are
installed, and portable fire extinguishers
are located throughout the computer
room. The active system files are backed
PO 00000
Frm 00043
Fmt 4701
Sfmt 4703
4473
up on a weekly basis. The entire system
is backed up, with copies of the files
stored in a secure, fireproof safe in a
separate location within the facility.
Procedural Safeguards—The NIOSH
Local Area Network (LAN) computer
system, located within the Morgantown
facility, uses a security package to
control unauthorized access to the
system. Attempts to gain access by
unauthorized individuals are
automatically recorded and reviewed on
a daily basis. Protection for
computerized records both on the
mainframe and the NIOSH Local Area
Network (LAN) includes programmed
verification of valid user identification
code and password prior to logging on
to the system, mandatory password
changes, limited log-ins, virus
protection, and user rights/file attribute
restrictions. Password protection
imposes user name and password log-in
requirements to prevent unauthorized
access. Each user name is assigned
limited access rights to files and
directories at varying levels to control
file sharing. There are routine daily
backup procedures and secure off-site
storage is available for backup tapes.
Additional safeguards may be built into
the program by the system analyst as
warranted by the sensitivity of the data.
CDC and contractor employees who
maintain records are instructed to check
with the system manager prior to
making disclosures of data. When
individually identified data are being
used in a room, admittance at either
CDC or contractor sites is restricted to
specifically authorized personnel.
Privacy Act provisions are included in
contracts, and the CDC Project Director,
contract officers and project officers
oversee compliance with these
requirements. Upon completion of the
contract, all data will be either returned
to CDC or destroyed, as specified by the
contract.
Implementation Guidelines: The
safeguards outlined above are in
accordance with the the HHS
Information Security Program Policy
and FIPS Pub 200, ‘‘Minimum Security
Requirements for Federal Information
and Information Systems.’’ Data
maintained on CDC’s Mainframe and
the NIOSH LAN are in compliance with
OMB Circular A–130, Appendix III.
Security is provided for information
collection, processing, transmission,
storage, and dissemination in general
support systems and major applications
The records in this System are
retained and disposed of in the
following way: Master records for
completed studies are maintained in
agency until transferred to the National
Archives. Source documents for
E:\FR\FM\25JAN2.SGM
25JAN2
4474
Federal Register / Vol. 76, No. 16 / Tuesday, January 25, 2011 / Notices
computer data are disposed of when no
longer needed in the study, as
determined by the system manager, and
as provided in the signed consent form,
as appropriate. Disposal methods
include erasing computer tapes, burning
or shredding paper materials or
transferring records to the Federal
Records Center when no longer needed
for evaluation and analysis. Electronic
records, if any, are maintained
according to the provisions of the
records control schedule for NIOSH
electronic records, which is consistent
with the records maintenance
requirements for other forms of records.
Copies of notifications to workers/
private physicians of needed medical
attention and/or medical treatment are
destroyed when no longer needed for
administrative purposes, but may be
retained for as long as seventy (70)
years. Paper records are destroyed by
paper recycling process when 20 years
old, unless needed for further study.
VI. OMB Control Numbers, Expiration
Dates, and Titles of Information
Collection
A. Full Title: ‘‘Medical and Laboratory
Studies, HHS/CDC/NIOSH.’’
OMB Control Number: 09–20–0154.
Expiration Date: TBD.
VII. Supporting Documentation
A. Preamble and Proposed Notice of
System for publication in the Federal
Register.
B. Agency Rules: None.
C. Exemption Requested: None.
D. Computer Matching Report: The
new system does not require a matching
report in accordance with the computer
matching provisions of the Privacy Act.
[FR Doc. 2010–33023 Filed 1–24–11; 8:45 am]
BILLING CODE 4163–18–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Disease Control and
Prevention
Privacy Act of 1974; Report of Modified
or Altered System of Records
National Personal Protective
Technology Laboratory (NPPTL),
National Institute for Occupational
Safety and Health (NIOSH), Centers for
Disease Control and Prevention (CDC),
Department of Health and Human
Services (DHHS).
ACTION: Notification of Proposed Altered
System of Records.
mstockstill on DSKH9S0YB1PROD with NOTICES2
AGENCY:
The Department of Health and
Human Services proposes to alter
System of Records, 09–20–0159,
SUMMARY:
VerDate Mar<15>2010
22:02 Jan 24, 2011
Jkt 223001
‘‘Records of Subject in Certification,
Testing, Studies of Personal Protective
Devices, and Accident Investigations,
HHS/CDC/NIOSH.’’ HHS is proposing to
add the following Breach Response
Routine Use Language to comply with
the Office of Management and Budget
(OMB) Memoranda (M) 07–16,
Safeguarding Against and responding to
the Breach of Personally Identifiable
Information:
To appropriate Federal agencies and
Department contractors that have a need
to know the information for the purpose
of assisting the Department’s efforts to
respond to a suspected or confirmed
breach of the security or confidentiality
of information disclosed is relevant and
necessary for that assistance.
These records will be maintained by
the National Institute for Occupational
Safety and Health (NIOSH), National
Personal Protective Technology
Laboratory (NPPTL).
DATES: Comments must be received on
or before February 24, 2011. The
proposed altered System of Records will
be effective 40 days from the date
submitted to the OMB, unless NIOSH
receives comments that would result in
a contrary determination.
ADDRESSES: You may submit comments,
identified by the Privacy Act System of
Record Number 09–20–0159:
• Federal eRulemaking Portal: https://
regulations.gov. Follow the instructions
for submitting comments.
• E-mail: Include PA SOR number
09–20–0159 in the subject line of the
message.
• Phone: 770/488–8660 (not a tollfree number).
• Fax: 770/488–8659.
• Mail: HHS/CDC Senior Official for
Privacy (SOP), Office of the Chief
Information Security Officer (OCISO),
4770 Buford Highway—M/S: F–35,
Chamblee, GA 30341.
• Hand Delivery/Courier: HHS/CDC
Senior Official for Privacy (SOP), Office
of the Chief Information Security Officer
(OCISO), 4770 Buford Highway—M/S:
F–35, Chamblee, GA 30341.
• Comments received will be
available for inspection and copying at
this same address from 9 a.m. to 3 p.m.,
Monday through Friday, Federal
holidays excepted.
SUPPLEMENTARY INFORMATION: NIOSH
proposes to alter System of Records, No.
09–20–0159, ‘‘Records of Subject in
Certification, Testing, Studies of
Personal Protective Devices, and
Accident Investigations, HHS/CDC/
NIOSH.’’ The purpose of this system is
to permit acquisition of information
related to certification and performance
of personal protective equipment, and
safety research studies.
PO 00000
Frm 00044
Fmt 4701
Sfmt 4703
This System of Record Notice is being
altered to add the Breach Response
Routine Use Language to comply with
the Office of Management and Budget
(OMB) memorandum dated May 22,
2007.
The following notice is written in the
present tense, rather than the future
tense, in order to avoid the unnecessary
expenditure of public funds to republish
the notice after the System has become
effective.
Dated: December 11, 2009.
James D. Seligman,
Chief Information Officer, Centers for Disease
Control and Prevention.
Editorial Note: This document was
received at the Office of the Federal Register
on December 27, 2010.
Department of Health and Human
Services (HHS)
Centers for Disease Control and
Prevention (CDC)
National Institute for Occupational
Safety and Health (NIOSH)
Records of Subject in Certification,
Testing, Studies of Personal Protective
Devices, and Accident Investigations
Report of Modified or Altered System of
Records
Narrative Statement
I. Background and Purpose of the
System
A. Background
The Department of Health and Human
Services proposes to alter System of
Records, No. 09–20–0159 ‘‘Records of
Subject in Certification, Testing, Studies
of Personal Protective Devices, and
Accident Investigations, HHS/CDC/
NIOSH.’’ HHS is proposing to add the
following Breach Response Routine Use
Language to comply with the Office of
Management and Budget (OMB)
Memoranda (M) 07–16, Safeguarding
Against and responding to the Breach of
Personally Identifiable Information:
To appropriate Federal agencies and
Department contractors that have a need
to know the information for the purpose
of assisting the Department’s efforts to
respond to a suspected or confirmed
breach of the security or confidentiality
of information disclosed is relevant and
necessary for that assistance.
B. Purpose
The purpose of this system is to
permit acquisition of information
related to certification and performance
of personal protective equipment, and
safety research studies.
E:\FR\FM\25JAN2.SGM
25JAN2
]]>Agencies
[Federal Register Volume 76, Number 16 (Tuesday, January 25, 2011)]
[Notices]
[Pages 4471-4474]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-33023]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Disease Control and Prevention
Privacy Act of 1974; Report of Modified or Altered System of
Records
AGENCY: Division of Respiratory Disease Studies (DRDS), National
Institute for Occupational Safety and Health (NIOSH), Centers for
Disease Control and Prevention (CDC), Department of Health and Human
Services (DHHS).
ACTION: Notification of proposed altered System of Records.
-----------------------------------------------------------------------
SUMMARY: The Department of Health and Human Services proposes to alter
System of Records, 09-20-0154, ``Medical and Laboratory Studies, HHS/
CDC/NIOSH.'' HHS is proposing to add the following Breach Response
Routine Use Language to comply with the Office of Management and Budget
(OMB)
[[Page 4472]]
Memoranda (M) 07-16, Safeguarding Against and responding to the Breach
of Personally Identifiable Information:
To appropriate federal agencies and Department contractors that
have a need to know the information for the purpose of assisting the
Department's efforts to respond to a suspected or confirmed breach of
the security or confidentiality of information disclosed is relevant
and necessary for that assistance.
These records will be maintained by the National Institute for
Occupational Safety and Health (NIOSH).
DATES: Comments must be received on or before February 24, 2011. The
proposed altered System of Records will be effective 40 days from the
date submitted to the OMB, unless NIOSH receives comments that would
result in a contrary determination.
ADDRESSES: You may submit comments, identified by the Privacy Act
System of Record Number 09-20-0154:
Federal eRulemaking Portal: https://regulations.gov. Follow
the instructions for submitting comments.
E-mail: Include PA SOR number 09-20-0154 in the subject
line of the message.
Phone: 770/488-8660 (not a toll-free number).
Fax: 770/488-8659.
Mail: HHS/CDC Senior Official for Privacy (SOP), Office of
the Chief Information Security Officer (OCISO), 4770 Buford Highway--M/
S: F-35, Chamblee, GA 30341.
Hand Delivery/Courier: HHS/CDC Senior Official for Privacy
(SOP), Office of the Chief Information Security Officer (OCISO), 4770
Buford Highway--M/S: F-35, Chamblee, GA 30341.
Comments received will be available for inspection and
copying at this same address from 9 a.m. to 3 p.m., Monday through
Friday, Federal holidays excepted.
SUPPLEMENTARY INFORMATION: NIOSH proposes to alter System of Records,
No. 09-20-0154, ``Medical and Laboratory Studies, HHS/CDC/NIOSH.'' The
purpose of this system is to perform medical and epidemiological
research, statistical analysis, and to identify early indicators of
occupationally related diseases (biochemical indices); data is given to
other NIOSH units for biochemical and epidemiological studies.
This System of Record Notice is being altered to add the Breach
Response Routine Use Language to comply with the Office of Management
and Budget (OMB) memorandum dated May 22, 2007.
The following notice is written in the present tense, rather than
the future tense, in order to avoid the unnecessary expenditure of
public funds to republish the notice after the System has become
effective.
Dated: December 11, 2009.
James D. Seligman,
Chief Information Officer, Centers for Disease Control and Prevention.
Editorial Note: This document was received at the Office of the
Federal Register on December 27, 2010.
Department of Health and Human Services (HHS)
Centers for Disease Control and Prevention (CDC)
National Institute for Occupational Safety and Health (NIOSH)
Medical and Laboratory Studies
Report of Modified or Altered System of Records
Narrative Statement
I. Background and Purpose of the System
A. Background
The Department of Health and Human Services proposes to alter
System of Records, No. 09-20-0154 ``Medical and Laboratory Studies,
HHS/CDC/NIOSH.'' HHS is proposing to add the following Breach Response
Routine Use Language to comply with the Office of Management and Budget
(OMB) Memoranda (M) 07-16, Safeguarding Against and responding to the
Breach of Personally Identifiable Information:
To appropriate federal agencies and Department contractors that
have a need to know the information for the purpose of assisting the
Department's efforts to respond to a suspected or confirmed breach of
the security or confidentiality of information disclosed is relevant
and necessary for that assistance.
B. Purpose
The purpose of this system is to perform medical and
epidemiological research, statistical analysis, and to identify early
indicators of occupationally related diseases (biochemical indices);
data is given to other NIOSH units for biochemical and epidemiological
studies.
II. Authority for Maintenance of the System
Federal Mine Safety and Health Act of 1977, Section 501,
``Research'' (30 U.S.C. 951); and the Occupational Safety and Health
Act, Section 20, ``Research and Related Activities'' and Section 22(d),
``Authority of Director, National Institute for Occupational Safety and
Health'' (29 U.S.C. 669, 671 (d)).
III. Proposed Routine Use Disclosures of Data in the System
The Privacy Act allows us to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such compatible use of data is known as a ``routine
use''. The routine uses proposed for this System are compatible with
the stated purpose of the System and support the agency's mission:
Data may be sent to State Vital Statistics Divisions to obtain
death certificates and to missing person location agencies to find
those individuals who cannot otherwise be located.
Disclosure may be made to a congressional office from the record of
an individual in response to a verified inquiry from the congressional
office made at the written request of that individual.
In the event of litigation where the defendant is: (a) The
Department, any component of the Department, or any employee of the
Department in his or her official capacity; (b) the United States where
the Department determines that the claim, if successful, is likely to
directly affect the operations of the Department or any of its
components; or (c) any Department employee in his or her individual
capacity where the Department of Justice has agreed to represent such
employee, for example, in defending a claim against the Public Health
Service based upon an individual's mental or physical condition and
alleged to have arisen because of activities of the Public Health
Service in connection with such individual, disclosure may be made to
the Department of Justice to enable that Department to present an
effective defense, provided that such disclosure is compatible with the
purpose for which the records were collected.
Records subject to the Privacy Act are disclosed to private firms
for data entry, computer systems analysis and computer programming
services. The contractors promptly return data entry records after the
contracted work is completed. The contractors are required to maintain
Privacy Act safeguards.
Certain communicable diseases may be reported to State and/or local
health departments where the State has a legally constituted reporting
program for communicable diseases and which provides for the
confidentiality of the information.
In the event of litigation initiated at the request of NIOSH, the
Institute may disclose such records as it deems
[[Page 4473]]
desirable or necessary to the Department of Justice and to the
Department of Labor, Office of the Solicitor, where appropriate, to
enable the Departments to effectively represent the Institute, provided
such disclosure is compatible with the purpose for which the records
were collected. The only types of litigative proceedings that NIOSH is
authorized to request are: (1) enforcement of a subpoena issued to an
employer to provide relevant information; or (2) contempt citation
against an employer for failure to comply with a warrant obtained by
the Institute.
Disclosure may be made to NIOSH collaborating researchers (NIOSH
contractors, grantees, cooperative agreement holders, or other Federal
or State scientists) in order to accomplish the research purpose for
which the records are collected. The collaborating researchers must
agree in writing to comply with the confidentiality provisions of the
Privacy Act and NIOSH must have determined that the researchers' data
security procedures will protect confidentiality.
Records may be disclosed by CDC in connection with public health
activities to the Social Security Administration for sources of
locating information to accomplish the research or program purposes for
which the records were collected.
Records may be disclosed to appropriate federal agencies and
Department contractors that have a need to know the information for the
purpose of assisting the Department's efforts to respond to a suspected
or confirmed breach of the security or confidentiality of information
disclosed is relevant and necessary for that assistance.
IV. Effects of the Proposed System of Records on Individual Rights
The routine uses proposed for this System are compatible with the
stated purpose of the System and support the agency's mission:
An individual may learn if a record exists about himself or herself
by contacting the system manager at the address above. Requesters in
person must provide driver's license or other positive identification.
Individuals who do not appear in person must either: (1) submit a
notarized request to verify their identity; or (2) certify that they
are the individuals they claim to be and that they understand that the
knowing and willful request for or acquisition of a record pertaining
to an individual under false pretenses is a criminal offense under the
Privacy Act subject to a $5,000 fine.
An individual who requests notification of or access to medical
records shall, at the time the request is made, designate in writing a
responsible representative who is willing to review the record and
inform the subject individual of its contents.
The following information must be provided when requesting
notification: (1) Full name; (2) the approximate date and place of the
study, if known; and (3) nature of the questionnaire or study in which
the requester participated.
Same as notification procedures. Requesters should also reasonably
specify the record contents being sought. An accounting of disclosures
that have been made of the record, if any, may be requested.
Individuals should contact the official at the address specified
under System Manager above, reasonably identify the record and specify
the information being contested, the corrective action sought, and the
reasons for requesting the correction, along with supporting
information to show how the record is inaccurate, incomplete, untimely,
or irrelevant.
V. Safeguards
The records in this System are stored in computer tapes/disks and
printouts, CD ROMs, microfilm, microfiche, and hard copy files, and the
records in this System are retrieved by Name and case number are the
indices used to retrieve records from this system.
The records in this System have the following safeguards in place
to maintain and protect the information as it relates to Authorized
users, physical and procedural safeguards:
Authorized users--Access is granted to only a limited number of
physicians, scientists, statisticians, and designated support staff of
the Centers for Disease Control and Prevention (CDC), as authorized by
the system manager to accomplish the stated purposes for which the data
in this system have been collected.
Physical Safeguards--Access to the facility is monitored, and
controlled after hours, by security guard service. Hard copy records
are kept in locked cabinets in locked rooms. Access to the LAN computer
room is controlled by a punch lock system. The local fire department is
one mile from the facility, which is of structural steel and cement
block construction, with pre-cast cement panels on the envelope. No
combustible materials are used in the building construction, including
all interior walls. Heat sensors are installed, and portable fire
extinguishers are located throughout the computer room. The active
system files are backed up on a weekly basis. The entire system is
backed up, with copies of the files stored in a secure, fireproof safe
in a separate location within the facility.
Procedural Safeguards--The NIOSH Local Area Network (LAN) computer
system, located within the Morgantown facility, uses a security package
to control unauthorized access to the system. Attempts to gain access
by unauthorized individuals are automatically recorded and reviewed on
a daily basis. Protection for computerized records both on the
mainframe and the NIOSH Local Area Network (LAN) includes programmed
verification of valid user identification code and password prior to
logging on to the system, mandatory password changes, limited log-ins,
virus protection, and user rights/file attribute restrictions. Password
protection imposes user name and password log-in requirements to
prevent unauthorized access. Each user name is assigned limited access
rights to files and directories at varying levels to control file
sharing. There are routine daily backup procedures and secure off-site
storage is available for backup tapes. Additional safeguards may be
built into the program by the system analyst as warranted by the
sensitivity of the data.
CDC and contractor employees who maintain records are instructed to
check with the system manager prior to making disclosures of data. When
individually identified data are being used in a room, admittance at
either CDC or contractor sites is restricted to specifically authorized
personnel. Privacy Act provisions are included in contracts, and the
CDC Project Director, contract officers and project officers oversee
compliance with these requirements. Upon completion of the contract,
all data will be either returned to CDC or destroyed, as specified by
the contract.
Implementation Guidelines: The safeguards outlined above are in
accordance with the the HHS Information Security Program Policy and
FIPS Pub 200, ``Minimum Security Requirements for Federal Information
and Information Systems.'' Data maintained on CDC's Mainframe and the
NIOSH LAN are in compliance with OMB Circular A-130, Appendix III.
Security is provided for information collection, processing,
transmission, storage, and dissemination in general support systems and
major applications
The records in this System are retained and disposed of in the
following way: Master records for completed studies are maintained in
agency until transferred to the National Archives. Source documents for
[[Page 4474]]
computer data are disposed of when no longer needed in the study, as
determined by the system manager, and as provided in the signed consent
form, as appropriate. Disposal methods include erasing computer tapes,
burning or shredding paper materials or transferring records to the
Federal Records Center when no longer needed for evaluation and
analysis. Electronic records, if any, are maintained according to the
provisions of the records control schedule for NIOSH electronic
records, which is consistent with the records maintenance requirements
for other forms of records. Copies of notifications to workers/private
physicians of needed medical attention and/or medical treatment are
destroyed when no longer needed for administrative purposes, but may be
retained for as long as seventy (70) years. Paper records are destroyed
by paper recycling process when 20 years old, unless needed for further
study.
VI. OMB Control Numbers, Expiration Dates, and Titles of Information
Collection
A. Full Title: ``Medical and Laboratory Studies, HHS/CDC/NIOSH.''
OMB Control Number: 09-20-0154.
Expiration Date: TBD.
VII. Supporting Documentation
A. Preamble and Proposed Notice of System for publication in the
Federal Register.
B. Agency Rules: None.
C. Exemption Requested: None.
D. Computer Matching Report: The new system does not require a
matching report in accordance with the computer matching provisions of
the Privacy Act.
[FR Doc. 2010-33023 Filed 1-24-11; 8:45 am]
BILLING CODE 4163-18-P
