Privacy Act of 1974; Report of Modified or Altered System of Records, 4480-4482 [2010-33027]

Agencies

• Centers for Disease Control and Prevention
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 76, Number 16 (Tuesday, January 25, 2011)]
[Notices]
[Pages 4480-4482]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-33027]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Disease Control and Prevention


Privacy Act of 1974; Report of Modified or Altered System of 
Records

AGENCY: National Center for Environmental Health (NCEH), Coordinating 
Center for Environmental Health and Injury Prevention (CCEHIP), 
Department of Health and Human Services (DHHS).

ACTION: Notification of proposed altered System of Records.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services proposes to alter 
System of Records, 09-20-0162, ``Records of Subjects in Agent Orange, 
Vietnam Experience, and Selected Cancers Studies, HHS/CDC/CCEHIP/
NCEH.'' HHS is proposing to add the following Breach Response Routine 
Use Language to comply with the Office of Management and Budget (OMB) 
Memoranda (M) 07-16, Safeguarding Against and responding to the Breach 
of Personally Identifiable Information:
    To appropriate Federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information disclosed is relevant 
and necessary for that assistance.
    These records will be maintained by the Coordinating Center for 
Environmental Health and Injury Prevention (CCEHIP), National Center 
for Environmental Health (NCEH).

DATES: Comments must be received on or before February 24, 2011. The 
proposed altered System of Records will be effective 40 days from the 
date submitted to the OMB, unless CCEHIP/NCEH receives comments that 
would result in a contrary determination.

ADDRESSES: You may submit comments, identified by the Privacy Act 
System of Record Number 09-20-0162:
     Federal eRulemaking Portal: https://regulations.gov. Follow 
the instructions for submitting comments.
     E-mail: Include PA SOR number 09-20-0162 in the subject 
line of the message.
     Phone: 770/488-8660 (not a toll-free number).
     Fax: 770/488-8659.
     Mail: HHS/CDC Senior Official for Privacy (SOP), Office of 
the Chief Information Security Officer (OCISO), 4770 Buford Highway--M/
S: F-35, Chamblee, GA 30341.
     Hand Delivery/Courier: HHS/CDC Senior Official for Privacy 
(SOP), Office

[[Page 4481]]

of the Chief Information Security Officer (OCISO), 4770 Buford 
Highway--M/S: F-35, Chamblee, GA 30341.
     Comments received will be available for inspection and 
copying at this same address from 9 a.m. to 3 p.m., Monday through 
Friday, Federal holidays excepted.

SUPPLEMENTARY INFORMATION: CCEHIP/NCEH proposes to alter System of 
Records, No. 09-20-0162, ``Records of Subjects in Agent Orange, Vietnam 
Experience, and Selected Cancers Studies, HHS/CDC/CCEHIP/NCEH.'' 
Records in this system are used to support studies to assess the health 
of Vietnam veterans relative to the health of other men of similar age. 
Specifically this information should enable the Centers for Disease 
Control and Prevention (CDC) to:
    1. Evaluate the relationship of documented exposure to herbicides 
used in Vietnam (primarily Agent Orange) to possible adverse health 
consequences. Such possible effects to be evaluated include 
dermatologic, neurological, psychological, immunological, carcinogenic, 
reproductive, gastrointestinal, and others.
    2. Assess the health effects of service in Vietnam (including 
factors other than herbicide exposure) as opposed to the experiences of 
veterans who served in other countries.
    3. Evaluate the risk of selected cancers among Vietnam veterans in 
contrast to men of similar age who did not serve in Vietnam.
    This System of Record Notice is being altered to add the Breach 
Response Routine Use Language to comply with the Office of Management 
and Budget (OMB) memorandum dated May 22, 2007.
    The following notice is written in the present tense, rather than 
the future tense, in order to avoid the unnecessary expenditure of 
public funds to republish the notice after the System has become 
effective.

    Dated: December 11, 2009.
James D. Seligman,
Chief Information Officer, Centers for Disease Control and Prevention.

    Editorial Note: This document was received at the Office of the 
Federal Register on December 27, 2010.

Department of Health and Human Services (HHS)

Centers for Disease Control and Prevention (CDC)

Coordinating Center for Environmental Health and Injury Prevention 
(CCEHIP)

Records of Subjects in Agent Orange, Vietnam Experience, and Selected 
Cancers Studies

Report of Modified or Altered System of Records

Narrative Statement

I. Background and Purpose of the System

A. Background

    The Department of Health and Human Services proposes to alter 
System of Records, No. 09-20-0162, ``Records of Subjects in Agent 
Orange, Vietnam Experience, and Selected Cancers Studies, HHS/CDC/
CCEHIP/NCEH.'' HHS is proposing to add the following Breach Response 
Routine Use Language to comply with the Office of Management and Budget 
(OMB) Memoranda (M) 07-16, Safeguarding Against and Responding to the 
Breach of Personally Identifiable Information:
    To appropriate Federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information disclosed is relevant 
and necessary for that assistance.

B. Purpose

    Records in this system are used to support studies to assess the 
health of Vietnam veterans relative to the health of other men of 
similar age. Specifically this information should enable the Centers 
for Disease Control and Prevention (CDC) to:
    1. Evaluate the relationship of documented exposure to herbicides 
used in Vietnam (primarily Agent Orange) to possible adverse health 
consequences. Such possible effects to be evaluated include 
dermatologic, neurological, psychological, immunological, carcinogenic, 
reproductive, gastrointestinal, and others.
    2. Assess the health effects of service in Vietnam (including 
factors other than herbicide exposure) as opposed to the experiences of 
veterans who served in other countries.
    3. Evaluate the risk of selected cancers among Vietnam veterans in 
contrast to men of similar age who did not serve in Vietnam.
    Portions of records (i.e., name, Social Security number or military 
service number, date of birth) may be disclosed to the National Center 
for Health Statistics, CDC for obtaining a determination of vital 
status. Death certificates stating the cause of death will then be 
obtained from the appropriate Federal, State, or local agency to enable 
CDC to evaluate whether excess mortality is occurring among Vietnam 
veterans.

II. Authority for Maintenance of the System

    The Public Health Service Act, Section 301, Research and 
Investigations (42 U.S.C. 241); and the Public Health Service Act, 
Sections 304, 306, and 308(d), which discuss authority to maintain data 
and to provide assurances of confidentiality for health research and 
related activities (42 U.S.C. 242b, 242k, and 242m(d)).

III. Proposed Routine Use Disclosures of Data in the System

    The Privacy Act allows us to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such compatible use of data is known as a ``routine 
use''. The routine uses proposed for this System are compatible with 
the stated purpose of the System:
    Records have been disclosed to Department of Health and Human 
Services contractors to locate veterans, cancer cases and controls, 
conduct interviews, perform medical examinations, analyze pathology 
specimens, and similar medical services, so that the research purposes 
for which the records were collected could be accomplished. The 
contractor was required to comply with the Privacy Act and to follow 
Section 308(d) of the Public Health Service Act with respect to such 
records.
    Portions of records (i.e., name, Social Security number or military 
service number) have been disclosed to other Federal agencies such as 
the Veterans Administration, Internal Revenue Service, and Social 
Security Administration only to obtain information to aid in locating 
veterans involved in the study. These disclosures would have been made 
to update locating information provided by the Army and Joint Services 
Environmental Support Group.
    Records may be disclosed to appropriate Federal agencies and 
Department contractors that have a need to know the information for the 
purpose of assisting the Department's efforts to

[[Page 4482]]

respond to a suspected or confirmed breach of the security or 
confidentiality of information disclosed is relevant and necessary for 
that assistance.

IV. Effects of the Proposed System of Records on Individual Rights

    An individual may learn if a record exists about himself or herself 
by contacting the system manager at the above address. Persons who 
knowingly and willfully request or acquire a record pertaining to an 
individual under false pretenses are subject to a $5,000 fine for this 
criminal offense. Requesters in person must provide photo 
identification (such as driver's license) or other positive 
identification (i.e., place of birth, etc.) that would authenticate the 
identity of the individual making the request. Individuals who do not 
appear in person must submit a notarized request to verify their 
identity. A guardian who requests notification of, or access to, a 
mentally incompetent or severely physically impaired person's record 
must provide a birth certificate (or notarized copy), court order, or 
other appropriate evidence of guardianship. An individual who requests 
notification of or access to, a medical record shall at the time the 
request is made, designate in writing a responsible representative (who 
may be a physician, other health professional, or other responsible 
individual) who will be willing to review the record and inform the 
subject individual of its contents.
    In addition, the following information must be provided when 
requesting notification: (1) Full name and Social Security or military 
service number; and; (2) nature of the study in which the requester 
participated.
    Same as notification procedures. Requesters should also reasonably 
specify the record contents being sought. An accounting of disclosures 
that have been made of the record, if any, may be requested.

V. Safeguards

    The records in this System are stored in hard copy records, 
microfilm, computer tapes/disks, CD-ROMs, and printouts. The records 
are retrieved by the name, Social Security number or military service 
number (when supplied voluntarily or contained in existing records used 
in studies under this system), or other identifying number.
    Records in this system are collected under an assurance of 
confidentiality authorized by Section 308(d) of the Public Health 
Service Act. To comply with this assurance, the following special 
safeguards are necessary:
    Authorized Users: A database security package is implemented on 
CDC's mainframe computer to control unauthorized access to the system. 
Attempts to gain access by unauthorized individuals are automatically 
recorded and reviewed on a regular basis. Access is granted to only a 
limited number of physicians, scientists, statisticians, and designated 
support staff of the Centers for Disease Control and Prevention (CDC), 
as authorized by the system manager to accomplish the stated purpose 
for which the data in this system have been collected.
    Physical Safeguards: Access to the CDC Clifton Road facility where 
the mainframe computer is located is controlled by a cardkey system. 
Access to the computer room is controlled by a cardkey and security 
code (numeric keypad) system. The local fire department is located 
directly next door to the Clifton Road facility. The computer room is 
protected by an automatic sprinkler system, numerous automatic sensors 
(e.g., water, heat, smoke, etc.) are installed, and a proper mix of 
portable fire extinguishers is located throughout the computer room. 
Hard copy records are kept in locked cabinets in locked rooms. Security 
guard service in buildings provides personnel screening of visitors.
    Procedural Safeguards: Protection for computerized records on the 
mainframe includes programmed verification of valid user identification 
code and password prior to logging on to the system; mandatory password 
changes, limited log-ins, virus protection, and user rights/file 
attribute restrictions. Password protection imposes user name and 
password log-in requirements to prevent unauthorized access. Each user 
name is assigned limited access rights to files and directories at 
varying levels to control file sharing. There are routine daily backup 
procedures and secure off-site storage is available for backup tapes. 
To avoid inadvertent data disclosure, when erasing computer tapes and/
or other magnetic media, an additional procedure is performed to ensure 
that all Privacy Act data are removed. Additional safeguards may be 
built into the program by the system analyst as warranted by the 
sensitivity of the data.
    Access to highly sensitive systems is limited to users obtaining 
prior supervisory approval. Names and other details necessary to 
identify individuals are not included in data files used for analysis. 
These files are indexed by code numbers which are linked with complete 
identifiers only if there is a specific need. Keys which link 
identification numbers to names are stored separately with access 
limited to CDC project officers and authorized staff.
    CDC employees who process the records are instructed in specific 
rules of conduct to protect the security and confidentiality of records 
in accordance with Section 308(d) of the Public Health Service Act.
    Implementation Guidelines: The safeguards outlined above are in 
accordance with the HHS Information Security Program Policy and FIPS 
Pub 200, ``Minimum Security Requirements for Federal Information and 
Information Systems.'' Data maintained on CDC's Mainframe are in 
compliance with OMB Circular A-130, Appendix III. Security is provided 
for information collection, processing, transmission, storage, and 
dissemination in general support systems and major applications.
    The records are retained and disposed of in accordance with the CDC 
Records Control Schedule, which allows the system manager to maintain 
the records for 20 years unless needed for future reference. Because 
five-year mortality updates are planned until the study population 
expires, and health information from the questionnaire will be 
correlated with the mortality data, the computerized records to which 
questionnaire data were converted may be kept as long as research needs 
dictate. Records have been transferred to the Federal Records Center 
for storage and will be retained there subject to statutory 
confidentiality requirements.

VI. OMB Control Numbers, Expiration Dates, and Titles of Information 
Collection

    A. Full Title: ``Records of Subjects in Agent Orange, Vietnam 
Experience, and Selected Cancers Studies, HHS/CDC/CCEHIP/NCEH.''
    OMB Control Number: 09-20-0162.
    Expiration Date: TBD.

VII. Supporting Documentation

    A. Preamble and Proposed Notice of System for publication in the 
Federal Register.
    B. Agency Rules: None.
    C. Exemption Requested: None.
    D. Computer Matching Report: The new system does not require a 
matching report in accordance with the computer matching provisions of 
the Privacy Act.
[FR Doc. 2010-33027 Filed 1-24-11; 8:45 am]
BILLING CODE 4163-18-P