Privacy Act of 1974; Report of a New System of Records; Food and Drug Administration User Fee System, 67820-67823 [2012-27580]

Agencies

• Food and Drug Administration
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 77, Number 220 (Wednesday, November 14, 2012)]
[Notices]
[Pages 67820-67823]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-27580]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

[Docket No. FDA-2012-N-0911]


Privacy Act of 1974; Report of a New System of Records; Food and 
Drug Administration User Fee System

AGENCY: Food and Drug Administration, HHS.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 1974 
and the Food and Drug Administration's (FDA) regulations for the 
protection of privacy, FDA is publishing notice of a Privacy Act system 
of records entitled, ``FDA User Fee System, HHS/FDA,'' System Number 
09-10-0021. FDA utilizes the User Fee System (UFS) to collect fees 
pursuant to Federal law and FDA's implementing regulations. The records 
kept in this system relate to fees assessed under the Freedom of 
Information Act (FOIA), the Prescription Drug User Fee Act, the Medical 
Device User Fee and Modernization Act, the Animal Drug User Fee Act, 
the Animal Generic Drug User Fee Act, the Mammography Quality Standards 
Act, the Family Smoking Prevention and Tobacco Control Act, the Food 
Safety Modernization Act, the Biosimilar User Fee Act, the Generic Drug 
User Fee Act, and other fees assessed by FDA under its Federal Food, 
Drug and Cosmetic Act authority such as color additive certification 
fees and export certificate fees. For purposes of this notice, these 
fees are collectively referred to as user fees.

DATES: Effective Date: The new system of records will be effective on 
November 14, 2012, with the exception of the routine uses. The routine 
uses will become effective on December 31, 2012. Submit either 
electronic or written comments by December 31, 2012.

ADDRESSES: You may submit comments, identified by Docket No. FDA-2012-
N-0911, by any of the following methods:

Electronic Submissions

    Submit electronic comments in the following way:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.

Written Submissions

    Submit written submissions in the following ways:
     Fax: 301-827-6870.
     Mail/Hand delivery/Courier (for paper or CD-ROM 
submissions): Division of Dockets Management (HFA-305), Food and Drug 
Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852.
    Instructions: All submissions received must include the Agency name 
and Docket No. FDA-2012-N-0911 for this notice. All comments received 
may be posted without change to https://www.regulations.gov, including 
any personal information provided. For additional information on 
submitting comments, see the ``Comments'' heading of the SUPPLEMENTARY 
INFORMATION section of this document.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.regulations.gov and insert the 
docket number, found in brackets in the heading of this document, into 
the ``Search'' box and follow the prompts and/or go to the Division of 
Dockets Management, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852.

FOR FURTHER INFORMATION CONTACT: Lisa Berry, Office of Financial 
Management,

[[Page 67821]]

Food and Drug Administration, 1350 Piccard Dr., suite 200A, Rockville, 
MD 20850, 301-796-7225.

SUPPLEMENTARY INFORMATION: 

I. Description of the System of Records

    The UFS is a billing and collections system that maintains 
information about the individuals, organizations, and companies 
required to pay user fees. Information maintained in the UFS includes:
     Contact person's name, phone number, fax number, and email 
address;
     Federal Employer Identification Number (FEIN) for entity 
remitters;
     Taxpayer Identification Number (TIN) for individual 
remitters, which is encrypted with only the last four characters 
visible (in some circumstances individual remitters may use a Social 
Security Number as the TIN);
     Company name or the Organization name; and
     Data Universal Numbering System (DUNS) number and business 
address.
    The UFS also stores application details as the fee remitter 
(submitter) creates coversheets to pay user fees. These details 
include, but are not limited to, the type of application, waiver and 
exemption status, and Small Business Decision (SBD) Number. When a 
submitter generates a coversheet the UFS will only print the last four 
characters of the FEIN/TIN along with the organization name and 
address.
    Additionally, the UFS stores billing details, adjustments to 
invoices, and payment receipt information including date, mode, and 
amount of payment.

II. Routine Use Disclosures of Information in the System

    The Privacy Act allows FDA to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such compatible use of data is known as a ``routine 
use.'' The routine uses in this system meet the compatibility 
requirement of the Privacy Act.
    A number of the routine uses listed in the System of Records Notice 
below are common to systems across the government. These include 
routine uses allowing disclosure to Federal Agencies as necessary in 
order to respond to a confirmed or suspected breach of system security 
or confidentiality (routine use number 1); to the Department of Justice 
(DOJ) to obtain DOJ advice on producing user fee records in response to 
a FOIA request (routine use 2); to DOJ when DOJ represents the Agency 
in litigation (routine use 7); in response to a subpoena issued by a 
duly empowered Federal Agency (routine use 3); to a court or tribunal 
when the records are relevant and necessary to a proceeding involving 
the Agency or an employee (routine use 8); to contractors and others 
who perform services for the Agency related to the UFS (routine use 9); 
to the National Archives and Records Administration (NARA) and General 
Services Administration as needed in the course of records management 
inspections (routine use 10); and to the Department of Homeland 
Security (DHS) in circumstances where system records are captured in an 
intrusion detection program and made accessible to DHS (routine use 
11).
    Additional routine uses specific to the UFS allow disclosure to 
entities as permitted under the Debt Collection Improvement Act 
(routine use 4); to banks in order to process payment made by credit 
card (routine use 5); and to Dun and Bradstreet to validate submitter 
contact information (routine use 6).

SYSTEM NUMBER:
    09-10-0021.

SYSTEM NAME:
    FDA User Fee System, HHS/FDA.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    This system is located at FDA's Data Center in Ashburn, VA.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    This system contains records about individuals and companies that 
are required to submit user fee payments to the FDA. This includes 
organizations registered in the UFS, those billed through the system, 
as well as those submitting applications for review or otherwise 
assessed fees under the User Fee Program.
    Privacy Act notification, access, and amendment rights relative to 
the UFS are available only to individuals who are the subject of 
records in this system. User fee record subjects are individuals 
required to pay a user fee, including individual FOIA requestors and 
individuals who are sole proprietors of an entity required to pay a 
user fee. Although records in the system may contain personally 
identifiable information (PII) related to other individuals, only the 
specified fee submitters are considered subjects of records in this 
system.

CATEGORIES OF RECORDS IN THE SYSTEM:
    1. The UFS maintains information about individuals, companies and 
organizations that pay user fees. This includes: (a) For an entity 
remitter, a FEIN, and for an individual remitter, a TIN; (b) company or 
organization name and address; (c) DUNS number; and (d) contact 
person's name, phone number, Fax number, and email address.
    2. The UFS also stores application information collected when the 
fee remitter (submitter) creates coversheets in order to pay user fees. 
This information includes the type of application, waiver and exemption 
status, and SBD number.
    3. The UFS stores fee processing information including: Billing 
details; adjustments to invoices including credit and debit memos; and 
receipt information including date, mode, and amount of payment.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    21 U.S.C. 371, 379, 379e, 379h, 379h-1, 379j, 379j-12, 379j-21, 
379j-31, 387s, and 393(d)(2); 42 U.S.C. 263b(r)(1); 5 U.S.C. 301, 552; 
and 44 U.S.C. 3101.

PURPOSE(S):
    FDA personnel and any contractors assisting them will use 
information in the system, on a need-to-know basis, for the following 
purposes:
    1. To assess and collect user fees.
    2. To provide an electronic payment and receipt mechanism that is 
integrated with the U.S. Department of Treasury's https://www.Pay.gov 
Web site and the various FDA Centers.
    3. To provide Web-based capabilities including transactional 
inquiries and information on payment status.
    4. To facilitate debt collection activities in accordance with the 
Debt Collection Improvement Act of 1996 and the HHS regulations for 
claims collections (45 CFR Part 30).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING THE PURPOSES 
OF SUCH USES AND CATEGORIES OF USERS:
    Permitted disclosures include those made in accordance with routine 
uses that are listed in the notice of the system of records. 5 U.S.C. 
552a(b)(3). The Privacy Act defines ``routine use'' as ``with respect 
to the disclosure of a record, the use of such record for a purpose 
which is compatible with the purpose for which it was collected.'' See 
also FDA's Privacy Act regulations, defining ``routine use'' as ``use 
outside the Department of Health and Human Services that is compatible 
with the purpose for which the records were collected and described in 
the [System of Records] notice * * *'' 21 CFR 21.20(b)(5).

[[Page 67822]]

    Records in this system that contain information about record 
subjects and nonsubjects (such as FDA employees who operate the system) 
may be disclosed to recipients outside HHS in accordance with the 
following routine uses:
    1. Records may be disclosed to appropriate Federal Agencies and 
Department contractors that have a need to know the information for the 
purpose of assisting the Department's efforts to respond to a suspected 
or confirmed breach of the security or confidentiality of information 
maintained in this system of records.
    2. In the event HHS deems it desirable or necessary, in determining 
whether particular records are required to be disclosed under the FOIA, 
disclosure may be made to the DOJ for the purpose of obtaining its 
advice.
    3. Where Federal Agencies having the power to subpoena other 
Federal Agencies' records, such as the Internal Revenue Service, issue 
a subpoena to HHS for records in this system of records, HHS will make 
such records available, provided however, that in each case, HHS 
determines that such disclosure is compatible with the purpose for 
which the records were collected.
    4. A record from this system may be disclosed to entities as 
provided for in the Debt Collection Improvement Act of 1996 (Pub. L. 
104-134).
    5. A record may be disclosed to banks enrolled in the Treasury 
Credit Card Network to collect a payment or debt when the person has 
given his/her credit card number for this purpose.
    6. UFS submitter data (name, address, DUNS number) may be provided 
to Dun and Bradstreet for validation for the purpose of maintaining 
database integrity.
    7. Disclosure may be made to the Department of Justice (DOJ) when: 
(a) The Agency or any component thereof; (b) any employee of the Agency 
in his or her official capacity; (c) any employee of the Agency in his 
or her individual capacity where the DOJ has agreed to represent the 
employee; or (d) the U.S. Government is a party to litigation or has an 
interest in such litigation, and by careful review, the Agency 
determines that the records are both relevant and necessary to the 
litigation and the use of such records by the DOJ is therefore deemed 
by the Agency to be for a purpose that is compatible with the purpose 
for which the Agency collected the records.
    8. Disclosure may be made to a court or other tribunal, when: (a) 
The Agency or any component thereof; (b) any employee of the Agency in 
his or her official capacity; (c) any employee of the Agency in his or 
her individual capacity where the DOJ has agreed to represent the 
employee; or (d) the U.S. Government is a party to the proceeding or 
has an interest in such proceeding, and by careful review, the Agency 
determines that the records are both relevant and necessary to the 
proceeding and the use of such records is therefore deemed by the 
Agency to be for a purpose that is compatible with the purpose for 
which the Agency collected the records.
    9. Disclosure may be made to contractors and other individuals who 
perform services for the Agency related to this system of records, and 
who need access to the records in order to perform such services. 
Recipients shall be required to comply with the requirements of the 
Privacy Act of 1974, as amended, 5 U.S.C. 552a.
    10. Disclosure may be made to NARA and/or the General Services 
Administration for the purpose of records management inspections 
conducted under authority of 44 U.S.C. 2904 and 2906.
    11. Records may become accessible to U.S. Department of Homeland 
Security (DHS) cyber security personnel, if captured in an intrusion 
detection system used by HHS/FDA and DHS pursuant to the DHS Einstein 2 
program. Under Einstein 2, DHS uses intrusion detection systems to 
monitor Internet traffic to and from Federal computer networks to 
prevent malicious computer code from reaching the networks. According 
to DHS' Privacy Impact Assessment for Einstein 2 (available on the DHS 
Cybersecurity privacy Web site, https://www.dhs.gov), only PII that is 
directly related to a malicious code security incident is captured by 
and accessible to DHS, and DHS does not access PII unless the PII is 
part of the malicious code.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records may be maintained in hard copy files and on computer disks, 
hard drives, file servers, and other types of data storage devices.

RETRIEVABILITY:
    Records may be retrieved by computer search using name, address, 
contact information, system identifiable numbers (party/organization, 
submitter numbers), DUNS Number, and payment information (for refunds).

SAFEGUARDS:
    1. Authorized users: Access is restricted to FDA employees and 
contractors with a Level 5 or higher clearance who have a need for the 
records in the performance of their duties.
    2. Procedural and technical safeguards: Technical controls include 
identification and authentication, access control, audit and 
accountability, system and communication protection, timely account 
disablement/deletion, configuration management, maintenance, system and 
information integrity, media protection, and incident response. These 
controls extend to remote users as well. Additionally, when a remitter 
(submitter) generates a coversheet the UFS will only print the last 
four characters of the FEIN/TIN along with the Organization name and 
address.
    3. Physical safeguards: Physical security safeguards include 
controlled-access buildings where all records (CDs, computer listings, 
and paper documents) are maintained in secured areas, locked buildings, 
locked rooms, and locked cabinets.

RETENTION AND DISPOSAL:
    UFS records are maintained in accordance with FDA's Records Control 
Schedule, and with the applicable General Records Schedule (GRS) and 
disposition schedule approved by NARA. UFS records fall under GRS 20, 
Items 2a(4) (hard copy input records), 12 and 16 (Output records and 
reports), and NARA approved citation N1-088-09-11, Items 1.1 (files 
maintained in the Office of Financial Management), 1.2 (data maintained 
by FDA Centers), and 1.3.2 (database records).

SYSTEM MANAGER AND ADDRESS:
    George Brindza, Division of Systems, FDA Office of Information 
Management (OIM), 2094 Gaither Rd., rm. 131, Rockville, MD 20850; 301-
796-7845.

NOTIFICATION PROCEDURES:
    In accordance with 21 CFR part 21, subpart D, an individual may 
submit a request to the FDA Privacy Act Coordinator, with a notarized 
signature, to confirm whether records exist about him or her. Requests 
should be directed to the FDA Privacy Act Coordinator, Division of 
Freedom of Information, 12420 Parklawn Dr., ELEM-1036, Rockville, MD 
20857. An individual requesting notification via mail should certify in 
his or her request that he or she is the individual who he or she 
claims to be and that he or she understands that the knowing and 
willful request for or acquisition of a

[[Page 67823]]

record pertaining to an individual under false pretenses is a criminal 
offense under the Act subject to a $5,000 fine, and indicate on the 
envelope and in a prominent manner in the request letter that he or she 
is making a ``Privacy Act Request.'' Additional details regarding 
notification request procedures appear in 21 CFR part 21, subpart D.

RECORD ACCESS PROCEDURES:
    Procedures are the same as above, in Notification Procedures. 
Requesters should also reasonably specify the record contents being 
sought. Some records may be exempt from access under 5 U.S.C. 
552a(d)(5), if they are ``compiled in reasonable anticipation of a 
civil action or proceeding.'' If access to requested records is denied, 
the requester may appeal the denial to the FDA Commissioner. Additional 
details regarding record access procedures and identity verification 
requirements appear in 21 CFR part 21, subpart D.

CONTESTING RECORD PROCEDURES:
    In addition to the procedures described above, requesters should 
reasonably identify the record, specify the information they are 
contesting, state the corrective action sought and the reasons for the 
correction, and provide justifying information showing why the record 
is not accurate, complete, timely, or relevant. Rules and procedures 
regarding amendment of Privacy Act records appear in 21 CFR part 21, 
subpart E.

RECORD SOURCE CATEGORIES:
    Information in this system is obtained from many sources, 
including: (1) Directly from the individual, company or organization 
that is required to submit user fees to FDA; (2) from materials 
supplied by the submitter or individual acting on his/her behalf; (3) 
from FDA Centers such as the Center for Drug Evaluation and Research, 
Center for Devices and Radiological Health, Center for Biologics 
Evaluation and Research, Center for Veterinary Medicine, Center for 
Tobacco Products, Center for Food Safety and Applied Nutrition, and the 
Office of Financial Management; and (4) from any other relevant source.

RECORDS EXEMPTED FROM CERTAIN PROVISIONS OF THE PRIVACY ACT:
    None.

    Dated: November 7, 2012.
Leslie Kux,
Assistant Commissioner for Policy.
[FR Doc. 2012-27580 Filed 11-13-12; 8:45 am]
BILLING CODE 4160-01-P