Privacy Act of 1974; System of Records, 48654-48658 [2024-12468]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 89, Number 111 (Friday, June 7, 2024)]
[Notices]
[Pages 48654-48658]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-12468]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records

AGENCY: National Institutes of Health (NIH), Department of Health and 
Human Services (HHS).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended (Privacy Act, or Act), the Department of Health and 
Human Services (HHS) is establishing a new System of Records (SOR), 09-
25-0224, ``NIH Police Records,'' to be maintained by the National 
Institutes of Health (NIH). The new system of records will contain 
records about individuals who are the subject of investigations of 
crime, civil disturbances, and traffic accidents occurring on or 
otherwise affecting the protection of life and property on NIH 
property. Because the records will constitute law enforcement 
investigatory material, elsewhere in the Federal Register the agency 
has published a notice of proposed rulemaking (NPRM) to exempt this 
system of records from certain requirements of the Privacy Act based on 
subsections (j)(2) and (k)(2) of the Act. The system of records is more 
fully described in the system of records notice (SORN) published in 
this notice.

DATES: The comment period for this SORN is co-extensive with the 60-day 
comment period provided in the NPRM; i.e., written comments on the SORN 
should be submitted by August 6, 2024. The new system of records, 
including the routine uses and the exemptions, will become effective 
when NIH publishes a Final Rule, which will not occur until the 60-day 
comment period provided in the NPRM has expired and any comments 
received on the NPRM (or on this SORN) have been addressed.

ADDRESSES: The public should address written comments, identified by 
the Privacy Act System of Records (PA SOR) Number 09-25-0224, by any of 
the following methods:
     Federal eRulemaking Portal: https://regulations.gov. 
Follow the instructions for submitting comments.
     Email: [email protected] and include PA SOR number 09-
25-0224 in the subject line of the message.
     Phone: (301) 402-6469 (not a toll-free number).
     Fax: (301) 402-0169.
     Mail: NIH Privacy Act Officer, Office of Management 
Assessment, National Institutes of Health, 6705 Rockledge Drive (RK1) 
601, Rockville, MD 20892-7901.
     Hand Delivery/Courier: 6705 Rockledge Drive (RK1) 601, 
Rockville, MD 20892-7901.
    Comments received will be available for inspection and copying at 
this same address from 9:00 a.m. to 3:00 p.m., Monday through Friday, 
Federal holidays excepted.

FOR FURTHER INFORMATION CONTACT: General questions about the system of 
records may be submitted to Dustin Close, NIH Privacy Act Officer, by 
email at [email protected] or mail at the Office of Management 
Assessment (OMA), Office of the Director (OD), National Institutes of 
Health (NIH), 6705 Rockledge Drive (RK1) 601, Rockville, MD 20892-7901. 
Telephone: 301-402-6469.

SUPPLEMENTARY INFORMATION: The Privacy Act (5 U.S.C. 552a) governs the 
means by which the United States Government collects, maintains, and 
uses records in a system of records. A ``system of records'' is a group 
of any records under the control of a federal agency from which 
information about individuals is retrieved by name or other personal 
identifier. The Privacy Act requires each agency to publish in the 
Federal Register a SORN identifying and describing each system of 
records the agency maintains, including the purposes for which the 
agency uses records in the system of records, the routine uses for 
which the agency discloses, or may disclose, such information outside 
the agency without the subject individual's prior written consent, and 
procedures explaining how subject individuals can exercise their rights 
under the Privacy Act (e.g., to

[[Page 48655]]

determine if the system of records contains information about them). At 
least 30 days prior to publication of this Notice in the Federal 
Register, the Department submitted a report on the proposed system of 
records to the Office of Management and Budget, the Committee on 
Government Reform and Oversight of the House of Representatives, and 
the Committee on Governmental Affairs of the Senate as required by 5 
U.S.C. 552a(r) and in the form and manner required by Office of 
Management and Budget (OMB) Circular A-108.
    The NIH Division of Police, which is within the Office of Research 
Services (ORS) in the NIH Office of the Director, was established to 
provide an immediate and primary law enforcement program for NIH. The 
NIH Division of Police derives its authority from 40 U.S.C. 1315, the 
law enforcement authority of the Secretary of Homeland Security for the 
protection of public property, and General Administrative Delegation of 
Authority Number 08, Control of Violations of Law at Certain NIH 
Facilities (September 1, 2020). Based on this establishing authority, 
the NIH Division of Police performs criminal law enforcement activity 
as its principal function. However, the NIH Division of Police conducts 
both criminal and non-criminal (e.g., civil, administrative, 
regulatory) law enforcement investigations.
    The NIH Division of Police is directly responsible for the 
provision of daily law enforcement and criminal and civil investigative 
activities required to protect the life, safety, and property of NIH 
employees, contractors, patients, and visitors. To perform these 
responsibilities, the NIH Division of Police compiles and maintains 
records of complaints of incidents, inquiries, investigative findings, 
arrest records, and court dispositions which are retrieved by personal 
identifiers and therefore constitute a ``system of records'' as defined 
by the Privacy Act at 5 U.S.C. 552a(a)(5). The records are used 
primarily to: (1) record incidents of crime, civil disturbance, and 
traffic accidents on the NIH enclave, and the investigation of such 
incidents; (2) maintain information essential to the protection of 
life, safety, and property at NIH; (3) provide official records of law 
enforcement investigative efforts for use in administrative, criminal, 
and civil proceedings; and (4) document criminal and civil law 
enforcement investigations.
    All of the routine uses published in the SORN are compatible with 
the original purpose for which criminal and non-criminal (e.g., civil, 
administrative, regulatory) law enforcement investigatory records are 
collected. Specifically:
     Routine use 1 will permit disclosures to HHS contractors 
who need access to the records in this system of records.
     Routine use 2 will permit HHS to disclose records to the 
Department of Justice or to a court or other adjudicative body in 
limited circumstances that are necessary to the conduct of legal 
proceedings.
     Routine use 3 will permit HHS to refer records to other 
appropriate law enforcement entities that have jurisdiction over a 
matter that NIH discovers.
     Where HHS has determined records to be sufficiently 
reliable to support a referral, routine use 4 will permit disclosures 
to another government agency or public authority of the fact that this 
system of records contains information relevant to decisions about an 
individual's employment, licensing, investigation, procurement, or 
other decision of that agency or public authority to help determine 
suitability as a contractor, licensee, grantee, or beneficiary. The 
receiving entity may then make a request to HHS supported by the 
written consent of the individual for further information if it so 
chooses.
     Routine use 5 will permit disclosures to the news media 
and general public when the information is in the public interest and 
would be required to be disclosed under the Freedom of Information Act, 
but where no FOIA request has been received.
     Routine use 6 is included as a courtesy to Members of 
Congress acting in their capacity as constituent representatives. Under 
normal circumstances, HHS would require any third party to present 
written consent of the record subject to obtain records about the 
record subject. However, if a record subject writes to a Member of 
Congress for assistance, and the Member writes to HHS showing a copy of 
the constituent's correspondence, HHS will recognize that request as if 
it were a formal authorization and respond in order to allow the Member 
of Congress to provide prompt service to the constituent.
     Routine use 7 will permit HHS to disclose records about 
accidents or traffic violations to the people involved so they can 
defend themselves or manage insurance claims.
     Routine uses 8 and 9 will authorize disclosures at the 
recommendation of OMB to help us reduce and manage data breaches.

Alfred C. Johnson,
Deputy Director for Management, National Institutes of Health.

SYSTEM NAME AND NUMBER:
    NIH Police Records, 09-25-0224.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is: Division of Police, Office of Research Services (ORS), 
National Institutes of Health (NIH), Building 31, Room B3B17, 31 Center 
Drive, Bethesda, MD 20892-2012.

SYSTEM MANAGER(S):
    Chief, Division of Police, Office of Research Services (ORS), 
National Institutes of Health, Building 31, Room B3B17, 31 Center Dr., 
Bethesda, MD 20892-2012. [email protected], telephone (301) 
496-2387.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    40 U.S.C. 1315 Law enforcement authority of Secretary of Homeland 
Security for protection of public property; Memorandum from the 
Assistant Secretary for Administration, OS, to the Director, NIH, June 
13, 1968; Memorandum from the Assistant Secretary for Administration, 
OS, to the Director, NIH, June 13, 1968, entitled: Delegation of 
Authority to Assist in Controlling Violations of Law at Certain HEW 
Facilities Located in Montgomery County, Maryland; and NIH General 
Administrative Delegation of Authority Number 08, Control of Violations 
of Law at Certain NIH Facilities (September 1, 2020). Collection of 
Social Security Numbers (SSN) is authorized by Executive Order (E.O.) 
9397, as amended by E.O. 13478, to be used as the enumerator when 40 
U.S.C. 1315, as implemented by NIH General Administrative Delegation of 
Authority Number 08 authorizes use of enumerators or an indexing system 
or other method to identify individuals and maintain accurate records 
about them.

PURPOSE(S) OF THE SYSTEM:
    The primary purposes for which the records are used are to: (1) 
record incidents of crime, civil disturbance, and traffic accidents on 
the NIH enclave, and the investigation of such incidents; (2) maintain 
information essential to the protection of life, safety, and property 
at NIH; (3) provide official records of law enforcement investigative

[[Page 48656]]

efforts for use in administrative, criminal and/or civil proceedings; 
and (4) document criminal and civil law enforcement investigations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Records will pertain to the following individuals: owners or 
operators of vehicles entering or attempting to enter NIH property; 
individuals who are involved in motor vehicle accidents; individuals 
arrested on the NIH property; individuals suspected of posing a threat 
to the safety of NIH visitors, personnel, and property; individuals who 
report or provide information about any of the above referenced 
activities; and individuals against whom criminal or civil penalties 
have been sought or imposed for any of the above-referenced activities.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records will consist of (as applicable) reports of moving and non-
moving traffic violations, accident reports, missing property reports, 
and similar documents and files, containing data elements such as 
names, descriptions, and contact information for subjects of 
investigation and witnesses, Social Security Number (SSN), date of 
birth, and vehicle license plate number, brand or model information; 
and, if applicable, reports of criminal investigations, including 
indicia of arrests (e.g., arrest reports fingerprints, photographs, and 
other items of evidence), and criminal intelligence reports.

RECORD SOURCE CATEGORIES:
    The records in this system of records are obtained directly from 
the subject individual, or from interviews conducted by or are recorded 
by the NIH Police Officer based on their observation, including 
observation of camera footage, or statements made or given to them by 
witnesses or other involved individuals, or are obtained by the NIH 
Police Officer from sources such as the Federal Bureau of Instigation, 
Department of Motor Vehicles, the individual's employer, criminal 
database, local police, NIH Human Resources database, NIH Visitor Log 
records, and reports of investigation.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974 at 5 U.S.C. 552a(b), 
under which HHS may disclose information from this system of records to 
non-HHS officers and employees without the consent of the subject 
individual.
    1. Information may be disclosed to an HHS contractor engaged by HHS 
to assist in accomplishment of an HHS function relating to the purposes 
of this system of records who needs to have access to the record to 
assist HHS in performing the activity. Any contractor will be required 
to comply with the requirements of the Privacy Act of 1974, as amended.
    2. Information may be disclosed to the Department of Justice (DOJ) 
or to a court or other tribunal in litigation or other proceedings 
when: (a) HHS, or any component thereof; (b) any HHS employee in his/
her official capacity; (c) any HHS employee in his/her individual 
capacity where DOJ (or HHS, where it is authorized to do so) has agreed 
to represent the employee; or (d) the United States Government, is a 
party to the proceedings and, by careful review, HHS determines that 
the records are both relevant and necessary to the proceedings.
    3. Information may be disclosed to another federal agency or any 
foreign, state, local, or Tribal government agency responsible for 
enforcing, investigating, or prosecuting violations of administrative, 
civil, or criminal law or regulation where that information is relevant 
to an enforcement proceeding, investigation, or prosecution within the 
agency's jurisdiction.
    4. Information may be disclosed to a federal, foreign, state, 
local, Tribal, or other public authority (e.g., a licensing 
organization) of the fact that this system of records contains 
information relevant to the hiring or retention of an employee, the 
issuance or retention of a security clearance, the reporting of an 
investigation of an individual, the letting of a contract, or the 
issuance or retention of a license, grant, or other benefit. The other 
agency or licensing organization may then make a request supported by 
the written consent of the individual for further information if it so 
chooses. HHS will not make an initial disclosure unless the information 
has been determined to be sufficiently reliable to support a referral 
to another office within the agency or to another federal agency for 
criminal, civil, administrative, personnel, or regulatory action.
    5. Information may be disclosed to the news media and general 
public when there is a legitimate public interest (for example, to 
provide information on events in the criminal process such as 
indictments, and that would be required to be publicly disclosed under 
FOIA if HHS received a request), or when necessary to protect the 
public from an imminent threat to life or property.
    6. Information may be disclosed to a congressional office in 
response to a written inquiry from the congressional office made at the 
written request of the individual record subject.
    7. An accident report, or records concerning an accident or moving 
or non-moving traffic violation, may be disclosed to any individual 
allegedly involved or injured in the accident or traffic violation.
    8. Information may be disclosed to appropriate agencies, entities, 
and persons when (1) HHS suspects or has confirmed that there has been 
a breach of the system of records; (2) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the federal government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    9. Information may be disclosed to another federal agency or 
federal entity, when HHS determines that information from this system 
of records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the federal government, or national 
security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored in various electronic media and in paper form.
    In accordance with federal security requirements, policies, and 
controls, as implemented by NIH and HHS, records may be located on 
approved portable devices designed to hold any kind of digital, 
optical, or other data including: laptops, tablets, personal data 
assistants, Universal Serial Bus (USB) drives, media cards, portable 
hard drives, Smartphones, compact discs (CDs), digital versatile discs 
(DVDs), or other mobile storage devices.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by the subject individual's name or other 
personal identifier, such as date of birth-or Social Security Number.

[[Page 48657]]

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    NIH Police Records are currently unscheduled and will be retained 
indefinitely until authorized for disposition under a schedule approved 
by the National Archives and Records Administration.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Measures to prevent unauthorized disclosures of NIH Police Records 
are implemented as appropriate for each location or form of storage and 
for the types of records maintained. Safeguards conform to the HHS 
Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/. Site(s) implement personnel and procedural 
safeguards such as the following:
    Authorized Users: Access is strictly limited to authorized 
personnel whose duties require such access (i.e., valid, business need-
to-know).
    Administrative Safeguards: Administrative controls include the 
completion of a Security Assessment and Authorization (SA&A) package 
and a Privacy Impact Assessment (PIA) for information technology (IT) 
systems used to maintain the records, and mandatory completion of 
annual NIH Information Security and Privacy Awareness training for 
personnel authorized to access the records. The SA&A package consists 
of a Security Categorization, e-Authentication Risk Assessment, System 
Security Plan, evidence of Security Control Testing, Plan of Action and 
Milestones, Contingency Plan, and evidence of Contingency Plan Testing. 
When the design, development, or operation of a system of records is 
required to accomplish an agency function and the agency engages an 
outside contractor to support that operation, the applicable Privacy 
Act Federal Acquisition Regulation (FAR) clauses are inserted in 
solicitations and contracts.
    Physical Safeguards: Controls to secure the data and protect paper 
and electronic records, buildings, and related infrastructure against 
threats associated with their physical environment include the use of 
the HHS Employee ID or other badge, NIH key cards, security guards, 
cipher locks, biometrics, and closed-circuit TV. Paper records are 
secured in locked file cabinets, offices, and facilities. Electronic 
media are kept on secure servers or computer systems. Access to the 
restricted office area containing the rooms where records are stored is 
controlled through the use of limited access proximity cards. Only 
authorized users have access to these cards. Individuals who enter the 
restricted area without a limited access proximity card are under 
escort at all times. During regular business hours, rooms in this 
restricted area are unlocked but entry is controlled by on-site 
personnel. Rooms where records are stored are locked when not in use. 
Individually identifiable records are kept in locked file cabinets or 
in rooms under the direct control of the System Manager. Contractor 
interaction with records covered by this system of records will occur 
on-site and no physical records (paper or electronic) will be allowed 
to be removed from the NIH Division of Police unless authorized. All 
authorized users of personal information in connection with the 
performance of their jobs protect information from public view and from 
unauthorized personnel entering an unsupervised area/office.
    Police incident and other sensitive reports and information are 
kept in a limited access locked room with live video surveillance. 
Intelligence reports containing investigations of criminal intelligence 
matters are kept in a safe in the offices of the Supervisor, 
Intelligence Section.
    Technical Safeguards: Controls are generally executed by the 
computer system and are employed to minimize the possibility of 
unauthorized access, use, or dissemination of the data in the system. 
They include user identification, password protection, firewalls, 
virtual private network, encryption, intrusion detection system, common 
access cards, smart cards, biometrics and public key infrastructure. 
Computer records are accessible only through a series of code or 
keyword commands available from and under the direct control of the 
System Manager or delegated employees. These records are secured by a 
multi-level security system which is capable of controlling access to 
the individual data field level. Persons having access to the computer 
database can be restricted to a confined application which permits only 
a narrow ``view'' of the data.

RECORD ACCESS PROCEDURES:
    This system of records will be exempt from access by subject 
individuals to the extent permitted by 5 U.S.C. 552(j)(2) or (k)(2). 
However, consideration will be given to any access request addressed to 
the System Manager listed above. Most records pertaining to traffic 
investigations will be accessible to any individual involved or injured 
in the traffic violation or accident without interfering with or 
compromising the integrity of an investigation. Individual record 
subjects seeking access to records about themselves must submit a 
written access request to the System Manager identified in the ``System 
Manager(s)'' section above, at the postal or electronic mail address 
indicated in that section. The request must reasonably specify the 
record contents being sought and contain the requester's full name, 
address, telephone number and/or email address, date of birth, and 
signature, and should identify the approximate date(s) the information 
was collected, and the types of information collected. So that HHS may 
verify the requester's identity, the requester's signature must be 
notarized, or the request must include the requester's written, signed 
certification that the requester is the individual who the requester 
claims to be and that the requester understands that the knowing and 
willful request of a record pertaining to an individual under false 
pretenses is a misdemeanor offense under the Privacy Act and subject to 
fine of up to five thousand dollars. If records are requested on behalf 
of a minor or legally incompetent individual, evidence of the 
requester's parental or guardianship relationship to the individual 
must be included and the identity of both the subject individual and 
the requesting parent or guardian must be verified.

CONTESTING RECORD PROCEDURES:
    This system of records will be exempt from amendment to the extent 
permitted by 5 U.S.C. 552(j)(2) or (k)(2). However, consideration will 
be given to any amendment request addressed to the System Manager 
listed above. Individuals seeking to amend records about them in this 
system of records must submit a written amendment request to the System 
Manager, containing the same information required for an access 
request. The amendment request must include verification of identity in 
the same manner required for an access request; must reasonably 
identify the record and specify the information contested, the 
corrective action sought, and the reason(s) for requesting the 
amendment and should include supporting information. The right to 
contest records is limited to information that is factually inaccurate, 
incomplete, irrelevant, or untimely (obsolete).

NOTIFICATION PROCEDURES:
    This system of records will be exempt from notification to the 
extent permitted by 5 U.S.C. 552(j)(2) or (k)(2). However, 
consideration will be given to any notification request addressed to 
the System Manager listed above.

[[Page 48658]]

Individuals who want to know whether this system of records contains 
records about them must submit a written notification request to the 
System Manager. The notification request must contain the same 
information required for an access request and must include 
verification of identity in the same manner required for an access 
request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    As provided in the Department's notice of proposed rulemaking, upon 
publication of a Final Rule, law enforcement investigatory material in 
this system of records will be exempt from certain requirements of the 
Privacy Act as follows:
     Based on 5 U.S.C. 552a(j)(2) and (k)(2), all criminal and 
non-criminal (e.g., civil, administrative, regulatory) law enforcement 
investigatory material will be exempt from the requirements in 
subsections (c)(3), (d)(1) through (4), (e)(1), (e)(4)(G) through (I), 
and (f) of the Privacy Act; provided, however, that for investigative 
material compiled for law enforcement purposes other than material 
within the scope of 5 U.S.C. 552a(j)(2), if maintenance of the records 
causes a subject individual to be denied a federal right, privilege, or 
benefit to or for which the individual would otherwise be entitled or 
eligible, the exemption based on 5 U.S.C. 552a(k)(2) will be limited to 
material that would reveal the identity of a source who furnished 
information to the Government under an express promise that the 
identity of the source would be held in confidence.
     Because the NIH Division of Police is a component which 
performs criminal law enforcement as its principal function, based on 5 
U.S.C. 552a(j)(2), criminal law enforcement investigatory material will 
be exempt from the additional requirements in these subsections of the 
Privacy Act: (c)(4), (e)(2) and (3), (e)(5), and (g).
     If any law enforcement investigatory material compiled in 
this system of records 09-25-0224 is from another system of records in 
which such material was exempted from access and other requirements of 
the Privacy Act based on (j)(2), it will be exempt in system of records 
09-25-0224 on the same basis (5 U.S.C. 552a(j)(2)) and from the same 
requirements as in the source system of records.

HISTORY:
    None.

[FR Doc. 2024-12468 Filed 6-6-24; 8:45 am]
BILLING CODE 4140-01-P