Privacy Act of 1974; Notice To Establish an Exempt System of Records

Federal Register, Dec 8, 2016
81 Fed. Reg. 88690 (Dec. 8, 2016)

AGENCY:

National Institutes of Health (NIH), Department of Health and Human Services (HHS).

ACTION:

Notice to establish an exempt system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended, the National Institutes of Health (NIH) proposes to establish a new system of records, to be numbered and titled: SORN 09-25-0225 “NIH Electronic Research Administration (eRA) Records, HHS/NIH/OD/OER,” which will be related to, but separate from, the system of records covered in SORN 09-25-0036 “NIH Extramural Awards and Chartered Advisory Committee (IMPAC II), Contract Information (DCIS), and Cooperative Agreement Information, HHS/NIH.” The new system of records will cover records used by NIH throughout the research and development award lifecycle, from application to scientific peer review, post-award monitoring, and close-out.

Elsewhere in today's Federal Register, NIH has published a Notice of Proposed Rulemaking (NPRM) proposing to exempt confidential source-identifying material in the new system of records (i.e., material that would inappropriately reveal the identities of referees who provide letters of recommendation and peer reviewers who provide written evaluative input and recommendations to NIH about particular funding applications under an express promise by the government that their identities in association with the written work products they authored and provided to the government will be kept confidential) from certain requirements of the Privacy Act, specifically, from the provisions pertaining to providing an accounting of disclosures, access and amendment and notification. The exemptions and the promises of confidentiality are necessary to protect the integrity of NIH extramural peer review and award processes and ensure that NIH efforts to obtain accurate and objective assessments and evaluations of funding applications from referees and peer reviewers are not hindered. The exemptions will become effective when NIH publishes a Final Rule, which will not occur until the 60-day comment period provided in the NPRM has expired and any comments received on the NPRM (or on this System of Records Notice) have been addressed.

DATES:

The comment period for this System of Records Notice (SORN) is co-extensive with the 60-day comment period provided in the NPRM; i.e., written comments on the SORN should be submitted within 60 days from today's publication date. The new system, including the routine uses and the exemptions, will become effective when NIH publishes a Final Rule, which will not occur until the 60-day comment period provided in the NPRM has expired and any comments received on the NPRM (or on this SORN) have been addressed.

ADDRESSES:

You may submit comments, identified by the Privacy Act System of Records Number (09-25-0225), by any of the following methods:

  • Email: privacy@mail.nih.gov and include PA SOR number (09-25-0225) in the subject line of the message.
  • Phone: (301) 402-6201.
  • Fax: (301) 402-0169.
  • Mail or hand-delivery: NIH Privacy Act Officer, Office of Management Assessment, National Institutes of Health, 6011 Executive Boulevard, Suite 601, MSC 7669, Rockville, Maryland 20852.

Comments received will be available for public inspection at this same address from 9:00 a.m. to 3:00 p.m., Monday through Friday, except Federal holidays. Please call 301-496-4606 for an appointment.

FOR FURTHER INFORMATION CONTACT:

NIH Privacy Act Officer, Office of Management Assessment (OMA), Office of the Director (OD), National Institutes of Health (NIH), 6011 Executive Boulevard, Suite 601, MSC 7669, Rockville, Maryland 20852, or telephone (301) 402-6201.

SUPPLEMENTARY INFORMATION:

I. Background on the NIH Electronic Research Administration (eRA) Records System

The new system of records established in this Notice, “NIH Electronic Research Administration (eRA) Records, HHS/NIH/OD/OER” (hereinafter referred to as the “NIH eRA Records” system), will cover records used throughout the research and development award lifecycle, including pre-award stages of application submission, scientific peer review, award processing, post-award monitoring, and close-out. Many of the records in the system will contain information about more than one individual or type of individual (e.g., applicants, awardees, faculty members of applicant and awardee entities, application reviewers). By design, any of the records can be (and in practice will be) retrieved using the name or other personal identifier of any of the individuals whose information is contained in the records, to the extent required to help ensure that award proceedings are carried out by the NIH in accordance with all applicable federal statutes and regulations.

The eRA information technology (IT) system associated with this system of records is an HHS-designated Center of Excellence, and is used as a grants management line of business system by other federal agencies to manage their award records. Records pertaining to awards of other agencies in the eRA IT system are not covered under SORN 09-25-0225, but would be covered under SORN(s) those agencies publish, if their records require a SORN.

II. The Privacy Act

The Privacy Act governs the collection, maintenance, use, and dissemination of certain information about individuals by agencies of the Federal Government.

A System of Records (SOR) is a group of any records under the control of a Federal agency from which information about an individual is retrieved by the individual's name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register notice of the existence and character of each SOR that the agency maintains. The System of Records Notice (SORN) identifies or describes the laws authorizing the system to be maintained; the types and sources of records in the system; the categories of individuals to whom the records pertain; the purposes for which the records are used within the agency; the routine uses for which a record may be disclosed to parties outside the agency without the individual's prior, written consent; agency policies and procedures for safeguarding, storing, retrieving, accessing, retaining, and disposing of the records; the procedures for an individual to follow to make notification, access, and amendment requests to the System Manager; and whether the SOR is exempt from certain Privacy Act requirements.

Dated: September 29, 2016.

Alfred C. Johnson,

Acting Deputy Director for Management, NIH.

System Number: 09-25-0225

SYSTEM NAME:

Electronic Research Administration (eRA) Records, HHS/NIH/OD/OER.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Records will be located at:

  • The Office of Extramural Research (OER), Office of the Director (OD), National Institutes of Health (NIH), Building 1, Room 144, 1 Center Drive, Bethesda, MD 20892; and
  • any Federal Records Center where records from this system of records are archived and stored.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records contained within this system will pertain to the following categories of individuals:

1. Applicants for or Awardees of biomedical and behavioral research and development, training, career development, or loan repayment grant awards; cooperative agreement awards; and research and development contract awards;

2. Individuals who are named in applications, or awards; or individuals named on NIH intramural projects; e.g., program directors, key personnel, trainees, collaborators, consultants;

3. Peer Reviewers who review and provide evaluative input to the government about particular applications, in records such as reviewer critiques, preliminary or final individual overall impact/priority scores, and/or assignment of peer reviewers to an application;

4. Referees who, in association with a particular trainee application, supply a reference or letter of recommendation for an applicant;

5. Individual awardees and sub-awardees who are required to report inventions, patents, and utilization of subject invention(s) associated with NIH awards; and

6. Academic medical faculty, medical students and resident physicians (e.g., faculty of Association of American Medical Colleges of member institutions).

CATEGORIES OF RECORDS IN THE SYSTEM:

This system will include a variety of pre-award and award management records that contain information needed to process applications and manage grant awards across the award lifecycle. Listed below are the categories of individuals mentioned above, matched with pre-award and award management records collected about them.

1. Applicants for or Awardees of awards—pre-award and award management (awardees) information;

2. Individuals named in applications, or awards—pre-award and award management (awardees) information;

3. Referees—pre-award information;

4. Peer Reviewers—pre-award information;

5. Individuals required to report inventions, etc.—award management information; and,

6. Academic medical faculty, medical students and resident physicians—award management information.

Pre-award information includes the (1) application and related materials, and (2) documents related to the composition and function of chartered advisory committees (i.e., rosters). A record may consist of name, institution address, professional degree, demographic information, education and employment records and identifiers used by eRA Commons (i.e., user name and an IMPAC II system-assigned, unique personal identification number).

Award management information consists of materials submitted in support of an award such as (1) recommendation letters; (2) peer review related information such as application scores, reviewer critiques, summary statements and express promises of confidentiality of any information concerning applications, scores, or critiques; (3) financial information such as obligated award amounts and awardee financial reports; (4) financial conflict of interest records; (5) inventions, utilization data, patent applications, and patents; (6) publications or other scholarly products reported as associated with awards; (7) reports related to management of awards; and (8) records and reports related to data querying, reporting, tracking, compliance, evaluation, audit, and communications activities. For the academic medical faculty category, records are used to support special studies, including research and policy evaluations and to complete biomedical workforce statistical reports and include (1) faculty name, (2) employing institution and institutional address; (3) degree and year obtained; (4) demographic information; (5) field of study; (6) appointment information; and (7) employment history. For the purpose of peer review, the eRA system contains limited information on loan repayment applications (which are managed through a different System of Records, NIH SORN 09-25-0165, Division of Loan Repayment Records) and research and development contract award information for purposes of complying with statutory requirements related to research and development awards at NIH such as reporting on the inclusion of minorities, women, and children in clinical research; obtaining approval for foreign grant components from the Department of State; and to satisfy research conditions, and disease categorization reporting requirements.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The legal authority to operate and maintain this Privacy Act records system is 42 U.S.C. 217a, 241, 242, 248, 281, 282, 284, 284a, 285, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285k, 285l, 285m, 285n, 285o, 285p, 285q, 285r, 285s, 285t, 286, 287, 287b, 287c-21, 287d, 288, 35 U.S.C. 200-212, 48 CFR Subpart 15.3 and 37 CFR 401.1-16.

PURPOSE:

Records about individuals will be used within the agency for these purposes:

1. To support NIH award programs and related processes, including (1) application preparation, receipt, referral, and assignment; (2) initial peer and council reviews; (3) award processing, funding, monitoring, and close-out; and (4) data querying, reporting, tracking, compliance, evaluation, audit, and communications.

2. To track individual trainees who receive support from NIH through grants such as fellowship or career awards or who are supported through institutional training grant awards. Included are individuals in training for research and development supported in an investigator's laboratory which has an NIH-funded award (e.g., R01); these trainees are defined as “closely associated trainees”.

3. To communicate matters related to agency award programs with (1) applicant organizations, including associated systems or system providers; (2) applicant persons such as the authorized institutional representatives, principal investigator(s), trainees, or foreign collaborators; (3) peer reviewers; or (4) other entities such as Congress; federal departments or agencies, non-federal agencies or entities, or the general public.

4. To monitor the operation of review and award processes to detect and deal appropriately with any instances of real or apparent inequities.

5. To provide mandated and other requested reports to Congress and in compliance with statutory, regulatory, and policy requirements.

6. To maintain communication with former fellows and trainees who have incurred a payback obligation through the National Research Service Award Program and other federal research training programs.

7. To maintain official administrative files of agency-funded research programs.

8. To manage research portfolios.

9. To document inventions, patents, and utilization data and protect the government's right to patents made with NIH support.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

Records about an individual may be disclosed from this system of records to the following parties outside HHS, without the individual's prior written consent, for the following purposes:

1. To a congressional office from the record of an individual in response to a written inquiry from the congressional office made at the written request of the individual.

2. To the Department of Justice (DOJ) or to a court or other adjudicative body when:

  • HHS or any component thereof or participating agencies; or
  • any employee of HHS or participating agencies in the employee's official capacity; or
  • any employee of HHS agencies in the employee's individual capacity where the DOJ, HHS, or the participating agency has agreed to represent the employee; or
  • the United States,

is a party to litigation or has a direct and substantial interest in the proceeding and the disclosure of such records is deemed by the agency to be relevant and necessary to the proceeding; provided, however, that in each case, it has been determined that the disclosure is compatible with the purpose for which the records were collected.

3. When a record on its face, or in combination with other records, indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether federal, foreign, state, local, tribal, or otherwise responsible for enforcing, investigating, or prosecuting the violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to the enforcement, regulatory, investigative, or prosecutorial responsibility of the receiving entity.

4. To appropriate federal agencies and HHS contractors, grantees, consultants, or volunteers who have been engaged by HHS to assist in the accomplishment of an HHS function relating to the purposes of this system of records and that need to have access to the records in order to assist HHS in performing the activity. Any contractor will be required to comply with the Privacy Act of 1974, as amended.

5. To appropriate federal agencies and HHS contractors with a need to know the information for the purpose of assisting agency efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, if the information disclosed is relevant and necessary for that assistance.

6. To a party for a research purpose when NIH: (A) Has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is provided in individually identifiable form, and (2) warrants the risk to the privacy of the individual; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of the research, and (3) makes no further use or disclosure of the record except when required by law, and reports results of the research in de-identified or aggregate form; and (D) has secured a written statement attesting to the recipient's understanding of and willingness to abide by these provisions (i.e., signed data access agreement for system data) in which the data may relate to reports of the composition of biomedical and/or research and development workforce; authors of publications attributable to federally-funded awards; information made available through third-party systems as permitted by applicants or awardees for agency awards; information related to agency research integrity investigations; or award payment information reported to federal databases.

7. A record from this system may be disclosed to a federal, foreign, state, local, tribal or other public authority of the fact that this system of records contains information relevant to the hiring or retention of an employee, the issuance or retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant or other benefit. The other agency or licensing organization may then make a request supported by the written consent of the individual for further information if it so chooses. HHS will not make an initial disclosure unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another federal agency for criminal, civil, administrative, personnel, or regulatory action.

8. To qualified experts not within the definition of agency employees as prescribed in agency regulations or policies to obtain their opinions on applications for grants, CRADAs, inventions, or other awards as a part of the peer review process.

9. To the National Archives and Records Administration (NARA), General Services Administration (GSA), or other federal government agencies pursuant to records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.

NIH may also disclose information about an individual, without the individual's prior written consent, from this system of records to parties outside HHS for any of the purposes authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)-(11).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, SAFEGUARDING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Records are stored in various electronic media and paper form, and maintained under secure conditions in areas with limited and/or controlled access. Only authorized users whose official duties require the use of this information will have regular access to the records in this system. In accordance with established NIH, HHS and other federal security requirements, policies, and controls, records may also be located, maintained and accessed from secure servers wherever feasible or located on approved portable/mobile devices designed to hold any kind of digital data including, but not limited to laptops, tablets, PDAs, USB drives, media cards, portable hard drives, smartphones, optical storage (CDs and DVDs), and/or other mobile storage devices. Records are stored on portable/mobile storage devices only for valid business purposes and with prior approval.

RETRIEVABILITY:

Records are retrieved by the name or other personal identifier (e.g., Commons user ID) of a subject individual.

ACCESSIBILITY:

Authorized Users:

Access is strictly limited according to the principle of least privilege which means giving a user only those privileges which are essential to that user's work.

SAFEGUARDS:

Measures to prevent unauthorized disclosures are implemented as appropriate for each location or form of storage and for the types of records maintained. Safeguards conform to the HHS Information Security and Privacy Program, http://www.hhs.gov/ocio/securityprivacy/index.html. Site(s) implement personnel and procedural safeguards such as the following:

Administrative Safeguards:

Controls to ensure proper protection of information and information technology systems include, but are not limited to, the completion of a Security Assessment and Authorization (SA&A) package and a Privacy Impact Assessment (PIA) and mandatory completion of annual NIH Information Security and Privacy Awareness training or comparable specific in-kind training offered by participating agencies that has been reviewed and accepted by the NIH eRA Information Systems Security Officer (ISSO). The SA&A package consists of a Security Categorization, e-Authentication Risk Assessment, System Security Plan, evidence of Security Control Testing, Plan of Action and Milestones, Contingency Plan, and evidence of Contingency Plan Testing. When the design, development, or operation of a system of records on individuals is required to accomplish an agency function, the applicable Privacy Act Federal Acquisition Regulation (FAR) clauses are inserted in solicitations and contracts.

Physical Safeguards:

Controls to secure the data and protect paper and electronic records, buildings, and related infrastructure against threats associated with their physical environment include, but are not limited to, the use of the HHS Employee ID and/or badge number and NIH key cards, security guards, cipher locks, biometrics, and closed-circuit TV. Paper records are secured under conditions that require at least two locks to access, such as in locked file cabinets that are contained in locked offices or facilities. Electronic media are kept on secure servers or computer systems.

Technical Safeguards:

Controls executed by the computer system are employed to minimize the possibility of unauthorized access, use, or dissemination of the data in the system. They include, but are not limited to user identification, password protection, firewalls, virtual private network, encryption, intrusion detection system, common access cards, smart cards, biometrics and public key infrastructure.

Alleged or Confirmed Security Incidents:

The NIH will report and take action to remediate security incidents involving the unauthorized access or disclosure of personally identifiable and sensitive information according to applicable law, regulations, OMB guidance, HHS and NIH policies.

RETENTION AND DISPOSAL:

Records are retained and disposed of in accordance with the NIH Records Control Schedule contained in NIH Manual Chapter 1743, “Keeping and Destroying Records,” which provides these disposition periods:

  • Item E-0001 (DAA-0443-2013-0004-0001)—Official case files of construction, renovation, endowment and similar grants.

Disposition: Temporary. Cut off annually following completion of final grant-related activity that represents closing of the case file (e.g., project period ended). Destroy 20 years after cut-off;

  • Item E-0002 (DAA-0443-2013-0004-0002)—Official case files of funded grants, unfunded grants, and award applications, appeals and litigation records.

Disposition: Temporary. Cut off annually following completion of final grant-related activity that represents closing of the case file (e.g., end of project period, completed final peer review, litigation or appeal proceeding concluded). Destroy 10 years after cut-off;

  • Item E-0003 (DAA-0443-2013-0004-0003)—Animal welfare assurance files.

Disposition: Temporary. Cut off annually following closing of the case file. Destroy 4 years after cut-off; and,

  • Item E-0004 (DAA-0443-2013-0004-0004)—Extramural program and grants management oversight records.

Disposition: Temporary. Cut off annually. Destroy 3 years after cut-off.

Refer to the NIH Manual Chapter for specific retention and disposition instructions: http://www1.od.nih.gov/oma/manualchapters/management/1743.

SYSTEM MANAGER AND ADDRESS:

OER Privacy Coordinator, Office of Extramural Research (OER), Office of the Director (OD), National Institutes of Health (NIH), 1 Center Drive, Room 144, Bethesda, MD 20814.

NOTIFICATION PROCEDURE:

Certain material will be exempt from notification; however, consideration will be given to all notification requests addressed to the System Manager. Any individual who wants to know whether this system of records contains a record about him or her must make a written request to the System Manager identified above. The requester should provide either a notarization of the request or a written certification that the requester is who he or she claims to be and understands that the knowing and willful request of a record pertaining to an individual under false pretenses is a criminal offense under the Privacy Act, subject to a five thousand dollar fine. The request should include the requester's full name and address, and should also include the following information, if known: The approximate date(s) the information was collected, the type(s) of information collected, and the office(s) or official(s) responsible for the collection of information.

RECORD ACCESS PROCEDURE:

Certain material will be exempt from access; however, consideration will be given to all access requests addressed to the System Manager. To request access to a record about you, write to the System Manager identified above, and provide the information described under “Notification Procedure”. Individuals may also request an accounting of disclosures that have been made of their records, if any.

CONTESTING RECORD PROCEDURE (REDRESS):

Certain material will be exempt from amendment; however, consideration will be given to all amendment requests addressed to the System Manager. To contest information in a record about you, write to the System Manager identified above, reasonably identify the record and specify the information being contested, state the corrective action sought and the reason(s) for requesting the correction, and provide supporting information. The right to contest records is limited to information that is factually inaccurate, incomplete, irrelevant, or untimely (obsolete).

RECORD SOURCE CATEGORIES:

Information in records retrieved by a particular individual's identifier will be obtained directly from that individual or from other individuals and entities named in, contacted about, or involved in processing the records, including applicant institutions; NIH and customer agency acquisition personnel; educational, trainee and awardee institutions; and third parties that provide references or recommendations concerning the subject individual.

SYSTEM EXEMPTED FROM CERTAIN PROVISIONS OF THE PRIVACY ACT:

Pursuant to 5 U.S.C. 552a(k)(5), the following subset of records in this system of records qualifies as investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal contracts, and will be exempted from the Privacy Act requirements pertaining to providing an accounting of disclosures, access and amendment, and notification (5 U.S.C. 552a (c)(3) and (d)):

Material that would inappropriately reveal the identities of referees who provide letters of recommendation and peer reviewers who provide written evaluative input and recommendations to NIH about particular funding applications under an express promise by the government that their identities in association with the written work products they authored and provided to the government will be kept confidential; this includes only material that would reveal a particular referee or peer reviewer as the author of a specific work product (e.g., reference or recommendation letters, reviewer critiques, preliminary or final individual overall impact/priority scores, and/or assignment of peer reviewers to an application and other evaluative materials and data compiled by NIH/OER); it includes not only an author's name but any content that could enable the author to be identified from context.

The exemptions will be effective upon publication of a final rule in the Federal Register, promulgating the exemptions as an amendment to HHS' Privacy Act regulations at 45 CFR 5b.11. To the extent that records in System No. 09-25-0225 are retrieved by personal identifiers for individuals other than referees and peer reviewers (for example, individual funding applicants, and other individuals who are the subject of assessment or evaluation), the exemptions will enable the agency to prevent, when appropriate, those individual record subjects from having access to, and other rights under the Privacy Act with respect to, the above-described confidential source-identifying material in the records.

[FR Doc. 2016-29059 Filed 12-7-16; 8:45 am]
