AGENCY:
Office of the Assistant Secretary for Administration and Management.
ACTION:
Notice of a New Privacy Act System of Records.
SUMMARY:
In accordance with the requirements of the Privacy Act of 1974, the Department of Health and Human Services is establishing a new system of records entitled, “Facility and Resource Access Control Records,” System No. 09-90-0777. This notice implements in part Homeland Security Presidential Directive 12 (HSPD-12), “Policy for a Common Identification Standard for Federal Employees and Contractors” of August 27, 2004. HSPD-12 requires all employees, contractors, and others who will be granted regular access to federal facilities for more than six months to undergo a background investigation to determine suitability and to be issued a Personal Identity Verification (PIV) Card (i.e. an identification badge). The purpose of the program is to enhance access controls to federal facilities to improve security. The badge stores the individual's name, employing organization, the badge issuer, the badge serial number, the expiration date, a picture of the badge holder, two fingerprints, and four encryption keys that may be used by the PIV card holder, when properly activated, in association with federal information technology resources. The Facility and Resource Access Control Records comprise information about the issuance of Personal Identity Verification (PIV) cards, PIV card holders (e.g. employees, contractors), other individuals who require regular access to HHS facilities or resources, and the use of PIV cards to access facilities or resources. The Facility and Resource Access Control Records also include information about occasional visitors and short-term guests who do not carry PIV cards but to whom HHS will issue temporary credentials.
DATES:
Effective Date: The new system of records will be effective on the date of publication of this notice, with the exception of the routine uses, which will become effective on September 8, 2010. We may defer implementation of this system or one or more of the routine use statements listed below if we receive comments that persuade us to do so.
DATES:
Comments are due by September 8, 2010.
ADDRESSES:
Address comments to HHS Privacy Act Officer, Mary E. Switzer Building, Department of Health and Human Services, 330 “C” Street, SW., Washington, DC 20201, or via electronic mail to HSPD12-privacy at hhs.gov. Comments will be available for public viewing in the public reading room located at the same address, or on our Web site at http://www.hhs.gov. To review comments in person, please call the Division of Freedom of Information and Privacy at 202-690-7453 for an appointment.
FOR FURTHER INFORMATION CONTACT:
Ms. Maya A. Bernstein, Office of the Assistant Secretary for Planning and Evaluation, 200 Independence Avenue, SW., Room 434E, Washington, DC 20201, via e-mail at maya.bernstein@hhs.gov, or via telephone at 202/690-7100.
SUPPLEMENTARY INFORMATION:
The Facility and Resource Access Control Records enhance HHS' security and permit the Department to comply with Homeland Security Presidential Directive 12 (HSPD-12), “Policy for a Common Identification Standard for Federal Employees and Contractors.” This Presidential mandate requires all government employees, contractors, and certain other individuals to use new identification badges, known as Personal Identity Verification (PIV) cards, as their singular form of identification when accessing government buildings, facilities, or information technology systems. The PIV card will enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy.
Before obtaining a PIV card, each employee or contractor must undergo a standardized security credentialing process, including background investigations, to ensure safety of HHS facilities and the people who work in them. The PIV card system places modern card readers at the entrances of HHS facilities that allow interoperability with all federal agencies and ensure that entry of employees, contractors, and other regular visitors is strictly authorized. Leveraging cutting-edge technologies such as fingerprint recognition and single sign-on capabilities, this technology will reduce identity fraud and ensure only authorized users can access essential information. Finally, by protecting employees, facilities, and information, the PIV card guards the government resources that provide critical services to the American people.
The PIV card will store the holder's name, employing organization, the badge issuer, the badge serial number, the expiration date, a picture of the badge holder, two fingerprints, and encryption keys that may be activated for access to information technology resources, if needed. It will not store other identifying information such as social security number or birth date. An associated database will store similar information in order to verify that individuals entering federal buildings or using other federal resources, such as information technology (IT) systems, are properly authorized for that access. In addition, the database will be used to verify the ability of other agencies' PIV card holders to enter HHS facilities or use HHS resources.
Although HHS will not issue PIV cards to occasional visitors, information about occasional visitors will be maintained as part of the Facility and Resource Access Control Records. Some of these visitors may be required to undergo brief criminal history checks, depending on the reason for their visit and how often they enter our facilities or use our (IT) systems. The Facility and Resource Access Control Records includes that information.
Routine Uses
In addition to the collection, use, and disclosure of information described in the statute itself, the Privacy Act permits HHS to establish disclosures to non-HHS entities that are not already identified by statute, and do not require the individual record subject's consent, by using an administrative process. These disclosures are known as “routine uses,” and are permitted to be established if they are “compatible with the purpose” for which the information was collected, and if the agency publishes them in the Federal Register for 30 days in advance. Both identifiable and non-identifiable data may be disclosed under a routine use. This notice includes routine uses for the new system, and they are described below.
Most of the routine uses fall into standard categories that are common to most systems of records across the government. These include (1) disclosure to the Department of Justice (DOJ) when DOJ represents HHS, our employees, or the government in litigation, and they need to have access to the records to perform that function. If such a case goes to court, another routine use (2) permits the records to be disclosed in evidence before a federal court or appropriate adjudicative body. There is a disclosure (3) permitted when a record in this system of records or in combination with other records indicates a violation of law — we turn them over to the appropriate law enforcement entity in order to maintain the integrity of the program and ensure trust in the system. Another routine use (4) permits disclosure for intelligence and national security purposes, especially since the system manages information about persons that have access to federal facilities and federal information technology systems that has been recognized by the President as a homeland security issue.
The routine use disclosure to an individual Member of Congress (5) permits the Department to cooperate with a Member of Congress seeking information on behalf of a constituent (as opposed to the Committees of jurisdiction performing oversight) with a matter that involves these records. If the request is in writing, and we obtain a copy of the request, we will assume the constituent's consent for the Member to obtain records on a constituent's behalf even if a formal authorization is not included, so that the Department and the Member can better serve our citizens. However, the Member would get no more access to the record than that to which the constituent is entitled.
The sixth routine use (6) permits the National Archives and Records Administration to carry out records management functions.
Where HHS engages a contractor to carry out a function related to this system of records, routine use (7) permits disclosure to those individuals who require access to the records in order to perform the contracted work, and we will require the contractor to comply with the Privacy Act. Another routine use (8) permits disclosure to contractors or other agencies for the purpose of assisting the Department in responding to a suspected or confirmed data breach.
When an individual submits an application for a background investigation, the individual normally signs an authorization permitting records to be obtained by the investigator from almost any source. Occasionally, after an individual has moved to another job or contract, if negative information should come to light relevant to another entity's decision about the suitability of the individual, a routine use (9) allows HHS to notify the other entity merely that we have relevant information. It is expected that the other entity, if interested in pursuing the matter, would present a written authorization on which HHS could rely to disclose more detailed records. However, the disclosed information will be limited to that which is reliable enough for such a referral.
Finally, one routine use is particular to the PIV card system and allows the program to function as it is intended. HSPD-12 directs that, eventually, all PIV card holders should, in most cases, be able to visit other federal facilities and, if appropriate, use other agencies' computer resources, by presenting the PIV card. This system of records also describes information about visitors to HHS who have a PIV card from another agency. Therefore, this system of records also comprises information about those visitors, their entry and exit times, and summary information about them. A routine use (10) permits HHS to notify another federal agency if a PIV card is expired or no longer valid.
Safeguards
HHS has safeguards in place for authorized users and monitors such users to ensure against excessive or unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.
This system will conform to all applicable federal laws and regulations and federal and HHS policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, and the Clinger-Cohen Act of 1996 Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, and HHS policies and standards include but are not limited to: all pertinent National Institute of Standards and Technology publications and the HHS Information Systems Program Handbook.
Dated: July 26, 2010.
RADM Arthur J. Lawrence,
Director, Office of Security and Strategic Information.
SYSTEM NO. 09-90-0777
SYSTEM NAME:
“Facility and Resource Access Control Records”.
SECURITY CLASSIFICATION:
Most identity records are not classified. However, in some cases, records of certain individuals, or portions of some records, may be classified in the interest of national security.
SYSTEM LOCATION:
Data covered by this system are maintained at the following locations: Department of Health and Human Services (HHS), Office of the Secretary, 200 Independence Avenue, SW., Washington, DC 20201; HHS Operating Divisions and regional offices around the country; Qwest Datacenter in Sterling, Virginia; and the Qwest CyberCenter in Highlands Ranch, Colorado. Some data covered by this system will be accessed at HHS locations, both federal buildings and federally-leased space, and at the physical security office(s) or computer security offices of those locations.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
(1) Individuals who require or are under consideration to obtain regular, ongoing access to HHS facilities, information technology systems, or information classified in the interest of national security, such as applicants for employment or contracts with HHS, federal employees, tribal members, contractors, students, interns, volunteers, affiliates such as individuals authorized to perform or use services provided in HHS facilities (e.g., HEW Credit Union, fitness center, etc.) and individuals formerly in any of these positions. (2) PIV card holders from other agencies who visit HHS facilities or use HHS computer systems. (3) Occasional visitors or short-term employees or guests who do not carry PIV cards and do not require certificates for using encryption with a Public Key Infrastructure (PKI), to whom HHS will issue temporary identification and low assurance credentials.
CATEGORIES OF RECORDS IN THE SYSTEM:
(1) Records maintained on individuals issued credentials by HHS include the following: Full name, Social Security number; date and place of birth; citizenship; signature; image (photograph); fingerprints; hair color; eye color; height; weight; sex; race; scars, marks, or tattoos; organization/office of assignment, location and contact information; PIV card issue and expiration dates; personal identification number (PIN); PIV request form; PIV sponsor, enrollment, registrar and issuance information; PIV card serial number; emergency responder designation; foreign national designator; contractor designator; information derived from documents used to verify identity such as document title, issuing authority, or expiration date; position sensitivity; level of national security clearance and expiration date; computer system user name; user access and permission rights; authentication certificates; digital signature information; employment category; position title; dates, times, and locations of entries and exits.
(2) HHS maintains the following categories of records about PIV card holders from other agencies entering HHS facilities or using HHS systems: Name, PIV card serial number; dates, times, and locations of entries and exits; organization name; level of national security clearance and expiration date; digital signature information; computer networks, applications, and data accessed.
(3) HHS maintains the following categories of records about occasional visitors and short term guests: name, photograph, date and time of entry and exit, facility to which admitted, and name of person visiting.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
5 U.S.C. 301; Information Technology Management Reform Act of 1996 (Pub. L. 104-106, sec. 5113); Electronic Government Act (Pub. L. 104-347, sec. 203); Paperwork Reduction Act of 1995 (44 U.S.C. ch. 35); Government Paperwork Elimination Act (Pub. L. 105-277, sec. 1701, 44 U.S.C. 3504); Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors, Aug. 27, 2004; Federal Property and Administrative Act of 1949, as amended.
PURPOSE(S) OF THE SYSTEM:
The primary purposes of the system of records are to (1) Ensure the safety and security of HHS facilities, systems, or information, and our occupants and users; (2) to verify that all persons entering federal facilities, using federal information resources, or accessing classified information are authorized to do so; and (3) to track and control PIV cards and other identity credentials issued to persons entering and exiting the facilities, using systems, or accessing classified information.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES:
Information about covered individuals may be disclosed without consent as permitted by the Privacy Act of 1974, 5 U.S.C. 552a(b), and:
(1) To the Department of Justice when: (a) The agency or any component thereof; or (b) any employee of the agency in his or her official capacity; (c) any employee of the agency in his or her individual capacity where agency or the Department of Justice has agreed to represent the employee; or (d) the United States government, is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records by DOJ is therefore deemed by the agency to be for a purpose compatible with the purpose for which the agency collected the records.
(2) To a court or adjudicative body in a proceeding when: (a) The agency or any component thereof; (b) any employee of the agency in his or her official capacity; (c) any employee of the agency in his or her individual capacity where agency or the Department of Justice has agreed to represent the employee; or (d) the United States government, is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records is therefore deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records.
(3) Except as noted on Forms SF 85, 85-P, and 86, when a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether federal, foreign, state, local, or tribal, or otherwise, responsible for enforcing, investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to any enforcement, regulatory, investigative or prosecutorial responsibility of the receiving entity.
(4) To a federal, state, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 or any successor order, applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders or directives.
(5) To a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained.
(6) To the National Archives and Records Administration or to the General Services Administration for records management inspections conducted under 44 U.S.C. 2904 and 2906.
(7) To agency contractors who have been engaged to assist the agency in the performance of a contract service, grant, cooperative agreement, or other activity related to this system of records and who need to have access to the records in order to perform the activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a.
(8) To appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.
(9) To a federal, state, local, foreign, or tribal or other public authority the fact that this system of records contains information relevant to the retention of an employee, the retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant, or other benefit. The other agency or licensing organization may then make a request supported by the written consent of the individual for the entire record if it so chooses. No disclosure will be made unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another federal agency for criminal, civil, administrative personnel or regulatory action.
(10) To another federal agency to notify that agency when, or verify whether, a PIV card is no longer valid.
Note:
Disclosures of data pertaining to date and time of entry and exit of an agency employee working in the District of Columbia may not be made to supervisors, managers or any other persons (other than the individual to whom the information applies) to verify employee time and attendance record for personnel actions because 5 U.S.C. 6106 prohibits federal Executive agencies (other than the Bureau of Engraving and Printing) from using a recording clock within the District of Columbia, unless used as a part of a flexible schedule program under 5 U.S.C. 6120 et seq.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Records are stored in electronic media and in paper files.
RETRIEVABILITY:
Records are retrievable by name, date of birth, Social Security number, photographic identifiers, biometric identifiers, HHS Identification Number, and PIV card serial numbers.
SAFEGUARDS:
HHS has safeguards in place for authorized users and monitors such users to ensure against excessive or unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.
This system will conform to all applicable federal laws and regulations and federal and HHS policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, and HHS policies and standards include but are not limited to: All pertinent National Institute of Standards and Technology publications and the HHS Information Systems Program Handbook.
Paper records are kept in locked cabinets in secure facilities and access to them is restricted to individuals whose role requires use of the records. The computer servers in which records are stored are located in facilities that are secured by alarm systems and off-master key access. The computer servers themselves are two-factor protected with Public Key Infrastructure (PKI) credentials, Personal Identification Numbers (PINs) and passwords. Access to individuals working at guard stations, operating enrollment stations, issuance stations, or the portal for sponsorship and adjudication will be two-factor protected using PKI and PIN; each person granted access to the system at guard stations, enrollment stations, issuance stations or through the portal must be individually authorized to use the system. A notice warning users that they are responsible for protecting the information in accordance with the Privacy Act, the Computer Security Act, and the Federal Information Security Management Act appears on the monitor screen when records containing information on individuals are first displayed. Data exchanged between the servers and the personal computers at the guard stations and badging office are encrypted. Backup tapes are stored in a locked and controlled room in a secure, off-site location.
An audit trail is maintained and reviewed periodically to identify unauthorized access. Persons given roles in the PIV process must complete training specific to their roles to ensure they are knowledgeable about how to protect individually identifiable information.
RETENTION AND DISPOSAL:
Records relating to persons' access covered by this system are retained in accordance with General Records Schedule 18, Item 17 approved by the National Archives and Records Administration (NARA). Unless retained for specific, ongoing security investigations, for maximum security facilities, records of access are maintained for five years and then destroyed. For other facilities, records are maintained for two years and then destroyed.
All other records relating to individuals are retained and disposed of in accordance with General Records Schedule 18, item 22, approved by NARA. In accordance with HSPD-12, PIV cards are deactivated within 18 hours of cardholder separation, loss of card, or expiration. PIV cards are destroyed by cross-cut shredding no later than 90 days after deactivation.
SYSTEM MANAGER AND ADDRESS:
Ken Calabrese, HHS Chief Technology Officer, Office of the HHS Chief Information Officer, Department of Health and Human Services, 200 Independence Avenue, SW., Washington, DC 20201.
NOTIFICATION PROCEDURE:
An individual can determine if this system contains a record pertaining to himself or herself by sending a request in writing, signed, to HHS Privacy Act Officer, Room 2221, Mary E. Switzer Building, Department of Health and Human Services, 330 “C” Street, SW., Washington, DC 20201. When requesting notification of or access to records covered by this Notice, an individual should provide his/her full name, date of birth, agency name, and work location. An individual requesting notification of records in person must provide identity documents sufficient to satisfy the custodian of the records that the requester is entitled to access, such as a government-issued photo ID. Individuals requesting notification via telephone must furnish, at a minimum, name, date of birth, social security number, and home address in order to establish identity. Individuals requesting notification via mail shall submit a notarized request to the responsible Department official to verify his or her identity or shall certify in his or her request that he or she is the individual who he or she claims to be and that he or she understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Act subject to a $5,000 fine.
RECORD ACCESS PROCEDURE:
In addition to the procedures above, requesters should reasonably specify the record contents being sought. If additional information or assistance is required, contact the HHS Privacy Act Officer, Room 2221, Mary E. Switzer Building, Department of Health and Human Services, 330 “C” Street, SW., Washington, DC 20201. Write the words “Privacy Act Request” on the envelope and on the letter. For purpose of access, use the same procedures outlined in the Notification Procedures above. (These procedures are in accordance with Department regulation 45 CFR 5b.5 (a) (2).)
CONTESTING RECORDS PROCEDURES:
In addition to the procedures above, requesters should also reasonably identify the record, specify the information they are contesting, state the corrective action sought and the reasons for the correction along with supporting justification showing why the record is not accurate, timely, relevant, or complete. Rules regarding amendment of Privacy Act records appear in 45 CFR part 5a. If additional information or assistance is required, contact the HHS Privacy Act Officer, Room 2221, Mary E. Switzer Building, Department of Health and Human Services, 330 “C” Street, SW., Washington, DC 20201. Write the words “Privacy Act Request” on the envelope and on the letter.
RECORDS SOURCE CATEGORIES:
Employee, contractor, or applicant; sponsoring agency; former sponsoring agency; other federal agencies; contract employer; former employer.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
None.
[FR Doc. 2010-19536 Filed 8-6-10; 8:45 am]
BILLING CODE 4150-03-P