Privacy Act of 1974; Report of a New System of Records; FDA Records Related to Research Misconduct Proceedings

AGENCY:

Food and Drug Administration, HHS.

ACTION:

Notice of a Privacy Act system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974 (the Privacy Act) and the Food and Drug Administration's (FDA's) regulations for the protection of privacy, FDA is publishing notice of a new Privacy Act system of records entitled “FDA Records Related to Research Misconduct Proceedings, HHS/FDA/OC” System No. 09-10-0020. Under the Department of Health and Human Services' (HHS' or the Department's) Public Health Service Policies on Research Misconduct, FDA has responsibilities for addressing research integrity and misconduct issues related to FDA supported activities. This system contains records related to the processing and reviewing of allegations of scientific research misconduct levied against an individual (the respondent) who is an agent of, or affiliated by contract or agreement with, FDA, or an FDA employee involved in intramural research. Research misconduct proceedings include allegation assessments, inquiries, investigations, oversight reviews by HHS' Office of Research Integrity (ORI), hearings, and administrative appeals.

DATES:

Effective Date: The new system of records will be effective on August 28, 2012, with the exception of the routine uses and the requested exemptions. The routine uses will become effective on October 12, 2012. As detailed in the companion rulemaking documents published elsewhere in this issue of the Federal Register, unless revised or withdrawn in response to comments, the requested exemptions will become effective 135 days after publication of the companion rulemaking documents. Submit either electronic or written comments regarding this document by October 12, 2012.

ADDRESSES:

You may submit comments, identified by Docket No. FDA-2011-N-0253, by any of the following methods:

Electronic Submissions

Submit electronic comments in the following way:

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

Written Submissions

Submit written submissions in the following ways:

• FAX: 301-827-6870.
• Mail/Hand delivery/Courier (for paper or CD-ROM submissions): Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.

Instructions: All submissions received must include the Agency name and docket number for this document. All comments received may be posted without change to http://www.regulations.gov,, including any personal information provided. For additional information on submitting comments, see the “Comments” heading of the SUPPLEMENTARY INFORMATION section of this document.

Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov and insert the docket number, found in brackets in the heading of this document, into the “Search” box and follow the prompts and/or go to the Division of Dockets Management, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.

FOR FURTHER INFORMATION CONTACT:

Eileen Parish, Office of the Chief Scientist, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 32, Rm. 4214, Silver Spring, MD 20993, 301-796-8522, Eileen.Parish@fda.hhs.gov.

SUPPLEMENTARY INFORMATION:

I. New System of Records

A. Description of the System of Records

1. Collection and Maintenance of Data in the System

This system will collect and maintain personally identifiable information (PII) and other data collected during the research misconduct process. The collected information will include, but is not limited to: Name, address, telephone number, education, professional experience, employment address, and training of an individual(s) who is (are) the subject of allegations. In addition, the system will contain records of complaints received, including the identity of the complainant, and how complaints were received and resolved. Also included will be information of witnesses and members of research misconduct committees.

2. Agency Procedures

FDA's procedures for disclosures of information maintained in this system of records are set forth in 21 CFR part 21.

B. Routine Use Disclosures of Information in the System

In accordance with the Privacy Act (5 U.S.C. 552a), FDA is providing notice of the “routine uses” of the records contained in the system of records. Disclosure of such records is permitted without the written consent of the individual to whom the record pertains, if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected (5 U.S.C. 552a(b)(3)). Any such compatible use of data is known as a “routine use.” The routine uses in this system meet the compatibility requirement of the Privacy Act.

The first two routine uses permit FDA to share information from this system with the individual or entity submitting an allegation; witnesses; pertinent Federal, State, and local agencies; and third parties that can provide information related to the allegation or proceeding.

In the event of a suspected or confirmed breach of security or confidentiality of the system, the third routine use allows disclosures to Federal Agencies as necessary in order to respond to the breach. Likewise, where a record indicates a violation of law, FDA may share information with the responsible enforcement authority under the fifth routine use, and may provide information to the Department of Homeland Security (DHS) in circumstances where system records are captured in an intrusion detection program and made accessible to DHS as described in routine use 15.

When health implications are evident based on information developed in the course of a proceeding, the fourth routine use permits disclosure to research subjects, institutional review boards, and collaborating institutions.

When FDA finds research misconduct has occurred, routine uses 6 through 10 describe disclosures FDA may make to FDA supported entities (routine use 6), to the respondent's supervisor or employer (routine use 7 and 8), to publications as needed to retract research results (routine use 9), and licensing authorities (routine use 10). Similarly, routine use 12 permits disclosure of information to the parties and related institutions when FDA does not find research misconduct.

Additional routine uses common to Federal records systems provide for disclosure to contractors and others who perform services for FDA related to this system (routine use 11), to the Department of Justice (DOJ) as related to the DOJ's representation of FDA or Agency employees (routine use 13), to courts when the records are relevant in legal actions involving the U.S. Government, FDA, or Agency employees (routine use 14), and, to the National Archives and Records Administration and General Services Administration as needed in the course of records management inspections (routine use 16).

As specified in section I.K of this document (see Routine Uses of Records Maintained in the System Including the Purposes of Such Uses and Categories of Users), many of these routine use disclosures will be restricted and subject to confidentiality or similar nondisclosure agreements in order to protect privacy.

Because this is a law enforcement investigatory system, HHS and FDA intend to amend their Privacy Act regulations (45 CFR 5b.11 and 21 CFR 21.61, respectively) to exempt records in this system related to ongoing investigations or that would reveal a confidential source from the notification, access, and amendments provisions of the Privacy Act. These exemptions are necessary to maintain the integrity of research misconduct proceedings and allow FDA to obtain essential information. The proposed exemptions would ensure that the records related to ongoing investigations will not be disclosed inappropriately and that the identities of confidential sources will be protected. FDA and HHS are publishing companion rulemaking documents regarding these exemptions elsewhere in this issue of the Federal Register.

C. System Number

The system number is: 09-10-0020.

D. System Name

The system name is: FDA Records Related to Research Misconduct Proceedings, HHS/FDA/OC.

E. Security Classification

The security classification for the system is: Unclassified.

F. System Location

System records are located in the Office of the Chief Scientist, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 32, rm. 4214, Silver Spring, MD 20993. Some records may reside in the Agency component offices during the time that an allegation is under review.

G. Categories of Individuals Covered by the System

This system includes records related to the processing and reviewing of allegations of research misconduct levied against an individual (the respondent) who is an agent of, or affiliated by contract or agreement with FDA, or an FDA employee involved in intramural research. The records contain personally identifiable information (PII) and non-PII about respondents, complainants, witnesses and other individuals affiliated with entities that are contacted by or provide information to FDA.

Privacy Act notification, access, and amendment rights (described in this document) relative to this system are available to individuals who are subjects of records in the system, that is, respondents. Although records in the system may contain PII related to other individuals, only respondents are considered subjects of records in this system.

“Respondents” is defined as “the person against whom an allegation of research misconduct is directed or who is the subject of a research misconduct proceeding.” The term “research misconduct” is defined in 42 CFR 93.103 to mean “fabrication, falsification, or plagiarism in proposing, performing, or reviewing research, or in reporting research results.” These and other definitions are set out in 42 CFR part 93.

This system notice applies to an allegation of research misconduct involving the following: (1) Applications or proposals for FDA support for biomedical or behavioral extramural or intramural research or research training, or activities related to that research or research training; (2) FDA supported biomedical or behavioral extramural or intramural research; (3) FDA supported extramural or intramural research training programs; (4) FDA supported extramural or intramural activities that are related to biomedical or behavioral research or research training; and (5) plagiarism of research records produced in the course of FDA supported research, research training, or activities related to that research or research training.

H. Categories of Records in the System

The records in the system include information that must be submitted to ORI by FDA under 42 CFR part 93 and information that FDA obtains while conducting research misconduct proceedings. This information may include, but is not limited to:

• PII about respondents such as name, date of birth, employment information, educational background, social security number, personal and professional phone numbers, mailing address, and email address;
• PII regarding complainants and witnesses such as name, and personal or work contact information;
• The nature and substance of allegations;
• Data regarding FDA funding related to the research and/or respondent, including grants numbers;
• The organization(s) and officials responsible for conducting the action that are part of the research misconduct proceeding;
• The documentation used in the inquiry and investigation, including relevant research data and materials, which may include relevant information on study subjects;
• Applications, proposals, and documentation related to review and award actions;
• Reports, abstracts, manuscripts, and publications by the respondent(s);
• Other relevant reports, abstracts, manuscripts, and publications;
• Correspondence and memoranda of telephone calls;
• Summaries of interviews and transcripts or recordings of interviews;
• Statistical, scientific, and forensic analyses;
• Interim and final FDA reports; and
• Records of Agency findings, administrative actions, and appeal proceedings, if any.

The system also contains general administrative and oversight records regarding ORI actions. This includes information related to the following: (1) ORI reviews of the research misconduct proceedings, ORI findings of research misconduct, and ORI proposals for administrative action or for settlement of the case; (2) a respondent's opportunity to contest ORI findings of research misconduct and proposed HHS administrative actions; (3) final HHS findings of research misconduct and final decisions regarding administrative actions and their implementation; and (4) FDA and ORI coordination with other Federal, State, and local offices or agencies, including the DOJ.

I. Authority for Maintenance of the System

The authorities for maintaining this system are: 21 U.S.C. 371, 375, 393(d)(2), 394, 397, and 399a; 42 U.S.C. 216(b), 241, 289b; 5 U.S.C. 301; 44 U.S.C. 3101; and 42 CFR part 93.

J. Purpose

The purposes of this system are to do the following:

1. Enable FDA, ORI, HHS, and the Federal Government to protect the health and safety of the public, to promote the integrity of FDA supported research, and to conserve public funds.

2. Enable FDA to implement its authority relating to research misconduct proceedings as set forth in 42 CFR part 93 and to document FDA activities in implementing that authority.

3. Ensure that research misconduct proceedings, including FDA's implementation of the Agency's and other HHS administrative actions, are carried out in accordance with FDA policy, 42 CFR part 93, and other applicable Federal statutes and regulations.

4. Enable FDA to inform Agency officials and other HHS officials who have a need for the records in the performance of their duties of the status and results of research misconduct proceedings.

5. Enable FDA to notify, consult with, and provide assistance to ORI, and other Federal, State, or local agencies to permit them to take action to protect the health and safety of the public, to promote the integrity of FDA supported research, to conserve public funds, or to pursue potential violations of civil and criminal statutes.

K. Routine Uses of Records Maintained in the System Including the Purposes of Such Uses and Categories of Users

The Privacy Act lists the conditions for disclosure under 5 U.S.C. 552a(b). Among the permitted disclosures is disclosure “to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties” (5 U.S.C. 552a(b)(1)). For this system of records, this condition would include disclosure to the appropriate FDA, ORI, and other HHS officers and employees.

Permitted disclosures also include routine uses that are listed in the notice of the system of records (5 U.S.C. 552a(b)(3)). The Privacy Act defines “routine use” as “with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” See also FDA's Privacy Act regulations, defining “routine use” as “use outside the Department of Health and Human Services that is compatible with the purpose for which the records were collected and described in the [System of Records] notice)” (21 CFR 21.20(b)(5)).

Records in this system that contain information about record subjects (respondents) and nonsubjects (witnesses, complainants, and other individuals affiliated with entities that are contacted by or provide information to FDA) may be disclosed to recipients outside HHS in accordance with the following routine uses:

1. Disclosure may be made to any individual or entity able to obtain information or provide information or assistance in a research misconduct proceeding or related proceeding. Recipients of disclosures under this routine use may include experts asked to perform statistical, forensic, or other analyses; the relevant FDA supported institution(s); institutions with which the respondent(s) was previously affiliated; Federal, State and local agencies; the respondent(s); the complainant(s); witnesses; and organizations or individuals acting on behalf of those agencies, institutions, and individuals; provided, however, that in each case FDA determines whether limited disclosures or confidentiality agreements are needed to protect the privacy of respondent(s), complainant(s), witnesses, research subjects, or others who may be identified in the records to be disclosed.

2. Disclosure may be made to other Federal, State, or local agencies and offices, if FDA has reason to believe that a research misconduct proceeding may involve that agency or office.

3. Disclosure may be made to appropriate Federal Agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.

4. Disclosure may be made to Institutional Review Boards, collaborating institutions, and individual research subjects, regarding information obtained or developed through a research misconduct proceeding that, in FDA's judgment, may have implications for individuals' health or for their participation in a research study.

5. When a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, disclosure may be made to the appropriate agency, whether Federal, foreign, State, local, or tribal, or other public authority responsible for enforcing, investigating, or prosecuting such violation, if the information disclosed is relevant to the responsibilities of the agency or public authority.

6. After FDA makes a finding of research misconduct and has informed ORI of this finding, disclosure may be made to responsible officials of FDA supported institutions or organizations, when in connection with a research misconduct proceeding concerning a respondent previously or currently employed by, or affiliated with the institution or organization, or when FDA, ORI, or HHS makes a finding or takes an action potentially affecting the agency or organization or its FDA support for research, research training, or related activities.

7. After FDA makes a finding of research misconduct and has informed ORI of this finding, disclosure may be made to the respondent's supervisor because research will be a significant part of many employee jobs, and performance is an important element of information to help the supervisor determine employee assignments as well as the level of supervision needed. If an individual moves to another job or contract, FDA may notify the other entity that we have relevant information with regard to that individual.

8. After FDA makes a finding of research misconduct and has informed ORI of this finding, disclosure may be made to a Federal Agency in connection with the hiring or retention of the respondent, the issuance of a security clearance, the reporting of an investigation of an employee, or the issuance of a license or other benefit by the Agency, to the extent that the record is relevant to the Agency's decision on the matter.

9. After FDA makes a finding of research misconduct and has informed ORI of this finding, disclosure may be made to professional journals, other publications, news media, and the public concerning research misconduct findings and the need to correct or retract research results or reports that have been affected by research misconduct, unless it is determined that release of the specific information in the context of a particular case would constitute a clearly unwarranted invasion of personal privacy. No information will be released that would reveal a confidential source.

10. After FDA makes a finding of research misconduct and has informed ORI of this finding, disclosure may be made to a State licensing board, certifying body, or other similar entity conducting a review of the respondent to aid the entity in meeting its responsibility to protect the health of the population in its jurisdiction or the integrity of the profession.

11. Disclosure may be made to contractors and other individuals or entities who perform services for the Agency related to this system of records and who have access to the records in order to perform such services, including individuals appointed to serve on FDA research misconduct inquiry committees or investigation committees if such individuals need access to the records to perform their assigned task. Provided, however, in each case FDA determines whether limited disclosures or confidentiality agreements are needed to protect the privacy of respondent(s), complainants(s), witnesses, research subjects, or others who may be identified in the records to be disclosed; and FDA determines that the disclosure is for a purpose compatible with the purpose for which the Agency collected the records.

12. When FDA closes a case without a settlement or finding of research misconduct, disclosure may be made to the respondent, relevant institution, and complainant(s); provided, however, that in each case FDA determines whether limited disclosures or confidentiality agreements are needed to protect the privacy of respondent(s), complainant(s), witnesses, research subjects, or others who may be identified in the records to be disclosed.

13. Disclosure may be made to the DOJ when: (1) The Agency or any component thereof; or (2) any employee of the Agency in his or her official capacity; or (3) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee; or (4) the U.S. Government is a party to litigation or has an interest in such litigation, and by careful review, the Agency determines that the records are both relevant and necessary to the litigation and the use of such records by the DOJ is therefore deemed by the Agency to be for a purpose that is compatible with the purpose for which the Agency collected the records.

14. Disclosure may be made to a court or other tribunal when: (1) The Agency or any component thereof; or (2) any employee of the Agency in his or her official capacity; or (3) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee; or (4) the U.S. Government is a party to the proceeding or has an interest in such proceeding, and by careful review, the Agency determines that the records are both relevant and necessary to the proceeding and the use of such records is therefore deemed by the Agency to be for a purpose that is compatible with the purpose for which the Agency collected the records.

15. Einstein 2 Cyber Security Monitoring: Records may become accessible to U.S. Department of Homeland Security (DHS) cyber security personnel, if captured in an intrusion detection system used by HHS and DHS pursuant to the Einstein 2 program. Under Einstein 2, DHS uses intrusion detection systems to monitor Internet traffic to and from federal computer networks to prevent malicious computer code from reaching the networks. According to DHS' Privacy Impact Assessment for Einstein 2 (available on the DHS Cybersecurity privacy Web site, http://www.dhs.gov ), only PII that is directly related to a malicious code security incident is captured by and accessible to DHS, and DHS does not access PII unless the PII is part of the malicious code.

16. Disclosure may be made to the National Archives and Records Administration and/or the General Services Administration for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.

L. Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System

1. Storage

Records may be maintained in hard copy files and on computer disks, hard drive, and file servers, and other types of data storage devices.

2. Retrievability

Records may be retrieved by manual or computer search of the case-tracking system using the name of the respondent(s).

3. Safeguards

a. Authorized users. Records in FDA's system are available to the Commissioner of Food and Drugs, the Agency's Chief Scientist and Deputy Commissioner for Science and Public Health, the Agency's Research Integrity Officer (System Manager), and to other appropriate FDA staff when they have a need for the records in the performance of their duties. Records are also available to the Director of ORI and other appropriate ORI staff, and to other appropriate HHS officials that are involved in the research misconduct proceeding, when there is a need to know in the performance of their duties. All authorized users are informed that the records are confidential and are not to be further disclosed.

b. Procedural safeguards. Access is strictly controlled by the Research Integrity Officer (System Manager) in compliance with the Privacy Act and this system notice. Access to the records is limited to ensure confidentiality. All questions and inquiries from any party should be addressed to the Research Integrity Officer (System Manager).

c. Physical safeguards. All records (such as diskettes, computer listings, or documents) are kept in a secured area, locked rooms, and locked building. The facility has a 24-hour guard service, and access to the building is further controlled by an operational card key system. Access to the files, which are generally hard copy, is limited to a subset of individuals with general access to the building.

Access to individual offices is controlled by simplex locks. Records are kept in locked file cabinets in a room that is locked during non-working hours. Access to this room is restricted to specific personnel. Access to computer files is strictly limited through passwords and user-invisible encryption. Special measures commensurate with the sensitivity of the record are taken to prevent unauthorized copying or disclosure of the records.

M. Retention and Disposal

The records are maintained for 7 years in accordance with 42 CFR part 93, FDA's Records Control Schedule, and with the applicable General Records Schedule and disposition schedule approved by the National Archives and Records Administration.

N. System Manager and Address

FDA Research Integrity Officer, Office of the Chief Scientist, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 32, Rm. 4214, Silver Spring, MD 20993.

O. Notification Procedure

In accordance with 21 CFR part 21, subpart D, an individual may find out whether a record exists about him or her by submitting a written request, with notarized signature if request is made by mail, or with identification if request is made in person, directed to: FDA Privacy Act Coordinator, Division of Freedom of Information (ELEM-1029), Food and Drug Administration, 12420 Parklawn Dr., Element Building, Rockville, MD 20857. HHS/FDA is exempting all records related to research misconduct proceedings from this provision (see section I.S of this document Records Exempted from Certain Provisions of the Privacy Act). However, consideration will be given to requests addressed to the Privacy Act Coordinator as described previously in this document. In addition, some records may be exempt under 5 U.S.C 552a(d)(5), if they are “compiled in reasonable anticipation of a civil action or proceeding.” See also 21 CFR 21.41(e).

P. Record Access Procedures

Procedures are the same as those in section I.O of this document (Notification Procedure). Requests should also reasonably specify the record contents being sought and may also request an accounting of disclosures that have been made of the record, if any. As stated previously in this document, HHS/FDA is exempting all records related to research misconduct proceedings from this provision (see section I.S of this document, Records Exempted from Certain Provisions of the Privacy Act), and some records may be exempt under 5 U.S.C. 552a(d)(5). However, consideration will be given to access requests addressed to the Privacy Act Coordinator as described in section I.O of this document (Notification Procedure).

Q. Contesting Record Procedures

In accordance with 21 CFR 21.50, contact the Privacy Act Coordinator, Food and Drug Administration (see FOR FURTHER INFORMATION CONTACT or section I.O of this document). Reasonably identify the record and specify the information being contested, the corrective action sought, and your reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant. As stated previously in this document, HHS/FDA is exempting all records related to research misconduct proceedings from this provision (see section I.S of this document, Records Exempted from Certain Provisions of the Privacy Act), and some records may be exempt under 5 U.S.C. 552a(d)(5).

R. Record Source Categories

Information in this system is obtained from many sources, including the following: (1) Directly from the respondent or complainant or his/her representative; (2) derived from materials supplied by the respondent or complainant or his/her representative; (3) from information supplied by the institutions, witnesses, scientific publications, and other nongovernmental sources; (4) from observation and analysis made by FDA and ORI staff and scientific experts; (5) from departmental and other Federal, State, and local government records; (6) from hearings and other administrative proceedings; and (7) from any other relevant source.

S. Records Exempted From Certain Provisions of the Privacy Act

FDA records related to research misconduct proceedings will be exempt from the Privacy Act requirements pertaining to providing an accounting of disclosures, access and amendment, notification, and Agency procedures and rules under sections 552a(k)(2) and (k)(5) of the Privacy Act.

Elsewhere in this issue of the Federal Register, FDA is publishing a notice of proposed rulemaking and direct final rule to apply these exemptions to records in this system related to ongoing investigations or that would reveal a confidential source. These exemptions are necessary to safeguard the integrity of the research misconduct proceedings and to ensure that FDA's efforts to obtain accurate and objective information will not be hindered. In the course of investigations of allegations of research misconduct, it is often necessary to give an express promise to withhold the identity of an individual who has provided relevant information. Sources of information necessary to complete an effective investigation may be reluctant to provide sensitive information unless they can be assured that their identities will not be revealed. The proposed exemptions will ensure that the records related to ongoing investigations will not be disclosed inappropriately and that the identities of confidential sources will be protected.

The notice of proposed rulemaking and direct final rule provide additional detail regarding the bases for these exemptions.

II. Comments

FDA invites comments on all parts of the systems notice. Interested persons may submit to the Division of Dockets Management (see ADDRESSES) either electronic or written comments regarding this document. It is only necessary to send one set of comments. Identify comments with the docket number found in brackets in the heading of this document. Received comments may be seen in the Division of Dockets Management between 9 a.m. and 4 p.m., Monday through Friday.