Privacy Act of 1974; System of Records

Federal Register, Jan 13, 2021
86 Fed. Reg. 2677 (Jan. 13, 2021)

AGENCY:

National Institutes of Health (NIH), Department of Health and Human Services (HHS).

ACTION:

Notice of a Modified System of Records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services is updating and renaming an existing system of records maintained by the National Institutes of Health (NIH), 09-25-0165, “National Institutes of Health (NIH) Office of Loan Repayment and Scholarship (OLRS) Record System, HHS/NIH/OD” (to be renamed “NIH Loan Repayment Records”). In a separate Notice of Proposed Rulemaking (NPRM) published elsewhere in today's Federal Register, HHS/NIH is proposing to exempt a subset of records in the system of records from certain requirements of the Privacy Act, based on subsection (k)(5) of the Privacy Act.

DATES:

The comment period for this modified System of Records Notice (SORN) is co-extensive with the 60-day comment period provided in the companion NPRM also published in today's Federal Register. Written comments on the SORN should be submitted on or before March 15, 2021. The modified SORN will be applicable when the proposed exemptions are made effective by publication of a Final Rule, which will not occur until after the 60-day comment period ends and any comments received on the NPRM (or on this SORN) have been addressed.

ADDRESSES:

You may submit comments, identified by the Privacy Act System of Records Number (09-25-0165), by any of the following methods:

  • Email: privacy@mail.nih.gov and include Privacy Act System of Record (PA SOR) number (09-25-0165) in the subject line of the message.
  • Phone: (301) 402-6201.
  • Fax: (301) 402-0169.
  • Mail or hand-delivery: NIH Privacy Act Officer, Office of Management Assessment, National Institutes of Health, 6011 Executive Blvd., Suite 601, MSC 7669, Rockville, MD 20852.

Comments received will be available for public inspection at this same address from 9 a.m. to 3 p.m., Monday through Friday, except federal holidays. Please call 301-496-4606 for an appointment.

FOR FURTHER INFORMATION CONTACT:

General questions about the proposed modified system of records may be submitted to Celeste Dade-Vinson, NIH Privacy Act Officer, Office of Management Assessment, Office of the Director, National Institutes of Health (NIH), 6011 Executive Blvd., Suite 601, MSC 7669, Rockville, MD 20852, or telephone 301 402-6201.

SUPPLEMENTARY INFORMATION:

This system of records (hereafter referred to as the “NIH Loan Repayment Records”) covers records maintained in a particular NIH information technology (IT) system managed by NIH's Division of Loan Repayment (DLR) that are used to manage and evaluate the intramural and extramural educational Loan Repayment Programs (LRP) at NIH. As of the date of this publication, there are eight such programs that provide student loan repayments for qualified individuals who agree to conduct biomedical and behavioral research; recipients include NIH employee researchers as well as scientists conducting research at non-profit organizations outside NIH. Scholarship program records at NIH are now covered by the following NIH SORNs, so are omitted from modified SORN 09-25-0165:

  • 09-25-0014—Clinical Research: Student Records, HHS/NIH/OD/OIR/OE
  • 09-25-0108—Personnel: Guest Researchers, Special Volunteers, and Scientists Emeriti, HHS/NIH/OHRM
  • 09-25-0140—International Scientific Researchers in Intramural Laboratories, ORS/DIRS
  • 09-25-0158—Administration Records of Applicants and Awardees of the Intramural Research Training Awards Program, HHS/NIH/OD/OE

The System of Records Notice (SORN) for System 09-25-0165 has been reformatted in accordance with OMB Circular A-108 and updated with these changes:

  • System name. The system name has been changed from “National Institutes of Health (NIH) Office of Loan Repayment and Scholarship Records system, HHS/NIH/OD” to “NIH Loan Repayment Records.”
  • Throughout the SORN. References to scholarship program records have been omitted; for example, the abbreviation “LRSPs” is now “LRPs.”
  • System Location and System Manager. Office names and addresses have been updated.
  • Authority. This section has been updated to remove all authorities previously cited, except 42 U.S.C. 288-1 and 288-2, and to cite 31 U.S.C. 7701 as authorizing collection of applicants' social security numbers (SSNs).
  • Purposes. The purpose descriptions have been reorganized, so that the three purposes in the previously published SORN are now within the first purpose description in the modified SORN. The first purpose description is now more detailed. Two new purposes have been added to indicate that records are used to evaluate the long-term impact of the LRP on scientists' research career development and to execute LRP ambassador and alumni activities.
  • Categories of Individuals. This section now includes more categories of individuals. In addition to loan applicants and awardees, it now also includes appointees to the LRP ambassador program, alumni of the LRP, and NIH staff. A note has been added at the end of this section explaining that reviewers who make recommendations to DLR about applicants for loan repayment are not included as subject individuals because their personal identifiers are not used to retrieve records in this system of records.
  • Categories of Records. Information compiled in the NIH Loan Repayment system remains the same, but the records description in the SORN is now separated into two categories of records (award information and pre-award information) and arranged to indicate whether one or both categories apply to each type of individual. A sentence has been added to clarify the scope of the SORN, so that it does not duplicate related SORNs.
  • Routine Uses.
      ○ No substantive changes were made to the first three routine uses.
      ○ Routine use 4 (authorizing disclosures to contractors and subcontractors) has been revised to include additional recipients—consultants, volunteers, awardees, and other agencies engaged by HHS—and to describe more broadly the purposes for which they might be engaged by HHS and require access to records in this system of records. The previous description was limited to “collecting, compiling, aggregating, analyzing, or refining records in the system.”
      ○ Routine use 5's language has been updated for clarity, but the scope has not been substantively changed.
      ○ Routine use 6 still authorizes disclosures to the National Student Clearinghouse, but no longer covers disclosures to consumer reporting agencies for purposes of vetting loan applications, because such disclosures are inapplicable to this system of records.
      ○ Debt collection related routine uses (numbered 7 through 15 in the previously published SORN) and a separate section titled “Disclosure to Consumer Reporting Agencies” have been deleted because they are no longer applicable to this system of records.
      ○ The routine use that was numbered as 16 in the previously published SORN (authorizing disclosures to officials or representatives of grantee institutions) is now numbered as 7 in the modified SORN and has not been changed.
      ○ The routine use that was numbered as 17 in the previously published SORN (pertaining to the scholarship programs) is no longer relevant to this system of records and has been deleted.
      ○ The routine use that was numbered as 18 in the previously-published SORN (authorizing disclosures to HHS contractors and subcontractors for the purpose of recruiting, screening, and matching health professionals for NIH employment in qualified research positions under the loan and scholarship programs) is now encompassed within the scope of revised routine use 4.
      ○ Routine uses 8 through 11 are new.
      ○ The two breach response-related routine uses which were added by a partial modification published at 83 FR 6591 (Feb. 14, 2018) are now numbered as 12 and 13.
  • Storage. This section has been updated to provide examples of electronic media currently used for storage such as mobile or portable storage devices like laptops, smart phones, and DVDs, and to omit microfiche, tape, and discs.
  • Retrieval. This section has been updated to include an additional personal identifier, NIH Electronic Research Administration (eRA) Commons identification number, which can be used to retrieve records about individuals registered in Commons (an online interface where signing officials, principal investigators, trainees and Postdoctoral researchers at institutions/organizations can access and share administrative information relating to research grants).
  • Retention. This section has been updated to identify National Archives and Records Administration (NARA) General Records Schedules 1.1.010 and 2.4.090, instead of an NIH records control schedule, as the applicable disposition authority. The disposition periods and practices remain the same, except that two additional retention periods have been added: “Grantee applicant case files are destroyed six years after disapproval or withdrawal of the associated application” and “NIH is authorized to retain electronic records of applicants until the agency's business needs cease, to help facilitate follow up assessment regardless of award status.”
  • Safeguards. This section has been updated to reflect current safeguards.
  • Exemptions. This section now reflects that the system of records is exempt from the access, amendment, and accounting of disclosures requirements of the Privacy Act to the extent that compliance with those requirements would reveal the identity of a source who furnished information to the Federal Government under an express promise that the identity of the source would be held in confidence. The exemptions protect reviewers who make recommendations to DLR about loan repayment applicants from being subject to threats, bribery, intimidation, retaliation, and any other form of improper influence that may cause bias during the review and award processes. Reviewers include peer reviewers, referees, and other recommenders.

Because these changes are significant, a report on the modified system of records has been sent to the Office of Management and Budget (OMB) and Congress in accordance with 5 U.S.C. 552a(r).

Dated: November 19, 2020.

Alfred Johnson,

Deputy Director for Management, National Institutes of Health.

SYSTEM NAME AND NUMBER:

NIH Loan Repayment Records, 09-25-0165.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Division of Loan Repayment, Office of Extramural Research, Office of the Director (OD), National Institutes of Health (NIH), 6700B Rockledge Drive, Suite 2300, Bethesda, MD, 20892.

SYSTEM MANAGER(S):

Director, Division of Loan Repayment, Office of Extramural Research, Office of the Director, National Institutes of Health, 6700B Rockledge Drive, Suite 2300, Bethesda, MD, 20892. Telephone number: 866-849-4047. Email: lrp@nih.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The legal authority to maintain these records is 42 U.S.C. 288-1 and 288-2. Section 7701 of Title 31 U.S.C. authorizes collection of Social Security Numbers.

PURPOSE(S) OF THE SYSTEM:

The records are used by NIH's Division of Loan Repayment for the following purposes:

(1) To manage intramural and extramural educational Loan Repayment Programs (LRPs) at NIH; specifically to:

  • Identify and select applicants for the NIH LRPs;
  • Verify applicants' information and program eligibility;
  • Select LRP awardees and administer their LRP contracts or awards, including checking research service verifications (receiving institutional certifications that awardees are performing the research project/work proposed in their application), continued employment, and continued financial and program eligibility; and
  • Monitor loan repayment activities, such as payment tracking, payment verifications, loan statuses, and loan default.

(2) To evaluate the LRP programmatic goals and the long-term impact of the LRP on scientists' research career development.

(3) To execute LRP ambassador and alumni activities, the three goals of which are to a) advocate to interested parties about the benefits of choosing a biomedical research career, b) advise current and future potential LRP applicants and policy makers regarding the benefits of the LRP, and c) mentor current and future potential LRP applicants regarding strategies for applying to the LRP.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records are about the following categories of individuals (these are the only individuals whose personal identifiers are used to retrieve records from this system of records):

1. Applicants for, or awardees of, the NIH Loan Repayment Programs (LRPs).

2. Applicants for, or appointees as, ambassador of the NIH LRP.

3. Alumni of the NIH LRP.

Reviewers who provide materials and recommendations to DLR about applicants are not included as subject individuals, because records are not retrieved by their names or other personal identifiers.

CATEGORIES OF RECORDS IN THE SYSTEM:

This system includes a variety of pre-award and award management records that contain information needed to process applications and manage loan repayment awards across the award lifecycle. Listed below are the categories of individuals mentioned above, matched with the records collected about them:

1. Applicants to the NIH LRP—pre-award information;

2. Awardees of NIH LRPs—pre-award and post-award information;

3. LRP applicants and awardees as appointees to the LRP ambassador program—pre-award and post-award information;

4. Appointees to the LRP ambassador program or LRP Ambassadors—professional description and contact information;

5. Alumni of the NIH LRP—pre-award and post-award information.

Note that NIH may maintain some of the same records in more than one IT system and has opted to create a separate SORN for each IT system. This SORN covers records in the NIH IT system managed by NIH's Division of Loan Repayment.

Pre-award information includes the (1) LRP application and (2) associated forms. It consists of name; address; Social Security Numbers; NIH Commons ID Number; non-LRP-program service pay-back obligations; employment data; personal, professional, and demographic background information; academic and research descriptions and progress reports (which can include related data, correspondence, and professional performance information such as continuing education, performance awards, and adverse or disciplinary actions); financial data including account names and financial account numbers, loan balances, deferment, forbearance, and payment status information; commercial credit reports; recommendation letters; and peer review-related information such as application scores, reviewer critiques, summary statements, and express promises of confidentiality to reviewers who render scores or critiques.

Award management information consists of items such as (1) certifications and verifications of continued employment status; (2) financial information such as obligated award amounts, awardee financial reports, ongoing loan balances, loan repayment tracking and verifications, and any financial or credit information that represents a change from that reported in the application that occurs during the award or contract; (3) quarterly research service certifications; and (4) any change in award/contract management or status.

RECORD SOURCE CATEGORIES:

Information included in this system of records is collected directly from the applicants and awardees, and from reviewers, mentors, supervisors, institutional business officials, participating lending and loan servicing institutions, educational and awardee institutions, other federal agencies, consumer reporting agencies, credit bureaus, the National Student Clearinghouse, third parties that provide references concerning applicants, and commercial residential address databases which are used to find or verify current home addresses.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

Records about an individual may be disclosed from this system of records to parties outside HHS, without the individual's prior written consent, for the following purposes:

1. To a congressional office from the record of an individual in response to an inquiry from the congressional office made at the written request of the individual.

2. To the Department of Justice (DOJ) or to a court or other adjudicative body in litigation or other proceedings when:

  • HHS or any component thereof or another participating agency; or
  • any employee of HHS or of another participating agency in the employee's official capacity; or
  • any employee of HHS in the employee's individual capacity where the DOJ, HHS, or participating agency has agreed to represent the employee; or
  • the United States, if it is a party to or has a direct and substantial interest in the proceeding and the disclosure of such records is deemed by HHS to be relevant and necessary to the proceeding.

3. When a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether federal, foreign, state, local, tribal, or otherwise responsible for enforcing, investigating, or prosecuting the violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto.

4. To appropriate federal agencies and HHS contractors, awardees, consultants, or volunteers who have been engaged by HHS to assist in the accomplishment of an HHS function relating to the purposes of this system of records and that need to have access to the records in order to assist HHS in performing the activity. Any contractor will be required to comply with the Privacy Act of 1974, as amended.

5. To present and former employers, references listed on applications and associated forms, other references, and educational institutions to evaluate an individual's professional and academic accomplishments, plans, performance, credentials, and educational background, and to determine if an applicant is suitable for participation in a LRP.

6. To the National Student Clearinghouse using the Loan Locator internet System or similar system to assist in the verification of loan data submitted by LRP applicants. Disclosures are limited to the applicant's name, address, social security number, and other information necessary to identify the applicant; locate all student loans; verify payment addresses; identify the funding being sought or amount and status of the debt; and identify the program under which the applicant or claim is being processed.

7. To institution officials or representatives that serve in a supervisory role to the awardee to support the review of an LRP application, or to carry out performance or administration under the terms and conditions of the LRP award, or to monitor, manage, and resolve problems that might arise in performance or administration of the LRP contract.

8. To the National Archives and Records Administration (NARA) in records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.

9. To a federal, state, local or tribal agency in response to its request in connection with the hiring or retention of an employee, the issuance or retention of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance or retention of a license, grant, cooperative agreement, loan repayment, or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency's decision in the matter. The other agency or licensing organization may then make a request supported by the written consent of the individual for further information if it so chooses. HHS will not make an initial disclosure unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another federal agency for criminal, civil, administrative, personnel, or regulatory action.

10. To qualified experts, not within the definition of agency employees as prescribed in agency regulations or policies, to obtain their opinions on applications for loans or other awards as part of the peer review process.

11. To the Department of the Treasury (Treasury) for purposes of verifying payment eligibility affecting loan reimbursement payments, including under a computer matching agreement between HHS and Treasury for disbursement-related purposes authorized by 31 U.S.C. 3321 note and Executive Order 13520, if the matching program requires data from this system of records.

12. To appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

13. To another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

NIH may also disclose information about an individual, without the individual's prior written consent, from this system of records to parties outside HHS for any of the purposes authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)-(11).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored in various electronic media (secure servers and mobile/portable storage devices, such as laptops, tablets, Universal Serial Bus (USB) drives, media cards, portable hard drives, smart phones, Compact Disc (CD)s and Digital Versatile Disc (DVD)s) and in paper form.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by the subject individual's name, social security number, loan repayment number, or NIH eRA Commons ID number for LRP awardees.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are retained and disposed of under the authority of NARA General Records Schedules 1.1.010, Financial transactions records related to procuring goods and services, paying bills, collecting debts, and accounting; and 2.4.090, Incentive package records. Participant case files are transferred to a federal records center one year after closeout and destroyed five years later. Closeout is the process by which it is determined that all applicable administrative actions and disbursements of benefits have been completed by the NIH's DLR and that all service obligations have been completed by the participant. NIH staff case files are destroyed three years after disapproval or withdrawal of the application. Applicant case files are destroyed six years after disapproval or withdrawal of the application. In accordance with both NARA General Records Schedules 1.1.010 and 2.4.090, NIH may retain certain electronic records about applicants indefinitely, until the agency's business needs cease, to help facilitate follow up assessment of applicants regardless of their award status.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Measures to prevent unauthorized disclosures are implemented as appropriate for each location or form of storage and for the types of records maintained. Safeguards conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/index.html. Site(s) implement personnel and procedural safeguards such as the following:

Authorized Users: Access is strictly limited according to the principle of least privilege which means giving a user only those privileges which are essential to that user's work.

Administrative Safeguards: Controls to ensure proper protection of information and information technology systems include the completion of a Security Assessment and Authorization (SA&A), a Privacy Impact Assessment (PIA), and completion of annual NIH Information Security and Privacy Awareness training. The SA&A consists of a Security Categorization, e-Authentication Risk Assessment, System Security Plan, evidence of Security Control Testing, Plan of Action and Milestones, Contingency Plan, and evidence of Contingency Plan Testing. When the design, development, or operation of a system of records about individuals is required to accomplish an agency function, DLR includes the applicable Privacy Act Federal Acquisition Regulation (FAR) clauses in the solicitations and contracts.

Physical Safeguards: Controls to secure the data and protect paper and electronic records, buildings, and related infrastructure against threats associated with their physical environment include the use of the HHS Employee ID or badge number and NIH key cards, security guards, cipher locks, biometrics, and closed-circuit TV. Paper records are secured in locked file cabinets, offices and facilities. Electronic media are kept on secure servers or computer systems.

Technical Safeguards: Controls executed by the computer system are employed to minimize the possibility of unauthorized access, use, or dissemination of the data in the system. Examples include user identification, password protection, firewalls, virtual private network, encryption, intrusion detection system, common access cards, smart cards, biometrics and public key infrastructure.

RECORD ACCESS PROCEDURES:

This system of records is exempt from access under the Privacy Act to the extent that providing access to a subject individual would reveal the identity of a source who furnished information to the Federal Government under an express promise that the identity of the source would be held in confidence. However, DLR will consider all access requests addressed to the System Manager. To request access to a record about you, write to the System Manager at the address identified above, and reasonably specify the record contents sought. The request should include (a) your full name, (b) your address, (c) the approximate date(s) the information was collected, (d) the type(s) of information collected, and (e) the office(s) or official(s) responsible for the collection of information. You may also request an accounting of disclosures, if any, that have been made of any records maintained about you.

You must verify your identity by providing either (a) a notarization of your signed request or (b) a written statement certifying under penalty of perjury that you are the individual who you claim to be, and that you understand that the knowing and willful request for a record pertaining to an individual under false pretenses is a criminal offense under the Privacy Act, subject to a fine of up to five thousand dollars.

CONTESTING RECORD PROCEDURES:

This system of records is exempt from the amendment provisions of the Privacy Act to the extent that responding to an amendment request would reveal the identity of a source who furnished information to the Federal Government under an express promise that the identity of the source would be held in confidence. However, DLR will consider all amendment requests addressed to the System Manager. To contest information in a record about you, write to the System Manager identified above, provide the same information required for an access request, and verify your identity in the manner required for an access request. Reasonably identify the record and specify the information contested, state the corrective action sought and the reason(s) for requesting the correction, and include any supporting documentation. The right to contest records is limited to information that is factually inaccurate, incomplete, irrelevant, or untimely (obsolete).

NOTIFICATION PROCEDURES:

This system of records is not exempt from the notification provisions of the Privacy Act. To request notification of whether this system of records contains a record about you, you must make a written request to the System Manager identified above, provide the same information required for an access request, verify your identity in the manner required for an access request, and include the name and number of this system of records.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

The records in this system of records constitute investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal contracts pursuant to 5 U.S.C. 552a(k)(5). The system of records is exempt from the access, amendment, and accounting of disclosures requirements of the Privacy Act, at 5 U.S.C. 552a(c)(3) and (d)(1) through (4), to the extent that compliance with those requirements would reveal the identity of a source who furnished information to the Federal Government under an express promise that the identity of the source would be held in confidence.

HISTORY:

67 FR 6043 (Feb. 8, 2002), 83 FR 6591 (Feb. 14, 2018).

[FR Doc. 2020-28887 Filed 1-12-21; 8:45 am]
