Privacy Act of 1974; System of Records

Federal Register, Mar 4, 2021
86 Fed. Reg. 12699 (Mar. 4, 2021)

AGENCY:

Department of Health and Human Services.

ACTION:

Notice of a modified system of records.

SUMMARY:

In accordance with the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is modifying a department-wide system of records titled HHS Correspondence, Customer Service, and Contact List Records, system no. 09-90-1901, to make certain updates and to more clearly include records about individuals who provide comments and supporting documents to HHS in response to HHS rulemakings and other docketed proceedings. The modifications include changing the name of the system of records to HHS Correspondence, Comment, Customer Service, and Contact List Records.

DATES:

In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable March 4, 2021, subject to a 30-day period in which to comment on the new and revised routine uses, described below. Please submit any comments by April 5, 2021.

ADDRESSES:

The public should submit written comments on this notice, by mail or email, to Beth Kramer, HHS Privacy Act Officer, 200 Independence Ave. SW, Suite 729H, Washington, DC 20201, or beth.kramer@hhs.gov. Comments will be available for public viewing at the same location. To review comments in person, please contact Beth Kramer at beth.kramer@hhs.gov or 202-690-6941.

FOR FURTHER INFORMATION CONTACT:

General questions may be submitted to Beth Kramer, HHS Privacy Act Officer, at 200 Independence Ave. SW, Suite 729H, Washington, DC 20201, or beth.kramer@hhs.gov, or 202-690-6941.

SUPPLEMENTARY INFORMATION:

I. Background on System of Records Notice (SORN) 09-90-1901

This department-wide system of records covers records about individuals within or outside HHS which are used in managing HHS correspondence, public comments in docketed proceedings, and customer service functions, including help desk and call center activities, dissemination of publications, studies, opinions, unrestricted datasets, and other information, and mailing and contact lists. SORN 09-90-1901 applies to such records if they are retrieved by personal identifier and are not covered by a more specific SORN.

Examples of the records covered in SORN 09-90-1901 include:

  • Telephone and email directories containing office contact records about HHS employees, contractor personnel, and other personnel working at HHS, which are retrieved by the individuals' names and used to locate them, route mail to them, and communicate with them regarding work matters.
  • Official correspondence records about individuals who contact, or are contacted by, the Secretary or Deputy Secretary of HHS or another HHS official, or are the subject of the correspondence, which are retrieved by the correspondent's or subject's name and used to control, track, and ensure timely and appropriate attention to and documentation of the correspondence. Particular subsets of these records include, for example:

○ Records about individuals who submit comments and supporting documents in response to HHS rulemakings and other docketed proceedings and public notices, which are retrieved by commenter name;

○ Correspondence notifying members of Congress of grants and other contracts that HHS has awarded to individual recipients in their districts, which are retrieved by awardee name; and

○ Records of requests about individual constituents received from members of Congress, which are retrieved by constituent name and used to track and respond to the requests.

  • Mailing and contact list records used to track and respond to requests from, or otherwise interact with, individual members of the public, when the records are retrieved by personal identifier. Examples include:

○ Email lists and other contact lists about individuals who ask to receive health information from HHS in print form, or to be notified of new and upcoming publications or web postings, or to subscribe to an online newsletter issued by HHS.

○ Customer engagement workflow platform records containing account records (i.e., contact information) and case records (e.g., request processing records) about frequent customers of particular HHS offices, such as sole proprietor members of the media who are frequent customers of HHS public affairs offices.

  • Contact records about individuals who volunteer to serve as resource persons to provide pro bono technical assistance to community organizations and government agencies working on particular health-related matters or campaigns.

Examples of more specific SORNs, which will continue to apply to particular types of correspondence records, contact list records, and customer service records, include:

  • Debt collection correspondence: SORN 09-40-0012, Debt Management and Collection System.
  • Correspondence about complaints filed with the HHS Office of Civil Rights: SORN 09-90-0052, Program Information Management System (PIMS).
  • Freedom of Information Act and Privacy Act Correspondence: SORN 09-90-0058, Tracking Records and Case Files for FOIA and Privacy Act Requests and Appeals.
  • Medicare Customer Service records: SORN 09-70-0535, 1-800 Medicare (HELPLINE).
  • List(s) of individuals ordering provider educational materials or registering for computer/Web-based training courses, satellite broadcasts and train-the-trainer sessions: SORN 09-70-0542, Medicare Learning Network (MLN).
  • List of consultants available for use in evaluation of National Heart, Lung, and Blood Institute special grants and contracts: SORN 09-25-0078, Administration: Consultant File.

II. Modifications to SORN 09-90-1901

HHS is modifying the SORN to update it and to ensure that it clearly and adequately covers records about individuals who submit comments and supporting documents to HHS in response to HHS rulemakings and other docketed proceedings. HHS is also expressly including customer engagement platform records. The modifications include:

  • Including the word “Comment” in the name of the system of records.
  • Referring to “comments” or “commenters” in the Categories of Individuals, Categories of Records, Purpose(s), and Retrieval sections, and referring to “customer engagement” records in the System Manager(s) and Categories of Records sections.
  • Including the General Services Administration (GSA) in the System Location section as the shared services provider that operates systems HHS uses to manage certain docket records.
  • Indicating which System Managers apply to comment records and customer engagement records.
  • Citing additional statutes (5 U.S.C. 553 and 44 U.S.C. 1505) in the Authority section which, in addition to 5 U.S.C. 301, apply to docket records.
  • Revising routine use 1, which authorizes disclosures to agency contractors, to indicate that such contractors include “another federal agency functioning as a shared service provider or other contractor to HHS.”
  • Adding a new routine use, numbered as routine use 4, authorizing comment records to be made public, to the extent of information that would be required to be released to a requester under the Freedom of Information Act (FOIA), e.g., that would not result in a clearly unwarranted invasion of privacy.
  • Adding a new routine use, numbered as routine use 5, authorizing work contact information for HHS personnel to be made public, e.g., in a public directory or on relevant HHS websites, limited to information that would be required to be released to a requester under the FOIA.
  • Adding the explanatory phrase “e.g., would not result in a clearly unwarranted invasion of privacy” to routine use 6 (formerly numbered as routine use 4), which authorizes the names of and biographical information about individuals who author, create, appear in, or are the subjects of information products HHS disseminates to be disclosed with the products and in publicizing the products to the extent that the information would be required to be released to a requester under the FOIA.
  • Citing additional or different disposition schedules for certain correspondence records, comment records, and staff locator records, in the Retention section.
  • Adding one security control (i.e., “reviewing security controls on a periodic basis”) to the Safeguards section.

Because some of these changes are significant, HHS provided advance notice of the modified system of records to the Office of Management and Budget (OMB) and Congress as required by 5 U.S.C. 552a(r) and OMB Circular A-108.

Brandon Gaylord,

Director, FOIA/Privacy Act Division, Office of the Assistant Secretary for Public Affairs.

SYSTEM NAME AND NUMBER:

HHS Correspondence, Comment, Customer Service, and Contact List Records, 09-90-1901.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The address of each HHS component responsible for this system of records is as shown in the System Manager(s) section below. The General Services Administration (GSA), 1800 F St. NW, Washington, DC 20006, serves as system administrator for shared services systems (the Federal Docket Management System (FDMS) and www.regulations.gov) which contain comment records for HHS rulemakings and certain other docketed proceedings.

SYSTEM MANAGER(S):

The System Managers are as follows:

  • Congressional correspondence: HHS Assistant Secretary for Legislation, Congressional Liaison Office, Rm. 406G, 200 Independence Ave. SW, Washington, DC 20201, (202) 690-7627.
  • HHS Secretarial and Deputy Secretary correspondence, and docket records for the Office of the Secretary (OS): HHS Executive Secretariat, Rm. 603H, 200 Independence Ave. SW, Washington, DC 20201, (202) 690-7000.
  • Other correspondence and docket records:

a. Administration for Children and Families (ACF) Executive Secretariat Office, Director, 330 C St. SW, Washington, DC 20201, linda.hitt@acf.hhs.gov.

b. Administration for Community Living (ACL) Executive Secretariat Office, Chief of Staff/Executive Secretariat, 330 C St. SW, Rm. 1004B, Washington, DC 20201, (202) 795-7415.

c. Agency for Healthcare Research and Quality (AHRQ) Executive Secretariat Office, Director, 5600 Fishers Ln., Rm. 07N90C, Rockville, MD 20857, (301) 427-1216.

d. Centers for Disease Control and Prevention/Agency for Toxic Substances and Disease Registry (CDC/ATSDR) Executive Secretariat Office, Executive Secretariat, 1600 Clifton Rd., MS H21-10, Atlanta, GA 30329, (404) 639-7483, RCC@cdc.gov.

e. Centers for Medicare & Medicaid Services (CMS) Office of Strategic Operations and Regulatory Affairs, Director, 7500 Security Blvd., Baltimore, MD 21244-1850, (410) 786-3200.

f. FDA Privacy Act Coordinator, Food and Drug Administration, 5630 Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 796-3900.

g. Health Resources and Services Administration (HRSA) Executive Secretariat Office, Director, 5600 Fishers Ln., Rm. 13N82, Rockville, MD 20857, (301) 443-1785.

h. Indian Health Service (IHS), Executive Secretariat Office, Director, 5600 Fishers Ln., Rm. 08E86, Rockville, MD, (301) 443-1011.

i. National Institutes of Health (NIH), Executive Secretariat Office, Director, Shannon Bldg (Bldg. 1), Room B1-56, 1 Center Drive, Bethesda, MD 20892-0122, (301) 496-1461.

j. Substance Abuse and Mental Health Services Administration (SAMHSA) Executive Secretariat Office, Branch Chief, 5600 Fishers Ln., Rockville, MD 20857, (877) 726-4727.

  • Information product ordering and distribution records:

a. AHRQ: Director, Office of Communications and Knowledge Transfer, Agency for Healthcare Research and Quality, 5600 Fishers Ln., 7th Floor, Rockville, MD 20857, (301) 427-1364.

b. CMS: Director, Office of Communications, Centers for Medicare & Medicaid Services, 7500 Security Blvd., Baltimore, MD 21244, (410) 786-1338.

c. FDA Privacy Act Coordinator, Food and Drug Administration, 5630 Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 796-3900.

d. SAMHSA: Director, Office of Communications, Substance Abuse and Mental Health Services Administration, 5600 Fishers Ln., Rockville, MD 20857, (240) 276-2201.

  • Call center, ombudsman, and help desk records:

a. ONE-DHHS: FedResponse Service Director, Program Support Center, 7700 Wisconsin Ave., Bethesda, MD 20814, (877) 696-6775.

b. FDA Call Centers: FDA Privacy Act Coordinator, Food and Drug Administration, 5630 Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 796-3900.

  • Mailing list and contact list records:

a. HHS Employee Directory: Same as ONE-DHHS contact information, under Call center, above.

b. OASH/OMH mailing and contact list records: Office of Minority Health, The Tower Building, 1101 Wootton Pkwy., Suite 600, Rockville, MD 20852, (240) 453-2882.

c. FDA mailing and contact list records: FDA Privacy Act Coordinator, Food and Drug Administration, 5630 Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 796-3900.

  • Customer engagement workflow platform records:

a. The Office of the Chief Product Officer (OCPO), 2501 Ardennes Ave., Rockville, MD 20852, (202) 945-2152.

  • Any other records not accounted for above: See ONE-DHHS contact information, under Call center, above.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

5 U.S.C. 301, 305, 553; 21 U.S.C. 301 et seq.; 31 U.S.C. 1115(b)(6); 40 U.S.C. 11313; 42 U.S.C. 201 et seq.; 44 U.S.C. 3101, 1505; E.O. 11583; E.O. 13571.

PURPOSE(S) OF THE SYSTEM:

The records in this system of records are used for the purpose of managing HHS correspondence, information dissemination, and customer service functions; i.e., to maintain, track, control, route, and locate information and documents created, received, requested, and used in managing those functions, in order to provide timely and appropriate actions, responses, notices, services, coordination, referrals, or other follow-up, avoid duplicate entries, and ensure consistency. Correspondence, information dissemination, and customer service functions include, for example, managing comments received on rulemakings and other public notices; non-law enforcement-related help desk and call center activities; handling of consumer complaints; dissemination of publications, unrestricted datasets, and other information; and maintenance of mailing and contact lists. The records may also be used to compile aggregate statistics for the purpose of evaluating and improving these functions.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records are about individuals within and outside HHS who contact HHS to request or offer information, information products, comments, suggestions, or services or to communicate a complaint or other information, or who receive correspondence from HHS, or who are the author or subject of such publications, communications, or correspondence by or with HHS, or who are included in mailing and contact lists maintained by HHS, when the records are used to support HHS correspondence, information dissemination, and/or customer service functions and are retrieved by the individuals' names or other personal identifiers (unless the records are covered by a more specific system of records notice (SORN)).

CATEGORIES OF RECORDS IN THE SYSTEM:

The categories of records include:

  • Secretarial and other official correspondence, docket records, congressional correspondence, and other correspondence. These records include copies of requests, comments, or other communications addressed or routed to an HHS official for response or other follow-up; copies of correspondence initialed or signed by an HHS official; tracking and control records (indicating, e.g., the date and subject of the correspondence; the name of the correspondent and/or other individual record subject—for example, a constituent identified in congressional correspondence; the action required; the organization drafting the response); and associated work papers.
  • Records used in disseminating or filling orders for publications, stock photographs, audio visual productions, unrestricted datasets, and other information products. These include indexes to repositories of informational materials, request records, and order fulfillment records. Indexes may contain names of individuals (such as authors or subjects) used to retrieve materials when needed for distribution or to fulfill a request. Request records identify the date of the request, the product requested, the requester, and the address to use for delivery. Order fulfillment records contain proof of delivery, including the delivery date and address used for delivery, which may be a mailing address or email address if delivery was through a public access web portal or link. Any associated payment records (if a fee is charged for the information product) are covered by system of records 09-90-0024 HHS Financial Management System Records.
  • Call center and help desk records. These include contact records (containing the name of the individual who contacted the call center or help desk, his or her contact information, and location information if relevant, unless the individual wishes to be anonymous) and request records (containing the date and nature of the request, complaint, or report, the name of the call center staff member who handled the request, complaint, or report, and actions taken, such as providing an answer from a call center script, documenting the report, or assigning and routing the request to the appropriate program office to handle). Note that recordings of ONE-DHHS telephone calls are destroyed after 90 days and are not retrieved by personal identifier so are not covered by this SORN.
  • Mailing list records. These include the lists and any records used to compile and maintain the lists (e.g., existing contact lists; invitations to join and requests to be added to or removed from a list; address changes) containing an individual's contact information (e.g., mailing address or email address) and indicating the particular information or notices the individual would receive or would like to receive from HHS (e.g., publications on particular health topics; an electronic newsletter; notice of upcoming training courses; notice when new material is added to a website). The records may also include information that the particular program requires or requests individuals to provide about themselves (e.g., characteristics such as profession, employing organization, educational level, practice setting, geographic location, age, ethnicity) to enable the agency to aggregate or organize the information or compile statistics on the types of individuals receiving the information distributed through the list.
  • Contact list records. These include the lists and any records used to compile and maintain the lists, containing names, contact information, and any other relevant information (e.g., expertise type, primary language, geographic region) for individuals who HHS regularly contacts or otherwise interacts with (such as, authors; sole proprietor media stakeholders; HHS personnel) and/or individuals who have agreed to be included on or have asked to be removed from a particular list of contacts HHS maintains and may in some cases distribute or post for HHS and/or non-HHS parties to use to obtain assistance from or share information with the individuals on the list (for example, outside medical and research experts who wish to exchange knowledge and best practices and share studies, opinions, and training materials with each other); and any written consents from subject individuals permitting HHS to disclose their contact or other information to specific types of non-HHS parties, or to the public, for specific purposes.
  • Customer engagement workflow platform records. These include account records containing the same types of information as contact lists, described above, and case records containing request processing records, which are used to track and respond to requests from or otherwise interact with frequent customers or business partners of particular HHS offices. The case files are linked to the applicable account record and contain information describing the customer's requests or interactions and any supporting information the customer provided.

RECORD SOURCE CATEGORIES:

Most information is obtained directly from the subject individual. Information may also be obtained from a third party who contacts HHS about or on behalf of a subject individual, or from records HHS compiles or persons HHS consults in order to provide a response, provide assistance, or otherwise follow up on the request or communication.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), information about an individual may be disclosed from this system of records to parties outside HHS without the individual's prior, written consent, for these routine uses:

1. Records may be disclosed to agency contractors (including another federal agency functioning as a shared service provider or other contractor to HHS) and to student volunteers, interns, and other individuals who do not have the status of agency employees but have been engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of this system of records and who need to have access to the records in order to assist HHS. Such individuals and contractors will be required to comply with the requirements of the Privacy Act.

2. Records may be disclosed to other federal agencies and HHS partner agencies and organizations for the purpose of referring a request or issue to them for handling or obtaining their assistance with a response or issue.

3. Notice of an award that HHS has made to an individual awardee in a particular congressional district may be disclosed to the member of Congress serving that district.

4. HHS makes publicly available the name(s), contact information, comments, and any supporting documents provided by individuals who comment on docketed proceedings (provided that the information would be required to be released to a requester under the Freedom of Information Act (FOIA); e.g., would not result in a clearly unwarranted invasion of privacy). For rulemaking proceedings, HHS makes the information publicly available in www.regulations.gov. For other docketed proceedings, HHS makes the information publicly available in www.regulations.gov or available for public inspection at an HHS location specified in the applicable notice, by appointment or as otherwise specified in the notice.

5. HHS makes certain work contact information for HHS personnel publicly available (for example, in a searchable public directory, and on relevant HHS websites), but only to the extent that the information would be required to be released to a requester under the FOIA.

6. Names of and biographical information about the individuals who authored, created, appear in, or are the subjects of information products may be disclosed with the products or in descriptions of the products used to publicize them, but would be disclosed without consent only if and to the extent that the names and biographical information would be required to be released to a requester under the FOIA (e.g., would not result in a clearly unwarranted invasion of privacy).

7. Records may be disclosed to a member of Congress or a congressional staff member in response to a written inquiry of the congressional office made at the written request of the constituent about whom the record is maintained. The congressional office does not have any greater authority to obtain records than the individual would have if requesting the records directly.

8. Records may be disclosed to representatives of the National Archives and Records Administration during records management inspections conducted pursuant to 44 U.S.C. 2904 and 2906.

9. Information may be disclosed to the Department of Justice (DOJ) or to a court or other adjudicative body in litigation or other proceedings, when:

a. HHS or any component thereof, or

b. any employee of HHS acting in the employee's official capacity, or

c. any employee of HHS acting in the employee's individual capacity where the DOJ or HHS has agreed to represent the employee, or

d. the United States Government, is a party to the proceeding or has an interest in such proceeding and, by careful review, HHS determines that the records are both relevant and necessary to the proceeding.

10. Where a record, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the agency concerned, whether federal, state, local, tribal, territorial, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or the rule, regulation, or order issued pursuant thereto.

11. Records may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the Federal Government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

12. Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

13. Records may be disclosed to the Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from federal government computer networks to prevent a variety of types of cybersecurity incidents.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

The records are stored in hard-copy files and/or electronic systems or media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by the individual requester's, correspondent's, commenter's, author's, or other record subject's name or by another personal identifier contained in the records (such as email address, request tracking number, user ID number). Call center records may be retrieved by the name of the individual who contacted the call center.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

I. Permanently retained official correspondence (including significant White House and congressional correspondence):

Official correspondence and tracking records are retained by HHS while needed for agency business and are then transferred to the custody of the National Archives and permanently retained. See these schedules:

A. Office of the Secretary (OS): DAA-0468-2011-0006-0003 (IOS); N1-468-10-0001 (DAB); DAA-0468-2012-0003 (OMHA); DAA-0468-2011-0007 (ONC); N1-514-92-1 (OASH); DAA-0468-2013-009 (other OS Staff Divisions).

B. Other Operating Divisions: DAA-0292-2016-0008 and DAA-0292-2016-0014-0008 (ACF); N1-439-06-001, Item 1.a; a new schedule is pending (ACL); DAA-0510-2017-0003 (AHRQ); N1-442-93-001, Item 27.A (CDC/ATSDR); DAA-0440-2015-0001, Item 1.2.2 (CMS); N1-088-06-03, Items 4.1 and 4.2 (FDA); DAA-0512-2014-004, Item 6.3 (HRSA); N1-513-92-005, Items 6-1 and 6-12 (IHS); DAA-0443-2017-0003, Item 0001 (NIH); NC1-090-76-5, Item 11 (SAMHSA).

II. Other correspondence:

A. OS:

a. OASH: N1-514-92-1, Item 9.b.2. ASH General Correspondence: Cut off annually, and destroy when 5 years old. N1-514-92-1, Item 9.b.3 Routine Correspondence: Destroy when 5 years old.

b. ONC: DAA-0468-2011-0007-003. Administrative correspondence files: Destroy 5 years after cutoff.

c. OMHA: DAA-0468-2012-0003-0003. Working correspondence files: Destroy 3 years after cutoff.

d. All Other OS Staff Divisions: DAA-0468-2013-0009-0002. Routine files: Cut off at the close of calendar year in which created or received, and destroy 5 years after cutoff.

B. Other Operating Divisions:

a. ACF: DAA-0292-2016-0014, Item 1, Routine Correspondence: Cut off at the end of the fiscal year, and destroy 5 years after cutoff. NC1-292-84-7, Item B.33, OCSE Public Inquiry Correspondence: Destroy after 2 years.

b. ACL: N1-439-06-001, Item 2; a new schedule is pending.

c. AHRQ: Not scheduled separately from official correspondence.

d. CDC/ATSDR: NC1-090-82-4, Item 1.a, Routine Administrative Files: Destroy when 5 years old. NC1-090-78-1, Item 7, Congressional Correspondence: Destroy when 10 years old. NC1-090-78-1, Item 8, General Correspondence: Destroy after 1 year.

e. CMS: DAA-0440-2015-0002-0002. Cut off at end of calendar year, and destroy no sooner than 3 years after cutoff; longer retention is authorized.

f. FDA: N1-088-06-03. Cut off at end of calendar year, and destroy 10 years after cutoff (Item 1.1.2) or 5 years after cutoff (Item 1.2.2).

g. HRSA: DAA-0512-2014-004, Items 6.3.1.2 and 6.3.1.3, Correspondence: Cut off at end of calendar year, and destroy 7 years after cutoff. Tracking records: Retain permanently.

h. IHS: N1-513-92-005, Items 6-1 b., 6-1 c., 6-12 b., and 11-12: Destroy when 6 years old if at the division level or higher; destroy when 2 years old if below the division level.

i. NIH: DAA-0443-2012-0007, Item 0003. Cut off annually at termination of project/program, and destroy 7 years after cutoff.

j. SAMHSA: NC1-90-76-5, Item 21, Controlled Correspondence Files: Cut off at the end of each calendar year, retain for 5 years, and then destroy. NC1-90-76-5, Item 47, Executive Secretariat Files: Withdraw pertinent material and destroy when 10 years old; destroy other material when 2 years old; and destroy control forms when 1 year old.

III. Comment records:

  • Individual comments on proposed and final rules: See GRS 6.6 Item 030 and these agency-specific schedules:

ACF: DAA-0292-2016-0005, Items 0001 and 0002, Adopted Rules and Rules Not Adopted: Cut off adopted regulations at end of FY after publication of the final rule, and destroy 10 years after cutoff. Cut off regulations not adopted at end of FY after decision not to adopt proposed rule, and destroy 3 years after cutoff. NC1-292-84-7, Item B.7, OCSE Regulation Files: Review annually and destroy when no longer needed for reference.

IHS: DAA-0513-2013-0001, Items 0001 and 0002, Adopted Rules and Rules Not Adopted: Cut off adopted rules at end of FY after publication of final rule, and destroy 10 years after cutoff. Cut off rules not adopted at end of FY after decision not to adopt proposed rule, and destroy 3 years after cutoff.

SAMHSA: NC1-90-76-5, Item 27, Regulation Files: Destroy when 10 years old; destroy duplicate and reference material when no longer needed.

  • Individual comments on other Federal Register notices: See GRS 6.6 Item 040 and other General Records Schedules listed therein.

IV. Call center, help desk, and similar customer service records:

  • FDA Ombudsman records: N1-088-05-001, Item 2. Case files maintained by the Center Ombudsman Office (Item 2.3): Cut off 3 months after the end of the calendar year in which the case is closed or the appeal is completed, and destroy 3 years after cutoff. All other case files (Item 2.1) and finding aids (Item 2.2): Cut off at the end of the calendar year in which the final action is taken or the appeal is completed, and destroy 10 years after cutoff.
  • Other customer service operations records: GRS 6.5 Item 010 and GRS 5.8 Item 010. Destroy 1 year after resolved or when no longer needed for business use, whichever is appropriate.

V. Mailing and contact list records:

  • GRS 5.1 Item 010, Staff locator records: Destroy when business use ceases.
  • GRS 6.5 Item 020, Customer/client records: Delete when superseded or obsolete or when the customer requests that the agency remove the records.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Safeguards conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/index.html. Information is safeguarded in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook; all pertinent National Institute of Standards and Technology (NIST) publications; and OMB Circular A-130, Managing Information As a Strategic Resource. Records are protected from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards include protecting the facilities where records are stored or accessed with security guards, badges and cameras, securing hard-copy records in locked file cabinets, file rooms or offices during off-duty hours, limiting access to electronic databases to authorized users based on roles and either two-factor authentication or user ID and password (as appropriate), using a secured operating system protected by encryption, firewalls, and intrusion detection systems, requiring encryption for records stored on removable media, training personnel in Privacy Act and information security requirements, and reviewing security controls on a periodic basis. Records that are eligible for destruction are disposed of using destruction methods prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:

An individual seeking access to records about the individual in this system of records must submit a written request to the relevant System Manager indicated above. An access request must contain the requesting individual's name and address, email address or other identifying information, and signature. To verify the requester's identity, the signature must be notarized or the request must include the requester's written certification that the requester is the person the requester claims to be and understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a fine of up to $5,000. To access the records in person, the requester should request an appointment, and may be accompanied by a person of the requester's choosing if the requester provides written authorization for agency personnel to discuss the records in that person's presence. An individual may also request an accounting of disclosures that have been made of the records about the individual, if any.

CONTESTING RECORD PROCEDURES:

An individual seeking to amend a record about the individual in this system of records must submit a written request to the relevant System Manager indicated above. An amendment request must include verification of the requester's identity in the same manner required for an access request, and must reasonably identify the record and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

NOTIFICATION PROCEDURES:

An individual who wishes to know if this system of records contains records about the individual must submit a written request to the relevant System Manager indicated above and verify identity in the same manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

84 FR 28823 (June 20, 2019).

[FR Doc. 2021-04463 Filed 3-3-21; 8:45 am]

BILLING CODE 4150-25-P