Privacy Act of 1974; System of Records

AGENCY:

Administration for Children and Families, Department of Health and Human Services.

ACTION:

Notice of a New Systems of Records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is establishing a new system of records to be maintained by the Administration for Children and Families (ACF), Office of Child Support Enforcement (OCSE) that will support state child support agencies' enforcement of child support obligations System Number 09-80-0389, “OCSE Data Center General Support System, HHS/ACF/OCSE.”

DATES:

This Notice is applicable December 21, 2021, subject to a 30-day period in which to comment on the routine uses, described below. Please submit any comments by January 20, 2022.

ADDRESSES:

The public should address written comments by mail or email to Anita Alford, Senior Official for Privacy, Administration for Children and Families, 330 C St. SW, Washington, DC 20201, or anita.alford@acf.hhs.gov.

FOR FURTHER INFORMATION CONTACT:

General questions about the new system of records should be submitted by mail or email to Linda Boyer, Deputy Commissioner, Office of Child Support Enforcement, at 330 C St. SW, 5th Floor, Washington, DC 20201, 202-401-5410, or linda.boyer@acf.hhs.gov.

SUPPLEMENTARY INFORMATION:

The new system of records will consist of information maintained in a secure gateway system (the OCSE Data Center General Support System) established by OCSE. OCSE and (at their option) external partners will use the system to facilitate electronic exchanges of information between (1) a state child support enforcement agency and (2) another external child support program partner, such as an employer, a health plan administrator, or a financial institution, through OCSE. The information will be about individual participants in child support cases and will include income withholding order information, medical support information, financial institution account information, and levy file information.

The external partners will provide information to and receive information from the secure gateway system but will not have access to the information within the system. Before the new gateway system was established, the information was exchanged directly between external partners via the U.S. mail, without passing through OCSE, and that will continue to be an option.

OCSE will maintain the records in the gateway system, receiving them from one party and transmitting them to another party, in order to control the data flow and secure and protect the records and the transfer of information. OCSE will not use the information for its purposes, but will directly receive, retrieve (including by personal identifier), and disclose the information to facilitate the information exchanges. Some of the same information may exist in other OCSE systems of records, but other systems of records will not be sources of the records in this system of records. All information exchanged will originate with the external partners.

SYSTEM NAME AND NUMBER:

OCSE Data Center General Support System, HHS/ACF/OCSE, 09-80-0389.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The address of the agency component responsible for the system of records is Office of Child Support Enforcement, Administration for Children and Families, 330 C St. SW, 5th Floor, Washington, DC 20201.

SYSTEM MANAGER(S):

Deputy Commissioner, Office of Child Support Enforcement, Administration for Children and Families, Department of Health and Human Services, 330 C St. SW, 5th Floor, Washington, DC 20201, or linda.boyer@acf.hhs.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

42 U.S.C. 652, 659, 666, 669a.

PURPOSE(S) OF THE SYSTEM:

The purpose of the system of records is to support the enforcement of child support obligations by providing a secure gateway (the OCSE Data Center General Support System, or any successor system) that OCSE will use to facilitate electronic exchanges of information about individual participants in child support cases between state child support enforcement agencies and other external partners such as employers, health plan administrators, and financial institutions. The child support enforcement agencies and other external partners will use the gateway system to electronically submit information to and receive information from each other through OCSE.

The gateway system will support, for example:

• The Electronic Income Withholding Order (e-IWO) program, which provides the means to electronically exchange income withholding order information between state child support enforcement agencies and employers.
• The Electronic National Medical Support Notice (e-NMSN) program, which allows state child support enforcement agencies, employers, and health plan administrators to electronically send and receive National Medical Support Notices used to enroll children in medical insurance plans pursuant to child support orders.
• The Federally Assisted State Transmitted (FAST) Levy program, which allows states and financial institutions to exchange information about levy actions through an electronic process.

Multiple child support program partners will utilize the gateway system to electronically send and receive information:

• State child support enforcement agencies will use the system to transmit e-IWOs to employers and e-NMSNs to employers and health plan administrators. State child support enforcement agencies will also use the system to create levy actions for distribution to multiple financial institutions.
• Employers will use the system to respond to state child support enforcement agencies regarding e-IWOs and to provide information about health insurance coverage provided by the employer. Employers and health plan administrators will use the system to respond to state child support enforcement agencies regarding e-NMSNs.
• Financial institutions will use the system to receive and respond to levy actions from multiple state child support enforcement agencies.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records in the system of records are about custodial and noncustodial parents, legal guardians, and third-party caretakers who are participants in child support program cases and whose names and Social Security numbers (SSNs) are used to retrieve the records. Children's personal identifiers are not used to retrieve records in this system of records, so children are not subject individuals for purposes of this system of records.

CATEGORIES OF RECORDS IN THE SYSTEM:

The categories of records exchanged in the gateway system include:

1. Child support case information used to populate an e-IWO, which may include:

a. Name of state, tribe, territory, or private individual entity issuing an e-IWO;

b. Order ID and Case ID;

c. Remittance ID;

d. Employer/income withholder name, address, federal employer identification number (FEIN), telephone number, FAX number, email, or website;

e. Employee/obligor's name, SSN, date of birth;

f. Custodial parent's/obligee's name;

g. Child(ren)'s name(s) and date(s) of birth;

h. Income withholding amounts for current child support, past-due child support, current cash medical support, past-due cash medical support, current spousal support, past-due spousal support;

i. Child support state disbursement unit or tribal order payee name and address;

j. Judge/issuing official's name, title, and signature; and

k. Employee/obligor termination date, last known telephone number, last known address, new employer/income withholder's name and address.

2. Child support case information used to populate an e-NMSN, and medical insurance information included in e-NMSN responses from employers and health plan administrators, which may include:

a. Custodial parent/obligee's name and mailing address;

b. Substituted official/agency name and address (if custodial parent/obligee's address is left blank);

c. Name, telephone number, and mailing address of representative of child(ren);

d. Child(ren)'s name(s), gender, date of birth, and SSN;

e. Employee's name, SSN, and mailing address;

f. Plan administrator name, contact person, FAX number, and telephone number;

g. Employer and/or employer representative name, FEIN, and telephone number;

h. Date of medical support termination, reason for termination, and child(ren) to be terminated from medical support;

i. Medical insurance provider name, group number, policy number, address;

j. Dental insurance provider name, group number, policy number, address;

k. Vision insurance provider name, group number, policy number, address;

l. Prescription drug insurance provider name, group number, policy number, address;

m. Mental health insurance provider name, group number, policy number, address;

n. Other insurance, specified by name, group number, policy number, address; and

o. Plan administrator name, title, telephone number, and address.

3. Child support case information used to administer the FAST Levy program, which includes:

a. Requesting state agency name, address, and state Federal Information Processing Standard (FIPS) code;

b. Financial institution's name and FEIN;

c. Obligor's name, SSN, and date of birth;

d. Account number of account from which to withhold funds;

e. Withholding amount; and

f. Contact name, phone number, and email for point of contact in requesting state.

RECORD SOURCE CATEGORIES:

The sources of the information in the system of records include:

• State child support enforcement agencies initiating e-IWO, e-NMSN, and FAST Levy program transactions.
• Employers or authorized third parties responding to e-IWOs and e-NMSNs.
• Health plan administrators responding to e-NMSNs.
• Financial institutions responding to FAST Levy requests.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to the disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(1)-(b)(2) and (b)(4)-(b)(11), these routine uses specify circumstances under which the agency may disclose information from this system of records to a non-HHS officer or employee without the consent of the data subject. ACF will prohibit redisclosures, or may permit only certain redisclosures, as required or authorized by law. Each proposed disclosure or redisclosure of information permitted directly in the Privacy Act or under these routine uses will be evaluated to ensure that the disclosure or redisclosure is legally permissible.

Any information defined as “return” or “return information” under 26 U.S.C. 6103 (Internal Revenue Code) is not disclosed unless authorized by a statute, the Internal Revenue Service (IRS), or IRS regulations.

1. Disclosure to Financial Institution to Collect Past-Due Support. Pursuant to 42 U.S.C. 652(l), information pertaining to an individual owing past-due child support may be disclosed to a financial institution doing business in two or more states to identify an individual who maintains an account at the institution for the purpose of collecting past-due support. Information pertaining to requests by the state child support enforcement agencies for the placement of a lien or levy of such accounts may also be disclosed.

2. Disclosure of Financial Institution Information to State Child Support Enforcement Agency for Assistance in Collecting Past-Due Support. Pursuant to 42 U.S.C. 652(l), the results of a comparison between information pertaining to an individual owing past-due child support and information provided by multistate financial institutions may be disclosed to a state child support enforcement agency for the purpose of assisting the state agency in collecting past-due support. Information pertaining to responses to requests by a state child support enforcement agency for the placement of a lien or levy of such accounts may also be disclosed.

3. Disclosure to Employer to Enforce Child Support Obligations. Pursuant to 42 U.S.C. 666(b), information pertaining to an individual owing current or past-due child support may be disclosed to an employer for the purpose of collecting current or past-due support by way of an e-IWO.

4. Disclosure of Employer Information to State Child Support Enforcement Agency in Response to an e-IWO. Information pertaining to a response by an employer to an e-IWO issued by a state child support enforcement agency for the collection of child support may be disclosed to the state child support enforcement agency.

5. Disclosure to Employer and Health Plan Administrator to Enforce Medical Support Obligations. Pursuant to 42 U.S.C. 666(a)(19), information pertaining to participants in a child support case may be disclosed to an employer or a health plan administrator for the purpose of enforcing medical support for a child by way of an e-NMSN.

6. Disclosure of Employer and Health Plan Administrator Information to State Child Support Enforcement Agency in Response to an e-NMSN. Information pertaining to a response by an employer or a health plan administrator to an e-NMSN issued by a state child support enforcement agency for the enforcement of medical support may be disclosed to the state child support enforcement agency.

7. Disclosure to Department of Justice or in Proceedings. Records may be disclosed to the Department of Justice (DOJ) or to a court or other adjudicative body in litigation or other proceedings when HHS or any of its components, or any employee of HHS acting in the employee's official capacity, or any employee of HHS acting in the employee's individual capacity where the DOJ or HHS has agreed to represent the employee, or the United States Government, is a party to the proceedings or has an interest in the proceedings and, by careful review, HHS determines that the records are both relevant and necessary to the proceedings.

8. Disclosure to Congressional Office. Information may be disclosed to a congressional office from the record of an individual in response to a written inquiry from the congressional office made at the written request of the individual.

9. Disclosure to Contractor to Perform Duties. Records may be disclosed to a contractor performing or working on a contract for HHS and who has a need to have access to the information in the performance of its duties or activities for HHS in accordance with law and with the contract.

10. Disclosure in the Event of a Security Breach. a. Information may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

b. Information may be disclosed to another federal agency or federal entity when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

The records are stored electronically.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by the parent's, guardian's, or third-party caretaker's name or SSN.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Upon approval of a disposition schedule by the National Archives and Records Administration (NARA), the records will be deleted when eligible for destruction under the schedule, if the records are no longer needed for administrative, audit, legal, or operational purposes. ACF anticipates requesting NARA's approval of retention periods of approximately 60 days for the information contained in the transmission files ( i.e., long enough to confirm receipt or to resend if necessary) and up to 7 years for the audit log records. Approved disposal methods for electronic records and media include overwriting, degaussing, erasing, disintegration, pulverization, burning, melting, incineration, shredding, or sanding.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

The system leverages cloud service providers that maintain an authority to operate in accordance with applicable laws, rules, and policies, including Federal Risk and Authorization Management Program (FedRAMP) requirements. Specific administrative, technical, and physical controls are in place to ensure that the records collected, maintained, and transmitted using the OCSE Data Center General Support System are secure from unauthorized access. Access to the records within the system is restricted to authorized personnel who are advised of the confidentiality of the records and the civil and criminal penalties for misuse, and who sign a nondisclosure oath to that effect. Agency personnel are provided privacy and security training before being granted access to the records and annually thereafter. Additional safeguards include protecting the facilities where records are stored or accessed with security guards, badges, and cameras; limiting access to electronic databases to authorized users based on roles and either two-factor authentication or user ID and password (as appropriate); using a secured operating system protected by encryption, firewalls, and intrusion detection systems; reviewing security controls on a periodic basis; and using secure destruction methods prescribed in NIST SP 800-88 to dispose of eligible records. All safeguards conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/index.html.

RECORD ACCESS PROCEDURES:

To request access to a record about you in this system of records, submit a written access request to the System Manager identified in the “System Manager” section of this System of Records Notice (SORN). The request must reasonably describe the record sought and must include (for contact purposes and identity verification purposes) your full name, current address, telephone number and/or email address, date and place of birth, and signature, and (if needed by the agency) sufficient particulars contained in the records (such as your SSN) to enable the System Manager to distinguish between records on subject individuals with the same name. In addition, to verify your identity, your signature must be notarized or the request must include your written certification that you are the individual who you claim to be and that you understand that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a fine of up to $5,000. You may request that copies of the records be sent to you, or you may request an appointment to review the records in person (including with a person of your choosing, if you provide written authorization for agency personnel to discuss the records in that person's presence). You may also request an accounting of disclosures that have been made of records about you, if any.

CONTESTING RECORD PROCEDURES:

To request correction of a record about you in this system of records, submit a written amendment request to the System Manager identified in the “System Manager” section of this SORN. The request must contain the same information required for an access request and include verification of your identity in the same manner required for an access request. In addition, the request must reasonably identify the record and specify the information contested, the corrective action sought, and the reasons for requesting the correction; and should include supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

NOTIFICATION PROCEDURES:

To find out if the system of records contains a record about you, submit a written notification request to the System Manager identified in the “System Manager” section of this SORN. The request must identify this system of records, contain the same information required for an access request, and include verification of your identity in the same manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.