Privacy Act of 1974; System of Records Notice

AGENCY:

Assistant Secretary for Public Affairs (ASPA), Office of the Secretary (OS), Department of Health and Human Services (HHS).

ACTION:

Notice of an altered system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended (5 U.S.C. 552a), HHS is updating a department-wide system of records, System No. 09-90-0058, currently titled “Freedom of Information Case Files and Correspondence Control Log, HHS/OS/ASPA/FOIA.” This system of records was established prior to 1979 (see 44 FR 58144) and was previously revised in 1989 and 1994 (see 54 FR 41684 and 59 FR 55845). Due to the length of time since the last revision, the updates published in this Notice affect most sections of the System of Records Notice (SORN). The updates include changing the system name to “Tracking Records and Case Files for FOIA and Privacy Act Requests and Appeals;” expanding the scope of the system to include tracking records and case files pertaining to not only FOIA and Privacy Act requests processed in agency FOIA offices, but Privacy Act requests and appeals handled by System Managers for Privacy Act systems and related privacy personnel, when those records are retrieved by personal identifier; adding several new routine uses; and clarifying that some of the records in this system of records may be exempt from certain Privacy Act requirements. The updates are more fully explained in the SUPPLEMENTARY INFORMATION section of this Notice.

DATES:

This Notice is effective on publication, with the exception of the new and revised routine uses. The new and revised routine uses will be effective 30 days after publication of this Notice, unless comments are received that warrant a revision to this Notice. Written comments on the routine uses should be submitted within 30 days. Until the new and revised routine uses are effective, the routine uses previously published for the system will remain in effect.

ADDRESSES:

You may submit comments to Beth Kramer, HHS Privacy Act Officer, FOIA/PA Division, by email to: HHS.ACFO@hhs.gov.

FOR FURTHER INFORMATION CONTACT:

Beth Kramer, HHS Privacy Act Officer, FOIA/PA Division, Hubert H. Humphrey Building—Suite 729H, 200 Independence Avenue SW., Washington, DC 20201. Ms. Kramer can also be reached by telephone at 202-690-7453.

SUPPLEMENTARY INFORMATION:

I. Explanation of Revisions to System No. 09-90-0058

The revised System of Records Notice (SORN) published in this Notice for System No. 09-90-0058 includes the following significant changes, in addition to minor wording changes throughout:

• The system name and scope have been revised to cover not only tracking records and case files used by HHS Freedom of Information Act (FOIA) offices to process FOIA and Privacy Act requests and appeals (which typically involve only “access” to agency records), but tracking records and case files used by System Managers of Privacy Act systems and related privacy personnel to process any type of Privacy Act request or appeal (e.g., seeking access, notification, correction and amendment, or an accounting of disclosures), when those tracking records and case files are retrieved by personal identifier.
• The Categories of Individuals section has been revised to omit organizations (because the Privacy Act applies only to individuals, not entities), but not to add any additional categories of individuals besides individual FOIA and Privacy Act requesters and appellants. The result is that only an individual FOIA or Privacy Act requester or appellant may make a Privacy Act request under this SORN for access to, correction of, notification as to, or an accounting of disclosures with respect to tracking records and/or case files used by HHS to process a FOIA and/or Privacy Act request in which that individual was the requester or appellant. Further, because agency records processed in response to a third-party FOIA request are not about the requester or appellant, a provision has been added to make clear that Privacy Act rights are afforded to an individual requester or appellant only to the extent that the information in the tracking record and case file retrieved by that individual's identifier is, in fact, about that individual requester or appellant. The intent is to include in the Categories of Individuals section only individual requesters and appellants (not, for example, individual representatives who requested records under FOIA on behalf of an entity).

○ Note: Privacy Act case files and tracking records are about individual requesters and appellants only, because Privacy Act requests can only be made by an individual record subject personally, not by a third party or through a representative (unless the representative is the parent of or court-appointed guardian for a minor or legally-declared incompetent who is the record subject). The agency's position is that FOIA case files and tracking records, likewise, are about requesters and appellants only, not other individuals who may be identified in the agency records sought by FOIA requesters and appellants. This is because HHS' FOIA case files and tracking records are not keyed or indexed to individuals mentioned in records requested under FOIA, but are keyed to requesters and appellants, and because the purpose for which records are processed under FOIA is to release information about the agency (not to release information about individuals mentioned in the records to third party FOIA requesters, except as required to shed light on conduct of the agency).

• The Categories of Records section has been rewritten, to reflect two distinct categories (tracking records and case files); to describe the contents in more detail; to clarify that any classified records responsive to a FOIA request or appeal are considered part of the case file for that request or appeal, even if the classified records must be maintained in a security office instead of in the FOIA office; and to specifically exclude related categories of records covered by other SORNs, to avoid duplicating other systems of records.
• The Purposes section has been rewritten to provide a broader description of uses and users of the records within HHS. (The prior description mentioned only “FOIA correspondence and processing,” “Freedom of Information staff,” and “appeals officials and members of the Office of General Counsel.”)
• An existing routine use authorizing disclosures to contractors (routine use 2) has been revised to be more accurate in reflecting the broad purposes for which contractors may be engaged to assist HHS and require access to records in the system. (The former description was limited to “collating, aggregating, analyzing, or otherwise refining records in this system.”)
• Four new routine uses have been added (see routine uses 6 through 9).
• The System Locations and System Manager sections have been updated with current information and expanded to be consistent with the scope of the system.
• The Policies and Practices section has been revised. Specifically, the Storage and Safeguards descriptions have been revised to reflect that any of the records (not just tracking records) may be maintained electronically, and to include safeguards applicable to classified records. The Retention description has been updated to refer to new General Records Schedule (GRS) 4.2, issued August 2015 (superseding GRS 14).
• The Exemptions section has been changed from stating “none” to including an explanation that certain records in this system may be exempt if they are from other Privacy Act systems that have promulgated exemptions.

Because the revised SORN includes significant changes, a report on the altered system has been sent to Congress and OMB in accordance with 5 U.S.C. 552a(r).

II. Background on the Privacy Act Requirement To Publish a System of Records Notice

The Privacy Act governs the means by which the U.S. Government collects, maintains, and uses information about individuals in a system of records. A “system of records” is a group of any records under the control of a federal agency from which records about individuals are retrieved by the individuals' names or other personal identifiers. While FOIA entitles any person to seek access to agency records, an individual has a right of access under the Privacy Act, in addition to FOIA, with respect to agency records about him that are maintained in a Privacy Act system of records. The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purposes for which the agency uses information about individuals in the system, the routine uses for which the agency discloses such information to parties outside the agency, and how an individual record subject can exercise his rights under the Privacy Act (e.g., to request notification of whether the system contains records about him, or to request access to or correction or amendment of his records).

SYSTEM NUMBER:

09-90-0058

SYSTEM NAME:

Tracking Records and Case Files for FOIA and Privacy Act Requests and Appeals.

SECURITY CLASSIFICATION:

Classified and Unclassified.

SYSTEM LOCATIONS:

Physical locations for the case files and tracking records covered by this SORN include:

• The HHS Freedom of Information/Privacy Acts Division within the Office of the Assistant Secretary for Public Affairs (ASPA) in Washington, DC;
• HHS FOIA Requester Service Centers in Washington, DC; Baltimore, MD; Bethesda, MD; Research Triangle, NC; Rockville, MD; and Atlanta, GA;
• Any contractor locations that support FOIA and/or Privacy Act request processing (for example, the Centers for Medicare & Medicaid Services (CMS) uses contractors located near its Regional Offices in Boston, MA; New York, NY; Philadelphia, PA; Atlanta, GA; Chicago, IL; Dallas, TX; Kansas City, MO; Denver, CO; San Francisco, CA; and Seattle, WA);
• Server locations for electronic systems used by HHS FOIA offices, System Managers, and/or related privacy personnel (for example, server locations for agency-developed FOIA systems include Bethesda, MD for the system used by National Institutes of Health; White Oak, MD and Ashburn, VA for the system used by the Food and Drug Administration; and Baltimore, MD for the system used by CMS and PSC; locations for commercial off-the-shelf FOIA systems include Gaithersburg, MD for FOIAXpress and Washington, DC for the Request Management System);
• Security office locations where classified records responsive to FOIA and Privacy Act requests may be stored, including the Office of Security and Strategic Information (OSSI) in Washington, DC; and
• System Manager locations identified in each SORN posted at http://www.hhs.gov/foia/privacy/sorns.html , where any tracking records and case files used by System Managers and related privacy personnel to process Privacy Act requests and appeals would be maintained.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records in this system of records pertain to individual FOIA and Privacy Act requesters and appellants only. Individual FOIA and Privacy Act requesters and appellants include:

• Any individual who the agency treated as the requester or appellant for an access request or appeal that was received in or referred to a HHS FOIA office for processing under FOIA (and under the Privacy Act, if applicable), excluding individual representatives who requested records under FOIA on behalf of an entity; and
• Any individual who made any type of Privacy Act request or appeal that was received by or referred to the System Manager (or related privacy personnel) for the relevant HHS Privacy Act system of records for handling—but only if the System Manager's (or related privacy personnel's) Privacy Act tracking records and case files are retrieved by requester or appellant identifier.

For a FOIA request or appeal involving non-Privacy Act records, the individual treated as the requester or appellant may have made the FOIA request or appeal personally, through a representative, or as a representative for another individual. For a Privacy Act request or appeal, the individual requester or appellant may have made the request or appeal personally, or as the parent of or court-appointed guardian for a minor or legally-declared incompetent who is the subject of the records, or with the prior, written consent of the record subject. When any of the aforementioned individual requesters or appellants seeks to exercise Privacy Act rights under this SORN with respect to the tracking record and case file pertaining to his or her FOIA or Privacy Act request or appeal, the information in the tracking record and case file must be about him, as required by 5 U.S.C. 552a(a)(4) (i.e., not merely be retrieved by his identifier), for the individual to be afforded Privacy Act rights with respect to those records.

CATEGORIES OF RECORDS IN THE SYSTEM:

Records consist of tracking records and case files for FOIA and Privacy Act requests and appeals made by individuals. This system of records excludes tracking records and case files for FOIA requests and appeals made by or on behalf of entities.

Tracking records typically include the requester/appellant's name and contact information, case tracking number, date of request or appeal, a brief description of the request or appeal, processing status, and response date or appeal decision date. A tracking record for a FOIA request may include additional information, such as the requester's fee category and whether expedited processing or a fee waiver or reduction was sought and was granted or denied.

A case file typically includes a copy of the request and any appeal, which would include the requester/appellant's name; contact information; a description of the records that were the subject of the access, correction, or other request; issues raised on appeal; copies of any documents included with the request or appeal; the case tracking number; the agency's response letter and any appeal decision letter; copies of records responsive to the request; correspondence about the request or appeal with the requester and with other involved parties and agencies; and any fee-related information. A case file also may include identity verification documents and information (such as photocopies of the requester's driver's license, passport, alien or voter registration card, or union card; identifying particulars about the records sought, such as an account number; or a statement certifying that the requester is the individual who he or she claims to be) if the case file pertains to a first-party request; a consent form signed by an individual record subject, authorizing HHS to provide records about that individual to a third party; and photocopies of documents establishing a parent, guardian, or other legal relationship (such as a court order or birth certificate) if the request or appeal was made by a legal representative. Any classified records responsive to a FOIA request or appeal are considered to be part of the FOIA case file, even if maintained in a security office instead of in the FOIA case file.

Note that the scope of this system of records excludes the following related records:

• Litigation files maintained in the HHS Office of General Counsel related to requests covered in this system of records (see instead the SORN for System No. 09-90-0064 “Litigation Files, Administrative Complaints and Adverse Personnel Actions”);
• Records pertaining to Privacy Act violation claims (see instead the SORNs for System Nos. 09-90-0062 “Administrative Claims” and 09-90-0064 “Litigation Files, Administrative Complaints and Adverse Personnel Actions”); and
• Records about agency personnel who process FOIA and Privacy Act requests (see instead SORNs covering personnel records; e.g., 09-90-0018 “Personnel Records in Operating Offices,” 09-40-0001 “Public Health Service (PHS) Commissioned Corps General Personnel Records,” and OPM/GOVT-2 “Employee Performance File System Records”).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

5 U.S.C. 552, 552a; 44 U.S.C. 3301.

PURPOSE(S) OF THE SYSTEM:

FOIA and Privacy Act tracking records and case files are used on a need-to-know basis within the agency, primarily by FOIA office personnel, FOIA Coordinators and subject matter experts in program offices who locate and provide records responsive to requests, attorneys in the Office of General Counsel, Privacy Officers, and System Managers for Privacy Act systems of records. HHS uses the tracking records and case files to:

• Track, process, and respond to the requests and any related administrative appeals, litigation, and mediation actions and communicate with the requesters and appellants;
• locate records responsive to requests and appeals and verify the identity of first-party requesters and appellants;
• identify related requests and records frequently requested under FOIA and generate publicly-releasable versions of FOIA request logs;
• provide aggregate and statistical data for reports and facilitate management and oversight reviews of FOIA and Privacy Act operations; and
• share relevant information with other HHS offices that manage related matters arising from processing FOIA and Privacy Act requests and appeals, such as investigating erroneous release incidents and responding to lawsuits alleging Privacy Act violation claims or other claims. (Records used for such purposes, if retrieved by personal identifier, would be covered under other SORNs.)

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

The Privacy Act allows us to disclose information without an individual's consent to parties outside the agency if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a “routine use.” The proposed routine uses in this system meet the compatibility requirement of the Privacy Act. To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation “Standards for Privacy of Individually Identifiable Health Information” (45 CFR parts 160 and 164, 65 FR 82462 (December 28, 2000), Subparts A and E), disclosures of such PHI that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information.” This system may make the following routine use disclosures:

1. Records may be disclosed to the Department of Justice (DOJ) for the purpose of obtaining DOJ's advice as to whether or not records are required to be disclosed under FOIA and/or the Privacy Act in response to an access request.

2. Records may be disclosed to federal agencies and Department contractors that have been engaged by HHS to assist in accomplishing an HHS function related to the purposes of the system and that need to have access to the records in order to assist HHS. Any contractor will be required to comply with the requirements of the Privacy Act of 1974 and appropriately safeguard the records. These safeguards are explained in the “Safeguards” section.

3. Records may be disclosed to student volunteers and other individuals performing functions for the Department but technically not having the status of agency employees, if they need access to the records in order to perform their assigned agency functions.

4. Records may be disclosed to a Member of Congress or to a congressional staff member in response to a written inquiry of the congressional office made at the written request of the constituent about whom the record is maintained. The Member of Congress does not have any greater authority to obtain records than the individual would have if requesting the records directly.

5. Records may be disclosed to the Department of Justice (DOJ) or to a court or other tribunal when:

a. The agency or any component thereof, or

b. any employee of the agency in his or her official capacity, or

c. any employee of the agency in his or her individual capacity where DOJ has agreed to represent the employee, or

d. the United States Government, is a party to litigation or has an interest in such litigation and, by careful review, HHS determines that the records are both relevant and necessary to the litigation and that, therefore, the use of such records by the DOJ, court, or other tribunal is deemed by HHS to be compatible with the purpose for which the agency collected the records.

6. Records may be disclosed to another federal, foreign, state, local, tribal, or other public agency with an interest in or control over information in records responsive to or otherwise related to an access or amendment request, for the following purposes:

a. Consulting the other agency for its views about providing access to the information or assistance in verifying the identity of an individual or the accuracy of information sought to be amended or corrected;

b. informing the other agency of HHS' response or intended response to the request; or

c. referring the request to the most appropriate federal agency for response.

7. The identity of the requester or appellant may be disclosed to a submitter of business records that are sought by that requester or appellant, when obtaining the submitter's views concerning release of the submitter's business information under FOIA.

8. Records may be disclosed to the National Archives and Records Administration, Office of Government Information Services (OGIS), to the extent necessary to fulfill its responsibilities under 5 U.S.C. 552(h) to review administrative agency policies, procedures, and compliance with FOIA, and to facilitate OGIS' offering of mediation services to resolve disputes between persons making FOIA requests and administrative agencies.

9. Records may be disclosed to appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, when the information disclosed is relevant and necessary for that assistance.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM—

STORAGE:

Electronic records are stored in secure electronic tracking and/or storage applications, and on compact disks, DVDs, and network drives. Hard-copy files are stored at office locations, in file rooms, shelves, safes, cabinets, bookcases or desks.

RETRIEVAL:

Records are retrieved by personal identifier (i.e., requester or appellant name).

SAFEGUARDS:

Safeguards conform to the HHS Information Security and Privacy Program, http://www.hhs.gov/ocio/securityprivacy/index.html and HHS Office of Security and Strategic Information (OSSI) policies regarding classified information, and include the following:

Administrative Safeguards: Authorized users are limited to HHS employees and officials who are responsible for processing FOIA and Privacy Act requests and appeals, authorized personnel of any contractors or federal agencies assisting HHS with those functions, and any other authorized individuals who work for HHS and assist HHS with those functions but technically do not have the status of agency employees. Only personnel with a “need to know” and appropriate security clearances issued by OSSI or the Office of Inspector General (OIG) regarding OIG personnel are allowed to access classified records. Each user's access is limited, based on the user's role, to the records that are essential to the user's duties. Security safeguards are imposed on contractors through inclusion of Privacy Act-required clauses in contracts and through monitoring by contract and project officers.

Technical Safeguards: Access to electronic systems and records is controlled and protected by a secure log-in method (using passwords that are unique, complex, and frequently changed), time-out features, NSA and/or NIST-approved encryption methods, firewalls, intrusion detection systems, and cybersecurity monitoring systems.

Physical Safeguards: Hard-copy records and records displayed on computer screens are protected from the view of unauthorized individuals while the records are in use by an authorized employee. Hard-copy records and electronic storage media are secured during nonbusiness hours in locked file cabinets, locked desk drawers, locked offices, or locked storage areas. Office buildings are protected by cameras and uniformed guards. When records are photocopied, printed, scanned, or faxed for authorized purposes, care is taken to ensure that no copies are left where they can be read by unauthorized individuals. When eligible for destruction, records are securely disposed of using destruction methods prescribed by NSA and/or NIST SP 800-88.

RETENTION AND DISPOSAL:

Records are retained and disposed of in accordance with General Records Schedule (GRS) 4.2 “Information Access and Protection Records” (superseding GRS 14 “Information Services Records”), which prescribes retention periods ranging from approximately two years to six years after final agency action or adjudication by a court, date of closure, or last entry. For specific periods, see GRS 4.2 Items 020 access and disclosure request files; 030 general administrative (tracking) records; 050 Privacy Act accounting of disclosure files; and 090 Privacy Act amendment request files.

SYSTEM MANAGER(S) AND ADDRESS(ES):

HHS Privacy Act Officer, Freedom of Information/Privacy Acts Division, OS/ASPA, Hubert H. Humphrey Building—Suite 729H, 200 Independence Avenue SW., Washington, DC 20201.

NOTIFICATION PROCEDURE:

An individual who wishes to know if this system contains tracking records and case files for FOIA and Privacy Act requests or appeals in which he was the requester or appellant must submit a written request to the System Manager identified above. The request should include the full name of the individual, information to verify the individual's identity, and the individual's current address.

RECORD ACCESS PROCEDURE:

An individual requester or appellant may request access to tracking records and case files about his FOIA or Privacy Act request or appeal by making a written request to the System Manager identified above, and by identifying or describing the records sought, providing information to verify his identity, and including his current address.

CONTESTING RECORD PROCEDURES:

An individual may contest information in tracking records and case files about his FOIA or Privacy Act request or appeal by contacting the System Manager identified above, and by identifying the information contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

RECORD SOURCE CATEGORIES:

Information is obtained from individual requesters and appellants, responsive records, program offices that provide responsive records, and personnel at HHS, other agencies, and outside organizations (e.g., consultants and business submitters) who provide information relevant to processing the requests.

EXEMPTIONS CLAIMED FOR THIS SYSTEM:

This system of records is not a type of system eligible to promulgate exemptions under subsections (j) and (k) of the Privacy Act (5 U.S.C. 552a(j), (k)); however, any record in this system that is from another Privacy Act system of records that has promulgated exemptions will be exempt from access and other requirements of the Privacy Act if and to the same extent that the record is exempt from such requirements in the source system. Records in this system that are from a system described in 5 U.S.C. 552a(j)(2) may be exempt from the requirements in these subsections of the Privacy Act: (c)(3), (c)(4), (d), (e)(1), (e)(2), (e)(3), (e)(4)G), (e)(4)(H), (e)(4)(I), (e)(5), (e)(8), (e)(12), (f), (g), and (h). Records in this system that are from a system described in 5 U.S.C. 552a(k) may be exempt from the requirements in these subsections of the Privacy Act: (c)(3), (d), (e)(1), (e)(4)G), (e)(4)(H), (e)(4)(I), and (f). Any records compiled in reasonable anticipation of a civil action or proceeding are excluded from the Privacy Act access requirement in all systems of records, as provided in 5 U.S.C. 552a(d)(5).