Privacy Act of 1974; System of Records Revision

AGENCY:

Food and Nutrition Service (FNS), USDA.

ACTION:

Notice of a proposed modified system of records.

SUMMARY:

Pursuant to the provisions of the Privacy Act of 1974, and Office of Management and Budget (OMB) Circular No. A-108, notice is given that a component agency, the Food and Nutrition Service (FNS) of the U.S. Department of Agriculture (USDA) is proposing to modify the system of records, currently titled USDA/FNS-11, “Information on Persons Identified as Responsible for Serious Deficiencies, Proposed for Disqualification, or Disqualified to Participate as Principals or Family Day Care Home Operators in the Child and Adult Care Food Program (CACFP),” 69 FR 6933, published February 12, 2004, to include unaffiliated centers and responsible individuals of unaffiliated centers terminated or otherwise disqualified from participating in the Child and Adult Care Food Program, and service institutions and responsible individuals that have been terminated or otherwise disqualified from participation in the Summer Food Service Program (SFSP). The system of records will continue to include the records of institutions, day care home providers, and responsible individuals who have been terminated or otherwise disqualified from participation in the Child and Adult Care Food Program.

DATES:

In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is effective upon publication, subject to a 30-day notice and comment period in which to comment on the routine uses described in the routine uses section of this system of records notice. Please submit your comments by October 1, 2021.

ADDRESSES:

You may submit comments, USDA/FNS-11, by one of the following methods:

• Federal eRulemaking Portal: http://www.regulations.gov provides the ability to type short comments directly into the comment field on this web page or attach a file for lengthier comments. Follow the online instructions at that site for submitting comments.
• Ms. Andrea Farmer, Chief, Community Meals Program Monitoring Branch, Child Nutrition Programs, Food and Nutrition Service, Braddock Metro Center II, 1320 Braddock Place, Alexandria, VA 22314.
• Instructions: All submissions received must include the agency name and docket number for this rulemaking. All comments received will be posted without change to http://www.regulations.gov,, including any personal information provided.
• Docket: For access to the docket to read background documents or comments received go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT:

For general questions please contact Stephanie Means via telephone at 312-353-7270 or via email at SM.fn.Privacy-FNS@usda.gov.

SUPPLEMENTARY INFORMATION:

FNS maintains a list of institutions and individuals who have been disqualified from participating in CACFP and/or SFSP. The State agencies access the list to ensure that no one participating in either Program in their state has been disqualified.

State agencies provide the information about the disqualifications they impose by submitting the information to the NDL. FNS reviews and approves the information. This information is then accessible to all State agencies that participate in this matching program to help determine CACFP and/or SFSP eligibility.

In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the Department of Agriculture's (“Department” or “USDA”) Food and Nutrition Service (FNS) proposes to modify the system of records titled, USDA/FNS-11, “Information on Persons Identified as Responsible for Serious Deficiencies, Proposed for Disqualification, or Disqualified to Participate as Principals or Family Day Care Home Operators in the Child and Adult Care Food Program (CACFP).” This includes modifying the title to “USDA/FNS-11, National Disqualified List (NDL)—Information on Entities Disqualified from Participation in the Child and Adult Care Food Program (CACFP) and Summer Food Service Program (SFSP).”

The NDL system of records currently contains a list of institutions, responsible individuals, and family day care home providers that have been disqualified by State agencies from participating in CACFP. The NDL system of records is being modified to include unaffiliated centers and responsible individuals of unaffiliated centers terminated or otherwise disqualified from participating in the CACFP. The NDL system of records is also being revised to include service institutions and responsible individuals of service institutions that have been terminated or otherwise disqualified from participating in the SFSP as required by Section 322 of the Healthy, Hunger-Free Kids Act of 2010 (HHFKA), Public Law 111-296 (requiring the Secretary to maintain a list of service institutions and individuals that have been terminated or disqualified from SFSP and to make this list available to State agencies for use in approving or renewing service institutions' applications for SFSP participation).

Responsible individual means: A principal, whether compensated or uncompensated, who the State agency or FNS determines to be responsible for a serious deficiency; any other individual employed by, or under contract with, a sponsoring organization who the State agency or FNS determines to be responsible a serious deficiency; or an uncompensated individual who the State agency or FNS determines to be responsible for a serious deficiency.

FNS will share information from the system in accordance with the requirements of the Privacy Act. A full list of routine uses is included in the routine uses section of the document published with this notice.

In accordance with 5 U.S.C. 552a(r), USDA has provided a report of this system of records to the Office of Management and Budget and to Congress.

SYSTEM NAME AND NUMBER:

USDA/FNS-11, “Information on Persons Identified as Responsible for Serious Deficiencies, Proposed for Disqualification, or Disqualified to Participate as Principals or Family Day Care Home Operators in the Child and Adult Care Food Program (CACFP),” and also referred to as the National Disqualified List or NDL.

This notice proposes to modify the system name to: “National Disqualified List (NDL)—Information on Entities Disqualified from participation in the Child and Adult Care Food Program (CACFP) and Summer Food Service Program (SFSP).”

SECURITY CLASSIFICATION:

None.

SYSTEM LOCATION:

This system of records is under the control of the Deputy Administrator, Child Nutrition Programs, FNS, USDA, 1320 Braddock Pl., Alexandria, Virginia 22314.

The data on institutions, service institutions, unaffiliated centers, day care home providers, and responsible individuals who have been disqualified from participation in the CACFP and/or SFSP will be maintained within the NDL system of records.

SYSTEM MANAGER(S):

Branch Chief, Community Meals Program Monitoring Branch, Child Nutrition Programs, Food and Nutrition Service, USDA, (703)305-2470, 1320 Braddock Pl., Alexandria, Virginia 22314.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Section 243(c) of Public Law 106-224, the Agricultural Risk Protection Act of 2000, which amended section (42 U.S.C. 1766(d)(5)(E)(i) and (ii)) of the Richard B. Russell National School Lunch Act

PURPOSE(S) OF THE SYSTEM:

The purpose of modifying the system of records is to continue to promote integrity in the CACFP and SFSP (“Program(s)”) by providing Program-administering States and CACFP sponsoring organizations with the names of institutions, service institutions, responsible individuals, unaffiliated centers, and family day care home providers that have been terminated or otherwise disqualified from participating in either Program. Once disqualified, these institutions, service institutions, responsible individuals, unaffiliated centers, and family day care home providers are prohibited from participating in either Program for seven years from the effective date of the disqualification, and until any debt under either Program is paid.

Institutions, service institutions, responsible individuals, unaffiliated centers, and family day care home providers may be removed from the NDL system of records before seven years if the Program-administering States and FNS concur that any Program violation that caused their placement on the NDL system of records has been corrected. However, no institution, service institution, responsible individual, unaffiliated center, or family day care home provider may be removed from the NDL system of records if they owe a debt under either Program. Program-administering States and CACFP sponsoring organizations must verify that Program applicants are not on the NDL system of records prior to approval or renewal of participation in the Program. Similarly, CACFP sponsoring organizations must check the NDL system of records to verify that any new employee that will be paid for using Program funds or that will be working in either Program is not on the NDL before hiring.

Maintaining the NDL system of records and making it available to Program-administering States and CACFP sponsoring organizations provides them with a tool for promoting Program integrity by preventing several situations from occurring. First, it prevents institutions, service institutions, or unaffiliated centers whose Program agreements were terminated for cause in one State from reapplying for Program participation in another State. Second, it prevents responsible individuals disqualified from either Program from continuing to be involved in Program administration by forming a new corporate entity and entering the Program under a different organizational name. Third, it prevents responsible individuals associated with a disqualified institution, service institution, or unaffiliated center from re-entering the Program as a family day care home provider, or as a responsible individual with another institution, service institution, or sponsored center. Finally, it prevents family day care home providers terminated for cause by one sponsoring organization from re-entering the Program under the auspices of a different sponsoring organization.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Categories of individuals covered by this system include, but not limited to, responsible individuals and principals of centers and day care home providers that have been terminated or otherwise disqualified from participation in the CACFP. The system also contains information on responsible individuals and principals of service institutions that have been terminated or otherwise disqualified from participation in the SFSP. All individuals, even if they are not users of the USDA/FNS-11, who are mentioned or referenced in any documents entered into USDA/FNS-11 by a user are also covered. This group may include, but is not limited to: Vendors, agents and other business personnel.

CATEGORIES OF RECORDS IN THE SYSTEM:

Categories of records in the system will be modified to include the following information from unaffiliated centers and responsible individuals of unaffiliated centers that have been terminated or otherwise disqualified from participation in the CACFP, and service institutions and responsible individuals of service institutions that have been terminated or otherwise disqualified from participation in the SFSP:

• Full name, previously used names;
• date of birth;
• state and locality in which the disqualification occurred;
• addresses of businesses and individuals;
• disqualification start date;
• reason for disqualification;
• Federal Employer Identification Number (FEIN) or Dun and Bradstreet Data Universal Numbering System (DUNS);
• disqualifying State agency;
• any debt owed;
• supporting documentation such as notices of proposed termination and disqualification; and,
• for records of institutions, service institutions, unaffiliated centers, or individuals requesting early removal, corrective action plans to correct Program violations that led to placement on the NDL system of records.

RECORD SOURCE CATEGORIES:

Information in this system of records is provided to FNS by Program-administering State agencies. The FNS appropriate regional office will approve the information and can assist the State agency in entering or correcting the information. The FNS national office can also alter information in the system as needed.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records contained in this system may be disclosed outside USDA as a routine use pursuant to 5 U.S.C. 552a(b)(3), to the extent that such uses are compatible with the purposes for which the information was collected. Such permitted routine uses include the following:

(1) To the Department of Justice when: (a) USDA or any component thereof; or (b) any employee of USDA in his or her official capacity, or any employee of the agency in his or her individual capacity where the Department of Justice has agreed to represent the employee; or (c) the United States Government, is a party to litigation or has an interest in such litigation, and USDA determines that the records are both relevant and necessary to the litigation and the use of such records by the Department of Justice is deemed by USDA to be for a purpose that is compatible with the purpose for which USDA collected the records.

(2) In an appropriate proceeding before a court, grand jury, or administrative or adjudicative body or official, when the USDA or other Agency representing the USDA determines that the records are both relevant and necessary to the proceeding; or in an appropriate proceeding before an administrative or adjudicative body when the adjudicator determines the records to be relevant to the proceeding.

(3) To a congressional office in response to an inquiry from that congressional office made at the written request of the individual about whom the record pertains.

(4) To the National Archives and Records Administration or other Federal government agencies pursuant to records management activities being conducted under 44 U.S.C. 2904 and 2906.

(5) To an agency, organization, or individual for the purpose of performing audit or oversight operations as authorized by law, but only such information as is necessary and relevant to such audit or oversight function.

(6) To other Federal agencies or non-Federal entities under approved computer matching efforts, limited to only those data elements considered relevant to determine eligibility under particular benefit programs administered by those agencies or entities or by USDA or any component thereof, to improve program integrity, and to collect debts and other monies owed under those programs.

(7) To another Federal agency or Federal entity, when information from this system of records is reasonably necessary to assist the recipient agency or entity in: (1) Responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

(8) To appropriate agencies, entities, and persons when: (1) USDA suspects or has confirmed that there has been a breach of the system of records; (2) USDA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, USDA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with USDA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

(9) To contractors and their agents, grantees, experts, consultants, and other performing or working on a contract, service, grant, cooperative agreement, or other assignment for the USDA, when necessary to accomplish an agency function related to this system of records.

(10) When a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, USDA may disclose the record to the appropriate agency, whether Federal, foreign, State, local, or tribal, or other public authority responsible for enforcing, investigating, or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to any enforcement, regulatory, investigative or prosecutive responsibility of the receiving entity.

(11) USDA/FNS may disclose information from this system of records on individuals who have been disqualified from participation in the CACFP and/or SFSP to every agency that administers the CACFP and/or SFSP directly in the States and to every sponsoring organization participating in CACFP. The information will be available to the State agency directors and staff members, who make decisions about application approval or termination from participation in the program or, in the case of sponsoring organizations, make hiring decisions or submit applications for approval of day care home providers to the State agency.

(12) To the news media and the public, with the approval of the Chief Privacy Officer, the Office of Communications and in consultation with counsel, unless it is determined that release of the specific information in the context of a particular case would constitute an unwarranted invasion of personal privacy.

(13) USDA will disclose information about individuals from this system of records in accordance with the Federal Funding Accountability and Transparency Act of 2006 (Pub. L. 109-282; codified at 31 U.S.C. 6101, et seq.); section 204 of the E-Government Act of 2002 (Pub. L. 107-347; 44 U.S.C. 3501 note), and the Office of Federal Procurement Policy Act (41 U.S.C. 403 et seq.), or similar statutes requiring agencies to make available publicly information concerning Federal financial assistance, including grants, subgrants, loan awards, cooperative agreements and other financial assistance; and contracts, subcontracts, purchase orders, task orders, and delivery orders.

(14) Disclosures pursuant to 5 U.S.C. 552a(b)(12). Disclosures may be made from this system to “consumer reporting agencies” as defined in the Fair Credit Reporting Act (15 U.S.C. 1681a(f)) or the Debt Collection Act of 1982 (31 U.S.C. 3711(d)(4)).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

State agencies and FNS can view records in the NDL. eAuthentication level 2 clearance is required to enter, change or view records in the system. Records are maintained electronically. The NDL also contains three notices for each disqualification. These paper notices were mailed to the disqualified individuals and uploaded in the NDL as PDFs. Although NDL records are electronic, State agencies and FNS Regional Offices keep paper copies of the uploaded notices.

For FNS and Program-administering States, records may be retrieved by the individual's name and date of birth for responsible individuals and day care home providers, in addition to FEIN or DUNS number for institutions, service institutions, and unaffiliated centers.

CACFP sponsoring organizations identify records for retrieval using name and state.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Currently, records remain in the NDL after the disqualification expires with a changes status of removed. This process will change to delete all records three years after disqualification expires.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

NDL system of records Username/Password: NDL user IDs and passwords are used to limit access to the application. Access is controlled through USDA eAuthentication service. NDL requires a Level 1 or Level 2 access. Level 1 users are automatically provided restricted access to the application. Level 2 users have managed access within the application.

The NDL system accomplishes this functionality by requiring that a specific role be assigned to each user. Sponsoring organizations have e-Authentication level 1 clearance allowing them to view individuals' names, other legal names, state, termination date, disqualified status, whether a debt is owed, and pending status. For institutions, they may view institutions' names and previous names, full address, termination date, disqualified status, whether a debt is owed, and pending status.

State agency and FNS users have e-Authentication level 2 clearance, which allows them to view the information listed above, in addition to date of birth and individuals' full addresses. Currently, all States and four territories have access to the NDL with e-Authentication level 2 clearance. Once identified, the system uses the existing functionality within the FNS General Support System platform to selectively control permissions by role. As mentioned, controls for e-Authentication level 1 users include restricting information view privileges by removing dates of birth and individuals' full addresses from view. e-Authentication level 2 can view all the data.

NDL Application software roles: Users with eAuthentication level 2 credentials are assigned roles which determine the level of access they have within NDL.

Server to Server and Client to/from Server communications encryption: Secure Socket Layer (SSL) with 128-bit encryption has been applied to all the application servers, which are only available through FNS Intranet connection. In addition, all communications between servers will be encrypted.

Vulnerabilities and anti-virus: Known vulnerabilities are regularly identified and resolved. Many tools, such as Tenable and Splunk are used scan resources. The sources for these scan services include vendors and the National Vulnerability Database. Industry best practices are followed to resolution. Users on client machines do not have local administrative rights, which maintain low vulnerability. Users have the ability to intentionally or accidentally download and install malicious code. This risk is mitigated using a multi-layered approach. First, anti-virus applications are deployed to all client machines and virus definitions are automatically updated daily using a centrally managed update server. Second, all systems are monitored and randomly inspected for unauthorized software. DISC EDC employs Retina for daily scans of VMs and configured environments to identify vulnerabilities and alert appropriate personnel.

RECORD ACCESS PROCEDURES:

Individuals seeking notification of and access to any record contained in this system of records, or seeking to contest its content, may submit a request in writing to the Headquarters or component's FOIA Officer, whose contact information can be found at https://www.dm.usda.gov/foia/poc.htm. If an individual believes more than one component maintains Privacy Act records concerning him or her, the individual may submit the request to the Chief FOIA Officer, Department of Agriculture, 1400 Independence Avenue SW, Washington, DC 20250.

The request should include a daytime phone number and email. Provide as much information as possible about the subject matter of the records you are requesting. This will help facilitate the search process.

When seeking records about yourself from this NDL system of records, or any other Departmental system of records, your request must conform with the Privacy Act regulations set forth in 7 CFR 1.112 (Procedures for requests pertaining to individual records in a record system). You must submit a written request in accordance with the instructions set forth in the system of records.

Provide your full name, date, name of system of records, and either (1) have your signature witnessed by a notary; or (2) include the following statement immediately above the signature on your request letter: “I declare under penalty of perjury that the foregoing is true and correct. Executed on [date].” Requests that do not contain the required declaration will be processed under the Freedom of Information Act (FOIA), and, if records are found, you may not receive as much information, including information about you. If additional information is required to fulfill a Privacy Act request, you will be notified.

When the request is for one of access, the request should include the full name of the individual making the request, the name of the system of records, and a statement of whether the requester desires to make a personal inspection of the records or to be supplied with copies by mail or email.

In accordance with 7 CFR 1.113, prior to inspection of the records, the requester shall present sufficient identification (e.g., driver's license, employee identification card, social security card, credit cards) to establish that the requester is the individual to whom the records pertain. No identification shall be required, however, if the records are required by 5 U.S.C. 552 to be released. If FNS determines to grant the requested access, fees may be charged in accordance with § 1.120 before making the necessary copies. In place of a notarization, your signature may be submitted under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization.

CONTESTING RECORD PROCEDURES:

Individuals seeking to contest or amend records maintained in this system of records must direct their request to the address indicated in the “RECORD ACCESS PROCEDURES” paragraph, above and must follow the procedures set forth in 7 CFR part 1, subpart G, § 1.116 (Request for correction or amendment to record). All requests must state clearly and concisely what record is being contested, the reasons for contesting it, and the proposed amendment to the record. A determination whether a record may be amended will be made within 10 days of its receipt.

NOTIFICATION PROCEDURES:

Individuals may be notified if a record in this system of records pertains to them when the individuals request information utilizing the same procedures as those identified in the “RECORD ACCESS PROCEDURES” paragraph, above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

https://www.federalregister.gov/documents/2004/02/12/04-3116/privacy-act-proposed-new-system-of-records.