Privacy Act of 1974; System of Records
| Published date | 27 August 2020 |
| Citation | 85 FR 53004 |
| Record Number | 2020-18805 |
| Section | Notices |
| Court | Centers For Disease Control And Prevention,Health And Human Services Department |
Federal Register, Volume 85 Issue 167 (Thursday, August 27, 2020)
[Federal Register Volume 85, Number 167 (Thursday, August 27, 2020)]
[Notices]
[Pages 53004-53007]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-18805]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Disease Control and Prevention
[Docket No. CDC-2020-0088]
Privacy Act of 1974; System of Records
AGENCY: Centers for Disease Control and Prevention (CDC), Department of
Health and Human Services (HHS).
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, as amended, the Department of Health and Human Services (HHS) is
establishing a new system of records to be maintained by the Centers
for Disease Control and Prevention, 09-20-0180, ``Electronic Import
Permit Program Portal (eIPP Portal).'' The system of records will be
used by CDC to monitor the importation of infectious biological agents,
infectious substances, and vectors of human disease.
DATES: The modified system of records is applicable August 27, 2020,
subject to a 30-day period in which to comment on the routine uses.
Written comments must be received on or before September 28, 2020.
ADDRESSES: You may submit comments, identified by Docket No. CDC-2020-
0088 by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Mail: Beverly Walker, Chief Privacy Officer, CDC Privacy
Unit, CyberSecurity Program Office (CSPO), Centers for Disease Control
and Prevention, 4770 Buford Hwy., Mailstop S101, Atlanta, GA 30341.
Instructions: All submissions received must include the agency name
and Docket Number. All relevant comments received will be posted
without change to https://regulations.gov, including any personal
information provided. Therefore, do not include any information in your
comment or supporting materials that you consider confidential or
inappropriate for public disclosure. For access to the docket to read
background documents or comments received, go to https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Beverly Walker, Chief Privacy Officer,
CDC Privacy Unit, CyberSecurity Program Office (CSPO), Centers for
Disease Control and Prevention, 4770 Buford Hwy., Mailstop S101,
Atlanta, GA 30341. Telephone: 770-488-8524.
SUPPLEMENTARY INFORMATION:
I. Background on the CDC Import Permit Program
Under the authority of Section 361 of the Public Health Service Act
(PHS Act) (42 U.S.C. 264), the HHS Secretary makes and enforces such
regulations as in his/her judgment are necessary to prevent the
introduction, transmission, or spread of communicable diseases from
foreign countries into the U.S. states or territories. For purposes of
carrying out and enforcing such regulations, the HHS Secretary may
authorize a variety of public health measures, including inspection,
fumigation, disinfection, sanitation, pest extermination, destruction
of animals or articles found to be sources of dangerous infection to
human beings, and other measures. The Foreign Quarantine regulations
(42 CFR part 71) set forth provisions to prevent the introduction,
transmission, and spread of communicable disease from foreign countries
into the United States. Part 71, Subpart F (Importations) contains
provisions governing the importation of infectious biological agents,
infectious substances, and vectors (42 CFR 71.54), including requiring
persons to obtain a permit issued by the CDC before importing, or
distributing after import, any of these materials. The purpose of the
import permit requirement and permitting process is to prevent the
introduction, transmission, or spread of communicable diseases from
foreign countries into the U.S. states or territories. Before issuing
an import permit, the CDC Division of Select Agents and Toxins, Import
Permit Program (CDC/IPP) reviews the application to ensure the
applicant has appropriate safety measures in place for importing and
working safely with the applicable infectious biological agent(s),
substance(s), and/or vector(s). Regulations of the U.S. Department of
Transportation apply to such materials while in transit in the U.S.
states and territories.
II. New System of Records 09-20-0180
The proposed new system of records, ``Electronic Import Permit
Program Portal (eIPP Portal),'' will cover records about individual
applicants, which the CDC/IPP maintains in the new eIPP Portal
information technology (IT) system for the purpose of overseeing--and
issuing permits allowing--the importation of infectious biological
agents, infectious substances, and vectors of human disease as outlined
in the import permit regulations at 42 CFR 71.54. The eIPP Portal IT
system is a single web-based information
[[Page 53005]]
management system that will track permit applications submitted to and
permits issued by CDC/IPP. It will allow the regulated community to
submit the applications and engage in related information exchanges
with CDC/IPP electronically via a single web portal. This will enable
the regulated community to interact with CDC/IPP more efficiently,
allow for faster processing of permit applications, and reduce program
burdens and reliance on labor-intensive and paper-based processes.
A report on the new system of records was sent to Congress and OMB
in accordance with 5 U.S.C. 552a(r).
Dated: August 21, 2020.
Suzi Connor,
Chief Information Officer, Centers for Disease Control and Prevention.
SYSTEM NAME AND NUMBER:
Electronic Import Permit Program Portal (eIPP Portal), 09-20-0180.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The address of the HHS component responsible for this system of
records is: Division of Select Agents and Toxins (DSAT), Center for
Preparedness and Response, Centers for Disease Control and Prevention
(CDC), 1600 Clifton Rd. NE, Atlanta, GA 30329.
SYSTEM MANAGER(S):
The System Manager is: Director, Division of Select Agents and
Toxins (DSAT), Center for Preparedness and Response, MS A-46, CDC, 1600
Clifton Rd. NE, Atlanta, GA 30329, (404) 718-2000, [email protected].
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Public Health Service Act, Section 361, ``Regulations to Control
Communicable Diseases'' (42 U.S.C. 264).
PURPOSE(S) OF THE SYSTEM:
The purpose of this system of records is to support CDC/IPP's
oversight of, and permitting process for, the importation and any
subsequent distribution of infectious biological agents, infectious
substances, and vectors of human disease into the United States, the
purpose of which is to prevent the introduction, transmission, or
spread of communicable diseases from foreign countries into the states
or possessions.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The records in the system will cover those individuals who apply
for an import permit from CDC/IPP under 42 CFR 71.54.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system of records will include the following categories of
records. The three applications are forms approved by the Office of
Management and Budget (OMB).
Application for Permit to Import Biological Agents and
Vectors of Human Disease into the United States. An applicant submits
this application to CDC/IPP to request a permit for the importation,
and any subsequent distribution after importation, of infectious
biological agents, infectious substances, or vectors of human disease.
Application for Permit to Import or Transfer Live Bats. An
applicant submits this application to CDC/IPP to request a permit for
the importation, and any subsequent distribution after importation, of
live bats.
Application for Permit to Import Infectious Human Remains
into the United States. An applicant submits this application to CDC/
IPP to request a permit for the importation of human remains or body
parts that contain biological agents, infectious substances, or vectors
of human disease.
Import Permit. CDC/IPP issues a permit on an approved
application, allowing the applicant to import biological agents and
vectors of human disease human remains or body parts that contain
biological agents, infectious substances, or vectors of human disease
or live bats.
Documentation of Inspection. CDC/IPP may inspect an
applicant's or importer's premises to ensure compliance with the import
permit regulations. As part of the inspection process, the applicant
may need to respond to written requests from DSAT. DSAT has not
developed standardized forms for this documentation.
RECORD SOURCE CATEGORIES:
The applicant will be the source of most information in the
records. CDC/IPP will be the source of certain information in the
permits, tracking records, and inspection records.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
In addition to other disclosures authorized directly in the Privacy
Act at 5 U.S.C. 552a(b)(1) and (2) and (4) through (11), HHS may
disclose records about a subject individual from this system of records
to parties outside HHS as described in these routine uses, without the
individual's prior written consent.
1. Records may be disclosed to contractors engaged to assist CDC/
IPP with performing the functions listed in the Purpose section above.
Contractors are required to maintain Privacy Act safeguards with
respect to such records.
2. Records may be disclosed to state health departments, other
public health agencies, cooperating medical authorities, or federal law
enforcement agencies to effectively manage outbreaks and conditions of
public health significance.
3. Information may be disclosed to the Department of Justice (DOJ)
or to a court or other adjudicative body in litigation or other
proceedings when:
a. HHS or any of its component thereof, or
b. any employee of HHS acting in the employee's official capacity,
or
c. any employee of HHS acting in the employee's individual capacity
where the DOJ or HHS has agreed to represent the employee, or
d. the United States Government, is a party to the proceeding or
has an interest in such proceeding and, by careful review, HHS
determines that the records are both relevant and necessary to the
proceeding.
4. Disclosure may be made to a congressional office from the record
of an individual in response to a verified inquiry from the
congressional office made at the written request of that individual.
5. Where a record, either alone or in conjunction with other
information, indicates a violation or potential violation of law,
whether civil, criminal, or regulatory in nature, and whether arising
by general statute or by regulation, rule, or order issued pursuant
thereto, the relevant records in the system of records may be referred,
as a routine use, to agency concerned, whether federal, state, Tribal,
local, territorial, or foreign, charged with the responsibility of
investigating or prosecuting such violation or charged with enforcing
or implementing the statute, rule, regulation, or order issued pursuant
thereto.
6. For the purpose of combatting fraud, waste, and abuse, records
may be disclosed to a relevant federal agency or instrumentality of any
governmental jurisdiction within or under the control of the United
States for the purpose of investigating potential fraud, waste, or
abuse.
7. Records may be disclosed to representatives of the National
Archives and Records Administration (NARA) in records management
inspections conducted pursuant to 44 U.S.C. 2904 and 2906.
[[Page 53006]]
8. Records may be disclosed to appropriate agencies, entities, and
persons when (1) HHS suspects or has confirmed that there has been a
breach of the system of records, (2) HHS has determined that as a
result of the suspected or confirmed breach there is a risk of harm to
individuals, HHS (including its information systems, programs, and
operations), the federal government, or national security, and (3) the
disclosure made to such agencies, entities, and persons is reasonably
necessary to assist in connection with HHS's efforts to respond to the
suspected or confirmed breach or to prevent, minimize, or remedy such
harm.
9. Records may be disclosed to another federal agency or federal
entity, when HHS determines that information from this system of
records is reasonably necessary to assist the recipient agency or
entity in (1) responding to a suspected or confirmed breach or (2)
preventing, minimizing, or remedying the risk of harm to individuals,
the recipient agency or entity (including its information systems,
programs, and operations), the federal government, or national
security, resulting from a suspected or confirmed breach.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
The records will be maintained electronically, but paper printouts
may be generated.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
The records will be retrieved by the applicant's name or assigned
permit number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
The records will be retained for 10 years in compliance with the
records retention schedule requirements, or until such time as the
records are no longer needed for litigation or other records purposes,
in accordance with CDC/IPP disposition schedule DAA-0441-2019-0001.
Records will be transferred to a Federal Records Center for storage
when no longer in active use. Final disposition of records stored
offsite at the Federal Records Center will be accomplished by a
controlled process requesting final disposition approval from the HHS
record owner prior to any destruction to ensure the records are not
needed for litigation or other records purposes.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Safeguards will conform to the HHS Information Security and Privacy
Program, https://www.hhs.gov/ocio/securityprivacy/index.html, the HHS
Information Security and Privacy Policy (IS2P), and applicable federal
laws, rules and policies, including: The E-Government Act of 2002,
which includes the Federal Information Security Management Act of 2002
(FISMA), 44 U.S.C. 3541-3549, as amended by the Federal Information
Security Modernization Act of 2014, 44 U.S.C. 3551-3558; all pertinent
National Institutes of Standards and Technology (NIST) publications;
and OMB Circular A-130, Managing Information as a Strategic Resource.
ADMINISTRATIVE AND TECHNICAL SAFEGUARDS:
Security measures will be implemented on government
computers to control unauthorized access to the system. Attempts to
gain access by unauthorized individuals will be automatically recorded
and reviewed by IPP on a regular basis. The individuals permitted to
access these records will be limited to staff (FTEs and contractors
having security clearances at T3 (Non-Critical Sensitive positions
requiring Secret clearance) or T4 (Non-Sensitive High Risk (Public
Trust)) levels) who have responsibility for conducting regulatory
oversight.
Protection for computerized records will include
programmed verification of valid user identification code and password
prior to logging on to the system; mandatory password changes, limited
log-ins, virus protection, encryption, firewalls, and intrusion
detection systems, and user rights/file attribute restrictions. The
password protection will impose username and password log-in
requirements to prevent unauthorized access. Each user name will be
assigned limited access rights to files and directories at varying
levels to control file sharing. There will be routine daily backup
procedures, and backup files will be securely stored off-site. Security
controls will be reviewed on an ongoing basis.
Knowledge of individual tape passwords will be required to
access backups, and access to the system will be limited to users
obtaining prior supervisory approval. To avoid inadvertent data
disclosure, a special additional procedure will be performed to ensure
that all Privacy Act data are removed from computer hard drives.
Additional safeguards may also be built into the program by the system
analyst as warranted by the sensitivity of the data set.
FTEs and contractor employees who maintain records will be
instructed in specific procedures to protect the security of records,
and will be required to check with the system manager prior to making
disclosure of data. When individually identifiable data are being used
in a room, admittance at either federal or contractor sites will be
restricted to specifically authorized personnel.
Appropriate Privacy Act provisions and breach notification
provisions will be included in applicable contracts, and the CDC
Project Director, contract officers, and project officers will oversee
compliance with these requirements. Upon completion of a contract, all
data will be either returned to federal government or destroyed, as
specified by the contract.
Records that are eligible for destruction will be disposed
of using destruction methods prescribed by NIST SP 800-88. Hard copy
records will be placed in a locked container or designated secure
storage area while awaiting destruction. Records will be destroyed in a
manner that precludes its reconstruction, such as secured cross
shredding. Utilizing the HHS Security Rule Guidance Material found at
https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html, electronic information will be deleted or overwritten using
Department of Defense National Institute of Standards and Technology/
General Services Administration (NIST/GSA) approved overwriting
software that wipes the entire physical disk and not just the virtual
disk. In addition, the physical destruction will be obtained by using a
National Security Agency/Central Security Service (NSA/CSS) approved
degaussing device.
PHYSICAL SAFEGUARDS:
Paper records (i.e., hard copy printouts) will be
maintained in locked cabinets in secured rooms through electronic
access in a restricted access location that is controlled by an
electronic cardkey system that is limited to staff who have
responsibility for conducting regulatory oversight. Electronic data
files will be encrypted using Federal Information Processing Standards
Publication (FIPS) 140-2, and will be stored in a restricted access
location. The computer room will be protected by an automatic sprinkler
system and numerous automatic sensors (e.g., water, heat, smoke, etc.)
which will be monitored, and a proper mix of portable fire
extinguishers will be located throughout the computer room. Computer
workstations, lockable
[[Page 53007]]
personal computers, and automated records will be located in secured
areas.
RECORD ACCESS PROCEDURES:
An individual seeking access to records about that individual in
this system of records must submit a written access request to the
System Manager, identified in the ``System Manager'' section of this
SORN. The request must contain the requester's full name, address, and
signature, and permit number if known. To verify the requester's
identity, the signature must be notarized or the request must include
the requester's written certification that the requester is the
individual who the requester claims to be and that the requester
understands that the knowing and willful request for or acquisition of
a record pertaining to an individual under false pretenses is a
criminal offense subject to a fine of up to $5,000. An accounting of
disclosures that have been made of the record, if any, may also be
requested.
CONTESTING RECORD PROCEDURES:
An individual seeking to amend a record about that individual in
this system of records must submit an amendment request to the System
Manager identified in the ``System Manager'' section of this SORN,
containing the same information required for an access request. The
request must include verification of the requester's identity in the
same manner required for an access request; must reasonably identify
the record and specify the information contested, the corrective action
sought, and the reasons for requesting the correction; and should
include supporting information to show how the record is inaccurate,
incomplete, untimely, or irrelevant.
NOTIFICATION PROCEDURES:
An individual who wishes to know if this system of records contains
records about that individual should submit a notification request to
the System Manager identified in the ``System Manager'' section of this
SORN. The request must contain the same information required for an
access request, and must include verification of the requester's
identity in the same manner required for an access request.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
None.
[FR Doc. 2020-18805 Filed 8-26-20; 8:45 am]
BILLING CODE 4163-18-P
