Privacy Act of 1974; System of Records
Published date | 27 August 2020 |
Citation | 85 FR 53004 |
Record Number | 2020-18805 |
Section | Notices |
Court | Centers For Disease Control And Prevention,Health And Human Services Department |
Federal Register, Volume 85 Issue 167 (Thursday, August 27, 2020)
[Federal Register Volume 85, Number 167 (Thursday, August 27, 2020)] [Notices] [Pages 53004-53007] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2020-18805] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Disease Control and Prevention [Docket No. CDC-2020-0088] Privacy Act of 1974; System of Records AGENCY: Centers for Disease Control and Prevention (CDC), Department of Health and Human Services (HHS). ACTION: Notice of a new system of records. ----------------------------------------------------------------------- SUMMARY: In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is establishing a new system of records to be maintained by the Centers for Disease Control and Prevention, 09-20-0180, ``Electronic Import Permit Program Portal (eIPP Portal).'' The system of records will be used by CDC to monitor the importation of infectious biological agents, infectious substances, and vectors of human disease. DATES: The modified system of records is applicable August 27, 2020, subject to a 30-day period in which to comment on the routine uses. Written comments must be received on or before September 28, 2020. ADDRESSES: You may submit comments, identified by Docket No. CDC-2020- 0088 by any of the following methods: Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Mail: Beverly Walker, Chief Privacy Officer, CDC Privacy Unit, CyberSecurity Program Office (CSPO), Centers for Disease Control and Prevention, 4770 Buford Hwy., Mailstop S101, Atlanta, GA 30341. Instructions: All submissions received must include the agency name and Docket Number. All relevant comments received will be posted without change to https://regulations.gov, including any personal information provided. Therefore, do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure. For access to the docket to read background documents or comments received, go to https://www.regulations.gov. FOR FURTHER INFORMATION CONTACT: Beverly Walker, Chief Privacy Officer, CDC Privacy Unit, CyberSecurity Program Office (CSPO), Centers for Disease Control and Prevention, 4770 Buford Hwy., Mailstop S101, Atlanta, GA 30341. Telephone: 770-488-8524. SUPPLEMENTARY INFORMATION: I. Background on the CDC Import Permit Program Under the authority of Section 361 of the Public Health Service Act (PHS Act) (42 U.S.C. 264), the HHS Secretary makes and enforces such regulations as in his/her judgment are necessary to prevent the introduction, transmission, or spread of communicable diseases from foreign countries into the U.S. states or territories. For purposes of carrying out and enforcing such regulations, the HHS Secretary may authorize a variety of public health measures, including inspection, fumigation, disinfection, sanitation, pest extermination, destruction of animals or articles found to be sources of dangerous infection to human beings, and other measures. The Foreign Quarantine regulations (42 CFR part 71) set forth provisions to prevent the introduction, transmission, and spread of communicable disease from foreign countries into the United States. Part 71, Subpart F (Importations) contains provisions governing the importation of infectious biological agents, infectious substances, and vectors (42 CFR 71.54), including requiring persons to obtain a permit issued by the CDC before importing, or distributing after import, any of these materials. The purpose of the import permit requirement and permitting process is to prevent the introduction, transmission, or spread of communicable diseases from foreign countries into the U.S. states or territories. Before issuing an import permit, the CDC Division of Select Agents and Toxins, Import Permit Program (CDC/IPP) reviews the application to ensure the applicant has appropriate safety measures in place for importing and working safely with the applicable infectious biological agent(s), substance(s), and/or vector(s). Regulations of the U.S. Department of Transportation apply to such materials while in transit in the U.S. states and territories. II. New System of Records 09-20-0180 The proposed new system of records, ``Electronic Import Permit Program Portal (eIPP Portal),'' will cover records about individual applicants, which the CDC/IPP maintains in the new eIPP Portal information technology (IT) system for the purpose of overseeing--and issuing permits allowing--the importation of infectious biological agents, infectious substances, and vectors of human disease as outlined in the import permit regulations at 42 CFR 71.54. The eIPP Portal IT system is a single web-based information [[Page 53005]] management system that will track permit applications submitted to and permits issued by CDC/IPP. It will allow the regulated community to submit the applications and engage in related information exchanges with CDC/IPP electronically via a single web portal. This will enable the regulated community to interact with CDC/IPP more efficiently, allow for faster processing of permit applications, and reduce program burdens and reliance on labor-intensive and paper-based processes. A report on the new system of records was sent to Congress and OMB in accordance with 5 U.S.C. 552a(r). Dated: August 21, 2020. Suzi Connor, Chief Information Officer, Centers for Disease Control and Prevention. SYSTEM NAME AND NUMBER: Electronic Import Permit Program Portal (eIPP Portal), 09-20-0180. SECURITY CLASSIFICATION: Unclassified. SYSTEM LOCATION: The address of the HHS component responsible for this system of records is: Division of Select Agents and Toxins (DSAT), Center for Preparedness and Response, Centers for Disease Control and Prevention (CDC), 1600 Clifton Rd. NE, Atlanta, GA 30329. SYSTEM MANAGER(S): The System Manager is: Director, Division of Select Agents and Toxins (DSAT), Center for Preparedness and Response, MS A-46, CDC, 1600 Clifton Rd. NE, Atlanta, GA 30329, (404) 718-2000, [email protected]. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Public Health Service Act, Section 361, ``Regulations to Control Communicable Diseases'' (42 U.S.C. 264). PURPOSE(S) OF THE SYSTEM: The purpose of this system of records is to support CDC/IPP's oversight of, and permitting process for, the importation and any subsequent distribution of infectious biological agents, infectious substances, and vectors of human disease into the United States, the purpose of which is to prevent the introduction, transmission, or spread of communicable diseases from foreign countries into the states or possessions. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The records in the system will cover those individuals who apply for an import permit from CDC/IPP under 42 CFR 71.54. CATEGORIES OF RECORDS IN THE SYSTEM: The system of records will include the following categories of records. The three applications are forms approved by the Office of Management and Budget (OMB). Application for Permit to Import Biological Agents and Vectors of Human Disease into the United States. An applicant submits this application to CDC/IPP to request a permit for the importation, and any subsequent distribution after importation, of infectious biological agents, infectious substances, or vectors of human disease. Application for Permit to Import or Transfer Live Bats. An applicant submits this application to CDC/IPP to request a permit for the importation, and any subsequent distribution after importation, of live bats. Application for Permit to Import Infectious Human Remains into the United States. An applicant submits this application to CDC/ IPP to request a permit for the importation of human remains or body parts that contain biological agents, infectious substances, or vectors of human disease. Import Permit. CDC/IPP issues a permit on an approved application, allowing the applicant to import biological agents and vectors of human disease human remains or body parts that contain biological agents, infectious substances, or vectors of human disease or live bats. Documentation of Inspection. CDC/IPP may inspect an applicant's or importer's premises to ensure compliance with the import permit regulations. As part of the inspection process, the applicant may need to respond to written requests from DSAT. DSAT has not developed standardized forms for this documentation. RECORD SOURCE CATEGORIES: The applicant will be the source of most information in the records. CDC/IPP will be the source of certain information in the permits, tracking records, and inspection records. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES: In addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(1) and (2) and (4) through (11), HHS may disclose records about a subject individual from this system of records to parties outside HHS as described in these routine uses, without the individual's prior written consent. 1. Records may be disclosed to contractors engaged to assist CDC/ IPP with performing the functions listed in the Purpose section above. Contractors are required to maintain Privacy Act safeguards with respect to such records. 2. Records may be disclosed to state health departments, other public health agencies, cooperating medical authorities, or federal law enforcement agencies to effectively manage outbreaks and conditions of public health significance. 3. Information may be disclosed to the Department of Justice (DOJ) or to a court or other adjudicative body in litigation or other proceedings when: a. HHS or any of its component thereof, or b. any employee of HHS acting in the employee's official capacity, or c. any employee of HHS acting in the employee's individual capacity where the DOJ or HHS has agreed to represent the employee, or d. the United States Government, is a party to the proceeding or has an interest in such proceeding and, by careful review, HHS determines that the records are both relevant and necessary to the proceeding. 4. Disclosure may be made to a congressional office from the record of an individual in response to a verified inquiry from the congressional office made at the written request of that individual. 5. Where a record, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to agency concerned, whether federal, state, Tribal, local, territorial, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto. 6. For the purpose of combatting fraud, waste, and abuse, records may be disclosed to a relevant federal agency or instrumentality of any governmental jurisdiction within or under the control of the United States for the purpose of investigating potential fraud, waste, or abuse. 7. Records may be disclosed to representatives of the National Archives and Records Administration (NARA) in records management inspections conducted pursuant to 44 U.S.C. 2904 and 2906. [[Page 53006]] 8. Records may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. 9. Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: The records will be maintained electronically, but paper printouts may be generated. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: The records will be retrieved by the applicant's name or assigned permit number. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: The records will be retained for 10 years in compliance with the records retention schedule requirements, or until such time as the records are no longer needed for litigation or other records purposes, in accordance with CDC/IPP disposition schedule DAA-0441-2019-0001. Records will be transferred to a Federal Records Center for storage when no longer in active use. Final disposition of records stored offsite at the Federal Records Center will be accomplished by a controlled process requesting final disposition approval from the HHS record owner prior to any destruction to ensure the records are not needed for litigation or other records purposes. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: Safeguards will conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/index.html, the HHS Information Security and Privacy Policy (IS2P), and applicable federal laws, rules and policies, including: The E-Government Act of 2002, which includes the Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. 3541-3549, as amended by the Federal Information Security Modernization Act of 2014, 44 U.S.C. 3551-3558; all pertinent National Institutes of Standards and Technology (NIST) publications; and OMB Circular A-130, Managing Information as a Strategic Resource. ADMINISTRATIVE AND TECHNICAL SAFEGUARDS: Security measures will be implemented on government computers to control unauthorized access to the system. Attempts to gain access by unauthorized individuals will be automatically recorded and reviewed by IPP on a regular basis. The individuals permitted to access these records will be limited to staff (FTEs and contractors having security clearances at T3 (Non-Critical Sensitive positions requiring Secret clearance) or T4 (Non-Sensitive High Risk (Public Trust)) levels) who have responsibility for conducting regulatory oversight. Protection for computerized records will include programmed verification of valid user identification code and password prior to logging on to the system; mandatory password changes, limited log-ins, virus protection, encryption, firewalls, and intrusion detection systems, and user rights/file attribute restrictions. The password protection will impose username and password log-in requirements to prevent unauthorized access. Each user name will be assigned limited access rights to files and directories at varying levels to control file sharing. There will be routine daily backup procedures, and backup files will be securely stored off-site. Security controls will be reviewed on an ongoing basis. Knowledge of individual tape passwords will be required to access backups, and access to the system will be limited to users obtaining prior supervisory approval. To avoid inadvertent data disclosure, a special additional procedure will be performed to ensure that all Privacy Act data are removed from computer hard drives. Additional safeguards may also be built into the program by the system analyst as warranted by the sensitivity of the data set. FTEs and contractor employees who maintain records will be instructed in specific procedures to protect the security of records, and will be required to check with the system manager prior to making disclosure of data. When individually identifiable data are being used in a room, admittance at either federal or contractor sites will be restricted to specifically authorized personnel. Appropriate Privacy Act provisions and breach notification provisions will be included in applicable contracts, and the CDC Project Director, contract officers, and project officers will oversee compliance with these requirements. Upon completion of a contract, all data will be either returned to federal government or destroyed, as specified by the contract. Records that are eligible for destruction will be disposed of using destruction methods prescribed by NIST SP 800-88. Hard copy records will be placed in a locked container or designated secure storage area while awaiting destruction. Records will be destroyed in a manner that precludes its reconstruction, such as secured cross shredding. Utilizing the HHS Security Rule Guidance Material found at https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html, electronic information will be deleted or overwritten using Department of Defense National Institute of Standards and Technology/ General Services Administration (NIST/GSA) approved overwriting software that wipes the entire physical disk and not just the virtual disk. In addition, the physical destruction will be obtained by using a National Security Agency/Central Security Service (NSA/CSS) approved degaussing device. PHYSICAL SAFEGUARDS: Paper records (i.e., hard copy printouts) will be maintained in locked cabinets in secured rooms through electronic access in a restricted access location that is controlled by an electronic cardkey system that is limited to staff who have responsibility for conducting regulatory oversight. Electronic data files will be encrypted using Federal Information Processing Standards Publication (FIPS) 140-2, and will be stored in a restricted access location. The computer room will be protected by an automatic sprinkler system and numerous automatic sensors (e.g., water, heat, smoke, etc.) which will be monitored, and a proper mix of portable fire extinguishers will be located throughout the computer room. Computer workstations, lockable [[Page 53007]] personal computers, and automated records will be located in secured areas. RECORD ACCESS PROCEDURES: An individual seeking access to records about that individual in this system of records must submit a written access request to the System Manager, identified in the ``System Manager'' section of this SORN. The request must contain the requester's full name, address, and signature, and permit number if known. To verify the requester's identity, the signature must be notarized or the request must include the requester's written certification that the requester is the individual who the requester claims to be and that the requester understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a fine of up to $5,000. An accounting of disclosures that have been made of the record, if any, may also be requested. CONTESTING RECORD PROCEDURES: An individual seeking to amend a record about that individual in this system of records must submit an amendment request to the System Manager identified in the ``System Manager'' section of this SORN, containing the same information required for an access request. The request must include verification of the requester's identity in the same manner required for an access request; must reasonably identify the record and specify the information contested, the corrective action sought, and the reasons for requesting the correction; and should include supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant. NOTIFICATION PROCEDURES: An individual who wishes to know if this system of records contains records about that individual should submit a notification request to the System Manager identified in the ``System Manager'' section of this SORN. The request must contain the same information required for an access request, and must include verification of the requester's identity in the same manner required for an access request. EXEMPTIONS PROMULGATED FOR THE SYSTEM: None. HISTORY: None. [FR Doc. 2020-18805 Filed 8-26-20; 8:45 am] BILLING CODE 4163-18-P