[Federal Register Volume 60, Number 197 (Thursday, October 12, 1995)]
[Notices]
[Pages 53188-53191]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-25310]



-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Public Health Service


Food and Drug Administration; Privacy Act of 1974; New System of 
Records

AGENCY: Public Health Service, HHS.

ACTION: Notification of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act, the 
Public Health Service (PHS) is publishing a notice of a proposal to 
establish a new system of records, 09-10-0019, ``Mammography Quality 
Standards Act (MQSA) Training Records, HHS/FDA/CDRH.'' The purpose of 
the system is to provide the Food and Drug Administration (FDA) with 
information about the training and certification of inspectors of 
mammography facilities. We are also proposing routine uses for this new 
system.

DATES: PHS invites interested parties to submit comments on the 
proposed internal and routine uses on or before November 21, 1995. PHS 
has sent a report of a New System to the Congress and to the Office of 
Management and Budget (OMB) on August 31, 1995. This system of records 
will be effective 40 days from the date submitted to OMB unless PHS 
receives comments on the routine uses which would result in a contrary 
determination.

ADDRESSES: Please submit comments to: FDA Privacy Act Coordinator (HFI-
30), Food and Drug Administration, 5600 Fishers Lane, Room 12A-30, 
Rockville, MD 20857, (301) 443-1813.
    Comments received will be available for inspection at this same 
address from 9 a.m. to 4 p.m., Monday through Friday.


[[Page 53189]]


FOR FURTHER INFORMATION CONTACT:

Director, Division of Mammography Quality and Radiation Programs (HFZ-
240), Office of Health and Industry Programs, Center for Devices and 
Radiological Health, Food and Drug Administration, 1350 Piccard Drive, 
Rockville, MD 20850, (301) 594-3332.
    The numbers listed above are not toll free.

SUPPLEMENTARY INFORMATION: The Food and Drug Administration proposes to 
establish a New System of Records: 09-10-0019, ``Mammography Quality 
Standards Act (MQSA) Training Records, HHS/FDA/CDRH.'' This system of 
records will be used to provide FDA with information about the 
training, certification, and recertification of MQSA inspectors for the 
purpose of implementing the Mammography Quality Standards Act of 1992.
    The system will be comprised of records that contain the names, 
dates of birth, education, professional experience, employment 
addresses, dates of mammography training, test scores, and an analysis 
of those scores, dates of certification of the inspectors, dates of 
renewal or withdrawal of certification, and evaluations of the 
inspectors' field performances (records of complaints received and how 
the complaints were resolved.) The amount of information recorded on 
each individual will be only that which is necessary to accomplish the 
purpose of the system. Records must be retrieved by individual name for 
effective monitoring of training, certification, recertification, and 
withdrawal of certification. Each record is established from a one-page 
data sheet which is completed by each student. Records of test scores, 
dates of renewal or withdrawal of certification, and an evaluation of 
inspector's field performance are added as the information becomes 
available.
    The records in this system will be maintained in a secure manner 
compatible with their content and use. FDA staff will be required to 
adhere to the provisions of the Privacy Act and the HHS Privacy Act 
Regulations. Only authorized users whose official duties require the 
use of such information will have regular access to the records in this 
system. Authorized users are FDA employees and contractors responsible 
for training the individuals who will inspect mammography facilities, 
and personnel in the Division of Mammography Quality and Radiation 
Programs (DMQRP) who will compile and analyze the test and personal 
data of the students.
    All records (such as diskettes, computer listings, or documents) 
are kept in a secured area, locked rooms, and locked building. The 
facility has 24-hour guard service, and access to the building is 
further controlled by an operational card key system. Access to 
individual offices is controlled by simplex locks. Manual and 
computerized records will be maintained in accordance with the 
standards of Chapter 45-13 of the HHS General Administration Manual, 
``Safeguarding Records Contained in Systems of Records,'' supplementary 
Chapter PHS hf: 45-13 of the Department's General Administration 
Manual, and the Department's Automated Information Systems Security 
Handbook.
    Users will receive regular training in information systems security 
for this application and in accordance with the Privacy Act. Users will 
be required to sign an agreement indicating their cooperation with FDA 
systems security and Privacy Act policies.
    Data stored in computers will be accessed through the use of 
regularly expiring passwords and individual IDS known only to 
authorized users. All users will be assigned specific levels of 
database control based on their needs and authority. All uses of valid 
IDS and passwords will be monitored. Upon job change, the user's 
authorization will be reviewed and updated as necessary. All changes to 
data, as well as the time of change and the user's ID, will be captured 
in a file as part of the database design. The system's intrusion 
alarms, which list all logins and their source, will be monitored daily 
by the Information Systems Security Officer. All systems in support of 
this database are under the control of CDRH and meet the same security 
standards.
    The routine uses proposed for this system are compatible with the 
stated purposes of the system. The first routine use proposed for this 
system, permitting disclosure to a congressional office, allows subject 
individuals to obtain assistance from their representatives in 
Congress, should they so desire. Such disclosure would be made only 
pursuant to a request of the individual. The second routine use allows 
disclosure to the Department of Justice or a court in the event of 
litigation. The third routine use allows disclosure to be made to the 
individual's supervisor since MQSA inspections will be a significant 
part of many inspectors' jobs; therefore, performance in the training 
courses is an important element of information to help the supervisor 
determine employee assignments as well as the level of supervision 
needed. The fourth routine use allows disclosure to be made to 
contractors for the purpose of processing or refining records in the 
system.
    The following notice is written in the present, rather than future 
tense, in order to avoid the unnecessary expenditure of public funds to 
republish the notice after the system has become effective.

    Dated: October 2, 1995.
Ellen Wormser,
Director, Office of Organization and Management Systems.
09-10-0019
    Mammography Quality Standards Act (MQSA) Training Records, HHS/FDA/
CDRH.
    None.
    Division of Mammography Quality and Radiation Programs (HFZ-240), 
Center for Devices and Radiological Health, 1350 Piccard Drive, 
Rockville, Maryland 20850. A current list of contractor sites is 
available by writing to the system manager, indicated below, at this 
address.
    All individuals who receive training for the purpose of 
implementing the Mammography Quality Standards Act of 1992; individuals 
who successfully complete the training will become certified to conduct 
inspections and audits of mammography facilities.
    Contains name; date of birth; education; professional experience; 
employment address; dates of mammography training; participant's test 
scores, class grades, and an analysis of those scores; date of 
certification of the inspector; dates of renewal or withdrawal of 
certification; and an evaluation of the inspector's field performance 
(records of complaints received and how the complaints were resolved).
    Pub. L. 102-539, the Mammography Quality Standards Act (MQSA) of 
1992 (42 U.S.C. 263b).
    To provide the Food and Drug Administration (FDA) with information 
about the training, certification, and recertification of MQSA 
inspectors for the purpose of implementing the 

[[Page 53190]]
Mammography Quality Standards Act of 1992.
    1. Disclosure may be made to a congressional office from the record 
of an individual, in response to an inquiry from the congressional 
office made at the request of that individual.
    2. The Department of Health and Human Services (HHS) may disclose 
information from this system of records to the Department of Justice, 
or to a court or other tribunal, when
    (a) HHS, or any component thereof; or
    (b) Any HHS employee in his or her official capacity; or
    (c) Any HHS employee in his or her official capacity where the 
Department of Justice (or HHS, where it is authorized to do so) has 
agreed to represent the employee; or
    (d) The United States or any agency thereof where HHS determines 
that the litigation is likely to affect HHS or any of its components,

is a party to litigation or has an interest in such litigation, and HHS 
determines that the use of such records by the Department of Justice, 
the court or other tribunal, is relevant and necessary to the 
litigation and would help in the effective representation of the 
governmental party, provided, however, that in each case, HHS 
determines that such disclosure is compatible with the purpose for 
which the records were collected.
    3. Disclosure may be made with the individual's supervisor since 
MQSA inspections will be a significant part of many inspectors' jobs; 
therefore, performance in the training courses is an important element 
of information to help the supervisor determine employee assignments as 
well as the level of supervision needed.
    4. Disclosure may be made to contractors for the purpose of 
collecting, compiling, aggregating, analyzing, or refining records in 
the system. Contractors will be required to maintain Privacy Act 
safeguards with respect to such records.
    Data are maintained in hard copy files and on computer disks, hard 
drives, and file servers.
    Indexed by name, state, specific courses, training dates, grades, 
date of certification, and date of withdrawal of certification.
    1. Authorized users: Personnel of the Division of Mammography 
Quality Reporting Program who are engaged in training the individuals 
who inspect mammography facilities, and personnel in the Division who 
compile and analyze the test and personal data of the students.
    2. Physical safeguards: All records (such as disketts, computer 
listings, or documents) are kept in a secured area, locked rooms, and 
locked building.
    The facility has 24-hour guard service, and access to the building 
is further controlled by an operational card key system. Access to the 
computer room is limited to a subset of persons with general access to 
the building. Access to individual offices is controlled by simplex 
locks. The building has smoke/fire detectors; the computer room has 
additional smoke/fire detectors plus water, temperature, and humidity 
sensors. The computers room has an uninterruptible power supply and a 
power conditioning system.
    3. Procedural safeguards: End users and system professionals 
continue to receive regular training in information systems security 
and have signed an agreement indicating their cooperation with FDA 
policies. Users are further instructed on system security during 
training sessions for this application and in accordance with the 
Privacy Act. Users of personal information in the performance of their 
duties have been instructed to protect personal information from public 
view and from unauthorized personnel.
    All reports containing confidential data are marked 
``confidential'' and placed in the developer's or system manager's mail 
slot, which is located in an access-controlled room. CDRH SOP requires 
that all reports containing confidential information be shredded before 
disposal.
    4. Technical safeguards: All users have individual IDS and 
regularly expiring passwords at least 6 characters long. All users are 
assigned specific levels of database control based on their needs and 
authority. All users of valid IDs and passwords will be monitored. Upon 
job change, the user's authorization is reviewed and updated as 
necessary.
    All changes to data, as well as the time of change and the 
operator's ID are captured in a file as part of the database design. 
All data entered online is edit checked.
    The system's intrusion alarms, which list all logins and their 
source, are monitored daily by the information Systems Security 
Officer. In addition, CDRH maintains commercial auditing software that 
permits logging of keystrokes by individual accounts.
    CDRH maintains three audit trails for this system:
    1. System-wide intrusion alarms and file access notices
    2. Application-dependent logging of all data transactions
    3. Commercial software that permits capturing all keystrokes from 
suspicious accounts and terminals.
    All systems in support of this database are under the control of 
CDRH and meet the same security standards as the application.
    5. Implementation guidelines: Safeguards are established in 
accordance with Chapter 45-13 and PHS hf:45-13 of the Department's 
General Administration Manual and the Department's Automated 
Information Systems Security Handbook.
    Records are retained for five years after the certified MQSA 
Inspector leaves government service. At the end of five years, in 
individual's paper records are shredded and automated records are 
erased.
    Director, Division of Mammography Quality and Radiation Programs 
(HFZ-240), Center for Devices and Radiological Health, 1350 Piccard 
Drive, Rockville, Maryland 20850.
    An individual may learn if a record exists about him or her upon 
written request, with notarized signature if request is made by mail, 
or with identification if request is made in person, directed to:
    FDA Privacy Act Coordinator (HFI-30), Food and Drug Administration, 
5600 Fishers Lane, Rockville, MD 20857.
    Same as notification procedure. Requests should also reasonably 
specify the record contents being sought. You may also request an 
accounting of disclosures that have been made of your record, if any.
    Contact the official at the address specified under notification 
procedure above and reasonably identify the record, specify the 
information being contested, the corrective action sought, and your 
reasons for requesting the correction, along with supporting 
information to show how the record is inaccurate, incomplete, untimely, 
or irrelevant.

[[Page 53191]]

    Individual on whom the record is maintained and training records 
pertaining to that individual. Information about certification renewal 
or withdrawal is generated in-house by the Division of Mammography 
Quality and Radiation Programs. Sources of information about field 
performance could include the inspector's supervisor, as well as any 
investigation of an inspector's performance as a result of complaints 
by a mammography facility.
    None.
[FR Doc. 95-25310 Filed 10-11-95; 8:45 am]
BILLING CODE 4160-01-M