[Federal Register Volume 72, Number 126 (Monday, July 2, 2007)]
[Notices]
[Pages 35993-35997]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-12682]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Disease Control and Prevention


Privacy Act of 1974; New System of Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Disease Control and Prevention (CDC).

ACTION: Notice of a New System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act, the 
Centers for Disease Control and Prevention (CDC) is proposing to 
establish a new system of records (SOR), 09-20-0170, ``National Select 
Agent Registry (NSAR)/Select Agent Transfer and Entity Registration 
Information System (SATERIS), HHS/CDC/COTPER.'' The purpose of the 
system is to limit access to those biological agents and toxins listed 
in 42 CFR Part 73, 9 CFR Part 121, and 7 CFR Part 331, to those 
individuals who have a legitimate need to handle or use such agents or 
toxins, and who are not identified as restricted persons by the U.S. 
Attorney General. NSAR is a single web-based information management 
system shared by CDC and the U.S. Department of Agriculture (USDA)/
Animal and Plant Health Inspection Service (APHIS) that tracks the 
possession, use and transfer of select agents and toxins that could 
pose a severe threat to public health and safety, to the health and 
safety of animals, and to the safety of plants or animal and plant 
products. We have provided background information about the new system 
in the SUPPLEMENTARY INFORMATION section below.

DATES: Effective Date: CDC filed a new SOR report with the Chair of the 
House Committee on Government Reform and Oversight, the Chair of the 
Senate Committee on Homeland Security & Governmental Affairs, and the 
Administrator, Office of Information and Regulatory Affairs, Office of 
Management and Budget (OMB) on June 25, 2007. CDC invites interested 
parties to submit comments on the proposed routine uses. To ensure that 
all parties have adequate time in which to comment, the new system will 
be effective 30 days from the publication of this notice, or 40 days 
from the date it was submitted to OMB and the Congress, whichever is 
later, unless CDC receives comments that persuade us to defer 
implementation.

ADDRESSES: Comments should be addressed to the CDC Privacy Act Officer 
at the address listed below. Comments received will be available for 
review at this location by appointment during regular business hours 
from 8 a.m. to 4:30 p.m., Monday through Friday in the CDC Roybal 
Facility, Building 21, Room 8125, Atlanta, Georgia.

FOR FURTHER INFORMATION CONTACT: Betsey S. Dunaway, Privacy Act 
Officer, Office of the Chief Science Officer, Centers for Disease 
Control and Prevention, 1600 Clifton Road, NE., Building 21, Room 8125, 
Mailstop D-74, Atlanta, Georgia 30333, (404) 639-4642.

SUPPLEMENTARY INFORMATION: CDC proposes to establish a new system of 
records within its Coordinating Office for Terrorism Preparedness and 
Emergency Response (COTPER): 09-20-0170, ``National Select Agent 
Registry (NSAR)/ Select Agent Transfer and Entity Registration 
Information System (SATERIS), HHS/CDC/COTPER.'' An important component 
of the nation's overall terrorism deterrence policy, the Division of 
Select Agents and Toxins (DSAT) in the Coordinating Office for 
Terrorism Preparedness and Emergency Response (COTPER) within the CDC 
regulates the possession, use, and transfer of biological agents and 
toxins (select agents) that could pose a severe threat to public health 
and safety. A select agent is defined as a virus, bacteria, fungus or 
toxin that could pose a severe threat to public health and safety, to 
animal or plant health; or animal or plant products.

I. Description of the Proposed System of Records

    A. Statutory and Regulatory Basis for SOR. The Public Health 
Security and Bioterrorism Preparedness and Response Act of 2002 
requires entities to register with the U.S. Department of Health and 
Human Services (HHS) if they possess, use, or transfer select agents 
that could pose a severe threat to public health and safety. The 
Agricultural Bioterrorism Protection Act of 2002 requires that 
facilities handling select agents that could pose a severe threat to 
animal or plant health; or animal or plant products register with the 
USDA. Within HHS, the DSAT is responsible for registering entities and 
personnel who either possess or are applying for approval to possess, 
use or transfer select agents that could pose a severe threat to public 
health and safety. Within the USDA, APHIS has a similar responsibility 
for registering entities and personnel handling agents that pose a 
severe threat to animal or plant health; or animal or plant products.
    The Acts require safeguards and security measures that will 
adequately protect these agents. This includes controlling access and 
screening of entities and personnel through security risk assessments 
conducted by the U.S. Attorney General. The Acts also require the 
establishment of a national database of registered entities. While some 
entities register for select agents regulated only by HHS, others for 
select agents regulated only by USDA, there are a number of entities 
registering for select agents that can pose a severe threat to public 
health and safety, to animal health, or to animal products (``overlap'' 
select agents). Since DSAT and APHIS coordinate regulatory activities 
for those overlap select agents that would be regulated by both 
agencies, the Acts require that a single national database be 
established. This new Privacy Act system of records notice (SORN) 
describes the records and processes that enable DSAT to fulfill HHS' 
requirements; APHIS will be publishing a similar SORN to address how 
USDA will fulfill theirs.

B. Collection and Maintenance of Data in the System

    CDC will only collect the minimum amount of personal data necessary 
to achieve the purpose of this system, which is to limit access to the 
select agents listed in 42 CFR Part 73, 9 CFR Part 121, and 7 CFR Part 
331, to those individuals who have a legitimate need to handle or use 
such agents, and who are not identified as a restricted person by the 
U.S. Attorney General. The data elements required are: name, address, 
date of birth, job title, and the name of the institution that would be 
housing the select agent(s).
    Entities handling select agents must appoint a Responsible Official 
within their organization who certifies that the entity meets federal 
requirements for handling select agents such as having security 
measures in place to protect the select agents they possess from theft, 
loss and unauthorized access, and safety measures to prevent the 
release of agents. DSAT's SOR includes personal information on those 
individuals who have access or who have applied to have access to 
select agents, and the list of select agents to which they have access 
or would have access.

[[Page 35994]]

II. Agency Policies, Procedures, and Restrictions on the Routine Use

    The Privacy Act permits us to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such compatible disclosure of data is known as a 
``routine use.'' The government will only release select agent 
information that can be associated with an individual as provided for 
under ``Section III. Proposed Routine Use Disclosures of Data in the 
System.'' We will only collect the minimum personal data necessary to 
achieve the purpose of this system.
    CDC has the following policies and procedures concerning 
disclosures of information that will be maintained in the system. 
Disclosure of information from the SOR will be approved only to the 
extent necessary to accomplish the purpose of the disclosure and only 
after CDC:
    A. Determines that the use or disclosure is consistent with the 
reason that the data are being collected, e.g., to limit access to 
select agents to those individuals who have a legitimate need to handle 
or use select agents and who are not identified as a restricted person 
by the U.S. Attorney General.
    B. DETERMINES THAT:
    1. The purpose for which the disclosure is to be made can only be 
accomplished if the record is provided in individually identifiable 
form;
    2. The purpose for which the disclosure is to be made is of 
sufficient importance to warrant the effect and/or risk on the privacy 
of the individual that additional exposure of the record might bring; 
and
    3. There is a strong probability that the proposed use of the data 
would in fact accomplish the stated purpose(s).
    C. Requires the information recipient to:
    1. Establish administrative, technical, and physical safeguards to 
prevent unauthorized use of disclosure of the record;
    2. Remove or destroy at the earliest time all identifiable 
information; and
    3. Agree to not use or disclose the information for any purpose 
other than the stated purpose under which the information was 
disclosed.
    D. Determines that the data are valid and reliable.

III. Proposed Routine Use Disclosures of Data in the System

    The Privacy Act permits us to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such compatible disclosure of data is known as a 
``routine use.'' The proposed routine uses in this system meet the 
compatibility requirement of the Privacy Act. We are proposing to 
establish the following routine use disclosures of information 
maintained in the system:
    A. Records may be disclosed to contractors to handle program work 
overflow duties, performing many of the same functions as DSAT 
employees. Contractors are required to maintain Privacy Act safeguards 
with respect to such records. These functions include conducting 
regulatory oversight of individuals and entities that possess, use, or 
transfer select agents, including the review of registration 
applications, conducting inspections of registered facilities or 
facilities requesting registration, and maintaining this information 
pertaining to individuals and entities that possess, use, and/or 
transfer select agents. DSAT contracts out certain functions when doing 
so would contribute to efficient and effective operations of the 
agency. DSAT must be able to give a contractor the information 
necessary for the contractor to fulfill its duties. Safeguards are 
provided in the contract prohibiting the contractor from using or 
disclosing the information for any purpose other than that described in 
the Statement of Work and requires the contractor to return or destroy 
all information at the contract's completion.
    B. Records may be disclosed to health departments and other public 
health or cooperating medical authorities to deal more effectively with 
outbreaks and conditions of public health significance. When outbreaks 
or other conditions of public health significance that might have been 
caused by exposure to select agents (either accidental or otherwise) 
occur, CDC's sharing of information on those individuals and 
organizations registered to possess select agents could prove 
beneficial to the health department's investigation.
    C. Personal information from this system may be disclosed as a 
routine use to assist the recipient Federal agency in making a 
determination concerning an individual's trustworthiness to access 
select agents; to any Federal or State agency where the purpose in 
making the disclosure is to prevent access to select agents for use in 
domestic or international terrorism or for any criminal purpose; or to 
any Federal or State agency to protect the public health and safety 
with regard to the possession, use, or transfer of select agents.
    Based on the provisions of the Acts, the Attorney General has the 
authority and responsibility to conduct electronic database checks 
(i.e., the security risk assessments) on the Responsible Official, 
alternate Responsible Official, owners of non-governmental entities, 
and individuals requesting access to select agents. The Federal Bureau 
of Investigation, Criminal Justice Information Services Division 
(CJIS), has been delegated authority for conducting these security risk 
assessments. Therefore, the information must be shared with the CJIS 
for them to conduct a security risk assessment to ensure that 
individuals requesting access to select agents are not identified as a 
restricted person based on criteria established in the U.S.A. Patriot 
Act. This is compatible with the overall purpose of the system--that 
only trustworthy individuals are granted access.
    Other Federal or State agencies may require the information DSAT 
possesses on individuals with access to select agents and the 
institutions at which those agents are housed to aid in their 
investigations of domestic or international terrorism or for any other 
criminal purpose. The purpose of the system is to be certain that only 
individuals who have a legitimate need to handle or use such select 
agents have access to them; this routine use is compatible in that this 
disclosure is done to prevent access to select agents for terrorism or 
other criminal purposes. State emergency planners may need this 
identifiable information to fulfill their responsibilities.
    The overall purpose of this SOR is to protect the public health and 
safety. Federal and State agency emergency responders may require 
DSAT's identifiable information if select agents are accidentally 
released or otherwise used inappropriately with the ultimate goal of 
protecting the public's health and safety. Records may also be shared 
with the Department of Transportation to ensure that the transfer of 
select agents is done safely and in compliance with their regulations--
a use in line with CDC's purpose of safely transferring select agents 
for which it has responsibility.
    D. Disclosure may be made to a congressional office from the record 
of an individual in response to a verified inquiry from the 
congressional office made at the written request of that individual. 
When a constituent requests a congressional office to facilitate 
obtaining information from this CDC system, it is compatible to provide 
such information, since this is in line with the overall purpose of the 
Privacy Act

[[Page 35995]]

which is to provide access to the subject individual of the records the 
government has on him or her.
    E. In the event of litigation where the defendant is: (a) The 
Department, any component of the Department, or any employee of the 
Department in his or her official capacity; (b) the United States where 
the Department determines that the claim, if successful, is likely to 
directly affect the operations of the Department or any of its 
components; or (c) any Department employee in his or her individual 
capacity where the Justice Department has agreed to represent such 
employee, disclosure may be made to the Department of Justice to enable 
that Department to present an effective defense, provided that such 
disclosure is compatible with the purpose for which the records were 
collected.
    Whenever CDC is involved in litigation dealing with the DSAT, and 
CDC policies or operations could be affected by the outcome of the 
litigation, CDC must be able to disclose identifiable information to 
the Department of Justice so that an effective defense could be 
presented.

IV. Safeguards

    The CDC/DSAT has safeguards in place for authorized users and 
monitors such users to ensure against unauthorized use. Personnel with 
access to the system have been trained in Privacy Act and information 
security requirements. Employees maintaining records are instructed not 
to release data until the intended recipient agrees to implement 
appropriate management, operational and technical safeguards sufficient 
to protect the confidentiality, integrity and availability of the 
information and information systems and to prevent unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal and HHS policies and standards as they relate 
to information security and data privacy. These laws and regulations 
may apply but are not limited to: the Privacy Act of 1974; the Federal 
Information Security Management Act of 2002; the Computer Fraud and 
Abuse Act of 1986; the E-Government Act of 2002; the Clinger-Cohen Act 
of 1996; the Medicare Modernization Act of 2003, and the corresponding 
implementing regulations. OMB Circular A-130, Management of Federal 
Resources, Appendix III, Security of Federal Automated Information 
Resources also applies. Federal, HHS and CDC policies and standards 
include but are not limited to: all pertinent National Institute of 
Standards and Technology publications and the HHS Information Systems 
Program Handbook.

V. Effects of the Proposed System of Records on Individual Rights

    CDC proposes to establish this system in accordance with the 
principles and requirements of the Privacy Act and will collect, use, 
and disseminate information only as prescribed therein. Data in this 
system will be subject to the authorized releases in accordance with 
the routine uses identified in this system of records.
    CDC will take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy or other personal or property rights of individuals whose data 
are maintained in the system. CDC will collect only that information 
necessary to perform the system's purpose. In addition, CDC will make 
disclosures from the system only with consent of the subject 
individual, or his/her legal representative, or in accordance with an 
applicable exception provision of the Privacy Act. CDC, therefore, does 
not anticipate an unfavorable effect on individual privacy as a result 
of information relating to individuals.

    Dated: June 22, 2007.
James D. Seligman,
Chief Information Officer, Office of the Director, Centers for Disease 
Control and Prevention.

Privacy Act System

NO. 09-20-0170

System Name:
    National Select Agent Registry (NSAR)/Select Agent Transfer and 
Entity Registration Information System (SATERIS), HHS/CDC/COTPER.

Security Classification:
    Unclassified.

System Location:
    Division of Select Agents and Toxins (DSAT), Coordinating Office 
for Terrorism Preparedness and Emergency Response (COTPER), Bldg. 20, 
Centers for Disease Control and Prevention (CDC), 1600 Clifton Road, 
NE., Atlanta, GA 30333 and Federal Records Center, 4712 Southpark 
Blvd., Ellenwood, GA 30294.

Categories of Individuals Covered By the System:
    The Responsible Official, alternate Responsible Official, owners of 
non-governmental entities, and individuals requesting access to select 
agents under the provisions of Part 73, of Title 42 of the Code of 
Federal Regulations (42 CFR part 73), Part 121 of Title 9 of the Code 
of Federal Regulations (9 CFR Part 121), and Part 331 of Title 7 of the 
Code of Federal Regulations (7 CFR part 331).

Categories of Records in the System:
    The DSAT maintains records which include the names of the 
Responsible Official, alternate Responsible Official, owners of non-
governmental entities, and individuals who have access, or who have 
applied to have access to select agents (defined as a virus, bacteria, 
fungus or toxin that could pose a severe threat to public health and 
safety, to animal or plant health; or animal or plant products), and 
the list of select agents to which they have access. The Responsible 
Official, alternate Responsible Official, owners of non-governmental 
entities, and individuals requesting access to select agents are 
required to provide their name, address, date of birth, and job title 
and the name of the institution that would be housing the select 
agent(s).

Authority For Maintenance of the System:
    Public Health Security and Bioterrorism Preparedness and Response 
Act of 2002 and The Agricultural Bioterrorism Protection Act of 2002 
(Pub. L. 107-188).

Purpose(s):
    Records maintained in the National Select Agent Registry (NSAR)--a 
joint DSAT and U.S. Department of Agriculture/Animal and Plant Health 
Inspection Service (APHIS) information management system--are accessed 
by DSAT through the Select Agent Transfer and Entity Registration 
Information System (SATERIS) which is an user interface for data entry, 
data query, and routine reporting activities. The purpose of this 
system of records is to limit access to those select agents listed in 
42 CFR Part 73, 9 CFR Part 121, and 7 CFR Part 331 to those individuals 
who have a legitimate need to handle or use such select agents, and who 
are not identified as a restricted person by the U.S. Attorney General. 
The NSAR is also used to track the possession, use, and transfer of 
select agents and is a single Web-based system shared by DSAT and 
APHIS.
    DSAT conducts regulatory oversight of individuals and entities that 
possess, use, or transfer select agents. This includes the review of 
registration applications, conducting inspections of registered 
facilities or facilities requesting registration, processing requests 
to import select agents, processing all reports and requests received 
from individuals or entities regarding a select agent, and

[[Page 35996]]

maintaining this information pertaining to individuals and entities 
that possess, use, and/or transfer select agents.

Routine Uses of Records Maintained In the System, Including Categories 
of Users and the Purposes of Such Uses
    1. Records may be disclosed to contractors to handle program work 
overflow duties, performing many of the same functions (listed in the 
Purpose section above) as DSAT employees. Contractors are required to 
maintain Privacy Act safeguards with respect to such records.
    2. Records may be disclosed to health departments and other public 
health or cooperating medical authorities to deal more effectively with 
outbreaks and conditions of public health significance.
    3. Personal information from this system may be disclosed as a 
routine use to assist the recipient Federal agency in making a 
determination concerning an individual's trustworthiness to access 
select agents; to any Federal or State agency where the purpose in 
making the disclosure is to prevent access to select agents for use in 
domestic or international terrorism or for any criminal purpose; or to 
any Federal or State agency to protect the public health and safety 
with regard to the possession, use, or transfer of select agents.
    4. Disclosure may be made to a congressional office from the record 
of an individual in response to a verified inquiry from the 
congressional office made at the written request of that individual.
    5. In the event of litigation where the defendant is: (a) The 
Department, any component of the Department, or any employee of the 
Department in his or her official capacity; (b) the United States where 
the Department determines that the claim, if successful, is likely to 
directly affect the operations of the Department or any of its 
components; or (c) any Department employee in his or her individual 
capacity where the Justice Department has agreed to represent such 
employee, disclosure may be made to the Department of Justice to enable 
that Department to present an effective defense, provided that such 
disclosure is compatible with the purpose for which the records were 
collected.

Policies and Practices For Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records In the System
Storage:
    File folders, computer tapes and disks, CD-ROMs.

Retrievability:
    By name or DOJ identifier number.

Safeguards:
    The following special safeguards are provided to protect the 
records from inadvertent disclosure:
    1. Authorized Users: A database security package is implemented on 
CDC computers to control unauthorized access to the system. Attempts to 
gain access by unauthorized individuals are automatically recorded and 
reviewed on a regular basis. Individuals who have routine access to 
these records are limited to Select Agent Program staff (DSAT FTEs and 
contractors) who have responsibility for conducting regulatory 
oversight of individuals and entities that possess, use, or transfer 
select agents.
    2. Physical Safeguards: Paper records are maintained in locked 
cabinets in locked rooms in a restricted access location that is 
controlled by a cardkey system, and security guard service provides 
personnel screening of visitors. Electronic data files are password 
protected and stored in a restricted access location. The computer room 
is protected by an automatic sprinkler system, numerous automatic 
sensors (e.g., water, heat, smoke, etc.) are installed, and a proper 
mix of portable fire extinguishers is located throughout the computer 
room. The system is backed up on a nightly basis with copies of the 
files stored off site in a secure location. Computer workstations, 
lockable personal computers, and automated records are located in 
secured areas.
    3. Procedural Safeguards: Protection for computerized records 
includes programmed verification of valid user identification code and 
password prior to logging on to the system; mandatory password changes, 
limited log-ins, virus protection, and user rights/file attribute 
restrictions. Password protection imposes user name and password log-in 
requirements to prevent unauthorized access. Each user name is assigned 
limited access rights to files and directories at varying levels to 
control file sharing. There are routine daily backup procedures and 
secure off-site storage is available for backup files.
    Knowledge of individual tape passwords is required to access tapes, 
and access to the system is limited to users obtaining prior 
supervisory approval. To avoid inadvertent data disclosure, a special 
additional procedure is performed to ensure that all Privacy Act data 
are removed from computer tapes and/or other magnetic media. When 
possible, a backup copy of data is stored at an offsite location and a 
log kept of all changes to each file and all persons reviewing the 
file. Additional safeguards may also be built into the program by the 
system analyst as warranted by the sensitivity of the data set.
    The DSAT and contractor employees who maintain records are 
instructed in specific procedures to protect the security of records, 
and are to check with the system manager prior to making disclosure of 
data. When individually identified data are being used in a room, 
admittance at either CDC or contractor sites is restricted to 
specifically authorized personnel.
    Appropriate Privacy Act provisions are included in contracts and 
the CDC Project Director, contract officers, and project officers 
oversee compliance with these requirements. Upon completion of the 
contract, all data will be either returned to CDC or destroyed, as 
specified by the contract.
    The USDA/APHIS maintains similarly stringent safeguards that are 
discussed within that agency's Select Agent system of records notice.
    4. Implementation Guidelines: The safeguards outlined above are in 
accordance with the HHS Information Security Program Policy and FIPS 
Pub 200, ``Minimum Security Requirements for Federal Information and 
Information Systems.'' Data maintained on CDC's Mainframe and the 
COTPER LAN are in compliance with OMB Circular A-130, Appendix III. 
Security is provided for information collection, processing, 
transmission, storage, and dissemination in general support systems and 
major applications.

Retention and Disposal:
    The DSAT records and associated information are retained and 
dispositioned in accordance with DSAT records retention schedule, N1-
442-06-1, pending approval by the National Archives and Records 
Administration. The DSAT records will be retained for 10 years in 
compliance with the records retention schedule requirements or until 
such time as no longer needed for litigation or other records purposes. 
Records will be transferred to a Federal Records Center for storage 
when no longer in active use. Final disposition of records stored 
offsite at the Federal Records Center will be accomplished by a 
controlled process requesting final disposition approval from the 
record owner prior to any destruction to ensure records are not needed 
for litigation or other records purposes. Hard copy records and 
Sensitive But Unclassified (SBU) information designated for local 
disposition will be placed in a locked container or designated secure 
storage area while awaiting destruction. All SBU data will be destroyed 
in a manner that precludes its reconstruction, such as shredding. 
Electronic information

[[Page 35997]]

will be deleted or overwritten using overwriting software that wipes 
the entire physical disk and not just the virtual disk. Overwriting is 
required for the destruction of all electronic SBU information.

System manager(s) and Address:
    Director, Division of Select Agents and Toxins, Coordinating Office 
for Terrorism Preparedness and Emergency Response, Bldg. 20, Rm. 4100, 
MS A46, Centers for Disease Control and Prevention, 1600 Clifton Road, 
NE., Atlanta, GA 30333.

Notification Procedure:
    An individual may learn if a record exists about himself or herself 
by contacting the system manager at the above address. Requesters in 
person must provide driver's license or other positive identification. 
Individuals who do not appear in person must submit a notarized request 
on institutional letterhead to verify their identity. The knowing and 
willful request for or acquisition of a record pertaining to an 
individual under false pretenses is a criminal offense under the 
Privacy Act subject to a $5,000 fine and/or imprisonment.

Record Access Procedures:
    Same as notification procedures. Requestors should also reasonably 
specify the record contents being sought. An accounting of disclosures 
that have been made of the record, if any, may also be requested.

Contesting Record Procedures:
    Contact the system manager at the address specified above, 
reasonably identify the record and specify the information being 
contested, the corrective action sought, and the reasons for requesting 
the correction, along with supporting information to show how the 
record is inaccurate, incomplete, untimely, or irrelevant.

Record Source Categories:
    Applicants registering for possession, use, and transfer of select 
agents and the U.S. Attorney General.

 [FR Doc. E7-12682 Filed 6-29-07; 8:45 am]
BILLING CODE 4163-18-P