[Federal Register Volume 75, Number 152 (Monday, August 9, 2010)]
[Notices]
[Pages 47812-47817]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-19536]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Security and Strategic Information


Privacy Act of 1974; Report of a New System of Records

AGENCY: Office of the Assistant Secretary for Administration and 
Management.

[[Page 47813]]


ACTION: Notice of a New Privacy Act System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, the Department of Health and Human Services is establishing a new 
system of records entitled, ``Facility and Resource Access Control 
Records,'' System No. 09-90-0777. This notice implements in part 
Homeland Security Presidential Directive 12 (HSPD-12), ``Policy for a 
Common Identification Standard for Federal Employees and Contractors'' 
of August 27, 2004. HSPD-12 requires all employees, contractors, and 
others who will be granted regular access to federal facilities for 
more than six months to undergo a background investigation to determine 
suitability and to be issued a Personal Identity Verification (PIV) 
Card (i.e. an identification badge). The purpose of the program is to 
enhance access controls to federal facilities to improve security. The 
badge stores the individual's name, employing organization, the badge 
issuer, the badge serial number, the expiration date, a picture of the 
badge holder, two fingerprints, and four encryption keys that may be 
used by the PIV card holder, when properly activated, in association 
with federal information technology resources. The Facility and 
Resource Access Control Records comprise information about the issuance 
of Personal Identity Verification (PIV) cards, PIV card holders (e.g. 
employees, contractors), other individuals who require regular access 
to HHS facilities or resources, and the use of PIV cards to access 
facilities or resources. The Facility and Resource Access Control 
Records also include information about occasional visitors and short-
term guests who do not carry PIV cards but to whom HHS will issue 
temporary credentials.

DATES: Effective Date: The new system of records will be effective on 
the date of publication of this notice, with the exception of the 
routine uses, which will become effective on September 8, 2010. We may 
defer implementation of this system or one or more of the routine use 
statements listed below if we receive comments that persuade us to do 
so.

DATES: Comments are due by September 8, 2010.

ADDRESSES: Address comments to HHS Privacy Act Officer, Mary E. Switzer 
Building, Department of Health and Human Services, 330 ``C'' Street, 
SW., Washington, DC 20201, or via electronic mail to HSPD12-privacy at 
hhs.gov. Comments will be available for public viewing in the public 
reading room located at the same address, or on our Web site at http://www.hhs.gov. To review comments in person, please call the Division of 
Freedom of Information and Privacy at 202-690-7453 for an appointment.

FOR FURTHER INFORMATION CONTACT: Ms. Maya A. Bernstein, Office of the 
Assistant Secretary for Planning and Evaluation, 200 Independence 
Avenue, SW., Room 434E, Washington, DC 20201, via e-mail at 
hhs.gov">maya.bernstein@hhs.gov, or via telephone at 202/690-7100.

SUPPLEMENTARY INFORMATION: The Facility and Resource Access Control 
Records enhance HHS' security and permit the Department to comply with 
Homeland Security Presidential Directive 12 (HSPD-12), ``Policy for a 
Common Identification Standard for Federal Employees and Contractors.'' 
This Presidential mandate requires all government employees, 
contractors, and certain other individuals to use new identification 
badges, known as Personal Identity Verification (PIV) cards, as their 
singular form of identification when accessing government buildings, 
facilities, or information technology systems. The PIV card will 
enhance security, increase government efficiency, reduce identity 
fraud, and protect personal privacy.
    Before obtaining a PIV card, each employee or contractor must 
undergo a standardized security credentialing process, including 
background investigations, to ensure safety of HHS facilities and the 
people who work in them. The PIV card system places modern card readers 
at the entrances of HHS facilities that allow interoperability with all 
federal agencies and ensure that entry of employees, contractors, and 
other regular visitors is strictly authorized. Leveraging cutting-edge 
technologies such as fingerprint recognition and single sign-on 
capabilities, this technology will reduce identity fraud and ensure 
only authorized users can access essential information. Finally, by 
protecting employees, facilities, and information, the PIV card guards 
the government resources that provide critical services to the American 
people.
    The PIV card will store the holder's name, employing organization, 
the badge issuer, the badge serial number, the expiration date, a 
picture of the badge holder, two fingerprints, and encryption keys that 
may be activated for access to information technology resources, if 
needed. It will not store other identifying information such as social 
security number or birth date. An associated database will store 
similar information in order to verify that individuals entering 
federal buildings or using other federal resources, such as information 
technology (IT) systems, are properly authorized for that access. In 
addition, the database will be used to verify the ability of other 
agencies' PIV card holders to enter HHS facilities or use HHS 
resources.
    Although HHS will not issue PIV cards to occasional visitors, 
information about occasional visitors will be maintained as part of the 
Facility and Resource Access Control Records. Some of these visitors 
may be required to undergo brief criminal history checks, depending on 
the reason for their visit and how often they enter our facilities or 
use our (IT) systems. The Facility and Resource Access Control Records 
includes that information.

Routine Uses

    In addition to the collection, use, and disclosure of information 
described in the statute itself, the Privacy Act permits HHS to 
establish disclosures to non-HHS entities that are not already 
identified by statute, and do not require the individual record 
subject's consent, by using an administrative process. These 
disclosures are known as ``routine uses,'' and are permitted to be 
established if they are ``compatible with the purpose'' for which the 
information was collected, and if the agency publishes them in the 
Federal Register for 30 days in advance. Both identifiable and non-
identifiable data may be disclosed under a routine use. This notice 
includes routine uses for the new system, and they are described below.
    Most of the routine uses fall into standard categories that are 
common to most systems of records across the government. These include 
(1) disclosure to the Department of Justice (DOJ) when DOJ represents 
HHS, our employees, or the government in litigation, and they need to 
have access to the records to perform that function. If such a case 
goes to court, another routine use (2) permits the records to be 
disclosed in evidence before a federal court or appropriate 
adjudicative body. There is a disclosure (3) permitted when a record in 
this system of records or in combination with other records indicates a 
violation of law -- we turn them over to the appropriate law 
enforcement entity in order to maintain the integrity of the program 
and ensure trust in the system. Another routine use (4) permits 
disclosure for intelligence and national security purposes, especially 
since the system manages information about persons that have access to 
federal facilities and federal information technology systems that has

[[Page 47814]]

been recognized by the President as a homeland security issue.
    The routine use disclosure to an individual Member of Congress (5) 
permits the Department to cooperate with a Member of Congress seeking 
information on behalf of a constituent (as opposed to the Committees of 
jurisdiction performing oversight) with a matter that involves these 
records. If the request is in writing, and we obtain a copy of the 
request, we will assume the constituent's consent for the Member to 
obtain records on a constituent's behalf even if a formal authorization 
is not included, so that the Department and the Member can better serve 
our citizens. However, the Member would get no more access to the 
record than that to which the constituent is entitled.
    The sixth routine use (6) permits the National Archives and Records 
Administration to carry out records management functions.
    Where HHS engages a contractor to carry out a function related to 
this system of records, routine use (7) permits disclosure to those 
individuals who require access to the records in order to perform the 
contracted work, and we will require the contractor to comply with the 
Privacy Act. Another routine use (8) permits disclosure to contractors 
or other agencies for the purpose of assisting the Department in 
responding to a suspected or confirmed data breach.
    When an individual submits an application for a background 
investigation, the individual normally signs an authorization 
permitting records to be obtained by the investigator from almost any 
source. Occasionally, after an individual has moved to another job or 
contract, if negative information should come to light relevant to 
another entity's decision about the suitability of the individual, a 
routine use (9) allows HHS to notify the other entity merely that we 
have relevant information. It is expected that the other entity, if 
interested in pursuing the matter, would present a written 
authorization on which HHS could rely to disclose more detailed 
records. However, the disclosed information will be limited to that 
which is reliable enough for such a referral.
    Finally, one routine use is particular to the PIV card system and 
allows the program to function as it is intended. HSPD-12 directs that, 
eventually, all PIV card holders should, in most cases, be able to 
visit other federal facilities and, if appropriate, use other agencies' 
computer resources, by presenting the PIV card. This system of records 
also describes information about visitors to HHS who have a PIV card 
from another agency. Therefore, this system of records also comprises 
information about those visitors, their entry and exit times, and 
summary information about them. A routine use (10) permits HHS to 
notify another federal agency if a PIV card is expired or no longer 
valid.

Safeguards

    HHS has safeguards in place for authorized users and monitors such 
users to ensure against excessive or unauthorized use. Personnel having 
access to the system have been trained in the Privacy Act and 
information security requirements. Employees who maintain records in 
this system are instructed not to release data until the intended 
recipient agrees to implement appropriate management, operational and 
technical safeguards sufficient to protect the confidentiality, 
integrity and availability of the information and information systems 
and to prevent unauthorized access.
    This system will conform to all applicable federal laws and 
regulations and federal and HHS policies and standards as they relate 
to information security and data privacy. These laws and regulations 
may apply but are not limited to: the Privacy Act of 1974; the Federal 
Information Security Management Act of 2002; the Computer Fraud and 
Abuse Act of 1986; the Health Insurance Portability and Accountability 
Act of 1996; the E-Government Act of 2002, and the Clinger-Cohen Act of 
1996 Circular A-130, Management of Federal Resources, Appendix III, 
Security of Federal Automated Information Resources also applies. 
Federal, and HHS policies and standards include but are not limited to: 
all pertinent National Institute of Standards and Technology 
publications and the HHS Information Systems Program Handbook.

    Dated: July 26, 2010.
RADM Arthur J. Lawrence,
Director, Office of Security and Strategic Information.
SYSTEM NO. 09-90-0777

SYSTEM NAME:
    ``Facility and Resource Access Control Records''.

SECURITY CLASSIFICATION:
    Most identity records are not classified. However, in some cases, 
records of certain individuals, or portions of some records, may be 
classified in the interest of national security.

SYSTEM LOCATION:
    Data covered by this system are maintained at the following 
locations: Department of Health and Human Services (HHS), Office of the 
Secretary, 200 Independence Avenue, SW., Washington, DC 20201; HHS 
Operating Divisions and regional offices around the country; Qwest 
Datacenter in Sterling, Virginia; and the Qwest CyberCenter in 
Highlands Ranch, Colorado. Some data covered by this system will be 
accessed at HHS locations, both federal buildings and federally-leased 
space, and at the physical security office(s) or computer security 
offices of those locations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    (1) Individuals who require or are under consideration to obtain 
regular, ongoing access to HHS facilities, information technology 
systems, or information classified in the interest of national 
security, such as applicants for employment or contracts with HHS, 
federal employees, tribal members, contractors, students, interns, 
volunteers, affiliates such as individuals authorized to perform or use 
services provided in HHS facilities (e.g., HEW Credit Union, fitness 
center, etc.) and individuals formerly in any of these positions. (2) 
PIV card holders from other agencies who visit HHS facilities or use 
HHS computer systems. (3) Occasional visitors or short-term employees 
or guests who do not carry PIV cards and do not require certificates 
for using encryption with a Public Key Infrastructure (PKI), to whom 
HHS will issue temporary identification and low assurance credentials.

CATEGORIES OF RECORDS IN THE SYSTEM:
    (1) Records maintained on individuals issued credentials by HHS 
include the following: Full name, Social Security number; date and 
place of birth; citizenship; signature; image (photograph); 
fingerprints; hair color; eye color; height; weight; sex; race; scars, 
marks, or tattoos; organization/office of assignment, location and 
contact information; PIV card issue and expiration dates; personal 
identification number (PIN); PIV request form; PIV sponsor, enrollment, 
registrar and issuance information; PIV card serial number; emergency 
responder designation; foreign national designator; contractor 
designator; information derived from documents used to verify identity 
such as document title, issuing authority, or expiration date; position 
sensitivity; level of national security clearance and expiration date; 
computer system user name; user access and

[[Page 47815]]

permission rights; authentication certificates; digital signature 
information; employment category; position title; dates, times, and 
locations of entries and exits.
    (2) HHS maintains the following categories of records about PIV 
card holders from other agencies entering HHS facilities or using HHS 
systems: Name, PIV card serial number; dates, times, and locations of 
entries and exits; organization name; level of national security 
clearance and expiration date; digital signature information; computer 
networks, applications, and data accessed.
    (3) HHS maintains the following categories of records about 
occasional visitors and short term guests: name, photograph, date and 
time of entry and exit, facility to which admitted, and name of person 
visiting.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301; Information Technology Management Reform Act of 1996 
(Pub. L. 104-106, sec. 5113); Electronic Government Act (Pub. L. 104-
347, sec. 203); Paperwork Reduction Act of 1995 (44 U.S.C. ch. 35); 
Government Paperwork Elimination Act (Pub. L. 105-277, sec. 1701, 44 
U.S.C. 3504); Homeland Security Presidential Directive (HSPD) 12, 
Policy for a Common Identification Standard for Federal Employees and 
Contractors, Aug. 27, 2004; Federal Property and Administrative Act of 
1949, as amended.

PURPOSE(S) OF THE SYSTEM:
    The primary purposes of the system of records are to (1) Ensure the 
safety and security of HHS facilities, systems, or information, and our 
occupants and users; (2) to verify that all persons entering federal 
facilities, using federal information resources, or accessing 
classified information are authorized to do so; and (3) to track and 
control PIV cards and other identity credentials issued to persons 
entering and exiting the facilities, using systems, or accessing 
classified information.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
    Information about covered individuals may be disclosed without 
consent as permitted by the Privacy Act of 1974, 5 U.S.C. 552a(b), and:
    (1) To the Department of Justice when: (a) The agency or any 
component thereof; or (b) any employee of the agency in his or her 
official capacity; (c) any employee of the agency in his or her 
individual capacity where agency or the Department of Justice has 
agreed to represent the employee; or (d) the United States government, 
is a party to litigation or has an interest in such litigation, and by 
careful review, the agency determines that the records are both 
relevant and necessary to the litigation and the use of such records by 
DOJ is therefore deemed by the agency to be for a purpose compatible 
with the purpose for which the agency collected the records.
    (2) To a court or adjudicative body in a proceeding when: (a) The 
agency or any component thereof; (b) any employee of the agency in his 
or her official capacity; (c) any employee of the agency in his or her 
individual capacity where agency or the Department of Justice has 
agreed to represent the employee; or (d) the United States government, 
is a party to litigation or has an interest in such litigation, and by 
careful review, the agency determines that the records are both 
relevant and necessary to the litigation and the use of such records is 
therefore deemed by the agency to be for a purpose that is compatible 
with the purpose for which the agency collected the records.
    (3) Except as noted on Forms SF 85, 85-P, and 86, when a record on 
its face, or in conjunction with other records, indicates a violation 
or potential violation of law, whether civil, criminal, or regulatory 
in nature, and whether arising by general statute or particular program 
statute, or by regulation, rule, or order issued pursuant thereto, 
disclosure may be made to the appropriate public authority, whether 
federal, foreign, state, local, or tribal, or otherwise, responsible 
for enforcing, investigating or prosecuting such violation or charged 
with enforcing or implementing the statute, or rule, regulation, or 
order issued pursuant thereto, if the information disclosed is relevant 
to any enforcement, regulatory, investigative or prosecutorial 
responsibility of the receiving entity.
    (4) To a federal, state, or local agency, or other appropriate 
entities or individuals, or through established liaison channels to 
selected foreign governments, in order to enable an intelligence agency 
to carry out its responsibilities under the National Security Act of 
1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 
or any successor order, applicable national security directives, or 
classified implementing procedures approved by the Attorney General and 
promulgated pursuant to such statutes, orders or directives.
    (5) To a Member of Congress or to a Congressional staff member in 
response to an inquiry of the Congressional office made at the written 
request of the constituent about whom the record is maintained.
    (6) To the National Archives and Records Administration or to the 
General Services Administration for records management inspections 
conducted under 44 U.S.C. 2904 and 2906.
    (7) To agency contractors who have been engaged to assist the 
agency in the performance of a contract service, grant, cooperative 
agreement, or other activity related to this system of records and who 
need to have access to the records in order to perform the activity. 
Recipients shall be required to comply with the requirements of the 
Privacy Act of 1974, as amended, 5 U.S.C. 552a.
    (8) To appropriate federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in this 
system of records, and the information disclosed is relevant and 
necessary for that assistance.
    (9) To a federal, state, local, foreign, or tribal or other public 
authority the fact that this system of records contains information 
relevant to the retention of an employee, the retention of a security 
clearance, the letting of a contract, or the issuance or retention of a 
license, grant, or other benefit. The other agency or licensing 
organization may then make a request supported by the written consent 
of the individual for the entire record if it so chooses. No disclosure 
will be made unless the information has been determined to be 
sufficiently reliable to support a referral to another office within 
the agency or to another federal agency for criminal, civil, 
administrative personnel or regulatory action.
    (10) To another federal agency to notify that agency when, or 
verify whether, a PIV card is no longer valid.


[[Page 47816]]


    Note: Disclosures of data pertaining to date and time of entry 
and exit of an agency employee working in the District of Columbia 
may not be made to supervisors, managers or any other persons (other 
than the individual to whom the information applies) to verify 
employee time and attendance record for personnel actions because 5 
U.S.C. 6106 prohibits federal Executive agencies (other than the 
Bureau of Engraving and Printing) from using a recording clock 
within the District of Columbia, unless used as a part of a flexible 
schedule program under 5 U.S.C. 6120 et seq.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored in electronic media and in paper files.

RETRIEVABILITY:
    Records are retrievable by name, date of birth, Social Security 
number, photographic identifiers, biometric identifiers, HHS 
Identification Number, and PIV card serial numbers.

SAFEGUARDS:
    HHS has safeguards in place for authorized users and monitors such 
users to ensure against excessive or unauthorized use. Personnel having 
access to the system have been trained in the Privacy Act and 
information security requirements. Employees who maintain records in 
this system are instructed not to release data until the intended 
recipient agrees to implement appropriate management, operational and 
technical safeguards sufficient to protect the confidentiality, 
integrity and availability of the information and information systems 
and to prevent unauthorized access.
    This system will conform to all applicable federal laws and 
regulations and federal and HHS policies and standards as they relate 
to information security and data privacy. These laws and regulations 
may apply but are not limited to: the Privacy Act of 1974; the Federal 
Information Security Management Act of 2002; the Computer Fraud and 
Abuse Act of 1986; the Health Insurance Portability and Accountability 
Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 
1996; the Medicare Modernization Act of 2003, and the corresponding 
implementing regulations. OMB Circular A-130, Management of Federal 
Resources, Appendix III, Security of Federal Automated Information 
Resources also applies. Federal, and HHS policies and standards include 
but are not limited to: All pertinent National Institute of Standards 
and Technology publications and the HHS Information Systems Program 
Handbook.
    Paper records are kept in locked cabinets in secure facilities and 
access to them is restricted to individuals whose role requires use of 
the records. The computer servers in which records are stored are 
located in facilities that are secured by alarm systems and off-master 
key access. The computer servers themselves are two-factor protected 
with Public Key Infrastructure (PKI) credentials, Personal 
Identification Numbers (PINs) and passwords. Access to individuals 
working at guard stations, operating enrollment stations, issuance 
stations, or the portal for sponsorship and adjudication will be two-
factor protected using PKI and PIN; each person granted access to the 
system at guard stations, enrollment stations, issuance stations or 
through the portal must be individually authorized to use the system. A 
notice warning users that they are responsible for protecting the 
information in accordance with the Privacy Act, the Computer Security 
Act, and the Federal Information Security Management Act appears on the 
monitor screen when records containing information on individuals are 
first displayed. Data exchanged between the servers and the personal 
computers at the guard stations and badging office are encrypted. 
Backup tapes are stored in a locked and controlled room in a secure, 
off-site location.
    An audit trail is maintained and reviewed periodically to identify 
unauthorized access. Persons given roles in the PIV process must 
complete training specific to their roles to ensure they are 
knowledgeable about how to protect individually identifiable 
information.

RETENTION AND DISPOSAL:
    Records relating to persons' access covered by this system are 
retained in accordance with General Records Schedule 18, Item 17 
approved by the National Archives and Records Administration (NARA). 
Unless retained for specific, ongoing security investigations, for 
maximum security facilities, records of access are maintained for five 
years and then destroyed. For other facilities, records are maintained 
for two years and then destroyed.
    All other records relating to individuals are retained and disposed 
of in accordance with General Records Schedule 18, item 22, approved by 
NARA. In accordance with HSPD-12, PIV cards are deactivated within 18 
hours of cardholder separation, loss of card, or expiration. PIV cards 
are destroyed by cross-cut shredding no later than 90 days after 
deactivation.

SYSTEM MANAGER AND ADDRESS:
    Ken Calabrese, HHS Chief Technology Officer, Office of the HHS 
Chief Information Officer, Department of Health and Human Services, 200 
Independence Avenue, SW., Washington, DC 20201.

NOTIFICATION PROCEDURE:
    An individual can determine if this system contains a record 
pertaining to himself or herself by sending a request in writing, 
signed, to HHS Privacy Act Officer, Room 2221, Mary E. Switzer 
Building, Department of Health and Human Services, 330 ``C'' Street, 
SW., Washington, DC 20201. When requesting notification of or access to 
records covered by this Notice, an individual should provide his/her 
full name, date of birth, agency name, and work location. An individual 
requesting notification of records in person must provide identity 
documents sufficient to satisfy the custodian of the records that the 
requester is entitled to access, such as a government-issued photo ID. 
Individuals requesting notification via telephone must furnish, at a 
minimum, name, date of birth, social security number, and home address 
in order to establish identity. Individuals requesting notification via 
mail shall submit a notarized request to the responsible Department 
official to verify his or her identity or shall certify in his or her 
request that he or she is the individual who he or she claims to be and 
that he or she understands that the knowing and willful request for or 
acquisition of a record pertaining to an individual under false 
pretenses is a criminal offense under the Act subject to a $5,000 fine.

RECORD ACCESS PROCEDURE:
    In addition to the procedures above, requesters should reasonably 
specify the record contents being sought. If additional information or 
assistance is required, contact the HHS Privacy Act Officer, Room 2221, 
Mary E. Switzer Building, Department of Health and Human Services, 330 
``C'' Street, SW., Washington, DC 20201. Write the words ``Privacy Act 
Request'' on the envelope and on the letter. For purpose of access, use 
the same procedures outlined in the Notification Procedures above. 
(These procedures are in accordance with Department regulation 45 CFR 
5b.5 (a) (2).)

CONTESTING RECORDS PROCEDURES:
    In addition to the procedures above, requesters should also 
reasonably

[[Page 47817]]

identify the record, specify the information they are contesting, state 
the corrective action sought and the reasons for the correction along 
with supporting justification showing why the record is not accurate, 
timely, relevant, or complete. Rules regarding amendment of Privacy Act 
records appear in 45 CFR part 5a. If additional information or 
assistance is required, contact the HHS Privacy Act Officer, Room 2221, 
Mary E. Switzer Building, Department of Health and Human Services, 330 
``C'' Street, SW., Washington, DC 20201. Write the words ``Privacy Act 
Request'' on the envelope and on the letter.

RECORDS SOURCE CATEGORIES:
    Employee, contractor, or applicant; sponsoring agency; former 
sponsoring agency; other federal agencies; contract employer; former 
employer.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. 2010-19536 Filed 8-6-10; 8:45 am]
BILLING CODE 4150-03-P