[Federal Register Volume 77, Number 158 (Wednesday, August 15, 2012)]
[Notices]
[Pages 48984-48985]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-19951]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records Notice

AGENCY: Department of Health and Human Services (HHS).

ACTION: Notice to alter existing systems of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, HHS gives notice of a proposed alteration to two existing systems 
of records covering payroll records: 09-40-0006 entitled ``Public 
Health Service (PHS) Commissioned Corps Payroll Records, HHS/PSC/HRS,'' 
and 09-40-0010 entitled ``Pay, Leave and Attendance Records, HHS/PSC/
HRS.'' The systems are being amended to revise an existing routine use 
covering disclosures to contractors and to add a new routine use 
pertaining to system security. The routine use changes are described in 
more detail in the Supplementary Information section below.

DATES: The routine use changes described in this notice will become 
effective without further notice 30 days after publication of this 
notice in the Federal Register, unless comments received on or before 
that date result in revisions to this notice.

ADDRESSES: The public should address written comments to: Office of the 
Surgeon General (OSG), Division of Systems Integration (DSI), Tower 
Oaks Building, Plaza Level 100, 1101 Wootton Parkway, Rockville, 
Maryland 20852. Comments will be available for public viewing at that 
location. To review comments in person, please contact the Office of 
the Surgeon General (OSG), Division of Systems Integration, at 240-453-
6085.

FOR FURTHER INFORMATION CONTACT: For system 09-40-0006, contact CAPT 
Eric Shih, Office of the Surgeon General (OSG), Division of Systems 
Integration (DSI) Tower Oaks Building, Plaza Level 100, 1101 Wootton 
Parkway, Rockville, Maryland 20852, 240-453-6085, [email protected]. 
For system 09-40-0010, contact Charles Dietz, Program Support Center 
(PSC), Payroll Services Division, 5600 Fishers Lane, Room 17-01, 
Rockville, Maryland 20857, 301-504-3219, [email protected].

SUPPLEMENTARY INFORMATION:

I. The Privacy Act

    The Privacy Act (5 USC 552a) governs the means by which the U.S. 
Government collects, maintains, and uses information about individuals 
in a system of records. A ``system of records'' is a group of any 
records under the control of a Federal agency from which information 
about an individual is retrieved by the individual's name or other 
personal identifier. The Privacy Act requires each agency to publish in 
the Federal Register a system of records notice (SORN) identifying and 
describing each system of records the agency maintains, including the 
purposes for which the agency uses information about individuals in the 
system, the routine uses for which the agency discloses such 
information outside the agency, and how individual record subjects can 
exercise their rights under the Privacy Act (e.g., to determine if the 
system contains information about them).

I. The Proposed Routine Use Changes

    The payroll systems proposed to be altered are described in System 
of Records Notices (SORNs) published on December 11, 1998 (see 63 FR 
68596). System 09-40-0006 covers payroll records for HHS Commissioned 
Corps personnel, and system 09-40-0010 covers payroll records for HHS 
civilian personnel. In reviewing the SORNs, it was determined that the 
following changes in routine uses should be made for both systems. Both 
changes are compatible with the purposes for which personally 
identifiable information (PII) is collected in each system, as 
explained below:
     Contractor routine use: The routine use authorizing 
disclosures to contractors (numbered as routine use 7 in system number 
09-40-0006 and as routine use 6 in system number 09-40-0010) should be 
revised to state that records may be disclosed to ``federal agencies 
and Department contractors that have been engaged by HHS to assist in 
accomplishment of an HHS function relating to the purposes of the 
system (i.e., providing payroll services) and that need to have access 
to the records in order to assist HHS.'' As currently worded, the 
routine use includes ``contractors'' but not ``federal agencies'' and 
describes the purposes for which a contractor would be engaged as 
``collating, analyzing, aggregating or otherwise refining records in 
the system.'' Disclosing PII to a federal agency or Department 
contractor assisting HHS in providing payroll services is compatible 
with the purposes for which PII is collected in the system, because the 
PII is collected in the system for payroll-related purposes and the 
contractor, private firm or other federal agency would be using the PII 
for such purposes.
     Breach response routine use: A new routine use should be 
added (as routine use 13 in system number 09-40-0006 and as routine use 
26 in system number 09-40-0010) to authorize HHS to disclose PII from 
the system to appropriate parties in the course of responding to a data 
security breach incident involving the system. Disclosing PII to 
appropriate parties in the course of responding to a data security 
breach incident involving the system is compatible with the purposes 
for which PII is collected in the system, because individuals whose PII 
is in the system expect their information to be secured, and the 
routine use will help HHS protect the security of the system. The 
Office of Management and Budget (OMB) has recommended that federal 
agencies publish such a routine use for their Privacy Act systems, to 
facilitate their ability to respond to data security breach incidents 
(see OMB Memorandum M-07-16 ``Safeguarding Against and Responding to 
the Breach of Personally Identifiable Information,'' issued May 22, 
2007).
    Because they represent significant changes to the systems, a report 
on these proposed routine use changes was sent

[[Page 48985]]

to Congress and to OMB in accordance with 5 U.S.C. 552a(r).
    For the reasons set forth above, HHS is establishing the following 
routine uses for these systems:

1. Public Health Service (PHS) Commissioned Corps Payroll Records, HHS/
PSC/HRS (09-40-0006)

    Revised Routine Use 7: Records may be disclosed to federal agencies 
and Department contractors that have been engaged by HHS to assist in 
accomplishment of an HHS function relating to the purposes of the 
system (i.e., providing payroll services) and that need to have access 
to the records in order to assist HHS. Any contractor will be required 
to maintain Privacy Act safeguards with respect to such records. These 
safeguards are explained in the section entitled ``Safeguards.''
    New Routine Use 13: Records may be disclosed to appropriate federal 
agencies and Department contractors that have a need to know the 
information for the purpose of assisting the Department's efforts to 
respond to a suspected or confirmed breach of the security or 
confidentiality of the information maintained in this system of 
records, if the information disclosed is relevant and necessary for 
that assistance.

2. Pay, Leave and Attendance Records, HHS/PSC/HRS (09-40-0010)

    Revised Routine Use 6: Records may be disclosed to federal agencies 
and Department contractors that have been engaged by HHS to assist in 
accomplishment of an HHS function relating to the purposes of the 
system (i.e., providing payroll services) and that need to have access 
to the records in order to assist HHS. Any contractor will be required 
to maintain Privacy Act safeguards with respect to such records. These 
safeguards are explained in the section entitled ``Safeguards.''
    New Routine Use 26: Records may be disclosed to appropriate federal 
agencies and Department contractors that have a need to know the 
information for the purpose of assisting the Department's efforts to 
respond to a suspected or confirmed breach of the security or 
confidentiality of the information maintained in this system of 
records, if the information disclosed is relevant and necessary for 
that assistance.

    Dated: July 24, 2012.
Eric Shih,
USPHS, Acting Director, Division of Systems Integration, Office of the 
Surgeon General.
[FR Doc. 2012-19951 Filed 8-14-12; 8:45 am]
BILLING CODE 4150-28-P