[Federal Register Volume 82, Number 109 (Thursday, June 8, 2017)]
[Notices]
[Pages 26702-26705]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-11937]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

[Docket No. FR-6009-N-02]


Privacy Act of 1974: Enterprise Data Management (EDM) System of 
Records

AGENCY: Office of Administration, HUD.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: HUD proposes to add a new system of records to its inventory 
of systems of records, subject to the Privacy Act of 1974, as amended. 
This action is necessary to meet the requirements of the Privacy Act to 
publish in the Federal Register notice of the existence and character 
of records maintained by HUD. This system of records notice authorizes 
HUD's Enterprise Data Management (EDM) to collect and maintain 
information. HUD's goal is to upgrade HUD's data management, data 
warehousing, data mining and data security capabilities from current 
outdated legacy database to a more advanced warehouse model.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), the public is 
given a 30-day period in which to comment. Therefore, submit comments 
on or before July 10, 2017.

ADDRESSES: You may submit comments, identified by docket number and 
title, by one of the following methods:
     Federal e-Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions provided on that Site to submit comments 
electronically.
     Fax: 202-619-8365.
     Email: [email protected].
     Mail: Attention: Housing and Urban Development, Privacy 
Office, Marcus Smallwood, The Executive Secretariat, 451 Seventh Street 
SW., Room 10139, Washington, DC 20410.
    Instructions: All submission received must include the agency name 
and docket number for this Federal Register document. The general 
policy for comments and other submission from members of the public is 
make three submissions available for public viewing on the Internet at 
http://www.regulations.gov, as they are received without change, 
including any personal identifiers or contact information.
    Docket: For access to the docket to read background documents or 
comments received, please visit http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Marcus Smallwood, Chief Privacy 
Officer, 451 Seventh Street SW., Room 10139, Washington, DC 20410, 
telephone number 202-708-3054. Individuals who are hearing- and speech-
impaired may access this number via TTY by calling the Federal Relay 
Service at 800-877-8339 (this is a toll-free number).

SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act of 1974, 
5 U.S.C. 552a, the Department of Housing and Urban Development (HUD) 
Office of Chief Information Officer (OCIO) proposes to establish a new 
HUD system of records titled, ``Enterprise Data Management (EDM) System 
of Records.'' This system of records is operated by HUD's OCIO, and it 
will be developed in several phases. The initial phase includes 
personally identifiable information (PII) about borrowers of Federal 
Housing Administration (FHA)-insured single-family mortgages, employees 
of FHA-approved lending institutions, third-parties associated with 
FHA/HUD transactions such as appraisers and HUD personnel associated 
with single family transactions.
    OCIO is establishing an EDM environment. The EDM environment 
includes a modern ``Data Lake''; which is a centralized data 
environment to onboard HUD data for use in analytical reporting. The 
EDM also serves as the centralized environment for systems to consume 
data from HUD systems (eliminating point to point interfaces). In 
accordance with Section 203, National Housing Act, Public Law 73-479; 
and 42 U.S.C. 3543, titled ``Preventing fraud and abuse in Department 
of Housing and Urban Development programs'' enacted as part of the 
Housing and Community Development Act of 1987, the EDM and data lake 
enables HUD data consumers to gain new insights that will allow HUD to 
better identify trends and previously unknown risk drivers, thus

[[Page 26703]]

strengthening its risk management and fraud prevention framework.
    EDM extracts data from multiple source systems for analysis and 
reporting. The EDM will provide query and reporting tools that aid in 
supporting HUD's oversight activities, market and economic assessment, 
public and stakeholder communication, planning and performance 
evaluation, policies and guidelines promulgation, monitoring and 
enforcement. Making data available from the HUD source systems will 
involve Data Extraction, Transformation, and Load (ETL) into the EDM 
environment. The type of HUD source system (e.g., mainframe, relational 
database management system (RDBMS), hierarchical) will determine the 
approach and the tools that will be used to extract the data. EDM 
extracts data from multiple source systems for analysis and reporting. 
The EDM will provide query and reporting tools that aid in supporting 
HUD's oversight activities, market and economic assessment, public and 
stakeholder communication, planning and performance evaluation, 
policies and guidelines promulgation, monitoring and enforcement. The 
following lists the type of information collected from Source Systems 
for the initial phase of EDM:
     Mortgagors: Name, addresses, date of birth, social 
security number, and racial/ethnic background (if disclosed) which are 
supplied by lenders through Automated Underwriting Systems during the 
mortgage application and underwriting process.
     Parties Involved with Transaction: Name, addresses, and 
identifying numbers which are supplied by the lender or the individual.
     Mortgage Details: Data regarding current and former FHA 
insured mortgages which includes underwriting data, such as: Loan-to-
value ratios and expense ratios; original terms, such as: Mortgage 
amount, interest rate, term in months; status of the mortgage 
insurance; and history of payment defaults, if any. This information is 
provided by the lender at the time of closing, and also maintained by 
the loan servicer.
     HUD Employees: Names and identification of all HUD 
employees who have access to the system records. Also, identification 
information is stored for employees who work with mortgage applications 
through FHA Connection.
     Aggregated measures of the data stated above to enable 
statistical reporting and analysis of trends.

II. Privacy Act

    The Privacy Act embodies fair information practice principles in a 
statutory framework governing how the Federal Government collects, 
maintains, uses, and disseminates individuals' records. The Privacy Act 
applies to information that is maintained in a ``system of records.'' A 
``system of records'' is a group of any records under the control of an 
agency from which information is retrieved by the name of an individual 
or by some identifying number, symbol, or other identifying particular 
assigned to the individual. In the Privacy Act, an individual is 
defined to encompass U.S. citizens and lawful permanent residents. As a 
matter of policy, HUD extends administrative Privacy Act protections to 
all individuals, excluding persons who are not United States citizens 
or lawful permanent residents from the protections of the Privacy Act 
regarding personally identifiable information, when systems of records 
maintain information on U.S. citizens, lawful permanent residents, and 
visitors.
    This new public notice allows HUD to organize and re-publish up-to-
date and accurate information about this system of records. The notice 
correction incorporates Federal privacy requirements, and HUD policy 
requirements. The Privacy Act provides certain safeguards for an 
individual against an invasion of personal privacy by requiring Federal 
agencies to protect records contained in an agency system of records 
from unauthorized disclosure, ensure that information is current for 
its intended use, and that adequate safeguards are provided to prevent 
misuse of such information. Additionally, the updates reflect the 
Department's focus on industry best practices in protecting the 
personal privacy of the individuals covered by each system 
notification.
    In accordance with 5 U.S.C. 552a(r), HUD has provided a report of 
this system of records to the Office of Management and Budget (OMB) and 
to Congress, the Senate Committee on Homeland Security and Governmental 
Affairs, and the House Committee on Government Reform and Oversight as 
instructed by Paragraph 7b of OMB Circular No. A-108, ``Federal Agency 
Responsibilities for Review, Reporting, and Publication under the 
Privacy Act,'' December 23, 2016.
SYSTEM NAME AND NUMBER:

HUD/OCIO--01 Enterprise Data Management (EDM)

SECURITY CLASSIFICATION:
    Unclassified, but sensitive.

SYSTEM LOCATION:
    EDM is hosted at the Department of Housing and Urban Development, 
451 Seventh Street SW., Washington, DC 20410, or at the locations of 
the service providers under contract with HUD.

SYSTEM MANAGER(S):
    Mark Hayes, Chief Technology Officer, Department of Housing and 
Urban Development, 451 Seventh Street SW., Room 4166, Washington, DC 
20410, 202-402-5526.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The system is maintained in accordance with Section 203, National 
Housing Act, Public Law 73-479, and 42 U.S.C. 3543 titled ``Preventing 
fraud and abuse in Department of Housing and Urban Development 
programs,'' enacted as part of the Housing and Community Development 
Act of 1987 which permits the collection of Social Security Numbers.

PURPOSE(S) OF THE SYSTEM:
    EDM replaces HUD's current data storage, retrieval and warehousing 
capabilities. EDM will be implemented in phases across HUD, and the 
first phase is to directly support the new Loan Review System (LRS). It 
will collect data from certain specified source systems and return it 
to LRS. Subsequent phases will collect data from other source systems, 
and ultimately will replace all existing data warehouses across HUD.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The initial phase of EDM will cover individuals who have obtained a 
mortgage insured under FHA's single family mortgage insurance programs, 
individuals who have assumed such a mortgage, and individuals involved 
in appraising, underwriting, or servicing the mortgage (commonly 
referred to as ``mortgagee/lender'').

CATEGORIES OF RECORDS IN THE SYSTEM:
    The initial categories of records maintained by the system include:
     Appraiser: First Name, Last Name, Middle Name, Suffix.
     Case Borrower(s): Borrower(s) Full Name, Borrower(s) 
Social Security number, Non-Borrowing Spouse Social Security number.
     Loan Officer: First Name, Last Name, Middle Name.
     Case Property: Basement Code, Neighborhood Percentage 
Owned,

[[Page 26704]]

Neighborhood Predominate, Price, Subdivision Indicator, Property 
Acquisition Date, Property Street, Property Conversion Type, Rural 
Neighborhood Code, Neighborhood Single Family Home Percentage, 
Subdivision Lot Indicator, Building Type, Date of Sale or Transfer, 
Sale Amount, Year Built, City, Zip, Geocode Flag, Underserved 
Indicator, Block, Lot, House Number, Street Number.
     FHA Case Information: Federal Housing Administration (FHA) 
Case Number, Case Established Date, Case Reinstatement Date, Case Type, 
Originating Mortgagee ID, Sponsor Mortgagee ID, Loan Officer Nationwide 
Multistate Licensing System (NMLS) ID, Underwriter Name, Underwriter 
ID.
     Mortgagee (Lender) Branch: Branch Type, Branch ID, 
Mortgagee Institution ID, Mortgagee Institution Name, Mortgagee 
Institution Type, Mortgagee Nationwide Multistate Licensing System 
(NMLS) ID, Mortgagee Status.
     HUD Employees: Names and identification of all HUD 
employees who have access to the system records. Also, identification 
information is stored for employees who work with mortgage applications 
through FHA Connection.
     Servicing Status: Servicing Status, Claims, and 
Indemnification Agreement.

RECORD SOURCE CATEGORIES:
    Mortgagors, appraisers, mortgagee staff, underwriters, and HUD 
employees provide data to the originating source systems. The following 
originating source systems then pass their data to the Enterprise Data 
Warehouse used in EDM:
     A43--Single Family Insurance System (SFIS)
     A43C--Single Family Claims Subsystem (SFCS)
     F17--Computerized Homes Underwriting Management System 
(CHUMS)
     F17C--FHA Connection (FHAC)
     F17T--TOTAL Mortgage Scorecard (TOTAL)
     F42D--Single Family Default Monitoring System (SFDMS)
     P271--Home Equity Reverse Mortgage Information System 
(HERMIT)
     P278--Lender Electronic Assessment Portal (LEAP)
     P303--Loan Review System (LRS)

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
Section 552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside HUD as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    1. To appropriate agencies, entities, and persons to the extent 
such disclosures are compatible with the purpose for which the records 
in this system were collected, as set forth by Appendix I--HUD's 
Routine Use Inventory Notice published in 80 FR 81837.
    2. To appropriate agencies, entities, and persons when:
    (a) HUD suspects or has confirmed that the security or 
confidentiality of information in a system of records has been 
compromised;
    (b) HUD has determined that because of the suspected, or confirmed 
compromise there is a risk of harm to economic or property interests, 
identity theft or fraud, or harm to the security or integrity of 
systems or programs (whether maintained by HUD or another agency or 
entity) that rely upon the compromised information; and
    (c) The disclosure made to such agencies, entities, and persons is 
reasonably necessary to assist in connection with HUD's efforts to 
respond to the suspected or confirmed compromise and prevent, minimize, 
or remedy such harm for purposes of facilitating responses and 
remediation efforts in the event of a data breach.
    3. To appropriate agencies, entities, and persons when (1) HUD 
suspects or has confirmed that there has been a breach of the system of 
records, (2) HUD has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, HUD (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with HUD's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    4. To another Federal agency or Federal entity, when HUD determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    5. To the National Archives and Records Administration (NARA) or 
General Services Administration pursuant to records management 
inspections being conducted under the authority of 44 U.S.C. 2904 and 
2906.
    6. To a congressional office from the record of an individual in 
response to an inquiry from that congressional office made at the 
request of the individual to whom the record pertains.
    7. To appropriate agencies, entities, and persons when:
    (a) HUD suspects or has confirmed that the security or 
confidentiality of information in the system of records has been 
compromised;
    (b) HUD has determined that as a result of the suspected or 
confirmed compromise, there is a risk of identity theft or fraud, harm 
to economic or property interests, harm to an individual, or harm to 
the security or integrity of this system or other systems or programs 
(whether maintained by HUD or another agency or entity) that rely upon 
the compromised information; and
    (c) The disclosure made to such agencies, entities, and persons is 
reasonably necessary to assist in connection with HUD's efforts to 
respond to the suspected or confirmed compromise and prevent, minimize, 
or remedy such harm.
    8. To contractors and their agents, grantees, experts, consultants, 
and others performing or working on a contract, service, grant, 
cooperative agreement, or other assignment for HUD, when necessary to 
accomplish an agency, function related to this system of records. 
Individuals provided information under this routine use are subject to 
the same Privacy Act requirements and limitations on disclosure as are 
applicable to HUD officers and employees.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    EDM will be stored in compliance with 36 CFR 1236.10 regulations on 
recordkeeping management controls in a Federal Risk and Authorization 
Management Program (FedRAMP) compliant network. There are no paper 
records associated with EDM.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    In this initial phase of EDM, information is retrieved from EDM by 
FHA Case Number as the key identifier. User access to query information 
in the EDM does not exist. EDM supports only system-to-system 
interfaces.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Electronic information maintained in EDM is retrieved from 
originating recordkeeping systems and is retained

[[Page 26705]]

indefinitely for future access. This information does not meet the 
federal definition of a record as it is not evidence of the 
organization, functions, policies, decisions, procedures, operations, 
or other activities. This information is duplicated copies of record 
content preserved for convenience to facilitate new record creation 44 
U.S.C. 3301. As subsequent phases of EDM are completed, the applicable 
data retention policies for those records will be evaluated and 
maintained for associated systems.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    HUD has developed a system security plan of controls for ensuring 
and protecting Microsoft Azure Government Cloud in accordance with 
applicable laws. End users cannot directly access the Enterprise Master 
Data Warehouse used in EDM. Data exchange with other HUD systems is 
precisely specified and occurs only through secure interfaces. 
Encryption of data both at rest and in motion is enabled on a selective 
basis. EDM is subject to compliance with all Federal requirements and 
adheres to its approved system security plan (SSP).

RECORD ACCESS PROCEDURES:
    HUD allows persons (including foreign nationals) to seek 
administrative access under the Privacy Act to information maintained 
in EDM. Individuals seeking notification of and access to any record 
contained in this system of records, or seeking to contest its content, 
may submit a request in writing to the HUD Chief Freedom of Information 
Act (FOIA) Officer or OCIO FOIA Officer. If an individual believes more 
than one component maintains Privacy Act records that concern him or 
her, the individual may submit the request to Helen Goff Foster, Chief 
Privacy Officer/Senior Agency Official for Privacy, 451 Seventh Street 
SW., Room 10139, Washington, DC 20410, telephone number (202) 402-6838.
    When seeking records about yourself from this system of records or 
any other HUD system of records, your request must conform with the 
Privacy Act regulations set forth in 24 CFR part 16. You must first 
verify your identity, meaning that you must provide your full name, 
current address, and date and place of birth. You must sign your 
request, and your signature must either be notarized or submitted under 
28 U.S.C. 1746, a law that permits statements to be made under penalty 
of perjury as a substitute for notarization. In addition, your request 
should:
    (a) Explain why you believe HUD would have information on you.
    (b) Identify which Office of HUD you believe has the records about 
you.
    (c) Specify when you believe the records would have been created.
    (d) Provide any other information that will help the FOIA staff 
determine which HUD office may have responsive records.
    If your request is seeking records pertaining to another living 
individual, you must include a statement from that individual 
certifying their agreement for you to access their records. Without the 
above information, the HUD FOIA Office may not be able to conduct an 
effective search, and your request may be denied due to lack of 
specificity or lack of compliance with applicable regulations.

CONTESTING RECORD PROCEDURES:
    The Department's rules for contesting contents of records and 
appealing initial denials appear in 24 CFR part 16, Procedures for 
Inquiries. Additional assistance may be obtained by contacting Helen 
Goff Foster, Senior Agency Official for Privacy/Chief Privacy Officer, 
451 Seventh Street SW., Room 10139, Washington, DC 20410, or the HUD 
Departmental Privacy Appeals Officers, Office of General Counsel, 
Department of Housing and Urban Development, 451 Seventh Street SW., 
Washington, DC 20410.

NOTIFICATION PROCEDURES:
    See ``Records Access Procedures'' above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Not Applicable.

    Dated: May 4, 2017.
Helen Goff Foster,
Senior Agency Official for Privacy.
[FR Doc. 2017-11937 Filed 6-7-17; 8:45 am]
 BILLING CODE 4210-67-P