[Federal Register Volume 82, Number 246 (Tuesday, December 26, 2017)]
[Notices]
[Pages 61020-61023]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-27767]


-----------------------------------------------------------------------

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

[Docket No. FR-6009-N-06]


Privacy Act of 1974; System of Records: Understanding Rapid Re-
Housing Study

AGENCY: Office of Policy Development and Research, HUD.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: For the Understanding Rapid Re-housing Study, the Department 
of Housing and Urban Development's (HUD) Office of Policy Development 
and Research (PD&R) is partnering with an external research team to 
collect new data to analyze the current status of the rapid re-housing 
(RRH) programs and the experiences of RRH participants. The project 
will provide HUD with a deeper understanding of how RRH programs 
operate and the experiences of households that use them. The 
Understanding Rapid Re-housing Study will synthesize existing research 
on RRH programs, extend the analysis of data from the Family Options 
Study (2016), provide a detailed examination of all rapid re-housing 
programs nationwide, and conduct qualitative research with a small 
sample of families and individuals who receive RRH. The study will 
collect contact information from Continuums of Care (CoCs) for RRH 
programs, as well as personal information from participating RRH 
households.
    In accordance with the Privacy Act of 1974, HUD/PD&R proposes to 
establish a new system of records titled, ``HUD/Understanding Rapid Re-
housing.'' This system of records allows HUD/PD&R to collect and 
maintain records on rapid re-housing program participants who volunteer 
to participate in the study as well as Continuums of Care and rapid re-
housing program staff. This newly established system will be included 
in HUD's inventory of systems.

DATES: January 25, 2018.

ADDRESSES: Interested persons are invited to submit comments regarding 
this notice to the Rules Docket Clerk, Office of General Counsel, 
Department of Housing and Urban Development, 451 Seventh Street SW, 
Room 10276, Washington, DC 20410. Comments may be filed electronically 
by accessing: www.regulations.gov. Regulations.gov provides clear 
instructions on how to submit a public comment on a rule. 
Communications should refer to the above docket number and title. Faxed 
comments are not accepted. A copy of each communication submitted will 
be available for public inspection and copying between 8 a.m. and 5 
p.m. weekdays at the above address.

FOR FURTHER INFORMATION CONTACT: For general questions please contact: 
The Privacy Office, 451 Seventh Street SW, Room 10139, Washington, DC 
20410, telephone number 202-708-3054. Individuals who are hearing- and 
speech-impaired may access this number via TTY by calling the Federal 
Relay Service at 800-877-8339 (this is a toll-free number).

SUPPLEMENTARY INFORMATION:

I. Background

    In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, HUD/PD&R 
proposes to establish a new HUD system of records titled ``HUD/
Understanding Rapid Re-housing.''
    The new system--the Understanding Rapid Re-housing study--is not 
required by a new rulemaking being published.
    The Understanding Rapid Re-housing (RRH) Study is being conducted 
by Abt Associates, an independent research firm, under the authority of 
the Secretary of HUD, through the Office of Policy Development and 
Research. The study is meant to undertake programs of research, 
studies, testing, and demonstration related to HUD's mission and 
programs (12 U.S.C. 1701z-1 et seq.).
    This study provides an opportunity to address unanswered questions 
about RRH assistance and to gain an understanding of the status of RRH 
programs nationwide, as well as the experiences of RRH participants. At 
the program level, the new data collection and analysis will assess the 
current scale of RRH, document the predominant models in place for RRH 
programs, determine the extent to which programs use progressive 
engagement service approaches, and examine the way RRH programs 
function in rental markets with varying costs and vacancy rates.
    Researchers will collect program-level data from Continuums of Care 
(CoCs) and RRH programs via a web-based survey and will subsequently 
collect further data through in-depth telephone interviews with several 
RRH programs. This data will be analyzed by Abt Associates and reported 
to HUD in a final report. Abt study staff will conduct in-person 
interviews and meetings with 16 RRH program participants. Data from 
these meetings will be collected via electronic recordings and paper 
protocols, and analyzed and reported by the researchers in the final 
report to HUD. All data will be de-identified for reporting purposes, 
so no person or program will be able to be identified in the final 
published study.
    This study has undergone Institutional Review Board (IRB) and 
Information Security reviews to identify privacy risks, compliance, and 
legal risks to HUD.
    Consistent with HUD's information-sharing mission, information 
stored in the HUD/Understanding Rapid Re-housing system may be shared 
with other HUD components that have a need to know the information to 
carry out their national security, law enforcement, immigration, 
intelligence, or other homeland security functions. In addition, 
information may be shared with appropriate federal, state, local, 
tribal, territorial, foreign, or international government agencies 
consistent with the routine uses set forth in this system of records 
notice.

SYSTEM NAME AND NUMBER:
    HUD/Understanding Rapid Re-housing--

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Abt Associates, 4550 Montgomery Avenue, Suite 800 North, Bethesda, 
MD. A list of additional contractor sites where records under this 
system are maintained is available upon request to the system manager.

SYSTEM MANAGER(S):
    Mindy Ault, Social Science Analyst, Program Evaluation Division, 
U.S. Department of Housing and Urban Development, 451 7th St. SW, Room 
8120, Washington, DC 20410.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The authority for the collection of the data and the maintenance of 
this system can be found at Sec. 501, 502, Housing and Urban 
Development Act of 1970 (Pub. L. 91-609), 12 U.S.C. 1701z-1, 1701z-2. 
One part of HUD's established mission and responsibilities is to

[[Page 61021]]

monitor family housing conditions and options. To evaluate the 
effectiveness of the programs that affect the conditions and options, 
HUD needs to collect participant data over time which includes the 
necessary contact and tracking information.

PURPOSE(S) OF THE SYSTEM:
    This system is meant to provide HUD with a more in-depth 
understanding of the efficacy of RRH programs nationwide at both the 
program and participant levels.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered by the system are voluntary participants in 
HUD-funded rapid re-housing programs and Continuums of Care and rapid 
re-housing program staff.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The specific types of records collected from study participants and 
maintained will include: Names, birth dates, home addresses, telephone 
numbers, personal email addresses, demographic information, income 
information, housing history, mental and physical health, and family 
status information.

RECORD SOURCE CATEGORIES:
    This project includes five instruments for data collection: (1) Web 
Census for CoCs and Rapid Re-Housing Programs, (2) Interview Guide for 
Rapid Re-Housing Programs, (3) Rapid Re-housing Participant Interview 
Guide, (4) Rapid Re-housing Participant Follow-up Interview Guide, and 
(5) Quarterly Household Tracking Guide for Ethnographic Panel. Of 
these, the first two are program-level data collections and as such 
will include minimal personally identifiable information (PII), 
including only the name and contact information for the CoC 
Collaborative Applicant and RRH program staff person completing the 
survey. The Rapid Re-Housing Participant Interview Guide, Rapid Re-
housing Participant Follow-up Interview Guide, and Quarterly Household 
Tracking Guide will collect information from participants via interview 
questions asked in person and recorded for this study. This information 
will be collected after obtaining written consent regarding 
participation and will be de-identified in the report. All of the data 
collection records containing PII will be destroyed at the end of the 
study period.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
Section 552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside HUD as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    To appropriate agencies, entities, and persons for disclosures 
compatible with the purpose for which the records in this system were 
collected, as set forth by Appendix I--HUD's Routine Use Inventory 
Notice, 80 FR 81837 (December 31, 2015).
    1. To the National Archives and Records Administration or to the 
General Services Administration for records having enough historical or 
other value to warrant continued preservation by the United States 
Government, or for inspection under Title 44 U.S.C. 2904 and 2906.
    2. To a congressional office from the record of an individual, in 
response to an inquiry from that congressional office made at the 
request of that individual.
    3. To contractors performing or working under a contract with HUD, 
when necessary to accomplish an agency function related to this system 
of records. Disclosure requirements are limited to only those data 
elements considered relevant to accomplishing an agency function. 
Individuals provided information under these routine use conditions are 
subject to Privacy Act requirements and disclosure limitations imposed 
on the Department.
    4. To the Department of Justice (DOJ) when seeking legal advice for 
a HUD initiative or in response to DOJ's request for the information, 
after either HUD or DOJ determine that such information relates to 
DOJ's representation of the United States or any other components in 
legal proceedings before a court or adjudicative body, provided that, 
in each case, the agency also determines prior to disclosure that 
disclosure of the records to DOJ is a use of the information in the 
records that is compatible with the purpose for which HUD collected the 
records. HUD on its own may disclose records in this system of records 
in legal proceedings before a court or administrative body after 
determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which HUD collected the 
records.
    5. To contractors, grantees, experts, consultants, Federal 
agencies, and non-Federal entities including but not limited to state 
and local governments, with whom HUD has a contract, service agreement, 
grant, or cooperative agreement for statistical analysis to advance the 
goals of the nation's federal strategic plan to prevent and end 
homelessness. The records may not be used to make decisions concerning 
the rights, benefits, or privileges of specific individuals, or 
providers of services with respect to a homeless individual's efforts.
    6. To appropriate agencies, entities, and persons when: (a) HUD 
suspects or has confirmed that the security or confidentiality of 
information in a system of records has been compromised; (b) HUD has 
determined that, as a result of the suspected or confirmed compromise, 
there is a risk of harm to economic or property interests, identity 
theft or fraud, or harm to the security or integrity of systems or 
programs (whether maintained by HUD or another agency or entity) that 
rely upon the compromised information; and (c) the disclosure made to 
such agencies, entities, and persons is reasonably necessary to assist 
in connection with HUD's efforts to respond to the suspected or 
confirmed compromise and prevent, minimize, or remedy such harm for 
purposes of facilitating responses and remediation efforts in the event 
of a data breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Abt has implemented full disk encryption (FIPS 140-2 compliant) 
software in our environment to protect the storage of data, as well as 
a file transfer application (also FIPS 140-2 compliant), Huddle, for 
the secure, encrypted transmission of sensitive data such as PII and 
PHI to and from our clients and subcontractors. Huddle offers secure 
content collaboration to share data and is FedRAMP certified. Huddle 
encrypts data in-transit using TLS (128-bit or 256-bit encryption) and 
at rest with 256-bit AES.
    Abt has also implemented anti-malware software in its environment 
and updates definitions daily on each workstation. For boundary 
protection, Abt has implemented Cisco ASA Firewalls.
    Hard copy notes and other materials that are collected as part of 
the ethnographic work in Task 8 will be securely stored in locked file 
cabinets when not in use.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    During the course of the study, program-level records may be 
retrieved by program name or assigned unique identifier; participant-
level records may be retrieved by assigned unique identifier.

[[Page 61022]]

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Abt Associates will retain all data collected over the life of the 
study and any analysis files generated with those data under conditions 
specified in the study protocol. At the end of the contract, Abt will 
destroy all PII per the contract terms. The retention and disposal 
procedures are in keeping with HUD's records management policies as 
described in 44 U.S.C. 3101 and 44 U.S.C. 3303. Abt Associates will 
submit all de-identified data to HUD at the end of the contract. The 
retention and disposal procedures are in keeping with HUD's records 
management policies as described in 44 U.S.C. 3101 and 44 U.S.C. 3303. 
Study participant PII to be retained for the length of the study (and 
then destroyed at the end of the contract period, in October 2019) 
includes the following:

 Name
 Birth date
 Home address
 Telephone number
 Personal email address

    The retention and disposal procedures are in keeping with HUD's 
records management policies as described in section below: 2225.6 REV-
1, Appendix 67, Records Disposition Schedule 67 PD&R, Item No. 5.
    Disposition: Project case files reflecting a complete history of 
each project from initiation through research, development, design, 
testing, and demonstration will be retired to a Federal Records Center 
three years after satisfactory close of the project. Files will be 
destroyed six years after satisfactory close of the project (NARA Job 
NCl-207-78-6, Item 5). https://portal.hud.gov/hudportal/documents/huddoc?id=22256x67ADMH.pdf.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    The contractor, Abt Associates, has a dedicated Analytic Computing 
Environment (ACE3) for storing ONLY sensitive information such as PII 
and PHI. Only authorized personnel can access this environment through 
a Virtual Private Network (VPN). Authentication to the system is done 
via Active Directory and DUO multi-factor authentication. Users connect 
to the system via remote desktop sessions (RDS). ACE3 is FISMA and FIPS 
140-2 compliant.
    To ensure data privacy and security, the Abt Confirmit Horizons web 
survey platform that will be used for the CoC and RRH program web 
survey allows for tight control over sampling, respondent recruitment, 
and data acquisition while addressing both data security and 
confidentiality concerns. Confirmit invests considerable time updating 
the software to ensure it has the latest technologies to boost 
security, performance, and reliability. Respondents will access the RRH 
web survey through Abt's website, where they are protected by Abt's 
strict data security system. HTTPS is enforced for transmission of all 
Confirmit Horizons credentials by Abt at the user level. All user 
accounts are named users linked to individual email addresses except 
for a translation account with extremely limited rights that is 
provided by the software vendor. Strong password policies are enforced, 
including minimum length, mixed case, special characters, and a 
password expiry after a set number of days. A password history is also 
kept to prevent passwords from being continuously reused. Accounts are 
locked by the system after 5 consecutive failed login attempts. Upon 
entering the 7-digit PIN assigned by the software, the respondent moves 
to a non-public directory inaccessible through the internet.
    As data are entered, they are stored on a second non-public 
directory accessible only to the Abt system administrator. Partial 
responses are saved in this way. Once respondents finish the census and 
press the ``Submit'' button on the screen, the ID number used to access 
the survey becomes invalid and the instrument cannot be accessed again 
with that number. The SQL server databases that store respondent/
response data are behind the firewall and data can only be accessed 
through the Horizons application by our named users. No application 
users can access the database directly, the servers are only accessible 
by our database administrators. Confirmit surveys are stateless and 
session-less. No user identifiable information is required when 
transmitting information between page submissions. A combination of 
hidden form fields and system generated identifiers can identify a 
respondent and the correct state when moving from page to page. Pages 
use metadata code to prevent them from being cached, and no information 
is stored on a respondent's computer when the browser is closed.
    Abt takes every precaution to ensure that data collected on the 
internet remain both secure and confidential. All Abt data collection 
servers are housed in an AT&T Network Operations Center (NOC) with 
redundant power, expandable bandwidth, and a high level of physical 
security. All study staff are required to sign a confidentiality pledge 
stating that no data will be released to unauthorized personnel. In 
addition, all electronic data for the study are stored on the ACE3 
system (described above).
    Abt complies with the Privacy Act of 1974, Health Insurance 
Portability and Accountability Act of 1996 (HIPAA), and the E-
Government Act of 2002, including Title III: Federal Information 
Security Management Act (FISMA), which covers site security, security 
control documentation, access control, change management, incident 
response, and risk management. Abt has implemented full disk encryption 
(FIPS 140-2 compliant) software in its environment to protect the 
storage of data, as well as a file transfer application (also FIPS 140-
2 compliant), Huddle, for the secure, encrypted transmission of 
sensitive data such as PII and PHI to and from our clients and 
subcontractors. Huddle offers secure content collaboration to share 
data and is FedRAMP certified. Huddle encrypts data in-transit using 
TLS (128-bit or 256-bit encryption) and at rest with 256-bit AES.
    Abt has also implemented anti-malware software in its environment 
and update definitions daily on each workstation. For boundary 
protection, Abt has implemented Cisco ASA Firewalls.
    Hard copy notes and other materials that are collected as part of 
the ethnographic work in Task 8 will be securely stored in locked file 
cabinets when not in use.

RECORD ACCESS PROCEDURES:
    For information, assistance, or inquiry about records, contact 
Marcus Smallwood, Acting, Chief Privacy Officer 451 Seventh Street SW, 
Room 10139, Washington, DC 20410, telephone number (202) 708-3054. When 
seeking records about yourself from this system of records or any other 
Housing and Urban Development (HUD) system of records, your request 
must conform with the Privacy Act regulations set forth in 24 CFR part 
16. You must first verify your identity, meaning that you must provide 
your full name, address, and date and place of birth. You must sign 
your request, and your signature must either be notarized or submitted 
under 28 U.S.C. 1746, a law that permits statements to be made under 
penalty of perjury as a substitute for notarization. In addition, your 
request should:
    a. Explain why you believe HUD would have information on you.
    b. Identify which Office of HUD you believe has the records about 
you.
    c. Specify when you believe the records would have been created.

[[Page 61023]]

    d. Provide any other information that will help the Freedom of 
Information Act (FOIA), staff determine which HUD office may have 
responsive records.
    If your request is seeking records pertaining to another living 
individual, you must include a statement from that individual 
certifying their agreement for you to access their records. Without the 
above information, the HUD FOIA Office may not conduct an effective 
search, and your request may be denied due to lack of specificity or 
lack of compliance with regulations.

CONTESTING RECORD PROCEDURES:
    The Department's rules for contesting contents of records and 
appealing initial denials appear in 24 CFR part 16, Implementation of 
the Privacy Act of 1974. Additional assistance may be obtained by 
contacting Helen Goff Foster, Chief Privacy Officer, 451 Seventh Street 
SW, Room number 10139, Washington, DC 20410. Individuals desiring to 
contest records may also refer to the HUD Privacy Act Handbook 
available on the website: https://portal.hud.gov/hudportal/HUD?src=/program_offices/administration/hudclips/handbooks/admh/1325.1.

NOTIFICATION PROCEDURES:
    Individuals wishing to determine whether this system of records 
contains information about them may do so by contacting HUD's Privacy 
Office or Freedom of Information Act Office at the addresses above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None

HISTORY:
    Not applicable. This is a new SORN.

    Dated: December 11, 2017.
Helen Goff Foster
Senior Agency Official for Privacy.
[FR Doc. 2017-27767 Filed 12-22-17; 8:45 am]
 BILLING CODE 4210-67-P