[Federal Register Volume 83, Number 51 (Thursday, March 15, 2018)]
[Notices]
[Pages 11489-11492]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-05280]
-----------------------------------------------------------------------
DEPARTMENT OF AGRICULTURE
[Docket No. FSIS-2015-0015]
Privacy Act of 1974; New System of Records
AGENCY: Food Safety and Inspection Service, U.S. Department of
Agriculture.
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act of 1974, as amended, the
Department of Agriculture (USDA) proposes a new Food Safety and
Inspection Service (FSIS) system of records entitled: USDA/FSIS-0004,
Public Health Information System (PHIS). PHIS is a Web-based system
that collects information generated from FSIS inspection, compliance
verification, notification and monitoring activities regarding the
slaughter, processing, import and export of meat, and poultry and egg
products. Within PHIS, FSIS maintains contact and other identifying
information about employees and contractors of USDA, government
officials, representatives of regulated establishments, and third
parties.
DATES: Applicable date: April 16, 2018. Written comments must be
received on or before the above date. The proposed system will be
adopted on the above date, without further notice, unless it is
modified in response to comments, in which case the notice will be re-
published.
ADDRESSES: Send written comments to: Docket Clerk, FSIS, Patriots Plaza
3, 355 E Street SW, Mailstop 3782, Room 8-163B, Washington, DC 20250-
3700 or fax to (202) 245-4793. Comments may also be posted on: https://www.regulations.gov/. All comments must include the Agency's name and
docket number, FSIS-2015-0015, and will be publicly posted, including
any personal information submitted, on https://www.regulations.gov.
Docket: To obtain a copy of, or to view, the docket, visit FSIS Docket
Room, Patriots Plaza 3, 355 E Street SW, Room 164-A, Washington, DC
20250-3700, 8:00 a.m. to 4:30 p.m., Monday to Friday.
FOR FURTHER INFORMATION CONTACT: Roberta Wagner, Assistant
Administrator, Office of Policy and Program Development (OPPD), FSIS,
Room 350-E, Jamie Whitten Building, 1400 Independence Ave. SW,
Washington, DC 20250, or Neal Westgerdes, PHIS System Owner/Manager,
OPPD, FSIS, Room 2925-South, 1400 Independence Ave. SW Washington, DC
20250, (202) 205-4233.
For Privacy Questions: Marj Leaming, USDA Privacy Officer, Policy,
E-Government and Fair Information Practices, Office of the Chief
Information Officer, USDA, 1400 Independence Ave. SW, Room 450-W,
Washington, DC 20250; telephone 202-205-0926.
SUPPLEMENTARY INFORMATION: The Privacy Act requires agencies to publish
in the Federal Register (FR) a notice of any new or revised system of
records. A ``system of records'' is a group of any records under the
control of an agency from which information is retrievable by the name
of the individual or by some unique identifier assigned to the
individual. USDA is proposing to establish a new system of records,
entitled USDA/FSIS-04, Public Health Information System (PHIS). The
primary purpose of PHIS is to collect information gathered by USDA
Personnel from their inspection, compliance verification and
notification activities at regulated establishments, and to assess data
entered by Business Personnel. PHIS enhances USDA's ability to predict
hazards and vulnerabilities in the food supply and thus prevent or
mitigate food safety-related threats to the public health in a timely
manner. Additionally, in regard to imports and exports, PHIS provides
USDA and other domestic and foreign regulatory authorities with
information to monitor the movement of meat, poultry and egg products
in advance of a shipment's arrival.
USDA grants PHIS access to and collect information from the
following user groups: (1) Employees and contractors of USDA (``USDA
Personnel''); (2) government officials (domestic and foreign) (``Other
Government Officials''); and (3) representatives of the regulated
establishments and businesses, such as importers and exporters of food
products, who require access to PHIS (``Business Personnel''). PHIS
collects from all three user groups basic identifying contact
information. The system also collects identifying information about
individuals who are not PHIS users, but whose names may appear in
records entered by a user, for contact purposes.
PHIS obtains and stores the identifying information for USDA
Personnel, including: the user's and supervisor's full names, titles,
duty stations, business contact information, assigned PHIS role(s), and
USDA eAuthentication numbers. This information is used for contacting
personnel, shipping documents and supplies, inspection assignment
scheduling and for security and access control purposes. In addition to
this basic identifying contact information, the system receives
employee profile information for USDA Personnel from the National
Finance Center, including, but not limited to: Social security numbers
(stored in masked formats); hire dates; organizational level; pay plan;
and locality and pay code. This employee profile data are used to
verify USDA Personnel employment status.
For Other Government Officials and Business Personnel, the system
collects information including the name and title of the user, business
contact information, and PHIS roles and USDA eAuthentication
information. From Business Personnel, it collects the user's entity
name and associated business or tax identification numbers, as
applicable. Only basic contact information is collected about
individuals who are not PHIS users, but whose names appear in records
entered by a user.
USDA Personnel enter records in connection with their inspection,
compliance verification, and notification activities at regulated
establishments. The records entered by Other Government Officials
include documents concerning the equivalence of foreign inspection
systems, documents concerning State program inspection verification and
activities, responses to USDA decisions, and requests for information
from USDA. Business Personnel enter records in connection with, or in
response to, USDA Personnel's activities and decisions, and requests
for services from USDA. Examples include records supporting compliance
with FSIS regulations, such as applications for
[[Page 11490]]
export certificates and Meat and Poultry Export Certificate of
Wholesomeness, as well as appeals of USDA compliance decisions
regarding regulated establishments and products.
A Privacy Impact Assessment is posted on https://www.usda.gov/wps/portal/usda/usdahome?navid=PRIVACY_POLICY_ES.
No Privacy Act exemption is claimed.
In accordance with the Privacy Act, as implemented by the Office of
Management and Budget (OMB) Circular A-108, USDA has provided a report
of this proposed new system of records to the Chair of the Committee on
Homeland Security and Governmental Affairs, United States Senate; the
Chair of the Committee on Oversight and Government Reform, House of
Representatives; and the Administrator of the Office of Information and
Regulatory Affairs, OMB.
Done in Washington, DC, March 12, 2018.
Paul Kiecker,
Acting Administrator.
SYSTEM NAME AND NUMBER
Public Health Information System (PHIS), USDA/FSIS-04.
Security Classification:
Unclassified.
System Location:
USDA National Information Technology Center (NITC), 8930 Ward
Parkway, Kansas City, MO, 64114, and NITC, 4300 Goodfellow Blvd., St.
Louis, MO 63120.
System Manager:
PHIS System Owner, Office of Policy and Program Development Food
Safety and Inspection Service, USDA, Room 2925-South, 1400 Independence
Ave. SW, Washington, DC 20250. (202) 205-4233.
Authority for Maintenance of the System:
Poultry Products Inspection Act (21 U.S.C. 451 et seq.); Federal
Meat Inspection Act (21 U.S.C. 601 et seq.); Egg Products Inspection
Act (21 U.S.C. 1031 et seq.); Humane Methods of Livestock Slaughter Act
of 1978 (7 U.S.C. 1901-1906); Authority to Operate (ATO), dated 03/23/
2017.
Purpose of the System:
The primary role of this Web-based electronic system is to assist
FSIS in accomplishing its food safety mission of conducting inspections
and compliance verification activities at regulated establishments to
confirm that meat, poultry and egg products are safe, wholesome, not
adulterated, and correctly labeled, packaged and distributed.
Supplementary purposes include the verification of product eligibility
for moving in and out of the United States.
PHIS maintains FSIS inspection, compliance verification and
sampling program results and business profile information. PHIS also
maintains data about State and foreign food safety programs. PHIS
maintains information about individuals: to allow users access to the
system; to schedule and assess inspection and compliance verification
activities; to track requests for USDA services; and to allow responses
to appeal of USDA Personnel's decisions.
Categories of Individuals Covered by the System:
All individuals granted access to the PHIS are covered: (1)
Employees and contractors of USDA (``USDA Personnel''); (2) government
officials (domestic and foreign) (``Other Government Officials''); and
(3) representatives of the regulated establishments and businesses,
such as importers and exporters of food products, who require access to
PHIS (``Business Personnel''). All individuals, even if they are not
users of the PHIS, who are mentioned or referenced in any documents
entered into PHIS by a user are also covered. This group may include,
but is not limited to: Plant workers, vendors, agents, and
interviewees.
Categories of Records in the System:
PHIS obtains and stores identifying information for the three
categories of individuals as follows:
For USDA Personnel, PHIS stores the user's and supervisor's full
names, titles, duty stations, business contact information, assigned
PHIS role(s) and eAuthentication numbers. This information is used for
contacting personnel, shipping documents and supplies, inspection
assignment scheduling and for security and access control purposes. In
addition to this basic identifying contact information, the system
receives employee profile information for USDA Personnel from the
National Finance Center, including, but not limited to: Social security
numbers (stored in masked formats); hire dates; organizational level;
pay plan; and locality and pay code. This employee profile data is used
to verify USDA Personnel employment status.
For Other Government Officials and Business Personnel, the system
collects information including the name and title of the user, business
contact information, PHIS roles and e-Authentication information. From
Business Personnel, it also collects the user's entity name and
associated business or tax identification numbers, as applicable. Only
basic contact information is collected about individuals who are not
PHIS users, but whose names appear in records entered by a user.
Records Source Categories:
Basic identifying contact information of all user groups (USDA
Personnel, Other Government Officials and Business Personnel) is
obtained directly from the user. In addition, employment verification
information about USDA Personnel is obtained from the NFC through a
secure data feed.
Records entered by USDA Personnel or Other Government Officials in
connection with their official duties are obtained directly from them.
Business Personnel records, including appeals, requests for
services and requests for grants of inspection or updates to their
entities' business profiles, are entered into PHIS directly by Business
Personnel or are given in paper form to USDA Personnel for input into
PHIS on behalf of the Business Personnel. Business records can also be
obtained from a foreign country's Central Competent Authority
(``CCA'').
USDA Personnel can also obtain some types of information about the
other groups of users from USDA's electronic interface with other
Federal agencies involved in tracking cross-border movement of the
regulated establishments' products, including but not limited to the
U.S. Customs and Border Protection Automated Commercial Environment
(ACE). Business records from foreign countries are obtained from the
respective foreign officials and typically, the CCA assigned the
responsibility for maintaining a country's food safety systems reports
in PHIS. Information about third parties referenced in the records
entered by a user is obtained directly from the user entering or
modifying the record.
Routine Uses of Records Maintained in the System, Including Categories
of Users and the Purposes of Such Uses:
In addition to those disclosures generally permitted under 5 U.S.C.
552a(b) of the Privacy Act of 1974, all or a portion of the records or
information contained in this system may be disclosed outside of USDA
as a routine use under 5 U.S.C. 552a(b)(3), as follows:
1. To the U.S. Department of Justice (DOJ) or other Federal agency
conducting litigation or in proceedings before any court, adjudicative
or administrative body, when it is
[[Page 11491]]
necessary for the litigation and one of the following is a party to the
litigation or has an interest in the litigation:
a. USDA or any component thereof;
b. Any employee of USDA in his/her official capacity;
c. Any employee of USDA in his/her individual capacity where DOJ or
USDA has agreed to represent the employee; or
d. The United States or any agency thereof and if the USDA
determines that the records are both relevant and necessary to the
litigation and the use of such records is compatible with the purpose
for which USDA collected the records.
2. To a Congressional office from the record of an individual in
response to an inquiry from that Congressional office made at the
written request of the individual to whom the record pertains.
3. To the National Archives and Records Administration (NARA) or
other Federal government agencies pursuant to records management
inspections being conducted under the authority of 44 U.S.C. 2904 and
2906.
4. To an agency, organization, or individual for the purpose of
performing audit or oversight operations as authorized by law, but only
such information as is necessary and relevant to such audit or
oversight function. This would include, but not be limited to, the
Comptroller General or any of his authorized representatives in the
course of the performance of the duties of the Government
Accountability Office, or USDA's Office of the Inspector General or any
authorized representatives of that office.
5. To appropriate agencies, entities, and persons when:
a. USDA suspects or has confirmed that there has been a breach of
the system of records;
b. USDA has determined that as a result of the suspected or
confirmed breach, there is a risk of harm to individuals, USDA
(including its information systems, programs, and operations), the
Federal Government, or national security; and
c. the disclosure made to such agencies, entities, and persons is
reasonably necessary to assist in connection with USDA's efforts to
respond to the suspected or confirmed breach or to prevent, minimize,
or remedy such harm; and
6. To contractors and their agents, grantees, experts, consultants,
and others performing or working on a contract, service, grant,
cooperative agreement, or other assignment for USDA, when necessary to
accomplish an agency function related to this system of records.
Individuals who provided information under this routine use are subject
to the same Privacy Act requirements and limitations on disclosure as
are applicable to USDA officers and employees.
7. To an appropriate Federal, State, tribal, local, international,
or foreign law enforcement agency or other appropriate authority
charged with investigating or prosecuting a violation or enforcing or
implementing a law, rule, regulation, or order, where a record, either
on its face or in conjunction with other information, indicates a
violation or potential violation of law, which includes criminal,
civil, or regulatory violations, and such disclosure is proper and
consistent with the official duties of the person making the
disclosure.
8. To an appropriate Federal, State, tribal, local, international,
or foreign law enforcement agency or appropriate authority responsible
for protecting public health, preventing or monitoring disease or
illness outbreaks, or ensuring the safety of the food supply. This
includes the Department of Health and Human Services and its agencies,
including the Centers for Disease Control and Prevention and the Food
and Drug Administration, other Federal agencies, and State, tribal, and
local health departments.
9. To another federal agency or federal entity when USDA determines
that information from this system of records is reasonably necessary to
assist the recipient agency or entity in (1) responding to a suspected
or confirmed breach or (2) preventing, minimizing, or remedying the
risk of harm to individuals, the recipient agency or entity (including
its information systems, programs and operations), the federal
government or national security, resulting from a suspected or
confirmed breach.
Policies and Practices for Storage of Records:
The system includes a database, electronic documents and paper
records. The storage for the database records is a dedicated virtual
server located in the USDA NITC facility in Kansas City, MO. Duplicate
records are maintained at the USDA NITC facility in St. Louis, MO. The
primary storage for the electronic documents is a records management
system managed and hosted by USDA at their Enterprise Data Centers.
Paper records are maintained in the USDA offices where they were
created. Records backup storage is maintained by NITC Personnel in a
virtual tape library at the USDA NITC facility in Kansas City, MO.
Copies of the backup records are maintained at the USDA NITC facility
in St. Louis, MO. Each USDA laboratory stores data in the local
internal storage on each server. Paper records from establishments that
do not wish to use the Web-based PHIS, and communication records, such
as PHIS-related emails, are stored in a dedicated, secured location at
FSIS field offices to which USDA Personnel are assigned.
Policies and Practices for Retrieval of Records:
Retrieval is by user profile object information, which is created
during the user authorization process and includes the following data
elements: User identification, role, permission, organization
identification, and assigned place of work. Information can also be
retrieved by a unique eAuthentication identification number assigned to
all users.
Policies and Practices for Retention and Disposal of Records:
A master file backup is created at the end of the calendar year and
maintained in St. Louis, MO. The St. Louis offsite storage site is
located approximately 250 miles from the primary data facility and is
not susceptible to the same hazards.
Administrative, Technical, and Physical Safeguards:
Records in this system are safeguarded by restricting
accessibility, in accordance with USDA security and access policies.
The safeguarding includes: Firewall(s), network protection, and an
encrypted password. All users are assigned a level of role-based
access, which is strictly controlled and granted through USDA-approved,
secure application (Level 2 eAuthentication) after the user
successfully completes Government National Agency Check with Inquiries
(NACI). Controls are in place to preclude anonymous usage and browsing.
Records Access Procedures:
Any individual may request a copy of records in PHIS by submitting
a written request, with reasonable specificity, to FSIS Freedom of
Information Act (FOIA) Office at: 1400 Independence Ave. SW, Room 2168-
South, Mail Stop No. 3713, Washington, DC 20250. Under the Privacy Act
(PA), 5 U.S.C. 552a, an individual United States citizen or legal
permanent resident may seek access to records that are retrieved by
his/her own name or other personal identifier, such as social security
number or employee identification number. Such records will be made
available unless they fall within the exemptions of the PA and the
FOIA. Your Privacy Act request for records must be in writing and
addressed to the FOIA office. For
[[Page 11492]]
more information about how to make a FOIA or a Privacy Act request to
obtain records, please see: http://www.fsis.usda.gov/wps/portal/footer/policies-and-links/freedom-of-information-act/foia-requests
An individual United States citizen or legal permanent resident may
also seek to correct or to amend his or her own records in PHIS that
are retrieved by name or other personal identifier, such as one's
social security number (SSN) or employee number. Such Privacy Act
requests for correction or amendment will be processed in accordance
with applicable legal requirements and exemptions under the governing
regulations and statutes such as the FOIA, 5 U.S.C. 552, the PA, 5
U.S.C. 552a, and 7 CFR part 1, subpart G.
Contesting Records Procedures:
See ``Records Access Procedures'' above.
Notification Procedures:
See ``Records Access Procedures'' above.
Exemptions Promulgated for the System:
None.
[FR Doc. 2018-05280 Filed 3-14-18; 8:45 am]
BILLING CODE 3410-DM-P