[Federal Register Volume 84, Number 183 (Friday, September 20, 2019)]
[Notices]
[Pages 49540-49544]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-20423]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records

AGENCY: National Institutes of Health (NIH), Department of Health and 
Human Services (HHS).

ACTION: Notice of a Modified System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the Department of Health and Human Services is 
modifying a system of records maintained by the National Institutes of 
Health (NIH), 09-25-0225 ``NIH Electronic Research Administration (eRA) 
Records, HHS/NIH/OD/OER,'' to include a new routine use allowing NIH to 
disclose information to applicant organizations for the purpose of 
communicating with the applicants about matters related to agency award 
programs.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is 
applicable September 20, 2019, subject to a 30-day period in which to 
comment on the new routine use, described below. Please submit any 
comments by October 21, 2019.

ADDRESSES: The public should submit written comments on this notice, by 
mail or email, to Celeste Dade-Vinson, NIH Privacy Act Officer, Office 
of Management Assessment, National Institutes of Health, 6011 Executive 
Blvd., Suite 601, MSC 7669, Rockville, MD 20852, or [email protected]. Comments will be available for public viewing at the 
same location. To review comments in person, please contact Celeste 
Dade-Vinson at [email protected] or 301-402-6201.

FOR FURTHER INFORMATION CONTACT: General questions may be submitted to 
Celeste Dade-Vinson, NIH Privacy Act Officer, Office of Management 
Assessment (OMA), Office of the Director (OD), National Institutes of 
Health (NIH), 6011 Executive Blvd., Suite 601, MSC 7669, Rockville, MD 
20852, or telephone (301) 402-6201.

SUPPLEMENTARY INFORMATION: 

I. Background on the NIH Electronic Research Administration (eRA) 
Records System

    The system of records modified in this Notice, ``NIH Electronic 
Research Administration (eRA) Records, HHS/NIH/OD/OER'' (hereinafter 
referred to as the ``NIH eRA Records'' system), covers records used 
throughout the research and development award lifecycle, including pre-
award stages of application submission, scientific peer review, award 
processing, post-award monitoring, and close-out. Many of the records 
in the system contain information about more than one individual or 
type of individual (e.g., applicants, awardees, faculty members of 
applicant and awardee entities, application reviewers). By design, any 
of the records can be (and in practice are) retrieved using the name or 
other personal identifier of any of the individuals whose information 
is contained in the records, to the extent required to help ensure that 
award proceedings are carried out by the NIH in accordance with all 
applicable federal statutes and regulations.
    The eRA information technology (IT) system associated with this 
system of records is an HHS-designated Center of Excellence, and is 
used as a shared service provider by other federal agencies to manage 
their award records. Records pertaining to awards of other agencies in 
the eRA IT system are not covered under SORN 09-25-0225, but would be 
covered under SORN(s) those agencies publish, if their records require 
a SORN.

II. Explanation of Changes

    To facilitate award management and NIH communications with 
applicant organizations via authorized organization representative(s), 
applicant program director(s)/principal investigator(s), and other 
senior officials at applicant organizations, NIH is modifying this 
system of records by adding a new routine use, numbered as routine use 
5, to clarify that information may be shared with applicant 
organizations and persons. The new

[[Page 49541]]

routine use is compatible with the purposes for which PII is collected 
in the affected system of records. One express purpose of the system is 
``[t]o communicate matters to agency award programs with (1) applicant 
organizations, including associated systems or system providers . . .'' 
The new routine use would further that purpose and is consistent with 
the expectations of individuals named in grant applications.
    The breach response-related routine use which was previously 
numbered as routine use 5, and which was revised February 14, 2018 (see 
83 FR 6591), is now numbered as routine use 10; and a second breach 
response-related routine use which was added in that same notice on 
February 14, 2018 is now numbered as routine use 11.
    Unnecessary wording (``provided, however, that in each case, it has 
been determined that the disclosure is compatible with the purpose for 
which the records were collected'') has been removed from routine use 
2. The wording is redundant because a routine use is defined in the 
Privacy Act at 5 U.S.C. 552a(a)(7) as a disclosure for a purpose which 
is compatible with the purpose for which the record was collected.
    In the ``Purposes'' section, a note has been added to the last 
purpose description, to clarify that records in this system of records 
would be used to ``document'' inventions, patents, and utilization data 
to protect the government's right to patents made with NIH support, but 
that other systems of records would cover the records used to 
``manage'' invention and patent-related functions.
    The ``Exemptions'' section now omits wording indicating when the 
exemptions will become effective, because the exemptions were rendered 
effective by publication of a Final Rule on April 3, 2018 (see 83 FR 
14183). The ``Record Access Procedures,'' ``Contesting Record 
Procedures,'' and ``Notification Procedures'' sections, which stated 
that certain material ``will be'' exempt from access, amendment, and 
notification requirements now state that certain material ``is'' exempt 
from those requirements.
    In addition to these changes, the modified SORN includes formatting 
changes to comply with OMB Circular A-108.

    Dated: September 17, 2019.
Alfred C. Johnson,
Deputy Director for Management, NIH.

SYSTEM NAME AND NUMBER:
    Electronic Research Administration (eRA) Records, HHS/NIH/OD/OER, 
09-25-0225.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the agency component responsible for this system of 
records is as shown in the System Manager(s) section below.

SYSTEM MANAGER(S):
    Director, Office of Extramural Research (OER), Office of the 
Director (OD), National Institutes of Health (NIH), Building 1, Room 
144, 1 Center Drive, Bethesda, MD 20892, [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    42 U.S.C. secs. 217a, 241, 242, 248, 281, 282, 284, 284a, 285, 
285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285k, 285l, 285m, 
285n, 285o, 285p, 285q, 285r, 285s, 285t, 286, 287, 287b, 287c-21, 
287d, 288, 35 U.S.C. 200-212, 48 CFR Subpart 15.3 and 37 CFR 401.1-16.

PURPOSE(S) OF THE SYSTEM:
    The records about individuals covered by this system of records are 
used within the agency for these purposes:
    1. To support NIH award programs and related process, including (1) 
application preparation, receipt, referral, and assignment; (2) initial 
peer and council reviews; (3) award processing, funding, monitoring, 
and close-out; and (4) data querying, reporting, tracking, compliance, 
evaluation, audit, and communications.
    2. To track individual trainees who receive support from NIH 
through grants such as fellowship or career awards or who are supported 
through institutional training grant awards. Included are individuals 
in training for research and development supported in an investigator's 
laboratory which has an NIH-funded award (e.g., R01); these trainees 
are defined as ``closely associated trainees.''
    3. To communicate matters related to agency award programs with (1) 
applicant organizations, including associated systems or system 
providers; (2) applicant persons such as the authorized institutional 
representatives, principal investigator(s) or trainees; (3) peer 
reviewers; or (4) other entities such as Congress; federal departments 
or agencies, non-federal agencies or entities, or the general public.
    4. To monitor the operation of review and award processes to detect 
and deal appropriately with any instances of real or apparent 
inequities.
    5. To provide mandated and other requested reports to Congress and 
in compliance with statutory, regulatory, and policy requirements.
    6. To maintain communication with former fellows and trainees who 
have incurred a payback obligation through the National Research 
Service Award Program and other federal research training programs.
    7. To maintain official administrative files of agency-funded 
research programs.
    8. To manage research portfolios.
    9. To document inventions, patents, and utilization data to protect 
the government's right to patents made with NIH support. Note that 
records used to manage invention and patent-related functions are 
covered under a separate system of records.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records contained within this system pertain to the following 
categories of individuals:
    1. Applicants for or Awardees of biomedical and behavioral research 
and development, training, career development, or loan repayment grant 
awards; cooperative agreement awards; and research and development 
contract awards;
    2. Individuals who are named in applications, or awards; or 
individuals named on NIH intramural projects; e.g., program directors, 
key personnel, trainees, collaborators, consultants;
    3. Peer Reviewers who review and provide evaluative input to the 
government about particular applications, in records such as reviewer 
critiques, preliminary or final individual overall impact/priority 
scores, and/or assignment of peer reviewers to an application;
    4. Referees who, in association with a particular trainee 
application, supply a reference or letter of recommendation for an 
applicant;
    5. Individual awardees and sub-awardees who are required to report 
inventions, patents, and utilization of subject invention(s) associated 
with NIH awards; and
    6. Academic medical faculty, medical students and resident 
physicians (e.g., faculty of Association of American Medical Colleges 
of member institutions).

[[Page 49542]]

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system includes a variety of pre-award and award management 
records that contain information needed to process applications and 
manage grant awards across the award lifecycle. Listed below are the 
categories of individuals mentioned above, matched with pre-award and 
award management records collected about them.
    1. Applicants for or Awardees of awards--pre-award and award 
management (awardees) information;
    2. Individuals named in applications, or awards--pre-award and 
award management (awardees) information;
    3. Referees--pre-award information;
    4. Peer Reviewers--pre-award information;
    5. Individuals required to report inventions, etc.--award 
management information; and,
    6. Academic medical faculty, medical students and resident 
physicians--award management information.
    Pre-award information includes the (1) application and related 
materials, and (2) documents related to the composition and function of 
chartered advisory committees (i.e., rosters). A record may consist of 
name, institution address, professional degree, demographic 
information, education and employment records and identifiers used by 
eRA Commons (i.e., user name and an IMPAC II system-assigned, unique 
personal identification number).
    Award management information consists of materials submitted in 
support of an award such as (1) recommendation letters; (2) peer review 
related information such as application scores, reviewer critiques, 
summary statements and express promises of confidentiality of any 
information concerning applications, scores, or critiques; (3) 
financial information such as obligated award amounts and awardee 
financial reports; (4) financial conflict of interest records; (5) 
inventions, utilization data, patent applications, and patents; (6) 
publications or other scholarly products reported as associated with 
awards; (7) reports related to management of awards; and (8) records 
and reports related to data querying, reporting, tracking, compliance, 
evaluation, audit, and communications activities. For the academic 
medical faculty category, records are used to support special studies, 
including research and policy evaluations and to complete biomedical 
workforce statistical reports and include (1) faculty name, (2) 
employing institution and institutional address; (3) degree and year 
obtained; (4) demographic information; (5) field of study; (6) 
appointment information; and (7) employment history. For the purpose of 
peer review, the eRA system contains limited information on loan 
repayment applications (which are managed through a different System of 
Records, NIH SORN 09-25-0165, Division of Loan Repayment Records) and 
research and development contract award information for purposes of 
complying with statutory requirements related to research and 
development awards at NIH such as reporting on the inclusion of 
minorities, women, and children in clinical research; obtaining 
approval for foreign grant components from the Department of State; and 
to satisfy research conditions, and disease categorization reporting 
requirements.

RECORD SOURCE CATEGORIES:
    Information in records retrieved by a particular individual's 
identifier will be obtained directly from that individual or from other 
individuals and entities named in, contacted about, or involved in 
processing the records, including applicant institutions; NIH and 
customer agency acquisition personnel; educational, trainee and awardee 
institutions; and third parties that provide references or 
recommendations concerning the subject individual.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Records about an individual may be disclosed from this system of 
records to the following parties outside HHS, without the individual's 
prior written consent, for the following purposes:
    1. To a congressional office from the record of an individual in 
response to a written inquiry from the congressional office made at the 
written request of the individual.
    2. To the Department of Justice (DOJ) or to a court or other 
adjudicative body when:
--HHS or any component thereof or participating agencies; or
--any employee of HHS or participating agencies in the employee's 
official capacity; or
--any employee of HHS in the employee's individual capacity where the 
DOJ, HHS, or the participating agency has agreed to represent the 
employee; or
--The United States,

is a party to litigation or has a direct and substantial interest in 
the proceedings and the disclosure of such records is deemed by the 
agency to be relevant and necessary to the proceedings.
    3. When a record on its face, or in combination with other records, 
indicates a violation or potential violation of law, whether civil, 
criminal or regulatory in nature, and whether arising by general 
statute or particular program statute, or by regulation, rule, or order 
issued pursuant thereto, disclosure may be made to the appropriate 
public authority, whether federal, foreign, state, local, tribal, or 
otherwise responsible for enforcing, investigating, or prosecuting the 
violation or charged with enforcing or implementing the statute, rule, 
regulation, or order issued pursuant thereto, if the information 
disclosed is relevant to the enforcement, regulatory, investigative, or 
prosecutorial responsibility of the receiving entity.
    4. To appropriate federal agencies and HHS contractors, grantees, 
consultants, or volunteers who have been engaged by HHS to assist in 
the accomplishment of an HHS function relating to the purposes of this 
system of records and that need to have access to the records in order 
to assist HHS in performing the activity. Any contractor will be 
required to comply with the Privacy Act of 1974, as amended.
    5. To applicant organizations, via authorized organization 
representative(s), applicant program director(s)/principal 
investigator(s), and other senior officials at applicant organizations 
(including but not limited to deans, presidents, vice presidents, 
research integrity officers, and compliance officials), to communicate 
matters related to agency award programs. Only matters that are 
relevant to a particular applicant organization would be communicated 
to that organization.
    6. To a party for a research purpose when NIH: (A) Has determined 
that the use or disclosure does not violate legal or policy limitations 
under which the record was provided, collected, or obtained; (B) has 
determined that the research purpose (1) cannot be reasonably 
accomplished unless the record is provided in individually identifiable 
form, and (2) warrants the risk to the privacy of the individual; (C) 
has required the recipient to (1) establish reasonable administrative, 
technical, and physical safeguards to prevent unauthorized use or 
disclosure of the record, (2) remove or destroy the information that 
identifies the individual at the earliest time at which removal or 
destruction can be accomplished consistent with the purpose of the 
research project, unless the recipient has presented adequate 
justification of the research, and (3) makes no further use or 
disclosure of the record except when required by law, and reports 
results of the research in de-identified or aggregate form; and (D) has 
secured a written statement attesting to

[[Page 49543]]

the recipient's understanding of and willingness to abide by these 
provisions (i.e., signed data access agreement for system data) in 
which the data may relate to reports of the composition of biomedical 
and/or research and development workforce; authors of publications 
attributable to federally-funded awards; information made available 
through third-party systems as permitted by applicants or awardees for 
agency awards; information related to agency research integrity 
investigations; or award payment information reported to federal 
databases.
    7. A record from this system may be disclosed to a federal, 
foreign, state, local, tribal or other public authority of the fact 
that this system of records contains information relevant to the hiring 
or retention of an employee, the issuance or retention of a security 
clearance, the letting of a contract, or the issuance or retention of a 
license, grant or other benefit. The other agency or licensing 
organization may then make a request supported by the written consent 
of the individual for further information if it so chooses. HHS will 
not make an initial disclosure unless the information has been 
determined to be sufficiently reliable to support a referral to another 
office within the agency or to another federal agency for criminal, 
civil, administrative, personnel, or regulatory action.
    8. To qualified experts not within the definition of agency 
employees as prescribed in agency regulations or policies to obtain 
their opinions on applications for grants, CRADAs, inventions, or other 
awards as a part of the peer review process.
    9. To the National Archives and Records Administration (NARA), 
General Services Administration (GSA), or other federal government 
agencies pursuant to records management inspections conducted under the 
authority of 44 U.S.C. secs. 2904 and 2906.
    10. To appropriate agencies, entities, and persons when (1) HHS 
suspects or has confirmed that there has been a breach of the system of 
records; (2) HHS has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, HHS (including 
its information systems, programs, and operations), the federal 
government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with HHS's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm
    11. To another federal agency or federal entity, when HHS 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the federal government, or national security, resulting from a 
suspected or confirmed breach.
    NIH may also disclose information about an individual, without the 
individuals' prior written consent, from this system of records to 
parties outside HHS for any of the purposes authorized directly in the 
Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)-(11).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored in various electronic media and paper form, and 
maintained under secure conditions in areas with limited and/or 
controlled access. Only authorized users whose official duties require 
the use of this information will have regular access to the records in 
this system. In accordance with established NIH, HHS and other federal 
security requirements, policies, and controls, records may also be 
located, maintained and accessed from secure servers wherever feasible 
or located on approved portable/mobile devices designed to hold any 
kind of digital data including, but not limited to laptops, tablets, 
PDAs, USB drives, media cards, portable hard drives, smartphones, 
optical storage (CDs and DVDs), and/or other mobile storage devices. 
Records are stored on portable/mobile storage devices only for valid 
business purposes and with prior approval.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by the name or other personal identifier 
(e.g., Commons user ID) of a subject individual.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are retained and disposed of in accordance with the NIH 
Records Control Schedule contained in NIH Manual Chapter 1743, 
``Keeping and Destroying Records,'' which provides these disposition 
periods:
     Item E-0001 (DAA-0443-2013-0004-0001)--Official case files 
of construction, renovation, endowment and similar grants.
    Disposition: Temporary. Cut off annually following completion of 
final grant-related activity that represents closing of the case file 
(e.g., project period ended). Destroy 20 years after cut-off;
     Item E-0002 (DAA-0443-2013-0004-0002)--Official case files 
of funded grants, unfunded grants, and award applications, appeals and 
litigation records.
    Disposition: Temporary. Cut off annually following completion of 
final grant-related activity that represents closing of the case file 
(e.g., end of project period, completed final peer review, litigation 
or appeal proceeding concluded). Destroy 10 years after cut-off;
     Item E-0003 (DAA-0443-2013-0004-0003)--Animal welfare 
assurance files.
    Disposition: Temporary. Cut off annually following closing of the 
case file. Destroy 4 years after cut-off; and,
     Item E-0004 (DAA-0443-2013-0004-0004)--Extramural program 
and grants management oversight records.
    Disposition: Temporary. Cut off annually. Destroy 3 years after 
cut-off.
    Refer to the NIH Manual Chapter for specific retention and 
disposition instructions: http://www1.od.nih.gov/oma/manualchapters/management/1743.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Measures to prevent unauthorized disclosures are implemented as 
appropriate for each location or form of storage and for the types of 
records maintained. Safeguards conform to the HHS Information Security 
and Privacy Program, http://www.hhs.gov/ocio/securityprivacy/index.html. Site(s) implement personnel and procedural safeguards such 
as the following:
    Administrative Safeguards:
    Controls to ensure proper protection of information and information 
technology systems include, but are not limited to, the completion of a 
Security Assessment and Authorization (SA&A) package and a Privacy 
Impact Assessment (PIA) and mandatory completion of annual NIH 
Information Security and Privacy Awareness training or comparable 
specific in-kind training offered by participating agencies that has 
been reviewed and accepted by the NIH eRA Information Systems Security 
Officer (ISSO). The SA&A package consists of a Security Categorization, 
e-Authentication Risk Assessment, System Security Plan, evidence of 
Security Control Testing, Plan of Action and Milestones, Contingency 
Plan, and evidence of Contingency Plan Testing. When the design, 
development, or operation of a system of records on individuals is

[[Page 49544]]

required to accomplish an agency function, the applicable Privacy Act 
Federal Acquisition Regulation (FAR) clauses are inserted in 
solicitations and contracts.
    Technical Safeguards:
    Controls executed by the computer system are employed to minimize 
the possibility of unauthorized access, use, or dissemination of the 
data in the system. They include, but are not limited to, user 
identification, password protection, firewalls, virtual private 
network, encryption, intrusion detection system, common access cards, 
smart cards and public key infrastructure.
    Physical Safeguards:
    Controls to secure the data and protect paper and electronic 
records, buildings, and related infrastructure against threats 
associated with their physical environment include, but are not limited 
to, the use of the HHS Employee ID and/or badge number and NIH key 
cards, security guards, cipher locks, and closed-circuit TV. Paper 
records are secured under conditions that require at least two locks to 
access, such as in locked file cabinets that are contained in locked 
offices or facilities. Electronic media are kept on secure servers or 
computer systems.

RECORD ACCESS PROCEDURES:
    Certain material is exempt from access; however, consideration will 
be given to all access requests addressed to the System Manager. To 
request access to a record about you, write to the System Manager 
identified above, and provide the information described under 
``Notification Procedure''. Individuals may also request an accounting 
of disclosures that have been made of their records, if any.

CONTESTING RECORD PROCEDURES:
    Certain material is exempt from amendment; however, consideration 
will be given to all amendment requests addressed to the System 
Manager. To contest information in a record about you, write to the 
System Manager identified above, reasonably identify the record and 
specify the information being contested, state the corrective action 
sought and the reason(s) for requesting the correction, and provide 
supporting information. The right to contest records is limited to 
information that is factually inaccurate, incomplete, irrelevant, or 
untimely (obsolete).

NOTIFICATION PROCEDURES:
    Certain material is exempt from notification; however, 
consideration will be given to all notification requests addressed to 
the System Manager. Any individual who wants to know whether this 
system of records contains a record about him or her must make a 
written request to the System Manager identified above. The requester 
should provide either a notarization of the request or a written 
certification that the requester is who he or she claims to be and 
understands that the knowing and willful request of a record pertaining 
to an individual under false pretenses is a criminal offense under the 
Privacy Act, subject to a five thousand dollar fine. The request should 
include the requester's full name and address, and should also include 
the following information, if known: The approximate date(s) the 
information was collected, the type(s) of information collected, and 
the office(s) or official(s) responsible for the collection of 
information.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    Pursuant to 5 U.S.C. 552a(k)(5), the following subset of records in 
this system of records qualifies as investigatory material compiled 
solely for the purpose of determining suitability, eligibility, or 
qualifications for federal contracts, and is exempt from the Privacy 
Act requirements pertaining to providing an accounting of disclosures, 
access and amendment, notification, and agency procedures and rules (5 
U.S.C. 552a (c)(3), and (d)(1)-(4)):
    Material that would inappropriately reveal the identities of 
referees who provide letters of recommendation and peer reviewers who 
provide written evaluative input and recommendations to NIH about 
particular funding applications under an express promise by the 
government that their identities in association with the written work 
products they authored and provided to the government will be kept 
confidential; this includes only material that would reveal a 
particular referee or peer reviewer as the author of a specific work 
product (e.g., reference or recommendation letters, reviewer critiques, 
preliminary or final individual overall impact/priority scores, and/or 
assignment of peer reviewers to an application and other evaluative 
materials and data compiled by NIH/OER); it includes not only an 
author's name but any content that could enable the author to be 
identified from context.
    To the extent that records in System No. 09-25-0225 are retrieved 
by personal identifiers for individuals other than referees and peer 
reviewers (for example, individual funding applicants, and other 
individuals who are the subject of assessment or evaluation), the 
exemptions enable the agency to prevent, when appropriate, those 
individual record subjects from having access to, and other rights 
under the Privacy Act with respect to, the above-described confidential 
source-identifying material in the records.

HISTORY:
    81 FR 88690 (Dec. 8, 2016), 83 FR 6591 (Feb.14, 2018).

[FR Doc. 2019-20423 Filed 9-19-19; 8:45 am]
 BILLING CODE 4150-28-P