[Federal Register Volume 84, Number 183 (Friday, September 20, 2019)] [Notices] [Pages 49540-49544] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2019-20423] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Privacy Act of 1974; System of Records AGENCY: National Institutes of Health (NIH), Department of Health and Human Services (HHS). ACTION: Notice of a Modified System of Records. ----------------------------------------------------------------------- SUMMARY: In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services is modifying a system of records maintained by the National Institutes of Health (NIH), 09-25-0225 ``NIH Electronic Research Administration (eRA) Records, HHS/NIH/OD/OER,'' to include a new routine use allowing NIH to disclose information to applicant organizations for the purpose of communicating with the applicants about matters related to agency award programs. DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable September 20, 2019, subject to a 30-day period in which to comment on the new routine use, described below. Please submit any comments by October 21, 2019. ADDRESSES: The public should submit written comments on this notice, by mail or email, to Celeste Dade-Vinson, NIH Privacy Act Officer, Office of Management Assessment, National Institutes of Health, 6011 Executive Blvd., Suite 601, MSC 7669, Rockville, MD 20852, or [email protected]. Comments will be available for public viewing at the same location. To review comments in person, please contact Celeste Dade-Vinson at [email protected] or 301-402-6201. FOR FURTHER INFORMATION CONTACT: General questions may be submitted to Celeste Dade-Vinson, NIH Privacy Act Officer, Office of Management Assessment (OMA), Office of the Director (OD), National Institutes of Health (NIH), 6011 Executive Blvd., Suite 601, MSC 7669, Rockville, MD 20852, or telephone (301) 402-6201. SUPPLEMENTARY INFORMATION: I. Background on the NIH Electronic Research Administration (eRA) Records System The system of records modified in this Notice, ``NIH Electronic Research Administration (eRA) Records, HHS/NIH/OD/OER'' (hereinafter referred to as the ``NIH eRA Records'' system), covers records used throughout the research and development award lifecycle, including pre- award stages of application submission, scientific peer review, award processing, post-award monitoring, and close-out. Many of the records in the system contain information about more than one individual or type of individual (e.g., applicants, awardees, faculty members of applicant and awardee entities, application reviewers). By design, any of the records can be (and in practice are) retrieved using the name or other personal identifier of any of the individuals whose information is contained in the records, to the extent required to help ensure that award proceedings are carried out by the NIH in accordance with all applicable federal statutes and regulations. The eRA information technology (IT) system associated with this system of records is an HHS-designated Center of Excellence, and is used as a shared service provider by other federal agencies to manage their award records. Records pertaining to awards of other agencies in the eRA IT system are not covered under SORN 09-25-0225, but would be covered under SORN(s) those agencies publish, if their records require a SORN. II. Explanation of Changes To facilitate award management and NIH communications with applicant organizations via authorized organization representative(s), applicant program director(s)/principal investigator(s), and other senior officials at applicant organizations, NIH is modifying this system of records by adding a new routine use, numbered as routine use 5, to clarify that information may be shared with applicant organizations and persons. The new [[Page 49541]] routine use is compatible with the purposes for which PII is collected in the affected system of records. One express purpose of the system is ``[t]o communicate matters to agency award programs with (1) applicant organizations, including associated systems or system providers . . .'' The new routine use would further that purpose and is consistent with the expectations of individuals named in grant applications. The breach response-related routine use which was previously numbered as routine use 5, and which was revised February 14, 2018 (see 83 FR 6591), is now numbered as routine use 10; and a second breach response-related routine use which was added in that same notice on February 14, 2018 is now numbered as routine use 11. Unnecessary wording (``provided, however, that in each case, it has been determined that the disclosure is compatible with the purpose for which the records were collected'') has been removed from routine use 2. The wording is redundant because a routine use is defined in the Privacy Act at 5 U.S.C. 552a(a)(7) as a disclosure for a purpose which is compatible with the purpose for which the record was collected. In the ``Purposes'' section, a note has been added to the last purpose description, to clarify that records in this system of records would be used to ``document'' inventions, patents, and utilization data to protect the government's right to patents made with NIH support, but that other systems of records would cover the records used to ``manage'' invention and patent-related functions. The ``Exemptions'' section now omits wording indicating when the exemptions will become effective, because the exemptions were rendered effective by publication of a Final Rule on April 3, 2018 (see 83 FR 14183). The ``Record Access Procedures,'' ``Contesting Record Procedures,'' and ``Notification Procedures'' sections, which stated that certain material ``will be'' exempt from access, amendment, and notification requirements now state that certain material ``is'' exempt from those requirements. In addition to these changes, the modified SORN includes formatting changes to comply with OMB Circular A-108. Dated: September 17, 2019. Alfred C. Johnson, Deputy Director for Management, NIH. SYSTEM NAME AND NUMBER: Electronic Research Administration (eRA) Records, HHS/NIH/OD/OER, 09-25-0225. SECURITY CLASSIFICATION: Unclassified. SYSTEM LOCATION: The address of the agency component responsible for this system of records is as shown in the System Manager(s) section below. SYSTEM MANAGER(S): Director, Office of Extramural Research (OER), Office of the Director (OD), National Institutes of Health (NIH), Building 1, Room 144, 1 Center Drive, Bethesda, MD 20892, [email protected]. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 42 U.S.C. secs. 217a, 241, 242, 248, 281, 282, 284, 284a, 285, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285k, 285l, 285m, 285n, 285o, 285p, 285q, 285r, 285s, 285t, 286, 287, 287b, 287c-21, 287d, 288, 35 U.S.C. 200-212, 48 CFR Subpart 15.3 and 37 CFR 401.1-16. PURPOSE(S) OF THE SYSTEM: The records about individuals covered by this system of records are used within the agency for these purposes: 1. To support NIH award programs and related process, including (1) application preparation, receipt, referral, and assignment; (2) initial peer and council reviews; (3) award processing, funding, monitoring, and close-out; and (4) data querying, reporting, tracking, compliance, evaluation, audit, and communications. 2. To track individual trainees who receive support from NIH through grants such as fellowship or career awards or who are supported through institutional training grant awards. Included are individuals in training for research and development supported in an investigator's laboratory which has an NIH-funded award (e.g., R01); these trainees are defined as ``closely associated trainees.'' 3. To communicate matters related to agency award programs with (1) applicant organizations, including associated systems or system providers; (2) applicant persons such as the authorized institutional representatives, principal investigator(s) or trainees; (3) peer reviewers; or (4) other entities such as Congress; federal departments or agencies, non-federal agencies or entities, or the general public. 4. To monitor the operation of review and award processes to detect and deal appropriately with any instances of real or apparent inequities. 5. To provide mandated and other requested reports to Congress and in compliance with statutory, regulatory, and policy requirements. 6. To maintain communication with former fellows and trainees who have incurred a payback obligation through the National Research Service Award Program and other federal research training programs. 7. To maintain official administrative files of agency-funded research programs. 8. To manage research portfolios. 9. To document inventions, patents, and utilization data to protect the government's right to patents made with NIH support. Note that records used to manage invention and patent-related functions are covered under a separate system of records. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The records contained within this system pertain to the following categories of individuals: 1. Applicants for or Awardees of biomedical and behavioral research and development, training, career development, or loan repayment grant awards; cooperative agreement awards; and research and development contract awards; 2. Individuals who are named in applications, or awards; or individuals named on NIH intramural projects; e.g., program directors, key personnel, trainees, collaborators, consultants; 3. Peer Reviewers who review and provide evaluative input to the government about particular applications, in records such as reviewer critiques, preliminary or final individual overall impact/priority scores, and/or assignment of peer reviewers to an application; 4. Referees who, in association with a particular trainee application, supply a reference or letter of recommendation for an applicant; 5. Individual awardees and sub-awardees who are required to report inventions, patents, and utilization of subject invention(s) associated with NIH awards; and 6. Academic medical faculty, medical students and resident physicians (e.g., faculty of Association of American Medical Colleges of member institutions). [[Page 49542]] CATEGORIES OF RECORDS IN THE SYSTEM: This system includes a variety of pre-award and award management records that contain information needed to process applications and manage grant awards across the award lifecycle. Listed below are the categories of individuals mentioned above, matched with pre-award and award management records collected about them. 1. Applicants for or Awardees of awards--pre-award and award management (awardees) information; 2. Individuals named in applications, or awards--pre-award and award management (awardees) information; 3. Referees--pre-award information; 4. Peer Reviewers--pre-award information; 5. Individuals required to report inventions, etc.--award management information; and, 6. Academic medical faculty, medical students and resident physicians--award management information. Pre-award information includes the (1) application and related materials, and (2) documents related to the composition and function of chartered advisory committees (i.e., rosters). A record may consist of name, institution address, professional degree, demographic information, education and employment records and identifiers used by eRA Commons (i.e., user name and an IMPAC II system-assigned, unique personal identification number). Award management information consists of materials submitted in support of an award such as (1) recommendation letters; (2) peer review related information such as application scores, reviewer critiques, summary statements and express promises of confidentiality of any information concerning applications, scores, or critiques; (3) financial information such as obligated award amounts and awardee financial reports; (4) financial conflict of interest records; (5) inventions, utilization data, patent applications, and patents; (6) publications or other scholarly products reported as associated with awards; (7) reports related to management of awards; and (8) records and reports related to data querying, reporting, tracking, compliance, evaluation, audit, and communications activities. For the academic medical faculty category, records are used to support special studies, including research and policy evaluations and to complete biomedical workforce statistical reports and include (1) faculty name, (2) employing institution and institutional address; (3) degree and year obtained; (4) demographic information; (5) field of study; (6) appointment information; and (7) employment history. For the purpose of peer review, the eRA system contains limited information on loan repayment applications (which are managed through a different System of Records, NIH SORN 09-25-0165, Division of Loan Repayment Records) and research and development contract award information for purposes of complying with statutory requirements related to research and development awards at NIH such as reporting on the inclusion of minorities, women, and children in clinical research; obtaining approval for foreign grant components from the Department of State; and to satisfy research conditions, and disease categorization reporting requirements. RECORD SOURCE CATEGORIES: Information in records retrieved by a particular individual's identifier will be obtained directly from that individual or from other individuals and entities named in, contacted about, or involved in processing the records, including applicant institutions; NIH and customer agency acquisition personnel; educational, trainee and awardee institutions; and third parties that provide references or recommendations concerning the subject individual. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: Records about an individual may be disclosed from this system of records to the following parties outside HHS, without the individual's prior written consent, for the following purposes: 1. To a congressional office from the record of an individual in response to a written inquiry from the congressional office made at the written request of the individual. 2. To the Department of Justice (DOJ) or to a court or other adjudicative body when: --HHS or any component thereof or participating agencies; or --any employee of HHS or participating agencies in the employee's official capacity; or --any employee of HHS in the employee's individual capacity where the DOJ, HHS, or the participating agency has agreed to represent the employee; or --The United States, is a party to litigation or has a direct and substantial interest in the proceedings and the disclosure of such records is deemed by the agency to be relevant and necessary to the proceedings. 3. When a record on its face, or in combination with other records, indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether federal, foreign, state, local, tribal, or otherwise responsible for enforcing, investigating, or prosecuting the violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to the enforcement, regulatory, investigative, or prosecutorial responsibility of the receiving entity. 4. To appropriate federal agencies and HHS contractors, grantees, consultants, or volunteers who have been engaged by HHS to assist in the accomplishment of an HHS function relating to the purposes of this system of records and that need to have access to the records in order to assist HHS in performing the activity. Any contractor will be required to comply with the Privacy Act of 1974, as amended. 5. To applicant organizations, via authorized organization representative(s), applicant program director(s)/principal investigator(s), and other senior officials at applicant organizations (including but not limited to deans, presidents, vice presidents, research integrity officers, and compliance officials), to communicate matters related to agency award programs. Only matters that are relevant to a particular applicant organization would be communicated to that organization. 6. To a party for a research purpose when NIH: (A) Has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is provided in individually identifiable form, and (2) warrants the risk to the privacy of the individual; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of the research, and (3) makes no further use or disclosure of the record except when required by law, and reports results of the research in de-identified or aggregate form; and (D) has secured a written statement attesting to [[Page 49543]] the recipient's understanding of and willingness to abide by these provisions (i.e., signed data access agreement for system data) in which the data may relate to reports of the composition of biomedical and/or research and development workforce; authors of publications attributable to federally-funded awards; information made available through third-party systems as permitted by applicants or awardees for agency awards; information related to agency research integrity investigations; or award payment information reported to federal databases. 7. A record from this system may be disclosed to a federal, foreign, state, local, tribal or other public authority of the fact that this system of records contains information relevant to the hiring or retention of an employee, the issuance or retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant or other benefit. The other agency or licensing organization may then make a request supported by the written consent of the individual for further information if it so chooses. HHS will not make an initial disclosure unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another federal agency for criminal, civil, administrative, personnel, or regulatory action. 8. To qualified experts not within the definition of agency employees as prescribed in agency regulations or policies to obtain their opinions on applications for grants, CRADAs, inventions, or other awards as a part of the peer review process. 9. To the National Archives and Records Administration (NARA), General Services Administration (GSA), or other federal government agencies pursuant to records management inspections conducted under the authority of 44 U.S.C. secs. 2904 and 2906. 10. To appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm 11. To another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach. NIH may also disclose information about an individual, without the individuals' prior written consent, from this system of records to parties outside HHS for any of the purposes authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)-(11). POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Records are stored in various electronic media and paper form, and maintained under secure conditions in areas with limited and/or controlled access. Only authorized users whose official duties require the use of this information will have regular access to the records in this system. In accordance with established NIH, HHS and other federal security requirements, policies, and controls, records may also be located, maintained and accessed from secure servers wherever feasible or located on approved portable/mobile devices designed to hold any kind of digital data including, but not limited to laptops, tablets, PDAs, USB drives, media cards, portable hard drives, smartphones, optical storage (CDs and DVDs), and/or other mobile storage devices. Records are stored on portable/mobile storage devices only for valid business purposes and with prior approval. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: Records are retrieved by the name or other personal identifier (e.g., Commons user ID) of a subject individual. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: Records are retained and disposed of in accordance with the NIH Records Control Schedule contained in NIH Manual Chapter 1743, ``Keeping and Destroying Records,'' which provides these disposition periods:Item E-0001 (DAA-0443-2013-0004-0001)--Official case files of construction, renovation, endowment and similar grants. Disposition: Temporary. Cut off annually following completion of final grant-related activity that represents closing of the case file (e.g., project period ended). Destroy 20 years after cut-off; Item E-0002 (DAA-0443-2013-0004-0002)--Official case files of funded grants, unfunded grants, and award applications, appeals and litigation records. Disposition: Temporary. Cut off annually following completion of final grant-related activity that represents closing of the case file (e.g., end of project period, completed final peer review, litigation or appeal proceeding concluded). Destroy 10 years after cut-off; Item E-0003 (DAA-0443-2013-0004-0003)--Animal welfare assurance files. Disposition: Temporary. Cut off annually following closing of the case file. Destroy 4 years after cut-off; and, Item E-0004 (DAA-0443-2013-0004-0004)--Extramural program and grants management oversight records. Disposition: Temporary. Cut off annually. Destroy 3 years after cut-off. Refer to the NIH Manual Chapter for specific retention and disposition instructions: http://www1.od.nih.gov/oma/manualchapters/management/1743. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: Measures to prevent unauthorized disclosures are implemented as appropriate for each location or form of storage and for the types of records maintained. Safeguards conform to the HHS Information Security and Privacy Program, http://www.hhs.gov/ocio/securityprivacy/index.html. Site(s) implement personnel and procedural safeguards such as the following: Administrative Safeguards: Controls to ensure proper protection of information and information technology systems include, but are not limited to, the completion of a Security Assessment and Authorization (SA&A) package and a Privacy Impact Assessment (PIA) and mandatory completion of annual NIH Information Security and Privacy Awareness training or comparable specific in-kind training offered by participating agencies that has been reviewed and accepted by the NIH eRA Information Systems Security Officer (ISSO). The SA&A package consists of a Security Categorization, e-Authentication Risk Assessment, System Security Plan, evidence of Security Control Testing, Plan of Action and Milestones, Contingency Plan, and evidence of Contingency Plan Testing. When the design, development, or operation of a system of records on individuals is [[Page 49544]] required to accomplish an agency function, the applicable Privacy Act Federal Acquisition Regulation (FAR) clauses are inserted in solicitations and contracts. Technical Safeguards: Controls executed by the computer system are employed to minimize the possibility of unauthorized access, use, or dissemination of the data in the system. They include, but are not limited to, user identification, password protection, firewalls, virtual private network, encryption, intrusion detection system, common access cards, smart cards and public key infrastructure. Physical Safeguards: Controls to secure the data and protect paper and electronic records, buildings, and related infrastructure against threats associated with their physical environment include, but are not limited to, the use of the HHS Employee ID and/or badge number and NIH key cards, security guards, cipher locks, and closed-circuit TV. Paper records are secured under conditions that require at least two locks to access, such as in locked file cabinets that are contained in locked offices or facilities. Electronic media are kept on secure servers or computer systems. RECORD ACCESS PROCEDURES: Certain material is exempt from access; however, consideration will be given to all access requests addressed to the System Manager. To request access to a record about you, write to the System Manager identified above, and provide the information described under ``Notification Procedure''. Individuals may also request an accounting of disclosures that have been made of their records, if any. CONTESTING RECORD PROCEDURES: Certain material is exempt from amendment; however, consideration will be given to all amendment requests addressed to the System Manager. To contest information in a record about you, write to the System Manager identified above, reasonably identify the record and specify the information being contested, state the corrective action sought and the reason(s) for requesting the correction, and provide supporting information. The right to contest records is limited to information that is factually inaccurate, incomplete, irrelevant, or untimely (obsolete). NOTIFICATION PROCEDURES: Certain material is exempt from notification; however, consideration will be given to all notification requests addressed to the System Manager. Any individual who wants to know whether this system of records contains a record about him or her must make a written request to the System Manager identified above. The requester should provide either a notarization of the request or a written certification that the requester is who he or she claims to be and understands that the knowing and willful request of a record pertaining to an individual under false pretenses is a criminal offense under the Privacy Act, subject to a five thousand dollar fine. The request should include the requester's full name and address, and should also include the following information, if known: The approximate date(s) the information was collected, the type(s) of information collected, and the office(s) or official(s) responsible for the collection of information. EXEMPTIONS PROMULGATED FOR THE SYSTEM: Pursuant to 5 U.S.C. 552a(k)(5), the following subset of records in this system of records qualifies as investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal contracts, and is exempt from the Privacy Act requirements pertaining to providing an accounting of disclosures, access and amendment, notification, and agency procedures and rules (5 U.S.C. 552a (c)(3), and (d)(1)-(4)): Material that would inappropriately reveal the identities of referees who provide letters of recommendation and peer reviewers who provide written evaluative input and recommendations to NIH about particular funding applications under an express promise by the government that their identities in association with the written work products they authored and provided to the government will be kept confidential; this includes only material that would reveal a particular referee or peer reviewer as the author of a specific work product (e.g., reference or recommendation letters, reviewer critiques, preliminary or final individual overall impact/priority scores, and/or assignment of peer reviewers to an application and other evaluative materials and data compiled by NIH/OER); it includes not only an author's name but any content that could enable the author to be identified from context. To the extent that records in System No. 09-25-0225 are retrieved by personal identifiers for individuals other than referees and peer reviewers (for example, individual funding applicants, and other individuals who are the subject of assessment or evaluation), the exemptions enable the agency to prevent, when appropriate, those individual record subjects from having access to, and other rights under the Privacy Act with respect to, the above-described confidential source-identifying material in the records. HISTORY: 81 FR 88690 (Dec. 8, 2016), 83 FR 6591 (Feb.14, 2018). [FR Doc. 2019-20423 Filed 9-19-19; 8:45 am] BILLING CODE 4150-28-P