[Federal Register Volume 87, Number 19 (Friday, January 28, 2022)]
[Notices]
[Pages 4604-4607]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-01771]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Administration for Children and Families


Privacy Act of 1974; System of Records

AGENCY: Administration for Children and Families (ACF), Department of 
Health and Human Services (HHS).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

[[Page 4605]]

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the Department of Health and Human Services (HHS) is 
modifying an existing system of records maintained by the 
Administration for Children and Families (ACF), Office of Child Care 
(OCC): System Number 09-80-0371, OCC Federal Child Care Monthly Case 
Records. The system of records covers case-level information on low-
income working families receiving child care financial assistance 
through the Child Care and Development Fund (CCDF), which is provided 
in aggregate, non-identifiable format to Congress for empirical 
assessment, and to researchers and the public. Only certain pre-October 
2015, case records (i.e., those that include Social Security Number 
(SSN) as a case identifier) are included in this system of records, 
because only those are retrieved by a personal identifier.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this Notice is 
applicable January 28, 2022, subject to a 30-day period in which to 
comment on the new routine use, described below. Please submit any 
comments by February 28, 2022.

ADDRESSES: The public should address written comments by mail or email 
to: Anita Alford, Senior Official for Privacy, Administration for 
Children and Families, 330 C St. SW, Washington, DC 20201, or 
[email protected].

FOR FURTHER INFORMATION CONTACT: General questions about this system of 
records should be submitted by mail or email to Helen Papadopoulos, 
Information Technology Specialist, at 330 C St. SW, Washington, DC 
20201, 202-205-8455 or [email protected].

SUPPLEMENTARY INFORMATION: The following modifications have been made 
to System of Records Notice (SORN) 09-80-0371 to update and improve it:
     The Categories of Records section has been revised to 
limit the system of records to pre-October 2015, records that include 
SSN as a case identifier and to list more examples of data elements 
contained in the records.
     The Routine Uses section has been updated to remove the 
statement ``Disclosure to Consumer Reporting Agencies: None'' that was 
formerly included in the Routine Uses section and numbered as routine 
use 11 (but isn't a routine use). Routine use 3, that authorizes 
disclosures to members of Congress and their office staff for purposes 
of responding to constituent inquiries, has been revised to require 
that the constituent requests be ``written.'' The two-breach response-
related routine uses that were revised and added February 14, 2018, 
(see 83 FR 6591) are now numbered as 10a.and 10b.
     The Retrieval section has been revised to clarify that SSN 
is the only personal identifier used for retrieval, because other 
unique case identifiers assigned by states and territories are not 
personal identifiers (other case identifiers identify a family without 
also identifying a particular individual).
     The Retention and Disposal section has been updated to 
identify the applicable records disposition authority, DAA-0292-2018-
0004, item 1.

Ruth Friedman,
Director, Office of Child Care, Administration for Children and 
Families.

SYSTEM NAME AND NUMBER:
    OCC Federal Child Care Monthly Case Records, 09-80-0371.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The component responsible for this system of records is the Office 
of Child Care, Administration for Children and Families, 330 C St. SW, 
Washington, DC 20201.

SYSTEM MANAGERS:
    Information Technology Specialist, Office of Child Care, 
Administration for Children and Families, 330 C St. SW, Washington, DC 
20201, (202) 690-6782, [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    42 U.S.C. 9858i, 9858j.

PURPOSE(S) OF THE SYSTEM:
    The system of records contains OCC federal child care monthly case-
level data which states and territories regularly collect and are 
required to provide to OCC about families receiving CCDF services and 
the environments where those services are provided. The Child Care and 
Development Block Grant (CCDBG) Act of 1990 requires states and 
territories to submit specific information to OCC, so that OCC can in 
turn report it (in aggregate form) to Congress, to give Congress an 
empirical basis for assessing the program (see 42 U.S.C. 9858i, 9858j). 
OCC also makes non-identifiable records available to researchers and 
the public.
    The records in this system of records are pre-October 2015, records 
that are not intended to be personally-identifying and are not used for 
any purpose that involves identifying particular individuals; however, 
they contain, and are retrieved by, SSN, that states and territories 
used as a case identifier prior to October 2015. The purpose of the 
case identifier is to accurately count the number of families served 
over time and ensure that data reported at different times about the 
same case (i.e., the same family) is associated with the correct case 
for research purposes.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records in this system of records are about low-income working 
families receiving child care financial assistance through the CCDF 
whose information was reported on form ACF-801, prior to October 2015, 
by states and territories that used SSN as a case identifier.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records consist of pre-October 2015, case-level information 
about families receiving CCDF services. They contain SSN as a case 
identifier and data elements such as state and county, reason for 
receiving care, total monthly copayment, total monthly income, sources 
of income, date assistance began, and specific data elements about 
children, such as race and ethnicity, birth month and year, type of 
child care, total monthly amount paid to child care provider, total 
hours of child care provided, and characteristics of the environment 
where the child was served, such as accreditation status or standards 
met. Names are not collected, and the records are not intended to 
include other personal identifiers. However, prior to October 2015, 
case-level information reported by states and territories included 
Social Security Numbers (SSNs) as a state- or territory-assigned case 
identifier (instead of another unique but non-personally identifying 
case identifier), for families based on requirements of the states and 
territories.

RECORD SOURCE CATEGORIES:
    Information in the system is obtained by the states and territories 
receiving funds from the Child Care and Development Fund.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    These routine uses specify circumstances, in addition to others 
provided by statute in subsection (b) of the Privacy Act of 1974 (5 
U.S.C. 552a(b)), under which ACF may release information from this 
system of records without the consent of the data subject. Each 
proposed disclosure of information under these routine uses will be 
evaluated to ensure that the disclosure is legally permissible.

[[Page 4606]]

    1. Disclosure for Law Enforcement Purpose. Information may be 
disclosed to the appropriate federal, state, local, tribal, or foreign 
agency responsible for investigating, prosecuting, enforcing, or 
implementing a statute, rule, regulation, or order, if the information 
is relevant to a violation or potential violation of civil or criminal 
law or regulation within the jurisdiction of the receiving entity.
    2. Disclosure for Private Relief Legislation. Information may be 
disclosed to the Office of Management and Budget at any stage in the 
legislative coordination and clearance process in connection with 
private relief legislation as set forth in OMB Circular No. A-19.
    3. Disclosure to Congressional Office. Information may be disclosed 
to a congressional office from the record of an individual in response 
to a written inquiry from the congressional office made at the written 
request of the individual.
    4. Disclosure to Department of Justice or in Proceedings. 
Information may be disclosed to the Department of Justice, or in a 
proceeding before a court, adjudicative body, or other administrative 
body before which HHS is authorized to appear, when:
     HHS, or any component thereof; or
     Any employee of HHS in his or her official capacity; or
     Any employee of HHS in his or her individual capacity 
where the Department of Justice or HHS has agreed to represent the 
employee; or
     The United States, if HHS determines that litigation is 
likely to affect HHS or any of its components,
    is a party to litigation or has an interest in such litigation, and 
the use of such records by the Department of Justice or HHS is deemed 
by HHS to be relevant and necessary to the litigation provided, 
however, that in each case it has been determined that the disclosure 
is compatible with the purpose for which the records were collected.
    5. Disclosure to the National Archives and Records Administration 
(NARA). Information may be disclosed to NARA in records management 
inspections.
    6. Disclosure to Contractors, Grantees, and Others. Information may 
be disclosed to contractors, grantees, consultants, or volunteers 
performing or working on a contract, service, grant, cooperative 
agreement, job, or other activity for HHS and who have a need to have 
access to the information in the performance of their duties or 
activities for HHS.
    7. Disclosure for Administrative Claim, Complaint, and Appeal. 
Information may be disclosed to an authorized appeal grievance 
examiner, formal complaints examiner, equal employment opportunity 
investigator, arbitrator or other person properly engaged in 
investigation or settlement of an administrative grievance, complaint, 
claim, or appeal filed by an employee, but only to the extent that the 
information is relevant and necessary to the proceeding. Agencies that 
may obtain information under this routine use include, but are not 
limited to, the Office of Personnel Management, Office of Special 
Counsel, Merit Systems Protection Board, Federal Labor Relations 
Authority, Equal Employment Opportunity Commission, and Office of 
Government Ethics.
    8. Disclosure to Office of Personnel Management. Information may be 
disclosed to the Office of Personnel Management pursuant to that 
agency's responsibility for evaluation and oversight of Federal 
personnel management.
    9. Disclosure in Connection with Litigation. Information may be 
disclosed in connection with litigation or settlement discussions 
regarding claims by or against HHS, including public filing with a 
court, to the extent that disclosure of the information is relevant and 
necessary to the litigation or discussions and except where court 
orders are otherwise required under section (b)(11) of the Privacy Act 
of 1974, 5 U.S.C. 552a(b)(11).
    10. Disclosure in the Event of a Security Breach.
    a. Information may be disclosed to appropriate agencies, entities, 
and persons when (1) HHS suspects or has confirmed that there has been 
a breach of the system of records; (2) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the federal government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    b. Information may be disclosed to another federal agency or 
federal entity, when HHS determines that information from this system 
of records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the federal government, or national 
security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Case-level records are stored on a computer network/database. 
Servers for the database are currently located at the National 
Institutes of Health Center for Information Technology (NIHCIT) in 
Bethesda, MD.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The records are retrieved by SSN.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records on families and children receiving child care subsidies 
funded by the Child Care and CCDF are destroyed eight years after the 
end of the fiscal year in which the data was reported (e.g., the cutoff 
for Fiscal Year 2015 data is September 30, 2015), per records 
disposition authority DAA-0292-2018-0004, item 1 approved by the 
National Archives and Records Administration (NARA).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards conform to the HHS Information Security and Privacy 
Program, https://www.hhs.gov/ocio/securityprivacy/index.html. 
Information is safeguarded in accordance with applicable laws, rules 
and policies, including the HHS Information Technology Security Program 
Handbook, all pertinent National Institutes of Standards and Technology 
(NIST) publications; and OMB Circular A-130, Managing Information as a 
Strategic Resource.
     Administrative Safeguards: Access to records is limited to 
persons authorized to update, view, or maintain Federal Child Care 
Monthly Case Records. Authorized users include internal users such as 
government and contractor personnel and federal researchers. Federal 
employees and direct contractor users must attend general computer 
security training and sign a Rules of Behavior, that is renewed 
annually. Additionally, direct contractors are required to sign a non-
disclosure agreement. All users are given role-based access to the 
system on a limited need-to-know basis. Approved users' access to 
system records is controlled by two factor authentications. Physical 
and logical access to the system is removed upon termination of 
employment or other change in the user's role.
     Technical Safeguards: Electronic records are protected 
from unauthorized

[[Page 4607]]

access by user authentication controls, intrusion detection, and 
firewalls. Routine system security scans are run to detect web and 
architecture vulnerabilities.
     Physical Safeguards: The facility housing OCC information 
systems is a secure data center and can only be accessed by authorized 
infrastructure staff from HHS and NIH. The facility maintains fire 
suppression and detection devices/systems (e.g., sprinkler systems, 
handheld fire extinguishers, fixed fire hoses, and/or smoke detectors) 
that are activated in the event of a fire. Servers and other computer 
equipment used to process identifiable data are located in secured 
areas and use physical access devices (e.g., keys, locks, combinations, 
and card readers) and/or security guards to control entries into the 
facility.

RECORD ACCESS PROCEDURES:
    An individual seeking access to records about him or her in this 
system of records must submit a written request to the System Manager/
Policy Coordinating Official at the address specified in the ``System 
Manager'' section above. The requester must verify his or her identity 
by providing either a notarization of the request or a written 
certification that the requester is who or she claims to be and 
understands that the knowing and willful request for access to a record 
pertaining to an individual from an agency under false pretenses is a 
criminal offense under the Privacy Act, subject to a fine of up to five 
thousand dollars. Requesters may also ask for an accounting of 
disclosures that have been made of their records, if any.

CONTESTING RECORD PROCEDURES:
    An individual seeking to amend a record about him or her in this 
system of records must submit a written request to the System Manager 
indicated above, verify his or her identity in the same manner as is 
required for an access request, and reasonably identify the record and 
specify the information being contested, the corrective action sought, 
and the reasons for requesting the correction, along with any 
supporting documentation. The right to contest records is limited to 
information that is incomplete, incorrect, untimely, or irrelevant.

NOTIFICATION PROCEDURES:
    An individual who wishes to know if this system of records contains 
records about him or her must submit a written request to the System 
Manager indicated above, and must verify his or her identity in the 
same manner as is required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    80 FR 17893 (Apr. 2, 2015), 83 FR 6591 (Feb. 14, 2018).

[FR Doc. 2022-01771 Filed 1-27-22; 8:45 am]
BILLING CODE 4184-81-P