[Federal Register Volume 88, Number 36 (Thursday, February 23, 2023)]
[Notices]
[Pages 11403-11406]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-03706]


 ========================================================================
 Notices
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains documents other than rules 
 or proposed rules that are applicable to the public. Notices of hearings 
 and investigations, committee meetings, agency decisions and rulings, 
 delegations of authority, filing of petitions and applications and agency 
 statements of organization and functions are examples of documents 
 appearing in this section.
 
 ========================================================================
 

  Federal Register / Vol. 88, No. 36 / Thursday, February 23, 2023 / 
Notices  

[[Page 11403]]



DEPARTMENT OF AGRICULTURE

Food and Nutrition Service


Privacy Act; Proposed New System of Records

AGENCY: Food and Nutrition Service (FNS), USDA.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, and 
Office of Management and Budget (OMB) Circular No. A-108, notice is 
given that the Food and Nutrition Service (FNS) of the U.S. Department 
of Agriculture (USDA) is proposing to add a new system of records, 
entitled USDA/FNS-14, National Accuracy Clearinghouse (NAC) System to 
Detect Duplicate Participation. The NAC will enhance program integrity 
in the Supplemental Nutrition Assistance Program (SNAP) by providing a 
secure method for State agencies that administer SNAP (State agencies) 
to share information to prevent and detect duplicate participation.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11) this notice is 
effective upon publication, subject to a 30-day notice and comment 
period in which to comment on the routine uses described in the routine 
uses section of this system of records notice. Please submit any 
comments by March 27, 2023.

ADDRESSES: Interested parties may submit written comments by one of the 
following methods:
     Preferred: Federal eRulemaking Portal at http://www.regulations.gov provides the ability to type short comments 
directly into the comment field on this web page or attach a file for 
lengthier comments. Follow the online instructions at that site for 
submitting comments.
     By email: FNS, SNAP, State Administration Branch (SAB) at 
[email protected].
     By mail: Maribelle Balbes, Branch Chief, SAB, SNAP, FNS, 
1320 Braddock Place, Alexandria, VA 22314.
     Instructions: All comment submissions must include the 
agency name and docket number for this rulemaking. All comments 
received will be posted without change to http://www.regulations.gov, 
including any personal information provided.
     Docket: For access to the docket to read background 
documents or comments received go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: For general questions, please contact 
the above individual, Maribelle Balbes, Branch Chief, SAB, SNAP, FNS at 
[email protected] or 703-605-4272.
    For Privacy Act questions concerning this system of records notice, 
please contact Mr. Michael Bjorkman, Privacy Officer, USDA, FNS, 
Information Management Branch, Braddock Metro Center II, 1320 Braddock 
Place, Alexandria, VA 22314; (703) 305-1627.
    For general USDA Privacy Act questions, please contact the USDA 
Chief Privacy Officer, Information Security Center, Office of Chief 
Information Officer, USDA, Jamie L. Whitten Building, 1400 Independence 
Ave. SW, Washington, DC 20250; email: [email protected].

SUPPLEMENTARY INFORMATION:

Statutory Basis

    The Agriculture Improvement Act of 2018 (Pub. L. 115-334, ``the 
2018 Farm Bill''), amended Section 11 of the Food and Nutrition Act of 
2008 (7 U.S.C. 2020, ``the Act'') to require FNS to establish an 
interstate data system to be known as the National Accuracy 
Clearinghouse (NAC) and to promulgate regulations to set requirements 
for use of the NAC. The Act requires State agencies to participate in 
the NAC matching program as both providers of data to the NAC and users 
of the information in the NAC that has been provided by the other State 
agencies to prevent individuals from receiving SNAP benefits in more 
than one State agency simultaneously, commonly referred to as duplicate 
participation.

Background

    FNS is promulgating regulations to codify the NAC implementation 
requirements pursuant to the amendments to the Act and to ensure 
compliance and alignment with existing statutory and regulatory 
requirements, including the Privacy Act (5 U.S.C. 552a) requirements 
for computer matching programs.
    Under existing regulations, an individual may not receive SNAP 
benefits from more than one State agency in the same benefit month. 
However, States are limited in their ability to access timely 
information to enforce this requirement because State agencies maintain 
the records for SNAP participants in their own States. The NAC will 
assist State agencies in preventing and detecting duplicate 
participation by providing a secure method for sharing current 
information with each other for this purpose.
    Each State agency will provide information about current SNAP 
participants to the NAC. State agencies will then conduct matches 
against the NAC to determine if someone is already receiving SNAP 
benefits in any other State as part of the process of determining an 
individual's eligibility for SNAP. The NAC will also compare 
information provided by State agencies to detect existing duplicate 
participation and will notify State agencies when such matches are 
found.

Privacy Act

    The Privacy Act of 1974 (the Privacy Act), 5 U.S.C. 552a, embodies 
fair information principles in a statutory framework governing the 
means by which the United States Government collects, maintains, uses, 
and disseminates personally identifiable information. The Privacy Act 
applies to information that is maintained in a system of records (SOR). 
A SOR is a group of any records under the control of an agency for 
which information is retrieved by the name of an individual or by some 
identifying number, symbol, or other identifying particular assigned to 
the individual. In the Privacy Act, an individual is defined to 
encompass United States citizens and legal permanent residents.
    The Privacy Act requires each agency to publish in the Federal 
Register a description denoting the type and character of each system 
of records that

[[Page 11404]]

the agency maintains, the routine uses that are contained in each 
system in order to make agency record keeping practices transparent, to 
notify individuals regarding the uses to which personally identifiable 
information is put, and to assist individuals to more easily find such 
records within the agency. Below is the description of the NAC system 
of records.
    In accordance with 5 U.S.C. 552a(r), USDA has provided a report of 
this new system to the Office of Management and Budget and to Congress.

SYSTEM NAME AND NUMBER:
    USDA/FNS-14, Supplemental Nutrition Assistance Program (SNAP), 
National Accuracy Clearinghouse (NAC) System to Detect Duplicate 
Participation.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The NAC is maintained in the USDA Azure cloud infrastructure 
environment that is used only by Federal employees and contractors and 
State agency employees and contractors. The data is processed and 
stored solely within the continental United States. The agency, U.S. 
Department of Agriculture, address is 1400 Independence Ave. SW, 
Washington, DC 20250 and the address of the third-party service 
provider is Microsoft, 1 Microsoft Way, Redmond, Washington 98052-6399.

SYSTEM MANAGER(S):
    Director, Portfolio Management Division, Office of Information 
Technology, Food and Nutrition Service, 1320 Braddock Road, Alexandria, 
Virginia 22314. Telephone: (703) 305-2504.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 11(x) of the Food and Nutrition Act of 2008, as amended (7 
U.S.C. 2020(x)).

PURPOSE(S) OF THE SYSTEM:
    The NAC will improve program access and customer experience by 
facilitating state to state communication to help State agencies 
promptly and accurately process SNAP recipient moves from one state to 
another and to enhance program integrity by providing State agencies 
with a tool to screen for duplicate participation to allow timely 
action to reduce improper payments.
    Disclosure of Information:
    Data protection requirements in section 11 of the Act (7 U.S.C. 
2020(x)(2)(C)) restrict the disclosure of information made available by 
State agencies to the NAC. The data in the NAC shall only be used for 
the purpose of preventing duplicate participation in SNAP, shall only 
be retained as long as necessary to meet that need, shall be used in a 
manner that protects the identity and location of vulnerable 
individuals, and is exempt from the disclosure requirements of section 
552(a) of title 5 pursuant to section 552(b)(3) of title 5. 
Accordingly, the information shall only be disclosed to persons 
directly connected with the administration or enforcement of the 
provisions of the Act or SNAP regulations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Categories of individuals covered by this system are individuals 
who are currently receiving SNAP benefits and applicants for SNAP 
benefits.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system contains the following categories of records: 
information on SNAP participants and applicants, SNAP case information, 
and match resolution information. SNAP participant and applicant names, 
social security numbers, and dates of birth are used by the State 
agencies to find a positive match. However, these identifiers are not 
uploaded directly to the NAC. In order to protect participant 
information, State agencies will use a privacy-preserving record 
linkage (PPRL) process to convert these data elements to a secure 
cryptographic hash before sharing the information to the NAC. The PPRL 
process allows the NAC to accurately match individuals, while 
preventing the collection and storage of the names, social security 
numbers, and dates of birth in the NAC system. A positive match is 
identified by the NAC when two or more hashes match. State agencies are 
also required to provide a participant ID to the NAC to allow the State 
agency to connect the match in the NAC to an individual in the State 
agency's system. In other words, the participant ID is used to help the 
State agency resolve a match. When a match is found, the NAC will 
create a match record with a unique system-generated match ID and 
notify the affected State agencies of the match. State agencies will 
use the participant ID they provided previously, now included in the 
match record, to find the matched individual in the State agency's 
eligibility system. Additionally, there is a vulnerable individual flag 
that must be used, if applicable, to denote an individual that needs 
their identity and location protected when resolving the match.
    Furthermore, information about SNAP cases are provided to assist 
State agencies with communication in determining the appropriate 
actions to take in resolving a NAC match. This case information for 
communication may include case number, recent certification dates, and 
participant closing date. To enhance program integrity and provide 
program oversight, the system may also contain information about the 
resolution of NAC matches.

RECORD SOURCE CATEGORIES:
    Information in this system is provided by State agencies that 
administer SNAP.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    Records created in this system may be disclosed, as part of a 
computer matching program, to Federal and State agency personnel 
responsible for monitoring duplicate participation in SNAP, as required 
by section 11(x) of the FNA (7 U.S.C. 2020(x)). Disclosure of records 
in this system may also be made for the permitted routine uses outlined 
below as long as such uses are also authorized by section 11(x) of the 
FNA (7 U.S.C. 2020(x)).
    Permitted routine uses include the following:
    (1) To the Department of Justice when: (a) USDA/FNS or any 
component thereof; or (b) any employee of USDA in his or her official 
capacity, or any employee of the agency in his or her individual 
capacity where the Department of Justice has agreed to represent the 
employee; or (c) the United States Government, is a party to litigation 
or has an interest in such litigation, and USDA determines that the 
records are both relevant and necessary to the litigation and the use 
of such records by the Department of Justice is deemed by USDA to be 
for a purpose that is compatible with the purpose for which USDA 
collected the records.
    (2) In an appropriate proceeding before a court, grand jury, or 
administrative or adjudicative body or official, when the USDA/FNS or 
other Agency representing the USDA, determines that the records are 
both relevant and necessary to the proceeding; or in an appropriate 
proceeding before an administrative or adjudicative body when the 
adjudicator determines the records to be relevant and necessary to the 
proceeding.
    (3) To a congressional office in response to an inquiry from that 
congressional office made at the written request of the individual 
about whom the record pertains.

[[Page 11405]]

    (4) To the National Archives and Records Administration or other 
Federal government agencies pursuant to records management activities 
being conducted under 44 U.S.C. 2904 and 2906.
    (5) To an agency, organization, or individual for the purpose of 
performing audit or oversight operations as authorized by law, but only 
such information as is necessary and relevant to such audit or 
oversight function.
    (6) To another Federal agency or Federal entity, when USDA/FNS 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in: (1) responding 
to a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.
    (7) To appropriate agencies, entities, and persons when: (1) USDA/
FNS suspects or has confirmed that there has been a breach of the 
system of records; (2) USDA/FNS has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
USDA (including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with USDA's efforts to respond to the suspected or 
confirmed compromise and prevent, minimize, or remedy such harm.
    (8) To contractors and their agents, grantees, experts, 
consultants, and other performing or working on a contract, service, 
grant, cooperative agreement, or other assignment for the USDA/FNS, 
when necessary to accomplish an agency function related to this system 
of records.
    (9) When a record on its face, or in conjunction with other 
records, indicates a violation or potential violation of law, whether 
civil, criminal or regulatory in nature, and whether arising by general 
statute or particular program statute, or by regulation, rule, or order 
issued pursuant thereto, USDA/FNS may disclose the record to the 
appropriate agency, whether Federal, foreign, State, local, or tribal, 
or other public authority responsible for enforcing, investigating, or 
prosecuting such violation or charged with enforcing or implementing 
the statute, or rule, regulation, or order issued pursuant thereto, if 
the information disclosed is relevant to any enforcement, regulatory, 
investigative or prosecutive responsibility of the receiving entity.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The NAC will be hosted in the USDA Azure Cloud infrastructure 
environment, which is FedRAMP certified. These records are electronic.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    User permission levels provide users with access to only the 
features and data needed within their assigned role. State agency 
workers who are granted access to the NAC can conduct matches against 
the NAC through a real-time query from the State agency's eligibility 
system or from directly within the NAC. The individual's name, Social 
Security number, and date of birth are converted to a secure 
cryptographic hash before the information is compared against the NAC 
for interstate matching. When a positive match is found, based on 
matching hashes, the NAC creates a match record with a unique system-
generated match ID. Match records in the NAC can be retrieved by the 
match ID. Both State agency users and FNS staff members who are granted 
access to the NAC will have access to the match records to perform 
program administration and oversight duties. FNS staff members will 
also have access to monitor system metrics. Only FNS staff members with 
system administrator-level access to maintain the NAC system will have 
the ability to access the secure cryptographic hashes.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    State agencies will generally provide SNAP participant records to 
the NAC daily and new submissions will replace prior submissions to 
ensure matching is conducted against the most current, accurate 
information possible. When positive matches are found, indicating 
potential or actual duplicate participation, the match records created 
by the NAC will be retained for up to three years for program 
administration, oversight, and audit purposes. Summary or aggregate 
data maintained for reporting and oversight purposes will be retained 
in the system indefinitely.
    The NAC does not yet have a NARA-approved records schedule. The 
proposed schedule provided to NARA for review and approval, dictates 
that the different information sets will be retained for different 
periods of time, as described above. All NAC system records except the 
files provided daily by State agencies will be kept indefinitely until 
NARA has approved the proposed records schedule for the NAC.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Administrative Safeguards: USDA safeguards records in this system 
according to applicable rules and policies, including all applicable 
USDA automated systems security and access policies. USDA has imposed 
strict controls to minimize the risk of compromising information in the 
system. Access to the computer system containing the records in this 
system is limited to those individuals who have a need to know the 
information for the performance of their official duties and who have 
appropriate clearances or permissions.
    Technical Safeguards: The NAC will utilize a robust collection of 
technical safeguards to ensure the integrity of the platform. The NAC 
is designed to meet all technical safeguards required by its system 
categorization in NIST 800-53. The NAC will be hosted in a secure 
server environment that uses a firewall to prevent interference or 
access from outside intruders. When accessing the NAC, Secure Socket 
Layer (SSL) technology protects the user's information by using both 
server authentication and data encryption. The NAC administrators will 
have a suite of security tools that can be used to increase the 
security of the system.
    To protect sensitive participant and applicant data, names, dates 
of birth, and social security numbers will go through a PPRL process. 
This process includes the data elements being combined and masked by a 
SHA-512 hash by States prior to sharing that data with the NAC. To 
mitigate against the risk of incoming participant data files being 
exfiltrated, the entire message will be encrypted before it is sent to 
the NAC. To mitigate against the risk of PII saved in the NAC databases 
being exfiltrated (e.g., the State ID and the hash of name, date of 
birth, and SSN), that data will be additionally encrypted at the 
database column level.
    Physical Safeguards: The servers that host the NAC are stored in a 
FedRAMP authorized data center with strict physical access control 
procedures in place to prevent unauthorized access.

RECORD ACCESS PROCEDURES:
    Personal information contained in this system is provided by the 
State agency where the individual is a SNAP participant or applicant. 
Individuals may obtain information about records in the system 
pertaining to them by submitting a written request to the system 
manager listed above. The

[[Page 11406]]

envelope and the letter should be marked ``Privacy Act Request,'' and 
should include the name of the individual making the request, the name 
of the system of records, any other information specified in the system 
notice and a statement of whether the requester desires to be supplied 
with copies by mail or email. Individuals may also directly contact the 
applicable State agency or local SNAP office.
    Requests to the system manager must also include sufficient data 
for FNS to verify your identity. If the sensitivity of the records 
warrants it, FNS may require that you submit a signed, notarized 
statement indicating that you are the individual to whom the records 
pertain and stipulating that you understand that knowingly or willfully 
seeking or obtaining access to records about another individual under 
false pretenses is a misdemeanor punishable by fine up to $5,000. No 
identification shall be required, unless the records are required by 5 
U.S.C. 552 to be released. If FNS determines to grant the requested 
access, fees may be charged in accordance with 7 CFR part 1, subpart G, 
1.120 before making the necessary copies. In place of a notarization, 
your signature may be submitted under 28 U.S.C. 1746, a law that 
permits statements to be made under penalty of perjury as a substitute 
for notarization.

CONTESTING RECORD PROCEDURES:
    Individuals desiring to contest or amend information maintained in 
the system should direct their requests to the System Manager listed 
above or to the State agency that provided the data. The request should 
identify each record in question, state the amendment or correction 
desired, and state why the individual believes that the record is not 
accurate, relevant, timely, or complete. The individual may submit any 
documentation that would be helpful. Requests sent to the system 
manager will be shared to the State agency that provided the data for 
resolution. This request must follow the procedures set forth in 7 CFR 
part 1, subpart G, 1.116 (Request for correction or amendment to 
record).
    FNS is not able to change information about individuals within the 
NAC. State agencies serve as the authoritative source for the 
information they provide and are accountable for providing accurate 
information from their system to the NAC.

NOTIFICATION PROCEDURES:
    Any individual may request information regarding this system of 
records, or information as to whether the system contains records 
pertaining to the individual, from the System Manager listed above: See 
RECORD ACCESS PROCEDURES.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

Cynthia Long,
Administrator, Food and Nutrition Service.
[FR Doc. 2023-03706 Filed 2-22-23; 8:45 am]
BILLING CODE 3410-30-P