[Federal Register Volume 89, Number 111 (Friday, June 7, 2024)]
[Notices]
[Pages 48654-48658]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-12468]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Privacy Act of 1974; System of Records
AGENCY: National Institutes of Health (NIH), Department of Health and
Human Services (HHS).
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, as amended (Privacy Act, or Act), the Department of Health and
Human Services (HHS) is establishing a new System of Records (SOR), 09-
25-0224, ``NIH Police Records,'' to be maintained by the National
Institutes of Health (NIH). The new system of records will contain
records about individuals who are the subject of investigations of
crime, civil disturbances, and traffic accidents occurring on or
otherwise affecting the protection of life and property on NIH
property. Because the records will constitute law enforcement
investigatory material, elsewhere in the Federal Register the agency
has published a notice of proposed rulemaking (NPRM) to exempt this
system of records from certain requirements of the Privacy Act based on
subsections (j)(2) and (k)(2) of the Act. The system of records is more
fully described in the system of records notice (SORN) published in
this notice.
DATES: The comment period for this SORN is co-extensive with the 60-day
comment period provided in the NPRM; i.e., written comments on the SORN
should be submitted by August 6, 2024. The new system of records,
including the routine uses and the exemptions, will become effective
when NIH publishes a Final Rule, which will not occur until the 60-day
comment period provided in the NPRM has expired and any comments
received on the NPRM (or on this SORN) have been addressed.
ADDRESSES: The public should address written comments, identified by
the Privacy Act System of Records (PA SOR) Number 09-25-0224, by any of
the following methods:
Federal eRulemaking Portal: https://regulations.gov.
Follow the instructions for submitting comments.
Email: [email protected] and include PA SOR number 09-
25-0224 in the subject line of the message.
Phone: (301) 402-6469 (not a toll-free number).
Fax: (301) 402-0169.
Mail: NIH Privacy Act Officer, Office of Management
Assessment, National Institutes of Health, 6705 Rockledge Drive (RK1)
601, Rockville, MD 20892-7901.
Hand Delivery/Courier: 6705 Rockledge Drive (RK1) 601,
Rockville, MD 20892-7901.
Comments received will be available for inspection and copying at
this same address from 9:00 a.m. to 3:00 p.m., Monday through Friday,
Federal holidays excepted.
FOR FURTHER INFORMATION CONTACT: General questions about the system of
records may be submitted to Dustin Close, NIH Privacy Act Officer, by
email at [email protected] or mail at the Office of Management
Assessment (OMA), Office of the Director (OD), National Institutes of
Health (NIH), 6705 Rockledge Drive (RK1) 601, Rockville, MD 20892-7901.
Telephone: 301-402-6469.
SUPPLEMENTARY INFORMATION: The Privacy Act (5 U.S.C. 552a) governs the
means by which the United States Government collects, maintains, and
uses records in a system of records. A ``system of records'' is a group
of any records under the control of a federal agency from which
information about individuals is retrieved by name or other personal
identifier. The Privacy Act requires each agency to publish in the
Federal Register a SORN identifying and describing each system of
records the agency maintains, including the purposes for which the
agency uses records in the system of records, the routine uses for
which the agency discloses, or may disclose, such information outside
the agency without the subject individual's prior written consent, and
procedures explaining how subject individuals can exercise their rights
under the Privacy Act (e.g., to
[[Page 48655]]
determine if the system of records contains information about them). At
least 30 days prior to publication of this Notice in the Federal
Register, the Department submitted a report on the proposed system of
records to the Office of Management and Budget, the Committee on
Government Reform and Oversight of the House of Representatives, and
the Committee on Governmental Affairs of the Senate as required by 5
U.S.C. 552a(r) and in the form and manner required by Office of
Management and Budget (OMB) Circular A-108.
The NIH Division of Police, which is within the Office of Research
Services (ORS) in the NIH Office of the Director, was established to
provide an immediate and primary law enforcement program for NIH. The
NIH Division of Police derives its authority from 40 U.S.C. 1315, the
law enforcement authority of the Secretary of Homeland Security for the
protection of public property, and General Administrative Delegation of
Authority Number 08, Control of Violations of Law at Certain NIH
Facilities (September 1, 2020). Based on this establishing authority,
the NIH Division of Police performs criminal law enforcement activity
as its principal function. However, the NIH Division of Police conducts
both criminal and non-criminal (e.g., civil, administrative,
regulatory) law enforcement investigations.
The NIH Division of Police is directly responsible for the
provision of daily law enforcement and criminal and civil investigative
activities required to protect the life, safety, and property of NIH
employees, contractors, patients, and visitors. To perform these
responsibilities, the NIH Division of Police compiles and maintains
records of complaints of incidents, inquiries, investigative findings,
arrest records, and court dispositions which are retrieved by personal
identifiers and therefore constitute a ``system of records'' as defined
by the Privacy Act at 5 U.S.C. 552a(a)(5). The records are used
primarily to: (1) record incidents of crime, civil disturbance, and
traffic accidents on the NIH enclave, and the investigation of such
incidents; (2) maintain information essential to the protection of
life, safety, and property at NIH; (3) provide official records of law
enforcement investigative efforts for use in administrative, criminal,
and civil proceedings; and (4) document criminal and civil law
enforcement investigations.
All of the routine uses published in the SORN are compatible with
the original purpose for which criminal and non-criminal (e.g., civil,
administrative, regulatory) law enforcement investigatory records are
collected. Specifically:
Routine use 1 will permit disclosures to HHS contractors
who need access to the records in this system of records.
Routine use 2 will permit HHS to disclose records to the
Department of Justice or to a court or other adjudicative body in
limited circumstances that are necessary to the conduct of legal
proceedings.
Routine use 3 will permit HHS to refer records to other
appropriate law enforcement entities that have jurisdiction over a
matter that NIH discovers.
Where HHS has determined records to be sufficiently
reliable to support a referral, routine use 4 will permit disclosures
to another government agency or public authority of the fact that this
system of records contains information relevant to decisions about an
individual's employment, licensing, investigation, procurement, or
other decision of that agency or public authority to help determine
suitability as a contractor, licensee, grantee, or beneficiary. The
receiving entity may then make a request to HHS supported by the
written consent of the individual for further information if it so
chooses.
Routine use 5 will permit disclosures to the news media
and general public when the information is in the public interest and
would be required to be disclosed under the Freedom of Information Act,
but where no FOIA request has been received.
Routine use 6 is included as a courtesy to Members of
Congress acting in their capacity as constituent representatives. Under
normal circumstances, HHS would require any third party to present
written consent of the record subject to obtain records about the
record subject. However, if a record subject writes to a Member of
Congress for assistance, and the Member writes to HHS showing a copy of
the constituent's correspondence, HHS will recognize that request as if
it were a formal authorization and respond in order to allow the Member
of Congress to provide prompt service to the constituent.
Routine use 7 will permit HHS to disclose records about
accidents or traffic violations to the people involved so they can
defend themselves or manage insurance claims.
Routine uses 8 and 9 will authorize disclosures at the
recommendation of OMB to help us reduce and manage data breaches.
Alfred C. Johnson,
Deputy Director for Management, National Institutes of Health.
SYSTEM NAME AND NUMBER:
NIH Police Records, 09-25-0224.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The address of the agency component responsible for the system of
records is: Division of Police, Office of Research Services (ORS),
National Institutes of Health (NIH), Building 31, Room B3B17, 31 Center
Drive, Bethesda, MD 20892-2012.
SYSTEM MANAGER(S):
Chief, Division of Police, Office of Research Services (ORS),
National Institutes of Health, Building 31, Room B3B17, 31 Center Dr.,
Bethesda, MD 20892-2012. [email protected], telephone (301)
496-2387.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
40 U.S.C. 1315 Law enforcement authority of Secretary of Homeland
Security for protection of public property; Memorandum from the
Assistant Secretary for Administration, OS, to the Director, NIH, June
13, 1968; Memorandum from the Assistant Secretary for Administration,
OS, to the Director, NIH, June 13, 1968, entitled: Delegation of
Authority to Assist in Controlling Violations of Law at Certain HEW
Facilities Located in Montgomery County, Maryland; and NIH General
Administrative Delegation of Authority Number 08, Control of Violations
of Law at Certain NIH Facilities (September 1, 2020). Collection of
Social Security Numbers (SSN) is authorized by Executive Order (E.O.)
9397, as amended by E.O. 13478, to be used as the enumerator when 40
U.S.C. 1315, as implemented by NIH General Administrative Delegation of
Authority Number 08 authorizes use of enumerators or an indexing system
or other method to identify individuals and maintain accurate records
about them.
PURPOSE(S) OF THE SYSTEM:
The primary purposes for which the records are used are to: (1)
record incidents of crime, civil disturbance, and traffic accidents on
the NIH enclave, and the investigation of such incidents; (2) maintain
information essential to the protection of life, safety, and property
at NIH; (3) provide official records of law enforcement investigative
[[Page 48656]]
efforts for use in administrative, criminal and/or civil proceedings;
and (4) document criminal and civil law enforcement investigations.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Records will pertain to the following individuals: owners or
operators of vehicles entering or attempting to enter NIH property;
individuals who are involved in motor vehicle accidents; individuals
arrested on the NIH property; individuals suspected of posing a threat
to the safety of NIH visitors, personnel, and property; individuals who
report or provide information about any of the above referenced
activities; and individuals against whom criminal or civil penalties
have been sought or imposed for any of the above-referenced activities.
CATEGORIES OF RECORDS IN THE SYSTEM:
Records will consist of (as applicable) reports of moving and non-
moving traffic violations, accident reports, missing property reports,
and similar documents and files, containing data elements such as
names, descriptions, and contact information for subjects of
investigation and witnesses, Social Security Number (SSN), date of
birth, and vehicle license plate number, brand or model information;
and, if applicable, reports of criminal investigations, including
indicia of arrests (e.g., arrest reports fingerprints, photographs, and
other items of evidence), and criminal intelligence reports.
RECORD SOURCE CATEGORIES:
The records in this system of records are obtained directly from
the subject individual, or from interviews conducted by or are recorded
by the NIH Police Officer based on their observation, including
observation of camera footage, or statements made or given to them by
witnesses or other involved individuals, or are obtained by the NIH
Police Officer from sources such as the Federal Bureau of Instigation,
Department of Motor Vehicles, the individual's employer, criminal
database, local police, NIH Human Resources database, NIH Visitor Log
records, and reports of investigation.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
These routine uses specify circumstances, in addition to those
provided by statute in the Privacy Act of 1974 at 5 U.S.C. 552a(b),
under which HHS may disclose information from this system of records to
non-HHS officers and employees without the consent of the subject
individual.
1. Information may be disclosed to an HHS contractor engaged by HHS
to assist in accomplishment of an HHS function relating to the purposes
of this system of records who needs to have access to the record to
assist HHS in performing the activity. Any contractor will be required
to comply with the requirements of the Privacy Act of 1974, as amended.
2. Information may be disclosed to the Department of Justice (DOJ)
or to a court or other tribunal in litigation or other proceedings
when: (a) HHS, or any component thereof; (b) any HHS employee in his/
her official capacity; (c) any HHS employee in his/her individual
capacity where DOJ (or HHS, where it is authorized to do so) has agreed
to represent the employee; or (d) the United States Government, is a
party to the proceedings and, by careful review, HHS determines that
the records are both relevant and necessary to the proceedings.
3. Information may be disclosed to another federal agency or any
foreign, state, local, or Tribal government agency responsible for
enforcing, investigating, or prosecuting violations of administrative,
civil, or criminal law or regulation where that information is relevant
to an enforcement proceeding, investigation, or prosecution within the
agency's jurisdiction.
4. Information may be disclosed to a federal, foreign, state,
local, Tribal, or other public authority (e.g., a licensing
organization) of the fact that this system of records contains
information relevant to the hiring or retention of an employee, the
issuance or retention of a security clearance, the reporting of an
investigation of an individual, the letting of a contract, or the
issuance or retention of a license, grant, or other benefit. The other
agency or licensing organization may then make a request supported by
the written consent of the individual for further information if it so
chooses. HHS will not make an initial disclosure unless the information
has been determined to be sufficiently reliable to support a referral
to another office within the agency or to another federal agency for
criminal, civil, administrative, personnel, or regulatory action.
5. Information may be disclosed to the news media and general
public when there is a legitimate public interest (for example, to
provide information on events in the criminal process such as
indictments, and that would be required to be publicly disclosed under
FOIA if HHS received a request), or when necessary to protect the
public from an imminent threat to life or property.
6. Information may be disclosed to a congressional office in
response to a written inquiry from the congressional office made at the
written request of the individual record subject.
7. An accident report, or records concerning an accident or moving
or non-moving traffic violation, may be disclosed to any individual
allegedly involved or injured in the accident or traffic violation.
8. Information may be disclosed to appropriate agencies, entities,
and persons when (1) HHS suspects or has confirmed that there has been
a breach of the system of records; (2) HHS has determined that as a
result of the suspected or confirmed breach there is a risk of harm to
individuals, HHS (including its information systems, programs, and
operations), the federal government, or national security; and (3) the
disclosure made to such agencies, entities, and persons is reasonably
necessary to assist in connection with HHS's efforts to respond to the
suspected or confirmed breach or to prevent, minimize, or remedy such
harm.
9. Information may be disclosed to another federal agency or
federal entity, when HHS determines that information from this system
of records is reasonably necessary to assist the recipient agency or
entity in (1) responding to a suspected or confirmed breach or (2)
preventing, minimizing, or remedying the risk of harm to individuals,
the recipient agency or entity (including its information systems,
programs, and operations), the federal government, or national
security, resulting from a suspected or confirmed breach.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records are stored in various electronic media and in paper form.
In accordance with federal security requirements, policies, and
controls, as implemented by NIH and HHS, records may be located on
approved portable devices designed to hold any kind of digital,
optical, or other data including: laptops, tablets, personal data
assistants, Universal Serial Bus (USB) drives, media cards, portable
hard drives, Smartphones, compact discs (CDs), digital versatile discs
(DVDs), or other mobile storage devices.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records are retrieved by the subject individual's name or other
personal identifier, such as date of birth-or Social Security Number.
[[Page 48657]]
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
NIH Police Records are currently unscheduled and will be retained
indefinitely until authorized for disposition under a schedule approved
by the National Archives and Records Administration.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Measures to prevent unauthorized disclosures of NIH Police Records
are implemented as appropriate for each location or form of storage and
for the types of records maintained. Safeguards conform to the HHS
Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/index.html. Site(s) implement personnel and procedural
safeguards such as the following:
Authorized Users: Access is strictly limited to authorized
personnel whose duties require such access (i.e., valid, business need-
to-know).
Administrative Safeguards: Administrative controls include the
completion of a Security Assessment and Authorization (SA&A) package
and a Privacy Impact Assessment (PIA) for information technology (IT)
systems used to maintain the records, and mandatory completion of
annual NIH Information Security and Privacy Awareness training for
personnel authorized to access the records. The SA&A package consists
of a Security Categorization, e-Authentication Risk Assessment, System
Security Plan, evidence of Security Control Testing, Plan of Action and
Milestones, Contingency Plan, and evidence of Contingency Plan Testing.
When the design, development, or operation of a system of records is
required to accomplish an agency function and the agency engages an
outside contractor to support that operation, the applicable Privacy
Act Federal Acquisition Regulation (FAR) clauses are inserted in
solicitations and contracts.
Physical Safeguards: Controls to secure the data and protect paper
and electronic records, buildings, and related infrastructure against
threats associated with their physical environment include the use of
the HHS Employee ID or other badge, NIH key cards, security guards,
cipher locks, biometrics, and closed-circuit TV. Paper records are
secured in locked file cabinets, offices, and facilities. Electronic
media are kept on secure servers or computer systems. Access to the
restricted office area containing the rooms where records are stored is
controlled through the use of limited access proximity cards. Only
authorized users have access to these cards. Individuals who enter the
restricted area without a limited access proximity card are under
escort at all times. During regular business hours, rooms in this
restricted area are unlocked but entry is controlled by on-site
personnel. Rooms where records are stored are locked when not in use.
Individually identifiable records are kept in locked file cabinets or
in rooms under the direct control of the System Manager. Contractor
interaction with records covered by this system of records will occur
on-site and no physical records (paper or electronic) will be allowed
to be removed from the NIH Division of Police unless authorized. All
authorized users of personal information in connection with the
performance of their jobs protect information from public view and from
unauthorized personnel entering an unsupervised area/office.
Police incident and other sensitive reports and information are
kept in a limited access locked room with live video surveillance.
Intelligence reports containing investigations of criminal intelligence
matters are kept in a safe in the offices of the Supervisor,
Intelligence Section.
Technical Safeguards: Controls are generally executed by the
computer system and are employed to minimize the possibility of
unauthorized access, use, or dissemination of the data in the system.
They include user identification, password protection, firewalls,
virtual private network, encryption, intrusion detection system, common
access cards, smart cards, biometrics and public key infrastructure.
Computer records are accessible only through a series of code or
keyword commands available from and under the direct control of the
System Manager or delegated employees. These records are secured by a
multi-level security system which is capable of controlling access to
the individual data field level. Persons having access to the computer
database can be restricted to a confined application which permits only
a narrow ``view'' of the data.
RECORD ACCESS PROCEDURES:
This system of records will be exempt from access by subject
individuals to the extent permitted by 5 U.S.C. 552(j)(2) or (k)(2).
However, consideration will be given to any access request addressed to
the System Manager listed above. Most records pertaining to traffic
investigations will be accessible to any individual involved or injured
in the traffic violation or accident without interfering with or
compromising the integrity of an investigation. Individual record
subjects seeking access to records about themselves must submit a
written access request to the System Manager identified in the ``System
Manager(s)'' section above, at the postal or electronic mail address
indicated in that section. The request must reasonably specify the
record contents being sought and contain the requester's full name,
address, telephone number and/or email address, date of birth, and
signature, and should identify the approximate date(s) the information
was collected, and the types of information collected. So that HHS may
verify the requester's identity, the requester's signature must be
notarized, or the request must include the requester's written, signed
certification that the requester is the individual who the requester
claims to be and that the requester understands that the knowing and
willful request of a record pertaining to an individual under false
pretenses is a misdemeanor offense under the Privacy Act and subject to
fine of up to five thousand dollars. If records are requested on behalf
of a minor or legally incompetent individual, evidence of the
requester's parental or guardianship relationship to the individual
must be included and the identity of both the subject individual and
the requesting parent or guardian must be verified.
CONTESTING RECORD PROCEDURES:
This system of records will be exempt from amendment to the extent
permitted by 5 U.S.C. 552(j)(2) or (k)(2). However, consideration will
be given to any amendment request addressed to the System Manager
listed above. Individuals seeking to amend records about them in this
system of records must submit a written amendment request to the System
Manager, containing the same information required for an access
request. The amendment request must include verification of identity in
the same manner required for an access request; must reasonably
identify the record and specify the information contested, the
corrective action sought, and the reason(s) for requesting the
amendment and should include supporting information. The right to
contest records is limited to information that is factually inaccurate,
incomplete, irrelevant, or untimely (obsolete).
NOTIFICATION PROCEDURES:
This system of records will be exempt from notification to the
extent permitted by 5 U.S.C. 552(j)(2) or (k)(2). However,
consideration will be given to any notification request addressed to
the System Manager listed above.
[[Page 48658]]
Individuals who want to know whether this system of records contains
records about them must submit a written notification request to the
System Manager. The notification request must contain the same
information required for an access request and must include
verification of identity in the same manner required for an access
request.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
As provided in the Department's notice of proposed rulemaking, upon
publication of a Final Rule, law enforcement investigatory material in
this system of records will be exempt from certain requirements of the
Privacy Act as follows:
Based on 5 U.S.C. 552a(j)(2) and (k)(2), all criminal and
non-criminal (e.g., civil, administrative, regulatory) law enforcement
investigatory material will be exempt from the requirements in
subsections (c)(3), (d)(1) through (4), (e)(1), (e)(4)(G) through (I),
and (f) of the Privacy Act; provided, however, that for investigative
material compiled for law enforcement purposes other than material
within the scope of 5 U.S.C. 552a(j)(2), if maintenance of the records
causes a subject individual to be denied a federal right, privilege, or
benefit to or for which the individual would otherwise be entitled or
eligible, the exemption based on 5 U.S.C. 552a(k)(2) will be limited to
material that would reveal the identity of a source who furnished
information to the Government under an express promise that the
identity of the source would be held in confidence.
Because the NIH Division of Police is a component which
performs criminal law enforcement as its principal function, based on 5
U.S.C. 552a(j)(2), criminal law enforcement investigatory material will
be exempt from the additional requirements in these subsections of the
Privacy Act: (c)(4), (e)(2) and (3), (e)(5), and (g).
If any law enforcement investigatory material compiled in
this system of records 09-25-0224 is from another system of records in
which such material was exempted from access and other requirements of
the Privacy Act based on (j)(2), it will be exempt in system of records
09-25-0224 on the same basis (5 U.S.C. 552a(j)(2)) and from the same
requirements as in the source system of records.
HISTORY:
None.
[FR Doc. 2024-12468 Filed 6-6-24; 8:45 am]
BILLING CODE 4140-01-P