[Federal Register Volume 76, Number 16 (Tuesday, January 25, 2011)]
[Notices]
[Pages 4480-4482]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-33027]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Disease Control and Prevention


Privacy Act of 1974; Report of Modified or Altered System of 
Records

AGENCY: National Center for Environmental Health (NCEH), Coordinating 
Center for Environmental Health and Injury Prevention (CCEHIP), 
Department of Health and Human Services (DHHS).

ACTION: Notification of proposed altered System of Records.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services proposes to alter 
System of Records, 09-20-0162, ``Records of Subjects in Agent Orange, 
Vietnam Experience, and Selected Cancers Studies, HHS/CDC/CCEHIP/
NCEH.'' HHS is proposing to add the following Breach Response Routine 
Use Language to comply with the Office of Management and Budget (OMB) 
Memoranda (M) 07-16, Safeguarding Against and Responding to the Breach 
of Personally Identifiable Information:
    To appropriate Federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information disclosed is relevant 
and necessary for that assistance.
    These records will be maintained by the Coordinating Center for 
Environmental Health and Injury Prevention (CCEHIP), National Center 
for Environmental Health (NCEH).

DATES: Comments must be received on or before February 24, 2011. The 
proposed altered System of Records will be effective 40 days from the 
date submitted to the OMB, unless CCEHIP/NCEH receives comments that 
would result in a contrary determination.

ADDRESSES: You may submit comments, identified by the Privacy Act 
System of Record Number 09-20-0162:
     Federal eRulemaking Portal: http://regulations.gov. Follow 
the instructions for submitting comments.
     E-mail: Include PA SOR number 09-20-0162 in the subject 
line of the message.
     Phone: 770/488-8660 (not a toll-free number).
     Fax: 770/488-8659.
     Mail: HHS/CDC Senior Official for Privacy (SOP), Office of 
the Chief Information Security Officer (OCISO), 4770 Buford Highway--M/
S: F-35, Chamblee, GA 30341.
     Hand Delivery/Courier: HHS/CDC Senior Official for Privacy 
(SOP), Office of the Chief Information Security Officer (OCISO), 4770 
Buford Highway--M/S: F-35, Chamblee, GA 30341.
     Comments received will be available for inspection and 
copying at this same address from 9 a.m. to 3 p.m., Monday through 
Friday, Federal holidays excepted.

SUPPLEMENTARY INFORMATION: CCEHIP/NCEH proposes to alter System of 
Records, No. 09-20-0162, ``Records of Subjects in Agent Orange, Vietnam 
Experience, and Selected Cancers Studies, HHS/CDC/CCEHIP/NCEH.'' 
Records in this system are used to support studies to assess the health 
of Vietnam veterans relative to the health of other men of similar age. 
Specifically this information should enable the Centers for Disease 
Control and Prevention (CDC) to:
    1. Evaluate the relationship of documented exposure to herbicides 
used in Vietnam (primarily Agent Orange) to possible adverse health 
consequences. Such possible effects to be evaluated include 
dermatologic, neurological, psychological, immunological, carcinogenic, 
reproductive, gastrointestinal, and others.
    2. Assess the health effects of service in Vietnam (including 
factors other than herbicide exposure) as opposed to the experiences of 
veterans who served in other countries.
    3. Evaluate the risk of selected cancers among Vietnam veterans in 
contrast to men of similar age who did not serve in Vietnam.
    This System of Record Notice is being altered to add the Breach 
Response Routine Use Language to comply with the Office of Management 
and Budget (OMB) memorandum dated May 22, 2007.
    The following notice is written in the present tense, rather than 
the future tense, in order to avoid the unnecessary expenditure of 
public funds to republish the notice after the System has become 
effective.

    Dated: December 11, 2009.
James D. Seligman,
Chief Information Officer, Centers for Disease Control and Prevention.

    Editorial Note: This document was received at the Office of the 
Federal Register on December 27, 2010.

Department of Health and Human Services (HHS)

Centers for Disease Control and Prevention (CDC)

Coordinating Center for Environmental Health and Injury Prevention 
(CCEHIP)

Records of Subjects in Agent Orange, Vietnam Experience, and Selected 
Cancers Studies

Report of Modified or Altered System of Records

Narrative Statement

I. Background and Purpose of the System

A. Background

    The Department of Health and Human Services proposes to alter 
System of Records, No. 09-20-0162, ``Records of Subjects in Agent 
Orange, Vietnam Experience, and Selected Cancers Studies, HHS/CDC/
CCEHIP/NCEH.'' HHS is proposing to add the following Breach Response 
Routine Use Language to comply with the Office of Management and Budget 
(OMB) Memoranda (M) 07-16, Safeguarding Against and Responding to the 
Breach of Personally Identifiable Information:
    To appropriate Federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information disclosed is relevant 
and necessary for that assistance.

B. Purpose

    Records in this system are used to support studies to assess the 
health of Vietnam veterans relative to the health of other men of 
similar age. Specifically this information should enable the Centers 
for Disease Control and Prevention (CDC) to:
    1. Evaluate the relationship of documented exposure to herbicides 
used in Vietnam (primarily Agent Orange) to possible adverse health 
consequences. Such possible effects to be evaluated include 
dermatologic, neurological, psychological, immunological, carcinogenic, 
reproductive, gastrointestinal, and others.
    2. Assess the health effects of service in Vietnam (including 
factors other than herbicide exposure) as opposed to the experiences of 
veterans who served in other countries.
    3. Evaluate the risk of selected cancers among Vietnam veterans in 
contrast to men of similar age who did not serve in Vietnam.
    Portions of records (i.e., name, Social Security number or military 
service number, date of birth) may be disclosed to the National Center 
for Health Statistics, CDC for obtaining a determination of vital 
status. Death certificates stating the cause of death will then be 
obtained from the appropriate Federal, State, or local agency to enable 
CDC to evaluate whether excess mortality is occurring among Vietnam 
veterans.

II. Authority for Maintenance of the System

    The Public Health Service Act, Section 301, Research and 
Investigations (42 U.S.C. 241); and the Public Health Service Act, 
Sections 304, 306, and 308(d), which discuss authority to maintain data 
and to provide assurances of confidentiality for health research and 
related activities (42 U.S.C. 242b, 242k, and 242m(d)).

III. Proposed Routine Use Disclosures of Data in the System

    The Privacy Act allows us to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such compatible use of data is known as a ``routine 
use''. The routine uses proposed for this System are compatible with 
the stated purpose of the System:
    Records have been disclosed to Department of Health and Human 
Services contractors to locate veterans, cancer cases and controls, 
conduct interviews, perform medical examinations, analyze pathology 
specimens, and similar medical services, so that the research purposes 
for which the records were collected could be accomplished. The 
contractor was required to comply with the Privacy Act and to follow 
Section 308(d) of the Public Health Service Act with respect to such 
records.
    Portions of records (i.e., name, Social Security number or military 
service number) have been disclosed to other Federal agencies such as 
the Veterans Administration, Internal Revenue Service, and Social 
Security Administration only to obtain information to aid in locating 
veterans involved in the study. These disclosures would have been made 
to update locating information provided by the Army and Joint Services 
Environmental Support Group.
    Records may be disclosed to appropriate Federal agencies and 
Department contractors that have a need to know the information for the 
purpose of assisting the Department's efforts to respond to a suspected 
or confirmed breach of the security or confidentiality of information 
disclosed is relevant and necessary for that assistance.

IV. Effects of the Proposed System of Records on Individual Rights

    An individual may learn if a record exists about himself or herself 
by contacting the system manager at the above address. Persons who 
knowingly and willfully request or acquire a record pertaining to an 
individual under false pretenses are subject to a $5,000 fine for this 
criminal offense. Requesters in person must provide photo 
identification (such as driver's license) or other positive 
identification (i.e., place of birth, etc.) that would authenticate the 
identity of the individual making the request. Individuals who do not 
appear in person must submit a notarized request to verify their 
identity. A guardian who requests notification of, or access to, a 
mentally incompetent or severely physically impaired person's record 
must provide a birth certificate (or notarized copy), court order, or 
other appropriate evidence of guardianship. An individual who requests 
notification of, or access to, a medical record shall, at the time the 
request is made, designate in writing a responsible representative (who 
may be a physician, other health professional, or other responsible 
individual) who will be willing to review the record and inform the 
subject individual of its contents.
    In addition, the following information must be provided when 
requesting notification: (1) Full name and Social Security or military 
service number; and (2) nature of the study in which the requester 
participated.
    Same as notification procedures. Requesters should also reasonably 
specify the record contents being sought. An accounting of disclosures 
that have been made of the record, if any, may be requested.

V. Safeguards

    The records in this System are stored in hard copy records, 
microfilm, computer tapes/disks, CD-ROMs, and printouts. The records 
are retrieved by the name, Social Security number or military service 
number (when supplied voluntarily or contained in existing records used 
in studies under this system), or other identifying number.
    Records in this system are collected under an assurance of 
confidentiality authorized by Section 308(d) of the Public Health 
Service Act. To comply with this assurance, the following special 
safeguards are necessary:
    Authorized Users: A database security package is implemented on 
CDC's mainframe computer to control unauthorized access to the system. 
Attempts to gain access by unauthorized individuals are automatically 
recorded and reviewed on a regular basis. Access is granted to only a 
limited number of physicians, scientists, statisticians, and designated 
support staff of the Centers for Disease Control and Prevention (CDC), 
as authorized by the system manager to accomplish the stated purpose 
for which the data in this system have been collected.
    Physical Safeguards: Access to the CDC Clifton Road facility where 
the mainframe computer is located is controlled by a cardkey system. 
Access to the computer room is controlled by a cardkey and security 
code (numeric keypad) system. The local fire department is located 
directly next door to the Clifton Road facility. The computer room is 
protected by an automatic sprinkler system, numerous automatic sensors 
(e.g., water, heat, smoke, etc.) are installed, and a proper mix of 
portable fire extinguishers is located throughout the computer room. 
Hard copy records are kept in locked cabinets in locked rooms. Security 
guard service in buildings provides personnel screening of visitors.
    Procedural Safeguards: Protection for computerized records on the 
mainframe includes programmed verification of valid user identification 
code and password prior to logging on to the system; mandatory password 
changes, limited log-ins, virus protection, and user rights/file 
attribute restrictions. Password protection imposes user name and 
password log-in requirements to prevent unauthorized access. Each user 
name is assigned limited access rights to files and directories at 
varying levels to control file sharing. There are routine daily backup 
procedures and secure off-site storage is available for backup tapes. 
To avoid inadvertent data disclosure, when erasing computer tapes and/
or other magnetic media, an additional procedure is performed to ensure 
that all Privacy Act data are removed. Additional safeguards may be 
built into the program by the system analyst as warranted by the 
sensitivity of the data.
    Access to highly sensitive systems is limited to users obtaining 
prior supervisory approval. Names and other details necessary to 
identify individuals are not included in data files used for analysis. 
These files are indexed by code numbers which are linked with complete 
identifiers only if there is a specific need. Keys which link 
identification numbers to names are stored separately with access 
limited to CDC project officers and authorized staff.
    CDC employees who process the records are instructed in specific 
rules of conduct to protect the security and confidentiality of records 
in accordance with Section 308(d) of the Public Health Service Act.
    Implementation Guidelines: The safeguards outlined above are in 
accordance with the HHS Information Security Program Policy and FIPS 
Pub 200, ``Minimum Security Requirements for Federal Information and 
Information Systems.'' Data maintained on CDC's Mainframe are in 
compliance with OMB Circular A-130, Appendix III. Security is provided 
for information collection, processing, transmission, storage, and 
dissemination in general support systems and major applications.
    The records are retained and disposed of in accordance with the CDC 
Records Control Schedule, which allows the system manager to maintain 
the records for 20 years unless needed for future reference. Because 
five-year mortality updates are planned until the study population 
expires, and health information from the questionnaire will be 
correlated with the mortality data, the computerized records to which 
questionnaire data were converted may be kept as long as research needs 
dictate. Records have been transferred to the Federal Records Center 
for storage and will be retained there subject to statutory 
confidentiality requirements.

VI. OMB Control Numbers, Expiration Dates, and Titles of Information 
Collection

    A. Full Title: ``Records of Subjects in Agent Orange, Vietnam 
Experience, and Selected Cancers Studies, HHS/CDC/CCEHIP/NCEH.''
    OMB Control Number: 09-20-0162.
    Expiration Date: TBD.

VII. Supporting Documentation

    A. Preamble and Proposed Notice of System for publication in the 
Federal Register.
    B. Agency Rules: None.
    C. Exemption Requested: None.
    D. Computer Matching Report: The new system does not require a 
matching report in accordance with the computer matching provisions of 
the Privacy Act.
[FR Doc. 2010-33027 Filed 1-24-11; 8:45 am]
BILLING CODE 4163-18-P