Privacy Act of 1974; System of Records Notice

AGENCY:

Department of Health and Human Services (HHS).

ACTION:

Notice to alter existing systems of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, HHS gives notice of a proposed alteration to two existing systems of records covering payroll records: 09-40-0006 entitled “Public Health Service (PHS) Commissioned Corps Payroll Records, HHS/PSC/HRS,” and 09-40-0010 entitled “Pay, Leave and Attendance Records, HHS/PSC/HRS.” The systems are being amended to revise an existing routine use covering disclosures to contractors and to add a new routine use pertaining to system security. The routine use changes are described in more detail in the Supplementary Information section below.

DATES:

The routine use changes described in this notice will become effective without further notice 30 days after publication of this notice in the Federal Register, unless comments received on or before that date result in revisions to this notice.

ADDRESSES:

The public should address written comments to: Office of the Surgeon General (OSG), Division of Systems Integration (DSI), Tower Oaks Building, Plaza Level 100, 1101 Wootton Parkway, Rockville, Maryland 20852. Comments will be available for public viewing at that location. To review comments in person, please contact the Office of the Surgeon General (OSG), Division of Systems Integration, at 240-453-6085.

FOR FURTHER INFORMATION CONTACT:

For system 09-40-0006, contact CAPT Eric Shih, Office of the Surgeon General (OSG), Division of Systems Integration (DSI) Tower Oaks Building, Plaza Level 100, 1101 Wootton Parkway, Rockville, Maryland 20852, 240-453-6085, Eric.Shih@hhs.gov. For system 09-40-0010, contact Charles Dietz, Program Support Center (PSC), Payroll Services Division, 5600 Fishers Lane, Room 17-01, Rockville, Maryland 20857, 301-504-3219, Charles.Dietz@hhs.gov.

SUPPLEMENTARY INFORMATION:

I. The Privacy Act

The Privacy Act (5 USC 552a) governs the means by which the U.S. Government collects, maintains, and uses information about individuals in a system of records. A “system of records” is a group of any records under the control of a Federal agency from which information about an individual is retrieved by the individual's name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purposes for which the agency uses information about individuals in the system, the routine uses for which the agency discloses such information outside the agency, and how individual record subjects can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them).

I. The Proposed Routine Use Changes

The payroll systems proposed to be altered are described in System of Records Notices (SORNs) published on December 11, 1998 (see 63 FR 68596). System 09-40-0006 covers payroll records for HHS Commissioned Corps personnel, and system 09-40-0010 covers payroll records for HHS civilian personnel. In reviewing the SORNs, it was determined that the following changes in routine uses should be made for both systems. Both changes are compatible with the purposes for which personally identifiable information (PII) is collected in each system, as explained below:

• Contractor routine use: The routine use authorizing disclosures to contractors (numbered as routine use 7 in system number 09-40-0006 and as routine use 6 in system number 09-40-0010) should be revised to state that records may be disclosed to “federal agencies and Department contractors that have been engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of the system (i.e., providing payroll services) and that need to have access to the records in order to assist HHS.” As currently worded, the routine use includes “contractors” but not “federal agencies” and describes the purposes for which a contractor would be engaged as “collating, analyzing, aggregating or otherwise refining records in the system.” Disclosing PII to a federal agency or Department contractor assisting HHS in providing payroll services is compatible with the purposes for which PII is collected in the system, because the PII is collected in the system for payroll-related purposes and the contractor, private firm or other federal agency would be using the PII for such purposes.
• Breach response routine use: A new routine use should be added (as routine use 13 in system number 09-40-0006 and as routine use 26 in system number 09-40-0010) to authorize HHS to disclose PII from the system to appropriate parties in the course of responding to a data security breach incident involving the system. Disclosing PII to appropriate parties in the course of responding to a data security breach incident involving the system is compatible with the purposes for which PII is collected in the system, because individuals whose PII is in the system expect their information to be secured, and the routine use will help HHS protect the security of the system. The Office of Management and Budget (OMB) has recommended that federal agencies publish such a routine use for their Privacy Act systems, to facilitate their ability to respond to data security breach incidents (see OMB Memorandum M-07-16 “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” issued May 22, 2007).

Because they represent significant changes to the systems, a report on these proposed routine use changes was sent to Congress and to OMB in accordance with 5 U.S.C. 552a(r).

For the reasons set forth above, HHS is establishing the following routine uses for these systems:

1. Public Health Service (PHS) Commissioned Corps Payroll Records, HHS/PSC/HRS (09-40-0006)

Revised Routine Use 7: Records may be disclosed to federal agencies and Department contractors that have been engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of the system (i.e., providing payroll services) and that need to have access to the records in order to assist HHS. Any contractor will be required to maintain Privacy Act safeguards with respect to such records. These safeguards are explained in the section entitled “Safeguards.”

New Routine Use 13: Records may be disclosed to appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of the information maintained in this system of records, if the information disclosed is relevant and necessary for that assistance.

2. Pay, Leave and Attendance Records, HHS/PSC/HRS (09-40-0010)

Revised Routine Use 6: Records may be disclosed to federal agencies and Department contractors that have been engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of the system (i.e., providing payroll services) and that need to have access to the records in order to assist HHS. Any contractor will be required to maintain Privacy Act safeguards with respect to such records. These safeguards are explained in the section entitled “Safeguards.”

New Routine Use 26: Records may be disclosed to appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of the information maintained in this system of records, if the information disclosed is relevant and necessary for that assistance.