
TMCNet:  Privacy Act of 1974; Report of a New System of Records; Food and Drug Administration User Fee System

[November 14, 2012]


Nov 14, 2012 (FIND, Inc. via COMTEX) -- SUMMARY: In accordance with the requirements of the Privacy Act of 1974 and the Food and Drug Administration's (FDA) regulations for the protection of privacy, FDA is publishing notice of a Privacy Act system of records entitled, "FDA User Fee System, HHS/FDA," System Number 09-10-0021. FDA utilizes the User Fee System (UFS) to collect fees pursuant to Federal law and FDA's implementing regulations. The records kept in this system relate to fees assessed under the Freedom of Information Act (FOIA), the Prescription Drug User Fee Act, the Medical Device User Fee and Modernization Act, the Animal Drug User Fee Act, the Animal Generic Drug User Fee Act, the Mammography Quality Standards Act, the Family Smoking Prevention and Tobacco Control Act, the Food Safety Modernization Act, the Biosimilar User Fee Act, the Generic Drug User Fee Act, and other fees assessed by FDA under its Federal Food, Drug and Cosmetic Act authority such as color additive certification fees and export certificate fees. For purposes of this notice, these fees are collectively referred to as user fees.

DATES: Effective Date: The new system of records will be effective on November 14, 2012, with the exception of the routine uses. The routine uses will become effective on December 31, 2012. Submit either electronic or written comments by December 31, 2012.

ADDRESSES: You may submit comments, identified by Docket No. FDA-2012-N-0911, by any of the following methods:

Electronic Submissions

Submit electronic comments in the following way:

- Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

Written Submissions

Submit written submissions in the following ways:

- Fax: 301-827-6870.
- Mail/Hand delivery/Courier (for paper or CD-ROM submissions): Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852.

Instructions: All submissions received must include the Agency name and Docket No. FDA-2012-N-0911 for this notice. All comments received may be posted without change to http://www.regulations.gov, including any personal information provided. For additional information on submitting comments, see the "Comments" heading of the SUPPLEMENTARY INFORMATION section of this document.

Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov and insert the docket number, found in brackets in the heading of this document, into the "Search" box and follow the prompts and/or go to the Division of Dockets Management, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852.

FOR FURTHER INFORMATION CONTACT: Lisa Berry, Office of Financial Management, Food and Drug Administration, 1350 Piccard Dr., suite 200A, Rockville, MD 20850, 301-796-7225.

SUPPLEMENTARY INFORMATION:

I. Description of the System of Records

The UFS is a billing and collections system that maintains information about the individuals, organizations, and companies required to pay user fees. Information maintained in the UFS includes:

- Contact person's name, phone number, fax number, and email address;
- Federal Employer Identification Number (FEIN) for entity remitters;
- Taxpayer Identification Number (TIN) for individual remitters, which is encrypted with only the last four characters visible (in some circumstances individual remitters may use a Social Security Number as the TIN);
- Company name or the Organization name; and
- Data Universal Numbering System (DUNS) number and business address.

The UFS also stores application details as the fee remitter (submitter) creates coversheets to pay user fees. These details include, but are not limited to, the type of application, waiver and exemption status, and Small Business Decision (SBD) Number. When a submitter generates a coversheet the UFS will only print the last four characters of the FEIN/TIN along with the organization name and address.

Additionally, the UFS stores billing details, adjustments to invoices, and payment receipt information including date, mode, and amount of payment.

II. Routine Use Disclosures of Information in the System

The Privacy Act allows FDA to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a "routine use." The routine uses in this system meet the compatibility requirement of the Privacy Act.

A number of the routine uses listed in the System of Records Notice below are common to systems across the government. These include routine uses allowing disclosure to Federal Agencies as necessary in order to respond to a confirmed or suspected breach of system security or confidentiality (routine use number 1); to the Department of Justice (DOJ) to obtain DOJ advice on producing user fee records in response to a FOIA request (routine use 2); to DOJ when DOJ represents the Agency in litigation (routine use 7); in response to a subpoena issued by a duly empowered Federal Agency (routine use 3); to a court or tribunal when the records are relevant and necessary to a proceeding involving the Agency or an employee (routine use 8); to contractors and others who perform services for the Agency related to the UFS (routine use 9); to the National Archives and Records Administration (NARA) and General Services Administration as needed in the course of records management inspections (routine use 10); and to the Department of Homeland Security (DHS) in circumstances where system records are captured in an intrusion detection program and made accessible to DHS (routine use 11).

Additional routine uses specific to the UFS allow disclosure to entities as permitted under the Debt Collection Improvement Act (routine use 4); to banks in order to process payment made by credit card (routine use 5); and to Dun and Bradstreet to validate submitter contact information (routine use 6).

SYSTEM NUMBER: 09-10-0021.

SYSTEM NAME: FDA User Fee System, HHS/FDA.

SECURITY CLASSIFICATION: Unclassified.

SYSTEM LOCATION: This system is located at FDA's Data Center in Ashburn, VA.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: This system contains records about individuals and companies that are required to submit user fee payments to the FDA. This includes organizations registered in the UFS, those billed through the system, as well as those submitting applications for review or otherwise assessed fees under the User Fee Program.

Privacy Act notification, access, and amendment rights relative to the UFS are available only to individuals who are the subject of records in this system. User fee record subjects are individuals required to pay a user fee, including individual FOIA requestors and individuals who are sole proprietors of an entity required to pay a user fee. Although records in the system may contain personally identifiable information (PII) related to other individuals, only the specified fee submitters are considered subjects of records in this system.

CATEGORIES OF RECORDS IN THE SYSTEM:

1. The UFS maintains information about individuals, companies and organizations that pay user fees. This includes: (a) For an entity remitter, a FEIN, and for an individual remitter, a TIN; (b) company or organization name and address; (c) DUNS number; and (d) contact person's name, phone number, fax number, and email address.

2. The UFS also stores application information collected when the fee remitter (submitter) creates coversheets in order to pay user fees. This information includes the type of application, waiver and exemption status, and SBD number.

3. The UFS stores fee processing information including: Billing details; adjustments to invoices including credit and debit memos; and receipt information including date, mode, and amount of payment.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 21 U.S.C. 371, 379, 379e, 379h, 379h-1, 379j, 379j-12, 379j-21, 379j-31, 387s, and 393(d)(2); 42 U.S.C. 263b(r)(1); 5 U.S.C. 301, 552; and 44 U.S.C. 3101.

PURPOSE(S): FDA personnel and any contractors assisting them will use information in the system, on a need-to-know basis, for the following purposes:

1. To assess and collect user fees.

2. To provide an electronic payment and receipt mechanism that is integrated with the U.S. Department of Treasury's http://www.Pay.gov Web site and the various FDA Centers.

3. To provide Web-based capabilities including transactional inquiries and information on payment status.

4. To facilitate debt collection activities in accordance with the Debt Collection Improvement Act of 1996 and the HHS regulations for claims collections (45 CFR Part 30).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING THE PURPOSES OF SUCH USES AND CATEGORIES OF USERS: Permitted disclosures include those made in accordance with routine uses that are listed in the notice of the system of records. 5 U.S.C. 552a(b)(3). The Privacy Act defines "routine use" as "with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected." See also FDA's Privacy Act regulations, defining "routine use" as "use outside the Department of Health and Human Services that is compatible with the purpose for which the records were collected and described in the [System of Records] notice * * *" 21 CFR 21.20(b)(5).

Records in this system that contain information about record subjects and nonsubjects (such as FDA employees who operate the system) may be disclosed to recipients outside HHS in accordance with the following routine uses:

1. Records may be disclosed to appropriate Federal Agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records.

2. In the event HHS deems it desirable or necessary, in determining whether particular records are required to be disclosed under the FOIA, disclosure may be made to the DOJ for the purpose of obtaining its advice.

3. Where Federal Agencies having the power to subpoena other Federal Agencies' records, such as the Internal Revenue Service, issue a subpoena to HHS for records in this system of records, HHS will make such records available, provided however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected.

4. A record from this system may be disclosed to entities as provided for in the Debt Collection Improvement Act of 1996 (Pub. L. 104-134).

5. A record may be disclosed to banks enrolled in the Treasury Credit Card Network to collect a payment or debt when the person has given his/her credit card number for this purpose.

6. UFS submitter data (name, address, DUNS number) may be provided to Dun and Bradstreet for validation for the purpose of maintaining database integrity.

7. Disclosure may be made to the Department of Justice (DOJ) when: (a) The Agency or any component thereof; (b) any employee of the Agency in his or her official capacity; (c) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee; or (d) the U.S. Government is a party to litigation or has an interest in such litigation, and by careful review, the Agency determines that the records are both relevant and necessary to the litigation and the use of such records by the DOJ is therefore deemed by the Agency to be for a purpose that is compatible with the purpose for which the Agency collected the records.

8. Disclosure may be made to a court or other tribunal, when: (a) The Agency or any component thereof; (b) any employee of the Agency in his or her official capacity; (c) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee; or (d) the U.S. Government is a party to the proceeding or has an interest in such proceeding, and by careful review, the Agency determines that the records are both relevant and necessary to the proceeding and the use of such records is therefore deemed by the Agency to be for a purpose that is compatible with the purpose for which the Agency collected the records.

9. Disclosure may be made to contractors and other individuals who perform services for the Agency related to this system of records, and who need access to the records in order to perform such services. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a.

10. Disclosure may be made to NARA and/or the General Services Administration for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.

11. Records may become accessible to U.S. Department of Homeland Security (DHS) cyber security personnel, if captured in an intrusion detection system used by HHS/FDA and DHS pursuant to the DHS Einstein 2 program. Under Einstein 2, DHS uses intrusion detection systems to monitor Internet traffic to and from Federal computer networks to prevent malicious computer code from reaching the networks. According to DHS' Privacy Impact Assessment for Einstein 2 (available on the DHS Cybersecurity privacy Web site, http://www.dhs.gov), only PII that is directly related to a malicious code security incident is captured by and accessible to DHS, and DHS does not access PII unless the PII is part of the malicious code.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE: Records may be maintained in hard copy files and on computer disks, hard drives, file servers, and other types of data storage devices.

RETRIEVABILITY: Records may be retrieved by computer search using name, address, contact information, system identifiable numbers (party/organization, submitter numbers), DUNS Number, and payment information (for refunds).

SAFEGUARDS:

1. Authorized users: Access is restricted to FDA employees and contractors with a Level 5 or higher clearance who have a need for the records in the performance of their duties.

2. Procedural and technical safeguards: Technical controls include identification and authentication, access control, audit and accountability, system and communication protection, timely account disablement/deletion, configuration management, maintenance, system and information integrity, media protection, and incident response. These controls extend to remote users as well. Additionally, when a remitter (submitter) generates a coversheet the UFS will only print the last four characters of the FEIN/TIN along with the Organization name and address.

3. Physical safeguards: Physical security safeguards include controlled-access buildings where all records (CDs, computer listings, and paper documents) are maintained in secured areas, locked buildings, locked rooms, and locked cabinets.

RETENTION AND DISPOSAL: UFS records are maintained in accordance with FDA's Records Control Schedule, and with the applicable General Records Schedule (GRS) and disposition schedule approved by NARA. UFS records fall under GRS 20, Items 2a(4) (hard copy input records), 12 and 16 (Output records and reports), and NARA approved citation N1-088-09-11, Items 1.1 (files maintained in the Office of Financial Management), 1.2 (data maintained by FDA Centers), and 1.3.2 (database records).

SYSTEM MANAGER AND ADDRESS: George Brindza, Division of Systems, FDA Office of Information Management (OIM), 2094 Gaither Rd., rm. 131, Rockville, MD 20850; 301-796-7845.

NOTIFICATION PROCEDURES: In accordance with 21 CFR part 21, subpart D, an individual may submit a request to the FDA Privacy Act Coordinator, with a notarized signature, to confirm whether records exist about him or her. Requests should be directed to the FDA Privacy Act Coordinator, Division of Freedom of Information, 12420 Parklawn Dr., ELEM-1036, Rockville, MD 20857. An individual requesting notification via mail should certify in his or her request that he or she is the individual who he or she claims to be and that he or she understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Act subject to a $5,000 fine, and indicate on the envelope and in a prominent manner in the request letter that he or she is making a "Privacy Act Request." Additional details regarding notification request procedures appear in 21 CFR part 21, subpart D.

RECORD ACCESS PROCEDURES: Procedures are the same as above, in Notification Procedures. Requesters should also reasonably specify the record contents being sought. Some records may be exempt from access under 5 U.S.C. 552a(d)(5), if they are "compiled in reasonable anticipation of a civil action or proceeding." If access to requested records is denied, the requester may appeal the denial to the FDA Commissioner. Additional details regarding record access procedures and identity verification requirements appear in 21 CFR part 21, subpart D.

CONTESTING RECORD PROCEDURES: In addition to the procedures described above, requesters should reasonably identify the record, specify the information they are contesting, state the corrective action sought and the reasons for the correction, and provide justifying information showing why the record is not accurate, complete, timely, or relevant. Rules and procedures regarding amendment of Privacy Act records appear in 21 CFR part 21, subpart E.

RECORD SOURCE CATEGORIES: Information in this system is obtained from many sources, including: (1) Directly from the individual, company or organization that is required to submit user fees to FDA; (2) from materials supplied by the submitter or individual acting on his/her behalf; (3) from FDA Centers such as the Center for Drug Evaluation and Research, Center for Devices and Radiological Health, Center for Biologics Evaluation and Research, Center for Veterinary Medicine, Center for Tobacco Products, Center for Food Safety and Applied Nutrition, and the Office of Financial Management; and (4) from any other relevant source.

RECORDS EXEMPTED FROM CERTAIN PROVISIONS OF THE PRIVACY ACT: None.

Dated: November 7, 2012.

Leslie Kux, Assistant Commissioner for Policy.

[FR Doc. 2012-27580 Filed 11-13-12; 8:45 am] BILLING CODE 4160-01-P Vol. 77, No. 220 [Docket No. FDA-2012-N-0911] Notices
