87 FR 19 pgs. 4604-4607 - Privacy Act of 1974; System of Records
Type: NOTICEVolume: 87Number: 19Pages: 4604 - 4607
Pages: 4604, 4605, 4606, 4607FR document: [FR Doc. 2022-01771 Filed 1-27-22; 8:45 am]
Agency: Health and Human Services Department
Sub Agency: Children and Families Administration
Official PDF Version: PDF Version
[top]
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Administration for Children and Families
Privacy Act of 1974; System of Records
AGENCY:
Administration for Children and Families (ACF), Department of Health and Human Services (HHS).
ACTION:
Notice of a modified system of records.
[top]
SUMMARY:
In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is modifying an existing system of records maintained by the Administration for Children and Families (ACF), Office of Child Care (OCC): System Number 09-80-0371, OCC Federal Child Care Monthly Case Records. The system of records covers case-level information on low-income working families receiving child care financial assistance through the Child Care and Development Fund (CCDF), which is provided in aggregate, non-identifiable format to Congress for empirical assessment, and to researchers and the public. Only certain pre-October 2015, case records ( i.e., those that include Social Security Number (SSN) as a case identifier) are included in this system of records, because only those are retrieved by a personal identifier.
DATES:
In accordance with 5 U.S.C. 552a(e)(4) and (11), this Notice is applicable January 28, 2022, subject to a 30-day period in which to comment on the new routine use, described below. Please submit any comments by February 28, 2022.
ADDRESSES:
The public should address written comments by mail or email to: Anita Alford, Senior Official for Privacy, Administration for Children and Families, 330 C St. SW, Washington, DC 20201, or anita.alford@acf.hhs.gov.
FOR FURTHER INFORMATION CONTACT:
General questions about this system of records should be submitted by mail or email to Helen Papadopoulos, Information Technology Specialist, at 330 C St. SW, Washington, DC 20201, 202-205-8455 or helen.papadopoulos@acf.hhs.gov.
SUPPLEMENTARY INFORMATION:
The following modifications have been made to System of Records Notice (SORN) 09-80-0371 to update and improve it:
• The Categories of Records section has been revised to limit the system of records to pre-October 2015, records that include SSN as a case identifier and to list more examples of data elements contained in the records.
• The Routine Uses section has been updated to remove the statement "Disclosure to Consumer Reporting Agencies: None" that was formerly included in the Routine Uses section and numbered as routine use 11 (but isn't a routine use). Routine use 3, that authorizes disclosures to members of Congress and their office staff for purposes of responding to constituent inquiries, has been revised to require that the constituent requests be "written." The two-breach response-related routine uses that were revised and added February 14, 2018, (see 83 FR 6591) are now numbered as 10a.and 10b.
• The Retrieval section has been revised to clarify that SSN is the only personal identifier used for retrieval, because other unique case identifiers assigned by states and territories are not personal identifiers (other case identifiers identify a family without also identifying a particular individual).
• The Retention and Disposal section has been updated to identify the applicable records disposition authority, DAA-0292-2018-0004, item 1.
Ruth Friedman,
Director, Office of Child Care, Administration for Children and Families.
SYSTEM NAME AND NUMBER:
OCC Federal Child Care Monthly Case Records, 09-80-0371.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The component responsible for this system of records is the Office of Child Care, Administration for Children and Families, 330 C St. SW, Washington, DC 20201.
SYSTEM MANAGERS:
Information Technology Specialist, Office of Child Care, Administration for Children and Families, 330 C St. SW, Washington, DC 20201, (202) 690-6782, occ@acf.hhs.gov.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
42 U.S.C. 9858i, 9858j.
PURPOSE(S) OF THE SYSTEM:
The system of records contains OCC federal child care monthly case-level data which states and territories regularly collect and are required to provide to OCC about families receiving CCDF services and the environments where those services are provided. The Child Care and Development Block Grant (CCDBG) Act of 1990 requires states and territories to submit specific information to OCC, so that OCC can in turn report it (in aggregate form) to Congress, to give Congress an empirical basis for assessing the program (see 42 U.S.C. 9858i, 9858j). OCC also makes non-identifiable records available to researchers and the public.
The records in this system of records are pre-October 2015, records that are not intended to be personally-identifying and are not used for any purpose that involves identifying particular individuals; however, they contain, and are retrieved by, SSN, that states and territories used as a case identifier prior to October 2015. The purpose of the case identifier is to accurately count the number of families served over time and ensure that data reported at different times about the same case ( i.e., the same family) is associated with the correct case for research purposes.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The records in this system of records are about low-income working families receiving child care financial assistance through the CCDF whose information was reported on form ACF-801, prior to October 2015, by states and territories that used SSN as a case identifier.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records consist of pre-October 2015, case-level information about families receiving CCDF services. They contain SSN as a case identifier and data elements such as state and county, reason for receiving care, total monthly copayment, total monthly income, sources of income, date assistance began, and specific data elements about children, such as race and ethnicity, birth month and year, type of child care, total monthly amount paid to child care provider, total hours of child care provided, and characteristics of the environment where the child was served, such as accreditation status or standards met. Names are not collected, and the records are not intended to include other personal identifiers. However, prior to October 2015, case-level information reported by states and territories included Social Security Numbers (SSNs) as a state- or territory-assigned case identifier (instead of another unique but non-personally identifying case identifier), for families based on requirements of the states and territories.
RECORD SOURCE CATEGORIES:
Information in the system is obtained by the states and territories receiving funds from the Child Care and Development Fund.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:
[top] These routine uses specify circumstances, in addition to others provided by statute in subsection (b) of the Privacy Act of 1974 (5 U.S.C. 552a(b)), under which ACF may release information from this system of records without the consent of the data subject. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible.
1. Disclosure for Law Enforcement Purpose. Information may be disclosed to the appropriate federal, state, local, tribal, or foreign agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order, if the information is relevant to a violation or potential violation of civil or criminal law or regulation within the jurisdiction of the receiving entity.
2. Disclosure for Private Relief Legislation. Information may be disclosed to the Office of Management and Budget at any stage in the legislative coordination and clearance process in connection with private relief legislation as set forth in OMB Circular No. A-19.
3. Disclosure to Congressional Office. Information may be disclosed to a congressional office from the record of an individual in response to a written inquiry from the congressional office made at the written request of the individual.
4. Disclosure to Department of Justice or in Proceedings. Information may be disclosed to the Department of Justice, or in a proceeding before a court, adjudicative body, or other administrative body before which HHS is authorized to appear, when:
• HHS, or any component thereof; or
• Any employee of HHS in his or her official capacity; or
• Any employee of HHS in his or her individual capacity where the Department of Justice or HHS has agreed to represent the employee; or
• The United States, if HHS determines that litigation is likely to affect HHS or any of its components,
is a party to litigation or has an interest in such litigation, and the use of such records by the Department of Justice or HHS is deemed by HHS to be relevant and necessary to the litigation provided, however, that in each case it has been determined that the disclosure is compatible with the purpose for which the records were collected.
5. Disclosure to the National Archives and Records Administration (NARA). Information may be disclosed to NARA in records management inspections.
6. Disclosure to Contractors, Grantees, and Others. Information may be disclosed to contractors, grantees, consultants, or volunteers performing or working on a contract, service, grant, cooperative agreement, job, or other activity for HHS and who have a need to have access to the information in the performance of their duties or activities for HHS.
7. Disclosure for Administrative Claim, Complaint, and Appeal. Information may be disclosed to an authorized appeal grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator or other person properly engaged in investigation or settlement of an administrative grievance, complaint, claim, or appeal filed by an employee, but only to the extent that the information is relevant and necessary to the proceeding. Agencies that may obtain information under this routine use include, but are not limited to, the Office of Personnel Management, Office of Special Counsel, Merit Systems Protection Board, Federal Labor Relations Authority, Equal Employment Opportunity Commission, and Office of Government Ethics.
8. Disclosure to Office of Personnel Management. Information may be disclosed to the Office of Personnel Management pursuant to that agency's responsibility for evaluation and oversight of Federal personnel management.
9. Disclosure in Connection with Litigation. Information may be disclosed in connection with litigation or settlement discussions regarding claims by or against HHS, including public filing with a court, to the extent that disclosure of the information is relevant and necessary to the litigation or discussions and except where court orders are otherwise required under section (b)(11) of the Privacy Act of 1974, 5 U.S.C. 552a(b)(11).
10. Disclosure in the Event of a Security Breach.
a. Information may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
b. Information may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Case-level records are stored on a computer network/database. Servers for the database are currently located at the National Institutes of Health Center for Information Technology (NIHCIT) in Bethesda, MD.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
The records are retrieved by SSN.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Records on families and children receiving child care subsidies funded by the Child Care and CCDF are destroyed eight years after the end of the fiscal year in which the data was reported ( e.g., the cutoff for Fiscal Year 2015 data is September 30, 2015), per records disposition authority DAA-0292-2018-0004, item 1 approved by the National Archives and Records Administration (NARA).
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Safeguards conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/index.html. Information is safeguarded in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook, all pertinent National Institutes of Standards and Technology (NIST) publications; and OMB Circular A-130, Managing Information as a Strategic Resource.
• Administrative Safeguards: Access to records is limited to persons authorized to update, view, or maintain Federal Child Care Monthly Case Records. Authorized users include internal users such as government and contractor personnel and federal researchers. Federal employees and direct contractor users must attend general computer security training and sign a Rules of Behavior, that is renewed annually. Additionally, direct contractors are required to sign a non-disclosure agreement. All users are given role-based access to the system on a limited need-to-know basis. Approved users' access to system records is controlled by two factor authentications. Physical and logical access to the system is removed upon termination of employment or other change in the user's role.
[top] • Technical Safeguards: Electronic records are protected from unauthorized
• Physical Safeguards: The facility housing OCC information systems is a secure data center and can only be accessed by authorized infrastructure staff from HHS and NIH. The facility maintains fire suppression and detection devices/systems ( e.g., sprinkler systems, handheld fire extinguishers, fixed fire hoses, and/or smoke detectors) that are activated in the event of a fire. Servers and other computer equipment used to process identifiable data are located in secured areas and use physical access devices ( e.g., keys, locks, combinations, and card readers) and/or security guards to control entries into the facility.
RECORD ACCESS PROCEDURES:
An individual seeking access to records about him or her in this system of records must submit a written request to the System Manager/Policy Coordinating Official at the address specified in the "System Manager" section above. The requester must verify his or her identity by providing either a notarization of the request or a written certification that the requester is who or she claims to be and understands that the knowing and willful request for access to a record pertaining to an individual from an agency under false pretenses is a criminal offense under the Privacy Act, subject to a fine of up to five thousand dollars. Requesters may also ask for an accounting of disclosures that have been made of their records, if any.
CONTESTING RECORD PROCEDURES:
An individual seeking to amend a record about him or her in this system of records must submit a written request to the System Manager indicated above, verify his or her identity in the same manner as is required for an access request, and reasonably identify the record and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with any supporting documentation. The right to contest records is limited to information that is incomplete, incorrect, untimely, or irrelevant.
NOTIFICATION PROCEDURES:
An individual who wishes to know if this system of records contains records about him or her must submit a written request to the System Manager indicated above, and must verify his or her identity in the same manner as is required for an access request.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
80 FR 17893 (Apr. 2, 2015), 83 FR 6591 (Feb. 14, 2018).
[FR Doc. 2022-01771 Filed 1-27-22; 8:45 am]
BILLING CODE 4184-81-P