[Federal Register Volume 77, Number 220 (Wednesday, November 14, 2012)]
[Notices]
[Pages 67820-67823]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-27580]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA-2012-N-0911]
Privacy Act of 1974; Report of a New System of Records; Food and
Drug Administration User Fee System
AGENCY: Food and Drug Administration, HHS.
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of 1974
and the Food and Drug Administration's (FDA) regulations for the
protection of privacy, FDA is publishing notice of a Privacy Act system
of records entitled, ``FDA User Fee System, HHS/FDA,'' System Number
09-10-0021. FDA utilizes the User Fee System (UFS) to collect fees
pursuant to Federal law and FDA's implementing regulations. The records
kept in this system relate to fees assessed under the Freedom of
Information Act (FOIA), the Prescription Drug User Fee Act, the Medical
Device User Fee and Modernization Act, the Animal Drug User Fee Act,
the Animal Generic Drug User Fee Act, the Mammography Quality Standards
Act, the Family Smoking Prevention and Tobacco Control Act, the Food
Safety Modernization Act, the Biosimilar User Fee Act, the Generic Drug
User Fee Act, and other fees assessed by FDA under its Federal Food,
Drug and Cosmetic Act authority such as color additive certification
fees and export certificate fees. For purposes of this notice, these
fees are collectively referred to as user fees.
DATES: Effective Date: The new system of records will be effective on
November 14, 2012, with the exception of the routine uses. The routine
uses will become effective on December 31, 2012. Submit either
electronic or written comments by December 31, 2012.
ADDRESSES: You may submit comments, identified by Docket No. FDA-2012-
N-0911, by any of the following methods:
Electronic Submissions
Submit electronic comments in the following way:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Written Submissions
Submit written submissions in the following ways:
Fax: 301-827-6870.
Mail/Hand delivery/Courier (for paper or CD-ROM
submissions): Division of Dockets Management (HFA-305), Food and Drug
Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852.
Instructions: All submissions received must include the Agency name
and Docket No. FDA-2012-N-0911 for this notice. All comments received
may be posted without change to http://www.regulations.gov, including
any personal information provided. For additional information on
submitting comments, see the ``Comments'' heading of the SUPPLEMENTARY
INFORMATION section of this document.
Docket: For access to the docket to read background documents or
comments received, go to http://www.regulations.gov and insert the
docket number, found in brackets in the heading of this document, into
the ``Search'' box and follow the prompts and/or go to the Division of
Dockets Management, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852.
FOR FURTHER INFORMATION CONTACT: Lisa Berry, Office of Financial
Management,
[[Page 67821]]
Food and Drug Administration, 1350 Piccard Dr., suite 200A, Rockville,
MD 20850, 301-796-7225.
SUPPLEMENTARY INFORMATION:
I. Description of the System of Records
The UFS is a billing and collections system that maintains
information about the individuals, organizations, and companies
required to pay user fees. Information maintained in the UFS includes:
Contact person's name, phone number, fax number, and email
address;
Federal Employer Identification Number (FEIN) for entity
remitters;
Taxpayer Identification Number (TIN) for individual
remitters, which is encrypted with only the last four characters
visible (in some circumstances individual remitters may use a Social
Security Number as the TIN);
Company name or the Organization name; and
Data Universal Numbering System (DUNS) number and business
address.
The UFS also stores application details as the fee remitter
(submitter) creates coversheets to pay user fees. These details
include, but are not limited to, the type of application, waiver and
exemption status, and Small Business Decision (SBD) Number. When a
submitter generates a coversheet the UFS will only print the last four
characters of the FEIN/TIN along with the organization name and
address.
Additionally, the UFS stores billing details, adjustments to
invoices, and payment receipt information including date, mode, and
amount of payment.
II. Routine Use Disclosures of Information in the System
The Privacy Act allows FDA to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such compatible use of data is known as a ``routine
use.'' The routine uses in this system meet the compatibility
requirement of the Privacy Act.
A number of the routine uses listed in the System of Records Notice
below are common to systems across the government. These include
routine uses allowing disclosure to Federal Agencies as necessary in
order to respond to a confirmed or suspected breach of system security
or confidentiality (routine use number 1); to the Department of Justice
(DOJ) to obtain DOJ advice on producing user fee records in response to
a FOIA request (routine use 2); to DOJ when DOJ represents the Agency
in litigation (routine use 7); in response to a subpoena issued by a
duly empowered Federal Agency (routine use 3); to a court or tribunal
when the records are relevant and necessary to a proceeding involving
the Agency or an employee (routine use 8); to contractors and others
who perform services for the Agency related to the UFS (routine use 9);
to the National Archives and Records Administration (NARA) and General
Services Administration as needed in the course of records management
inspections (routine use 10); and to the Department of Homeland
Security (DHS) in circumstances where system records are captured in an
intrusion detection program and made accessible to DHS (routine use
11).
Additional routine uses specific to the UFS allow disclosure to
entities as permitted under the Debt Collection Improvement Act
(routine use 4); to banks in order to process payment made by credit
card (routine use 5); and to Dun and Bradstreet to validate submitter
contact information (routine use 6).
SYSTEM NUMBER:
09-10-0021.
SYSTEM NAME:
FDA User Fee System, HHS/FDA.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
This system is located at FDA's Data Center in Ashburn, VA.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
This system contains records about individuals and companies that
are required to submit user fee payments to the FDA. This includes
organizations registered in the UFS, those billed through the system,
as well as those submitting applications for review or otherwise
assessed fees under the User Fee Program.
Privacy Act notification, access, and amendment rights relative to
the UFS are available only to individuals who are the subject of
records in this system. User fee record subjects are individuals
required to pay a user fee, including individual FOIA requestors and
individuals who are sole proprietors of an entity required to pay a
user fee. Although records in the system may contain personally
identifiable information (PII) related to other individuals, only the
specified fee submitters are considered subjects of records in this
system.
CATEGORIES OF RECORDS IN THE SYSTEM:
1. The UFS maintains information about individuals, companies and
organizations that pay user fees. This includes: (a) For an entity
remitter, a FEIN, and for an individual remitter, a TIN; (b) company or
organization name and address; (c) DUNS number; and (d) contact
person's name, phone number, Fax number, and email address.
2. The UFS also stores application information collected when the
fee remitter (submitter) creates coversheets in order to pay user fees.
This information includes the type of application, waiver and exemption
status, and SBD number.
3. The UFS stores fee processing information including: Billing
details; adjustments to invoices including credit and debit memos; and
receipt information including date, mode, and amount of payment.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
21 U.S.C. 371, 379, 379e, 379h, 379h-1, 379j, 379j-12, 379j-21,
379j-31, 387s, and 393(d)(2); 42 U.S.C. 263b(r)(1); 5 U.S.C. 301, 552;
and 44 U.S.C. 3101.
PURPOSE(S):
FDA personnel and any contractors assisting them will use
information in the system, on a need-to-know basis, for the following
purposes:
1. To assess and collect user fees.
2. To provide an electronic payment and receipt mechanism that is
integrated with the U.S. Department of Treasury's http://www.Pay.gov
Web site and the various FDA Centers.
3. To provide Web-based capabilities including transactional
inquiries and information on payment status.
4. To facilitate debt collection activities in accordance with the
Debt Collection Improvement Act of 1996 and the HHS regulations for
claims collections (45 CFR Part 30).
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING THE PURPOSES
OF SUCH USES AND CATEGORIES OF USERS:
Permitted disclosures include those made in accordance with routine
uses that are listed in the notice of the system of records. 5 U.S.C.
552a(b)(3). The Privacy Act defines ``routine use'' as ``with respect
to the disclosure of a record, the use of such record for a purpose
which is compatible with the purpose for which it was collected.'' See
also FDA's Privacy Act regulations, defining ``routine use'' as ``use
outside the Department of Health and Human Services that is compatible
with the purpose for which the records were collected and described in
the [System of Records] notice * * *'' 21 CFR 21.20(b)(5).
[[Page 67822]]
Records in this system that contain information about record
subjects and nonsubjects (such as FDA employees who operate the system)
may be disclosed to recipients outside HHS in accordance with the
following routine uses:
1. Records may be disclosed to appropriate Federal Agencies and
Department contractors that have a need to know the information for the
purpose of assisting the Department's efforts to respond to a suspected
or confirmed breach of the security or confidentiality of information
maintained in this system of records.
2. In the event HHS deems it desirable or necessary, in determining
whether particular records are required to be disclosed under the FOIA,
disclosure may be made to the DOJ for the purpose of obtaining its
advice.
3. Where Federal Agencies having the power to subpoena other
Federal Agencies' records, such as the Internal Revenue Service, issue
a subpoena to HHS for records in this system of records, HHS will make
such records available, provided however, that in each case, HHS
determines that such disclosure is compatible with the purpose for
which the records were collected.
4. A record from this system may be disclosed to entities as
provided for in the Debt Collection Improvement Act of 1996 (Pub. L.
104-134).
5. A record may be disclosed to banks enrolled in the Treasury
Credit Card Network to collect a payment or debt when the person has
given his/her credit card number for this purpose.
6. UFS submitter data (name, address, DUNS number) may be provided
to Dun and Bradstreet for validation for the purpose of maintaining
database integrity.
7. Disclosure may be made to the Department of Justice (DOJ) when:
(a) The Agency or any component thereof; (b) any employee of the Agency
in his or her official capacity; (c) any employee of the Agency in his
or her individual capacity where the DOJ has agreed to represent the
employee; or (d) the U.S. Government is a party to litigation or has an
interest in such litigation, and by careful review, the Agency
determines that the records are both relevant and necessary to the
litigation and the use of such records by the DOJ is therefore deemed
by the Agency to be for a purpose that is compatible with the purpose
for which the Agency collected the records.
8. Disclosure may be made to a court or other tribunal, when: (a)
The Agency or any component thereof; (b) any employee of the Agency in
his or her official capacity; (c) any employee of the Agency in his or
her individual capacity where the DOJ has agreed to represent the
employee; or (d) the U.S. Government is a party to the proceeding or
has an interest in such proceeding, and by careful review, the Agency
determines that the records are both relevant and necessary to the
proceeding and the use of such records is therefore deemed by the
Agency to be for a purpose that is compatible with the purpose for
which the Agency collected the records.
9. Disclosure may be made to contractors and other individuals who
perform services for the Agency related to this system of records, and
who need access to the records in order to perform such services.
Recipients shall be required to comply with the requirements of the
Privacy Act of 1974, as amended, 5 U.S.C. 552a.
10. Disclosure may be made to NARA and/or the General Services
Administration for the purpose of records management inspections
conducted under authority of 44 U.S.C. 2904 and 2906.
11. Records may become accessible to U.S. Department of Homeland
Security (DHS) cyber security personnel, if captured in an intrusion
detection system used by HHS/FDA and DHS pursuant to the DHS Einstein 2
program. Under Einstein 2, DHS uses intrusion detection systems to
monitor Internet traffic to and from Federal computer networks to
prevent malicious computer code from reaching the networks. According
to DHS' Privacy Impact Assessment for Einstein 2 (available on the DHS
Cybersecurity privacy Web site, http://www.dhs.gov), only PII that is
directly related to a malicious code security incident is captured by
and accessible to DHS, and DHS does not access PII unless the PII is
part of the malicious code.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Records may be maintained in hard copy files and on computer disks,
hard drives, file servers, and other types of data storage devices.
RETRIEVABILITY:
Records may be retrieved by computer search using name, address,
contact information, system identifiable numbers (party/organization,
submitter numbers), DUNS Number, and payment information (for refunds).
SAFEGUARDS:
1. Authorized users: Access is restricted to FDA employees and
contractors with a Level 5 or higher clearance who have a need for the
records in the performance of their duties.
2. Procedural and technical safeguards: Technical controls include
identification and authentication, access control, audit and
accountability, system and communication protection, timely account
disablement/deletion, configuration management, maintenance, system and
information integrity, media protection, and incident response. These
controls extend to remote users as well. Additionally, when a remitter
(submitter) generates a coversheet the UFS will only print the last
four characters of the FEIN/TIN along with the Organization name and
address.
3. Physical safeguards: Physical security safeguards include
controlled-access buildings where all records (CDs, computer listings,
and paper documents) are maintained in secured areas, locked buildings,
locked rooms, and locked cabinets.
RETENTION AND DISPOSAL:
UFS records are maintained in accordance with FDA's Records Control
Schedule, and with the applicable General Records Schedule (GRS) and
disposition schedule approved by NARA. UFS records fall under GRS 20,
Items 2a(4) (hard copy input records), 12 and 16 (Output records and
reports), and NARA approved citation N1-088-09-11, Items 1.1 (files
maintained in the Office of Financial Management), 1.2 (data maintained
by FDA Centers), and 1.3.2 (database records).
SYSTEM MANAGER AND ADDRESS:
George Brindza, Division of Systems, FDA Office of Information
Management (OIM), 2094 Gaither Rd., rm. 131, Rockville, MD 20850; 301-
796-7845.
NOTIFICATION PROCEDURES:
In accordance with 21 CFR part 21, subpart D, an individual may
submit a request to the FDA Privacy Act Coordinator, with a notarized
signature, to confirm whether records exist about him or her. Requests
should be directed to the FDA Privacy Act Coordinator, Division of
Freedom of Information, 12420 Parklawn Dr., ELEM-1036, Rockville, MD
20857. An individual requesting notification via mail should certify in
his or her request that he or she is the individual who he or she
claims to be and that he or she understands that the knowing and
willful request for or acquisition of a
[[Page 67823]]
record pertaining to an individual under false pretenses is a criminal
offense under the Act subject to a $5,000 fine, and indicate on the
envelope and in a prominent manner in the request letter that he or she
is making a ``Privacy Act Request.'' Additional details regarding
notification request procedures appear in 21 CFR part 21, subpart D.
RECORD ACCESS PROCEDURES:
Procedures are the same as above, in Notification Procedures.
Requesters should also reasonably specify the record contents being
sought. Some records may be exempt from access under 5 U.S.C.
552a(d)(5), if they are ``compiled in reasonable anticipation of a
civil action or proceeding.'' If access to requested records is denied,
the requester may appeal the denial to the FDA Commissioner. Additional
details regarding record access procedures and identity verification
requirements appear in 21 CFR part 21, subpart D.
CONTESTING RECORD PROCEDURES:
In addition to the procedures described above, requesters should
reasonably identify the record, specify the information they are
contesting, state the corrective action sought and the reasons for the
correction, and provide justifying information showing why the record
is not accurate, complete, timely, or relevant. Rules and procedures
regarding amendment of Privacy Act records appear in 21 CFR part 21,
subpart E.
RECORD SOURCE CATEGORIES:
Information in this system is obtained from many sources,
including: (1) Directly from the individual, company or organization
that is required to submit user fees to FDA; (2) from materials
supplied by the submitter or individual acting on his/her behalf; (3)
from FDA Centers such as the Center for Drug Evaluation and Research,
Center for Devices and Radiological Health, Center for Biologics
Evaluation and Research, Center for Veterinary Medicine, Center for
Tobacco Products, Center for Food Safety and Applied Nutrition, and the
Office of Financial Management; and (4) from any other relevant source.
RECORDS EXEMPTED FROM CERTAIN PROVISIONS OF THE PRIVACY ACT:
None.
Dated: November 7, 2012.
Leslie Kux,
Assistant Commissioner for Policy.
[FR Doc. 2012-27580 Filed 11-13-12; 8:45 am]
BILLING CODE 4160-01-P