System Name: "Facility and Resource Access Control Records".
Security Classification: Most identity records are not classified. However, in some cases, records of certain individuals, or portions of some records, may be classified in the interest of national security.
System Location: Data covered by this system are maintained at the following locations: Department of Health and Human Services (HHS), Office of the Secretary, 200 Independence Avenue, SW., Washington, DC 20201; HHS Operating Divisions and regional offices around the country; Qwest Datacenter in Sterling, Virginia; and the Qwest CyberCenter in Highlands Ranch, Colorado. Some data covered by this system will be accessed at HHS locations, both federal buildings and federally-leased space, and at the physical security office(s) or computer security offices of those locations.
Categories Of Individuals Covered By The System: (1) Individuals who require or are under consideration to obtain regular, ongoing access to HHS facilities, information technology systems, or information classified in the interest of national security, such as applicants for employment or contracts with HHS, federal employees, tribal members, contractors, students, interns, volunteers, affiliates such as individuals authorized to perform or use services provided in HHS facilities (e.g., HEW Credit Union, fitness center, etc.) and individuals formerly in any of these positions. (2) PIV card holders from other agencies who visit HHS facilities or use HHS computer systems. (3) Occasional visitors or short-term employees or guests who do not carry PIV cards and do not require certificates for using encryption with a Public Key Infrastructure (PKI), to whom HHS will issue temporary identification and low assurance credentials.
Categories Of Records In The System: (1) Records maintained on individuals issued credentials by HHS include the following: Full name, Social Security number; date and place of birth; citizenship; signature; image (photograph); fingerprints; hair color; eye color; height; weight; sex; race; scars, marks, or tattoos; organization/office of assignment, location and contact information; PIV card issue and expiration dates; personal identification number (PIN); PIV request form; PIV sponsor, enrollment, registrar and issuance information; PIV card serial number; emergency responder designation; foreign national designator; contractor designator; information derived from documents used to verify identity such as document title, issuing authority, or expiration date; position sensitivity; level of national security clearance and expiration date; computer system user name; user access and permission rights; authentication certificates; digital signature information; employment category; position title; dates, times, and locations of entries and exits. (2) HHS maintains the following categories of records about PIV card holders from other agencies entering HHS facilities or using HHS systems: Name, PIV card serial number; dates, times, and locations of entries and exits; organization name; level of national security clearance and expiration date; digital signature information; computer networks, applications, and data accessed. (3) HHS maintains the following categories of records about occasional visitors and short term guests: name, photograph, date and time of entry and exit, facility to which admitted, and name of person visiting.
Authority For Maintenance Of The System: 5 U.S.C. 301; Information Technology Management Reform Act of 1996 (Pub. L. 104-106, sec. 5113); Electronic Government Act (Pub. L. 104- 347, sec. 203); Paperwork Reduction Act of 1995 (44 U.S.C. ch. 35); Government Paperwork Elimination Act (Pub. L. 105-277, sec. 1701, 44 U.S.C. 3504); Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors, Aug. 27, 2004; Federal Property and Administrative Act of 1949, as amended.
Purpose(s) Of The System: The primary purposes of the system of records are to (1) Ensure the safety and security of HHS facilities, systems, or information, and our occupants and users; (2) to verify that all persons entering federal facilities, using federal information resources, or accessing classified information are authorized to do so; and (3) to track and control PIV cards and other identity credentials issued to persons entering and exiting the facilities, using systems, or accessing classified information.
Routine Uses Of Records Maintained In The System, Including Categories Or Users And The Purposes Of Such Uses: Information about covered individuals may be disclosed without consent as permitted by the Privacy Act of 1974, 5 U.S.C. 552a(b), and:
(1) To the Department of Justice when:
(a) The agency or any component thereof; or
(b) any employee of the agency in his or her official capacity;
(c) any employee of the agency in his or her individual capacity where agency or the Department of Justice has agreed to represent the employee; or
(d) the United States government, is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records by DOJ is therefore deemed by the agency to be for a purpose compatible with the purpose for which the agency collected the records.
(2) To a court or adjudicative body in a proceeding when:
(a) The agency or any component thereof;
(b) any employee of the agency in his or her official capacity;
(c) any employee of the agency in his or her individual capacity where agency or the Department of Justice has agreed to represent the employee; or
(d) the United States government, is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records is therefore deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records.
(3) Except as noted on Forms SF 85, 85-P, and 86, when a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether federal, foreign, state, local, or tribal, or otherwise, responsible for enforcing, investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to any enforcement, regulatory, investigative or prosecutorial responsibility of the receiving entity.
(4) To a federal, state, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 or any successor order, applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders or directives.
(5) To a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained.
(6) To the National Archives and Records Administration or to the General Services Administration for records management inspections conducted under 44 U.S.C. 2904 and 2906.
(7) To agency contractors who have been engaged to assist the agency in the performance of a contract service, grant, cooperative agreement, or other activity related to this system of records and who need to have access to the records in order to perform the activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a.
(8) To appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.
(9) To a federal, state, local, foreign, or tribal or other public authority the fact that this system of records contains information relevant to the retention of an employee, the retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant, or other benefit. The other agency or licensing organization may then make a request supported by the written consent of the individual for the entire record if it so chooses. No disclosure will be made unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another federal agency for criminal, civil, administrative personnel or regulatory action.
(10) To another federal agency to notify that agency when, or verify whether, a PIV card is no longer valid. Page 47816 Note: Disclosures of data pertaining to date and time of entry and exit of an agency employee working in the District of Columbia may not be made to supervisors, managers or any other persons (other than the individual to whom the information applies) to verify employee time and attendance record for personnel actions because 5 U.S.C. 6106 prohibits federal Executive agencies (other than the Bureau of Engraving and Printing) from using a recording clock within the District of Columbia, unless used as a part of a flexible schedule program under 5 U.S.C. 6120 et seq.
Policies And Practices For Storing, Retrieving, Accessing, Retaining, And Disposing Of Records In The System:
Storage: Records are stored in electronic media and in paper files.
Retrievability: Records are retrievable by name, date of birth, Social Security number, photographic identifiers, biometric identifiers, HHS Identification Number, and PIV card serial numbers.
Safeguards: HHS has safeguards in place for authorized users and monitors such users to ensure against excessive or unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access. This system will conform to all applicable federal laws and regulations and federal and HHS policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, and HHS policies and standards include but are not limited to: All pertinent National Institute of Standards and Technology publications and the HHS Information Systems Program Handbook. Paper records are kept in locked cabinets in secure facilities and access to them is restricted to individuals whose role requires use of the records. The computer servers in which records are stored are located in facilities that are secured by alarm systems and off-master key access. The computer servers themselves are two-factor protected with Public Key Infrastructure (PKI) credentials, Personal Identification Numbers (PINs) and passwords. Access to individuals working at guard stations, operating enrollment stations, issuance stations, or the portal for sponsorship and adjudication will be two- factor protected using PKI and PIN; each person granted access to the system at guard stations, enrollment stations, issuance stations or through the portal must be individually authorized to use the system. A notice warning users that they are responsible for protecting the information in accordance with the Privacy Act, the Computer Security Act, and the Federal Information Security Management Act appears on the monitor screen when records containing information on individuals are first displayed. Data exchanged between the servers and the personal computers at the guard stations and badging office are encrypted. Backup tapes are stored in a locked and controlled room in a secure, off-site location. An audit trail is maintained and reviewed periodically to identify unauthorized access. Persons given roles in the PIV process must complete training specific to their roles to ensure they are knowledgeable about how to protect individually identifiable information.
Retention And Disposal: Records relating to persons' access covered by this system are retained in accordance with General Records Schedule 18, Item 17 approved by the National Archives and Records Administration (NARA). Unless retained for specific, ongoing security investigations, for maximum security facilities, records of access are maintained for five years and then destroyed. For other facilities, records are maintained for two years and then destroyed. All other records relating to individuals are retained and disposed of in accordance with General Records Schedule 18, item 22, approved by NARA. In accordance with HSPD-12, PIV cards are deactivated within 18 hours of cardholder separation, loss of card, or expiration. PIV cards are destroyed by cross-cut shredding no later than 90 days after deactivation.
System Manager And Address: Ken Calabrese, HHS Chief Technology Officer, Office of the HHS Chief Information Officer, Department of Health and Human Services, 200 Independence Avenue, SW., Washington, DC 20201.
Notification Procedure: An individual can determine if this system contains a record pertaining to himself or herself by sending a request in writing, signed, to HHS Privacy Act Officer, Room 2221, Mary E. Switzer Building, Department of Health and Human Services, 330 C Street, SW., Washington, DC 20201. When requesting notification of or access to records covered by this Notice, an individual should provide his/her full name, date of birth, agency name, and work location. An individual requesting notification of records in person must provide identity documents sufficient to satisfy the custodian of the records that the requester is entitled to access, such as a government-issued photo ID. Individuals requesting notification via telephone must furnish, at a minimum, name, date of birth, social security number, and home address in order to establish identity. Individuals requesting notification via mail shall submit a notarized request to the responsible Department official to verify his or her identity or shall certify in his or her request that he or she is the individual who he or she claims to be and that he or she understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Act subject to a $5,000 fine.
Record Access Procedure: In addition to the procedures above, requesters should reasonably specify the record contents being sought. If additional information or assistance is required, contact the HHS Privacy Act Officer, Room 2221, Mary E. Switzer Building, Department of Health and Human Services, 330 "C" Street, SW., Washington, DC 20201. Write the words "Privacy Act Request" on the envelope and on the letter. For purpose of access, use the same procedures outlined in the Notification Procedures above. (These procedures are in accordance with Department regulation 45 CFR 5b.5 (a) (2).)
Contesting Records Procedures: In addition to the procedures above, requesters should also reasonably identify the record, specify the information they are contesting, state the corrective action sought and the reasons for the correction along with supporting justification showing why the record is not accurate, timely, relevant, or complete. Rules regarding amendment of Privacy Act records appear in 45 CFR part 5a. If additional information or assistance is required, contact the HHS Privacy Act Officer, Room 2221, Mary E. Switzer Building, Department of Health and Human Services, 330 "C" Street, SW., Washington, DC 20201. Write the words "Privacy Act Request" on the envelope and on the letter.
Records Source Categories: Employee, contractor, or applicant; sponsoring agency; former sponsoring agency; other federal agencies; contract employer; former employer.
Systems Exempted From Certain Provisions Of The Act: None.