[Federal Register Volume 60, Number 197 (Thursday, October 12, 1995)] [Notices] [Pages 53188-53191] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 95-25310] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Public Health Service Food and Drug Administration; Privacy Act of 1974; New System of Records AGENCY: Public Health Service, HHS. ACTION: Notification of a new system of records. ----------------------------------------------------------------------- SUMMARY: In accordance with the requirements of the Privacy Act, the Public Health Service (PHS) is publishing a notice of a proposal to establish a new system of records, 09-10-0019, ``Mammography Quality Standards Act (MQSA) Training Records, HHS/FDA/CDRH.'' The purpose of the system is to provide the Food and Drug Administration (FDA) with information about the training and certification of inspectors of mammography facilities. We are also proposing routine uses for this new system. DATES: PHS invites interested parties to submit comments on the proposed internal and routine uses on or before November 21, 1995. PHS has sent a report of a New System to the Congress and to the Office of Management and Budget (OMB) on August 31, 1995. This system of records will be effective 40 days from the date submitted to OMB unless PHS receives comments on the routine uses which would result in a contrary determination. ADDRESSES: Please submit comments to: FDA Privacy Act Coordinator (HFI- 30), Food and Drug Administration, 5600 Fishers Lane, Room 12A-30, Rockville, MD 20857, (301) 443-1813. Comments received will be available for inspection at this same address from 9 a.m. to 4 p.m., Monday through Friday. [[Page 53189]] FOR FURTHER INFORMATION CONTACT: Director, Division of Mammography Quality and Radiation Programs (HFZ- 240), Office of Health and Industry Programs, Center for Devices and Radiological Health, Food and Drug Administration, 1350 Piccard Drive, Rockville, MD 20850, (301) 594-3332. The numbers listed above are not toll free. SUPPLEMENTARY INFORMATION: The Food and Drug Administration proposes to establish a New System of Records: 09-10-0019, ``Mammography Quality Standards Act (MQSA) Training Records, HHS/FDA/CDRH.'' This system of records will be used to provide FDA with information about the training, certification, and recertification of MQSA inspectors for the purpose of implementing the Mammography Quality Standards Act of 1992. The system will be comprised of records that contain the names, dates of birth, education, professional experience, employment addresses, dates of mammography training, test scores, and an analysis of those scores, dates of certification of the inspectors, dates of renewal or withdrawal of certification, and evaluations of the inspectors' field performances (records of complaints received and how the complaints were resolved.) The amount of information recorded on each individual will be only that which is necessary to accomplish the purpose of the system. Records must be retrieved by individual name for effective monitoring of training, certification, recertification, and withdrawal of certification. Each record is established from a one-page data sheet which is completed by each student. Records of test scores, dates of renewal or withdrawal of certification, and an evaluation of inspector's field performance are added as the information becomes available. The records in this system will be maintained in a secure manner compatible with their content and use. FDA staff will be required to adhere to the provisions of the Privacy Act and the HHS Privacy Act Regulations. Only authorized users whose official duties require the use of such information will have regular access to the records in this system. Authorized users are FDA employees and contractors responsible for training the individuals who will inspect mammography facilities, and personnel in the Division of Mammography Quality and Radiation Programs (DMQRP) who will compile and analyze the test and personal data of the students. All records (such as diskettes, computer listings, or documents) are kept in a secured area, locked rooms, and locked building. The facility has 24-hour guard service, and access to the building is further controlled by an operational card key system. Access to individual offices is controlled by simplex locks. Manual and computerized records will be maintained in accordance with the standards of Chapter 45-13 of the HHS General Administration Manual, ``Safeguarding Records Contained in Systems of Records,'' supplementary Chapter PHS hf: 45-13 of the Department's General Administration Manual, and the Department's Automated Information Systems Security Handbook. Users will receive regular training in information systems security for this application and in accordance with the Privacy Act. Users will be required to sign an agreement indicating their cooperation with FDA systems security and Privacy Act policies. Data stored in computers will be accessed through the use of regularly expiring passwords and individual IDS known only to authorized users. All users will be assigned specific levels of database control based on their needs and authority. All uses of valid IDS and passwords will be monitored. Upon job change, the user's authorization will be reviewed and updated as necessary. All changes to data, as well as the time of change and the user's ID, will be captured in a file as part of the database design. The system's intrusion alarms, which list all logins and their source, will be monitored daily by the Information Systems Security Officer. All systems in support of this database are under the control of CDRH and meet the same security standards. The routine uses proposed for this system are compatible with the stated purposes of the system. The first routine use proposed for this system, permitting disclosure to a congressional office, allows subject individuals to obtain assistance from their representatives in Congress, should they so desire. Such disclosure would be made only pursuant to a request of the individual. The second routine use allows disclosure to the Department of Justice or a court in the event of litigation. The third routine use allows disclosure to be made to the individual's supervisor since MQSA inspections will be a significant part of many inspectors' jobs; therefore, performance in the training courses is an important element of information to help the supervisor determine employee assignments as well as the level of supervision needed. The fourth routine use allows disclosure to be made to contractors for the purpose of processing or refining records in the system. The following notice is written in the present, rather than future tense, in order to avoid the unnecessary expenditure of public funds to republish the notice after the system has become effective. Dated: October 2, 1995. Ellen Wormser, Director, Office of Organization and Management Systems. 09-10-0019 Mammography Quality Standards Act (MQSA) Training Records, HHS/FDA/ CDRH. None. Division of Mammography Quality and Radiation Programs (HFZ-240), Center for Devices and Radiological Health, 1350 Piccard Drive, Rockville, Maryland 20850. A current list of contractor sites is available by writing to the system manager, indicated below, at this address. All individuals who receive training for the purpose of implementing the Mammography Quality Standards Act of 1992; individuals who successfully complete the training will become certified to conduct inspections and audits of mammography facilities. Contains name; date of birth; education; professional experience; employment address; dates of mammography training; participant's test scores, class grades, and an analysis of those scores; date of certification of the inspector; dates of renewal or withdrawal of certification; and an evaluation of the inspector's field performance (records of complaints received and how the complaints were resolved). Pub. L. 102-539, the Mammography Quality Standards Act (MQSA) of 1992 (42 U.S.C. 263b). To provide the Food and Drug Administration (FDA) with information about the training, certification, and recertification of MQSA inspectors for the purpose of implementing the [[Page 53190]] Mammography Quality Standards Act of 1992. 1. Disclosure may be made to a congressional office from the record of an individual, in response to an inquiry from the congressional office made at the request of that individual. 2. The Department of Health and Human Services (HHS) may disclose information from this system of records to the Department of Justice, or to a court or other tribunal, when (a) HHS, or any component thereof; or (b) Any HHS employee in his or her official capacity; or (c) Any HHS employee in his or her official capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) The United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has an interest in such litigation, and HHS determines that the use of such records by the Department of Justice, the court or other tribunal, is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected. 3. Disclosure may be made with the individual's supervisor since MQSA inspections will be a significant part of many inspectors' jobs; therefore, performance in the training courses is an important element of information to help the supervisor determine employee assignments as well as the level of supervision needed. 4. Disclosure may be made to contractors for the purpose of collecting, compiling, aggregating, analyzing, or refining records in the system. Contractors will be required to maintain Privacy Act safeguards with respect to such records. Data are maintained in hard copy files and on computer disks, hard drives, and file servers. Indexed by name, state, specific courses, training dates, grades, date of certification, and date of withdrawal of certification. 1. Authorized users: Personnel of the Division of Mammography Quality Reporting Program who are engaged in training the individuals who inspect mammography facilities, and personnel in the Division who compile and analyze the test and personal data of the students. 2. Physical safeguards: All records (such as disketts, computer listings, or documents) are kept in a secured area, locked rooms, and locked building. The facility has 24-hour guard service, and access to the building is further controlled by an operational card key system. Access to the computer room is limited to a subset of persons with general access to the building. Access to individual offices is controlled by simplex locks. The building has smoke/fire detectors; the computer room has additional smoke/fire detectors plus water, temperature, and humidity sensors. The computers room has an uninterruptible power supply and a power conditioning system. 3. Procedural safeguards: End users and system professionals continue to receive regular training in information systems security and have signed an agreement indicating their cooperation with FDA policies. Users are further instructed on system security during training sessions for this application and in accordance with the Privacy Act. Users of personal information in the performance of their duties have been instructed to protect personal information from public view and from unauthorized personnel. All reports containing confidential data are marked ``confidential'' and placed in the developer's or system manager's mail slot, which is located in an access-controlled room. CDRH SOP requires that all reports containing confidential information be shredded before disposal. 4. Technical safeguards: All users have individual IDS and regularly expiring passwords at least 6 characters long. All users are assigned specific levels of database control based on their needs and authority. All users of valid IDs and passwords will be monitored. Upon job change, the user's authorization is reviewed and updated as necessary. All changes to data, as well as the time of change and the operator's ID are captured in a file as part of the database design. All data entered online is edit checked. The system's intrusion alarms, which list all logins and their source, are monitored daily by the information Systems Security Officer. In addition, CDRH maintains commercial auditing software that permits logging of keystrokes by individual accounts. CDRH maintains three audit trails for this system: 1. System-wide intrusion alarms and file access notices 2. Application-dependent logging of all data transactions 3. Commercial software that permits capturing all keystrokes from suspicious accounts and terminals. All systems in support of this database are under the control of CDRH and meet the same security standards as the application. 5. Implementation guidelines: Safeguards are established in accordance with Chapter 45-13 and PHS hf:45-13 of the Department's General Administration Manual and the Department's Automated Information Systems Security Handbook. Records are retained for five years after the certified MQSA Inspector leaves government service. At the end of five years, in individual's paper records are shredded and automated records are erased. Director, Division of Mammography Quality and Radiation Programs (HFZ-240), Center for Devices and Radiological Health, 1350 Piccard Drive, Rockville, Maryland 20850. An individual may learn if a record exists about him or her upon written request, with notarized signature if request is made by mail, or with identification if request is made in person, directed to: FDA Privacy Act Coordinator (HFI-30), Food and Drug Administration, 5600 Fishers Lane, Rockville, MD 20857. Same as notification procedure. Requests should also reasonably specify the record contents being sought. You may also request an accounting of disclosures that have been made of your record, if any. Contact the official at the address specified under notification procedure above and reasonably identify the record, specify the information being contested, the corrective action sought, and your reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant. [[Page 53191]] Individual on whom the record is maintained and training records pertaining to that individual. Information about certification renewal or withdrawal is generated in-house by the Division of Mammography Quality and Radiation Programs. Sources of information about field performance could include the inspector's supervisor, as well as any investigation of an inspector's performance as a result of complaints by a mammography facility. None. [FR Doc. 95-25310 Filed 10-11-95; 8:45 am] BILLING CODE 4160-01-M