80 FR 68568 - Privacy Act of 1974; Privacy Act System of Records

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

Federal Register Volume 80, Issue 214 (November 5, 2015)

Pursuant to the provisions of the Privacy Act of 1974 (5 U.S.C. 552a), the National Aeronautics and Space Administration is issuing public notice of its proposal to modify its previously noticed system of records. This notice publishes updates to health related systems of records as set forth below under the caption SUPPLEMENTARY INFORMATION.

[Federal Register Volume 80, Number 214 (Thursday, November 5, 2015)]
[Notices]
[Pages 68568-68572]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2015-28254]


-----------------------------------------------------------------------

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

[Notice (15-101)]


Privacy Act of 1974; Privacy Act System of Records

AGENCY: National Aeronautics and Space Administration (NASA).

ACTION: Notice of proposed revisions to existing Privacy Act systems of 
records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the provisions of the Privacy Act of 1974 (5 
U.S.C. 552a), the National Aeronautics and Space Administration is 
issuing public notice of its proposal to modify its previously noticed 
system of records. This notice publishes updates to health related 
systems of records as set forth below under the caption SUPPLEMENTARY 
INFORMATION.

DATES: Submit comments within 30 calendar days from the date of this 
publication. The changes will take effect at the end of that period, if 
no adverse comments are received.

ADDRESSES: Patti F. Stockman, Privacy Act Officer, Office of the Chief 
Information Officer, National Aeronautics and Space Administration 
Headquarters, Washington, DC 20546-0001, (202) 358-4787, [email protected].

FOR FURTHER INFORMATION CONTACT: NASA Privacy Act Officer, Patti F. 
Stockman, (202) 358-4787, [email protected].

SUPPLEMENTARY INFORMATION: Pursuant to the provisions of the Privacy 
Act of 1974, 5 U.S.C. 552a, and as part of its biennial System of 
Records review, NASA is making minor modifications of its systems of 
records including: Update of Locations of Records; revision of 
Categories of Records to reflect reduced information collected; updates 
of System and Subsystem Managers; and clarification of Routine Uses. 
Changes for specific NASA systems of records are set forth below:
    Human Experimental and Research Data Records/NASA 10HERD: Include a 
purpose section; provide minor wording

[[Page 68569]]

refinements of Categories of Records and Individuals; update the 
Routine Uses and Safeguards sections.
    Health Information Management System/NASA 10HIMS: Update System 
Locations; provide minor wording refinements of Categories of Records 
and Individuals, Routine Uses, and Subsystem Managers; and update the 
Safeguards section.
    Occupational Radiation Information System/NASA 10ORIS: Update 
System Location and Safeguards sections to be more complete.

Renee P. Wynn,
NASA Chief Information Officer.
NASA 10HERD

SYSTEM NAME:
    Human Experimental and Research Data Records.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    Locations 2, 5, 6, and 8, as set forth in Appendix A.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Information in this system of records is maintained on individuals 
who have been involved in space flight, aeronautical research flight, 
and/or participated in NASA tests or experimental or research programs. 
Categories of individuals covered include civil service and military 
employees, employees of other government agencies, contractor 
employees, students, International Space Partner personnel, volunteers, 
and other human research subjects on whom information is collected as 
part of an experiment or study.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Record categories in this system include data obtained in the 
course of an experiment, test, or research medical data from in-flight 
records, and other information collected in connection with an 
experiment, test, or research.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    51 U.S.C. 20113(a) and 44 U.S.C. 3101.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Any disclosures of information will be compatible with the purpose 
for which the Agency collected the information. Records and information 
in this system may be disclosed: (1) To other individuals or 
organizations, including Federal, State, or local agencies, and 
nonprofit, educational, or private entities, who are participating in 
NASA programs or are otherwise furthering the understanding or 
application of biological, physiological, and behavioral phenomena as 
reflected in the data contained in this system of records; (2) to 
external biomedical professionals and independent entities to support 
internal and external reviews for purposes of research quality 
assurance; (3) to international partners for research activities 
pursuant to NASA Space Act agreements; (4) to external professionals 
conducting research, studies, or other activities through arrangements 
or agreements with NASA and for mutual benefit; and (5) in accordance 
with standard routine uses set forth in Appendix B.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, AND 
DISPOSITIONING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records in this system are stored as paper documents, electronic 
media, micrographic media, photographs, or motion picture film, and 
various medical recordings such as electrocardiograph tapes, 
stripcharts, and x-rays.

RETRIEVABILITY:
    Records are retrieved by the individual's name, experiment or test; 
arbitrary experimental subject number; flight designation; or 
crewmember designation on a particular space or aeronautical flight.

SAFEGUARDS:
    Records are maintained on secure NASA servers and protected in 
accordance with all Federal standards and those established in NASA 
regulations at 14 CFR 1212.605. Additionally, server and data 
management environments employ infrastructure encryption technologies 
both in data transmission and at rest on servers. Electronic messages 
sent within and outside of the Agency that convey sensitive data are 
encrypted and transmitted by staff via pre-approved electronic 
encryption systems as required by NASA policy. Approved security plans 
are in place for information systems containing the records in 
accordance with the Federal Information Security Management Act of 2002 
(FISMA) and OMB Circular A-130, Management of Federal Information 
Resources. Only authorized personnel requiring information in the 
official discharge of their duties are authorized access to records 
through approved access or authentication methods. Access to electronic 
records is achieved only from workstations within the NASA Intranet, or 
remotely via a secure Virtual Private Network (VPN) connection 
requiring two-factor token authentication or via employee PIV badge 
authentication from NASA-issued computers. Non-electronic records are 
secured in locked rooms or files.

RETENTION AND DISPOSAL:
    Records are maintained in Agency files for varying periods of time 
depending on the need for use of the records and destroyed when no 
longer needed in accordance with NASA Records Retention Schedules, 
Schedule 7 Item 16.

SYSTEM MANAGER(S) AND ADDRESS(ES):
    Chief Health and Medical Officer, Location 1.
    Subsystem Managers: Director Life Sciences Directorate, Chief Space 
Medicine Division, and Program Scientist Human Research Program, both 
at Location 5; and Institutional Review Board (IRB) Chairs at Locations 
2, 6, and 8, as set forth in Appendix A.

NOTIFICATION PROCEDURE:
    Information may be obtained by contacting the cognizant system or 
subsystem manager listed above. Requests must contain the identifying 
data concerning the requester, e.g., first, middle and last name; date 
of birth; and Social Security Number.

RECORD ACCESS PROCEDURES:
    Requests from individuals should be addressed to the same address 
as stated above.

CONTESTING RECORD PROCEDURES:
    The NASA regulations for access to records and for contesting and 
appealing initial determinations by the individual concerned appear at 
14 CFR part 1212.

RECORD SOURCE CATEGORIES:
    Information in this system is obtained from experimental test 
subjects, physicians and other health care providers, principal 
investigators and other researchers, and previous experimental test or 
research records.

EXEMPTIONS CLAIMED FOR THE SYSTEM:
    None.
NASA 10HIMS

SYSTEM NAME:
    Health Information Management System.

SECURITY CLASSIFICATION:
    None.

[[Page 68570]]

PURPOSE:
    Information in this system of records is maintained on anyone 
receiving health or medical care in or through a NASA clinic or 
healthcare activity.

SYSTEM LOCATION:
    Paper-based records of Medical Clinics/Units and Environmental 
Health Offices are held at NASA Locations 1, 9, 11, 14, and 19, as set 
forth in Appendix A. Electronic records are hosted on secure NASA 
servers in Locations 5 and 6, as set forth in Appendix A, and at the 
Medgate Chicago Data Center, 341 Haynes Drive, in Wood Dale, Illinois 
60191, which is a secure, redundant, Tier III, SAS 70 certified 
facility.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    This system contains information on (1) NASA civil service 
employees and applicants; (2) other Agency civil service and military 
employees working at NASA; (3) active or retired astronauts and active 
astronaut family members; (4) International Space Station Partner 
personnel, their families, or other space flight personnel on temporary 
or extended duty at NASA; (5) onsite contractor personnel who receive 
job-related examinations under the NASA Occupational Health Program, 
have work-related mishaps or accidents, or visit clinics for emergency 
or first-aid treatment; and (6) visitors to NASA Centers who use 
clinics for emergency or first-aid treatment.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system contains:
    (1) General medical records of routine health care, first aid, 
emergency treatment, examinations (e.g., surveillance, hazardous 
workplace, certification, flight, special purpose and health 
maintenance), exposures (e.g., hazardous materials and ionizing 
radiation), and consultations by non-NASA physicians.
    (2) Information resulting from physical examinations, laboratory 
and other tests, and medical history forms; treatment records; 
screening examination results; immunization records; administration of 
medications prescribed by private/personal or NASA flight surgeon 
physicians; consultation records; and hazardous exposure and other 
health hazard/abatement data.
    (3) Medical records, behavioral health records, and physical 
examination records of Astronauts and their families.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 7901; 51 U.S.C. 20113(a); 44 U.S.C. 3101; 42 CFR part 2.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES
    Any disclosures of information will be compatible with the purpose 
for which the Agency collected the information. The records and 
information in this system may be disclosed: (1) To external medical 
professionals and independent entities to support internal and external 
reviews for purposes of medical quality assurance; (2) to private or 
other government health care providers for consultation or referral; 
(3) to the Office of Personnel Management, Occupational Safety and 
Health Administration, and other Federal or State agencies as required 
in accordance with the Federal agency's special program 
responsibilities; (4) to insurers for referrals or reimbursement; (5) 
to employers of non-NASA personnel in support of the Mission Critical 
Space Systems Personnel Reliability Program; (6) to international 
partners for mission support and continuity of care for their employees 
pursuant to NASA Space Act agreements; (7) to non-NASA personnel 
performing research, studies, or other activities through arrangements 
or agreements with NASA and for mutual benefit; (8) to the public of 
pre-space flight information having mission impact concerning an 
individual crewmember, limited to the crewmember's name and the fact 
that a medical condition exists; (9) to the public, limited to the 
crewmember's name and the fact that a medical condition exists, if a 
flight crewmember is, for medical reasons, unable to perform a 
scheduled public event following a space flight mission/landing; (10) 
to the public to advise of medical conditions arising from accidents, 
consistent with NASA regulations; and (11) in accordance with standard 
routine uses as set forth in Appendix B.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, AND 
DISPOSITIONING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored in multiple formats including paper, digital, 
micrographic, photographic, and as medical recordings such as 
electrocardiograph tapes, x-rays and strip charts.

RETRIEVABILITY:
    Records are retrieved from the system by the individual's name, 
date of birth, and/or Social Security or other assigned Number.

SAFEGUARDS:
    Records are maintained on secure NASA servers and protected in 
accordance with all Federal standards and those established in NASA 
regulations at 14 CFR 1212.605. Additionally, server and data 
management environments employ infrastructure encryption technologies 
both in data transmission and at rest on servers. Electronic messages 
sent within and outside of the Agency that convey sensitive data are 
encrypted and transmitted by staff via pre-approved electronic 
encryption systems as required by NASA policy. Approved security plans 
are in place for information systems containing the records in 
accordance with the Federal Information Security Management Act of 2002 
(FISMA) and OMB Circular A-130, Management of Federal Information 
Resources. Only authorized personnel requiring information in the 
official discharge of their duties are authorized access to records 
through approved access or authentication methods. Access to electronic 
records is achieved only from workstations within the NASA Intranet, or 
remotely via a secure Virtual Private Network (VPN) connection 
requiring two-factor token authentication using NASA-issued computers 
or via employee PIV badge authentication from NASA-issued computers. 
The Medgate Chicago Data Center maintains documentation and 
verification of commensurate safeguards in accordance with FISMA, NASA 
Procedural Requirements (NPR) 2810.1A, and NASA ITS-HBK-2810.02-05. 
Non-electronic records are secured in locked rooms or files.

RETENTION AND DISPOSAL:
    Records are maintained in Agency files and destroyed by series in 
accordance with NASA Records Retention Schedule 1, Item 126, and NASA 
Records Retention Schedule 8, Item 57.

SYSTEM MANAGER(S) AND ADDRESS(ES):
    Chief Health and Medical Officer at Location 1.
    Subsystem Managers: Director, Health and Medical Systems, 
Occupational Health at Location 1; Chief, Space Medicine Division at 
Location 5; Occupational Health Contracting Officer Representatives at 
Locations 2-4, 6-14, and 19. Locations are as set forth in Appendix A.

NOTIFICATION PROCEDURE:
    Information may be obtained by contacting the cognizant system or 
subsystem manager listed above. Requests must contain the identifying

[[Page 68571]]

data concerning the requester, e.g., first, middle and last name; date 
of birth; and Social Security Number.

RECORD ACCESS PROCEDURES:
    Individual written requests for information shall be addressed to 
the System Manager at Location 1 or the subsystem manager at the 
appropriate NASA Center.

CONTESTING RECORD PROCEDURES:
    The NASA regulations for access to records and for contesting 
contents and appealing initial determinations by the individual 
concerned appear in 14 CFR part 1212.

RECORD SOURCE PROCEDURES:
    The information in this system of records is obtained from 
individuals, physicians, and previous medical records of individuals.

EXEMPTIONS CLAIMED FOR THE SYSTEM:
    None.
NASA 1OORIS

SYSTEM NAME:
    Occupational Radiation Information System.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    NASA's electronic health records are hosted at the Medgate Chicago 
Data Center, 341 Haynes Drive, in Wood Dale, Illinois 60191. Paper-
based records and non-medical electronic records are located in NASA 
facilities in Locations 2 through 14 as set forth in Appendix A.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    This system maintains information on NASA civil service employees 
and applicants; other Agency civil service and military employees 
working at NASA; International Space Station Partner personnel who use 
NASA space or aeronautical vehicles; principal investigators or other 
visitors to NASA Centers; onsite contractor personnel who handle, use, 
or are exposed to ionizing or non-ionizing radiation sources and/or 
devices.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records in the system include, but are not limited to name, date of 
birth, and social security number contained in: (1) Work history 
questionnaires and training records, including Nuclear Regulatory 
Commission (NRC) training and experience documents; (2) Radiation 
producing source and/or device use authorizing forms; (3) Personnel 
licenses and/or certifications; (4) Employee radiation levels including 
medical, background and space radiation exposure and/or calculated 
radiation levels from Medical records and patient histories; and (5) 
Prenatal exposure counseling and pregnancy declarations.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    51 U.S.C. 20113(a); 10 CFR part 20, 29 CFR 1910.1096; and State law 
and/or State agreement.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Any disclosures of information will be compatible with the purpose 
for which the Agency collected the information. Records and information 
in this system may be disclosed: (1) To State oversight agencies, the 
NRC, and/or Occupational Safety and Health Administration (OSHA) for 
verification and evidence of regulatory compliance; (2) to agency 
contractors, grantees, or volunteers who have been engaged to assist 
the agency in the performance of a contract service, grant, cooperative 
agreement, or other activity related to this system of records and who 
need to have access to the records in order to perform their activity; 
(3) to International Space Agencies (as appropriate) for data obtained 
on their national employees who are assigned, detailed and/or 
participating at a NASA Center or spacecraft; (4) to other Federal 
agencies including, but not limited to, the Air Force, Environmental 
Protection Agency (EPA), and Food and Drug Administration (FDA), as 
evidence of regulatory compliance; and (5) in accordance with standard 
routine uses set forth in Appendix B.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, AND 
DISPOSITIONING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records in this system are kept under controlled conditions in both 
physical form in file cabinets and electronic form on NASA work 
stations and servers.

RETRIEVABILITY:
    Records are retrieved from the system by the individual's name.

SAFEGUARDS:
    Records are maintained on secure NASA servers and protected in 
accordance with all Federal standards and those established in NASA 
regulations at 14 CFR 1212.605. Additionally, server and data 
management environments employ infrastructure encryption technologies 
both in data transmission and at rest on servers. Electronic messages 
sent within and outside of the Agency that convey sensitive data are 
encrypted and transmitted by staff via pre-approved electronic 
encryption systems as required by NASA policy. Approved security plans 
are in place for information systems containing the records in 
accordance with the Federal Information Security Management Act of 2002 
(FISMA) and OMB Circular A-130, Management of Federal Information 
Resources. Only authorized personnel requiring information in the 
official discharge of their duties are authorized access to records 
through approved access or authentication methods. Access to electronic 
records is achieved only from workstations within the NASA Intranet, or 
remotely via computers using a secure Virtual Private Network (VPN) 
connection requiring two-factor NASA-issued token authentication or via 
employee PIV badge authentication using NASA-issued computers. The 
Medgate Chicago Data Center is a secure, redundant, Tier III, SAS 70 
certified facility that maintains documentation and verification of 
commensurate safeguards in accordance with FISMA, NASA Procedural 
Requirements (NPR) 2810.1A, and NASA ITS-HBK-2810.02-05. Physical 
records are secured under locked conditions when not in use.

RETENTION AND DISPOSAL:
    Records are maintained and destroyed in accordance with NASA 
Records Retention Schedules (NRRS), Schedule 1 Item 130; and Schedule 8 
Item 57, or individual State, NRC or OSHA requirements if longer than 
those in the NRRS.

SYSTEM MANAGER(S) AND ADDRESS(ES):
    Chief Health and Medical Officer, Location 1.
    Subsystem Managers: NASA and Contractor Radiation Safety Officers 
at Locations 2 through 14 as set forth in Appendix A.

NOTIFICATION PROCEDURE:
    Information may be obtained from the subsystem managers listed 
above.

RECORD ACCESS PROCEDURES:
    Requests from individuals should be addressed to the same address 
as stated in the Notification section above.

RECORD AMENDMENT PROCEDURES:
    The NASA regulations for access to records and for contesting 
contents and appealing initial determinations by the individual 
concerned appear in 14 CFR part 1212.

[[Page 68572]]

RECORD SOURCE CATEGORIES:
    Individuals themselves, mishap reports, field surveys, licensing 
and certification authorities, and monitoring device laboratories.

EXEMPTIONS CLAIMED FOR THE SYSTEM:
    None.

[FR Doc. 2015-28254 Filed 11-4-15; 8:45 am]
 BILLING CODE 7510-13-P