81 FR 88690 - Privacy Act of 1974; Notice To Establish an Exempt System of Records

DEPARTMENT OF HEALTH AND HUMAN SERVICES
National Institutes of Health

Federal Register Volume 81, Issue 236 (December 8, 2016)

In accordance with the requirements of the Privacy Act of 1974, as amended, the National Institutes of Health (NIH) proposes to establish a new system of records, to be numbered and titled: SORN 09- 25-0225 ``NIH Electronic Research Administration (eRA) Records, HHS/ NIH/OD/OER,'' which will be related to, but separate from, the system of records covered in SORN 09-25-0036 ``NIH Extramural Awards and Chartered Advisory Committee (IMPAC II), Contract Information (DCIS), and Cooperative Agreement Information, HHS/NIH.'' The new system of records will cover records used by NIH throughout the research and development award lifecycle, from application to scientific peer review, post-award monitoring, and close-out. Elsewhere in today's Federal Register, NIH has published a Notice of Proposed Rulemaking (NPRM) proposing to exempt confidential source- identifying material in the new system of records (i.e., material that would inappropriately reveal the identities of referees who provide letters of recommendation and peer reviewers who provide written evaluative input and recommendations to NIH about particular funding applications under an express promise by the government that their identities in association with the written work products they authored and provided to the government will be kept confidential) from certain requirements of the Privacy Act, specifically, from the provisions pertaining to providing an accounting of disclosures, access and amendment and notification. The exemptions and the promises of confidentiality are necessary to protect the integrity of NIH extramural peer review and award processes and ensure that NIH efforts to obtain accurate and objective assessments and evaluations of funding applications from referees and peer reviewers is not hindered. The exemptions will become effective when NIH publishes a Final Rule, which will not occur until the 60-day comment period provided in the NPRM has expired and any comments received on the NPRM (or on this System of Records Notice) have been addressed.

[Federal Register Volume 81, Number 236 (Thursday, December 8, 2016)]
[Notices]
[Pages 88690-88694]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2016-29059]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

National Institutes of Health


Privacy Act of 1974; Notice To Establish an Exempt System of 
Records

AGENCY:  National Institutes of Health (NIH), Department of Health and 
Human Services (HHS).

ACTION:  Notice to establish an exempt system of records.

-----------------------------------------------------------------------

SUMMARY:  In accordance with the requirements of the Privacy Act of 
1974, as amended, the National Institutes of Health (NIH) proposes to 
establish a new system of records, to be numbered and titled: SORN 09-
25-0225 ``NIH Electronic Research Administration (eRA) Records, HHS/
NIH/OD/OER,'' which will be related to, but separate from, the system 
of records covered in SORN 09-25-0036 ``NIH Extramural Awards and 
Chartered Advisory Committee (IMPAC II), Contract Information (DCIS), 
and Cooperative Agreement Information, HHS/NIH.'' The new system of 
records will cover records used by NIH throughout the research and 
development award lifecycle, from application to scientific peer 
review, post-award monitoring, and close-out.
    Elsewhere in today's Federal Register, NIH has published a Notice 
of Proposed Rulemaking (NPRM) proposing to exempt confidential source-
identifying material in the new system of records (i.e., material that 
would inappropriately reveal the identities of referees who provide 
letters of recommendation and peer reviewers who provide written 
evaluative input and recommendations to NIH about particular funding 
applications under an express promise by the government that their 
identities in association with the written work products they authored 
and provided to the government will be kept confidential) from certain 
requirements of the Privacy Act, specifically, from the provisions 
pertaining to providing an accounting of disclosures, access and 
amendment and notification. The exemptions and the promises of 
confidentiality are necessary to protect the integrity of NIH 
extramural peer review and award processes and ensure that NIH efforts 
to obtain accurate and objective assessments and evaluations of funding 
applications from referees and peer reviewers is not hindered. The 
exemptions will become effective when NIH publishes a Final Rule, which 
will not occur until the 60-day comment period provided in the NPRM has 
expired and any comments received on the NPRM (or on this System of 
Records Notice) have been addressed.

DATES:  The comment period for this System of Records Notice (SORN) is 
co-extensive with the 60-day comment period provided in the NPRM; i.e., 
written comments on the SORN should be submitted within 60 days from 
today's publication date. The new system, including the routine uses 
and the exemptions, will become effective when NIH publishes a Final 
Rule, which will not occur until the 60-day comment period provided in 
the NPRM has expired and any comments received on the NPRM (or on this 
SORN) have been addressed.

ADDRESSES:  You may submit comments, identified by the Privacy Act 
System of Records Number (09-25-0225), by any of the following methods: 
Email: [email protected] and include PA SOR number (09-25-0225) in 
the subject line of the message. Phone: (301) 402-6201. Fax: (301) 402-
0169. Mail or hand-delivery: NIH Privacy Act Officer, Office of 
Management Assessment, National Institutes of Health, 6011 Executive 
Boulevard, Suite 601, MSC 7669, Rockville, Maryland 20852. Comments 
received will be available for public inspection at this same address 
from 9:00 a.m. to 3:00 p.m., Monday through Friday, except Federal 
holidays. Please call 301-496-4606 for an appointment.

FOR FURTHER INFORMATION CONTACT:  NIH Privacy Act Officer, Office of 
Management Assessment (OMA), Office of the Director (OD), National 
Institutes of Health (NIH), 6011 Executive Boulevard, Suite 601, MSC 
7669, Rockville, Maryland 20852, or telephone (301) 402-6201.

SUPPLEMENTARY INFORMATION: 

I. Background on the NIH Electronic Research Administration (eRA) 
Records System

    The new system of records established in this Notice, ``NIH 
Electronic Research Administration (eRA) Records, HHS/NIH/OD/OER'' 
(hereinafter referred to as the ``NIH eRA Records'' system), will cover 
records used throughout the research and development award lifecycle, 
including pre-award stages of application submission, scientific peer 
review, award processing, post-award monitoring, and close-out. Many of 
the records in the system will contain information about more than one 
individual or type of individual (e.g., applicants, awardees, faculty 
members of applicant and awardee entities, application reviewers). By 
design, any of the records can be (and in practice will be) retrieved 
using the name or other personal identifier of any of the individuals 
whose information is contained in the records, to the extent required 
to help ensure that award proceedings are carried out by the NIH in 
accordance with all applicable federal statutes and regulations.
    The eRA information technology (IT) system associated with this 
system of records is an HHS-designated Center of Excellence, and is 
used as a grants management line of business system by other federal 
agencies to manage their award records. Records pertaining to awards of 
other agencies in the eRA IT system are not covered under SORN 09-25-
0225, but would be covered under SORN(s) those agencies publish, if 
their records require a SORN.

II. The Privacy Act

    The Privacy Act governs the collection, maintenance, use, and

[[Page 88691]]

dissemination of certain information about individuals by agencies of 
the Federal Government.
    A System of Records (SOR) is a group of any records under the 
control of a Federal agency from which information about an individual 
is retrieved by the individual's name or other personal identifier. The 
Privacy Act requires each agency to publish in the Federal Register 
notice of the existence and character of each SOR that the agency 
maintains. The System of Records Notice (SORN) identifies or describes 
the laws authorizing the system to be maintained; the types and sources 
of records in the system; the categories of individuals to whom the 
records pertain; the purposes for which the records are used within the 
agency; the routine uses for which a record maybe disclosed to parties 
outside the agency without the individual's prior, written consent; 
agency policies and procedures for safeguarding, storing, retrieving, 
accessing, retaining, and disposing of the records; the procedures for 
an individual to follow to make notification, access, and amendment 
requests to the System Manager; and whether the SOR is exempt from 
certain Privacy Act requirements.

    Dated: September 29, 2016.
 Alfred C. Johnson,
Acting Deputy Director for Management, NIH.
System Number: 09-25-0225

SYSTEM NAME:
    Electronic Research Administration (eRA) Records, HHS/NIH/OD/OER.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records will be located at:
     The Office of Extramural Research (OER), Office of the 
Director (OD), National Institutes of Health (NIH), Building 1, Room 
144, 1 Center Drive, Bethesda, MD 20892; and
     any Federal Records Center where records from this system 
of records are archived and stored.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records contained within this system will pertain to the 
following categories of individuals:
    1. Applicants for or Awardees of biomedical and behavioral research 
and development, training, career development, or loan repayment grant 
awards; cooperative agreement awards; and research and development 
contract awards;
    2. Individuals who are named in applications, or awards; or 
individuals named on NIH intramural projects; e.g., program directors, 
key personnel, trainees, collaborators, consultants;
    3. Peer Reviewers who review and provide evaluative input to the 
government about particular applications, in records such as reviewer 
critiques, preliminary or final individual overall impact/priority 
scores, and/or assignment of peer reviewers to an application;
    4. Referees who, in association with a particular trainee 
application, supply a reference or letter of recommendation for an 
applicant;
    5. Individual awardees and sub-awardees who are required to report 
inventions, patents, and utilization of subject invention(s) associated 
with NIH awards; and
    6. Academic medical faculty, medical students and resident 
physicians (e.g., faculty of Association of American Medical Colleges 
of member institutions).

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system will include a variety of pre-award and award 
management records that contain information needed to process 
applications and manage grant awards across the award lifecycle. Listed 
below are the categories of individuals mentioned above, matched with 
pre-award and award management records collected about them.
    1. Applicants for or Awardees of awards--pre-award and award 
management (awardees) information;
    2. Individuals named in applications, or awards--pre-award and 
award management (awardees) information;
    3. Referees--pre-award information;
    4. Peer Reviewers--pre-award information;
    5. Individuals required to report inventions, etc.--award 
management information; and,
    6. Academic medical faculty, medical students and resident 
physicians--award management information.
    Pre-award information includes the (1) application and related 
materials, and (2) documents related to the composition and function of 
chartered advisory committees (i.e., rosters). A record may consist of 
name, institution address, professional degree, demographic 
information, education and employment records and identifiers used by 
eRA Commons (i.e., user name and an IMPAC II system-assigned, unique 
personal identification number).
    Award management information consists of materials submitted in 
support of an award such as (1) recommendation letters; (2) peer review 
related information such as application scores, reviewer critiques, 
summary statements and express promises of confidentiality of any 
information concerning applications, scores, or critiques; (3) 
financial information such as obligated award amounts and awardee 
financial reports; (4) financial conflict of interest records; (5) 
inventions, utilization data, patent applications, and patents; (6) 
publications or other scholarly products reported as associated with 
awards; (7) reports related to management of awards; and (8) records 
and reports related to data querying, reporting, tracking, compliance, 
evaluation, audit, and communications activities. For the academic 
medical faculty category, records are used to support special studies, 
including research and policy evaluations and to complete biomedical 
workforce statistical reports and include (1) faculty name, (2) 
employing institution and institutional address; (3) degree and year 
obtained; (4) demographic information; (5) field of study; (6) 
appointment information; and (7) employment history. For the purpose of 
peer review, the eRA system contains limited information on loan 
repayment applications (which are managed through a different System of 
Records, NIH SORN 09-25-0165, Division of Loan Repayment Records) and 
research and development contract award information for purposes of 
complying with statutory requirements related to research and 
development awards at NIH such as reporting on the inclusion of 
minorities, women, and children in clinical research; obtaining 
approval for foreign grant components from the Department of State; and 
to satisfy research conditions, and disease categorization reporting 
requirements.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The legal authority to operate and maintain this Privacy Act 
records system is 42 U.S.C. 217a, 241, 242, 248, 281, 282, 284, 284a, 
285, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285k, 285l, 
285m, 285n, 285o, 285p, 285q, 285r, 285s, 285t, 286, 287, 287b, 287c-
21, 287d, 288, 35 U.S.C. 200-212, 48 CFR Subpart 15.3 and 37 CFR 401.1-
16.

PURPOSE:
    Records about individuals will be used within the agency for these 
purposes:
    1. To support NIH award programs and related processes, including 
(1) application preparation, receipt, referral, and assignment; (2) 
initial peer and council reviews; (3) award processing, funding, 
monitoring, and close-out; and (4) data querying,

[[Page 88692]]

reporting, tracking, compliance, evaluation, audit, and communications.
    2. To track individual trainees who receive support from NIH 
through grants such as fellowship or career awards or who are supported 
through institutional training grant awards. Included are individuals 
in training for research and development supported in an investigator's 
laboratory which has an NIH-funded award (e.g., R01); these trainees 
are defined as ``closely associated trainees''.
    3. To communicate matters related to agency award programs with (1) 
applicant organizations, including associated systems or system 
providers; (2) applicant persons such as the authorized institutional 
representatives, principal investigator(s), trainees, or foreign 
collaborators; (3) peer reviewers; or (4) other entities such as 
Congress; federal departments or agencies, non-federal agencies or 
entities, or the general public.
    4. To monitor the operation of review and award processes to detect 
and deal appropriately with any instances of real or apparent 
inequities.
    5. To provide mandated and other requested reports to Congress and 
in compliance with statutory, regulatory, and policy requirements.
    6. To maintain communication with former fellows and trainees who 
have incurred a payback obligation through the National Research 
Service Award Program and other federal research training programs.
    7. To maintain official administrative files of agency-funded 
research programs.
    8. To manage research portfolios.
    9. To document inventions, patents, and utilization data and 
protect the government's right to patents made with NIH support.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Records about an individual may be disclosed from this system of 
records to the following parties outside HHS, without the individual's 
prior written consent, for the following purposes:
    1. To a congressional office from the record of an individual in 
response to a written inquiry from the congressional office made at the 
written request of the individual.
    2. To the Department of Justice (DOJ) or to a court or other 
adjudicative body when:
     HHS or any component thereof or participating agencies; or
     any employee of HHS or participating agencies in the 
employee's official capacity; or
     any employee of HHS agencies in the employee's individual 
capacity where the DOJ, HHS, or the participating agency has agreed to 
represent the employee; or
     the United States,
    is a party to litigation or has a direct and substantial interest 
in the proceeding and the disclosure of such records is deemed by the 
agency to be relevant and necessary to the proceeding; provided, 
however, that in each case, it has been determined that the disclosure 
is compatible with the purpose for which the records were collected.
    3. When a record on its face, or in combination with other records, 
indicates a violation or potential violation of law, whether civil, 
criminal or regulatory in nature, and whether arising by general 
statute or particular program statute, or by regulation, rule, or order 
issued pursuant thereto, disclosure may be made to the appropriate 
public authority, whether federal, foreign, state, local, tribal, or 
otherwise responsible for enforcing, investigating, or prosecuting the 
violation or charged with enforcing or implementing the statute, rule, 
regulation, or order issued pursuant thereto, if the information 
disclosed is relevant to the enforcement, regulatory, investigative, or 
prosecutorial responsibility of the receiving entity.
    4. To appropriate federal agencies and HHS contractors, grantees, 
consultants, or volunteers who have been engaged by HHS to assist in 
the accomplishment of an HHS function relating to the purposes of this 
system of records and that need to have access to the records in order 
to assist HHS in performing the activity. Any contractor will be 
required to comply with the Privacy Act of 1974, as amended.
    5. To appropriate federal agencies and HHS contractors with a need 
to know the information for the purpose of assisting agency efforts to 
respond to a suspected or confirmed breach of the security or 
confidentiality of information maintained in this system of records, if 
the information disclosed is relevant and necessary for that 
assistance.
    6. To a party for a research purpose when NIH: (A) Has determined 
that the use or disclosure does not violate legal or policy limitations 
under which the record was provided, collected, or obtained; (B) has 
determined that the research purpose (1) cannot be reasonably 
accomplished unless the record is provided in individually identifiable 
form, and (2) warrants the risk to the privacy of the individual; (C) 
has required the recipient to (1) establish reasonable administrative, 
technical, and physical safeguards to prevent unauthorized use or 
disclosure of the record, (2) remove or destroy the information that 
identifies the individual at the earliest time at which removal or 
destruction can be accomplished consistent with the purpose of the 
research project, unless the recipient has presented adequate 
justification of the research, and (3) makes no further use or 
disclosure of the record except when required by law, and reports 
results of the research in de-identified or aggregate form; and (D) has 
secured a written statement attesting to the recipient's understanding 
of and willingness to abide by these provisions (i.e., signed data 
access agreement for system data) in which the data may relate to 
reports of the composition of biomedical and/or research and 
development workforce; authors of publications attributable to 
federally-funded awards; information made available through third-party 
systems as permitted by applicants or awardees for agency awards; 
information related to agency research integrity investigations; or 
award payment information reported to federal databases.
    7. A record from this system may be disclosed to a federal, 
foreign, state, local, tribal or other public authority of the fact 
that this system of records contains information relevant to the hiring 
or retention of an employee, the issuance or retention of a security 
clearance, the letting of a contract, or the issuance or retention of a 
license, grant or other benefit. The other agency or licensing 
organization may then make a request supported by the written consent 
of the individual for further information if it so chooses. HHS will 
not make an initial disclosure unless the information has been 
determined to be sufficiently reliable to support a referral to another 
office within the agency or to another federal agency for criminal, 
civil, administrative, personnel, or regulatory action.
    8. To qualified experts not within the definition of agency 
employees as prescribed in agency regulations or policies to obtain 
their opinions on applications for grants, CRADAs, inventions, or other 
awards as a part of the peer review process.
    9. To the National Archives and Records Administration (NARA), 
General Services Administration (GSA), or other federal government 
agencies pursuant to records management inspections conducted under the 
authority of 44 U.S.C. 2904 and 2906.
    NIH may also disclose information about an individual, without the 
individual's prior written consent, from

[[Page 88693]]

this system of records to parties outside HHS for any of the purposes 
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and 
(b)(4)-(11).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, 
SAFEGUARDING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored in various electronic media and paper form, and 
maintained under secure conditions in areas with limited and/or 
controlled access. Only authorized users whose official duties require 
the use of this information will have regular access to the records in 
this system. In accordance with established NIH, HHS and other federal 
security requirements, policies, and controls, records may also be 
located, maintained and accessed from secure servers wherever feasible 
or located on approved portable/mobile devices designed to hold any 
kind of digital data including, but not limited to laptops, tablets, 
PDAs, USB drives, media cards, portable hard drives, smartphones, 
optical storage (CDs and DVDs), and/or other mobile storage devices. 
Records are stored on portable/mobile storage devices only for valid 
business purposes and with prior approval.

RETRIEVABILITY:
    Records are retrieved by the name or other personal identifier 
(e.g., Commons user ID) of a subject individual.

ACCESSIBILITY:
    Authorized Users:
    Access is strictly limited according to the principle of least 
privilege which means giving a user only those privileges which are 
essential to that user's work.

SAFEGUARDS:
    Measures to prevent unauthorized disclosures are implemented as 
appropriate for each location or form of storage and for the types of 
records maintained. Safeguards conform to the HHS Information Security 
and Privacy Program, http://www.hhs.gov/ocio/securityprivacy/index.html. Site(s) implement personnel and procedural safeguards such 
as the following:
    Administrative Safeguards:
    Controls to ensure proper protection of information and information 
technology systems include, but are not limited to, the completion of a 
Security Assessment and Authorization (SA&A) package and a Privacy 
Impact Assessment (PIA) and mandatory completion of annual NIH 
Information Security and Privacy Awareness training or comparable 
specific in-kind training offered by participating agencies that has 
been reviewed and accepted by the NIH eRA Information Systems Security 
Officer (ISSO). The SA&A package consists of a Security Categorization, 
e-Authentication Risk Assessment, System Security Plan, evidence of 
Security Control Testing, Plan of Action and Milestones, Contingency 
Plan, and evidence of Contingency Plan Testing. When the design, 
development, or operation of a system of records on individuals is 
required to accomplish an agency function, the applicable Privacy Act 
Federal Acquisition Regulation (FAR) clauses are inserted in 
solicitations and contracts.
    Physical Safeguards:
    Controls to secure the data and protect paper and electronic 
records, buildings, and related infrastructure against threats 
associated with their physical environment include, but are not limited 
to, the use of the HHS Employee ID and/or badge number and NIH key 
cards, security guards, cipher locks, biometrics, and closed-circuit 
TV. Paper records are secured under conditions that require at least 
two locks to access, such as in locked file cabinets that are contained 
in locked offices or facilities. Electronic media are kept on secure 
servers or computer systems.
    Technical Safeguards:
    Controls executed by the computer system are employed to minimize 
the possibility of unauthorized access, use, or dissemination of the 
data in the system. They include, but are not limited to user 
identification, password protection, firewalls, virtual private 
network, encryption, intrusion detection system, common access cards, 
smart cards, biometrics and public key infrastructure.
    Alleged or Confirmed Security Incidents:
    The NIH will report and take action to remediate security incidents 
involving the unauthorized access or disclosure of personally 
identifiable and sensitive information according to applicable law, 
regulations, OMB guidance, HHS and NIH policies.

RETENTION AND DISPOSAL:
    Records are retained and disposed of in accordance with the NIH 
Records Control Schedule contained in NIH Manual Chapter 1743, 
``Keeping and Destroying Records,'' which provides these disposition 
periods:
     Item E-0001 (DAA-0443-2013-0004-0001)--Official case files 
of construction, renovation, endowment and similar grants.
    Disposition: Temporary. Cut off annually following completion of 
final grant-related activity that represents closing of the case file 
(e.g., project period ended). Destroy 20 years after cut-off;
     Item E-0002 (DAA-0443-2013-0004-0002)--Official case files 
of funded grants, unfunded grants, and award applications, appeals and 
litigation records.
    Disposition: Temporary. Cut off annually following completion of 
final grant-related activity that represents closing of the case file 
(e.g., end of project period, completed final peer review, litigation 
or appeal proceeding concluded). Destroy 10 years after cut-off;
     Item E-0003 (DAA-0443-2013-0004-0003)--Animal welfare 
assurance files.
    Disposition: Temporary. Cut off annually following closing of the 
case file. Destroy 4 years after cut-off; and,
     Item E-0004 (DAA-0443-2013-0004-0004)--Extramural program 
and grants management oversight records.
    Disposition: Temporary. Cut off annually. Destroy 3 years after 
cut-off.
    Refer to the NIH Manual Chapter for specific retention and 
disposition instructions: http://www1.od.nih.gov/oma/manualchapters/management/1743.

SYSTEM MANAGER AND ADDRESS:
    OER Privacy Coordinator, Office of Extramural Research (OER), 
Office of the Director (OD), National Institutes of Health (NIH), 1 
Center Drive, Room 144, Bethesda, MD 20814.

NOTIFICATION PROCEDURE:
    Certain material will be exempt from notification; however, 
consideration will be given to all notification requests addressed to 
the System Manager. Any individual who wants to know whether this 
system of records contains a record about him or her must make a 
written request to the System Manager identified above. The requester 
should provide either a notarization of the request or a written 
certification that the requester is who he or she claims to be and 
understands that the knowing and willful request of a record pertaining 
to an individual under false pretenses is a criminal offense under the 
Privacy Act, subject to a five thousand dollar fine. The request should 
include the requester's full name and address, and should also include 
the following information, if known: The approximate date(s) the 
information was collected, the type(s) of information collected, and 
the office(s) or official(s) responsible for the collection of 
information.

[[Page 88694]]

RECORD ACCESS PROCEDURE:
    Certain material will be exempt from access; however, consideration 
will be given to all access requests addressed to the System Manager. 
To request access to a record about you, write to the System Manager 
identified above, and provide the information described under 
``Notification Procedure''. Individuals may also request an accounting 
of disclosures that have been made of their records, if any.

CONTESTING RECORD PROCEDURE (REDRESS):
    Certain material will be exempt from amendment; however, 
consideration will be given to all amendment requests addressed to the 
System Manager. To contest information in a record about you, write to 
the System Manager identified above, reasonably identify the record and 
specify the information being contested, state the corrective action 
sought and the reason(s) for requesting the correction, and provide 
supporting information. The right to contest records is limited to 
information that is factually inaccurate, incomplete, irrelevant, or 
untimely (obsolete).

RECORD SOURCE CATEGORIES:
    Information in records retrieved by a particular individual's 
identifier will be obtained directly from that individual or from other 
individuals and entities named in, contacted about, or involved in 
processing the records, including applicant institutions; NIH and 
customer agency acquisition personnel; educational, trainee and awardee 
institutions; and third parties that provide references or 
recommendations concerning the subject individual.

SYSTEM EXEMPTED FROM CERTAIN PROVISIONS OF THE PRIVACY ACT:
    Pursuant to 5 U.S.C. 552a(k)(5), the following subset of records in 
this system of records qualifies as investigatory material compiled 
solely for the purpose of determining suitability, eligibility, or 
qualifications for federal contracts, and will be exempted from the 
Privacy Act requirements pertaining to providing an accounting of 
disclosures, access and amendment, and notification (5 U.S.C. 552a 
(c)(3) and (d)):

    Material that would inappropriately reveal the identities of 
referees who provide letters of recommendation and peer reviewers who 
provide written evaluative input and recommendations to NIH about 
particular funding applications under an express promise by the 
government that their identities in association with the written work 
products they authored and provided to the government will be kept 
confidential; this includes only material that would reveal a 
particular referee or peer reviewer as the author of a specific work 
product (e.g., reference or recommendation letters, reviewer critiques, 
preliminary or final individual overall impact/priority scores, and/or 
assignment of peer reviewers to an application and other evaluative 
materials and data compiled by NIH/OER); it includes not only an 
author's name but any content that could enable the author to be 
identified from context.

    The exemptions will be effective upon publication of a final rule 
in the Federal Register, promulgating the exemptions as an amendment to 
HHS' Privacy Act regulations at 45 CFR 5b.11. To the extent that 
records in System No. 09-25-0225 are retrieved by personal identifiers 
for individuals other than referees and peer reviewers (for example, 
individual funding applicants, and other individuals who are the 
subject of assessment or evaluation), the exemptions will enable the 
agency to prevent, when appropriate, those individual record subjects 
from having access to, and other rights under the Privacy Act with 
respect to, the above-described confidential source-identifying 
material in the records.

[FR Doc. 2016-29059 Filed 12-7-16; 8:45 am]
 BILLING CODE 4140-01-P