83 FR 11489 - Privacy Act of 1974; New System of Records

DEPARTMENT OF AGRICULTURE

Federal Register Volume 83, Issue 51 (March 15, 2018)

In accordance with the Privacy Act of 1974, as amended, the Department of Agriculture (USDA) proposes a new Food Safety and Inspection Service (FSIS) system of records entitled: USDA/FSIS-0004, Public Health Information System (PHIS). PHIS is a Web-based system that collects information generated from FSIS inspection, compliance verification, notification and monitoring activities regarding the slaughter, processing, import and export of meat, and poultry and egg products. Within PHIS, FSIS maintains contact and other identifying information about employees and contractors of USDA, government officials, representatives of regulated establishments, and third parties.

[Federal Register Volume 83, Number 51 (Thursday, March 15, 2018)]
[Notices]
[Pages 11489-11492]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-05280]


-----------------------------------------------------------------------

DEPARTMENT OF AGRICULTURE

[Docket No. FSIS-2015-0015]


Privacy Act of 1974; New System of Records

AGENCY: Food Safety and Inspection Service, U.S. Department of 
Agriculture.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, the 
Department of Agriculture (USDA) proposes a new Food Safety and 
Inspection Service (FSIS) system of records entitled: USDA/FSIS-0004, 
Public Health Information System (PHIS). PHIS is a Web-based system 
that collects information generated from FSIS inspection, compliance 
verification, notification and monitoring activities regarding the 
slaughter, processing, import and export of meat, and poultry and egg 
products. Within PHIS, FSIS maintains contact and other identifying 
information about employees and contractors of USDA, government 
officials, representatives of regulated establishments, and third 
parties.

DATES: Applicable date: April 16, 2018. Written comments must be 
received on or before the above date. The proposed system will be 
adopted on the above date, without further notice, unless it is 
modified in response to comments, in which case the notice will be re-
published.

ADDRESSES: Send written comments to: Docket Clerk, FSIS, Patriots Plaza 
3, 355 E Street SW, Mailstop 3782, Room 8-163B, Washington, DC 20250-
3700 or fax to (202) 245-4793. Comments may also be posted on: https://www.regulations.gov/. All comments must include the Agency's name and 
docket number, FSIS-2015-0015, and will be publicly posted, including 
any personal information submitted, on https://www.regulations.gov. 
Docket: To obtain a copy of, or to view, the docket, visit FSIS Docket 
Room, Patriots Plaza 3, 355 E Street SW, Room 164-A, Washington, DC 
20250-3700, 8:00 a.m. to 4:30 p.m., Monday to Friday.

FOR FURTHER INFORMATION CONTACT: Roberta Wagner, Assistant 
Administrator, Office of Policy and Program Development (OPPD), FSIS, 
Room 350-E, Jamie Whitten Building, 1400 Independence Ave. SW, 
Washington, DC 20250, or Neal Westgerdes, PHIS System Owner/Manager, 
OPPD, FSIS, Room 2925-South, 1400 Independence Ave. SW Washington, DC 
20250, (202) 205-4233.
    For Privacy Questions: Marj Leaming, USDA Privacy Officer, Policy, 
E-Government and Fair Information Practices, Office of the Chief 
Information Officer, USDA, 1400 Independence Ave. SW, Room 450-W, 
Washington, DC 20250; telephone 202-205-0926.

SUPPLEMENTARY INFORMATION: The Privacy Act requires agencies to publish 
in the Federal Register (FR) a notice of any new or revised system of 
records. A ``system of records'' is a group of any records under the 
control of an agency from which information is retrievable by the name 
of the individual or by some unique identifier assigned to the 
individual. USDA is proposing to establish a new system of records, 
entitled USDA/FSIS-04, Public Health Information System (PHIS). The 
primary purpose of PHIS is to collect information gathered by USDA 
Personnel from their inspection, compliance verification and 
notification activities at regulated establishments, and to assess data 
entered by Business Personnel. PHIS enhances USDA's ability to predict 
hazards and vulnerabilities in the food supply and thus prevent or 
mitigate food safety-related threats to the public health in a timely 
manner. Additionally, in regard to imports and exports, PHIS provides 
USDA and other domestic and foreign regulatory authorities with 
information to monitor the movement of meat, poultry and egg products 
in advance of a shipment's arrival.
    USDA grants PHIS access to and collect information from the 
following user groups: (1) Employees and contractors of USDA (``USDA 
Personnel''); (2) government officials (domestic and foreign) (``Other 
Government Officials''); and (3) representatives of the regulated 
establishments and businesses, such as importers and exporters of food 
products, who require access to PHIS (``Business Personnel''). PHIS 
collects from all three user groups basic identifying contact 
information. The system also collects identifying information about 
individuals who are not PHIS users, but whose names may appear in 
records entered by a user, for contact purposes.
    PHIS obtains and stores the identifying information for USDA 
Personnel, including: the user's and supervisor's full names, titles, 
duty stations, business contact information, assigned PHIS role(s), and 
USDA eAuthentication numbers. This information is used for contacting 
personnel, shipping documents and supplies, inspection assignment 
scheduling and for security and access control purposes. In addition to 
this basic identifying contact information, the system receives 
employee profile information for USDA Personnel from the National 
Finance Center, including, but not limited to: Social security numbers 
(stored in masked formats); hire dates; organizational level; pay plan; 
and locality and pay code. This employee profile data are used to 
verify USDA Personnel employment status.
    For Other Government Officials and Business Personnel, the system 
collects information including the name and title of the user, business 
contact information, and PHIS roles and USDA eAuthentication 
information. From Business Personnel, it collects the user's entity 
name and associated business or tax identification numbers, as 
applicable. Only basic contact information is collected about 
individuals who are not PHIS users, but whose names appear in records 
entered by a user.
    USDA Personnel enter records in connection with their inspection, 
compliance verification, and notification activities at regulated 
establishments. The records entered by Other Government Officials 
include documents concerning the equivalence of foreign inspection 
systems, documents concerning State program inspection verification and 
activities, responses to USDA decisions, and requests for information 
from USDA. Business Personnel enter records in connection with, or in 
response to, USDA Personnel's activities and decisions, and requests 
for services from USDA. Examples include records supporting compliance 
with FSIS regulations, such as applications for

[[Page 11490]]

export certificates and Meat and Poultry Export Certificate of 
Wholesomeness, as well as appeals of USDA compliance decisions 
regarding regulated establishments and products.
    A Privacy Impact Assessment is posted on https://www.usda.gov/wps/portal/usda/usdahome?navid=PRIVACY_POLICY_ES.
    No Privacy Act exemption is claimed.
    In accordance with the Privacy Act, as implemented by the Office of 
Management and Budget (OMB) Circular A-108, USDA has provided a report 
of this proposed new system of records to the Chair of the Committee on 
Homeland Security and Governmental Affairs, United States Senate; the 
Chair of the Committee on Oversight and Government Reform, House of 
Representatives; and the Administrator of the Office of Information and 
Regulatory Affairs, OMB.

    Done in Washington, DC, March 12, 2018.
Paul Kiecker,
Acting Administrator.
SYSTEM NAME AND NUMBER
    Public Health Information System (PHIS), USDA/FSIS-04.

Security Classification:
    Unclassified.

System Location:
    USDA National Information Technology Center (NITC), 8930 Ward 
Parkway, Kansas City, MO, 64114, and NITC, 4300 Goodfellow Blvd., St. 
Louis, MO 63120.

System Manager:
    PHIS System Owner, Office of Policy and Program Development Food 
Safety and Inspection Service, USDA, Room 2925-South, 1400 Independence 
Ave. SW, Washington, DC 20250. (202) 205-4233.

Authority for Maintenance of the System:
    Poultry Products Inspection Act (21 U.S.C. 451 et seq.); Federal 
Meat Inspection Act (21 U.S.C. 601 et seq.); Egg Products Inspection 
Act (21 U.S.C. 1031 et seq.); Humane Methods of Livestock Slaughter Act 
of 1978 (7 U.S.C. 1901-1906); Authority to Operate (ATO), dated 03/23/
2017.

Purpose of the System:
    The primary role of this Web-based electronic system is to assist 
FSIS in accomplishing its food safety mission of conducting inspections 
and compliance verification activities at regulated establishments to 
confirm that meat, poultry and egg products are safe, wholesome, not 
adulterated, and correctly labeled, packaged and distributed. 
Supplementary purposes include the verification of product eligibility 
for moving in and out of the United States.
    PHIS maintains FSIS inspection, compliance verification and 
sampling program results and business profile information. PHIS also 
maintains data about State and foreign food safety programs. PHIS 
maintains information about individuals: to allow users access to the 
system; to schedule and assess inspection and compliance verification 
activities; to track requests for USDA services; and to allow responses 
to appeal of USDA Personnel's decisions.

Categories of Individuals Covered by the System:
    All individuals granted access to the PHIS are covered: (1) 
Employees and contractors of USDA (``USDA Personnel''); (2) government 
officials (domestic and foreign) (``Other Government Officials''); and 
(3) representatives of the regulated establishments and businesses, 
such as importers and exporters of food products, who require access to 
PHIS (``Business Personnel''). All individuals, even if they are not 
users of the PHIS, who are mentioned or referenced in any documents 
entered into PHIS by a user are also covered. This group may include, 
but is not limited to: Plant workers, vendors, agents, and 
interviewees.

Categories of Records in the System:
    PHIS obtains and stores identifying information for the three 
categories of individuals as follows:
    For USDA Personnel, PHIS stores the user's and supervisor's full 
names, titles, duty stations, business contact information, assigned 
PHIS role(s) and eAuthentication numbers. This information is used for 
contacting personnel, shipping documents and supplies, inspection 
assignment scheduling and for security and access control purposes. In 
addition to this basic identifying contact information, the system 
receives employee profile information for USDA Personnel from the 
National Finance Center, including, but not limited to: Social security 
numbers (stored in masked formats); hire dates; organizational level; 
pay plan; and locality and pay code. This employee profile data is used 
to verify USDA Personnel employment status.
    For Other Government Officials and Business Personnel, the system 
collects information including the name and title of the user, business 
contact information, PHIS roles and e-Authentication information. From 
Business Personnel, it also collects the user's entity name and 
associated business or tax identification numbers, as applicable. Only 
basic contact information is collected about individuals who are not 
PHIS users, but whose names appear in records entered by a user.

Records Source Categories:
    Basic identifying contact information of all user groups (USDA 
Personnel, Other Government Officials and Business Personnel) is 
obtained directly from the user. In addition, employment verification 
information about USDA Personnel is obtained from the NFC through a 
secure data feed.
    Records entered by USDA Personnel or Other Government Officials in 
connection with their official duties are obtained directly from them.
    Business Personnel records, including appeals, requests for 
services and requests for grants of inspection or updates to their 
entities' business profiles, are entered into PHIS directly by Business 
Personnel or are given in paper form to USDA Personnel for input into 
PHIS on behalf of the Business Personnel. Business records can also be 
obtained from a foreign country's Central Competent Authority 
(``CCA'').
    USDA Personnel can also obtain some types of information about the 
other groups of users from USDA's electronic interface with other 
Federal agencies involved in tracking cross-border movement of the 
regulated establishments' products, including but not limited to the 
U.S. Customs and Border Protection Automated Commercial Environment 
(ACE). Business records from foreign countries are obtained from the 
respective foreign officials and typically, the CCA assigned the 
responsibility for maintaining a country's food safety systems reports 
in PHIS. Information about third parties referenced in the records 
entered by a user is obtained directly from the user entering or 
modifying the record.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and the Purposes of Such Uses:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act of 1974, all or a portion of the records or 
information contained in this system may be disclosed outside of USDA 
as a routine use under 5 U.S.C. 552a(b)(3), as follows:
    1. To the U.S. Department of Justice (DOJ) or other Federal agency 
conducting litigation or in proceedings before any court, adjudicative 
or administrative body, when it is

[[Page 11491]]

necessary for the litigation and one of the following is a party to the 
litigation or has an interest in the litigation:
    a. USDA or any component thereof;
    b. Any employee of USDA in his/her official capacity;
    c. Any employee of USDA in his/her individual capacity where DOJ or 
USDA has agreed to represent the employee; or
    d. The United States or any agency thereof and if the USDA 
determines that the records are both relevant and necessary to the 
litigation and the use of such records is compatible with the purpose 
for which USDA collected the records.
    2. To a Congressional office from the record of an individual in 
response to an inquiry from that Congressional office made at the 
written request of the individual to whom the record pertains.
    3. To the National Archives and Records Administration (NARA) or 
other Federal government agencies pursuant to records management 
inspections being conducted under the authority of 44 U.S.C. 2904 and 
2906.
    4. To an agency, organization, or individual for the purpose of 
performing audit or oversight operations as authorized by law, but only 
such information as is necessary and relevant to such audit or 
oversight function. This would include, but not be limited to, the 
Comptroller General or any of his authorized representatives in the 
course of the performance of the duties of the Government 
Accountability Office, or USDA's Office of the Inspector General or any 
authorized representatives of that office.
    5. To appropriate agencies, entities, and persons when:
    a. USDA suspects or has confirmed that there has been a breach of 
the system of records;
    b. USDA has determined that as a result of the suspected or 
confirmed breach, there is a risk of harm to individuals, USDA 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and
    c. the disclosure made to such agencies, entities, and persons is 
reasonably necessary to assist in connection with USDA's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm; and
    6. To contractors and their agents, grantees, experts, consultants, 
and others performing or working on a contract, service, grant, 
cooperative agreement, or other assignment for USDA, when necessary to 
accomplish an agency function related to this system of records. 
Individuals who provided information under this routine use are subject 
to the same Privacy Act requirements and limitations on disclosure as 
are applicable to USDA officers and employees.
    7. To an appropriate Federal, State, tribal, local, international, 
or foreign law enforcement agency or other appropriate authority 
charged with investigating or prosecuting a violation or enforcing or 
implementing a law, rule, regulation, or order, where a record, either 
on its face or in conjunction with other information, indicates a 
violation or potential violation of law, which includes criminal, 
civil, or regulatory violations, and such disclosure is proper and 
consistent with the official duties of the person making the 
disclosure.
    8. To an appropriate Federal, State, tribal, local, international, 
or foreign law enforcement agency or appropriate authority responsible 
for protecting public health, preventing or monitoring disease or 
illness outbreaks, or ensuring the safety of the food supply. This 
includes the Department of Health and Human Services and its agencies, 
including the Centers for Disease Control and Prevention and the Food 
and Drug Administration, other Federal agencies, and State, tribal, and 
local health departments.
    9. To another federal agency or federal entity when USDA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs and operations), the federal 
government or national security, resulting from a suspected or 
confirmed breach.

Policies and Practices for Storage of Records:
    The system includes a database, electronic documents and paper 
records. The storage for the database records is a dedicated virtual 
server located in the USDA NITC facility in Kansas City, MO. Duplicate 
records are maintained at the USDA NITC facility in St. Louis, MO. The 
primary storage for the electronic documents is a records management 
system managed and hosted by USDA at their Enterprise Data Centers. 
Paper records are maintained in the USDA offices where they were 
created. Records backup storage is maintained by NITC Personnel in a 
virtual tape library at the USDA NITC facility in Kansas City, MO. 
Copies of the backup records are maintained at the USDA NITC facility 
in St. Louis, MO. Each USDA laboratory stores data in the local 
internal storage on each server. Paper records from establishments that 
do not wish to use the Web-based PHIS, and communication records, such 
as PHIS-related emails, are stored in a dedicated, secured location at 
FSIS field offices to which USDA Personnel are assigned.

Policies and Practices for Retrieval of Records:
    Retrieval is by user profile object information, which is created 
during the user authorization process and includes the following data 
elements: User identification, role, permission, organization 
identification, and assigned place of work. Information can also be 
retrieved by a unique eAuthentication identification number assigned to 
all users.

Policies and Practices for Retention and Disposal of Records:
    A master file backup is created at the end of the calendar year and 
maintained in St. Louis, MO. The St. Louis offsite storage site is 
located approximately 250 miles from the primary data facility and is 
not susceptible to the same hazards.

Administrative, Technical, and Physical Safeguards:
    Records in this system are safeguarded by restricting 
accessibility, in accordance with USDA security and access policies. 
The safeguarding includes: Firewall(s), network protection, and an 
encrypted password. All users are assigned a level of role-based 
access, which is strictly controlled and granted through USDA-approved, 
secure application (Level 2 eAuthentication) after the user 
successfully completes Government National Agency Check with Inquiries 
(NACI). Controls are in place to preclude anonymous usage and browsing.

Records Access Procedures:
    Any individual may request a copy of records in PHIS by submitting 
a written request, with reasonable specificity, to FSIS Freedom of 
Information Act (FOIA) Office at: 1400 Independence Ave. SW, Room 2168-
South, Mail Stop No. 3713, Washington, DC 20250. Under the Privacy Act 
(PA), 5 U.S.C. 552a, an individual United States citizen or legal 
permanent resident may seek access to records that are retrieved by 
his/her own name or other personal identifier, such as social security 
number or employee identification number. Such records will be made 
available unless they fall within the exemptions of the PA and the 
FOIA. Your Privacy Act request for records must be in writing and 
addressed to the FOIA office. For

[[Page 11492]]

more information about how to make a FOIA or a Privacy Act request to 
obtain records, please see: http://www.fsis.usda.gov/wps/portal/footer/policies-and-links/freedom-of-information-act/foia-requests
    An individual United States citizen or legal permanent resident may 
also seek to correct or to amend his or her own records in PHIS that 
are retrieved by name or other personal identifier, such as one's 
social security number (SSN) or employee number. Such Privacy Act 
requests for correction or amendment will be processed in accordance 
with applicable legal requirements and exemptions under the governing 
regulations and statutes such as the FOIA, 5 U.S.C. 552, the PA, 5 
U.S.C. 552a, and 7 CFR part 1, subpart G.

Contesting Records Procedures:
    See ``Records Access Procedures'' above.

Notification Procedures:
    See ``Records Access Procedures'' above.

Exemptions Promulgated for the System:

    None.

[FR Doc. 2018-05280 Filed 3-14-18; 8:45 am]
 BILLING CODE 3410-DM-P