Privacy Act System Notice 09-20-0169

This page contains several links to PDF files which may require a browser plug-in to view correctly. If you do not have the most recent version of Adobe Acrobat Reader, or are having difficulty viewing the PDF, download the plug-in here.

System name: Users of Health Statistics. HHS/CDC/NCHS.

Security classification: None.

System location: National Center for Health Statistics, Coordinating Center for Health Information and Service (CCHIS), Prince George’s Metro IV Bldg., Room 7209, Centers for Disease Control and Prevention, 3311 Toledo Road, Hyattsville, MD 20782.

Categories of individuals covered by the system: Persons who are past, present, or potential users of health statistics and would therefore have special interests in the programs conducted by the National Center for Health Statistic (NCHS), such as: (1) persons who subscribe to NCHS publication series; (2) persons who purchase NCHS public use data tapes or publications; (3) persons who contact NCHS to request data or information on health statistics; (4) persons who attend health statistics conferences; and (5) persons known from their publications or otherwise to have a research, legislative, policy, or administrative interest in data produced by NCHS.

Categories of records in the system: This system consists of information relating to the professional interests of health statistics users, such as their: name, address, position, organization, education, memberships in professional organizations, special committee and task force assignments, offices held in organizations, publications, health statistics meetings attended, uses made of health statistics, health statistics projects, purchases of NCHS tapes or publications, and expressions of interest and concern about health statistics.

Authority for maintenance of the system: Public Health Service Act, Section 308(g)(2) (42 U.S.C. 242m(g)(2)), which authorizes the Secretary to take necessary action to assure that appropriate, high quality data are disseminated on as wide a basis as is practicable.

Purpose(s): NCHS uses the data in determining how improvements can be made in: (1) the content and methodology of its data programs; (2) its data publications; (3) dissemination of health statistics; and (4) meetings or other means for soliciting users' concerns and knowledge sharing.

Routine uses of records maintained in the system, including categories of users and the purposes of such uses: The Department occasionally contracts with a private firm for the purpose of conducting surveys or collecting, analyzing, aggregating, otherwise refining, or evaluating data in this system. Relevant records are disclosed to such a contractor. The contractor is required to maintain Privacy Act safeguards with respect to such records.

Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

The Department of Health and Human Services (HHS) may disclose information from this system of records to the Department of Justice, or to a court or other tribunal, when: (a) HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has an interest in such litigation, and HHS determines that the use of such records by the Department of Justice, the court or other tribunal is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected.

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

Storage: The information is contained on paper records, computer tapes and disks, and CD-roms.

Retrievability: Information is retrieved by name, and may also be retrieved by unique identifying number, address, specialty, and other identifying characteristics.

Safeguards: Measures to prevent unauthorized disclosures are implemented as appropriate for the particular records maintained in each project. NCHS and its contractors implement personnel, physical, and procedural safeguards such as follows:

1. Authorized Users: Employees who maintain records in this system are instructed to grant regular access only to authorized contractor personnel, the NCHS Project Officer, and NCHS employees whose job duties require the use of such information. One-time and special access to the data is controlled by the system manager, the NCHS Project Officer, and the Contract and/or Project Director. Furthermore, all employees of NCHS and contractor personnel with access to NCHS records are required, as a condition of employment, to sign an affidavit binding them to nondisclosure of identifiable individuals' information.

2. Physical Safeguards: Records are stored in locked files or secured areas. Computer workstations are in secured areas. Building security in Hyattsville, MD includes the use of identification badges by employees and a card key system used to enter NCHS occupied space.

3. Procedural Safeguards: Protection for computerized records both on the mainframe and the National Center Local Area Network (LAN) includes programmed verification of valid user identification code and password prior to logging on to the system, mandatory password changes, limited log-ins, virus protection, and user rights/file attribute restrictions. Password protection imposes user name and password log-in requirements to prevent unauthorized access. Each user name is assigned limited access rights to files and directories at varying levels to control file sharing. There are routine daily backup procedures and secure off-site storage is available for backup tapes. Additional safeguards may be built into the program by the system analyst as warranted by the sensitivity of the data.

Contractors who maintain records in this system are instructed to make no further disclosure of the records except as authorized by the system manager and permitted by the Privacy Act. Privacy Act requirements are specifically included in contracts for research activities related to this system. The HHS Project Directors, contract officers, and project officers oversee compliance with these requirements.

4. Implementation Guidelines: The safeguards outlined above are in accordance with the HHS Information Security Program Policy and FIPS Pub 200, “Minimum Security Requirements for Federal Information and Information Systems,” and the NCHS Staff Manual on Confidentiality. Data maintained on CDC’s Mainframe and the National Center LAN are in compliance with OMB Circular A-130, Appendix III. Security is provided for information collection, processing, transmission, storage, and dissemination in general support systems and major applications.

Retention and disposal: Records are retained and disposed of in accordance with the CDC Records Control Schedule for NCHS records. Records are retained for various periods of time depending upon how useful they are considered to be, in accordance with NCHS policy. Some records of users may be maintained indefinitely. Disposal methods include burning or shredding hard copy and erasing computer tapes and disks.

System manager(s) and address: Director, National Center for Health Statistics, CCHIS,  Prince George’s Metro IV Bldg., Rm. 7209, MS P08, Centers for Disease Control and Prevention, 3311 Toledo Road, Hyattsville, MD 20782.

Notification procedure: To determine if a record exists, write to the system manager. Information needed consists of name and address of the individual.

Record access procedures: Same as notification procedures. Requesters should also reasonably specify the record contents being sought. Positive identification is required from anyone seeking access. An individual may also request an accounting of disclosures of his or her record, if any.

Contesting record procedures: Write to the official at the address specified under notification procedures above, and reasonably identify the record and specify the information being contested, the corrective action sought, and your reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

Record source categories: Records may be obtained from: (1) order forms for publications or public use data tapes; (2) mailing lists; (3) registration forms of meetings; (4) author information in books and journals; (5) reference citations; and (6) reports of colleagues.

Systems exempted from certain provisions of the act: None.

[Federal Register: November 24, 1986 (Volume 51, Number 226)] [Notices] [Page 42371-42372] (PDF - 593 Kb)