[Federal Register Volume 60, Number 197 (Thursday, October 12, 1995)]
[Notices]
[Pages 53188-53191]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-25310]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Public Health Service
Food and Drug Administration; Privacy Act of 1974; New System of
Records
AGENCY: Public Health Service, HHS.
ACTION: Notification of a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act, the
Public Health Service (PHS) is publishing a notice of a proposal to
establish a new system of records, 09-10-0019, ``Mammography Quality
Standards Act (MQSA) Training Records, HHS/FDA/CDRH.'' The purpose of
the system is to provide the Food and Drug Administration (FDA) with
information about the training and certification of inspectors of
mammography facilities. We are also proposing routine uses for this new
system.
DATES: PHS invites interested parties to submit comments on the
proposed internal and routine uses on or before November 21, 1995. PHS
has sent a report of a New System to the Congress and to the Office of
Management and Budget (OMB) on August 31, 1995. This system of records
will be effective 40 days from the date submitted to OMB unless PHS
receives comments on the routine uses which would result in a contrary
determination.
ADDRESSES: Please submit comments to: FDA Privacy Act Coordinator (HFI-
30), Food and Drug Administration, 5600 Fishers Lane, Room 12A-30,
Rockville, MD 20857, (301) 443-1813.
Comments received will be available for inspection at this same
address from 9 a.m. to 4 p.m., Monday through Friday.
[[Page 53189]]
FOR FURTHER INFORMATION CONTACT:
Director, Division of Mammography Quality and Radiation Programs (HFZ-
240), Office of Health and Industry Programs, Center for Devices and
Radiological Health, Food and Drug Administration, 1350 Piccard Drive,
Rockville, MD 20850, (301) 594-3332.
The numbers listed above are not toll free.
SUPPLEMENTARY INFORMATION: The Food and Drug Administration proposes to
establish a New System of Records: 09-10-0019, ``Mammography Quality
Standards Act (MQSA) Training Records, HHS/FDA/CDRH.'' This system of
records will be used to provide FDA with information about the
training, certification, and recertification of MQSA inspectors for the
purpose of implementing the Mammography Quality Standards Act of 1992.
The system will be comprised of records that contain the names,
dates of birth, education, professional experience, employment
addresses, dates of mammography training, test scores, and an analysis
of those scores, dates of certification of the inspectors, dates of
renewal or withdrawal of certification, and evaluations of the
inspectors' field performances (records of complaints received and how
the complaints were resolved.) The amount of information recorded on
each individual will be only that which is necessary to accomplish the
purpose of the system. Records must be retrieved by individual name for
effective monitoring of training, certification, recertification, and
withdrawal of certification. Each record is established from a one-page
data sheet which is completed by each student. Records of test scores,
dates of renewal or withdrawal of certification, and an evaluation of
inspector's field performance are added as the information becomes
available.
The records in this system will be maintained in a secure manner
compatible with their content and use. FDA staff will be required to
adhere to the provisions of the Privacy Act and the HHS Privacy Act
Regulations. Only authorized users whose official duties require the
use of such information will have regular access to the records in this
system. Authorized users are FDA employees and contractors responsible
for training the individuals who will inspect mammography facilities,
and personnel in the Division of Mammography Quality and Radiation
Programs (DMQRP) who will compile and analyze the test and personal
data of the students.
All records (such as diskettes, computer listings, or documents)
are kept in a secured area, locked rooms, and locked building. The
facility has 24-hour guard service, and access to the building is
further controlled by an operational card key system. Access to
individual offices is controlled by simplex locks. Manual and
computerized records will be maintained in accordance with the
standards of Chapter 45-13 of the HHS General Administration Manual,
``Safeguarding Records Contained in Systems of Records,'' supplementary
Chapter PHS hf: 45-13 of the Department's General Administration
Manual, and the Department's Automated Information Systems Security
Handbook.
Users will receive regular training in information systems security
for this application and in accordance with the Privacy Act. Users will
be required to sign an agreement indicating their cooperation with FDA
systems security and Privacy Act policies.
Data stored in computers will be accessed through the use of
regularly expiring passwords and individual IDS known only to
authorized users. All users will be assigned specific levels of
database control based on their needs and authority. All uses of valid
IDS and passwords will be monitored. Upon job change, the user's
authorization will be reviewed and updated as necessary. All changes to
data, as well as the time of change and the user's ID, will be captured
in a file as part of the database design. The system's intrusion
alarms, which list all logins and their source, will be monitored daily
by the Information Systems Security Officer. All systems in support of
this database are under the control of CDRH and meet the same security
standards.
The routine uses proposed for this system are compatible with the
stated purposes of the system. The first routine use proposed for this
system, permitting disclosure to a congressional office, allows subject
individuals to obtain assistance from their representatives in
Congress, should they so desire. Such disclosure would be made only
pursuant to a request of the individual. The second routine use allows
disclosure to the Department of Justice or a court in the event of
litigation. The third routine use allows disclosure to be made to the
individual's supervisor since MQSA inspections will be a significant
part of many inspectors' jobs; therefore, performance in the training
courses is an important element of information to help the supervisor
determine employee assignments as well as the level of supervision
needed. The fourth routine use allows disclosure to be made to
contractors for the purpose of processing or refining records in the
system.
The following notice is written in the present, rather than future
tense, in order to avoid the unnecessary expenditure of public funds to
republish the notice after the system has become effective.
Dated: October 2, 1995.
Ellen Wormser,
Director, Office of Organization and Management Systems.
09-10-0019
Mammography Quality Standards Act (MQSA) Training Records, HHS/FDA/
CDRH.
None.
Division of Mammography Quality and Radiation Programs (HFZ-240),
Center for Devices and Radiological Health, 1350 Piccard Drive,
Rockville, Maryland 20850. A current list of contractor sites is
available by writing to the system manager, indicated below, at this
address.
All individuals who receive training for the purpose of
implementing the Mammography Quality Standards Act of 1992; individuals
who successfully complete the training will become certified to conduct
inspections and audits of mammography facilities.
Contains name; date of birth; education; professional experience;
employment address; dates of mammography training; participant's test
scores, class grades, and an analysis of those scores; date of
certification of the inspector; dates of renewal or withdrawal of
certification; and an evaluation of the inspector's field performance
(records of complaints received and how the complaints were resolved).
Pub. L. 102-539, the Mammography Quality Standards Act (MQSA) of
1992 (42 U.S.C. 263b).
To provide the Food and Drug Administration (FDA) with information
about the training, certification, and recertification of MQSA
inspectors for the purpose of implementing the
[[Page 53190]]
Mammography Quality Standards Act of 1992.
1. Disclosure may be made to a congressional office from the record
of an individual, in response to an inquiry from the congressional
office made at the request of that individual.
2. The Department of Health and Human Services (HHS) may disclose
information from this system of records to the Department of Justice,
or to a court or other tribunal, when
(a) HHS, or any component thereof; or
(b) Any HHS employee in his or her official capacity; or
(c) Any HHS employee in his or her official capacity where the
Department of Justice (or HHS, where it is authorized to do so) has
agreed to represent the employee; or
(d) The United States or any agency thereof where HHS determines
that the litigation is likely to affect HHS or any of its components,
is a party to litigation or has an interest in such litigation, and HHS
determines that the use of such records by the Department of Justice,
the court or other tribunal, is relevant and necessary to the
litigation and would help in the effective representation of the
governmental party, provided, however, that in each case, HHS
determines that such disclosure is compatible with the purpose for
which the records were collected.
3. Disclosure may be made with the individual's supervisor since
MQSA inspections will be a significant part of many inspectors' jobs;
therefore, performance in the training courses is an important element
of information to help the supervisor determine employee assignments as
well as the level of supervision needed.
4. Disclosure may be made to contractors for the purpose of
collecting, compiling, aggregating, analyzing, or refining records in
the system. Contractors will be required to maintain Privacy Act
safeguards with respect to such records.
Data are maintained in hard copy files and on computer disks, hard
drives, and file servers.
Indexed by name, state, specific courses, training dates, grades,
date of certification, and date of withdrawal of certification.
1. Authorized users: Personnel of the Division of Mammography
Quality Reporting Program who are engaged in training the individuals
who inspect mammography facilities, and personnel in the Division who
compile and analyze the test and personal data of the students.
2. Physical safeguards: All records (such as disketts, computer
listings, or documents) are kept in a secured area, locked rooms, and
locked building.
The facility has 24-hour guard service, and access to the building
is further controlled by an operational card key system. Access to the
computer room is limited to a subset of persons with general access to
the building. Access to individual offices is controlled by simplex
locks. The building has smoke/fire detectors; the computer room has
additional smoke/fire detectors plus water, temperature, and humidity
sensors. The computers room has an uninterruptible power supply and a
power conditioning system.
3. Procedural safeguards: End users and system professionals
continue to receive regular training in information systems security
and have signed an agreement indicating their cooperation with FDA
policies. Users are further instructed on system security during
training sessions for this application and in accordance with the
Privacy Act. Users of personal information in the performance of their
duties have been instructed to protect personal information from public
view and from unauthorized personnel.
All reports containing confidential data are marked
``confidential'' and placed in the developer's or system manager's mail
slot, which is located in an access-controlled room. CDRH SOP requires
that all reports containing confidential information be shredded before
disposal.
4. Technical safeguards: All users have individual IDS and
regularly expiring passwords at least 6 characters long. All users are
assigned specific levels of database control based on their needs and
authority. All users of valid IDs and passwords will be monitored. Upon
job change, the user's authorization is reviewed and updated as
necessary.
All changes to data, as well as the time of change and the
operator's ID are captured in a file as part of the database design.
All data entered online is edit checked.
The system's intrusion alarms, which list all logins and their
source, are monitored daily by the information Systems Security
Officer. In addition, CDRH maintains commercial auditing software that
permits logging of keystrokes by individual accounts.
CDRH maintains three audit trails for this system:
1. System-wide intrusion alarms and file access notices
2. Application-dependent logging of all data transactions
3. Commercial software that permits capturing all keystrokes from
suspicious accounts and terminals.
All systems in support of this database are under the control of
CDRH and meet the same security standards as the application.
5. Implementation guidelines: Safeguards are established in
accordance with Chapter 45-13 and PHS hf:45-13 of the Department's
General Administration Manual and the Department's Automated
Information Systems Security Handbook.
Records are retained for five years after the certified MQSA
Inspector leaves government service. At the end of five years, in
individual's paper records are shredded and automated records are
erased.
Director, Division of Mammography Quality and Radiation Programs
(HFZ-240), Center for Devices and Radiological Health, 1350 Piccard
Drive, Rockville, Maryland 20850.
An individual may learn if a record exists about him or her upon
written request, with notarized signature if request is made by mail,
or with identification if request is made in person, directed to:
FDA Privacy Act Coordinator (HFI-30), Food and Drug Administration,
5600 Fishers Lane, Rockville, MD 20857.
Same as notification procedure. Requests should also reasonably
specify the record contents being sought. You may also request an
accounting of disclosures that have been made of your record, if any.
Contact the official at the address specified under notification
procedure above and reasonably identify the record, specify the
information being contested, the corrective action sought, and your
reasons for requesting the correction, along with supporting
information to show how the record is inaccurate, incomplete, untimely,
or irrelevant.
[[Page 53191]]
Individual on whom the record is maintained and training records
pertaining to that individual. Information about certification renewal
or withdrawal is generated in-house by the Division of Mammography
Quality and Radiation Programs. Sources of information about field
performance could include the inspector's supervisor, as well as any
investigation of an inspector's performance as a result of complaints
by a mammography facility.
None.
[FR Doc. 95-25310 Filed 10-11-95; 8:45 am]
BILLING CODE 4160-01-M
