AGENCY:

Food Safety and Inspection Service, U.S. Department of Agriculture.

ACTION:

Notice of a new system of records.

SUMMARY:

In accordance with the Privacy Act of 1974, as amended, the Department of Agriculture (USDA) proposes a new Food Safety and Inspection Service (FSIS) system of records entitled: USDA/FSIS-0004, Public Health Information System (PHIS). PHIS is a Web-based system that collects information generated from FSIS inspection, compliance verification, notification and monitoring activities regarding the slaughter, processing, import and export of meat, and poultry and egg products. Within PHIS, FSIS maintains contact and other identifying information about employees and contractors of USDA, government officials, representatives of regulated establishments, and third parties.

DATES:

Applicable date: April 16, 2018. Written comments must be received on or before the above date. The proposed system will be adopted on the above date, without further notice, unless it is modified in response to comments, in which case the notice will be re-published.

ADDRESSES:

Send written comments to: Docket Clerk, FSIS, Patriots Plaza 3, 355 E Street SW, Mailstop 3782, Room 8-163B, Washington, DC 20250-3700 or fax to (202) 245-4793. Comments may also be posted on: https://www.regulations.gov/​. All comments must include the Agency's name and docket number, FSIS-2015-0015, and will be publicly posted, including any personal information submitted, on https://www.regulations.gov. Docket: To obtain a copy of, or to view, the docket, visit FSIS Docket Room, Patriots Plaza 3, 355 E Street SW, Room 164-A, Washington, DC 20250-3700, 8:00 a.m. to 4:30 p.m., Monday to Friday.

FOR FURTHER INFORMATION CONTACT:

Roberta Wagner, Assistant Administrator, Office of Policy and Program Development (OPPD), FSIS, Room 350-E, Jamie Whitten Building, 1400 Independence Ave. SW, Washington, DC 20250, or Neal Westgerdes, PHIS System Owner/Manager, OPPD, FSIS, Room 2925-South, 1400 Independence Ave. SW Washington, DC 20250, (202) 205-4233.

For Privacy Questions: Marj Leaming, USDA Privacy Officer, Policy, E-Government and Fair Information Practices, Office of the Chief Information Officer, USDA, 1400 Independence Ave. SW, Room 450-W, Washington, DC 20250; telephone 202-205-0926.

SUPPLEMENTARY INFORMATION:

The Privacy Act requires agencies to publish in the Federal Register (FR) a notice of any new or revised system of records. A “system of records” is a group of any records under the control of an agency from which information is retrievable by the name of the individual or by some unique identifier assigned to the individual. USDA is proposing to establish a new system of records, entitled USDA/FSIS-04, Public Health Information System (PHIS). The primary purpose of PHIS is to collect information gathered by USDA Personnel from their inspection, compliance verification and notification activities at regulated establishments, and to assess data entered by Business Personnel. PHIS enhances USDA's ability to predict hazards and vulnerabilities in the food supply and thus prevent or mitigate food safety-related threats to the public health in a timely manner. Additionally, in regard to imports and exports, PHIS provides USDA and other domestic and foreign regulatory authorities with information to monitor the movement of meat, poultry and egg products in advance of a shipment's arrival.

USDA grants PHIS access to and collect information from the following user groups: (1) Employees and contractors of USDA (“USDA Personnel”); (2) government officials (domestic and foreign) (“Other Government Officials”); and (3) representatives of the regulated establishments and businesses, such as importers and exporters of food products, who require access to PHIS (“Business Personnel”). PHIS collects from all three user groups basic identifying contact information. The system also collects identifying information about individuals who are not PHIS users, but whose names may appear in records entered by a user, for contact purposes.

PHIS obtains and stores the identifying information for USDA Personnel, including: the user's and supervisor's full names, titles, duty stations, business contact information, assigned PHIS role(s), and USDA eAuthentication numbers. This information is used for contacting personnel, shipping documents and supplies, inspection assignment scheduling and for security and access control purposes. In addition to this basic identifying contact information, the system receives employee profile information for USDA Personnel from the National Finance Center, including, but not limited to: Social security numbers (stored in masked formats); hire dates; organizational level; pay plan; and locality and pay code. This employee profile data are used to verify USDA Personnel employment status.

For Other Government Officials and Business Personnel, the system collects information including the name and title of the user, business contact information, and PHIS roles and USDA eAuthentication information. From Business Personnel, it collects the user's entity name and associated business or tax identification numbers, as applicable. Only basic contact information is collected about individuals who are not PHIS users, but whose names appear in records entered by a user.

USDA Personnel enter records in connection with their inspection, compliance verification, and notification activities at regulated establishments. The records entered by Other Government Officials include documents concerning the equivalence of foreign inspection systems, documents concerning State program inspection verification and activities, responses to USDA decisions, and requests for information from USDA. Business Personnel enter records in connection with, or in response to, USDA Personnel's activities and decisions, and requests for services from USDA. Examples include records supporting compliance with FSIS regulations, such as applications for Start Printed Page 11490export certificates and Meat and Poultry Export Certificate of Wholesomeness, as well as appeals of USDA compliance decisions regarding regulated establishments and products.

A Privacy Impact Assessment is posted on https://www.usda.gov/​wps/​portal/​usda/​usdahome?​navid=​PRIVACY_​POLICY_​ES.

No Privacy Act exemption is claimed.

In accordance with the Privacy Act, as implemented by the Office of Management and Budget (OMB) Circular A-108, USDA has provided a report of this proposed new system of records to the Chair of the Committee on Homeland Security and Governmental Affairs, United States Senate; the Chair of the Committee on Oversight and Government Reform, House of Representatives; and the Administrator of the Office of Information and Regulatory Affairs, OMB.

SYSTEM NAME AND NUMBER

Public Health Information System (PHIS), USDA/FSIS-04.

Security Classification:

Unclassified.

System Location:

USDA National Information Technology Center (NITC), 8930 Ward Parkway, Kansas City, MO, 64114, and NITC, 4300 Goodfellow Blvd., St. Louis, MO 63120.

System Manager:

PHIS System Owner, Office of Policy and Program Development Food Safety and Inspection Service, USDA, Room 2925-South, 1400 Independence Ave. SW, Washington, DC 20250. (202) 205-4233.

Authority for Maintenance of the System:

Poultry Products Inspection Act (21 U.S.C. 451 et seq.); Federal Meat Inspection Act (21 U.S.C. 601 et seq.); Egg Products Inspection Act (21 U.S.C. 1031 et seq.); Humane Methods of Livestock Slaughter Act of 1978 (7 U.S.C. 1901-1906); Authority to Operate (ATO), dated 03/23/2017.

Purpose of the System:

The primary role of this Web-based electronic system is to assist FSIS in accomplishing its food safety mission of conducting inspections and compliance verification activities at regulated establishments to confirm that meat, poultry and egg products are safe, wholesome, not adulterated, and correctly labeled, packaged and distributed. Supplementary purposes include the verification of product eligibility for moving in and out of the United States.

PHIS maintains FSIS inspection, compliance verification and sampling program results and business profile information. PHIS also maintains data about State and foreign food safety programs. PHIS maintains information about individuals: to allow users access to the system; to schedule and assess inspection and compliance verification activities; to track requests for USDA services; and to allow responses to appeal of USDA Personnel's decisions.

Categories of Individuals Covered by the System:

All individuals granted access to the PHIS are covered: (1) Employees and contractors of USDA (“USDA Personnel”); (2) government officials (domestic and foreign) (“Other Government Officials”); and (3) representatives of the regulated establishments and businesses, such as importers and exporters of food products, who require access to PHIS (“Business Personnel”). All individuals, even if they are not users of the PHIS, who are mentioned or referenced in any documents entered into PHIS by a user are also covered. This group may include, but is not limited to: Plant workers, vendors, agents, and interviewees.

Categories of Records in the System:

PHIS obtains and stores identifying information for the three categories of individuals as follows:

For USDA Personnel, PHIS stores the user's and supervisor's full names, titles, duty stations, business contact information, assigned PHIS role(s) and eAuthentication numbers. This information is used for contacting personnel, shipping documents and supplies, inspection assignment scheduling and for security and access control purposes. In addition to this basic identifying contact information, the system receives employee profile information for USDA Personnel from the National Finance Center, including, but not limited to: Social security numbers (stored in masked formats); hire dates; organizational level; pay plan; and locality and pay code. This employee profile data is used to verify USDA Personnel employment status.

For Other Government Officials and Business Personnel, the system collects information including the name and title of the user, business contact information, PHIS roles and e-Authentication information. From Business Personnel, it also collects the user's entity name and associated business or tax identification numbers, as applicable. Only basic contact information is collected about individuals who are not PHIS users, but whose names appear in records entered by a user.

Records Source Categories:

Basic identifying contact information of all user groups (USDA Personnel, Other Government Officials and Business Personnel) is obtained directly from the user. In addition, employment verification information about USDA Personnel is obtained from the NFC through a secure data feed.

Records entered by USDA Personnel or Other Government Officials in connection with their official duties are obtained directly from them.

Business Personnel records, including appeals, requests for services and requests for grants of inspection or updates to their entities' business profiles, are entered into PHIS directly by Business Personnel or are given in paper form to USDA Personnel for input into PHIS on behalf of the Business Personnel. Business records can also be obtained from a foreign country's Central Competent Authority (“CCA”).

USDA Personnel can also obtain some types of information about the other groups of users from USDA's electronic interface with other Federal agencies involved in tracking cross-border movement of the regulated establishments' products, including but not limited to the U.S. Customs and Border Protection Automated Commercial Environment (ACE). Business records from foreign countries are obtained from the respective foreign officials and typically, the CCA assigned the responsibility for maintaining a country's food safety systems reports in PHIS. Information about third parties referenced in the records entered by a user is obtained directly from the user entering or modifying the record.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, all or a portion of the records or information contained in this system may be disclosed outside of USDA as a routine use under 5 U.S.C. 552a(b)(3), as follows:

1. To the U.S. Department of Justice (DOJ) or other Federal agency conducting litigation or in proceedings before any court, adjudicative or administrative body, when it is Start Printed Page 11491necessary for the litigation and one of the following is a party to the litigation or has an interest in the litigation:

a. USDA or any component thereof;

b. Any employee of USDA in his/her official capacity;

c. Any employee of USDA in his/her individual capacity where DOJ or USDA has agreed to represent the employee; or

d. The United States or any agency thereof and if the USDA determines that the records are both relevant and necessary to the litigation and the use of such records is compatible with the purpose for which USDA collected the records.

2. To a Congressional office from the record of an individual in response to an inquiry from that Congressional office made at the written request of the individual to whom the record pertains.

3. To the National Archives and Records Administration (NARA) or other Federal government agencies pursuant to records management inspections being conducted under the authority of 44 U.S.C. 2904 and 2906.

4. To an agency, organization, or individual for the purpose of performing audit or oversight operations as authorized by law, but only such information as is necessary and relevant to such audit or oversight function. This would include, but not be limited to, the Comptroller General or any of his authorized representatives in the course of the performance of the duties of the Government Accountability Office, or USDA's Office of the Inspector General or any authorized representatives of that office.

5. To appropriate agencies, entities, and persons when:

a. USDA suspects or has confirmed that there has been a breach of the system of records;

b. USDA has determined that as a result of the suspected or confirmed breach, there is a risk of harm to individuals, USDA (including its information systems, programs, and operations), the Federal Government, or national security; and

c. the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with USDA's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm; and

6. To contractors and their agents, grantees, experts, consultants, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for USDA, when necessary to accomplish an agency function related to this system of records. Individuals who provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to USDA officers and employees.

7. To an appropriate Federal, State, tribal, local, international, or foreign law enforcement agency or other appropriate authority charged with investigating or prosecuting a violation or enforcing or implementing a law, rule, regulation, or order, where a record, either on its face or in conjunction with other information, indicates a violation or potential violation of law, which includes criminal, civil, or regulatory violations, and such disclosure is proper and consistent with the official duties of the person making the disclosure.

8. To an appropriate Federal, State, tribal, local, international, or foreign law enforcement agency or appropriate authority responsible for protecting public health, preventing or monitoring disease or illness outbreaks, or ensuring the safety of the food supply. This includes the Department of Health and Human Services and its agencies, including the Centers for Disease Control and Prevention and the Food and Drug Administration, other Federal agencies, and State, tribal, and local health departments.

9. To another federal agency or federal entity when USDA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs and operations), the federal government or national security, resulting from a suspected or confirmed breach.

Policies and Practices for Storage of Records:

The system includes a database, electronic documents and paper records. The storage for the database records is a dedicated virtual server located in the USDA NITC facility in Kansas City, MO. Duplicate records are maintained at the USDA NITC facility in St. Louis, MO. The primary storage for the electronic documents is a records management system managed and hosted by USDA at their Enterprise Data Centers. Paper records are maintained in the USDA offices where they were created. Records backup storage is maintained by NITC Personnel in a virtual tape library at the USDA NITC facility in Kansas City, MO. Copies of the backup records are maintained at the USDA NITC facility in St. Louis, MO. Each USDA laboratory stores data in the local internal storage on each server. Paper records from establishments that do not wish to use the Web-based PHIS, and communication records, such as PHIS-related emails, are stored in a dedicated, secured location at FSIS field offices to which USDA Personnel are assigned.

Policies and Practices for Retrieval of Records:

Retrieval is by user profile object information, which is created during the user authorization process and includes the following data elements: User identification, role, permission, organization identification, and assigned place of work. Information can also be retrieved by a unique eAuthentication identification number assigned to all users.

Policies and Practices for Retention and Disposal of Records:

A master file backup is created at the end of the calendar year and maintained in St. Louis, MO. The St. Louis offsite storage site is located approximately 250 miles from the primary data facility and is not susceptible to the same hazards.

Administrative, Technical, and Physical Safeguards:

Records in this system are safeguarded by restricting accessibility, in accordance with USDA security and access policies. The safeguarding includes: Firewall(s), network protection, and an encrypted password. All users are assigned a level of role-based access, which is strictly controlled and granted through USDA-approved, secure application (Level 2 eAuthentication) after the user successfully completes Government National Agency Check with Inquiries (NACI). Controls are in place to preclude anonymous usage and browsing.

Records Access Procedures:

Any individual may request a copy of records in PHIS by submitting a written request, with reasonable specificity, to FSIS Freedom of Information Act (FOIA) Office at: 1400 Independence Ave. SW, Room 2168-South, Mail Stop No. 3713, Washington, DC 20250. Under the Privacy Act (PA), 5 U.S.C. 552a, an individual United States citizen or legal permanent resident may seek access to records that are retrieved by his/her own name or other personal identifier, such as social security number or employee identification number. Such records will be made available unless they fall within the exemptions of the PA and the FOIA. Your Privacy Act request for records must be in writing and addressed to the FOIA office. For Start Printed Page 11492more information about how to make a FOIA or a Privacy Act request to obtain records, please see: http://www.fsis.usda.gov/​wps/​portal/​footer/​policies-and-links/​freedom-of-information-act/​foia-requests

An individual United States citizen or legal permanent resident may also seek to correct or to amend his or her own records in PHIS that are retrieved by name or other personal identifier, such as one's social security number (SSN) or employee number. Such Privacy Act requests for correction or amendment will be processed in accordance with applicable legal requirements and exemptions under the governing regulations and statutes such as the FOIA, 5 U.S.C. 552, the PA, 5 U.S.C. 552a, and 7 CFR part 1, subpart G.

Contesting Records Procedures:

See “Records Access Procedures” above.

Notification Procedures:

See “Records Access Procedures” above.

Exemptions Promulgated for the System:

None.