AGENCY:

National Institutes of Health (NIH), Department of Health and Human Services (HHS).

ACTION:

Notice of a new system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended (Privacy Act, or Act), the Department of Health and Human Services (HHS) is establishing a new System of Records (SOR), 09-25-0224, “NIH Police Records,” to be maintained by the National Institutes of Health (NIH). The new system of records will contain records about individuals who are the subject of investigations of crime, civil disturbances, and traffic accidents occurring on or otherwise affecting the protection of life and property on NIH property. Because the records will constitute law enforcement investigatory material, elsewhere in the Federal Register the agency has published a notice of proposed rulemaking (NPRM) to exempt this system of records from certain requirements of the Privacy Act based on subsections (j)(2) and (k)(2) of the Act. The system of records is more fully described in the system of records notice (SORN) published in this notice.

DATES:

The comment period for this SORN is co-extensive with the 60-day comment period provided in the NPRM; i.e., written comments on the SORN should be submitted by August 6, 2024. The new system of records, including the routine uses and the exemptions, will become effective when NIH publishes a Final Rule, which will not occur until the 60-day comment period provided in the NPRM has expired and any comments received on the NPRM (or on this SORN) have been addressed.

ADDRESSES:

The public should address written comments, identified by the Privacy Act System of Records (PA SOR) Number 09-25-0224, by any of the following methods:

• Federal eRulemaking Portal: https://regulations.gov. Follow the instructions for submitting comments.
• Email: privacy@mail.nih.gov and include PA SOR number 09-25-0224 in the subject line of the message.
• Phone: (301) 402-6469 (not a toll-free number).
• Fax: (301) 402-0169.
• Mail: NIH Privacy Act Officer, Office of Management Assessment, National Institutes of Health, 6705 Rockledge Drive (RK1) 601, Rockville, MD 20892-7901.
• Hand Delivery/Courier: 6705 Rockledge Drive (RK1) 601, Rockville, MD 20892-7901.

Comments received will be available for inspection and copying at this same address from 9:00 a.m. to 3:00 p.m., Monday through Friday, Federal holidays excepted.

FOR FURTHER INFORMATION CONTACT:

General questions about the system of records may be submitted to Dustin Close, NIH Privacy Act Officer, by email at privacy@mail.nih.gov or mail at the Office of Management Assessment (OMA), Office of the Director (OD), National Institutes of Health (NIH), 6705 Rockledge Drive (RK1) 601, Rockville, MD 20892-7901. Telephone: 301-402-6469.

SUPPLEMENTARY INFORMATION:

The Privacy Act (5 U.S.C. 552a) governs the means by which the United States Government collects, maintains, and uses records in a system of records. A “system of records” is a group of any records under the control of a federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a SORN identifying and describing each system of records the agency maintains, including the purposes for which the agency uses records in the system of records, the routine uses for which the agency discloses, or may disclose, such information outside the agency without the subject individual's prior written consent, and procedures explaining how subject individuals can exercise their rights under the Privacy Act ( e.g., to Start Printed Page 48655 determine if the system of records contains information about them). At least 30 days prior to publication of this Notice in the Federal Register , the Department submitted a report on the proposed system of records to the Office of Management and Budget, the Committee on Government Reform and Oversight of the House of Representatives, and the Committee on Governmental Affairs of the Senate as required by 5 U.S.C. 552a(r) and in the form and manner required by Office of Management and Budget (OMB) Circular A-108.

The NIH Division of Police, which is within the Office of Research Services (ORS) in the NIH Office of the Director, was established to provide an immediate and primary law enforcement program for NIH. The NIH Division of Police derives its authority from 40 U.S.C. 1315, the law enforcement authority of the Secretary of Homeland Security for the protection of public property, and General Administrative Delegation of Authority Number 08, Control of Violations of Law at Certain NIH Facilities (September 1, 2020). Based on this establishing authority, the NIH Division of Police performs criminal law enforcement activity as its principal function. However, the NIH Division of Police conducts both criminal and non-criminal ( e.g., civil, administrative, regulatory) law enforcement investigations.

The NIH Division of Police is directly responsible for the provision of daily law enforcement and criminal and civil investigative activities required to protect the life, safety, and property of NIH employees, contractors, patients, and visitors. To perform these responsibilities, the NIH Division of Police compiles and maintains records of complaints of incidents, inquiries, investigative findings, arrest records, and court dispositions which are retrieved by personal identifiers and therefore constitute a “system of records” as defined by the Privacy Act at 5 U.S.C. 552a(a)(5). The records are used primarily to: (1) record incidents of crime, civil disturbance, and traffic accidents on the NIH enclave, and the investigation of such incidents; (2) maintain information essential to the protection of life, safety, and property at NIH; (3) provide official records of law enforcement investigative efforts for use in administrative, criminal, and civil proceedings; and (4) document criminal and civil law enforcement investigations.

All of the routine uses published in the SORN are compatible with the original purpose for which criminal and non-criminal ( e.g., civil, administrative, regulatory) law enforcement investigatory records are collected. Specifically:

• Routine use 1 will permit disclosures to HHS contractors who need access to the records in this system of records.
• Routine use 2 will permit HHS to disclose records to the Department of Justice or to a court or other adjudicative body in limited circumstances that are necessary to the conduct of legal proceedings.
• Routine use 3 will permit HHS to refer records to other appropriate law enforcement entities that have jurisdiction over a matter that NIH discovers.
• Where HHS has determined records to be sufficiently reliable to support a referral, routine use 4 will permit disclosures to another government agency or public authority of the fact that this system of records contains information relevant to decisions about an individual's employment, licensing, investigation, procurement, or other decision of that agency or public authority to help determine suitability as a contractor, licensee, grantee, or beneficiary. The receiving entity may then make a request to HHS supported by the written consent of the individual for further information if it so chooses.
• Routine use 5 will permit disclosures to the news media and general public when the information is in the public interest and would be required to be disclosed under the Freedom of Information Act, but where no FOIA request has been received.
• Routine use 6 is included as a courtesy to Members of Congress acting in their capacity as constituent representatives. Under normal circumstances, HHS would require any third party to present written consent of the record subject to obtain records about the record subject. However, if a record subject writes to a Member of Congress for assistance, and the Member writes to HHS showing a copy of the constituent's correspondence, HHS will recognize that request as if it were a formal authorization and respond in order to allow the Member of Congress to provide prompt service to the constituent.
• Routine use 7 will permit HHS to disclose records about accidents or traffic violations to the people involved so they can defend themselves or manage insurance claims.
• Routine uses 8 and 9 will authorize disclosures at the recommendation of OMB to help us reduce and manage data breaches.

SYSTEM NAME AND NUMBER:

NIH Police Records, 09-25-0224.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The address of the agency component responsible for the system of records is: Division of Police, Office of Research Services (ORS), National Institutes of Health (NIH), Building 31, Room B3B17, 31 Center Drive, Bethesda, MD 20892-2012.

SYSTEM MANAGER(S):

Chief, Division of Police, Office of Research Services (ORS), National Institutes of Health, Building 31, Room B3B17, 31 Center Dr., Bethesda, MD 20892-2012. NIHPoliceDepartment@nih.gov, telephone (301) 496-2387.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

40 U.S.C. 1315 Law enforcement authority of Secretary of Homeland Security for protection of public property; Memorandum from the Assistant Secretary for Administration, OS, to the Director, NIH, June 13, 1968; Memorandum from the Assistant Secretary for Administration, OS, to the Director, NIH, June 13, 1968, entitled: Delegation of Authority to Assist in Controlling Violations of Law at Certain HEW Facilities Located in Montgomery County, Maryland; and NIH General Administrative Delegation of Authority Number 08, Control of Violations of Law at Certain NIH Facilities (September 1, 2020). Collection of Social Security Numbers (SSN) is authorized by Executive Order (E.O.) 9397, as amended by E.O. 13478, to be used as the enumerator when 40 U.S.C. 1315, as implemented by NIH General Administrative Delegation of Authority Number 08 authorizes use of enumerators or an indexing system or other method to identify individuals and maintain accurate records about them.

PURPOSE(S) OF THE SYSTEM:

The primary purposes for which the records are used are to: (1) record incidents of crime, civil disturbance, and traffic accidents on the NIH enclave, and the investigation of such incidents; (2) maintain information essential to the protection of life, safety, and property at NIH; (3) provide official records of law enforcement investigative Start Printed Page 48656 efforts for use in administrative, criminal and/or civil proceedings; and (4) document criminal and civil law enforcement investigations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Records will pertain to the following individuals: owners or operators of vehicles entering or attempting to enter NIH property; individuals who are involved in motor vehicle accidents; individuals arrested on the NIH property; individuals suspected of posing a threat to the safety of NIH visitors, personnel, and property; individuals who report or provide information about any of the above referenced activities; and individuals against whom criminal or civil penalties have been sought or imposed for any of the above-referenced activities.

CATEGORIES OF RECORDS IN THE SYSTEM:

Records will consist of (as applicable) reports of moving and non-moving traffic violations, accident reports, missing property reports, and similar documents and files, containing data elements such as names, descriptions, and contact information for subjects of investigation and witnesses, Social Security Number (SSN), date of birth, and vehicle license plate number, brand or model information; and, if applicable, reports of criminal investigations, including indicia of arrests ( e.g., arrest reports fingerprints, photographs, and other items of evidence), and criminal intelligence reports.

RECORD SOURCE CATEGORIES:

The records in this system of records are obtained directly from the subject individual, or from interviews conducted by or are recorded by the NIH Police Officer based on their observation, including observation of camera footage, or statements made or given to them by witnesses or other involved individuals, or are obtained by the NIH Police Officer from sources such as the Federal Bureau of Instigation, Department of Motor Vehicles, the individual's employer, criminal database, local police, NIH Human Resources database, NIH Visitor Log records, and reports of investigation.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974 at 5 U.S.C. 552a(b), under which HHS may disclose information from this system of records to non-HHS officers and employees without the consent of the subject individual.

1. Information may be disclosed to an HHS contractor engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of this system of records who needs to have access to the record to assist HHS in performing the activity. Any contractor will be required to comply with the requirements of the Privacy Act of 1974, as amended.

2. Information may be disclosed to the Department of Justice (DOJ) or to a court or other tribunal in litigation or other proceedings when: (a) HHS, or any component thereof; (b) any HHS employee in his/her official capacity; (c) any HHS employee in his/her individual capacity where DOJ (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States Government, is a party to the proceedings and, by careful review, HHS determines that the records are both relevant and necessary to the proceedings.

3. Information may be disclosed to another federal agency or any foreign, state, local, or Tribal government agency responsible for enforcing, investigating, or prosecuting violations of administrative, civil, or criminal law or regulation where that information is relevant to an enforcement proceeding, investigation, or prosecution within the agency's jurisdiction.

4. Information may be disclosed to a federal, foreign, state, local, Tribal, or other public authority ( e.g., a licensing organization) of the fact that this system of records contains information relevant to the hiring or retention of an employee, the issuance or retention of a security clearance, the reporting of an investigation of an individual, the letting of a contract, or the issuance or retention of a license, grant, or other benefit. The other agency or licensing organization may then make a request supported by the written consent of the individual for further information if it so chooses. HHS will not make an initial disclosure unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another federal agency for criminal, civil, administrative, personnel, or regulatory action.

5. Information may be disclosed to the news media and general public when there is a legitimate public interest (for example, to provide information on events in the criminal process such as indictments, and that would be required to be publicly disclosed under FOIA if HHS received a request), or when necessary to protect the public from an imminent threat to life or property.

6. Information may be disclosed to a congressional office in response to a written inquiry from the congressional office made at the written request of the individual record subject.

7. An accident report, or records concerning an accident or moving or non-moving traffic violation, may be disclosed to any individual allegedly involved or injured in the accident or traffic violation.

8. Information may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

9. Information may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored in various electronic media and in paper form.

In accordance with federal security requirements, policies, and controls, as implemented by NIH and HHS, records may be located on approved portable devices designed to hold any kind of digital, optical, or other data including: laptops, tablets, personal data assistants, Universal Serial Bus (USB) drives, media cards, portable hard drives, Smartphones, compact discs (CDs), digital versatile discs (DVDs), or other mobile storage devices.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by the subject individual's name or other personal identifier, such as date of birth-or Social Security Number. Start Printed Page 48657

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

NIH Police Records are currently unscheduled and will be retained indefinitely until authorized for disposition under a schedule approved by the National Archives and Records Administration.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Measures to prevent unauthorized disclosures of NIH Police Records are implemented as appropriate for each location or form of storage and for the types of records maintained. Safeguards conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/​ocio/​securityprivacy/​index.html. Site(s) implement personnel and procedural safeguards such as the following:

Authorized Users: Access is strictly limited to authorized personnel whose duties require such access ( i.e., valid, business need-to-know).

Administrative Safeguards: Administrative controls include the completion of a Security Assessment and Authorization (SA&A) package and a Privacy Impact Assessment (PIA) for information technology (IT) systems used to maintain the records, and mandatory completion of annual NIH Information Security and Privacy Awareness training for personnel authorized to access the records. The SA&A package consists of a Security Categorization, e-Authentication Risk Assessment, System Security Plan, evidence of Security Control Testing, Plan of Action and Milestones, Contingency Plan, and evidence of Contingency Plan Testing. When the design, development, or operation of a system of records is required to accomplish an agency function and the agency engages an outside contractor to support that operation, the applicable Privacy Act Federal Acquisition Regulation (FAR) clauses are inserted in solicitations and contracts.

Physical Safeguards: Controls to secure the data and protect paper and electronic records, buildings, and related infrastructure against threats associated with their physical environment include the use of the HHS Employee ID or other badge, NIH key cards, security guards, cipher locks, biometrics, and closed-circuit TV. Paper records are secured in locked file cabinets, offices, and facilities. Electronic media are kept on secure servers or computer systems. Access to the restricted office area containing the rooms where records are stored is controlled through the use of limited access proximity cards. Only authorized users have access to these cards. Individuals who enter the restricted area without a limited access proximity card are under escort at all times. During regular business hours, rooms in this restricted area are unlocked but entry is controlled by on-site personnel. Rooms where records are stored are locked when not in use. Individually identifiable records are kept in locked file cabinets or in rooms under the direct control of the System Manager. Contractor interaction with records covered by this system of records will occur on-site and no physical records (paper or electronic) will be allowed to be removed from the NIH Division of Police unless authorized. All authorized users of personal information in connection with the performance of their jobs protect information from public view and from unauthorized personnel entering an unsupervised area/office.

Police incident and other sensitive reports and information are kept in a limited access locked room with live video surveillance. Intelligence reports containing investigations of criminal intelligence matters are kept in a safe in the offices of the Supervisor, Intelligence Section.

Technical Safeguards: Controls are generally executed by the computer system and are employed to minimize the possibility of unauthorized access, use, or dissemination of the data in the system. They include user identification, password protection, firewalls, virtual private network, encryption, intrusion detection system, common access cards, smart cards, biometrics and public key infrastructure. Computer records are accessible only through a series of code or keyword commands available from and under the direct control of the System Manager or delegated employees. These records are secured by a multi-level security system which is capable of controlling access to the individual data field level. Persons having access to the computer database can be restricted to a confined application which permits only a narrow “view” of the data.

RECORD ACCESS PROCEDURES:

This system of records will be exempt from access by subject individuals to the extent permitted by 5 U.S.C. 552(j)(2) or (k)(2). However, consideration will be given to any access request addressed to the System Manager listed above. Most records pertaining to traffic investigations will be accessible to any individual involved or injured in the traffic violation or accident without interfering with or compromising the integrity of an investigation. Individual record subjects seeking access to records about themselves must submit a written access request to the System Manager identified in the “System Manager(s)” section above, at the postal or electronic mail address indicated in that section. The request must reasonably specify the record contents being sought and contain the requester's full name, address, telephone number and/or email address, date of birth, and signature, and should identify the approximate date(s) the information was collected, and the types of information collected. So that HHS may verify the requester's identity, the requester's signature must be notarized, or the request must include the requester's written, signed certification that the requester is the individual who the requester claims to be and that the requester understands that the knowing and willful request of a record pertaining to an individual under false pretenses is a misdemeanor offense under the Privacy Act and subject to fine of up to five thousand dollars. If records are requested on behalf of a minor or legally incompetent individual, evidence of the requester's parental or guardianship relationship to the individual must be included and the identity of both the subject individual and the requesting parent or guardian must be verified.

CONTESTING RECORD PROCEDURES:

This system of records will be exempt from amendment to the extent permitted by 5 U.S.C. 552(j)(2) or (k)(2). However, consideration will be given to any amendment request addressed to the System Manager listed above. Individuals seeking to amend records about them in this system of records must submit a written amendment request to the System Manager, containing the same information required for an access request. The amendment request must include verification of identity in the same manner required for an access request; must reasonably identify the record and specify the information contested, the corrective action sought, and the reason(s) for requesting the amendment and should include supporting information. The right to contest records is limited to information that is factually inaccurate, incomplete, irrelevant, or untimely (obsolete).

NOTIFICATION PROCEDURES:

This system of records will be exempt from notification to the extent permitted by 5 U.S.C. 552(j)(2) or (k)(2). However, consideration will be given to any notification request addressed to the System Manager listed above. Start Printed Page 48658 Individuals who want to know whether this system of records contains records about them must submit a written notification request to the System Manager. The notification request must contain the same information required for an access request and must include verification of identity in the same manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

As provided in the Department's notice of proposed rulemaking, upon publication of a Final Rule, law enforcement investigatory material in this system of records will be exempt from certain requirements of the Privacy Act as follows:

• Based on5 U.S.C. 552a(j)(2) and (k)(2), all criminal and non-criminal ( e.g., civil, administrative, regulatory) law enforcement investigatory material will be exempt from the requirements in subsections (c)(3), (d)(1) through (4), (e)(1), (e)(4)(G) through (I), and (f) of the Privacy Act; provided, however, that for investigative material compiled for law enforcement purposes other than material within the scope of 5 U.S.C. 552a(j)(2), if maintenance of the records causes a subject individual to be denied a federal right, privilege, or benefit to or for which the individual would otherwise be entitled or eligible, the exemption based on 5 U.S.C. 552a(k)(2) will be limited to material that would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence.
• Because the NIH Division of Police is a component which performs criminal law enforcement as its principal function, based on5 U.S.C. 552a(j)(2), criminal law enforcement investigatory material will be exempt from the additional requirements in these subsections of the Privacy Act: (c)(4), (e)(2) and (3), (e)(5), and (g).
• If any law enforcement investigatory material compiled in this system of records 09-25-0224 is from another system of records in which such material was exempted from access and other requirements of the Privacy Act based on (j)(2), it will be exempt in system of records 09-25-0224 on the same basis (5 U.S.C. 552a(j)(2)) and from the same requirements as in the source system of records.

HISTORY:

None.