Privacy Act of 1974; System of Records

#  Privacy Act of 1974; System of Records

**AGENCY:**

National Institutes of Health, Department of Health and Human Services.

**ACTION:**

Notice of a new system of records, and rescindment of system of records notices.

**SUMMARY:**

In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is establishing a new department-wide system of records titled Personnel (Employee and Non-Employee) Recruitment Program Records Not Covered by Other Notices, system number 09-90-2301. HHS is also rescinding two related systems of records: OGC Attorney Applicant Files, system number 09-90-0066; and Fellowship Program and Guest Researcher Records, system number 09-20-0112.

**DATES:**

In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable April 4, 2023, subject to a 30-day period in which to comment on the routine uses, described below. Please submit any comments by May 4, 2023.

**ADDRESSES:**

The public should submit written comments, by mail or email, to Beth Kramer, HHS Privacy Act Officer, 200 Independence Ave. SW, Suite 729H, Washington, DC 20201, or *[email protected].* Comments received will be available for review at this location without redaction, unless otherwise advised by the commenter. To review comments in person, please contact Beth Kramer at *[email protected]* or (202) 690-6941.

**FOR FURTHER INFORMATION CONTACT:**

General questions about the system of records should be submitted by mail, email, or phone to Beth Kramer, HHS Privacy Act Officer, 200 Independence Ave. SW, Suite 729H, Washington, DC 20201, or *[email protected],* or (202) 690-6941.

**SUPPLEMENTARY INFORMATION:**

**I. Background on New System of Records 09-90-2301**

This new department-wide system of records will cover (1) recruitment and related records about individuals recruited or identified for possible recruitment for fellowship and other non-employee positions at HHS, including those who become applicants and those who do not become applicants; and (2) recruitment records about individuals recruited or identified for possible recruitment for employee positions at HHS who do not become applicants. Recruitment records about individuals who apply for employee positions at HHS are excluded, because they are covered by other system of records notices (SORNs); specifically:

• Records about Public Health Service Commissioned Corps applicants are covered by 09-40-0001 Public Health Service (PHS) Commissioned Corps General Personnel Records; and

• Records about applicants for other HHS positions are covered by OPM/GOVT-5 Recruiting, Examining, and Placement Records (however, OPM/GOVT-5 does not include records about non-applicant recruitees and recruitment candidates).

Only records for recruitment programs that retrieve records by subject individuals' names or other personal identifiers constitute Privacy Act records and are covered by the new system of records. Currently, only HHS' National Institutes of Health (NIH) and Centers for Disease Control and Prevention (CDC) maintain recruitment program records that need to be covered by the new system of records. A report on the new system of records was sent to the Office of Managaement and Budget (OMB) and the two Congressional committees that over see privacy, in accordance with 5 U.S.C. 552a(r).

**II. Rescindment of Systems of Records 09-90-0066 and 09-20-0112**

HHS is rescinding two related System of Records Notices (SORNs):

• HHS is rescinding HHS Office of the General Counsel SORN 09-90-0066, titled OGC Attorney Applicant Files, as duplicative of OPM/GOVT-5. SORN 09-90-0066 includes only records about individuals who have applied for an employment position with the HHS Office of General Counsel (OGC), and those records are entirely within the scope of OPM/GOVT-5. The records covered by SORN 09-90-0066 are still maintained by OGC, but will now be covered only by OPM/GOVT-5.

• HHS is rescinding Centers for Disease Control and Prevention SORN 09-20-0012, titled Fellowhip Program and Guest Researcher Records, HHS/CDC/PMO, as replaced by and duplicative of new department-wide SORN 09-90-2301. SORN 09-20-0012 includes only records used to recruit individuals for nonemployee positions, so those records are entirely within the scope of new SORN 09-90-2301.

Dated: March 27, 2023.

Alfred C. Johnson,

Deputy Director for Management, National Institutes of Health.

**SYSTEM NAME AND NUMBER:**

Personnel (Employee and Non-Employee) Recruitment Program Records Not Covered by Other Notices, 09-90-2301.

**SECURITY CLASSIFICATION:**

Unclassified.

**SYSTEM LOCATION:**

The address of each agency component responsible for this system of records is as shown in the System Manager(s) section below.

**SYSTEM MANAGER(S):**

The system managers are as follows:

• *For National Institutes of Health (NIH) records:* NIH Chief Officer for Scientific Workforce Diversity, 1 Center Dr., Bldg. 1, Rm. 316, Bethesda, MD 20892; Telephone: (301) 451-4296.

• *For Centers for Disease Control and Prevention (CDC) records:* Deputy Director, Division of Scientific Education and Professional Development, Mail Stop V24-5, Centers for Disease Control and Prevention, 1600 Clifton Rd. NE, Atlanta, GA 30333; Email: *[email protected]* .

**AUTHORITY FOR MAINTENANCE OF THE SYSTEM:**

5 U.S.C. 1302, 2301(b)(1), 3301 *et seq.;* 42 U.S.C. 209(g) and (h), 241, 247b-8, and 284(b).

**PURPOSE(S) OF THE SYSTEM:**

Records about individuals recruited or considered for recruitment for employee positions at HHS are used to fulfill particular candidate sourcing requests directed at meeting specific HHS workforce recruiting goals and to respond to reporting requests.

Records about recruitment candidates, recruitees, and applicants for non-employee positions at HHS are used to administer fellowship, guest researcher, internship, and similar programs, the goals of which vary by program. The goals may include increasing students' interest in particular health professions and providing them with real world experience; providing early career individuals with leadership skills and professional development opportunities in specific health areas such as cultural competency, to help address underrepresentation of minorities in health care management and leadership positions; or enabling guest researchers or visiting scientists from universities and organizations to work collaboratively with HHS personnel on projects of mutual interest and benefit to HHS and to them.

To fulfill current and future candidate sourcing requests, data is collected (primarily, by searching publicly available data sources or retained, previously-received applications and recommendation materials) and aggregated into a searchable list about individuals identified as potential candidates to recruit for specific positions advertised in HHS job announcements. The resulting list is then made available to search committees to use to recruit applicants for those positions; *i.e.,* to encourage individuals on the list to apply for the position(s) sought to be filled.

**CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:**

The records are about the following categories of individuals:

• Individuals who HHS recruits or identifies for possible recruitment for employee positions at HHS but who do not become applicants.

• Individuals who apply, or are recruited or identified for possible recruitment, for fellowship, guest researcher, internship, or other non-employee positions at HHS.

**CATEGORIES OF RECORDS IN THE SYSTEM:**

Records about individuals recruited for fellowhip and other non-employment positions include recruitment records, and may also include application, selection, and award and placement records. Records about individuals recruited for employment positions, who do not become applicants, consist of recruitment records only.

Recruitment records consist of a searchable list or spreadsheet of candidates containing data elements such as the following about each candidate: first and last name; gender and race/ethnicity; contact information (email address, telephone number, mailing address); LinkedIn page; faculty page; current institution and position title(s) (general and detailed titles); degree type, year, and school; area(s) of expertise, research focus, specialization, or interest; grant or other funding award history; publication record (citations, citing articles, citations per publication); and other notes/comments.

Application records may include a completed application, request for appointment, resume or curriculum vitae, and letter(s) of recommendation containing data elements such as those listed above about each applicant.

Selection and placement records include internal memoranda and forms used to vet and make decisions on applications; notices to selectees and agreements with selectees; and onboarding documents (including, for foreign nationals, immigration and work authorization records).

**RECORD SOURCE CATEGORIES:**

Most information about recruitment candidates and recruitees is obtained from public data sources, such as Yahoo, Bing, Google, Google scholar, Web of Science, PubMed, iCite, LinkedIn, ResearchGate, Loop, Elsevier, Academia, NIH RePORTER, and institutional websites ( *e.g.,* websites of universities and societies or other organizations; personnel or faculty websites; lab websites). A list of recruitment candidates may include information from retained, previously received applications and recommendation materials, or may include no information obtained directly from the individual record subject. The applicant and the applicant's references are the sources of information in application records. Agency personnel are the source of information in internal selection and placement records, and agency personnel and the applicant are the source of information in the agreement and onboarding documents.

**ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:**

Information about a subject individual may be disclosed from this system of records to parties outside HHS without the individual's prior, written consent, for any of these routine uses:

1. Disclosures tailored to particular positions may be made to relevant external search committees for use in outreach, but would be limited to publicly available information about individuals.

2. Disclosures, such as of sample printouts, may be made to various scientific societies in the course of collaborating to develop an external facing system (such as, to share the protocol and key fields for data collection), but would be limited to publicly available information about individuals.

3. Disclosures limited to publicly available information about individuals may be made to external search committee chairs at universities for their outreach efforts to enhance the diversity of their applicant pools.

4. Disclosures may be made to other federal agencies and HHS contractors that have been engaged by HHS to assist in accomplishing an HHS function relating to the purposes of this system of records (including ancillary functions, such as compiling reports and evaluating program effectiveness) and that have a need to have access to the records in order to assist HHS in performing the activity. Any contractor will be required to comply with the requirements of the Privacy Act.

5. Information may be disclosed to the U.S. Department of Justice (DOJ) or to a court or other tribunal in litigation or other proceedings, when:

a. The agency or any component thereof, or

b. Any employee of the agency in his or her official capacity, or

c. Any employee of the agency in his or her individual capacity where DOJ has agreed to represent the employee, or

d. The United States Government,

is a party to the proceedings or has an interest in the proceedings and, by careful review, HHS determines that the records are both relevant and necessary to the proceedings.

6. Information may be disclosed to a member of Congress or a congressional staff member in response to a written inquiry of the congressional office made at the written request of the constituent about whom the record is maintained. The congressional office does not have any greater authority to obtain records than the individual would have if requesting the records directly.

7. HHS may disclose records from this system of records to the National Archives and Records Administration (NARA), General Services Administration (GSA), or other relevant Federal Government agencies in connection with records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.

8. Disclosure may be made to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is  a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

9. Disclosure may be made to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

HHS-may also disclose information about a recruitment candidate or recruitee from this system of records to parties outside HHS, without the individual's prior written consent, for any of the purposes authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)-(11).

**POLICIES AND PRACTICES FOR STORAGE OF RECORDS:**

Records are stored in electronic form, on secure servers whenever feasible, or on approved portable/mobile devices.

**POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:**

Records are retrieved by the individual's name.

**POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:**

• *Recruitment records for employment positions (about individuals who do not become applicants):* Retention and disposal will follow General Records Schedule 2.1, item 051 (job vacancy case files), DAA-GRS-2017-0011-0002 (records of standing register competitive files for multiple positions filled over a period of time), which provides for records to be destroyed two years after the register of candidates is terminated.

• *Recruitment records for non-employment positions:*

○ NIH recruitment records are disposed of in accordance with DAA-0443-2020-0001 (non-employee fellowship records) and DAA-0443-2020-0002 (immigration and work authorization records for foreign nationals), which provide for records to be destroyed three years after completion of fellowship, termination of agreement, or non-acceptance of application, but state that the records may be retained longer if required for business use.

○ CDC recruitment records are currently unscheduled and must be retained indefinitely until authorized for destruction under a dispoisition schedule approved by the National Archives and Records Administration (NARA).

**ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:**

Records are safeguarded in accordance with applicable laws, rules, and policies, including the HHS Information Technology Security Program Handbook, pertinent National Institutes of Standards and Technology (NIST) publications, and OMB Circular A-130, Managing Information as a Strategic Resource. Records are protected from unauthorized access through appropriate administrative, physical, and technical safeguards. Safeguards conform to the HHS Information Security and Privacy Program, *https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/information-security-privacy-program/index.html.*

Electronically stored information is protected by encryption, firewalls, and intrusion detection systems, to which access is controlled by either password protection or two-factor authentication. Files that NIH shares with subject individuals by email are also password protected and are shared only by using a secure email service, such as Secure Email and File Transfer (SEFT). If a printout or other paper records is created, it is stored in a locked cabinet or placed in a confidential, secured paper shredder cabinet when not in use and during non-business hours. Agency staff who use the records, and any contractor staff assisting them, are required to complete annual privacy and security awareness training. Security controls are reviewed on a periodic basis.

**RECORD ACCESS PROCEDURES:**

Individuals may request access to records about them in this system of records by submitting a written access request to the relevant System Manager at the address specified in the “System Manager” section, above, in accordance with the Department's Privacy Act implementation regulations in 45 CFR. The request must contain the requester's full name, address, and signature, and a description of the requested records (including the approximate date(s) the information was collected, the type(s) of information collected, and the office(s) or official(s) responsible for the collection of information, if known). To verify the requester's identity, the signature must be notarized or the request must include the requester's written certification that the requester is the individual he or she claims to be and understands that the knowing and willful request of a record pertaining to an individual under false pretenses is a criminal offense under the Privacy Act, subject to a fine of up to $5,000. To access the records in person, the requester should request an appointment, and may be accompanied by a person of the requester's choosing if the requester provides written authorization for agency personnel to discuss the records in that person's presence. Individuals may also request an accounting of disclosures that have been made of records about them.

**CONTESTING RECORD PROCEDURES:**

Individuals may seek to amend records about them in this system of records by submitting a written amendment request to the relevant System Manager at the address specified in the “System Manager” section, above, in accordance with the Department's Privacy Act implementation regulations in 45 CFR. The request must include verification of the requester's identity in the same manner required for an access request. The request must reasonably identify the record(s) and specify the information being contested, the corrective action sought, and the reason(s) for requesting the correction, and include any supporting documentation. The right to contest records is limited to information that is factually inaccurate, incomplete, irrelevant, or untimely (obsolete).

**NOTIFICATION PROCEDURES:**

Individuals who wish to know if this system of records contains a record about them should submit a written notification request to the relevan System Manager at the address specified in the “System Manager” section above, in accordance with the Department's Privacy Act implementation regulations in 45 CFR. The request must provide the information described under “Record Access Procedure” and include verification of the requester's identity in the same manner required for an access request

**EXEMPTIONS PROMULGATED FOR THE SYSTEM:**

None.

**HISTORY:**

None.

**Notice of Rescindment**

For the reasons explained in the Supplementary Information section at II., the following systems of records are rescinded:

**SYSTEM NAME AND NUMBER:**

OGC Attorney Applicant Files, 09-90-0066.

**HISTORY:**

47 FR 45514 (Oct. 13, 1982); 59 FR 55845 (Nov. 9, 1994); 83 FR 6591 (Feb. 14, 2018).

**SYSTEM NAME AND NUMBER:**

Fellowship Program and Guest Researcher Records, 09-20-0112.

**HISTORY:**

51 FR 42449 (Nov. 24, 1986); 54 FR 47904 (Nov. 17, 1989); 56 FR 1324 (Jan. 11, 1991); 56 FR 66733 (Dec. 24, 1991); 57 FR 62811 (Dec. 31, 1992); 58 FR 69048 (Dec. 29, 1993); 59 FR 48331 (Sept. 7, 1994); 59 FR 67080 (Dec. 28, 1994) 76 FR 4451 (Jan. 25, 2011); 83 FR 6591 (Feb. 14, 2018).