# Privacy Act of 1974; System of Records
**AGENCY:**
National Science Foundation.
**ACTION:**
Notice of a new system of records.
**SUMMARY:**
The U.S. National Science Foundation (NSF) is establishing a new agency system of records in connection with its online Standard Application Process (SAP) for collecting and maintaining requests from researchers or other individuals applying for access to confidential data assets from participating federal agencies and units for evidence-building, statistical purposes.
**DATES:**
This system notice is effective as of December 5, 2025. The routine uses described in this notice will take effect on January 5, 2026, unless modified by a subsequent notice to incorporate comments received from the public. Submit comments on or before January 5, 2026.
**ADDRESSES:**
U.S. National Science Foundation (NSF), National Center for Science and Engineering Statistics (NCSES), 2415 Eisenhower Ave., Alexandria, VA 22314.
You may submit comments, identified by docket number “NSF-2025-OGC-0004” by any one of the following methods:
• *Federal eRulemaking Portal: https://www.regulations.gov.* Follow the instructions for submitting comments.
• *Email:* John Finamore, Chief Statistician for the National Center for Science and Engineering Statistics, NSF, *[email protected].* Include “NSF-2025-OGC-0004” in the subject line of the message.
• *Mail:* John Finamore, Chief Statistician for the National Center for Science and Engineering Statistics, NSF, 2415 Eisenhower Ave., Alexandria, VA 22314.
*Instructions:* NSF will post all in-scope comments on the NSF's website ( *https://www.nsf.gov* ). All comments submitted in response to this Notice will become a matter of public record. Therefore, you should submit only information that you wish to make publicly available.
**FOR FURTHER INFORMATION CONTACT:**
If you wish to submit general questions about this new system of records, please contact John Finamore, Chief Statistician for the National Center for Science and Engineering Statistics, NSF, at *[email protected]* or by telephone at 703-292-2258. You may also contact the NSF acting Senior Agency Office for Privacy (SAOP), Tom Boger, *[email protected].*
**SUPPLEMENTARY INFORMATION:**
NSF is publishing this new system of records notice (SORN) for the system entitled, “Standard Application Process (NSF-83),” to support the collection and maintenance of requests submitted by researchers and other individuals for access to confidential data assets held by certain federal agencies and units comprising the United States Federal Statistical System, as required by section 303(a) of the Foundations for Evidence-Based Policymaking Act of 2018 (the Act), 44 U.S.C. 3583. [^1] In December 2022, the Office of Management and Budget (OMB) fulfilled the Act's requirement to establish a standard application process (SAP), including a SAP program management office (PMO), which serves to standardize project-related governance processes and facilitate sharing of resources, information, and tools between SAP working groups and the portal developers.
[^1] The current participating member agencies and units of the U.S. Federal Statistical System are listed but non-participating agencies, including those not in the United States Federal Statistical System have the ability to apply to participate: Federal Bureau of Economic Analysis (Department of Commerce); Bureau of Justice Statistics (Department of Justice); Bureau of Labor Statistics (Department of Labor); Bureau of Transportation Statistics (Department of Transportation); Census Bureau (Department of Commerce); Center for Behavioral Health Statistics and Quality (Department of Health and Human Services); Economic Research Service (Department of Agriculture); Energy Information Administration (Department of Energy); Microeconomic Surveys Unit (Federal Reserve Board); National Agricultural Statistics Service (Department of Agriculture); National Animal Health Monitoring System (Department of Agriculture); National Center for Education Statistics (Department of Education); National Center for Health Statistics (Department of Health and Human Services); National Center for Science and Engineering Statistics (National Science Foundation); Office of Research, Evaluation, and Statistics (Social Security Administration); and Statistics of Income Division (Internal Revenue Service). These agencies shall be responsible for publishing their own SORNs if they choose to establish and maintain any additional or separate agency system(s) of records to track or evaluate requests (applications) received through the SAP by NSF.
The NSF National Center for Science and Engineering Statistics (NCSES), as one of the Federal Statistical System agencies, has been designated by OMB to carry out the PMO responsibilities for the SAP, which includes the establishment of this Privacy Act system of records to support the SAP. The SAP marks an important milestone for the federal statistical system. For the first time, primary statistical agencies and units have coordinated and agreed to use the same application ( *i.e.,* common form) for access to their restricted-use data assets.
Applications with the SAP must be for a statistical purpose and will be reviewed by the agency or agencies with ownership of the data. Applicants can use the SAP to apply for access to data from multiple agencies for the same project and track the application as it moves through the review process. The SAP collects information about individuals, as needed to assess or determine whether their requests for access to data can be granted, consistent with applicable privacy and confidentiality restrictions under Federal law, which will vary from agency to agency (for example, an agency may need to know citizenship status in cases where data access is legally limited to U.S. citizens). Participating agencies each have their own data security training which covers the handling of Personally Identifiable Information within their agencies. For questions about specific programs, datasets, or data files, applicants are asked to contact the data-owning agency or agencies. When an application is approved, the authorizing agency will guide the user through the process of gaining access. Users with questions about existing applications or arrangements for use of restricted-use data should contact the relevant agency directly.
This SORN describes below what records about individuals are to be collected and maintained in the system ( *e.g.,* applications for access to data assets, system account information, and other system records documenting the review and grant or denial of such applications), and how these records are to be used, shared, and secured. Application data to be collected through the SAP is limited to information that is relevant and reasonably necessary for a participating statistical agency or unit to determine whether to grant or deny access to data assets, consistent with applicable law, regulation, and policy governing such access. The collection of these records through the SAP online portal has already been approved by OMB under the Paperwork Reduction Act ( *see* OMB Control No. 3145-0271).
The system does not duplicate any other existing NSF or Government-wide systems of records under the Privacy Act. In accordance with subsection (r) the Privacy Act, at 5 U.S.C. 552a(r), and Office of Management and Budget (OMB) Circular No. A-108, in addition to publication in the *Federal Register* , NSF has also submitted notice of the establishment of this system of records to OMB and to the appropriate Congressional committees. All NSF SORNs, including this one may be viewed at *www.nsf.gov/privacy.*
**SYSTEM NAME AND NUMBER:**
Standard Application Process (SAP), NSF-83.
**SECURITY CLASSIFICATION:**
Unclassified.
**SYSTEM LOCATION:**
U.S. National Science Foundation, National Center for Science and Engineering Statistics, 2415 Eisenhower Ave., Alexandria, VA 22314. System records may be stored by NSF's SAP Portal contractor location(s) and/or government-certified cloud storage.
**SYSTEM MANAGER(S):**
Division Director, NCSES, NSF.
**AUTHORITY FOR MAINTENANCE OF THE SYSTEM:**
Confidential Information Protection and Statistical Efficiency Act (CIPSEA), Public Law 107-347, t. V, as amended by the Foundations for Evidence-Based Policymaking Act of 2018, codified in relevant part at 44 U.S.C. 3583; NSF Act of 1950, as amended, 42 U.S.C. 1861 *et seq.;* Off. of Mgt. & Budget (OMB) Memorandum M-23-04. In addition, participating agencies may have legal authorities not specifically listed. For a current list of participating agencies, please refer to the standard application process web pages, located on the NCSES website.
**PURPOSE(S) OF THE SYSTEM:**
The information contained within the SAP Portal is used by participating agencies for the purposes listed below:
1. To evaluate and make determinations on applications requesting access to confidential data assets held by participating agencies.
2. To collect information to conduct an initial evaluation of applicant suitability for access to confidential data assets.
3. To contact applicants for additional information related to their applications and suitability evaluations.
4. To fulfill the public reporting obligations set forth in 44 U.S.C. 3583(a)(6), as described further in Routine Use 15 below.
**CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:**
This system contains information about individuals who have requested access to confidential data assets held by federal agencies participating in the SAP and federal agency personnel involved in the application review process.
**CATEGORIES OF RECORDS IN THE SYSTEM:**
1. Application Data—Application information including, but not limited to, personal information and demographics, such as name, email address, phone number, institutional affiliations, citizenship status, U.S. residency status, security clearance status, and information about the purpose for which the applicant will use the data (project proposals).
2. Application Review Data—Evaluations from agency and other required reviewers, as listed in the SAP application; application determination (approve or reject).
3. Appeals Review Data—Evaluations from agency reviewers and an appeals determination.
**RECORD SOURCE CATEGORIES:**
Application information is obtained from the applicant. Records relating to application and appeal determinations are obtained from the reviewing agencies.
**ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:**
The following NSF standard routine uses apply:
1. Members of Congress. Information from a system may be disclosed to congressional offices in response to inquiries from the congressional offices made at the request of the individual to whom the record pertains.
2. Freedom of Information Act/Privacy Act Compliance. Information from a system may be disclosed to the Department of Justice or the Office of Management and Budget in order to obtain advice regarding NSF's obligations under the Freedom of Information Act and the Privacy Act.
3. Counsel. Information from a system may be disclosed to NSF's legal representatives, including the Department of Justice and other outside counsel, where the agency is a party in litigation or has an interest in litigation and the information is relevant and necessary to such litigation, including when any of the following is a party to the litigation or has an interest in such litigation: (a) NSF, or any component thereof; (b) any NSF employee in his or her official capacity; (c) any NSF employee in his or her individual capacity, where the Department of Justice has agreed to, or is considering a request to, represent the employee; or (d) the United States, where NSF determines that litigation is likely to affect the agency or any of its components.
4. National Archives, General Services Administration. Information from a system may be disclosed to representatives of the General Services Administration and the National Archives and Records Administration (NARA) during the course of records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.
5. Response to an Actual or Suspected Compromise or Breach of Personally Identifiable Information. NSF may disclose information from the system to appropriate agencies, entities, and persons when: (1) NSF suspects or has confirmed that there has been a breach of the system of records; (2) NSF has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals; NSF (including its information systems, programs, and operations); the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with NSF efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. Furthermore, NSF may disclose information from the system to another Federal agency or Federal entity, when NSF determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in: (1) Responding to a suspected or confirmed breach; or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
6. Courts. Information from a system may be disclosed to the Department of Justice or other agencies in the event of a pending court or formal administrative proceeding, when the information is relevant and necessary to that proceeding, for the purpose of representing the government, or in the course of presenting evidence, or the information may be produced to parties or counsel involved in the proceeding in the course of pre-trial discovery.
7. Contractors. Information from a system may be disclosed to contractors, agents, experts, consultants, or others performing work on a contract, service, cooperative agreement, job, or other activity for NSF and who have a need to access the information in the performance of their duties or activities for NSF.
8. Audit. Information from a system may be disclosed to government agencies and other entities authorized to perform audits, including financial and other audits, of the agency and its activities.
9. Law Enforcement. Information from a system may be disclosed, where the information indicates a violation or potential violation of civil or criminal law, including any rule, regulation or order issued pursuant thereto, to appropriate Federal, State, or local agencies responsible for investigating, prosecuting, enforcing, or implementing such statute, rule, regulation, or order.
10. Disclosure When Requesting Information. Information from a system may be disclosed to Federal, State, or local agencies which maintain civil, criminal, or other relevant enforcement information or other pertinent information, such as current licenses, if necessary, to obtain information relevant to an agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit.
11. To the news media and the public when: (1) A matter has become public knowledge, (2) the NSF Office of the Director determines that disclosure is necessary to preserve confidence in the integrity of NSF or is necessary to demonstrate the accountability of NSF's officers, employees, or individuals covered by this system, or (3) the Office of the Director determines that there exists a legitimate public interest in the disclosure of the information, except to the extent that the Office of the Director determines in any of these situations that disclosure of specific information in the context of a particular case would constitute an unwarranted invasion of personal privacy.
In addition to the above standard routine uses, information may be routinely disclosed to:
12. Application reviewers. Records may be disclosed to designated reviewers from participating federal agencies for the evaluation of applicants and project proposals as part of individual agency application review processes. Records may also be disclosed to other federal agencies or other entities needing information regarding applicants and project proposals as part of joint application review processes.
13. Confidential data program staff. Records may be disclosed to staff from participating federal agencies responsible for managing their confidential data program in order to administer the program and fulfill data security requirements for providing data access to approved applicants in accordance with their agency policies and procedures.
14. Participating agency contractors. Records may be disclosed to contractor staff both at NSF and other participating federal agencies responsible for maintaining and operating the SAP Portal and/or involved in conducting reviews.
15. Public reporting. Records may be disclosed to the extent necessary and appropriate to fulfill the public reporting requirements set forth at 44 U.S.C. 3583(a)(6), which include:
a. For each application, the statistical agencies or units involved, the requested data assets, the project proposed duration (where applicable), and the requested method of access, along with an application number.
b. For each approved application, the title, abstract, approval data, and proposed duration of the project, and the name of the principal investigator and other persons requesting access.
c. For each application, whether it was approved or rejected, and the rationale for the determination, except for portions, if any, exempt from public disclosure under the Freedom of Information Act (FOIA), 5 U.S.C. 552.
**POLICIES AND PRACTICES FOR STORAGE OF RECORDS:**
Records are stored in electronic digital media.
**POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:**
Records are retrieved by the applicant's name or by an application number.
**POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:**
This System of Records is governed by one or more general and/or NSF-specific records retention schedules approved by NARA. These schedules can be found at *https://archives.gov.* The SAP portal is covered under General Records Schedule GRS 4.2. This records schedule provides for disposal after two (2) years, with longer retention authorized as business needs of the individual agencies require.
**ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:**
Records are protected by administrative, technical, and physical safeguards administered by the SAP Portal contractor with oversight and management by NSF. The following auditing measures/controls and technical safeguards are in place to prevent exposure or misuse of information by authorized users ( *e.g.,* records browsing, extraction):
a. The user interface application logs all actions ( *e.g.,* login, logout, session termination)
b. The ingest application logs all user actions, along with their email address and user trace information.
c. These logs are read-only and are backed up to prevent tampering.
**RECORD ACCESS PROCEDURES:**
For access to any system records not routinely available to subject individuals through the SAP portal, such individuals must follow the procedures found at 45 CFR part 613.
**CONTESTING RECORD PROCEDURES:**
Follow the procedures found at 45 CFR part 613.
**NOTIFICATION PROCEDURES:**
See 45 CFR part 613.
**EXEMPTIONS PROMULGATED FOR THIS SYSTEM:**
None.
**HISTORY:**
None.
Dated: December 3, 2025.
Thomas A. Boger,
Acting Senior Agency Official for Privacy, National Science Foundation.