System of Record Notice 09-90-1901

SYSTEM NUMBER: 09-90-1901 (included as part of the HHS Correspondence, Comment, Customer Service, and Contact List Records, references to HHS are inclusive of HRSA).

SYSTEM NAME: Strategic Work Information and Folder Transfer System (SWIFT), HHS/HRSA/OO/OM.

SECURITY CLASSIFICATION: None

SYSTEM LOCATION: Health Resources and Services Administration (HRSA) Executive Secretariat Office, Director, 5600 Fishers Ln., Rm. 13N82, Rockville, MD 20857 (301) 443-1785.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The records are about individuals within and outside HHS who contact HHS to request or offer information, information products, comments, suggestions, or services or to communicate a complaint or other information, or who receive correspondence from HHS, or who are the author or subject of such publications, communications, or correspondence by or with HHS, or who are included in mailing and contact lists maintained by HHS, when the records are used to support HHS correspondence, information dissemination, and/or customer service functions and are retrieved by the individuals' names or other personal identifiers (unless the records are covered by a more specific system of records notice (SORN)).

CATEGORIES OF RECORDS IN THE SYSTEM: Correspondence includes copies of requests, comments, or other communications addressed or routed to an HHS official for response or other follow-up; copies of correspondence initialed or signed by an HHS official; tracking and control records (indicating, e.g., the date and subject of the correspondence; the name of the correspondent and/or other individual record subject—for example, a constituent identified in congressional correspondence; the action required; the organization drafting the response); and associated work papers and documents (e.g., Reports to Congress, Regulations, Federal Register notices, and records management schedules).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 5 U.S.C. 301, Departmental Regulations.

PURPOSE(S) FOR RECORDS IN THIS SYSTEM: The records in this system of records are used for the purpose of managing HRSA correspondence, information dissemination, and customer service functions; i.e., to maintain, track, control, route, and locate information and documents created, received, requested, and used in managing those functions, in order to provide timely and appropriate actions, responses, notices, services, coordination, referrals, or other follow-up, avoid duplicate entries, and ensure consistency. Correspondence, information dissemination, and customer service functions include, for example, managing comments received on rulemakings and other public notices; non-law enforcement-related help desk and call center activities; handling of consumer complaints; dissemination of publications, unrestricted datasets, and other information; and maintenance of mailing and contact lists. The records may also be used to compile aggregate statistics for the purpose of evaluating and improving these functions.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

In addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), information about an individual may be disclosed from this system of records to parties outside HHS without the individual's prior, written consent, for these routine uses:

  1. Records may be disclosed to agency contractors (including another federal agency functioning as a shared service provider or other contractor to HHS) and to student volunteers, interns, and other individuals who do not have the status of agency employees but have been engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of this system of records and who need to have access to the records in order to assist HHS. Such individuals and contractors will be required to comply with the requirements of the Privacy Act.
  2. Records may be disclosed to other federal agencies and HHS partner agencies and organizations for the purpose of referring a request or issue to them for handling or obtaining their assistance with a response or issue.
  3. Notice of an award that HHS has made to an individual awardee in a particular congressional district may be disclosed to the member of Congress serving that district.
  4. HHS makes publicly available the name(s), contact information, comments, and any supporting documents provided by individuals who comment on docketed proceedings (provided that the information would be required to be released to a requester under the Freedom of Information Act (FOIA); e.g., would not result in a clearly unwarranted invasion of privacy). For rulemaking proceedings, HHS makes the information publicly available in regulations.gov. For other docketed proceedings, HHS makes the information publicly available in www.regulations.gov or available for public inspection at an HHS location specified in the applicable notice, by appointment or as otherwise specified in the notice.
  5. HHS makes certain work contact information for HHS personnel publicly available (for example, in a searchable public directory, and on relevant HHS websites), but only to the extent that the information would be required to be released to a requester under the FOIA.
  6. Names of and biographical information about the individuals who authored, created, appear in, or are the subjects of information products may be disclosed with the products or in descriptions of the products used to publicize them, but would be disclosed without consent only if and to the extent that the names and biographical information would be required to be released to a requester under the FOIA (e.g., would not result in a clearly unwarranted invasion of privacy).
  7. Records may be disclosed to a member of Congress or a congressional staff member in response to a written inquiry of the congressional office made at the written request of the constituent about whom the record is maintained. The congressional office does not have any greater authority to obtain records than the individual would have if requesting the records directly.
  8. Records may be disclosed to representatives of the National Archives and Records Administration during records management inspections conducted pursuant to 44 U.S.C. 2904 and 2906.
  9. Information may be disclosed to the Department of Justice (DOJ) or to a court or other adjudicative body in litigation or other proceedings, when:
    1. HHS or any of its component thereof, or
    2. any employee of HHS acting in the employee's official capacity, or
    3. any employee of HHS acting in the employee's individual capacity where the DOJ or HHS has agreed to represent the employee, or the United States Government, is a party to the proceeding or has an interest in such proceeding and, by careful review, HHS determines that the records are both relevant and necessary to the proceeding.
  10. Where a record, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the agency concerned, whether federal, state, local, tribal, territorial, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or the rule, regulation, or order issued pursuant thereto.
  11. Records may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the Federal Government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
  12. Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
  13. Records may be disclosed to the Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from federal government computer networks to prevent a variety of types of cybersecurity incidents.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

  1. STORAGE: The records are stored in hard-copy files and/or electronic systems or media.
  2. RETRIEVABILITY: Records are retrieved by the individual requester's, correspondent's, commenter's, authors, or other record subject's name or by another personal identifier contained in the records (such as-email address, request tracking number, user ID number). Call center records may be retrieved by the name of the individual who contacted the call center.
  3. SAFEGUARDS: Safeguards conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/index.html. Information is safeguarded in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook; all pertinent National Institutes of Standards and Technology (NIST) publications, and OMB Circular A-130, Managing Information As a Strategic Resource. Records are protected from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards include protecting the facilities where records are stored or accessed with security guards, badges and cameras, securing hard-copy records in locked file cabinets, file rooms or offices during off-duty hours, limiting access to electronic databases to authorized users based on roles and either two-factor authentication or user ID and password (as appropriate), using a secured operating system protected by encryption, firewalls, and intrusion detection systems, requiring encryption for records stored on removable media, training personnel in Privacy Act and information security requirements, and reviewing security controls on a periodic basis. Records that are eligible for destruction are disposed of using destruction methods prescribed by NIST SP 800-88.

RETENTION AND DISPOSAL: DAA-0512-2014-004, Items 6.3.1.2 and 6.3.1.3, Correspondence: Cut off at end of calendar year, and destroy 7 years after cutoff. Tracking records: Retain permanently.

SYSTEM MANAGER AND ADDRESS: HRSA Executive Secretariat Office, Director, 5600 Fishers Ln., Rm. 13N82, Rockville, MD 20857 (301) 443-1785.

NOTIFICATION PROCEDURE: An individual who wishes to know if this system of records contains records about the individual must submit a written request to the relevant System Manager indicated above and verify identity in the same manner required for an access request below.

RECORDS ACCESS PROCEDURES: An individual seeking access to records about the individual in this system of records must submit a written request to the relevant System Manager indicated above. An access request must contain the requesting individual's name and address, email address or other identifying information, and signature. To verify the requester's identity, the signature must be notarized, or the request must include the requester's written certification that the requester is the person the requester claims to be and understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a fine of up to $5,000. To access the records in person, the requester should request an appointment and may be accompanied by a person of the requester's choosing if the requester provides written authorization for agency personnel to discuss the records in that person's presence. An individual may also request an accounting of disclosures that have been made of the records about the individual, if any.

CONTESTING RECORDS PROCEDURES: An individual seeking to amend a record about the individual in this system of records must submit a written request to the relevant System Manager indicated above. An amendment request must include verification of the requester's identity in the same manner required for an access request and must reasonably identify the record and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

RECORD SOURCE CATEGORIES: Most information is obtained directly from the subject individual. Information may also be obtained from a third party who contacts HHS about or on behalf of a subject individual, or from records HHS compiles or persons HHS consults in order to provide a response, provide assistance, or otherwise follow up on the request or communication.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE PRIVACY ACT: None.

Date Last Reviewed: