U.S. flag An official website of the United States government
  1. Home
  2. Regulatory Information
  3. Freedom of Information
  4. Privacy Act
  5. 09-10-0021 FDA User Fee System, HHS/FDA
  1. Privacy Act

09-10-0021 FDA User Fee System, HHS/FDA

09-10-0021 FDA User Fee System, HHS/FDA

SYSTEM NAME

FDA User Fee System, HHS/FDA.

SECURITY CLASSIFICATION

Unclassified.

SYSTEM LOCATION

This system is located at FDA’s Data Center in Ashburn, VA.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM

This system contains records about individuals and companies that are required to submit user fee payments to the FDA.  This includes organizations registered in the User Fee System (UFS), those billed through the system, as well as those submitting applications for review or otherwise assessed fees under the User Fee Program.

Privacy Act notification, access, and amendment rights relative to the UFS are available only to individuals who are the subject of records in this system. User fee record subjects are individuals required to pay a user fee, including individual FOIA requestors and individuals who are sole proprietors of an entity required to pay a user fee. Although records in the system may contain personally identifiable information (PII) related to other individuals, only the specified fee submitters are considered subjects of records in this system.

CATEGORIES OF RECORDS IN THE SYSTEM

1. The UFS maintains information about individuals, companies and organizations that pay user fees.  This includes: (a) For an entity remitter, a FEIN, and for an individual remitter, a TIN; (b) company or organization name and address; (c) DUNS number; and (d) contact person’s name, phone number, FAX number, and email address.

2. The UFS also stores application information collected when the fee remitter (submitter) creates coversheets in order to pay user fees.  This information includes the type of application, waiver and exemption status, and SBD number.

3. The UFS stores fee processing information including: Billing details; adjustments to invoices including credit and debit memos; and receipt information including date, mode, and amount of payment.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM

21 U.S.C. 371, 379, 379e, 379h, 379h-1, 379j, 379j-12, 379j-21, 379j-31, 387s, and 393(d)(2); 42 U.S.C. 263b(r)(1); 5 U.S.C. 301, 552; and 44 U.S.C. 3101.

PURPOSES

FDA personnel and any contractors assisting them will use information in the system, on a need-to-know basis, for the following purposes:

1.  To assess and collect user fees.

2.  To provide an electronic payment and receipt mechanism that is integrated with the U.S. Department of Treasury’s http://www.Pay.gov Web site and the various FDA Centers.

3.  To provide Web-based capabilities including transactional inquiries and information on payment status.

4.  To facilitate debt collection activities in accordance with the Debt Collection Improvement Act of 1996 and the HHS regulations for claims collections (45 CFR Part 30).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING THE PURPOSES OF SUCH USES AND CATEGORIES OF USERS 1

Permitted disclosures include those made in accordance with routine uses that are listed in the notice of the system of records.  5 U.S.C. 552a(b)(3).  The Privacy Act defines “routine use” as “with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.”  See also FDA’s Privacy Act regulations, defining “routine use” as “use outside the Department of Health and Human Services that is compatible with the purpose for which the records were collected and described in the [System of Records] notice…”  21 CFR 21.20(b)(5).

Records in this system that contain information about record subjects and nonsubjects (such as FDA employees who operate the system) may be disclosed to recipients outside HHS in accordance with the following routine uses:

1.  Records may be disclosed to appropriate Federal Agencies and Department contractors that have a need to know the information for the purpose of assisting the Department’s efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records.

2.  In the event HHS deems it desirable or necessary, in determining whether particular records are required to be disclosed under the FOIA, disclosure may be made to the DOJ for the purpose of obtaining its advice.

3.  Where Federal Agencies having the power to subpoena other Federal Agencies’ records, such as the Internal Revenue Service, issue a subpoena to HHS for records in this system of records, HHS will make such records available, provided however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected.

4.  A record from this system may be disclosed to entities as provided for in the Debt Collection Improvement Act of 1996 (Public Law 104-134).

5.  A record may be disclosed to banks enrolled in the Treasury Credit Card Network to collect a payment or debt when the person has given his/her credit card number for this purpose. 

6.  UFS submitter data (name, address, DUNS number) may be provided to Dun and Bradstreet for validation for the purpose of maintaining database integrity.

7.  Disclosure may be made to the Department of Justice (DOJ) when: (a) The Agency or any component thereof; (b) any employee of the Agency in his or her official capacity; (c) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee; or (d) the U.S. Government is a party to litigation or has an interest in such litigation, and by careful review, the Agency determines that the records are both relevant and necessary to the litigation and the use of such records by the DOJ is therefore deemed by the Agency to be for a purpose that is compatible with the purpose for which the Agency collected the records. 

8.  Disclosure may be made to a court or other tribunal, when: (a) The Agency or any component thereof; (b) any employee of the Agency in his or her official capacity; (c) any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee; or (d) the U.S. Government is a party to the proceeding or has an interest in such proceeding, and by careful review, the Agency determines that the records are both relevant and necessary to the proceeding and the use of such records is therefore deemed by the Agency to be for a purpose that is compatible with the purpose for which the Agency collected the records.

9.  Disclosure may be made to contractors and other individuals who perform services for the Agency related to this system of records, and who need access to the records in order to perform such services. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a.

10. Disclosure may be made to NARA and/or the General Services Administration for the purpose of records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.

11. Records may become accessible to U.S. Department of Homeland Security (DHS) cyber security personnel, if captured in an intrusion detection system used by HHS/FDA and DHS pursuant to the DHS Einstein 2 program.  Under Einstein 2, DHS uses intrusion detection systems to monitor Internet traffic to and from Federal computer networks to prevent malicious computer code from reaching the networks.  According to DHS’ Privacy Impact Assessment for Einstein 2 (available on the DHS Cybersecurity privacy Web site, http://www.dhs.gov), only PII that is directly related to a malicious code security incident is captured by and accessible to DHS, and DHS does not access PII unless the PII is part of the malicious code.

12. When a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, disclosure may be made to the appropriate public authority, whether federal, foreign, state, local, or tribal, or otherwise, responsible for enforcing, investigating or prosecuting such violation, if the information disclosed is relevant to the responsibilities of the agency or public authority. 

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM
STORAGE:

Records may be maintained in hard copy files and on computer disks, hard drives, file servers, and other types of data storage devices.

RETRIEVABILITY:

Records may be retrieved by computer search using name, address, contact information, system identifiable numbers (party/organization, submitter numbers), DUNS Number, and payment information (for refunds).

SAFEGUARDS:
1. Authorized users: Access is restricted to FDA employees and contractors with a Level 5 or higher clearance who have a need for the records in the performance of their duties.

2. Procedural and technical safeguards: Technical controls include identification and authentication, access control, audit and accountability, system and communication protection, timely account disablement/deletion, configuration management, maintenance, system and information integrity, media protection, and incident response.  These controls extend to remote users as well.  Additionally, when a remitter (submitter) generates a coversheet the UFS will only print the last four characters of the FEIN/TIN along with the Organization name and address.

3. Physical safeguards: Physical security safeguards include controlled-access buildings where all records (CDs, computer listings, and paper documents) are maintained in secured areas, locked buildings, locked rooms, and locked cabinets.

RETENTION AND DISPOSAL:

UFS records are maintained in accordance with FDA’s Records Control Schedule, and with the applicable General Records Schedule (GRS) and disposition schedule approved by NARA. UFS records fall under GRS 20, Items 2a(4) (hard copy input records), 12 and 16 (Output records and reports), and NARA approved citation N1-088-09-11, Items 1.1 (files maintained in the Office of Financial Management), 1.2 (data maintained by FDA Centers), and 1.3.2 (database records).

SYSTEM MANAGER AND ADDRESS:

George Brindza, Division of Systems, FDA Office of Information Management (OIM), 2094 Gaither Rd., rm. 131, Rockville, MD 20850; 301-796-7845.

NOTIFICATION PROCEDURES:

In accordance with 21 CFR Part 21, Subpart D, an individual may submit a request to the FDA Privacy Act Coordinator, with a notarized signature, to confirm whether records exist about himself or herself.  Requests should be directed to the FDA Privacy Act Coordinator, Division of Freedom of Information, 12420 Parklawn Dr., ELEM-1036, Rockville, MD, 20857.  An individual requesting notification via mail should certify in his or her request that he or she is the individual who he or she claims to be and that he or she understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Act subject to a $5,000 fine, and indicate on the envelope and in a prominent manner in the request letter that he or she is making a “Privacy Act Request.”  Additional details regarding notification request procedures appear in 21 CFR Part 21, Subpart D.

RECORD ACCESS PROCEDURES:

Procedures are the same as above, in Notification Procedures. Requesters should also reasonably specify the record contents being sought. Some records may be exempt from access under 5 U.S.C. 552a(d)(5), if they are “compiled in reasonable anticipation of a civil action or proceeding.” If access to requested records is denied, the requester may appeal the denial to the FDA Commissioner.  Additional details regarding record access procedures and identity verification requirements appear in 21 CFR Part 21, Subpart D.

CONTESTING RECORD PROCEDURES:

In addition to the procedures described above, requesters should reasonably identify the record, specify the information they are contesting, state the corrective action sought and the reasons for the correction, and provide justifying information showing why the record is not accurate, complete, timely, or relevant.  Rules and procedures regarding amendment of Privacy Act records appear in 21 CFR Part 21, Subpart E.

RECORD SOURCE CATEGORIES:

Information in this system is obtained from many sources, including: (1) Directly from the individual, company or organization that is required to submit user fees to FDA; (2) from materials supplied by the submitter or individual acting on his/her behalf; (3) from FDA Centers such as the Center for Drug Evaluation and Research, Center for Devices and Radiological Health, Center for Biologics Evaluation and Research, Center for Veterinary Medicine, Center for Tobacco Products, Center for Food Safety and Applied Nutrition, and the Office of Financial Management; and (4) from any other relevant source.

RECORDS EXEMPTED FROM CERTAIN PROVISIONS OF THE PRIVACY ACT:

None.
________________
Note: FDA published a Notice of a new Privacy Act system of records for the User Fee System in the Federal Register, Vol. 77, No. 220, Wednesday, November 14, 2012 (pages 67820-67823). As specified in that publication, this new system of records is effective on the date of publication, November 14, 2012, with the exception of the routine uses which are effective December 31, 2012. The publication is available online at http://www.gpo.gov/fdsys/pkg/FR-2012-11-14/pdf/2012-27580.pdf.

Related resources:

FDA Division of Freedom of Information (DFOI) (administers the Agency’s Privacy Act program): http://www.fda.gov/RegulatoryInformation/FOI/default.htm.

______________________ 

 1 In a June 27, 2014 Federal Register Notice FDA added certain standard routine uses to this and other FDA SORNs. The Federal Register Notice of this action describes the routine uses in more detail and is available online at http://www.gpo.gov/fdsys/pkg/FR-2014-06-27/pdf/2014-15022.pdf. The routine uses added to this SORN appear as routine uses number 12 below.

 

 

 

 

Back to Top