Issued 07/26/94; Effective 07/18/94 Last Reviewed: In Process
SECTION 1. PURPOSE.
.01 This Order:
a. prescribes policies and procedures for protecting the confidentiality of data submitted to and collected by the National Oceanic and Atmospheric Administration (NOAA)/National Marine Fisheries Service (NMFS) as authorized or required by law;
b. informs authorized users of their obligations for maintaining the confidentiality of data received by NMFS;
c. provides for operational safeguards to maintain the security of data; and
d. states the penalties provided by law for disclosure of confidential data.
SECTION 2. SCOPE.
This Order covers all confidential data received, collected, maintained, or used by NMFS.
SECTION 3. DEFINITIONS.
.01 Access to data means the freedom or ability to use data, conditioned by a statement of nondisclosure and penalties for unauthorized use.
.02 Aggregate or summary form means data structured so that the identity of the submitter cannot be determined either from the present release of the data or in combination with other releases.
.03 Agreement refers to all binding forms of mutual commitment under a stated set of conditions to achieve a specific objective.
.04 Assistant Administrator means the Assistant Administrator for Fisheries, NOAA, or a designee authorized to have access to confidential data.
.05 Authorized Use/User.
a. Authorized use is that specific use authorized under the governing statute, regulation, order, contract or agreement.
b. An authorized user is any person who, having the need to collect or use confidential data in the performance of an official activity, has read this Order and has signed a statement of nondisclosure affirming the user's understanding of NMFS obligations with respect to confidential data and the penalties for unauthorized use and disclosure.
.06 Confidential data means data that are identifiable with any person, accepted by the Secretary, and prohibited by law from being disclosed to the public. The term "as used" does not convey data sensitivity for national security purposes [See Executive Order (E.O.) 12356 dated April 2, 1982].
.07 Data refers to information used as a basis for reasoning, discussion, or calculation that a person may submit, either voluntarily or as required by statute or regulation.
.08 GC means the Office of General Counsel, NOAA.
.09 Person means any individual (whether or not a citizen or national of the United States), any corporation, partnership, association, or other entity (whether or not organized or existing under the laws of any State), and any Federal, State, local, or foreign government or any entity of such governments, including Regional Fishery Management Councils (Councils).
.10 Public means any person who is not an authorized user.
.11 Region means NMFS Regional field offices, Fisheries Science Centers, and associated laboratories.
.12 Source document means the document, paper, or electronic format on which data are originally recorded.
.13 State employee means any member of a State agency responsible for developing and monitoring the State's program for fisheries or Marine Mammal Protection Act (MMPA) program.
.14 Submitter means any person or the agent of any person who provides data to NMFS either voluntarily or as required by statute or regulation.
SECTION 4. POLICY.
For data subject to this Order, it is NMFS policy that:
a. confidential data shall only be disclosed to the public if required by the Freedom of Information Act (FOIA), 5 U.S.C. 552, the Privacy Act, 5 U.S.C. 552a, or by court order. Disclosure of data pursuant to a subpoena issued by an agency of competent jurisdiction is a lawful disclosure. Disclosure pursuant to a subpoena must be approved by GC;
b. individual identifiers shall be retained with data, unless the permanent deletion is consistent with the needs of NMFS and good scientific practice [See Section 6.02c]; and
c. a notice is required on all report forms requesting data and must comply with 5 U.S.C. 552a(e)(3) and Paperwork Reduction Act requirements in NAO 216-8, Information Collections and Requirements Needing Office of Management and Budget Clearance. [See E.O. 12600 of June 23, 1987, for additional information regarding the rights of submitters to designate commercial confidential data at the time of submission.]
SECTION 5. OPERATIONAL RESPONSIBILITIES.
.01 The Regional Director of each region (or, in the case of headquarters, each Office Director) has the responsibility to maintain the confidentiality of all data collected, maintained, and disclosed by the respective region.
.02 Each region shall submit to the Assistant Administrator specific procedures governing the collection, maintenance, and disclosure of confidential data. These documents shall be compiled as regional handbooks following the guidelines and standards:
a. handbooks are to be developed in detail to ensure the maintenance of confidential data on a functional basis in each region; and
b. handbooks shall be coordinated through the National Data Management Committee (a NMFS group established by the Assistant Administrator to develop data management policies and procedures) and reviewed annually. The regional handbooks will address, at minimum, the contents of Sections 6-7.
SECTION 6. PROCEDURES.
.01 Data Collection. To collect data, the Secretary may use Federal employees, contractor employees, or, pursuant to an agreement, State employees.
a. General Requirements.
1. Personnel authorized to collect Federal data must maintain all documents containing confidential data in secure facilities; and
2. may not disclose confidential data, whether recorded or not, to anyone not authorized to receive and handle such data.
b. Specific Requirements.
1. Each Federal or contractor employee collecting or processing confidential data will be required to read, date, and sign a statement of nondisclosure, that affirms the employee's understanding of NMFS obligations with respect to confidential data and the penalties for unauthorized use and disclosure of the data. Upon signature, the employee's name will be placed on record as an "authorized user," and the employee will be issued certification.
2. Data collected by a contractor must be transferred timely to authorized Federal employees; no copies of these data may be retained by the contractor. NMFS may permit contractors to retain aggregated data. A data return clause shall be included in the agreement. All procedures applicable to Federal employees must be followed by contractor employees collecting data with Federal authority.
3. Under agreements with the State, each State data collector collecting confidential data will sign a statement at least as protective as the one signed by Federal employees, which affirms that the signer understands the applicable procedures and regulations and the penalties for unauthorized disclosure.
a. Maintenance is defined as the procedures required to keep confidential data secure from the time the source documents are received by NMFS to their ultimate disposition, regardless of format. [See National Institute of Standards and Technology "Computer Security Publications, List 91" for guidance.]
b. Specific procedures in regional handbooks must deal with the following minimum security requirements, as well as any others that may be necessary because of the specific data, equipment, or physical facilities:
1. the establishment of an office or person responsible for evaluating requests for access to data;
2. the identifications of all persons certified as authorized users. These lists shall be kept current and reviewed on an annual basis;
3. the issuance of employee security rules that emphasize the confidential status of certain data and the consequences of unauthorized removal or disclosure;
4. the description of the security procedures used to prevent unauthorized access to and/or removal of confidential data;
5. the development of a catalog/inventory system of all confidential data received including: the type of source docume nt; the authority under which each item of data was collected; any statutory or regulatory restriction(s) which may apply; and routing from the time of receipt until final disposition; and
6. The development of an appropriate coding system for each set of confidential data so that access to data that identifies, or could be used to identify, the person or business of the submitter is controlled by the use of one or more coding system(s). Lists that contain the codes shall be kept secure.
c. The permanent deletion of individual identifiers from a database shall be addressed on a case-by-case basis. Identifiers may only be deleted after:
1. future uses of data have thoroughly been evaluated, e.g., the need for individual landings records for allocating shares under an individual transferable quota program;
2. consultation with the agency(s) collecting data (if other than NMFS), the relevant Council(s), and NMFS Senior Scientist; and
3. concurrence by the Assistant Administrator has been received prior to deletion.
.03 Access to Data Subject to This Order.
a. General Requirements. In determining whether to grant a request for access to confidential data, the following information shall be taken into consideration:
1. the specific types of data required;
2. the relevance of the data to the intended uses;
3. whether access will be continuous, infrequent, or one-time;
4. an evaluation of the requester's statement of why aggregate or non-confidential summaries of data would not satisfy the requested needs; and
5. the legal framework for the disclosure, in accordance with GC and this Order.
b. Within NMFS. NMFS employees requesting confidential data must have certification as being authorized users for the particular type of data requested.
c. Councils. Upon written request by the Council Executive Director:
1. "authorized user" status for confidential data collected under the Magnuson Fishery Conservation and Management Act (Magnuson Act) may be granted to a Council for use by the Council for conservation and management purposes consistent with the approval of the Assistant Administrator as described in 50 CFR 603.5;
2. "authorized user" status for confidential data, collected under the Magnuson Act and MMPA, will be granted to Council employees who are responsible for Fishery Management Plan development and monitoring; and
3. Councils that request access to confidential data must submit, on an annual basis, a copy of their procedures for ensuring the confidentiality of data to the region, or in the case of intercouncil fisheries, regions. The procedures will be evaluated for their effectiveness and, if necessary, changes may be recommended. As part of this procedure, an updated statement of nondisclosure will be included for each employee and member who requires access to confidential data.
1. Requests from States for confidential data shall be directed in writing to the NMFS office that maintains the source data.
2. Each request will be processed in accordance with any agreement NMFS may have with the State:
(a) confidential data collected solely under Federal authority will be provided to a State by NMFS only if the Assistant Administrator finds that the State has authority to protect the confidentiality of the data comparable to, or more stringent than, NMFS' requirements; and
(b) the State will exercise its authority to limit subsequent access and use of the data to those uses allowed by authorities under which the data was collected.
3. If the State has no agreement with NMFS for the collection and exchange of confidential data, the request shall be treated as a public request and disclosure may be denied subject to FOIA or the Privacy Act.
4. Where a State has entered into a cooperative exchange agreement with another State(s), NMFS will facilitate transfer or exchange of State-collected data in its possession if:
(a) NMFS has written authorization for data transfer from the head of the collecting State agency; and
(b) the collecting State has provided NMFS a list of authorized users in the recipient State(s); and
(c) the collecting State agrees to hold the United States Government harmless for any suit that may arise from the misuse of the data.
1. Pursuant to an agreement with NMFS, a NMFS contractor (including universities, Sea Grant investigators, etc.) may be granted "authorized user" status consistent with this Order if the use furthers the mission of NMFS.
2. The region will notify the contractor of its decision on access in writing within 30 calendar days after receipt of the request.
3. Contingent upon approval, the contractor will be provided with details regarding conditions of data access, any costs involved, formats, timing, and security procedures. If the request is denied, the reason(s) for denial will be given by the NMFS office involved. The denial will not preclude NMFS consideration of future requests from the contractor.
4. If access is granted, language in the agreement specifically dealing with confidentiality of data will be required. The language shall include all of the relevant portions of this Order and shall prohibit the further disclosure of the data. No data may be retained beyond the termination date of the agreement; and any disclosure of data derived from the accessed confidential data must be approved by NMFS.
5. Each agreement shall be reviewed by GC prior to its execution, and shall, to the extent possible, be consistent with the model agreement contained in Appendix D (Not included --WebEd).
f. Submitters. The Privacy Act allows for data to be released back to the submitter upon receipt and verification of a written request stating the data required.
04. Requests for Confidential Data. NMFS is authorized to collect data under various statutes [See Appendix A (Not include --WebEd)]. Two types of statutes govern the disclosure of confidential data collected by the Federal Government, those that contain specific and non-discretionary language within the Act, and those that provide overall guidance to the Federal Government. Sections of these Acts that deal with exceptions to disclosure may be found in Appendix B (Not included -- WebEd).
a. Magnuson Act and MMPA.
1. Data collected under 16 U.S.C. 1853 (a) or (b), and 16 U.S.C. 1383a(c),(d),(e),(f),or (h) will be handled in the following manner:
(a) data will only be disclosed to Federal employees and Council employees who are responsible for management plan development and monitoring; State employees pursuant to an agreement with the Secretary that prevents public disclosure of the identity or business of any person; a Council for conservation and management purposes [not applicable for MMPA data] or when required by court order. [See 50 CFR 229.10 and part 603];
(b) Council advisory groups are not permitted access to such confidential data [See 50 CFR 601.27(b)];
(c) requests from States that do not have an agreement with the Secretary will be processed in accordance with the Privacy Act or FOIA; and
(d) data collected by an observer under 16 U.S.C. 1853 (a) or (b) are not considered to have been "submitted to the Secretary by any person," and therefore are not confidential under Section 6.04.a of this Order. Data collected by an observer may be withheld from disclosure under the Privacy Act, or subsections (b)(3),(4),(5),(6), or (7) of FOIA.
2. Confidential data submitted to the Secretary under other Sections of the Magnuson Act or MMPA may only be disclosed in accordance with the Privacy Act or FOIA. Types of data and the collection authority may include among others:
(a) Processed Product Data -- 16 U.S.C. 1854(e);
(b) Fish Meal and Oil, Monthly -- 16 U.S.C. 1854(e);
(c) Data Collected Under State Authority and Provided to NMFS -- 16 U.S.C. 1854(e); and
(d) Tuna-Dolphin Observer Program -- 16 U.S.C. 1361 et seq.
b. South Pacific Tuna Act. Data collected under South Pacific Tuna Act 16 U.S.C. 973j is protected from disclosure to the public in accordance with section 973j(b).
c. Other Statutes. Confidential data collected under other NMFS programs as authorized by statutes other than South Pacific Tuna Act (16 U.S.C 973j), MMPA (16 U.S.C. 1361 et seq.), and Magnuson Act (16 U.S.C. 1801 et seq.), may only be disclosed to the public in accordance with the Privacy Act and FOIA. Types of data and the collection authority may include among others:
(1) Monthly Cold Storage Fish Report -- 16 U.S.C. 742(a);
(2) Market News Data -- 16 U.S.C. 742(a); and
(3) Seafood Inspection Data -- 7 U.S.C. 1621 et seq.
d. Special Procedures.
1. Cold Storage Summary Reports. NMFS publishes monthly cold storage holdings of fishery products. Advance knowledge of the content of these reports could give those who trade in the products an opportunity to gain competitive advantage. Therefore, in addition to the confidential protection provided to individual reports, the monthly summary report will not be disclosed to the public until 3:00 p.m. Eastern Time of the official release date. Release dates for these data are published 1 year in advance in November, and can be obtained from the NMFS Fisheries Statistics Division.
2. Surplus commodity purchases by USDA. NMFS and the Department of Agriculture (USDA) have an interagency agreement relating to the purchase of surplus fishery products. NMFS is responsible for providing confidential data and recommendations to the USDA regarding these purchases. Advance knowledge of these data could cause a competitive advantage or disadvantage to the general public, fishing industry, and the program. Therefore, all NMFS personnel engaged in the surplus commodity purchase program will be required to sign a specific "USDA Responsibility Statement." A copy will be maintained in the Office of Trade Services.
3. Agreements for Disclosure of Confidential Data. A letter of agreement may authorize the disclosure of confidential data when both the Government and the submitter agree to disclosure of the data. The need to provide security for the data will vary depending on the type of data collected and the form of the disclosure. Disclosure can be undertaken if all the following conditions are met:
(a) the person has agreed in writing to the disclosure and is aware that disclosure is irrevocable;
(b) the recipient has been informed in writing of the sensitivity of the data; and
(c) the wording of the agreement has been approved by GC.
.05 Disposal. NAO 205-1, NOAA Records Management Program, shall govern the disposition of records covered under this Order.
SECTION 7. PENALTIES.
.01 Civil and Criminal. Persons who make unauthorized disclosure of confidential data may be subject to civil penalties or criminal prosecution under:
a. Trade Secrets Act (18 U.S.C. 1905);
b. Privacy Act (5 U.S.C. 552a(i)(1));
c. Magnuson Act (16 U.S.C. 1858); and
d. MMPA (16 U.S.C. 1375).
.02 Conflict of Interest. Employees are prohibited by Department of Commerce employee conduct regulations [15 CFR part 0] and by ethics regulations applicable to the Executive Branch [5 CFR 2635.703] from using nonpublic information subject to this Order for personal gain, whether or not there is a disclosure to a third party.
.03 Disciplinary Action. Persons may be subject to disciplinary action, including removal, for failure to comply with this Order. Prohibited activities include, but are not limited to, unlawful disclosure or use of the data, and failure to comply with implementing regulations or statutory prohibitions relating to the collection, maintenance, use and disclosure of data covered by this Order.
SECTION 8. EFFECT ON OTHER ISSUANCES.
Director, Office of Administration
Office of Primary Interest:
National Marine Fisheries Service
Office of Research and Environmental Information
Fisheries Statistics Division (F/RE1)