Skip to Content

Notice

Privacy Act of 1974: Enterprise Data Management (EDM) System of Records

Document Details

Information about this document as published in the Federal Register.

Enhanced Content

Relevant information about this document from Regulations.gov provides additional context. This information is not part of the official Federal Register document.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Office of Administration, HUD.

ACTION:

Notice of a new system of records.

SUMMARY:

HUD proposes to add a new system of records to its inventory of systems of records, subject to the Privacy Act of 1974, as amended. This action is necessary to meet the requirements of the Privacy Act to publish in the Federal Register notice of the existence and character of records maintained by HUD. This system of records notice authorizes HUD's Enterprise Data Management (EDM) to collect and maintain information. HUD's goal is to upgrade HUD's data management, data warehousing, data mining and data security capabilities from current outdated legacy database to a more advanced warehouse model.

DATES:

In accordance with 5 U.S.C. 552a(e)(4) and (11), the public is given a 30-day period in which to comment. Therefore, submit comments on or before July 10, 2017.

ADDRESSES:

You may submit comments, identified by docket number and title, by one of the following methods:

  • Federal e-Rulemaking Portal: http://www.regulations.gov. Follow the instructions provided on that Site to submit comments electronically.
  • Fax: 202-619-8365.
  • Email: privacy@hud.gov.
  • Mail: Attention: Housing and Urban Development, Privacy Office, Marcus Smallwood, The Executive Secretariat, 451 Seventh Street SW., Room 10139, Washington, DC 20410.

Instructions: All submission received must include the agency name and docket number for this Federal Register document. The general policy for comments and other submission from members of the public is make three submissions available for public viewing on the Internet at http://www.regulations.gov, as they are received without change, including any personal identifiers or contact information.

Docket: For access to the docket to read background documents or comments received, please visit http://www.regulations.gov.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Marcus Smallwood, Chief Privacy Officer, 451 Seventh Street SW., Room 10139, Washington, DC 20410, telephone number 202-708-3054. Individuals who are hearing- and speech-impaired may access this number via TTY by calling the Federal Relay Service at 800-877-8339 (this is a toll-free number).

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the Department of Housing and Urban Development (HUD) Office of Chief Information Officer (OCIO) proposes to establish a new HUD system of records titled, “Enterprise Data Management (EDM) System of Records.” This system of records is operated by HUD's OCIO, and it will be developed in several phases. The initial phase includes personally identifiable information (PII) about borrowers of Federal Housing Administration (FHA)-insured single-family mortgages, employees of FHA-approved lending institutions, third-parties associated with FHA/HUD transactions such as appraisers and HUD personnel associated with single family transactions.

OCIO is establishing an EDM environment. The EDM environment includes a modern “Data Lake”; which is a centralized data environment to onboard HUD data for use in analytical reporting. The EDM also serves as the centralized environment for systems to consume data from HUD systems (eliminating point to point interfaces). In accordance with Section 203, National Housing Act, Public Law 73-479; and 42 U.S.C. 3543, titled “Preventing fraud and abuse in Department of Housing and Urban Development programs” enacted as part of the Housing and Community Development Act of 1987, the EDM and data lake enables HUD data consumers to gain new insights that will allow HUD to better identify trends and previously unknown risk drivers, thus Start Printed Page 26703strengthening its risk management and fraud prevention framework.

EDM extracts data from multiple source systems for analysis and reporting. The EDM will provide query and reporting tools that aid in supporting HUD's oversight activities, market and economic assessment, public and stakeholder communication, planning and performance evaluation, policies and guidelines promulgation, monitoring and enforcement. Making data available from the HUD source systems will involve Data Extraction, Transformation, and Load (ETL) into the EDM environment. The type of HUD source system (e.g., mainframe, relational database management system (RDBMS), hierarchical) will determine the approach and the tools that will be used to extract the data. EDM extracts data from multiple source systems for analysis and reporting. The EDM will provide query and reporting tools that aid in supporting HUD's oversight activities, market and economic assessment, public and stakeholder communication, planning and performance evaluation, policies and guidelines promulgation, monitoring and enforcement. The following lists the type of information collected from Source Systems for the initial phase of EDM:

  • Mortgagors: Name, addresses, date of birth, social security number, and racial/ethnic background (if disclosed) which are supplied by lenders through Automated Underwriting Systems during the mortgage application and underwriting process.
  • Parties Involved with Transaction: Name, addresses, and identifying numbers which are supplied by the lender or the individual.
  • Mortgage Details: Data regarding current and former FHA insured mortgages which includes underwriting data, such as: Loan-to-value ratios and expense ratios; original terms, such as: Mortgage amount, interest rate, term in months; status of the mortgage insurance; and history of payment defaults, if any. This information is provided by the lender at the time of closing, and also maintained by the loan servicer.
  • HUD Employees: Names and identification of all HUD employees who have access to the system records. Also, identification information is stored for employees who work with mortgage applications through FHA Connection.
  • Aggregated measures of the data stated above to enable statistical reporting and analysis of trends.

II. Privacy Act

The Privacy Act embodies fair information practice principles in a statutory framework governing how the Federal Government collects, maintains, uses, and disseminates individuals' records. The Privacy Act applies to information that is maintained in a “system of records.” A “system of records” is a group of any records under the control of an agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual. In the Privacy Act, an individual is defined to encompass U.S. citizens and lawful permanent residents. As a matter of policy, HUD extends administrative Privacy Act protections to all individuals, excluding persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information, when systems of records maintain information on U.S. citizens, lawful permanent residents, and visitors.

This new public notice allows HUD to organize and re-publish up-to-date and accurate information about this system of records. The notice correction incorporates Federal privacy requirements, and HUD policy requirements. The Privacy Act provides certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies to protect records contained in an agency system of records from unauthorized disclosure, ensure that information is current for its intended use, and that adequate safeguards are provided to prevent misuse of such information. Additionally, the updates reflect the Department's focus on industry best practices in protecting the personal privacy of the individuals covered by each system notification.

In accordance with 5 U.S.C. 552a(r), HUD has provided a report of this system of records to the Office of Management and Budget (OMB) and to Congress, the Senate Committee on Homeland Security and Governmental Affairs, and the House Committee on Government Reform and Oversight as instructed by Paragraph 7b of OMB Circular No. A-108, “Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act,” December 23, 2016.

SYSTEM NAME AND NUMBER:

HUD/OCIO—01 Enterprise Data Management (EDM)

SECURITY CLASSIFICATION:

Unclassified, but sensitive.

SYSTEM LOCATION:

EDM is hosted at the Department of Housing and Urban Development, 451 Seventh Street SW., Washington, DC 20410, or at the locations of the service providers under contract with HUD.

SYSTEM MANAGER(S):

Mark Hayes, Chief Technology Officer, Department of Housing and Urban Development, 451 Seventh Street SW., Room 4166, Washington, DC 20410, 202-402-5526.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The system is maintained in accordance with Section 203, National Housing Act, Public Law 73-479, and 42 U.S.C. 3543 titled “Preventing fraud and abuse in Department of Housing and Urban Development programs,” enacted as part of the Housing and Community Development Act of 1987 which permits the collection of Social Security Numbers.

PURPOSE(S) OF THE SYSTEM:

EDM replaces HUD's current data storage, retrieval and warehousing capabilities. EDM will be implemented in phases across HUD, and the first phase is to directly support the new Loan Review System (LRS). It will collect data from certain specified source systems and return it to LRS. Subsequent phases will collect data from other source systems, and ultimately will replace all existing data warehouses across HUD.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The initial phase of EDM will cover individuals who have obtained a mortgage insured under FHA's single family mortgage insurance programs, individuals who have assumed such a mortgage, and individuals involved in appraising, underwriting, or servicing the mortgage (commonly referred to as “mortgagee/lender”).

CATEGORIES OF RECORDS IN THE SYSTEM:

The initial categories of records maintained by the system include:

  • Appraiser: First Name, Last Name, Middle Name, Suffix.
  • Case Borrower(s): Borrower(s) Full Name, Borrower(s) Social Security number, Non-Borrowing Spouse Social Security number.
  • Loan Officer: First Name, Last Name, Middle Name.
  • Case Property: Basement Code, Neighborhood Percentage Owned, Start Printed Page 26704Neighborhood Predominate, Price, Subdivision Indicator, Property Acquisition Date, Property Street, Property Conversion Type, Rural Neighborhood Code, Neighborhood Single Family Home Percentage, Subdivision Lot Indicator, Building Type, Date of Sale or Transfer, Sale Amount, Year Built, City, Zip, Geocode Flag, Underserved Indicator, Block, Lot, House Number, Street Number.
  • FHA Case Information: Federal Housing Administration (FHA) Case Number, Case Established Date, Case Reinstatement Date, Case Type, Originating Mortgagee ID, Sponsor Mortgagee ID, Loan Officer Nationwide Multistate Licensing System (NMLS) ID, Underwriter Name, Underwriter ID.
  • Mortgagee (Lender) Branch: Branch Type, Branch ID, Mortgagee Institution ID, Mortgagee Institution Name, Mortgagee Institution Type, Mortgagee Nationwide Multistate Licensing System (NMLS) ID, Mortgagee Status.
  • HUD Employees: Names and identification of all HUD employees who have access to the system records. Also, identification information is stored for employees who work with mortgage applications through FHA Connection.
  • Servicing Status: Servicing Status, Claims, and Indemnification Agreement.

RECORD SOURCE CATEGORIES:

Mortgagors, appraisers, mortgagee staff, underwriters, and HUD employees provide data to the originating source systems. The following originating source systems then pass their data to the Enterprise Data Warehouse used in EDM:

  • A43—Single Family Insurance System (SFIS)
  • A43C—Single Family Claims Subsystem (SFCS)
  • F17—Computerized Homes Underwriting Management System (CHUMS)
  • F17C—FHA Connection (FHAC)
  • F17T—TOTAL Mortgage Scorecard (TOTAL)
  • F42D—Single Family Default Monitoring System (SFDMS)
  • P271—Home Equity Reverse Mortgage Information System (HERMIT)
  • P278—Lender Electronic Assessment Portal (LEAP)
  • P303—Loan Review System (LRS)

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. Section 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside HUD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

1. To appropriate agencies, entities, and persons to the extent such disclosures are compatible with the purpose for which the records in this system were collected, as set forth by Appendix I—HUD's Routine Use Inventory Notice published in 80 FR 81837.

2. To appropriate agencies, entities, and persons when:

(a) HUD suspects or has confirmed that the security or confidentiality of information in a system of records has been compromised;

(b) HUD has determined that because of the suspected, or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of systems or programs (whether maintained by HUD or another agency or entity) that rely upon the compromised information; and

(c) The disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HUD's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm for purposes of facilitating responses and remediation efforts in the event of a data breach.

3. To appropriate agencies, entities, and persons when (1) HUD suspects or has confirmed that there has been a breach of the system of records, (2) HUD has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HUD (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HUD's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

4. To another Federal agency or Federal entity, when HUD determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

5. To the National Archives and Records Administration (NARA) or General Services Administration pursuant to records management inspections being conducted under the authority of 44 U.S.C. 2904 and 2906.

6. To a congressional office from the record of an individual in response to an inquiry from that congressional office made at the request of the individual to whom the record pertains.

7. To appropriate agencies, entities, and persons when:

(a) HUD suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised;

(b) HUD has determined that as a result of the suspected or confirmed compromise, there is a risk of identity theft or fraud, harm to economic or property interests, harm to an individual, or harm to the security or integrity of this system or other systems or programs (whether maintained by HUD or another agency or entity) that rely upon the compromised information; and

(c) The disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HUD's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

8. To contractors and their agents, grantees, experts, consultants, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for HUD, when necessary to accomplish an agency, function related to this system of records. Individuals provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to HUD officers and employees.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

EDM will be stored in compliance with 36 CFR 1236.10 regulations on recordkeeping management controls in a Federal Risk and Authorization Management Program (FedRAMP) compliant network. There are no paper records associated with EDM.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

In this initial phase of EDM, information is retrieved from EDM by FHA Case Number as the key identifier. User access to query information in the EDM does not exist. EDM supports only system-to-system interfaces.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Electronic information maintained in EDM is retrieved from originating recordkeeping systems and is retained Start Printed Page 26705indefinitely for future access. This information does not meet the federal definition of a record as it is not evidence of the organization, functions, policies, decisions, procedures, operations, or other activities. This information is duplicated copies of record content preserved for convenience to facilitate new record creation 44 U.S.C. 3301. As subsequent phases of EDM are completed, the applicable data retention policies for those records will be evaluated and maintained for associated systems.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

HUD has developed a system security plan of controls for ensuring and protecting Microsoft Azure Government Cloud in accordance with applicable laws. End users cannot directly access the Enterprise Master Data Warehouse used in EDM. Data exchange with other HUD systems is precisely specified and occurs only through secure interfaces. Encryption of data both at rest and in motion is enabled on a selective basis. EDM is subject to compliance with all Federal requirements and adheres to its approved system security plan (SSP).

RECORD ACCESS PROCEDURES:

HUD allows persons (including foreign nationals) to seek administrative access under the Privacy Act to information maintained in EDM. Individuals seeking notification of and access to any record contained in this system of records, or seeking to contest its content, may submit a request in writing to the HUD Chief Freedom of Information Act (FOIA) Officer or OCIO FOIA Officer. If an individual believes more than one component maintains Privacy Act records that concern him or her, the individual may submit the request to Helen Goff Foster, Chief Privacy Officer/Senior Agency Official for Privacy, 451 Seventh Street SW., Room 10139, Washington, DC 20410, telephone number (202) 402-6838.

When seeking records about yourself from this system of records or any other HUD system of records, your request must conform with the Privacy Act regulations set forth in 24 CFR part 16. You must first verify your identity, meaning that you must provide your full name, current address, and date and place of birth. You must sign your request, and your signature must either be notarized or submitted under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization. In addition, your request should:

(a) Explain why you believe HUD would have information on you.

(b) Identify which Office of HUD you believe has the records about you.

(c) Specify when you believe the records would have been created.

(d) Provide any other information that will help the FOIA staff determine which HUD office may have responsive records.

If your request is seeking records pertaining to another living individual, you must include a statement from that individual certifying their agreement for you to access their records. Without the above information, the HUD FOIA Office may not be able to conduct an effective search, and your request may be denied due to lack of specificity or lack of compliance with applicable regulations.

CONTESTING RECORD PROCEDURES:

The Department's rules for contesting contents of records and appealing initial denials appear in 24 CFR part 16, Procedures for Inquiries. Additional assistance may be obtained by contacting Helen Goff Foster, Senior Agency Official for Privacy/Chief Privacy Officer, 451 Seventh Street SW., Room 10139, Washington, DC 20410, or the HUD Departmental Privacy Appeals Officers, Office of General Counsel, Department of Housing and Urban Development, 451 Seventh Street SW., Washington, DC 20410.

NOTIFICATION PROCEDURES:

See “Records Access Procedures” above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

Not Applicable.

Start Signature

Dated: May 4, 2017.

Helen Goff Foster,

Senior Agency Official for Privacy.

End Signature End Supplemental Information

[FR Doc. 2017-11937 Filed 6-7-17; 8:45 am]

BILLING CODE 4210-67-P