U.S. Department of Health & Human Services
External User Management System
Privacy Act Statement

This Statement is provided pursuant to 5 U.S.C. § 552a(e)(3) (the Privacy Act): The U.S. Department of Health and Human Services’ (HHS) NextGen External User Management System (XMS) collects access control records about each external user who accesses an HHS information technology (IT) resource leveraging one of the following authentication methods:

  • A federally issued PIV or CAC card and PIN associated with the user’s email address.
  • A log-in credential that the user created with a Credential Service Provider (CSP) by entering email address, name, telephone number, and password in the CSP.

External users are defined for purposes of XMS as relevant employees of federal agencies other than HHS, and relevant members of the public including state and local users, who need the services provided by the HHS IT resource.

When you use one of the above authentication methods to access an HHS IT resource, the information that HHS collects about you in XMS consists of your email address, which XMS receives from your PIV or CAC card, or from the CSP with your consent (see https://www.login.gov/policy/ or https://www.id.me/privacy respectively), and the date and time you accessed the HHS IT resource. (Note that XMS does not receive your password, PIN for your PIV or CAC card, or other identity verification information from the CSP.) The collection of this information in XMS is authorized by 6 U.S.C. § 1523(b)(1)(A)-(E); chapter 35 of title 44, U.S. Code; 40 U.S.C. §§ 11301 et seq.; and Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors, Aug. 27, 2004.

The principal purpose for which HHS uses the information in XMS is to control access to and document the accessing of the HHS IT resource(s) you use, in order to safeguard the availability, integrity, and (if applicable) confidentiality of the information resource(s). HHS may also use your email address for the secondary purpose of informing you of system changes to XMS. HHS may disclose an access control record about you from XMS to non-HHS parties, without your consent, for any of the routine uses published in the following System of Records Notice (SORN), and as otherwise authorized by the Privacy Act at 5 U.S.C. § 552a(b): 09-90-0777 Facility and Resource Access Control Records; SORN history: 75 FR 47812 (8/9/10), updated 83 FR 6591 (2/14/18). Disclosures authorized by the routine uses published in this SORN include:

  • To the Department of Justice or a court or other adjudicative body in litigation or other proceedings when HHS or an HHS employee is a party to the proceedings and HHS determines that the record is relevant and necessary to the proceedings.
  • To the appropriate agency when a violation or potential violation of law is indicated in the system of records.
  • To an intelligence agency to enable it to carry out its responsibility to safeguard classified information.
  • To a member of Congress or a Congressional staff member for the purpose of responding to a written constituent request.
  • To the National Archives and Records Administration in records management inspections.
  • To a contractor engaged to assist HHS in performing activities related to the system of records who needs access to the records to perform the activities.
  • To inform another government agency or public authority (including a licensing authority) of the fact that this system of records contains information relevant to its decision to retain an employee, retain a security clearance, award a contract, or issue or retain a license, grant, or other benefit.
  • To another federal agency to confirm or determine whether a PIV card is no longer valid.
  • To provide relevant and necessary information to appropriate agencies and other parties assisting HHS in responding to a privacy incident or to assist another agency experiencing a privacy incident.

The information collected about you in XMS when you use your PIV or CAC card and PIN or CSP credentials to access an HHS IT resource, and when you use the HHS IT resource, is either voluntary or mandatory to provide, depending on whether the HHS IT resource you access is optional or mandatory for you to use. If the HHS IT resource is optional for you to use, failing to use one of the authentication methods to access and use the resource will limit you to obtaining equivalent services from HHS by other means, which may delay provision of services to you. If the HHS IT resource is mandatory for you to use, failing to use one of the authentication methods to access and use the resource will prevent you from obtaining the services.