MEMORANDUM OF UNDERSTANDING BETWEEN
U.S. DEPARTMENT OF HOMELAND SECURITY,
U.S. CUSTOMS AND BORDER PROTECTION AND THE
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES,
U.S. FOOD AND DRUG ADMINISTRATION REGARDING THE EXCHANGE OF
DATA THROUGH THE AUTOMATED COMMERCIAL ENVIRONMENT
The Parties to this Memorandum of Understanding (MOU) are the U.S. Department of Homeland Security (OHS), through U.S. Customs and Border Protection (CBP), and the U.S. Department of Health and Human Services (HHS), through the U.S. Food and Drug Administration (FDA) (collectively referred to as "the Parties"). Pursuant to authority delegated to him, the Commissioner of CBP is entering into this MOU on behalf of OHS.
This MOU is authorized pursuant to Section 405 of the Security and Accountability For Every Port Act of 2006 (SAFE Port Act) (Pub. L. No. 109-347), the Homeland Security Act of 2002 (Pub. L. No. 107-296), Establishing an lnteragency Working Group on Import Safety, Executive Order 13439 (July 18, 2007), Streamlining the Export/Import Process for America's Businesses, Executive Order 13659 (February 19, 2014), the Federal Food, Drug, and Cosmetic Act (FD&C Act) (Pub. L. No. 75-715, as amended), Fair Packaging and Labeling Act (FPLA) (Pub. L. No. 89-755), Nutrition Labeling and Education Act of 1990 (NLEA) (Pub. L. No.101-535), the Federal Import Milk Act (44 Stat.1101), Filled Milk Act (42 Stat. 1486), Federal Caustic Poison Act (44 Stat. 1406, as amended), and Public Health Service Act (PHSA), Part F, Subpart 1, Biological Products (58 Stat. 702, codified as 42 U.S.C. § 262).
FDA is responsible for ensuring that FDA-regulated foods, drugs, cosmetics, medical devices, biologics, tobacco products, and radiation-emitting electronic products imported or offered for import into the United States meet the requirements of the FD&C Act (Pub. L. No. 75-715, as amended), as well as certain provisions of other statutes. For example, Section 801 of the FD&C Act authorizes examination of foods, drugs, cosmetics, devices, and tobacco products offered for import into the United States. If, among other circumstances, a product appears to be adulterated, misbranded, or an unapproved new drug, based on examination of samples or otherwise, it is subject to refusal of admission into the United States. Section 801 of the FD&C Act also requires that FDA receive notice, in advance of arrival, of food imported or offered for import into the United States. The prior notice information is used by FDA to target and make food defense/security risk assessment decisions related to the imported food.
The objective of this MOU is to establish procedures and guidelines to accommodate and facilitate the exchange of applicable data through CBP's Automated Commercial Environment (ACE) (including any successor system). Another objective of this MOU is to consolidate the exchange of commercial trade and transportation data and other similar information sharing between CBP and FDA under a single agreement, which will replace prior agreements between the Parties as access to such data is made available through ACE. The consolidation of the transfer of data through ACE intends to conserve resources, reduce duplication, curtail expenses, and ensure compliance with the SAFE Port Act and other applicable laws.
Relevant trade and transportation data maintained in other systems is expected to be migrated to ACE or made available through the ACE Portal or a System-to System exchange, as applicable, at which time the terms of this MOU shall become applicable to the exchange of such data. Until such data is migrated from the original commercial systems to be maintained in ACE, or access to such data is facilitated through the ACE Portal, existing MOUs providing for the exchange of information from each of those systems, including the Memorandum of Understanding Between the U.S. Department of the Treasury, U.S. Customs Service and the U.S. Department of Health and Human Services, Food and Drug Administration (FDA MOU# 225-91-4003, August 9, 1991)1, will remain in effect. Notifications will be provided by CSP when a data set is officially covered by ACE.
To accomplish the objectives of the MOU, the Parties will refer to the Standard Data Set (SOS) of ACE to define the data elements containing information subject to this exchange. Such data is referred to herein as "ACE data" or "data exchanged through ACE" and is set forth in Appendix A.
4.1 CSP Agrees:
4.1.1 To provide FDA with access, via a direct, system-to-system interface to ACE and ACE data, consistent with this MOU, in particular ACE data that assists FDA in carrying out its functions and responsibilities pursuant to its legal authorities, including those listed in section 2 above (AUTHORITY).
FDA will be granted access to information in the ACE Portal if it is the information owner (i.e., has independent authority to collect such information). FDA will also be granted access to third party information in the ACE Portal to the extent specifically authorized in writing by a partner government agency (PGA) that is the information owner, with written notification to CBP.
4.1.2 To develop a mechanism for the electronic transfer of ACE data to FDA related to the importation of products regulated by FDA, as listed in Appendix B.
4.1.3 To notify FDA, as soon as practicable, of any discrepancies and inaccuracies identified in applicable ACE data of which CBP becomes aware.
4.1.4 To engage in timely exchanges with FDA of security-related information owned by CBP and maintained in ACE or accessible through the ACE Portal related to critical infrastructure vulnerabilities, threat intelligence, and commercial security activities.
4.1.5 To ensure that adequate safeguards are in place and utilized for protecting ACE data.
4.2 FDA Agrees:
4.2.1 To access and use ACE data consistent with this MOU, to assist in carrying out its functions and responsibilities pursuant to its legal authorities, including those listed in section 2 (AUTHORITY) above.
4.2.2 To assist CBP in the development of a mechanism for the electronic transfer of ACE data to FDA from CBP related to the importation and exportation of products regulated by FDA, as listed in Appendix B. Such assistance includes, but is not limited to, the provision of sufficient information to CBP to permit it to identify the relevant product-specific data elements to be included as ACE data under this MOU (Appendix A).
4.2.3 To notify CBP, as soon as practicable, of discrepancies and inaccuracies identified in applicable ACE data of which FDA becomes aware.
4.2.4 To provide CBP with an annually updated list of FDA field locations, employees, and contractors having access to ACE and the information contained within ACE, either via the ACE Portal or system-to-system access.
4.2.5 To ensure that all FDA employees and contractors who have access to ACE and the information contained within the ACE, either via the ACE Portal or system-to-system access,have a qualified background investigation in accordance with Appendix C.
4.2.6 To ensure that adequate safeguards are in place and utilized for protecting ACE data.
4.2.7 To allow CBP, following advance notice, to periodically audit security measures utilized by FDA for accessing ACE (directly or through the ACE Portal, as applicable) and maintaining ACE data (see Appendix C).
4.2.8 To engage in timely exchanges with CBP of security-related information owned by FDA and maintained in ACE or accessible through the ACE Portal related to critical infrastructure vulnerabilities, threat intelligence, and commercial security activities.
5. OTHER PROVISIONS
5.1 Treatment of Data:
5.1.1 Each Party must ensure, in accordance with the Privacy Act of 1974 (Privacy Act), as amended (5 U.S.C. § 552a), that, if applicable, a System of Records Notice (SORN) will be timely published or amended for any system(s) that will maintain data received from the other Party under this MOU. Furthermore, in accordance with the E-Government Act of 2002 (E-Government Act) (Pub. L. No. 107-347, 116 Stat. 2899), each Party is to ensure that a Privacy Impact Assessment (PIA) is published, if appropriate.
5.1.2 Each Party is responsible for ensuring the integrity of data transferred to it and maintained in its systems pursuant to this MOU (i.e., properly maintaining the data and ensuring it is not compromised), for maintaining adequate safeguards for preventing unauthorized disclosure of the data to third parties, and for ensuring that data is only provided to its employees and contractors who have an official need-to know. Disclosure of the data to third parties must be consistent with applicable laws and policies, including this MOU, the Federal Information Security Management Act of 2002 (FISMA) (44 U.S.C. § 3541, et seq.), the Privacy Act, as amended (5 U.S.C. § 552a), the Freedom of Information Act (FOIA) (5 U.S.C. § 552), and E-Government Act (Pub. L. No. 107-347, 116 Stat. 2899).
5.1.3 Each Party is responsible for ensuring that any data
provided to it under this MOU, including data that is maintained in its systems(s), is in compliance with the moderate system security categorization for FISMA requirements regarding information security for such data and the relevant systems in which the data are maintained.
5.1.4 If the receiving Party is not the information owner, that Party is responsible for ensuring that any data provided to it under this MOU, including data that is maintained in its system(s), is properly marked as being derived from the originating agency to ensure appropriate handling consistent with this MOU.
5.1.5 The Parties agree that the information received pursuant to this MOU will only be used for purposes consistent with this MOU and will not be disseminated to third parties without specific prior written authorization from the information owner. However, nothing in this MOU is intended to restrict a Party's authority to use and disseminate information for which it is the information owner pursuant to its applicable laws and regulations.
5.1.6 The Parties understand and acknowledge that information exchanged pursuant to this MOU may include highly sensitive commercial, financial, and proprietary information exempt or restricted from disclosure by law, such as by FOIA (5 U.S.C. § 552a) and the Trade Secrets Act (18 U.S.C. §1905).
5.1.7 The Parties understand that the collection, sharing, storage, and use of some data exchanged through ACE under this MOU may be subject to additional restrictions, which shall be set forth in a separate appendix to this MOU, as appropriate. Reference to the applicable appendix containing such restrictions shall be noted in Appendix A, adjacent to the relevant data element.
5.1.8 In the event a Party is named in a civil action involving allegations of unlawful release of data provided to it under this MOU, each Party, as appropriate, is responsible for assisting the U.S. Department of Justice in defending such lawsuit. Each Party acknowledges that it, including its employees and contractors, may be subject to liability or penalties under applicable law for the unlawful disclosure of information provided to it under this MOU.
5.1.9 Public release of any data relating to the value or volume of imports, exports, and balance of trade is subject to the requirements of the Office of Management and Budget (0MB) Statistical Policy Directive Number 3 (September 25, 1985). The Parties are responsible for ensuring that no data covered by the 0MB Directive, in any form, is released prior to the official release of the international trade statistics without the approval of 0 MB.
5.1.10 Each Party shall refer to the other Party any and all requests made under FOIA and the Privacy Act for information provided to it pursuant to this MOU for which it is not the information owner. Specifically, FDA will refer such requests concerning CBP owned ACE data or other PGA owned ACE data to CBP, Office of the Commissioner, Office of Privacy and Diversity, FOIA Division, (http://FOIAonline.regulations.gov/) for handling or referral, as appropriate. CBP will refer such requests concerning FDA owned ACE data to FDA, Office of the Executive Secretariat, Division of Freedom of Information.
5.2 It is Mutually Understood and Agreed That:
5.2.1 For purposes of this MOU, OHS and each of its components are not considered third parties, and, therefore, transfers of information to OHS and any of its components are not considered third party disclosures.
5.2.2 Nothing in this MOU is intended to serve as the authority or means to acquire or procure goods or services, exchange funds or property, or transfer or assign personnel. Additional contracts, documents, or agreements may be necessary to execute the activities contemplated under the MOU.
5.2.3 This MOU is not an obligation or commitment of funds, nor a basis for the transfer of funds. Unless otherwise agreed to in writing, each Party shall bear its own costs in relation to this MOU. Expenditures by each Party will be subject to its budgetary processes and to the availability of funds and resources pursuant to applicable laws, regulations, and policies. The Parties expressly acknowledge that this in no way implies that Congress will appropriate funds for such expenditures.
5.2.4 Any necessary transfers of funds between the Parties will be effectuated through separate lnteragency Agreement(s). Applicable lnteragency Agreement(s) are to be attached hereto in Appendix D.
6.1 Nothing in this MOU is intended to conflict with statutes, regulations, or policies applicable to each Party. If a term of this MOU is inconsistent with such authority, then that term shall be invalid, but the remaining terms and conditions of this MOU shall remain in full force and effect.
6.2 Except as otherwise provided herein, the terms of this MOU and its appendices may be modified upon the mutual written agreement of both Parties.
6.3 Requests to amend the PGA-specific SOS (Appendix A) shall be made by submitting a proposal in writing to the CBP Liaison Office listed in this document. If that element currently exists in the SOS, the request to add the data element may be submitted to the CBP Liaison Office, and Appendix A will be updated accordingly, if appropriate. If the data element is not in the SOS, the PGA may submit a proposal in writing to the CBP Liaison Office, and the SOS will be updated, if appropriate, based on sufficient information submitted in support of the request for addition of the data element, including, but not limited to, the relevant legal authorities. In other situations, the International Trade Data System (ITDS) Data Harmonization Committee, chartered by the ITDS Board of Directors, or its successor entity, will consider the request and determine whether to add the data element on the basis of the legal authorities, if any, and other information submitted in support of the request for the addition of the data element.
6.4 Requests to amend Appendix B may be made at any time by
submitting a proposal to the CBP Liaison Office listed in this document.
6.5 The Parties acknowledge that amendments to this MOU and its Appendices may require approval by the International Trade Data System (ITDS) Board of Directors or its successor entity, if required by this MOU or if the Parties agree that such approval is required. While it is understood that any issues relating to this MOU should be resolved between the Parties, in the event the Parties cannot agree, the Parties acknowledge that resolution of such issues may require approval by the ITDS Board of Directors.
6.6 The general guidelines of this MOU may be supplemented by specific guidelines in accordance with local needs, subject to approval by both Parties hereto, and, to the degree applicable, in accordance with the guidance of the ITDS Board of Directors or its successor entity.
7. DATE EFFECTIVE
This MOU shall become effective upon the date of signature by the Parties and is intended to be in force until terminated by either Party. Except as provided in 6.3 and 6.4, any amendment or modification is effective upon mutual written agreement of the Parties, unless otherwise indicated in such amendment or modification.
Either party may terminate this MOU upon one hundred twenty (120) days prior written notice to the other Party. In the event the MOU is terminated, each Party shall continue to apply the terms of this MOU with regard to any data received pursuant to this MOU.
9. SEVERABILITY CLAUSE
Nothing in this MOU is intended to conflict with the current laws, regulations, or directives of OHS and CSP or FDA. If a term of this MOU is inconsistent with such authority, then that term shall be invalid, but the remaining terms and conditions of this MOU shall remain in full force and effect.
10. EMERGENCY SITUATIONS
10.1 In the event that a national or regional disaster disrupts communications between FDA and CSP, an emergency contingency plan shall become operational. The procedures of that plan are to be developed in consultation with the PGAs, and it is to be set forth in Appendix E to this MOU.
10.2 Both Parties reserve the right to suspend, interrupt, or modify, as necessary, any information sharing operations that are the result of this MOU during times of national emergency, including as indicated by changes in the National Terrorism Advisory System (NTAS), or any successor system. A Party will give the other Party notice as soon as practicable regarding the suspension, interruption, or modification of any information sharing operations pursuant to this paragraph
11. NO PRIVATE RIGHT OF ACTION CREATED
This MOU is an internal government agreement and does not explicitly or impliedly create, confer, grant, or authorize any rights, privileges or obligations, substantive or procedura,l enforceable at law or otherwise by either Party against the other, or by any third party against the Parties, their parent agencies, the United States, or the officers, employees, agents, or other associated personnel thereof and is not intended, nor should be construed, as creating any such right, privilege, benefit, or obligation.
12. CONTACT INFORMATION FOR LIAISON OFFICES
12.1 The following offices will act as liaisons between FDA and CSP for the purpose of coordinating the implementation, or the modification, if any, of this MOU:
12.1.1 Contact for FDA:
Director, Division of Import Operations (301) 796-0356
Director, Division of Compliance Systems
12.1.2 Contact for CBP:
Director, Interagency Collaboration Office of International Trade
12.2 In the event a Party to this MOU changes its liaison, that Party will provide notice as soon as practicable of the new liaison and his/her contact information.
The undersigned approve the terms and conditions of this MOU and represent that they have the requisite authority to enter into it.
Stephen M. Ostroff, M.D.
U.S. Food and Drug Administration Department of Health and Human Services
Date: June 8, 2015
R. Gil Kerhkowske Commissioner
U.S. Customs and Border Protection Department of Homeland Security
Date: May 15, 2015
Appendix A = PGA Authorized Data
Appendix B = List of Products for which ACE data is to be provided to the other Party (List should include HTSUS Number with accompanying Description)
Appendix C = ACE Systems Security- ITDS Security Implementation for Use of ACE
Appendix D = lnteragency Agreement(s) for the Transfer of Funds [Reserved]
Appendix E = Emergency Situations [Reserved]
Appendix F = Glossary of Terms
Appendix G = United States Census Bureau's National Interest Determination (NID) [Reserved]
Note: Because of the length of the appendices to this MOU, they have not been posted online. Please contact the ACE team for more information at: firstname.lastname@example.org