
Drug Enforcement Administration (DEA)
Office of Diversion Control
Controlled Substance Ordering System (CSOS)
Privacy Policy
Revision 7, July 12, 2005



This privacy policy was developed in accordance with the Privacy Act of 1974 (5.U.S.C. §, as amended and the Paperwork Reduction Act of 1980. This notice applies only to the information you submit to DEA to obtain a CSOS certificate. DEA will not sell your personal data to third parties, or utilize it for marketing or other purposes directly unrelated to the issuance, verification, use, and administration of the CSOS certificates, or otherwise use or intentionally disclose the information to third parties other than in accordance with this Privacy Policy without your prior written consent. The information you submit to DEA is considered private and personal. Your private information will not be sold, rented, leased, or intentionally disclosed in any manner to any person without your prior written consent, unless otherwise required by law, or except as may be necessary for the performance of CSOS services.

1. Authority

The information requested is being collected to certify the registration status of DEA Registration Certificate Holders or Powers of Attorney (POA) representing the aforementioned holders who desire to participate in CSOS.

2. Purpose

The purpose is to establish and maintain an electronic system to facilitate secure, electronic communication between controlled substance suppliers, customers and DEA Registration Certificate Holders or POAs using digital signature technologies to authenticate and verify purchaser’s identity. This Privacy Policy, together with the DEA Diversion Control E-Commerce System Certificate Policy (CP) and CSOS Certificate Practice Statement (CPS), describes the CSOS practices regarding the types of individual information collected by the DEA, its use and permissible disclosures, along with the rights of individuals concerning their personal information.

You are not required to provide any of the information requested by this form because your participation in CSOS is completely voluntary. Should you decide to participate in CSOS, certain information is required in order to process your CSOS certificate request. Furnishing incomplete information may lead to your CSOS certificate application being denied. The foregoing notice is intended for informational purposes only and has no effect whatsoever regarding any CSOS certificate that you may or may not receive.

The information collected by the DEA from the forms on the website will include your name, your social security number, your business address, the DEA registration number, the DEA registration name, your business telephone number, and your e-mail address. This information will be retained by the DEA throughout the life of the CSOS certificate and for any additional period required by the CSOS Certificate Policy. The purpose of this data collection is to enable the DEA to issue a CSOS digital certificate that will be accepted by qualified relying parties as authentication of your identity.

3. Routine Uses of System Records, Including Categories of Users and Purposes for Using the System

Information from this system may be disclosed to the following parties:

a) To DEA’s CSOS contractors to compile and maintain documentation on applicants for proofing applicants' identity and their authority to handle controlled substances.

b) To DEA’s CSOS contractors to establish and maintain documentation on information sources for verifying applicants' identities.

c) To DEA personnel participating in CSOS to determine the validity of applicants' digital signature certificates in an on-line, near real time environment.

d) To DEA personnel and CSOS contractors, for ensuring proper management, ensuring data accuracy, and evaluation of the system.

e) To federal, state or local agencies along with state medical and licensing boards responsible for investigating, prosecuting, enforcing, or carrying out a statute, rule, regulation, or order when the DEA Office of Diversion Control becomes aware of a violation or potential violation of civil or criminal law or regulation.

f) To a member of Congress or to a congressional staff member in response to a request from the person who is the subject of the record.

g) To a DEA employee, an expert consultant, or contractor of DEA in the performance of a federal duty to which the information is relevant.

h) To persons registered under the Controlled Substances Act (P.L. 91-513) for the purpose of verifying the registration of customers and practitioners.

4. Policies and Practices for Storing, Monitoring, Retrieving, Retaining, Disposing, and Changing of System Records


4.1 Storage

All records are stored by DEA as hard copy documents and/or on electronic media. DEA will not compile, maintain, or disseminate any information describing how you use your CSOS certificate except to those individuals outlined in Section 3 of this Privacy Policy. The information will be disposed of in accordance with National Archives' records management rules.

4.2 Monitoring

The CSOS website does not utilize “cookies,” banner ads, or otherwise collect or track your personal information, except through the application process, and for purposes of administering the CSOS program and CSOS certificates. The CSOS website is not set up to track, collect or distribute personal information about you, other than information gathered through the application for and use of CSOS certificates, or provided in connection with emails, comments, or other communications with DEA. DEA may track aggregated information about visits to the CSOS website, such as statistics that show the daily number of visitors and the daily requests received for particular files or information. These aggregated statistics are used internally to better provide services to the public, and may also be provided to others, but these statistics contain no personal information about you and cannot be used to gather such information.

We make no attempts to identify individual users of this site unless we suspect illegal behavior. To keep this service available and secure, we monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage to the website. By using this website you consent to such monitoring. Unauthorized attempts to upload information and/or change information on this website are strictly prohibited and are subject to prosecution under the Computer Fraud and Abuse Act of 1986 and Title 18 USC Sections 1001 and 1030.

4.3 Retrieval

Records are retrievable by a personal identifier or by another appropriate type of designation approved by DEA and made available to CSOS PKI participants at the time of their application for CSOS PKI services. The DEA will make available to CSOS participants all information it has collected following an appropriate request for information or correction if necessary. However, information provided by the DEA to conduct CSOS business contained within your CSOS certificate along with related status information is not considered to be private. Should you wish a copy of any records subject to these confidentiality requirements, please submit a request, in writing, to:

Drug Enforcement Administration
ODR Mailroom/CSOS
Attn: Chair, Policy Management Authority
Washington, DC 20537

4.4 Safeguards

System records are safeguarded in accordance with the requirements of the Privacy Act of 1974, OMB Circular A-130, Appendices I and III and section 2.8 of the CSOS CPS. Technical, administrative, and personnel security measures are implemented to ensure confidentiality and integrity of the system data stored, processed, and transmitted. The CSOS System Security Plan, which was approved by DEA, provides for inspections, testing, continuity of operations, and technical certification of security safeguards. An authorized accrediting firm accredits and annually re-accredits the CSOS system. Accrediting standards are outlined in the CP.

4.5 Retention

System records are retained according to CSOS records maintenance and disposition schedules outlined in the CP.

4.6 Disclosure

DEA may disclose such certificate-related identification information to Qualified Relying Parties. Disclosure of system records to consumer reporting systems is not permitted.

4.7 Information Change

Only the individual subscriber to whom the information pertains is allowed to request an information change, except in cases of POAs, where the Registrant must approve the information change. Information that may be reviewed includes only that information pertaining to the individual subscriber submitting the request that is maintained by the DEA in a system of records. A system of records is a grouping of records under the control of the DEA from which information can be retrieved by means of the individual subscriber’s name or an identifying number assigned to the individual subscriber.

Detailed instructions for making requests for access to records are provided on the CSOS website. In response to a proper request for access, CSOS will notify the requesting individual subscriber whether the CSOS system of records contains any records pertaining to him or her, and if so, the manner in which those records may be reviewed.

The following discusses how a request to amend a CSOS record is processed. Requests for an amendment must include:

a) The name of the individual subscriber requesting the amendment,

b) A description of the item or items to be amended,

c) The specific reason for the amendment,

d) The type of amendment action sought (e.g., deletion, correction or addition), and

e) Copies of available documentary evidence supporting the request.

DEA maintains a record of each request for amendment that it receives, including the date and time the request was received, the name of the record, and information provided in support of the request.

DEA will provide to the requesting individual subscriber written or e-mail acknowledgment of the receipt of his/her request for amendment within ten (10) working days of the date of receipt of that request. DEA will also notify the CSOS CA of the receipt of a request for amendment of a record, in writing or by e-mail, within ten (10) working days of the date of receipt of that request. A copy of the acknowledgment and the notice to the CSOS CA will be made a part of the record of the request for amendment.

DEA will make any appropriate corrections to any record or portion thereof that are required to ensure that the record is accurate, relevant, timely, and/or complete, within twenty (20) working days of the date of receipt of a request for amendment of that record. A copy of the corrections made, if any, will be made a part of the record of the request for amendment, and a copy will be forwarded to the CSOS RA. Written or e-mail notification of the correction will also be provided within ten (10) days to any person or agency to whom that record was previously disclosed, and a copy of that notification will be made a part of the record. CSOS will notify the individual Subscriber making the request in writing or by e-mail of any amendments that are made to the record. A copy of the notification will be made a part of the record of the request for amendment.

5. Effect

Failure to accept the Privacy Policy will preclude processing of the CSOS application.
