ML17270A079

E-FOIA Tracking System (Foiaonline) Pia
Person / Time
Issue date: 03/14/2018
From: Anna Mcgowan
NRC/OCIO
To:


Text

ADAMS ML17270A079 U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

E-FOIA Tracking System (FOIAonline)

Date: September 26, 2017

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:

FOIAonline is a cloud platform managed and revised by the Environmental Protection Agency (EPA), and resides on the NRC LAN server. FOIAonline is a subsystem of the Federal Docket Management System (FDMS). EPA will maintain the security plan and has its own Privacy Impact Assessment identifying the system operations and controls. FOIAonline will collect the names and mail addresses of Freedom of Information Act (FOIA) requesters. Requesters also provide fax numbers and email addresses, but this information is not required.

Routine correspondence with the requester, along with responsive records from the agency will be maintained in the system. Responsive records that exceed the system security categorization of moderate will be maintained at NRC in a secure restricted access location (safe or secure restricted drive).

2. What agency function does it support?

NRC's Freedom of Information Act/Privacy Act Program.

3. Describe any modules or subsystems, where relevant, and their functions.

FOIAonline is a subsystem of the FDMS and fulfills the tracking and reporting requirements under the Freedom of Information Act (5 U.S.C. § 552, as amended by Public Law No. 104-231, 110 Stat. 3048).

What legal authority authorizes the purchase or development of this system?

Clinger-Cohen Act (40 U.S.C. 11318)

The Economy Act (31 U.S.C. §1535, 1536)

The Freedom of Information Act (5 U.S.C. § 552, as amended by P.L. 104-231, 110 Stat. 3048) and the FOIA Improvement Act of 2016 (P.L. 114-185 (June 30, 2016))

Memorandum for the Heads of Executive Departments and Agencies: Open Government Directive, M10-06 (December 8, 2009)

4. What is the purpose of the system and the data to be collected?

To process FOIA requests and FOIA appeals. To allow the public to submit and the agency to process FOIA requests and FOIA appeals. Collecting site usage activity is a common practice and the only means to determine how the public is actually using features on any given web site.

5. Points of Contact:

Project Manager: Stephanie Blaney, OCIO/GEMS/ISB, 301-415-6975
Business Project Manager: Stephanie Blaney, OCIO/GEMS/ISB, 301-415-6975
Technical Project Manager: Anna McGowan, OCIO/GEMS/ISB, 301-415-7204
Executive Sponsor: David Nelson, OCIO, 301-415-8700

6. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. [X] New System   [ ] Modify Existing System   [ ] Other (Explain)
b. If modifying an existing system, has a PIA been prepared before?

No, replacing the former FOIAXpress.

(1) If yes, provide the date approved and ADAMS accession number.

(2) If yes, provide a summary of modifications to the existing system.


B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public).

Any person who submits a FOIA/PA Request.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific)?

Name, home address, business name, business address, home phone number, business phone number, mobile phone number, fax number, home e-mail address, business e-mail address.

c. Is information being collected from the subject individual?

Yes, through voluntary submittal of a FOIA/PA request.

(1) If yes, what information is being collected?

The person making the FOIA/PA request is required to provide NRC with their name and contact information such as home address, business name, business address, home phone number, business phone number, mobile phone number, fax number, home e-mail address, or business e-mail address.

d. Will the information be collected from 10 or more individuals who are not Federal employees?

Yes.


(1) If yes, does the information collection have OMB approval?

Yes.

(a) If yes, indicate the OMB approval number:

3150-0043

e. Is the information being collected from existing NRC files, databases, or systems?

No.

(1) If yes, identify the files/databases/systems and the information being collected.

f. Is the information being collected from external sources (any source outside of the NRC)?

No.

(1) If yes, identify the source and what type of information is being collected?

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

The FOIA/PA Team only verifies the ability to contact a requestor, whether by telephone, mail, e-mail, or fax, but does not verify whether the information provided is in fact their home address or home phone number.

h. How will the information be collected (e.g. form, data transfer)?

FOIA/PA requests can be submitted in a paper or electronic format.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).


Offices assigned cases, assigned caseworker, fee category, fee estimates, multi-track type, received date, closed date, target date, perfected date of request, fee waiver request, expedited processing request, final fees due or owed to requester, requester type, identification of exemptions used for denied records.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

The information identified in a. above is determined by the FOIA/PA Team.

Exemptions used for denied records are determined by the program offices and verified by the FOIA/PA Team and the Office of the General Counsel.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

The system is used to track all FOIA/PA requests received by the NRC in both paper and electronic form. The information is used to communicate with the requestor, to generate the FOIA Annual Report to the Department of Justice (DOJ), to generate correspondence to the FOIA requesters, reports required by regulation, and ad hoc reports as needed. The system also calculates fees for the requests and is used as an archival system to locate previous similar requests and requesters.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

3. Who will ensure the proper use of the data in this system?

Members of the NRC's FOIA/PA Team.

4. Are the data elements described in detail and documented?

Yes.

a. If yes, what is the name of the document that contains this information and where is it located?

Software owned and managed by EPA, for use by Federal agencies.

Licenses purchased from EPA, which provides a user's manual and training as needed. A hard copy of the user's manual is located with the FOIA/PA Team as well as at EPA.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A

b. How will aggregated data be validated for relevance and accuracy?

N/A

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A

6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier? (Be specific.)

Data can be retrieved through queries or reports using any of the fields in the database such as names of requesters, types of requesters, request number, subject matter of requests, exemptions used for denied records, multi-track type, payment status, fee waiver status, expedited status, closed between dates, caseworker name, etc.

7. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.


(1) What controls will be used to prevent unauthorized monitoring?

8. List the report(s) that will be produced from this system.

FOIA Quarterly and Annual Reports to DOJ describe the NRC's response to FOIA requests. Statistical data only. The report is available through the NRC's public Web site.

A report for a previous request will provide data to the caseworker such as which offices were assigned the case, received date, closed date, perfected date, exemptions used for denied records, fees charged, etc.

Ad hoc statistical reports, for example, how many cases are open, how many cases were closed, uses of particular exemptions, response times, backlogs, etc.

a. What are the reports used for?

The FOIA Quarterly and Annual Reports for DOJ, which oversees all Government FOIA programs, provide DOJ the statistical data needed to gauge our success in responding to FOIA/PA requests in a timely manner.

A report on a previous request can assist the review in handling a newer request for similar records.

A report on how many requests by a particular requester type are received can be provided to a FOIA/PA requester.

Management and oversight of the FOIA/PA program.

b. Who has access to these reports?

FOIA/PA Team members.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

FOIA/PA Team, Office of the General Counsel Legislation and Special Projects Branch, and the FOIA Coordinator for the Office of Inspector General.

(1) For what purpose?

a. FOIA Quarterly and Annual Reports to DOJ.


b. Archival data to review previous cases/requesters.
c. Data input to correct information in the system, fees owed, etc.
d. Input case closing information such as closed date, exemptions used.
e. Review FOIA/PA cases.

(2) Will access be limited?

Access will be based on an individual's need to know.

2. Will other NRC systems share data with or have access to the data in the system?

No.

(1) If yes, identify the system(s).

(2) How will the data be transmitted or disclosed?

3. Will external agencies/organizations/public have access to the data in the system?

Yes.

(1) If yes, who?

Agencies, organizations and the public.

(2) Will access be limited?

Yes.

(3) What data will be accessible and for what purpose/use?

Only the data/information they themselves have provided through their FOIAonline account, for tracking their FOIA/PA requests.

(4) How will the data be transmitted or disclosed?

Online through a FOIAonline requestor user account, or via e-mail or regular U.S. mail for non-FOIAonline users.

E. RECORDS RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and are required under 36 CFR 1234.10. The following questions are intended to determine whether the records in the system have an approved records retention schedule or if one will be needed.

1. Can you map this system to an applicable retention schedule in NUREG-0910, or the General Records Schedules at http://www.archives.gov/records-mgmt/grs ?

Yes.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished. For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to a file for transfer based on their approved disposition?

General Records Schedule (GRS 4.2) Information Access and Protection Records.

b. If the answer to question E.1 is yes, skip to F.1. If the response is no, complete question E.2 through question E.7.
2. If the records cannot be mapped to an approved records retention schedule, how long do you need the records? Please explain.
3. Would these records be of value to another organization or entity at some point in time? Please explain.
4. How are actions taken on the records? For example, is new data added or updated by replacing older data on a daily, weekly, or monthly basis?
5. What is the event or action that will serve as the trigger for updating, deleting, removing, or replacing information in the system? For example, does the information reside in the system for three years after it is created and then is it deleted?
6. Is any part of the record an output, such as a report, or other data placed in ADAMS or stored in any other location, such as a shared drive or MS SharePoint?
7. Does this system allow for the deletion or removal of records no longer needed and how will that be accomplished?

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Each NRC approved user with access to FOIAonline has a username and password. Responsive records that exceed the system security categorization of moderate will be maintained in a secure restricted access location (safe or secure restricted drive).

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

Each user has an individual user name and password and access rights are provided based on their need to know.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes.

(1) If yes, where?

In the signed Memorandum of Understanding between EPA and NRC.

4. Will the system be accessed or operated at more than one location (site)?

Yes. The FOIAonline system can be accessed remotely through VPN and CITRIX.

a. If yes, how will consistent use be maintained at all sites?

Consistent use will be through NRC offices, VPN and CITRIX only.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

FOIA/PA Team members and contractors, OGC, FOIA Coordinators and OIG.

6. Will a record of their access to the system be captured?

No.

a. If yes, what will be collected?
7. Will contractors be involved with the design, development, or maintenance of the system?


No, EPA is responsible for the design, maintenance and development of FOIAonline.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.

  • FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
  • PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.
8. What auditing measures and technical safeguards are in place to prevent misuse of data?

No auditing measures. Access is only by the FOIA/PA Team members and contractors, OGC, FOIA Coordinators and OIG.

9. Are the data secured in accordance with FISMA requirements?

Yes.

a. If yes, when was Certification and Accreditation last completed?

Maintained by EPA.

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMS Staff)

System Name: E-FOIA Tracking System (FOIAonline)

Submitting Office: Office of Chief Information Officer (OCIO)

A. PRIVACY ACT APPLICABILITY REVIEW

[ ] Privacy Act is not applicable.
[X] Privacy Act is applicable.

Comments:

This system contains personally identifiable information and is currently covered under the NRC's Privacy Act System of Records, NRC-10, Freedom of Information Act (FOIA) and Privacy Act (PA) Request Records. No modification to the system notice is required.

Reviewer's Name: Sally A. Hardy; Title: Privacy Officer; Date: 10/25/2017

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

[ ] No OMB clearance is needed.
[ ] OMB clearance is needed.
[X] Currently has OMB Clearance. Clearance No. 3150-0043

Comments:

Information provided by requestors when making a request for records under the FOIA is covered under the NRC's clearance, 10 CFR Part 9, Public Records and NRC Form 509 (OMB Clearance 3150-0043). The OMB Clearance needs to be revised to reflect any new collection tool associated with the use of FOIAonline.

Reviewer's Name: David C. Cullison; Title: Agency Clearance Officer; Date: 10/10/17

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

[X] No record schedule required.
[ ] Additional information is needed to complete assessment.
[ ] Needs to be scheduled.
[ ] Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

These records are scheduled under General Records Schedule GRS 4.2 Information Access and Protection Records.

Adherence to the GRS retention schedule is mandatory under 44 U.S.C. 3303a(d). Although this does not prevent further development, retention functionality or a manual process must be developed to meet this requirement. A recommended approach is to develop minimal record-related fields in the system to enable retention. This may be accomplished by including a termination date for the records in order to delete or destroy the information as required.

Reviewer's Name: Marna B. Dove; Title: Sr. Program Analyst, Electronic Records Manager; Date: 10/19/2017

D. BRANCH CHIEF REVIEW AND CONCURRENCE

[ ] This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
[X] This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

/RA/ Date: March 14, 2018
Anna McGowan, Branch Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT / PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: David Nelson, Director, Office of Chief Information Officer
Name of System: E-FOIA Tracking System (FOIAonline)
Date GEMS received PIA for review: September 27, 2017
Date GEMS completed PIA review: October 25, 2017

Noted Issues:

This system is maintained as part of the NRC's Privacy Act system of records NRC-10, Freedom of Information Act (FOIA) and Privacy Act (PA) Requests Records.

EPA's Privacy Impact Assessment: https://www.federalregister.gov/documents/2016/11/17/2016-27669/privacy-act-of-1974-system-of-records

Signature/Date: /RA/ March 14, 2018
Anna McGowan, Branch Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of Chief Information Officer

Copies of this PIA will be provided to:

Thomas Rich, Director, IT Services Development & Operations Division, Office of the Chief Information Officer
Jonathon Feibus, Deputy Division Director, Senior IT Security Officer (SITSO), Governance & Enterprise Management Services Division, Office of the Chief Information Officer