ML17355A488

| ML17355A488 | |
|---|---|
| Issue date: | 01/24/2018 |
| From: | NRC/OCIO |
ADAMS ML17355A488

U.S. Nuclear Regulatory Commission
Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Labor Relations Tracking System
Date: October 16, 2017

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:
The Labor Relations Tracking System automates manual paper-based business processes of the Office of the Chief Human Capital Officer (OCHCO) Labor Relations process. This SharePoint-based system will streamline and improve overall efficiency in processing, managing and reporting on labor relations information.

2. What agency function does it support?
The Labor Relations Tracking System supports the NRC's Employee and Labor Relations function.

3. Describe any modules or subsystems, where relevant, and their functions.
The Labor Relations Tracking System manages the relationship between the agency and its unions and bargaining units. This includes negotiating and administering labor contracts and collective bargaining agreements; managing negotiated grievances; and participating in negotiated third party proceedings.

4. What legal authority authorizes the purchase or development of this system?
The Civil Service Reform Act of 1978 requires all Federal agencies to establish an employee and labor management relations program. NRC Management Directive 10.102, Labor-Management Relations Program for Federal Employees, defines the NRC Labor-Management Relations Program.

5. What is the purpose of the system and the data to be collected?
The purpose for collecting this information is to accurately capture, store, manage, track, and report the issues, status, and outcomes of employee management issues and grievances.

6. Points of Contact:

| Role | Name | Office/Division/Branch | Telephone |
|---|---|---|---|
| Project Manager | Barbara Sanford, Branch Chief | OCHCO/PLERB | 301-287-9260 |
| Business Project Manager | Yvonne Weed | OCHCO/PLERB | 301-287-9463 |
| Technical Project Manager | Sally Wilding | OCHCO/HCAB | 301-287-0596 |
| Executive Sponsor | Miriam Cohen | OCHCO | 301-287-0747 |

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a.
___ New System
_X_ Modify Existing System
___ Other (Explain)
b. If modifying an existing system, has a PIA been prepared before?
(1) If yes, provide the date approved and ADAMS accession number.
ADAMS ML14056A330, January 23, 2014
ADAMS ML081410101, May 9, 2008
(2) If yes, provide a summary of modifications to the existing system.
No modifications to the system. Updated Points of Contact Information and OCHCO/ELRB to OCHCO/PLERB. (January 23, 2014)
The Labor Relations Tracking System will now use SharePoint to automate the Labor Relations process. (May 9, 2008)

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS

a. Does this system maintain information about individuals?
Yes
(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public).
Federal employees
Federal contractors who are identified as witnesses
(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific)?
For Federal Contractors, contact information only
Federal Employees (can include):
a) Employee Name
b) Supervisor/Manager Name
c) Phone Number Business location
d) Organization
e) Complaint/Issue Description
f) Disciplinary/Adverse action proposed and/or taken
g) Performance appraisal data
h) Grievance/Complaint data
i) System-generated case number

c. Is information being collected from the subject individual?
Yes
(1) If yes, what information is being collected?
Can include any of the information listed under 1.b.

d. Will the information be collected from 10 or more individuals who are not Federal employees?
No
(1) If yes, does the information collection have OMB approval?
(a) If yes, indicate the OMB approval number:

e. Is the information being collected from existing NRC files, databases, or systems?
Yes
(1) If yes, identify the files/databases/systems and the information being collected.
Depending on the issue, collect only what is needed to take the pertinent action from among the following:
Federal Personnel Payroll System (FPPS): title, series, grade, SCD, leave balances, WGI due dates, performance ratings, bargaining unit status, retirement eligibility, forwarding address, separation dates.
HR Merit Staffing Files: selections, qualification determinations
Policy, Labor and Employee Relations Branch (PLERB) paper files.

f. Is the information being collected from external sources (any source outside of the NRC)?
No
(1) If yes, identify the source and what type of information is being collected?

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?
PLERB staff will verify the currency, accuracy and completeness of data.

h. How will the information be collected (e.g. form, data transfer)?
Information will be collected directly from individual employees by personal interview and/or through declaration, Official Personnel Folders, Merit Staffing Files. Information may be manually entered into the system from verbal input.

2. INFORMATION NOT ABOUT INDIVIDUALS

a. Will information not about individuals be maintained in this system?
Yes
(1) If yes, identify the type of information (be specific).
Disciplinary/Adverse actions, grievance, statistical data such as number of cases per year, types of cases.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.
Internal sources. This information will result directly from the manually entered data by the OCHCO/PLERB Specialists and from information verified by employees, supervisors and other OCHCO records. Upon entry, the system will generate a case number for each case entered.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.
The electronic data will replace a large portion of the old paper-file-cabinet storage operation currently used in OCHCO/PLERB for its labor-management relations program. Some paper case evidence such as signed, sworn affidavits may not be replaced electronically until such time as the agency has electronic signature capability. Additionally, ad-hoc reports can be generated with updated information for reporting to senior management, union representatives, the Commission, and OMB.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?
Yes

3. Who will ensure the proper use of the data in this system?
The end users (Policy, Labor and Employee Relations Branch) are responsible for ensuring the proper use of the information.

4. Are the data elements described in detail and documented?
No
a. If yes, what is the name of the document that contains this information and where is it located?

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.
Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).
No
a. If yes, how will aggregated data be maintained, filed, and utilized?
b. How will aggregated data be validated for relevance and accuracy?
c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier? (Be specific.)
Information will be retrieved by last name, case number, case type or organization.

7. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?
No
a. If yes, explain.
(1) What controls will be used to prevent unauthorized monitoring?

8. List the report(s) that will be produced from this system.
NRC requires periodic reporting and requested data to Office of the Inspector General, OGC, and Equal Employment Opportunity Commission reports required under the NO FEAR Act, ad hoc reports to track trends of types of misconduct, and workload.
a. What are the reports used for?
Reports will be generated and submitted to satisfy agency senior management, Commission, collective bargaining agreement, and OMB requirements.
b. Who has access to these reports?
The system users within PLERB and those who are authorized access or have a need to know. NO FEAR Act reports are published for oversight agencies: Congress, Department of Justice, Office of Personnel Management, and the Attorney General.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?
OCHCO/PLERB
(1) For what purpose?
To track case data relating to labor relations and employee relations, including bargaining units and agreements, from beginning to end.
(2) Will access be limited?
Yes. Limited to the designated users within OCHCO/PLERB.

2. Will other NRC systems share data with or have access to the data in the system?
No
(1) If yes, identify the system(s).
(2) How will the data be transmitted or disclosed?

3. Will external agencies/organizations/public have access to the data in the system?
No
(1) If yes, who?
(2) Will access be limited?
(3) What data will be accessible and for what purpose/use?
(4) How will the data be transmitted or disclosed?

E. RECORDS RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and are required under 36 CFR 1234.10. The following questions are intended to determine whether the records in the system have an approved records retention schedule or if one will be needed.

1. Can you map this system to an applicable retention schedule in NUREG-0910, or the General Records Schedules at http://www.archives.gov/records-mgmt/grs ?
Yes.
a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished. For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to a file for transfer based on their approved disposition?

GRS 2.3, item 050 - Labor management relations agreement negotiation records. Office(s) responsible for negotiations.
Temporary. Destroy 5 years after expiration of agreement, but longer retention is authorized if required for business use.

GRS 2.3, item 051 - Labor management relations agreement negotiation records. All other offices.
Temporary. Destroy when no longer needed for business use.

GRS 2.3, item 052 - Labor management relations arbitration records.
Temporary. Destroy no sooner than 4 years but no less than 7 years after case is closed.

GRS 2.3, item 060 - Administrative grievance files.
Temporary. Destroy no sooner than 4 years but no less than 7 years after case is closed. [NRC previously elected to destroy when 7 years old, therefore use that retention.]

Note: OPM has determined that agencies may decide how long, within the range of 4 to 7 years, administrative grievance, adverse action and performance-based action records need to be retained. To implement this authority, each agency must select one fixed retention period, between 4 and 7 years. Agencies are not authorized to use different retention periods for individual cases. The agency should publish the chosen retention in the agency's records disposition manual, and any other issuance dealing with the disposition of these records.

GRS 2.3, item 061 - Adverse action files.
Temporary. Destroy no sooner than 4 years but no later than 7 years after case is closed. (see Note above).

GRS 2.3, item 062 - Performance-based action files.
Temporary. Destroy no sooner than 4 years but no later than 7 years after case is closed. (see Note above).

RESCINDED PER TRANSMITTAL NO. 23* The old GRS was not a disposition authority, but rather instruction to either apply an existing schedule or submit a new one.

b. If the answer to question E.1 is yes, skip to F.1. If the response is no, complete question E.2 through question E.7.

2. If the records cannot be mapped to an approved records retention schedule, how long do you need the records? Please explain.

3. Would these records be of value to another organization or entity at some point in time? Please explain.

4. How are actions taken on the records? For example, is new data added or updated by replacing older data on a daily, weekly, or monthly basis?

5. What is the event or action that will serve as the trigger for updating, deleting, removing, or replacing information in the system? For example, does the information reside in the system for three years after it is created and then is it deleted?

6. Is any part of the record an output, such as a report, or other data placed in ADAMS or stored in any other location, such as a shared drive or MS SharePoint?

7. Does this system allow for the deletion or removal of records no longer needed and how will that be accomplished?

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).
Access to the tracking system will be restricted using SharePoint permissions.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?
The Program Manager will define the user access roles of the OCHCO/PLERB and will monitor all accessibility to the tracking system. Each user will be restricted/limited access by the use of SharePoint permissions. The system will not be accessible by unauthorized users.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?
No.
(1) If yes, where?

4. Will the system be accessed or operated at more than one location (site)?
Yes. Designated users within OCHCO/PLERB working at alternate work sites will have access to information stored in the system at their desk, at Headquarters or in the regions, or by using CITRIX or VPN to access their NRC accounts remotely.
a. If yes, how will consistent use be maintained at all sites?
Users are required to adhere to NRC's policies for computer use.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?
Only OCHCO/PLERB users will have access to the system.

6. Will a record of their access to the system be captured?
Yes.
a. If yes, what will be collected?
The Versioning feature in SharePoint will capture the user and timestamp associated with any changes and will list values of modified fields.

7. Will contractors be involved with the design, development, or maintenance of the system?
Possibly, but not anticipated at this time.
If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.
FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?
SharePoint permissions will ensure that only approved OCHCO/PLERB have access to the data. The Versioning feature in SharePoint will capture the user and timestamp associated with any changes and will list values of modified fields.

9. Are the data secured in accordance with FISMA requirements?
Yes.
a. If yes, when was Certification and Accreditation last completed?
The Labor Relations Tracking System is covered by the Certification and Accreditation of the NRC LAN/WAN - November 2011

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL
(For Use by OCIO/GEMS/ISB Staff)

System Name: Labor Relations Tracking System
Submitting Office: Office of the Chief Human Capital Officer (OCHCO)

A. PRIVACY ACT APPLICABILITY REVIEW
___ Privacy Act is not applicable.
_X_ Privacy Act is applicable.
Comments:
The Labor Relations Tracking System will be maintained as part of NRC's Privacy Act system of records NRC-8, Employee Disciplinary Actions, Appeals, Grievances, and Complaints Records.

| Reviewer's Name | Title | Date |
|---|---|---|
| Sally A. Hardy | Privacy Officer | 1/19/2018 |

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION
_X_ No OMB clearance is needed.
___ OMB clearance is needed.
___ Currently has OMB Clearance. Clearance No.
Comments:

| Reviewer's Name | Title | Date |
|---|---|---|
| David Cullison | Agency Clearance Officer | 12/26/17 |

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION
___ No record schedule required.
___ Additional information is needed to complete assessment.
___ Needs to be scheduled.
_X_ Existing records retention and disposition schedule covers the system
Comments:

| Reviewer's Name | Title | Date |
|---|---|---|
| Marna B. Dove | Sr. Program Analyst, Electronic Records Manager | 1/17/2018 |

D. BRANCH CHIEF REVIEW AND CONCURRENCE
_X_ This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
___ This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.
I concur in the Privacy Act, Information Collections, and Records Management reviews:
/RA/
Date: January 24, 2018
Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Miriam Cohen, Office of the Chief Human Capital Officer (OCHCO)
Name of System: Labor Relations Tracking System
Date ISB received PIA for review: October 20, 2017
Date ISB completed PIA review: January 19, 2018
Noted Issues:

Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer
Signature/Date: /RA/ January 24, 2018

Copies of this PIA will be provided to:

Tom Rich, Director
IT Services Development & Operation Division
Office of the Chief Information Officer

Jonathan Feibus
Chief Information Security Officer (CISO)
Governance & Enterprise Management Services Division
Office of the Chief Information Officer