ML18031A847
| Person / Time | |
|---|---|
| Issue date: | 03/01/2018 |
| From: | Anna Mcgowan NRC/OCIO |
| To: | S. West |
U.S. Nuclear Regulatory Commission
Updated Privacy Impact Assessment
Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.
Official Presence Use of Social Media Platforms
Date: February 23, 2018
Social media interactions and applications include a sphere of non-government websites and web-based tools that focus on connecting users, inside and outside of the Nuclear Regulatory Commission (NRC), to engage in dialogue, share information and media, and collaborate. Third parties control and operate these non-governmental websites; however, the NRC may use them as alternative channels to provide robust information and engage with the public. The NRC may also use these websites to make information and services widely available, while promoting transparency and accountability, as a service for those seeking information about or services from the NRC. This privacy impact assessment (PIA) analyzes the NRC's use of social media and how these interactions and applications could result in the NRC receiving personally identifiable information (PII). This PIA describes the information the NRC may have access to, how it will use the information, and what information is retained and shared. Appendix A of this PIA will serve as a listing, to be updated periodically, of NRC official presence social media interactions and applications that follow the requirements and analytical understanding outlined in this PIA.
A.
GENERAL SYSTEM INFORMATION
- 1.
Provide a detailed description of the system:
The NRC's Official Presence Social Media initiative is designed to increase the NRC's use of third party social media services in an incremental fashion, enabling the NRC to conduct its Open Government activities in new and innovative ways, while complying with applicable laws, policies and regulations.
As an effort under the NRC's Open Government Flagship initiative [1], the implementation of an agency-wide official presence using third party social media services/sites supports new ways to increase transparency, collaboration and participation with the public and other key stakeholders. These social media activities are consistent with the NRC's current policies and procedures for the deployment of the tools and services envisioned under this effort. See Appendix A of this document for a list and description of the specific tools that are part of this initiative.
[1] NRC's Open Government Flagship Initiative, http://www.nrc.gov/public-involve/open/philosophy/nrc-open-gov-plan.pdf#page=35
The use of social media platforms/tools represents a strategic communication mechanism to help the NRC expand outreach efforts to engage new audiences not currently accessing NRC information, and enable two-way dialogue with the public. These tools will be used to help individuals and organizations better understand the NRC's mission, roles, responsibilities, actions, and policies as well as provide them with more easily accessible information on specific topics of interest.
- 2.
What agency function does it support?
The requirements and associated recommendations for the use of social media services within this document are consistent with the NRC's Strategic Plan [2], the Office of Management and Budget (OMB) Open Government Directive [3], and the NRC's Open Government Plan [4]. The specific requirements for establishing an NRC official presence using third party social media services/sites span five primary functional areas:
- Information Dissemination (public information/content)
- Information Collection (in the form of comments [if applicable, see Appendix A], questions and ideas submitted by the public as part of a public dialogue)
- Applying NRC Branding to Social Media Tools and Services
- New Information Distribution Channels
- Administrative Requirements

Within each of these functional areas, the NRC also requires a number of service characteristics for each functional requirement. The primary required service characteristics include:
- Increased speed of distribution of agency content
- Enhanced access to agency content through multiple channels
- Enhanced interaction with the public and other agency stakeholders
- Increased scale and reach across all potential stakeholders

The combination of the NRC's functional requirements and the required service characteristics represents the primary requirements for the use of third party social media services to meet the NRC's needs.
[2] Strategic Plan: Fiscal Years 2008-2013 (NUREG-1614, Volume 4), http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1614/v4/sr1614v4.pdf
[3] OMB's Memorandum M-10-06, Open Government Directive, available at http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-06.pdf.
[4] NRC's Open Government Plan, available at http://www.nrc.gov/public-involve/open/philosophy/nrc-open-gov-plan.pdf.
- 3.
Describe any modules or subsystems, where relevant, and their functions.
The modules are a blogging tool; a video channel, such as YouTube.com; a micro-blogging tool, such as Twitter.com; a photo gallery, such as Flickr.com; and a social networking tool, such as Facebook. These modules are used to publish content or conduct close-ended discussions with the public, and to publish videos, snippets of content, and images related to the agency and its mission, in order to increase transparency, collaboration and participation with the public and other key stakeholders.
- 4.
What legal authority authorizes the purchase or development of this system?
Both the President's Transparency and Open Government Memorandum [5] dated January 21, 2009, and the OMB Open Government Directive Memorandum dated December 8, 2009, direct Federal departments and agencies to harness new technologies to engage the public and serve as one of the primary authorities motivating the NRC's efforts to utilize social media websites and applications.
Authorities that impact the NRC's use of social media websites and applications include:
- 5 U.S.C. § 301;
- 5 U.S.C. § 552a, Privacy Act of 1974, as amended;
- 44 U.S.C. § 31, Federal Records Act;
- 44 U.S.C. § 3501, Paperwork Reduction Act of 1995;
- Section 208 of the E-Government Act of 2002;
- The President's Memorandum on Transparency and Open Government, January 21, 2009;
- The OMB Director's Open Government Directive Memorandum, December 8, 2009;
- OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010) [6]; and
- OMB Memorandum for the Heads of Executive Departments and Agencies, and Independent Regulatory Agencies, Social Media, Web-Based Interactive Technologies, and the Paperwork Reduction Act, (April 7, 2010) [7].

[5] President Barack Obama, Memorandum on Transparency and Open Government, available at http://www.gpoaccess.gov/presdocs/2009/DCPD200900010.pdf.
[6] OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, available at http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-23.pdf
[7] OMB Memorandum for the Heads of Executive Departments and Agencies, and Independent Regulatory Agencies, Social Media, Web-Based Interactive Technologies, and the Paperwork Reduction Act, available at http://www.whitehouse.gov/sites/default/files/omb/assets/inforeg/PRA_Gen_ICRs_5 2010.pdf.
- 5.
What is the purpose of the system and the data to be collected?
The third party social media service/sites will provide the agency with the ability to engage in public dialogue, communicate and educate the public about the NRC and mission activities, and collaborate with the public and stakeholder groups. Please also refer to Section C, USES OF SYSTEM AND INFORMATION.
- 6.
Points of Contact:

| Role | Name | Office/Division/Branch | Telephone |
|---|---|---|---|
| Project Manager | Stephanie West | OPA | 301-415-8211 |
| Business Project Manager | Holly Harrington | OPA | 301-415-8203 |
| Technical Project Manager | Natalya Bobryakova | OCIO | 301-287-0671 |
| Executive Sponsor | David Castelveter | Director, OPA | 301-415-8201 |
- 7.
Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
- a.
New System X Modify Existing System X Other (Explain)
This privacy impact assessment has been reviewed to ensure that it describes the Official Presence Social Media system accurately and that the information is current. Specifically, point of contact and Authority to Use information for the system has been updated.
- b.
If modifying an existing system, has a PIA been prepared before?
Yes
(1)
If yes, provide the date approved and ADAMS accession number.
Original PIA maintained in ADAMS at ML103410478 and approved 12/14/2010. First update to original PIA maintained in ADAMS at ML11159A004 and approved 6/22/2011. Second update to original PIA maintained in ADAMS at ML11307A211 and approved 11/15/2011. Third update to original PIA maintained in ADAMS at ML13028A183 and approved 2/11/2013. Fourth update to PIA maintained in ADAMS at ML13316A942 and approved 11/27/2013.
(2)
If yes, provide a summary of modifications to the existing system.
The social media program is being modified to discontinue the use of a live-discussion tool. References to the live-discussion tool have been removed from the Appendix A listing of NRC official presence use of social media interactions and applications that follow the requirements and analytical understanding outlined in this PIA.
B.
INFORMATION COLLECTED AND MAINTAINED
These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.
- 1.
INFORMATION ABOUT INDIVIDUALS
- a.
Does this system maintain information about individuals?
Generally, social media websites and applications are privately owned by third parties. These social media websites and applications continue to grow in size and diversity. Because of the depth and diversity of this reach, the NRC is using a diverse set of third party social media services to achieve mission and Open Government objects.
The need for a user to create a site user account depends on the particular third party social media service/site. Some third party services/sites will not require a site visitor to create an account or provide profile information. For example, WordPress (for blogging) does not require site visitors to provide information about themselves to review a post or submit a comment (this can be submitted anonymously).
Social media sites often provide the ability for members of the public to set up their own personal accounts and profiles on the third party service/site. These sites have their own privacy policies which site users must agree to in order to create an account. Most sites allow site visitors to decide how much information they want to capture about themselves and also to establish rules for whether all or part of their information is made public and to whom (e.g. only to those they have accepted as friends or to anyone with access to the service/site).
Each third party social media service/site provides its own privacy policy, and while users may be required to submit some personally identifiable information (PII) during the account registration/profile process, the NRC will not solicit or collect this PII. If PII is posted by the individual on the social media website or application or sent to the NRC in connection with the transaction of public business, it may be a Federal record and if so, the NRC is required to maintain a copy per the appropriate records management policies.
See Appendix A for referenced privacy policies, information required for account creation, and other details for specifically referenced sites.
(1)
If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public).
If profile data is provided by individuals, then it may include information regarding:
- a.
General public visiting the web site to view and submit comments, ideas, etc. Members of the public may create their personal accounts with the third party services and voluntarily share information from their profiles such as name and email address when submitting comments, ideas, etc.
- b.
Account information of NRC Federal employees who are assigned to moderate submitted postings. This information will contain their name, NRC email address, position title, and relevant NRC position-specific information to engage in dialogue with the public.
- c.
NRC Federal employees and Federal contractors who are assigned to administrate the NRC page and account. This information would include NRC work related information necessary to create their user account information.
Each third party social media service/site provides its own privacy policy, and while users may be required to submit some PII during the account registration process, the NRC will not solicit or collect this PII. If PII is posted on the social media website or application or sent to the NRC in connection with the transaction of public business, it may be a Federal record and if so the agency is required to maintain a copy per the appropriate records management policies.
(2)
IF NO, SKIP TO QUESTION B.2.
- b.
What information is being maintained in the system about an individual (be specific)?
See Appendix A for referenced privacy policies, information required for account creation, and other details for specifically referenced sites.
- c.
Is information being collected from the subject individual?
See Appendix A for referenced privacy policies, information required for account creation, and other details for specifically referenced sites.
(1)
If yes, what information is being collected?
- d.
Will the information be collected from 10 or more individuals who are not Federal employees?
See Appendix A
(1)
If yes, does the information collection have OMB approval?
(a)
If yes, indicate the OMB approval number:
- e.
Is the information being collected from existing NRC files, databases, or systems?
No
(1)
If yes, identify the files/databases/systems and the information being collected.
- f.
Is the information being collected from external sources (any source outside of the NRC)?
No
(1)
If yes, identify the source and what type of information is being collected?
- g.
How will information not collected directly from the subject individual be verified as current, accurate, and complete?
N/A
- h.
How will the information be collected (e.g. form, data transfer)?
See Appendix A
- 2.
INFORMATION NOT ABOUT INDIVIDUALS
- a.
Will information not about individuals be maintained in this system?
(1)
If yes, identify the type of information (be specific).
These services will be used to post and share public information content on topics of interest to educate, inform, and communicate with the public about NRC activities. Information content can include information already available on the public website. If permitted, members of the public can share comments (if applicable, see Appendix A), questions and ideas related to information posted by the NRC. Information posted on the social media website or application or sent to the NRC in connection with the transaction of public business may be a Federal record, and if so, the NRC is required to maintain a copy per the appropriate records management policies.
See Appendix A for referenced privacy policies, information required for account creation, and other details for specifically referenced sites.
- b.
What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.
NRC offices and staff create content for posting and choose topics for discussion. This can be content that exists on the public website or new content created to engage visitors and topics deemed suitable by the NRC.
Site visitors are members of the general public. Specific services (listed in Appendix A) give site visitors the option to submit comments (if applicable, see Appendix A), questions and ideas related to content that has been posted by the NRC. NRC moderators will review comments and ideas that are submitted by the public for posting or regularly monitor comments that do not require NRC approval before posting (Facebook) and if necessary, remove those that do not meet comment policy standards. Moderators will also approve all content postings of publicly available information by NRC staff.
C.
USES OF SYSTEM AND INFORMATION
These questions will identify the use of the information and the accuracy of the data being used.
- 1.
Describe all uses made of the data in this system.
The information communicated and collected is considered public information and is used to inform and educate the public about the NRC and its mission activities, reach a wider public audience, and allow for a dialogue between the public, stakeholders, and the NRC. These third party social media services/sites provide another channel for the NRC to communicate with the public about its regulatory mission. Specific social media services allow the public to contribute their opinions and ideas related to the agency's business activities. Public comments and information posted by members of the public will be shared with appropriate NRC offices where applicable. See Appendix A for referenced privacy policies, which services are to permit the posting of comments, information required for account creation, and other details for specifically referenced sites.
- 2.
Is the use of the data both relevant and necessary for the purpose for which the system is designed?
Yes
- 3.
Who will ensure the proper use of the data in this system?
The NRC's Office of Public Affairs (OPA) will oversee and administer the third party social media services/sites used to establish an NRC official presence.
OPA will work with the NRC program offices to publish relevant and accurate information, respond to public comments (if applicable, see Appendix A), questions and ideas, and to ensure proper use of information exchanged through these third party social media channels.
- 4.
Are the data elements described in detail and documented?
Yes
- a.
If yes, what is the name of the document that contains this information and where is it located?
See Appendix A for information related to specifically referenced sites.
- 5.
Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
No.
Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.
Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).
- a.
If yes, how will aggregated data be maintained, filed, and utilized?
- b.
How will aggregated data be validated for relevance and accuracy?
- c.
If data are consolidated, what controls protect it from unauthorized access, use, or modification?
- 6.
How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier? (Be specific.)
Depending on the specific third party social media service/site, visitors to the site may be able to view all posted information and comments (if applicable, see Appendix A) submitted on the site (if applicable). This information will be publicly available. The NRC's OPA moderator(s) and Office of the Chief Information Officer (OCIO) administrator(s) can also view the information directly on the web site as well as retrieve the information via methods such as file exports, depending on the site capabilities.
If PII is collected on a social networking or social media site or sent to the NRC in connection with the transaction of public business, it will not be retrieved by personal identifier.
- 7.
Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?
No
- a.
If yes, explain.
(1)
What controls will be used to prevent unauthorized monitoring?
- 8.
List the report(s) that will be produced from this system.
Reporting capabilities are heavily dependent on the specific third party social media services/sites being used. Reports are potentially viewable on-line by the OPA moderators and OCIO administrators only. These reports can be exported to downloadable files. The data in these reports may include statistical information about the activities performed on the site, blog comments, and other voluntary information provided by the visitor (their e-mail address or name).
- a.
What are the reports used for?
To provide administrative and performance metrics on the site activity or postings submitted by visitors of the third party social media service/site, including a data export of all comments (if applicable, see Appendix A) or postings for record requirements.
- b.
Who has access to these reports?
Only limited OPA moderators and OCIO administrators will have access to these reports.
D.
ACCESS TO DATA
- 1.
Which NRC office(s) will have access to the data in the system?
OPA moderator(s) will be able to review, monitor, approve and remove all posted content, which will be publicly available information on the social media service/site.
OCIO administrators will be able to view all information collected on-line, as well. All NRC employees will be able to see the posted information and comment on it (if applicable, see Appendix A).
(1)
For what purpose?
OPA moderator(s) will review submitted content prior to publishing it on the social media service. The OCIO administrator(s) will access the information to support OPA's business activities and adjust the look and feel of the site (as directed by OPA).
(2)
Will access be limited?
Administrator/moderator access will be limited to OPA and designated OCIO personnel. Content that is posted to these sites will be publicly available on the Internet. OPA moderator(s) and OCIO administrator(s) will administer the agency's accounts.
- 2.
Will other NRC systems share data with or have access to the data in the system?
Yes
(1)
If yes, identify the system(s).
In most cases, information (e.g. comments (if applicable, see Appendix A), ideas, questions, etc.) is accessible directly from a web browser.
(2)
How will the data be transmitted or disclosed?
When the OPA/OCIO Administrator or Moderator is logged in, their information will be transmitted to the browser securely, encrypted over a Hypertext Transfer Protocol Secure (HTTPS) connection.
- 3.
Will external agencies/organizations/public have access to the data in the system?
Yes
(1)
If yes, who?
The NRC does not own or control social media websites and applications, and accesses them only as a user. The public will have access to content posted and published by NRC staff to the third party social media website/service. In addition, the public will have access to submit comments or questions about the posted content using the comment capabilities provided by the third party social public media service/site (if applicable, see Appendix A).
(2)
Will access be limited?
Information managed by NRC administrators and moderators will be restricted to designated NRC personnel. Passwords for accounts will be controlled by the NRC's OPA, which will ensure that only authorized individuals have access to the accounts. The OPA must set up an official account that clearly establishes the account is managed by NRC.
(3)
What data will be accessible and for what purpose/use?
Public communication such as informational posts on topics of relative interest to NRC business activities, photos, videos, etc. will be made available by OPA (or approved subject matter experts) to increase outreach, inform the public and stakeholders, and create a dialogue between the public and the NRC. OPA will work with NRC program offices to identify topics of interest for creating public posts. This information is similar in nature to information found on the NRC public web site. Use of third party social media service/sites will enable the NRC to reach wider audiences and (for specific social media sites) enable interactive dialogue on topics of public interest.
(4)
How will the data be transmitted or disclosed?
When the OPA/OCIO Administrator or Moderator is logged in, their information will be transmitted to the browser securely, encrypted over a Hypertext Transfer Protocol Secure (HTTPS) connection.
E.
RECORDS RETENTION AND DISPOSAL
The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and are required under 36 CFR 1234.10. The following questions are intended to determine whether the records in the system have an approved records retention schedule or if one will be needed.
- 1.
Can you map this system to an applicable retention schedule in NUREG-0910, or the General Records Schedules at http://www.archives.gov/records-mgmt/grs ?
No. This information collection will need to be scheduled appropriately.
GRS 6.4 covers Public Affairs Records (https://www.archives.gov/files/records-mgmt/grs/grs06-4-sch-guide.pdf); however many exclusions apply.
NARA Bulletin 2014-02, Guidance on managing social media records, provides high-level requirements to consider when scheduling these records (https://www.archives.gov/records-mgmt/bulletins/2014/2014-02.html).
- a.
If yes, please cite the schedule number, approved disposition, and describe how this is accomplished. For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to a file for transfer based on their approved disposition?
- b.
If the answer to question E.1 is yes, skip to F.1. If the response is no, complete question E.2 through question E.7.
- 2.
If the records cannot be mapped to an approved records retention schedule, how long do you need the records? Please explain.
All public information and comment postings (if applicable, see Appendix A) will be maintained on the social media site until site activity and business needs for the particular topic have ceased. Content and comments (if applicable, see Appendix A) will be exported and copied to the Agencywide Documents Access and Management System (ADAMS) in an acceptable recordkeeping format every 60 days. All postings will be placed in an appropriate records series and appropriate retentions applied.
Content uploaded to services that do not offer an export function will be stored in ADAMS or an appropriate and approved NRC record repository prior to hosting the content on the social media service.
- 3.
Would these records be of value to another organization or entity at some point in time? Please explain.
Yes, the records have historical value. The social media services support the Agency's long-standing commitment to transparency, participation, and collaboration in its regulatory activities by engaging the public in dialogue, sharing information, and collaborating on topics of Agency and public interest regarding strong, fair regulation of the nuclear industry. The Agency's use of social media services sites is in compliance with the President's Memorandum on Transparency and Open Government (January 21, 2009) and the Director of the Office of Management and Budget's (OMB) Open Government Directive Memorandum (December 8, 2009). The NRC plans to leverage third party social media services/sites to expand public outreach, communication, and foster engagement using these new media channels.
The NRC may use selected popular non-government third party social media services/websites to expand its reach to new communities and stakeholder groups. Based on the diversity of information collected from the public, the value of this information will vary.
- 4.
How are actions taken on the records? For example, is new data added or updated by replacing older data on a daily, weekly, or monthly basis?
Records are updated incrementally in ADAMS either monthly or bi-monthly.
- 5.
What is the event or action that will serve as the trigger for updating, deleting, removing, or replacing information in the system? For example, does the information reside in the system for three years after it is created and then is it deleted?
The designated update schedule.
- 6.
Is any part of the record an output, such as a report, or other data placed in ADAMS or stored in any other location, such as a shared drive or MS SharePoint?
All records are stored in ADAMS.
- 7.
Does this system allow for the deletion or removal of records no longer needed and how will that be accomplished?
The system allows for the deletion or removal of records no longer needed.
However, all records will be exported as a file and stored in ADAMS in compliance with submitted guidance and recordkeeping requirements and placed into appropriate records series to which associated retentions can be applied.
In certain cases, information hosted by a social media platform will not be original content, but instead will be used to distribute previously-existing content into a social network. If content is not original but instead references information hosted through a previously-existing NRC service, that information will be maintained in ADAMS through the existing procedures for that specific service/site.
F.
TECHNICAL ACCESS AND SECURITY
- 1.
Describe the security controls used to limit access to the system (e.g., passwords).
Each third party social media service/site used to create an NRC official presence will provide capabilities to create administrator and/or moderator accounts to allow NRC staff in OPA, and designated staff in NRC offices, to manage site content and respond to public comments (if applicable, see Appendix A). Login and privileged activity will be conducted over secure sessions using HTTPS. The Social Media Interim Guidance describes relevant security requirements for NRC staff that will create and manage NRC official accounts.
OPA moderators and OCIO administrators can only perform their assigned functions after access authentication with their login ID and password credentials. Viewing of public information posted will not require access authentication.
Contractors may provide support for the NRC's use of social media websites and applications. Contractor access will be authorized based on the roles and responsibilities required by the contract.
- 2.
What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?
Information posted on these third party social media services/sites is considered to be public by its very nature. Also, access to public information is not limited by the NRC or the third party social media service/site. Administrator/moderator information is protected by the social media site by requiring administrators and moderators to securely log in using encrypted sessions (HTTPS) to access and administer the NRC's official presence on the site.
- 3.
Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?
Yes
(1)
If yes, where?
OPA, in collaboration with OCIO, will document administration and moderation procedures, controls and responsibilities.
The NRC Interim Guidance on the Use of Social Media, issued January 5, 2011 (ADAMS accession #ML103060402), outlines who may or may not sign up to create an NRC official presence or account on a third party social media service/site.
- 4.
Will the system be accessed or operated at more than one location (site)?
Yes
- a.
If yes, how will consistent use be maintained at all sites?
The social media site/application is designed to be accessed by anyone from anywhere. Information content managed by the third party social media service consists of non-sensitive public information.
Designated OPA representatives (which may include authorized contractors) may contribute to and post information. These individuals are located at NRC Headquarters. Information will be managed using the capabilities provided by the third party social media service/site.
- 5.
Which user groups (e.g., system administrators, project managers, etc.) have access to the system?
OPA moderators and designated NRC staff will have access to all public comments that are posted to the NRC official presence social media sites.
OCIO administrators will support the needs of OPA and have administrator rights for the specific social media site to support changes to the look and feel of the site, manage moderator accounts, as well as other administrator activities as needed and directed by OPA.
In addition, employees of third party social media websites and services designated as Administrators have access to their own systems. These Administrators typically use this access to assist with technical issues. The ability of employees of third party sites to access client information is managed by the respective company's terms of service or privacy policy.
- 6.
Will a record of their access to the system be captured?
This is dependent on the specific social media site.
- a.
If yes, what will be collected?
Third party social media services/sites will normally capture the following information:
- A record of site visitor comments (if applicable, see Appendix A) submitted with a date/time
- Administrator activity.
- Moderator activity.
- 7.
Will contractors be involved with the design, development, or maintenance of the system?
Yes, but we do not collect information about individuals; therefore, contract clauses are not applicable.
If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.
FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.
- 8.
What auditing measures and technical safeguards are in place to prevent misuse of data?
The content and dialogue posted on the social media service will be in the public domain. Information that is misstated or misused should be reported to OPA, who will follow up with the NRC program offices, as appropriate. Most third party social media services/sites provide auditing capabilities for content that is published and comments that are posted by visitors (if applicable, see Appendix A).
Content information to be maintained by the NRC will be added to ADAMS, which has technical safeguards in place to prevent misuse of data.
- 9.
Are the data secured in accordance with FISMA requirements?
There are two places where the information will be maintained.
- Third party social media services/sites. These are not controlled by the NRC. Security controls are implemented by these providers and some have third party certifications. Whenever possible, to meet business requirements, the NRC will leverage third party social media services that are sponsored by the General Services Administration (GSA). GSA is also in the process of standing up a secure cloud service for selected third party social media services. NRC will leverage available services through GSA in order to take advantage of GSA provided terms of service and enhanced security features.
- ADAMS. This system is operated in accordance with FISMA requirements.
Content that is to be published in the public internet domain will be reviewed by the information owner and/or OPA to ensure it is suitable and appropriate for public consumption. This will be analogous to what occurs for publishing information to the NRC public website and public ADAMS. Visitors will be referred to a comment policy on the NRC website that indicates they should submit comments that conform to ethical standards and should be suitable for general public consumption (if applicable, see Appendix A). OPA at their discretion, as moderators, may choose not to publish comments or remove those that do not meet comment policy standards (Facebook).
OPA administrators and moderators, as well as other designated NRC staff moderators, will adhere to standard security rules for establishing account logins and profiles. This information is included in the Social Media Interim Guidance.
Social media websites and applications are external and third party hosted. Therefore, no internal system security plan is currently required. Users should also consult the website security policies of social media websites and applications they subscribe to for more information as they apply.
- a.
If yes, when was Certification and Accreditation last completed?
Yes, Authority to Use was recertified via email from NRC CIO David Nelson on September 29, 2017 (ML17286A073).
Contact:
Natalya Bobryakova, OCIO IT Specialist: (301) 287-0671.
Appendix A
Social media interactions and applications covered by this privacy impact assessment include:
- Blogging Tool - GSA's WordPress
- Micro-blogging Tool, such as Twitter.com (via GSA)
- Video Channel, such as YouTube.com (via GSA)
- Photo Gallery, such as Flickr.com (via GSA)
- Social Networking, such as Facebook (via GSA)
Future areas will be added as the need for additional NRC official presence sites is further established. To support the expansion of the Open Governance capabilities, to increase collaboration, transparency, and participation in the NRC regulatory activities, it is expected that multiple solutions will be leveraged by the NRC. This envisioned approach is consistent with the desire to increase NRC's communication channels in support of various business and Open Government needs.
Purpose: Blogging Tool
Site: WordPress.com (via GSA)
Privacy Policy: http://automattic.com/privacy/
Registration Requirements (required for NRC administrator and moderator managing the NRC public blogs):
- Account profile information (name, title, and other information adequate to represent the NRC authorized representatives to the public)
- Username - for account
- Password - for account
- E-mail Address - NRC email address of the NRC representative
Other Information: WordPress will be used by OPA or a designated office representative to publish content that is publicly available or conduct close-ended discussions on topics of interest for the purpose of informing the public. Visitors will have the option to post comments on published content and optionally provide their name and email address as part of the dialogue. This information will not be solicited by the NRC. Visitors may also choose to submit comments anonymously. A comment policy will be posted and available to visitors to establish expectations and guidelines on comments submitted and their use by the NRC.
WordPress uses cookies to help identify and track visitors, their usage of the website, and their website access preferences.
WordPress visitors have the option to refuse cookies before using WordPress, with the drawback that certain features of WordPress may not function properly. WordPress will not share cookie information with the NRC and NRC will not solicit this information.
Visitors: Visitors may post a comment anonymously or voluntarily provide their name (or alias) and an email address. Names and email addresses are often provided by these services to establish a conversation on the web between the NRC blogger and public site visitors.
Purpose: Video Channel
Site: YouTube.com (via GSA)
Privacy Policy: http://www.youtube.com/t/privacy
Registration Requirements (required for NRC administrator and moderator managing the NRC Video Channel):
- E-mail Address - NRC email address of the NRC representative
- Username - Publicly-displayed username for the account.
- Password - for account
- Location (Country) - for account
- Postal Code - for account
Other Information: YouTube will be used by OPA or a designated office representative to publish videos that are publicly available on topics for the purpose of informing and educating the public as well as generating conversation/dialogue with the public. Visitors will NOT have the option to post comments about the videos.
YouTube registration requires an email address and password. This information will not be collected by NRC.
Visitors: For some activities on YouTube, like posting comments, flagging videos, or watching restricted videos, visitors will need to establish a YouTube or Google Account. Some personal information is required to create an account, including an email address and a password. This information is used to protect the visitors' account from unauthorized access. No account information is needed for viewing videos. No account information is collected by the NRC.
Purpose: Micro-blogging Tool
Site: Twitter.com
Privacy Policy: http://twitter.com/privacy
Registration Requirements (required for NRC administrator and moderator managing the NRC Twitter feed):
- Account profile information (name, title, and other information adequate to represent the NRC authorized representatives to the public)
- Username - for account
- Password - for account
- E-mail Address - NRC email address of the NRC representative
Other Information: Twitter will be used by OPA or a designated office representative to publish snippets of content for the purpose of generating conversation/dialogue with the public or providing information to the public. Visitors will have the option to flag as favorite, retweet, or reply in response to the agency's Twitter posts. In order to retweet or reply, visitors will be asked to register on the Twitter site. Registration requires the user to enter their name, email address, username, and password. This information will not be collected by NRC. A policy will be posted and made available to visitors to establish expectations on replies submitted and their use by the NRC.
Visitors: In order to retweet or reply to the tweets posted by OPA or NRC authorized representatives, visitors must sign up for a Twitter account. Along with any comments/tweets posted on the site, Twitter publishes the individual's name and username.
Purpose: Photo Gallery
Site: Flickr.com (via GSA)
Privacy Policy: http://info.yahoo.com/privacy/us/yahoo/flickr/details.html
Registration Requirements (required for NRC administrator and moderator managing the NRC Photo Gallery):
- Account profile information (name (first and last), gender, birthday, country, postal code)
- Username - for account
- Password - for account
- E-mail Address - NRC email address of the NRC representative
Other Information: Flickr will be used by OPA or a designated office representative to publish photos in order to raise awareness of the agency's current activities, enhance information about existing collections of visual content such as historic photos, and allow the public to easily browse, view, and download content. Visitors will NOT have the option to post comments. Other content may be viewable to the public at large. Flickr registration requires an email address and password. This information will not be collected by NRC.
Visitors: Visitors may view photos or content on Flickr without having an account. However, in order to add a photo to a user's "Favorites", they must have a Flickr account. Some personal information is required to create an account, including an email address and a password. This information is used to protect the visitors' account from unauthorized access. No account information will be collected by NRC.
Purpose: Social Networking Tool
Site: Facebook.com (via GSA)
Privacy Policy: https://www.facebook.com/about/privacy/your-info
Registration Requirements (required for NRC administrator and moderator managing the NRC public blogs):
- Account profile information (name, title, and other information adequate to represent the NRC authorized representatives to the public)
- Username - for account
- Password - for account
- E-mail Address - NRC email address of the NRC representative
Other Information: Facebook will be used by OPA to publish content that is publicly available on topics of interest for the purpose of informing the public and generating ongoing dialogue with the public. Visitors will have the option to post comments on published content. This information will not be solicited by the NRC. A comment policy will be posted and available to visitors to establish expectations and guidelines on comments submitted and their use by the NRC.
Facebook uses cookies to enable features, provide personalized experience, protect security of accounts, improve, deliver, and understand advertisements on Facebook, and to research the use of products and services. Facebook visitors have the option to refuse cookies before using Facebook, with the drawback that certain features of Facebook may not function properly.
Facebook will not share cookie information with the NRC and NRC will not solicit this information.
Visitors: Visitors, by virtue of creating an account with Facebook, have provided information including names, email addresses, birthdays and gender, some of which is always publicly available according to Facebook policy. However, the NRC will not solicit personally identifiable information from visitors.
PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/CSD Staff)
System Name: Official Presence Use of Social Media Platforms
Submitting Office: Office of Public Affairs
A.
PRIVACY ACT APPLICABILITY REVIEW
_X_ Privacy Act is not applicable.
___ Privacy Act is applicable.
Comments:
The social media websites and applications covered by this privacy impact assessment (PIA) may require users to submit some personally identifiable information (PII) during the registration process when an account is required by the third party social media service. As a result, PII may transit and be displayed during the sign-up/log-on transaction and subsequent interactions.
The NRC will not solicit or collect this PII.
When NRC uses the social media websites and applications listed in Appendix A, NRC will not:
- 1) actively seek PII, and may only use the minimum amount of PII, which it receives, to accomplish a purpose required by statute, executive order, or regulation (all other PII received will be managed in accordance with the requirements and analytical understanding outlined in this PIA);
- 2) search social media websites or applications for or by PII; and
- 3) friend public users proactively.
When NRC uses the social media websites and applications listed in Appendix A, NRC may: 1) establish user names and passwords to form profiles, so long as they are easily identifiable as NRC accounts; and 2) interact on social media websites or applications on official NRC business.
As a requirement of this PIA, PII may not be retrieved by personal identifier, thus, a Privacy Act System of Records Notice is not required.
Unless otherwise directed by statute, executive order, or regulation, the NRC's Office of Public Affairs (OPA) will serve as the primary account holder for all NRC official presence social media websites and applications and will manage and approve all NRC content posted on these public-facing networks. All content disseminated through official NRC accounts must be approved by OPA (or, by agreement with OPA, by authorized NRC employees in each office) prior to posting. OPA (or authorized NRC employees) will ensure that all posted content falls within the appropriate requirements for publicly available information and materials. OPA will, when necessary, act as the final authority on what content is acceptable for posting.
If NRC posts a link that leads to a social media application or website, the NRC will provide an alert to the visitor, such as a statement adjacent to the link or a pop-up, explaining that visitors are being directed to a nongovernment website that may have different privacy policies from those of the NRC's official website.
If NRC has an operational need to use social media interactions or applications that are outside the scope of the requirements and analytical understanding outlined in this PIA, a separate PIA must be written to address the specific privacy concerns that may be unique to that initiative.
| Reviewer's Name | Title | Date |
|---|---|---|
| Sally A. Hardy | Privacy Officer | 2/23/2018 |

B.
INFORMATION COLLECTION APPLICABILITY DETERMINATION
_X_ No OMB clearance is needed.
___ OMB clearance is needed.
___ Currently has OMB Clearance. Clearance No.
Comments:
The NRC uses of social media outlined in this PIA do not require an OMB clearance. Certain uses of social media websites and applications are exempt from the Paperwork Reduction Act (PRA). For example, the NRC may use web-based technologies, such as blogs, wikis, and social networks, as a means of publishing general solicitations for public comment and for conducting virtual public meetings. Items collected by social media websites and applications that are not collecting information on behalf of the federal government are not subject to the PRA. Additionally, if the NRC authorizes website users to share content, such as send to a friend using a web form, this authorization does not require OMB clearance unless the agency collects additional information from the friend.
However, if the NRC uses social media websites and applications to post surveys of any kind, including web polls and satisfaction surveys that pose identical, specific questions, (including pop-up windows), the PRA does apply. Requesting information from respondents beyond name and email or mailing address would require OMB approval because it seeks information beyond what is necessary for self-identification during account registration of the respondent.
The PRA applies whether the obligation to respond to a collection of information is mandatory, voluntary, or required to obtain a benefit.
| Reviewer's Name | Title | Date |
|---|---|---|
| David Cullison | Agency Clearance Officer | 2/16/18 |

C.
RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION
___ No record schedule required.
___ Additional information is needed to complete assessment.
_X_ Needs to be scheduled.
___ Existing records retention and disposition schedule covers the system - no modifications needed.
Comments:
This system will need to be scheduled; therefore, NRC records personnel will need to work with NARA, OPA and OGC staff to develop a records retention and disposition schedule for records created or maintained with social media tools. Until the approval of such schedule, these records and information are permanent. Their willful disposal or concealment (and related offenses) is punishable by fine or imprisonment, according to 18 U.S.C. Chapter 101, Section 2071. Implementation of retention schedules is mandatory under 44 U.S.C. 3303a(d), and although this does not prevent further development of the project, retention functionality or a manual process must be incorporated to meet this requirement.
The NRC uses of social media, as outlined in this PIA, will require further consultation with OPA to ensure that content is either uploaded to ADAMS as an agency record prior to posting on a hosted site, or exported (or copied) to ADAMS at an agreed-upon time. In both cases, the records must be profiled in a manner that allows retentions to be applied. Records retentions do not currently exist for these scenarios; therefore, records filed in ADAMS will be considered permanent until a NARA approved retention is obtained.
Moreover, the President's Memorandum for the Heads of Executive Departments and Agencies, Managing Government Records, dated November 28, 2011, requires that all agencies improve their records management performance and promote openness and accountability by better documenting agency actions and decisions. These actions and decisions include those that must be taken into account when using social media.
| Reviewer's Name | Title | Date |
|---|---|---|
| Marna B. Dove | Sr. Program Analyst, Electronic Records Manager | 2/9/2018 |

D.
BRANCH CHIEF REVIEW AND CONCURRENCE
_X_ This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
___ This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.
I concur in the Privacy Act, Information Collections, and Records Management reviews:
/RA/ Date: March 1, 2018
Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer
TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS
TO: David Castelveter, Director, Office of Public Affairs
Name of System: Official Presence Use of Social Media Platforms
Date ISD received PIA for review: October 13, 2017
Date ISD completed PIA review: February 23, 2018
Noted Issues:
Based on the social media interactions and applications, no PII will be solicited or collected; a Privacy Act System of Records Notice is not required.
Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer
Signature/Date: /RA/ March 1, 2018
Copies of this PIA will be provided to:
Tom Rich, Director
IT Services Development & Operation Division
Office of the Chief Information Officer
Jonathan Feibus
Chief Information Security Officer (CISO)
Governance & Enterprise Management Services Division
Office of the Chief Information Officer