ML18075A261
| Person / Time | |
|---|---|
| Issue date: | 07/12/2018 |
| From: | Anna Mcgowan NRC/OCIO |
ADAMS ML18075A261
U.S. Nuclear Regulatory Commission
Privacy Impact Assessment
Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.
NRCareers System (NRCareers)
Date: March 15, 2018
A. GENERAL SYSTEM INFORMATION
- 1. Provide a detailed description of the system:
NRCareers is the NRC's web-based vacancy application system that facilitates the posting of vacancy announcements to the Office of Personnel Management (OPM) USAJobs system and gives applicants the ability to apply for vacancies via the web. NRCareers also passes information on the selectees to the Workforce Transformation Tracking System (WTTS), which supports the agency's tracking and reporting of recruitment activities.
NRCareers is a subsystem of the Office of the Chief Information Officer (OCIO) Third Party System (TPS). TPS provides a framework for managing cybersecurity compliance for the external IT services used by NRC.
NRCareers is owned, operated, and housed by Monster Government Solutions. It is procured by NRC through an interagency agreement with the Department of the Interior's Interior Business Center. The system is entirely browser-based, and so has no components housed in the NRC infrastructure.
- 2. What agency function does it support?
NRCareers supports the agency in filling vacancies, evaluating candidates, and onboarding selectees by passing information to WTTS and USAJOBS.
- 3. Describe any modules or subsystems, where relevant, and their functions.
There are no subsystems or additional modules associated with the NRCareers system.
- 4. What legal authority authorizes the purchase or development of this system? What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.
NRCareers was upgraded in FY 2007 to be compliant with the e-government Recruitment-One-Stop/USA Jobs mandate.
- 5. What is the purpose of the system and the data to be collected?
NRCareers supports on-line vacancy creation by OCHCO personnel, the on-line application process, interfaces to required web sites such as the Office of Personnel Management (OPM) USAJOBS, and an automated rating process.
- 6. Points of Contact:
| Role | Name | Office/Division/Branch | Telephone |
|---|---|---|---|
| Project Manager | Dariele Taswell | OCHCO/ADHROP | 301-287-0278 |
| Executive Sponsor | Jason Shay | OCHCO/ADHROP | 301-287-0590 |
- 7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
- a.
New System
x Modify Existing System
Other (Explain)
- b. If modifying an existing system, has a PIA been prepared before?
Yes
(1) If yes, provide the date approved and ADAMS accession number.
A PIA was developed on May 22, 2008. ML081550319
(2) If yes, provide a summary of modifications to the existing system.
NRCareers cybersecurity compliance will now be managed under TPS.
B. INFORMATION COLLECTED AND MAINTAINED
These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.
- 1. INFORMATION ABOUT INDIVIDUALS
- a. Does this system maintain information about individuals?
Yes
(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public).
NRCareers collects information about applicants for NRC vacancies. These applicants may be NRC employees, contractors, other Federal employees, or the general public.
(2) IF NO, SKIP TO QUESTION B.2.
- b. What information is being maintained in the system about an individual (be specific)?
NRCareers maintains employment application information about individuals such as their employment history, training and awards, education, personal information such as address and phone number, references, and any information an applicant shows on their resume. Most importantly, NRCareers maintains the applicant's social security number as a unique identifier.
- c. Is information being collected from the subject individual?
All information collected in NRCareers is provided by the subject individual building their resume.
To the greatest extent possible, collect information about an individual directly from the individual.
(1) If yes, what information is being collected?
NRCareers collects employment history, training and awards, education, including personal information such as address and phone number, references, and social security numbers.
- d. Will the information be collected from 10 or more individuals who are not Federal employees?
Yes, information can be collected from applicants that are not federal employees.
(1) If yes, does the information collection have OMB approval?
Yes
(a) If yes, indicate the OMB approval number:
OMB CONTROL NUMBER: 1225-0072.
- e. Is the information being collected from existing NRC files, databases, or systems?
No
(1) If yes, identify the files/databases/systems and the information being collected.
- f. Is the information being collected from external sources (any source outside of the NRC)?
Yes
(1) If yes, identify the source and what type of information is being collected?
NRCareers collects employment histories, training and awards, education, personal information such as addresses and phone numbers, references, and social security numbers.
- g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?
Applicants have an obligation to provide truthful information during the vacancy application process. Information is verified by the agency human resources professional or selecting official.
- h. How will the information be collected (e.g. form, data transfer)?
Information is collected electronically through forms on USAJOBs and NRCareers web pages on Monster.com.
- 2. INFORMATION NOT ABOUT INDIVIDUALS
- a. Will information not about individuals be maintained in this system?
Yes
(1) If yes, identify the type of information (be specific).
Information about position vacancies is maintained in NRCareers, such as title, grade, salary, duties, and required skills. In addition, NRCareers has general government information such as benefits, veterans' preference rules, etc., which is used when posting vacancy announcements.
- b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.
This information comes from internal sources such as position descriptions and crediting plans and also from external sources such as the Office of Personnel Management.
C. USES OF SYSTEM AND INFORMATION
These questions will identify the use of the information and the accuracy of the data being used.
- 1. Describe all uses made of the data in this system.
The information will be used to fill NRC position vacancies.
- 2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?
Yes
- 3. Who will ensure the proper use of the data in this system?
HR specialists and hiring managers
- 4. Are the data elements described in detail and documented?
No
- a. If yes, what is the name of the document that contains this information and where is it located?
- 5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
No
Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.
Aggregation of data is the taking of various data elements and then turning them into a composite of all the data to form another type of data (i.e. tables or data arrays).
- a. If yes, how will aggregated data be maintained, filed, and utilized?
- b. How will aggregated data be validated for relevance and accuracy?
- c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?
- 6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier? (Be specific.)
Information can be retrieved by the vacancy announcement number or name.
- 7. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?
No
- a. If yes, explain.
(1) What controls will be used to prevent unauthorized monitoring?
- 8. List the report(s) that will be produced from this system.
The system can produce various reports such as applicant reports and vacancy statistics reports.
- a. What are the reports used for?
To view information about applicants and vacancies.
- b. Who has access to these reports?
The system administrator assigns authorized users to a permission group.
D. ACCESS TO DATA
- 1. Which NRC office(s) will have access to the data in the system?
OCHCO personnel and offices that have position vacancies will have access to the system information.
(1) For what purpose?
To post vacancies and view applicants.
(2) Will access be limited?
Yes
- 2. Will other NRC systems share data with or have access to the data in the system?
No
(1) If yes, identify the system(s).
(2) How will the data be transmitted or disclosed?
- 3. Will external agencies/organizations/public have access to the data in the system?
No
(1) If yes, who?
(2) Will access be limited?
(3) What data will be accessible and for what purpose/use?
(4) How will the data be transmitted or disclosed?
E. RECORDS RETENTION AND DISPOSAL
The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and are required under 36 CFR 1234.10. The following questions are intended to determine whether the records in the system have an approved records retention schedule or if one will be needed.
- 1. Can you map this system to an applicable retention schedule in NUREG-0910, or the General Records Schedules at http://www.archives.gov/records-mgmt/grs?
Yes
- a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished. For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to a file for transfer based on their approved disposition?
The records and information identified in the system are Federal records that are covered under GRS 2.1 - Employee Acquisition Records.
GRS 2.1: Item 020 - Official record copy of position description: Temporary - Destroy 2 years after position is abolished or description is superseded, but longer retention is authorized if required for business use.
GRS 2.1: Item 060 - Employee Acquisition Records: Temporary. Destroy 1 year after date of submission.
The system also includes employment application information and therefore must also abide by other retention and disposition instructions (please see GRS 2.1) for the following:
GRS 2.1: Items 50, 51 - Job Vacancy Case Files
GRS 2.1: Items 100, 102 - Political appointment (Schedule C) records
GRS 2.1: Items 110, 111 - Excepted service appointment records
- b. If the answer to question E.1 is yes, skip to F.1. If the response is no, complete question E.2 through question E.7.
- 2. If the records cannot be mapped to an approved records retention schedule, how long do you need the records? Please explain.
- 3. Would these records be of value to another organization or entity at some point in time? Please explain.
- 4. How are actions taken on the records? For example, is new data added or updated by replacing older data on a daily, weekly, or monthly basis?
- 5. What is the event or action that will serve as the trigger for updating, deleting, removing, or replacing information in the system? For example, does the information reside in the system for three years after it is created and then is it deleted?
- 6. Is any part of the record an output, such as a report, or other data placed in ADAMS or stored in any other location, such as a shared drive or MS SharePoint?
- 7. Does this system allow for the deletion or removal of records no longer needed and how will that be accomplished?
F. TECHNICAL ACCESS AND SECURITY
- 1. Describe the security controls used to limit access to the system (e.g., passwords).
Access to the system is requested via a request form used for all HR systems. The NRCareers System Administrator sets up access based on this request. The user receives a User ID and Password for the system which they use to access those parts of the system that are included in their permission group. Permission Groups are also changed based on the same request form. When a user leaves, their permission is removed from the system so they can no longer access information.
- 2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?
Passwords and access level controls are in place, and a record of the date/time and user ID is maintained when records are inserted or modified.
- 3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?
Yes
(1) If yes, where?
Documentation will be maintained by OCHCO and OCIO personnel in ADAMS and SharePoint.
- 4. Will the system be accessed or operated at more than one location (site)?
No
- a. If yes, how will consistent use be maintained at all sites?
- 5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?
NRCareers has a designated System Administrator and several permission groups for HR specialists/Regional Users. There is also a permission group for selecting officials and rating panel/reviewing officials.
- 6. Will a record of their access to the system be captured?
Yes
- a. If yes, what will be collected?
The User ID, time, date, and the individual action that occurred.
- 7. Will contractors be involved with the design, development, or maintenance of the system?
The NRCareers application is hosted by Monster Government Solutions. In addition, HR employs several other contractors who review and update information in the system.
If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.
FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.
- 8. What auditing measures and technical safeguards are in place to prevent misuse of data?
Passwords and access level controls are in place, and a record of the date/time and user ID is maintained when records are inserted or modified.
- 9. Are the data secured in accordance with FISMA requirements?
Yes, Monster Hiring Management System is a FedRAMP Ready system.
- a. If yes, when was Certification and Accreditation last completed?
The Monster Hiring Management System still needs to undergo a FedRAMP authorization process.
PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMS/ISB Staff)
System Name: NRCareers System (NRCareers)
Submitting Office: Office of the Chief Human Capital Officer
A. PRIVACY ACT APPLICABILITY REVIEW
Privacy Act is not applicable.
X Privacy Act is applicable.
Comments:
This system contains personally identifiable information. NRCareers is maintained as part of NRC's Privacy Act system of records NRC-28, Merit Selection Records.
| Reviewer's Name | Title | Date |
|---|---|---|
| Sally A. Hardy | Privacy Officer | 7/12/2018 |
B. INFORMATION COLLECTION APPLICABILITY DETERMINATION
No OMB clearance is needed.
X OMB clearance is needed.
Currently has OMB Clearance. Clearance No.
Comments: The OMB clearance cited was discontinued in 2012. Currently the NRC does not have a clearance allowing for the collection of the information contained in this system from non-Federal employees. The continued use of NRCareers to collect information from non-Federal employees is a potential violation of the Paperwork Reduction Act.
| Reviewer's Name | Title | Date |
|---|---|---|
| David Cullison | Agency Clearance Officer | 4/24/18 |
C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION
No record schedule required.
Additional information is needed to complete assessment.
Needs to be scheduled.
X Existing records retention and disposition schedule covers the system - no modifications needed.
Comments:
| Reviewer's Name | Title | Date |
|---|---|---|
| Marna B. Dove | Sr. Program Analyst, Electronic Records Manager | 5/31/18 |
D. BRANCH CHIEF REVIEW AND CONCURRENCE
This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.
I concur in the Privacy Act, Information Collections, and Records Management reviews:
/RA/ Date July 12, 2018
Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer
TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS
TO: Jason Shay, Office of the Chief Human Capital Officer
Name of System: NRCareers System (NRCareers)
Date ISB received PIA for review: March 16, 2018
Date ISB completed PIA review: July 12, 2018
Noted Issues:
The OMB clearance cited was discontinued in 2012. Currently the NRC does not have a clearance allowing for the collection of the information contained in this system from non-Federal employees. The continued use of NRCareers to collect information from non-Federal employees is a potential violation of the Paperwork Reduction Act.
Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer
Signature/Date: /RA/ July 12, 2018
Copies of this PIA will be provided to:
Tom Rich, Director
IT Services Development & Operation Division
Office of the Chief Information Officer
Jonathan Feibus
Chief Information Security Officer (CISO)
Governance & Enterprise Management Services Division
Office of the Chief Information Officer