ML20191A216

Foiaonline Privacy Impact Assessment
ML20191A216
Person / Time
Issue date: 07/29/2020
From: Natalya Bobryakova
NRC/OCIO/GEMSD/CSB
To:
Natalya Bobryakova, 301-287-0671


Text

PIA Template (04-2019) Page 1 of 15

U.S. Nuclear Regulatory Commission

Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

E-FOIA Tracking System (FOIAonline)

Date: July 29, 2020

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:

FOIAonline is a multi-agency cloud-based web application managed by the Environmental Protection Agency (EPA). FOIAonline allows the public to submit Freedom of Information Act (FOIA) requests to participating agencies and track the progress of an agency's response to a request. FOIAonline is also a workflow system and repository that enables participating agencies to manage FOIA requests and generate reports, including the annual FOIA report for submission to the Department of Justice.

The Nuclear Regulatory Commission (NRC) uses FOIAonline to receive, manage, track, and respond to FOIA requests, communicate with requestors, and maintain the FOIA case files as electronic records. NRC's routine correspondence with the requesters, along with responsive records from the agency, is maintained in the system. Responsive records that exceed the system security categorization of moderate are maintained at NRC in a secure restricted access location (safe or secure restricted drive).

2. What agency function does it support?

FOIAonline supports the NRC Freedom of Information Act/Privacy Act (FOIA/PA) Program.

3. Describe any modules or subsystems, where relevant, and their functions.

FOIAonline fulfills the tracking and reporting requirements under the Freedom of Information Act (5 U.S.C. § 552, as Amended by Public Law No.104-231, 110 Stat. 3048).

4. What legal authority authorizes the purchase or development of this system?

Clinger-Cohen (40 U.S.C. 11318)

The Economy Act (31 U.S.C. §§ 1535, 1536)

The Freedom of Information Act (5 U.S.C. § 552, as amended by P.L. 104-231, 110 Stat. 3048) and the FOIA Improvement Act of 2016 (P.L. 114-185 (June 30, 2016))

Memorandum for the Heads of Executive Departments and Agencies: Open Government Directive, M10-06 (December 8, 2009)

5. What is the purpose of the system and the data to be collected?

To process FOIA requests and FOIA appeals. To allow the public to submit and the agency to process FOIA requests and FOIA appeals. Collecting site usage activity is a common practice and the only means to determine how the public is actually using features on any given web site.

6. Points of Contact:

Project Manager: Stephanie Blaney; Office/Division/Branch: OCIO/GEMS/ISB; Telephone: 301-415-6975

Business Project Manager: Stephanie Blaney; Office/Division/Branch: OCIO/GEMS/ISB; Telephone: 301-415-6975

Technical Project Manager: Anna McGowan; Office/Division/Branch: OCIO/GEMS/ISB; Telephone: 301-415-7204

Executive Sponsor: David Nelson; Office/Division/Branch: OCIO; Telephone: 301-415-8700

ISSO: Natalya Bobryakova; Office/Division/Branch: OCIO/ITSDOD; Telephone: 301-287-0671

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. New System

X Modify Existing System

Other
b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes, updating contacts, format, and descriptions.

(1) If yes, provide the date approved and Agencywide Document Access Management System (ADAMS) accession number.

ML17270A079, approved March 14, 2018

(2) If yes, provide a summary of modifications or other changes to the existing system.

Update to contacts and system description.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

No, FOIAonline is an externally provided Software-as-a-Service (SaaS) application.

a. If yes, please provide Enterprise Architecture (EA)/Inventory number.
b. If, no, please contact EA Service Desk to get Enterprise Architecture (EA)/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).

Any person who submits a FOIA/PA Request.

(2) IF NO, SKIP TO QUESTION B.2.


b. What information is being maintained in the system about an individual (be specific - e.g. SSN, Place of Birth, Name, Address)?

Name, home address, business name, business address, home phone number, business phone number, mobile phone number, fax number, home e-mail address, and business e-mail address. Requestors can provide additional information, such as Date of Birth (DOB) and Social Security Number (SSN); however, this information is not required and is provided voluntarily by the requestor. FOIA/PA team members redact the Personally Identifiable Information (PII) when possible to reduce the sensitivity of the information.

c. Is information being collected from the subject individual?

Yes, through voluntary submittal of a FOIA/PA request.

(1) If yes, what information is being collected?

The person making the FOIA/PA request is required to provide NRC with their name and contact information such as home address, business name, business address, home phone number, business phone number, mobile phone number, fax number, home e-mail address, or business e-mail address.

d. Will the information be collected from individuals who are not Federal employees?

Yes.

(1) If yes, does the information collection have the Office of Management and Budget (OMB) approval?

Yes.

(a) If yes, indicate the OMB approval number:

3150-0043

e. Is the information being collected from existing NRC files, databases, or systems?

No.

(1) If yes, identify the files/databases/systems and the information being collected.


f. Is the information being collected from external sources (any source outside of the NRC)?

No.

(1) If yes, identify the source and what type of information is being collected?

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

FOIA/PA Team only verifies the ability to contact a requestor, whether it is by telephone, mail, e-mail, or fax, but does not verify whether the information provided is in fact their home address or home phone number.

h. How will the information be collected (e.g. form, data transfer)?

FOIA/PA requests can be submitted in a paper or electronic format.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).

Offices assigned cases, assigned caseworker, fee category, fee estimates, multi-track type, received date, closed date, target date, perfected date of request, fee waiver request, expedited processing request, final fees due or owed to requester, requester type, and identification of exemptions used for denied records.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

Information identified in a. is determined by the FOIA/PA Team.

Exemptions used for denied records are determined by the program offices and verified by the FOIA/PA Team and the Office of the General Counsel (OGC).

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.


1. Describe all uses made of the data in this system.

The system is used to track all FOIA/PA requests received by the NRC in both paper and electronic form. The information is used to communicate with the requestor, to generate the FOIA Annual Report to the Department of Justice (DOJ), to generate correspondence to the FOIA requesters, reports required by regulation, and ad hoc reports as needed. The system also calculates fees for the requests and is used as an archival system to locate previous similar requests and requesters.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

3. Who will ensure the proper use of the data in this system?

Members of the NRC's FOIA/PA Team.

4. Are the data elements described in detail and documented?

Yes.

a. If yes, what is the name of the document that contains this information and where is it located?

Software is owned and managed by EPA, for use by Federal agencies. Licenses are purchased from EPA, which provides a user's manual and training, as needed. A hard copy of the user's manual is located with the FOIA/PA team as well as EPA.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?
b. How will aggregated data be validated for relevance and accuracy?


c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?
6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

Data can be retrieved through queries or reports using any of the fields in the database such as names of requesters, types of requesters, request number, subject matter of requests, exemptions used for denied records, multi-track type, payment status, fee waiver status, expedited status, closed between dates, caseworker name, etc.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

Data can be retrieved by a requester name or caseworker name.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

Yes.

a. If Yes, provide name of SORN and location in the Federal Register.

NRC-10, Freedom of Information Act (FOIA) and Privacy Act (PA) Request Records.

8. If the information system is being modified, will the SORN(s) require amendment or revision?

No.

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

(1) What controls will be used to prevent unauthorized monitoring?

10. List the report(s) that will be produced from this system.

FOIA Quarterly and Annual Reports to DOJ describe the NRC's response to FOIA requests. Statistical data only. Reports are available through NRC's public Website.

A report for a previous request will provide data to the caseworker, such as which offices were assigned the case, received date, closed date, perfected date, exemptions used for denied records, fees charged, etc.

Ad hoc statistical reports, for example, how many cases are open, how many cases were closed, uses of particular exemptions, response times, backlogs, etc.

a. What are the reports used for?

The FOIA Quarterly and Annual Reports are for DOJ, which oversees all Government FOIA programs, and provide the DOJ the statistical data needed to gauge our success in responding to FOIA/PA requests in a timely manner.

A report on a previous request can assist the review in handling a newer request for similar records.

A report on how many requests by particular requester type are received can be provided to a FOIA/PA requester.

Management and oversight of the FOIA/PA program.

b. Who has access to these reports?

FOIA/PA Team members and contractors.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

OCIO FOIA/PA Team and contractors.

(1) For what purpose?

FOIA Quarterly and Annual Reports to DOJ.

Archival data to review previous cases/requesters.

Data input to correct information in system, fees owed, etc.

Input case closing information such as closed date, exemptions used.

Review FOIA/PA cases.

(2) Will access be limited?

Access will be based on an individual's need to know.


2. Will other NRC systems share data with or have access to the data in the system?

No.

(1) If yes, identify the system(s).

(2) How will the data be transmitted or disclosed?

3. Will external agencies/organizations/public have access to the data in the system?

Yes.

(1) If yes, who?

Agencies, organizations, and the public.

(2) Will access be limited?

Yes.

(3) What data will be accessible and for what purpose/use?

Requestors can only access their data/info which they have provided through the FOIAonline account for tracking their FOIA/PA requests.

(4) How will the data be transmitted or disclosed?

Data will be transmitted online through a FOIAonline requestor user account or via e-mail or regular U.S. mail for non-FOIAonline users.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 U.S.C., 36 CFR). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have an approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management (RIM) and NARA's Universal Electronic Records Management (ERM) requirements, and if a strategy is needed to ensure compliance.


1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules?

Yes.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).

For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

Access and disclosure request files GRS 4.2 - Item 020 Temporary.

Destroy 6 years after final agency action or 3 years after final adjudication by the courts, but longer retention is authorized if required for business use.

b. If no, please contact the Records and Information Management (RIM) staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Each NRC approved user with access to FOIAonline has a username and password, along with a Personal Identity Verification (PIV) Card or One-Time Password (OTP) credential. Responsive records that exceed the system security categorization of moderate will be maintained in a secure restricted access location (safe or secure restricted drive).

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

Each user has an individual username and two factors of authentication. Access rights are provided based on their need to know.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes.

(1) If yes, where?

In the signed Memorandum of Understanding between EPA and NRC.


4. Will the system be accessed or operated at more than one location (site)?

Yes. The FOIAonline system can be accessed remotely through the Virtual Private Network (VPN) and CITRIX.

a. If yes, how will consistent use be maintained at all sites?

Consistent use will be through NRC offices, VPN, and CITRIX only.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

FOIA/PA Team members and contractors.

6. Will a record of their access to the system be captured?

No.

a. If yes, what will be collected?
7. Will contractors be involved with the design, development, or maintenance of the system?

EPA is responsible for the design, maintenance, and development of FOIAonline.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.

FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

No auditing measures. The system is only accessed by the FOIA/PA Team members and contractors.

9. Is the data secured in accordance with FISMA requirements?

Yes

a. If yes, when was Certification and Accreditation last completed?

Maintained by EPA

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMS/ISB Staff)

System Name: E-FOIA Tracking System (FOIAonline)

Submitting Office: OCIO

A. PRIVACY ACT APPLICABILITY REVIEW

Privacy Act is not applicable.

X Privacy Act is applicable.

Comments:

This system is covered by System of Records Notice - NRC-10, Freedom of Information Act (FOIA) and Privacy Act (PA) Request Records.

Reviewer's Name: Signed by Hardy, Sally on 07/20/20

Title: Privacy Officer

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

No OMB clearance is needed.

OMB clearance is needed.

X Currently has OMB Clearance. Clearance No. 3150-0043

Comments:

Reviewer's Name: Signed by Cullison, David on 07/13/20

Title: Agency Clearance Officer

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

No record schedule required.

Additional information is needed to complete assessment.

Needs to be scheduled.

X Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name: Signed by Dove, Marna on 07/17/20

Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE

This Information Technology (IT) system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Signed by Brown, Cris on 07/29/20

Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: David Nelson, OCIO/D

Name of System: FOIAonline

Date CSB received PIA for review: July 09, 2020

Date CSB completed PIA review: June 20, 2020

Noted Issues:

Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

Signature/Date: Signed by Brown, Cris on 07/29/20

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr.
Director
IT Services Development and Operations Division
Office of the Chief Information Officer

Jonathan R. Feibus
Chief Information Security Officer (CISO)
Office of the Chief Information Officer

ML20191A216

OFFICE: OCIO/GEMSD/FLICB/ICT; NAME: DCullison DC; DATE: Jul 13, 2020

OFFICE: OCIO/GEMSD/DPRB; NAME: MDove MD; DATE: Jul 17, 2020

OFFICE: OCIO/GEMSD/CSB; NAME: SHardy SH; DATE: Jul 20, 2020

OFFICE: OCIO/GEMSD/CSB; NAME: CBrown CB; DATE: Jul 29, 2020