Text

PIA Template (04-2019)

Page 1 of 15 U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Labor and Employee Relations Tracking System Date: September 03, 2020 GENERAL SYSTEM INFORMATION A.

Provide a detailed description of the system:

1.

The Labor and Employee Relations Tracking System automates manual paper-based business processes of the Office of the Chief Human Capital Officer (OCHCO) Labor and Employee Relations process. This SharePoint-based system will streamline and improve overall efficiency in processing, managing and reporting on labor and employee relations information.

What agency function does it support?

2.

The Labor Relations Tracking System supports the U.S. Nuclear Regulatory Commissions (NRCs) Employee and Labor Relations functions.

Describe any modules or subsystems, where relevant, and their functions.

3.

The Labor and Employee Relations Tracking System manages the relationship between the agency and its unions and bargaining units. This includes negotiation and administering labor contracts and collective bargaining agreements; managing negotiated grievances; and participating in negotiated third party proceedings. The purpose of this system is to document, track and maintain all current and former NRC employees and annuitants who have filed complaints, grievances or appeals or are the subject of proposed or final disciplinary action or have been suspected of misconduct. Employee Disciplinary Actions, Appeals, Grievances, and Complaints Records.

What legal authority authorizes the purchase or development of this 4.

system?

The Civil Service Reform Act of 1978 requires all Federal agencies to establish an employee and labor management relations program. See relevant Management Directives (MDs): 10.102, Labor-Management Relations Program for Federal Employees, MD 10.99, Discipline and Adverse Actions, and MD 10.101, Employee Grievances.

PIA Template (04-2019)

Page 2 of 15 What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.

What is the purpose of the system and the data to be collected?

5.

The purpose for collecting this information is to accurately capture, store, manage, track, and report the issues, status, and outcomes of employee and management issues and grievances.

Points of

Contact:

6.

Project Manager Office/Division/Bran ch Telephone Bi Smith, Branch Chief OCHCO/PLERB 301-287-0553 Business Project Manager Office/Division/Bran ch Telephone Yvonne Weed OCHCO/PLERB 301-287-9463 Technical Project Manager Office/Division/Bran ch Telephone Sally Wilding OCHCO/HCAB 301-287-0596 Executive Sponsor Office/Division/Bran ch Telephone Mary Lamary OCHCO 301-415-3300 TPS ISSO Office/Division/Bran ch Telephone Natalya Bobryakova OCIO/GEMSD/CSB 301-287-0671 Subsystem Owner/User Office/Division/Bran ch Telephone Mary Lamary OCHCO 301-415-3300 Does this privacy impact assessment (PIA) support a proposed new system 7.

or a proposed modification to an existing system?

New System a.

X Modify Existing System Other If modifying or making other updates to an existing system, has a b.

PIA been prepared before?

PIA Template (04-2019)

Page 3 of 15 If yes, provide the date approved and the Agencywide (1)

Documents Access and Management System (ADAMS) accession number.

ADAMS ML14056A330, January 23, 2014 ADAMS ML081410101, May 9, 2008 If yes, provide a summary of modifications or other changes (2) to the existing system.

Add a tab for the Addressing Allegations of Retaliation for Raising Safety Concerns and other inquiry processes. (October 30, 2020)

No modifications to the system. Updated Points of Contact Information and OCHCO/Employee Labor Relations Branch to OCHCO/Policy, Labor and Employee Relations Branch (PLERB).

(January 23, 2014)

The Labor and Employee Relations Tracking System will now use SharePoint to automate the Labor Relations process.

(May 9, 2008)

Do you have an NRC system Enterprise Architecture (EA)/Inventory 8.

number?

Yes.

If yes, please provide EA/Inventory number.

a.

EA Number 20210001.

If, no, please contact EA Service Desk to get EA/Inventory number.

b.

INFORMATION COLLECTED AND MAINTAINED B.

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

INFORMATION ABOUT INDIVIDUALS 1.

Does this system maintain information about individuals?

a.

Yes.

PIA Template (04-2019)

Page 4 of 15 If yes, identify the group(s) of individuals (e.g., Federal (1) employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licenses etc.)).

Federal employees Federal contractors who are identified as witnesses.

IF NO, SKIP TO QUESTION B.2.

(2)

What information is being maintained in the system about an b.

individual (be specific - e.g. Social Security Number, Place of Birth, Name, Address)?

For Federal Contractors, contact information only Federal Employees (can include):

a) Employee Name b) Supervisor/Manager Name c)

Business Phone Number d) Organization e) Complaint/Issue Description f)

Disciplinary/Adverse action proposed and/or taken g) Performance appraisal data h) Grievance/Complaint data i)

System-generated case number Is information being collected from the subject individual?

c.

Yes.

To the greatest extent possible, collect information about an individual directly from the individual.

If yes, what information is being collected?

(1)

Can include any of the information listed under 1.b of this section.

Will the information be collected from individuals who are not d.

Federal employees?

No.

If yes, does the information collection have the Office of (1)

Management and Budget (OMB) approval?

PIA Template (04-2019)

Page 5 of 15 If yes, indicate the OMB approval number:

(a)

Is the information being collected from existing NRC files, e.

databases, or systems?

Yes.

If yes, identify the files/databases/systems and the (1) information being collected.

Depending on the issue, collect only what is needed to take the pertinent action from among the following:

Federal Personnel Payroll System: Title, series, grade, Service Computation Date, leave balances, Within Grade Increase due dates, performance ratings, bargaining unit status, retirement eligibility, forwarding address, separation dates.

Electronic Official Personnel Folder: Personnel information Talent Management System: Performance information Human Resources Merit Staffing Files: Selections, qualification determinations PLERB paper files.

Is the information being collected from external sources (any source f.

outside of the NRC)?

No.

If yes, identify the source and what type of information is (1) being collected?

How will information not collected directly from the subject g.

individual be verified as current, accurate, and complete?

PLERB staff will verify the currency, accuracy and completeness of data.

How will the information be collected (e.g. form, data transfer)?

h.

Information will be collected directly from individual employees by personal interview and/or through declaration, Official Personnel Folders, Merit Staffing Files. Information may be manually entered into the system from verbal input.

PIA Template (04-2019)

Page 6 of 15 2.

INFORMATION NOT ABOUT INDIVIDUALS a.

Will information not about individuals be maintained in this system?

Yes.

If yes, identify the type of information (be specific).

(1)

Disciplinary/Adverse actions, grievance, statistical data such as number of cases per year, types of cases, administrative inquiries and fact-findings and the outcomes.

b.

What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

Internal sources. This information will result directly from the manually entered data by the OCHCO/PLERB Specialists and from information verified by employees, supervisors and other OCHCO records. Upon entry, the system will generate a case number for each case entered.

USES OF SYSTEM AND INFORMATION C.

These questions will identify the use of the information and the accuracy of the data being used.

Describe all uses made of the data in this system.

1.

The electronic data replaced a large portion of the old paper-file-cabinet storage operation used in OCHCO/PLERB for its employee and labor-management relations program. Some paper case evidence such as signed, sworn affidavits may not be replaced electronically until such time as the agency has electronic signature capability. Additionally, ad-hoc reports can be generated with updated information for reporting to senior management, union representatives, the Commission, and OMB.

Is the use of the data both relevant and necessary for the purpose for which 1.

the system is designed?

Yes.

Who will ensure the proper use of the data in this system?

2.

The end users (Policy, Labor and Employee Relations Branch) are responsible for ensuring the proper use of the information.

PIA Template (04-2019)

Page 7 of 15 Are the data elements described in detail and documented?

3.

No.

If yes, what is the name of the document that contains this a.

information and where is it located?

Will the system derive new data or create previously unavailable data about 4.

an individual through aggregation from the information collected?

No.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

If yes, how will aggregated data be maintained, filed, and utilized?

a.

How will aggregated data be validated for relevance and accuracy?

b.

If data are consolidated, what controls protect it from unauthorized c.

access, use, or modification?

How will data be retrieved from the system? Will data be retrieved by an 5.

individuals name or personal identifier (name, unique number or symbol)?

(Be specific.)

Yes.

If yes, explain, and list the identifiers that will be used to retrieve a.

information on the individual.

Information will be retrieved by last name, case number, case type or organization.

Has a Privacy Act System of Records Notice (SORN) been published in the 6.

Federal Register?

Yes.

PIA Template (04-2019)

Page 8 of 15 If Yes, provide name of SORN and location in the Federal Register.

a.

Employee Disciplinary Actions, Appeals, Grievances, and Complaints Records - NRC 8 Federal Register, December 27, 2019 (84 FR 71542).

If the information system is being modified, will the SORN(s) require 7.

amendment or revision?

No.

Will this system provide the capability to identify, locate, and monitor 8.

(e.g., track, observe) individuals?

No.

If yes, explain.

a.

What controls will be used to prevent unauthorized (1) monitoring?

List the report(s) that will be produced from this system.

9.

NRC requires periodic reporting and requested data to Office of the Inspector General and Equal Employment Opportunity Commission reports required under the NO FEAR Act, ad hoc reports to the Office of the General Council and the National Treasury Employees Union as requested, to track trends of types of misconduct, and workload.

What are the reports used for?

a.

Reports will be generated and submitted to satisfy agency senior management, Commission, collective bargaining agreement, and OMB requirements.

Who has access to these reports?

b.

The system users within PLERB and those who are authorized access or have a need to know, NO FEAR Act reports are published for oversight agencies: Congress, Department of Justice, Office of Personnel Management, and the Attorney General.

ACCESS TO DATA D.

Which NRC office(s) will have access to the data in the system?

1.

OCHCO/PLERB.

PIA Template (04-2019)

Page 9 of 15 For what purpose?

(1)

To track case data relating to labor relations and employee relations, including bargaining units and agreements, from beginning to end.

Will access be limited?

(2)

Yes. Limited to the designated users within OCHCO/PLERB.

Will other NRC systems share data with or have access to the data in the 2.

system?

No.

If yes, identify the system(s).

(1)

How will the data be transmitted or disclosed?

(2)

Will external agencies/organizations/public have access to the data in the 3.

system?

No.

If yes, who?

(1)

Will access be limited?

(2)

What data will be accessible and for what purpose/use?

(3)

How will the data be transmitted or disclosed?

(4)

RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND E.

DISPOSAL The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 U.S.C., 36 Code of Federation Regulations (CFR)).

Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARAs Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

PIA Template (04-2019)

Page 10 of 15 Can you map this system to an applicable retention schedule in 1.

NRCs Comprehensive Records Disposition Schedule (NUREG-0910), or NARAs General Records Schedules?

Yes.

If yes, please cite the schedule number, approved disposition, and a.

describe how this is accomplished (then move to F.1).

General Records Schedule (GRS) 2.3, item 10 - Employee relations programs administrative records. Temporary. Destroy when 3 years old, but longer retention is authorized if required for business use.

GRS 2.3, item 090 - Labor arbitration (negotiated grievance procedure) case records. Temporary. Destroy 3 years after close of case, but longer retention is authorized if required for business use.

GRS 2.3, item 130 - Labor management relations agreement negotiation records. Temporary. Destroy 5 years after expiration of agreement or final resolution of case, as appropriate, but longer retention is authorized if required for business use.

Note: The United States Office of Personnel Management has determined that agencies may decide how long, within the range of 4 to7 years, administrative grievance, adverse action and performance-based action records need to be retained. To implement this authority, each agency must select one fixed retention period, between 4 and 7 years.

Agencies are not authorized to use different retention periods for individual cases. The agency should publish the chosen retention in the agencys records disposition manual, and any other issuance dealing with the disposition of these records.

GRS 2.3, item 060 - Administrative grievance, disciplinary, performance-based, and adverse action case files. Temporary. Destroy no sooner than 4 years but no later than 7 years after case is closed or final settlement on appeal, as appropriate. [NRC previously elected to destroy when 7 years old, therefore use that retention.]

RESCINDED PER TRANSMITTAL NO. 23* The old GRS was not a disposition authority, but rather instruction to either apply an existing schedule or submit a new one.

For example, will the records or a composite thereof be

deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

PIA Template (04-2019)

Page 11 of 15 If no, please contact the Records and Information Management (RIM) b.

staff at ITIMPolicy.Resource@nrc.gov.

TECHNICAL ACCESS AND SECURITY F.

Describe the security controls used to limit access to the system 1.

(e.g., passwords).

Access to the tracking system will be restricted using SharePoint permissions.

What controls will prevent the misuse (e.g., unauthorized browsing) of 2.

system data by those having access?

The Program Manager will define the user access roles of the OCHCO/PLERB and will monitor all accessibility to the tracking system. Each user will be restricted/limited access by the use of SharePoint permissions. The system will not be accessible by unauthorized users.

Are the criteria, procedures, controls, and responsibilities regarding access 3.

to the system documented?

No.

If yes, where?

(1)

Will the system be accessed or operated at more than one location (site)?

4.

Yes. Designated users within OCHCO/PLERB working at alternate work sites will have access to information stored in the system at their desk, at Headquarters or in the regions, or by using CITRIX or VPN to access their NRC accounts remotely.

If yes, how will consistent use be maintained at all sites?

a.

Users are required to adhere to NRCs policies for computer use.

Which user groups (e.g., system administrators, project managers, etc.)

5.

have access to the system?

Only OCHCO/PLERB users will have access to the system.

Will a record of their access to the system be captured?

6.

Yes.

PIA Template (04-2019)

Page 12 of 15 If yes, what will be collected?

a.

The Versioning feature in SharePoint will capture the user and timestamp associated with any changes and will list values of modified fields.

Will contractors be involved with the design, development, or maintenance 7.

of the system?

Possibly, but not anticipated at this time.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or personally identifiable information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause

52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

PII clause, Contractor Responsibility for Protecting Personally Identifiable

Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

What auditing measures and technical safeguards are in place to prevent 8.

misuse of data?

SharePoint permissions will ensure that only approved OCHCO/PLERB staff have access to the data. The Versioning feature in SharePoint will capture the user and timestamp associated with any changes and will list values of modified fields.

Is the data secured in accordance with Federal Information Security 9.

Management Act (FISMA) requirements?

Yes.

If yes, when was Certification and Accreditation last completed?

a.

The Labor Relations Tracking System is covered by the Certification and Accreditation of the NRCs Information Technology Infrastructure which was fully authorized in September 2017.

PIA Template (04-2019)

Page 13 of 15 PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: The Labor and Employee Relations Tracking System Submitting Office: Office of the Chief Human Capital Officer (OCHCO)

A.

PRIVACY ACT APPLICABILITY REVIEW Privacy Act is not applicable.

X Privacy Act is applicable.

Comments:

Labor Relations Tracking System will be covered by NRCs Privacy Act System of Records NRC-8, Employee Disciplinary Actions, Appeals, Grievances, and Complaints.

Reviewers Name Title Privacy Officer B.

INFORMATION COLLECTION APPLICABILITY DETERMINATION X

No OMB clearance is needed.

OMB clearance is needed.

Currently has OMB Clearance. Clearance No.

Comments:

Reviewers Name Title Agency Clearance Officer Signed by Hardy, Sally on 09/22/20 Signed by Cullison, David on 09/22/20

PIA Template (04-2019)

Page 14 of 15 C.

RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION No record schedule required.

Additional information is needed to complete assessment.

Needs to be scheduled.

X Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewers Name Title Sr. Program Analyst, Electronic Records Manager D.

BRANCH CHIEF REVIEW AND CONCURRENCE X

This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Chief Cyber Security Branch Governance and Enterprise Management Services Division Office of the Chief Information Officer Signed by Dove, Marna on 09/21/20 Signed by Brown, Cris on 10/16/20

PIA Template (04-2019)

Page 15 of 15 TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/

PRIVACY IMPACT ASSESSMENT REVIEW RESULTS TO: Miriam Cohen, Director, Office of the Chief Human Capital Officer (OCHCO)

Name of System: The Labor and Employee Relations Tracking System Date CSB received PIA for review:

September 03, 2020 Date CSB completed PIA review:

September 22, 2020 Noted Issues:

Chief Cyber Security Branch Governance and Enterprise Management Services Division Office of the Chief Information Officer Signature/Date:

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr.

Director IT Services Development and Operations Division Office of the Chief Information Officer Jonathan R. Feibus Chief Information Security Officer (CISO)

Office of the Chief Information Officer Signed by Brown, Cris on 10/16/20