ML20295A411

Web Advisory Committee Tracking System (Webacts) Privacy Impact Assessment (Pia)
ML20295A411
Person / Time
Issue date: 12/18/2020
From: Charles Brown, Benjamin Partlow
Advisory Committee on Reactor Safeguards
To:
Sandra Walker, 301-415-1401


Text

PIA Template (12-2020) 1

U.S. Nuclear Regulatory Commission
Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Web Advisory Committee Tracking System (WebACTS)

Date: October 16, 2020

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system: (Use plain language, no technical terms.)

The Web Advisory Committee Tracking System (WebACTS) is an automated information management system which supports the daily functions of the administrative and technical staff within the Office of the Advisory Committee on Reactor Safeguards (ACRS). These functions include the management of the technical work for the ACRS technical branch. This includes the Committee's technical letter reports to the Commission, as well as the management of administrative business functions of the ACRS, including travel, training, contracts, budget appropriations, conference room scheduling, meeting schedules and expenditures. WebACTS contains no classified information.

2. What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commission's (NRC's) mission, which strategic goal?)

The WebACTS tool supports the daily business functions of the ACRS. The mission of the Advisory Committee supports the U.S. Nuclear Regulatory Commission Strategic Goal of safety.

3. Describe any modules or subsystems, where relevant, and their functions.

Program Management, Policy Development & Analysis (PMDA) Module:

Employee/Member/Consultant information: Required for travel and training management.

Appropriation: Available budget and expenditures for a fiscal year.

Travel: Authorizations and travel claims for Committee members and staff.

Training: External training information for staff including training cost.

Procurement: Maintaining information of ACRS contracts and bankcard purchases.

Reviews: Internal business process audit reviews to support management controls.

Reports: Custom reports that assist with the management of PMDA functions.

Technical Module:

Technical Workload: Technical topics addressed by ACRS.

Scheduler: 10 Full and up to 120 Subcommittee Meetings.

Reports: Custom reports that assist with management of technical functions.

Management Module:

Custom reports for ACRS management.

Control Panel Module:

System Administration Corner: The ability to administer the system and establish security for WebACTS.

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

N/A.

5. What is the purpose of the system and the data to be collected?

Daily ACRS Committee oversight and management.

6. Points of Contact: (Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Role                       Name               Office/Division/Branch   Telephone
Project Manager            Sandra Walker      ACRS/PMDA                301-415-1401
Business Project Manager   Alesha Bellinger   ACRS/PMDA                301-415-0596
Technical Project Manager  Larry Burkhart     ACRS/TSB                 301-287-3775
Executive Sponsor          Scott Moore        ACRS                     301-415-7360
ISSO                       Consuella Debnam   OCIO/GEMSD/CSB           301-287-0834
System Owner/User          Thomas Ashley      OCIO/ITSDOD/D            301-415-0771

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?

a.  New System
    Modify Existing System  X
    Other

b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes.

(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

2018 - Main Library (ML) ML18130A841.

(2) If yes, provide a summary of modifications or other changes to the existing system.

Reviewed and updated the new PIA.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes.

a. If yes, please provide the EA/Inventory number.

20080003.

b. If no, please contact EA Service Desk to get the EA/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS

a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensees, etc.)).

Federal Government employees and Special Government Employees (SGEs).

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?

Name, work address, work e-mail, and work telephone numbers.

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

Yes.

(1) If yes, what information is being collected?

E-mails and telephone numbers for members and consultants are used by technical staff to discuss technical topics.

Home or work addresses are identified for ACRS to send technical materials to members/consultants as read-aheads to ACRS meetings.

d. Will the information be collected from individuals who are not Federal employees?

No.

(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?

N/A.

(a) If yes, indicate the OMB approval number:

N/A.

e. Is the information being collected from existing NRC files, databases, or systems?

No.

(1) If yes, identify the files/databases/systems and the information being collected.

N/A.

f. Is the information being collected from external sources (any source outside of the NRC)?

No.

(1) If yes, identify the source and what type of information is being collected?

N/A.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

SGEs are members and consultants. They are asked to give ACRS their latest contact information.

h. How will the information be collected (e.g. form, data transfer)?

Personal e-mail.

2. INFORMATION NOT ABOUT INDIVIDUALS

a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).

No classified data is entered into the system. Information about technical topics discussed at the Committee; schedule of the Committee meetings and the members attending each subcommittee meeting, and funding information on ACRS VISA purchases and contract information are in the system.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

A WebACTS user (with the appropriate privileges) is an ACRS manager, technical engineer, program assistant or management analyst. The user enters the information from internal agency sources. The schedule of ACRS Committee meetings depends on the schedule of work set by program offices or from external sources. The system contains data items for tracking the identified tasks and the capability to re-create, capture, save and archive necessary U.S. Nuclear Regulatory Commission (NRC) forms associated with each task, i.e. NRC Form 279, Official Travel Authorization.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

Note: The limited amount of personal data (i.e., name, work address, e-mail address, and phone numbers) is only visible to the system administrator and authorized users and is entered by ACRS staff into WebACTS in order to support the daily functions of the ACRS staff. The system's objective is not to collect information about the public, nor is it imposing an information collection burden on the public. Therefore, Section C has been viewed as Not Applicable (N/A).

1. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

2. Who will ensure the proper use of the data in this system?

ACRS Management.

3. Are the data elements described in detail and documented?

Yes.

a. If yes, what is the name of the document that contains this information and where is it located?

WebACTS Developer Documentation - ACRS.

4. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A.

b. How will aggregated data be validated for relevance and accuracy?

N/A.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A.

5. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

Yes.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

In the form of reports, i.e., report on Member names and term dates.

NRC forms.

6. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

No.

a. If yes, provide name of SORN and location in the Federal Register.

N/A.

7. If the information system is being modified, will the SORN(s) require amendment or revision?

No.

8. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

N/A.

(1) What controls will be used to prevent unauthorized monitoring?

N/A.

9. List the report(s) that will be produced from this system.

Administratively, WebACTS will produce custom reports on a variety of sorted information, e.g., an alphabetical listing of the current members and their term dates (limited to 4 years), displaying a checklist for new committee members (to show which NRC forms have been processed and which ones are pending), displaying the renewal/exit checklist for members, a list of TACs used by ACRS, and VISA log expenditures per month.

Technically, WebACTS produces reports on the Committee's future activities which are used for planning purposes with the Office of the Executive Director for Operations, the Operating Plan, etc.

a. What are the reports used for?

Reports serve a variety of operational and managerial needs:

To determine if there are schedule conflicts to set up a committee/subcommittee meeting.

To monitor member and engineering/scientist workloads to maintain a balance of work among the technical staff.

To obtain information on the Committee member to send the technical topics for review to them prior to Committee meetings.

Monthly VISA log to the Office of the Chief Financial Officer.

Travel and training expenditures.

b. Who has access to these reports?

Authorized ACRS staff only.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

The ACRS technical and administrative staff will have access to the information.

The information in WebACTS has been categorized to be low in confidentiality, low in availability and low in integrity. WebACTS will only be available as an in-house application for ACRS. There will be no access by the public or other agencies.

(1) For what purpose?

Management of committee meetings and related tasks, as well as appropriations and related expenses.

(2) Will access be limited?

Yes.

2. Will other NRC systems share data with or have access to the data in the system?

No. WebACTS does not have a direct link to other NRC applications.

(1) If yes, identify the system(s).

N/A.

(2) How will the data be transmitted or disclosed?

N/A.

3. Will external agencies/organizations/public have access to the data in the system?

No.

(1) If yes, who?

N/A.

(2) Will access be limited?

N/A.

(3) What data will be accessible and for what purpose/use?

N/A.

(4) How will the data be transmitted or disclosed?

N/A.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have an approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules (GRS)?

Yes.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).

For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

Record Type: Travel authorization
Citation: GRS 1.1 item 010 - Record Copy
Disposition: Temporary
Disposition Instructions: Destroy 6 years after final payment or cancellation, but longer retention is authorized if required for business use.

Record Type: Travel authorization
Citation: GRS 1.1 item 011 - all other copies (for administrative or reference purposes); includes ACRS working copies; copies put into IPP and SharePoint; copies filed in cabinets
Disposition: Temporary
Disposition Instructions: Destroy when business use ceases.

Record Type: ACRS Committee Accountability Records. Includes: Contracts, Procurement, Bankcard Purchases, Budget and Expenditures for a Fiscal Year.
Citation: GRS 6.2 item 040
Disposition: Temporary
Disposition Instructions: Destroy when 6 years old. Longer retention is authorized if required for business use.
Note 1: Verify if GRS 1.3 item 050 - Budget Administration Records applies to these records.
Note 2: Contracts and Bankcard Purchases can also be scheduled under GRS 1.1 - Financial Management Records.
Note 3: Invoice processing records may be through the government-wide IPP, Invoice Processing Platform.

Record Type: ACRS Training Management (External training information for staff including training cost)
Citation: GRS 2.6 item 010
Disposition: Temporary
Disposition Instructions: Destroy when 3 years old, or 3 years after superseded or obsolete, whichever is appropriate, but longer retention is authorized if required for business use.
Note: If the training is considered Mission-critical, then those records are Unscheduled and are to be retained as Permanent until an agency-specific schedule is approved.

Record Type: ACRS Management Controls (records created and/or maintained to the overall management of committees)
Citation: GRS 6.2 item 060
Disposition: Temporary
Disposition Instructions: Destroy when 3 years old, 3 years after submission of report, or 3 years after superseded or obsolete, as appropriate. Longer retention is authorized if required for business use.

Record Type: WebACTS Developer Documentation - ACRS
Citation: GRS 3.1 item 051
Disposition: Temporary
Disposition Instructions: Destroy 5 years after the project/activity/transaction is completed or superseded, or the associated system is terminated, or the associated data is migrated to a successor system, but longer retention is authorized if required for business use.
Note: Refer to GRS 3.1 item 050 - Documentation necessary for preservation of permanent electronic records. Permanent. Transfer to the National Archives with the Permanent electronic records to which the documentation relates.

Record Type: System Development Records
Citation: GRS 3.1 item 011
Disposition: Temporary
Disposition Instructions: Destroy 5 years after system is superseded by a new iteration, or is terminated, defunded, or no longer needed for agency/IT administrative purposes, but longer retention is authorized if required for business use.

Record Type: Special purpose computer programs and applications
Citation: GRS 3.1 item 012
Disposition: Temporary
Disposition Instructions: Delete when related master file or database has been deleted, but longer retention is authorized if required for business use.

Record Type: ACRS Members Checklist (included under ACRS Members Personnel Files)
Citation: NUREG 0910 Revision 4-2.3.3.a
Disposition: Temporary
Disposition Instructions: Cut off files when appointment expires, or member resigns. Maintain for life of committee.

Record Type: FACA GRS: Non-substantive Committee Records (administrative nature or duplicates maintained elsewhere); includes meeting logistics
Citation: GRS 6.2 item 050
Disposition: Temporary
Disposition Instructions: Destroy when superseded, obsolete, no longer needed, or upon termination of the committee, whichever is sooner.

Record Type: ACRS Meeting Files
Citation: NUREG 0910 revision 4-2.3.1.a
Disposition: Permanent
Disposition Instructions: Cut off electronic files at close of fiscal year. Maintain for life of Committee. Transfer to NARA 5 years after Committee ceases to exist.

Record Type: ACRS Members General Files
Citation: NUREG 0910 revision 4-2.3.3.a
Disposition: Temporary
Disposition Instructions: Cut off files when appointment expires, or member resigns. Maintain for life of Committee.

Record Type: Substantive Committee Records (includes records which document decisions, discussions, or actions a committee takes)
Citation: GRS 6.2 item 010
Disposition: Permanent
Disposition Instructions: Transfer when records are 15 years old or upon termination of committee, whichever is sooner.

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Secure log-in, restricted access. Access is controlled by password.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

Each user's account is limited by roles to the data that they should have access to.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Documentation to be transitioned to the BASS FISMA system.

(1) If yes, where?

This system is being transitioned to the BASS FISMA system. The BASS Security Categorization document will be updated accordingly.

4. Will the system be accessed or operated at more than one location (site)?

Yes.

a. If yes, how will consistent use be maintained at all sites?

Virtual Private Network, Citrix.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

All ACRS staff.

6. Will a record of their access to the system be captured?

Yes.

a. If yes, what will be collected?

Activity logs, including name, date and time of access.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

No.

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

The application resides on the BASS infrastructure and will be assessed accordingly.

a. If yes, when was Certification and Accreditation last completed?

To be updated as the application is transitioned to BASS.

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: Web Advisory Committee Tracking System (WebACTS)

Submitting Office: Office of the Advisory Committee on Reactor Safeguards (ACRS)

A. PRIVACY ACT APPLICABILITY REVIEW

X  Privacy Act is not applicable.
   Privacy Act is applicable.

Comments:

Reviewer's Name / Title: Privacy Officer

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

X  No OMB clearance is needed.
   OMB clearance is needed.
   Currently has OMB Clearance. Clearance No.

Comments: No clearance is needed if information is only collected from Federal Government employees and Special Government Employees (SGEs).

Reviewer's Name / Title: Agency Clearance Officer

Signed by Hardy, Sally on 11/10/20
Signed by Cullison, David on 11/06/20

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

   No record schedule required.
   Additional information is needed to complete assessment.
   Needs to be scheduled.
X  Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name / Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE

X  This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
   This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Acting Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer

Signed by Dove, Marna on 11/06/20
Partlow, Benjamin signing on behalf of Brown, Cris on 12/18/20

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT / PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Scott Moore, Executive Director, Office of the Advisory Committee on Reactor Safeguards (ACRS)

Name of System: Web Advisory Committee Tracking System (WebACTS)

Date CSB received PIA for review: October 16, 2020

Date CSB completed PIA review: November 10, 2020

Noted Issues:

Acting Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer

Signature/Date:

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr., Director, IT Services Development and Operations Division, Office of the Chief Information Officer

Jonathan R. Feibus, Chief Information Security Officer (CISO), Office of the Chief Information Officer

Partlow, Benjamin signing on behalf of Brown, Cris on 12/18/20