ML20303A215

Reasonable Accommodation Tracking Tool Privacy Impact Assessment (Pia)
ML20303A215
Person / Time
Issue date: 10/30/2020
From: James Shea
NRC/OCHCO/HCAB
To:
John E. Shea, 301-415-0246
References
Download: ML20303A215 (16)


Text

PIA Template (09-2020) Page 1 of 16

U.S. Nuclear Regulatory Commission Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Reasonable Accommodation Tracking Tool

Date: June 02, 2020

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:

The Reasonable Accommodation Tracking Tool is located on the Office of the Chief Human Capital Officer (OCHCO) SharePoint site, internal to the U.S. Nuclear Regulatory Commission (NRC), and will replace an existing Access database which is used to track employee requests for reasonable accommodations.

2. What agency function does it support?

The NRC has committed to increase the population of employees with disabilities at the NRC to 2% in accordance with the agency's Disability Strategic Plan.

3. Describe any modules or subsystems, where relevant, and their functions.

N/A.

4. What legal authority authorizes the purchase or development of this system?

Executive Order 13164 states that an agency's procedures must:

"Ensure that agencies' systems of recordkeeping track the processing of requests for reasonable accommodation and maintain the confidentiality of medical information received in accordance with applicable law and regulations." (Order, Section 1(b)(9))

The Order does not require that agencies maintain particular record-keeping systems, documents, or databases. Nonetheless, all agencies must be able to identify at least the following information:

the number and types of reasonable accommodations that have been requested in the application process and whether those requests have been granted or denied;

the jobs (occupational series, grade level, and agency component) for which reasonable accommodations have been requested;

the types of reasonable accommodations that have been requested for each of those jobs;

the number and types of reasonable accommodations for each job, by agency component, that have been approved, and the number and types that have been denied;

the number and types of requests for reasonable accommodations that relate to the benefits or privileges of employment, and whether those requests have been granted or denied;

the reasons for denial of requests for reasonable accommodation;

the amount of time taken to process each request for reasonable accommodation; and

the sources of technical assistance that have been consulted in trying to identify possible reasonable accommodations.

5. What is the purpose of the system and the data to be collected?

Based on the Executive Order 13164, all agencies are required to track reasonable accommodations requests. The Reasonable Accommodation Tracking Tool will be used to track employee requests for reasonable accommodations.

6. Points of Contact:

| Role | Name | Office/Division/Branch | Telephone |
|---|---|---|---|
| Project Manager | Anne Meyer | OCHCO/PLERB | 301-287-0745 |
| Business Project Manager | Bi Smith | OCHCO/PLERB | 301-287-0553 |
| Technical Project Manager | Sally Wilding | OCHCO/HCAB | 301-287-0596 |
| Executive Sponsor | Mary Lamary | OCHCO | 301-415-3300 |
| ISSO | Julie Hughes | OCIO/GEMSD/CSB | 301-287-9277 |
| System Owner/User | Mary Lamary | OCHCO | 301-415-3300 |

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. [ ] New System   [X] Modify Existing System   [ ] Other
b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes.

(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

Main Library (ML) ML16327A443.

(2) If yes, provide a summary of modifications or other changes to the existing system.

Updated Business Project Manager, updated template.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes.

a. If yes, please provide the EA/Inventory number.

20200054.

b. If no, please contact EA Service Desk to get the EA/Inventory number.

N/A.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).

Federal employees requesting a reasonable accommodation.

(2) IF NO, SKIP TO QUESTION B.2.

N/A.

b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?

The following information is maintained: name, accommodation being requested, accommodation type, impairment, disability type, disability condition, 504/508 explanation, and case notes. Medical documentation is not uploaded to SharePoint.

c. Is information being collected from the subject individual?

Yes. Information may also be submitted by the employee's supervisor.

(1) If yes, what information is being collected?

The following information is being collected: name, title, grade, series, agency email address, office, duty station, supervisor name, supervisor email address, supervisor phone number, accommodation being requested, type of accommodation request, impairment type, major life activity affected, disability type, and disabling condition.

d. Will the information be collected from individuals who are not Federal employees?

No.

(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?

N/A.

(a) If yes, indicate the OMB approval number:

N/A.

e. Is the information being collected from existing NRC files, databases, or systems?

No.

(1) If yes, identify the files/databases/systems and the information being collected.

N/A.

f. Is the information being collected from external sources (any source outside of the NRC)?

No.

(1) If yes, identify the source and what type of information is being collected?

N/A.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

The Disability Program Manager, or designee(s), will verify the currency, accuracy and completeness of data.

h. How will the information be collected (e.g. form, data transfer)?

Information is being collected primarily through the completion of NRC Form 726, but some information may be collected via email. The form is maintained in a case file associated with the request.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

No.

(1) If yes, identify the type of information (be specific).

N/A.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

N/A.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

The SharePoint list tracks reasonable accommodation requests and provides statistical information on types of accommodation requests.

1. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

2. Who will ensure the proper use of the data in this system?

The Disability Program Manager, or designee(s), is responsible for ensuring the proper use of the information.

3. Are the data elements described in detail and documented?

No. The data elements are available in the settings of the SharePoint list.

a. If yes, what is the name of the document that contains this information and where is it located?

N/A.

4. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A.

b. How will aggregated data be validated for relevance and accuracy?

N/A.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A.

5. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

Yes.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

Information is retrieved by employee name or case type.

6. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

Yes.

a. If Yes, provide name of SORN and location in the Federal Register.

OPM/GOVT 1 - General Personnel Records - NRC 11 General Personnel Records (Official Personnel Folder and Related Records) replaced with government-wide SORN.

7. If the information system is being modified, will the SORN(s) require amendment or revision?

No.

8. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

N/A.

(1) What controls will be used to prevent unauthorized monitoring?

N/A.

9. List the report(s) that will be produced from this system.

There are no formal reports produced. There will be an ability to produce reports, if necessary, in the future. The Disability Program Manager, or designee(s) may provide statistical data to NRC management upon request.

a. What are the reports used for?

N/A.

b. Who has access to these reports?

N/A.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

Access to the data is limited to designated staff in OCHCO. No other offices will have access to the data.

(1) For what purpose?

(2) Will access be limited?

Yes.

2. Will other NRC systems share data with or have access to the data in the system?

No.

(1) If yes, identify the system(s).

N/A.

(2) How will the data be transmitted or disclosed?

N/A.

3. Will external agencies/organizations/public have access to the data in the system?

No.

(1) If yes, who?

N/A.

(2) Will access be limited?

N/A.

(3) What data will be accessible and for what purpose/use?

N/A.

(4) How will the data be transmitted or disclosed?

N/A.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 U.S.C., 36 Code of Federal Regulations (CFR)).

Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules (GRS)?

Yes.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1). For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

The information in SharePoint will be assessed with the office using the RIM Certification process to ensure electronic recordkeeping procedures and controls are in place to manage the data and information appropriately. This can be done during the development and implementation and does not delay the PIA.

Other information and records generated that are not put into SharePoint will be assessed using the Information Inventory (NUREG 0910) which includes the GRS.

The old GRS 1.24, Reasonable Accommodation Request Records, is superseded by:

GRS 2.3 - Employee Relations Records, item 010: Destroy when 3 years old, but longer retention is authorized if required for business use. (DAA-GRS-2018-0002-0001)

The old GRS 1.24.b: Employee Case File is superseded by:

GRS 2.3 item 020: Destroy 3 years after employee separation from the agency or all appeals are concluded, whichever is later, but longer retention is authorized if required for business use. (DAA-GRS-2018-0002-0002)

The old GRS 1.24.c: Supplemental Files is superseded by:

GRS 2.3 item 020: Destroy 3 years after employee separation from the agency or all appeals are concluded, whichever is later, but longer retention is authorized if required for business use. (DAA-GRS-2018-0002-0002)

GRS 1.24.d: Tracking System is superseded by:

GRS 2.3 item 010: Destroy when 3 years old, but longer retention is authorized if required for business use. (DAA-GRS-2018-0002-0001)

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Access to information will be restricted using SharePoint permissions.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

The Disability Program Manager, or designee(s) is/are the sole user(s) of the system. Access will be controlled by the use of SharePoint permissions. The information will not be accessible by unauthorized users.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

No. OCHCO uses an internal SharePoint list to request and track access requests. The Disability Program Manager may submit an access request to add or remove a designated back-up.

(1) If yes, where?

N/A.

4. Will the system be accessed or operated at more than one location (site)?

Yes.

a. If yes, how will consistent use be maintained at all sites?

Designated OCHCO users may access SharePoint remotely via the NRC VPN or Citrix environments. Users are required to adhere to NRC's policies for computer use.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

The Disability Program Manager, or designee(s), Branch Chief of the Policy, Employee and Labor Relations Branch, and OCHCO SharePoint administrator(s) will have access to the Reasonable Accommodation SharePoint list.

6. Will a record of their access to the system be captured?

Yes.

a. If yes, what will be collected?

The Versioning feature in SharePoint will capture the user and timestamp associated with any changes and will list values of modified fields.

7. Will contractors be involved with the design, development, or maintenance of the system?

No.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

SharePoint permissions will ensure that only approved users have access to the data. The Versioning feature in SharePoint will capture the user and timestamp associated with any changes and will list values of modified fields.

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

Yes.

a. If yes, when was Certification and Accreditation last completed?

The Reasonable Accommodation Tracking Tool, based on Microsoft (MS) SharePoint, benefits from NRC's Microsoft Office 365 (O365) Certification and Accreditation. SharePoint (an MS O365 component) is included in NRC's Information Technology Infrastructure, which was fully authorized in September 2017.

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: Reasonable Accommodation Tracking Tool

Submitting Office: Office of the Chief Human Capital Officer

A. PRIVACY ACT APPLICABILITY REVIEW

[ ] Privacy Act is not applicable.

[X] Privacy Act is applicable.

Comments:

System only contains information about federal employees and the information is retrieved by an individual's name. The system is covered by NRC 11 - Reasonable Accommodations Records.

Reviewer's Name: Signed by Hardy, Sally on 10/29/20

Title: Privacy Officer

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

[X] No OMB clearance is needed.

[ ] OMB clearance is needed.

[ ] Currently has OMB Clearance. Clearance No.

Comments:

Reviewer's Name: Signed by Cullison, David on 10/16/20

Title: Agency Clearance Officer

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

[ ] No record schedule required.

[ ] Additional information is needed to complete assessment.

[ ] Needs to be scheduled.

[X] Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name: Signed by Dove, Marna on 10/22/20

Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE

[X] This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

[ ] This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Signed by Brown, Cris on 10/30/20

Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Mary A. Lamary, Deputy, Office of the Chief Human Capital Officer (OCHCO)

Name of System: Reasonable Accommodation Tracking Tool

Date CSB received PIA for review: June 05, 2020

Date CSB completed PIA review: October 29, 2020

Noted Issues:

Requested the Office of the General Counsel (OGC) to review due to OCHCO creating a new form requesting to collect information from contractors and visitors. OGC determined that contractor employees should direct reasonable accommodation requests to their contractor employers, not to the NRC OCHCO. OGC's view is that there is no basis to expand the categories of individuals covered by NRC 11 to include NRC contractors. As for visitors, the information is being maintained by date of the public meeting, and therefore there is no need to expand the system of records coverage, under NRC 11 or otherwise, to cover records of official-business visitor requests for reasonable accommodations. With these determinations, we do not need to revise the PIA or SORN.

Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer

Signature/Date: Signed by Brown, Cris on 10/30/20

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr., Director, IT Services Development and Operations Division, Office of the Chief Information Officer

Jonathan R. Feibus, Chief Information Security Officer (CISO), Office of the Chief Information Officer