ML21060B559

Privacy Impact Assessment for NRC Careers System
ML21060B559
Person / Time
Issue date: 07/23/2021
From: Nalabandian G
NRC/OCIO
To:
Bobryakova N


Text

U.S. Nuclear Regulatory Commission

Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

NRC Careers System (NRCareers)

Date: February 22, 2021

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system: (Use plain language, no technical terms.)

NRCareers is the Nuclear Regulatory Commission's (NRC's) web-based job application system that facilitates the posting of vacancy announcements to the Office of Personnel Management's (OPM's) USAJOBS system and gives applicants the ability to apply for vacancies online. NRCareers also passes information on the selectees to the Workforce Transformation Tracking System (WTTS) and the Entrance on Duty System (EODS), the agency's onboarding solutions.

The NRCareers system gives job seekers the ability to create and advertise their resumes, search government jobs, and apply for a job directly through the web interface. The Office of the Chief Human Capital Officer (OCHCO) personnel use NRCareers to create and advertise government jobs, source candidates for employment consideration, and manage the recruiter hiring process through the web interface. The NRC leverages the USAJOBS system to post its positions; however, the agency's recruitment system is NRCareers. NRCareers is operated by Monster Government Solutions on their Software as a Service cloud-based system, Monster Hiring Management Enterprise (MHME). NRCareers is a component of the NRC's Third Party System (TPS) OCHCO External Services (OES) subsystem. TPS provides a framework for managing cybersecurity compliance for numerous external IT services used by the NRC.

NRCareers is procured by the NRC through an interagency agreement with the Department of the Interior's Interior Business Center. The system is entirely web-based and has no technical components on the NRC infrastructure.

2. What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commission's (NRC's) mission, which strategic goal?)

NRCareers supports the agency in filling vacancies, evaluating candidates, and onboarding selectees by passing information to WTTS and USAJOBS.

PIA Template (01-2021)

3. Describe any modules or subsystems, where relevant, and their functions.

NRCareers includes the Monster Position Classification module that enables the classification of positions, the creation of Position Descriptions (PDs), Functional Statements, Benchmarking, and coversheets. It also includes work and workflow management capabilities that facilitate collaboration among Classification Stakeholders.

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

NRCareers was upgraded in Fiscal Year 2007 to be compliant with the e-government Recruitment-One-Stop/ USA Jobs mandate.

5. What is the purpose of the system and the data to be collected?

NRCareers supports the following functions: on-line vacancy creation by the OCHCO personnel; the on-line application process; interfaces to required web sites such as the OPM's USAJOBS; and an automated rating process. Collected data is used for resume creation and applicant identification.

6. Points of Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Project Manager: Dariele Taswell; Office/Division/Branch: OCHCO/ADHROP/OB; Telephone: 301-287-0728

Business Project Manager: Dariele Taswell; Office/Division/Branch: OCHCO/ADHROP/OB; Telephone: 301-287-0728

Technical Project Manager: John Shea; Office/Division/Branch: OCHCO/HCAB; Telephone: (301) 415-0246

Executive Sponsor: Susan Salter; Office/Division/Branch: OCHCO/ADHROP; Telephone: 301-287-0545

ISSO: Natalya Bobryakova; Office/Division/Branch: OCIO/GEMSD/CSB/IAT; Telephone: 301-287-0671

System Owner/User: Thomas Ashley; Office/Division/Branch: OCIO/ITSDOD; Telephone: 301-415-0771

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. New System Modify Existing System X Other
b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes.

(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

A PIA was approved on July 12, 2018, ADAMS accession number Main Library (ML)18075A261.

(2) If yes, provide a summary of modifications or other changes to the existing system.

Updated the system description, Points of Contact table, previous PIA date and accession number, Enterprise Architecture (EA) number and authorization details.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes.

a. If yes, please provide the EA/Inventory number.

EA Number 20180002.

b. If, no, please contact EA Service Desk to get the EA/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).

NRCareers collects information about applicants for NRC vacancies. These applicants may be NRC employees, NRC contractors, other Federal employees, or the general public.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?

NRCareers maintains employment application information about individuals such as their employment history, training and awards, education, personal information such as address and phone number, references, and any information applicants provide on their resumes.

NRCareers maintains an applicant's SSN as a unique identifier.

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

All information collected in NRCareers is provided directly from the subject individuals building their resumes.

(1) If yes, what information is being collected?

NRCareers collects employment history, training and awards, education, personal information such as address and phone number, references, and SSN.

d. Will the information be collected from individuals who are not Federal employees?

Yes, information can be collected from applicants who are not federal employees.

(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?

No. OCHCO is working with the Information Collection Team on requesting OMB clearance.

(a) If yes, indicate the OMB approval number:

N/A.

e. Is the information being collected from existing NRC files, databases, or systems?

No, information is not being collected from existing NRC files, databases or systems.

(1) If yes, identify the files/databases/systems and the information being collected.

N/A.

f. Is the information being collected from external sources (any source outside of the NRC)?

Yes.

(1) If yes, identify the source and what type of information is being collected?

NRCareers collects employment history, training and awards, education, personal information such as addresses and phone numbers, references, and SSNs from individuals responding to vacancies via OPM's USAJOBS system.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

Applicants have an obligation to provide truthful information during the vacancy application process. Information is verified by the agency Human Resources (HR) professional or selecting official.

h. How will the information be collected (e.g. form, data transfer)?

Information is collected electronically through forms on USAJOBS and NRCareers web pages on www.monster.com.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).

Information about position vacancies is maintained in NRCareers, such as title, grade, salary, duties, and required skills. In addition, NRCareers has general government information such as benefits, veterans' preference rules, etc., which are used when posting vacancy announcements.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

This information comes from internal sources such as PD and crediting plans and from external sources such as OPM's USAJOBS.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

The information will be used to fill NRC position vacancies.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

3. Who will ensure the proper use of the data in this system?

The HR specialist and hiring managers.

4. Are the data elements described in detail and documented?

Yes.

a. If yes, what is the name of the document that contains this information and where is it located?

Data elements are listed in the OPM USAJOBS Privacy Impact Assessment.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No, the system does not derive or create new information.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A.

b. How will aggregated data be validated for relevance and accuracy?

N/A.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A.

6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

Information can be retrieved by the vacancy announcement number and name.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

SSN and name are used to retrieve individual applicant information as well as a vacancy announcement number.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

No, a SORN has not been published.

a. If Yes, provide name of SORN and location in the Federal Register.

N/A.

8. If the information system is being modified, will the SORN(s) require amendment or revision?

No SORN has been published.

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No, individuals are not monitored, located or identified.

a. If yes, explain.

(1) What controls will be used to prevent unauthorized monitoring?

10. List the report(s) that will be produced from this system.

The system can produce various reports such as applicant reports and vacancy statistics reports.

a. What are the reports used for?

The reports are used to view information about applicants and vacancies.

b. Who has access to these reports?

The system administrator assigns authorized users to a permission group.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

OCHCO personnel and offices that have position vacancies will have access to the system information.

(1) For what purpose?

To post vacancies and view job applications.

(2) Will access be limited?

Yes, account managers review accounts and are able to disable accounts as advised by supervisors.

2. Will other NRC systems share data with or have access to the data in the system?

No, other NRC systems do not share data with or have access to NRCareers.

(1) If yes, identify the system(s).

N/A.

(2) How will the data be transmitted or disclosed?

N/A.

3. Will external agencies/organizations/public have access to the data in the system?

No external agencies or organizations will have access to the system data.

(1) If yes, who?

N/A.

(2) Will access be limited?

N/A.

(3) What data will be accessible and for what purpose/use?

N/A.

(4) How will the data be transmitted or disclosed?

N/A.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules (GRS)?

Yes.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).

For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

The records and information identified in the system are Federal records that are covered under:

GRS 2.1: Item 020, Official record copy of position description: Temporary. Destroy 2 years after position is abolished or description is superseded, but longer retention is authorized if required for business use.

GRS 2.1: Item 060, Employee Acquisition Records: Temporary. Destroy 1 year after date of submission.

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Access to the system is requested via a request form used for all HR systems.

The NRCareers System Administrator sets up access based on this request.

The user receives a user identification and password for the system which they use to access those parts of the system that are included in their permission group. Permission Groups are also changed based on the same request form.

When a user leaves, their permission is removed from the system so they can no longer access information.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

MHME is designed to implement security and privacy controls required for a Moderate impact system per Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems.

Passwords and role-based access controls are in place and when records are inserted or modified, a record of the date/time and user ID is maintained.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes.

(1) If yes, where?

Documentation is maintained by OCHCO and Office of Chief Information Officer (OCIO) personnel in ADAMS and SharePoint.

4. Will the system be accessed or operated at more than one location (site)?

No, the system is operated only at one location.

a. If yes, how will consistent use be maintained at all sites?

N/A.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

NRCareers has a designated System Administrator and several permission groups for HR specialists/regional users. There is also a permission group for selecting officials and rating panel/reviewing officials.

6. Will a record of their access to the system be captured?

Yes.

a. If yes, what will be collected?

The user ID, time, date, and the individual action that occurred will be collected.

7. Will contractors be involved with the design, development, or maintenance of the system?

The NRCareers application is hosted by Monster Government Solutions. In addition, OCHCO employs several other contractors who review and update information in the system.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

Passwords and access level controls are in place and when records are inserted or modified, a record of the date/time and user ID is maintained.

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

Yes.

a. If yes, when was Certification and Accreditation last completed?

As of April 2021, Monster Government Solutions was working with the U.S. General Services Administration (GSA) to obtain an Authority to Operate (ATO) for MHME. Once the GSA's authorization is granted, Monster Government Solutions and GSA, as their sponsor, will initiate a Federal Risk and Authorization Management Program (FedRAMP) authorization process for MHME.

NRC granted an ATO for NRCareers, as a component of the TPS-OES subsystem, on December 20, 2018 (ADAMS accession number ML18354A944).

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: NRC Careers System (NRCareers)

Submitting Office: Office of Chief Human Capital Officer

A. PRIVACY ACT APPLICABILITY REVIEW

Privacy Act is not applicable.

X Privacy Act is applicable.

Comments:

This system is covered by Government-wide System of Records Notice OPM/GOVT-5 Recruiting, Examining, and Placement Records.

Reviewer's Name: Signed by Hardy, Sally on 03/09/21
Title: Privacy Officer

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

No OMB clearance is needed.

X OMB clearance is needed.

Currently has OMB Clearance. Clearance No.

Comments:

OCHCO has committed to obtaining an OMB clearance for collecting this information.

Reviewer's Name: Signed by Cullison, David on 03/08/21
Title: Agency Clearance Officer

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

No record schedule required.

Additional information is needed to complete assessment.

Needs to be scheduled.

X Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name: Signed by Dove, Marna on 03/05/21
Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE

This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Signed by Nalabandian, Garo on 03/09/21
Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Susan Salter, Office of Chief Human Capital Officer

Name of System: NRC Careers System (NRCareers)

Date CSB received PIA for review: February 22, 2021

Date CSB completed PIA review: March 9, 2021

Noted Issues:

Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer

Signature/Date: Signed by Nalabandian, Garo on 03/09/21

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr.
Director
IT Services Development and Operations Division
Office of the Chief Information Officer

Jonathan R. Feibus
Chief Information Security Officer (CISO)
Office of the Chief Information Officer