ML21204A036

Student Service Tracking Log (Microsoft Excel) Privacy Impact Assessment (PIA)
Issue date: 08/25/2021
From: Nalabandian G
NRC/OCIO/GEMSD/CSB

PIA Template (06-2021)

U.S. Nuclear Regulatory Commission Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Student Service Tracking Log (Microsoft Excel)

Date: July 16, 2021

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system: (Use plain language, no technical terms.)

There is no system. The Office of Nuclear Regulatory Research (RES) grants program uses Microsoft Excel to record and maintain grant recipients' (students') information so that, under the terms of the U.S. Nuclear Regulatory Commission's (NRC's) University Nuclear Leadership grant program, we can track the students through graduation and into employment as required. This information is needed to verify whether a student will have to repay funds received under the grant program if they do not obtain a job in a nuclear-related area. The information collected consists of the following:

Student last name
Student first name
Grantee
Grant award
Type of award
Period of performance
Service agreement recd
Major of student
Student address
Student phone number
Student email
Expected graduation date
Support in years (this is how much time a student is to work in a nuclear position)
Funds recd
Work status
Service obligation reached
Place of employment
Position held
Comments

2. What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commission's (NRC's) mission, which strategic goal?)

The Omnibus Appropriations Act, 2009 (Public Law 111-8) established the IUP between the NRC, the U.S. Department of Energy (DOE), and the National Nuclear Security Administration (NNSA).[1] The act authorized the appropriation of $45 million per year from fiscal year (FY) 2009 to FY 2019, with $15 million for each agency. Of that, $10 million is to be used for university research and development in areas relevant to the respective organization's mission and $5 million to support a jointly implemented Nuclear Science and Engineering Grant Program to fund multi-year research projects that do not align with programmatic missions but are critical to maintaining the discipline of nuclear science and engineering. After initial consultation, the three agencies decided that "jointly implemented" would be accomplished as a coordinated effort. Each agency would independently manage its own portion of the program, but coordination would be done to eliminate duplication or overlaps and to ensure coverage of nuclear science, engineering, and related technical areas.

Coordination is done through semi-annual meetings between the NRC, DOE, and NNSA.

In FY20 Congress enacted the budget for a 1-year follow-on to the program.

In FY21 Congress enacted legislation extending the program to FY25 and changed the name of the program to the University Nuclear Leadership Program (UNLP); the program's mission is the same as above.

3. Describe any modules or subsystems, where relevant, and their functions.

N/A. Only uses Microsoft Excel.

a. Provide ADAMS ML numbers for all Privacy Impact Assessments or Privacy Threshold Analyses for each subsystem.

N/A.

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

The funds are mandated from Congress each year to support the UNLP grant program. There are no funds for a system, as RES uses Microsoft Excel to record and maintain the information required. The Omnibus Appropriations Act, 2009 (Public Law 111-8) established the IUP between the NRC, DOE, and the National Nuclear Security Administration (NNSA).[1] See response in Item #2 above.

[1] The previous year, in FY 2008, $15 million was shifted from DOE to the NRC to administer grant programs for faculty development, fellowships, and scholarships, including scholarships to trade schools and community colleges. A small fellowship and scholarship program was also funded in FY 2007, outside of IUP.

5. What is the purpose of the system and the data to be collected?

As stated in Item 1 above: this information is used to track a student that receives federal grant funds from academia through employment after graduation. The information collected consists of the following:

Grantee
Student last name
Student first name
Grant award
Type of award
Period of performance
Service agreement recd
Major of student
Student address
Student phone number
Student email
Expected graduation date
Support in years (this is how much time a student is to work in a nuclear position)
Funds recd
Work status
Service obligation reached
Place of employment
Position held
Comments

6. Points of Contact: (Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Project Manager: Nancy Hebron-Isreal, RES/PMDA/FPMT, 301-415-6996
Project Manager: Sarah Shaffer, RES/PMDA/FPMT, 301-415-2031
Business Project Manager: Ashley Willen, RES/PMDA/FPMT, 301-415-3327
Technical Project Manager: (blank)
Executive Sponsor: (blank)
ISSO: (blank)
System Owner/User: Sarah Shaffer, RES/PMDA/FPMT, 301-415-2031

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?

a.
New System
Modify Existing System
X Other

b. If modifying or making other updates to an existing system, has a PIA been prepared before?

No.

(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

N/A.

(2) If yes, provide a summary of modifications or other changes to the existing system.

N/A.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes, part of the Information Technology Infrastructure. This is an MS Excel file stored on the G Drive with restricted access.

a. If yes, please provide the EA/Inventory number.

20090005.

b. If no, please contact the EA Service Desk to get the EA/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS

a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).

Students that receive federal grant funds under the UNLP program.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?

Student last name
Student first name
Grantee
Grant award
Type of award
Period of performance
Service agreement recd
Major of student
Student address
Student phone number
Student email
Expected graduation date
Support in years (this is how much time a student is to work in a nuclear position)
Funds recd
Work status
Service obligation reached
Place of employment
Position held
Comments

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

Yes, the grantees (the institutions) request that the student fill out the service agreement, provide the information, and then sign it. The agreement is then a binding contract with the NRC.

(1) If yes, what information is being collected?

Student name, address, phone, email, major/degree, amount of funds received under the grant award, and expected graduation date. Once the student is employed, we require the company, title, and length of time employed at the company in order to mark the service requirement satisfied.

d. Will the information be collected from individuals who are not Federal employees?

Yes.

(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?

The service agreement has been used since the program started in 2009. The form was not approved. In FY20, when RES updated the form to align with the changing grants environment, it came to RES's attention that OMB approval was needed. RES is currently working with the forms manager in the Office of the Chief Information Officer (OCIO) to have the form created, and with the Information Collections Team on the OMB approval.

(a) If yes, indicate the OMB approval number:

Pending.

e. Is the information being collected from existing NRC files, databases, or systems?

No, each service agreement is received from the institutions and then the information is recorded into our Microsoft Excel workbook.

(1) If yes, identify the files/databases/systems and the information being collected.

N/A.

f. Is the information being collected from external sources (any source outside of the NRC)?

Yes.

(1) If yes, identify the source and what type of information is being collected.

The information is pulled from approved student service agreements that are required under the program. The NRC created the agreement; the institutions have the students fill out the forms; then the institution and the NRC approve the agreements, and the NRC logs the student information in the Excel workbook.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

All information is collected from the institution and the student. We have grant staff that monitor the Excel files and provide outreach to the institutions and students to verify and update information.

h. How will the information be collected (e.g. form, data transfer)?

The information is collected through an NRC student service agreement.

2. INFORMATION NOT ABOUT INDIVIDUALS

a. Will information not about individuals be maintained in this system?

N/A.

(1) If yes, identify the type of information (be specific).

N/A.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

N/A.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

The information is used to document the students that are supported under the grant program for the following reasons:

1. All students supported under the UNLP can be hired by the NRC non-competitively (information is used by the Office of the Chief Human Capital Officer (OCHCO)).

2. All students are monitored through the college years and into employment. If a student does not satisfy the service requirements of the grant program, then the student will be required to repay the funds to the NRC.

3. Tracks the student and the amount of federal funds received under each grant award. This is used to provide oversight monitoring on the grant program as required by 2 CFR 200.

The program's focus is to provide skilled workers in specific nuclear areas that will continue to strengthen the nuclear workforce for the future.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes, but it's not a system. It's an Excel workbook.

3. Who will ensure the proper use of the data in this system?

RES grant staff. Currently there are three staff members that record and monitor the data in the Excel workbook. The information is kept on a protected shared drive that is only accessible to these three individuals and a couple of people in OCHCO for recruitment purposes.

4. Are the data elements described in detail and documented?

No, currently there is no written manual for this data collection process. However, the program manager of the UNLP is currently working on a desk manual that covers the full program.

a. If yes, what is the name of the document that contains this information and where is it located?

N/A. Once completed it will be a desk manual for the whole grants program.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

Yes. RES staff are requested to produce information from the workbook for analysis of the program, to inform senior managers and other interested NRC managers. These reports do not include the students' information; they only provide status on metrics related to the program, such as how many students have been supported, how many have graduated, how many have obtained jobs in the nuclear workforce, etc. No personal student information is provided.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

See response above in item 5.

b. How will aggregated data be validated for relevance and accuracy?

RES grant staff are constantly monitoring and providing outreach on the data from institutions (grantees) and the students that are receiving the support.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

The Excel workbook is on a protected shared drive to which a total of 6 people, in RES and OCHCO, have access.

6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

We filter the spreadsheets (workbook) in multiple ways. We use names, grant award numbers, job status, etc.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

Any data can be filtered in the workbook. See information collected in item 1 above.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

No, new request.

a. If yes, provide the name of the SORN and its location in the Federal Register.

N/A.

8. If the information system is being modified, will the SORN(s) require amendment or revision?

This is a new request.

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

Yes.

a. If yes, explain.

Yes, we will track each individual student from time of receiving grant funding through employment.

(1) What controls will be used to prevent unauthorized monitoring?

The information is on a protected shared drive that is only accessible by grant staff and OCHCO.

10. List the report(s) that will be produced from this system.

There are no recurring reports. Only information as previously stated to provide metrics to management. OCHCO also uses this information for recruitment. I'm unaware if OCHCO created reports.

a. What are the reports used for?

There are no recurring reports. Only information as previously stated to provide metrics to management. OCHCO also uses this information for recruitment. I'm unaware if OCHCO created reports.

b. Who has access to these reports?

If there is a need for a report, only grant staff and RES senior management.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

RES and OCHCO.

(1) For what purpose?

RES receives, maintains, and monitors the information as required under the grant program.

OCHCO uses the information for recruitment for jobs and internships.

(2) Will access be limited?

Yes, only individuals with a need to know have access to the protected shared drive.

2. Will other NRC systems share data with or have access to the data in the system?

No.

(1) If yes, identify the system(s).

N/A.

(2) How will the data be transmitted or disclosed?

N/A.

3. Will external agencies/organizations/public have access to the data in the system?

No.

(1) If yes, who?

N/A.

(2) Will access be limited?

N/A.

(3) What data will be accessible and for what purpose/use?

N/A.

(4) How will the data be transmitted or disclosed?

N/A.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have an approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules (GRS)?

Yes.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1). For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

Proposed SORN 47 - Grants Management System, POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS section:

GRS 1.2 item 010 - Grant and cooperative agreement program management records. Temporary. Destroy 3 years after final action is taken on the file, but longer retention is authorized if required for business use.

GRS 1.2 item 020 - Grant and cooperative agreement case files. Successful applications. Temporary. Destroy 10 years after final action is taken on file, but longer retention is authorized if required for business use.

GRS 1.2 item 021 - Grant and cooperative agreement case files. Unsuccessful applications. Temporary. Destroy 3 years after final action is taken on file, but longer retention is authorized if required for business use.

For Financial Transactions Related to Grants:

GRS 1.1 item 010 - Financial transaction records related to procuring goods and services, paying bills, collecting debts and accounting. Official record held in the office of record. Temporary. Destroy 6 years after final payment or cancellation, but longer retention is authorized if required for business use.

GRS 1.1 item 011 - Financial transaction records related to procuring goods and services, paying bills, collecting debts and accounting. All other copies (used for administrative or reference purposes). Temporary. Destroy when business use ceases.

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

We use a protected shared drive that only 6 people (RES/OCHCO) have access to.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

The individuals that have access use this data for their everyday workflow. I'm unsure how to answer this question.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

No, but the information will be documented once the UNLP Program Manager creates a desk manual of the grants program.

(1) If yes, where?

N/A.

4. Will the system be accessed or operated at more than one location (site)?

It's a Microsoft file, so the files are accessible while working on the NRC server.

a. If yes, how will consistent use be maintained at all sites?

A limited number of people have access to the shared drive.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

RES grant staff and OCHCO recruitment personnel.

6. Will a record of their access to the system be captured?

No, but you can see version control.

a. If yes, what will be collected?

N/A.

7. Will contractors be involved with the design, development, or maintenance of the system?

N/A.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

The PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), should be included in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC-owned or -controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

The file is stored on the NRC Local Area Network drive with restricted permissions.

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

No.

a. If yes, when was Certification and Accreditation last completed? And what FISMA system is this part of?

N/A.

b. If no, is the Certification and Accreditation in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?

N/A. This is an MS Excel file that is encrypted and stored on the protected network drive.

c. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and the Computer Security Office's (CSO's) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.

N/A.

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: Student Service Tracking Log (Microsoft Excel)

Submitting Office: Office of Nuclear Regulatory Research (RES)

A. PRIVACY ACT APPLICABILITY REVIEW

Privacy Act is not applicable.
X Privacy Act is applicable.

Comments:

System of Records Notice is required.

Reviewer's Name / Title: Privacy Officer

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

No OMB clearance is needed.
X OMB clearance is needed.
Currently has OMB Clearance. Clearance No.

Comments:

RES has slowly been working on the information collection request to be submitted to OMB to resolve this long-standing violation of the requirements of the Paperwork Reduction Act. The SORN for this information collection is needed before RES can obtain a clearance.

Reviewer's Name / Title: Agency Clearance Officer
Signed by Hardy, Sally on 08/16/21
Signed by Cullison, David on 08/02/21

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

No record schedule required.
Additional information is needed to complete assessment.
Needs to be scheduled.
X Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name / Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE

This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer
Signed by Dove, Marna on 08/02/21
Signed by Nalabandian, Garo on 08/25/21

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Office of Nuclear Regulatory Research (RES)

Name of System: Student Service Tracking Log (Microsoft Excel)

Date CSB received PIA for review: July 16, 2021

Date CSB completed PIA review: August 12, 2021

Noted Issues:

System of Records Notice is required. Will need to work with RES office and OGC to create a new SORN or revise an existing SORN.

Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer
Signature/Date:

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr., Director, IT Services Development and Operations Division, Office of the Chief Information Officer

Jonathan R. Feibus, Chief Information Security Officer (CISO), Office of the Chief Information Officer

Signed by Nalabandian, Garo on 08/25/21