ML22004A306
| Person / Time | |
|---|---|
| Issue date: | 02/07/2022 |
| From: | Nalabandian G, Governance & Enterprise Management Services Division |
| To: | Bobryakova N |
PIA Template (06-2021)
U.S. Nuclear Regulatory Commission
Privacy Impact Assessment
Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.
Entellitrak Equal Employment Opportunity (ETK EEO) Case Management System
Date: December 23, 2021
A.
GENERAL SYSTEM INFORMATION
1.
Provide a detailed description of the system: (Use plain language, no technical terms.)
Entellitrak Equal Employment Opportunity (ETK EEO) is a case management system provided to the U.S. Nuclear Regulatory Commission (NRC) as a Software as a Service solution (SaaS) by Tyler Federal, LLC. ETK EEO is hosted by Tyler Federal on the Tyler Federal Product Suite (formerly MicroPact Product Suite) cloud platform authorized by the Federal Risk and Authorization Management Program (FedRAMP).
The NRC's Office of Small Business and Civil Rights (SBCR) uses ETK EEO to manage Equal Employment Opportunity (EEO) complaints for all individuals who file informal and formal EEO complaints against the NRC and to comply with the Equal Employment Opportunity Commission's (EEOC's) regulations as set forth in the Code of Federal Regulations (CFR) governing Federal Sector EEO complaint processing (29 CFR Part 1614 - Federal Sector Equal Employment Opportunity) and the Notification and Federal Antidiscrimination and Retaliation Act of 2002 (No FEAR Act), as amended by the Elijah E. Cummings Federal Employee Antidiscrimination Act of 2020.
NRC employees (current and former) and job applicants can use the EEO eFile Portal website to initiate a request for EEO counseling, submit information about their informal EEO complaint, and view the status of their EEO case(s).
2.
What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commission's (NRC's) mission, which strategic goal?)
ETK EEO supports SBCR in its mission to provide a work environment free of discrimination and retaliation in accordance with laws and regulations mandated by the No FEAR Act and enforced by the EEOC. ETK EEO enables SBCR to do the following:
collect, track, and monitor EEO complaints from initiation through appeal
ensure counseling and investigations are completed within mandated timeframes
meet regulatory requirements for providing an annual EEOC Form 462 Report to the EEOC
meet statutory requirements for providing an annual No FEAR Act Report to Congress
conduct trend analysis on types of complaints to identify and eradicate discrimination in the NRC workplace, as well as report trends to relevant agency staff
3.
Describe any modules or subsystems, where relevant, and their functions.
ETK EEO contains the following modules:
Quality Review Management (QRM) - The QRM module provides a Data Integrity Analysis and a Checklist Report that help users to validate the EEOC Form 462 Report.
No FEAR Reporting - Pre-formatted screens and data elements enable users to capture all required information quickly and produce the No FEAR Report at a variety of levels and in a range of formats.
eFile - EEO complainants are able to electronically submit complaints, track the progress of their claims, and respond to the EEO specialists' inquiries. The EEO specialists can review submissions before advancing them for processing.
eScan - This scanning solution skips the desktop, allowing for the direct upload of documents to individual EEO case files.
Report Builder - The Report Builder module enables users to design, generate, and format ad hoc reports. Once created, reports can be saved as templates, shared with other users, and placed on users' dashboards.
a.
Provide ADAMS ML numbers for all Privacy Impact Assessments or Privacy Threshold Analysis for each subsystem.
N/A.
4.
What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)
29 CFR part 1614 and the No FEAR Act, as amended by the Elijah E. Cummings Federal Employee Antidiscrimination Act of 2020, direct Federal agencies to process complaints of alleged discrimination under the laws enforced by the EEOC. As stated above, agencies must submit annual reports to the EEOC and to Congress, and they must purchase and/or develop systems that can compile the necessary information to track EEO complaint activity for case management and reporting as set forth in EEOC regulations.
5.
What is the purpose of the system and the data to be collected?
SBCR staff use ETK EEO and the data that is collected to:
manage and track informal and formal EEO complaints
review the status of open cases
analyze trends with EEO activity
prepare and submit annual reports to Congress and to the EEOC
6.
Points of Contact:
(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)
| Role | Name | Office/Division/Branch | Telephone |
|---|---|---|---|
| Project Manager | Stephen Smith | SBCR/CRP | 301-415-0192 |
| Business Project Manager | Meredith Neubauer | SBCR/CRP | 301-415-0587 |
| Technical Project Manager | Nandini Sharma | OCIO/GEMSD/APIB/EAT | 301-415-1586 |
| Executive Sponsor | Vonna Ordaz | SBCR | 301-415-7380 |
| ISSO | Natalya Bobryakova | OCIO/GEMSD/CSB/IAT | 301-287-0671 |
| System Owner/User | Vonna Ordaz | SBCR | 301-415-7380 |
7.
Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a.
New System
X Modify Existing System
Other
b.
If modifying or making other updates to an existing system, has a PIA been prepared before?
Yes.
(1)
If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.
ML20087K489, November 27, 2020.
(2)
If yes, provide a summary of modifications or other changes to the existing system.
iComplaints has been migrated to ETK EEO, the next generation of the iComplaints web-based application. ETK EEO was developed specifically for managing the EEO process. It includes functionality that improves the EEO process for agencies and built-in business rules to meet the NRC's and other Federal agencies' EEO business requirements. The ETK EEO system provides enhanced case processing and management functionalities (i.e., inputting, processing, tracking, managing, and reporting on EEO complaint activities), and components customized to efficiently process and report EEO cases in every stage of the EEO process, from intake to resolution.
8.
Do you have an NRC system Enterprise Architecture (EA)/Inventory number?
Yes.
a.
If yes, please provide the EA/Inventory number.
ETK EEO is a subsystem of the NRC's Third Party System (TPS).
The TPS EA number is 20180002.
b.
If no, please contact EA Service Desk to get the EA/Inventory number.
B.
INFORMATION COLLECTED AND MAINTAINED
These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.
1.
INFORMATION ABOUT INDIVIDUALS
a.
Does this system maintain information about individuals?
Yes.
(1)
If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).
ETK EEO maintains information about NRC employees (current and former), applicants for employment, and contractors who contact SBCR to file informal and formal EEO complaints.
(2)
IF NO, SKIP TO QUESTION B.2.
b.
What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?
SBCR maintains the following information about individuals in the ETK EEO system:
Name
grade/step/series/salary
job title
home address
phone numbers
race
color
religion
national origin
gender identity and expressions, including transgendered status
sexual orientation
prior EEO activity
Age
date of birth
disability, including identifying physical or mental impairments
c.
Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)
Yes, information is collected directly from an individual. The subject individual can submit a complaint through the ETK EEO eFile Portal website or contact an SBCR counselor to file the complaint.
(1)
If yes, what information is being collected?
Information collected about the complaint can include, but is not limited to:
name(s) and contact information of the alleged discriminatory officials and any witnesses
description of the complaint, including what the complainant considers to be discriminatory, such as:
o denial of promotion or non-selection
o poor or negative performance appraisal
o denial of training
o sexual and non-sexual harassment
o denial of religious or reasonable accommodation
o claims that genetic information was improperly revealed, obtained, or shared
d.
Will the information be collected from individuals who are not Federal employees?
Yes. Complainants can include applicants for employment, former employees, and contractors.
(1)
If yes, does the information collection have the Office of Management and Budget's (OMB) approval?
Yes, still need OMB's approval.
SBCR should use eFile for collecting information only from current Federal employees until an OMB clearance is obtained.
(a)
If yes, indicate the OMB approval number:
TBD.
e.
Is the information being collected from existing NRC files, databases, or systems?
Yes.
(1)
If yes, identify the files/databases/systems and the information being collected.
For complainants who are NRC employees, SBCR staff have been given access rights to gather data and run demographic reports through the Federal Personnel and Payroll System (FPPS) to obtain information such as race/ethnicity, sex, age, disability, job series, and grade. The FPPS system is owned and authorized by the Department of Interior (DOI). FPPS is interconnected with the Office of the Chief Financial Officer's Human Resource Management System.
f.
Is the information being collected from external sources (any source outside of the NRC)?
Yes.
(1)
If yes, identify the source and what type of information is being collected?
Occasionally, when a complaint (formal or informal) is filed by a contractor, SBCR will contact the contracting company to gather information, such as contact and cost, to support the investigation/mediation process.
Additionally, a complainant may provide supporting documentation from outside sources such as a physician's medical report providing evidence of a disability, including the need for reasonable accommodation.
Further, if events related to a complaint occur outside of an NRC facility, then relevant records, such as travel or hotel receipts, phone records, or other evidence, depending on the nature of the claims alleged by the complainant, are collected.
g.
How will information not collected directly from the subject individual be verified as current, accurate, and complete?
Most of the information is self-reported by the subject individual; therefore, SBCR does not question the accuracy of the data unless there is a reason to do so.
h.
How will the information be collected (e.g. form, data transfer)?
During the informal complaint process, the information is collected from the individual through the ETK EEO eFile Portal website, in which a complainant can submit information and upload documents related to the case. Individuals are also able to view, in eFile, the status of their EEO cases.
During the formal complaint process, the individual contacts SBCR to be assigned to an SBCR/CRP case manager, then completes and signs a formal complaint form, which is uploaded and maintained through the ETK EEO case management system. The formal complaint forms are emailed to SBCR staff.
During the investigation process, evidence and affirmed/sworn statements from alleged discriminatory officials and witnesses are gathered and compiled into an investigative report, which is provided to the complainant and uploaded/maintained through the ETK EEO case management system.
2.
INFORMATION NOT ABOUT INDIVIDUALS
a.
Will information not about individuals be maintained in this system?
No.
(1)
If yes, identify the type of information (be specific).
N/A.
b.
What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.
N/A.
C.
USES OF SYSTEM AND INFORMATION
These questions will identify the use of the information and the accuracy of the data being used.
1.
Describe all uses made of the data in this system.
SBCR uses ETK EEO to utilize enhanced case processing and management functionalities (i.e., inputting, processing, tracking, managing, and reporting on EEO complaint activities), and components customized to efficiently process and report EEO cases in every stage of the EEO process, from intake to resolution.
In addition, SBCR compiles reports from data maintained in ETK EEO to analyze and identify trends such as the number of complaints by fiscal year; complaints related to race/ethnicity claims; complaints related to sexual or non-sexual harassment claims; disparate treatment claims, etc. These reports enable SBCR to be more proactive in eradicating discrimination in the agency and assess its organizations to identify the offices that are doing well and/or those that are in need of improvement.
SBCR also uses the data maintained in ETK EEO to generate an annual EEOC Form 462 Report (for the EEOC) and an annual No FEAR Act Report (for Congress).
2.
Is the use of the data both relevant and necessary for the purpose for which the system is designed?
Yes, as set forth in 29 CFR Part 1614 and the No FEAR Act, as amended by the Elijah E. Cummings Federal Employee Antidiscrimination Act of 2020, the NRC, through SBCR, is required to maintain an EEO complaint tracking system (i.e., ETK EEO) to fulfill its mission by cultivating a civil workplace that is free from discrimination, harassment, and retaliation by addressing and eliminating all forms of harassing behavior and misconduct, discrimination, and retaliation.
In supporting the principles of EEO to eliminate unlawful discrimination in the workplace, SBCR submits annually its report to the EEOC and Congress summarizing the steps taken to ensure compliance with these statutory requirements.
3.
Who will ensure the proper use of the data in this system?
SBCR and administrators will ensure the proper use of the data in ETK EEO.
4.
Are the data elements described in detail and documented?
Yes.
a.
If yes, what is the name of the document that contains this information and where is it located?
The data elements are described in the ETK EEO Administrator Guide published by Tyler Federal (formerly MicroPact).
5.
Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
ETK EEO aggregates the data into more usable formats such as tables and reports; however, ETK EEO does not derive new data or create previously unavailable data.
Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.
Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).
a.
If yes, how will aggregated data be maintained, filed, and utilized?
Aggregated data is used in investigations to determine whether discrimination occurred.
b.
How will aggregated data be validated for relevance and accuracy?
Aggregated data is only gathered in an investigation file if the data could be relevant to prove or disprove discrimination. Since much of the information is self-reported, SBCR does not question the accuracy of the data unless there is reason to do so.
c.
If data are consolidated, what controls protect it from unauthorized access, use, or modification?
Role-based access control (RBAC) is implemented in ETK EEO to control access to the system and to prevent unauthorized use. Roles are defined for each authorized user, which prevents unauthorized use for accessing other parts of the system. Users are authenticated to the system through NRC's Identity, Credential, and Access Management (ICAM) Authentication Gateway solution. SBCR staff are the only authorized users with full access to the ETK EEO system. Complainants use the eFile Portal website to submit complaints, track the progress of their claims, and respond to SBCR inquiries for their own complaints.
6.
How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)
Yes.
a.
If yes, explain, and list the identifiers that will be used to retrieve information on the individual.
Information is retrieved by individual name and NRC case number.
7.
Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?
Yes.
a.
If Yes, provide name of SORN and location in the Federal Register.
Government-wide system of records notice EEOC/GOVT-1 Equal Employment Opportunity in the Federal Government Complaint and Appeal records, previously covered by NRC-9, Office of Small Business and Civil Rights Discrimination Complaint Records.
8.
If the information system is being modified, will the SORN(s) require amendment or revision?
No.
9.
Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?
No.
a.
If yes, explain.
N/A.
(1)
What controls will be used to prevent unauthorized monitoring?
N/A.
10.
List the report(s) that will be produced from this system.
Annual EEOC Form 462 Report
Annual No FEAR Act Report
Ad hoc reports, including Commission Briefing complaint activity reporting
a.
What are the reports used for?
SBCR submits the annual reports listed above to communicate the steps taken by the agency to ensure compliance and enforcement with the Federal sector EEO complaint processing requirements. In addition, these reports also demonstrate NRC's commitment to the principles of EEO (by eliminating unlawful discrimination in the workplace) and whistleblower protection laws in accordance with the No FEAR Act, as amended by the Elijah E. Cummings Act.
The ad hoc reports include compiled data about complaints on an as-needed basis. For example, a particular office within NRC may request a report of all complaints filed by individuals in that office over the last 3 years. The report can be listed by the type of complaint.
b.
Who has access to these reports?
The No FEAR Act Report (with summary statistical data but without Personally Identifiable Information (PII)) is posted to the NRC's public website in accordance with Section 302 of the No FEAR Act, which states that agencies must post data pertaining to formal complaints. Individuals who view the No FEAR Act Report include:
members of Congress
personnel from the EEOC, the Department of Justice (DOJ), and the Office of Personnel Management (OPM)
members of the public
The EEOC Form 462 Report, which is not publicly accessible, is provided to the EEOC's Office of Federal Operations (OFO) through their Federal Sector EEO Portal (FedSEP).
Ad-hoc reporting is generally provided to SBCR staff and management, but it may also be provided to the Office of the Executive Director for Operations (OEDO), the Office of the Chief Human Capital Officer (OCHCO), and the Office of General Counsel (OGC) on a need-to-know basis and as it relates to a particular EEO complaint.
D.
ACCESS TO DATA
1.
Which NRC office(s) will have access to the data in the system?
Only SBCR Civil Rights Program staff and onsite support contractor(s) have access to the data in ETK EEO.
For complainants using the eFile Portal, individuals will only have access to their own data related to their case(s).
(1)
For what purpose?
SBCR Civil Rights Program staff and onsite support contractor(s) use the data that is collected and input into ETK EEO to:
manage and track formal and informal EEOC complaints
review the status of open cases
prepare and submit annual reports to Congress and the EEOC
create ad-hoc reports as needed for statistical and/or trend analysis
(2)
Will access be limited?
Yes. Access to the data in ETK EEO is limited to SBCR/CRP team members and onsite support contractor(s) in carrying out their EEO complaint processing job responsibilities. The administrator has limited access to some of the data such as case numbers; however, the administrator has no access to the PII data. OCHCO, OGC, and EDO staff with a need to know have access to ad hoc reports generated from ETK EEO; however, only SBCR has access to ETK EEO directly.
For complainants using the eFile Portal, the access is allowed to their self-reported information.
2.
Will other NRC systems share data with or have access to the data in the system?
No.
(1)
If yes, identify the system(s).
N/A.
(2)
How will the data be transmitted or disclosed?
N/A.
3.
Will external agencies/organizations/public have access to the data in the system?
Yes.
(1)
If yes, who?
EEOC - The EEOC OFO will receive the agency's annual EEOC Form 462 Report that outlines the EEO complaint activities carried out during that reporting period to ensure compliance with this requirement. In addition, the EEOC will also be provided with the Reports of Investigation (ROI) supporting each complaint when the request for a hearing or an appeal is filed by the complainant and/or their attorney.
Congress, other Federal agencies, and the public - Congress, EEOC, DOJ, Merit Systems Protection Board, Office of Special Counsel (OSC), OPM, and members of the public may have access to view redacted information pertaining to EEO complaint activities of the NRC on a need-to-know basis.
Complainants and/or their attorneys - Complainants and/or their attorneys may obtain a copy of the ROI, but they will not have direct access to ETK EEO.
(2)
Will access be limited?
Yes. Access to the data is limited to SBCR Civil Rights Program staff and onsite support contractor(s).
Access to the EEOC Form 462 Report is limited to the EEOC OFO personnel, and access to investigation reports is limited to the complainant and/or their attorneys. The No FEAR Act Report is publicly available, but it does not contain PII.
(3)
What data will be accessible and for what purpose/use?
The No FEAR Act Report is a summary of statistical data pertaining to formal complaints and does not contain PII. ROIs include compiled data from the investigation and do contain PII.
The data provided in the EEOC Form 462 Report contains:
the number of cases at different stages of the investigation process
the EEO bases involved in each case
the status of the cases, including findings of discrimination or no discrimination, for each case
the costs associated with processing the cases, including settlements, investigations, or other miscellaneous costs
data related to processing times (e.g., how long a case was in the informal complaint stage or how long an investigation took to complete)
(4)
How will the data be transmitted or disclosed?
The No FEAR Act Report is posted to the NRC internal and public websites, and is transmitted electronically to Congress and the Speaker of the United States House of Representatives.
The EEOC Form 462 Report is submitted to the EEOC OFO through their FedSEP Portal. Transmission sessions are encrypted using secure sockets layer v3.0 and transport layer security v1.0.
E.
RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL
The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.
1)
Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules (GRS)?
Yes.
a.
If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).
For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?
GRS 2.3 item 110, EEO discrimination complaint case files. Informal process. Disposition instruction: Temporary. Destroy 3 years after resolution of case, but longer retention is authorized if required for business use.
GRS 2.3 item 111, EEO discrimination complaint case files. Formal process. Disposition instruction: Temporary. Destroy 7 years after resolution of case, but longer retention is authorized if required for business use.
GRS 2.3 item 120, Records documenting contractor compliance with EEO regulations. This item refers to reviews, background documents, and correspondence relating to contractor employment practices.
Disposition instruction: Destroy when 7 years old, but longer retention is authorized if required for business use.
b.
If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.
F.
TECHNICAL ACCESS AND SECURITY
1.
Describe the security controls used to limit access to the system (e.g., passwords).
The system administrator sets user rights and permissions and assigns usernames and initial passwords.
To authenticate to the ETK EEO system, authorized users must use their NRC-provided Personal Identity Verification card. SBCR Civil Rights Program staff and onsite contractor(s) are the only authorized users with full access of the ETK EEO system. ETK EEO logs unauthorized access attempts.
To authenticate to the eFile Portal, registered complainants will use their email address and password.
2.
What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?
Only authorized personnel with a need to know will have access to the data maintained in ETK EEO. RBAC is implemented in ETK EEO to control access to the system and to prevent unauthorized use. Roles are defined for each authorized user, which prevents authorized users from accessing other parts of the system. In addition, the system can generate audit logs to determine if unauthorized access has occurred.
SBCR also relies on ICAM security controls to prevent unauthorized access.
3.
Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?
No.
(1)
If yes, where?
N/A.
4.
Will the system be accessed or operated at more than one location (site)?
No.
a.
If yes, how will consistent use be maintained at all sites?
N/A.
5.
Which user groups (e.g., system administrators, project managers, etc.) have access to the system?
Only the SBCR Civil Rights Program's authorized staff have full access to ETK EEO.
6.
Will a record of their access to the system be captured?
Yes.
a.
If yes, what will be collected?
All successful and failed user login attempts, and the date and time of access, are collected.
7.
Will contractors be involved with the design, development, or maintenance of the system?
Yes. Tyler Federal is an external service provider and is responsible for the development and maintenance of ETK EEO. In addition, SBCR employs an NRC contractor who is responsible for inputting data into the system.
If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.
Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.
8.
What auditing measures and technical safeguards are in place to prevent misuse of data?
SBCR relies on Tyler Federal to employ auditing measures and technical safeguards to prevent misuse of data. The Tyler Federal IT Operation Team reviews/analyzes audit records for indications of inappropriate or unusual network activity on a weekly basis. The SBCR administrator reviews auditable events, audit logs, and audit reporting records for indications of inappropriate or unusual activity at least daily.
9.
Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?
Yes.
a.
If yes, when was Certification and Accreditation last completed? And what FISMA system is this part of?
The Tyler Federal Product Suite, which includes both iComplaints and Entellitrak, received its FedRAMP authorization sponsored by the U.S. Department of Interior on June 6, 2014.
iComplaints received an NRC authorization on October 20, 2016 (ML16309A084).
ETK EEO received an NRC system change authorization for migration from iComplaints to ETK EEO within the TPS system boundary on July 10, 2021 (ML21202A080).
b.
If no, is the Certification and Accreditation in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?
N/A.
c.
If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Office's (CSO's) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.
N/A.
PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL
(For Use by OCIO/GEMSD/CSB Staff)
System Name: Entellitrak Equal Employment Opportunity (ETK EEO) Case Management System
Submitting Office: SBCR
A.
PRIVACY ACT APPLICABILITY REVIEW
Privacy Act is not applicable.
X Privacy Act is applicable.
Comments:
Government-wide system of records notice EEOC/GOVT-1 Equal Employment Opportunity in the Federal Government Complaint and Appeal records.
Reviewer's Name:
Title: Privacy Officer
B.
INFORMATION COLLECTION APPLICABILITY DETERMINATION
No OMB clearance is needed.
X OMB clearance is needed.
Currently has OMB Clearance. Clearance No.
Comments:
An OMB Clearance is needed before eFile can be opened to contractors, former employees, and job applicants.
Reviewer's Name:
Title: Agency Clearance Officer
Signed by Hardy, Sally on 01/27/22
Signed by Cullison, David on 01/21/22
C.
RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION
No record schedule required.
Additional information is needed to complete assessment.
Needs to be scheduled.
X Existing records retention and disposition schedule covers the system - no modifications needed.
Comments:
Reviewer's Name:
Title: Sr. Program Analyst, Electronic Records Manager
D.
BRANCH CHIEF REVIEW AND CONCURRENCE
This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.
I concur in the Privacy Act, Information Collections, and Records Management reviews:
Chief, Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer
Signed by Dove, Marna on 01/24/22
Signed by Nalabandian, Garo on 02/07/22
TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS
TO: Vonna Ordaz, SBCR
Name of System: Entellitrak Equal Employment Opportunity (ETK EEO) Case Management System
Date CSB received PIA for review: December 29, 2021
Date CSB completed PIA review: January 26, 2022
Noted Issues:
Chief, Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer
Signature/Date:
Copies of this PIA will be provided to:
Thomas G. Ashley, Jr.
Director, IT Services Development and Operations Division
Office of the Chief Information Officer
Jonathan R. Feibus
Chief Information Security Officer (CISO)
Office of the Chief Information Officer
Signed by Nalabandian, Garo on 02/07/22