ML22087A436

Mind Your Business, Inc. (MYB) ShareFile Portal Privacy Impact Assessment (PIA)

Issue date: 04/01/2022
From: Benjamin Partlow, Governance & Enterprise Management Services Division
To: Hardy S

PIA Template (06-2021)

U.S. Nuclear Regulatory Commission Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Mind Your Business, Inc. (MYB) ShareFile Portal
Date: March 24, 2022

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system: (Use plain language, no technical terms.)

The Mind Your Business, Inc. (MYB) ShareFile Portal is a cloud-based secure file sharing service. MYB is a small business that provides investigation services to corporate businesses and government agencies. The U.S. Nuclear Regulatory Commission's (NRC) Office of Small Business and Civil Rights (SBCR) contracts MYB to provide non-personnel services to assist SBCR staff with the investigation and resolution of Equal Employment Opportunity (EEO) complaints. MYB provides the following EEO services to SBCR: counseling, mediation, investigation, drafting formal documents, and other related case processing documents.

MYB uses Citrix ShareFile, a secure file sharing solution, to provide its clients, including SBCR, with a secure cloud-based portal for sharing files with MYB. MYB also delivers its electronic deliverables to SBCR through the MYB ShareFile Portal. SBCR staff use the MYB ShareFile Portal to provide EEO complaint files to MYB for the EEO services directed by SBCR staff and to retrieve MYB deliverables, such as the Counseling Report, Report of Mediation, Report of Investigation, and other required documents.

2. What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commission's (NRC's) mission, which strategic goal?)

The MYB ShareFile Portal supports the agency's mission to provide a work environment free of discrimination and retaliation in accordance with laws and regulations mandated by the Notification and Federal Employee Antidiscrimination and Retaliation Act of 2002 (No FEAR Act), as amended, and the U.S. Equal Employment Opportunity Commission (EEOC) regulations.

SBCR staff use the MYB ShareFile Portal to perform their duties to administer the NRC's administrative discrimination complaint process and to support the functions of the NRC Alternative Dispute Resolution (ADR) program at both the pre-complaint (informal or EEO counseling) and formal complaint stages of the discrimination complaint process.

3. Describe any modules or subsystems, where relevant, and their functions.

N/A.

a. Provide ADAMS ML numbers for all Privacy Impact Assessments or Privacy Threshold Analyses for each subsystem.

N/A.

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

The EEOC regulations at Title 29 of the Code of Federal Regulations (29 CFR) Part 1614, Federal Sector Equal Employment Opportunity, and the Notification and Federal Employee Antidiscrimination and Retaliation Act of 2002 (No FEAR Act), as amended, require Federal agencies to process complaints of alleged discrimination.

5. What is the purpose of the system and the data to be collected?

SBCR uses MYB's ShareFile Portal to transmit EEO case files to MYB for performing EEO services and to retrieve the documents developed by MYB, such as the Counseling Report, Report of Mediation, Report of Investigation, and other required documents. The MYB ShareFile Portal is used only to transfer this information; the system itself does not collect the information.

6. Points of Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Role: Name, Office/Division/Branch, Telephone
Project Manager: Stephen Smith, SBCR/CRP, 301-415-0192
Business Project Manager: Meredith Neubauer, SBCR/CRP, 301-415-0587
MYB EEO Project Manager: Evon Lee-Patton, MYB, 240-506-1081
Executive Sponsor: Vonna Ordaz, SBCR, 301-415-7380
ISSO: Natalya Bobryakova, OCIO/GEMSD/CSB/IAT, 301-287-0671
System Owner/User: Vonna Ordaz, SBCR, 301-415-7380

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?

a. [X] New System  [ ] Modify Existing System  [ ] Other

b. If modifying or making other updates to an existing system, has a PIA been prepared before?

N/A.

(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

N/A.

(2) If yes, provide a summary of modifications or other changes to the existing system.

N/A.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

No. NRC does not have any responsibility for the MYB ShareFile Portal; the system is owned by MYB.

a. If yes, please provide the EA/Inventory number.

N/A.

b. If no, please contact the EA Service Desk to get the EA/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS

a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).

The MYB ShareFile Portal transfers information about NRC employees (current and former), applicants for employment, and contractors who contact SBCR to file complaints of employment discrimination. Transferred files remain on the portal until they are removed by SBCR or MYB.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific, e.g., Social Security Number (SSN), Place of Birth, Name, Address)?

The case files transferred by the MYB ShareFile Portal can include the following information about an individual:

- name
- grade/step/series/salary
- job title
- home address
- phone numbers
- race
- color
- religion
- national origin
- gender identity and expression, including transgender status
- sexual orientation
- prior EEO activity
- age
- date of birth
- disability, including identifying physical or mental impairments
- name(s) of the alleged discriminating officials
- description of the complaint, including what the complainant considers to be discriminatory

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

Yes, the files placed in the MYB ShareFile Portal contain information that is collected directly from subject individuals (i.e., aggrieved individuals and/or complainants) during the complaint filing and processing stages. However, this information is collected outside of the MYB ShareFile Portal, which is used only to transfer it; the system itself does not collect the information.

(1) If yes, what information is being collected?

Information that is transferred via the MYB ShareFile Portal is related to EEO cases, such as information about the complainant(s) (as listed in Question B.1.b), name(s) of the alleged discriminating individuals, and a description of the complaint(s).

d. Will the information be collected from individuals who are not Federal employees?

Yes, the files placed in the MYB ShareFile Portal can include information collected from individuals who are not Federal employees (e.g., applicants for employment, former employees, and contractors). However, this information is collected outside of the MYB ShareFile Portal, which is used only to transfer it; the system itself does not collect the information.

(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?

No. The MYB ShareFile Portal is used only for file sharing. This is not an information collection under the Paperwork Reduction Act (PRA), so OMB approval is not needed.

(a) If yes, indicate the OMB approval number:

N/A.

e. Is the information being collected from existing NRC files, databases, or systems?

Yes.

(1) If yes, identify the files/databases/systems and the information being collected.

Information is being collected from the NRC's Entellitrak (ETK) EEO system. SBCR staff download the case files to their designated shared network drive and then upload them to the MYB ShareFile Portal. The information that is transferred via the MYB ShareFile Portal is related to the complaint, such as information about the complainant, information pertaining to the alleged discriminating individual(s), and a description of the complaint.

f. Is the information being collected from external sources (any source outside of the NRC)?

No.

(1) If yes, identify the source and what type of information is being collected.

N/A.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

N/A.

h. How will the information be collected (e.g., form, data transfer)?

The information is uploaded into the MYB ShareFile Portal by secure file transfer, a feature of the MYB ShareFile Portal that uses secure protocols and encryption to safeguard data in transit.

2. INFORMATION NOT ABOUT INDIVIDUALS

a. Will information not about individuals be maintained in this system?

No.

(1) If yes, identify the type of information (be specific).

N/A.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

N/A.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

MYB staff review, verify, and analyze the EEO case data to conduct EEO counseling, mediation, investigation, and document processing services as directed by SBCR, to assist SBCR staff with the processing of formal and informal EEO complaints.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes. For MYB to fulfill the obligations of the contract, SBCR must be able to securely upload EEO case data to the MYB ShareFile Portal. SBCR uses the information delivered by MYB to support the functions of the NRC's administrative discrimination complaint process and the ADR program.

3. Who will ensure the proper use of the data in this system?

MYB and SBCR ensure that only authorized personnel have access to the MYB ShareFile Portal. MYB's Information Technology (IT) staff closely monitor access to the portal. The MYB counselors, investigators, and operational staff have clearances processed by NRC that afford them the right to handle privacy data. The MYB investigators must undergo background investigations for Public Trust positions. All SBCR key personnel and MYB staff complete yearly certification in Records Management training and Personally Identifiable Information (PII) Management training.

4. Are the data elements described in detail and documented?

Yes.

a. If yes, what is the name of the document that contains this information and where is it located?

MYB's Statement of Work (SOW).

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No, data is not aggregated to derive new data or create previously unavailable data about an individual. The reports developed by MYB are compiled from the complainant's data and witness testimonies, along with any supporting documentation that they provide.

Derived data is obtained from a source for one purpose, and then the original information is used to deduce or infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and turning them into a composite of all the data to form another type of data (i.e., tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A.

b. How will aggregated data be validated for relevance and accuracy?

N/A.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

Information transferred by the MYB ShareFile Portal is stored within a dedicated folder for the NRC. This folder is accessible and visible only to SBCR users and assigned MYB staff. MYB counselors, mediators, investigators, and operational staff use dedicated MYB laptops to investigate cases. All MYB laptops are encrypted for further security.

6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

Yes.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

Case files are retrieved by case number and the individual's last name.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

Yes.

a. If yes, provide the name of the SORN and its location in the Federal Register.

Government-wide SORN EEOC/GOVT-1 (Equal Employment Opportunity in the Federal Government Complaint and Appeal Records).

8. If the information system is being modified, will the SORN(s) require amendment or revision?

No.

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

N/A.

(1) What controls will be used to prevent unauthorized monitoring?

MYB's IT staff ensure that only authorized personnel are accessing the portal.

10. List the report(s) that will be produced from this system.

N/A.

a. What are the reports used for?

N/A.

b. Who has access to these reports?

N/A.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

SBCR is the only NRC office with access to the data.

(1) For what purpose?

SBCR staff access the MYB ShareFile Portal to upload case files for MYB and to download MYB's deliverables.

(2) Will access be limited?

Yes, access to the data is limited to authorized personnel only. Case processors will have access only to the case files that they upload to the portal.

2. Will other NRC systems share data with or have access to the data in the system?

No.

(1) If yes, identify the system(s).

N/A.

(2) How will the data be transmitted or disclosed?

N/A.

3. Will external agencies/organizations/public have access to the data in the system?

Yes.

(1) If yes, who?

MYB's authorized EEO key personnel have access to the data in the system.

(2) Will access be limited?

Yes, access to the data in the MYB ShareFile Portal is limited to the MYB EEO key personnel, including the EEO program manager, EEO specialists, and EEO assistants. The MYB counselors, mediators, and investigators are unable to view any case file until it is sent to them by the MYB EEO program manager. Upon assignment, the case files for each case are encrypted and sent to the assigned specialist using the MYB ShareFile Portal (link for pickup or drop-off) or email.

(3) What data will be accessible and for what purpose/use?

The complaint case files that are uploaded by SBCR will be accessible to the assigned MYB counselor, mediator, investigator, or document drafter to perform the requested services as directed by SBCR.

(4) How will the data be transmitted or disclosed?

Authorized MYB personnel can transmit the data via the MYB ShareFile Portal and provide the encrypted case files to the assigned specialist via a link for pickup or by email.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have an approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910) or NARA's General Records Schedules (GRS)?

Yes.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1). For example, will the records or a composite thereof be deleted once they reach their approved retention, or exported to an approved file format for transfer to the National Archives based on their approved disposition?

In accordance with EEOC Management Directive 110 (EEO-MD-110), Chapter 6, Section VIII.G, MYB retains case files, Reports of Investigation, and other EEO reports for a total of four years. This includes electronic media and hard copies. After the investigation is completed, MYB keeps the files readily available for one year, locked in a secure office and file cabinet. After one year, the files are archived. At the end of the four-year period, the files are expunged.

NRC records are covered under GRS 2.3, Employee Relations Records:

GRS 2.3 item 110, EEO discrimination complaint case files, informal process. Temporary. Destroy 3 years after resolution of case, but longer retention is authorized if required for business use.

GRS 2.3 item 111, EEO discrimination complaint case files, formal process. Temporary. Destroy 7 years after resolution of case, but longer retention is authorized if required for business use.

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

MYB uses multi-step authentication for access to both the client-facing side and the management side of the MYB ShareFile Portal.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

Each user of the MYB ShareFile Portal has a username and password. A second authentication factor is also required by the verification security feature of the multi-step authentication: a text message or voice call delivering a security code that the user must enter to log into the MYB ShareFile Portal.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes.

(1) If yes, where?

The MYB ShareFile Portal vendor provides MYB with an administrative user guide.

4. Will the system be accessed or operated at more than one location (site)?

No.

a. If yes, how will consistent use be maintained at all sites?

N/A.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

SBCR and MYB EEO staff.

6. Will a record of their access to the system be captured?

No.

a. If yes, what will be collected?

N/A.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts. Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts when the design, development, or operation of a system of records on individuals is required to accomplish an agency function. The PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), should be included in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC-owned or NRC-controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

SBCR relies on MYB to employ auditing measures and technical safeguards to prevent misuse of data. MYB uses multi-step authentication for each login to both the client-facing side and the management side of the MYB ShareFile Portal.

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

The MYB ShareFile Portal is hosted by Citrix ShareFile on servers maintained by Amazon Web Services (AWS). According to Citrix ShareFile, the Citrix ShareFile cloud infrastructure is secured to industry-leading security standards. The Citrix ShareFile cloud platform is part of the Citrix WorkSpace Suite, which is currently undergoing a FedRAMP authorization and is designated as "In Process" on the FedRAMP Marketplace.

a. If yes, when was Certification and Accreditation last completed? And what FISMA system is this part of?

N/A.

b. If no, is the Certification and Accreditation in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?

N/A. The MYB ShareFile Portal is not a part of the NRC network.

c. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and the Computer Security Office's (CSO's) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.

N/A.

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: Mind Your Business, Inc. (MYB) ShareFile Portal
Submitting Office: Office of Small Business and Civil Rights

A. PRIVACY ACT APPLICABILITY REVIEW

[ ] Privacy Act is not applicable.
[X] Privacy Act is applicable.

Comments:

Information is covered by the Government-wide System of Records Notice EEOC/GOVT-1 (Equal Employment Opportunity in the Federal Government Complaint and Appeal Records).

Reviewer's Name/Title: Privacy Officer

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

[X] No OMB clearance is needed.
[ ] OMB clearance is needed.
[ ] Currently has OMB Clearance. Clearance No.

Comments:

The MYB ShareFile Portal is not used to collect information.

Reviewer's Name/Title: Agency Clearance Officer
Signed by Hardy, Sally on 03/31/22
Signed by Cullison, David on 03/30/22

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

[ ] No record schedule required.
[ ] Additional information is needed to complete assessment.
[ ] Needs to be scheduled.
[X] Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name/Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE

[ ] This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
[X] This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Acting Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer
Signed by Dove, Marna on 03/30/22
Signed by Partlow, Benjamin on 04/01/22

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT / PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Vonna Ordaz, Office Director, Office of Small Business and Civil Rights
Name of System: Mind Your Business, Inc. (MYB) ShareFile Portal
Date CSB received PIA for review: March 24, 2022
Date CSB completed PIA review: March 31, 2022

Noted Issues:

The MYB ShareFile Portal is a secure file sharing service for EEO case files; the information is encrypted and sent to the assigned specialist using the MYB ShareFile Portal. The information that is being transferred is covered by the Government-wide SORN EEOC/GOVT-1 (Equal Employment Opportunity in the Federal Government Complaint and Appeal Records).

Acting Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer
Signature/Date:

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr., Director, IT Services Development and Operations Division, Office of the Chief Information Officer
Garo Nalabandian, Acting Chief Information Security Officer (CISO), Office of the Chief Information Officer

Signed by Partlow, Benjamin on 04/01/22