Text

PIA Template (07-2022) U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

ArkCase Legal Case Management System Date: September 14, 2022.

A.

GENERAL SYSTEM INFORMATION 1.

Provide a detailed description of the system:

ArkCase is a cloud-based case management application provided as a Software-as-a-Service solution on the Armedia Content Cloud (ACC) platform by Armedia, LLC. ArkCase is used by the Nuclear Regulatory Commission (NRC)

Office of the General Counsel (OGC) to manage labor and employment legal matters related to the operation and administration of the agency. ArkCase is also used for management of contract-related legal matters and disputes.

ArkCase allows electronic organizing of legal cases; the program can associate cases with relevant case notes, contact information, documents, reminders, tasks, milestones, and other data in a secure environment.

2.

What agency function does it support? (How will this support the U.S.

Nuclear Regulatory Commissions (NRCs) mission, which strategic goal?))

ArkCase supports the NRCs labor, employment, personnel security, and contract-related legal matters, and the agencys Human Capital Strategy 4 (Promote a strong NRC internal safety culture with an open, collaborative work environment) and Human Capital Strategy 6 (Strengthen workforce diversity and inclusion).

3.

Describe any modules or subsystems, where relevant, and their functions.

None.

a.

Provide ADAMS ML numbers for all Privacy Impact Assessments or Privacy Threshold Analysis for each subsystem.

N/A.

PIA Template (07-2022) 4.

What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

42 U.S.C. 2201(d), as amended; 5 U.S.C. 3132(a); 5 U.S.C. 4303, as amended; 5 U.S.C. 7503; 29 U.S.C. 633a; 29 U.S.C. 791; 42 U.S.C. 2000e-16; 42 U.S.C.

2165 5.

What is the purpose of the system and the data to be collected?

The system supports the management of the agencys legal cases related to labor, employment, personnel security, and contracts.

6.

Points of

Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Project Manager Office/Division/Branch Telephone Yana Shnayder OGC/LHE/PSB 301-287-0706 Business Project Manager Office/Division/Branch Telephone N/A N/A N/A Technical Project Manager Office/Division/Branch Telephone N/A N/A N/A Executive Sponsor Office/Division/Branch Telephone Catherine Scott OGC/LRAA/LECL 301-287-9151 ISSO Office/Division/Branch Telephone Natalya Bobryakova OCIO/GEMSD/CSB/IAT 301-287-0671 System Owner/User Office/Division/Branch Telephone Catherine Scott OGC/LRAA/LECL 301-287-9151

PIA Template (07-2022) 7.

Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?

a.

New System Modify Existing System X

Other b.

If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes.

(1)

If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

ML16250A064, May 15, 2018.

(2)

If yes, provide a summary of modifications or other changes to the existing system.

Since January 6, 2022, the ACC platform is undergoing a Federal Risk and Authorization Management Program (FedRAMP) authorization under the sponsorship of the U.S. Postal Regulatory Commission (PRC).

8.

Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes.

a.

If yes, please provide the EA/Inventory number.

ArkCase is a subsystem of the NRCs Third-Party System (TPS).

The TPS EA number is 20180002.

b.

If, no, please contact EA Service Desk to get the EA/Inventory number.

PIA Template (07-2022) B.

INFORMATION COLLECTED AND MAINTAINED These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1.

INFORMATION ABOUT INDIVIDUALS a.

Does this system maintain information about individuals?

Yes.

(1)

If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licenses etc.)).

Federal employees, former employees, and the NRC contractors and job applicants.

(2)

IF NO, SKIP TO QUESTION B.2.

b.

What information is being maintained in the system about an individual (be specific - e.g., Social Security Number (SSN), Place of Birth, Name, Address)?

Potentially: name; position; grade; home address and phone number; cell phone number; personal email address; family information; Electronic Official Personnel Folder (eOPF) information; reasonable accommodation information; Equal Employment Opportunity (EEO) complaints; disciplinary actions; performance-related actions; security clearance actions.

c.

Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

Yes.

(1)

If yes, what information is being collected?

Potentially: name; position; grade; home address and phone number; cell phone number; personal email address; family information; Electronic Official Personnel Folder (eOPF) information; reasonable accommodation information; EEO complaints, disciplinary actions; performance-related actions; security clearance actions.

PIA Template (07-2022) d.

Will the information be collected from individuals who are not Federal employees?

Yes. The information may be collected from applicants for employment, former employees, and contractors.

(1)

If yes, does the information collection have the Office of Management and Budgets (OMB) approval?

N/A.

No clearance is needed as the information collected meets the conditions of 5 CFR 1320.4(a)(2) for an exclusion from the requirements in 5 CFR 1320.3.

(a)

If yes, indicate the OMB approval number:

N/A.

e.

Is the information being collected from existing NRC files, databases, or systems?

Yes. In some cases, it may, but it depends on the type of case.

(1)

If yes, identify the files/databases/systems and the information being collected.

The collected information may include the Chief Human Capital Officer (OCHCO) personnel records; union grievances; eOPF files, personnel security files, Small Business and Civil Rights (SBCR) case files, materials on contracts in agencys Strategic Acquisition System (STAQS), and Office of the Inspector General (OIG) reports of investigation. It depends on the type of case.

f.

Is the information being collected from external sources (any source outside of the NRC)?

Yes. In some cases, it may, but it depends on the type of case.

(1)

If yes, identify the source and what type of information is being collected?

Possibly, legal documents may be collected from the following sources: Equal Employment Opportunity Commission (EEOC);

Merit Systems Protection Board (MSPB); Federal Labor Relations Authority (FLRA); Small Business Administration (SBA); General Services Administration (GSA); hearing adjudicators; arbitrators; outside attorneys; former employees via personal email; job applicants; current or former NRC contractors.

PIA Template (07-2022) g.

How will information not collected directly from the subject individual be verified as current, accurate, and complete?

This should not be an issue. OGC relies on accuracy of information within NRC personnel records (for cases involved current or former NRC employees) and in STAQS (for contract materials).

h.

How will the information be collected (e.g., form, data transfer)?

Information will primarily be in documents (e.g.,.pdf,.doc or.msg,.jpeg files) transferred via email or downloaded from the existing NRC records in the NRC IT systems. The information may also be downloaded from the IT platforms supporting hearings at MSPB or EEOC.

2.

INFORMATION NOT ABOUT INDIVIDUALS a.

Will information not about individuals be maintained in this system?

Yes.

(1)

If yes, identify the type of information (be specific).

Paperwork related to cases; other relevant cases (i.e., from Westlaw and Lexis); calendars (attorney appointments); court documents; transcripts; testimony; briefs; drafts; emails; materials from OMB, Office of Personnel Management (OPM), Centers for Disease Control and Prevention (CDC), and other Federal agencies or State agencies.

b.

What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

Information can possibly come from EEOC; MSPB; FLRA; policy materials from OMB, OPM, CDC, and other Federal agencies or State agencies: GSA, State of Maryland, Safer Federal Workforce Task Force, Executive Office of the President (EOP); hearing adjudicators; arbitrators; outside attorneys; current employees; former employees via personal email; job applicants; current or former NRC contractors.

C.

USES OF SYSTEM AND INFORMATION These questions will identify the use of the information and the accuracy of the data being used.

1.

Describe all uses made of the data in this system.

To process labor, employment, and personnel security legal matters related to claims filed against the NRC, by NRC employees, job applicants, former employees, disappointed bidders for contracts, etc. Also, the data in ArkCase is used for contract-related litigation.

PIA Template (07-2022) 2.

Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes, the data is relevant and necessary for legal case management.

3.

Who will ensure the proper use of the data in this system?

The attorneys in the OGC, Labor, Employment, and Contract Law (LECL)

Division, who have authorization and need to know, ensure the proper use of the data in this system.

4.

Are the data elements described in detail and documented?

Yes, the data elements are described within the system.

a.

If yes, what is the name of the document that contains this information and where is it located?

Armedia (the software vendor) maintains the documents that describe the data elements permitted within the system.

5.

Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

Yes.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e., tables or data arrays).

a.

If yes, how will aggregated data be maintained, filed, and utilized?

The data will be maintained in OGCs system of records for legal case files.

b.

How will aggregated data be validated for relevance and accuracy?

OGC personnel validate aggregated data for relevance and accuracy.

c.

If data are consolidated, what controls protect it from unauthorized access, use, or modification?

Only authorized agency staff have access to the data. Access to the data is restricted by passwords.

PIA Template (07-2022) 6.

How will data be retrieved from the system? Will data be retrieved by an individuals name or personal identifier (name, unique number, or symbol)?

Yes. The data may be retrieved by an individuals name.

a.

If yes, explain, and list the identifiers that will be used to retrieve information on the individual. (Be specific.)

The information can be retrieved by individuals name, case number, or document number.

7.

Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

Yes.

a.

If Yes, provide name of SORN and location in the Federal Register.

NRC-8: Employee Disciplinary Actions, Appeals, Grievances, and Complaints Records. Republication of Systems of Records Notices, December 27, 2019 (84 FR 71536). This notice states: Duplicate systemA duplicate system may be maintained, in whole or in part, in the Office of the General Counsel.

EEOC/GOVT-1: Equal Employment Opportunity in the Federal Government Complaint and Appeal Records 8.

If the information system is being modified, will the SORN(s) require amendment or revision?

No.

9.

Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a.

If yes, explain.

N/A.

(1)

What controls will be used to prevent unauthorized monitoring?

N/A.

10.

List the report(s) that will be produced from this system.

The reports can be produced based on the nature or attributes of case (e.g.,

type of case, cases involving named individuals, cases open or closed, etc.).

PIA Template (07-2022) a.

What are the reports used for?

Litigation status updates, workload planning; trends.

b.

Who has access to these reports?

The Office of the General Counsel / Labor, Employment, and Contract Law (OGC/LECL) attorneys, an OGC paralegal, and authorized administrative assistant.

D.

ACCESS TO DATA 1.

Which NRC office(s) will have access to the data in the system?

The OGC/LECL staff, the OGC Program Support Branch (PSB) authorized administrative assistant, and OGC Deputy General Counsel (GC) have access to the system (approximately 12 staff have access).

(1)

For what purpose?

Legal case management.

(2)

Will access be limited?

Yes.

2.

Will other NRC systems share data with or have access to the data in the system?

No.

(1)

If yes, identify the system(s).

N/A.

(2)

How will the data be transmitted or disclosed?

N/A.

3.

Will external agencies/organizations/public have access to the data in the system?

No.

(1)

If yes, who?

N/A.

PIA Template (07-2022) (2)

Will access be limited?

N/A.

(3)

What data will be accessible and for what purpose/use?

N/A.

(4)

How will the data be transmitted or disclosed?

N/A.

E.

RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL The National Archives and Records Administration (NARA), in collaboration with Federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federation Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARAs Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1)

Can you map this system to an applicable retention schedule in NRCs Comprehensive Records Disposition Schedule (NUREG-0910), or NARAs General Records Schedules (GRS)?

Yes.

a.

If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).

For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

Note: Added superseded GRS items and GRS for contract materials.

PIA Template (07-2022) GRS Citation GRS Retention Superseding GRS Citation (Sept 2022)

Superseding GRS Retention (Sept 2022) 2.3 item 031 EEO official discrimination complaint case files - informal process Temporary. Destroy 3 years after resolution of case, but longer retention is authorized if required for business use.

2.3 item 110 EEO discrimination complaint case files.

Informal process Temporary. Destroy 3 years after resolution of case, but longer retention is authorized if required for business use.

2.3 item 032 EEO official discrimination case files -

Formal process Temporary. Destroy 7 years after resolution of case, but longer retention is authorized if required for business use.

2.3 item 110 EEO discrimination complaint case files.

Informal process Temporary. Destroy 3 years after resolution of case, but longer retention is authorized if required for business use.

2.3 item 011 ADR case files -

Informal process Temporary. Destroy 3 years after case is closed but longer retention is authorized if required for business use.

2.3 item 070 Alternative Dispute Resolution (ADR) case files. Informal process Temporary. Destroy 3 years after case is closed, but longer retention is authorized if required for business use.

2.3 item 012 ADR case files -

Formal process Temporary. Destroy 7 years after case is closed, but longer retention is authorized if required for business use.

2.3 item 071 Alternative Dispute Resolution (ADR) case files. Formal process Temporary. Destroy 7 years after case is closed, but longer retention is authorized if required for business use.

2.3 item 060 Administrative grievance files Temporary. Destroy no sooner than 4 years but no less than 7 years after case is closed.

2.3 item 060 Administrative grievance, disciplinary, performance-based, and adverse action case files Temporary. Destroy no sooner than 4 years but no later than 7 years after case is close or final settlement on appeal, as appropriate.

• See Note 1 and Note 2 below table 2.3 item 061 Adverse action files Temporary. Destroy no sooner than 4 years but no less than 7 years after case is closed.

(see schedule above for GRS 2.3 item 060)

(see retention above for GRS 2.3 item 060) 2.3 item 062 Performance-Temporary. Destroy no sooner than 4 (see schedule above for GRS 2.3 (see retention above for GRS 2.3 item 060)

PIA Template (07-2022) GRS Citation GRS Retention Superseding GRS Citation (Sept 2022)

Superseding GRS Retention (Sept 2022) based action files years but no later than 7 years after case is closed.

item 060)

Contract-based Retention Schedules (Added to this PIA Sept 2022) 1.1 item 010 Financial transaction records related to procuring goods and services, paying bills, collecting debts, and accounting.

Official record held in the office of record.

Temporary. Destroy 6 years after final payment or cancellation, but longer retention is authorized if required for business use.

1.1 item 011 Financial transaction records related to procuring goods and services, paying bills, collecting debts, and accounting.

All other copies.

Temporary. Destroy when business use ceases.

Note 1: Letter of reprimand filed in an employee's Official Personnel File is scheduled by GRS 2.2, item 041. This comes directly from the description for GRS 2.3 item 060.

Note 2: Per OPM, each agency must select one fixed retention period, between 4 and 7 years, for all administrative grievance, adverse action, and performance-based action case files. Agencies may not use different retention periods for individual cases.

b.

If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

PIA Template (07-2022) F.

TECHNICAL ACCESS AND SECURITY 1.

Describe the security controls used to limit access to the system (e.g., passwords).

User ID and password; system administrator can change controls to further restrict access.

2.

What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

User ID and password; system administrator can change controls to further restrict access.

3.

Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

No.

(1)

If yes, where?

N/A.

4.

Will the system be accessed or operated at more than one location (site)?

No.

a.

If yes, how will consistent use be maintained at all sites?

N/A.

5.

Which user groups (e.g., system administrators, project managers, etc.)

have access to the system?

The OGC/LECL attorneys, one administrative assistant, and Deputy GC have authorized access.

6.

Will a record of their access to the system be captured?

Yes.

a.

If yes, what will be collected?

The logon events are captured in the audit log: userId, IP address, date, time, and whether a user logon was successful or unsuccessful.

PIA Template (07-2022) 7.

Will contractors be involved with the design, development, or maintenance of the system?

Yes. The system is operated and maintained by Armedia on their cloud platform.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8.

What auditing measures and technical safeguards are in place to prevent misuse of data?

OGC relies on Armedia to employ auditing measures and technical safeguards to prevent misuse of data. The OGC application administrator reviews auditable events, audit logs, and audit reporting records for indications of inappropriate or unusual activity at least daily.

9.

Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

Yes.

a.

If yes, when was Assessment and Authorization last completed?

And what FISMA system is this part of?

The ACC platform is undergoing a FedRAMP authorization sponsored by the U.S. PRC (https://marketplace.fedramp.gov/#!/product/armedia-content-cloud?status=In%20Process&sort=productName).

The NRC authorized ArkCase under the TPS system boundary on March 18, 2022. This authorization is valid through February 28, 2023 (ML22081A241).

b.

If no, is the Assessment and Authorization in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?

N/A.

PIA Template (07-2022) c.

If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Offices (CSOs) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.

N/A.

PIA Template (07-2022) PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: ArkCase Legal Case Management System Submitting Office: Office of the General Counsel A.

PRIVACY ACT APPLICABILITY REVIEW Privacy Act is not applicable.

X Privacy Act is applicable.

Comments:

Covered under System of Records, NRC-8, Employee Disciplinary Actions, Appeals, Grievances, and Complaints Records. and government-wide EEOC/GOVT-1: Equal Employment Opportunity in the Federal Government Complaint and Appeal Records Reviewers Name Title Privacy Officer B.

INFORMATION COLLECTION APPLICABILITY DETERMINATION X

No OMB clearance is needed.

OMB clearance is needed.

Currently has OMB Clearance. Clearance No.

Comments:

No clearance is needed as the information collected meets the conditions of 5 CFR 1320.4(a)(32) for an exclusion from the requirements in 5 CFR 1320.3.

Reviewers Name Title Agency Clearance Officer Signed by Hardy, Sally on 09/29/22 Signed by Cullison, David on 09/26/22

PIA Template (07-2022)

C.

RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION No record schedule required.

X Additional information is needed to complete assessment.

Needs to be scheduled.

X Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

In regard to GRS 2.3 item 060 Administrative grievance files, the office must select a fixed retention period.

Reviewers Name Title Sr. Program Analyst, Electronic Records Manager D.

BRANCH CHIEF REVIEW AND CONCURRENCE This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Acting Chief Cyber Security Branch Governance and Enterprise Management Services Division Office of the Chief Information Officer Signed by Dove, Marna on 09/28/22 Signed by Partlow, Benjamin on 10/11/22

PIA Template (07-2022)

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/

PRIVACY IMPACT ASSESSMENT REVIEW RESULTS TO: Catherine Scott, Office of the General Counsel Name of System: ArkCase Legal Case Management System Date CSB received PIA for review:

September 19, 2022 Date CSB completed PIA review:

September 29, 2022 Noted Issues:

Acting Chief Cyber Security Branch Governance and Enterprise Management Services Division Office of the Chief Information Officer Signature/Date:

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr.

Director IT Services Development and Operations Division Office of the Chief Information Officer Garo Nalabandian Acting Chief Information Security Officer (CISO)

Office of the Chief Information Officer Signed by Partlow, Benjamin on 10/11/22