ML22285A112

From kanterella
Labor Employment and Contract Law Case Management System Privacy Impact Assessment
ML22285A112
Issue date: 11/17/2022
From: Sally Hardy, Benjamin Partlow (NRC/OCIO)
To: Frost A

U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Labor, Employment, and Contract Law (LECL) Case Management SharePoint Site

Date: October 4, 2022.

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:

The Labor, Employment, and Contract Law (LECL) Case Management SharePoint Site (CMS) is used by the Nuclear Regulatory Commission (NRC) Office of the General Counsel (OGC) to manage labor, employment, personnel security, and contract legal matters relating to the operation and administration of the agency. The SharePoint site allows electronic organizing of legal cases; the site can associate cases with relevant case notes, contact information, documents, reminders, tasks, milestones, and other data in a secure environment.

The underlying infrastructure for SharePoint falls within the Information Technology Infrastructure (ITI) Azure Cloud Services (ACS) FISMA Boundary.

ITI does not own, nor is it responsible for the management of this site including access controls or data stored within it. This SharePoint site is fully owned and managed by the OGC staff.

2. What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commission's (NRC's) mission, and which strategic goal?)

The LECL Case Management SharePoint site supports labor, employment, and personnel security matters for the NRC, and supports the NRC's Human Capital Strategy 4 (Promote a strong NRC internal safety culture with an open, collaborative work environment) and Human Capital Strategy 6 (Strengthen workforce diversity and inclusion).

3. Describe any modules or subsystems, where relevant, and their functions.

None.

a. Provide ADAMS ML numbers for all Privacy Impact Assessments or Privacy Threshold Analysis for each subsystem.

N/A.

PIA Template (07-2022)

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

42 U.S.C. 2201(d), as amended; 5 U.S.C. 3132(a); 5 U.S.C. 4303, as amended; 5 U.S.C. 7503; 29 U.S.C. 633a; 29 U.S.C. 791; 42 U.S.C. 2000e-16; 42 U.S.C. 2165; 15 U.S.C. 631, 644; 31 U.S.C. 3511; 13 CFR 124.501-520; 44 U.S.C. 3301; 48 CFR subpart 4.8; 48 CFR part 19.

5. What is the purpose of the system and the data to be collected?

The system supports the management of legal cases for the NRC involving labor, employment, and personnel security matters.

6. Points of Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Role: Name, Office/Division/Branch, Telephone

Project Manager: Yana Shnayder, OGC/LHE/PSB, 301-287-0706
Business Project Manager: N/A, N/A, N/A
Technical Project Manager: Catherine Scott, OGC/LRAA/LECL, 301-287-9151; Rebecca Susko, 301-415-0032
Executive Sponsor: Catherine Scott, OGC/LRAA/LECL, 301-287-9151
ISSO: Julie Hughes, OCIO/GEMSD/CSB/IAT, 301-287-9277
System Owner/User: Thomas Ashley, OCIO/SDOD, 301-415-8700

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. [ ] New System [ ] Modify Existing System [X] Other: SharePoint site was created to replace ArkCase
b. If modifying or making other updates to an existing system, has a PIA been prepared before?

No.

(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

Data was previously stored in ArkCase Legal Case Management System, a subsystem of Third-Party System (TPS). The ArkCase PIA was approved on October 11, 2022, ML22259A149.

(2) If yes, provide a summary of modifications or other changes to the existing system.

N/A.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

The LECL Case Management SharePoint site falls within Information Technology Infrastructure ACS boundary. The ITI EA number is 20090005.

a. If yes, please provide the EA/Inventory number.

The ITI EA number is 20090005.

b. If, no, please contact EA Service Desk to get the EA/Inventory number.

N/A.


B. INFORMATION COLLECTED AND MAINTAINED These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensees, etc.)).

Federal employees, former employees, and job applicants for Federal government.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g., Social Security Number (SSN), Place of Birth, Name, Address)?

Potentially: name; position; grade; home address and phone number; cell phone number; personal email address; family information; Electronic Official Personnel Folder (eOPF) information; reasonable accommodation information; Equal Employment Opportunity (EEO) complaints; disciplinary actions; performance-related actions; security clearance actions. May also include SSN and health- and genetic-related information.

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

Yes. In some circumstances information has been collected from third party credit services, other Federal employees or non-Federal witnesses, other government entities and competitor companies/vendors, and the OIG.

(1) If yes, what information is being collected?

Potentially: name; position; grade; home address and phone number; cell phone number; personal email address; family information; Electronic Official Personnel Folder (eOPF) information; reasonable accommodation information; Equal Employment Opportunity (EEO) complaints; disciplinary actions; performance-related actions; security clearance actions.

d. Will the information be collected from individuals who are not Federal employees?

Yes. The information may be collected from applicants for employment and former employees. The information may also be collected from third parties.

(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?

No clearance is needed as the information collected meets the conditions of 5 CFR 1320.4(a)(2) for exclusion from the requirements in 5 CFR 1320.3.

(a) If yes, indicate the OMB approval number:

N/A.

e. Is the information being collected from existing NRC files, databases, or systems?

Yes. In some cases, it may, but it depends on the type of case.

(1) If yes, identify the files/databases/systems and the information being collected.

Possibly Office of the Chief Human Capital Officer (OCHCO) personnel records; union grievances; eOPF files; personnel security files; Small Business and Civil Rights (SBCR) case files; contract materials from STAQs; Office of the Inspector General (OIG) reports of investigation. It depends on the type of case.

f. Is the information being collected from external sources (any source outside of the NRC)?

Yes. In some cases, it may, but it depends on the type of case.

(1) If yes, identify the source and what type of information is being collected?

Legal documents possibly from the Equal Employment Opportunity Commission (EEOC); Merit Systems Protection Board (MSPB); Federal Labor Relations Authority (FLRA); General Services Administration (GSA); Government Accountability Office (GAO); Small Business Administration (SBA); hearing adjudicators; arbitrators; witnesses; outside attorneys; former employees via personal email; job applicants.


g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

If information not collected directly from the subject individual forms the basis of the matter, the individual would in most circumstances be able to address or contest its validity. Cases may involve current or former NRC employees with NRC personnel records or contract material maintained in STAQs.

h. How will the information be collected (e.g. form, data transfer)?

Information will primarily be in documents (e.g., .pdf, .doc, .msg, or .jpeg files) that are transferred via email, downloaded from platforms supported by other administrative bodies, or already held in existing NRC records on NRC IT systems.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).

Paperwork related to cases; other relevant cases (i.e., from Westlaw); calendars (attorney appointments); court documents; transcripts; testimony; briefs; drafts; emails.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

Information can possibly come from EEOC; MSPB; FLRA; hearing adjudicators; arbitrators; outside attorneys; current employees; witnesses; former employees via personal email; job applicants.

C. USES OF SYSTEM AND INFORMATION These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

To process and track labor, employment, and personnel security matters related to claims filed against the NRC.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes, the data is relevant and necessary for legal case management.


3. Who will ensure the proper use of the data in this system?

The SharePoint site will have limited access/permissions to attorneys in the Office of the General Counsel (OGC) who have authorization and need to know.

4. Are the data elements described in detail and documented?

Yes, the data elements are described within the SharePoint site. Below is a list of all data fields captured on the site.

Field: Description

Case Name: Descriptive name given to case
Case ID #: ID # given to case from external administrative body (i.e., EEOC, MSPB), court, or SBCR
OGC Case #: ID # automatically generated from the SharePoint site when case information is entered into list
Region: NRC Region from which the case originated
Case Type: Type of case being processed (i.e., EEO, misconduct, grievance, contract dispute)
Forum: Administrative body or tribunal the case is before (i.e., EEOC, MSPB, federal court, arbitration)
Status: Designation of whether the case is OPEN or CLOSED
Stage: Designation of the general stage of the litigation process that the case is currently in
Case Initiated (date): Date the case was formally OPENED
Case Closed (date): Date the case was formally CLOSED
Attorney: Attorney(s) assigned to case
Judge: Judge assigned to case
Judge email: Judge's email
Likelihood of Unfavorable Outcome: Designation of the likelihood of an unfavorable outcome, either: probable, reasonably possible, or remote. Note: This field corresponds to the designation provided on the "PENDING OR THREATENED LITIGATION" form required as part of NRC's financial audit process
Estimated Potential Loss: Dollar estimate of the amount or range of potential loss (for cases designated with probable and reasonably possible likelihood of unfavorable outcome). Note: This field corresponds to the estimate provided on the "PENDING OR THREATENED LITIGATION" form required as part of NRC's financial audit process
Notes: Any relevant notes on the case provided by the attorney(s)
Case Files: SharePoint document library where attorneys collect all relevant case files

a. If yes, what is the name of the document that contains this information and where is it located?

N/A.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

Yes.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e., tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

The data will be maintained in the LECL Case Management SharePoint Site for legal case files. Monthly and ad hoc reports will be run and the data shared with OGC staff and management with a valid need to know.

b. How will aggregated data be validated for relevance and accuracy?

OGC personnel validate aggregated data for relevance and accuracy.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

NRC Cleared users authenticate via ICAM to the O365 environment (PIV login) and specific access to the SharePoint site is managed through SharePoint permissions set by the SP owners. SharePoint owners are responsible for quarterly review of the permissions.
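The quarterly permission review described above is only as good as the inventory it starts from, and a SharePoint site has three places where access can be granted: role assignments on the site itself, membership of the site's SharePoint groups, and individual folders or files in a document library that have broken permission inheritance. As an added example (not part of the NRC PIA and not NRC's own tooling), the PowerShell script below uses the PnP.PowerShell module to pull all three for one SharePoint Online site into a single CSV that a site owner can review and diff against the previous quarter. The site URL and output path are placeholders; the library name "Case Files" is taken from the field list in section C.4; the PnP.PowerShell module, an interactive sign-in that goes through the tenant's identity provider (the PIV-backed ICAM login in the NRC case), and site-owner rights for the person running it are assumptions.

```powershell
# Added example: permission inventory to support the quarterly SharePoint review.
# Not part of the NRC PIA. Assumes the PnP.PowerShell module is installed and that
# the account running it is a site owner. Site URL and output path are placeholders.
param(
    [string]$SiteUrl     = "https://tenant.sharepoint.com/sites/LECL-CMS",  # placeholder
    [string]$LibraryName = "Case Files",                                    # library named in the PIA field list
    [string]$OutFile     = ".\spo-permission-review.csv"                    # placeholder
)

Import-Module PnP.PowerShell -ErrorAction Stop
# Interactive sign-in is redirected to the tenant's identity provider (PIV via ICAM at NRC).
Connect-PnPOnline -Url $SiteUrl -Interactive

$rows = New-Object System.Collections.Generic.List[object]

# 1. Site-level role assignments: which principal holds which role on the site itself.
$web = Get-PnPWeb -Includes RoleAssignments
foreach ($ra in $web.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $rows.Add([pscustomobject]@{
        Scope     = "Site"
        Principal = $ra.Member.Title
        Type      = $ra.Member.PrincipalType      # User, SharePointGroup, SecurityGroup, ...
        Roles     = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join "; "
    })
}

# 2. Expand each SharePoint group so the reviewer sees individual accounts, not group names.
foreach ($g in Get-PnPGroup) {
    foreach ($m in Get-PnPGroupMember -Group $g) {
        $rows.Add([pscustomobject]@{
            Scope     = "Group: $($g.Title)"
            Principal = $m.LoginName
            Type      = $m.PrincipalType
            Roles     = ""
        })
    }
}

# 3. Items in the case-file library that have unique permissions (broken inheritance).
#    These grants are invisible in the site groups and are the ones most often missed.
foreach ($item in Get-PnPListItem -List $LibraryName -PageSize 500 -Fields "FileRef") {
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if ($unique) {
        $rows.Add([pscustomobject]@{
            Scope     = "Item"
            Principal = $item["FileRef"]
            Type      = "UniquePermissions"
            Roles     = ""
        })
    }
}

$rows | Export-Csv -NoTypeInformation -Path $OutFile
Disconnect-PnPOnline
```

Run it as a site owner at the start of each review and compare the CSV with the previous quarter's file. Any account that is not in the user groups listed in section F (OGC/LECL attorneys, the Deputy General Counsel, authorized PSB staff and authorized administrative assistants), and any row in the Item scope, is something the owner should be able to justify or remove before signing off.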

6. Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)?

Yes.


a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual. (Be specific.)

By individual name, case number, or document number.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

Yes.

Note - all records maintained in this system are duplicate records.

a. If Yes, provide name of SORN and location in the Federal Register.

NRC-8: Employee Disciplinary Actions, Appeals, Grievances, and Complaints Records. Republication of Systems of Records Notices, December 27, 2019 (84 FR 71536). This notice states: "Duplicate system: A duplicate system may be maintained, in whole or in part, in the Office of the General Counsel."

NRC-41: Tort Claims and Personal Property Claims Records
EEOC/GOVT-1: Equal Employment Opportunity in the Federal Government Complaint and Appeal Records
OPM/GOVT-1: General Personnel Records
OPM/GOVT-2: Employee Performance File System Records
OPM/GOVT-5: Recruiting, Examining, and Placement Records

8. If the information system is being modified, will the SORN(s) require amendment or revision?

No.

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

N/A.

(1) What controls will be used to prevent unauthorized monitoring?

N/A.


10. List the report(s) that will be produced from this system.

Number of cases by case type, by status (open or closed) or by attorney; type of case; cases involving named individual.

a. What are the reports used for?

Litigation status updates; workload planning; trends.

b. Who has access to these reports?

The Office of the General Counsel / Labor, Employment, and Contract Law (OGC/LECL) attorneys; the Deputy General Counsel for Legislation, Rulemaking and Agency Administration; authorized staff from the OGC Program Support Branch (OGC/PSB); and authorized administrative assistants.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

Only staff within OGC will have access. This includes OGC/LECL attorneys; the Deputy General Counsel for Legislation, Rulemaking and Agency Administration; authorized staff from OGC PSB and authorized administrative assistants within OGC.

(1) For what purpose?

Legal case management.

(2) Will access be limited?

Yes.

2. Will other NRC systems share data with or have access to the data in the system?

No.

(1) If yes, identify the system(s).

N/A.

(2) How will the data be transmitted or disclosed?

N/A.


3. Will external agencies/organizations/public have access to the data in the system?

No.

(1) If yes, who?

N/A.

(2) Will access be limited?

N/A.

(3) What data will be accessible and for what purpose/use?

N/A.

(4) How will the data be transmitted or disclosed?

N/A.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have an approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules (GRS)?

Yes.

b. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1). For example, will the records or a composite thereof be deleted once they reach their approved retention, or exported to an approved file format for transfer to the National Archives based on their approved disposition?

Data in the Case Management SharePoint Online (SPO) site maps to the following schedules (new GRS citation and description, followed by the new GRS retention):

GRS 1.1 item 010 - Financial transaction records related to procuring goods and services, paying bills, collecting debts, and accounting: Temporary. Destroy 6 years after final payment or cancellation, but longer retention is authorized if required for business use.

GRS 1.1 item 011 - Financial transaction records related to procuring goods and services, paying bills, collecting debts, and accounting - all other copies: Temporary. Destroy when business use ceases.

GRS 1.1 item 060 - Contract appeals case files: Temporary. Destroy 1 year after final resolution, but longer retention is authorized if required for business use.

GRS 1.1 item 080 - Administrative claims by or against the United States: Temporary. Destroy 7 years after final action, but longer retention is authorized if required for business use.

GRS 2.1 item 050 - Job vacancy case files: Temporary. Destroy 2 years after selection certificate is closed or final settlement of any associated litigation, whichever is later.

GRS 2.1 item 090 - Interview records: Temporary. Destroy 2 years after case is closed by hire or non-selection, expiration of right to appeal a non-selection, or final settlement of any associated litigation, whichever is later.

GRS 2.3 item 110 - EEO official discrimination complaint case files - informal process: Temporary. Destroy 3 years after resolution of case, but longer retention is authorized if required for business use.

GRS 2.3 item 111 - EEO official discrimination complaint case files - formal process: Temporary. Destroy 7 years after resolution of case, but longer retention is authorized if required for business use.

GRS 2.3 item 070 - ADR case files - informal process: Temporary. Destroy 3 years after case is closed, but longer retention is authorized if required for business use.

GRS 2.3 item 071 - ADR case files - formal process: Temporary. Destroy 7 years after case is closed, but longer retention is authorized if required for business use.

GRS 2.3 item 060 - Administrative grievance, disciplinary, performance-based, and adverse action case files: Temporary. Destroy no sooner than 4 years but no later than 7 years after case is closed or final settlement on appeal, as appropriate.

GRS 2.3 item 080 - Merit Systems Protection Board (MSPB) case files: Temporary. Destroy 3 years after final resolution of case, but longer retention is authorized if required for business use.

GRS 2.3 item 090 - Labor arbitration (negotiated grievance procedure) case records: Temporary. Destroy 3 years after close of case, but longer retention is authorized if required for business use.

GRS 2.3 item 100 - Federal Labor Relations Authority (FLRA) case files: Temporary. Destroy 3 years after final resolution of case, but longer retention is authorized if required for business use.

c. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

NRC Cleared users authenticate via ICAM to the O365 environment (PIV login) and specific access to the SharePoint site is managed through SharePoint permissions set by the SP owners. SharePoint owners are responsible for quarterly review of the permissions.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

NRC Cleared users authenticate via ICAM to the O365 environment (PIV login) and specific access to the SharePoint site is managed through SharePoint permissions set by the SP owners. SharePoint owners are responsible for quarterly review of the permissions.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

No. SharePoint usage rules apply, and access restrictions are controlled by LECL staff and Site Owners. Access to the site will be reviewed at least quarterly or as roles and personnel change.

(1) If yes, where?

N/A.

4. Will the system be accessed or operated at more than one location (site)?

No, the site is only accessed via the NRC production network.

a. If yes, how will consistent use be maintained at all sites?

A user guide has been generated to ensure consistent use.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

OGC/LECL attorneys; the Deputy General Counsel for Legislation, Rulemaking and Agency Administration; authorized staff from OGC PSB and authorized administrative assistants within OGC.

6. Will a record of their access to the system be captured?

Yes. Updates, edits and additional documents added to the site are tracked and date and time stamped with username. SharePoint inherently performs this action.

a. If yes, what will be collected?

Updates, edits and additional documents added to the site are tracked and date and time stamped with username.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes, NRC badged contractors may be involved in future maintenance of the site.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

The PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), should be included in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

See answer F.6 above for a description of the auditing features. In addition, site access is limited to those with a business need to access the system. Access permissions will be reviewed periodically.

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

Yes. Use of SharePoint is authorized under the ITI ACS (M365) Subsystem. Full ATO granted on 7/24/2018.

a. If yes, when was Assessment and Authorization last completed? And what FISMA system is this part of?

Use of SharePoint is authorized under the ITI ACS (M365) Subsystem. Full ATO granted on 7/24/2018.

b. If no, is the Assessment and Authorization in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?

N/A.

c. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Office's (CSO's) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.

N/A.


PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: Labor, Employment, and Contract Law (LECL) Case Management SharePoint Site.

Submitting Office: Office of the General Counsel.

A. PRIVACY ACT APPLICABILITY REVIEW

[ ] Privacy Act is not applicable.
[X] Privacy Act is applicable.

Comments:

Covered under System of Records, NRC-8, Employee Disciplinary Actions, Appeals, Grievances, and Complaints Records.

Reviewer's Name / Title: Signed by Hardy, Sally, Privacy Officer, on 11/09/22

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

[X] No OMB clearance is needed.

[ ] OMB clearance is needed.
[ ] Currently has OMB Clearance. Clearance No.

Comments:

No clearance is needed as the information collected appears to meet the conditions of 5 CFR 1320.4(a)(2) for an exclusion from the requirements in 5 CFR 1320.3.

Reviewer's Name / Title: Signed by Cullison, David, Agency Clearance Officer, on 10/20/22

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

[ ] No record schedule required.
[ ] Additional information is needed to complete assessment.
[ ] Needs to be scheduled.
[X] Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name / Title: Signed by Dove, Marna, Sr. Program Analyst, Electronic Records Manager, on 10/26/22

D. BRANCH CHIEF REVIEW AND CONCURRENCE

[X] This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

[ ] This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Signed by Partlow, Benjamin, Acting Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer, on 11/17/22

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT / PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Office of the General Counsel

Name of System: Labor, Employment, and Contract Law (LECL) Case Management SharePoint Site

Date CSB received PIA for review: October 12, 2022
Date CSB completed PIA review: November 2, 2022

Noted Issues:

Historical Info: Previously MyCase Legal Case Management System (ML14268A299), then ArkCase Legal Case Management System (ML22259A159).

Acting Chief Signature/Date: Signed by Partlow, Benjamin, Acting Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer, on 11/17/22

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr., Director, IT Services Development and Operations Division, Office of the Chief Information Officer

Garo Nalabandian, Acting Chief Information Security Officer (CISO), Office of the Chief Information Officer