ML23031A235
Person / Time | |
---|---|
Issue date: | 03/07/2023 |
From: | Benjamin Partlow NRC/OCIO/GEMSD/CSB |
To: | Hughes J |
U.S. Nuclear Regulatory Commission
Privacy Impact Assessment
Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.
Please do not enter the PIA document into ADAMS. An ADAMS accession number will be assigned through the e-Concurrence system which will be handled by the Privacy Team.
Office of International Programs (OIP)
Passports & Visa Registration Database
Date: January 12, 2023.
A. GENERAL SYSTEM INFORMATION
- 1. Provide a detailed description of the system: (Use plain language, no technical terms.)
The list is a repository of the agency's passport and visa registrations needed to support the Nuclear Regulatory Commission (NRC) international travel consistent with U.S. government requirements. The site is in NRC's SharePoint Online and the list has need-to-know, limited/restricted access.
- 2. What agency function does it support? (How will this support the U.S. NRC's mission, which strategic goal?)
Per YA-17-0016, official (business) passports are mandatory to support international travel on behalf of the NRC. Per YA-20-0056, these passports should be used as a form of identification instead of PIV cards, which cannot be used while on travel. DOS also requires visas for certain countries.
International travel is needed to support the agency's International Strategy (ML21125A423 and ML21236A120).
- 3. Describe any modules or subsystems, where relevant, and their functions.
N/A. This list is in NRC's SharePoint Online.
- a. Provide ADAMS ML numbers for all Privacy Impact Assessments or Privacy Threshold Analysis for each subsystem.
N/A.
PIA Template (09-2022)
- 4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)
The U.S. Department of State requires the use of official passports and visas for Federal employees conducting international travel. This requirement is documented in YA-17-0016. YA-20-0056 also states that these passports should be used as a form of identification instead of PIV cards, which cannot be used while on travel. International travel is needed to support the agency's International Strategy (ML21125A423 and ML21236A120).
- 5. What is the purpose of the system and the data to be collected?
The list is a repository of the agency's passport and visa registrations needed to support NRC international travel consistent with U.S. government requirements.
Per YA-17-0016, official (business) passports are mandatory to support international travel on behalf of the NRC.
- 6. Points of Contact:
(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)
Role | Name | Office/Division/Branch | Telephone |
---|---|---|---|
Project Manager | N/A | | |
Business Project Manager | N/A | | |
Technical Project Manager | N/A | | |
Executive Sponsor | David Skeen | OIP, Acting Director | 301-287-9056 |
ISSO | Julie Hughes | OCIO/GEMSD/CSB/IAT | 301-287-9277 |
System Owner/User | Stanley Freeman | OIP / International Operations Branch | 301-287-9058 |
System Owner/User | Clarence Breskovic | OIP / International Operations Branch | 301-287-9086 |
System Owner/User | David Humerick | OIP / International Operations Branch | 301-287-0544 |
- 7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
- a. New System
Modify Existing System
X Other (This is a collection)
- b. If modifying or making other updates to an existing system, has a PIA been prepared before?
No.
(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.
N/A.
(2) If yes, provide a summary of modifications or other changes to the existing system.
N/A.
- 8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?
Yes.
- a. If yes, please provide the EA/Inventory number.
20090005 (ITI EA Number).
- b. If, no, please contact EA Service Desk to get the EA/Inventory number.
B. INFORMATION COLLECTED AND MAINTAINED
These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.
- 1. INFORMATION ABOUT INDIVIDUALS
- a. Does this system maintain information about individuals?
Yes.
(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).
Names of Federal employees.
(2) IF NO, SKIP TO QUESTION B.2.
- b. What information is being maintained in the system about an individual (be specific - e.g., Social Security Number (SSN), Place of Birth, Name, Address)?
Name, Official business passport numbers, passport issuance date, and passport expiration date. Issued visas (country name and expiration date only).
- c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)
No. The information for business passport numbers and visas is assigned by the Department of State and provided to OIP via courier. OIP uses the information provided by the Department of State and inputs it into the OIP Database.
(1) If yes, what information is being collected?
N/A.
- d. Will the information be collected from individuals who are not Federal employees?
No.
(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?
N/A.
(a) If yes, indicate the OMB approval number:
N/A.
- e. Is the information being collected from existing NRC files, databases, or systems?
No.
(1) If yes, identify the files/databases/systems and the information being collected.
N/A.
- f. Is the information being collected from external sources (any source outside of the NRC)?
Yes.
(1) If yes, identify the source and what type of information is being collected?
The information for business passport numbers and visas is assigned by the Department of State and provided to OIP via courier.
OIP uses the information provided by the Department of State and inputs it into the OIP Database.
- g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?
Passport numbers and visas are validated against the information provided by the Department of State.
- h. How will the information be collected (e.g. form, data transfer)?
Passport numbers and visas are provided by the Department of State.
The individual has to complete the Department of State form and provide the completed form to OIP; OIP then sends the completed form to the Department of State via courier. OIP does not get a copy of the form.
- 2. INFORMATION NOT ABOUT INDIVIDUALS
- a. Will information not about individuals be maintained in this system?
No.
(1) If yes, identify the type of information (be specific).
N/A.
- b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.
N/A.
C. USES OF SYSTEM AND INFORMATION
These questions will identify the use of the information and the accuracy of the data being used.
- 1. Describe all uses made of the data in this system.
The list is a repository of the agency's business passport and visa registrations needed to support NRC international travel consistent with U.S. government requirements.
- 2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?
Yes.
- 3. Who will ensure the proper use of the data in this system?
OIP. This list is only need-to-know and it has restricted/limited access.
- 4. Are the data elements described in detail and documented?
No. This is a basic/simple list documenting minimal passport and visa details from employees.
- a. If yes, what is the name of the document that contains this information and where is it located?
N/A.
- 5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
No.
Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.
Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).
- a. If yes, how will aggregated data be maintained, filed, and utilized?
N/A.
- b. How will aggregated data be validated for relevance and accuracy?
N/A.
- c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?
N/A.
- 6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)
Yes, by individual's name.
- a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.
Individuals' names.
- 7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?
Yes. It was previously NRC 20 Official Travel Records, and has been replaced with the government-wide SORN GSA/Govt-4 Contracted Travel Services Program.
- a. If Yes, provide name of SORN and location in the Federal Register.
GSA/Govt-4 Contracted Travel Services Program.
- 8. If the information system is being modified, will the SORN(s) require amendment or revision?
No.
- 9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?
No.
- a. If yes, explain.
N/A.
(1) What controls will be used to prevent unauthorized monitoring?
N/A.
- 10. List the report(s) that will be produced from this system.
OIP Expiration Report.
- a. What are the reports used for?
Yes, the OIP Expiration Report includes only the traveler's name and expiration date for passport and visa (passport number is not included).
- b. Who has access to these reports?
The OIP Expiration Report will be available agency-wide (no Personally Identifiable Information (PII) is included in this report).
D. ACCESS TO DATA
- 1. Which NRC office(s) will have access to the data in the system?
OIP and OCIO.
(1) For what purpose?
OIP with a need to know. OCIO has limited access for normal SharePoint maintenance purposes. If needed, OCIO is provided access to update the list structure.
(2) Will access be limited?
Yes, the list already has limited access. Only a handful of NRC staff with a need to know can use it.
- 2. Will other NRC systems share data with or have access to the data in the system?
Yes.
(1) If yes, identify the system(s).
The OIP database will transmit only the staff's name and his/her passport/visa expiration dates to the NRC International Cooperation and Engagement (NICE) SharePoint. This information is not considered PII and is already available in NICE. There is a workflow to transmit the staff's name and passport and visa expiration date automatically (no PII is transmitted; passport numbers are not transmitted).
(2) How will the data be transmitted or disclosed?
There is an automated workflow to transmit the passport/visa expiration date to NICE. No PII information will be transmitted or shared.
- 3. Will external agencies/organizations/public have access to the data in the system?
No.
(1) If yes, who?
N/A.
(2) Will access be limited?
N/A.
(3) What data will be accessible and for what purpose/use?
N/A.
(4) How will the data be transmitted or disclosed?
N/A.
- 4. Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).
None.
C. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL
The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.
- 1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules (GRS)?
Yes.
- a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).
General Records Schedule 9 - Item 5 (Records Related to Official Passports) has been superseded by GRS 2.2 - Employee Management Records and includes the following:
Old GRS and Item | Current GRS and Item | Current Disposition |
---|---|---|
GRS 9 item 5.a - Application Files | GRS 2.2 item 090 - Records related to official passports. Application records. For this PIA, GRS 2.2 item 091 is the best fit for the Register records. | Temporary. Destroy when 3 years old or upon employee separation or transfer, whichever is sooner; but longer retention is authorized if required for business use. |
GRS 9 item 5.b - Annual Reports Containing Official Passports | GRS 2.2 item 010 - Employee management administrative records | Temporary. Destroy when 3 years old, but longer retention is authorized if required for business use. |
GRS 9 item 5.c - Passport Registers | GRS 2.2 item 010 - Employee management administrative records | Temporary. Destroy when 3 years old, but longer retention is authorized if required for business use. |
| GRS 2.2 item 091 - Records related to official passports. Official passport registers | Temporary. Destroy when superseded or obsolete. |
For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?
- b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.
D. TECHNICAL ACCESS AND SECURITY
- 1. Describe the security controls used to limit access to the system (e.g., passwords).
Active Directory and SharePoint security groups. Only a handful of staff in the agency, with a need-to-know, have access to the list.
- 2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?
The list has access/restricted control and is available only when there is a need-to-know. General SharePoint users do not have access or privileges to browse the information.
- 3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?
The Agency's Passport Specialist is responsible for managing and safeguarding the information. This is included in his/her roles and responsibilities.
(1) If yes, where?
Position roles/responsibilities.
- 4. Will the system be accessed or operated at more than one location (site)?
No.
- a. If yes, how will consistent use be maintained at all sites?
N/A.
- 5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?
OIP and OCIO, for those that have a need to know.
- 6. Will a record of their access to the system be captured?
Yes.
- a. If yes, what will be collected?
Only the following SharePoint security groups have access: site owners and members (i.e., Agency's Passport Specialist, the first line supervisor, and one support staff). There's no visitor access.
- 7. Will contractors be involved with the design, development, or maintenance of the system?
Yes, OCIO support, but temporarily and only when there's a need for maintenance.
If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.
Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.
- 8. What auditing measures and technical safeguards are in place to prevent misuse of data?
SharePoint features allow the NRC to identify users that access and modify the list and its fields. SharePoint also has the capability to version control. This information can be audited and reviewed, as needed. In addition, GAO may conduct audits of the agency's International Program, which may include managing passport records.
- 9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?
This list is in the NRC's SharePoint Online environment and operates under the SharePoint/ITI FISMA requirements.
- a. If yes, when was Assessment and Authorization last completed? And what FISMA system is this part of?
Part of ITI received an Ongoing Authority to Operate (ATO) on 9/29/2021.
- b. If no, is the Assessment and Authorization in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?
N/A.
- c. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Office's Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.
N/A.
PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)
System Name: OIP's Passports & Visa Registration Database
Submitting Office: Office of International Programs (OIP)
A. PRIVACY ACT APPLICABILITY REVIEW
Privacy Act is not applicable.
X Privacy Act is applicable.
Comments:
Information is covered under GSA/Govt-4 Contracted Travel Services Program.
Reviewer's Name: Signed by Hardy, Sally on 02/28/23
Title: Privacy Officer
B. INFORMATION COLLECTION APPLICABILITY DETERMINATION
X No OMB clearance is needed.
OMB clearance is needed.
Currently has OMB Clearance. Clearance No.
Comments:
The collection of information that is housed in this system is exempt from the requirements of the Paperwork Reduction Act (5 CFR 1320.3(c)(4)).
Reviewer's Name: Signed by Cullison, David on 02/01/23
Title: Agency Clearance Officer
C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION
No record schedule required.
Additional information is needed to complete assessment.
Needs to be scheduled.
X Existing records retention and disposition schedule covers the system - no modifications needed.
Comments:
Reviewer's Name: Signed by Dove, Marna on 02/15/23
Title: Sr. Program Analyst, Electronic Records Manager
D. BRANCH CHIEF REVIEW AND CONCURRENCE
X This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.
I concur in the Privacy Act, Information Collections, and Records Management reviews:
Signed by Partlow, Benjamin on 03/07/23
Acting Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer
TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS
TO: David Skeen, Acting Director, OIP
Name of System: OIP's Passports & Visa Registration Database
Date CSB received PIA for review: | Date CSB completed PIA review: |
---|---|
March 7, 2023 | February 28, 2023 |
Noted Issues:
Requested OGC's review to confirm GSA/Govt-4 Contracted Travel Services Program would cover this information. OGC agrees that this government-wide SORN covers the information OIP maintains. If any changes are made to the information being maintained, the PIA would need to be updated and reviewed to determine if the changes create any new privacy concerns.
Signature/Date: Signed by Partlow, Benjamin on 03/07/23
Acting Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer
Copies of this PIA will be provided to:
Gwen Hayden
Acting Director
IT Services Development and Operations Division
Office of the Chief Information Officer
Garo Nalabandian
Chief Information Security Officer (CISO)
Office of the Chief Information Officer