ML23059A065

NRC International Cooperation and Engagements (NICE) Privacy Impact Assessment (PIA)
ML23059A065
Issue date: 02/28/2023
From: NRC/OCIO/SDOD
To: Alston J


Text

U.S. Nuclear Regulatory Commission

Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Please do not enter the PIA document into ADAMS. An ADAMS accession number will be assigned through the e-Concurrence system which will be handled by the Privacy Team.

NRC International Cooperation and Engagements (NICE)

Date: February 28, 2023.

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system: (Use plain language, no technical terms.)

NICE is the agencywide system used to monitor international meeting requests.

NICE helps execute the agency's International Strategy and contributes to the strategic performance goals of the Nuclear Regulatory Commission (NRC). NICE also allows the various offices to project international travel budget needs and disseminate achieved results and benefits to the organization.

2. What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commission's (NRC's) mission, which strategic goal?)

The NRC is well-respected internationally. The Agency's International Strategy builds directly on the Commission's 2014 International Policy Statement, and it's tied to multiple NRC Strategic Plan strategies. The International Strategy has 5 strategic objectives:

1. Excel in executing the NRC's legally mandated activities.
2. Integrate NRC international activities with broader U.S. Government foreign policy priorities.
3. Partner with countries of strategic importance to the U.S. Government to help advance NRC's domestic activities.
4. Demonstrate leadership through involvement in key activities in which the NRC is advanced in its thinking or progress.
5. Assist countries developing or strengthening their regulatory programs.

NICE helps execute the International Strategy by serving as the tool for planning, approving, and tracking agencywide international engagements. NICE is also key in allowing the NRC to budget and prioritize our activities. NICE also helps document meeting outcomes and international commitments.

PIA Template (09-2022)

3. Describe any modules or subsystems, where relevant, and their functions.

N/A. NICE is in NRC's SharePoint online.

a. Provide ADAMS ML numbers for all Privacy Impact Assessments or Privacy Threshold Analysis for each subsystem.

N/A.

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

NICE is an internal tool created to assist in the execution of the International Strategy. The idea for developing NICE (formerly known as i-Travel) stemmed from a need expressed by the agency's International Council Working Group (ICWG) for there to be agencywide coordination of international travel to minimize duplication of work and help improve the efficiency in executing our strategic goals. Throughout the years, the capabilities of NICE have expanded to meet the vision of having a one-stop shop for the execution of international engagements.

NICE is the tool used to implement the U.S. Department of State (DOS) requirements to track and manage international travel and engagements. NICE is also used to execute international travel requirements and expectations documented in the Office of the Executive Director for Operations (OEDO)-0290.

5. What is the purpose of the system and the data to be collected?

NICE is a planning, budgeting, and knowledge management tool. Offices enter all proposed international engagements in the system, including the desired outcome and NRC's roles. Management reviews the proposed plan and uses this information to determine which engagements to approve, delay, or combine, taking into consideration budget constraints and agency/government strategic priorities. NICE is the agencywide repository for all pre-meeting notifications and meeting summaries (see OEDO-0290 travel requirements). To help execute OEDO-0290, NICE sends key reminders to the staff. NICE also contains a guidance library (e.g., checklists and travel announcements) and monitors the status of travel requirements established by DOS (e.g., travel training certificates).

NICE has proven to be very valuable and has dramatically increased the coordination and strategic planning of international engagements by the staff and management.

It should be noted that NICE is not a duplication of ETS2. ETS2 and NICE have two separate purposes. ETS2 is an official agency system to submit travel authorizations, book flights and hotels, and submit travel vouchers. The tools and features in NICE cannot be integrated in ETS2, and vice versa, the tools and features in ETS2 cannot be integrated in NICE.


6. Points of Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Project Manager: Jordon Alston. Office/Division/Branch: OCIO/SDOD/ADSB. Telephone: 301-415-4085.

Business Project Manager: Veronica Rodriguez Alfonso. Office/Division/Branch: NRR. Telephone: 301-415-1006.

Technical Project Manager: N/A. Office/Division/Branch: N/A. Telephone: N/A.

Executive Sponsor: David Skeen. Office/Division/Branch: OIP, Director. Telephone: 301-287-9056.

ISSO: Luc Phuong. Office/Division/Branch: OCIO/GEMSD/CSB/IAT. Telephone: 301-415-1103.

System Owner/User: Tom Ashley. Office/Division/Branch: OCIO. Telephone: 301-415-0771.

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. New System X Modify Existing System Other
b. If modifying or making other updates to an existing system, has a PIA been prepared before?

PIA has not been prepared before as the application did not contain Personally Identifiable Information (PII). NICE is a part of the Reactor Program Application System (RPAS) subgroup. A PTA has been created for RPAS, which includes NICE.


(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

RPAS PTA - ADAMS Main Library (ML) ML20009C762.

(2) If yes, provide a summary of modifications or other changes to the existing system.

Previously, NRC Form 445 and NRC Form 447 were used. These forms are covered by System of Records Notice (SORN) GSA/Govt-4 Contracted Travel Services Program.

NICE will be used to collect and transmit this information electronically vs. via the forms. Moving forward, the forms will only be used by contractors.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes.

a. If yes, please provide the EA/Inventory number.

20090005 (ITI EA Number).

b. If no, please contact EA Service Desk to get the EA/Inventory number.

N/A.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes, the employee's emergency contact (name, phone number only).


(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).

Federal employees

General public (i.e., federal employee's family member)

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?

Employee business information and their emergency contact (name, phone number only).

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

No. The employee provides the emergency contact (name, phone number only).

(1) If yes, what information is being collected?

N/A.

d. Will the information be collected from individuals who are not Federal employees?

No.

(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?

N/A.

(a) If yes, indicate the OMB approval number:

N/A.

e. Is the information being collected from existing NRC files, databases, or systems?

No. The information was previously provided via NRC Form 445 and NRC Form 447. Moving forward the information will be entered by the Federal employee directly in NICE. The forms will only be used by contractors.


(1) If yes, identify the files/databases/systems and the information being collected.

N/A.

f. Is the information being collected from external sources (any source outside of the NRC)?

No.

(1) If yes, identify the source and what type of information is being collected?

N/A.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

The information will be entered by the staff directly into NICE. The staff will be asked to confirm / validate the information is correct before submitting it.

h. How will the information be collected (e.g. form, data transfer)?

The information will be entered by the employees or their delegate directly into NICE.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

No.

(1) If yes, identify the type of information (be specific).

N/A.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

N/A.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.


NICE is a planning, budgeting, and knowledge management tool. Offices enter all proposed international engagements in the system, including the desired outcome and NRC's roles. NICE is used to execute DOS and OEDO international travel requirements.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

3. Who will ensure the proper use of the data in this system?

Each office has identified need-to-know individuals who are responsible for validating data and ensuring accuracy.

4. Are the data elements described in detail and documented?

Yes.

a. If yes, what is the name of the document that contains this information and where is it located?

We have checklists and guidance documents stored in NICE. We also capture design and development guidance documents in JIRA.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A.

b. How will aggregated data be validated for relevance and accuracy?

N/A.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A.


6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

Yes, by individual's name.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

Individuals' names.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

Yes. It was previously NRC 20 Official Travel Records, and has been replaced with the government-wide SORN GSA/Govt-4 Contracted Travel Services Program.

a. If Yes, provide name of SORN and location in the Federal Register.

GSA/Govt-4 Contracted Travel Services Program.

8. If the information system is being modified, will the SORN(s) require amendment or revision?

No.

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

(1) What controls will be used to prevent unauthorized monitoring?

N/A.

10. List the report(s) that will be produced from this system.

Office International Engagement Plan - contains the purpose of the meeting and helps facilitate management approval.

Bi-monthly International Engagement Plan - bi-monthly report submitted to the Commission listing key international engagements.

Metrics report - details if the meeting notices / summaries were submitted on time.

OIP Expiration Report - includes only the traveler's name and expiration date for passport and visa (passport number is not included).


a. What are the reports used for?

See #10.

b. Who has access to these reports?

Agencywide; no PII information is included in these reports.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

Agencywide access is provided. However, access to any PII information is limited to a need-to-know.

(1) For what purpose?

Plan, coordinate, and prioritize international engagements.

(2) Will access be limited?

Yes. Access to data with PII information is limited to a need-to-know.

2. Will other NRC systems share data with or have access to the data in the system?

Yes.

(1) If yes, identify the system(s).

The OIP passport database transmits only the staff's name and his/her passport/visa expiration dates to NICE. This information is not considered PII and is already available in NICE. There is a workflow to transmit the staff's name and passport and visa expiration date automatically (no PII is transmitted; passport numbers are not transmitted).

(2) How will the data be transmitted or disclosed?

There is an automated workflow to transmit the passport/visa expiration date to NICE. No PII information will be transmitted or shared.

3. Will external agencies/organizations/public have access to the data in the system?

No.

(1) If yes, who?

N/A.


(2) Will access be limited?

N/A.

(3) What data will be accessible and for what purpose/use?

N/A.

(4) How will the data be transmitted or disclosed?

N/A.

4. Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

N/A.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules (GRS)?

Yes.


a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).

For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

The previous General Records Schedule (GRS) 9 item 5 has been superseded by the following:

GRS 2.2 item 090: Records related to official passports. Application records. Temporary. Destroy when 3 years old or upon employee separation or transfer, whichever is sooner, but longer retention is authorized if required for business use.

GRS 2.2 item 091: Records related to official passports. Official passport registers. Temporary. Destroy when superseded or obsolete.

GRS 2.2 item 092: Records related to official passports. Official passports of transferred or separated agency personnel. Transfer to new agency or return to State Department upon expiration or upon separation of the employee.

GRS 2.2 item 010: Employee management administrative records. Temporary. Destroy when 3 years old, but longer retention is authorized if required for business use.

Travel in general is covered by GRS 1.1 item 010 - Financial transaction records related to procuring goods and services, paying bills, collecting debts, and accounting. Official records held in the office of record. Temporary. Destroy 6 years after final payment or cancellation, but longer retention is authorized if required for business use.

GRS 1.1 item 011 - All other copies used for administrative or reference purposes. Temporary. Destroy when business use ceases.

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Active Directory and SharePoint security groups.


2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

Information that is considered need-to-know would be safeguarded by using security groups (e.g., approvers list).

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes.

(1) If yes, where?

Position roles/responsibilities.

4. Will the system be accessed or operated at more than one location (site)?

Yes, all NRC offices.

a. If yes, how will consistent use be maintained at all sites?

SharePoint features allow the NRC to identify users that access and modify the list and its fields. SharePoint also has the capability to version control. This information can be audited and reviewed, as needed. In addition, GAO may conduct audits of the agency's International Program, which may include records in this system.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

All employees have access. However, data with PII will be limited to staff with need-to-know.

6. Will a record of their access to the system be captured?

Yes.

a. If yes, what will be collected?

SharePoint features allow the NRC to identify users that access and modify the list and its fields. SharePoint also has the capability to version control. This information can be audited and reviewed, as needed. In addition, GAO may conduct audits of the agency's International Program, which may include records in this system.


7. Will contractors be involved with the design, development, or maintenance of the system?

Yes, the NICE / OCIO contractors work on maintenance and development.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

SharePoint features allow the NRC to identify users that access and modify the list and its fields. SharePoint also has the capability to version control. This information can be audited and reviewed, as needed. In addition, GAO may conduct audits of the agency's International Program, which may include records in this system.

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

This list is in the NRC's SharePoint online environment and operates under the SharePoint/ITI FISMA requirements.

a. If yes, when was Assessment and Authorization last completed? And what FISMA system is this part of?

Part of ITI; received an ongoing authority to operate on 09/29/21.

b. If no, is the Assessment and Authorization in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?

N/A.

c. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Office's (CSO's) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.

N/A.


PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: NRC International Cooperation and Engagements (NICE).

Submitting Office: Office of International Programs.

A. PRIVACY ACT APPLICABILITY REVIEW

Privacy Act is not applicable.

X Privacy Act is applicable.

Comments:

Reviewer's Name: Signed by Hardy, Sally on 03/24/23
Title: Privacy Officer

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

X No OMB clearance is needed.

OMB clearance is needed.

Currently has OMB Clearance. Clearance No.

Comments:

No clearance is needed as long as information is only collected from Federal employees.

Reviewer's Name: Signed by Cullison, David on 03/15/23
Title: Agency Clearance Officer

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

No record schedule required.

Additional information is needed to complete assessment.

Needs to be scheduled.

X Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name: Signed by Dove, Marna on 03/23/23
Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE

This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Signature: Signed by Partlow, Benjamin on 04/06/23
Acting Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT / PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: (Sponsor name and office): Office of International Programs (OIP)

Name of System: NRC International Cooperation and Engagements (NICE)

Date CSB received PIA for review: February 28, 2023

Date CSB completed PIA review: March 24, 2023

Noted Issues:

A privacy act statement needs to be included; the information is covered by government wide System of Record Notice GSA/GOVT4.

Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

Signature/Date: Signed by Partlow, Benjamin on 04/06/23

Copies of this PIA will be provided to:

Gwen Hayden
Acting Director
IT Services Development and Operations Division
Office of the Chief Information Officer

Garo Nalabandian
Chief Information Security Officer (CISO)
Office of the Chief Information Officer