ML24065A285

Privacy Impact Assessment Process Document
ML24065A285
Issue date: 03/01/2024
From: NRC/OCIO, Oasis Systems

U.S. Nuclear Regulatory Commission

Privacy Impact Assessment Process U.S. Nuclear Regulatory Commission (NRC)

Privacy Program

Office of the Chief Information Officer (OCIO)

Version 2.1 March 01, 2024

NRC Privacy Program Version 2.1 Privacy Impact Assessment Process March 01, 2024

Document Revision History

Date | Version | Description | Author
March 01, 2024 | v2.1 | Annual review-minor edits | NRC Privacy Officer; Oasis Systems, LLC
February 28, 2024 | DRAFT v2.1 | Annual review-minor edits | NRC Privacy Officer; Oasis Systems, LLC
March 29, 2023 | 2.0 | Major revisions based on new processes and requirements | NRC Privacy Officer; Oasis Systems, LLC
March 24, 2023 | DRAFT of 2.0 | Major revisions based on new processes and requirements | NRC Privacy Officer; Oasis Systems, LLC
February 2014 | 1.0 | Initial Release | NRC Privacy Officer


Table of Contents

1 Overview

2 When Does a PIA Need to be Completed
2.1 What is PII
2.2 PIA Submittal Process
2.3 When does a PIA need to be updated
2.4 Federal PIA Exemptions
2.4.1 NRC Exemptions
2.5 PIA Requirements Related to the Privacy Act Systems of Records Notice (SORN)

3 Privacy Threshold Analysis

4 Further Assistance

1 Overview

Federal laws recognize the ever-increasing amount of information stored in government systems and the speed with which computers can process and transfer data. Section 208 of the E-Government Act of 2002 (E-Gov Act), along with Office of Management and Budget (OMB) Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, require agencies to conduct a privacy impact assessment (PIA) before undertaking certain activities involving IT systems or electronic information collection.

The PIA analyzes how personally identifiable information (PII) is collected, stored, protected, shared, and maintained. The PIA demonstrates that data/system owners have consciously incorporated privacy protections throughout the development of a system.

The PIA is also designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act. The Privacy Act balances the government's need to maintain information about individuals with the right of individuals to be protected against unwarranted invasion of their privacy. Part of the PIA requirement is to identify the legal authority and/or agreement to collect the PII (i.e., statute/law, Federal regulation, Executive order).

In addition, the E-Government Act of 2002 requires an agency to make PIAs publicly available, except when an agency, in its discretion, determines publication of the PIA would raise security concerns or reveal classified (i.e., national security) information or sensitive information (i.e., potentially damaging to a national interest, law enforcement effort, or competitive business interest). The PIA helps the public understand what information the agency is collecting, why the information is being collected, how the information will be used and shared, how the information may be accessed, and how it will be securely stored.

Another purpose of the NRC's PIA review process is to ensure that data collections will adhere to the Paperwork Reduction Act (PRA), if applicable, and will comply with Federal requirements for managing the lifecycle of agency records.

At the NRC, the PIA is created along with the Security Categorization Report by the system owner / information owner / data steward, and/or information systems security manager (ISSM) during Step 2: Categorize, of the National Institute of Standards and Technology (NIST) Risk Management Framework. This effort is conducted in cooperation and collaboration with appropriate organizational officials (i.e., senior leaders with mission/business functions and/or risk management responsibilities).

2 When Does a PIA Need to be Completed

A PIA must be completed before the agency:

  • Develops or procures IT systems or projects that collect, maintain, or disseminate information in identifiable form from or about members of the public, or makes substantial changes to an existing IT system that manages information in identifiable form.
  • Initiates a new electronic collection of information in identifiable form for 10 or more members of the public consistent with the PRA, which governs how Federal agencies collect information from the public.

2.1 What is PII

PII is information that can be used to identify or contact a person uniquely and reliably or can be tracked back to a specific individual. That is, PII is a person's name, in combination with any of the following information: relatives' names, postal address, email address, home or cellular telephone number, personal characteristics, Social Security number (SSN), date or place of birth, mother's maiden name, driver's license number, bank account information, credit card information, or other information that would make the individual's personal identity easily traceable and could make it usable for unauthorized purposes.

PII may include direct identifiers (i.e., passport information) that can identify a person uniquely, or quasi-identifiers (i.e., race) that can be combined with other quasi-identifiers (i.e., date of birth) to successfully identify an individual. PII can be sensitive and non-sensitive.

  • Sensitive PII, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some categories of PII are sensitive as stand-alone data elements, for example, an individual's SSN, driver's license number, or State identification number.
  • Non-sensitive PII includes information that could be in a public record, such as an individual's birthday or phone number. It cannot directly identify the individual by itself, but it can identify the individual when used in combination with other personal linkable information.

A comprehensive listing of PII is provided for further reference in ADAMS at the following link: PII Reference Table 2023.

Note: Consistent with the Privacy Act and NRC PII policies, PII is to be collected and maintained only where necessary for proper performance of the agency's mission/functions. In response to OMB guidance, the NRC has also developed and implemented a plan to eliminate the unnecessary collection and use of SSNs.

It is important to note that not all information that is sensitive for personal privacy reasons will necessarily qualify as PII, because not all sensitive personal privacy information is useful for identifying an individual. Conversely, information qualifies as PII based on its usefulness in identifying an individual, not based on whether the individual considers the information to be, or treats the information as, sensitive, or private.

Personal identity is distinct from an individual's professional identity; that is, an employee's name, work title, work telephone number, work address (official work location), and work email address are not considered to be PII.

2.2 PIA Submittal Process

A PIA is completed during the early stages of system development and the system owner/information owner, data steward, and/or ISSM completes the assessment. Part of the privacy assessment is to document the data elements that will be collected, the authority for collecting the information, how the data will be used, who will use the data, and how long it should be kept for business purposes. Those involved may need to coordinate certain responses with the NRC's privacy office, records management, and information collections subject matter experts.

Table 2.2-1: Submittal Process

Step 1
Responsible party: System owner / information owner / data steward and/or ISSM
Description: Complete the PIA. The PIA template is available in ADAMS at ML050460335. Save the template and rename it to the following format:

<system name_privacy_impact_assessment.doc>

Provide responses to all questions in the PIA. Consult with the privacy office, records management, and information collection subject matter experts if there are any questions.

Step 2
Responsible party: System Owner / information owner / data steward and/or ISSM
Description: Submit completed PIA and NRC Form 665, ADAMS Document Submissions, to OCIO for review and approval to the email address below:

Privacy.Resource@nrc.gov

Completing the NRC Form 665 determines if the PIA can be designated as publicly available or non-public in ADAMS.

All PIAs must be posted on the agency's website, unless doing so would raise security concerns or reveal classified or sensitive information.

Step 3
Responsible party: Office of the Chief Information Officer (OCIO) designee
Description: Upon receipt of the PIA, the privacy team reviews the document for completeness. If there are any residual questions, the sponsoring office will be notified for further clarification.

Step 4
Responsible party: OCIO / Cybersecurity and Information Security Division (CISD) privacy office, and Data Information Management and Enterprise Governance (DIME) records management, and information collection subject matter experts
Description: Once the PIA has been confirmed for completeness, the administrative assistant places the document into e-concurrence for review from the following groups within OCIO to include:

  • Privacy Office - determining applicability of the Privacy Act and any privacy risks to the NRC
  • Information Collections - reviewing the Paperwork Reduction Act for information collection requirements
  • Records Management - reviewing the Federal Records Act for records management requirements

Once reviewed by all three groups, the PIA is provided to the OCIO/CISO.

Step 5
Responsible party: OCIO CISO
Description: The CISO reviews the PIA and grants final approval, certifying that the office has prepared an adequate PIA for the project/system.

Step 6
Responsible party: OCIO Administrative Assistant
Description: The administrative assistant finalizes the document by declaring it in ADAMS and closing it out through the e-concurrence process. A distribution notice will include the following:

  • Sponsoring office (program manager and system owner, ISSM)
  • Director SDOD
  • CISO

Step 7
Responsible party: Privacy Officer
Description: The NRC Privacy Officer provides a link to the PIA document in the Public ADAMS on the NRC Privacy Program Web page available to the public.

2.3 When does a PIA need to be updated

The PIA is a living document that needs to be reviewed and updated as the program and/or system changes, not just when the program or system is initially deployed. PIAs must be reviewed annually and updated if necessary to ensure that they are accurate and up to date. If no changes are required, the responsible party must send an email to the NRC Privacy Officer certifying the PIA has been reviewed and that no changes are required.

For PIAs requiring updates, the responsible party will need to complete a new PIA template addressing the changes and send it back through the approval process described above in Table 2.2-1.

Agencies must update their PIAs to reflect changes in information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form. Some examples of system changes are provided in the table below:

Table 2.3-1: System Changes

System Changes | Description
System Management Changes | New uses of an existing IT system, including application of new technologies, any change in how information in identifiable form is managed in the system
Anonymous to Non-Anonymous | Functions applied to an existing information collection from anonymous information into information in identifiable form
Conversions | Converting paper-based records to electronic systems
Significant Merging | Agencies adopt or alter business processes so that government databases holding information in identifiable form are merged, centralized, matched with other databases, or otherwise significantly manipulated
New Public Access | User-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system accessed by members of the public
Commercial Sources | Agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources
Alteration in Character of Data | New information in identifiable form, such as health or financial information, added to a data collection that raises the risks to personal privacy


2.4 Federal PIA Exemptions

In accordance with Federal guidance, certain types of IT systems may be exempt from the PIA requirement. These include any system where information relates to internal government operations or has been previously assessed under an evaluation like a PIA. A PIA is also not required:

  • For government-run Websites, IT systems, or collections of information that do not collect or maintain information in identifiable form about members of the public, government employees, contractors, or consultants
  • For government-run public Websites where the user is given the option of contacting the site operator for the limited purpose of asking questions or providing comments
  • For national security systems
  • When all elements of a PIA are addressed in a data matching or comparison agreement governed by the computer matching provisions of the Privacy Act
  • When all elements of a PIA are addressed in an interagency agreement permitting the merging of data for strictly statistical purposes and where the resulting data are protected from improper disclosure and use under Title V of the E-Government Act
  • When developing IT systems or collecting non-identifiable information for a discrete purpose that does not involve matching with or retrieval from other databases that generate individual or business identifiable information

2.4.1 NRC Exemptions

The NRC's external website contains a notice stating that any comments submitted to the NRC, including PII contained in comments, as well as documents submitted in public NRC adjudicatory proceedings, will generally be available to the public. Because submitters are advised not to include PII in their submittals, it is presumed that submitters who do include such information have no objection to its public release. Thus, it is not necessary to remove home addresses, home phone numbers, or home email addresses from adjudicatory filings, documents associated with agency rulemakings, or correspondence received from the public on regulatory matters.

2.5 PIA Requirements Related to the Privacy Act Systems of Records Notice (SORN)

The Privacy Act of 1974 prohibits the Federal Government from disclosing information about an individual without the individual's consent if the information is stored in a system of records, that is, a collection of records containing information about individuals, where the information is retrieved by the individual's name or by another identifier assigned to the individual. It balances the government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy. It requires agencies to publish a SORN in the Federal Register for the public to view. The SORN describes the categories of records on individuals that the agency collects, uses, maintains, and retrieves by the name of the individual or by some identifying number, symbol, or another identifier assigned to the individual. The Privacy Act prohibits the disclosure of information about individuals from a system of records absent the written consent of the subject individual unless the disclosure is pursuant to one of 12 statutory exceptions. The Privacy Act also provides individuals with a means by which to seek access to, and amendment of, their records and sets forth various agency record-keeping requirements.

If personal information is collected, but never retrieved by the unique identifier, it is not a system of records and a SORN is not required.

3 Privacy Threshold Analysis

If the sponsoring office (program manager/system owner and/or ISSM) anticipates that an IT system or project will not collect, maintain, or disseminate information about individuals, then a privacy threshold analysis (PTA) should be completed to document that a review of the data elements in the system or project has been performed and to confirm that there will be no information about an individual in the system or project.

PTAs are used to confirm that a system or project does not contain PII and that a PIA is not required, and to determine whether a SORN is required and whether any other privacy requirements apply to the system or project. PTAs should be submitted to the NRC Privacy Officer for review and approval.

The PTA submittal process is the same as the PIA submittal process as defined above in Table 2.2-1. The PTA template can be found in ADAMS at ML091970114.

4 Further Assistance

  • For privacy questions: contact the NRC's Privacy Officer for assistance. Additional privacy guidance can be found on the NRC's internal Privacy Act Program Web page at:

https://nuclepedia.usalearning.gov/index.php/Privacy_Act_Program

  • Information collection (OMB clearances) questions: contact the NRC's Clearance Officer. Additional guidance can be found on the NRC's internal Information Collections Web page at:

https://usnrc.sharepoint.com/teams/Information-Collections/SitePages/Information-Collections-Guidance.aspx

  • Records retention and disposition questions: contact the Agency Records Officer. Additional records retention and disposal information can be found at:

https://usnrc.sharepoint.com/sites/information-records-management/SitePages/The-Lifecycle-of-NRC-Records.aspx
