ML25084A043
| ML25084A043 | |
| Person / Time | |
|---|---|
| Issue date: | 03/20/2025 |
| From: | NRC/OCIO/CISD |
| To: | |
| Debnam C | |
| References | |
| Download: ML25084A043 (1) | |
Text
U.S. Nuclear Regulatory Commission Privacy Impact Assessment Agencywide Documents Access and Management System (ADAMS)
Office of the Chief Information Officer (OCIO)
Version 1.1 03/20/2025 Template Version 2.4 (10/2024)
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 Document Revision History Date Version PIA Name/Description Author 03/20/2025 1.1 Updated the System Owner name and changed WRR to Proposed Alternative and transferred the ADAMS PIA to the new template OCIO Oasis Systems, LLC 03/11/2025 Draft of v1.1 Updated the System Owner name and changed WRR to Proposed Alternative and transferred the ADAMS PIA to the new template OCIO Oasis Systems, LLC 06/26/2024 1.0 ADAMS PIA Initial Release OCIO Oasis Systems, LLC 06/21/2024 DRAFT ADAMS PIA Draft Release C Rybos, VASS, Inc. Luc Phuong, NRC 06/10/2024 DRAFT ADAMS PIA Draft Release OCIO Oasis Systems, LLC
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 Table of Contents 1
Description 1
2 Authorities and Other Requirements 3
3 Characterization of the Information 4
4 Data Security 7
5 Privacy Act Determination 12 6
Records and Information Management-Retention and Disposal 13 7
Paperwork Reduction Act 17 8
Privacy Act Determination 18 9
OMB Clearance Determination 20 10 Records Retention and Disposal Schedule Determination 21 11 Review and Concurrence 22
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 1
The agency is subject to the requirements of the E-Government Act and is committed to identifying and addressing privacy risks whenever it develops or makes changes to its information systems. The questions below help determine any privacy risks related to the E-Government Act or later guidance by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST).
Name/System/Subsystem/Service Name: Agencywide Documents Access and Management System (ADAMS).
Data Storage Location (i.e., Database Server, SharePoint, Cloud, Other Government Agency, Power Platform) Database Servers - MS SQL, CloudAzure SQL PaaS.
Date Submitted for review/approval: March 11, 2025.
1 Description 1.1 Provide the description of the system/subsystem, technology (i.e., Microsoft Products), program, or other data collections (hereinafter referred to as project).
Explain the reason the project is being created.
ADAMS is an enterprise-level system used by the U.S. Nuclear Regulatory Commission (NRC) to organize, process, and manage the agencys documentary material, which includes documents designated as official agency records (OARs) and non-record reference material, which includes works in progress, drafts, and other non-OAR documentation. ADAMS is the NRCs record retention system for documentary material and is integrated into many of the agencys mission critical standard operating procedures and records management processes. ADAMS is used throughout NRC Headquarters (HQ) and regional offices.
ADAMS provides the following capabilities:
Document management (intake, classification, and retention),
Document publishing, Document search and retrieval, Records management.
ADAMS supports NRCs content management function: document capture, distribution, search and retrieval, and records management. ADAMS is the official records repository for unclassified records and is tightly integrated into many of NRCs mission critical standard operating procedures and records management processes.
ADAMS servers in the Production (PROD) and Test & Acceptance (TA) environments reside primarily in the NRC-managed network on virtual servers maintained in the NRC HQ Data Center. The ADAMS development (DEV) and integration (INT) environments and selected resources in the PROD and Test & Acceptance environments reside in the NRC OCIO Cloud tenant.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 2
ADAMS contains one subsystem, the Electronic Information Exchange (EIE) system, which provides an input mechanism to add documents to ADAMS. No further information/discussion of the EIE system is contained in this ADAMS Privacy Impact Assessment (PIA).
Please mark appropriate response below if your project/system will involve the following:
PowerApps Server/Database Design Dashboard Public Website SharePoint Internal Website Cloud Service Provider Other 1.2 Does this privacy impact assessment (PIA) support a proposed new project, proposed modification to an existing project, or other situation? Select options that best apply in table below.
Mark appropriate response.
Status Options
New system/project
Modification to an existing system/project.
If modifying or making other updates to an existing system/project, provide the ADAMS ML of the existing PIA and describe the modification.
Annual Review If making minor edits to an existing system/project, briefly describe the changes below. Updated the System Owner name and changed WRR to Proposed Alternative and transferred the ADAMS PIA to the new template
Other (explain) 1.3 Points of
Contact:
Project Manager System Owner/Data Owner /
Steward ISSM Business Project Manager Technical Project Manager Executive Sponsor Name Roy Choudhury Jon Feibus Luc Phuong Gayathri Sastry Roy Choudhury Scott Flanders Office
/Division
/Branch OCIO/
ITSDOD/
ADSB/CCAT OCIO/ ITSDOD OCIO/
GEMSD/
CSB/IAT OCIO/
ITSDOD OCIO/
ITSDOD/
ADSB/CCAT OCIO Telephone 301-415-7226 301-415-0717 301-415-1103 301-415-8344 301-415-7226 301-415-8700
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 3
2 Authorities and Other Requirements 2.1 What specific legal authorities and/or agreements permit the collection of information for the project?
Provide all statutory and regulatory authorities for operating the project, including the authority to collect the information; NRC internal policy is not a legal authority. Please mark appropriate response in table below.
Mark with an X on all that apply.
Authority Citation/Reference
Statute 44 United States Code (U.S.C) Chapters 31 & 33
Executive Order
Federal Regulation 36 Code of Federation Regulations (CFR)
Subpart B
Memorandum of Understanding/Agreement
Other (summarize and provide a copy of relevant portion) 2.2 Explain how the information will be used under the authority listed above (i.e., enroll employees in a subsidies program to provide subsidy payment).
NRC staff collect programmatic and administrative information to facilitate the activities necessary to conduct the NRCs day-to-day business. A portion of the vast amounts of programmatic and administrative documents that are added to ADAMS may contain information about an individual. NRC staff also collect this information to facilitate the records lifecycle management process and to comply with the regulations governing Federal records management. The licensing, technical, and adjudicatory information stored in ADAMS supports the NRCs mission.
The publicly available information in ADAMS is used by external users searching the agencys policies, regulations, and material related to NRC licensing activities.
If the project collects Social Security numbers, state why this is necessary and how it will be used.
The content of a document that is added to ADAMS may include any type of information about an individual but are normally only workplace-related or business-related information.
Information about an individual (e.g. Federal employee, contractor, licensee employee, general public) may be maintained in ADAMS if information about an individual is included as part of a document that is added into ADAMS.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 4
The Replacement Reactor Program System (RRPS) is the Federal system of record for Operating License Records (OL Records), which contains personally identifiable information (PII) of applicants for, and holders of, operator licenses at nuclear powerplants.
RRPS uses ADAMS as a storage service provider for these records, which are owned and maintained by RRPS personnel. OL Records consist of application files, examination files, historical files, medical files, license files, and violation files related to the application, issuance, maintenance and, if necessary, revocation of an individuals operator license at a nuclear power facility regulated by the NRC.
It is not the agencys policy or practice to make documents identified as containing PII available to the public. In cases where such a document must be made public, the PII is redacted, and the redacted version is made public; the original remains non-public. Internal access to documents containing PII is also restricted to those with a need-to-know.
3 Characterization of the Information In the table below, mark the categories of individuals for whom information is collected.
Category of individual
Federal employees
Contractors
Members of the Public (any individual other than a Federal employee, consultant, or contractor)
Licensees
Other: Parties to NRC Adjudicatory proceedings, Nuclear Industry organizations, Members of Congress, Agreement States, Local governments, and Foreign governments and international organizations.
In the table below, is a list of the most common types of PII collected. Mark all PII that is collected and stored by the project/system. If there is additional PII not defined in the table below, a comprehensive listing of PII is provided for further reference in ADAMS at the following link: PII Reference Table 2023.
Categories of Information
Name
Resume or curriculum vitae
Date of Birth
Driver's License Number
Country of Birth
License Plate Number
Citizenship
Passport number
Nationality
Relatives Information
Race
Taxpayer Identification Number
Home Address
Credit/Debit Card Number
Social Security number (Truncated or Partial)
Medical/health information
Sex (Male or Female)
Alien Registration Number
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 5
Categories of Information
Ethnicity
Professional/personal references
Spouse Information
Criminal History
Personal e-mail address
Biometric identifiers (facial images, fingerprints, iris scans)
Personal Bank Account Number
Emergency contact e.g., a third party to contact in case of an emergency
Personal Mobile Number/Home Number
Accommodation/disabilities information
Marital Status
Children Information
Mother's Maiden Name
Other: ADAMS is a document repository for the NRC. Documents in ADAMS can contain various types of information, including different categories of PII.
3.1 Describe how the data is collected for the project. (i.e., NRC Form, survey, questionnaire, existing NRC files/ databases, response to a background check).
ADAMS does not directly collect information from an individual. Information placed into ADAMS is collected or generated by the NRC through other means, e.g. in response to adjudicatory filings, rulemakings, or other regulatory matters (to include records collected by RRPS, as documented in section 2.2).
The content of a document that is added to ADAMS may include any type of information about an individual but is normally only workplace-related or business-related information.
Information about an individual may be maintained in ADAMS if information about an individual is included as part of a document that is added into ADAMS.
Internal sources of information which may contain PII include:
Electronic files generated by NRC staff in various formats (e.g. text, images, graphics, spreadsheets, or any combination of these formats),
E-mail from the NRC e-mail system, OL Records from RRPS.
External sources of information which may contain PII include:
NRC Licensees and Applicants, Parties to NRC Adjudicatory proceedings, Nuclear Industry organizations, Members of Congress, Other Federal Agencies, Agreement States, Local governments, Members of the public commenting on NRC regulations and publications, Foreign governments and international organizations.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 6
The methods of collection used include:
EIE submissions, Paper documents (scanned into ADAMS),
CD-ROM submissions, E-mail and Facsimile (Fax) submissions, Interface with RRPS, Interface with Web-Based Licensing (WBL) submissions, Interface with Mission Analytics Portal (MAP-X), currently for Proposed Alternative, formerly known as Web-Based Relief Requests (WRR).
3.2 If using a form (paper or web) to collect the information, provide the form number, title and/or a link to the form.
ADAMS does not directly collect information from an individual. Information placed into ADAMS is collected or generated by the NRC through other means, which can include any form in the NRC Forms library.
Document submissions made to the Document Processing Center (DPC) contain the NRC Form 665, ADAMS Document Submission, specifying document availability (e.g., publicly or non-publicly available) and access security level. However, NRC Form 665 is not published in ADAMS.
3.3 Who provides the information? Is it provided directly from the individual or a third party.
ADAMS does not directly collect information from an individual. Information placed into ADAMS is collected or generated by the NRC through other means, e.g. in response to adjudicatory filings, rulemakings, or other regulatory matters. Refer to section 3.1 regarding information sources.
3.4 Explain how the accuracy of the data collection is validated. If the project does not check for accuracy, please explain why.
The NRC rulemaking Electronic Maintenance and Submission of Information (E-Rule) and its accompanying regulatory document, Guidance for Electronic Submissions to the NRC govern the electronic submission, including fax submissions, of documents to the NRC, which may be accessed at ML13031A056.
The agencys DPC evaluates the EIE and CD-ROM submittals against the criteria specified in the electronic submission guidance document and processes the document(s) that meet its criteria into ADAMS. Documents that do not meet one or more of the guidance document criteria will not be processed into ADAMS. The DPC will forward these submittals to the submitter and/or the appropriate NRC office staff in order to resolve the issue and obtain a submittal that can be processed into ADAMS. The owners of internal information are responsible for accuracy and completeness of the information added to ADAMS.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 7
3.5 Will PII data be used in a test environment? If so, explain the rationale for this and how the PII information is protected.
No.
3.6 What procedures are in place to allow the subject individual to correct inaccurate or erroneous privacy information?
The information owners are responsible for accuracy and completeness of the information added to ADAMS.
4 Data Security 4.1 Describe who has access to the data in the project (i.e., internal NRC, system administrators, external agencies, contractors, public).
After receiving an ADAMS account, all NRC office staff (employees and contractors) authenticated application users may have access to information in ADAMS. The exception is for OL Records. Only select RRPS users from the Office of Nuclear Reactor Regulation (NRR) can access this data.
In addition to being authenticated to access the system, application users must be a member of an appropriate Access Control List (ACL) to access specific data. In addition, system administrators must have an individual administrator account and password to access the system. Their access to data / permitted privileged actions are controlled by inclusion of the account in the appropriate administrative group account.
Other Federal agencies, licensees, state, local, and Tribal governments, participants in adjudicatory hearings, and members of the general public have access to the publicly available information in ADAMS.
4.2 If the project/system shares information with any other NRC systems, identify the system, what information is being shared and the method of sharing.
Public Meeting Notice System (PMNS): requires read-only access to the Docket table in the Master Data Management system (MDMS) database to retrieve specific Docket Number data.
The EIE system is a document ingestion system for various regulatory required documents, which are added into ADAMS for official recordkeeping. ADAMS provides accession numbers (ADAMS ML) back to EIE for submitted documents. In addition, EIE provides service list membership to ADAMS in order to populate ACLs for authorization purposes to Electronic Hearing Docket (EHD) Protective Order File (POF) documents.
RRPS uses ADAMS for the following:
o As a storage repository for OL Records, which are maintained solely by RRPS.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 8
o For processing Technical Review Packages (TRP) that are accessed by TRP Staff Project Manager(s) via a TRP utility tool (which utilizes an ADAMS API) to enable RRPS staff to perform Licensee decisional processing.
An NRC-issued laptop is used by the Atomic Safety and Licensing Board Panel (ASLBP) to access pre-filed adjudicatory documents in ADAMS.
The WBL system ingests documents containing license and related information into the ADAMS Main Library, which returns live links back to WBL so that users may access the records in ADAMS while in WBL.
The MAP-X portal is a Cloud-based web application used by authenticated Licensees to submit NRC forms / information for addition to the ADAMS Main Library. Currently, the following systems are in use:
o WRR form(s) request relief from certain regulatory requirements 4.3 If the project/system connects, receives, or shares information with any external non-NRC partners or systems, identify what is being shared.
As per NRC CSO-PROS-1323, Information Security Continuous Monitoring Process, MOUs/ISAs are required between NRC and external entities; not between internal NRC systems. As ADAMS connections with RRPS, WBL, MAP-X (e.g., Proposed Alternative and TRP) and Enterprise Information Hub (EIH) are internal, MOUs/ISAs are not required.
The publicly available documents are released to the public via publishing to the ADAMS Public Libraries (Publicly Available Records System (PARS)) and Public Licensing Support Network (LSN) where they can be accessed through various NRC-provided websites. In addition, copies of all the PARS content are copied to the Unified Public Web Search (UPWS) repository where they can be searched via the publicly available Google search engine. Links to all these sites are provided on the NRCs public website.
If so, identify what agreements are in place with the external non-NRC partner or system in the table below.
Agreement Type
Contract Provide Contract Number:
License Provide License Information:
Memorandum of Understanding Provide ADAMS ML number for MOU:
Other
None
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 9
4.4 Describe how the data is accessed and describe the access control mechanisms that prevent misuse.
Internal access to ADAMS is restricted to NRC users with active NRC Local Area Network/Wide Area Network (LAN/WAN) accounts and passwords and ADAMS accounts.
Level of access to documents depends upon a users role(s) and need-to-know and is restricted by object (package, folder, and document) access rights. The users are authenticated via a Lightweight Directory Access Protocol (LDAP), which has an interface linked to the NRCs OCIO Information Technology Infrastructure (ITI) system Active Directory services (Single Sign-On).
ADAMS relies on the agency Rules of Behavior to ensure proper information usage by individuals that have been granted access to the ADAMS Main Library. Role-based access controls and need-to-know within ADAMS also limit misuse of data.
Except for POF documents, there are no security controls to authenticate external access to the ADAMS Public Libraries as this access is anonymous. Each POF document requires a valid NRC-approved digital certificate and inclusion in the appropriate ACL in order to view that document.
At the object level (packages, folders, and documents), all content is restricted to those assigned a valid security role (assigned by the owner of the object). Except for POF documents, a user without assigned rights is not able to see the object, much less access its contents.
Within the POF interface, business needs mandate that the authenticated user can see the title of the document but may not access the contents without the users inclusion in the appropriate ACL.
For all components, ADAMS relies on NRC ITI for security controls over access to the forward-facing web servers that host the libraries. This includes compliance with Homeland Securitys mandate for using secure ports and protocols to establish communication between the users browser and the web servers that access the public libraries.
4.5 Explain how the data is transmitted and how confidentiality is protected (i.e.,
encrypting the communication or by encrypting the information before it is transmitted).
ADAMS transmits content to staff over the NRCs ITI internal network.
ADAMS publishes public content to external-facing web servers for access by the general public and select members of adjudicatory proceedings. The publicly available documents are released to the public via publishing to the ADAMS Public Libraries (PARS and LSN) where they can be accessed through various NRC-provided websites. In addition, copies of all the PARS content are copied to the UPWA repository where they can be searched via the publicly available Google search engine. Links to all these sites are provided on the NRCs public website.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 10 4.6 Describe where the data is being stored (i.e., NRC, Cloud, Contractor Site).
ADAMS database servers are hosted primarily at NRC HQ with some databases hosted in the Cloud (ITI-ACS resources).
4.7 Explain if the project can be accessed or operated at more than one location.
The ADAMS Main Library is accessed by NRC HQ and all regional offices staff users via the NRC LAN/WAN. External public libraries (PARS and LSN) are accessed by external users via the Internet.
ADAMS may only be accessed remotely by NRC staff through the NRCs ITI Virtual Private Network (VPN) or the Azure Virtual Desktop (AVD).
4.8 Can the project be accessed by a contractor? Have the contractors completed an IT-II investigation? Do they possess an NRC badge?
Yes. The NRC contractors, who are authorized for ADAMS access in order to fulfill their contractual obligations, are under the same access control, including accounts, passwords, and access rights at the document level, as other NRC internal users, on a need-to-know basis.
NRC contractors need an authorized and signed Non-Disclosure Agreement (NDA) before they can be provided access to specific ADAMS folders needed for their project related job.
All contractors supporting ADAMS are, at a minimum, NRC IT-I cleared, possessing NRC badges.
4.9 Explain the auditing measures and technical safeguards in place to prevent misuse of data.
The security controls recommended by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 5 have been implemented in ADAMS to prevent misuse of data. Please see the ADAMS System Security Plan and the ADAMS P8 Audit and Accountability Policy and Procedures document for more information.
4.10 Describe if the project has the capability to identify, locate, and monitor (i.e.,
trace/track/observe) individuals.
N/A.
4.11 Define which FISMA boundary this project is part of.
ADAMS is in its own FISMA boundary, which includes ADAMS and its subsystem, EIE.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 11 4.12 Is there an Authority to Operate (ATO) associated with this project/system?
Authorization Status
Unknown
No If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Organization (CSOs)
Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.
In Progress provide the estimated date to receive an ATO.
Estimated date:
Yes Indicate the data impact levels (Low, Moderate, High, Undefined) approved by the CISO Confidentiality-Moderate Integrity-Moderate Availability-Moderate 4.13 Provide the NRC system Enterprise Architecture (EA)/Inventory number. If unknown, contact EA Service Desk to get the EA/Inventory number.
EA Number: 9501.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 12 5 Privacy Act Determination 5.1 Is the data collected retrieved by a personal identifier?
Mark the appropriate response.
Response
Yes, the PII is retrieved by a personal identifier (i.e., individuals name, address, SSN, or other unique number, etc.)
List the identifiers that will be used to retrieve the information on the individual.
No, the PII is not retrieved by a personal identifier.
If no, explain how the data is retrieved from the project.
Although there are some documents in ADAMS that contain information about individuals, it is not the practice or policy of the NRC to retrieve information in ADAMS by an individuals name or unique identifier (other than the name of the author).
ADAMS was designed and developed as the NRCs information management system. It was not developed as a system to collect or maintain information about individuals. ADAMS contains document profile data fields, two of which collect the name of a documents author and the documents recipient. The name of a document author and/or recipient is collected for administrative purposes, not for the purpose of collecting or retrieving records or information about the named individual. Also, the capability does exist to search for documents using an individuals name or personal identifier (or any other text) in a document text search.
5.2 For all collections where the information is retrieved by a personal identifier, the Privacy Act requires that the agency publish a System of Record Notice (SORN) in the Federal Register. As per the Privacy Act of 1974, "the term 'system of records' means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some other personal identifier assigned to the individual.
Mark the appropriate response in the table below.
Response
Yes, this system is covered by an existing SORN. (See existing SORNs:
https://www.nrc.gov/reading-rm/foia/privacy-systems.html )
Provide the SORN name, number, (List all SORNs that apply):
SORN is in progress
SORN needs to be created
Unaware of an existing SORN
No, this system is not a system of records and a SORN is not applicable.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 13 5.3 When an individual is asked to provide personal data (i.e., form, webpage, survey), is a Privacy Act Statement (PAS) provided?
A Privacy Act Statement is a disclosure statement required to appear on documents used by agencies when an individual is asked to provide personal data. It is required for any forms, surveys, or other documents, including electronic forms, used to solicit personal information from individuals that will be maintained in a system of records.
Mark the appropriate response.
Options
Privacy Act Statement
Not Applicable
Unknown 5.4 Is providing the PII mandatory or voluntary? What is the effect on the individual by not providing the information?
The information owners are responsible for providing notice at the time of collection whether or not PII disclosure is mandatory.
6 Records and Information Management-Retention and Disposal The National Archives and Records Administration (NARA), in collaboration with Federal agencies, approves whether records are Temporary (eligible at some point for destruction/deletion because they no longer have business value) or Permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). Records/data and information with historical value, identified as having a permanent disposition, are transferred to the National Archives of the United States at the end of their retention period. All other records identified as having a temporary disposition are destroyed at the end of their retention period in accordance with the NARA Records Schedule or the General Records Schedule.
These determinations are made through records retention schedules and NARA statutes (44 U.S.C.), 36 CFR). Under 36 CFR, agencies are required to establish procedures for addressing Records and Information Management (RIM) requirements. This includes strategies for establishing and managing recordkeeping requirements and disposition instructions before approving new electronic information systems or enhancements to existing systems.
The following questions are intended to determine whether the records/data and information in the system have approved records retention schedules and disposition instructions, whether the system incorporates RIM strategies including support for NARAs Universal Electronic Records Management (ERM) requirements, and if a mitigation strategy is needed to ensure compliance.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 14 If the project/system:
Does not have an approved records retention schedule and/or Does not have an automated RIM functionality, Involves a cloud solution, And/or if there are additional questions regarding Records and Information Management
- Retention and Disposal, please contact the NRC Records staff at ITIMPolicy.Resource@nrc.gov for further guidance.
If the project/system has a record retention schedule or an automated RIM functionality, please complete the questions below.
6.1 Does this project map to an applicable retention schedule in NRCs Comprehensive Records Disposition Schedule (NUREG-0910), or NARAs General Records Schedules?
NUREG-0910, NRC Comprehensive Records Disposition Schedule
NARAs General Records Schedules
Unscheduled 6.2 If so, cite the schedule number, approved disposition, and describe how this is accomplished.
System Name (include sub-systems, platforms, or other locations where the same data resides)
ADAMS Records Retention Schedule Number(s)
Each NRC document declared as an Official agency Record in ADAMS is designated an authorized disposition in Records Manager.
This disposition covers the ADAMS Portable Document Format (PDF) files, Tag Image File Format (TIFF) files, as well as the ADAMS data related to digital signatures, and data regarding final NRC management and staff concurrences in documents that are linked to and considered part of the official records.
The NARA-approved records retention and disposition requirements for ADAMS records are described on the NRCs public website and may be accessed via the following link:
https://www.nrc.gov/reading-rm/records-mgmt.html Retention for Documentation is scheduled as follows:
GRS 3.1 Items 050 & 051: Data
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 15 administration records The retention for the Master file is scheduled as follows:
GRS 3.2 Items 050 & 051, Backup of master files and databases Additional information related to Information Systems Security are scheduled under the GRS:
GRS 3.2: Information Systems Security Records Approved Disposition Instructions Retention for Documentation is scheduled as follows:
GRS 3.1 Item 050, Data administration records. Documentation necessary for preservation of permanent electronic records.
Permanent. Transfer to the National Archives with the permanent electronic records to which the documentation relates.
GRS 3.1 Item 051, Data administration records. All documentation for temporary electronic records and documentation not necessary for preservation of permanent records.
Temporary. Destroy 5 years after the project/activity/transaction is completed or superseded, or the associated system is terminated, or the associated data is migrated to a successor system, but longer retention is authorized if required for business use.
The retention for the Master file is scheduled as follows:
GRS 3.2 Item 050, Backup of master files and databases. File identical to permanent records scheduled for transfer to the National Archives.
Temporary. Destroy immediately after the identical records have been captured in a subsequent backup file or at any time after the
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 16 transfer request has been signed by the National Archives, but longer retention is authorized if required for business use.
GRS 3.2 Item 051, Backup of master files and databases. File identical to temporary records authorized for destruction by a NARA-approved records schedule.
Temporary. Destroy immediately after the identical records have been deleted or replaced by a subsequent backup file, but longer retention is authorized if required for business use.
Additional information related to Information Systems Security are scheduled under:
GRS 3.2, Information Systems Security Records.
Is there a current automated functionality or a manual process to support RIM requirements?
This includes the ability to apply records retention and disposition policies in the system(s) to support records accessibility, reliability, integrity, and disposition.
Yes, ADAMS contains built-in automated records management processing tools.
Disposition of Temporary Records Will the records/data or a composite be automatically or manually deleted once they reach their approved retention?
Temporary Records are automatically marked as being ready for disposition once they reach their approved retention. Once marked, records management staff review with the offices and manually delete the records accordingly.
Disposition of Permanent Records Will the records be exported to an approved format and transferred to the National Archives based on approved retention and disposition instructions?
If so, what formats will be used?
NRC Transfer Guidance (Information and Records Management Guideline - IRMG)
Yes, Permanent Records are exported in CSV file, PDF, and TIFF format to the National Archives and Records Administration (NARA) in accordance with their approved retention and disposition instructions.
Note: Information in Section 6, Records and Information Management-Retention and Disposal does not need to be fully resolved for final approval of the privacy impact assessment.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 17 7 Paperwork Reduction Act The Paperwork Reduction Act (PRA) of 1995 requires that agencies obtain an Office of Management and Budget (OMB) approval in the form of a "control number"before promulgating a paper form, website, surveys, questionnaires, or electronic submission from 10 or more members of the public. If the data collection is from Federal employees regarding work-related duties, then a PRA clearance is not necessary.
7.1 Will the project be collecting any information from 10 or more persons who are not Federal employees?
N/A - ADAMS does not collect any information, but organizes, processes, and manages existing agency documents.
7.2 Is there any collection of information addressed to all or a substantial majority of an industry (i.e., Fuel Fabrication Facilities or Fuel Cycle Facilities)?
No.
7.3 Is the collection of information required by a rule of general applicability?
N/A - ADAMS does not collect any information, but organizes, processes, and manages existing agency documents. Therefore, an OMB clearance is not needed.
Note: For information collection (OMB clearances) questions: contact the NRCs Clearance Officer. Additional guidance can be found on the NRCs internal Information Collections Web page at: https://intranet.nrc.gov/ocio/33456.
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 18 8 Privacy Act Determination Project/System Name: Agencywide Documents Access and Management System Submitting Office: Office of the Chief Information Officer (OCIO)
Privacy Officer Review Review Results Action Items
This project/system does not contain PII.
No further action is necessary for Privacy.
This project/system does contain PII; the Privacy Act does NOT apply, since information is NOT retrieved by a personal identifier.
Must be protected with restricted access to those with a valid need-to-know.
This project/system does contain PII; the Privacy Act does apply.
SORN is required-Information is retrieved by a personal identifier.
Comments: Although there are some documents in ADAMS that contain information about individuals, it is not the practice or policy of the NRC to maintain ADAMS as a system of records keyed to individuals, or to retrieve by an individuals name or unique identifier (other than the name of the author). ADAMS was designed and developed as the NRCs information management system. It was not developed as a system to collect or maintain information about individuals. ADAMS contains document profile data fields, two of which collect the name of a documents author and the documents recipient. The name of a document author and/or recipient is collected for administrative purposes, not for the purpose of collecting or retrieving records or information about the named individual. Also, the capability does exist to search for documents using an individuals name or personal identifier (or any other text) in a document text search. OMB guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person's name, but the agency must in fact retrieve records in this way in order for a system of records to exist. The retrieval of information by name or other personal identifier must be an agency practice to create a system of records and not a practice by those outside the agency. This system may contain documents that include personally identifiable information (PII). Documents that contain PII will have restricted access. Information related to the workplace, such as an employees name, title, work telephone number, official work address/location, and work e-mail address is not treated as PII by NRC.
Additionally, NRCs Office of General Counsel has advised that home addresses, home phone numbers, or home e-mail addresses - within adjudicatory filings, documents associated with agency rulemakings, and correspondence received from the public on regulatory matters will not be treated as PII. History/
Background:
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 19 A request for a legal opinion (July 2003) was submitted to OGC to readdress the issue of whether or not ADAMS should be considered a Privacy Act system of Agencywide Documents Access and Management System (ADAMS) OGC reconfirmed on September 15, 2003, that ADAMS does not constitute a system of records for purposes of the Privacy Act. The basic concept of ADAMS has not been modified.
Reviewers Name Title Privacy Officer Signed by Hardy, Sally on 04/30/25
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (09-2024)-ML050460335 20 9 OMB Clearance Determination NRC Clearance Officer Review Review Results
No OMB clearance is needed.
OMB clearance is needed.
Currently has OMB Clearance. Clearance No.
Comments:
Reviewers Name Title Agency Clearance Officer Signed by Benney, Kristen on 04/24/25
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (10-2024)-ML050460335 21 10 Records Retention and Disposal Schedule Determination Records Information Management Review Review Results
No record schedule required.
Additional information is needed to complete assessment.
Needs to be scheduled.
Existing records retention and disposition schedule covers the system - no modifications needed.
Comments:
Reviewers Name Title Sr. Program Analyst, Electronic Records Manager Records and Information Management Specialist Signed by Dove, Marna on 04/30/25 Signed by Williams, Lisa on 04/17/25
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (10-2024)-ML050460335 22 11 Review and Concurrence Review Results
This project/system does not collect, maintain, or disseminate information in identifiable form.
This project/system does collect, maintain, or disseminate information in identifiable form.
I concur with the Privacy Act, Information Collections, and Records Management reviews.
Director Chief Information Security Officer Cyber Information Security Division Office of the Chief Information Officer Signed by Nalabandian, Garo on 05/01/25
Agencywide Documents Access and Management System (ADAMS)
Version 1.1 Privacy Impact Assessment 03/20/2025 PIA Template (10-2024)-ML050460335 23 ADDITIONAL ACTION ITEMS/CONCERNS Name of Project/System:
Agencywide Documents Access and Management System (ADAMS)
Date CISD received PIA for review:
03/25/2025 Date CISD completed PIA review:
04/30/2025 Action Items/Concerns: