ML17285A218: Difference between revisions

From kanterella
(Created page by program invented by StriderTol)
 
(Created page by program invented by StriderTol)
 
(2 intermediate revisions by the same user not shown)
Line 3: Line 3:
| issue date = 03/05/2018
| issue date = 03/05/2018
| title = Regulatory Information Conference System (Rics) - Privacy Impact Assessment - March 2018
| title = Regulatory Information Conference System (Rics) - Privacy Impact Assessment - March 2018
| author name = McGowan A T
| author name = Mcgowan A
| author affiliation = NRC/OCIO
| author affiliation = NRC/OCIO
| addressee name =  
| addressee name =  
Line 9: Line 9:
| docket =  
| docket =  
| license number =  
| license number =  
| contact person = Benjumea O L, NRR/DMPS, 415-5233
| contact person = Benjumea O, NRR/DMPS, 415-5233
| document type = Privacy Impact Assessment
| document type = Privacy Impact Assessment
| page count = 13
| page count = 13
Line 15: Line 15:


=Text=
=Text=
{{#Wiki_filter:Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.  
{{#Wiki_filter:ADAMS ML17285A218 U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.
Regulatory Information Conference System (RICS)
Date: 2/27/2018
A. GENERAL SYSTEM INFORMATION
: 1.        Provide a detailed description of the system:
The Regulatory Information Conference System (RICS) is a web-based system developed to provide a tool for registration and access to the conference program agenda.
: 2.      What agency function does it support?
The system supports public participation in conferences; the NRC considers public involvement to be a cornerstone of strong, fair regulation of the nuclear industry.
The NRC recognizes the public's interest in the proper regulation of nuclear activities and provides this open forum for citizens to be heard.
: 3.        Describe any modules or subsystems, where relevant, and their functions.
N/A
: 4.        What legal authority authorizes the purchase or development of this system?
The authority to collect this information to use for future mailings is 44 U.S.C. 3101 and 44 U.S.C. 3301.
: 5.        What is the purpose of the system and the data to be collected?
The purpose of the system is to allow participants to register online and access the conference program agenda.
: 6.      Points of Contact (Name, Office/Division/Branch, Telephone):
* Project Manager: Lorna Kipfer, NRR/DMPS, 301-415-4065
* Business Project Manager: Ashley Roberts, NRR/DMPS, 301-415-1275
* Technical Project Manager: Sandra Caesar, NRR/DMPS, 301-415-8380
* Executive Sponsor: Brian E. Holian, NRR, 301-415-1270
: 7.      Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
: a.      New System ( )    Modify Existing System (x)    Other (Explain) ( )
Updating the PIA to include new contractor information.
: b.      If modifying an existing system, has a PIA been prepared before?
A PIA was prepared before.
(1)    If yes, provide the date approved and ADAMS accession number.
ML092600035
(2)    If yes, provide a summary of modifications to the existing system.
The system has not been modified, but the new primary contractor information has been added where necessary.
B. INFORMATION COLLECTED AND MAINTAINED
These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.
: 1.      INFORMATION ABOUT INDIVIDUALS
: a.      Does this system maintain information about individuals?


Yes
(1)    If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public).
Federal employees, federal contractors, licensees, and the general public.
(2)    IF NO, SKIP TO QUESTION B.2.
: b. What information is being maintained in the system about an individual (be specific)?
* First name, last name, prefixes, suffixes
* Badge name (How name should appear on the badge)
* Job title
* Organization
* Organization acronym (if any)
* Business telephone number
* Business e-mail
* Business address, city, state/province, zip code, country
* Special needs (wheelchair or other assistance, if any)
* Permission for NRC to include contact information in the Registrant List which will be posted on the RIC website
* Affiliation (public, NRC employee, industry vendor, law firm, etc.)
* Session selection
* Interest in NRC's Operation Center Tour (i.e., the Office of Nuclear Security and Incident Response (NSIR) Incident Response Experience)
: c. Is information being collected from the subject individual?
Yes
(1)    If yes, what information is being collected?
Everything listed under B.1.b
: d. Will the information be collected from 10 or more individuals who are not Federal employees?
Yes
(1)    If yes, does the information collection have OMB approval?
OMB approval is not required. The information collected for this type of transaction is exempt from Paperwork Reduction Act requirements because it is limited to the information required to select an item (RIC conference, badge name, session selection, special needs) and identify the person ordering the item.
(a)      If yes, indicate the OMB approval number:
: e. Is the information being collected from existing NRC files, databases, or systems?
No, the information is collected from the individuals as they register for the RIC.
If yes, identify the files/databases/systems and the information being collected.
: f. Is the information being collected from an external source(s)?
No
(1) If yes, identify the source and what type of information is being collected?
: g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?
The online registration has mandatory fields that help ensure complete information. The information is collected yearly for accuracy and up-to-date contact information. Since NRC uses the participants' information to e-mail or send confirmation letters, this process helps verify the contact information. If NRC receives returned mail or bounce-backs on an e-mail, NRC staff will follow up by telephone to verify the contact information.
Also, NRC staff review the registration list to make sure an affiliation was selected. For example, NRC management may want to know how many NRC employees intend to attend the conference; NRC can sort the list by affiliation to get a fairly accurate number. NRC staff also scan for participants who might have selected the wrong affiliation, such as choosing "Other" and entering "Dept. of RES" instead of "USNRC" as their affiliation.
: h. How will the information be collected (e.g. form, data transfer)?
Information will be collected using an online registration form.
: 2. INFORMATION NOT ABOUT INDIVIDUALS
: a. Will information not about individuals be maintained in this system?
Yes.
(1)      If yes, identify the type of information (be specific).
Conference agenda (sessions and tours)
: b.      What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.
This information is developed by the NRC's Office of Nuclear Reactor Regulation (NRR) (program sponsor).
C. USES OF SYSTEM AND INFORMATION
These questions will identify the use of the information and the accuracy of the data being used.
: 1. Describe all uses made of the data in this system.
* Create badges that include name and affiliation
* Develop participant lists for the Incident Response Experience tours
* Compile statistical data on the number of participants for each session
* Business address, fax and email information are used to send conference confirmation information, notification of future conference dates, and general conference information.
* Post RIC registrants list on NRC external Web (based on approval of each individual registrant).
: 2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?
Yes
: 3. Who will ensure the proper use of the data in this system?
NRR RIC Program Director.
: 4. Are the data elements described in detail and documented?
Yes
: a.      If yes, what is the name of the document that contains this information and where is it located?
Regulatory Information Conference Web Materials are located with the NRR/Division of Mission and Program Support (DMPS) and at Synergy Enterprises Inc. (SEI, subcontractor).
: 5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
No
: a.      If yes, how will aggregated data be maintained, filed, and utilized?
: b.      How will aggregated data be validated for relevance and accuracy?
: c.        If data are consolidated, what controls protect it from unauthorized access, use, or modification?
: 6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier? (Be specific.)
Retrieval based on category types/data fields:
* Speaker
* Press
* Staff
* Tours
* Sessions
* Affiliation types
* Special needs
* Alpha badge listing
The information is retrieved via an Excel spreadsheet or can be viewed via a password-protected portal by authorized users.
: 7. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?
No
: a.        If yes, explain.
(1)      What controls will be used to prevent unauthorized monitoring?
: 8. List the report(s) that will be produced from this system.
* Participant list
* Session participation numbers
* Operation Center Tour participants
* Affiliation listing
* Special needs, as required by the Americans with Disabilities Act
* Statistical ad hoc reports
: a.        What are the reports used for?
The reports are primarily used for conference space planning
: b.        Who has access to these reports?
NRC's support subcontractor SEI, the RIC Program Director, and the Conference Administrator.
D. ACCESS TO DATA
: 1.      Which NRC office(s) will have access to the data in the system?
NRR
(1)    For what purpose?
RIC planning and coordination
(2)    Will access be limited?
Yes
: 2.      Will other NRC systems share data with or have access to the data in the system?
No
(1)    If yes, identify the system(s).
(2)    How will the data be transmitted or disclosed?
N/A
: 3.      Will external agencies/organizations/public have access to the data in the system?
No; however, the public can access information about previously held conferences through the NRC's external Web page.
(1)    Will access be limited?
(2)    What data will be accessible and for what purpose/use?
(3)    How will the data be transmitted or disclosed?
E. RECORDS RETENTION AND DISPOSAL
The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and are required under 36 CFR 1234.10. The following questions are intended to determine whether the records in the system have an approved records retention schedule or if one will be needed.
: 1.      Can you map this system to an applicable retention schedule in NUREG-0910, or the General Records Schedules at http://www.archives.gov/records-mgmt/grs ?
No. Although material for Committee and Conference Records is referenced in NUREG-0910, Item #3 (N1-431-00-8), these records are not covered and need to be scheduled.
: a.      If yes, please cite the schedule number, approved disposition, and describe how this is accomplished. For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to a file for transfer based on their approved disposition?
: b.      If the answer to question E.1 is yes, skip to F.1. If the response is no, complete question E.2 through question E.7.
: 2. If the records cannot be mapped to an approved records retention schedule, how long do you need the records? Please explain.
This has not been determined.
: 3. Would these records be of value to another organization or entity at some point in time?
No, because the information is publicly available and it is specific to the NRC.
: 4. How are actions taken on the records? For example, is new data added or updated by replacing older data on a daily, weekly, or monthly basis?
Data is archived on a scheduled yearly basis, and every year, new data is added.
: 5. What is the event or action that will serve as the trigger for updating, deleting, removing, or replacing information in the system?
When we exercise a new option year to begin working on that year's conference.
: 6. Is any part of the record an output, such as a report, or other data placed in ADAMS or stored in any other location, such as a shared drive or MS SharePoint?
No information is placed in ADAMS, but the information resides with the RIC Project Manager and archives reside on the RIC website.
: 7. Does this system allow for the deletion or removal of records no longer needed and how will that be accomplished?
Yes, system administrators can delete or remove records with the permission of the RIC Project Manager.
F. TECHNICAL ACCESS AND SECURITY
: 1. Describe the security controls used to limit access to the system (e.g., passwords).
Internal access to the system is restricted by accounts and passwords.
Authorization (level of access) depends upon a user's role(s) and need-to-know and is restricted by access rights.
: 2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?


The security controls recommended by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, are applied to RICS to prevent the misuse of information.
: 3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?
Yes
(1)     If yes, where?
RICS System Security Plan
: 4. Will the system be accessed or operated at more than one location (site)?
No. Currently the system will operate at the contractor site. NRC access will be through a password-protected portal.
: a.      If yes, how will consistent use be maintained at all sites?
: 5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?
System administrators and RIC Program Director
: 6. Will a record of their access to the system be captured?
Yes.
: a.      If yes, what will be collected?
User ID, date and time accessed, and changes made are recorded.
* SEI constructs database audit tables for the web application.
* Version control software such as VSS captures any code changes and document submissions; SEI uses CVS as part of its development environment.
* Login information from the Web server and MS Windows server security logs is tracked with Web metrics.
: 7. Will contractors be involved with the design, development, or maintenance of the system?
Yes
If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.
* FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
* PII clause, "Contractor Responsibility for Protecting Personally Identifiable Information" (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.
: 8. What auditing measures and technical safeguards are in place to prevent misuse of data?
Database queries are executed by an authorized database administrator, and data is displayed in web-based reports or retrieved into Excel spreadsheet(s). The system complies with FISMA and NIST guidelines. SEI creates audit tables for its secure databases, which run on MS SQL Server on an independent database server. SEI's network is protected by 3 separate firewalls and various smart switches.
: 9. Are the data secured in accordance with FISMA requirements?
Yes
: a.      If yes, when was Certification and Accreditation last completed?
February 18, 2011


PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMS/ISB Staff)
System Name: Regulatory Information Conference System (RICS)
Submitting Office: Office of Nuclear Reactor Regulation
A.      PRIVACY ACT APPLICABILITY REVIEW
X      Privacy Act is not applicable.
        Privacy Act is applicable.
Comments:
This database collects information about individuals who wish to attend the NRC's RIC. Some of this information is considered personally identifiable information. This information is used to coordinate attendance at the conference (how many will attend each session, special accommodations required, etc.) and to maintain a mailing list which is used to send out notification of future conferences.
OMB guidelines explain that a system of records exists if: (1) there is an "indexing or retrieval capability using identifying particulars [that is] built into the system"; and (2) the agency "does, in fact, retrieve records about individuals by reference to some personal identifier." In the context of computerized information, OMB guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person's name, but the agency must in fact retrieve records in this way in order for a system of records to exist.
It is not the practice of NRC to retrieve information by name or other identifying particular from this database. Therefore, this database does not meet the criteria for a system of records.
The contact information provided to the Office of Administration to maintain the official RIC mailing list is considered to be part of NRC's Privacy Act system of records, NRC 38, Mailing Lists.
Reviewer's Name / Title / Date: Sally A. Hardy, Acting Privacy Officer, 2/27/2018
B.      INFORMATION COLLECTION APPLICABILITY DETERMINATION
X    No OMB clearance is needed.
OMB clearance is needed.
Currently has OMB Clearance. Clearance No.
Comments:
Reviewer's Name / Title / Date: David Cullison, Agency Clearance Officer, 2/16/18


C.      RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION
No record schedule required.
Additional information is needed to complete assessment.
X    Needs to be scheduled.
Existing records retention and disposition schedule covers the system - no modifications needed.
Comments:
This system will need to be scheduled; therefore, NRC records personnel will need to work with NRR and subject matter experts to develop a records retention and disposition schedule for records created or maintained. Until the approval of such a schedule, these records and information are permanent. Their willful disposal or concealment (and related offenses) is punishable by fine or imprisonment, according to 18 U.S.C. Chapter 101, Section 2071. Implementation of retention schedules is mandatory under 44 U.S.C. 3303a(d), and although this does not prevent further development of the project, retention functionality or a manual process must be incorporated to meet this requirement.
Reviewer's Name / Title / Date: Marna B. Dove, Sr. Program Analyst, Electronic Records Manager, 2/7/2018
D.      BRANCH CHIEF REVIEW AND CONCURRENCE
        This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
X      This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.
I concur in the Privacy Act, Information Collections, and Records Management reviews:
/RA/    Date: March 5, 2018
Anna T. McGowan, Chief, Information Services Branch, Governance & Enterprise Management Services Division, Office of the Chief Information Officer


TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS
TO: Brian E. Holian, Office of Nuclear Reactor Regulation
Name of System: Regulatory Information Conference System (RICS)
Date ISB received PIA review: October 13, 2017
Date ISB completed PIA review: February 27, 2018
Noted Issues:
The Privacy Act applies to the contact information maintained by the Office of Administration, as Privacy Act system of records, NRC 38, Mailing Lists.
The RIC Registration Database does collect and maintain personally identifiable information.
Anna T. McGowan, Chief, Information Services Branch, Governance & Enterprise Management Services Division, Office of the Chief Information Officer
Signature/Date: /RA/    March 5, 2018
Copies of this PIA will be provided to:
Tom Rich, Director, IT Services Development & Operation Division, Office of the Chief Information Officer
Jonathan Feibus, Chief Information Security Officer (CISO), Governance & Enterprise Management Services Division, Office of the Chief Information Officer}}
}}

Latest revision as of 03:11, 4 December 2019

Regulatory Information Conference System (Rics) - Privacy Impact Assessment - March 2018
ML17285A218
Person / Time
Issue date: 03/05/2018
From: Anna Mcgowan
NRC/OCIO
To:
Benjumea O, NRR/DMPS, 415-5233
References
Download: ML17285A218 (13)


Text

ADAMS ML17285A218 U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Regulatory Information Conference System (RICS)

Date: 2/27/2018 A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:

The Regulatory Information Conference System (RICS) is a web-based system developed to provide the tool for registration and access to conference program agenda.

2. What agency function does it support?

The system supports public participation in conferences and considers public involvement to be a cornerstone of strong, fair regulation of the nuclear industry.

The NRC recognizes the publics interest in the proper regulation of nuclear activities and provides this open forum for citizens to be heard.

3. Describe any modules or subsystems, where relevant, and their functions.

N/A

4. What legal authority authorizes the purchase or development of this system?

The authority to collect this information to use for future mailings is 44 U.S.C.

3101, 44 U.S.C. 3301.

5. What is the purpose of the system and the data to be collected?

The purpose of the system is to allow participants to register online and access to the conference program agenda.

6. Points of

Contact:

Project Manager Office/Division/Branch Telephone Lorna Kipfer NRR/DMPS 301-415-4065 Business Project Manager Office/Division/Branch Telephone Ashley Roberts NRR/DMPS 301-415-1275 Technical Project Manager Office/Division/Branch Telephone NRR/DMPS 301-415-8380 Sandra Caesar Executive Sponsor Office/Division/Branch Telephone Brian E. Holian NRR 301-415-1270

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. New System Modify Existing System x Other (Explain)

Updating the PIA to include new contractor information.

b. If modifying an existing system, has a PIA been prepared before?

A PIA was prepared before.

(1) If yes, provide the date approved and ADAMS accession number.

ML092600035 (2) If yes, provide a summary of modifications to the existing system.

The system has not been modified, but the new primary contractor information has been added where necessary.

B. INFORMATION COLLECTED AND MAINTAINED These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes (1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public).

Federal employees, federal contractors, licensees, and the general public.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific)?
  • First name, last name, prefixes, suffixes
  • Badge name (How name should appear on the badge)
  • Job title
  • Organization
  • Business telephone number
  • Business e-mail
  • Business address, city, state/province, zip code, country
  • Special needs (wheelchair or other assistance, if any)
  • Permission for NRC to include contact information in the Registrant List which will be posted on the RIC website
  • Affiliation (public, NRC employee, industry vendor, law firm, etc.)
  • Session selection
  • Interest in NRCs Operation Center Tour (i.e. the Office of Nuclear Security and Incident Response (NSIR) Incident Response Experience)
c. Is information being collected from the subject individual?

Yes (1) If yes, what information is being collected?

Everything listed under B.1.b

d. Will the information be collected from 10 or more individuals who are not Federal employees?

Yes (1) If yes, does the information collection have OMB approval?

OMB approval is not required. The information collected for this type of transaction is exempt from Paperwork Reduction Act requirements because it is Iimited to the information required to select an item (RIC conference, badge name, session selection,

special needs) and identify the person ordering the item.

(a) If yes, indicate the OMB approval number:

e. Is the information being collected from existing NRC files, databases, or systems?

No, the information is collected from the individuals as they register for the RIC. If yes, identify the files/databases/systems and the information being collected.

f. Is the information being collected from an external source(s)?

No (1) If yes, identify the source and what type of information is being collected?

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

The online registration has mandatory fields that help ensure complete information. The information is collected yearly for accuracy and up-to-date contact information. Since NRC uses the participants information to e-mail or send confirmation letters, this process helps verify the contact information. If NRC receives returned mail or bounce backs on an e-mail, NRC staff will follow-up by telephone to verify the contact information.

Also, NRC staff look at the registration list to make sure an affiliation was selected. For example, NRC management may want to know how many NRC employees intend to go to the conference. NRC can audit the list to sort by affiliation to get a fairly accurate number. NRC also scan for participants who might have selected the wrong affiliation such as choosing other and putting Dept. of RES instead of USNRC as their affiliation.

h. How will the information be collected (e.g. form, data transfer)?

Information will be collected using an online registration form.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).

Conference agenda (sessions and tours)

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

This information is developed by the NRCs Office of Nuclear Reactor Regulation (NRR) (program sponsor).

C. USES OF SYSTEM AND INFORMATION These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.
  • Create badges that include name and affiliation
  • Develop participants lists for the Incident Response Experience tours
  • Compile statistical data on the number of participants for each session
  • Business address, fax and email information are used to send conference confirmation information, notification of future conference dates, and general conference information.
  • Post RIC registrants list on NRC external Web (based on approval of each individual registrant).

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes

3. Who will ensure the proper use of the data in this system?

NRR RIC Program Director.

4. Are the data elements described in detail and documented?

Yes

a. If yes, what is the name of the document that contains this information and where is it located?

Regulatory Information Conference Web Materials are located with the NRR/Division of Mission and Program Support (DMPS) and at Synergy Enterprises Inc. (SEI, subcontractor).

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No

a. If yes, how will aggregated data be maintained, filed, and utilized?

b. How will aggregated data be validated for relevance and accuracy?

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier? (Be specific.)

Retrieval based on category types/data fields:

  • Speaker
  • Press
  • Staff
  • Tours
  • Sessions
  • Affiliation types
  • Special needs
  • Alpha badge listing

The information is retrieved via an Excel spreadsheet or can be viewed via a password-accessible portal for the authorized user.

7. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No

a. If yes, explain.

(1) What controls will be used to prevent unauthorized monitoring?

8. List the report(s) that will be produced from this system.

  • Participant list
  • Session participation numbers
  • Operation Center Tour Participants
  • Affiliation Listing
  • Special needs as required by the Americans with Disabilities Act
  • Statistical ad hoc reports

a. What are the reports used for?

The reports are primarily used for conference space planning

b. Who has access to these reports?

NRC's support subcontractor SEI, RIC Program Director, and Conference Administrator

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

NRR

(1) For what purpose?

RIC planning and coordination

(2) Will access be limited?

Yes

2. Will other NRC systems share data with or have access to the data in the system?

No

(1) If yes, identify the system(s).

(2) How will the data be transmitted or disclosed?

N/A

3. Will external agencies/organizations/public have access to the data in the system?

No; however, the public can access information about previously held conferences through the NRC's external Web page.

(1) Will access be limited?

(2) What data will be accessible and for what purpose/use?

(3) How will the data be transmitted or disclosed?

E. RECORDS RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and are required under 36 CFR 1234.10. The following questions are intended to determine whether the records in the system have an approved records retention schedule or if one will be needed.

1. Can you map this system to an applicable retention schedule in NUREG-0910, or the General Records Schedules at http://www.archives.gov/records-mgmt/grs ?

No. Although material for Committee and Conference Records is referenced in NUREG 0910, Item #3, (N1-431-00-8), these records are not covered and need to be scheduled.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished. For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to a file for transfer based on their approved disposition?

b. If the answer to question E.1 is yes, skip to F.1. If the response is no, complete question E.2 through question E.7.

2. If the records cannot be mapped to an approved records retention schedule, how long do you need the records? Please explain.

This has not been determined.

3. Would these records be of value to another organization or entity at some point in time?

No, because the information is publicly available and it is specific to the NRC.
4. How are actions taken on the records? For example, is new data added or updated by replacing older data on a daily, weekly, or monthly basis?

Data is archived on a scheduled yearly basis, and every year, new data is added.

5. What is the event or action that will serve as the trigger for updating, deleting, removing, or replacing information in the system?

When we exercise a new option year to begin working on that year's conference.
6. Is any part of the record an output, such as a report, or other data placed in ADAMS or stored in any other location, such as a shared drive or MS SharePoint?

No information is placed in ADAMS, but the information resides with the RIC Project Manager and archives reside on the RIC website.

7. Does this system allow for the deletion or removal of records no longer needed and how will that be accomplished?

Yes, system administrators can delete or remove records with the permission of the RIC Project Manager.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Internal access to the system is restricted by accounts and passwords.

Authorization (level of access) depends upon a user's role(s) and need-to-know and is restricted by access rights.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

The security controls recommended by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 are applied to RICS to prevent the misuse of information.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes

(1) If yes, where?

RICS System Security Plan

4. Will the system be accessed or operated at more than one location (site)?

No. Currently the system will operate at the contractor site. The NRC access will be through a password protected portal.

a. If yes, how will consistent use be maintained at all sites?

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

System administrators and RIC Program Director

6. Will a record of their access to the system be captured?

Yes.

a. If yes, what will be collected?

User id, date and time accessed, and changes recorded.

  • SEI constructs database audit tables on the web application.
  • Version control software (such as VSS) captures any code changes/document submissions. SEI uses CVS as part of the SEI development environment.
  • Login information on the Web server and MS-Windows server security logs are measured with Web metrics.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.

  • FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
  • PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

Database queries are executed by an authorized database administrator, and data is displayed on web-based reports or retrieved into Excel spreadsheet(s). The system complies with the FISMA and NIST guidelines. SEI creates audit tables for our secure databases. They use MS SQL Server on an independent database server. SEI's network is protected by 3 separate firewalls and various smart switches.

9. Are the data secured in accordance with FISMA requirements?

Yes

a. If yes, when was Certification and Accreditation last completed?

February 18, 2011

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMS/ISB Staff)

System Name: Regulatory Information Conference System (RICS)

Submitting Office: Office of Nuclear Reactor Regulation

A. PRIVACY ACT APPLICABILITY REVIEW

[X] Privacy Act is not applicable.

[ ] Privacy Act is applicable.

Comments:

This database collects information about individuals who wish to attend the NRC's RIC. Some of this information is considered personally identifiable information. This information is used to coordinate attendance at the conference (how many will attend each session, special accommodations required, etc.) and to maintain a mailing list which is used to send out notification of future conferences.

OMB guidelines explain that a system of records exists if: (1) there is an "indexing or retrieval capability using identifying particulars [that is] built into the system"; and (2) the agency "does, in fact, retrieve records about individuals by reference to some personal identifier." In the context of computerized information, OMB guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person's name, but the agency must in fact retrieve records in this way in order for a system of records to exist.

It is not the practice of NRC to retrieve information by name or other identifying particular from this database. Therefore, this database does not meet the criteria for a system of records.

The contact information provided to the Office of Administration to maintain the official RIC mailing list is considered to be part of NRC's Privacy Act system of records, NRC 38, Mailing Lists.

Reviewer's Name: Sally A. Hardy
Title: Acting Privacy Officer
Date: 2/27/2018

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

[X] No OMB clearance is needed.

[ ] OMB clearance is needed.

[ ] Currently has OMB Clearance. Clearance No.

Comments:

Reviewer's Name: David Cullison
Title: Agency Clearance Officer
Date: 2/16/18

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

[ ] No record schedule required.

[ ] Additional information is needed to complete assessment.

[X] Needs to be scheduled.

[ ] Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

This system will need to be scheduled; therefore, NRC records personnel will need to work with NRR and subject matter experts to develop a records retention and disposition schedule for records created or maintained. Until the approval of such a schedule, these records and information are permanent. Their willful disposal or concealment (and related offenses) is punishable by fine or imprisonment, according to 18 U.S.C. Chapter 101, Section 2071. Implementation of retention schedules is mandatory under 44 U.S.C. 3303a(d), and although this does not prevent further development of the project, retention functionality or a manual process must be incorporated to meet this requirement.

Reviewer's Name: Marna B. Dove
Title: Sr. Program Analyst, Electronic Records Manager
Date: 2/7/2018

D. BRANCH CHIEF REVIEW AND CONCURRENCE

[ ] This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

[X] This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

/RA/ Date: March 5, 2018

Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT / PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Brian E. Holian, Office of Nuclear Reactor Regulation

Name of System: Regulatory Information Conference System (RICS)

Date ISB received PIA review: October 13, 2017

Date ISB completed PIA review: February 27, 2018

Noted Issues:

The Privacy Act applies to the contact information maintained by the Office of Administration, as Privacy Act system of records, NRC 38, Mailing Lists.

The RIC Registration Database does collect and maintain personally identifiable information.

Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer

Signature/Date: /RA/ March 5, 2018

Copies of this PIA will be provided to:

Tom Rich, Director
IT Services Development & Operation Division
Office of the Chief Information Officer

Jonathan Feibus
Chief Information Security Officer (CISO)
Governance & Enterprise Management Services Division
Office of the Chief Information Officer