E-FOIA Tracking System (FOIAonline) Privacy Impact Assessment
ML21145A351

=Text=
{{#Wiki_filter:
U.S. Nuclear Regulatory Commission Privacy Impact Assessment
Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.
E-FOIA Tracking System (FOIAonline)
Date: May 18, 2021

A. GENERAL SYSTEM INFORMATION
: 1. Provide a detailed description of the system: (Use plain language, no technical terms.)
FOIAonline is a multi-agency cloud-based web application managed by the Environmental Protection Agency (EPA). FOIAonline allows the public to submit Freedom of Information Act (FOIA) requests to participating agencies and track the progress of an agency's response to a request. FOIAonline is also a workflow system and repository that enables participating agencies to manage FOIA requests and generate reports, including the annual FOIA report for submission to the Department of Justice.
FOIAonline stores FOIA requests and appeals, responses to requests, notes, and other information related to requests and appeals. Members of the FOIA team and U.S. Nuclear Regulatory Commission (NRC) personnel with system access can assign, track, and monitor tasks; calculate fees; generate reports; and store request records. These functions streamline and help automate business processes associated with NRC FOIA responsibilities. Members of the public can submit FOIA requests to the NRC, track the status of requests, file appeals, search for requests submitted by other users, access previously released records, and generate agency-specific FOIA processing reports.
: 2. What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commission's (NRC's) mission, and which strategic goal?)
FOIAonline supports the NRC Freedom of Information Act/Privacy Act (FOIA/PA) Program.
: 3. Describe any modules or subsystems, where relevant, and their functions.
FOIAonline fulfills the tracking and reporting requirements under the Freedom of Information Act (5 U.S.C. § 552, as amended by Public Law No. 104-231, 110 Stat. 3048).
PIA Template (03-2021)
: 4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)
* Clinger-Cohen Act (40 U.S.C. § 11318)
* The Economy Act (31 U.S.C. §§ 1535, 1536)
* The Freedom of Information Act (5 U.S.C. § 552, as amended by P.L. 104-231, 110 Stat. 3048) and the FOIA Improvement Act of 2016 (P.L. 114-185 (June 30, 2016))
* Memorandum for the Heads of Executive Departments and Agencies: Open Government Directive, M-10-06 (December 8, 2009)
: 5. What is the purpose of the system and the data to be collected?
To process FOIA/PA requests, appeals, and consultations from other agencies.
To allow the public and other federal participating agencies to submit requests electronically and the agency to process the requests. Collecting site usage activity is a common practice and the only means to determine how the public is actually using features on any given web site.
: 6. Points of Contact:
(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)
Role: Name, Office/Division/Branch, Telephone
Project Manager: Stephanie Blaney, OCIO/GEMSD/FLICB/FT, 301-415-6975
Business Project Manager: Stephanie Blaney, OCIO/GEMSD/FLICB/FT, 301-415-6975
Technical Project Manager: Anna McGowan, OCIO/GEMSD/FLICB, 301-415-7204
Executive Sponsor: David Nelson, OCIO, 301-415-8700
ISSO: Natalya Bobryakova, OCIO/GEMSD/CSB/IAT, 301-287-0671
System Owner/User: Stephanie Blaney, OCIO/GEMSD/FLICB/FT, 301-415-6975
: 7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
: a. New System / Modify Existing System (X) / Other
: b.      If modifying or making other updates to an existing system, has a PIA been prepared before?
Yes.
(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.
ML20191A216, approved on July 29, 2020.
(2) If yes, provide a summary of modifications or other changes to the existing system.
* Update to the system description, contact office/division/branch information, and Third Party System (TPS) Enterprise Architecture (EA) number.
* Update to the user groups that have access to the system and to the FOIA Quarterly and Annual Reports.
* Update to the Certification and Accreditation information.
: 8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?
Yes.
: a. If yes, please provide the EA/Inventory number.
FOIAonline is a subsystem of TPS. The TPS EA number is 20180002.
: b. If no, please contact the EA Service Desk to get the EA/Inventory number.
B. INFORMATION COLLECTED AND MAINTAINED
These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.
: 1. INFORMATION ABOUT INDIVIDUALS
: a. Does this system maintain information about individuals?
Yes.
(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide a description for the general public: non-licensee workers, applicants before they are licensed, etc.)).
Any person who submits a FOIA/PA request or appeal.
(2)    IF NO, SKIP TO QUESTION B.2.
: b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?
Name, home address, business name, business address, home phone number, business phone number, mobile phone number, fax number, home e-mail address, and business e-mail address. Requestors can provide additional information, such as Date of Birth (DOB) and Social Security Number (SSN); however, this information is not required and is provided voluntarily by the requestor. FOIA/PA team members redact the Personally Identifiable Information (PII) when possible to reduce the sensitivity of the information.
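The redaction step described above, applied to the free text of a request, as an added example that is not part of the PIA or of the FOIAonline software: it masks voluntarily supplied SSN and date-of-birth values while leaving the request's own date ranges and the requestor's contact phone number untouched, and records what was masked so the caseworker can review the result. The sample request text, the `[SSN REDACTED]`/`[DOB REDACTED]` tokens, and the cue-word heuristic for ambiguous values are assumptions made for this example.

```python
# Added example (not from the PIA or from FOIAonline): redact voluntarily supplied
# SSN and date-of-birth values from the free text of a FOIA/PA request while
# leaving request-scope dates and contact phone numbers untouched.
import re
from dataclasses import dataclass, field

# SSN written as 3-2-4 with a consistent dash or space separator. The lookaheads
# exclude area 000, 666 and 900-999, group 00 and serial 0000, which the SSA never
# issues, so case or tracking numbers in those ranges are not masked by mistake.
SSN_DELIMITED = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})([- ])(?!00)(\d{2})\2(?!0000)(\d{4})\b"
)
# Nine contiguous digits are ambiguous (ZIP+4 without a dash, tracking numbers), so
# they are treated as an SSN only when an SSN cue appears shortly before them.
# Group 1 is the digits; the cue itself is kept.
SSN_CONTIGUOUS = re.compile(
    r"(?i)\b(?:ssn|social security)\b[^\d]{0,40}?"
    r"\b((?!000|666|9\d\d)\d{3}(?!00)\d{2}(?!0000)\d{4})\b"
)
# A date is treated as a date of birth only when it follows a DOB cue; FOIA requests
# routinely contain date ranges that scope the records sought and must be kept.
_DATE = (
    r"\d{1,2}[/-]\d{1,2}[/-]\d{2,4}"
    r"|\d{4}-\d{2}-\d{2}"
    r"|(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+\d{1,2},?\s+\d{4}"
)
DOB_CUED = re.compile(r"(?i)\b(?:dob|date of birth|born)\b[^\d]{0,20}?(" + _DATE + r")")


@dataclass
class RedactionResult:
    text: str
    findings: list = field(default_factory=list)  # (kind, original value) pairs


def redact_request_text(text: str) -> RedactionResult:
    """Return the request text with SSN/DOB values masked and a log of what was masked."""
    findings: list = []

    def mask(kind: str, original: str) -> str:
        findings.append((kind, original))
        return f"[{kind} REDACTED]"

    def mask_group1(kind: str):
        # Replace only the captured value, keeping the cue words before it.
        def repl(m):
            prefix = m.group(0)[: m.start(1) - m.start(0)]
            return prefix + mask(kind, m.group(1))
        return repl

    # Order matters: the contiguous-digit pass runs before the delimited pass so
    # that the "SSN" in an inserted "[SSN REDACTED]" token is never read as a cue.
    out = SSN_CONTIGUOUS.sub(mask_group1("SSN"), text)
    out = SSN_DELIMITED.sub(lambda m: mask("SSN", m.group(0)), out)
    out = DOB_CUED.sub(mask_group1("DOB"), out)
    return RedactionResult(out, findings)


# Constructed sample request text (not a real request).
SAMPLE_REQUEST = (
    "I request all inspection records for the facility from 01/01/2019 to 12/31/2020. "
    "My SSN is 123-45-6789 and my DOB is 03/14/1985. "
    "Alternate social security number on file: 234567890. "
    "Contact: 301-415-6975, requester@example.com."
)

if __name__ == "__main__":
    result = redact_request_text(SAMPLE_REQUEST)
    print(result.text)
    for kind, value in result.findings:
        print(f"masked {kind}: {value}")
```

The findings list is what makes the step reviewable: the caseworker can confirm that only the voluntary SSN/DOB values were masked and that the date range scoping the request, which a blanket date regex would have destroyed, survived.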
: c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)
Yes, through voluntary submittal of a FOIA/PA request.
(1)    If yes, what information is being collected?
The person making the FOIA/PA request is required to provide NRC with their name and contact information, such as home address, business name, business address, home phone number, business phone number, mobile phone number, fax number, home e-mail address, or business e-mail address.
: d. Will the information be collected from individuals who are not Federal employees?
Yes.
(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?
Yes.
(a) If yes, indicate the OMB approval number:
3150-0043.
: e. Is the information being collected from existing NRC files, databases, or systems?
No.
(1) If yes, identify the files/databases/systems and the information being collected.
N/A.
: f. Is the information being collected from external sources (any source outside of the NRC)?
No.
(1) If yes, identify the source and what type of information is being collected.
N/A.
: g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?
The FOIA/PA Team only verifies the ability to contact a requestor, whether by telephone, mail, e-mail, or fax; it does not verify whether the information provided is in fact the requestor's home address or home phone number.
: h. How will the information be collected (e.g. form, data transfer)?
FOIA/PA requests can be submitted in a paper or electronic format.
: 2. INFORMATION NOT ABOUT INDIVIDUALS
: a. Will information not about individuals be maintained in this system?
Yes.
(1)    If yes, identify the type of information (be specific).
Offices assigned cases, assigned caseworker, fee category, fee estimates, multi-track type, received date, closed date, target date, perfected date of request, fee waiver request, expedited processing request, final fees due or owed to requester, requester type, and identification of exemptions used for denied records.
: b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.
Information identified in a. is determined by the FOIA/PA Team.
Exemptions used for denied records are determined by the program offices and verified by the FOIA/PA Team and the Office of the General Counsel.
C. USES OF SYSTEM AND INFORMATION
These questions will identify the use of the information and the accuracy of the data being used.
: 1. Describe all uses made of the data in this system.
The system is used to track all FOIA/PA requests received by the NRC in both paper and electronic form. The information is used to communicate with the requestor, to generate the FOIA Annual Report to the Department of Justice (DOJ), to generate correspondence to the FOIA requesters, reports required by regulation, and ad hoc reports as needed. The system also calculates fees for the requests and is used as an archival system to locate previous similar requests and requesters.
: 2.      Is the use of the data both relevant and necessary for the purpose for which the system is designed?
Yes.
: 3. Who will ensure the proper use of the data in this system?
Members of the NRC's FOIA/PA Team.
: 4. Are the data elements described in detail and documented?
Yes.
: a. If yes, what is the name of the document that contains this information and where is it located?
The software is owned and managed by EPA for use by Federal agencies. Licenses are purchased from EPA, which provides a user's manual and training as needed. A hard copy of the user's manual is held by the FOIA/PA team and by EPA.
: 5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
No.
Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.
Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).
: a. If yes, how will aggregated data be maintained, filed, and utilized?
N/A.
: b. How will aggregated data be validated for relevance and accuracy?
N/A.
: c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?
N/A.
: 6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number, or symbol)? (Be specific.)
Data can be retrieved through queries or reports using any of the fields in the database such as names of requesters, types of requesters, request number, subject matter of requests, exemptions used for denied records, multi-track type, payment status, fee waiver status, expedited status, closed between dates, caseworker name, etc.
: a.      If yes, explain, and list the identifiers that will be used to retrieve information on the individual.
Data can be retrieved by a requester name or caseworker name.
: 7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?
Yes.
: a. If yes, provide the name of the SORN and its location in the Federal Register.
NRC-10, Freedom of Information Act (FOIA) and Privacy Act (PA) Request Records.
: 8. If the information system is being modified, will the SORN(s) require amendment or revision?
No.
: 9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?
No.
: a. If yes, explain.
N/A.
(1) What controls will be used to prevent unauthorized monitoring?
N/A.
: 10. List the report(s) that will be produced from this system.
FOIA Quarterly and Annual Reports to DOJ describe the NRC's response to FOIA requests. Statistical data only. Reports are available through the NRC's public website.
A report for a previous request will provide data to the caseworker, such as which offices were assigned the case, received date, closed date, perfected date, exemptions used for denied records, fees charged, etc.
Ad hoc statistical reports, for example, how many cases are open, how many cases were closed, uses of particular exemptions, response times, backlogs, etc.
: a. What are the reports used for?
The FOIA Quarterly and Annual Reports for DOJ, which oversees all Government FOIA programs, provide DOJ the statistical data needed to gauge our success in responding to FOIA/PA requests in a timely manner.
A report on a previous request can assist the review in handling a newer request for similar records.
A report on how many requests by particular requester type are received can be provided to a FOIA/PA requester.
Management and oversight of the FOIA/PA program.
: b. Who has access to these reports?
FOIA/PA Team members, contractors, and the Governance and Enterprise Management Services (GEMS) Division Director and Deputy Division Director.
D. ACCESS TO DATA
: 1. Which NRC office(s) will have access to the data in the system?
OCIO FOIA/PA Team and contractors.
(1) For what purpose?
* FOIA Quarterly and Annual Reports to DOJ.
* Archival data to review previous cases/requesters.
* Data input to correct information in the system (fees owed, etc.).
* Input of case closing information, such as closed date and exemptions used.
* Review of FOIA/PA cases.
(2) Will access be limited?
Access will be based on an individual's need to know.
: 2. Will other NRC systems share data with or have access to the data in the system?
No.
(1) If yes, identify the system(s).
N/A.
(2) How will the data be transmitted or disclosed?
N/A.
: 3. Will external agencies/organizations/public have access to the data in the system?
Yes.
(1) If yes, who?
Agencies, organizations, and the public.
(2) Will access be limited?
Yes.
(3) What data will be accessible and for what purpose/use?
Requestors can access only the data they have provided through their FOIAonline account, for tracking their FOIA/PA requests.
(4) How will the data be transmitted or disclosed?
Data will be transmitted online through a FOIAonline requestor user account, or via e-mail or regular U.S. mail for non-FOIAonline users.
E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL
The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have an approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.
: 1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910) or NARA's General Records Schedules (GRS)?
Yes.
: a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).
* For example, will the records or a composite thereof be deleted once they reach their approved retention, or exported to an approved file format for transfer to the National Archives based on their approved disposition?
GRS 4.2 Item 020: Access and disclosure request files. Temporary. Destroy 6 years after final agency action or 3 years after final adjudication by the courts, but longer retention is authorized if required for business use.
GRS 4.2 Item 040: Records of accounting for and controlling access to records requested under FOIA, PA, and MDR. Temporary. Destroy 5 years after date of last entry or final action by agency, but longer retention is authorized if required for business use.
: b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.
F. TECHNICAL ACCESS AND SECURITY
: 1. Describe the security controls used to limit access to the system (e.g., passwords).
Each NRC-approved user with access to FOIAonline has a username and password, along with a Personal Identity Verification (PIV) card or One-Time Password (OTP) credential. Responsive records that exceed the system security categorization of moderate will be maintained in a secure, restricted-access location (safe or secure restricted drive).
: 2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?
Each user has an individual username and two factors of authentication. Access rights are provided based on need to know.
: 3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?
Yes.
(1) If yes, where?
In the signed Memorandum of Understanding between EPA and NRC.
: 4. Will the system be accessed or operated at more than one location (site)?
Yes. The FOIAonline system can be accessed remotely through the Virtual Private Network (VPN) and Citrix.
: a. If yes, how will consistent use be maintained at all sites?
Consistent use will be maintained by allowing access through NRC offices, VPN, and Citrix only.
: 5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?
FOIA/PA Team members, contractors, and GEMS Division Director and Deputy Division Director.
: 6. Will a record of their access to the system be captured?
No.
: a. If yes, what will be collected?
N/A.
: 7. Will contractors be involved with the design, development, or maintenance of the system?
EPA is responsible for the design, maintenance, and development of FOIAonline.
If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.
* Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
* PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.
: 8. What auditing measures and technical safeguards are in place to prevent misuse of data?
No auditing measures. The system is only accessed by the FOIA/PA Team members, contractors, and the GEMS Division Director and Deputy Division Director.
: 9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?
Yes.
: a. If yes, when was Certification and Accreditation last completed? And what FISMA system is this part of?
FOIAonline received an ongoing Authority to Operate (ATO) within the TPS FISMA boundary on June 12, 2019 (ML19238A097).
EPA's ATO for FOIAonline is valid until February 7, 2022.
: b. If no, is the Certification and Accreditation in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?
N/A.
: c. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Office's (CSO's) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.
N/A.
PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)
System Name: E-FOIA Tracking System (FOIAonline)
Submitting Office: OCIO

A. PRIVACY ACT APPLICABILITY REVIEW
Privacy Act is not applicable.
X Privacy Act is applicable.
Comments:
This system is covered by System of Records Notice - NRC-10, Freedom of Information Act (FOIA) and Privacy Act (PA) Request Records.
Reviewer's Name: Signed by Hardy, Sally on 06/03/21
Title: Privacy Officer
Date: June 17, 2021

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION
No OMB clearance is needed.
OMB clearance is needed.
X Currently has OMB Clearance. Clearance No. 3150-0043
Comments:
Reviewer's Name: Signed by Cullison, David on 06/03/21
Title: Agency Clearance Officer
Date: June 17, 2021

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION
No record schedule required.
Additional information is needed to complete assessment.
Needs to be scheduled.
X Existing records retention and disposition schedule covers the system - no modifications needed.
Comments:
Reviewer's Name: Signed by Dove, Marna on 06/03/21
Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE
This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.
I concur in the Privacy Act, Information Collections, and Records Management reviews:
June 17, 2021
Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer
 
TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS
TO: (Sponsor name and office)
Name of System: E-FOIA Tracking System (FOIAonline)
Date CSB received PIA for review: May 25, 2021
Date CSB completed PIA review: June 3, 2021
Noted Issues:
Chief, Cyber Security Branch, Governance and Enterprise Management Services Division, Office of the Chief Information Officer
Signature/Date: Signed by Nalabandian, Garo on 06/17/21; June 17, 2021
Copies of this PIA will be provided to:
Thomas G. Ashley, Jr., Director, IT Services Development and Operations Division, Office of the Chief Information Officer
Jonathan R. Feibus, Chief Information Security Officer (CISO), Office of the Chief Information Officer}}

Document information
Title: E-FOIA Tracking System FOIA Online Privacy Impact Assessment
ADAMS accession number: ML21145A351
Issue date: 05/18/2021
From: NRC/OCIO
Download: ML21145A351 (16 pages)
Text

U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

E-FOIA Tracking System (FOIAonline)

Date: May 18, 2021 A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system: (Use plain language, no technical terms.)

FOIAonline is a multi-agency cloud-based web application managed by the Environmental Protection Agency (EPA). FOIAonline allows the public to submit Freedom of Information Act (FOIA) requests to participating agencies and track the progress of an agencys response to a request. FOIAonline is also a workflow system and repository that enables participating agencies to manage FOIA requests and generate reports including the annual FOIA report for submission to the Department of Justice.

FOIAonline stores FOIA requests and appeals, responses to requests, notes, and other information related to requests and appeals. Members of the FOIA team and U.S. Nuclear Regulatory Commissions (NRC) personnel with system access can assign, track, and monitor tasks; calculate fees; generate reports; and store request records. These functions streamline and help automate business processes associated with NRC FOIA responsibilities. Members of the public can submit FOIA requests to the NRC, track the status of requests, file appeals, search for requests submitted by other users, access previously released records, and generate agency specific FOIA processing reports.

2. What agency function does it support? (How will this support the U.S.

Nuclear Regulatory Commissions (NRCs) mission, which strategic goal?))

FOIAonline supports the NRC Freedom of Information Act/Privacy Act (FOIA/PA)

Program.

3. Describe any modules or subsystems, where relevant, and their functions.

FOIAonline fulfills the tracking and reporting requirements under the Freedom of Information Act (5 U.S.C. § 552, as Amended by Public Law No.104-231, 110 Stat. 3048).

PIA Template (03-2021)

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)
  • Clinger Cohen (40 U.S.C 11318)
  • The Economy Act (31 U.S.C. §1535, 1536)
  • The Freedom of Information Act (5 U.S.C. § 552. as amended by P.L. 104-231. 110 Stat. 3048) and the FOIA Improvement Act of 2016 (P.L. 114-185 (June 30, 2016)) Memorandum for the Heads of Executive Departments and Agencies: Open Government Directive, M10-06 (December 8, 2009)
5. What is the purpose of the system and the data to be collected?

To process FOIA/PA requests, appeals, and consultations from other agencies.

To allow the public and other federal participating agencies to submit requests electronically and the agency to process the requests. Collecting site usage activity is a common practice and the only means to determine how the public is actually using features on any given web site.

6. Points of

Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Project Manager Office/Division/Branch Telephone Stephanie Blaney OCIO/GEMSD/FLICB/FT 301-415-6975 Business Project Manager Office/Division/Branch Telephone Stephanie Blaney OCIO/GEMSD/FLICB/FT 301-415-6975 Technical Project Manager Office/Division/Branch Telephone Anna McGowan OCIO/GEMSD/FLICB 301-415-7204 Executive Sponsor Office/Division/Branch Telephone David Nelson OCIO 301-415-8700 ISSO Office/Division/Branch Telephone Natalya Bobryakova OCIO/GEMSD/CSB/IAT 301-287-0671 System Owner/User Office/Division/Branch Telephone Stephanie Blaney OCIO/GEMSD/FLICB/FT 301-415-6975 PIA Template (03-2021)

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. New System Modify Existing System X Other
b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes.

(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

ML20191A216, approved on July 29, 2020.

(2) If yes, provide a summary of modifications or other changes to the existing system.

  • Update to the system description, contact office/division/branch information, and Third Party System (TPS) Enterprise Architecture (EA) number.
  • Update to the user groups that have access to the system and FOIA Quarterly and Annual Reports
  • Update to the Certification and Accreditation information
8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes.

a. If yes, please provide the EA/Inventory number.

FOIAonline is a subsystem of TPS. The TPS EA number is 20180002.

b. If, no, please contact EA Service Desk to get the EA/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

PIA Template (03-2021)

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licenses etc.)).

Any person who submits a FOIA/PA request or appeal.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?

Name, home address, business name, business address, home phone number, business phone number, mobile phone number, fax number, home e-mail address, and business e-mail address. Requestors can provide additional information, such as Date of Birth (DOB) and Social Security Number (SSN); however, this information is not required and is provided voluntarily by the requestor. FOIA/PA team members redact the Personal Identifiable Information (PII) when possible to reduce the sensitivity of the information.

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

Yes, through voluntary submittal of a FOIA/PA request.

(1) If yes, what information is being collected?

The person making the FOIA/PA is required to provide NRC with their name and contact information such as home address, business name, business address, home phone number, business phone number, mobile phone number, fax number, home e-mail address, or business e-mail address.

d. Will the information be collected from individuals who are not Federal employees?

Yes.

(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?

Yes.


(a) If yes, indicate the OMB approval number:

3150-0043.

e. Is the information being collected from existing NRC files, databases, or systems?

No.

(1) If yes, identify the files/databases/systems and the information being collected.

N/A.

f. Is the information being collected from external sources (any source outside of the NRC)?

No.

(1) If yes, identify the source and what type of information is being collected?

N/A.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

The FOIA/PA Team only verifies the ability to contact a requestor, whether by telephone, mail, e-mail, or fax, but does not verify whether the information provided is in fact their home address or home phone number.

h. How will the information be collected (e.g. form, data transfer)?

FOIA/PA requests can be submitted in a paper or electronic format.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).

Offices assigned cases, assigned caseworker, fee category, fee estimates, multi-track type, received date, closed date, target date, perfected date of request, fee waiver request, expedited processing request, final fees due or owed to requester, requester type, and identification of exemptions used for denied records.


b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

Information identified in a. is determined by the FOIA/PA Team.

Exemptions used for denied records are determined by the program offices and verified by the FOIA/PA Team and the Office of the General Counsel.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

The system is used to track all FOIA/PA requests received by the NRC in both paper and electronic form. The information is used to communicate with the requestor and to generate the FOIA Annual Report to the Department of Justice (DOJ), correspondence to FOIA requesters, reports required by regulation, and ad hoc reports as needed. The system also calculates fees for the requests and is used as an archival system to locate previous similar requests and requesters.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

3. Who will ensure the proper use of the data in this system?

Members of the NRC's FOIA/PA Team.

4. Are the data elements described in detail and documented?

Yes.

a. If yes, what is the name of the document that contains this information and where is it located?

The software is owned and managed by EPA for use by Federal agencies.

Licenses are purchased from EPA, which provides a user's manual and training as needed. A hard copy of the user's manual is located with the FOIA/PA team as well as with EPA.


5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No.

Derived data is information obtained from a source for one purpose, where the original information is then used to deduce/infer a separate and distinct piece of information that is aggregated to form information usually different from the source information.

Aggregation of data is the taking of various data elements and turning them into a composite of all the data to form another type of data (e.g., tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A.

b. How will aggregated data be validated for relevance and accuracy?

N/A.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A.

6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

Data can be retrieved through queries or reports using any of the fields in the database such as names of requesters, types of requesters, request number, subject matter of requests, exemptions used for denied records, multi-track type, payment status, fee waiver status, expedited status, closed between dates, caseworker name, etc.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

Data can be retrieved by a requester name or caseworker name.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

Yes.

a. If Yes, provide name of SORN and location in the Federal Register.

NRC-10, Freedom of Information Act (FOIA) and Privacy Act (PA) Request Records.


8. If the information system is being modified, will the SORN(s) require amendment or revision?

No.

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

N/A.

(1) What controls will be used to prevent unauthorized monitoring?

N/A.

10. List the report(s) that will be produced from this system.

FOIA Quarterly and Annual Reports to DOJ describe the NRC's response to FOIA requests. Statistical data only. Reports are available through the NRC's public Website.

A report for a previous request will provide data to the caseworker, such as which offices were assigned the case, received date, closed date, perfected date, exemptions used for denied records, fees charged, etc.

Ad hoc statistical reports, for example, how many cases are open, how many cases were closed, uses of particular exemptions, response times, backlogs, etc.

a. What are the reports used for?

The FOIA Quarterly and Annual Reports are provided to DOJ, which oversees all Government FOIA programs, and give DOJ the statistical data needed to gauge our success in responding to FOIA/PA requests in a timely manner.

A report on a previous request can assist the reviewer in handling a newer request for similar records.

A report on how many requests by particular requester type are received can be provided to a FOIA/PA requester.

Management and oversight of the FOIA/PA program.


b. Who has access to these reports?

FOIA/PA Team members, contractors, and the Governance and Enterprise Management Services (GEMS) Division Director and Deputy Division Director.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

OCIO FOIA/PA Team and contractors.

(1) For what purpose?

  • FOIA Quarterly and Annual Reports to DOJ.
  • Archival data to review previous cases/requesters.
  • Data input to correct information in system, fees, owed, etc.
  • Input case closing information such as closed date, exemptions used.
  • Review FOIA/PA cases.

(2) Will access be limited?

Access will be based on the individual's need to know.

2. Will other NRC systems share data with or have access to the data in the system?

No.

(1) If yes, identify the system(s).

N/A.

(2) How will the data be transmitted or disclosed?

N/A.

3. Will external agencies/organizations/public have access to the data in the system?

Yes.

(1) If yes, who?

Agencies, organizations, and the public.

(2) Will access be limited?

Yes.


(3) What data will be accessible and for what purpose/use?

Requestors can only access the data/information they have provided through their FOIAonline account for tracking their FOIA/PA requests.

(4) How will the data be transmitted or disclosed?

Data will be transmitted online through a FOIAonline requestor user account, or via e-mail or regular U.S. mail for non-FOIAonline users.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have an approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in the NRC's Comprehensive Records Disposition Schedule (NUREG-0910) or NARA's General Records Schedules (GRS)?

Yes.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).
  • For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

GRS 4.2 Item 020: Access and disclosure request files. Temporary. Destroy 6 years after final agency action or 3 years after final adjudication by the courts, but longer retention is authorized if required for business use.

GRS 4.2 Item 040: Records of accounting for and controlling access to records requested under FOIA, PA, and MDR. Temporary. Destroy 5 years after date of last entry or final action by agency, but longer retention is authorized if required for business use.

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Each NRC-approved user with access to FOIAonline has a username and password, along with a Personal Identity Verification (PIV) Card or One-Time Password (OTP) credential. Responsive records that exceed the system security categorization of moderate will be maintained in a secure restricted-access location (safe or secure restricted drive).

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

Each user has an individual username and two factors of authentication. Access rights are granted based on need to know.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes.

(1) If yes, where?

In the signed Memorandum of Understanding between EPA and NRC.

4. Will the system be accessed or operated at more than one location (site)?

Yes. The FOIAonline system can be accessed remotely through the Virtual Private Network (VPN) and CITRIX.

a. If yes, how will consistent use be maintained at all sites?

Consistent use will be maintained through NRC offices, VPN, and CITRIX only.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

FOIA/PA Team members, contractors, and GEMS Division Director and Deputy Division Director.

6. Will a record of their access to the system be captured?

No.


a. If yes, what will be collected?

N/A.

7. Will contractors be involved with the design, development, or maintenance of the system?

EPA is responsible for the design, maintenance, and development of FOIAonline.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

  • Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
  • PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

No auditing measures. The system is only accessed by the FOIA/PA Team members, contractors, and GEMS Division Director and Deputy Division Director.

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

Yes.

a. If yes, when was Certification and Accreditation last completed? And what FISMA system is this part of?

FOIAonline received an ongoing Authority to Operate (ATO) with the TPS FISMA boundary on June 12, 2019 (ML19238A097).

EPAs ATO for FOIAonline is valid until February 7, 20220.

b. If no, is the Certification and Accreditation in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?

N/A.

c. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Office's (CSO's) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.

N/A.


PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: E-FOIA Tracking System (FOIAonline)

Submitting Office: OCIO

A. PRIVACY ACT APPLICABILITY REVIEW

Privacy Act is not applicable.

X Privacy Act is applicable.

Comments:

This system is covered by System of Records Notice - NRC-10, Freedom of Information Act (FOIA) and Privacy Act (PA) Request Records.

Reviewer's Name: Signed by Hardy, Sally on 06/03/21

Title: Privacy Officer

June 17, 2021

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

No OMB clearance is needed.

OMB clearance is needed.

X Currently has OMB Clearance. Clearance No. 3150-0043

Comments:

Reviewer's Name: Signed by Cullison, David on 06/03/21

Title: Agency Clearance Officer

June 17, 2021

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

No record schedule required.

Additional information is needed to complete assessment.

Needs to be scheduled.

X Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name: Signed by Dove, Marna on 06/03/21

Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE

This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

June 17, 2021

Chief, Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT / PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: (Sponsor name and office)

Name of System: E-FOIA Tracking System (FOIAonline)

Date CSB received PIA for review: May 25, 2021

Date CSB completed PIA review: June 3, 2021

Noted Issues:

Chief Signature/Date: Signed by Nalabandian, Garo on 06/17/21, June 17, 2021

Chief, Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr.
Director, IT Services Development and Operations Division
Office of the Chief Information Officer

Jonathan R. Feibus
Chief Information Security Officer (CISO)
Office of the Chief Information Officer