ML18263A134

Revision as of 22:08, 14 June 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
Enclosure 3 - Memorandum to Mick Mulvaney, Director, Office of Management and Budget from Scott Flanders on Nrc'S Fiscal Year 2018 Privacy Program Memorandum
ML18263A134
Person / Time
Issue date: 10/31/2018
From: Scott Flanders, NRC/OCIO
To: Mulvaney M, US Executive Office of the President, Office of Mgmt & Budget (OMB)
Sally Hardy, (301) 415-5607
Shared Package: ML18263A172
References: CORR-18-0099, SRM-EDO011121-1


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

October 31, 2018

MEMORANDUM TO: Mick Mulvaney, Director
Office of Management and Budget

FROM: Scott C. Flanders
Senior Agency Official for Privacy

SUBJECT: THE NUCLEAR REGULATORY COMMISSION'S FISCAL YEAR 2018 PRIVACY PROGRAM MEMORANDUM

It is the policy of the Nuclear Regulatory Commission (NRC) to ensure that Systems of Records are established and maintained to protect the rights of individuals from unnecessary invasion of personal privacy in accordance with the Federal Privacy Act of 1974, as amended (5 U.S.C. 552a). The processing of initial requests or appeals is consistent with the requirements and the time limits of the Privacy Act and Title 10 of the Code of Federal Regulations (10 CFR) Part 9, Subpart B, "Privacy Act Regulations." The NRC's privacy program is described in Management Directive (MD) 3.2, "Privacy Act," July 10, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML18073A087).

The Agency's Chief Information Officer (CIO) is designated as the Senior Agency Official for Privacy (SAOP) responsible for ensuring that a program to administer the Privacy Act is established and effectively implemented within the NRC. The NRC General Counsel is responsible for advising and assisting with the development of regulations, procedures, and other matters related to the Privacy Act. Placing the SAOP function at a senior management position within the Office of the Chief Information Officer (OCIO), with the participation of the General Counsel, ensures that the SAOP has the authority, independence, access to agency leadership, subject matter expertise, and resources to effectively manage and oversee all privacy-related functions across the agency. At NRC, the CIO may delegate the authorities and responsibilities of the SAOP, as necessary.

The CIO makes the final determinations, on behalf of the Executive Director for Operations (EDO), on appeals of initial denials of Privacy Act requests, corrections or amendments of Privacy Act records held by an office reporting to the EDO, and on appeals of denials of fee waivers or reductions and denials of expedited processing requests.

Pursuant to MD 3.2, the CIO has delegated authorities and responsibilities of the SAOP to the Deputy Director of OCIO. The Deputy Director of OCIO, as SAOP, has the overall responsibility and accountability for ensuring the agency's implementation of information privacy protections, including the agency's full compliance with Federal laws, regulations, and policies relating to information privacy. The SAOP designates the Privacy Act Officer, the official responsible for implementing and administering the Privacy Act program, in accordance with NRC regulations. The SAOP also approves and issues Federal Register notices establishing new and amending existing Systems of Records in accordance with the delegated authority.

The SAOP is also responsible for proposing needed amendments to NRC regulations (10 CFR Part 9) implementing the Privacy Act. In addition, the SAOP provides advice and assistance in the development of technical safeguards for the preservation of data integrity and security for Systems of Records using automated records or processes. Finally, the SAOP implements the program for administering the privacy provisions of Section 208 of the E-Government Act of 2002. The NRC conducts privacy reviews and provides employees and contractors with privacy-awareness training.

Importantly, the NRC has established a process for conducting Privacy Impact Assessments (PIAs) of its information systems containing Personally Identifiable Information (PII) to identify and reduce the privacy impact of the organization's activities, and to notify affected persons about any privacy impacts and steps taken to mitigate them if available. NRC's "Privacy Impact Assessment Manual" (ADAMS Accession No. ML11143A050) explains the processes and procedures required for completing a PIA. NRC has also prepared a privacy threshold analysis template that can be used to determine if a PIA is necessary. For additional information, please see the "Privacy Impact Assessment" (ADAMS Accession No. ML050460335) or the "Privacy Threshold Analysis" (ADAMS Accession No. ML091970114).

NRC's PIA process is consistent with relevant privacy-related policy, guidance, and standards and Privacy Act System of Records Notices. Pursuant to Office of Management and Budget (OMB) Memorandum M-07-16, NRC also has developed a PII Breach Notification Policy (ADAMS Accession No. ML14036A058) and has implemented procedures for responding to PII breaches.

NRC designates a Core Management Group (CMG) consisting of the General Counsel, the Inspector General, the CIO, and the SAOP. CMG membership may be supplemented by the Chief Human Capital Officer, the Director of the Office of Administration, or the Chief Financial Officer, as appropriate. For breaches resulting in a CMG decision to notify affected individuals, the Directors of the Office of Public Affairs and the Office of Congressional Affairs will also participate in the CMG. Similarly, for breaches involving information technology systems, the Chief Information Security Officer in OCIO will also be included in the CMG. The Breach Notification Policy provides for assessment of the breach and, depending on the risk to individuals, notification, credit monitoring, or remedy. The NRC continues to develop and implement measures to ensure that the proper use and protection of PII is accomplished in accordance with statutory mandates and to properly safeguard the privacy of individuals. Below you will find our current listing of names and titles of all staff supporting the Privacy Program, along with the organizational information for the FY2018 SAOP FISMA reporting metrics:
  • Office of the Chief Information Officer, Deputy Director, Senior Agency Official for Privacy (SAOP), Scott Flanders
  • Office of the Chief Information Officer, Governance & Enterprise Management Services Division, Director, John Moses
  • Office of the Chief Information Officer, Governance & Enterprise Management Services Division, Deputy Director, Jonathan Feibus
  • Office of the Chief Information Officer, Governance & Enterprise Management Services Division, Information Services Branch Chief, Anna McGowan
  • Office of the Chief Information Officer, Governance & Enterprise Management Services Division, Information Services Branch, Privacy Officer, Sally Hardy
  • Office of the Chief Information Officer, Information Technology Services Development and Operations Division, Security Operations Branch, IT Specialist, Charles Watkins