ML19198A279

Igofigure Pia 2019
Person / Time
Issue date: 11/01/2019
From: Anna Mcgowan
NRC/OCIO
To:
OCHCO_HCAB.Resource@nrc.gov
References

ADAMS ML19198A279
U.S. Nuclear Regulatory Commission
Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

iGoFigure
Date: July 17, 2019

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:

iGoFigure Membership & Business Management Software makes it possible to easily manage a fitness center. It allows the tracking of members' attendance, results, and progress; organizes special populations based on health or medical considerations; and maintains a complete status history for each member. iGoFigure also provides robust membership reporting capabilities for effective health club management.

iGoFigure's primary focus is creating a high-quality software product that effectively manages member and customer information, provides easy payment processing and money management, tracks inventory, includes robust reporting capabilities, and reduces the time and effort involved in successfully running a business.

2. What agency function does it support?

The Nuclear Regulatory Commission (NRC) supports Global Employee Health & Fitness Month (GEHFM) and supports health and fitness in the workplace as a strategic goal. GEHFM is a yearly program that promotes international and national observance of health and fitness in the workplace. The program was created by two non-profit organizations, the National Association for Health & Fitness and ACTIVE Life. The NRC supports GEHFM by promoting the benefits of a healthy lifestyle to NRC employees through worksite health promotion activities such as cycle-to-work day, 5K runs, and the expansion of the Fitness Center to accommodate more employee memberships.

PIA Template (04-2019) Page 1 of 16

Formerly known as National Employee Health and Fitness Day, GEHFM has been extended to a month-long initiative in an effort to generate sustainability for a healthy lifestyle and initiate healthy activities on an ongoing basis.

3. Describe any modules or subsystems, where relevant, and their functions.

iGoFigure is easy to use; member management with unattended member scan-in; multiple memberships; point of sale; 10 cent EFT; integrated billing & recurring payment; class scheduling; employee commissions & time clock; 100+ reports with custom reporting wizard; translated into 18 languages; used by thousands of businesses in over 51 countries.

4. What legal authority authorizes the purchase or development of this system?

5 U.S.C. 7901; Executive Order (E.O.) 9397, as amended by E.O. 13478

5. What is the purpose of the system and the data to be collected?

The purpose of the iGoFigure application system is to manage member information regarding attendance and fitness-level performance and progress.

The Fitness Center staff uses the application to track members' fitness goals and progress, and their attendance at the personal training services and daily classes at the facility.

6. Points of Contact:

Role | Name | Office/Division/Branch | Telephone
Project Manager | Sarah Linnerooth Hoenig | OCHCO/HCAB | 301-415-7113
Business Project Manager | Tracy Scott | OCHCO/HCAB | 301-287-0736
Technical Project Manager | Rick Grancorvitz | OCHCO/HCAB | 301-287-0805
Executive Sponsor | Jeanne Dempsey | OCHCO/HCAB | 301-287-0789
ISSO | Brendan Cain | OCHCO/HCAB | 301-287-0552
System Owner/User | Sarah Linnerooth Hoenig | OCHCO/HCAB | 301-415-7113

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. [ ] New System [X] Modify Existing System [ ] Other
b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes

(1) If yes, provide the date approved and ADAMS accession number.

ML16165A088

(2) If yes, provide a summary of modifications or other changes to the existing system.

Update Points of Contact information and placed in new PIA template.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes

a. If yes, please provide Enterprise Architecture (EA)/Inventory number.

20190048

b. If, no, please contact EA Service Desk to get Enterprise Architecture (EA)/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public: non-licensee workers, applicants before they are licensees, etc.)).

NRC employees who apply for membership at the Fitness Center, including current and former members.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. SSN, Place of Birth, Name, Address)?

The information maintained in the iGoFigure system is populated from NRC Form 681, plus additional information about fitness level and performance. NRC's Fitness Center requires all members to complete and submit the form before becoming a member.

The specific data fields listed in the iGoFigure application are as follows:

Gender; FirstName; MiddleInitial; LastName; Home Location; Street1; Street2; City; State; Zip Code; Country; Birthday; Employee; HomePhone1; HomePhone2; WorkPhone1; WorkPhone2; CellPhone1; CellPhone2; Other Phone; Email1; Email2; Email3; EmergContact_FirstName; EmergContact_MiddleInitial; EmergContact_LastName; EmergContact_HomePhone1; EmergContact_HomePhone2; EmergContact_WorkPhone1; EmergContact_WorkPhone2; EmergContact_CellPhone1; EmergContact_CellPhone2; EmergContact_OtherPhone; MemberAttributes; StatusID; Membership; PrimaryMember_FirstName; PrimaryMember_MiddleInitial; PrimaryMember_LastName; PrimaryMember_RowNumber; Notes; MemberImage; MeasurementDay; Meas_Bust; Meas_Wasit; Meas_Abdomen; Meas_Hips; Meas_Thighs; Meas_Calves; Meas_Arms; Meas_Weight; Meas_Height; Meas_BodyFatPercent; Meas_BodyFatWt; Meas_BMI; Meas_RHR; Meas_Shoulder; Meas_Biceps; NumWorkouts; Keytag#


c. Is information being collected from the subject individual?

Yes

(1) If yes, what information is being collected?

Data from Form 681.

d. Will the information be collected from individuals who are not Federal employees?

No

(1) If yes, does the information collection have OMB approval?

(a) If yes, indicate the OMB approval number:

e. Is the information being collected from existing NRC files, databases, or systems?

No

(1) If yes, identify the files/databases/systems and the information being collected.

f. Is the information being collected from external sources (any source outside of the NRC)?

No

(1) If yes, identify the source and what type of information is being collected?

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

Not applicable

h. How will the information be collected (e.g. form, data transfer)?

Form 681

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

No

(1) If yes, identify the type of information (be specific).

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

C. USES OF SYSTEM AND INFORMATION These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

Data are used to monitor members' fitness levels, track fitness progress, and log facility entry times.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes

3. Who will ensure the proper use of the data in this system?

Fitness center manager, staff and system administrator.

4. Are the data elements described in detail and documented?

Yes

a. If yes, what is the name of the document that contains this information and where is it located?

\\nrc.gov\nrc\hq\office\ochco\HCAB\IT\Fitness Center Software\iGoFigure\iGoFigure_New_User_Manual.pdf

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?
b. How will aggregated data be validated for relevance and accuracy?
c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?
6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

Yes.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

By Fitness member name or PIV card number.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

Yes

a. If Yes, provide name of SORN and location in the Federal Register.

NRC 44, Employee Fitness Center Records

8. If the information system is being modified, will the SORN(s) require amendment or revision?

No

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

Yes

a. If yes, explain.

To track and monitor fitness-level performance and improvements, as well as to identify members' date/time of entry.

(1) What controls will be used to prevent unauthorized monitoring?

Username and Password assigned for access.

10. List the report(s) that will be produced from this system.

Fitness Member Exercise Plan; Personal Training Test Results

a. What are the reports used for?

Track members' fitness levels and fitness-level improvements.

b. Who has access to these reports?

Fitness Center Manager and staff

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

Fitness Center Manager and staff

(1) For what purpose?

To monitor members' use of the facility and track members' fitness goals.

(2) Will access be limited?

No

2. Will other NRC systems share data with or have access to the data in the system?

No

(1) If yes, identify the system(s).

N/A

(2) How will the data be transmitted or disclosed?

N/A

3. Will external agencies/organizations/public have access to the data in the system?

No

(1) If yes, who?

N/A

(2) Will access be limited?

N/A

(3) What data will be accessible and for what purpose/use?

N/A

(4) How will the data be transmitted or disclosed?

N/A

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 U.S.C., 36 CFR). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have an approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management (RIM) and NARA's Universal Electronic Records Management (ERM) requirements, and whether a strategy is needed to ensure compliance.

PIA Template (04-2019) Page 9 of 16

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910) or NARA's General Records Schedules?

No. Further assessment is needed to provide an overall records schedule for the system.

Some records in the system will need to be scheduled, as they do not fall under a current Records Schedule or NARA General Records Schedule (GRS); therefore, NRC records personnel will need to work with staff to develop a records retention and disposition schedule for records created or maintained. Until the approval of such a schedule, these records and information are Permanent. Their willful disposal or concealment (and related offenses) is punishable by fine or imprisonment under 18 U.S.C. Chapter 101, Section 2071. Implementation of retention schedules is mandatory under 44 U.S.C. 3303a(d), and although this does not prevent further development of the project, retention functionality or a manual process must be incorporated to meet this requirement.

GRS 2.7, item 080 might possibly be used for a portion of these records, such as reports, received by and used by NRC's Health and Wellness Program in conducting their work activities/functions. The GRS disposition authority cannot be applied to the electronic system without further examining the functional use and, more importantly, the contract provisions for data handling.

Other records may be considered contract records, as the center is operated under contract. Contract deliverables, including data, must be retained in accordance with the contract's data-handling/recordkeeping provisions, which need to be assessed.

The agency form is received in hard-copy format and the data is entered into the system.

Further assessment is needed to see if the hard copy can be disposed of according to GRS 5.2 item 020. Question 6 of the GRS FAQs for GRS 5.2 might provide more information, depending on the nature of the form:

https://www.archives.gov/files/records-mgmt/grs/grs05-2-faqs.pdf

The membership fee is deducted through the employee's payroll; the financial records can be retained under GRS 2.4, item 010. However, NARA will be revising (shortening) the retention for GRS 2.4, item 010 to require retention for "3 years after data is validated" in an upcoming GRS transmittal amendment to GRS 2.4. Please continue following the current disposition instructions until this new GRS is published and made official for agency use.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).


  • For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?
b. If no, please contact the Records and Information Management (RIM) staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

A username and password are required to access the system.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

Only approved contractor staff will have access to iGoFigure and the Fitness Center.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes (1) If yes, where?

Yes. Detailed instructions on how to access the iGoFigure tracking system are documented in the NRC Fitness Services contractor's Employee Procedure Manual, which outlines how to lock and secure membership information. All of the data from iGoFigure is saved on a separate, restricted R: drive.

4. Will the system be accessed or operated at more than one location (site)?

No

a. If yes, how will consistent use be maintained at all sites?

N/A

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

NRC Application Administrator; NRC Fitness Center Director; NRC Fitness Center Staff.

6. Will a record of their access to the system be captured?

Yes

a. If yes, what will be collected?

Date and time system was accessed by user account.

7. Will contractors be involved with the design, development, or maintenance of the system?

No. The application is a commercial off-the-shelf product that will be operated in an NRC facility.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.

  • FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
  • PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.
8. What auditing measures and technical safeguards are in place to prevent misuse of data?

NRC's Fitness Center front desk is always monitored by one or more Fitness Center contractor employees at a time. All Fitness Center employees have successfully completed the required background and clearance process through the NRC. In addition, NRC's Fitness Services contractor is required to go over the Privacy Act notification and their responsibilities with all of their staff. The Fitness Services System of Records manager also sends annual guidance reminders on how to safeguard data and prevent its misuse. The Fitness Center closing procedures require that all programs and computers are logged off and completely shut down at COB.

9. Is the data secured in accordance with FISMA requirements?

Yes

a. If yes, when was Certification and Accreditation last completed?

March 24, 2014

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMS/ISB Staff)

System Name: iGoFigure
Submitting Office: Office of the Chief Human Capital Officer

A. PRIVACY ACT APPLICABILITY REVIEW

[ ] Privacy Act is not applicable.
[X] Privacy Act is applicable.

Comments:

iGoFigure is covered by NRC's Privacy Act System of Records NRC 44, Employee Fitness Center Records. iGoFigure does maintain PII, including information on persons to be notified in case of emergency (name, address, telephone number), which could be about members of the public.

Reviewer's Name | Title | Date
Sally A. Hardy | Privacy Officer | 10/29/2019

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

[ ] No OMB clearance is needed.
[X] OMB clearance is needed.
[ ] Currently has OMB Clearance. Clearance No.

Comments:

NRC Form 681 contains information collections that are subject to the requirements of the Paperwork Reduction Act. The exemption for collecting information from Federal employees does not apply, since the information being collected is not within the scope of their employment. The NRC is not approved to collect this information. OCHCO did not respond to a request for clarifying information.

Reviewer's Name | Title | Date
David Cullison | Agency Clearance Officer | 9/18/19

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

[ ] No record schedule required.
[ ] Additional information is needed to complete assessment.
[X] Needs to be scheduled.
[ ] Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name | Title | Date
Marna B. Dove | Sr. Program Analyst, Electronic Records Manager | 10/29/19

D. BRANCH CHIEF REVIEW AND CONCURRENCE

[ ] This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

[X] This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

/RA/ Date: November 1, 2019
Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT / PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Jeanne Dempsey, Office of the Chief Human Capital Officer
Name of System: iGoFigure
Date ISB received PIA for review: July 17, 2019
Date ISB completed PIA review: October 29, 2019

Noted Issues:

iGoFigure is covered by NRC's Privacy Act System of Records NRC 44, Employee Fitness Center Records.

Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer
Signature/Date: /RA/ November 1, 2019

Copies of this PIA will be provided to:

Thomas Ashley, Director
IT Services Development & Operation Division
Office of the Chief Information Officer

Jonathan Feibus
Chief Information Security Officer (CISO)
Governance & Enterprise Management
Office of the Chief Information Officer