ML20157A058

Departures and Exit Surveys Privacy Impact Assessment
ML20157A058
Person / Time
Issue date: 08/31/2020
From: Evans-Brown C
NRC/OCIO


Text

ADAMS ML20157A058

U.S. Nuclear Regulatory Commission

Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Departures and Exit Surveys (previously Recruitment Activity Tracking System (RATS))

Date: June 22, 2020

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:

The former Recruitment Activity Tracking System (RATS) is now called Departures and Exit Surveys. It is a web-based database used to send Exit Surveys to departing employees and to record their responses, for the purpose of obtaining feedback from employees on their various reasons for leaving the agency.

2. What agency function does it support?

This supports the office of Human Resources (HR), HCAB and helps to improve employee/management relations, realize and correct issues on various levels and provide feedback to management on areas of improvement.

3. Describe any modules or subsystems, where relevant, and their functions.

HCAB enters employees who will be leaving the agency into the system. They track the number of departing employees in the reports. The automated part runs a nightly file to review for employees departing the agency within two weeks and sends them an email notifying them of the Exit Survey to fill out prior to their departure. The employee fills out the survey. The results are compiled by HCAB for the improvement of the agency.

4. What legal authority authorizes the purchase or development of this system?

U.S. Code Title 5 Section 1104 (5 USC 1104)

PIA Template (04-2019) Page 1 of 13

5. What is the purpose of the system and the data to be collected?

To determine areas of improvement within the agency. The system collects employee name, type of separation, date of departure, office, title, grade, appointment type, funding type along with all of the survey questions which consist of 5 categories involving work/life, benefits, management/organization, environment and family/personal questions.

6. Points of Contact:

Project Manager: John E Shea, Office/Division/Branch: OCHCO/HCAB, Telephone: 301-415-0246

Technical Project Manager: Roger Swiger, Office/Division/Branch: OCHCO/ADHRTD, Telephone: 423-855-6446

Executive Sponsor: Miriam Cohen, Office/Division/Branch: OCHCO, Telephone: 301-287-0747

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. New System

X Modify Existing System

Other

b. If modifying or making other updates to an existing system, has a PIA been prepared before?

YES

(1) If yes, provide the date approved and ADAMS accession number.

ML16169A183

(2) If yes, provide a summary of modifications or other changes to the existing system.

Updated POCs, updated template.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes

a. If yes, please provide Enterprise Architecture (EA)/Inventory number.

EA 20060037

b. If no, please contact EA Service Desk to get Enterprise Architecture (EA)/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

YES

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).

Federal employees.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. SSN, Place of Birth, Name, Address)?

Separation Data: Employee name, type of separation, date of departure, funding type, office, title, grade, appointment type, hours worked, survey responses: 5 categories of determining factors on reasons an employee leaves the agency.

c. Is information being collected from the subject individual?

YES

(1) If yes, what information is being collected?

Yes, personal opinions in the survey responses.

d. Will the information be collected from individuals who are not Federal employees?

NO

(1) If yes, does the information collection have OMB approval?

(a) If yes, indicate the OMB approval number:

e. Is the information being collected from existing NRC files, databases, or systems?

YES

(1) If yes, identify the files/databases/systems and the information being collected.

HRMS Human Resource Management System database: grade, office, appointment type

f. Is the information being collected from external sources (any source outside of the NRC)?

NO

(1) If yes, identify the source and what type of information is being collected?

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

Information is verified during exit interview.

h. How will the information be collected (e.g. form, data transfer)?

Interface with HRMS and entry by HCAB employees and employee responses in survey.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

NO

(1) If yes, identify the type of information (be specific).

N/A

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

N/A

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

Tracking departures, soliciting feedback from employees on organization, providing areas of improvement to HR.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

YES

3. Who will ensure the proper use of the data in this system?

HR application administrator controls user access.

4. Are the data elements described in detail and documented?

NO

a. If yes, what is the name of the document that contains this information and where is it located?

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

NO

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A

b. How will aggregated data be validated for relevance and accuracy?

N/A

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A

6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

Yes - Records are retrieved by selecting employee name from a dropdown list.

However, the Employee ID identifier is used to query the database. Reports are run based on departure date, office.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

Records are retrieved by selecting employee name from a dropdown list. The Employee ID identifier is used to query the database.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

YES

a. If Yes, provide name of SORN and location in the Federal Register.

Government-wide system OPM/GOVT-5 (Recruiting, Examining, and Placement Records). (previously covered under NRC 28 Merit Selection Records)

8. If the information system is being modified, will the SORN(s) require amendment or revision?

NO

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

NO

a. If yes, explain.

(1) What controls will be used to prevent unauthorized monitoring?

10. List the report(s) that will be produced from this system.

Departure Summary Report.

a. What are the reports used for?

To determine the number of employees leaving the agency within a timeframe.

b. Who has access to these reports?

Authorized system users

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

Access to the data is limited to HCAB staff in OCHCO.

(1) For what purpose?

To plan for departing employees, solicit feedback on their reasons for leaving, and to review agency issues if identified in the surveys.

(2) Will access be limited?

YES

2. Will other NRC systems share data with or have access to the data in the system?

NO

(1) If yes, identify the system(s).

N/A

(2) How will the data be transmitted or disclosed?

N/A

3. Will external agencies/organizations/public have access to the data in the system?

NO

(1) If yes, who?

(2) Will access be limited?

(3) What data will be accessible and for what purpose/use?

(4) How will the data be transmitted or disclosed?

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 U.S.C., 36 CFR). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have an approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management (RIM) and NARA's Universal Electronic Records Management (ERM) requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules?

YES

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).

GRS 2.5. Item 011 - Temporary. Destroy 2 years after date of program closure, but longer retention is authorized if required for business use.

NOTE: HRSO Staff indicates that Record will be destroyed two years after employee separation.

b. If no, please contact the Records and Information Management (RIM) staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Access to the Exit Survey tool requires a valid NRC network credential and role-based access. An Exit Survey Administrator provides read, reporting, or edit permissions as necessary to appropriate NRC HR staff. Users navigate to the Exit Survey website using a web browser. NRC authenticated accounts access the system via single sign-on. Authentication to the NRC LAN is multi-factored.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

Multi-factor LAN authentication ensures only NRC network users reach the Exit Survey website. The Exit Survey application's role-based security component restricts users' access to only what is necessary. Three system admins monitor role-based permissions on a regular basis.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

NO

(1) If yes, where?

4. Will the system be accessed or operated at more than one location (site)?

YES

a. If yes, how will consistent use be maintained at all sites?

Access to the Exit Survey tool is dependent on LAN access. Remote users and regional users can access the tool provided that their NRC LAN account is signed in to the network and their LAN account has been issued a role-based permission by an Exit Survey admin. Use, administration, and navigation are the same for remote use.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

System Administrator, application administrator, and HCAB users.

6. Will a record of their access to the system be captured?

YES

a. If yes, what will be collected?

Date/time and user ID when records are inserted and modified.

7. Will contractors be involved with the design, development, or maintenance of the system?

YES

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.

  • FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
  • PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

Access level controls are in place, and a record of the date/time and user ID is kept when records are inserted or modified.

9. Is the data secured in accordance with FISMA requirements?

YES

a. If yes, when was Certification and Accreditation last completed?

System was authorized in October 2013, is within the TTC's system boundaries, and has had periodic system control assessments every year since then.

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMS/CSB Staff)

System Name: Departures and Exit Surveys

Submitting Office: Office of the Chief Human Capital Officer

A. PRIVACY ACT APPLICABILITY REVIEW

Privacy Act is not applicable.

X Privacy Act is applicable.

Comments:

Departures and Exit Surveys (previously Recruitment Activity Tracking System (RATS)) is covered by Government-wide system OPM/GOVT-5 (Recruiting, Examining, and Placement Records). (previously covered under NRC 28 Merit Selection Records)

Reviewer's Name: Sally A. Hardy
Title: Privacy Officer
Date: 7/20/2020

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

X No OMB clearance is needed.

OMB clearance is needed.

Currently has OMB Clearance. Clearance No.

Comments:

Information is collected only from Federal employees.

Reviewer's Name: David Cullison
Title: Agency Clearance Officer
Date: 7/24/20

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

No record schedule required.

Additional information is needed to complete assessment.

Needs to be scheduled.

X Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name: Marna B. Dove
Title: Sr. Program Analyst, Electronic Records Manager
Date: 7/10/2020

D. BRANCH CHIEF REVIEW AND CONCURRENCE

X This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

/RA/ Date: August 31, 2020

Clarissa L. Evans Brown, Chief
Computer Security Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Miriam Cohen, Office of the Chief Human Capital Officer

Name of System: Departures and Exit Surveys

Date CSB received PIA for review: June 3, 2020

Date CSB completed PIA review: July 24, 2020

Noted Issues:

Clarissa L. Evans Brown, Chief
Computer Security Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer

Signature/Date: /RA/ August 31, 2020

Copies of this PIA will be provided to:

Tom Ashley, Director
IT Services Development & Operation Division
Office of the Chief Information Officer

Jonathan Feibus
Chief Information Security Officer (CISO)
Office of the Chief Information Officer