ML20311A214

Agencywide Documents Access Management System (ADAMS) Privacy Impact Assessment (PIA)
ML20311A214
Person / Time
Issue date: 10/22/2020
From: Benjamin Partlow
NRC/OCIO/GEMSD/CSB
To:
Kathryn Harris, 301-287-0515


Text

U.S. Nuclear Regulatory Commission

Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Agencywide Documents Access and Management System (ADAMS)

Date: October 22, 2020

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system: (Use plain language, no technical terms.)

The Agencywide Documents Access and Management System (ADAMS) is an enterprise-level system used by the U.S. Nuclear Regulatory Commission (NRC) to organize, process, and manage the Agency's documentary material, which includes documents designated as official agency records (OARs) and non-record reference material, which includes works in progress, drafts, and other non-OAR documentation. ADAMS is the NRC's record retention system for documentary material and is integrated into many of the Agency's mission-critical standard operating procedures and records management processes. ADAMS is used throughout NRC Headquarters (HQ) and regional offices.

ADAMS provides the following capabilities:

o Document management (intake, classification, and retention)
o Document publishing
o Document search and retrieval
o Records management

For a current description of the ADAMS system and its various components, please reference the ADAMS System Description document, which may be accessed at Main Library (ML) ML15070A582.

ADAMS contains one subsystem, the Electronic Information Exchange (EIE) system, which provides an input mechanism to add documents to ADAMS. A separate Privacy Impact Assessment (PIA) was performed for EIE, which may be accessed at this link:

Electronic Information Exchange System Privacy Impact Analysis ML18120A168

PIA Template (12-2020)

No further information/discussion of the EIE system is contained in this ADAMS PIA. EIE's System Description, and other relevant documentation, may be accessed via the EIE PIA.

2. What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commission's (NRC's) mission, which strategic goal?)

ADAMS supports NRC's content management function: document capture, distribution, search and retrieval, and records management. ADAMS is the official records repository for unclassified records and is tightly integrated into many of NRC's mission-critical standard operating procedures and records management processes.

3. Describe any modules or subsystems, where relevant, and their functions.

ADAMS components provide support to the agency for document and records management, and image processing.

For a description of all modules and sub-components, please reference the ADAMS system description (ML15070A582).

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

44 United States Code (U.S.C.) Chapter 31; 44 U.S.C. Chapter 33; 36 Code of Federal Regulations (CFR) CFR Subpart B.

5. What is the purpose of the system and the data to be collected?

A portion of the vast amounts of programmatic and administrative documents that are added to ADAMS may contain information about an individual. The NRC staff collects programmatic and administrative information to facilitate the activities to conduct the NRC's day-to-day business. The NRC staff also collects this information to facilitate the records lifecycle management process and to comply with the regulations governing Federal records management. The licensing, technical, and adjudicatory information stored in ADAMS supports the NRC's mission.

6. Points of Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

A non-publicly available list of ADAMS points of contact can be found in the ADAMS Contact LIST (ML13343A122).

| Role | Name | Office/Division/Branch | Telephone |
|---|---|---|---|
| Project Manager | Mackenzie Stevens | OCIO/ITSDOD/ADSB | 301-415-2718 |
| Business Project Manager | Mackenzie Stevens | OCIO/ITSDOD/ADSB | 301-415-2718 |
| Technical Project Manager | Roy Choudhury | OCIO/ITSDOD/ADSB | 301-415-7226 |
| Executive Sponsor | David Nelson | OCIO/D | 301-415-8700 |
| ISSO | Kathryn Harris | OCIO/GEMSD/CSB | 301-287-0515 |
| System Owner/User | Thomas Ashley | OCIO/ITSDOD/D | 301-287-0771 |

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. [ ] New System   [X] Modify Existing System   [ ] Other
b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes.

(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

01/16/2018, ADAMS accession number is ML17187A160.

(2) If yes, provide a summary of modifications or other changes to the existing system.

Moved into new PIA template and updated to reflect current points of contact for the system.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes.

a. If yes, please provide the EA/Inventory number.

9501.

b. If no, please contact EA Service Desk to get the EA/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).

Information about an individual (e.g. Federal employee, contractor, licensee employee, general public) may be maintained in ADAMS if information about an individual is included as part of a document that is added into ADAMS.

In addition, the Replacement Reactor Program System (RRPS) is the Federal system of record for Operating License Records (OL Records), which contains personally identifiable information (PII) of applicants for, and holders of, operator licenses at nuclear power plants. RRPS uses ADAMS as a storage service provider for these records, which are owned and maintained by RRPS personnel. RRPS is owned by the Office of the Chief Information Officer (OCIO).

Information related to the workplace such as an employee's name, title, work telephone number, official work address/location, and work e-mail address is not treated as PII by NRC. Additionally, NRC's Office of General Counsel has advised that home addresses, home phone numbers, or home e-mail addresses within adjudicatory filings, documents associated with agency rulemakings, and correspondence received from the public on regulatory matters will not be treated as PII.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?

Information about an individual (e.g. Federal employee, contractor, licensee employee, general public) may be maintained in ADAMS if information about an individual is included as part of a document that is added into ADAMS.

In addition, the RRPS is the Federal system of record for OL Records, which contains PII of applicants for, and holders of, operator licenses at nuclear power plants. RRPS uses ADAMS as a storage service provider for these records, which are owned and maintained by RRPS personnel.

RRPS is owned by OCIO.

Information related to the workplace such as an employee's name, title, work telephone number, official work address/location, and work e-mail address is not treated as PII by NRC. Additionally, NRC's Office of General Counsel has advised that home addresses, home phone numbers, or home e-mail addresses within adjudicatory filings, documents associated with agency rulemakings, and correspondence received from the public on regulatory matters will not be treated as PII.

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

No, ADAMS does not directly collect information from an individual.

Information placed into ADAMS is collected or generated by the NRC through other means in response to adjudicatory filings, rulemakings, or other regulatory matters (to include Records collected by RRPS).

(1) If yes, what information is being collected?

N/A.

d. Will the information be collected from individuals who are not Federal employees?

N/A.

(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?

N/A.

(a) If yes, indicate the OMB approval number:

N/A.

e. Is the information being collected from existing NRC files, databases, or systems?

Yes.

(1) If yes, identify the files/databases/systems and the information being collected.

Internal sources of information which may contain PII include:

o Electronic files generated by NRC staff in various formats (e.g. text, images, graphics, spreadsheets, or any combination of these formats)
o E-Mail from the NRC e-mail system
o OL Records from RRPS

f. Is the information being collected from external sources (any source outside of the NRC)?

Yes.

(1) If yes, identify the source and what type of information is being collected?

External sources of information which may contain PII include:

o NRC Licensees and Applicants
o Parties to NRC Adjudicatory proceedings
o Nuclear Industry organizations
o Members of Congress
o Other Federal Agencies
o Agreement States
o Local governments
o Members of the public commenting on NRC regulations and publications
o Foreign governments and international organizations

The methods used include:

o EIE submissions
o Paper documents (scanned into ADAMS)
o CD-ROM Submissions
o E-Mail and Facsimile (Fax) Submissions
o Interface with RRPS

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

The NRC rulemaking Electronic Maintenance and Submission of Information (E-Rule) and its accompanying regulatory document, Guidance for Electronic Submissions to the NRC, govern the electronic submission, including fax submissions, of documents to the NRC. The guidance document may be accessed via this link: ML13031A056.

The Document Processing Center (DPC) evaluates the EIE and CD-ROM submittals against the criteria specified in the electronic submission guidance document and processes the document(s) that meet its criteria into ADAMS. Documents that do not meet one or more of the guidance document criteria will not be processed into ADAMS. The DPC will forward these submittals to the submitter and/or the appropriate NRC office staff in order to resolve the issue and obtain a submittal that can be processed into ADAMS. The owners of internal information are responsible for accuracy and completeness of the information added to ADAMS.

h. How will the information be collected (e.g. form, data transfer)?

The information is added into ADAMS via electronic data transfer mechanisms that are built into the various ADAMS components. Please see ADAMS Intake Components described in the ADAMS System Description, which may be accessed via this link: ML15070A582.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).

With limited exceptions, the OARs stored in ADAMS, both programmatic and administrative, are related to the following:

o NRC policy, direction, and oversight activities
o Nuclear reactor licensing, operation, safety, research, and inspection and enforcement activities
o Radioactive waste licensing, operation, safety, research, and inspection and enforcement activities
o Nuclear materials licensing, safety, research, and inspection and enforcement activities
o Accounting case and subject files, budget records, license fee case files, contract case files, Department of Energy work orders, interagency agreements, and other related records
o Information resources management activities
o Facility and property management activities
o Records of the Office of the General Counsel, Office of the Secretary, Atomic Safety and Licensing Board Panel (ASLBP), and Office of Commission Appellate Adjudication
o Records of the Offices of Congressional Affairs, International Programs, State Programs, Public Affairs, and Regional Public Affairs Offices

ADAMS contains the bibliographic descriptions of the programmatic records dated prior to November 1, 1999, which were originally maintained in NUDOCS and the Public Document Rooms Bibliographic Retrieval System.

ADAMS public libraries, Publicly Available Records System (PARS), including copies from PARS in the Unified Public Web Search repository, and Public Licensing Support Network (LSN) contain the publicly available data copied from the ML.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

The information stored in ADAMS originates from both internal and external sources. The internal sources consist of the NRC staff and contractors. The external sources are comprised of licensees, members of the general public, and other government agencies.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

The information stored in ADAMS is used by the NRC internal users to conduct the Agency's day-to-day business activities. The publicly available information is used by external users searching the Agency's policies, regulations, and material related to NRC licensing activities.

1. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

2. Who will ensure the proper use of the data in this system?

ADAMS employs a role-based access control mechanism that allows content owners to determine who will have access to content and the level of that access (create, read, update, delete).

3. Are the data elements described in detail and documented?

Yes. Every document in ADAMS has a Document Profile that stores information about the document (e.g., author, title, docket number, public availability, etc.).

The required, and some optional, property fields are populated by the document owner and fully completed by the DPC staff when the document is declared as an OAR.

a. If yes, what is the name of the document that contains this information and where is it located?

The list of the ADAMS Document Profile Properties is located in the ADAMS Navigator User Manual, which is available by clicking the Help link after accessing ADAMS Navigator through the internal NRC website.

The manual can also be found in ADAMS ML17152A297.

4. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A.

b. How will aggregated data be validated for relevance and accuracy?

N/A.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A.

5. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)?

(Be specific.)

ADAMS employs search tools that allow retrieval of the content of documents, as well as the metadata from the document profiles.

Search criteria include document date, accession number, docket number, document type, case or reference number, title, document text, and author name.

RRPS uses docket number, which is a personal identifier, to retrieve OL information from ADAMS.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

N/A.

6. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

No.

a. If Yes, provide name of SORN and location in the Federal Register.

N/A.

7. If the information system is being modified, will the SORN(s) require amendment or revision?

N/A.

8. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

N/A.

(1) What controls will be used to prevent unauthorized monitoring?

N/A.

9. List the report(s) that will be produced from this system.

ADAMS support tools are capable of generating the following administrative reports:

o ADAMS Sensitive Unclassified Non-Safeguards Information (SUNSI) Reviewer Reports - list of the documents with a date in the SUNSI Review Date property and the Document Sensitivity value other than Sensitive-Internal-Periodic Review Required or Sensitive-Security-Related-Periodic Review Required
o ADAMS Admin Reports - list by office of user group membership
o Main-PARS Differences - list of differences between ML and PARS at the folder, document, or property level
o Public Release Timeliness Report - list by office of internal and/or external documents and their timeline to public release
o E-RIDS - list of the routing and distribution codes

The ADAMS public web applications provide the built-in user reports to allow the public users to save their document search results, including document profile data.

a. What are the reports used for?

The administrative reports are used for monitoring and managing functions. The user reports are used by the public users to save their search results.

b. Who has access to these reports?

Access to administrative reports is available only to the NRC staff and is based upon the user role and access control list. The internal and external users have access to different sets of user reports based on a search library.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

All NRC offices may have access to the information in ADAMS, except for OL Records. Only select RRPS users from the Office of Nuclear Reactor Regulation can access this data.

(1) For what purpose?

The content supports information sharing for business processes and knowledge discovery.

(2) Will access be limited?

Yes, access is dependent upon a user's role(s) and need-to-know. A document owner determines who will have access to the document and the level of that access (e.g., None, Viewer, Author, Owner, and Admin), and can restrict access to specific individuals and/or user groups.

2. Will other NRC systems share data with or have access to the data in the system?

Yes.

(1) If yes, identify the system(s).

Public Meeting Notice System: requires read-only access to the DOCKET table in the Master Data Management system database to retrieve the Docket Number data (DocketNo, DocketType, and DocketName).

The EIE system is a document ingestion system for various regulatory-required documents, which are added into ADAMS for official recordkeeping. ADAMS provides accession numbers (ADAMS ML) back to EIE for submitted documents. In addition, EIE provides service list membership to ADAMS in order to populate Access Control Lists for authorization purposes to Electronic Hearing Docket Protective Order File (POF) documents.

Replacement Reactor Program System (RRPS) uses ADAMS as a storage repository for OL Records.

An NRC-issued laptop is used by ASLBP to access pre-filed adjudicatory documents in ADAMS.

(2) How will the data be transmitted or disclosed?

ADAMS transmits content to staff over the NRC's Information Technology Infrastructure (ITI) internal network.

ADAMS publishes public content to external-facing web servers for access by the general public and select members of adjudicatory proceedings.

3. Will external agencies/organizations/public have access to the data in the system?

Yes.

(1) If yes, who?

Other federal agencies, licensees, state, local, and tribal governments, participants in adjudicatory hearings and members of the general public have access to the publicly available information in ADAMS.

(2) Will access be limited?

Read-only access is granted to publicly available information in ADAMS.

Except for POF documents, no login is required since the agency has deemed this information as publicly available.

The content of POF documents is available only to select members of adjudicatory hearings who have been granted access to the documents by the issuing judge. A valid NRC-approved digital certificate and inclusion in the appropriate ACL is necessary to access the content.

(3) What data will be accessible and for what purpose/use?

Publicly available documents are published to the ADAMS PARS or, if part of the High-Level Waste hearing, to the Public LSN. They may be viewed and searched by members of the general public, external stakeholders, and other Federal agencies to fulfill the NRC's mandate to share information with the public.

(4) How will the data be transmitted or disclosed?

The publicly available documents are released to the public via publishing to the ADAMS Public Libraries (PARS and LSN) where they can be accessed through various NRC-provided web sites. Links to these sites are provided on the NRC's public Web site.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have an approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules (GRS)?

Yes.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).

For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

Each NRC document declared as an Official Agency Record in ADAMS is designated an authorized disposition in Records Manager.

This disposition covers the ADAMS PDF files, TIFF files, as well as the ADAMS data related to digital signatures, and data that evidence final NRC management and staff concurrences in documents that are linked to and considered part of the official records.

The NARA-approved records retention and disposition requirements for ADAMS records are described on the NRC's public web site and may be accessed via the following link:

http://www.nrc.gov/reading-rm/records-mgmt.html

The retention for the Master file is scheduled as follows:

GRS 3.2 item 050, Backup of master files and databases.

File identical to permanent records scheduled for transfer to the National Archives.

Temporary. Destroy immediately after the identical records have been captured in a subsequent backup file or at any time after the transfer request has been signed by the National Archives, but longer retention is authorized if required for business use.

GRS 3.2 item 051, Backup of master files and databases.

File identical to temporary records authorized for destruction by a NARA-approved records schedule.

Temporary. Destroy immediately after the identical records have been deleted or replaced by a subsequent backup file, but longer retention is authorized if required for business use.

Retention for Documentation is scheduled as follows:

GRS 3.1 item 050, Documentation necessary for preservation of permanent electronic records.

Permanent. Transfer to the National Archives with the permanent electronic records to which the documentation relates.

GRS 3.1 item 051, All documentation for temporary electronic records and documentation not necessary for preservation of permanent records.

Temporary. Destroy 5 years after the project/activity/transaction is completed or superseded, or the associated system is terminated, or the associated data is migrated to a successor system, but longer retention is authorized if required for business use.

Additional information related to Information Systems Security is scheduled under GENERAL RECORDS SCHEDULE 3.2 - Information Systems Security Records.

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

ADAMS inherits network access controls and permissions, identification and authentication, and physical access controls from the Office of Chief Information Officer ITI system.

Internal access to the system is restricted to NRC users with NRC Local Area Network/Wide Area Network (LAN/WAN) accounts and passwords and ADAMS accounts. Level of access to documents depends upon a user's role(s) and need-to-know and is restricted by object (package, folder, and document) access rights. The users are authenticated by an interface linked to the NRC's ITI system active directory services (Single Sign-On).

Except for POF documents, there are no security controls to authenticate external access to the ADAMS Public Libraries as this access is anonymous.

Each POF document requires a valid NRC-approved digital certificate and inclusion in the appropriate ACL in order to view that document.

For all components, ADAMS relies on the NRC's ITI infrastructure for security controls over access to the forward-facing web servers that host the libraries.

This includes compliance with Homeland Security's mandate for using secure ports and protocols to establish communication between the user's browser and the web servers that access the public libraries.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

ADAMS will rely on agency rules of behavior to ensure proper information usage by individuals that have been granted access to ADAMS Main Library. Role-based access controls and need-to-know within ADAMS also limit misuse of data.

At the object level (packages, folders, and documents), all content is restricted to those assigned a valid security role (assigned by the owner of the object). A user without assigned rights is not able to see the object, much less access its content.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes.

(1) If yes, where?

Please refer to the following documents:

ADAMS Current System Security Plan (ML103220552)

ADAMS System Architecture Document (ML110760778)

ADAMS Publishing System Architecture Document (ML12123A163)

Public ADAMS Synch Service System Architecture Document (ML12023A042)

4. Will the system be accessed or operated at more than one location (site)?

Yes.

a. If yes, how will consistent use be maintained at all sites?

ADAMS Main Library is accessed by NRC HQ and all regional offices staff users via the NRC LAN/WAN. External public libraries (PARS and LSN) are accessed by external users via the Internet.

ADAMS may only be accessed remotely through NRC ITIs Virtual Private Network (VPN) or Citrix.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

The user groups will include, but are not limited to, the NRC staff records liaison officers, records management staff, records managers, DPC staff, and operators and system administrators.

6. Will a record of their access to the system be captured?

Yes.

a. If yes, what will be collected?

The system keeps track of user IDs, when they log into the system, what content they access, and when they access it.

Please also see ADAMS System Security Plan and ADAMS P8 Audit and Accountability Policy and Procedures document (ML13301A505) for more information.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes. The NRC contractors, who are authorized for ADAMS access in order to fulfill their contractual obligations, are under the same access control, including accounts, passwords, and access rights at the document level, as other NRC internal users, on a need-to-know basis.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

The security controls recommended by the National Institute of Standards and Technology Special Publication 800-53 Rev. 4 have been implemented in ADAMS to prevent misuse of data. Please see the ADAMS System Security Plan and the ADAMS P8 Audit and Accountability Policy and Procedures document for more information.

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

Yes.

a. If yes, when was Certification and Accreditation last completed?

ADAMS was last authorized on September 26, 2019.

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: Agencywide Documents Access and Management System (ADAMS)

Submitting Office: Office of the Chief Information Officer (OCIO)

A. PRIVACY ACT APPLICABILITY REVIEW

X Privacy Act is not applicable.

Privacy Act is applicable.

Comments:

Although there are some documents in ADAMS that contain information about individuals, it is not the practice or policy of the NRC to maintain ADAMS as a system of records keyed to individuals, or to retrieve by an individual's name or unique identifier (other than the name of the author). ADAMS was designed and developed as the NRC's information management system. It was not developed as a system to collect or maintain information about individuals. ADAMS contains document profile data fields, two of which collect the name of a document's author and the document's recipient. The name of a document author and/or recipient is collected for administrative purposes, not for the purpose of collecting or retrieving records or information about the named individual. Also, the capability does exist to search for documents using an individual's name or personal identifier (or any other text) in a document text search. OMB guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person's name, but the agency must in fact retrieve records in this way in order for a system of records to exist. The retrieval of information by name or other personal identifier must be an agency practice to create a system of records and not a practice by those outside the agency.

Reviewer's Name: Signed by Hardy, Sally on 11/25/20

Title: Privacy Officer

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

X No OMB clearance is needed.

OMB clearance is needed.

Currently has OMB Clearance. Clearance No.

Comments:

ADAMS does not collect any information but organizes, processes, and manages the Agency's existing documentary material.

Reviewer's Name: Signed by Cullison, David on 11/23/20

Title: Agency Clearance Officer

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

No record schedule required.

Additional information is needed to complete assessment.

Needs to be scheduled.

X Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name: Signed by Dove, Marna on 11/23/20

Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE

X This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Signed by Partlow, Benjamin on 01/05/21

Acting Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Thomas Ashley, Jr., ITSOD Director, Office of the Chief Information Officer (OCIO)

Name of System: Agencywide Documents Access and Management System (ADAMS)

Date CSB received PIA for review: October 22, 2020

Date CSB completed PIA review: November 25, 2020

Noted Issues:

This system may contain documents that include personally identifiable information (PII).

Documents that contain PII will have restricted access. Information related to the workplace such as an employee's name, title, work telephone number, official work address/location, and work e-mail address is not treated as PII by NRC. Additionally, NRC's Office of General Counsel has advised that home addresses, home phone numbers, or home e-mail addresses within adjudicatory filings, documents associated with agency rulemakings, and correspondence received from the public on regulatory matters will not be treated as PII.

History/Background:

A request for a legal opinion (July 2003) was submitted to OGC to re-address the issue of whether or not ADAMS should be considered a Privacy Act system of records. OGC reconfirmed on September 15, 2003, that ADAMS does not constitute a system of records for purposes of the Privacy Act. The basic concept of ADAMS has not been modified.

Signature/Date: Signed by Partlow, Benjamin on 01/05/21

Acting Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr.
Director
IT Services Development and Operations Division
Office of the Chief Information Officer

Jonathan R. Feibus
Chief Information Security Officer (CISO)
Office of the Chief Information Officer